diff --git a/blacklist.conf b/blacklist.conf index df691de..b800920 100644 --- a/blacklist.conf +++ b/blacklist.conf @@ -2187,3 +2187,36 @@ e0fce6f945a26d4e953a147fe7ca11410322c9fe # there is no icmp_ndo_send 6fb9e1d94789e8ee5a258a23bc588693f743fd6c # this adds an uevent the udev of SLE12 is not prepared to handle, hence pointless 6071a6c0fba2d747742cadcbb3ba26ed756ed73b # cosmetic fix to comments not in kernel-doc 6a2d90ba027adba528509ffa27097cffd3879257 # rectifies behavior of a deprecated operation +662f11d55ffd02933e1bd275d732b97eddccf870 # Documentation/Cosmetic +39e0f991a62ed5efabd20711a7b6e7da92603170 # Optimization. Breaks kABI +614c0b9fee711dd89b1dd65c88ba83612a373fdc # Missing dependency 6553896666433e7efec589838b400a2a652b3ffa +0f3c66a3c7b4e8b9f654b3c998e9674376a51b0f # there is no .port_set_jumbo_size +e75130f20b1f48e04ccc806aea01f0a361f9cb6b # requires 10f78fd0dabbc3856ddd67b09a46abdedb045913 +10f78fd0dabbc3856ddd67b09a46abdedb045913 # fix for e75130f20b1f48e04ccc806aea01f0a361f9cb6b +7dee93a9a8808b3d8595e1cc79ccb8b1a7bc7a77 # introduces boot_mem_top, 4.12 code uses boot_memory_size indiscriminately +bec53196adf4791d466adf0e339b61186c7b5283 # relies on boot_mem_top, 4.12 code uses boot_memory_size indiscriminately +b38cd3b42fba66cc538edb9cf77e07881f43f8e2 # misattributed. Bug introduced in 4a56f891efceee88d422af2e99d00c8321c671c1, which we don't have +3ad02c27d89d72b3b49ac51899144b7d0942f05f # cleanup breaking kABI +218848835699879ed6260ec49bbb22e9e7839017 # cleanup breaking kABI +594cc251fdd0d231d342d88b2fdff4bc42fb0690 # Added to backlog: make 'user_access_begin()' do 'access_ok()' +7e34f4e4aad3fd34c02b294a3cf2321adf5b4438 # Added to backlog: drm/i915/gen8+: Add RC6 CTX corruption WA +268de6530aa18fe5773062367fd119f0045f6e88 # Added to backlog: drm: mst: Fix query_payload ack reply struct +d308a881a5917bdb46472c861a1dabe54b46c423 # Added to backlog: drm/dp_mst: Kill the second sideband tx slot, save the world +4caf017ee93703ba1c4504f3d73b50e6bbd4249e # Added to backlog: drm/i915/gem: Avoid implicit vmap for highmem on x86-32 +b7eeb2b4132ccf1a7d38f434cde7043913d1ed3c # Added to backlog: drm/i915: Avoid mixing integer types during batch copies +9397d66212cdf7a21c66523f1583e5d63a609e84 # Added to backlog: drm/i915/dp: Track pm_qos per connector +6fdb335f1c9c0845b50625de1624d8445c4c4a07 # Added to backlog: drm/i915/dsi: Use unconditional msleep for the panel_on_delay when there is no reset-deassert MIPI-sequence +8840e3bd981f128846b01c12d3966d115e8617c9 # Added to backlog: drm/i915: Fix the GT fence revocation runtime PM logic +5e61b84f9d3ddfba73091f9fbc940caae1c9eb22 # Added to backlog: drm/amdgpu: fix offset calculation in amdgpu_vm_bo_clear_mappings() +e3512fb67093fabdf27af303066627b921ee9bd8 # Added to backlog: drm/amdgpu: check alignment on CPU page for bo map +eb9dfdd1ed40357b99a4201c8534c58c562e48c9 # Added to backlog: drm/vc4: crtc: Reduce PV fifo threshold on hvs4 +e7c6e405e171fb33990a12ecfd14e6500d9e5cf2 # Added to backlog: Fix misc new gcc warnings +25315ebfaefcffd126a266116b37bb8a3d1c4620 # Added to backlog: drm/radeon: Fix a missing check bug in radeon_dp_mst_detect() +e0c16eb4b3610298a74ae5504c7f6939b12be991 # Added to backlog: amdgpu: fix GEM obj leak in amdgpu_display_user_framebuffer_create +c69f27137a38d24301a6b659454a91ad85dff4aa # Added to backlog: drm/radeon: Avoid power table parsing memory leaks +359615251034790abaa06b7b0e5635543e01d473 # Added to backlog: drm/radeon: Fix off-by-one power_state index heap overwrite +abd9d66a055722393d33685214c08386694871d7 # Added to backlog: drm/i915/display: Fix the 12 BPC bits for PIPE_MISC reg +0c9856e4edcdcac22d65618e8ceff9eb41447880 # Added to backlog: drm: mxsfb: Enable recovery on underflow +9891cb54445bc65bf156bda416b6215048c7f617 # Added to backlog: drm: mxsfb: Increase number of outstanding requests on V4 and newer HW +5e23c98178eb1a2cdb7c4fee9a39baf8cabf282d # Added to backlog: drm: mxsfb: Clear FIFO_CLEAR bit +aff890288de2d818e4f83ec40c9315e2d735df07 # Added to backlog: drm/amdgpu/acp: Make PM domain really work diff --git a/kabi/severities b/kabi/severities index bcf11e2..4d1ac48 100644 --- a/kabi/severities +++ b/kabi/severities @@ -99,6 +99,9 @@ posix_clock_register PASS # nobody cares bcache symbols drivers/md/bcache/* PASS +# cxgb3 symbols +drivers/net/ethernet/chelsio/cxgb3/* PASS + # inter-module symbols for qed/qede/qedf/qedi/qedr drivers/net/ethernet/qlogic/qed/* PASS drivers/net/ethernet/qlogic/qede/* PASS diff --git a/patches.kabi/powerpc-powernv-kABI-add-back-powernv_get_random_lon.patch b/patches.kabi/powerpc-powernv-kABI-add-back-powernv_get_random_lon.patch new file mode 100644 index 0000000..dfe8032 --- /dev/null +++ b/patches.kabi/powerpc-powernv-kABI-add-back-powernv_get_random_lon.patch @@ -0,0 +1,39 @@ +From cbddef9267861ca36182a70378214fa4ec31ade5 Mon Sep 17 00:00:00 2001 +From: Michal Suchanek +Date: Tue, 9 Aug 2022 12:50:51 +0200 +Subject: [PATCH] powerpc: powernv: kABI: add back powernv_get_random_long + +References: bsc#1065729 +Signed-off-by: Michal Suchanek +--- + arch/powerpc/include/asm/archrandom.h | 1 + + arch/powerpc/platforms/powernv/rng.c | 4 ++++ + 2 files changed, 5 insertions(+) + +diff --git a/arch/powerpc/include/asm/archrandom.h b/arch/powerpc/include/asm/archrandom.h +index 89417909a54d..f743dd24e3d0 100644 +--- a/arch/powerpc/include/asm/archrandom.h ++++ b/arch/powerpc/include/asm/archrandom.h +@@ -47,6 +47,7 @@ static inline int arch_has_random_seed(void) + + #ifdef CONFIG_PPC_POWERNV + int pnv_get_random_long(unsigned long *v); ++#define powernv_get_random_long pnv_get_random_long + #endif + + #endif /* _ASM_POWERPC_ARCHRANDOM_H */ +diff --git a/arch/powerpc/platforms/powernv/rng.c b/arch/powerpc/platforms/powernv/rng.c +index 829ebb8c7c5a..b68b4c5faf63 100644 +--- a/arch/powerpc/platforms/powernv/rng.c ++++ b/arch/powerpc/platforms/powernv/rng.c +@@ -198,3 +198,7 @@ static int __init pnv_rng_late_init(void) + return 0; + } + machine_subsys_initcall(powernv, pnv_rng_late_init); ++ ++#undef powernv_get_random_long ++int powernv_get_random_long(unsigned long *v) { return pnv_get_random_long(v); } ++EXPORT_SYMBOL_GPL(powernv_get_random_long); +-- +2.35.3 + diff --git a/patches.kabi/sysfs-Add-sysfs_emit-and-sysfs_emit_at-to-format-sys-kabi-workaround.patch b/patches.kabi/sysfs-Add-sysfs_emit-and-sysfs_emit_at-to-format-sys-kabi-workaround.patch new file mode 100644 index 0000000..5415b7f --- /dev/null +++ b/patches.kabi/sysfs-Add-sysfs_emit-and-sysfs_emit_at-to-format-sys-kabi-workaround.patch @@ -0,0 +1,26 @@ +From: Petr Mladek +Subject: kABI workaround for including mm.h in fs/sysfs/file.c +Patch-mainline: Never, kABI workaround for linux-5.3 based SUSE kernels +References: bsc#1200598 CVE-2022-20166 + +Including the header changes kABI of sysfs API that is implemented +in fs/sysfs/file.c. + +Signed-off-by: Petr Mladek + +--- + fs/sysfs/file.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/sysfs/file.c ++++ b/fs/sysfs/file.c +@@ -17,7 +17,9 @@ + #include + #include + #include ++#ifndef __GENKSYMS__ + #include ++#endif + + #include "sysfs.h" + #include "../kernfs/kernfs-internal.h" diff --git a/patches.rt/0303-Revert-random-invalidate-batched-entropy-after-crng-init.patch b/patches.rt/0303-Revert-random-invalidate-batched-entropy-after-crng-init.patch index 4a6beb0..2092a20 100644 --- a/patches.rt/0303-Revert-random-invalidate-batched-entropy-after-crng-init.patch +++ b/patches.rt/0303-Revert-random-invalidate-batched-entropy-after-crng-init.patch @@ -59,7 +59,7 @@ Signed-off-by: Mike Galbraith * Copyright Matt Mackall , 2003, 2004, 2005 * * Copyright Theodore Ts'o, 1994, 1995, 1996, 1997, 1998, 1999. All -@@ -779,8 +776,6 @@ static DECLARE_WAIT_QUEUE_HEAD(crng_init +@@ -780,8 +777,6 @@ static DECLARE_WAIT_QUEUE_HEAD(crng_init static struct crng_state **crng_node_pool __read_mostly; #endif @@ -68,7 +68,15 @@ Signed-off-by: Mike Galbraith static void crng_initialize(struct crng_state *crng) { int i; -@@ -856,7 +851,6 @@ static int crng_fast_load(const char *cp +@@ -864,7 +859,6 @@ static void crng_finalize_init(struct cr + return; + } + +- invalidate_batched_entropy(); + numa_crng_init(); + crng_init = 2; + process_random_ready_list(); +@@ -904,7 +898,6 @@ static int crng_fast_load(const char *cp } spin_unlock_irqrestore(&primary_crng.lock, flags); if (crng_init_cnt >= CRNG_INIT_CNT_THRESH) { @@ -76,15 +84,7 @@ Signed-off-by: Mike Galbraith crng_init = 1; wake_up_interruptible(&crng_init_wait); pr_notice("random: fast init done\n"); -@@ -939,7 +933,6 @@ static void crng_reseed(struct crng_stat - crng->init_time = jiffies; - spin_unlock_irqrestore(&crng->lock, flags); - if (crng == &primary_crng && crng_init < 2) { -- invalidate_batched_entropy(); - numa_crng_init(); - crng_init = 2; - process_random_ready_list(); -@@ -2173,7 +2166,6 @@ struct batched_entropy { +@@ -2189,7 +2182,6 @@ struct batched_entropy { }; unsigned int position; }; @@ -92,7 +92,7 @@ Signed-off-by: Mike Galbraith /* * Get a random word for internal kernel use only. The quality of the random -@@ -2187,20 +2179,14 @@ static DEFINE_PER_CPU(struct batched_ent +@@ -2203,20 +2195,14 @@ static DEFINE_PER_CPU(struct batched_ent u64 get_random_u64(void) { u64 ret; @@ -113,7 +113,7 @@ Signed-off-by: Mike Galbraith put_cpu_var(batched_entropy_u64); return ret; } -@@ -2210,42 +2196,19 @@ static DEFINE_PER_CPU(struct batched_ent +@@ -2226,42 +2212,19 @@ static DEFINE_PER_CPU(struct batched_ent u32 get_random_u32(void) { u32 ret; diff --git a/patches.rt/0305-random-avoid-preempt_disable-ed-section.patch b/patches.rt/0305-random-avoid-preempt_disable-ed-section.patch index bf29bd7..80b3427 100644 --- a/patches.rt/0305-random-avoid-preempt_disable-ed-section.patch +++ b/patches.rt/0305-random-avoid-preempt_disable-ed-section.patch @@ -27,7 +27,7 @@ Signed-off-by: Mike Galbraith #include #include -@@ -2175,35 +2176,37 @@ struct batched_entropy { +@@ -2191,35 +2192,37 @@ struct batched_entropy { * point prior. */ static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u64); diff --git a/patches.rt/0306-char-random-don-t-print-that-the-init-is-done.patch b/patches.rt/0306-char-random-don-t-print-that-the-init-is-done.patch index 91b2cf6..f0499d1 100644 --- a/patches.rt/0306-char-random-don-t-print-that-the-init-is-done.patch +++ b/patches.rt/0306-char-random-don-t-print-that-the-init-is-done.patch @@ -151,7 +151,15 @@ Signed-off-by: Mike Galbraith --- a/drivers/char/random.c +++ b/drivers/char/random.c -@@ -852,7 +852,6 @@ static int crng_fast_load(const char *cp +@@ -864,7 +864,6 @@ static void crng_finalize_init(struct cr + crng_init = 2; + process_random_ready_list(); + wake_up_interruptible(&crng_init_wait); +- pr_notice("crng init done\n"); + if (unseeded_warning.missed) { + pr_notice("%d get_random_xx warning(s) missed due to ratelimiting\n", + unseeded_warning.missed); +@@ -901,7 +900,6 @@ static int crng_fast_load(const char *cp if (crng_init_cnt >= CRNG_INIT_CNT_THRESH) { crng_init = 1; wake_up_interruptible(&crng_init_wait); @@ -159,11 +167,3 @@ Signed-off-by: Mike Galbraith } return 1; } -@@ -936,7 +935,6 @@ static void crng_reseed(struct crng_stat - crng_init = 2; - process_random_ready_list(); - wake_up_interruptible(&crng_init_wait); -- pr_notice("random: crng init done\n"); - if (unseeded_warning.missed) { - pr_notice("random: %d get_random_xx warning(s) missed " - "due to ratelimiting\n", diff --git a/patches.suse/Bluetooth-hci_qca-Use-del_timer_sync-before-freeing.patch b/patches.suse/Bluetooth-hci_qca-Use-del_timer_sync-before-freeing.patch new file mode 100644 index 0000000..e366ff7 --- /dev/null +++ b/patches.suse/Bluetooth-hci_qca-Use-del_timer_sync-before-freeing.patch @@ -0,0 +1,43 @@ +From 72ef98445aca568a81c2da050532500a8345ad3a Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Tue, 5 Apr 2022 10:02:00 -0400 +Subject: [PATCH] Bluetooth: hci_qca: Use del_timer_sync() before freeing +Git-commit: 72ef98445aca568a81c2da050532500a8345ad3a +References: git-fixes +Patch-mainline: v5.19-rc1 + +While looking at a crash report on a timer list being corrupted, which +usually happens when a timer is freed while still active. This is +commonly triggered by code calling del_timer() instead of +del_timer_sync() just before freeing. + +One possible culprit is the hci_qca driver, which does exactly that. + +Eric mentioned that wake_retrans_timer could be rearmed via the work +queue, so also move the destruction of the work queue before +del_timer_sync(). + +Cc: Eric Dumazet +Cc: stable@vger.kernel.org +Fixes: 0ff252c1976da ("Bluetooth: hciuart: Add support QCA chipset for UART") +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Marcel Holtmann +Signed-off-by: Oliver Neukum +--- + drivers/bluetooth/hci_qca.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/bluetooth/hci_qca.c ++++ b/drivers/bluetooth/hci_qca.c +@@ -524,9 +524,9 @@ static int qca_close(struct hci_uart *hu + + skb_queue_purge(&qca->tx_wait_q); + skb_queue_purge(&qca->txq); +- del_timer(&qca->tx_idle_timer); +- del_timer(&qca->wake_retrans_timer); + destroy_workqueue(qca->workqueue); ++ del_timer_sync(&qca->tx_idle_timer); ++ del_timer_sync(&qca->wake_retrans_timer); + qca->hu = NULL; + + kfree_skb(qca->rx_skb); diff --git a/patches.suse/IBRS-forbid-shooting-in-foot.patch b/patches.suse/IBRS-forbid-shooting-in-foot.patch deleted file mode 100644 index 9b1208b..0000000 --- a/patches.suse/IBRS-forbid-shooting-in-foot.patch +++ /dev/null @@ -1,33 +0,0 @@ -From: Jiri Slaby -Subject: x86/speculation: IBRS, forbid shooting in foot -Patch-mainline: Never, SUSE specific -References: bsc#1068032 CVE-2017-5753 bnc#1119065 - -When a user tries to force IBRS on a system without IBRS support, the -system oopses. So check if the system supports IBRS first, before -enabling the support. - -Signed-off-by: Jiri Slaby ---- - arch/x86/kernel/cpu/bugs.c | 9 ++++++--- - 1 file changed, 6 insertions(+), 3 deletions(-) - ---- a/arch/x86/kernel/cpu/bugs.c -+++ b/arch/x86/kernel/cpu/bugs.c -@@ -940,10 +940,13 @@ static void __init spectre_v2_select_mit - return; - - case SPECTRE_V2_CMD_IBRS: -- mode = SPECTRE_V2_IBRS; -- setup_force_cpu_cap(X86_FEATURE_USE_IBRS); -- goto specv2_set_mode; -+ if (boot_cpu_has(X86_FEATURE_IBRS)) { -+ mode = SPECTRE_V2_IBRS; -+ setup_force_cpu_cap(X86_FEATURE_USE_IBRS); -+ goto specv2_set_mode; -+ } - -+ /* fall through */ - case SPECTRE_V2_CMD_FORCE: - case SPECTRE_V2_CMD_AUTO: - if (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED)) { diff --git a/patches.suse/KVM-x86-speculation-Disable-Fill-buffer-clear-within-guests.patch b/patches.suse/KVM-x86-speculation-Disable-Fill-buffer-clear-within-guests.patch index 41e5dad..605444c 100644 --- a/patches.suse/KVM-x86-speculation-Disable-Fill-buffer-clear-within-guests.patch +++ b/patches.suse/KVM-x86-speculation-Disable-Fill-buffer-clear-within-guests.patch @@ -2,8 +2,7 @@ From: Pawan Gupta Date: Thu, 19 May 2022 20:35:15 -0700 Subject: KVM: x86/speculation: Disable Fill buffer clear within guests Git-commit: 027bbb884be006b05d9c577d6401686053aa789e -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git -Patch-mainline: Queued in tip for v5.19 +Patch-mainline: v5.18-rc7 References: bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180 The enumeration of MD_CLEAR in CPUID(EAX=7,ECX=0).EDX{bit 10} is not an diff --git a/patches.suse/PCI-qcom-Fix-runtime-PM-imbalance-on-probe-errors.patch b/patches.suse/PCI-qcom-Fix-runtime-PM-imbalance-on-probe-errors.patch new file mode 100644 index 0000000..1183b51 --- /dev/null +++ b/patches.suse/PCI-qcom-Fix-runtime-PM-imbalance-on-probe-errors.patch @@ -0,0 +1,47 @@ +From: Johan Hovold +Date: Fri, 1 Apr 2022 15:38:53 +0200 +Subject: PCI: qcom: Fix runtime PM imbalance on probe errors + +Git-commit: 87d83b96c8d6c6c2d2096bd0bdba73bcf42b8ef0 +Patch-mainline: v5.19-rc1 +References: git-fixes + +Drop the leftover pm_runtime_disable() calls from the late probe error +paths that would, for example, prevent runtime PM from being reenabled +after a probe deferral. + +Link: https://lore.kernel.org/r/20220401133854.10421-2-johan+linaro@kernel.org +Fixes: 6e5da6f7d824 ("PCI: qcom: Fix error handling in runtime PM support") +Signed-off-by: Johan Hovold +Signed-off-by: Lorenzo Pieralisi +Signed-off-by: Bjorn Helgaas +Reviewed-by: Manivannan Sadhasivam +Acked-by: Stanimir Varbanov +Cc: stable@vger.kernel.org # 4.20 +Cc: Bjorn Andersson +Signed-off-by: Mian Yousaf Kaukab +--- + drivers/pci/dwc/pcie-qcom.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/drivers/pci/dwc/pcie-qcom.c ++++ b/drivers/pci/dwc/pcie-qcom.c +@@ -1394,17 +1394,14 @@ static int qcom_pcie_probe(struct platfo + } + + ret = phy_init(pcie->phy); +- if (ret) { +- pm_runtime_disable(&pdev->dev); ++ if (ret) + goto err_pm_runtime_put; +- } + + platform_set_drvdata(pdev, pcie); + + ret = dw_pcie_host_init(pp); + if (ret) { + dev_err(dev, "cannot initialize host\n"); +- pm_runtime_disable(&pdev->dev); + goto err_pm_runtime_put; + } + diff --git a/patches.suse/SUNRPC-Fix-READ_PLUS-crasher.patch b/patches.suse/SUNRPC-Fix-READ_PLUS-crasher.patch new file mode 100644 index 0000000..75205e3 --- /dev/null +++ b/patches.suse/SUNRPC-Fix-READ_PLUS-crasher.patch @@ -0,0 +1,33 @@ +From: Chuck Lever +Date: Thu, 30 Jun 2022 16:48:18 -0400 +Subject: [PATCH] SUNRPC: Fix READ_PLUS crasher +Git-commit: a23dd544debcda4ee4a549ec7de59e85c3c8345c +Patch-mainline: v5.19 +References: git-fixes + +Looks like there are still cases when "space_left - frag1bytes" can +legitimately exceed PAGE_SIZE. Ensure that xdr->end always remains +within the current encode buffer. + +Reported-by: Bruce Fields +Reported-by: Zorro Lang +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216151 +Fixes: 6c254bf3b637 ("SUNRPC: Fix the calculation of xdr->end in xdr_get_next_encode_buffer()") +Signed-off-by: Chuck Lever +Acked-by: NeilBrown + +--- + net/sunrpc/xdr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sunrpc/xdr.c ++++ b/net/sunrpc/xdr.c +@@ -544,7 +544,7 @@ static __be32 *xdr_get_next_encode_buffe + */ + xdr->p = (void *)p + frag2bytes; + space_left = xdr->buf->buflen - xdr->buf->len; +- if (space_left - nbytes >= PAGE_SIZE) ++ if (space_left - frag1bytes >= PAGE_SIZE) + xdr->end = (void *)p + PAGE_SIZE; + else + xdr->end = (void *)p + space_left - frag1bytes; diff --git a/patches.suse/arch_topology-Do-not-set-llc_sibling-if-llc_id-is-in.patch b/patches.suse/arch_topology-Do-not-set-llc_sibling-if-llc_id-is-in.patch new file mode 100644 index 0000000..0f9c369 --- /dev/null +++ b/patches.suse/arch_topology-Do-not-set-llc_sibling-if-llc_id-is-in.patch @@ -0,0 +1,35 @@ +From: Wang Qing +Date: Sun, 10 Apr 2022 19:36:19 -0700 +Subject: arch_topology: Do not set llc_sibling if llc_id is invalid + +Git-commit: 1dc9f1a66e1718479e1c4f95514e1750602a3cb9 +Patch-mainline: v5.18-rc5 +References: git-fixes + +When ACPI is not enabled, cpuid_topo->llc_id = cpu_topo->llc_id = -1, which +will set llc_sibling 0xff(...), this is misleading. + +Don't set llc_sibling(default 0) if we don't know the cache topology. + +Reviewed-by: Sudeep Holla +Signed-off-by: Wang Qing +Fixes: 37c3ec2d810f ("arm64: topology: divorce MC scheduling domain from core_siblings") +Cc: stable +Link: https://lore.kernel.org/r/1649644580-54626-1-git-send-email-wangqing@vivo.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Mian Yousaf Kaukab +--- + arch/arm64/kernel/topology.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/kernel/topology.c ++++ b/arch/arm64/kernel/topology.c +@@ -238,7 +238,7 @@ static void update_siblings_masks(unsign + for_each_possible_cpu(cpu) { + cpu_topo = &cpu_topology[cpu]; + +- if (cpuid_topo->llc_id == cpu_topo->llc_id) { ++ if (cpu_topo->llc_id != -1 && cpuid_topo->llc_id == cpu_topo->llc_id) { + cpumask_set_cpu(cpu, &cpuid_topo->llc_siblings); + cpumask_set_cpu(cpuid, &cpu_topo->llc_siblings); + } diff --git a/patches.suse/block-drbd-drbd_nl-Make-conversion-to-enum-drbd_ret_code-explicit.patch b/patches.suse/block-drbd-drbd_nl-Make-conversion-to-enum-drbd_ret_code-explicit.patch new file mode 100644 index 0000000..f5cce68 --- /dev/null +++ b/patches.suse/block-drbd-drbd_nl-Make-conversion-to-enum-drbd_ret_code-explicit.patch @@ -0,0 +1,84 @@ +From: Lee Jones +Date: Fri, 12 Mar 2021 10:55:26 +0000 +Subject: block: drbd: drbd_nl: Make conversion to 'enum drbd_ret_code' + explicit +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Git-commit: 1f1e87b4dc4598eac57a69868534b92d65e47e82 +Patch-mainline: v5.13-rc1 +References: git-fixes + +Fixes the following W=1 kernel build warning(s): + + from drivers/block/drbd/drbd_nl.c:24: + drivers/block/drbd/drbd_nl.c: In function ‘drbd_adm_set_role’: + drivers/block/drbd/drbd_nl.c:793:11: warning: implicit conversion from ‘enum drbd_state_rv’ to ‘enum drbd_ret_code’ [-Wenum-conversion] + drivers/block/drbd/drbd_nl.c:795:11: warning: implicit conversion from ‘enum drbd_state_rv’ to ‘enum drbd_ret_code’ [-Wenum-conversion] + drivers/block/drbd/drbd_nl.c: In function ‘drbd_adm_attach’: + drivers/block/drbd/drbd_nl.c:1965:10: warning: implicit conversion from ‘enum drbd_state_rv’ to ‘enum drbd_ret_code’ [-Wenum-conversion] + drivers/block/drbd/drbd_nl.c: In function ‘drbd_adm_connect’: + drivers/block/drbd/drbd_nl.c:2690:10: warning: implicit conversion from ‘enum drbd_state_rv’ to ‘enum drbd_ret_code’ [-Wenum-conversion] + drivers/block/drbd/drbd_nl.c: In function ‘drbd_adm_disconnect’: + drivers/block/drbd/drbd_nl.c:2803:11: warning: implicit conversion from ‘enum drbd_state_rv’ to ‘enum drbd_ret_code’ [-Wenum-conversion] + +Cc: Philipp Reisner +Cc: Lars Ellenberg +Cc: Jens Axboe +Cc: drbd-dev@lists.linbit.com +Cc: linux-block@vger.kernel.org +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/20210312105530.2219008-8-lee.jones@linaro.org +Signed-off-by: Jens Axboe +Acked-by: Lee Duncan +--- + drivers/block/drbd/drbd_nl.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/drivers/block/drbd/drbd_nl.c b/drivers/block/drbd/drbd_nl.c +index bf7de4c7b96c..31902304ddac 100644 +--- a/drivers/block/drbd/drbd_nl.c ++++ b/drivers/block/drbd/drbd_nl.c +@@ -790,9 +790,11 @@ int drbd_adm_set_role(struct sk_buff *skb, struct genl_info *info) + mutex_lock(&adm_ctx.resource->adm_mutex); + + if (info->genlhdr->cmd == DRBD_ADM_PRIMARY) +- retcode = drbd_set_role(adm_ctx.device, R_PRIMARY, parms.assume_uptodate); ++ retcode = (enum drbd_ret_code)drbd_set_role(adm_ctx.device, ++ R_PRIMARY, parms.assume_uptodate); + else +- retcode = drbd_set_role(adm_ctx.device, R_SECONDARY, 0); ++ retcode = (enum drbd_ret_code)drbd_set_role(adm_ctx.device, ++ R_SECONDARY, 0); + + mutex_unlock(&adm_ctx.resource->adm_mutex); + genl_lock(); +@@ -1962,7 +1964,7 @@ int drbd_adm_attach(struct sk_buff *skb, struct genl_info *info) + drbd_flush_workqueue(&connection->sender_work); + + rv = _drbd_request_state(device, NS(disk, D_ATTACHING), CS_VERBOSE); +- retcode = rv; /* FIXME: Type mismatch. */ ++ retcode = (enum drbd_ret_code)rv; + drbd_resume_io(device); + if (rv < SS_SUCCESS) + goto fail; +@@ -2687,7 +2689,8 @@ int drbd_adm_connect(struct sk_buff *skb, struct genl_info *info) + } + rcu_read_unlock(); + +- retcode = conn_request_state(connection, NS(conn, C_UNCONNECTED), CS_VERBOSE); ++ retcode = (enum drbd_ret_code)conn_request_state(connection, ++ NS(conn, C_UNCONNECTED), CS_VERBOSE); + + conn_reconfig_done(connection); + mutex_unlock(&adm_ctx.resource->adm_mutex); +@@ -2800,7 +2803,7 @@ int drbd_adm_disconnect(struct sk_buff *skb, struct genl_info *info) + mutex_lock(&adm_ctx.resource->adm_mutex); + rv = conn_try_disconnect(connection, parms.force_disconnect); + if (rv < SS_SUCCESS) +- retcode = rv; /* FIXME: Type mismatch. */ ++ retcode = (enum drbd_ret_code)rv; + else + retcode = NO_ERROR; + mutex_unlock(&adm_ctx.resource->adm_mutex); + diff --git a/patches.suse/bnxt_en-Re-write-PCI-BARs-after-PCI-fatal-error.patch b/patches.suse/bnxt_en-Re-write-PCI-BARs-after-PCI-fatal-error.patch new file mode 100644 index 0000000..679c341 --- /dev/null +++ b/patches.suse/bnxt_en-Re-write-PCI-BARs-after-PCI-fatal-error.patch @@ -0,0 +1,88 @@ +From 425afcb6aa408de4522f4be7530305490fca6c04 Mon Sep 17 00:00:00 2001 +From: Vasundhara Volam +Date: Mon, 26 Oct 2020 00:18:19 -0400 +Subject: [PATCH 8/8] bnxt_en: Re-write PCI BARs after PCI fatal error. +Git-commit: f75d9a0aa96721d20011cd5f8c7a24eb32728589 +Patch-mainline: v5.10-rc2 +References: git-fixes + +When a PCIe fatal error occurs, the internal latched BAR addresses +in the chip get reset even though the BAR register values in config +space are retained. + +pci_restore_state() will not rewrite the BAR addresses if the +BAR address values are valid, causing the chip's internal BAR addresses +to stay invalid. So we need to zero the BAR registers during PCIe fatal +error to force pci_restore_state() to restore the BAR addresses. These +write cycles to the BAR registers will cause the proper BAR addresses to +latch internally. + +Fixes: 6316ea6db93d ("bnxt_en: Enable AER support.") +Signed-off-by: Vasundhara Volam +Signed-off-by: Michael Chan +Signed-off-by: Jakub Kicinski +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 19 ++++++++++++++++++- + drivers/net/ethernet/broadcom/bnxt/bnxt.h | 1 + + 2 files changed, 19 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index b1dbacc8d6d5..b1ba6df8911d 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -10857,6 +10857,9 @@ static pci_ers_result_t bnxt_io_error_detected(struct pci_dev *pdev, + return PCI_ERS_RESULT_DISCONNECT; + } + ++ if (state == pci_channel_io_frozen) ++ set_bit(BNXT_STATE_PCI_CHANNEL_IO_FROZEN, &bp->state); ++ + if (netif_running(netdev)) + bnxt_close(netdev); + +@@ -10884,7 +10887,7 @@ static pci_ers_result_t bnxt_io_slot_reset(struct pci_dev *pdev) + { + struct net_device *netdev = pci_get_drvdata(pdev); + struct bnxt *bp = netdev_priv(netdev); +- int err = 0; ++ int err = 0, off; + pci_ers_result_t result = PCI_ERS_RESULT_DISCONNECT; + + netdev_info(bp->dev, "PCI Slot Reset\n"); +@@ -10896,6 +10899,20 @@ static pci_ers_result_t bnxt_io_slot_reset(struct pci_dev *pdev) + "Cannot re-enable PCI device after reset.\n"); + } else { + pci_set_master(pdev); ++ /* Upon fatal error, our device internal logic that latches to ++ * BAR value is getting reset and will restore only upon ++ * rewritting the BARs. ++ * ++ * As pci_restore_state() does not re-write the BARs if the ++ * value is same as saved value earlier, driver needs to ++ * write the BARs to 0 to force restore, in case of fatal error. ++ */ ++ if (test_and_clear_bit(BNXT_STATE_PCI_CHANNEL_IO_FROZEN, ++ &bp->state)) { ++ for (off = PCI_BASE_ADDRESS_0; ++ off <= PCI_BASE_ADDRESS_5; off += 4) ++ pci_write_config_dword(bp->pdev, off, 0); ++ } + pci_restore_state(pdev); + pci_save_state(pdev); + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.h b/drivers/net/ethernet/broadcom/bnxt/bnxt.h +index a2d616f1aaeb..11dc51e82fd6 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h +@@ -1462,6 +1462,7 @@ struct bnxt { + #define BNXT_STATE_OPEN 0 + #define BNXT_STATE_IN_SP_TASK 1 + #define BNXT_STATE_READ_STATS 2 ++#define BNXT_STATE_PCI_CHANNEL_IO_FROZEN 8 + + struct bnxt_irq *irq_tbl; + int total_irqs; +-- +2.16.4 + diff --git a/patches.suse/cxgb3-l2t-Fix-undefined-behaviour.patch b/patches.suse/cxgb3-l2t-Fix-undefined-behaviour.patch new file mode 100644 index 0000000..7eabe24 --- /dev/null +++ b/patches.suse/cxgb3-l2t-Fix-undefined-behaviour.patch @@ -0,0 +1,50 @@ +From 60f535745e7213c1a2cd3a33ee7d8b5dbaa4fc27 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Fri, 29 Mar 2019 10:27:26 -0500 +Subject: [PATCH 1/2] cxgb3/l2t: Fix undefined behaviour +Git-commit: 76497732932f15e7323dc805e8ea8dc11bb587cf +Patch-mainline: v5.2-rc1 +References: git-fixes + +The use of zero-sized array causes undefined behaviour when it is not +the last member in a structure. As it happens to be in this case. + +Also, the current code makes use of a language extension to the C90 +standard, but the preferred mechanism to declare variable-length +types such as this one is a flexible array member, introduced in +C99: + +struct foo { + int stuff; + struct boo array[]; +}; + +By making use of the mechanism above, we will get a compiler warning +in case the flexible array does not occur last. Which is beneficial +to cultivate a high-quality code. + +Fixes: e48f129c2f20 ("[SCSI] cxgb3i: convert cdev->l2opt to use rcu to prevent NULL dereference") +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/chelsio/cxgb3/l2t.h b/drivers/net/ethernet/chelsio/cxgb3/l2t.h +index c2fd323c4078..ea75f275023f 100644 +--- a/drivers/net/ethernet/chelsio/cxgb3/l2t.h ++++ b/drivers/net/ethernet/chelsio/cxgb3/l2t.h +@@ -75,8 +75,8 @@ struct l2t_data { + struct l2t_entry *rover; /* starting point for next allocation */ + atomic_t nfree; /* number of free entries */ + rwlock_t lock; +- struct l2t_entry l2tab[0]; + struct rcu_head rcu_head; /* to handle rcu cleanup */ ++ struct l2t_entry l2tab[]; + }; + + typedef void (*arp_failure_handler_func)(struct t3cdev * dev, +-- +2.16.4 + diff --git a/patches.suse/dm-raid-fix-KASAN-warning-in-raid5_add_disks.patch b/patches.suse/dm-raid-fix-KASAN-warning-in-raid5_add_disks.patch new file mode 100644 index 0000000..3614d10 --- /dev/null +++ b/patches.suse/dm-raid-fix-KASAN-warning-in-raid5_add_disks.patch @@ -0,0 +1,31 @@ +From: Mikulas Patocka +Date: Wed, 29 Jun 2022 13:40:57 -0400 +Subject: [PATCH] dm raid: fix KASAN warning in raid5_add_disks +Git-commit: 617b365872a247480e9dcd50a32c8d1806b21861 +Patch-mainline: v5.19 +References: git-fixes + +There's a KASAN warning in raid5_add_disk when running the LVM testsuite. +The warning happens in the test +lvconvert-raid-reshape-linear_to_raid6-single-type.sh. We fix the warning +by verifying that rdev->saved_raid_disk is within limits. + +Cc: stable@vger.kernel.org +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Acked-by: NeilBrown + +--- + drivers/md/raid5.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -7725,6 +7725,7 @@ static int raid5_add_disk(struct mddev * + */ + if (rdev->saved_raid_disk >= 0 && + rdev->saved_raid_disk >= first && ++ rdev->saved_raid_disk <= last && + conf->disks[rdev->saved_raid_disk].rdev == NULL) + first = rdev->saved_raid_disk; + diff --git a/patches.suse/drivers-core-Miscellaneous-changes-for-sysfs_emit.patch b/patches.suse/drivers-core-Miscellaneous-changes-for-sysfs_emit.patch new file mode 100644 index 0000000..f204b3e --- /dev/null +++ b/patches.suse/drivers-core-Miscellaneous-changes-for-sysfs_emit.patch @@ -0,0 +1,295 @@ +From 948b3edba8988306b635578a72b0dab6091a5eb0 Mon Sep 17 00:00:00 2001 +From: Joe Perches +Date: Wed, 16 Sep 2020 13:40:42 -0700 +Subject: [PATCH] drivers core: Miscellaneous changes for sysfs_emit +Git-commit: 948b3edba8988306b635578a72b0dab6091a5eb0 +Patch-mainline: v5.10-rc1 +References: bsc#1200598 CVE-2022-20166 + +Change additional instances that could use sysfs_emit and sysfs_emit_at +that the coccinelle script could not convert. + +o macros creating show functions with ## concatenation +o unbound sprintf uses with buf+len for start of output to sysfs_emit_at +o returns with ?: tests and sprintf to sysfs_emit +o sysfs output with struct class * not struct device * arguments + +Miscellanea: + +o remove unnecessary initializations around these changes +o consistently use int len for return length of show functions +o use octal permissions and not S_ +o rename a few show function names so DEVICE_ATTR_ can be used +o use DEVICE_ATTR_ADMIN_RO where appropriate +o consistently use const char *output for strings +o checkpatch/style neatening + +Signed-off-by: Joe Perches +Link: https://lore.kernel.org/r/8bc24444fe2049a9b2de6127389b57edfdfe324d.1600285923.git.joe@perches.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Petr Mladek + +[ pmladek@suse.com: Removed changes when the buffer could never overflow. + Also removed cosmetic changes. +] + + +--- + drivers/base/class.c | 2 - + drivers/base/core.c | 6 ++--- + drivers/base/cpu.c | 31 +++++++++++++++--------------- + drivers/base/node.c | 49 ++++++++++++++++++++---------------------------- + drivers/base/platform.c | 4 --- + 5 files changed, 42 insertions(+), 50 deletions(-) + +--- a/drivers/base/class.c ++++ b/drivers/base/class.c +@@ -506,7 +506,7 @@ ssize_t show_class_attr_string(struct cl + struct class_attribute_string *cs; + + cs = container_of(attr, struct class_attribute_string, attr); +- return snprintf(buf, PAGE_SIZE, "%s\n", cs->str); ++ return sysfs_emit(buf, "%s\n", cs->str); + } + + EXPORT_SYMBOL_GPL(show_class_attr_string); +--- a/drivers/base/core.c ++++ b/drivers/base/core.c +@@ -960,7 +960,7 @@ static ssize_t uevent_show(struct device + struct kset *kset; + struct kobj_uevent_env *env = NULL; + int i; +- size_t count = 0; ++ int len = 0; + int retval; + + /* search the kset, the device belongs to */ +@@ -990,10 +990,10 @@ static ssize_t uevent_show(struct device + + /* copy keys to file */ + for (i = 0; i < env->envp_idx; i++) +- count += sprintf(&buf[count], "%s\n", env->envp[i]); ++ len += sysfs_emit_at(buf, len, "%s\n", env->envp[i]); + out: + kfree(env); +- return count; ++ return len; + } + + static ssize_t uevent_store(struct device *dev, struct device_attribute *attr, +--- a/drivers/base/cpu.c ++++ b/drivers/base/cpu.c +@@ -240,30 +240,30 @@ unsigned int total_cpus; + static ssize_t print_cpus_offline(struct device *dev, + struct device_attribute *attr, char *buf) + { +- int n = 0, len = PAGE_SIZE-2; ++ int len = 0; + cpumask_var_t offline; + + /* display offline cpus < nr_cpu_ids */ + if (!alloc_cpumask_var(&offline, GFP_KERNEL)) + return -ENOMEM; + cpumask_andnot(offline, cpu_possible_mask, cpu_online_mask); +- n = scnprintf(buf, len, "%*pbl", cpumask_pr_args(offline)); ++ len += sysfs_emit_at(buf, len, "%*pbl", cpumask_pr_args(offline)); + free_cpumask_var(offline); + + /* display offline cpus >= nr_cpu_ids */ + if (total_cpus && nr_cpu_ids < total_cpus) { +- if (n && n < len) +- buf[n++] = ','; ++ len += sysfs_emit_at(buf, len, ","); + + if (nr_cpu_ids == total_cpus-1) +- n += snprintf(&buf[n], len - n, "%u", nr_cpu_ids); ++ len += sysfs_emit_at(buf, len, "%u", nr_cpu_ids); + else +- n += snprintf(&buf[n], len - n, "%u-%d", ++ len += sysfs_emit_at(buf, len, "%u-%d", + nr_cpu_ids, total_cpus-1); + } + +- n += snprintf(&buf[n], len - n, "\n"); +- return n; ++ len += sysfs_emit_at(buf, len, "\n"); ++ ++ return len; + } + static DEVICE_ATTR(offline, 0444, print_cpus_offline, NULL); + +@@ -307,22 +307,23 @@ static ssize_t print_cpu_modalias(struct + struct device_attribute *attr, + char *buf) + { +- ssize_t n; ++ int len = 0; + u32 i; + +- n = sysfs_emit(buf, "cpu:type:" CPU_FEATURE_TYPEFMT ":feature:", +- CPU_FEATURE_TYPEVAL); ++ len += sysfs_emit_at(buf, len, ++ "cpu:type:" CPU_FEATURE_TYPEFMT ":feature:", ++ CPU_FEATURE_TYPEVAL); + + for (i = 0; i < MAX_CPU_FEATURES; i++) + if (cpu_have_feature(i)) { +- if (PAGE_SIZE < n + sizeof(",XXXX\n")) { ++ if (len + sizeof(",XXXX\n") >= PAGE_SIZE) { + WARN(1, "CPU features overflow page\n"); + break; + } +- n += sprintf(&buf[n], ",%04X", i); ++ len += sysfs_emit_at(buf, len, ",%04X", i); + } +- buf[n++] = '\n'; +- return n; ++ len += sysfs_emit_at(buf, len, "\n"); ++ return len; + } + + static int cpu_uevent(struct device *dev, struct kobj_uevent_env *env) +--- a/drivers/base/node.c ++++ b/drivers/base/node.c +@@ -54,13 +54,13 @@ static DEVICE_ATTR(cpulist, S_IRUGO, nod + static ssize_t node_read_meminfo(struct device *dev, + struct device_attribute *attr, char *buf) + { +- int n; ++ int len = 0; + int nid = dev->id; + struct pglist_data *pgdat = NODE_DATA(nid); + struct sysinfo i; + + si_meminfo_node(&i, nid); +- n = sysfs_emit(buf, ++ len = sysfs_emit(buf, + "Node %d MemTotal: %8lu kB\n" + "Node %d MemFree: %8lu kB\n" + "Node %d MemUsed: %8lu kB\n" +@@ -87,7 +87,7 @@ static ssize_t node_read_meminfo(struct + nid, K(sum_zone_node_page_state(nid, NR_MLOCK))); + + #ifdef CONFIG_HIGHMEM +- n += sprintf(buf + n, ++ len += sysfs_emit_at(buf, len, + "Node %d HighTotal: %8lu kB\n" + "Node %d HighFree: %8lu kB\n" + "Node %d LowTotal: %8lu kB\n" +@@ -97,7 +97,7 @@ static ssize_t node_read_meminfo(struct + nid, K(i.totalram - i.totalhigh), + nid, K(i.freeram - i.freehigh)); + #endif +- n += sprintf(buf + n, ++ len += sysfs_emit_at(buf, len, + "Node %d Dirty: %8lu kB\n" + "Node %d Writeback: %8lu kB\n" + "Node %d FilePages: %8lu kB\n" +@@ -143,8 +143,8 @@ static ssize_t node_read_meminfo(struct + #else + nid, K(sum_zone_node_page_state(nid, NR_SLAB_UNRECLAIMABLE))); + #endif +- n += hugetlb_report_node_meminfo(nid, buf + n); +- return n; ++ len += hugetlb_report_node_meminfo(nid, buf + len); ++ return len; + } + + #undef K +@@ -175,28 +175,28 @@ static ssize_t node_read_vmstat(struct d + int nid = dev->id; + struct pglist_data *pgdat = NODE_DATA(nid); + int i; +- int n = 0; ++ int len = 0; + + for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++) +- n += sprintf(buf+n, "%s %lu\n", vmstat_text[i], ++ len += sysfs_emit_at(buf, len, "%s %lu\n", vmstat_text[i], + sum_zone_node_page_state(nid, i)); + + #ifdef CONFIG_NUMA + for (i = 0; i < NR_VM_NUMA_STAT_ITEMS; i++) +- n += sprintf(buf+n, "%s %lu\n", ++ len += sysfs_emit_at(buf, len, "%s %lu\n", + vmstat_text[i + NR_VM_ZONE_STAT_ITEMS], + sum_zone_numa_state(nid, i)); + #endif + + for (i = 0; i < NR_VM_NODE_STAT_ITEMS; i++) +- n += sprintf(buf+n, "%s %lu\n", ++ len += sysfs_emit_at(buf, len, "%s %lu\n", + vmstat_text[i + NR_VM_ZONE_STAT_ITEMS + + NR_VM_NUMA_STAT_ITEMS], + node_page_state(pgdat, i)); + +- return n; ++ return len; + } +-static DEVICE_ATTR(vmstat, S_IRUGO, node_read_vmstat, NULL); ++static DEVICE_ATTR(vmstat, 0444, node_read_vmstat, NULL); + + static ssize_t node_read_distance(struct device *dev, + struct device_attribute *attr, char *buf) +@@ -211,13 +211,15 @@ static ssize_t node_read_distance(struct + */ + BUILD_BUG_ON(MAX_NUMNODES * 4 > PAGE_SIZE); + +- for_each_online_node(i) +- len += sprintf(buf + len, "%s%d", i ? " " : "", node_distance(nid, i)); ++ for_each_online_node(i) { ++ len += sysfs_emit_at(buf, len, "%s%d", ++ i ? " " : "", node_distance(nid, i)); ++ } + +- len += sprintf(buf + len, "\n"); ++ len += sysfs_emit_at(buf, len, "\n"); + return len; + } +-static DEVICE_ATTR(distance, S_IRUGO, node_read_distance, NULL); ++static DEVICE_ATTR(distance, 0444, node_read_distance, NULL); + + static struct attribute *node_dev_attrs[] = { + &dev_attr_cpumap.attr, +@@ -615,17 +617,6 @@ void unregister_one_node(int nid) + * node states attributes + */ + +-static ssize_t print_nodes_state(enum node_states state, char *buf) +-{ +- int n; +- +- n = scnprintf(buf, PAGE_SIZE - 1, "%*pbl", +- nodemask_pr_args(&node_states[state])); +- buf[n++] = '\n'; +- buf[n] = '\0'; +- return n; +-} +- + struct node_attr { + struct device_attribute attr; + enum node_states state; +@@ -635,7 +626,9 @@ static ssize_t show_node_state(struct de + struct device_attribute *attr, char *buf) + { + struct node_attr *na = container_of(attr, struct node_attr, attr); +- return print_nodes_state(na->state, buf); ++ ++ return sysfs_emit(buf, "%*pbl\n", ++ nodemask_pr_args(&node_states[na->state])); + } + + #define _NODE_ATTR(name, state) \ +--- a/drivers/base/platform.c ++++ b/drivers/base/platform.c +@@ -858,9 +858,7 @@ static ssize_t modalias_show(struct devi + if (len != -ENODEV) + return len; + +- len = snprintf(buf, PAGE_SIZE, "platform:%s\n", pdev->name); +- +- return (len >= PAGE_SIZE) ? (PAGE_SIZE - 1) : len; ++ return sysfs_emit(buf, "platform:%s\n", pdev->name); + } + static DEVICE_ATTR_RO(modalias); + diff --git a/patches.suse/drivers-core-Remove-strcat-uses-around-sysfs_emit-an.patch b/patches.suse/drivers-core-Remove-strcat-uses-around-sysfs_emit-an.patch new file mode 100644 index 0000000..9352a9d --- /dev/null +++ b/patches.suse/drivers-core-Remove-strcat-uses-around-sysfs_emit-an.patch @@ -0,0 +1,65 @@ +From 973c39115cb308b6b1fe64b4f342996f3eef06d0 Mon Sep 17 00:00:00 2001 +From: Joe Perches +Date: Wed, 16 Sep 2020 13:40:40 -0700 +Subject: [PATCH] drivers core: Remove strcat uses around sysfs_emit and neaten +Git-commit: 973c39115cb308b6b1fe64b4f342996f3eef06d0 +Patch-mainline: v5.10-rc1 +References: bsc#1200598 CVE-2022-20166 + +strcat is no longer necessary for sysfs_emit and sysfs_emit_at uses. + +Convert the strcat uses to sysfs_emit calls and neaten other block +uses of direct returns to use an intermediate const char *. + +Signed-off-by: Joe Perches +Link: https://lore.kernel.org/r/5d606519698ce4c8f1203a2b35797d8254c6050a.1600285923.git.joe@perches.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Petr Mladek + +[ pmladek@suse.com: Removed changes where the buffer could never overflow. ] +--- + drivers/base/memory.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/drivers/base/memory.c ++++ b/drivers/base/memory.c +@@ -396,6 +396,7 @@ static ssize_t show_valid_zones(struct d + unsigned long nr_pages = PAGES_PER_SECTION * sections_per_block; + unsigned long valid_start_pfn, valid_end_pfn; + bool append = false; ++ int len = 0; + int nid; + + /* +@@ -416,25 +416,25 @@ static ssize_t show_valid_zones(struct d + &valid_start_pfn, &valid_end_pfn)) + return sysfs_emit(buf, "none\n"); + start_pfn = valid_start_pfn; +- strcat(buf, page_zone(pfn_to_page(start_pfn))->name); ++ len += sysfs_emit_at(buf, len, "%s", page_zone(pfn_to_page(start_pfn))->name); + goto out; + } + + nid = mem->nid; + if (allow_online_pfn_range(nid, start_pfn, nr_pages, MMOP_ONLINE_KERNEL)) { +- strcat(buf, default_zone_for_pfn(nid, start_pfn, nr_pages)->name); ++ len += sysfs_emit_at(buf, len, "%s", default_zone_for_pfn(nid, start_pfn, nr_pages)->name); + append = true; + } + + if (allow_online_pfn_range(nid, start_pfn, nr_pages, MMOP_ONLINE_MOVABLE)) { + if (append) +- strcat(buf, " "); +- strcat(buf, NODE_DATA(nid)->node_zones[ZONE_MOVABLE].name); ++ len += sysfs_emit_at(buf, len, " "); ++ len += sysfs_emit_at(buf, len, "%s", NODE_DATA(nid)->node_zones[ZONE_MOVABLE].name); + } + out: +- strcat(buf, "\n"); ++ len += sysfs_emit_at(buf, len, "\n"); + +- return strlen(buf); ++ return len; + } + static DEVICE_ATTR(valid_zones, 0444, show_valid_zones, NULL); + #endif diff --git a/patches.suse/drivers-core-Use-sysfs_emit-and-sysfs_emit_at-for-sh.patch b/patches.suse/drivers-core-Use-sysfs_emit-and-sysfs_emit_at-for-sh.patch new file mode 100644 index 0000000..8849a09 --- /dev/null +++ b/patches.suse/drivers-core-Use-sysfs_emit-and-sysfs_emit_at-for-sh.patch @@ -0,0 +1,312 @@ +From aa838896d87af561a33ecefea1caa4c15a68bc47 Mon Sep 17 00:00:00 2001 +From: Joe Perches +Date: Wed, 16 Sep 2020 13:40:39 -0700 +Subject: [PATCH] drivers core: Use sysfs_emit and sysfs_emit_at for + show(device *...) functions +Git-commit: aa838896d87af561a33ecefea1caa4c15a68bc47 +Patch-mainline: v5.10-rc1 +References: bsc#1200598 CVE-2022-20166 + +Convert the various sprintf fmaily calls in sysfs device show functions +to sysfs_emit and sysfs_emit_at for PAGE_SIZE buffer safety. + +Done with: + +$ spatch -sp-file sysfs_emit_dev.cocci --in-place --max-width=80 . + +And cocci script: + +$ cat sysfs_emit_dev.cocci +@@ +identifier d_show; +identifier dev, attr, buf; +@@ + +ssize_t d_show(struct device *dev, struct device_attribute *attr, char *buf) +{ + <... + return +- sprintf(buf, ++ sysfs_emit(buf, + ...); + ...> +} + +@@ +identifier d_show; +identifier dev, attr, buf; +@@ + +ssize_t d_show(struct device *dev, struct device_attribute *attr, char *buf) +{ + <... + return +- snprintf(buf, PAGE_SIZE, ++ sysfs_emit(buf, + ...); + ...> +} + +@@ +identifier d_show; +identifier dev, attr, buf; +@@ + +ssize_t d_show(struct device *dev, struct device_attribute *attr, char *buf) +{ + <... + return +- scnprintf(buf, PAGE_SIZE, ++ sysfs_emit(buf, + ...); + ...> +} + +@@ +identifier d_show; +identifier dev, attr, buf; +expression chr; +@@ + +ssize_t d_show(struct device *dev, struct device_attribute *attr, char *buf) +{ + <... + return +- strcpy(buf, chr); ++ sysfs_emit(buf, chr); + ...> +} + +@@ +identifier d_show; +identifier dev, attr, buf; +identifier len; +@@ + +ssize_t d_show(struct device *dev, struct device_attribute *attr, char *buf) +{ + <... + len = +- sprintf(buf, ++ sysfs_emit(buf, + ...); + ...> + return len; +} + +@@ +identifier d_show; +identifier dev, attr, buf; +identifier len; +@@ + +ssize_t d_show(struct device *dev, struct device_attribute *attr, char *buf) +{ + <... + len = +- snprintf(buf, PAGE_SIZE, ++ sysfs_emit(buf, + ...); + ...> + return len; +} + +@@ +identifier d_show; +identifier dev, attr, buf; +identifier len; +@@ + +ssize_t d_show(struct device *dev, struct device_attribute *attr, char *buf) +{ + <... + len = +- scnprintf(buf, PAGE_SIZE, ++ sysfs_emit(buf, + ...); + ...> + return len; +} + +@@ +identifier d_show; +identifier dev, attr, buf; +identifier len; +@@ + +ssize_t d_show(struct device *dev, struct device_attribute *attr, char *buf) +{ + <... +- len += scnprintf(buf + len, PAGE_SIZE - len, ++ len += sysfs_emit_at(buf, len, + ...); + ...> + return len; +} + +@@ +identifier d_show; +identifier dev, attr, buf; +expression chr; +@@ + +ssize_t d_show(struct device *dev, struct device_attribute *attr, char *buf) +{ + ... +- strcpy(buf, chr); +- return strlen(buf); ++ return sysfs_emit(buf, chr); +} + +Signed-off-by: Joe Perches +Link: https://lore.kernel.org/r/3d033c33056d88bbe34d4ddb62afd05ee166ab9a.1600285923.git.joe@perches.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Petr Mladek + +[ pmladek@suse.com: Removed changes whe the buffer could never overflow. ] + +--- + drivers/base/cpu.c | 16 ++++------------ + drivers/base/memory.c | 2 +- + drivers/base/node.c | 28 ++++++++++++++-------------- + drivers/base/platform.c | 2 +- + drivers/base/power/sysfs.c | 2 +- + drivers/base/soc.c | 8 ++++---- + 6 files changed, 25 insertions(+), 33 deletions(-) + +--- a/drivers/base/cpu.c ++++ b/drivers/base/cpu.c +@@ -270,11 +270,7 @@ static DEVICE_ATTR(offline, 0444, print_ + static ssize_t print_cpus_isolated(struct device *dev, + struct device_attribute *attr, char *buf) + { +- int n = 0, len = PAGE_SIZE-2; +- +- n = scnprintf(buf, len, "%*pbl\n", cpumask_pr_args(cpu_isolated_map)); +- +- return n; ++ return sysfs_emit(buf, "%*pbl\n", cpumask_pr_args(cpu_isolated_map)); + } + static DEVICE_ATTR(isolated, 0444, print_cpus_isolated, NULL); + +@@ -282,11 +278,7 @@ static DEVICE_ATTR(isolated, 0444, print + static ssize_t print_cpus_nohz_full(struct device *dev, + struct device_attribute *attr, char *buf) + { +- int n = 0, len = PAGE_SIZE-2; +- +- n = scnprintf(buf, len, "%*pbl\n", cpumask_pr_args(tick_nohz_full_mask)); +- +- return n; ++ return sysfs_emit(buf, "%*pbl\n", cpumask_pr_args(tick_nohz_full_mask)); + } + static DEVICE_ATTR(nohz_full, 0444, print_cpus_nohz_full, NULL); + #endif +@@ -318,8 +310,8 @@ static ssize_t print_cpu_modalias(struct + ssize_t n; + u32 i; + +- n = sprintf(buf, "cpu:type:" CPU_FEATURE_TYPEFMT ":feature:", +- CPU_FEATURE_TYPEVAL); ++ n = sysfs_emit(buf, "cpu:type:" CPU_FEATURE_TYPEFMT ":feature:", ++ CPU_FEATURE_TYPEVAL); + + for (i = 0; i < MAX_CPU_FEATURES; i++) + if (cpu_have_feature(i)) { +--- a/drivers/base/memory.c ++++ b/drivers/base/memory.c +@@ -414,7 +414,7 @@ static ssize_t show_valid_zones(struct d + */ + if (!test_pages_in_a_zone(start_pfn, start_pfn + nr_pages, + &valid_start_pfn, &valid_end_pfn)) +- return sprintf(buf, "none\n"); ++ return sysfs_emit(buf, "none\n"); + start_pfn = valid_start_pfn; + strcat(buf, page_zone(pfn_to_page(start_pfn))->name); + goto out; +--- a/drivers/base/node.c ++++ b/drivers/base/node.c +@@ -60,7 +60,7 @@ static ssize_t node_read_meminfo(struct + struct sysinfo i; + + si_meminfo_node(&i, nid); +- n = sprintf(buf, ++ n = sysfs_emit(buf, + "Node %d MemTotal: %8lu kB\n" + "Node %d MemFree: %8lu kB\n" + "Node %d MemUsed: %8lu kB\n" +@@ -153,19 +153,19 @@ static DEVICE_ATTR(meminfo, S_IRUGO, nod + static ssize_t node_read_numastat(struct device *dev, + struct device_attribute *attr, char *buf) + { +- return sprintf(buf, +- "numa_hit %lu\n" +- "numa_miss %lu\n" +- "numa_foreign %lu\n" +- "interleave_hit %lu\n" +- "local_node %lu\n" +- "other_node %lu\n", +- sum_zone_numa_state(dev->id, NUMA_HIT), +- sum_zone_numa_state(dev->id, NUMA_MISS), +- sum_zone_numa_state(dev->id, NUMA_FOREIGN), +- sum_zone_numa_state(dev->id, NUMA_INTERLEAVE_HIT), +- sum_zone_numa_state(dev->id, NUMA_LOCAL), +- sum_zone_numa_state(dev->id, NUMA_OTHER)); ++ return sysfs_emit(buf, ++ "numa_hit %lu\n" ++ "numa_miss %lu\n" ++ "numa_foreign %lu\n" ++ "interleave_hit %lu\n" ++ "local_node %lu\n" ++ "other_node %lu\n", ++ sum_zone_numa_state(dev->id, NUMA_HIT), ++ sum_zone_numa_state(dev->id, NUMA_MISS), ++ sum_zone_numa_state(dev->id, NUMA_FOREIGN), ++ sum_zone_numa_state(dev->id, NUMA_INTERLEAVE_HIT), ++ sum_zone_numa_state(dev->id, NUMA_LOCAL), ++ sum_zone_numa_state(dev->id, NUMA_OTHER)); + } + static DEVICE_ATTR(numastat, S_IRUGO, node_read_numastat, NULL); + +--- a/drivers/base/platform.c ++++ b/drivers/base/platform.c +@@ -905,7 +905,7 @@ static ssize_t driver_override_show(stru + ssize_t len; + + device_lock(dev); +- len = sprintf(buf, "%s\n", pdev->driver_override); ++ len = sysfs_emit(buf, "%s\n", pdev->driver_override); + device_unlock(dev); + return len; + } +--- a/drivers/base/power/sysfs.c ++++ b/drivers/base/power/sysfs.c +@@ -101,7 +101,7 @@ static const char ctrl_on[] = "on"; + static ssize_t control_show(struct device *dev, struct device_attribute *attr, + char *buf) + { +- return sprintf(buf, "%s\n", ++ return sysfs_emit(buf, "%s\n", + dev->power.runtime_auto ? ctrl_auto : ctrl_on); + } + +--- a/drivers/base/soc.c ++++ b/drivers/base/soc.c +@@ -72,13 +72,13 @@ static ssize_t soc_info_get(struct devic + struct soc_device *soc_dev = container_of(dev, struct soc_device, dev); + + if (attr == &dev_attr_machine) +- return sprintf(buf, "%s\n", soc_dev->attr->machine); ++ return sysfs_emit(buf, "%s\n", soc_dev->attr->machine); + if (attr == &dev_attr_family) +- return sprintf(buf, "%s\n", soc_dev->attr->family); ++ return sysfs_emit(buf, "%s\n", soc_dev->attr->family); + if (attr == &dev_attr_revision) +- return sprintf(buf, "%s\n", soc_dev->attr->revision); ++ return sysfs_emit(buf, "%s\n", soc_dev->attr->revision); + if (attr == &dev_attr_soc_id) +- return sprintf(buf, "%s\n", soc_dev->attr->soc_id); ++ return sysfs_emit(buf, "%s\n", soc_dev->attr->soc_id); + + return -EINVAL; + diff --git a/patches.suse/ehea-fix-error-return-code-in-ehea_restart_qps.patch b/patches.suse/ehea-fix-error-return-code-in-ehea_restart_qps.patch new file mode 100644 index 0000000..7185325 --- /dev/null +++ b/patches.suse/ehea-fix-error-return-code-in-ehea_restart_qps.patch @@ -0,0 +1,68 @@ +From babe58e001576c73bba73101dfa8bd2ca7262094 Mon Sep 17 00:00:00 2001 +From: Zhen Lei +Date: Fri, 28 May 2021 16:55:55 +0800 +Subject: [PATCH 15/16] ehea: fix error return code in ehea_restart_qps() +Git-commit: 015dbf5662fd689d581c0bc980711b073ca09a1a +Patch-mainline: v5.14-rc1 +References: git-fixes + +Fix to return -EFAULT from the error handling case instead of 0, as done +elsewhere in this function. + +By the way, when get_zeroed_page() fails, directly return -ENOMEM to +simplify code. + +Fixes: 2c69448bbced ("ehea: DLPAR memory add fix") +Reported-by: Hulk Robot +Signed-off-by: Zhen Lei +Link: https://lore.kernel.org/r/20210528085555.9390-1-thunder.leizhen@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/ibm/ehea/ehea_main.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/ibm/ehea/ehea_main.c b/drivers/net/ethernet/ibm/ehea/ehea_main.c +index 975a7b9867a0..1e5874f2f3cf 100644 +--- a/drivers/net/ethernet/ibm/ehea/ehea_main.c ++++ b/drivers/net/ethernet/ibm/ehea/ehea_main.c +@@ -2647,10 +2647,8 @@ static int ehea_restart_qps(struct net_device *dev) + u16 dummy16 = 0; + + cb0 = (void *)get_zeroed_page(GFP_KERNEL); +- if (!cb0) { +- ret = -ENOMEM; +- goto out; +- } ++ if (!cb0) ++ return -ENOMEM; + + for (i = 0; i < (port->num_def_qps); i++) { + struct ehea_port_res *pr = &port->port_res[i]; +@@ -2670,6 +2668,7 @@ static int ehea_restart_qps(struct net_device *dev) + cb0); + if (hret != H_SUCCESS) { + netdev_err(dev, "query_ehea_qp failed (1)\n"); ++ ret = -EFAULT; + goto out; + } + +@@ -2682,6 +2681,7 @@ static int ehea_restart_qps(struct net_device *dev) + &dummy64, &dummy16, &dummy16); + if (hret != H_SUCCESS) { + netdev_err(dev, "modify_ehea_qp failed (1)\n"); ++ ret = -EFAULT; + goto out; + } + +@@ -2690,6 +2690,7 @@ static int ehea_restart_qps(struct net_device *dev) + cb0); + if (hret != H_SUCCESS) { + netdev_err(dev, "query_ehea_qp failed (2)\n"); ++ ret = -EFAULT; + goto out; + } + +-- +2.16.4 + diff --git a/patches.suse/fbcon-Disallow-setting-font-bigger-than-screen-size.patch b/patches.suse/fbcon-Disallow-setting-font-bigger-than-screen-size.patch new file mode 100644 index 0000000..3dabd4c --- /dev/null +++ b/patches.suse/fbcon-Disallow-setting-font-bigger-than-screen-size.patch @@ -0,0 +1,37 @@ +From 65a01e601dbba8b7a51a2677811f70f783766682 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Sat, 25 Jun 2022 12:56:49 +0200 +Subject: [PATCH] fbcon: Disallow setting font bigger than screen size +Git-commit: 65a01e601dbba8b7a51a2677811f70f783766682 +Patch-mainline: v5.19-rc6 +References: CVE-2021-33655 bsc#1201635 + +Prevent that users set a font size which is bigger than the physical screen. +It's unlikely this may happen (because screens are usually much larger than the +fonts and each font char is limited to 32x32 pixels), but it may happen on +smaller screens/LCD displays. + +Signed-off-by: Helge Deller +Reviewed-by: Daniel Vetter +Reviewed-by: Geert Uytterhoeven +Cc: stable@vger.kernel.org # v4.14+ +Acked-by: Takashi Iwai + +--- + drivers/video/console/fbcon.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/video/console/fbcon.c ++++ b/drivers/video/console/fbcon.c +@@ -2415,6 +2415,11 @@ static int fbcon_set_font(struct vc_data + if (charcount != 256 && charcount != 512) + return -EINVAL; + ++ /* font bigger than screen resolution ? */ ++ if (w > FBCON_SWAP(info->var.rotate, info->var.xres, info->var.yres) || ++ h > FBCON_SWAP(info->var.rotate, info->var.yres, info->var.xres)) ++ return -EINVAL; ++ + /* Make sure drawing engine can handle the font */ + if (!(info->pixmap.blit_x & (1 << (font->width - 1))) || + !(info->pixmap.blit_y & (1 << (font->height - 1)))) diff --git a/patches.suse/fbcon-Prevent-that-screen-size-is-smaller-than-font-.patch b/patches.suse/fbcon-Prevent-that-screen-size-is-smaller-than-font-.patch new file mode 100644 index 0000000..081dba3 --- /dev/null +++ b/patches.suse/fbcon-Prevent-that-screen-size-is-smaller-than-font-.patch @@ -0,0 +1,109 @@ +From e64242caef18b4a5840b0e7a9bff37abd4f4f933 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Sat, 25 Jun 2022 13:00:34 +0200 +Subject: [PATCH] fbcon: Prevent that screen size is smaller than font size +Git-commit: e64242caef18b4a5840b0e7a9bff37abd4f4f933 +Patch-mainline: v5.19-rc6 +References: CVE-2021-33655 bsc#1201635 + +[ backport note: the patch was heavily modified to be adaptable to the + old kernel code where both fbcon and fbmem were still separated. + The original patch exports fbcon_modechange_possible() from fbcon to + be used by fbmem, but it's not possible with the old kernel. + Hence, this patch makes fbcon_modechange_possible() to be called via + the fb notifier instead. fbmem calls the notifier with the new event + type. -- tiwai ] + +We need to prevent that users configure a screen size which is smaller than the +currently selected font size. Otherwise rendering chars on the screen will +access memory outside the graphics memory region. + +This patch adds a new function fbcon_modechange_possible() which +implements this check and which later may be extended with other checks +if necessary. The new function is called from the FBIOPUT_VSCREENINFO +ioctl handler in fbmem.c, which will return -EINVAL if userspace asked +for a too small screen size. + +Signed-off-by: Helge Deller +Reviewed-by: Geert Uytterhoeven +Cc: stable@vger.kernel.org # v5.4+ +Acked-by: Takashi Iwai + +--- + drivers/video/console/fbcon.c | 29 +++++++++++++++++++++++++++++ + drivers/video/fbdev/core/fbmem.c | 7 ++++++- + include/linux/fb.h | 2 ++ + 3 files changed, 37 insertions(+), 1 deletion(-) + +--- a/drivers/video/console/fbcon.c ++++ b/drivers/video/console/fbcon.c +@@ -2676,6 +2676,32 @@ static void fbcon_set_all_vcs(struct fb_ + fbcon_modechanged(info); + } + ++/* let fbcon check if it supports a new screen resolution */ ++static int fbcon_modechange_possible(struct fb_info *info, ++ struct fb_var_screeninfo *var) ++{ ++ struct fbcon_ops *ops = info->fbcon_par; ++ struct vc_data *vc; ++ unsigned int i; ++ ++ if (!ops) ++ return 0; ++ ++ /* prevent setting a screen size which is smaller than font size */ ++ for (i = first_fb_vc; i <= last_fb_vc; i++) { ++ vc = vc_cons[i].d; ++ if (!vc || vc->vc_mode != KD_TEXT || ++ registered_fb[con2fb_map[i]] != info) ++ continue; ++ ++ if (vc->vc_font.width > FBCON_SWAP(var->rotate, var->xres, var->yres) || ++ vc->vc_font.height > FBCON_SWAP(var->rotate, var->yres, var->xres)) ++ return notifier_from_errno(-EINVAL); ++ } ++ ++ return 0; ++} ++ + static int fbcon_mode_deleted(struct fb_info *info, + struct fb_videomode *mode) + { +@@ -3031,6 +3057,9 @@ static int fbcon_event_notify(struct not + idx = info->node; + fbcon_remap_all(idx); + break; ++ case FB_EVENT_MODE_CHANGE_CHECK: ++ ret = fbcon_modechange_possible(event->info, event->data); ++ break; + } + done: + return ret; +--- a/drivers/video/fbdev/core/fbmem.c ++++ b/drivers/video/fbdev/core/fbmem.c +@@ -1123,7 +1123,12 @@ static long do_fb_ioctl(struct fb_info * + return -ENODEV; + } + info->flags |= FBINFO_MISC_USEREVENT; +- ret = fb_set_var(info, &var); ++ event.info = info; ++ event.data = &var; ++ ret = fb_notifier_call_chain(FB_EVENT_MODE_CHANGE_CHECK, &event); ++ ret = notifier_to_errno(ret); ++ if (!ret) ++ ret = fb_set_var(info, &var); + info->flags &= ~FBINFO_MISC_USEREVENT; + unlock_fb_info(info); + console_unlock(); +--- a/include/linux/fb.h ++++ b/include/linux/fb.h +@@ -162,6 +162,8 @@ struct fb_cursor_user { + #define FB_EARLY_EVENT_BLANK 0x10 + /* A hardware display blank revert early change occured */ + #define FB_R_EARLY_EVENT_BLANK 0x11 ++/* pre-check for mode change (used only by fbcon) */ ++#define FB_EVENT_MODE_CHANGE_CHECK 0x12 + + struct fb_event { + struct fb_info *info; diff --git a/patches.suse/fbmem-Check-virtual-screen-sizes-in-fb_set_var.patch b/patches.suse/fbmem-Check-virtual-screen-sizes-in-fb_set_var.patch new file mode 100644 index 0000000..ee76c84 --- /dev/null +++ b/patches.suse/fbmem-Check-virtual-screen-sizes-in-fb_set_var.patch @@ -0,0 +1,40 @@ +From 6c11df58fd1ac0aefcb3b227f72769272b939e56 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Wed, 29 Jun 2022 15:53:55 +0200 +Subject: [PATCH] fbmem: Check virtual screen sizes in fb_set_var() +Git-commit: 6c11df58fd1ac0aefcb3b227f72769272b939e56 +Patch-mainline: v5.19-rc6 +References: CVE-2021-33655 bsc#1201635 + +Verify that the fbdev or drm driver correctly adjusted the virtual +screen sizes. On failure report the failing driver and reject the screen +size change. + +Signed-off-by: Helge Deller +Reviewed-by: Geert Uytterhoeven +Cc: stable@vger.kernel.org # v5.4+ +Acked-by: Takashi Iwai + +--- + drivers/video/fbdev/core/fbmem.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/video/fbdev/core/fbmem.c ++++ b/drivers/video/fbdev/core/fbmem.c +@@ -956,6 +956,16 @@ fb_set_var(struct fb_info *info, struct + int ret = 0; + u32 unused; + ++ /* verify that virtual resolution >= physical resolution */ ++ if (var->xres_virtual < var->xres || ++ var->yres_virtual < var->yres) { ++ pr_warn("WARNING: fbcon: Driver '%s' missed to adjust virtual screen size (%ux%u vs. %ux%u)\n", ++ info->fix.id, ++ var->xres_virtual, var->yres_virtual, ++ var->xres, var->yres); ++ return -EINVAL; ++ } ++ + if (var->activate & FB_ACTIVATE_INV_MODE) { + struct fb_videomode mode1, mode2; + diff --git a/patches.suse/fdt-add-support-for-rng-seed.patch b/patches.suse/fdt-add-support-for-rng-seed.patch index 249ac5e..ed2c31c 100644 --- a/patches.suse/fdt-add-support-for-rng-seed.patch +++ b/patches.suse/fdt-add-support-for-rng-seed.patch @@ -20,6 +20,8 @@ add_hwgenerator_randomness(). Otherwise it would be passed to add_device_randomness(). Decision is controlled by kernel config RANDOM_TRUST_BOOTLOADER. +[lduncan: re-refreshed to apply cleanly again.] + Signed-off-by: Hsin-Yi Wang Reviewed-by: Stephen Boyd Reviewed-by: Rob Herring @@ -127,5 +129,5 @@ Signed-off-by: Mian Yousaf Kaukab extern void add_device_randomness(const void *, unsigned int); +extern void add_bootloader_randomness(const void *, unsigned int); - #if defined(CONFIG_GCC_PLUGIN_LATENT_ENTROPY) && !defined(__CHECKER__) + #if defined(LATENT_ENTROPY_PLUGIN) && !defined(__CHECKER__) static inline void add_latent_entropy(void) diff --git a/patches.suse/fsl_lpuart-Don-t-enable-interrupts-too-early.patch b/patches.suse/fsl_lpuart-Don-t-enable-interrupts-too-early.patch new file mode 100644 index 0000000..1a3c968 --- /dev/null +++ b/patches.suse/fsl_lpuart-Don-t-enable-interrupts-too-early.patch @@ -0,0 +1,64 @@ +From: Indan Zupancic +Date: Thu, 5 May 2022 13:47:50 +0200 +Subject: fsl_lpuart: Don't enable interrupts too early + +Git-commit: 401fb66a355eb0f22096cf26864324f8e63c7d78 +Patch-mainline: v5.18-rc7 +References: git-fixes + +If an irq is pending when devm_request_irq() is called, the irq +handler will cause a NULL pointer access because initialisation +is not done yet. + +Fixes: 9d7ee0e28da59 ("tty: serial: lpuart: avoid report NULL interrupt") +Cc: stable +Signed-off-by: Indan Zupancic +Link: https://lore.kernel.org/r/20220505114750.45423-1-Indan.Zupancic@mep-info.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Mian Yousaf Kaukab +--- + drivers/tty/serial/fsl_lpuart.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/drivers/tty/serial/fsl_lpuart.c ++++ b/drivers/tty/serial/fsl_lpuart.c +@@ -2206,6 +2206,7 @@ static int lpuart_probe(struct platform_ + struct device_node *np = pdev->dev.of_node; + struct lpuart_port *sport; + struct resource *res; ++ irq_handler_t handler; + int ret; + + sport = devm_kzalloc(&pdev->dev, sizeof(*sport), GFP_KERNEL); +@@ -2283,17 +2284,11 @@ static int lpuart_probe(struct platform_ + + if (lpuart_is_32(sport)) { + lpuart_reg.cons = LPUART32_CONSOLE; +- ret = devm_request_irq(&pdev->dev, sport->port.irq, lpuart32_int, 0, +- DRIVER_NAME, sport); ++ handler = lpuart32_int; + } else { + lpuart_reg.cons = LPUART_CONSOLE; +- ret = devm_request_irq(&pdev->dev, sport->port.irq, lpuart_int, 0, +- DRIVER_NAME, sport); ++ handler = lpuart_int; + } +- +- if (ret) +- goto failed_irq_request; +- + ret = uart_add_one_port(&lpuart_reg, &sport->port); + if (ret) + goto failed_attach_port; +@@ -2314,6 +2309,11 @@ static int lpuart_probe(struct platform_ + writeb(UARTMODEM_TXRTSE, sport->port.membase + UARTMODEM); + } + ++ ret = devm_request_irq(&pdev->dev, sport->port.irq, handler, 0, ++ DRIVER_NAME, sport); ++ if (ret) ++ goto failed_irq_request; ++ + return 0; + + failed_attach_port: diff --git a/patches.suse/intel_idle-Disable-IBRS-during-long-idle.patch b/patches.suse/intel_idle-Disable-IBRS-during-long-idle.patch index 13433c2..7dd1066 100644 --- a/patches.suse/intel_idle-Disable-IBRS-during-long-idle.patch +++ b/patches.suse/intel_idle-Disable-IBRS-during-long-idle.patch @@ -2,8 +2,7 @@ From: Peter Zijlstra Date: Tue, 14 Jun 2022 23:15:58 +0200 Subject: intel_idle: Disable IBRS during long idle Git-commit: bf5835bcdb9635c97f85120dba9bfa21e111130f -Patch-mainline: Queued in tip for 5.19 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: v5.19-rc4 References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 Having IBRS enabled while the SMT sibling is idle unnecessarily slows @@ -190,7 +189,7 @@ Signed-off-by: Borislav Petkov continue; } -+ if (cpu_feature_enabled(X86_FEATURE_USE_IBRS) && ++ if (cpu_feature_enabled(X86_FEATURE_KERNEL_IBRS) && + cpuidle_state_table[cstate].flags & CPUIDLE_FLAG_IBRS) { + drv->states[drv->state_count].enter = intel_idle_ibrs; + } diff --git a/patches.suse/ipv4-avoid-using-shared-IP-generator-for-connected-s.patch b/patches.suse/ipv4-avoid-using-shared-IP-generator-for-connected-s.patch new file mode 100644 index 0000000..7697c31 --- /dev/null +++ b/patches.suse/ipv4-avoid-using-shared-IP-generator-for-connected-s.patch @@ -0,0 +1,64 @@ +From: Eric Dumazet +Date: Wed, 26 Jan 2022 17:10:22 -0800 +Subject: ipv4: avoid using shared IP generator for connected sockets +Patch-mainline: v5.17-rc2 +Git-commit: 23f57406b82de51809d5812afd96f210f8b627f3 +References: CVE-2020-36516 bsc#1196616 + +ip_select_ident_segs() has been very conservative about using +the connected socket private generator only for packets with IP_DF +set, claiming it was needed for some VJ compression implementations. + +As mentioned in this referenced document, this can be abused. +(Ref: Off-Path TCP Exploits of the Mixed IPID Assignment) + +Before switching to pure random IPID generation and possibly hurt +some workloads, lets use the private inet socket generator. + +Not only this will remove one vulnerability, this will also +improve performance of TCP flows using pmtudisc==IP_PMTUDISC_DONT + +Fixes: 73f156a6e8c1 ("inetpeer: get rid of ip_id_count") +Signed-off-by: Eric Dumazet +Reviewed-by: David Ahern +Reported-by: Ray Che +Cc: Willy Tarreau +Signed-off-by: Jakub Kicinski +Acked-by: Michal Kubecek + +--- + include/net/ip.h | 21 ++++++++++----------- + 1 file changed, 10 insertions(+), 11 deletions(-) + +--- a/include/net/ip.h ++++ b/include/net/ip.h +@@ -385,19 +385,18 @@ static inline void ip_select_ident_segs(struct net *net, struct sk_buff *skb, + { + struct iphdr *iph = ip_hdr(skb); + ++ /* We had many attacks based on IPID, use the private ++ * generator as much as we can. ++ */ ++ if (sk && inet_sk(sk)->inet_daddr) { ++ iph->id = htons(inet_sk(sk)->inet_id); ++ inet_sk(sk)->inet_id += segs; ++ return; ++ } + if ((iph->frag_off & htons(IP_DF)) && !skb->ignore_df) { +- /* This is only to work around buggy Windows95/2000 +- * VJ compression implementations. If the ID field +- * does not change, they drop every other packet in +- * a TCP stream using header compression. +- */ +- if (sk && inet_sk(sk)->inet_daddr) { +- iph->id = htons(inet_sk(sk)->inet_id); +- inet_sk(sk)->inet_id += segs; +- } else { +- iph->id = 0; +- } ++ iph->id = 0; + } else { ++ /* Unfortunately we need the big hammer to get a suitable IPID */ + __ip_select_ident(net, iph, segs); + } + } diff --git a/patches.suse/ipv4-tcp-send-zero-IPID-in-SYNACK-messages.patch b/patches.suse/ipv4-tcp-send-zero-IPID-in-SYNACK-messages.patch new file mode 100644 index 0000000..b9fe974 --- /dev/null +++ b/patches.suse/ipv4-tcp-send-zero-IPID-in-SYNACK-messages.patch @@ -0,0 +1,71 @@ +From: Eric Dumazet +Date: Wed, 26 Jan 2022 17:10:21 -0800 +Subject: ipv4: tcp: send zero IPID in SYNACK messages +Patch-mainline: v5.17-rc2 +Git-commit: 970a5a3ea86da637471d3cd04d513a0755aba4bf +References: CVE-2020-36516 bsc#1196616 + +In commit 431280eebed9 ("ipv4: tcp: send zero IPID for RST and +ACK sent in SYN-RECV and TIME-WAIT state") we took care of some +ctl packets sent by TCP. + +It turns out we need to use a similar strategy for SYNACK packets. + +By default, they carry IP_DF and IPID==0, but there are ways +to ask them to use the hashed IP ident generator and thus +be used to build off-path attacks. +(Ref: Off-Path TCP Exploits of the Mixed IPID Assignment) + +One of this way is to force (before listener is started) +echo 1 >/proc/sys/net/ipv4/ip_no_pmtu_disc + +Another way is using forged ICMP ICMP_FRAG_NEEDED +with a very small MTU (like 68) to force a false return from +ip_dont_fragment() + +In this patch, ip_build_and_send_pkt() uses the following +heuristics. + +1) Most SYNACK packets are smaller than IPV4_MIN_MTU and therefore +can use IP_DF regardless of the listener or route pmtu setting. + +2) In case the SYNACK packet is bigger than IPV4_MIN_MTU, +we use prandom_u32() generator instead of the IPv4 hashed ident one. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: Ray Che +Reviewed-by: David Ahern +Cc: Geoff Alexander +Cc: Willy Tarreau +Signed-off-by: Jakub Kicinski +Acked-by: Michal Kubecek + +--- + net/ipv4/ip_output.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -160,12 +160,19 @@ int ip_build_and_send_pkt(struct sk_buff *skb, const struct sock *sk, + iph->daddr = (opt && opt->opt.srr ? opt->opt.faddr : daddr); + iph->saddr = saddr; + iph->protocol = sk->sk_protocol; +- if (ip_dont_fragment(sk, &rt->dst)) { ++ /* Do not bother generating IPID for small packets (eg SYNACK) */ ++ if (skb->len <= IPV4_MIN_MTU || ip_dont_fragment(sk, &rt->dst)) { + iph->frag_off = htons(IP_DF); + iph->id = 0; + } else { + iph->frag_off = 0; +- __ip_select_ident(net, iph, 1); ++ /* TCP packets here are SYNACK with fat IPv4/TCP options. ++ * Avoid using the hashed IP ident generator. ++ */ ++ if (sk->sk_protocol == IPPROTO_TCP) ++ iph->id = (__force __be16)prandom_u32(); ++ else ++ __ip_select_ident(net, iph, 1); + } + + if (opt && opt->opt.optlen) { diff --git a/patches.suse/irqchip-exiu-Fix-acknowledgment-of-edge-triggered-in.patch b/patches.suse/irqchip-exiu-Fix-acknowledgment-of-edge-triggered-in.patch new file mode 100644 index 0000000..a6e09fc --- /dev/null +++ b/patches.suse/irqchip-exiu-Fix-acknowledgment-of-edge-triggered-in.patch @@ -0,0 +1,101 @@ +From: Daniel Thompson +Date: Tue, 3 May 2022 14:45:41 +0100 +Subject: irqchip/exiu: Fix acknowledgment of edge triggered interrupts + +Git-commit: 4efc851c36e389f7ed432edac0149acc5f94b0c7 +Patch-mainline: v5.19-rc1 +References: git-fixes + +Currently the EXIU uses the fasteoi interrupt flow that is configured by +it's parent (irq-gic-v3.c). With this flow the only chance to clear the +interrupt request happens during .irq_eoi() and (obviously) this happens +after the interrupt handler has run. EXIU requires edge triggered +interrupts to be acked prior to interrupt handling. Without this we +risk incorrect interrupt dismissal when a new interrupt is delivered +after the handler reads and acknowledges the peripheral but before the +irq_eoi() takes place. + +Fix this by clearing the interrupt request from .irq_ack() if we are +configured for edge triggered interrupts. This requires adopting the +fasteoi-ack flow instead of the fasteoi to ensure the ack gets called. + +These changes have been tested using the power button on a +Developerbox/SC2A11 combined with some hackery in gpio-keys so I can +play with the different trigger mode [and an mdelay(500) so I can +can check what happens on a double click in both modes]. + +Fixes: 706cffc1b912 ("irqchip/exiu: Add support for Socionext Synquacer EXIU controller") +Signed-off-by: Daniel Thompson +Reviewed-by: Ard Biesheuvel +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20220503134541.2566457-1-daniel.thompson@linaro.org +Signed-off-by: Mian Yousaf Kaukab +--- + arch/arm64/Kconfig.platforms | 1 + + drivers/irqchip/irq-sni-exiu.c | 25 ++++++++++++++++++++++--- + 2 files changed, 23 insertions(+), 3 deletions(-) + +--- a/arch/arm64/Kconfig.platforms ++++ b/arch/arm64/Kconfig.platforms +@@ -160,6 +160,7 @@ config ARCH_SHMOBILE + + config ARCH_SYNQUACER + bool "Socionext SynQuacer SoC Family" ++ select IRQ_FASTEOI_HIERARCHY_HANDLERS + + config ARCH_RENESAS + bool "Renesas SoC Platforms" +--- a/drivers/irqchip/irq-sni-exiu.c ++++ b/drivers/irqchip/irq-sni-exiu.c +@@ -39,11 +39,26 @@ struct exiu_irq_data { + u32 spi_base; + }; + +-static void exiu_irq_eoi(struct irq_data *d) ++static void exiu_irq_ack(struct irq_data *d) + { + struct exiu_irq_data *data = irq_data_get_irq_chip_data(d); + + writel(BIT(d->hwirq), data->base + EIREQCLR); ++} ++ ++static void exiu_irq_eoi(struct irq_data *d) ++{ ++ struct exiu_irq_data *data = irq_data_get_irq_chip_data(d); ++ ++ /* ++ * Level triggered interrupts are latched and must be cleared during ++ * EOI or the interrupt will be jammed on. Of course if a level ++ * triggered interrupt is still asserted then the write will not clear ++ * the interrupt. ++ */ ++ if (irqd_is_level_type(d)) ++ writel(BIT(d->hwirq), data->base + EIREQCLR); ++ + irq_chip_eoi_parent(d); + } + +@@ -93,10 +108,13 @@ static int exiu_irq_set_type(struct irq_ + writel_relaxed(val, data->base + EILVL); + + val = readl_relaxed(data->base + EIEDG); +- if (type == IRQ_TYPE_LEVEL_LOW || type == IRQ_TYPE_LEVEL_HIGH) ++ if (type == IRQ_TYPE_LEVEL_LOW || type == IRQ_TYPE_LEVEL_HIGH) { + val &= ~BIT(d->hwirq); +- else ++ irq_set_handler_locked(d, handle_fasteoi_irq); ++ } else { + val |= BIT(d->hwirq); ++ irq_set_handler_locked(d, handle_fasteoi_ack_irq); ++ } + writel_relaxed(val, data->base + EIEDG); + + writel_relaxed(BIT(d->hwirq), data->base + EIREQCLR); +@@ -106,6 +124,7 @@ static int exiu_irq_set_type(struct irq_ + + static struct irq_chip exiu_irq_chip = { + .name = "EXIU", ++ .irq_ack = exiu_irq_ack, + .irq_eoi = exiu_irq_eoi, + .irq_enable = exiu_irq_enable, + .irq_mask = exiu_irq_mask, diff --git a/patches.suse/kvm-emulate-do-not-adjust-size-of-fastop-and-setcc-subroutines.patch b/patches.suse/kvm-emulate-do-not-adjust-size-of-fastop-and-setcc-subroutines.patch new file mode 100644 index 0000000..7073ba8 --- /dev/null +++ b/patches.suse/kvm-emulate-do-not-adjust-size-of-fastop-and-setcc-subroutines.patch @@ -0,0 +1,62 @@ +From: Paolo Bonzini +Date: Fri, 15 Jul 2022 07:34:55 -0400 +Subject: KVM: emulate: do not adjust size of fastop and setcc subroutines +Git-commit: 79629181607e801c0b41b8790ac4ee2eb5d7bc3e +Patch-mainline: v5.19-rc7 +References: bsc#1201930 + +Instead of doing complicated calculations to find the size of the subroutines +(which are even more complicated because they need to be stringified into +an asm statement), just hardcode to 16. + +It is less dense for a few combinations of IBT/SLS/retbleed, but it has +the advantage of being really simple. + +Cc: stable@vger.kernel.org # 5.15.x: 84e7051c0bc1: x86/kvm: fix FASTOP_SIZE when return thunks are enabled +Cc: stable@vger.kernel.org +Suggested-by: Linus Torvalds +Signed-off-by: Paolo Bonzini +Acked-by: Borislav Petkov +--- + arch/x86/kvm/emulate.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -189,9 +189,6 @@ + #define X8(x...) X4(x), X4(x) + #define X16(x...) X8(x), X8(x) + +-#define NR_FASTOP (ilog2(sizeof(ulong)) + 1) +-#define FASTOP_SIZE 8 +- + /* + * fastop functions have a special calling convention: + * +@@ -207,8 +204,14 @@ + * + * fastop functions are declared as taking a never-defined fastop parameter, + * so they can't be called from C directly. ++ * ++ * The 16 byte alignment, considering 5 bytes for the RET thunk, 3 for ENDBR ++ * and 1 for the straight line speculation INT3, leaves 7 bytes for the ++ * body of the function. Currently none is larger than 4. + */ + ++#define FASTOP_SIZE 16 ++ + struct fastop; + + struct opcode { +@@ -434,10 +437,7 @@ static int fastop(struct x86_emulate_ctx + * RET | JMP __x86_return_thunk [1,5 bytes; CONFIG_RETPOLINE] + * INT3 [1 byte; CONFIG_SLS] + */ +-#define RET_LENGTH (1 + (4 * IS_ENABLED(CONFIG_RETPOLINE)) + \ +- IS_ENABLED(CONFIG_SLS)) +-#define SETCC_LENGTH (3 + RET_LENGTH) +-#define SETCC_ALIGN (4 << ((SETCC_LENGTH > 4) & 1) << ((SETCC_LENGTH > 8) & 1)) ++#define SETCC_ALIGN 16 + + /* Special case for SETcc - 1 instruction per cc */ + #define FOP_SETCC(op) \ diff --git a/patches.suse/kvm-emulate-fix-setcc-emulation-function-offsets-with-sls.patch b/patches.suse/kvm-emulate-fix-setcc-emulation-function-offsets-with-sls.patch new file mode 100644 index 0000000..65b436d --- /dev/null +++ b/patches.suse/kvm-emulate-fix-setcc-emulation-function-offsets-with-sls.patch @@ -0,0 +1,90 @@ +From: Borislav Petkov +Date: Wed, 16 Mar 2022 22:05:52 +0100 +Subject: kvm/emulate: Fix SETcc emulation function offsets with SLS +Git-commit: fe83f5eae432ccc8e90082d6ed506d5233547473 +Patch-mainline: v5.17 +References: bsc#1201930 + +The commit in Fixes started adding INT3 after RETs as a mitigation +against straight-line speculation. + +The fastop SETcc implementation in kvm's insn emulator uses macro magic +to generate all possible SETcc functions and to jump to them when +emulating the respective instruction. + +However, it hardcodes the size and alignment of those functions to 4: a +three-byte SETcc insn and a single-byte RET. BUT, with SLS, there's an +INT3 that gets slapped after the RET, which brings the whole scheme out +of alignment: + + 15: 0f 90 c0 seto %al + 18: c3 ret + 19: cc int3 + 1a: 0f 1f 00 nopl (%rax) + 1d: 0f 91 c0 setno %al + 20: c3 ret + 21: cc int3 + 22: 0f 1f 00 nopl (%rax) + 25: 0f 92 c0 setb %al + 28: c3 ret + 29: cc int3 + +and this explodes like this: + + int3: 0000 [#1] PREEMPT SMP PTI + CPU: 0 PID: 2435 Comm: qemu-system-x86 Not tainted 5.17.0-rc8-sls #1 + Hardware name: Dell Inc. Precision WorkStation T3400 /0TP412, BIOS A14 04/30/2012 + RIP: 0010:setc+0x5/0x8 [kvm] + Code: 00 00 0f 1f 00 0f b6 05 43 24 06 00 c3 cc 0f 1f 80 00 00 00 00 0f 90 c0 c3 cc 0f \ + 1f 00 0f 91 c0 c3 cc 0f 1f 00 0f 92 c0 c3 cc <0f> 1f 00 0f 93 c0 c3 cc 0f 1f 00 \ + 0f 94 c0 c3 cc 0f 1f 00 0f 95 c0 + Call Trace: + + ? x86_emulate_insn [kvm] + ? x86_emulate_instruction [kvm] + ? vmx_handle_exit [kvm_intel] + ? kvm_arch_vcpu_ioctl_run [kvm] + ? kvm_vcpu_ioctl [kvm] + ? __x64_sys_ioctl + ? do_syscall_64 + ? entry_SYSCALL_64_after_hwframe + + +Raise the alignment value when SLS is enabled and use a macro for that +instead of hard-coding naked numbers. + +Fixes: e463a09af2f0 ("x86: Add straight-line-speculation mitigation") +Reported-by: Jamie Heilman +Signed-off-by: Borislav Petkov +Acked-by: Peter Zijlstra (Intel) +Tested-by: Jamie Heilman +Link: https://lore.kernel.org/r/YjGzJwjrvxg5YZ0Z@audible.transient.net +[Add a comment and a bit of safety checking, since this is going to be changed + again for IBT support. - Paolo] +Signed-off-by: Paolo Bonzini + + [ bp: Backport only the fastop offset finding - the macros are largely + simplified in + + 79629181607e ("KVM: emulate: do not adjust size of fastop and setcc subroutines") + + so no need to backport pieces which will get removed anyway. ] + +--- + arch/x86/kvm/emulate.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c +index 5719d8cfdbd9..e86d610dc6b7 100644 +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -1047,7 +1062,7 @@ static int em_bsr_c(struct x86_emulate_ctxt *ctxt) + static __always_inline u8 test_cc(unsigned int condition, unsigned long flags) + { + u8 rc; +- void (*fop)(void) = (void *)em_setcc + 4 * (condition & 0xf); ++ void (*fop)(void) = (void *)em_setcc + SETCC_ALIGN * (condition & 0xf); + + flags = (flags & EFLAGS_MASK) | X86_EFLAGS_IF; + asm("push %[flags]; popf; " CALL_NOSPEC + diff --git a/patches.suse/latent_entropy-avoid-build-error-when-plugin-cflags-are-not-set.patch b/patches.suse/latent_entropy-avoid-build-error-when-plugin-cflags-are-not-set.patch new file mode 100644 index 0000000..735f4e9 --- /dev/null +++ b/patches.suse/latent_entropy-avoid-build-error-when-plugin-cflags-are-not-set.patch @@ -0,0 +1,58 @@ +From: Vasily Gorbik +Date: Tue, 7 May 2019 16:28:15 +0200 +Subject: latent_entropy: avoid build error when plugin cflags are not set +Git-commit: 7e756f423af808b6571fed3144747db2ef7fa1c5 +Patch-mainline: v5.2-rc1 +References: git-fixes + +Some architectures set up CFLAGS for linux decompressor phase from +scratch and do not include GCC_PLUGINS_CFLAGS. Since "latent_entropy" +variable declaration is generated by the plugin code itself including +linux/random.h in decompressor code then would cause a build +error. E.g. on s390: + +In file included from ./include/linux/net.h:22, + from ./include/linux/skbuff.h:29, + from ./include/linux/if_ether.h:23, + from ./arch/s390/include/asm/diag.h:12, + from arch/s390/boot/startup.c:8: +./include/linux/random.h: In function 'add_latent_entropy': +./include/linux/random.h:26:39: error: 'latent_entropy' undeclared +(first use in this function); did you mean 'add_latent_entropy'? + 26 | add_device_randomness((const void *)&latent_entropy, + | ^~~~~~~~~~~~~~ + | add_latent_entropy +./include/linux/random.h:26:39: note: each undeclared identifier is +reported only once for each function it appears in + +The build error is triggered by commit a80313ff91ab ("s390/kernel: +introduce .dma sections") which made it into 5.2 merge window. + +To address that avoid using CONFIG_GCC_PLUGIN_LATENT_ENTROPY in +favour of LATENT_ENTROPY_PLUGIN definition which is defined as a +part of gcc plugins cflags and hence reflect more accurately when gcc +plugin is active. Besides that it is also used for similar purpose in +linux/compiler-gcc.h for latent_entropy attribute definition. + +Signed-off-by: Vasily Gorbik +Acked-by: Kees Cook +Signed-off-by: Martin Schwidefsky +Acked-by: Lee Duncan +--- + include/linux/random.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/random.h b/include/linux/random.h +index 445a0ea4ff49..d4eb9b3789ad 100644 +--- a/include/linux/random.h ++++ b/include/linux/random.h +@@ -20,7 +20,7 @@ struct random_ready_callback { + + extern void add_device_randomness(const void *, unsigned int); + +-#if defined(CONFIG_GCC_PLUGIN_LATENT_ENTROPY) && !defined(__CHECKER__) ++#if defined(LATENT_ENTROPY_PLUGIN) && !defined(__CHECKER__) + static inline void add_latent_entropy(void) + { + add_device_randomness((const void *)&latent_entropy, + diff --git a/patches.suse/linux-random.h-Mark-CONFIG_ARCH_RANDOM-functions-__must_check.patch b/patches.suse/linux-random.h-Mark-CONFIG_ARCH_RANDOM-functions-__must_check.patch new file mode 100644 index 0000000..34c0aa0 --- /dev/null +++ b/patches.suse/linux-random.h-Mark-CONFIG_ARCH_RANDOM-functions-__must_check.patch @@ -0,0 +1,49 @@ +From: Richard Henderson +Date: Fri, 10 Jan 2020 14:54:18 +0000 +Subject: linux/random.h: Mark CONFIG_ARCH_RANDOM functions __must_check +Git-commit: 904caa6413c87aacbf7d0682da617c39ca18cf1a +Patch-mainline: v5.6-rc1 +References: git-fixes + +We must not use the pointer output without validating the +success of the random read. + +Reviewed-by: Ard Biesheuvel +Signed-off-by: Richard Henderson +Signed-off-by: Mark Brown +Link: https://lore.kernel.org/r/20200110145422.49141-7-broonie@kernel.org +Signed-off-by: Theodore Ts'o +Acked-by: Lee Duncan +--- + include/linux/random.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/include/linux/random.h b/include/linux/random.h +index ea0e2f5f1ec5..d319f9a1e429 100644 +--- a/include/linux/random.h ++++ b/include/linux/random.h +@@ -167,19 +167,19 @@ static inline void prandom_seed_state(struct rnd_state *state, u64 seed) + #ifdef CONFIG_ARCH_RANDOM + # include + #else +-static inline bool arch_get_random_long(unsigned long *v) ++static inline bool __must_check arch_get_random_long(unsigned long *v) + { + return false; + } +-static inline bool arch_get_random_int(unsigned int *v) ++static inline bool __must_check arch_get_random_int(unsigned int *v) + { + return false; + } +-static inline bool arch_get_random_seed_long(unsigned long *v) ++static inline bool __must_check arch_get_random_seed_long(unsigned long *v) + { + return false; + } +-static inline bool arch_get_random_seed_int(unsigned int *v) ++static inline bool __must_check arch_get_random_seed_int(unsigned int *v) + { + return false; + } + diff --git a/patches.suse/linux-random.h-Remove-arch_has_random-arch_has_random_seed.patch b/patches.suse/linux-random.h-Remove-arch_has_random-arch_has_random_seed.patch new file mode 100644 index 0000000..a1af307 --- /dev/null +++ b/patches.suse/linux-random.h-Remove-arch_has_random-arch_has_random_seed.patch @@ -0,0 +1,49 @@ +From: Richard Henderson +Date: Fri, 10 Jan 2020 14:54:16 +0000 +Subject: linux/random.h: Remove arch_has_random, arch_has_random_seed +Git-commit: 647f50d5d9d933b644b29c54f13ac52af1b1774d +Patch-mainline: v5.6-rc1 +References: git-fixes + +The arm64 version of archrandom.h will need to be able to test for +support and read the random number without preemption, so a separate +query predicate is not practical. + +Since this part of the generic interface is unused, remove it. + +Signed-off-by: Richard Henderson +Signed-off-by: Mark Brown +Link: https://lore.kernel.org/r/20200110145422.49141-5-broonie@kernel.org +Signed-off-by: Theodore Ts'o +Acked-by: Lee Duncan +--- + include/linux/random.h | 8 -------- + 1 file changed, 8 deletions(-) + +diff --git a/include/linux/random.h b/include/linux/random.h +index f189c927fdea..7fd0360908d2 100644 +--- a/include/linux/random.h ++++ b/include/linux/random.h +@@ -175,10 +175,6 @@ static inline bool arch_get_random_int(unsigned int *v) + { + return 0; + } +-static inline bool arch_has_random(void) +-{ +- return 0; +-} + static inline bool arch_get_random_seed_long(unsigned long *v) + { + return 0; +@@ -187,10 +183,6 @@ static inline bool arch_get_random_seed_int(unsigned int *v) + { + return 0; + } +-static inline bool arch_has_random_seed(void) +-{ +- return 0; +-} + #endif + + /* Pseudo random number generator from numerical recipes. */ + diff --git a/patches.suse/linux-random.h-Use-false-with-bool.patch b/patches.suse/linux-random.h-Use-false-with-bool.patch new file mode 100644 index 0000000..ee15899 --- /dev/null +++ b/patches.suse/linux-random.h-Use-false-with-bool.patch @@ -0,0 +1,49 @@ +From: Richard Henderson +Date: Fri, 10 Jan 2020 14:54:17 +0000 +Subject: linux/random.h: Use false with bool +Git-commit: 66f5ae899ada79c0e9a3d8d954f93a72344cd350 +Patch-mainline: v5.6-rc1 +References: git-fixes + +Keep the generic fallback versions in sync with the other architecture +specific implementations and use the proper name for false. + +Suggested-by: Ard Biesheuvel +Signed-off-by: Richard Henderson +Signed-off-by: Mark Brown +Link: https://lore.kernel.org/r/20200110145422.49141-6-broonie@kernel.org +Signed-off-by: Theodore Ts'o +Acked-by: Lee Duncan +--- + include/linux/random.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/include/linux/random.h b/include/linux/random.h +index 7fd0360908d2..ea0e2f5f1ec5 100644 +--- a/include/linux/random.h ++++ b/include/linux/random.h +@@ -169,19 +169,19 @@ static inline void prandom_seed_state(struct rnd_state *state, u64 seed) + #else + static inline bool arch_get_random_long(unsigned long *v) + { +- return 0; ++ return false; + } + static inline bool arch_get_random_int(unsigned int *v) + { +- return 0; ++ return false; + } + static inline bool arch_get_random_seed_long(unsigned long *v) + { +- return 0; ++ return false; + } + static inline bool arch_get_random_seed_int(unsigned int *v) + { +- return 0; ++ return false; + } + #endif + + diff --git a/patches.suse/lkdtm-disable-return-thunks-in-rodata-c.patch b/patches.suse/lkdtm-disable-return-thunks-in-rodata-c.patch new file mode 100644 index 0000000..320911e --- /dev/null +++ b/patches.suse/lkdtm-disable-return-thunks-in-rodata-c.patch @@ -0,0 +1,62 @@ +From: Josh Poimboeuf +Date: Mon, 18 Jul 2022 07:50:25 -0700 +Subject: lkdtm: Disable return thunks in rodata.c +Git-commit: efc72a665a61fd48c462f5248a9e3dc991398ddd +Patch-mainline: v5.19-rc8 +References: bsc#1114648 + +The following warning was seen: + + WARNING: CPU: 0 PID: 0 at arch/x86/kernel/alternative.c:557 apply_returns (arch/x86/kernel/alternative.c:557 (discriminator 1)) + Modules linked in: + CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.19.0-rc4-00008-gee88d363d156 #1 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014 + RIP: 0010:apply_returns (arch/x86/kernel/alternative.c:557 (discriminator 1)) + Code: ff ff 74 cb 48 83 c5 04 49 39 ee 0f 87 81 fe ff ff e9 22 ff ff ff 0f 0b 48 83 c5 04 49 39 ee 0f 87 6d fe ff ff e9 0e ff ff ff <0f> 0b 48 83 c5 04 49 39 ee 0f 87 59 fe ff ff e9 fa fe ff ff 48 89 + +The warning happened when apply_returns() failed to convert "JMP +__x86_return_thunk" to RET. It was instead a JMP to nowhere, due to the +thunk relocation not getting resolved. + +That rodata.o code is objcopy'd to .rodata, and later memcpy'd, so +relocations don't work (and are apparently silently ignored). + +LKDTM is only used for testing, so the naked RET should be fine. So +just disable return thunks for that file. + +While at it, disable objtool and KCSAN for the file. + +Fixes: 0b53c374b9ef ("x86/retpoline: Use -mfunction-return") +Reported-by: kernel test robot +Debugged-by: Peter Zijlstra +Signed-off-by: Josh Poimboeuf +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lore.kernel.org/lkml/Ys58BxHxoDZ7rfpr@xsang-OptiPlex-9020/ + +Acked-by: Borislav Petkov +--- + arch/x86/Makefile | 2 ++ + drivers/misc/Makefile | 1 + + 2 files changed, 3 insertions(+) + +--- a/arch/x86/Makefile ++++ b/arch/x86/Makefile +@@ -236,6 +236,8 @@ endif + RETHUNK_CFLAGS := -mfunction-return=thunk-extern + RETPOLINE_CFLAGS += $(RETHUNK_CFLAGS) + ++export RETHUNK_CFLAGS ++ + # for vdso Makefile to exclude + export RETPOLINE_CFLAGS + +--- a/drivers/misc/Makefile ++++ b/drivers/misc/Makefile +@@ -64,6 +64,7 @@ lkdtm-$(CONFIG_LKDTM) += lkdtm_rodata_o + lkdtm-$(CONFIG_LKDTM) += lkdtm_usercopy.o + + KCOV_INSTRUMENT_lkdtm_rodata.o := n ++CFLAGS_REMOVE_lkdtm_rodata.o += $(RETHUNK_CFLAGS) + + OBJCOPYFLAGS := + OBJCOPYFLAGS_lkdtm_rodata_objcopy.o := \ diff --git a/patches.suse/md-raid-destroy-the-bitmap-after-destroying-the-thre.patch b/patches.suse/md-raid-destroy-the-bitmap-after-destroying-the-thre.patch new file mode 100644 index 0000000..fefdb30 --- /dev/null +++ b/patches.suse/md-raid-destroy-the-bitmap-after-destroying-the-thre.patch @@ -0,0 +1,127 @@ +From: Mikulas Patocka +Date: Sun, 24 Jul 2022 14:26:12 -0400 +Subject: [PATCH] md-raid: destroy the bitmap after destroying the thread +Git-commit: e151db8ecfb019b7da31d076130a794574c89f6f +Patch-mainline: v6.0 +References: git-fixes + +When we ran the lvm test "shell/integrity-blocksize-3.sh" on a kernel with +kasan, we got failure in write_page. + +The reason for the failure is that md_bitmap_destroy is called before +destroying the thread and the thread may be waiting in the function +write_page for the bio to complete. When the thread finishes waiting, it +executes "if (test_bit(BITMAP_WRITE_ERROR, &bitmap->flags))", which +triggers the kasan warning. + +Note that the commit 48df498daf62 that caused this bug claims that it is +neede for md-cluster, you should check md-cluster and possibly find +another bugfix for it. + +Bug: KASAN: use-after-free in write_page+0x18d/0x680 [md_mod] +Read of size 8 at addr ffff889162030c78 by task mdX_raid1/5539 + +Cpu: 10 PID: 5539 Comm: mdX_raid1 Not tainted 5.19.0-rc2 #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 +Call Trace: + + dump_stack_lvl+0x34/0x44 + print_report.cold+0x45/0x57a + ? __lock_text_start+0x18/0x18 + ? write_page+0x18d/0x680 [md_mod] + kasan_report+0xa8/0xe0 + ? write_page+0x18d/0x680 [md_mod] + kasan_check_range+0x13f/0x180 + write_page+0x18d/0x680 [md_mod] + ? super_sync+0x4d5/0x560 [dm_raid] + ? md_bitmap_file_kick+0xa0/0xa0 [md_mod] + ? rs_set_dev_and_array_sectors+0x2e0/0x2e0 [dm_raid] + ? mutex_trylock+0x120/0x120 + ? preempt_count_add+0x6b/0xc0 + ? preempt_count_sub+0xf/0xc0 + md_update_sb+0x707/0xe40 [md_mod] + md_reap_sync_thread+0x1b2/0x4a0 [md_mod] + md_check_recovery+0x533/0x960 [md_mod] + raid1d+0xc8/0x2a20 [raid1] + ? var_wake_function+0xe0/0xe0 + ? psi_group_change+0x411/0x500 + ? preempt_count_sub+0xf/0xc0 + ? _raw_spin_lock_irqsave+0x78/0xc0 + ? __lock_text_start+0x18/0x18 + ? raid1_end_read_request+0x2a0/0x2a0 [raid1] + ? preempt_count_sub+0xf/0xc0 + ? _raw_spin_unlock_irqrestore+0x19/0x40 + ? del_timer_sync+0xa9/0x100 + ? try_to_del_timer_sync+0xc0/0xc0 + ? _raw_spin_lock_irqsave+0x78/0xc0 + ? __lock_text_start+0x18/0x18 + ? __list_del_entry_valid+0x68/0xa0 + ? finish_wait+0xa3/0x100 + md_thread+0x161/0x260 [md_mod] + ? unregister_md_personality+0xa0/0xa0 [md_mod] + ? _raw_spin_lock_irqsave+0x78/0xc0 + ? prepare_to_wait_event+0x2c0/0x2c0 + ? unregister_md_personality+0xa0/0xa0 [md_mod] + kthread+0x148/0x180 + ? kthread_complete_and_exit+0x20/0x20 + ret_from_fork+0x1f/0x30 + + +Allocated by task 5522: + kasan_save_stack+0x1e/0x40 + __kasan_kmalloc+0x80/0xa0 + md_bitmap_create+0xa8/0xe80 [md_mod] + md_run+0x777/0x1300 [md_mod] + raid_ctr+0x249c/0x4a30 [dm_raid] + dm_table_add_target+0x2b0/0x620 [dm_mod] + table_load+0x1c8/0x400 [dm_mod] + ctl_ioctl+0x29e/0x560 [dm_mod] + dm_compat_ctl_ioctl+0x7/0x20 [dm_mod] + __do_compat_sys_ioctl+0xfa/0x160 + do_syscall_64+0x90/0xc0 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +Freed by task 5680: + kasan_save_stack+0x1e/0x40 + kasan_set_track+0x21/0x40 + kasan_set_free_info+0x20/0x40 + __kasan_slab_free+0xf7/0x140 + kfree+0x80/0x240 + md_bitmap_free+0x1c3/0x280 [md_mod] + __md_stop+0x21/0x120 [md_mod] + md_stop+0x9/0x40 [md_mod] + raid_dtr+0x1b/0x40 [dm_raid] + dm_table_destroy+0x98/0x1e0 [dm_mod] + __dm_destroy+0x199/0x360 [dm_mod] + dev_remove+0x10c/0x160 [dm_mod] + ctl_ioctl+0x29e/0x560 [dm_mod] + dm_compat_ctl_ioctl+0x7/0x20 [dm_mod] + __do_compat_sys_ioctl+0xfa/0x160 + do_syscall_64+0x90/0xc0 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org +Fixes: 48df498daf62 ("md: move bitmap_destroy to the beginning of __md_stop") +Signed-off-by: Song Liu +Signed-off-by: Jens Axboe +Acked-by: NeilBrown + +--- + drivers/md/md.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -6111,10 +6111,10 @@ static void mddev_detach(struct mddev *m + static void __md_stop(struct mddev *mddev) + { + struct md_personality *pers = mddev->pers; +- md_bitmap_destroy(mddev); + mddev_detach(mddev); + /* Ensure ->event_work is done */ + flush_workqueue(md_misc_wq); ++ md_bitmap_destroy(mddev); + spin_lock(&mddev->lock); + mddev->pers = NULL; + spin_unlock(&mddev->lock); diff --git a/patches.suse/media-dib8000-Fix-a-memleak-in-dib8000_init.patch b/patches.suse/media-dib8000-Fix-a-memleak-in-dib8000_init.patch new file mode 100644 index 0000000..d981451 --- /dev/null +++ b/patches.suse/media-dib8000-Fix-a-memleak-in-dib8000_init.patch @@ -0,0 +1,54 @@ +From 8dbdcc7269a83305ee9d677b75064d3530a48ee2 Mon Sep 17 00:00:00 2001 +From: Zhou Qingyang +Date: Tue, 30 Nov 2021 16:38:05 +0100 +Subject: [PATCH] media: dib8000: Fix a memleak in dib8000_init() +Git-commit: 8dbdcc7269a83305ee9d677b75064d3530a48ee2 +References: git-fixes +Patch-mainline: v5.17-rc1 + +In dib8000_init(), the variable fe is not freed or passed out on the +failure of dib8000_identify(&state->i2c), which could lead to a memleak. + +Fix this bug by adding a kfree of fe in the error path. + +This bug was found by a static analyzer. The analysis employs +differential checking to identify inconsistent security operations +(e.g., checks or kfrees) between two code paths and confirms that the +inconsistent operations are not recovered in the current function or +the callers, so they constitute bugs. + +Note that, as a bug found by static analysis, it can be a false +positive or hard to trigger. Multiple researchers have cross-reviewed +the bug. + +Builds with CONFIG_DVB_DIB8000=m show no new warnings, +and our static analyzer no longer warns about this code. + +Fixes: 77e2c0f5d471 ("V4L/DVB (12900): DiB8000: added support for DiBcom ISDB-T/ISDB-Tsb demodulator DiB8000") +Signed-off-by: Zhou Qingyang +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Oliver Neukum +--- + drivers/media/dvb-frontends/dib8000.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/dvb-frontends/dib8000.c b/drivers/media/dvb-frontends/dib8000.c +index bb02354a48b8..d67f2dd997d0 100644 +--- a/drivers/media/dvb-frontends/dib8000.c ++++ b/drivers/media/dvb-frontends/dib8000.c +@@ -4473,8 +4473,10 @@ static struct dvb_frontend *dib8000_init(struct i2c_adapter *i2c_adap, u8 i2c_ad + + state->timf_default = cfg->pll->timf; + +- if (dib8000_identify(&state->i2c) == 0) ++ if (dib8000_identify(&state->i2c) == 0) { ++ kfree(fe); + goto error; ++ } + + dibx000_init_i2c_master(&state->i2c_master, DIB8000, state->i2c.adap, state->i2c.addr); + +-- +2.35.3 + diff --git a/patches.suse/media-saa7146-mxb-Fix-a-NULL-pointer-dereference-in-.patch b/patches.suse/media-saa7146-mxb-Fix-a-NULL-pointer-dereference-in-.patch new file mode 100644 index 0000000..f249807 --- /dev/null +++ b/patches.suse/media-saa7146-mxb-Fix-a-NULL-pointer-dereference-in-.patch @@ -0,0 +1,64 @@ +From 0407c49ebe330333478440157c640fffd986f41b Mon Sep 17 00:00:00 2001 +From: Zhou Qingyang +Date: Tue, 30 Nov 2021 17:34:44 +0100 +Subject: [PATCH] media: saa7146: mxb: Fix a NULL pointer dereference in + mxb_attach() +Git-commit: 0407c49ebe330333478440157c640fffd986f41b +References: git-fixes +Patch-mainline: v5.17-rc1 + +In mxb_attach(dev, info), saa7146_vv_init() is called to allocate a +new memory for dev->vv_data. saa7146_vv_release() will be called on +failure of mxb_probe(dev). There is a dereference of dev->vv_data +in saa7146_vv_release(), which could lead to a NULL pointer dereference +on failure of saa7146_vv_init(). + +Fix this bug by adding a check of saa7146_vv_init(). + +This bug was found by a static analyzer. The analysis employs +differential checking to identify inconsistent security operations +(e.g., checks or kfrees) between two code paths and confirms that the +inconsistent operations are not recovered in the current function or +the callers, so they constitute bugs. + +Note that, as a bug found by static analysis, it can be a false +positive or hard to trigger. Multiple researchers have cross-reviewed +the bug. + +Builds with CONFIG_VIDEO_MXB=m show no new warnings, +and our static analyzer no longer warns about this code. + +Fixes: 03b1930efd3c ("V4L/DVB: saa7146: fix regression of the av7110/budget-av driver") +Signed-off-by: Zhou Qingyang +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Oliver Neukum +--- + drivers/media/pci/saa7146/mxb.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/pci/saa7146/mxb.c b/drivers/media/pci/saa7146/mxb.c +index 73fc901ecf3d..bf0b9b0914cd 100644 +--- a/drivers/media/pci/saa7146/mxb.c ++++ b/drivers/media/pci/saa7146/mxb.c +@@ -683,10 +683,16 @@ static struct saa7146_ext_vv vv_data; + static int mxb_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_data *info) + { + struct mxb *mxb; ++ int ret; + + DEB_EE("dev:%p\n", dev); + +- saa7146_vv_init(dev, &vv_data); ++ ret = saa7146_vv_init(dev, &vv_data); ++ if (ret) { ++ ERR("Error in saa7146_vv_init()"); ++ return ret; ++ } ++ + if (mxb_probe(dev)) { + saa7146_vv_release(dev); + return -1; +-- +2.35.3 + diff --git a/patches.suse/media-uvcvideo-fix-division-by-zero-at-stream-start.patch b/patches.suse/media-uvcvideo-fix-division-by-zero-at-stream-start.patch new file mode 100644 index 0000000..3c3c2c8 --- /dev/null +++ b/patches.suse/media-uvcvideo-fix-division-by-zero-at-stream-start.patch @@ -0,0 +1,47 @@ +From 8aa637bf6d70d2fb2ad4d708d8b9dd02b1c095df Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 26 Oct 2021 11:55:11 +0200 +Subject: [PATCH] media: uvcvideo: fix division by zero at stream start +Git-commit: 8aa637bf6d70d2fb2ad4d708d8b9dd02b1c095df +References: git-fixes +Patch-mainline: v5.17-rc1 + +Add the missing bulk-endpoint max-packet sanity check to +uvc_video_start_transfer() to avoid division by zero in +uvc_alloc_urb_buffers() in case a malicious device has broken +descriptors (or when doing descriptor fuzz testing). + +Note that USB core will reject URBs submitted for endpoints with zero +wMaxPacketSize but that drivers doing packet-size calculations still +need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip +endpoint descriptors with maxpacket=0")). + +Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver") +Cc: stable@vger.kernel.org # 2.6.26 +Signed-off-by: Johan Hovold +Reviewed-by: Kieran Bingham +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Oliver Neukum +--- + drivers/media/usb/uvc/uvc_video.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c +index 9f37eaf28ce7..1b4cc934109e 100644 +--- a/drivers/media/usb/uvc/uvc_video.c ++++ b/drivers/media/usb/uvc/uvc_video.c +@@ -1963,6 +1963,10 @@ static int uvc_video_start_transfer(struct uvc_streaming *stream, + if (ep == NULL) + return -EIO; + ++ /* Reject broken descriptors. */ ++ if (usb_endpoint_maxp(&ep->desc) == 0) ++ return -EIO; ++ + ret = uvc_init_video_bulk(stream, ep, gfp_flags); + } + +-- +2.35.3 + diff --git a/patches.suse/mm-and-drivers-core-Convert-hugetlb_report_node_memi.patch b/patches.suse/mm-and-drivers-core-Convert-hugetlb_report_node_memi.patch new file mode 100644 index 0000000..5b925d8 --- /dev/null +++ b/patches.suse/mm-and-drivers-core-Convert-hugetlb_report_node_memi.patch @@ -0,0 +1,72 @@ +From 7981593bf083801035b1f1377661849805acb216 Mon Sep 17 00:00:00 2001 +From: Joe Perches +Date: Wed, 16 Sep 2020 13:40:43 -0700 +Subject: [PATCH] mm: and drivers core: Convert hugetlb_report_node_meminfo to + sysfs_emit +Git-commit: 7981593bf083801035b1f1377661849805acb216 +Patch-mainline: v5.10-rc1 +References: bsc#1200598 CVE-2022-20166 + +Convert the unbound sprintf in hugetlb_report_node_meminfo to use +sysfs_emit_at so that no possible overrun of a PAGE_SIZE buf can occur. + +Signed-off-by: Joe Perches +Acked-by: Mike Kravetz +Link: https://lore.kernel.org/r/894b351b82da6013cde7f36ff4b5493cd0ec30d0.1600285923.git.joe@perches.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Petr Mladek + +--- + drivers/base/node.c | 2 +- + include/linux/hugetlb.h | 4 ++-- + mm/hugetlb.c | 4 ++-- + 3 files changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/base/node.c ++++ b/drivers/base/node.c +@@ -143,7 +143,7 @@ static ssize_t node_read_meminfo(struct + #else + nid, K(sum_zone_node_page_state(nid, NR_SLAB_UNRECLAIMABLE))); + #endif +- len += hugetlb_report_node_meminfo(nid, buf + len); ++ len += hugetlb_report_node_meminfo(buf, len, nid); + return len; + } + +--- a/include/linux/hugetlb.h ++++ b/include/linux/hugetlb.h +@@ -77,7 +77,7 @@ void __unmap_hugepage_range(struct mmu_g + unsigned long start, unsigned long end, + struct page *ref_page); + void hugetlb_report_meminfo(struct seq_file *); +-int hugetlb_report_node_meminfo(int, char *); ++int hugetlb_report_node_meminfo(char *buf, int len, int nid); + void hugetlb_show_meminfo(void); + unsigned long hugetlb_total_pages(void); + int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -157,7 +157,7 @@ static inline void adjust_range_if_pmd_s + static inline void hugetlb_report_meminfo(struct seq_file *m) + { + } +-#define hugetlb_report_node_meminfo(n, buf) 0 ++#define hugetlb_report_node_meminfo(buf, len, nid) 0 + static inline void hugetlb_show_meminfo(void) + { + } +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -3050,12 +3050,12 @@ void hugetlb_report_meminfo(struct seq_f + 1UL << (huge_page_order(h) + PAGE_SHIFT - 10)); + } + +-int hugetlb_report_node_meminfo(int nid, char *buf) ++int hugetlb_report_node_meminfo(char *buf, int len, int nid) + { + struct hstate *h = &default_hstate; + if (!hugepages_supported()) + return 0; +- return sprintf(buf, ++ return sysfs_emit_at(buf, len, + "Node %d HugePages_Total: %5u\n" + "Node %d HugePages_Free: %5u\n" + "Node %d HugePages_Surp: %5u\n", diff --git a/patches.suse/msft-hv-2588-PCI-hv-Do-not-set-PCI_COMMAND_MEMORY-to-reduce-VM-bo.patch b/patches.suse/msft-hv-2588-PCI-hv-Do-not-set-PCI_COMMAND_MEMORY-to-reduce-VM-bo.patch index c01752d..b11a94d 100644 --- a/patches.suse/msft-hv-2588-PCI-hv-Do-not-set-PCI_COMMAND_MEMORY-to-reduce-VM-bo.patch +++ b/patches.suse/msft-hv-2588-PCI-hv-Do-not-set-PCI_COMMAND_MEMORY-to-reduce-VM-bo.patch @@ -30,13 +30,20 @@ Link: https://lore.kernel.org/r/20220502074255.16901-1-decui@microsoft.com Signed-off-by: Wei Liu Acked-by: Olaf Hering --- - drivers/pci/host/pci-hyperv.c | 17 +++++++++++------ - 1 file changed, 11 insertions(+), 6 deletions(-) + drivers/pci/host/pci-hyperv.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) -diff --git a/drivers/pci/host/pci-hyperv.c b/drivers/pci/host/pci-hyperv.c --- a/drivers/pci/host/pci-hyperv.c +++ b/drivers/pci/host/pci-hyperv.c -@@ -2103,12 +2103,17 @@ static void prepopulate_bars(struct hv_pcibus_device *hbus) +@@ -1401,7 +1401,6 @@ static void prepopulate_bars(struct hv_p + struct hv_pci_dev *hpdev; + unsigned long flags; + u64 bar_val; +- u32 command; + bool high; + int i; + +@@ -1459,12 +1458,17 @@ static void prepopulate_bars(struct hv_p } } if (high_size <= 1 && low_size <= 1) { diff --git a/patches.suse/mvpp2-suppress-warning.patch b/patches.suse/mvpp2-suppress-warning.patch new file mode 100644 index 0000000..ed71e39 --- /dev/null +++ b/patches.suse/mvpp2-suppress-warning.patch @@ -0,0 +1,40 @@ +From bc7959454d947d97443230db5454ffdd6475ce01 Mon Sep 17 00:00:00 2001 +From: Matteo Croce +Date: Mon, 10 May 2021 18:52:32 +0200 +Subject: [PATCH 13/16] mvpp2: suppress warning +Git-commit: 4c598e5e679c31106914b63b5e3877994dfbba19 +Patch-mainline: v5.14-rc1 +References: git-fixes + +Remove some unreachable code, so to suppress this warning: + +drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c: In function ‘mvpp2_prs_tcam_first_free’: +drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c:397:10: warning: comparison is always false due to limited range of data type [-Wtype-limits] + 397 | if (end >= MVPP2_PRS_TCAM_SRAM_SIZE) + | ^~ + +Fixes: 3f518509dedc ("ethernet: Add new driver for Marvell Armada 375 network unit") +Signed-off-by: Matteo Croce +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c +index a30eb90ba3d2..7481d3cc1cde 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c +@@ -394,9 +394,6 @@ static int mvpp2_prs_tcam_first_free(struct mvpp2 *priv, unsigned char start, + if (start > end) + swap(start, end); + +- if (end >= MVPP2_PRS_TCAM_SRAM_SIZE) +- end = MVPP2_PRS_TCAM_SRAM_SIZE - 1; +- + for (tid = start; tid <= end; tid++) { + if (!priv->prs_shadow[tid].valid) + return tid; +-- +2.16.4 + diff --git a/patches.suse/net-dpaa2-eth-fix-use-after-free-in-dpaa2_eth_remove.patch b/patches.suse/net-dpaa2-eth-fix-use-after-free-in-dpaa2_eth_remove.patch new file mode 100644 index 0000000..6768d96 --- /dev/null +++ b/patches.suse/net-dpaa2-eth-fix-use-after-free-in-dpaa2_eth_remove.patch @@ -0,0 +1,39 @@ +From: Pavel Skripkin +Date: Tue, 16 Nov 2021 18:17:12 +0300 +Subject: net: dpaa2-eth: fix use-after-free in dpaa2_eth_remove + +Git-commit: 9b5a333272a48c2f8b30add7a874e46e8b26129c +Patch-mainline: v5.16-rc2 +References: git-fixes + +Access to netdev after free_netdev() will cause use-after-free bug. +Move debug log before free_netdev() call to avoid it. + +Fixes: 7472dd9f6499 ("staging: fsl-dpaa2/eth: Move print message") +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Mian Yousaf Kaukab +--- + drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c +index 714e961e7a77..6451c8383639 100644 +--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c ++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c +@@ -4550,10 +4550,10 @@ static int dpaa2_eth_remove(struct fsl_mc_device *ls_dev) + + fsl_mc_portal_free(priv->mc_io); + +- free_netdev(net_dev); +- + dev_dbg(net_dev->dev.parent, "Removed interface %s\n", net_dev->name); + ++ free_netdev(net_dev); ++ + return 0; + } + +-- +2.35.3 + diff --git a/patches.suse/net-dsa-bcm_sf2-Qualify-phydev-dev_flags-based-on-po.patch b/patches.suse/net-dsa-bcm_sf2-Qualify-phydev-dev_flags-based-on-po.patch new file mode 100644 index 0000000..a11f3fd --- /dev/null +++ b/patches.suse/net-dsa-bcm_sf2-Qualify-phydev-dev_flags-based-on-po.patch @@ -0,0 +1,43 @@ +From 8217c8f4885096f127690a7af11ba6c992bfa5da Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Wed, 10 Mar 2021 14:17:58 -0800 +Subject: [PATCH 02/16] net: dsa: bcm_sf2: Qualify phydev->dev_flags based on + port +Git-commit: 47142ed6c34d544ae9f0463e58d482289cbe0d46 +Patch-mainline: v5.12-rc5 +References: git-fixes + +Similar to commit 92696286f3bb37ba50e4bd8d1beb24afb759a799 ("net: +bcmgenet: Set phydev->dev_flags only for internal PHYs") we need to +qualify the phydev->dev_flags based on whether the port is connected to +an internal or external PHY otherwise we risk having a flags collision +with a completely different interpretation depending on the driver. + +Fixes: aa9aef77c761 ("net: dsa: bcm_sf2: communicate integrated PHY revision to PHY driver") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/dsa/bcm_sf2.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c +index ded1c40d7fe4..1c4af75ffe9b 100644 +--- a/drivers/net/dsa/bcm_sf2.c ++++ b/drivers/net/dsa/bcm_sf2.c +@@ -614,8 +614,10 @@ static u32 bcm_sf2_sw_get_phy_flags(struct dsa_switch *ds, int port) + * in bits 15:8 and the patch level in bits 7:0 which is exactly what + * the REG_PHY_REVISION register layout is. + */ +- +- return priv->hw_params.gphy_rev; ++ if (priv->int_phy_mask & BIT(port)) ++ return priv->hw_params.gphy_rev; ++ else ++ return 0; + } + + static void bcm_sf2_sw_adjust_link(struct dsa_switch *ds, int port, +-- +2.16.4 + diff --git a/patches.suse/net-ethernet-aeroflex-fix-UAF-in-greth_of_remove.patch b/patches.suse/net-ethernet-aeroflex-fix-UAF-in-greth_of_remove.patch new file mode 100644 index 0000000..9522613 --- /dev/null +++ b/patches.suse/net-ethernet-aeroflex-fix-UAF-in-greth_of_remove.patch @@ -0,0 +1,53 @@ +From 31affbc1293ce527d9077ba7a0945858a4c4ec32 Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Fri, 18 Jun 2021 17:57:31 +0300 +Subject: [PATCH 16/16] net: ethernet: aeroflex: fix UAF in greth_of_remove +Git-commit: e3a5de6d81d8b2199935c7eb3f7d17a50a7075b7 +Patch-mainline: v5.14-rc1 +References: git-fixes + +static int greth_of_remove(struct platform_device *of_dev) +{ +... + struct greth_private *greth = netdev_priv(ndev); +... + unregister_netdev(ndev); + free_netdev(ndev); + + of_iounmap(&of_dev->resource[0], greth->regs, resource_size(&of_dev->resource[0])); +... +} + +greth is netdev private data, but it is used +after free_netdev(). It can cause use-after-free when accessing greth +pointer. So, fix it by moving free_netdev() after of_iounmap() +call. + +Fixes: d4c41139df6e ("net: Add Aeroflex Gaisler 10/100/1G Ethernet MAC driver") +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/aeroflex/greth.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/aeroflex/greth.c b/drivers/net/ethernet/aeroflex/greth.c +index 4309be3724ad..a20e95b39cf7 100644 +--- a/drivers/net/ethernet/aeroflex/greth.c ++++ b/drivers/net/ethernet/aeroflex/greth.c +@@ -1546,10 +1546,11 @@ static int greth_of_remove(struct platform_device *of_dev) + mdiobus_unregister(greth->mdio); + + unregister_netdev(ndev); +- free_netdev(ndev); + + of_iounmap(&of_dev->resource[0], greth->regs, resource_size(&of_dev->resource[0])); + ++ free_netdev(ndev); ++ + return 0; + } + +-- +2.16.4 + diff --git a/patches.suse/net-ethernet-fix-potential-use-after-free-in-ec_bhf_.patch b/patches.suse/net-ethernet-fix-potential-use-after-free-in-ec_bhf_.patch new file mode 100644 index 0000000..1e84b1c --- /dev/null +++ b/patches.suse/net-ethernet-fix-potential-use-after-free-in-ec_bhf_.patch @@ -0,0 +1,56 @@ +From ac61259087693b21e6cfdb76a4beabed70542db1 Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Fri, 18 Jun 2021 16:49:02 +0300 +Subject: [PATCH 12/16] net: ethernet: fix potential use-after-free in + ec_bhf_remove +Git-commit: 9cca0c2d70149160407bda9a9446ce0c29b6e6c6 +Patch-mainline: v5.13-rc7 +References: git-fixes + +static void ec_bhf_remove(struct pci_dev *dev) +{ +... + struct ec_bhf_priv *priv = netdev_priv(net_dev); + + unregister_netdev(net_dev); + free_netdev(net_dev); + + pci_iounmap(dev, priv->dma_io); + pci_iounmap(dev, priv->io); +... +} + +priv is netdev private data, but it is used +after free_netdev(). It can cause use-after-free when accessing priv +pointer. So, fix it by moving free_netdev() after pci_iounmap() +calls. + +Fixes: 6af55ff52b02 ("Driver for Beckhoff CX5020 EtherCAT master module.") +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/ec_bhf.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/ec_bhf.c b/drivers/net/ethernet/ec_bhf.c +index b513c99d003b..8f2bc372ed89 100644 +--- a/drivers/net/ethernet/ec_bhf.c ++++ b/drivers/net/ethernet/ec_bhf.c +@@ -585,10 +585,12 @@ static void ec_bhf_remove(struct pci_dev *dev) + struct ec_bhf_priv *priv = netdev_priv(net_dev); + + unregister_netdev(net_dev); +- free_netdev(net_dev); + + pci_iounmap(dev, priv->dma_io); + pci_iounmap(dev, priv->io); ++ ++ free_netdev(net_dev); ++ + pci_release_regions(dev); + pci_clear_master(dev); + pci_disable_device(dev); +-- +2.16.4 + diff --git a/patches.suse/net-fec-check-DMA-addressing-limitations.patch b/patches.suse/net-fec-check-DMA-addressing-limitations.patch new file mode 100644 index 0000000..494f59c --- /dev/null +++ b/patches.suse/net-fec-check-DMA-addressing-limitations.patch @@ -0,0 +1,50 @@ +From a9ed3f37063f18bd3434924e4c45f21a67d04d5c Mon Sep 17 00:00:00 2001 +From: Stefan Agner +Date: Thu, 2 Aug 2018 10:42:50 +0200 +Subject: [PATCH 03/16] net: fec: check DMA addressing limitations +Git-commit: 453e9dc48be466afa2adc25d072aa4c5b8774f8d +Patch-mainline: v4.19-rc1 +References: git-fixes + +Check DMA addressing limitations as suggested by the DMA API +how-to. This does not fix a particular issue seen but is +considered good style. + +Signed-off-by: Stefan Agner +Acked-by: Fugang Duan +Reviewed-by: Robin Murphy +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/freescale/fec_main.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c +index b0bea7cb2f20..70a5039faa89 100644 +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -3157,6 +3157,7 @@ static int fec_enet_init(struct net_device *ndev) + unsigned dsize = fep->bufdesc_ex ? sizeof(struct bufdesc_ex) : + sizeof(struct bufdesc); + unsigned dsize_log2 = __fls(dsize); ++ int ret; + + WARN_ON(dsize != (1 << dsize_log2)); + #if defined(CONFIG_ARM) || defined(CONFIG_ARM64) +@@ -3167,6 +3168,13 @@ static int fec_enet_init(struct net_device *ndev) + fep->tx_align = 0x3; + #endif + ++ /* Check mask of the streaming and coherent API */ ++ ret = dma_set_mask_and_coherent(&fep->pdev->dev, DMA_BIT_MASK(32)); ++ if (ret < 0) { ++ dev_warn(&fep->pdev->dev, "No suitable DMA available\n"); ++ return ret; ++ } ++ + fec_enet_alloc_queue(ndev); + + bd_size = (fep->total_tx_ring_size + fep->total_rx_ring_size) * dsize; +-- +2.16.4 + diff --git a/patches.suse/net-fec-fix-the-potential-memory-leak-in-fec_enet_in.patch b/patches.suse/net-fec-fix-the-potential-memory-leak-in-fec_enet_in.patch new file mode 100644 index 0000000..dee76a9 --- /dev/null +++ b/patches.suse/net-fec-fix-the-potential-memory-leak-in-fec_enet_in.patch @@ -0,0 +1,64 @@ +From d8f7942cdc53e4af192760820a0d087cdfdd280f Mon Sep 17 00:00:00 2001 +From: Fugang Duan +Date: Wed, 12 May 2021 10:43:59 +0800 +Subject: [PATCH 04/16] net: fec: fix the potential memory leak in + fec_enet_init() +Git-commit: 619fee9eb13b5d29e4267cb394645608088c28a8 +Patch-mainline: v5.13-rc4 +References: git-fixes + +If the memory allocated for cbd_base is failed, it should +free the memory allocated for the queues, otherwise it causes +memory leak. + +And if the memory allocated for the queues is failed, it can +return error directly. + +Fixes: 59d0f7465644 ("net: fec: init multi queue date structure") +Signed-off-by: Fugang Duan +Signed-off-by: Joakim Zhang +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/freescale/fec_main.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c +index 70a5039faa89..fa0a9df96ba0 100644 +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -3175,7 +3175,9 @@ static int fec_enet_init(struct net_device *ndev) + return ret; + } + +- fec_enet_alloc_queue(ndev); ++ ret = fec_enet_alloc_queue(ndev); ++ if (ret) ++ return ret; + + bd_size = (fep->total_tx_ring_size + fep->total_rx_ring_size) * dsize; + +@@ -3183,7 +3185,8 @@ static int fec_enet_init(struct net_device *ndev) + cbd_base = dmam_alloc_coherent(&fep->pdev->dev, bd_size, &bd_dma, + GFP_KERNEL); + if (!cbd_base) { +- return -ENOMEM; ++ ret = -ENOMEM; ++ goto free_queue_mem; + } + + memset(cbd_base, 0, bd_size); +@@ -3260,6 +3263,10 @@ static int fec_enet_init(struct net_device *ndev) + fec_enet_update_ethtool_stats(ndev); + + return 0; ++ ++free_queue_mem: ++ fec_enet_free_queue(ndev); ++ return ret; + } + + #ifdef CONFIG_OF +-- +2.16.4 + diff --git a/patches.suse/net-fec_ptp-add-clock-rate-zero-check.patch b/patches.suse/net-fec_ptp-add-clock-rate-zero-check.patch new file mode 100644 index 0000000..34c6c92 --- /dev/null +++ b/patches.suse/net-fec_ptp-add-clock-rate-zero-check.patch @@ -0,0 +1,37 @@ +From 9bcab7b0b3cf02a5b887a39a262a8f62088f5717 Mon Sep 17 00:00:00 2001 +From: Fugang Duan +Date: Wed, 16 Jun 2021 17:14:25 +0800 +Subject: [PATCH 10/16] net: fec_ptp: add clock rate zero check +Git-commit: cb3cefe3f3f8af27c6076ef7d1f00350f502055d +Patch-mainline: v5.13-rc7 +References: git-fixes + +Add clock rate zero check to fix coverity issue of "divide by 0". + +Fixes: commit 85bd1798b24a ("net: fec: fix spin_lock dead lock") +Signed-off-by: Fugang Duan +Signed-off-by: Joakim Zhang +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/freescale/fec_ptp.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/freescale/fec_ptp.c b/drivers/net/ethernet/freescale/fec_ptp.c +index 6ebad3fac81d..07a471144bfe 100644 +--- a/drivers/net/ethernet/freescale/fec_ptp.c ++++ b/drivers/net/ethernet/freescale/fec_ptp.c +@@ -579,6 +579,10 @@ void fec_ptp_init(struct platform_device *pdev) + fep->ptp_caps.enable = fec_ptp_enable; + + fep->cycle_speed = clk_get_rate(fep->clk_ptp); ++ if (!fep->cycle_speed) { ++ fep->cycle_speed = NSEC_PER_SEC; ++ dev_err(&fep->pdev->dev, "clk_ptp clock rate is zero\n"); ++ } + fep->ptp_inc = NSEC_PER_SEC / fep->cycle_speed; + + spin_lock_init(&fep->tmreg_lock); +-- +2.16.4 + diff --git a/patches.suse/net-hamradio-fix-memory-leak-in-mkiss_close.patch b/patches.suse/net-hamradio-fix-memory-leak-in-mkiss_close.patch new file mode 100644 index 0000000..1530082 --- /dev/null +++ b/patches.suse/net-hamradio-fix-memory-leak-in-mkiss_close.patch @@ -0,0 +1,111 @@ +From fe17de1809c4c0328f24c2480e4a7e97d3facc3a Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Wed, 16 Jun 2021 22:09:06 +0300 +Subject: [PATCH 11/16] net: hamradio: fix memory leak in mkiss_close +Git-commit: 7edcc682301492380fbdd604b4516af5ae667a13 +Patch-mainline: v5.13-rc7 +References: git-fixes + +My local syzbot instance hit memory leak in +mkiss_open()[1]. The problem was in missing +free_netdev() in mkiss_close(). + +In mkiss_open() netdevice is allocated and then +registered, but in mkiss_close() netdevice was +only unregistered, but not freed. + +Fail log: + +BUG: memory leak +unreferenced object 0xffff8880281ba000 (size 4096): + comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s) + hex dump (first 32 bytes): + 61 78 30 00 00 00 00 00 00 00 00 00 00 00 00 00 ax0............. + 00 27 fa 2a 80 88 ff ff 00 00 00 00 00 00 00 00 .'.*............ + backtrace: + [] kvmalloc_node+0x61/0xf0 + [] alloc_netdev_mqs+0x98/0xe80 + [] mkiss_open+0xb2/0x6f0 [1] + [] tty_ldisc_open+0x9b/0x110 + [] tty_set_ldisc+0x2e8/0x670 + [] tty_ioctl+0xda3/0x1440 + [] __x64_sys_ioctl+0x193/0x200 + [] do_syscall_64+0x3a/0xb0 + [] entry_SYSCALL_64_after_hwframe+0x44/0xae + +BUG: memory leak +unreferenced object 0xffff8880141a9a00 (size 96): + comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s) + hex dump (first 32 bytes): + e8 a2 1b 28 80 88 ff ff e8 a2 1b 28 80 88 ff ff ...(.......(.... + 98 92 9c aa b0 40 02 00 00 00 00 00 00 00 00 00 .....@.......... + backtrace: + [] __hw_addr_create_ex+0x5b/0x310 + [] __hw_addr_add_ex+0x1f8/0x2b0 + [] dev_addr_init+0x10b/0x1f0 + [] alloc_netdev_mqs+0x13b/0xe80 + [] mkiss_open+0xb2/0x6f0 [1] + [] tty_ldisc_open+0x9b/0x110 + [] tty_set_ldisc+0x2e8/0x670 + [] tty_ioctl+0xda3/0x1440 + [] __x64_sys_ioctl+0x193/0x200 + [] do_syscall_64+0x3a/0xb0 + [] entry_SYSCALL_64_after_hwframe+0x44/0xae + +BUG: memory leak +unreferenced object 0xffff8880219bfc00 (size 512): + comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s) + hex dump (first 32 bytes): + 00 a0 1b 28 80 88 ff ff 80 8f b1 8d ff ff ff ff ...(............ + 80 8f b1 8d ff ff ff ff 00 00 00 00 00 00 00 00 ................ + backtrace: + [] kvmalloc_node+0x61/0xf0 + [] alloc_netdev_mqs+0x777/0xe80 + [] mkiss_open+0xb2/0x6f0 [1] + [] tty_ldisc_open+0x9b/0x110 + [] tty_set_ldisc+0x2e8/0x670 + [] tty_ioctl+0xda3/0x1440 + [] __x64_sys_ioctl+0x193/0x200 + [] do_syscall_64+0x3a/0xb0 + [] entry_SYSCALL_64_after_hwframe+0x44/0xae + +BUG: memory leak +unreferenced object 0xffff888029b2b200 (size 256): + comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] kvmalloc_node+0x61/0xf0 + [] alloc_netdev_mqs+0x912/0xe80 + [] mkiss_open+0xb2/0x6f0 [1] + [] tty_ldisc_open+0x9b/0x110 + [] tty_set_ldisc+0x2e8/0x670 + [] tty_ioctl+0xda3/0x1440 + [] __x64_sys_ioctl+0x193/0x200 + [] do_syscall_64+0x3a/0xb0 + [] entry_SYSCALL_64_after_hwframe+0x44/0xae + +Fixes: 815f62bf7427 ("[PATCH] SMP rewrite of mkiss") +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/hamradio/mkiss.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/hamradio/mkiss.c b/drivers/net/hamradio/mkiss.c +index 9fd7dab42a53..2074fc55a88a 100644 +--- a/drivers/net/hamradio/mkiss.c ++++ b/drivers/net/hamradio/mkiss.c +@@ -810,6 +810,7 @@ static void mkiss_close(struct tty_struct *tty) + ax->tty = NULL; + + unregister_netdev(ax->dev); ++ free_netdev(ax->dev); + } + + /* Perform I/O control on an active ax25 channel. */ +-- +2.16.4 + diff --git a/patches.suse/net-korina-fix-kfree-of-rx-tx-descriptor-array.patch b/patches.suse/net-korina-fix-kfree-of-rx-tx-descriptor-array.patch new file mode 100644 index 0000000..deb9866 --- /dev/null +++ b/patches.suse/net-korina-fix-kfree-of-rx-tx-descriptor-array.patch @@ -0,0 +1,45 @@ +From c0c1865c3b8ad8f1231b14dbb1c9208d27c92a61 Mon Sep 17 00:00:00 2001 +From: Valentin Vidic +Date: Mon, 12 Oct 2020 00:03:29 +0200 +Subject: [PATCH 7/8] net: korina: fix kfree of rx/tx descriptor array +Git-commit: 3af5f0f5c74ecbaf757ef06c3f80d56751277637 +Patch-mainline: v5.10-rc1 +References: git-fixes + +kmalloc returns KSEG0 addresses so convert back from KSEG1 +in kfree. Also make sure array is freed when the driver is +unloaded from the kernel. + +Fixes: ef11291bcd5f ("Add support the Korina (IDT RC32434) Ethernet MAC") +Signed-off-by: Valentin Vidic +Acked-by: Willem de Bruijn +Signed-off-by: Jakub Kicinski +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/korina.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/korina.c b/drivers/net/ethernet/korina.c +index 3c0a6451273d..1357d464e8c4 100644 +--- a/drivers/net/ethernet/korina.c ++++ b/drivers/net/ethernet/korina.c +@@ -1188,7 +1188,7 @@ static int korina_probe(struct platform_device *pdev) + return rc; + + probe_err_register: +- kfree(lp->td_ring); ++ kfree(KSEG0ADDR(lp->td_ring)); + probe_err_td_ring: + iounmap(lp->tx_dma_regs); + probe_err_dma_tx: +@@ -1208,6 +1208,7 @@ static int korina_remove(struct platform_device *pdev) + iounmap(lp->eth_regs); + iounmap(lp->rx_dma_regs); + iounmap(lp->tx_dma_regs); ++ kfree(KSEG0ADDR(lp->td_ring)); + + unregister_netdev(bif->dev); + free_netdev(bif->dev); +-- +2.16.4 + diff --git a/patches.suse/net-macb-mark-device-wake-capable-when-magic-packet-.patch b/patches.suse/net-macb-mark-device-wake-capable-when-magic-packet-.patch new file mode 100644 index 0000000..a160c94 --- /dev/null +++ b/patches.suse/net-macb-mark-device-wake-capable-when-magic-packet-.patch @@ -0,0 +1,49 @@ +From edf02fb08f21173db3e0801cc49d104695cc3916 Mon Sep 17 00:00:00 2001 +From: Nicolas Ferre +Date: Fri, 10 Jul 2020 14:46:42 +0200 +Subject: [PATCH 6/8] net: macb: mark device wake capable when "magic-packet" + property present +Git-commit: ced4799d06375929e013eea04ba6908207afabbe +Patch-mainline: v5.8-rc5 +References: git-fixes + +Change the way the "magic-packet" DT property is handled in the +macb_probe() function, matching DT binding documentation. +Now we mark the device as "wakeup capable" instead of calling the +device_init_wakeup() function that would enable the wakeup source. + +For Ethernet WoL, enabling the wakeup_source is done by +using ethtool and associated macb_set_wol() function that +already calls device_set_wakeup_enable() for this purpose. + +That would reduce power consumption by cutting more clocks if +"magic-packet" property is set but WoL is not configured by ethtool. + +Fixes: 3e2a5e153906 ("net: macb: add wake-on-lan support via magic packet") +Cc: Claudiu Beznea +Cc: Harini Katakam +Cc: Sergio Prado +Reviewed-by: Florian Fainelli +Signed-off-by: Nicolas Ferre +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/cadence/macb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cadence/macb.c b/drivers/net/ethernet/cadence/macb.c +index 77abec2064ce..acd152c70d17 100644 +--- a/drivers/net/ethernet/cadence/macb.c ++++ b/drivers/net/ethernet/cadence/macb.c +@@ -3348,7 +3348,7 @@ static int macb_probe(struct platform_device *pdev) + bp->wol = 0; + if (of_get_property(np, "magic-packet", NULL)) + bp->wol |= MACB_WOL_HAS_MAGIC_PACKET; +- device_init_wakeup(&pdev->dev, bp->wol & MACB_WOL_HAS_MAGIC_PACKET); ++ device_set_wakeup_capable(&pdev->dev, bp->wol & MACB_WOL_HAS_MAGIC_PACKET); + + #ifdef CONFIG_ARCH_DMA_ADDR_T_64BIT + if (GEM_BFEXT(DAW64, gem_readl(bp, DCFG6))) { +-- +2.16.4 + diff --git a/patches.suse/net-mdio-octeon-Fix-some-double-free-issues.patch b/patches.suse/net-mdio-octeon-Fix-some-double-free-issues.patch new file mode 100644 index 0000000..f4709af --- /dev/null +++ b/patches.suse/net-mdio-octeon-Fix-some-double-free-issues.patch @@ -0,0 +1,49 @@ +From b0cd4081f0013293a7e429b2f08a4236adc340d4 Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Thu, 13 May 2021 09:24:55 +0200 +Subject: [PATCH 06/16] net: mdio: octeon: Fix some double free issues +Git-commit: e1d027dd97e1e750669cdc0d3b016a4f54e473eb +Patch-mainline: v5.13-rc4 +References: git-fixes + +'bus->mii_bus' has been allocated with 'devm_mdiobus_alloc_size()' in the +probe function. So it must not be freed explicitly or there will be a +double free. + +Remove the incorrect 'mdiobus_free' in the error handling path of the +probe function and in remove function. + +Suggested-By: Andrew Lunn +Fixes: 35d2aeac9810 ("phy: mdio-octeon: Use devm_mdiobus_alloc_size()") +Signed-off-by: Christophe JAILLET +Reviewed-by: Russell King +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/phy/mdio-octeon.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/net/phy/mdio-octeon.c b/drivers/net/phy/mdio-octeon.c +index ab6914f8bd50..1da104150f44 100644 +--- a/drivers/net/phy/mdio-octeon.c ++++ b/drivers/net/phy/mdio-octeon.c +@@ -75,7 +75,6 @@ static int octeon_mdiobus_probe(struct platform_device *pdev) + + return 0; + fail_register: +- mdiobus_free(bus->mii_bus); + smi_en.u64 = 0; + oct_mdio_writeq(smi_en.u64, bus->register_base + SMI_EN); + return err; +@@ -89,7 +88,6 @@ static int octeon_mdiobus_remove(struct platform_device *pdev) + bus = platform_get_drvdata(pdev); + + mdiobus_unregister(bus->mii_bus); +- mdiobus_free(bus->mii_bus); + smi_en.u64 = 0; + oct_mdio_writeq(smi_en.u64, bus->register_base + SMI_EN); + return 0; +-- +2.16.4 + diff --git a/patches.suse/net-mdio-thunder-Fix-a-double-free-issue-in-the-.rem.patch b/patches.suse/net-mdio-thunder-Fix-a-double-free-issue-in-the-.rem.patch new file mode 100644 index 0000000..abbcafc --- /dev/null +++ b/patches.suse/net-mdio-thunder-Fix-a-double-free-issue-in-the-.rem.patch @@ -0,0 +1,40 @@ +From 17971bee9df18db674a8595b0dac7fbf8ed190bd Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Thu, 13 May 2021 09:44:49 +0200 +Subject: [PATCH 05/16] net: mdio: thunder: Fix a double free issue in the + .remove function +Git-commit: a93a0a15876d2a077a3bc260b387d2457a051f24 +Patch-mainline: v5.13-rc4 +References: git-fixes + +'bus->mii_bus' have been allocated with 'devm_mdiobus_alloc_size()' in the +probe function. So it must not be freed explicitly or there will be a +double free. + +Remove the incorrect 'mdiobus_free' in the remove function. + +Fixes: 379d7ac7ca31 ("phy: mdio-thunder: Add driver for Cavium Thunder SoC MDIO buses.") +Signed-off-by: Christophe JAILLET +Reviewed-by: Russell King +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/phy/mdio-thunder.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/phy/mdio-thunder.c b/drivers/net/phy/mdio-thunder.c +index 564616968cad..c0c922eff760 100644 +--- a/drivers/net/phy/mdio-thunder.c ++++ b/drivers/net/phy/mdio-thunder.c +@@ -129,7 +129,6 @@ static void thunder_mdiobus_pci_remove(struct pci_dev *pdev) + continue; + + mdiobus_unregister(bus->mii_bus); +- mdiobus_free(bus->mii_bus); + oct_mdio_writeq(0, bus->register_base + SMI_EN); + } + pci_set_drvdata(pdev, NULL); +-- +2.16.4 + diff --git a/patches.suse/net-sched-cls_u32-fix-netns-refcount-changes-in-u32_.patch b/patches.suse/net-sched-cls_u32-fix-netns-refcount-changes-in-u32_.patch new file mode 100644 index 0000000..ceea49f --- /dev/null +++ b/patches.suse/net-sched-cls_u32-fix-netns-refcount-changes-in-u32_.patch @@ -0,0 +1,137 @@ +From: Eric Dumazet +Date: Wed, 13 Apr 2022 10:35:41 -0700 +Subject: net/sched: cls_u32: fix netns refcount changes in u32_change() +Patch-mainline: v5.18-rc4 +Git-commit: 3db09e762dc79584a69c10d74a6b98f89a9979f8 +References: CVE-2022-29581 bsc#1199665 + +We are now able to detect extra put_net() at the moment +they happen, instead of much later in correct code paths. + +u32_init_knode() / tcf_exts_init() populates the ->exts.net +pointer, but as mentioned in tcf_exts_init(), +the refcount on netns has not been elevated yet. + +The refcount is taken only once tcf_exts_get_net() +is called. + +So the two u32_destroy_key() calls from u32_change() +are attempting to release an invalid reference on the netns. + +syzbot report: + +refcount_t: decrement hit 0; leaking memory. +WARNING: CPU: 0 PID: 21708 at lib/refcount.c:31 refcount_warn_saturate+0xbf/0x1e0 lib/refcount.c:31 +Modules linked in: +CPU: 0 PID: 21708 Comm: syz-executor.5 Not tainted 5.18.0-rc2-next-20220412-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:refcount_warn_saturate+0xbf/0x1e0 lib/refcount.c:31 +Code: 1d 14 b6 b2 09 31 ff 89 de e8 6d e9 89 fd 84 db 75 e0 e8 84 e5 89 fd 48 c7 c7 40 aa 26 8a c6 05 f4 b5 b2 09 01 e8 e5 81 2e 05 <0f> 0b eb c4 e8 68 e5 89 fd 0f b6 1d e3 b5 b2 09 31 ff 89 de e8 38 +RSP: 0018:ffffc900051af1b0 EFLAGS: 00010286 +RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 +RDX: 0000000000040000 RSI: ffffffff8160a0c8 RDI: fffff52000a35e28 +RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000 +R10: ffffffff81604a9e R11: 0000000000000000 R12: 1ffff92000a35e3b +R13: 00000000ffffffef R14: ffff8880211a0194 R15: ffff8880577d0a00 +FS: 00007f25d183e700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f19c859c028 CR3: 0000000051009000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + __refcount_dec include/linux/refcount.h:344 [inline] + refcount_dec include/linux/refcount.h:359 [inline] + ref_tracker_free+0x535/0x6b0 lib/ref_tracker.c:118 + netns_tracker_free include/net/net_namespace.h:327 [inline] + put_net_track include/net/net_namespace.h:341 [inline] + tcf_exts_put_net include/net/pkt_cls.h:255 [inline] + u32_destroy_key.isra.0+0xa7/0x2b0 net/sched/cls_u32.c:394 + u32_change+0xe01/0x3140 net/sched/cls_u32.c:909 + tc_new_tfilter+0x98d/0x2200 net/sched/cls_api.c:2148 + rtnetlink_rcv_msg+0x80d/0xb80 net/core/rtnetlink.c:6016 + netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2495 + netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] + netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345 + netlink_sendmsg+0x904/0xe00 net/netlink/af_netlink.c:1921 + sock_sendmsg_nosec net/socket.c:705 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:725 + ____sys_sendmsg+0x6e2/0x800 net/socket.c:2413 + ___sys_sendmsg+0xf3/0x170 net/socket.c:2467 + __sys_sendmsg+0xe5/0x1b0 net/socket.c:2496 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae +RIP: 0033:0x7f25d0689049 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f25d183e168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 00007f25d079c030 RCX: 00007f25d0689049 +RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000005 +RBP: 00007f25d06e308d R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007ffd0b752e3f R14: 00007f25d183e300 R15: 0000000000022000 + + +Fixes: 35c55fc156d8 ("cls_u32: use tcf_exts_get_net() before call_rcu()") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Cc: Cong Wang +Cc: Jiri Pirko +Acked-by: Jamal Hadi Salim +Signed-off-by: Jakub Kicinski +Acked-by: Michal Kubecek + +--- + net/sched/cls_u32.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +--- a/net/sched/cls_u32.c ++++ b/net/sched/cls_u32.c +@@ -398,14 +398,19 @@ static int u32_init(struct tcf_proto *tp) + return 0; + } + +-static int u32_destroy_key(struct tc_u_knode *n, bool free_pf) ++static void __u32_destroy_key(struct tc_u_knode *n) + { + struct tc_u_hnode *ht = rtnl_dereference(n->ht_down); + + tcf_exts_destroy(&n->exts); +- tcf_exts_put_net(&n->exts); + if (ht && --ht->refcnt == 0) + kfree(ht); ++ kfree(n); ++} ++ ++static void u32_destroy_key(struct tc_u_knode *n, bool free_pf) ++{ ++ tcf_exts_put_net(&n->exts); + #ifdef CONFIG_CLS_U32_PERF + if (free_pf) + free_percpu(n->pf); +@@ -414,8 +419,7 @@ static int u32_destroy_key(struct tc_u_knode *n, bool free_pf) + if (free_pf) + free_percpu(n->pcpu_success); + #endif +- kfree(n); +- return 0; ++ __u32_destroy_key(n); + } + + /* u32_delete_key_rcu should be called when free'ing a copied +@@ -918,13 +922,13 @@ static int u32_change(struct net *net, struct sk_buff *in_skb, + tca[TCA_RATE], ovr, extack); + + if (err) { +- u32_destroy_key(new, false); ++ __u32_destroy_key(new); + return err; + } + + err = u32_replace_hw_knode(tp, new, flags, extack); + if (err) { +- u32_destroy_key(new, false); ++ __u32_destroy_key(new); + return err; + } + diff --git a/patches.suse/net-sonic-Fix-a-resource-leak-in-an-error-handling-p.patch b/patches.suse/net-sonic-Fix-a-resource-leak-in-an-error-handling-p.patch new file mode 100644 index 0000000..009ba1a --- /dev/null +++ b/patches.suse/net-sonic-Fix-a-resource-leak-in-an-error-handling-p.patch @@ -0,0 +1,51 @@ +From 998ed7803a82be29fbe7ea7640c407bc864323ac Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Mon, 27 Apr 2020 08:18:03 +0200 +Subject: [PATCH 5/8] net/sonic: Fix a resource leak in an error handling path + in 'jazz_sonic_probe()' +Git-commit: 10e3cc180e64385edc9890c6855acf5ed9ca1339 +Patch-mainline: v5.7-rc5 +References: git-fixes + +A call to 'dma_alloc_coherent()' is hidden in 'sonic_alloc_descriptors()', +called from 'sonic_probe1()'. + +This is correctly freed in the remove function, but not in the error +handling path of the probe function. +Fix it and add the missing 'dma_free_coherent()' call. + +While at it, rename a label in order to be slightly more informative. + +Fixes: efcce839360f ("[PATCH] macsonic/jazzsonic network drivers update") +Signed-off-by: Christophe JAILLET +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/natsemi/jazzsonic.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/natsemi/jazzsonic.c b/drivers/net/ethernet/natsemi/jazzsonic.c +index a6caeb567c0d..2bf2b0314ca9 100644 +--- a/drivers/net/ethernet/natsemi/jazzsonic.c ++++ b/drivers/net/ethernet/natsemi/jazzsonic.c +@@ -246,13 +246,15 @@ static int jazz_sonic_probe(struct platform_device *pdev) + goto out; + err = register_netdev(dev); + if (err) +- goto out1; ++ goto undo_probe1; + + printk("%s: MAC %pM IRQ %d\n", dev->name, dev->dev_addr, dev->irq); + + return 0; + +-out1: ++undo_probe1: ++ dma_free_coherent(lp->device, SIZEOF_SONIC_DESC * SONIC_BUS_SCALE(lp->dma_bitmode), ++ lp->descriptors, lp->descriptors_laddr); + release_mem_region(dev->base_addr, SONIC_MEM_SIZE); + out: + free_netdev(dev); +-- +2.16.4 + diff --git a/patches.suse/net-stmmac-Fix-misuses-of-GENMASK-macro.patch b/patches.suse/net-stmmac-Fix-misuses-of-GENMASK-macro.patch new file mode 100644 index 0000000..9b79632 --- /dev/null +++ b/patches.suse/net-stmmac-Fix-misuses-of-GENMASK-macro.patch @@ -0,0 +1,35 @@ +From a9a7f707cc523070b6045c09cec99e48985a8d9d Mon Sep 17 00:00:00 2001 +From: Joe Perches +Date: Tue, 9 Jul 2019 22:04:21 -0700 +Subject: [PATCH 2/8] net: stmmac: Fix misuses of GENMASK macro +Git-commit: aa4c0c9091b0bb4cb261bbe0718d17c2834c4690 +Patch-mainline: v5.3-rc1 +References: git-fixes + +Arguments are supposed to be ordered high then low. + +Fixes: 293e4365a1ad ("stmmac: change descriptor layout") +Fixes: 9f93ac8d4085 ("net-next: stmmac: Add dwmac-sun8i") +Signed-off-by: Joe Perches +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/stmicro/stmmac/descs.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/descs.h b/drivers/net/ethernet/stmicro/stmmac/descs.h +index 0c2432b1ce67..1ff402484831 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/descs.h ++++ b/drivers/net/ethernet/stmicro/stmmac/descs.h +@@ -133,7 +133,7 @@ + #define ETDES1_BUFFER2_SIZE_SHIFT 16 + + /* Extended Receive descriptor definitions */ +-#define ERDES4_IP_PAYLOAD_TYPE_MASK GENMASK(2, 6) ++#define ERDES4_IP_PAYLOAD_TYPE_MASK GENMASK(6, 2) + #define ERDES4_IP_HDR_ERR BIT(3) + #define ERDES4_IP_PAYLOAD_ERR BIT(4) + #define ERDES4_IP_CSUM_BYPASSED BIT(5) +-- +2.16.4 + diff --git a/patches.suse/net-stmmac-dwmac1000-Disable-ACS-if-enhanced-descs-a.patch b/patches.suse/net-stmmac-dwmac1000-Disable-ACS-if-enhanced-descs-a.patch new file mode 100644 index 0000000..bc8c7cf --- /dev/null +++ b/patches.suse/net-stmmac-dwmac1000-Disable-ACS-if-enhanced-descs-a.patch @@ -0,0 +1,57 @@ +From ec1d458509d38692a9c2dc955e71fdd854a859d8 Mon Sep 17 00:00:00 2001 +From: Denis Kirjanov +Date: Wed, 27 Jul 2022 11:10:37 +0300 +Subject: [PATCH 3/8] net: stmmac: dwmac1000: Disable ACS if enhanced descs are + not used +Git-commit: b723bd933980f4956dabc8a8d84b3e83be8d094c +Patch-mainline: v5.6-rc1 +References: git-fixes + +ACS (auto PAD/FCS stripping) removes FCS off 802.3 packets (LLC) so that +there is no need to manually strip it for such packets. The enhanced DMA +descriptors allow to flag LLC packets so that the receiving callback can +use that to strip FCS manually or not. On the other hand, normal +descriptors do not support that. + +Thus in order to not truncate LLC packet ACS should be disabled when +using normal DMA descriptors. + +Fixes: 47dd7a540b8a0 ("net: add support for STMicroelectronics Ethernet controllers.") +Signed-off-by: Remi Pommarel +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c +index f3df4cf0cb6a..61131b957e1b 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c +@@ -27,12 +27,14 @@ + #include + #include + #include ++#include "stmmac.h" + #include "stmmac_pcs.h" + #include "dwmac1000.h" + + static void dwmac1000_core_init(struct mac_device_info *hw, + struct net_device *dev) + { ++ struct stmmac_priv *priv = netdev_priv(dev); + void __iomem *ioaddr = hw->pcsr; + u32 value = readl(ioaddr + GMAC_CONTROL); + int mtu = dev->mtu; +@@ -44,7 +46,7 @@ static void dwmac1000_core_init(struct mac_device_info *hw, + * Broadcom tags can look like invalid LLC/SNAP packets and cause the + * hardware to truncate packets on reception. + */ +- if (netdev_uses_dsa(dev)) ++ if (netdev_uses_dsa(dev) || !priv->plat->enh_desc) + value &= ~GMAC_CONTROL_ACS; + + if (mtu > 1500) +-- +2.16.4 + diff --git a/patches.suse/net-stmmac-dwmac1000-Fix-extended-MAC-address-regist.patch b/patches.suse/net-stmmac-dwmac1000-Fix-extended-MAC-address-regist.patch new file mode 100644 index 0000000..c57b390 --- /dev/null +++ b/patches.suse/net-stmmac-dwmac1000-Fix-extended-MAC-address-regist.patch @@ -0,0 +1,42 @@ +From 45045e3fdf80aeda04f48d65de9feecab09a7501 Mon Sep 17 00:00:00 2001 +From: Jisheng Zhang +Date: Fri, 11 Jun 2021 15:16:11 +0800 +Subject: [PATCH 07/16] net: stmmac: dwmac1000: Fix extended MAC address + registers definition +Git-commit: 1adb20f0d496b2c61e9aa1f4761b8d71f93d258e +Patch-mainline: v5.13-rc7 +References: git-fixes + +The register starts from 0x800 is the 16th MAC address register rather +than the first one. + +Fixes: cffb13f4d6fb ("stmmac: extend mac addr reg and fix perfect filering") +Signed-off-by: Jisheng Zhang +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/stmicro/stmmac/dwmac1000.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h b/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h +index c02d36629c52..6f7ed3aaff1b 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h +@@ -87,10 +87,10 @@ enum power_event { + #define LPI_CTRL_STATUS_TLPIEN 0x00000001 /* Transmit LPI Entry */ + + /* GMAC HW ADDR regs */ +-#define GMAC_ADDR_HIGH(reg) (((reg > 15) ? 0x00000800 : 0x00000040) + \ +- (reg * 8)) +-#define GMAC_ADDR_LOW(reg) (((reg > 15) ? 0x00000804 : 0x00000044) + \ +- (reg * 8)) ++#define GMAC_ADDR_HIGH(reg) ((reg > 15) ? 0x00000800 + (reg - 16) * 8 : \ ++ 0x00000040 + (reg * 8)) ++#define GMAC_ADDR_LOW(reg) ((reg > 15) ? 0x00000804 + (reg - 16) * 8 : \ ++ 0x00000044 + (reg * 8)) + #define GMAC_MAX_PERFECT_ADDRESSES 1 + + #define GMAC_PCS_BASE 0x000000c0 /* PCS register base */ +-- +2.16.4 + diff --git a/patches.suse/net-stmmac-fix-incorrect-DMA-channel-intr-enable-set.patch b/patches.suse/net-stmmac-fix-incorrect-DMA-channel-intr-enable-set.patch new file mode 100644 index 0000000..30bfd14 --- /dev/null +++ b/patches.suse/net-stmmac-fix-incorrect-DMA-channel-intr-enable-set.patch @@ -0,0 +1,62 @@ +From ad7653944a07c24155f3583d6cea4c70c3eb94de Mon Sep 17 00:00:00 2001 +From: Ong Boon Leong +Date: Wed, 3 Mar 2021 20:38:40 +0530 +Subject: [PATCH 01/16] net: stmmac: fix incorrect DMA channel intr enable + setting of EQoS v4.10 +Git-commit: 879c348c35bb5fb758dd881d8a97409c1862dae8 +Patch-mainline: v5.12-rc3 +References: git-fixes + +We introduce dwmac410_dma_init_channel() here for both EQoS v4.10 and +above which use different DMA_CH(n)_Interrupt_Enable bit definitions for +NIE and AIE. + +Fixes: 48863ce5940f ("stmmac: add DMA support for GMAC 4.xx") +Signed-off-by: Ong Boon Leong +Signed-off-by: Ramesh Babu B +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c +index 9749e29429c4..549e08528380 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c +@@ -115,6 +115,23 @@ void dwmac4_dma_init_channel(void __iomem *ioaddr, + ioaddr + DMA_CHAN_INTR_ENA(chan)); + } + ++static void dwmac410_dma_init_channel(void __iomem *ioaddr, ++ struct stmmac_dma_cfg *dma_cfg, u32 chan) ++{ ++ u32 value; ++ ++ /* common channel control register config */ ++ value = readl(ioaddr + DMA_CHAN_CONTROL(chan)); ++ if (dma_cfg->pblx8) ++ value = value | DMA_BUS_MODE_PBL; ++ ++ writel(value, ioaddr + DMA_CHAN_CONTROL(chan)); ++ ++ /* Mask interrupts by writing to CSR7 */ ++ writel(DMA_CHAN_INTR_DEFAULT_MASK_4_10, ++ ioaddr + DMA_CHAN_INTR_ENA(chan)); ++} ++ + static void dwmac4_dma_init(void __iomem *ioaddr, + struct stmmac_dma_cfg *dma_cfg, + u32 dma_tx, u32 dma_rx, int atds) +@@ -416,7 +433,7 @@ const struct stmmac_dma_ops dwmac4_dma_ops = { + const struct stmmac_dma_ops dwmac410_dma_ops = { + .reset = dwmac4_dma_reset, + .init = dwmac4_dma_init, +- .init_chan = dwmac4_dma_init_channel, ++ .init_chan = dwmac410_dma_init_channel, + .init_rx_chan = dwmac4_dma_init_rx_chan, + .init_tx_chan = dwmac4_dma_init_tx_chan, + .axi = dwmac4_dma_axi, +-- +2.16.4 + diff --git a/patches.suse/net-xilinx_emaclite-Do-not-print-real-IOMEM-pointer.patch b/patches.suse/net-xilinx_emaclite-Do-not-print-real-IOMEM-pointer.patch new file mode 100644 index 0000000..fa228e1 --- /dev/null +++ b/patches.suse/net-xilinx_emaclite-Do-not-print-real-IOMEM-pointer.patch @@ -0,0 +1,40 @@ +From 127b84381763bdcb238f8ac27b5f9ca21d1a3428 Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Wed, 19 May 2021 10:47:04 +0800 +Subject: [PATCH 14/16] net: xilinx_emaclite: Do not print real IOMEM pointer +Git-commit: d0d62baa7f505bd4c59cd169692ff07ec49dde37 +Patch-mainline: v5.14-rc1 +References: git-fixes + +Printing kernel pointers is discouraged because they might leak kernel +memory layout. This fixes smatch warning: + +drivers/net/ethernet/xilinx/xilinx_emaclite.c:1191 xemaclite_of_probe() warn: + argument 4 to %08lX specifier is cast from pointer + +Signed-off-by: YueHaibing +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/xilinx/xilinx_emaclite.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/xilinx/xilinx_emaclite.c b/drivers/net/ethernet/xilinx/xilinx_emaclite.c +index 69e31ceccfae..f4aefea36221 100644 +--- a/drivers/net/ethernet/xilinx/xilinx_emaclite.c ++++ b/drivers/net/ethernet/xilinx/xilinx_emaclite.c +@@ -1164,9 +1164,8 @@ static int xemaclite_of_probe(struct platform_device *ofdev) + } + + dev_info(dev, +- "Xilinx EmacLite at 0x%08X mapped to 0x%08X, irq=%d\n", +- (unsigned int __force)ndev->mem_start, +- (unsigned int __force)lp->base_addr, ndev->irq); ++ "Xilinx EmacLite at 0x%08lX mapped to 0x%p, irq=%d\n", ++ (unsigned long __force)ndev->mem_start, lp->base_addr, ndev->irq); + return 0; + + error: +-- +2.16.4 + diff --git a/patches.suse/netfilter-nf_queue-do-not-allow-packet-truncation-be.patch b/patches.suse/netfilter-nf_queue-do-not-allow-packet-truncation-be.patch new file mode 100644 index 0000000..83564ed --- /dev/null +++ b/patches.suse/netfilter-nf_queue-do-not-allow-packet-truncation-be.patch @@ -0,0 +1,52 @@ +From 775f928976af5c52a955aa654ce9e6e16428a951 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Tue, 26 Jul 2022 12:42:06 +0200 +Subject: [PATCH] netfilter: nf_queue: do not allow packet truncation below + transport header offset +Git-commit: 99a63d36cb3ed5ca3aa6fcb64cffbeaf3b0fb164 +Patch-mainline: v5.19-rc8 +References: bsc#1201940 CVE-2022-36946 + +Domingo Dirutigliano and Nicola Guerrera report kernel panic when +sending nf_queue verdict with 1-byte nfta_payload attribute. + +The IP/IPv6 stack pulls the IP(v6) header from the packet after the +input hook. + +If user truncates the packet below the header size, this skb_pull() will +result in a malformed skb (skb->len < 0). + +Fixes: 7af4cc3fa158 ("[NETFILTER]: Add "nfnetlink_queue" netfilter queue handler over nfnetlink") +Reported-by: Domingo Dirutigliano +Signed-off-by: Florian Westphal +Reviewed-by: Pablo Neira Ayuso +Signed-off-by: Denis Kirjanov +--- + net/netfilter/nfnetlink_queue.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c +index 1b17a1b445a3..ec0efb709f3b 100644 +--- a/net/netfilter/nfnetlink_queue.c ++++ b/net/netfilter/nfnetlink_queue.c +@@ -801,11 +801,16 @@ nfqnl_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum) + } + + static int +-nfqnl_mangle(void *data, int data_len, struct nf_queue_entry *e, int diff) ++nfqnl_mangle(void *data, unsigned int data_len, struct nf_queue_entry *e, int diff) + { + struct sk_buff *nskb; + + if (diff < 0) { ++ unsigned int min_len = skb_transport_offset(e->skb); ++ ++ if (data_len < min_len) ++ return -EINVAL; ++ + if (pskb_trim(e->skb, data_len)) + return -ENOMEM; + } else if (diff > 0) { +-- +2.16.4 + diff --git a/patches.suse/netxen_nic-Fix-an-error-handling-path-in-netxen_nic_.patch b/patches.suse/netxen_nic-Fix-an-error-handling-path-in-netxen_nic_.patch new file mode 100644 index 0000000..521540c --- /dev/null +++ b/patches.suse/netxen_nic-Fix-an-error-handling-path-in-netxen_nic_.patch @@ -0,0 +1,37 @@ +From 0fd1278524e424320781b67b02557ca09f01452e Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Sat, 12 Jun 2021 14:53:12 +0200 +Subject: [PATCH 09/16] netxen_nic: Fix an error handling path in + 'netxen_nic_probe()' +Git-commit: 49a10c7b176295f8fafb338911cf028e97f65f4d +Patch-mainline: v5.13-rc7 +References: git-fixes + +If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it +must be undone by a corresponding 'pci_disable_pcie_error_reporting()' +call, as already done in the remove function. + +Fixes: e87ad5539343 ("netxen: support pci error handlers") +Signed-off-by: Christophe JAILLET +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c b/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c +index 42b99b182616..a331ad406e7a 100644 +--- a/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c ++++ b/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c +@@ -1618,6 +1618,8 @@ netxen_nic_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + free_netdev(netdev); + + err_out_free_res: ++ if (NX_IS_REVISION_P3(pdev->revision)) ++ pci_disable_pcie_error_reporting(pdev); + pci_release_regions(pdev); + + err_out_disable_pdev: +-- +2.16.4 + diff --git a/patches.suse/openvswitch-fix-OOB-access-in-reserve_sfa_size.patch b/patches.suse/openvswitch-fix-OOB-access-in-reserve_sfa_size.patch new file mode 100644 index 0000000..10182bd --- /dev/null +++ b/patches.suse/openvswitch-fix-OOB-access-in-reserve_sfa_size.patch @@ -0,0 +1,88 @@ +From cefa91b2332d7009bc0be5d951d6cbbf349f90f8 Mon Sep 17 00:00:00 2001 +From: Paolo Valerio +Date: Fri, 15 Apr 2022 10:08:41 +0200 +Subject: [PATCH] openvswitch: fix OOB access in reserve_sfa_size() +Git-commit: cefa91b2332d7009bc0be5d951d6cbbf349f90f8 +Patch-mainline: v5.18-rc4 +References: CVE-2022-2639 bsc#1202154 + +Given a sufficiently large number of actions, while copying and +reserving memory for a new action of a new flow, if next_offset is +greater than MAX_ACTIONS_BUFSIZE, the function reserve_sfa_size() does +not return -EMSGSIZE as expected, but it allocates MAX_ACTIONS_BUFSIZE +bytes increasing actions_len by req_size. This can then lead to an OOB +write access, especially when further actions need to be copied. + +Fix it by rearranging the flow action size check. + +KASAN splat below: + +================================================================== +Bug: KASAN: slab-out-of-bounds in reserve_sfa_size+0x1ba/0x380 [openvswitch] +Write of size 65360 at addr ffff888147e4001c by task handler15/836 + +Cpu: 1 PID: 836 Comm: handler15 Not tainted 5.18.0-rc1+ #27 +... +Call Trace: + + dump_stack_lvl+0x45/0x5a + print_report.cold+0x5e/0x5db + ? __lock_text_start+0x8/0x8 + ? reserve_sfa_size+0x1ba/0x380 [openvswitch] + kasan_report+0xb5/0x130 + ? reserve_sfa_size+0x1ba/0x380 [openvswitch] + kasan_check_range+0xf5/0x1d0 + memcpy+0x39/0x60 + reserve_sfa_size+0x1ba/0x380 [openvswitch] + __add_action+0x24/0x120 [openvswitch] + ovs_nla_add_action+0xe/0x20 [openvswitch] + ovs_ct_copy_action+0x29d/0x1130 [openvswitch] + ? __kernel_text_address+0xe/0x30 + ? unwind_get_return_address+0x56/0xa0 + ? create_prof_cpu_mask+0x20/0x20 + ? ovs_ct_verify+0xf0/0xf0 [openvswitch] + ? prep_compound_page+0x198/0x2a0 + ? __kasan_check_byte+0x10/0x40 + ? kasan_unpoison+0x40/0x70 + ? ksize+0x44/0x60 + ? reserve_sfa_size+0x75/0x380 [openvswitch] + __ovs_nla_copy_actions+0xc26/0x2070 [openvswitch] + ? __zone_watermark_ok+0x420/0x420 + ? validate_set.constprop.0+0xc90/0xc90 [openvswitch] + ? __alloc_pages+0x1a9/0x3e0 + ? __alloc_pages_slowpath.constprop.0+0x1da0/0x1da0 + ? unwind_next_frame+0x991/0x1e40 + ? __mod_node_page_state+0x99/0x120 + ? __mod_lruvec_page_state+0x2e3/0x470 + ? __kasan_kmalloc_large+0x90/0xe0 + ovs_nla_copy_actions+0x1b4/0x2c0 [openvswitch] + ovs_flow_cmd_new+0x3cd/0xb10 [openvswitch] + ... + +Cc: stable@vger.kernel.org +Fixes: f28cd2af22a0 ("openvswitch: fix flow actions reallocation") +Signed-off-by: Paolo Valerio +Acked-by: Eelco Chaudron +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + net/openvswitch/flow_netlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c +index 7176156d3844..4c09cf8a0ab2 100644 +--- a/net/openvswitch/flow_netlink.c ++++ b/net/openvswitch/flow_netlink.c +@@ -2465,7 +2465,7 @@ static struct nlattr *reserve_sfa_size(struct sw_flow_actions **sfa, + new_acts_size = max(next_offset + req_size, ksize(*sfa) * 2); + + if (new_acts_size > MAX_ACTIONS_BUFSIZE) { +- if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size) { ++ if ((next_offset + req_size) > MAX_ACTIONS_BUFSIZE) { + OVS_NLERR(log, "Flow action size exceeds max %u", + MAX_ACTIONS_BUFSIZE); + return ERR_PTR(-EMSGSIZE); +-- +2.35.3 + diff --git a/patches.suse/pNFS-Don-t-keep-retrying-if-the-server-replied-NFS4E.patch b/patches.suse/pNFS-Don-t-keep-retrying-if-the-server-replied-NFS4E.patch new file mode 100644 index 0000000..a101f0c --- /dev/null +++ b/patches.suse/pNFS-Don-t-keep-retrying-if-the-server-replied-NFS4E.patch @@ -0,0 +1,36 @@ +From: Trond Myklebust +Date: Tue, 31 May 2022 11:03:06 -0400 +Subject: [PATCH] pNFS: Don't keep retrying if the server replied + NFS4ERR_LAYOUTUNAVAILABLE +Git-commit: fe44fb23d6ccde4c914c44ef74ab8d9d9ba02bea +Patch-mainline: v5.19 +References: git-fixes + +If the server tells us that a pNFS layout is not available for a +specific file, then we should not keep pounding it with further +layoutget requests. + +Fixes: 183d9e7b112a ("pnfs: rework LAYOUTGET retry handling") +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Acked-by: NeilBrown + +--- + fs/nfs/pnfs.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/nfs/pnfs.c ++++ b/fs/nfs/pnfs.c +@@ -1915,6 +1915,12 @@ lookup_again: + /* Fallthrough */ + case -EAGAIN: + break; ++ case -ENODATA: ++ /* The server returned NFS4ERR_LAYOUTUNAVAILABLE */ ++ pnfs_layout_set_fail_bit( ++ lo, pnfs_iomode_to_fail_bit(iomode)); ++ lseg = NULL; ++ goto out_put_layout_hdr; + default: + if (!nfs_error_is_fatal(PTR_ERR(lseg))) { + pnfs_layout_clear_fail_bit(lo, pnfs_iomode_to_fail_bit(iomode)); diff --git a/patches.suse/powerpc-64s-rename-pnv-pseries_setup_rfi_flush-to-_s.patch b/patches.suse/powerpc-64s-rename-pnv-pseries_setup_rfi_flush-to-_s.patch index 1a1e791..24f5848 100644 --- a/patches.suse/powerpc-64s-rename-pnv-pseries_setup_rfi_flush-to-_s.patch +++ b/patches.suse/powerpc-64s-rename-pnv-pseries_setup_rfi_flush-to-_s.patch @@ -70,7 +70,6 @@ diff --git a/arch/powerpc/platforms/pseries/mobility.c b/arch/powerpc/platforms/ /* need to force a gratuitous ARP on running interfaces */ rtnl_lock(); diff --git a/arch/powerpc/platforms/pseries/pseries.h b/arch/powerpc/platforms/pseries/pseries.h -index 13fa370a87e4..593840847cd3 100644 --- a/arch/powerpc/platforms/pseries/pseries.h +++ b/arch/powerpc/platforms/pseries/pseries.h @@ -111,7 +111,7 @@ static inline unsigned long cmo_get_page_size(void) @@ -81,7 +80,7 @@ index 13fa370a87e4..593840847cd3 100644 +void pseries_setup_security_mitigations(void); void pseries_lpar_read_hblkrm_characteristics(void); - #endif /* _PSERIES_PSERIES_H */ + void pseries_rng_init(void); diff --git a/arch/powerpc/platforms/pseries/setup.c b/arch/powerpc/platforms/pseries/setup.c index 3617cdb079f6..090c13f6c881 100644 --- a/arch/powerpc/platforms/pseries/setup.c diff --git a/patches.suse/powerpc-fadump-fix-PT_LOAD-segment-for-boot-memory-a.patch b/patches.suse/powerpc-fadump-fix-PT_LOAD-segment-for-boot-memory-a.patch new file mode 100644 index 0000000..c5fce0b --- /dev/null +++ b/patches.suse/powerpc-fadump-fix-PT_LOAD-segment-for-boot-memory-a.patch @@ -0,0 +1,62 @@ +From 15eb77f873255cf9f4d703b63cfbd23c46579654 Mon Sep 17 00:00:00 2001 +From: Hari Bathini +Date: Wed, 6 Apr 2022 15:08:37 +0530 +Subject: [PATCH] powerpc/fadump: fix PT_LOAD segment for boot memory area + +References: bsc#1103269 ltc#169948 git-fixes +Patch-mainline: v5.19-rc1 +Git-commit: 15eb77f873255cf9f4d703b63cfbd23c46579654 + +Boot memory area is setup as separate PT_LOAD segment in the vmcore +as it is moved by f/w, on crash, to a destination address provided by +the kernel. Having separate PT_LOAD segment helps in handling the +different physical address and offset for boot memory area in the +vmcore. + +Commit ced1bf52f477 ("powerpc/fadump: merge adjacent memory ranges to +reduce PT_LOAD segements") inadvertly broke this pre-condition for +cases where some of the first kernel memory is available adjacent to +boot memory area. This scenario is rare but possible when memory for +fadump could not be reserved adjacent to boot memory area owing to +memory hole or such. Reading memory from a vmcore exported in such +scenario provides incorrect data. Fix it by ensuring no other region +is folded into boot memory area. + +Fixes: ced1bf52f477 ("powerpc/fadump: merge adjacent memory ranges to reduce PT_LOAD segements") +Signed-off-by: Hari Bathini +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220406093839.206608-2-hbathini@linux.ibm.com +[ms: we don't have boot_mem_top, use boot_memory_size instead] +Acked-by: Michal Suchanek +--- + arch/powerpc/kernel/fadump.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/kernel/fadump.c b/arch/powerpc/kernel/fadump.c +--- a/arch/powerpc/kernel/fadump.c ++++ b/arch/powerpc/kernel/fadump.c +@@ -867,7 +867,6 @@ static int fadump_alloc_mem_ranges(struct fadump_mrange_info *mrange_info) + sizeof(struct fadump_memory_range)); + return 0; + } +- + static inline int fadump_add_mem_range(struct fadump_mrange_info *mrange_info, + u64 base, u64 end) + { +@@ -886,7 +885,12 @@ static inline int fadump_add_mem_range(struct fadump_mrange_info *mrange_info, + start = mem_ranges[mrange_info->mem_range_cnt - 1].base; + size = mem_ranges[mrange_info->mem_range_cnt - 1].size; + +- if ((start + size) == base) ++ /* ++ * Boot memory area needs separate PT_LOAD segment(s) as it ++ * is moved to a different location at the time of crash. ++ * So, fold only if the region is not boot memory area. ++ */ ++ if ((start + size) == base && start >= fw_dump.boot_memory_size) + is_adjacent = true; + } + if (!is_adjacent) { +-- +2.35.3 + diff --git a/patches.suse/powerpc-fadump-fix-race-between-pstore-write-and-fad.patch b/patches.suse/powerpc-fadump-fix-race-between-pstore-write-and-fad.patch index c53f8fc..a6d0c36 100644 --- a/patches.suse/powerpc-fadump-fix-race-between-pstore-write-and-fad.patch +++ b/patches.suse/powerpc-fadump-fix-race-between-pstore-write-and-fad.patch @@ -103,8 +103,8 @@ Acked-by: Michal Suchanek +static atomic_t cpus_in_fadump; + static DEFINE_MUTEX(fadump_mutex); - struct fad_crash_memory_ranges *crash_memory_ranges; - int crash_memory_ranges_size; + struct fadump_mrange_info crash_mrange_info = { "crash", NULL, 0, 0, 0 }; + @@ -665,8 +675,11 @@ static int register_fw_dump(struct fadum void crash_fadump(struct pt_regs *regs, const char *str) diff --git a/patches.suse/powerpc-fadump-make-crash-memory-ranges-array-alloca.patch b/patches.suse/powerpc-fadump-make-crash-memory-ranges-array-alloca.patch new file mode 100644 index 0000000..a665270 --- /dev/null +++ b/patches.suse/powerpc-fadump-make-crash-memory-ranges-array-alloca.patch @@ -0,0 +1,277 @@ +From e4fc48fb4d34f7e7d42eb980a9c130bb93aba3b9 Mon Sep 17 00:00:00 2001 +From: Hari Bathini +Date: Wed, 11 Sep 2019 20:25:05 +0530 +Subject: [PATCH] powerpc/fadump: make crash memory ranges array allocation + generic + +References: bsc#1103269 ltc#169948 git-fixes +Patch-mainline: v5.4-rc1 +Git-commit: e4fc48fb4d34f7e7d42eb980a9c130bb93aba3b9 + +Make allocate_crash_memory_ranges() and free_crash_memory_ranges() +functions generic to reuse them for memory management of all types of +dynamic memory range arrays. This change helps in memory management +of reserved ranges array to be added later. + +Signed-off-by: Hari Bathini +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/156821369863.5656.4375667005352155892.stgit@hbathini.in.ibm.com +Acked-by: Michal Suchanek +--- + arch/powerpc/include/asm/fadump-internal.h | 15 ++- + arch/powerpc/kernel/fadump.c | 113 +++++++++++---------- + 2 files changed, 72 insertions(+), 56 deletions(-) + +diff --git a/arch/powerpc/include/asm/fadump-internal.h b/arch/powerpc/include/asm/fadump-internal.h +--- a/arch/powerpc/include/asm/fadump.h ++++ b/arch/powerpc/include/asm/fadump.h +@@ -72,9 +72,18 @@ struct fadump_crash_info_header { + struct cpumask online_mask; + }; + +-struct fad_crash_memory_ranges { +- unsigned long long base; +- unsigned long long size; ++struct fadump_memory_range { ++ u64 base; ++ u64 size; ++}; ++ ++/* fadump memory ranges info */ ++struct fadump_mrange_info { ++ char name[16]; ++ struct fadump_memory_range *mem_ranges; ++ u32 mem_ranges_sz; ++ u32 mem_range_cnt; ++ u32 max_mem_ranges; + }; + + extern int is_fadump_memory_area(u64 addr, ulong size); +diff --git a/arch/powerpc/kernel/fadump.c b/arch/powerpc/kernel/fadump.c +--- a/arch/powerpc/kernel/fadump.c ++++ b/arch/powerpc/kernel/fadump.c +@@ -35,10 +35,7 @@ + #endif + + static DEFINE_MUTEX(fadump_mutex); +-struct fad_crash_memory_ranges *crash_memory_ranges; +-int crash_memory_ranges_size; +-int crash_mem_ranges; +-int max_crash_mem_ranges; ++struct fadump_mrange_info crash_mrange_info = { "crash", NULL, 0, 0, 0 }; + + #ifdef CONFIG_CMA + /* +@@ -629,46 +626,48 @@ void fadump_free_cpu_notes_buf(void) + return 0; + } + +-static void free_crash_memory_ranges(void) ++static void fadump_free_mem_ranges(struct fadump_mrange_info *mrange_info) + { +- kfree(crash_memory_ranges); +- crash_memory_ranges = NULL; +- crash_memory_ranges_size = 0; +- max_crash_mem_ranges = 0; ++ kfree(mrange_info->mem_ranges); ++ mrange_info->mem_ranges = NULL; ++ mrange_info->mem_ranges_sz = 0; ++ mrange_info->max_mem_ranges = 0; + } + + /* +- * Allocate or reallocate crash memory ranges array in incremental units ++ * Allocate or reallocate mem_ranges array in incremental units + * of PAGE_SIZE. + */ +-static int allocate_crash_memory_ranges(void) ++static int fadump_alloc_mem_ranges(struct fadump_mrange_info *mrange_info) + { +- struct fad_crash_memory_ranges *new_array; ++ struct fadump_memory_range *new_array; + u64 new_size; + +- new_size = crash_memory_ranges_size + PAGE_SIZE; +- pr_debug("Allocating %llu bytes of memory for crash memory ranges\n", +- new_size); ++ new_size = mrange_info->mem_ranges_sz + PAGE_SIZE; ++ pr_debug("Allocating %llu bytes of memory for %s memory ranges\n", ++ new_size, mrange_info->name); + +- new_array = krealloc(crash_memory_ranges, new_size, GFP_KERNEL); ++ new_array = krealloc(mrange_info->mem_ranges, new_size, GFP_KERNEL); + if (new_array == NULL) { +- pr_err("Insufficient memory for setting up crash memory ranges\n"); +- free_crash_memory_ranges(); ++ pr_err("Insufficient memory for setting up %s memory ranges\n", ++ mrange_info->name); ++ fadump_free_mem_ranges(mrange_info); + return -ENOMEM; + } + +- crash_memory_ranges = new_array; +- crash_memory_ranges_size = new_size; +- max_crash_mem_ranges = (new_size / +- sizeof(struct fad_crash_memory_ranges)); ++ mrange_info->mem_ranges = new_array; ++ mrange_info->mem_ranges_sz = new_size; ++ mrange_info->max_mem_ranges = (new_size / ++ sizeof(struct fadump_memory_range)); + return 0; + } + +-static inline int fadump_add_crash_memory(unsigned long long base, +- unsigned long long end) ++static inline int fadump_add_mem_range(struct fadump_mrange_info *mrange_info, ++ u64 base, u64 end) + { +- u64 start, size; ++ struct fadump_memory_range *mem_ranges = mrange_info->mem_ranges; + bool is_adjacent = false; ++ u64 start, size; + + if (base == end) + return 0; +@@ -677,38 +676,41 @@ static inline int fadump_add_crash_memory(unsigned long long base, + * Fold adjacent memory ranges to bring down the memory ranges/ + * PT_LOAD segments count. + */ +- if (crash_mem_ranges) { +- start = crash_memory_ranges[crash_mem_ranges - 1].base; +- size = crash_memory_ranges[crash_mem_ranges - 1].size; ++ if (mrange_info->mem_range_cnt) { ++ start = mem_ranges[mrange_info->mem_range_cnt - 1].base; ++ size = mem_ranges[mrange_info->mem_range_cnt - 1].size; + + if ((start + size) == base) + is_adjacent = true; + } + if (!is_adjacent) { + /* resize the array on reaching the limit */ +- if (crash_mem_ranges == max_crash_mem_ranges) { ++ if (mrange_info->mem_range_cnt == mrange_info->max_mem_ranges) { + int ret; + +- ret = allocate_crash_memory_ranges(); ++ ret = fadump_alloc_mem_ranges(mrange_info); + if (ret) + return ret; ++ ++ /* Update to the new resized array */ ++ mem_ranges = mrange_info->mem_ranges; + } + + start = base; +- crash_memory_ranges[crash_mem_ranges].base = start; +- crash_mem_ranges++; ++ mem_ranges[mrange_info->mem_range_cnt].base = start; ++ mrange_info->mem_range_cnt++; + } + +- crash_memory_ranges[crash_mem_ranges - 1].size = (end - start); +- pr_debug("crash_memory_range[%d] [%#016llx-%#016llx], %#llx bytes\n", +- (crash_mem_ranges - 1), start, end - 1, (end - start)); ++ mem_ranges[mrange_info->mem_range_cnt - 1].size = (end - start); ++ pr_debug("%s_memory_range[%d] [%#016llx-%#016llx], %#llx bytes\n", ++ mrange_info->name, (mrange_info->mem_range_cnt - 1), ++ start, end - 1, (end - start)); + return 0; + } + +-static int fadump_exclude_reserved_area(unsigned long long start, +- unsigned long long end) ++static int fadump_exclude_reserved_area(u64 start, u64 end) + { +- unsigned long long ra_start, ra_end; ++ u64 ra_start, ra_end; + int ret = 0; + + ra_start = fw_dump.reserve_dump_area_start; +@@ -716,18 +718,22 @@ static int fadump_exclude_reserved_area(unsigned long long start, + + if ((ra_start < end) && (ra_end > start)) { + if ((start < ra_start) && (end > ra_end)) { +- ret = fadump_add_crash_memory(start, ra_start); ++ ret = fadump_add_mem_range(&crash_mrange_info, ++ start, ra_start); + if (ret) + return ret; + +- ret = fadump_add_crash_memory(ra_end, end); ++ ret = fadump_add_mem_range(&crash_mrange_info, ++ ra_end, end); + } else if (start < ra_start) { +- ret = fadump_add_crash_memory(start, ra_start); ++ ret = fadump_add_mem_range(&crash_mrange_info, ++ start, ra_start); + } else if (ra_end < end) { +- ret = fadump_add_crash_memory(ra_end, end); ++ ret = fadump_add_mem_range(&crash_mrange_info, ++ ra_end, end); + } + } else +- ret = fadump_add_crash_memory(start, end); ++ ret = fadump_add_mem_range(&crash_mrange_info, start, end); + + return ret; + } +@@ -772,11 +778,11 @@ static int fadump_init_elfcore_header(char *bufp) + static int fadump_setup_crash_memory_ranges(void) + { + struct memblock_region *reg; +- unsigned long long start, end; ++ u64 start, end; + int ret; + + pr_debug("Setup crash memory ranges.\n"); +- crash_mem_ranges = 0; ++ crash_mrange_info.mem_range_cnt = 0; + + /* + * add the first memory chunk (RMA_START through boot_memory_size) as +@@ -785,13 +791,14 @@ static int fadump_setup_crash_memory_ranges(void) + * specified during fadump registration. We need to create a separate + * program header for this chunk with the correct offset. + */ +- ret = fadump_add_crash_memory(RMA_START, fw_dump.boot_memory_size); ++ ret = fadump_add_mem_range(&crash_mrange_info, ++ RMA_START, fw_dump.boot_memory_size); + if (ret) + return ret; + + for_each_memblock(memory, reg) { +- start = (unsigned long long)reg->base; +- end = start + (unsigned long long)reg->size; ++ start = (u64)reg->base; ++ end = start + (u64)reg->size; + + /* + * skip the first memory chunk that is already added (RMA_START +@@ -876,11 +883,11 @@ static int fadump_create_elfcore_headers(char *bufp) + + /* setup PT_LOAD sections. */ + +- for (i = 0; i < crash_mem_ranges; i++) { +- unsigned long long mbase, msize; +- mbase = crash_memory_ranges[i].base; +- msize = crash_memory_ranges[i].size; ++ for (i = 0; i < crash_mrange_info.mem_range_cnt; i++) { ++ u64 mbase, msize; + ++ mbase = crash_mrange_info.mem_ranges[i].base; ++ msize = crash_mrange_info.mem_ranges[i].size; + if (!msize) + continue; + +@@ -973,7 +980,7 @@ void fadump_cleanup(void) + } else if (fw_dump.dump_registered) { + /* Un-register Firmware-assisted dump if it was registered. */ + fadump_unregister_dump(&fdm); +- free_crash_memory_ranges(); ++ fadump_free_mem_ranges(&crash_mrange_info); + } + } + +-- +2.35.3 + diff --git a/patches.suse/powerpc-powernv-Avoid-crashing-if-rng-is-NULL.patch b/patches.suse/powerpc-powernv-Avoid-crashing-if-rng-is-NULL.patch new file mode 100644 index 0000000..aa121e1 --- /dev/null +++ b/patches.suse/powerpc-powernv-Avoid-crashing-if-rng-is-NULL.patch @@ -0,0 +1,44 @@ +From 90b5d4fe0b3ba7f589c6723c6bfb559d9e83956a Mon Sep 17 00:00:00 2001 +From: Michael Ellerman +Date: Thu, 28 Jul 2022 00:32:17 +1000 +Subject: [PATCH] powerpc/powernv: Avoid crashing if rng is NULL + +References: bsc#1065729 +Patch-mainline: v6.0-rc1 +Git-commit: 90b5d4fe0b3ba7f589c6723c6bfb559d9e83956a + +On a bare-metal Power8 system that doesn't have an "ibm,power-rng", a +malicious QEMU and guest that ignore the absence of the +KVM_CAP_PPC_HWRNG flag, and calls H_RANDOM anyway, will dereference a +NULL pointer. + +In practice all Power8 machines have an "ibm,power-rng", but let's not +rely on that, add a NULL check and early return in +powernv_get_random_real_mode(). + +Fixes: e928e9cb3601 ("KVM: PPC: Book3S HV: Add fast real-mode H_RANDOM implementation.") +Cc: stable@vger.kernel.org # v4.1+ +Signed-off-by: Jason A. Donenfeld +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220727143219.2684192-1-mpe@ellerman.id.au +Acked-by: Michal Suchanek +--- + arch/powerpc/platforms/powernv/rng.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/powerpc/platforms/powernv/rng.c b/arch/powerpc/platforms/powernv/rng.c +index 3805ad13b8f3..2287c9cd0cd5 100644 +--- a/arch/powerpc/platforms/powernv/rng.c ++++ b/arch/powerpc/platforms/powernv/rng.c +@@ -63,6 +63,8 @@ int powernv_get_random_real_mode(unsigned long *v) + struct powernv_rng *rng; + + rng = raw_cpu_read(powernv_rng); ++ if (!rng) ++ return 0; + + *v = rng_whiten(rng, __raw_rm_readq(rng->regs_real)); + +-- +2.35.3 + diff --git a/patches.suse/powerpc-powernv-Staticify-functions-without-prototyp.patch b/patches.suse/powerpc-powernv-Staticify-functions-without-prototyp.patch new file mode 100644 index 0000000..be5c7be --- /dev/null +++ b/patches.suse/powerpc-powernv-Staticify-functions-without-prototyp.patch @@ -0,0 +1,44 @@ +From 3b70464aa78917e88c1d4bfc2100c344c0eda8e0 Mon Sep 17 00:00:00 2001 +From: Oliver O'Halloran +Date: Tue, 4 Aug 2020 10:54:07 +1000 +Subject: [PATCH] powerpc/powernv: Staticify functions without prototypes + +References: bsc#1065729 +Patch-mainline: v5.10-rc1 +Git-commit: 3b70464aa78917e88c1d4bfc2100c344c0eda8e0 + +There's a few scattered in the powernv platform. + +Signed-off-by: Oliver O'Halloran +Reviewed-by: Joel Stanley +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200804005410.146094-4-oohall@gmail.com +Acked-by: Michal Suchanek +--- + arch/powerpc/platforms/powernv/eeh-powernv.c | 4 ++-- + arch/powerpc/platforms/powernv/rng.c | 2 +- + arch/powerpc/platforms/powernv/vas-window.c | 9 ++++----- + 3 files changed, 7 insertions(+), 8 deletions(-) + +--- a/arch/powerpc/platforms/powernv/eeh-powernv.c ++++ b/arch/powerpc/platforms/powernv/eeh-powernv.c +@@ -44,7 +44,7 @@ + static bool pnv_eeh_nb_init = false; + static int eeh_event_irq = -EINVAL; + +-void pnv_pcibios_bus_add_device(struct pci_dev *pdev) ++static void pnv_pcibios_bus_add_device(struct pci_dev *pdev) + { + struct pci_dn *pdn = pci_get_pdn(pdev); + +--- a/arch/powerpc/platforms/powernv/rng.c ++++ b/arch/powerpc/platforms/powernv/rng.c +@@ -69,7 +69,7 @@ int powernv_get_random_real_mode(unsigne + return 1; + } + +-int powernv_get_random_darn(unsigned long *v) ++static int powernv_get_random_darn(unsigned long *v) + { + unsigned long val; + diff --git a/patches.suse/powerpc-powernv-Use-darn-instruction-for-get_random_.patch b/patches.suse/powerpc-powernv-Use-darn-instruction-for-get_random_.patch new file mode 100644 index 0000000..95f5ada --- /dev/null +++ b/patches.suse/powerpc-powernv-Use-darn-instruction-for-get_random_.patch @@ -0,0 +1,125 @@ +From e66ca3db5917f4bcad039d3a3df9f1003797c249 Mon Sep 17 00:00:00 2001 +From: Matt Brown +Date: Fri, 4 Aug 2017 11:12:18 +1000 +Subject: [PATCH] powerpc/powernv: Use darn instruction for get_random_seed() + on Power9 + +References: bsc#1065729 +Patch-mainline: v4.14-rc1 +Git-commit: e66ca3db5917f4bcad039d3a3df9f1003797c249 + +This adds powernv_get_random_darn() which utilises the darn instruction, +introduced in ISA v3.0/POWER9. + +The darn instruction can potentially return an error, which is supported +by the get_random_seed() API, in normal usage if we see an error we just +return that to the caller. + +However when detecting whether darn is functional at boot we try up to +10 times, before deciding that darn doesn't work and failing the +registration of get_random_seed(). That way an intermittent failure +at boot doesn't deprive the system of randomness until the next reboot. + +Signed-off-by: Matt Brown +[mpe: Move init into a function, tweak change log] +Signed-off-by: Michael Ellerman +Acked-by: Michal Suchanek +--- + arch/powerpc/include/asm/ppc-opcode.h | 4 +++ + arch/powerpc/platforms/powernv/rng.c | 39 +++++++++++++++++++++++++++ + 2 files changed, 43 insertions(+) + +diff --git a/arch/powerpc/include/asm/ppc-opcode.h b/arch/powerpc/include/asm/ppc-opcode.h +index fa9ebaead91e..041ba15aa2b9 100644 +--- a/arch/powerpc/include/asm/ppc-opcode.h ++++ b/arch/powerpc/include/asm/ppc-opcode.h +@@ -193,6 +193,7 @@ + #define PPC_INST_CLRBHRB 0x7c00035c + #define PPC_INST_COPY 0x7c20060c + #define PPC_INST_CP_ABORT 0x7c00068c ++#define PPC_INST_DARN 0x7c0005e6 + #define PPC_INST_DCBA 0x7c0005ec + #define PPC_INST_DCBA_MASK 0xfc0007fe + #define PPC_INST_DCBAL 0x7c2005ec +@@ -395,6 +396,9 @@ + #define PPC_CP_ABORT stringify_in_c(.long PPC_INST_CP_ABORT) + #define PPC_COPY(a, b) stringify_in_c(.long PPC_INST_COPY | \ + ___PPC_RA(a) | ___PPC_RB(b)) ++#define PPC_DARN(t, l) stringify_in_c(.long PPC_INST_DARN | \ ++ ___PPC_RT(t) | \ ++ (((l) & 0x3) << 16)) + #define PPC_DCBAL(a, b) stringify_in_c(.long PPC_INST_DCBAL | \ + __PPC_RA(a) | __PPC_RB(b)) + #define PPC_DCBZL(a, b) stringify_in_c(.long PPC_INST_DCBZL | \ +diff --git a/arch/powerpc/platforms/powernv/rng.c b/arch/powerpc/platforms/powernv/rng.c +index 1a9d84371a4d..c5ce3a8bd4c9 100644 +--- a/arch/powerpc/platforms/powernv/rng.c ++++ b/arch/powerpc/platforms/powernv/rng.c +@@ -16,11 +16,13 @@ + #include + #include + #include ++#include + #include + #include + #include + #include + ++#define DARN_ERR 0xFFFFFFFFFFFFFFFFul + + struct powernv_rng { + void __iomem *regs; +@@ -67,6 +69,41 @@ int powernv_get_random_real_mode(unsigned long *v) + return 1; + } + ++int powernv_get_random_darn(unsigned long *v) ++{ ++ unsigned long val; ++ ++ /* Using DARN with L=1 - 64-bit conditioned random number */ ++ asm volatile(PPC_DARN(%0, 1) : "=r"(val)); ++ ++ if (val == DARN_ERR) ++ return 0; ++ ++ *v = val; ++ ++ return 1; ++} ++ ++static int initialise_darn(void) ++{ ++ unsigned long val; ++ int i; ++ ++ if (!cpu_has_feature(CPU_FTR_ARCH_300)) ++ return -ENODEV; ++ ++ for (i = 0; i < 10; i++) { ++ if (powernv_get_random_darn(&val)) { ++ ppc_md.get_random_seed = powernv_get_random_darn; ++ return 0; ++ } ++ } ++ ++ pr_warn("Unable to use DARN for get_random_seed()\n"); ++ ++ return -EIO; ++} ++ + int powernv_get_random_long(unsigned long *v) + { + struct powernv_rng *rng; +@@ -150,6 +187,8 @@ static __init int rng_init(void) + of_platform_device_create(dn, NULL, NULL); + } + ++ initialise_darn(); ++ + return 0; + } + machine_subsys_initcall(powernv, rng_init); +-- +2.35.3 + diff --git a/patches.suse/powerpc-powernv-delay-rng-platform-device-creation-u.patch b/patches.suse/powerpc-powernv-delay-rng-platform-device-creation-u.patch new file mode 100644 index 0000000..443edd1 --- /dev/null +++ b/patches.suse/powerpc-powernv-delay-rng-platform-device-creation-u.patch @@ -0,0 +1,79 @@ +From 887502826549caa7e4215fd9e628f48f14c0825a Mon Sep 17 00:00:00 2001 +From: "Jason A. Donenfeld" +Date: Thu, 30 Jun 2022 14:16:54 +0200 +Subject: [PATCH] powerpc/powernv: delay rng platform device creation until + later in boot + +References: bsc#1065729 +Patch-mainline: v5.19-rc6 +Git-commit: 887502826549caa7e4215fd9e628f48f14c0825a + +The platform device for the rng must be created much later in boot. +Otherwise it tries to connect to a parent that doesn't yet exist, +resulting in this splat: + + [ 0.000478] kobject: '(null)' ((____ptrval____)): is not initialized, yet kobject_get() is being called. + [ 0.002925] [c000000002a0fb30] [c00000000073b0bc] kobject_get+0x8c/0x100 (unreliable) + [ 0.003071] [c000000002a0fba0] [c00000000087e464] device_add+0xf4/0xb00 + [ 0.003194] [c000000002a0fc80] [c000000000a7f6e4] of_device_add+0x64/0x80 + [ 0.003321] [c000000002a0fcb0] [c000000000a800d0] of_platform_device_create_pdata+0xd0/0x1b0 + [ 0.003476] [c000000002a0fd00] [c00000000201fa44] pnv_get_random_long_early+0x240/0x2e4 + [ 0.003623] [c000000002a0fe20] [c000000002060c38] random_init+0xc0/0x214 + +This patch fixes the issue by doing the platform device creation inside +of machine_subsys_initcall. + +Fixes: f3eac426657d ("powerpc/powernv: wire up rng during setup_arch") +Cc: stable@vger.kernel.org +Reported-by: Sachin Sant +Signed-off-by: Jason A. Donenfeld +Tested-by: Sachin Sant +[mpe: Change "of node" to "platform device" in change log] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220630121654.1939181-1-Jason@zx2c4.com +Acked-by: Michal Suchanek +--- + arch/powerpc/platforms/powernv/rng.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/arch/powerpc/platforms/powernv/rng.c b/arch/powerpc/platforms/powernv/rng.c +index 463c78c52cc5..3805ad13b8f3 100644 +--- a/arch/powerpc/platforms/powernv/rng.c ++++ b/arch/powerpc/platforms/powernv/rng.c +@@ -176,12 +176,8 @@ static int __init pnv_get_random_long_early(unsigned long *v) + NULL) != pnv_get_random_long_early) + return 0; + +- for_each_compatible_node(dn, NULL, "ibm,power-rng") { +- if (rng_create(dn)) +- continue; +- /* Create devices for hwrng driver */ +- of_platform_device_create(dn, NULL, NULL); +- } ++ for_each_compatible_node(dn, NULL, "ibm,power-rng") ++ rng_create(dn); + + if (!ppc_md.get_random_seed) + return 0; +@@ -205,10 +201,18 @@ void __init pnv_rng_init(void) + + static int __init pnv_rng_late_init(void) + { ++ struct device_node *dn; + unsigned long v; ++ + /* In case it wasn't called during init for some other reason. */ + if (ppc_md.get_random_seed == pnv_get_random_long_early) + pnv_get_random_long_early(&v); ++ ++ if (ppc_md.get_random_seed == powernv_get_random_long) { ++ for_each_compatible_node(dn, NULL, "ibm,power-rng") ++ of_platform_device_create(dn, NULL, NULL); ++ } ++ + return 0; + } + machine_subsys_initcall(powernv, pnv_rng_late_init); +-- +2.35.3 + diff --git a/patches.suse/powerpc-powernv-kvm-Use-darn-for-H_RANDOM-on-Power9.patch b/patches.suse/powerpc-powernv-kvm-Use-darn-for-H_RANDOM-on-Power9.patch new file mode 100644 index 0000000..f1bc160 --- /dev/null +++ b/patches.suse/powerpc-powernv-kvm-Use-darn-for-H_RANDOM-on-Power9.patch @@ -0,0 +1,151 @@ +From 7ef3d06f1bc4a5e62273726f3dc2bd258ae1c71f Mon Sep 17 00:00:00 2001 +From: "Jason A. Donenfeld" +Date: Thu, 28 Jul 2022 00:32:18 +1000 +Subject: [PATCH] powerpc/powernv/kvm: Use darn for H_RANDOM on Power9 + +References: bsc#1065729 +Patch-mainline: v6.0-rc1 +Git-commit: 7ef3d06f1bc4a5e62273726f3dc2bd258ae1c71f + +The existing logic in KVM to support guests calling H_RANDOM only works +on Power8, because it looks for an RNG in the device tree, but on Power9 +we just use darn. + +In addition the existing code needs to work in real mode, so we have the +special cased powernv_get_random_real_mode() to deal with that. + +Instead just have KVM call ppc_md.get_random_seed(), and do the real +mode check inside of there, that way we use whatever RNG is available, +including darn on Power9. + +Fixes: e928e9cb3601 ("KVM: PPC: Book3S HV: Add fast real-mode H_RANDOM implementation.") +Cc: stable@vger.kernel.org # v4.1+ +Signed-off-by: Jason A. Donenfeld +Tested-by: Sachin Sant +[mpe: Rebase on previous commit, update change log appropriately] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220727143219.2684192-2-mpe@ellerman.id.au +Acked-by: Michal Suchanek +--- + arch/powerpc/include/asm/archrandom.h | 5 ---- + arch/powerpc/kvm/book3s_hv_builtin.c | 7 +++--- + arch/powerpc/platforms/powernv/rng.c | 36 ++++++--------------------- + 3 files changed, 12 insertions(+), 36 deletions(-) + +diff --git a/arch/powerpc/include/asm/archrandom.h b/arch/powerpc/include/asm/archrandom.h +index 9a53e29680f4..258174304904 100644 +--- a/arch/powerpc/include/asm/archrandom.h ++++ b/arch/powerpc/include/asm/archrandom.h +@@ -38,12 +38,7 @@ static inline bool __must_check arch_get_random_seed_int(unsigned int *v) + #endif /* CONFIG_ARCH_RANDOM */ + + #ifdef CONFIG_PPC_POWERNV +-int powernv_hwrng_present(void); + int powernv_get_random_long(unsigned long *v); +-int powernv_get_random_real_mode(unsigned long *v); +-#else +-static inline int powernv_hwrng_present(void) { return 0; } +-static inline int powernv_get_random_real_mode(unsigned long *v) { return 0; } + #endif + + #endif /* _ASM_POWERPC_ARCHRANDOM_H */ +diff --git a/arch/powerpc/kvm/book3s_hv_builtin.c b/arch/powerpc/kvm/book3s_hv_builtin.c +--- a/arch/powerpc/kvm/book3s_hv_builtin.c ++++ b/arch/powerpc/kvm/book3s_hv_builtin.c +@@ -19,7 +19,7 @@ + #include + #include + #include +-#include ++#include + #include + #include + #include +@@ -176,20 +176,14 @@ EXPORT_SYMBOL_GPL(kvmppc_hcall_impl_hv_realmode); + + int kvmppc_hwrng_present(void) + { +- return powernv_hwrng_present(); ++ return ppc_md.get_random_seed != NULL; + } + EXPORT_SYMBOL_GPL(kvmppc_hwrng_present); + + long kvmppc_h_random(struct kvm_vcpu *vcpu) + { +- int r; +- +- /* Only need to do the expensive mfmsr() on radix */ +- if (kvm_is_radix(vcpu->kvm) && (mfmsr() & MSR_IR)) +- r = powernv_get_random_long(&vcpu->arch.regs.gpr[4]); +- else +- r = powernv_get_random_real_mode(&vcpu->arch.regs.gpr[4]); +- if (r) ++ if (ppc_md.get_random_seed && ++ ppc_md.get_random_seed(&vcpu->arch.regs.gpr[4])) + return H_SUCCESS; + + return H_HARDWARE; +diff --git a/arch/powerpc/platforms/powernv/rng.c b/arch/powerpc/platforms/powernv/rng.c +index 2287c9cd0cd5..d19305292e1e 100644 +--- a/arch/powerpc/platforms/powernv/rng.c ++++ b/arch/powerpc/platforms/powernv/rng.c +@@ -29,15 +29,6 @@ struct powernv_rng { + + static DEFINE_PER_CPU(struct powernv_rng *, powernv_rng); + +-int powernv_hwrng_present(void) +-{ +- struct powernv_rng *rng; +- +- rng = get_cpu_var(powernv_rng); +- put_cpu_var(rng); +- return rng != NULL; +-} +- + static unsigned long rng_whiten(struct powernv_rng *rng, unsigned long val) + { + unsigned long parity; +@@ -58,19 +49,6 @@ static unsigned long rng_whiten(struct powernv_rng *rng, unsigned long val) + return val; + } + +-int powernv_get_random_real_mode(unsigned long *v) +-{ +- struct powernv_rng *rng; +- +- rng = raw_cpu_read(powernv_rng); +- if (!rng) +- return 0; +- +- *v = rng_whiten(rng, __raw_rm_readq(rng->regs_real)); +- +- return 1; +-} +- + static int powernv_get_random_darn(unsigned long *v) + { + unsigned long val; +@@ -107,12 +85,14 @@ int powernv_get_random_long(unsigned long *v) + { + struct powernv_rng *rng; + +- rng = get_cpu_var(powernv_rng); +- +- *v = rng_whiten(rng, in_be64(rng->regs)); +- +- put_cpu_var(rng); +- ++ if (mfmsr() & MSR_DR) { ++ rng = get_cpu_var(powernv_rng); ++ *v = rng_whiten(rng, in_be64(rng->regs)); ++ put_cpu_var(rng); ++ } else { ++ rng = raw_cpu_read(powernv_rng); ++ *v = rng_whiten(rng, __raw_rm_readq(rng->regs_real)); ++ } + return 1; + } + EXPORT_SYMBOL_GPL(powernv_get_random_long); +-- +2.35.3 + diff --git a/patches.suse/powerpc-powernv-rename-remaining-rng-powernv_-functi.patch b/patches.suse/powerpc-powernv-rename-remaining-rng-powernv_-functi.patch new file mode 100644 index 0000000..480bf48 --- /dev/null +++ b/patches.suse/powerpc-powernv-rename-remaining-rng-powernv_-functi.patch @@ -0,0 +1,167 @@ +From 978030f054ff97d9079b35f0178e2013918fb316 Mon Sep 17 00:00:00 2001 +From: "Jason A. Donenfeld" +Date: Thu, 28 Jul 2022 00:32:19 +1000 +Subject: [PATCH] powerpc/powernv: rename remaining rng powernv_ functions to + pnv_ + +References: bsc#1065729 +Patch-mainline: v6.0-rc1 +Git-commit: 978030f054ff97d9079b35f0178e2013918fb316 + +The preferred nomenclature is pnv_, not powernv_, but rng.c used +powernv_ for some reason, which isn't consistent with the rest. A recent +commit added a few pnv_ functions to rng.c, making the file a bit of a +mishmash. This commit just replaces the rest of them. + +Fixes: f3eac426657d ("powerpc/powernv: wire up rng during setup_arch") +Signed-off-by: Jason A. Donenfeld +Tested-by: Sachin Sant +[mpe: Reorder after bug fix commits] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220727143219.2684192-3-mpe@ellerman.id.au +Acked-by: Michal Suchanek +--- + arch/powerpc/include/asm/archrandom.h | 2 +- + arch/powerpc/platforms/powernv/rng.c | 34 +++++++++++++-------------- + drivers/char/hw_random/powernv-rng.c | 2 +- + 3 files changed, 19 insertions(+), 19 deletions(-) + +diff --git a/arch/powerpc/include/asm/archrandom.h b/arch/powerpc/include/asm/archrandom.h +index 258174304904..3af27bb84a3d 100644 +--- a/arch/powerpc/include/asm/archrandom.h ++++ b/arch/powerpc/include/asm/archrandom.h +@@ -38,7 +38,7 @@ static inline bool __must_check arch_get_random_seed_int(unsigned int *v) + #endif /* CONFIG_ARCH_RANDOM */ + + #ifdef CONFIG_PPC_POWERNV +-int powernv_get_random_long(unsigned long *v); ++int pnv_get_random_long(unsigned long *v); + #endif + + #endif /* _ASM_POWERPC_ARCHRANDOM_H */ +diff --git a/arch/powerpc/platforms/powernv/rng.c b/arch/powerpc/platforms/powernv/rng.c +index d19305292e1e..196aa70fe043 100644 +--- a/arch/powerpc/platforms/powernv/rng.c ++++ b/arch/powerpc/platforms/powernv/rng.c +@@ -21,15 +21,15 @@ + + #define DARN_ERR 0xFFFFFFFFFFFFFFFFul + +-struct powernv_rng { ++struct pnv_rng { + void __iomem *regs; + void __iomem *regs_real; + unsigned long mask; + }; + +-static DEFINE_PER_CPU(struct powernv_rng *, powernv_rng); ++static DEFINE_PER_CPU(struct pnv_rng *, pnv_rng); + +-static unsigned long rng_whiten(struct powernv_rng *rng, unsigned long val) ++static unsigned long rng_whiten(struct pnv_rng *rng, unsigned long val) + { + unsigned long parity; + +@@ -49,7 +49,7 @@ static unsigned long rng_whiten(struct powernv_rng *rng, unsigned long val) + return val; + } + +-static int powernv_get_random_darn(unsigned long *v) ++static int pnv_get_random_darn(unsigned long *v) + { + unsigned long val; + +@@ -73,31 +73,31 @@ static int __init initialise_darn(void) + return -ENODEV; + + for (i = 0; i < 10; i++) { +- if (powernv_get_random_darn(&val)) { +- ppc_md.get_random_seed = powernv_get_random_darn; ++ if (pnv_get_random_darn(&val)) { ++ ppc_md.get_random_seed = pnv_get_random_darn; + return 0; + } + } + return -EIO; + } + +-int powernv_get_random_long(unsigned long *v) ++int pnv_get_random_long(unsigned long *v) + { +- struct powernv_rng *rng; ++ struct pnv_rng *rng; + + if (mfmsr() & MSR_DR) { +- rng = get_cpu_var(powernv_rng); ++ rng = get_cpu_var(pnv_rng); + *v = rng_whiten(rng, in_be64(rng->regs)); + put_cpu_var(rng); + } else { +- rng = raw_cpu_read(powernv_rng); ++ rng = raw_cpu_read(pnv_rng); + *v = rng_whiten(rng, __raw_rm_readq(rng->regs_real)); + } + return 1; + } +-EXPORT_SYMBOL_GPL(powernv_get_random_long); ++EXPORT_SYMBOL_GPL(pnv_get_random_long); + +-static __init void rng_init_per_cpu(struct powernv_rng *rng, ++static __init void rng_init_per_cpu(struct pnv_rng *rng, + struct device_node *dn) + { + int chip_id, cpu; +@@ -107,16 +107,16 @@ static __init void rng_init_per_cpu(struct powernv_rng *rng, + pr_warn("No ibm,chip-id found for %pOF.\n", dn); + + for_each_possible_cpu(cpu) { +- if (per_cpu(powernv_rng, cpu) == NULL || ++ if (per_cpu(pnv_rng, cpu) == NULL || + cpu_to_chip_id(cpu) == chip_id) { +- per_cpu(powernv_rng, cpu) = rng; ++ per_cpu(pnv_rng, cpu) = rng; + } + } + } + + static __init int rng_create(struct device_node *dn) + { +- struct powernv_rng *rng; ++ struct pnv_rng *rng; + struct resource res; + unsigned long val; + +@@ -142,7 +142,7 @@ static __init int rng_create(struct device_node *dn) + + rng_init_per_cpu(rng, dn); + +- ppc_md.get_random_seed = powernv_get_random_long; ++ ppc_md.get_random_seed = pnv_get_random_long; + + return 0; + } +@@ -190,7 +190,7 @@ static int __init pnv_rng_late_init(void) + if (ppc_md.get_random_seed == pnv_get_random_long_early) + pnv_get_random_long_early(&v); + +- if (ppc_md.get_random_seed == powernv_get_random_long) { ++ if (ppc_md.get_random_seed == pnv_get_random_long) { + for_each_compatible_node(dn, NULL, "ibm,power-rng") + of_platform_device_create(dn, NULL, NULL); + } +diff --git a/drivers/char/hw_random/powernv-rng.c b/drivers/char/hw_random/powernv-rng.c +index 8da1d7917bdc..429e956f34e1 100644 +--- a/drivers/char/hw_random/powernv-rng.c ++++ b/drivers/char/hw_random/powernv-rng.c +@@ -23,7 +23,7 @@ static int powernv_rng_read(struct hwrng *rng, void *data, size_t max, bool wait + buf = (unsigned long *)data; + + for (i = 0; i < len; i++) +- powernv_get_random_long(buf++); ++ pnv_get_random_long(buf++); + + return len * sizeof(unsigned long); + } +-- +2.35.3 + diff --git a/patches.suse/powerpc-powernv-wire-up-rng-during-setup_arch.patch b/patches.suse/powerpc-powernv-wire-up-rng-during-setup_arch.patch new file mode 100644 index 0000000..84d9dab --- /dev/null +++ b/patches.suse/powerpc-powernv-wire-up-rng-during-setup_arch.patch @@ -0,0 +1,155 @@ +From f3eac426657d985b97c92fa5f7ae1d43f04721f3 Mon Sep 17 00:00:00 2001 +From: "Jason A. Donenfeld" +Date: Tue, 21 Jun 2022 16:08:49 +0200 +Subject: [PATCH] powerpc/powernv: wire up rng during setup_arch + +References: bsc#1065729 +Patch-mainline: v5.19-rc4 +Git-commit: f3eac426657d985b97c92fa5f7ae1d43f04721f3 + +The platform's RNG must be available before random_init() in order to be +useful for initial seeding, which in turn means that it needs to be +called from setup_arch(), rather than from an init call. + +Complicating things, however, is that POWER8 systems need some per-cpu +state and kmalloc, which isn't available at this stage. So we split +things up into an early phase and a later opportunistic phase. This +commit also removes some noisy log messages that don't add much. + +Fixes: a4da0d50b2a0 ("powerpc: Implement arch_get_random_long/int() for powernv") +Cc: stable@vger.kernel.org # v3.13+ +Signed-off-by: Jason A. Donenfeld +Reviewed-by: Christophe Leroy +[mpe: Add of_node_put(), use pnv naming, minor change log editing] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220621140849.127227-1-Jason@zx2c4.com +Acked-by: Michal Suchanek +--- + arch/powerpc/platforms/powernv/powernv.h | 2 + + arch/powerpc/platforms/powernv/rng.c | 52 ++++++++++++++++-------- + arch/powerpc/platforms/powernv/setup.c | 2 + + 3 files changed, 40 insertions(+), 16 deletions(-) + +diff --git a/arch/powerpc/platforms/powernv/powernv.h b/arch/powerpc/platforms/powernv/powernv.h +--- a/arch/powerpc/platforms/powernv/powernv.h ++++ b/arch/powerpc/platforms/powernv/powernv.h +@@ -42,4 +42,6 @@ ssize_t memcons_copy(struct memcons *mc, char *to, loff_t pos, size_t count); + + bool cpu_core_split_required(void); + ++void pnv_rng_init(void); ++ + #endif /* _POWERNV_H */ +diff --git a/arch/powerpc/platforms/powernv/rng.c b/arch/powerpc/platforms/powernv/rng.c +index e3d44b36ae98..463c78c52cc5 100644 +--- a/arch/powerpc/platforms/powernv/rng.c ++++ b/arch/powerpc/platforms/powernv/rng.c +@@ -17,6 +17,7 @@ + #include + #include + #include ++#include "powernv.h" + + #define DARN_ERR 0xFFFFFFFFFFFFFFFFul + +@@ -28,7 +29,6 @@ struct powernv_rng { + + static DEFINE_PER_CPU(struct powernv_rng *, powernv_rng); + +- + int powernv_hwrng_present(void) + { + struct powernv_rng *rng; +@@ -98,9 +98,6 @@ static int __init initialise_darn(void) + return 0; + } + } +- +- pr_warn("Unable to use DARN for get_random_seed()\n"); +- + return -EIO; + } + +@@ -163,32 +160,55 @@ static __init int rng_create(struct device_node *dn) + + rng_init_per_cpu(rng, dn); + +- pr_info_once("Registering arch random hook.\n"); +- + ppc_md.get_random_seed = powernv_get_random_long; + + return 0; + } + +-static __init int rng_init(void) ++static int __init pnv_get_random_long_early(unsigned long *v) + { + struct device_node *dn; +- int rc; ++ ++ if (!slab_is_available()) ++ return 0; ++ ++ if (cmpxchg(&ppc_md.get_random_seed, pnv_get_random_long_early, ++ NULL) != pnv_get_random_long_early) ++ return 0; + + for_each_compatible_node(dn, NULL, "ibm,power-rng") { +- rc = rng_create(dn); +- if (rc) { +- pr_err("Failed creating rng for %pOF (%d).\n", +- dn, rc); ++ if (rng_create(dn)) + continue; +- } +- + /* Create devices for hwrng driver */ + of_platform_device_create(dn, NULL, NULL); + } + +- initialise_darn(); ++ if (!ppc_md.get_random_seed) ++ return 0; ++ return ppc_md.get_random_seed(v); ++} ++ ++void __init pnv_rng_init(void) ++{ ++ struct device_node *dn; + ++ /* Prefer darn over the rest. */ ++ if (!initialise_darn()) ++ return; ++ ++ dn = of_find_compatible_node(NULL, NULL, "ibm,power-rng"); ++ if (dn) ++ ppc_md.get_random_seed = pnv_get_random_long_early; ++ ++ of_node_put(dn); ++} ++ ++static int __init pnv_rng_late_init(void) ++{ ++ unsigned long v; ++ /* In case it wasn't called during init for some other reason. */ ++ if (ppc_md.get_random_seed == pnv_get_random_long_early) ++ pnv_get_random_long_early(&v); + return 0; + } +-machine_subsys_initcall(powernv, rng_init); ++machine_subsys_initcall(powernv, pnv_rng_late_init); +diff --git a/arch/powerpc/platforms/powernv/setup.c b/arch/powerpc/platforms/powernv/setup.c +--- a/arch/powerpc/platforms/powernv/setup.c ++++ b/arch/powerpc/platforms/powernv/setup.c +@@ -203,6 +203,8 @@ static void __init pnv_setup_arch(void) + powersave_nap = 1; + + /* XXX PMCS */ ++ ++ pnv_rng_init(); + } + + static void __init pnv_init(void) +-- +2.35.3 + diff --git a/patches.suse/powerpc-pseries-wire-up-rng-during-setup_arch.patch b/patches.suse/powerpc-pseries-wire-up-rng-during-setup_arch.patch new file mode 100644 index 0000000..aadaef4 --- /dev/null +++ b/patches.suse/powerpc-pseries-wire-up-rng-during-setup_arch.patch @@ -0,0 +1,88 @@ +From e561e472a3d441753bd012333b057f48fef1045b Mon Sep 17 00:00:00 2001 +From: "Jason A. Donenfeld" +Date: Sat, 11 Jun 2022 17:10:15 +0200 +Subject: [PATCH] powerpc/pseries: wire up rng during setup_arch() + +References: bsc#1065729 +Patch-mainline: v5.19-rc4 +Git-commit: e561e472a3d441753bd012333b057f48fef1045b + +The platform's RNG must be available before random_init() in order to be +useful for initial seeding, which in turn means that it needs to be +called from setup_arch(), rather than from an init call. Fortunately, +each platform already has a setup_arch function pointer, which means +it's easy to wire this up. This commit also removes some noisy log +messages that don't add much. + +Fixes: a489043f4626 ("powerpc/pseries: Implement arch_get_random_long() based on H_RANDOM") +Cc: stable@vger.kernel.org # v3.13+ +Signed-off-by: Jason A. Donenfeld +Reviewed-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220611151015.548325-4-Jason@zx2c4.com +Acked-by: Michal Suchanek +--- + arch/powerpc/platforms/pseries/pseries.h | 2 ++ + arch/powerpc/platforms/pseries/rng.c | 11 +++-------- + arch/powerpc/platforms/pseries/setup.c | 1 + + 3 files changed, 6 insertions(+), 8 deletions(-) + +diff --git a/arch/powerpc/platforms/pseries/pseries.h b/arch/powerpc/platforms/pseries/pseries.h +--- a/arch/powerpc/platforms/pseries/pseries.h ++++ b/arch/powerpc/platforms/pseries/pseries.h +@@ -122,4 +122,6 @@ void pseries_lpar_read_hblkrm_characteristics(void); + void pseries_setup_rfi_flush(void); + void pseries_lpar_read_hblkrm_characteristics(void); + ++void pseries_rng_init(void); ++ + #endif /* _PSERIES_PSERIES_H */ +diff --git a/arch/powerpc/platforms/pseries/rng.c b/arch/powerpc/platforms/pseries/rng.c +index 6268545947b8..6ddfdeaace9e 100644 +--- a/arch/powerpc/platforms/pseries/rng.c ++++ b/arch/powerpc/platforms/pseries/rng.c +@@ -10,6 +10,7 @@ + #include + #include + #include ++#include "pseries.h" + + + static int pseries_get_random_long(unsigned long *v) +@@ -24,19 +25,13 @@ static int pseries_get_random_long(unsigned long *v) + return 0; + } + +-static __init int rng_init(void) ++void __init pseries_rng_init(void) + { + struct device_node *dn; + + dn = of_find_compatible_node(NULL, NULL, "ibm,random"); + if (!dn) +- return -ENODEV; +- +- pr_info("Registering arch random hook.\n"); +- ++ return; + ppc_md.get_random_seed = pseries_get_random_long; +- + of_node_put(dn); +- return 0; + } +-machine_subsys_initcall(pseries, rng_init); +diff --git a/arch/powerpc/platforms/pseries/setup.c b/arch/powerpc/platforms/pseries/setup.c +index afb074269b42..ee4f1db49515 100644 +--- a/arch/powerpc/platforms/pseries/setup.c ++++ b/arch/powerpc/platforms/pseries/setup.c +@@ -839,6 +839,7 @@ static void __init pSeries_setup_arch(void) + } + + ppc_md.pcibios_root_bridge_prepare = pseries_root_bridge_prepare; ++ pseries_rng_init(); + } + + static void pseries_panic(char *str) +-- +2.35.3 + diff --git a/patches.suse/pty-do-tty_flip_buffer_push-without-port-lock-in-pty.patch b/patches.suse/pty-do-tty_flip_buffer_push-without-port-lock-in-pty.patch index cac74e9..693426a 100644 --- a/patches.suse/pty-do-tty_flip_buffer_push-without-port-lock-in-pty.patch +++ b/patches.suse/pty-do-tty_flip_buffer_push-without-port-lock-in-pty.patch @@ -4,7 +4,7 @@ Date: Wed, 2 Sep 2020 14:00:45 +0200 Subject: [PATCH] pty: do tty_flip_buffer_push without port->lock in pty_write Git-commit: 71a174b39f10b4b93223d374722aa894b5d8a82e Patch-mainline: v5.10-rc1 -References: git-fixes +References: bsc#1198829 CVE-2022-1462 b6da31b2c07c "tty: Fix data race in tty_insert_flip_string_fixed_flag" puts tty_flip_buffer_push under port->lock introducing the following diff --git a/patches.suse/qlcnic-Fix-an-error-handling-path-in-qlcnic_probe.patch b/patches.suse/qlcnic-Fix-an-error-handling-path-in-qlcnic_probe.patch new file mode 100644 index 0000000..d29df41 --- /dev/null +++ b/patches.suse/qlcnic-Fix-an-error-handling-path-in-qlcnic_probe.patch @@ -0,0 +1,35 @@ +From eb9242d5672fc439811b37518901ab34e5e4b724 Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Sat, 12 Jun 2021 14:37:46 +0200 +Subject: [PATCH 08/16] qlcnic: Fix an error handling path in 'qlcnic_probe()' +Git-commit: cb3376604a676e0302258b01893911bdd7aa5278 +Patch-mainline: v5.13-rc7 +References: git-fixes + +If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it +must be undone by a corresponding 'pci_disable_pcie_error_reporting()' +call, as already done in the remove function. + +Fixes: 451724c821c1 ("qlcnic: aer support") +Signed-off-by: Christophe JAILLET +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c +index 7af62f40be03..e119ad7d37e3 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c +@@ -2705,6 +2705,7 @@ qlcnic_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + kfree(ahw); + + err_out_free_res: ++ pci_disable_pcie_error_reporting(pdev); + pci_release_regions(pdev); + + err_out_disable_pdev: +-- +2.16.4 + diff --git a/patches.suse/random-always-fill-buffer-in-get_random_bytes_wait.patch b/patches.suse/random-always-fill-buffer-in-get_random_bytes_wait.patch new file mode 100644 index 0000000..55e4452 --- /dev/null +++ b/patches.suse/random-always-fill-buffer-in-get_random_bytes_wait.patch @@ -0,0 +1,39 @@ +From: "Jason A. Donenfeld" +Date: Sun, 4 Feb 2018 23:07:46 +0100 +Subject: random: always fill buffer in get_random_bytes_wait +Git-commit: 25e3fca492035a2e1d4ac6e3b1edd9c1acd48897 +Patch-mainline: v4.17-rc1 +References: git-fixes + +In the unfortunate event that a developer fails to check the return +value of get_random_bytes_wait, or simply wants to make a "best effort" +attempt, for whatever that's worth, it's much better to still fill the +buffer with _something_ rather than catastrophically failing in the case +of an interruption. This is both a defense in depth measure against +inevitable programming bugs, as well as a means of making the API a bit +more useful. + +Signed-off-by: Jason A. Donenfeld +Signed-off-by: Theodore Ts'o +Acked-by: Lee Duncan +--- + include/linux/random.h | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/include/linux/random.h b/include/linux/random.h +index 4024f7d9c77d..2ddf13b4281e 100644 +--- a/include/linux/random.h ++++ b/include/linux/random.h +@@ -85,10 +85,8 @@ static inline unsigned long get_random_canary(void) + static inline int get_random_bytes_wait(void *buf, int nbytes) + { + int ret = wait_for_random_bytes(); +- if (unlikely(ret)) +- return ret; + get_random_bytes(buf, nbytes); +- return 0; ++ return ret; + } + + #define declare_get_random_var_wait(var) \ + diff --git a/patches.suse/random-fix-crash-on-multiple-early-calls-to-add_bootloader_randomness.patch b/patches.suse/random-fix-crash-on-multiple-early-calls-to-add_bootloader_randomness.patch new file mode 100644 index 0000000..c05ad20 --- /dev/null +++ b/patches.suse/random-fix-crash-on-multiple-early-calls-to-add_bootloader_randomness.patch @@ -0,0 +1,135 @@ +From: Dominik Brodowski +Date: Wed, 29 Dec 2021 22:10:03 +0100 +Subject: random: fix crash on multiple early calls to + add_bootloader_randomness() +Git-commit: f7e67b8e803185d0aabe7f29d25a35c8be724a78 +Patch-mainline: v5.17-rc1 +References: git-fixes + +Currently, if CONFIG_RANDOM_TRUST_BOOTLOADER is enabled, multiple calls +to add_bootloader_randomness() are broken and can cause a NULL pointer +dereference, as noted by Ivan T. Ivanov. This is not only a hypothetical +problem, as qemu on arm64 may provide bootloader entropy via EFI and via +devicetree. + +On the first call to add_hwgenerator_randomness(), crng_fast_load() is +executed, and if the seed is long enough, crng_init will be set to 1. +On subsequent calls to add_bootloader_randomness() and then to +add_hwgenerator_randomness(), crng_fast_load() will be skipped. Instead, +wait_event_interruptible() and then credit_entropy_bits() will be called. +If the entropy count for that second seed is large enough, that proceeds +to crng_reseed(). + +However, both wait_event_interruptible() and crng_reseed() depends +(at least in numa_crng_init()) on workqueues. Therefore, test whether +system_wq is already initialized, which is a sufficient indicator that +workqueue_init_early() has progressed far enough. + +If we wind up hitting the !system_wq case, we later want to do what +would have been done there when wqs are up, so set a flag, and do that +work later from the rand_initialize() call. + +Reported-by: Ivan T. Ivanov +Fixes: 18b915ac6b0a ("efi/random: Treat EFI_RNG_PROTOCOL output as bootloader randomness") +Cc: stable@vger.kernel.org +Signed-off-by: Dominik Brodowski +[Jason: added crng_need_done state and related logic.] +Signed-off-by: Jason A. Donenfeld +Acked-by: Ivan T. Ivanov +--- + drivers/char/random.c | 56 +++++++++++++++++++++++++++++++------------------- + 1 file changed, 35 insertions(+), 21 deletions(-) + +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -430,6 +430,7 @@ struct crng_state primary_crng = { + * its value (from 0->1->2). + */ + static int crng_init = 0; ++static bool crng_need_final_init = false; + #define crng_ready() (likely(crng_init > 1)) + static int crng_init_cnt = 0; + static unsigned long crng_global_init_time = 0; +@@ -850,6 +851,35 @@ static struct crng_state *select_crng(vo + } + #endif + ++static void crng_finalize_init(struct crng_state *crng) ++{ ++ if (crng != &primary_crng || crng_init >= 2) ++ return; ++ if (!system_wq) { ++ /* We can't call numa_crng_init until we have workqueues, ++ * so mark this for processing later. */ ++ crng_need_final_init = true; ++ return; ++ } ++ ++ invalidate_batched_entropy(); ++ numa_crng_init(); ++ crng_init = 2; ++ process_random_ready_list(); ++ wake_up_interruptible(&crng_init_wait); ++ pr_notice("crng init done\n"); ++ if (unseeded_warning.missed) { ++ pr_notice("%d get_random_xx warning(s) missed due to ratelimiting\n", ++ unseeded_warning.missed); ++ unseeded_warning.missed = 0; ++ } ++ if (urandom_warning.missed) { ++ pr_notice("%d urandom warning(s) missed due to ratelimiting\n", ++ urandom_warning.missed); ++ urandom_warning.missed = 0; ++ } ++} ++ + /* + * crng_fast_load() can be called by code in the interrupt service + * path. So we can't afford to dilly-dally. +@@ -954,26 +984,7 @@ static void crng_reseed(struct crng_stat + memzero_explicit(&buf, sizeof(buf)); + crng->init_time = jiffies; + spin_unlock_irqrestore(&crng->lock, flags); +- if (crng == &primary_crng && crng_init < 2) { +- invalidate_batched_entropy(); +- numa_crng_init(); +- crng_init = 2; +- process_random_ready_list(); +- wake_up_interruptible(&crng_init_wait); +- pr_notice("random: crng init done\n"); +- if (unseeded_warning.missed) { +- pr_notice("random: %d get_random_xx warning(s) missed " +- "due to ratelimiting\n", +- unseeded_warning.missed); +- unseeded_warning.missed = 0; +- } +- if (urandom_warning.missed) { +- pr_notice("random: %d urandom warning(s) missed " +- "due to ratelimiting\n", +- urandom_warning.missed); +- urandom_warning.missed = 0; +- } +- } ++ crng_finalize_init(crng); + } + + static void _extract_crng(struct crng_state *crng, +@@ -1767,6 +1778,8 @@ static int rand_initialize(void) + { + init_std_data(&input_pool); + init_std_data(&blocking_pool); ++ if (crng_need_final_init) ++ crng_finalize_init(&primary_crng); + crng_initialize(&primary_crng); + crng_global_init_time = jiffies; + if (ratelimit_disable) { +@@ -2289,7 +2302,8 @@ void add_hwgenerator_randomness(const ch + * We'll be woken up again once below random_write_wakeup_thresh, + * or when the calling thread is about to terminate. + */ +- wait_event_interruptible(random_write_wait, kthread_should_stop() || ++ wait_event_interruptible(random_write_wait, ++ !system_wq || kthread_should_stop() || + ENTROPY_BITS(&input_pool) <= random_write_wakeup_bits); + mix_pool_bytes(poolp, buffer, count); + credit_entropy_bits(poolp, entropy); diff --git a/patches.suse/revert-scsi-qla2xxx-Changes-to-support-FCP2-Target.patch b/patches.suse/revert-scsi-qla2xxx-Changes-to-support-FCP2-Target.patch index 5690d92..363d20a 100644 --- a/patches.suse/revert-scsi-qla2xxx-Changes-to-support-FCP2-Target.patch +++ b/patches.suse/revert-scsi-qla2xxx-Changes-to-support-FCP2-Target.patch @@ -7,15 +7,19 @@ References: bsc#1198438 Revert Adding changes to support FCP2 Target. --- -diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c -index 88c5a8ec0e7c..4b27eebbc1b3 100644 +--- + drivers/scsi/qla2xxx/qla_init.c | 8 -------- + drivers/scsi/qla2xxx/qla_os.c | 10 ---------- + 2 files changed, 18 deletions(-) + --- a/drivers/scsi/qla2xxx/qla_init.c +++ b/drivers/scsi/qla2xxx/qla_init.c -@@ -1821,13 +1821,6 @@ void qla2x00_handle_rscn(scsi_qla_host_t *vha, struct event_arg *ea) +@@ -1835,14 +1835,6 @@ void qla2x00_handle_rscn(scsi_qla_host_t case RSCN_PORT_ADDR: fcport = qla2x00_find_fcport_by_nportid(vha, &ea->id, 1); if (fcport) { -- if (fcport->flags & FCF_FCP2_DEVICE) { +- if (fcport->flags & FCF_FCP2_DEVICE && +- atomic_read(&fcport->state) == FCS_ONLINE) { - ql_dbg(ql_dbg_disc, vha, 0x2115, - "Delaying session delete for FCP2 portid=%06x %8phC ", - fcport->d_id.b24, fcport->port_name); @@ -25,11 +29,9 @@ index 88c5a8ec0e7c..4b27eebbc1b3 100644 if (vha->hw->flags.edif_enabled && DBELL_ACTIVE(vha)) { /* * On ipsec start by remote port, Target port -diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c -index 850fc95f7033..9285db77b95d 100644 --- a/drivers/scsi/qla2xxx/qla_os.c +++ b/drivers/scsi/qla2xxx/qla_os.c -@@ -4062,16 +4062,6 @@ qla2x00_mark_all_devices_lost(scsi_qla_host_t *vha) +@@ -4085,16 +4085,6 @@ qla2x00_mark_all_devices_lost(scsi_qla_h "Mark all dev lost\n"); list_for_each_entry(fcport, &vha->vp_fcports, list) { diff --git a/patches.suse/sched-topology-Improve-load-balancing-on-AMD-EPYC.patch b/patches.suse/sched-topology-Improve-load-balancing-on-AMD-EPYC.patch index 14284cb..e749da5 100644 --- a/patches.suse/sched-topology-Improve-load-balancing-on-AMD-EPYC.patch +++ b/patches.suse/sched-topology-Improve-load-balancing-on-AMD-EPYC.patch @@ -48,15 +48,13 @@ Override node_reclaim_distance for AMD Zen. Signed-off-by: Matt Fleming --- - arch/x86/kernel/cpu/amd.c | 5 +++++ - include/linux/topology.h | 3 +++ - kernel/sched/topology.c | 3 ++- - mm/khugepaged.c | 2 +- - mm/page_alloc.c | 2 +- + arch/x86/kernel/cpu/amd.c | 5 +++++ + include/linux/topology.h | 3 +++ + kernel/sched/topology.c | 3 ++- + mm/khugepaged.c | 2 +- + mm/page_alloc.c | 2 +- 5 files changed, 12 insertions(+), 3 deletions(-) -diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c -index 57bb2100e05b..bb2f3e98efbf 100644 --- a/arch/x86/kernel/cpu/amd.c +++ b/arch/x86/kernel/cpu/amd.c @@ -7,6 +7,7 @@ @@ -67,19 +65,17 @@ index 57bb2100e05b..bb2f3e98efbf 100644 #include #include #include -@@ -812,6 +813,10 @@ static void init_amd_zn(struct cpuinfo_x86 *c) - { - set_cpu_cap(c, X86_FEATURE_ZEN); +@@ -905,6 +906,10 @@ static void init_amd_zn(struct cpuinfo_x + if (!cpu_has(c, X86_FEATURE_CPB)) + set_cpu_cap(c, X86_FEATURE_CPB); +#ifdef CONFIG_NUMA + node_reclaim_distance = 32; +#endif + - /* - * Fix erratum 1076: CPB feature bit not being set in CPUID. - * Always set it, except when running under a hypervisor. -diff --git a/include/linux/topology.h b/include/linux/topology.h -index cb0775e1ee4b..74b484354ac9 100644 + /* + * Zen3 (Fam19 model < 0x10) parts are not susceptible to + * Branch Type Confusion, but predate the allocation of the --- a/include/linux/topology.h +++ b/include/linux/topology.h @@ -59,6 +59,9 @@ int arch_update_cpu_topology(void); @@ -92,8 +88,6 @@ index cb0775e1ee4b..74b484354ac9 100644 #ifndef PENALTY_FOR_NODE_WITH_CPUS #define PENALTY_FOR_NODE_WITH_CPUS (1) #endif -diff --git a/kernel/sched/topology.c b/kernel/sched/topology.c -index 8b646058fb57..57b4afe6387a 100644 --- a/kernel/sched/topology.c +++ b/kernel/sched/topology.c @@ -1070,6 +1070,7 @@ static int *sched_domains_numa_distance; @@ -104,7 +98,7 @@ index 8b646058fb57..57b4afe6387a 100644 #endif /* -@@ -1191,7 +1192,7 @@ sd_init(struct sched_domain_topology_level *tl, +@@ -1191,7 +1192,7 @@ sd_init(struct sched_domain_topology_lev sd->idle_idx = 2; sd->flags |= SD_SERIALIZE; @@ -113,11 +107,9 @@ index 8b646058fb57..57b4afe6387a 100644 sd->flags &= ~(SD_BALANCE_EXEC | SD_BALANCE_FORK | SD_WAKE_AFFINE); -diff --git a/mm/khugepaged.c b/mm/khugepaged.c -index 2c2813d90cb2..859f6fd0cb84 100644 --- a/mm/khugepaged.c +++ b/mm/khugepaged.c -@@ -690,7 +690,7 @@ static bool khugepaged_scan_abort(int nid) +@@ -690,7 +690,7 @@ static bool khugepaged_scan_abort(int ni for (i = 0; i < MAX_NUMNODES; i++) { if (!khugepaged_node_load[i]) continue; @@ -126,11 +118,9 @@ index 2c2813d90cb2..859f6fd0cb84 100644 return true; } return false; -diff --git a/mm/page_alloc.c b/mm/page_alloc.c -index b8ba38dc77f4..0c8b489c0f0c 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c -@@ -3191,7 +3191,7 @@ bool zone_watermark_ok_safe(struct zone *z, unsigned int order, +@@ -3238,7 +3238,7 @@ bool zone_watermark_ok_safe(struct zone static bool zone_allows_reclaim(struct zone *local_zone, struct zone *zone) { return node_distance(zone_to_nid(local_zone), zone_to_nid(zone)) <= @@ -139,6 +129,3 @@ index b8ba38dc77f4..0c8b489c0f0c 100644 } #else /* CONFIG_NUMA */ static bool zone_allows_reclaim(struct zone *local_zone, struct zone *zone) --- -2.13.7 - diff --git a/patches.suse/scsi-lpfc-Address-NULL-pointer-dereference-after-sta.patch b/patches.suse/scsi-lpfc-Address-NULL-pointer-dereference-after-sta.patch new file mode 100644 index 0000000..587f3d5 --- /dev/null +++ b/patches.suse/scsi-lpfc-Address-NULL-pointer-dereference-after-sta.patch @@ -0,0 +1,44 @@ +From: James Smart +Date: Fri, 3 Jun 2022 10:43:24 -0700 +Subject: scsi: lpfc: Address NULL pointer dereference after starget_to_rport() +Patch-mainline: v5.19-rc2 +Git-commit: 6f808bd78e8296b4ded813b7182988d57e1f6176 +References: git-fixes + +Calls to starget_to_rport() may return NULL. Add check for NULL rport +before dereference. + +Link: https://lore.kernel.org/r/20220603174329.63777-5-jsmart2021@gmail.com +Fixes: bb21fc9911ee ("scsi: lpfc: Use fc_block_rport()") +Cc: # v5.18 +Co-developed-by: Justin Tee +Signed-off-by: Justin Tee +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/lpfc/lpfc_scsi.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/scsi/lpfc/lpfc_scsi.c ++++ b/drivers/scsi/lpfc/lpfc_scsi.c +@@ -6065,6 +6065,9 @@ lpfc_device_reset_handler(struct scsi_cm + int status; + u32 logit = LOG_FCP; + ++ if (!rport) ++ return FAILED; ++ + rdata = rport->dd_data; + if (!rdata || !rdata->pnode) { + lpfc_printf_vlog(vport, KERN_ERR, LOG_TRACE_EVENT, +@@ -6143,6 +6146,9 @@ lpfc_target_reset_handler(struct scsi_cm + unsigned long flags; + DECLARE_WAIT_QUEUE_HEAD_ONSTACK(waitq); + ++ if (!rport) ++ return FAILED; ++ + rdata = rport->dd_data; + if (!rdata || !rdata->pnode) { + lpfc_printf_vlog(vport, KERN_ERR, LOG_TRACE_EVENT, diff --git a/patches.suse/scsi-qla2xxx-Add-a-new-v2-dport-diagnostic-feature.patch b/patches.suse/scsi-qla2xxx-Add-a-new-v2-dport-diagnostic-feature.patch new file mode 100644 index 0000000..7dc4bd3 --- /dev/null +++ b/patches.suse/scsi-qla2xxx-Add-a-new-v2-dport-diagnostic-feature.patch @@ -0,0 +1,286 @@ +From: Bikash Hazarika +Date: Wed, 15 Jun 2022 22:34:59 -0700 +Subject: scsi: qla2xxx: Add a new v2 dport diagnostic feature +Patch-mainline: v5.20-rc1 +Git-commit: 476da8faa336f104cb5183ff51615335d1ff5d1f +References: bsc#1201958 + +FW requires minimum 72 bytes buffer size for D_port result. Buffer size +1024 is mentioned in the FW spec so buffer size is increased to 1024. +Rewrite the logic to handle START/RESTART command from SDMAPI. + +Link: https://lore.kernel.org/r/20220616053508.27186-3-njavali@marvell.com +Signed-off-by: Bikash Hazarika +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_bsg.c | 86 ++++++++++++++++++++++++++++++++++++++++ + drivers/scsi/qla2xxx/qla_bsg.h | 15 ++++++ + drivers/scsi/qla2xxx/qla_def.h | 10 ++++ + drivers/scsi/qla2xxx/qla_gbl.h | 4 + + drivers/scsi/qla2xxx/qla_init.c | 3 + + drivers/scsi/qla2xxx/qla_isr.c | 3 + + drivers/scsi/qla2xxx/qla_mbx.c | 48 ++++++++++++++++++++++ + 7 files changed, 169 insertions(+) + +--- a/drivers/scsi/qla2xxx/qla_bsg.c ++++ b/drivers/scsi/qla2xxx/qla_bsg.c +@@ -2426,6 +2426,89 @@ qla2x00_do_dport_diagnostics(struct bsg_ + } + + static int ++qla2x00_do_dport_diagnostics_v2(struct bsg_job *bsg_job) ++{ ++ struct fc_bsg_reply *bsg_reply = bsg_job->reply; ++ struct Scsi_Host *host = fc_bsg_to_shost(bsg_job); ++ scsi_qla_host_t *vha = shost_priv(host); ++ int rval; ++ struct qla_dport_diag_v2 *dd; ++ mbx_cmd_t mc; ++ mbx_cmd_t *mcp = &mc; ++ uint16_t options; ++ ++ if (!IS_DPORT_CAPABLE(vha->hw)) ++ return -EPERM; ++ ++ dd = kzalloc(sizeof(*dd), GFP_KERNEL); ++ if (!dd) ++ return -ENOMEM; ++ ++ sg_copy_to_buffer(bsg_job->request_payload.sg_list, ++ bsg_job->request_payload.sg_cnt, dd, sizeof(*dd)); ++ ++ options = dd->options; ++ ++ /* Check dport Test in progress */ ++ if (options == QLA_GET_DPORT_RESULT_V2 && ++ vha->dport_status & DPORT_DIAG_IN_PROGRESS) { ++ bsg_reply->reply_data.vendor_reply.vendor_rsp[0] = ++ EXT_STATUS_DPORT_DIAG_IN_PROCESS; ++ goto dportcomplete; ++ } ++ ++ /* Check chip reset in progress and start/restart requests arrive */ ++ if (vha->dport_status & DPORT_DIAG_CHIP_RESET_IN_PROGRESS && ++ (options == QLA_START_DPORT_TEST_V2 || ++ options == QLA_RESTART_DPORT_TEST_V2)) { ++ vha->dport_status &= ~DPORT_DIAG_CHIP_RESET_IN_PROGRESS; ++ } ++ ++ /* Check chip reset in progress and get result request arrive */ ++ if (vha->dport_status & DPORT_DIAG_CHIP_RESET_IN_PROGRESS && ++ options == QLA_GET_DPORT_RESULT_V2) { ++ bsg_reply->reply_data.vendor_reply.vendor_rsp[0] = ++ EXT_STATUS_DPORT_DIAG_NOT_RUNNING; ++ goto dportcomplete; ++ } ++ ++ rval = qla26xx_dport_diagnostics_v2(vha, dd, mcp); ++ ++ if (rval == QLA_SUCCESS) { ++ bsg_reply->reply_data.vendor_reply.vendor_rsp[0] = ++ EXT_STATUS_OK; ++ if (options == QLA_START_DPORT_TEST_V2 || ++ options == QLA_RESTART_DPORT_TEST_V2) { ++ dd->mbx1 = mcp->mb[0]; ++ dd->mbx2 = mcp->mb[1]; ++ vha->dport_status |= DPORT_DIAG_IN_PROGRESS; ++ } else if (options == QLA_GET_DPORT_RESULT_V2) { ++ dd->mbx1 = vha->dport_data[1]; ++ dd->mbx2 = vha->dport_data[2]; ++ } ++ } else { ++ dd->mbx1 = mcp->mb[0]; ++ dd->mbx2 = mcp->mb[1]; ++ bsg_reply->reply_data.vendor_reply.vendor_rsp[0] = ++ EXT_STATUS_DPORT_DIAG_ERR; ++ } ++ ++dportcomplete: ++ sg_copy_from_buffer(bsg_job->reply_payload.sg_list, ++ bsg_job->reply_payload.sg_cnt, dd, sizeof(*dd)); ++ ++ bsg_reply->reply_payload_rcv_len = sizeof(*dd); ++ bsg_job->reply_len = sizeof(*bsg_reply); ++ bsg_reply->result = DID_OK << 16; ++ bsg_job_done(bsg_job, bsg_reply->result, ++ bsg_reply->reply_payload_rcv_len); ++ ++ kfree(dd); ++ ++ return 0; ++} ++ ++static int + qla2x00_get_flash_image_status(struct bsg_job *bsg_job) + { + scsi_qla_host_t *vha = shost_priv(fc_bsg_to_shost(bsg_job)); +@@ -2861,6 +2944,9 @@ qla2x00_process_vendor_specific(struct s + case QL_VND_DPORT_DIAGNOSTICS: + return qla2x00_do_dport_diagnostics(bsg_job); + ++ case QL_VND_DPORT_DIAGNOSTICS_V2: ++ return qla2x00_do_dport_diagnostics_v2(bsg_job); ++ + case QL_VND_EDIF_MGMT: + return qla_edif_app_mgmt(bsg_job); + +--- a/drivers/scsi/qla2xxx/qla_bsg.h ++++ b/drivers/scsi/qla2xxx/qla_bsg.h +@@ -38,6 +38,7 @@ + #define QL_VND_GET_TGT_STATS 0x25 + #define QL_VND_MANAGE_HOST_PORT 0x26 + #define QL_VND_MBX_PASSTHRU 0x2B ++#define QL_VND_DPORT_DIAGNOSTICS_V2 0x2C + + /* BSG Vendor specific subcode returns */ + #define EXT_STATUS_OK 0 +@@ -61,6 +62,9 @@ + #define EXT_STATUS_TIMEOUT 30 + #define EXT_STATUS_THREAD_FAILED 31 + #define EXT_STATUS_DATA_CMP_FAILED 32 ++#define EXT_STATUS_DPORT_DIAG_ERR 40 ++#define EXT_STATUS_DPORT_DIAG_IN_PROCESS 41 ++#define EXT_STATUS_DPORT_DIAG_NOT_RUNNING 42 + + /* BSG definations for interpreting CommandSent field */ + #define INT_DEF_LB_LOOPBACK_CMD 0 +@@ -289,6 +293,17 @@ struct qla_dport_diag { + uint8_t unused[62]; + } __packed; + ++#define QLA_GET_DPORT_RESULT_V2 0 /* Get Result */ ++#define QLA_RESTART_DPORT_TEST_V2 1 /* Restart test */ ++#define QLA_START_DPORT_TEST_V2 2 /* Start test */ ++struct qla_dport_diag_v2 { ++ uint16_t options; ++ uint16_t mbx1; ++ uint16_t mbx2; ++ uint8_t unused[58]; ++ uint8_t buf[1024]; /* Test Result */ ++} __packed; ++ + /* D_Port options */ + #define QLA_DPORT_RESULT 0x0 + #define QLA_DPORT_START 0x2 +--- a/drivers/scsi/qla2xxx/qla_def.h ++++ b/drivers/scsi/qla2xxx/qla_def.h +@@ -1174,6 +1174,12 @@ static inline bool qla2xxx_is_valid_mbs( + + /* ISP mailbox loopback echo diagnostic error code */ + #define MBS_LB_RESET 0x17 ++ ++/* AEN mailbox Port Diagnostics test */ ++#define AEN_START_DIAG_TEST 0x0 /* start the diagnostics */ ++#define AEN_DONE_DIAG_TEST_WITH_NOERR 0x1 /* Done with no errors */ ++#define AEN_DONE_DIAG_TEST_WITH_ERR 0x2 /* Done with error.*/ ++ + /* + * Firmware options 1, 2, 3. + */ +@@ -5020,6 +5026,10 @@ typedef struct scsi_qla_host { + u64 short_link_down_cnt; + struct edif_dbell e_dbell; + struct pur_core pur_cinfo; ++ ++#define DPORT_DIAG_IN_PROGRESS BIT_0 ++#define DPORT_DIAG_CHIP_RESET_IN_PROGRESS BIT_1 ++ uint16_t dport_status; + } scsi_qla_host_t; + + struct qla27xx_image_status { +--- a/drivers/scsi/qla2xxx/qla_gbl.h ++++ b/drivers/scsi/qla2xxx/qla_gbl.h +@@ -557,6 +557,10 @@ qla2x00_dump_mctp_data(scsi_qla_host_t * + extern int + qla26xx_dport_diagnostics(scsi_qla_host_t *, void *, uint, uint); + ++extern int ++qla26xx_dport_diagnostics_v2(scsi_qla_host_t *, ++ struct qla_dport_diag_v2 *, mbx_cmd_t *); ++ + int qla24xx_send_mb_cmd(struct scsi_qla_host *, mbx_cmd_t *); + int qla24xx_gpdb_wait(struct scsi_qla_host *, fc_port_t *, u8); + int qla24xx_gidlist_wait(struct scsi_qla_host *, void *, dma_addr_t, +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -7208,6 +7208,9 @@ qla2x00_abort_isp(scsi_qla_host_t *vha) + if (vha->flags.online) { + qla2x00_abort_isp_cleanup(vha); + ++ vha->dport_status |= DPORT_DIAG_CHIP_RESET_IN_PROGRESS; ++ vha->dport_status &= ~DPORT_DIAG_IN_PROGRESS; ++ + if (vha->hw->flags.port_isolated) + return status; + +--- a/drivers/scsi/qla2xxx/qla_isr.c ++++ b/drivers/scsi/qla2xxx/qla_isr.c +@@ -1762,6 +1762,9 @@ qla2x00_async_event(scsi_qla_host_t *vha + break; + + case MBA_DPORT_DIAGNOSTICS: ++ if ((mb[1] & 0xF) == AEN_DONE_DIAG_TEST_WITH_NOERR || ++ (mb[1] & 0xF) == AEN_DONE_DIAG_TEST_WITH_ERR) ++ vha->dport_status &= ~DPORT_DIAG_IN_PROGRESS; + ql_dbg(ql_dbg_async, vha, 0x5052, + "D-Port Diagnostics: %04x %04x %04x %04x\n", + mb[0], mb[1], mb[2], mb[3]); +--- a/drivers/scsi/qla2xxx/qla_mbx.c ++++ b/drivers/scsi/qla2xxx/qla_mbx.c +@@ -6472,6 +6472,54 @@ qla26xx_dport_diagnostics(scsi_qla_host_ + return rval; + } + ++int ++qla26xx_dport_diagnostics_v2(scsi_qla_host_t *vha, ++ struct qla_dport_diag_v2 *dd, mbx_cmd_t *mcp) ++{ ++ int rval; ++ dma_addr_t dd_dma; ++ uint size = sizeof(dd->buf); ++ uint16_t options = dd->options; ++ ++ ql_dbg(ql_dbg_mbx + ql_dbg_verbose, vha, 0x119f, ++ "Entered %s.\n", __func__); ++ ++ dd_dma = dma_map_single(&vha->hw->pdev->dev, ++ dd->buf, size, DMA_FROM_DEVICE); ++ if (dma_mapping_error(&vha->hw->pdev->dev, dd_dma)) { ++ ql_log(ql_log_warn, vha, 0x1194, ++ "Failed to map dma buffer.\n"); ++ return QLA_MEMORY_ALLOC_FAILED; ++ } ++ ++ memset(dd->buf, 0, size); ++ ++ mcp->mb[0] = MBC_DPORT_DIAGNOSTICS; ++ mcp->mb[1] = options; ++ mcp->mb[2] = MSW(LSD(dd_dma)); ++ mcp->mb[3] = LSW(LSD(dd_dma)); ++ mcp->mb[6] = MSW(MSD(dd_dma)); ++ mcp->mb[7] = LSW(MSD(dd_dma)); ++ mcp->mb[8] = size; ++ mcp->out_mb = MBX_8 | MBX_7 | MBX_6 | MBX_3 | MBX_2 | MBX_1 | MBX_0; ++ mcp->in_mb = MBX_3 | MBX_2 | MBX_1 | MBX_0; ++ mcp->buf_size = size; ++ mcp->flags = MBX_DMA_IN; ++ mcp->tov = MBX_TOV_SECONDS * 4; ++ rval = qla2x00_mailbox_command(vha, mcp); ++ ++ if (rval != QLA_SUCCESS) { ++ ql_dbg(ql_dbg_mbx, vha, 0x1195, "Failed=%x.\n", rval); ++ } else { ++ ql_dbg(ql_dbg_mbx + ql_dbg_verbose, vha, 0x1196, ++ "Done %s.\n", __func__); ++ } ++ ++ dma_unmap_single(&vha->hw->pdev->dev, dd_dma, size, DMA_FROM_DEVICE); ++ ++ return rval; ++} ++ + static void qla2x00_async_mb_sp_done(srb_t *sp, int res) + { + sp->u.iocb_cmd.u.mbx.rc = res; diff --git a/patches.suse/scsi-qla2xxx-Add-debug-prints-in-the-device-remove-p.patch b/patches.suse/scsi-qla2xxx-Add-debug-prints-in-the-device-remove-p.patch new file mode 100644 index 0000000..702c542 --- /dev/null +++ b/patches.suse/scsi-qla2xxx-Add-debug-prints-in-the-device-remove-p.patch @@ -0,0 +1,44 @@ +From: Arun Easi +Date: Wed, 15 Jun 2022 22:35:05 -0700 +Subject: scsi: qla2xxx: Add debug prints in the device remove path +Patch-mainline: v5.20-rc1 +Git-commit: f12d2d130efc49464ef0666789bfeb9073162743 +References: bsc#1201958 + +Add a debug print in the devloss callback. + +Link: https://lore.kernel.org/r/20220616053508.27186-9-njavali@marvell.com +Signed-off-by: Arun Easi +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_attr.c | 3 +++ + drivers/scsi/qla2xxx/qla_def.h | 6 ++++++ + 2 files changed, 9 insertions(+) + +--- a/drivers/scsi/qla2xxx/qla_attr.c ++++ b/drivers/scsi/qla2xxx/qla_attr.c +@@ -2710,6 +2710,9 @@ qla2x00_dev_loss_tmo_callbk(struct fc_rp + if (!fcport) + return; + ++ ql_dbg(ql_dbg_async, fcport->vha, 0x5101, ++ DBG_FCPORT_PRFMT(fcport, "dev_loss_tmo expiry, rport_state=%d", ++ rport->port_state)); + + /* + * Now that the rport has been deleted, set the fcport state to +--- a/drivers/scsi/qla2xxx/qla_def.h ++++ b/drivers/scsi/qla2xxx/qla_def.h +@@ -5465,4 +5465,10 @@ struct ql_vnd_tgt_stats_resp { + #define IS_SESSION_DELETED(_fcport) (_fcport->disc_state == DSC_DELETE_PEND || \ + _fcport->disc_state == DSC_DELETED) + ++#define DBG_FCPORT_PRFMT(_fp, _fmt, _args...) \ ++ "%s: %8phC: " _fmt " (state=%d disc_state=%d scan_state=%d loopid=0x%x deleted=%d flags=0x%x)\n", \ ++ __func__, _fp->port_name, ##_args, atomic_read(&_fp->state), \ ++ _fp->disc_state, _fp->scan_state, _fp->loop_id, _fp->deleted, \ ++ _fp->flags ++ + #endif diff --git a/patches.suse/scsi-qla2xxx-Check-correct-variable-in-qla24xx_async.patch b/patches.suse/scsi-qla2xxx-Check-correct-variable-in-qla24xx_async.patch new file mode 100644 index 0000000..53ad084 --- /dev/null +++ b/patches.suse/scsi-qla2xxx-Check-correct-variable-in-qla24xx_async.patch @@ -0,0 +1,33 @@ +From: Dan Carpenter +Date: Wed, 22 Jun 2022 09:21:55 +0300 +Subject: scsi: qla2xxx: Check correct variable in qla24xx_async_gffid() +Patch-mainline: v5.20-rc1 +Git-commit: 7c33e477bd883f79cccec418980cb8f7f2d50347 +References: bsc#1201958 + +There is a copy and paste bug here. It should check ".rsp" instead of +".req". The error message is copy and pasted as well so update that too. + +Link: https://lore.kernel.org/r/YrK1A/t3L6HKnswO@kili +Fixes: 9c40c36e75ff ("scsi: qla2xxx: edif: Reduce Initiator-Initiator thrashing") +Signed-off-by: Dan Carpenter +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_gs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_gs.c ++++ b/drivers/scsi/qla2xxx/qla_gs.c +@@ -3390,9 +3390,9 @@ int qla24xx_async_gffid(scsi_qla_host_t + sp->u.iocb_cmd.u.ctarg.rsp_allocated_size, + &sp->u.iocb_cmd.u.ctarg.rsp_dma, + GFP_KERNEL); +- if (!sp->u.iocb_cmd.u.ctarg.req) { ++ if (!sp->u.iocb_cmd.u.ctarg.rsp) { + ql_log(ql_log_warn, vha, 0xd041, +- "%s: Failed to allocate ct_sns request.\n", ++ "%s: Failed to allocate ct_sns response.\n", + __func__); + goto done_free_sp; + } diff --git a/patches.suse/scsi-qla2xxx-Fix-crash-due-to-stale-SRB-access-aroun.patch b/patches.suse/scsi-qla2xxx-Fix-crash-due-to-stale-SRB-access-aroun.patch new file mode 100644 index 0000000..3e72fc1 --- /dev/null +++ b/patches.suse/scsi-qla2xxx-Fix-crash-due-to-stale-SRB-access-aroun.patch @@ -0,0 +1,118 @@ +From: Arun Easi +Date: Wed, 15 Jun 2022 22:35:02 -0700 +Subject: scsi: qla2xxx: Fix crash due to stale SRB access around I/O timeouts +Patch-mainline: v5.20-rc1 +Git-commit: c39587bc0abaf16593f7abcdf8aeec3c038c7d52 +References: bsc#1201958 + +Ensure SRB is returned during I/O timeout error escalation. If that is not +possible fail the escalation path. + +Following crash stack was seen: + +BUG: unable to handle kernel paging request at 0000002f56aa90f8 +IP: qla_chk_edif_rx_sa_delete_pending+0x14/0x30 [qla2xxx] +Call Trace: + ? qla2x00_status_entry+0x19f/0x1c50 [qla2xxx] + ? qla2x00_start_sp+0x116/0x1170 [qla2xxx] + ? dma_pool_alloc+0x1d6/0x210 + ? mempool_alloc+0x54/0x130 + ? qla24xx_process_response_queue+0x548/0x12b0 [qla2xxx] + ? qla_do_work+0x2d/0x40 [qla2xxx] + ? process_one_work+0x14c/0x390 + +Link: https://lore.kernel.org/r/20220616053508.27186-6-njavali@marvell.com +Fixes: d74595278f4a ("scsi: qla2xxx: Add multiple queue pair functionality.") +Cc: stable@vger.kernel.org +Signed-off-by: Arun Easi +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_os.c | 43 ++++++++++++++++++++++++++++++------------ + 1 file changed, 31 insertions(+), 12 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -1355,21 +1355,20 @@ qla2xxx_eh_abort(struct scsi_cmnd *cmd) + /* + * Returns: QLA_SUCCESS or QLA_FUNCTION_FAILED. + */ +-int +-qla2x00_eh_wait_for_pending_commands(scsi_qla_host_t *vha, unsigned int t, +- uint64_t l, enum nexus_wait_type type) ++static int ++__qla2x00_eh_wait_for_pending_commands(struct qla_qpair *qpair, unsigned int t, ++ uint64_t l, enum nexus_wait_type type) + { + int cnt, match, status; + unsigned long flags; +- struct qla_hw_data *ha = vha->hw; +- struct req_que *req; ++ scsi_qla_host_t *vha = qpair->vha; ++ struct req_que *req = qpair->req; + srb_t *sp; + struct scsi_cmnd *cmd; + + status = QLA_SUCCESS; + +- spin_lock_irqsave(&ha->hardware_lock, flags); +- req = vha->req; ++ spin_lock_irqsave(qpair->qp_lock_ptr, flags); + for (cnt = 1; status == QLA_SUCCESS && + cnt < req->num_outstanding_cmds; cnt++) { + sp = req->outstanding_cmds[cnt]; +@@ -1396,12 +1395,32 @@ qla2x00_eh_wait_for_pending_commands(scs + if (!match) + continue; + +- spin_unlock_irqrestore(&ha->hardware_lock, flags); ++ spin_unlock_irqrestore(qpair->qp_lock_ptr, flags); + status = qla2x00_eh_wait_on_command(cmd); +- spin_lock_irqsave(&ha->hardware_lock, flags); ++ spin_lock_irqsave(qpair->qp_lock_ptr, flags); + } +- spin_unlock_irqrestore(&ha->hardware_lock, flags); ++ spin_unlock_irqrestore(qpair->qp_lock_ptr, flags); ++ ++ return status; ++} ++ ++int ++qla2x00_eh_wait_for_pending_commands(scsi_qla_host_t *vha, unsigned int t, ++ uint64_t l, enum nexus_wait_type type) ++{ ++ struct qla_qpair *qpair; ++ struct qla_hw_data *ha = vha->hw; ++ int i, status = QLA_SUCCESS; + ++ status = __qla2x00_eh_wait_for_pending_commands(ha->base_qpair, t, l, ++ type); ++ for (i = 0; status == QLA_SUCCESS && i < ha->max_qpairs; i++) { ++ qpair = ha->queue_pair_map[i]; ++ if (!qpair) ++ continue; ++ status = __qla2x00_eh_wait_for_pending_commands(qpair, t, l, ++ type); ++ } + return status; + } + +@@ -1438,7 +1457,7 @@ qla2xxx_eh_device_reset(struct scsi_cmnd + return err; + + if (fcport->deleted) +- return SUCCESS; ++ return FAILED; + + ql_log(ql_log_info, vha, 0x8009, + "DEVICE RESET ISSUED nexus=%ld:%d:%llu cmd=%p.\n", vha->host_no, +@@ -1506,7 +1525,7 @@ qla2xxx_eh_target_reset(struct scsi_cmnd + return err; + + if (fcport->deleted) +- return SUCCESS; ++ return FAILED; + + ql_log(ql_log_info, vha, 0x8009, + "TARGET RESET ISSUED nexus=%ld:%d cmd=%p.\n", vha->host_no, diff --git a/patches.suse/scsi-qla2xxx-Fix-discovery-issues-in-FC-AL-topology.patch b/patches.suse/scsi-qla2xxx-Fix-discovery-issues-in-FC-AL-topology.patch new file mode 100644 index 0000000..5dffbe7 --- /dev/null +++ b/patches.suse/scsi-qla2xxx-Fix-discovery-issues-in-FC-AL-topology.patch @@ -0,0 +1,105 @@ +From: Arun Easi +Date: Tue, 12 Jul 2022 22:20:42 -0700 +Subject: scsi: qla2xxx: Fix discovery issues in FC-AL topology +Patch-mainline: v5.20-rc1 +Git-commit: 47ccb113cead905bdc236571bf8ac6fed90321b3 +References: bsc#1201651 + +A direct attach tape device, when gets swapped with another, was not +discovered. Fix this by looking at loop map and reinitialize link if there +are devices present. + +Link: https://lore.kernel.org/linux-scsi/baef87c3-5dad-3b47-44c1-6914bfc90108@cybernetics.com/ +Link: https://lore.kernel.org/r/20220713052045.10683-8-njavali@marvell.com +Cc: stable@vger.kernel.org +Reported-by: Tony Battersby +Tested-by: Tony Battersby +Reviewed-by: Himanshu Madhani +Signed-off-by: Arun Easi +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_gbl.h | 3 ++- + drivers/scsi/qla2xxx/qla_init.c | 29 +++++++++++++++++++++++++++++ + drivers/scsi/qla2xxx/qla_mbx.c | 5 ++++- + 3 files changed, 35 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_gbl.h ++++ b/drivers/scsi/qla2xxx/qla_gbl.h +@@ -437,7 +437,8 @@ extern int + qla2x00_get_resource_cnts(scsi_qla_host_t *); + + extern int +-qla2x00_get_fcal_position_map(scsi_qla_host_t *ha, char *pos_map); ++qla2x00_get_fcal_position_map(scsi_qla_host_t *ha, char *pos_map, ++ u8 *num_entries); + + extern int + qla2x00_get_link_status(scsi_qla_host_t *, uint16_t, struct link_statistics *, +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -5495,6 +5495,22 @@ static int qla2x00_configure_n2n_loop(sc + return QLA_FUNCTION_FAILED; + } + ++static void ++qla_reinitialize_link(scsi_qla_host_t *vha) ++{ ++ int rval; ++ ++ atomic_set(&vha->loop_state, LOOP_DOWN); ++ atomic_set(&vha->loop_down_timer, LOOP_DOWN_TIME); ++ rval = qla2x00_full_login_lip(vha); ++ if (rval == QLA_SUCCESS) { ++ ql_dbg(ql_dbg_disc, vha, 0xd050, "Link reinitialized\n"); ++ } else { ++ ql_dbg(ql_dbg_disc, vha, 0xd051, ++ "Link reinitialization failed (%d)\n", rval); ++ } ++} ++ + /* + * qla2x00_configure_local_loop + * Updates Fibre Channel Device Database with local loop devices. +@@ -5546,6 +5562,19 @@ qla2x00_configure_local_loop(scsi_qla_ho + spin_unlock_irqrestore(&vha->work_lock, flags); + + if (vha->scan.scan_retry < MAX_SCAN_RETRIES) { ++ u8 loop_map_entries = 0; ++ int rc; ++ ++ rc = qla2x00_get_fcal_position_map(vha, NULL, ++ &loop_map_entries); ++ if (rc == QLA_SUCCESS && loop_map_entries > 1) { ++ /* ++ * There are devices that are still not logged ++ * in. Reinitialize to give them a chance. ++ */ ++ qla_reinitialize_link(vha); ++ return QLA_FUNCTION_FAILED; ++ } + set_bit(LOCAL_LOOP_UPDATE, &vha->dpc_flags); + set_bit(LOOP_RESYNC_NEEDED, &vha->dpc_flags); + } +--- a/drivers/scsi/qla2xxx/qla_mbx.c ++++ b/drivers/scsi/qla2xxx/qla_mbx.c +@@ -3069,7 +3069,8 @@ qla2x00_get_resource_cnts(scsi_qla_host_ + * Kernel context. + */ + int +-qla2x00_get_fcal_position_map(scsi_qla_host_t *vha, char *pos_map) ++qla2x00_get_fcal_position_map(scsi_qla_host_t *vha, char *pos_map, ++ u8 *num_entries) + { + int rval; + mbx_cmd_t mc; +@@ -3109,6 +3110,8 @@ qla2x00_get_fcal_position_map(scsi_qla_h + + if (pos_map) + memcpy(pos_map, pmap, FCAL_MAP_SIZE); ++ if (num_entries) ++ *num_entries = pmap[0]; + } + dma_pool_free(ha->s_dma_pool, pmap, pmap_dma); + diff --git a/patches.suse/scsi-qla2xxx-Fix-disk-failure-to-rediscover.patch b/patches.suse/scsi-qla2xxx-Fix-disk-failure-to-rediscover.patch deleted file mode 100644 index 8b5e0db..0000000 --- a/patches.suse/scsi-qla2xxx-Fix-disk-failure-to-rediscover.patch +++ /dev/null @@ -1,72 +0,0 @@ -From: Quinn Tran -Date: Thu, 10 Mar 2022 01:25:53 -0800 -Subject: scsi: qla2xxx: Fix disk failure to rediscover -Patch-mainline: v5.18-rc1 -Git-commit: 6a45c8e137d4e2c72eecf1ac7cf64f2fdfcead99 -References: bsc#1197661 - -User experienced some of the LUN failed to get rediscovered after long -cable pull test. The issue is triggered by a race condition between driver -setting session online state vs starting the LUN scan process at the same -time. Current code set the online state after notifying the session is -available. In this case, trigger to start the LUN scan process happened -before driver could set the session in online state. LUN scan ends up with -failure due to the session online check was failing. - -Set the online state before reporting of the availability of the session. - -Link: https://lore.kernel.org/r/20220310092604.22950-3-njavali@marvell.com -Fixes: aecf043443d3 ("scsi: qla2xxx: Fix Remote port registration") -Cc: stable@vger.kernel.org -Reviewed-by: Himanshu Madhani -Signed-off-by: Quinn Tran -Signed-off-by: Nilesh Javali -Signed-off-by: Martin K. Petersen -Acked-by: Daniel Wagner ---- - drivers/scsi/qla2xxx/qla_init.c | 5 +++-- - drivers/scsi/qla2xxx/qla_nvme.c | 5 +++++ - 2 files changed, 8 insertions(+), 2 deletions(-) - ---- a/drivers/scsi/qla2xxx/qla_init.c -+++ b/drivers/scsi/qla2xxx/qla_init.c -@@ -5759,6 +5759,8 @@ qla2x00_reg_remote_port(scsi_qla_host_t - if (atomic_read(&fcport->state) == FCS_ONLINE) - return; - -+ qla2x00_set_fcport_state(fcport, FCS_ONLINE); -+ - rport_ids.node_name = wwn_to_u64(fcport->node_name); - rport_ids.port_name = wwn_to_u64(fcport->port_name); - rport_ids.port_id = fcport->d_id.b.domain << 16 | -@@ -5859,6 +5861,7 @@ qla2x00_update_fcport(scsi_qla_host_t *v - qla2x00_reg_remote_port(vha, fcport); - break; - case MODE_TARGET: -+ qla2x00_set_fcport_state(fcport, FCS_ONLINE); - if (!vha->vha_tgt.qla_tgt->tgt_stop && - !vha->vha_tgt.qla_tgt->tgt_stopped) - qlt_fc_port_added(vha, fcport); -@@ -5876,8 +5879,6 @@ qla2x00_update_fcport(scsi_qla_host_t *v - if (NVME_TARGET(vha->hw, fcport)) - qla_nvme_register_remote(vha, fcport); - -- qla2x00_set_fcport_state(fcport, FCS_ONLINE); -- - if (IS_IIDMA_CAPABLE(vha->hw) && vha->hw->flags.gpsc_supported) { - if (fcport->id_changed) { - fcport->id_changed = 0; ---- a/drivers/scsi/qla2xxx/qla_nvme.c -+++ b/drivers/scsi/qla2xxx/qla_nvme.c -@@ -36,6 +36,11 @@ int qla_nvme_register_remote(struct scsi - (fcport->nvme_flag & NVME_FLAG_REGISTERED)) - return 0; - -+ if (atomic_read(&fcport->state) == FCS_ONLINE) -+ return 0; -+ -+ qla2x00_set_fcport_state(fcport, FCS_ONLINE); -+ - fcport->nvme_flag &= ~NVME_FLAG_RESETTING; - - memset(&req, 0, sizeof(struct nvme_fc_port_info)); diff --git a/patches.suse/scsi-qla2xxx-Fix-erroneous-mailbox-timeout-after-PCI.patch b/patches.suse/scsi-qla2xxx-Fix-erroneous-mailbox-timeout-after-PCI.patch new file mode 100644 index 0000000..3c4c6a0 --- /dev/null +++ b/patches.suse/scsi-qla2xxx-Fix-erroneous-mailbox-timeout-after-PCI.patch @@ -0,0 +1,60 @@ +From: Quinn Tran +Date: Wed, 15 Jun 2022 22:35:07 -0700 +Subject: scsi: qla2xxx: Fix erroneous mailbox timeout after PCI error + injection +Patch-mainline: v5.20-rc1 +Git-commit: f260694e6463b63ae550aad25ddefe94cb1904da +References: bsc#1201958 + +Clear wait for mailbox interrupt flag to prevent stale mailbox: + +Feb 22 05:22:56 ltcden4-lp7 kernel: qla2xxx [0135:90:00.1]-500a:4: LOOP UP detected (16 Gbps). +Feb 22 05:22:59 ltcden4-lp7 kernel: qla2xxx [0135:90:00.1]-d04c:4: MBX Command timeout for cmd 69, ... + +To fix the issue, driver needs to clear the MBX_INTR_WAIT flag on purging +the mailbox. When the stale mailbox completion does arrive, it will be +dropped. + +Link: https://lore.kernel.org/r/20220616053508.27186-11-njavali@marvell.com +Fixes: b6faaaf796d7 ("scsi: qla2xxx: Serialize mailbox request") +Cc: Naresh Bannoth +Cc: Kyle Mahlkuch +Cc: stable@vger.kernel.org +Reported-by: Naresh Bannoth +Tested-by: Naresh Bannoth +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_mbx.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_mbx.c ++++ b/drivers/scsi/qla2xxx/qla_mbx.c +@@ -275,6 +275,12 @@ qla2x00_mailbox_command(scsi_qla_host_t + atomic_inc(&ha->num_pend_mbx_stage3); + if (!wait_for_completion_timeout(&ha->mbx_intr_comp, + mcp->tov * HZ)) { ++ ql_dbg(ql_dbg_mbx, vha, 0x117a, ++ "cmd=%x Timeout.\n", command); ++ spin_lock_irqsave(&ha->hardware_lock, flags); ++ clear_bit(MBX_INTR_WAIT, &ha->mbx_cmd_flags); ++ spin_unlock_irqrestore(&ha->hardware_lock, flags); ++ + if (chip_reset != ha->chip_reset) { + eeh_delay = ha->flags.eeh_busy ? 1 : 0; + +@@ -287,12 +293,6 @@ qla2x00_mailbox_command(scsi_qla_host_t + rval = QLA_ABORTED; + goto premature_exit; + } +- ql_dbg(ql_dbg_mbx, vha, 0x117a, +- "cmd=%x Timeout.\n", command); +- spin_lock_irqsave(&ha->hardware_lock, flags); +- clear_bit(MBX_INTR_WAIT, &ha->mbx_cmd_flags); +- spin_unlock_irqrestore(&ha->hardware_lock, flags); +- + } else if (ha->flags.purge_mbox || + chip_reset != ha->chip_reset) { + eeh_delay = ha->flags.eeh_busy ? 1 : 0; diff --git a/patches.suse/scsi-qla2xxx-Fix-excessive-I-O-error-messages-by-def.patch b/patches.suse/scsi-qla2xxx-Fix-excessive-I-O-error-messages-by-def.patch new file mode 100644 index 0000000..f03cdf7 --- /dev/null +++ b/patches.suse/scsi-qla2xxx-Fix-excessive-I-O-error-messages-by-def.patch @@ -0,0 +1,41 @@ +From: Arun Easi +Date: Wed, 15 Jun 2022 22:34:58 -0700 +Subject: scsi: qla2xxx: Fix excessive I/O error messages by default +Patch-mainline: v5.20-rc1 +Git-commit: bff4873c709085e09d0ffae0c25b8e65256e3205 +References: bsc#1201958 + +Disable printing I/O error messages by default. The messages will be +printed only when logging was enabled. + +Link: https://lore.kernel.org/r/20220616053508.27186-2-njavali@marvell.com +Fixes: 8e2d81c6b5be ("scsi: qla2xxx: Fix excessive messages during device logout") +Cc: stable@vger.kernel.org +Signed-off-by: Arun Easi +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_isr.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_isr.c ++++ b/drivers/scsi/qla2xxx/qla_isr.c +@@ -2646,7 +2646,7 @@ static void qla24xx_nvme_iocb_entry(scsi + } + + if (unlikely(logit)) +- ql_log(ql_dbg_io, fcport->vha, 0x5060, ++ ql_dbg(ql_dbg_io, fcport->vha, 0x5060, + "NVME-%s ERR Handling - hdl=%x status(%x) tr_len:%x resid=%x ox_id=%x\n", + sp->name, sp->handle, comp_status, + fd->transferred_length, le32_to_cpu(sts->residual_len), +@@ -3513,7 +3513,7 @@ qla2x00_status_entry(scsi_qla_host_t *vh + + out: + if (logit) +- ql_log(ql_dbg_io, fcport->vha, 0x3022, ++ ql_dbg(ql_dbg_io, fcport->vha, 0x3022, + "FCP command status: 0x%x-0x%x (0x%x) nexus=%ld:%d:%llu portid=%02x%02x%02x oxid=0x%x cdb=%10phN len=0x%x rsp_info=0x%x resid=0x%x fw_resid=0x%x sp=%p cp=%p.\n", + comp_status, scsi_status, res, vha->host_no, + cp->device->id, cp->device->lun, fcport->d_id.b.domain, diff --git a/patches.suse/scsi-qla2xxx-Fix-imbalance-vha-vref_count.patch b/patches.suse/scsi-qla2xxx-Fix-imbalance-vha-vref_count.patch new file mode 100644 index 0000000..119cda1 --- /dev/null +++ b/patches.suse/scsi-qla2xxx-Fix-imbalance-vha-vref_count.patch @@ -0,0 +1,54 @@ +From: Quinn Tran +Date: Tue, 12 Jul 2022 22:20:41 -0700 +Subject: scsi: qla2xxx: Fix imbalance vha->vref_count +Patch-mainline: v5.20-rc1 +Git-commit: 63fa7f2644b4b48e1913af33092c044bf48e9321 +References: bsc#1201651 + +vref_count took an extra decrement in the task management path. Add an +extra ref count to compensate the imbalance. + +Link: https://lore.kernel.org/r/20220713052045.10683-7-njavali@marvell.com +Cc: stable@vger.kernel.org +Reviewed-by: Himanshu Madhani +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_init.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -162,6 +162,7 @@ int qla24xx_async_abort_cmd(srb_t *cmd_s + struct srb_iocb *abt_iocb; + srb_t *sp; + int rval = QLA_FUNCTION_FAILED; ++ uint8_t bail; + + /* ref: INIT for ABTS command */ + sp = qla2xxx_get_qpair_sp(cmd_sp->vha, cmd_sp->qpair, cmd_sp->fcport, +@@ -169,6 +170,7 @@ int qla24xx_async_abort_cmd(srb_t *cmd_s + if (!sp) + return QLA_MEMORY_ALLOC_FAILED; + ++ QLA_VHA_MARK_BUSY(vha, bail); + abt_iocb = &sp->u.iocb_cmd; + sp->type = SRB_ABT_CMD; + sp->name = "abort"; +@@ -2003,12 +2005,14 @@ qla2x00_async_tm_cmd(fc_port_t *fcport, + struct srb_iocb *tm_iocb; + srb_t *sp; + int rval = QLA_FUNCTION_FAILED; ++ uint8_t bail; + + /* ref: INIT */ + sp = qla2x00_get_sp(vha, fcport, GFP_KERNEL); + if (!sp) + goto done; + ++ QLA_VHA_MARK_BUSY(vha, bail); + sp->type = SRB_TM_CMD; + sp->name = "tmf"; + qla2x00_init_async_sp(sp, qla2x00_get_async_timeout(vha), diff --git a/patches.suse/scsi-qla2xxx-Fix-incorrect-display-of-max-frame-size.patch b/patches.suse/scsi-qla2xxx-Fix-incorrect-display-of-max-frame-size.patch new file mode 100644 index 0000000..5375de8 --- /dev/null +++ b/patches.suse/scsi-qla2xxx-Fix-incorrect-display-of-max-frame-size.patch @@ -0,0 +1,97 @@ +From: Bikash Hazarika +Date: Tue, 12 Jul 2022 22:20:37 -0700 +Subject: scsi: qla2xxx: Fix incorrect display of max frame size +Patch-mainline: v5.20-rc1 +Git-commit: cf3b4fb655796674e605268bd4bfb47a47c8bce6 +References: bsc#1201958 + +Replace display field with the correct field. + +Link: https://lore.kernel.org/r/20220713052045.10683-3-njavali@marvell.com +Fixes: 8777e4314d39 ("scsi: qla2xxx: Migrate NVME N2N handling into state machine") +Cc: stable@vger.kernel.org +Reviewed-by: Himanshu Madhani +Signed-off-by: Bikash Hazarika +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_def.h | 1 + + drivers/scsi/qla2xxx/qla_gs.c | 9 +++------ + drivers/scsi/qla2xxx/qla_init.c | 2 ++ + drivers/scsi/qla2xxx/qla_isr.c | 4 +--- + 4 files changed, 7 insertions(+), 9 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_def.h ++++ b/drivers/scsi/qla2xxx/qla_def.h +@@ -3976,6 +3976,7 @@ struct qla_hw_data { + /* SRB cache. */ + #define SRB_MIN_REQ 128 + mempool_t *srb_mempool; ++ u8 port_name[WWN_SIZE]; + + volatile struct { + uint32_t mbox_int :1; +--- a/drivers/scsi/qla2xxx/qla_gs.c ++++ b/drivers/scsi/qla2xxx/qla_gs.c +@@ -1597,7 +1597,6 @@ qla2x00_hba_attributes(scsi_qla_host_t * + unsigned int callopt) + { + struct qla_hw_data *ha = vha->hw; +- struct init_cb_24xx *icb24 = (void *)ha->init_cb; + struct new_utsname *p_sysid = utsname(); + struct ct_fdmi_hba_attr *eiter; + uint16_t alen; +@@ -1759,8 +1758,8 @@ qla2x00_hba_attributes(scsi_qla_host_t * + /* MAX CT Payload Length */ + eiter = entries + size; + eiter->type = cpu_to_be16(FDMI_HBA_MAXIMUM_CT_PAYLOAD_LENGTH); +- eiter->a.max_ct_len = cpu_to_be32(le16_to_cpu(IS_FWI2_CAPABLE(ha) ? +- icb24->frame_payload_size : ha->init_cb->frame_payload_size)); ++ eiter->a.max_ct_len = cpu_to_be32(ha->frame_payload_size >> 2); ++ + alen = sizeof(eiter->a.max_ct_len); + alen += FDMI_ATTR_TYPELEN(eiter); + eiter->len = cpu_to_be16(alen); +@@ -1852,7 +1851,6 @@ qla2x00_port_attributes(scsi_qla_host_t + unsigned int callopt) + { + struct qla_hw_data *ha = vha->hw; +- struct init_cb_24xx *icb24 = (void *)ha->init_cb; + struct new_utsname *p_sysid = utsname(); + char *hostname = p_sysid ? + p_sysid->nodename : fc_host_system_hostname(vha->host); +@@ -1904,8 +1902,7 @@ qla2x00_port_attributes(scsi_qla_host_t + /* Max frame size. */ + eiter = entries + size; + eiter->type = cpu_to_be16(FDMI_PORT_MAX_FRAME_SIZE); +- eiter->a.max_frame_size = cpu_to_be32(le16_to_cpu(IS_FWI2_CAPABLE(ha) ? +- icb24->frame_payload_size : ha->init_cb->frame_payload_size)); ++ eiter->a.max_frame_size = cpu_to_be32(ha->frame_payload_size); + alen = sizeof(eiter->a.max_frame_size); + alen += FDMI_ATTR_TYPELEN(eiter); + eiter->len = cpu_to_be16(alen); +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -4510,6 +4510,8 @@ qla2x00_init_rings(scsi_qla_host_t *vha) + BIT_6) != 0; + ql_dbg(ql_dbg_init, vha, 0x00bc, "FA-WWPN Support: %s.\n", + (ha->flags.fawwpn_enabled) ? "enabled" : "disabled"); ++ /* Init_cb will be reused for other command(s). Save a backup copy of port_name */ ++ memcpy(ha->port_name, ha->init_cb->port_name, WWN_SIZE); + } + + /* ELS pass through payload is limit by frame size. */ +--- a/drivers/scsi/qla2xxx/qla_isr.c ++++ b/drivers/scsi/qla2xxx/qla_isr.c +@@ -1355,9 +1355,7 @@ qla2x00_async_event(scsi_qla_host_t *vha + if (!vha->vp_idx) { + if (ha->flags.fawwpn_enabled && + (ha->current_topology == ISP_CFG_F)) { +- void *wwpn = ha->init_cb->port_name; +- +- memcpy(vha->port_name, wwpn, WWN_SIZE); ++ memcpy(vha->port_name, ha->port_name, WWN_SIZE); + fc_host_port_name(vha->host) = + wwn_to_u64(vha->port_name); + ql_dbg(ql_dbg_init + ql_dbg_verbose, diff --git a/patches.suse/scsi-qla2xxx-Fix-losing-FCP-2-targets-during-port-pe.patch b/patches.suse/scsi-qla2xxx-Fix-losing-FCP-2-targets-during-port-pe.patch new file mode 100644 index 0000000..cc7f857 --- /dev/null +++ b/patches.suse/scsi-qla2xxx-Fix-losing-FCP-2-targets-during-port-pe.patch @@ -0,0 +1,34 @@ +From: Arun Easi +Date: Wed, 15 Jun 2022 22:35:03 -0700 +Subject: scsi: qla2xxx: Fix losing FCP-2 targets during port perturbation + tests +Patch-mainline: v5.20-rc1 +Git-commit: 58d1c124cd79ea686b512043c5bd515590b2ed95 +References: bsc#1201958 + +When a mix of FCP-2 (tape) and non-FCP-2 targets are present, FCP-2 target +state was incorrectly transitioned when both of the targets were gone. Fix +this by ignoring state transition for FCP-2 targets. + +Link: https://lore.kernel.org/r/20220616053508.27186-7-njavali@marvell.com +Fixes: 44c57f205876 ("scsi: qla2xxx: Changes to support FCP2 Target") +Cc: stable@vger.kernel.org +Signed-off-by: Arun Easi +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_gs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/qla2xxx/qla_gs.c ++++ b/drivers/scsi/qla2xxx/qla_gs.c +@@ -3633,7 +3633,7 @@ void qla24xx_async_gnnft_done(scsi_qla_h + do_delete) { + if (fcport->loop_id != FC_NO_LOOP_ID) { + if (fcport->flags & FCF_FCP2_DEVICE) +- fcport->logout_on_delete = 0; ++ continue; + + ql_log(ql_log_warn, vha, 0x20f0, + "%s %d %8phC post del sess\n", diff --git a/patches.suse/scsi-qla2xxx-Fix-losing-FCP-2-targets-on-long-port-d.patch b/patches.suse/scsi-qla2xxx-Fix-losing-FCP-2-targets-on-long-port-d.patch new file mode 100644 index 0000000..a6dc773 --- /dev/null +++ b/patches.suse/scsi-qla2xxx-Fix-losing-FCP-2-targets-on-long-port-d.patch @@ -0,0 +1,65 @@ +From: Arun Easi +Date: Wed, 15 Jun 2022 22:35:06 -0700 +Subject: scsi: qla2xxx: Fix losing FCP-2 targets on long port disable with + I/Os +Patch-mainline: v5.20-rc1 +Git-commit: 2416ccd3815ba1613e10a6da0a24ef21acfe5633 +References: bsc#1201958 + +FCP-2 devices were not coming back online once they were lost, login +retries exhausted, and then came back up. Fix this by accepting RSCN when +the device is not online. + +Link: https://lore.kernel.org/r/20220616053508.27186-10-njavali@marvell.com +Fixes: 44c57f205876 ("scsi: qla2xxx: Changes to support FCP2 Target") +Cc: stable@vger.kernel.org +Signed-off-by: Arun Easi +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_init.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -1835,7 +1835,8 @@ void qla2x00_handle_rscn(scsi_qla_host_t + case RSCN_PORT_ADDR: + fcport = qla2x00_find_fcport_by_nportid(vha, &ea->id, 1); + if (fcport) { +- if (fcport->flags & FCF_FCP2_DEVICE) { ++ if (fcport->flags & FCF_FCP2_DEVICE && ++ atomic_read(&fcport->state) == FCS_ONLINE) { + ql_dbg(ql_dbg_disc, vha, 0x2115, + "Delaying session delete for FCP2 portid=%06x %8phC ", + fcport->d_id.b24, fcport->port_name); +@@ -1867,7 +1868,8 @@ void qla2x00_handle_rscn(scsi_qla_host_t + break; + case RSCN_AREA_ADDR: + list_for_each_entry(fcport, &vha->vp_fcports, list) { +- if (fcport->flags & FCF_FCP2_DEVICE) ++ if (fcport->flags & FCF_FCP2_DEVICE && ++ atomic_read(&fcport->state) == FCS_ONLINE) + continue; + + if ((ea->id.b24 & 0xffff00) == (fcport->d_id.b24 & 0xffff00)) { +@@ -1878,7 +1880,8 @@ void qla2x00_handle_rscn(scsi_qla_host_t + break; + case RSCN_DOM_ADDR: + list_for_each_entry(fcport, &vha->vp_fcports, list) { +- if (fcport->flags & FCF_FCP2_DEVICE) ++ if (fcport->flags & FCF_FCP2_DEVICE && ++ atomic_read(&fcport->state) == FCS_ONLINE) + continue; + + if ((ea->id.b24 & 0xff0000) == (fcport->d_id.b24 & 0xff0000)) { +@@ -1890,7 +1893,8 @@ void qla2x00_handle_rscn(scsi_qla_host_t + case RSCN_FAB_ADDR: + default: + list_for_each_entry(fcport, &vha->vp_fcports, list) { +- if (fcport->flags & FCF_FCP2_DEVICE) ++ if (fcport->flags & FCF_FCP2_DEVICE && ++ atomic_read(&fcport->state) == FCS_ONLINE) + continue; + + fcport->scan_needed = 1; diff --git a/patches.suse/scsi-qla2xxx-Fix-losing-target-when-it-reappears-dur.patch b/patches.suse/scsi-qla2xxx-Fix-losing-target-when-it-reappears-dur.patch new file mode 100644 index 0000000..ea052e1 --- /dev/null +++ b/patches.suse/scsi-qla2xxx-Fix-losing-target-when-it-reappears-dur.patch @@ -0,0 +1,77 @@ +From: Arun Easi +Date: Wed, 15 Jun 2022 22:35:04 -0700 +Subject: scsi: qla2xxx: Fix losing target when it reappears during delete +Patch-mainline: v5.20-rc1 +Git-commit: 118b0c863c8f5629cc5271fc24d72d926e0715d9 +References: bsc#1201958 + +FC target disappeared during port perturbation tests due to a race that +tramples target state. Fix the issue by adding state checks before +proceeding. + +Link: https://lore.kernel.org/r/20220616053508.27186-8-njavali@marvell.com +Fixes: 44c57f205876 ("scsi: qla2xxx: Changes to support FCP2 Target") +Cc: stable@vger.kernel.org +Signed-off-by: Arun Easi +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_attr.c | 24 +++++++++++++++++------- + 1 file changed, 17 insertions(+), 7 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_attr.c ++++ b/drivers/scsi/qla2xxx/qla_attr.c +@@ -2710,17 +2710,24 @@ qla2x00_dev_loss_tmo_callbk(struct fc_rp + if (!fcport) + return; + +- /* Now that the rport has been deleted, set the fcport state to +- FCS_DEVICE_DEAD */ +- qla2x00_set_fcport_state(fcport, FCS_DEVICE_DEAD); ++ ++ /* ++ * Now that the rport has been deleted, set the fcport state to ++ * FCS_DEVICE_DEAD, if the fcport is still lost. ++ */ ++ if (fcport->scan_state != QLA_FCPORT_FOUND) ++ qla2x00_set_fcport_state(fcport, FCS_DEVICE_DEAD); + + /* + * Transport has effectively 'deleted' the rport, clear + * all local references. + */ + spin_lock_irqsave(host->host_lock, flags); +- fcport->rport = fcport->drport = NULL; +- *((fc_port_t **)rport->dd_data) = NULL; ++ /* Confirm port has not reappeared before clearing pointers. */ ++ if (rport->port_state != FC_PORTSTATE_ONLINE) { ++ fcport->rport = fcport->drport = NULL; ++ *((fc_port_t **)rport->dd_data) = NULL; ++ } + spin_unlock_irqrestore(host->host_lock, flags); + + if (test_bit(ABORT_ISP_ACTIVE, &fcport->vha->dpc_flags)) +@@ -2753,9 +2760,12 @@ qla2x00_terminate_rport_io(struct fc_rpo + /* + * At this point all fcport's software-states are cleared. Perform any + * final cleanup of firmware resources (PCBs and XCBs). ++ * ++ * Attempt to cleanup only lost devices. + */ + if (fcport->loop_id != FC_NO_LOOP_ID) { +- if (IS_FWI2_CAPABLE(fcport->vha->hw)) { ++ if (IS_FWI2_CAPABLE(fcport->vha->hw) && ++ fcport->scan_state != QLA_FCPORT_FOUND) { + if (fcport->loop_id != FC_NO_LOOP_ID) + fcport->logout_on_delete = 1; + +@@ -2765,7 +2775,7 @@ qla2x00_terminate_rport_io(struct fc_rpo + __LINE__); + qlt_schedule_sess_for_deletion(fcport); + } +- } else { ++ } else if (!IS_FWI2_CAPABLE(fcport->vha->hw)) { + qla2x00_port_logout(fcport->vha, fcport); + } + } diff --git a/patches.suse/scsi-qla2xxx-Fix-response-queue-handler-reading-stal.patch b/patches.suse/scsi-qla2xxx-Fix-response-queue-handler-reading-stal.patch new file mode 100644 index 0000000..0b6f71b --- /dev/null +++ b/patches.suse/scsi-qla2xxx-Fix-response-queue-handler-reading-stal.patch @@ -0,0 +1,116 @@ +From: Arun Easi +Date: Tue, 12 Jul 2022 22:20:39 -0700 +Subject: scsi: qla2xxx: Fix response queue handler reading stale packets +Patch-mainline: v5.20-rc1 +Git-commit: b1f707146923335849fb70237eec27d4d1ae7d62 +References: bsc#1201651 + +On some platforms, the current logic of relying on finding new packet +solely based on signature pattern can lead to driver reading stale +packets. Though this is a bug in those platforms, reduce such exposures by +limiting reading packets until the IN pointer. + +Two module parameters are introduced: + + ql2xrspq_follow_inptr: + + When set, on newer adapters that has queue pointer shadowing, look for + response packets only until response queue in pointer. + + When reset, response packets are read based on a signature pattern + logic (old way). + + ql2xrspq_follow_inptr_legacy: + + Like ql2xrspq_follow_inptr, but for those adapters where there is no + queue pointer shadowing. + +Link: https://lore.kernel.org/r/20220713052045.10683-5-njavali@marvell.com +Cc: stable@vger.kernel.org +Reviewed-by: Himanshu Madhani +Signed-off-by: Arun Easi +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_gbl.h | 2 ++ + drivers/scsi/qla2xxx/qla_isr.c | 24 +++++++++++++++++++++++- + drivers/scsi/qla2xxx/qla_os.c | 9 +++++++++ + 3 files changed, 34 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/qla2xxx/qla_gbl.h ++++ b/drivers/scsi/qla2xxx/qla_gbl.h +@@ -195,6 +195,8 @@ extern int ql2xsecenable; + extern int ql2xenforce_iocb_limit; + extern int ql2xabts_wait_nvme; + extern u32 ql2xnvme_queues; ++extern int ql2xrspq_follow_inptr; ++extern int ql2xrspq_follow_inptr_legacy; + + extern int qla2x00_loop_reset(scsi_qla_host_t *); + extern void qla2x00_abort_all_cmds(scsi_qla_host_t *, int); +--- a/drivers/scsi/qla2xxx/qla_isr.c ++++ b/drivers/scsi/qla2xxx/qla_isr.c +@@ -3790,6 +3790,8 @@ void qla24xx_process_response_queue(stru + struct qla_hw_data *ha = vha->hw; + struct purex_entry_24xx *purex_entry; + struct purex_item *pure_item; ++ u16 rsp_in = 0; ++ int follow_inptr, is_shadow_hba; + + if (!ha->flags.fw_started) + return; +@@ -3799,7 +3801,25 @@ void qla24xx_process_response_queue(stru + qla_cpu_update(rsp->qpair, smp_processor_id()); + } + +- while (rsp->ring_ptr->signature != RESPONSE_PROCESSED) { ++#define __update_rsp_in(_update, _is_shadow_hba, _rsp, _rsp_in) \ ++ do { \ ++ if (_update) { \ ++ _rsp_in = _is_shadow_hba ? *(_rsp)->in_ptr : \ ++ rd_reg_dword_relaxed((_rsp)->rsp_q_in); \ ++ } \ ++ } while (0) ++ ++ is_shadow_hba = IS_SHADOW_REG_CAPABLE(ha); ++ follow_inptr = is_shadow_hba ? ql2xrspq_follow_inptr : ++ ql2xrspq_follow_inptr_legacy; ++ ++ __update_rsp_in(follow_inptr, is_shadow_hba, rsp, rsp_in); ++ ++ while ((likely(follow_inptr && ++ rsp->ring_index != rsp_in && ++ rsp->ring_ptr->signature != RESPONSE_PROCESSED)) || ++ (!follow_inptr && ++ rsp->ring_ptr->signature != RESPONSE_PROCESSED)) { + pkt = (struct sts_entry_24xx *)rsp->ring_ptr; + + rsp->ring_index++; +@@ -3912,6 +3932,8 @@ void qla24xx_process_response_queue(stru + } + pure_item = qla27xx_copy_fpin_pkt(vha, + (void **)&pkt, &rsp); ++ __update_rsp_in(follow_inptr, is_shadow_hba, ++ rsp, rsp_in); + if (!pure_item) + break; + qla24xx_queue_purex_item(vha, pure_item, +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -339,6 +339,15 @@ module_param(ql2xabts_wait_nvme, int, 04 + MODULE_PARM_DESC(ql2xabts_wait_nvme, + "To wait for ABTS response on I/O timeouts for NVMe. (default: 1)"); + ++int ql2xrspq_follow_inptr = 1; ++module_param(ql2xrspq_follow_inptr, int, 0644); ++MODULE_PARM_DESC(ql2xrspq_follow_inptr, ++ "Follow RSP IN pointer for RSP updates for HBAs 27xx and newer (default: 1)."); ++ ++int ql2xrspq_follow_inptr_legacy = 1; ++module_param(ql2xrspq_follow_inptr_legacy, int, 0644); ++MODULE_PARM_DESC(ql2xrspq_follow_inptr_legacy, ++ "Follow RSP IN pointer for RSP updates for HBAs older than 27XX. (default: 1)."); + + u32 ql2xdelay_before_pci_error_handling = 5; + module_param(ql2xdelay_before_pci_error_handling, uint, 0644); diff --git a/patches.suse/scsi-qla2xxx-Fix-sparse-warning-for-dport_data.patch b/patches.suse/scsi-qla2xxx-Fix-sparse-warning-for-dport_data.patch new file mode 100644 index 0000000..da6f84d --- /dev/null +++ b/patches.suse/scsi-qla2xxx-Fix-sparse-warning-for-dport_data.patch @@ -0,0 +1,51 @@ +From: Nilesh Javali +Date: Tue, 12 Jul 2022 22:20:43 -0700 +Subject: scsi: qla2xxx: Fix sparse warning for dport_data +Patch-mainline: v5.20-rc1 +Git-commit: 166d74b876b7d8eb2e41b0587db93d23cef85221 +References: bsc#1201651 + +Use le16_to_cpu to fix sparse warning reported for dport_data. + +sparse warnings: (new ones prefixed by >>) +>> drivers/scsi/qla2xxx/qla_bsg.c:2485:34: sparse: sparse: incorrect +>> type in assignment (different base types) @@ expected unsigned +>> short [usertype] mbx1 @@ got restricted __le16 @@ + drivers/scsi/qla2xxx/qla_bsg.c:2485:34: sparse: expected unsigned short [usertype] mbx1 + drivers/scsi/qla2xxx/qla_bsg.c:2485:34: sparse: got restricted __le16 +>> drivers/scsi/qla2xxx/qla_bsg.c:2486:34: sparse: sparse: +>> incorrect type in assignment (different base types) @@ +>> expected unsigned short [usertype] mbx2 @@ got restricted __le16 @@ + drivers/scsi/qla2xxx/qla_bsg.c:2486:34: sparse: expected unsigned short [usertype] mbx2 + drivers/scsi/qla2xxx/qla_bsg.c:2486:34: sparse: got restricted __le16 + +Link: https://lore.kernel.org/r/20220713052045.10683-9-njavali@marvell.com +Fixes: 476da8faa336 ("scsi: qla2xxx: Add a new v2 dport diagnostic feature") +Cc: stable@vger.kernel.org +Reported-by: kernel test robot +Reviewed-by: Himanshu Madhani +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_bsg.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/qla2xxx/qla_bsg.c b/drivers/scsi/qla2xxx/qla_bsg.c +index 299c5cba92f4..5db9bf69dcff 100644 +--- a/drivers/scsi/qla2xxx/qla_bsg.c ++++ b/drivers/scsi/qla2xxx/qla_bsg.c +@@ -2482,8 +2482,8 @@ qla2x00_do_dport_diagnostics_v2(struct bsg_job *bsg_job) + dd->mbx2 = mcp->mb[1]; + vha->dport_status |= DPORT_DIAG_IN_PROGRESS; + } else if (options == QLA_GET_DPORT_RESULT_V2) { +- dd->mbx1 = vha->dport_data[1]; +- dd->mbx2 = vha->dport_data[2]; ++ dd->mbx1 = le16_to_cpu(vha->dport_data[1]); ++ dd->mbx2 = le16_to_cpu(vha->dport_data[2]); + } + } else { + dd->mbx1 = mcp->mb[0]; +-- +2.35.3 + diff --git a/patches.suse/scsi-qla2xxx-Remove-setting-of-req-and-rsp-parameter.patch b/patches.suse/scsi-qla2xxx-Remove-setting-of-req-and-rsp-parameter.patch new file mode 100644 index 0000000..26ad8e8 --- /dev/null +++ b/patches.suse/scsi-qla2xxx-Remove-setting-of-req-and-rsp-parameter.patch @@ -0,0 +1,43 @@ +From: Tom Rix +Date: Sat, 21 May 2022 16:16:07 -0400 +Subject: scsi: qla2xxx: Remove setting of 'req' and 'rsp' parameters +Patch-mainline: v5.19-rc1 +Git-commit: e250bd2699e0e7418cd54ea2a762acfcfad43ffd +References: bsc#1201958 + +cppcheck reports +[drivers/scsi/qla2xxx/qla_mid.c:594]: (warning) Assignment of function parameter has no effect outside the function. Did you forget dereferencing it? +[drivers/scsi/qla2xxx/qla_mid.c:620]: (warning) Assignment of function parameter has no effect outside the function. Did you forget dereferencing it? + +The functions qla25xx_free_req_que() and qla25xx_free_rsp_que() are +similar. They free a 'req' and a 'rsp' parameter respectively. The last +statement of both functions is setting the parameter to NULL. This has no +effect and can be removed. + +Link: https://lore.kernel.org/r/20220521201607.4145298-1-trix@redhat.com +Reviewed-by: Himanshu Madhani +Signed-off-by: Tom Rix +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_mid.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_mid.c ++++ b/drivers/scsi/qla2xxx/qla_mid.c +@@ -592,7 +592,6 @@ qla25xx_free_req_que(struct scsi_qla_hos + } + kfree(req->outstanding_cmds); + kfree(req); +- req = NULL; + } + + static void +@@ -618,7 +617,6 @@ qla25xx_free_rsp_que(struct scsi_qla_hos + mutex_unlock(&ha->vport_lock); + } + kfree(rsp); +- rsp = NULL; + } + + int diff --git a/patches.suse/scsi-qla2xxx-Remove-unused-ql_dm_tgt_ex_pct-paramete.patch b/patches.suse/scsi-qla2xxx-Remove-unused-ql_dm_tgt_ex_pct-paramete.patch new file mode 100644 index 0000000..8f0b867 --- /dev/null +++ b/patches.suse/scsi-qla2xxx-Remove-unused-ql_dm_tgt_ex_pct-paramete.patch @@ -0,0 +1,39 @@ +From: Gleb Chesnokov +Date: Mon, 23 May 2022 09:24:59 +0000 +Subject: scsi: qla2xxx: Remove unused 'ql_dm_tgt_ex_pct' parameter +Patch-mainline: v5.19-rc1 +Git-commit: aa2a4ded05058f134a4dee1424f829d662e00cda +References: bsc#1201958 + +The ql_dm_tgt_ex_pct parameter was introduced in commit ead038556f64 +("qla2xxx: Add Dual mode support in the driver"). Then the use of this +parameter was dropped in commit 99e1b683c4be ("scsi: qla2xxx: Add +ql2xiniexchg parameter"). + +Thus, remove ql_dm_tgt_ex_pct since it is no longer used. + +Link: https://lore.kernel.org/r/AM9PR10MB41185ADE95B92B4E6926BE639DD49@AM9PR10MB4118.EURPRD10.PROD.OUTLOOK.COM +Reviewed-by: Himanshu Madhani +Signed-off-by: Gleb Chesnokov +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_target.c | 7 ------- + 1 file changed, 7 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_target.c ++++ b/drivers/scsi/qla2xxx/qla_target.c +@@ -57,13 +57,6 @@ MODULE_PARM_DESC(qlini_mode, + "when ready " + "\"enabled\" (default) - initiator mode will always stay enabled."); + +-static int ql_dm_tgt_ex_pct = 0; +-module_param(ql_dm_tgt_ex_pct, int, S_IRUGO|S_IWUSR); +-MODULE_PARM_DESC(ql_dm_tgt_ex_pct, +- "For Dual Mode (qlini_mode=dual), this parameter determines " +- "the percentage of exchanges/cmds FW will allocate resources " +- "for Target mode."); +- + int ql2xuctrlirq = 1; + module_param(ql2xuctrlirq, int, 0644); + MODULE_PARM_DESC(ql2xuctrlirq, diff --git a/patches.suse/scsi-qla2xxx-Turn-off-multi-queue-for-8G-adapters.patch b/patches.suse/scsi-qla2xxx-Turn-off-multi-queue-for-8G-adapters.patch new file mode 100644 index 0000000..59f0e3a --- /dev/null +++ b/patches.suse/scsi-qla2xxx-Turn-off-multi-queue-for-8G-adapters.patch @@ -0,0 +1,59 @@ +From: Quinn Tran +Date: Wed, 15 Jun 2022 22:35:01 -0700 +Subject: scsi: qla2xxx: Turn off multi-queue for 8G adapters +Patch-mainline: v5.20-rc1 +Git-commit: 5304673bdb1635e27555bd636fd5d6956f1cd552 +References: bsc#1201958 + +For 8G adapters, multi-queue was enabled accidentally. Make sure +multi-queue is not enabled. + +Link: https://lore.kernel.org/r/20220616053508.27186-5-njavali@marvell.com +Cc: stable@vger.kernel.org +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_def.h | 4 ++-- + drivers/scsi/qla2xxx/qla_isr.c | 16 ++++++---------- + 2 files changed, 8 insertions(+), 12 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_def.h ++++ b/drivers/scsi/qla2xxx/qla_def.h +@@ -4274,8 +4274,8 @@ struct qla_hw_data { + #define IS_OEM_001(ha) ((ha)->device_type & DT_OEM_001) + #define HAS_EXTENDED_IDS(ha) ((ha)->device_type & DT_EXTENDED_IDS) + #define IS_CT6_SUPPORTED(ha) ((ha)->device_type & DT_CT6_SUPPORTED) +-#define IS_MQUE_CAPABLE(ha) ((ha)->mqenable || IS_QLA83XX(ha) || \ +- IS_QLA27XX(ha) || IS_QLA28XX(ha)) ++#define IS_MQUE_CAPABLE(ha) (IS_QLA83XX(ha) || IS_QLA27XX(ha) || \ ++ IS_QLA28XX(ha)) + #define IS_BIDI_CAPABLE(ha) \ + (IS_QLA25XX(ha) || IS_QLA2031(ha) || IS_QLA27XX(ha) || IS_QLA28XX(ha)) + /* Bit 21 of fw_attributes decides the MCTP capabilities */ +--- a/drivers/scsi/qla2xxx/qla_isr.c ++++ b/drivers/scsi/qla2xxx/qla_isr.c +@@ -4440,16 +4440,12 @@ qla24xx_enable_msix(struct qla_hw_data * + } + + /* Enable MSI-X vector for response queue update for queue 0 */ +- if (IS_QLA83XX(ha) || IS_QLA27XX(ha) || IS_QLA28XX(ha)) { +- if (ha->msixbase && ha->mqiobase && +- (ha->max_rsp_queues > 1 || ha->max_req_queues > 1 || +- ql2xmqsupport)) +- ha->mqenable = 1; +- } else +- if (ha->mqiobase && +- (ha->max_rsp_queues > 1 || ha->max_req_queues > 1 || +- ql2xmqsupport)) +- ha->mqenable = 1; ++ if (IS_MQUE_CAPABLE(ha) && ++ (ha->msixbase && ha->mqiobase && ha->max_qpairs)) ++ ha->mqenable = 1; ++ else ++ ha->mqenable = 0; ++ + ql_dbg(ql_dbg_multiq, vha, 0xc005, + "mqiobase=%p, max_rsp_queues=%d, max_req_queues=%d.\n", + ha->mqiobase, ha->max_rsp_queues, ha->max_req_queues); diff --git a/patches.suse/scsi-qla2xxx-Update-manufacturer-details.patch b/patches.suse/scsi-qla2xxx-Update-manufacturer-details.patch new file mode 100644 index 0000000..725a07f --- /dev/null +++ b/patches.suse/scsi-qla2xxx-Update-manufacturer-details.patch @@ -0,0 +1,43 @@ +From: Bikash Hazarika +Date: Tue, 12 Jul 2022 22:20:44 -0700 +Subject: scsi: qla2xxx: Update manufacturer details +Patch-mainline: v5.20-rc1 +Git-commit: 1ccad27716ecad1fd58c35e579bedb81fa5e1ad5 +References: bsc#1201958 + +Update manufacturer details to indicate Marvell Semiconductors. + +Link: https://lore.kernel.org/r/20220713052045.10683-10-njavali@marvell.com +Cc: stable@vger.kernel.org +Reviewed-by: Himanshu Madhani +Signed-off-by: Bikash Hazarika +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_def.h | 2 +- + drivers/scsi/qla2xxx/qla_gs.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_def.h ++++ b/drivers/scsi/qla2xxx/qla_def.h +@@ -79,7 +79,7 @@ typedef union { + #include "qla_nvme.h" + #define QLA2XXX_DRIVER_NAME "qla2xxx" + #define QLA2XXX_APIDEV "ql2xapidev" +-#define QLA2XXX_MANUFACTURER "QLogic Corporation" ++#define QLA2XXX_MANUFACTURER "Marvell Semiconductor, Inc." + + /* + * We have MAILBOX_REGISTER_COUNT sized arrays in a few places, +--- a/drivers/scsi/qla2xxx/qla_gs.c ++++ b/drivers/scsi/qla2xxx/qla_gs.c +@@ -1617,7 +1617,7 @@ qla2x00_hba_attributes(scsi_qla_host_t * + eiter->type = cpu_to_be16(FDMI_HBA_MANUFACTURER); + alen = scnprintf( + eiter->a.manufacturer, sizeof(eiter->a.manufacturer), +- "%s", "QLogic Corporation"); ++ "%s", QLA2XXX_MANUFACTURER); + alen += FDMI_ATTR_ALIGNMENT(alen); + alen += FDMI_ATTR_TYPELEN(eiter); + eiter->len = cpu_to_be16(alen); diff --git a/patches.suse/scsi-qla2xxx-Update-version-to-10.02.07.500-k.patch b/patches.suse/scsi-qla2xxx-Update-version-to-10.02.07.500-k.patch new file mode 100644 index 0000000..6a372b7 --- /dev/null +++ b/patches.suse/scsi-qla2xxx-Update-version-to-10.02.07.500-k.patch @@ -0,0 +1,29 @@ +From: Nilesh Javali +Date: Mon, 6 Jun 2022 21:46:27 -0700 +Subject: scsi: qla2xxx: Update version to 10.02.07.500-k +Patch-mainline: v5.20-rc1 +Git-commit: 4dc48a107a146cade61097958ff2366c13da1f60 +References: bsc#1201958 + +Link: https://lore.kernel.org/r/20220607044627.19563-12-njavali@marvell.com +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_version.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_version.h ++++ b/drivers/scsi/qla2xxx/qla_version.h +@@ -7,9 +7,9 @@ + /* + * Driver version + */ +-#define QLA2XXX_VERSION "10.02.07.400-k" ++#define QLA2XXX_VERSION "10.02.07.500-k" + + #define QLA_DRIVER_MAJOR_VER 10 + #define QLA_DRIVER_MINOR_VER 2 + #define QLA_DRIVER_PATCH_VER 7 +-#define QLA_DRIVER_BETA_VER 400 ++#define QLA_DRIVER_BETA_VER 500 diff --git a/patches.suse/scsi-qla2xxx-Update-version-to-10.02.07.600-k.patch b/patches.suse/scsi-qla2xxx-Update-version-to-10.02.07.600-k.patch new file mode 100644 index 0000000..98bb05a --- /dev/null +++ b/patches.suse/scsi-qla2xxx-Update-version-to-10.02.07.600-k.patch @@ -0,0 +1,30 @@ +From: Nilesh Javali +Date: Wed, 8 Jun 2022 04:58:49 -0700 +Subject: scsi: qla2xxx: Update version to 10.02.07.600-k +Patch-mainline: v5.20-rc1 +Git-commit: 0f4d7d556125019287833e8b312b3b6f0a10e58a +References: bsc#1201958 + +Link: https://lore.kernel.org/r/20220608115849.16693-11-njavali@marvell.com +Reviewed-by: Himanshu Madhani +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_version.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_version.h ++++ b/drivers/scsi/qla2xxx/qla_version.h +@@ -7,9 +7,9 @@ + /* + * Driver version + */ +-#define QLA2XXX_VERSION "10.02.07.500-k" ++#define QLA2XXX_VERSION "10.02.07.600-k" + + #define QLA_DRIVER_MAJOR_VER 10 + #define QLA_DRIVER_MINOR_VER 2 + #define QLA_DRIVER_PATCH_VER 7 +-#define QLA_DRIVER_BETA_VER 500 ++#define QLA_DRIVER_BETA_VER 600 diff --git a/patches.suse/scsi-qla2xxx-Update-version-to-10.02.07.700-k.patch b/patches.suse/scsi-qla2xxx-Update-version-to-10.02.07.700-k.patch new file mode 100644 index 0000000..819ad7d --- /dev/null +++ b/patches.suse/scsi-qla2xxx-Update-version-to-10.02.07.700-k.patch @@ -0,0 +1,29 @@ +From: Nilesh Javali +Date: Wed, 15 Jun 2022 22:35:08 -0700 +Subject: scsi: qla2xxx: Update version to 10.02.07.700-k +Patch-mainline: v5.20-rc1 +Git-commit: 4de0d18da901bd271d9e4f13415c4a6eedee0591 +References: bsc#1201958 + +Link: https://lore.kernel.org/r/20220616053508.27186-12-njavali@marvell.com +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_version.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_version.h ++++ b/drivers/scsi/qla2xxx/qla_version.h +@@ -7,9 +7,9 @@ + /* + * Driver version + */ +-#define QLA2XXX_VERSION "10.02.07.600-k" ++#define QLA2XXX_VERSION "10.02.07.700-k" + + #define QLA_DRIVER_MAJOR_VER 10 + #define QLA_DRIVER_MINOR_VER 2 + #define QLA_DRIVER_PATCH_VER 7 +-#define QLA_DRIVER_BETA_VER 600 ++#define QLA_DRIVER_BETA_VER 700 diff --git a/patches.suse/scsi-qla2xxx-Update-version-to-10.02.07.800-k.patch b/patches.suse/scsi-qla2xxx-Update-version-to-10.02.07.800-k.patch new file mode 100644 index 0000000..5b5ca15 --- /dev/null +++ b/patches.suse/scsi-qla2xxx-Update-version-to-10.02.07.800-k.patch @@ -0,0 +1,30 @@ +From: Nilesh Javali +Date: Tue, 12 Jul 2022 22:20:45 -0700 +Subject: scsi: qla2xxx: Update version to 10.02.07.800-k +Patch-mainline: v5.20-rc1 +Git-commit: 6c20cc4885c5c11065a83c82dd8ce2074fe5c774 +References: bsc#1201958 + +Link: https://lore.kernel.org/r/20220713052045.10683-11-njavali@marvell.com +Reviewed-by: Himanshu Madhani +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_version.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_version.h ++++ b/drivers/scsi/qla2xxx/qla_version.h +@@ -7,9 +7,9 @@ + /* + * Driver version + */ +-#define QLA2XXX_VERSION "10.02.07.700-k" ++#define QLA2XXX_VERSION "10.02.07.800-k" + + #define QLA_DRIVER_MAJOR_VER 10 + #define QLA_DRIVER_MINOR_VER 2 + #define QLA_DRIVER_PATCH_VER 7 +-#define QLA_DRIVER_BETA_VER 700 ++#define QLA_DRIVER_BETA_VER 800 diff --git a/patches.suse/scsi-qla2xxx-Wind-down-adapter-after-PCIe-error.patch b/patches.suse/scsi-qla2xxx-Wind-down-adapter-after-PCIe-error.patch new file mode 100644 index 0000000..28e4a8f --- /dev/null +++ b/patches.suse/scsi-qla2xxx-Wind-down-adapter-after-PCIe-error.patch @@ -0,0 +1,197 @@ +From: Quinn Tran +Date: Wed, 15 Jun 2022 22:35:00 -0700 +Subject: scsi: qla2xxx: Wind down adapter after PCIe error +Patch-mainline: v5.20-rc1 +Git-commit: d3117c83ba316b3200d9f2fe900f2b9a5525a25c +References: bsc#1201958 + +Put adapter into a wind down state if OS does not make any attempt to +recover the adapter after PCIe error. + +Link: https://lore.kernel.org/r/20220616053508.27186-4-njavali@marvell.com +Cc: stable@vger.kernel.org +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_bsg.c | 10 +++++++- + drivers/scsi/qla2xxx/qla_def.h | 4 +++ + drivers/scsi/qla2xxx/qla_init.c | 20 ++++++++++++++++ + drivers/scsi/qla2xxx/qla_os.c | 48 ++++++++++++++++++++++++++++++++++++++++ + 4 files changed, 81 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/qla2xxx/qla_bsg.c ++++ b/drivers/scsi/qla2xxx/qla_bsg.c +@@ -3062,6 +3062,13 @@ qla24xx_bsg_timeout(struct bsg_job *bsg_ + + ql_log(ql_log_info, vha, 0x708b, "%s CMD timeout. bsg ptr %p.\n", + __func__, bsg_job); ++ ++ if (qla2x00_isp_reg_stat(ha)) { ++ ql_log(ql_log_info, vha, 0x9007, ++ "PCI/Register disconnect.\n"); ++ qla_pci_set_eeh_busy(vha); ++ } ++ + /* find the bsg job from the active list of commands */ + spin_lock_irqsave(&ha->hardware_lock, flags); + for (que = 0; que < ha->max_req_queues; que++) { +@@ -3079,7 +3086,8 @@ qla24xx_bsg_timeout(struct bsg_job *bsg_ + sp->u.bsg_job == bsg_job) { + req->outstanding_cmds[cnt] = NULL; + spin_unlock_irqrestore(&ha->hardware_lock, flags); +- if (ha->isp_ops->abort_command(sp)) { ++ ++ if (!ha->flags.eeh_busy && ha->isp_ops->abort_command(sp)) { + ql_log(ql_log_warn, vha, 0x7089, + "mbx abort_command failed.\n"); + bsg_reply->result = -EIO; +--- a/drivers/scsi/qla2xxx/qla_def.h ++++ b/drivers/scsi/qla2xxx/qla_def.h +@@ -4054,6 +4054,9 @@ struct qla_hw_data { + uint32_t n2n_fw_acc_sec:1; + uint32_t plogi_template_valid:1; + uint32_t port_isolated:1; ++ uint32_t eeh_flush:2; ++#define EEH_FLUSH_RDY 1 ++#define EEH_FLUSH_DONE 2 + } flags; + + uint16_t max_exchg; +@@ -4088,6 +4091,7 @@ struct qla_hw_data { + uint32_t rsp_que_len; + uint32_t req_que_off; + uint32_t rsp_que_off; ++ unsigned long eeh_jif; + + /* Multi queue data structs */ + device_reg_t *mqiobase; +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -48,6 +48,7 @@ qla2x00_sp_timeout(unsigned long __data) + { + srb_t *sp = (srb_t *)__data; + struct srb_iocb *iocb; ++ scsi_qla_host_t *vha = sp->vha; + + WARN_ON(irqs_disabled()); + iocb = &sp->u.iocb_cmd; +@@ -55,6 +56,12 @@ qla2x00_sp_timeout(unsigned long __data) + + /* ref: TMR */ + kref_put(&sp->cmd_kref, qla2x00_sp_release); ++ ++ if (vha && qla2x00_isp_reg_stat(vha->hw)) { ++ ql_log(ql_log_info, vha, 0x9008, ++ "PCI/Register disconnect.\n"); ++ qla_pci_set_eeh_busy(vha); ++ } + } + + void qla2x00_sp_free(srb_t *sp) +@@ -9671,6 +9678,12 @@ int qla2xxx_disable_port(struct Scsi_Hos + + vha->hw->flags.port_isolated = 1; + ++ if (qla2x00_isp_reg_stat(vha->hw)) { ++ ql_log(ql_log_info, vha, 0x9006, ++ "PCI/Register disconnect, exiting.\n"); ++ qla_pci_set_eeh_busy(vha); ++ return FAILED; ++ } + if (qla2x00_chip_is_down(vha)) + return 0; + +@@ -9686,6 +9699,13 @@ int qla2xxx_enable_port(struct Scsi_Host + { + scsi_qla_host_t *vha = shost_priv(host); + ++ if (qla2x00_isp_reg_stat(vha->hw)) { ++ ql_log(ql_log_info, vha, 0x9001, ++ "PCI/Register disconnect, exiting.\n"); ++ qla_pci_set_eeh_busy(vha); ++ return FAILED; ++ } ++ + vha->hw->flags.port_isolated = 0; + /* Set the flag to 1, so that isp_abort can proceed */ + vha->flags.online = 1; +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -340,6 +340,11 @@ MODULE_PARM_DESC(ql2xabts_wait_nvme, + "To wait for ABTS response on I/O timeouts for NVMe. (default: 1)"); + + ++u32 ql2xdelay_before_pci_error_handling = 5; ++module_param(ql2xdelay_before_pci_error_handling, uint, 0644); ++MODULE_PARM_DESC(ql2xdelay_before_pci_error_handling, ++ "Number of seconds delayed before qla begin PCI error self-handling (default: 5).\n"); ++ + static void qla2x00_clear_drv_active(struct qla_hw_data *); + static void qla2x00_free_device(scsi_qla_host_t *); + static int qla2xxx_map_queues(struct Scsi_Host *shost); +@@ -7275,6 +7280,44 @@ static void qla_heart_beat(struct scsi_q + } + } + ++static void qla_wind_down_chip(scsi_qla_host_t *vha) ++{ ++ struct qla_hw_data *ha = vha->hw; ++ ++ if (!ha->flags.eeh_busy) ++ return; ++ if (ha->pci_error_state) ++ /* system is trying to recover */ ++ return; ++ ++ /* ++ * Current system is not handling PCIE error. At this point, this is ++ * best effort to wind down the adapter. ++ */ ++ if (time_after_eq(jiffies, ha->eeh_jif + ql2xdelay_before_pci_error_handling * HZ) && ++ !ha->flags.eeh_flush) { ++ ql_log(ql_log_info, vha, 0x9009, ++ "PCI Error detected, attempting to reset hardware.\n"); ++ ++ ha->isp_ops->reset_chip(vha); ++ ha->isp_ops->disable_intrs(ha); ++ ++ ha->flags.eeh_flush = EEH_FLUSH_RDY; ++ ha->eeh_jif = jiffies; ++ ++ } else if (ha->flags.eeh_flush == EEH_FLUSH_RDY && ++ time_after_eq(jiffies, ha->eeh_jif + 5 * HZ)) { ++ pci_clear_master(ha->pdev); ++ ++ /* flush all command */ ++ qla2x00_abort_isp_cleanup(vha); ++ ha->flags.eeh_flush = EEH_FLUSH_DONE; ++ ++ ql_log(ql_log_info, vha, 0x900a, ++ "PCI Error handling complete, all IOs aborted.\n"); ++ } ++} ++ + /************************************************************************** + * qla2x00_timer + * +@@ -7297,6 +7340,8 @@ qla2x00_timer(scsi_qla_host_t *vha) + fc_port_t *fcport = NULL; + + if (ha->flags.eeh_busy) { ++ qla_wind_down_chip(vha); ++ + ql_dbg(ql_dbg_timer, vha, 0x6000, + "EEH = %d, restarting timer.\n", + ha->flags.eeh_busy); +@@ -7877,6 +7922,9 @@ void qla_pci_set_eeh_busy(struct scsi_ql + + spin_lock_irqsave(&base_vha->work_lock, flags); + if (!ha->flags.eeh_busy) { ++ ha->eeh_jif = jiffies; ++ ha->flags.eeh_flush = 0; ++ + ha->flags.eeh_busy = 1; + do_cleanup = true; + } diff --git a/patches.suse/scsi-qla2xxx-Zero-undefined-mailbox-IN-registers.patch b/patches.suse/scsi-qla2xxx-Zero-undefined-mailbox-IN-registers.patch new file mode 100644 index 0000000..d426e33 --- /dev/null +++ b/patches.suse/scsi-qla2xxx-Zero-undefined-mailbox-IN-registers.patch @@ -0,0 +1,34 @@ +From: Bikash Hazarika +Date: Tue, 12 Jul 2022 22:20:38 -0700 +Subject: scsi: qla2xxx: Zero undefined mailbox IN registers +Patch-mainline: v5.20-rc1 +Git-commit: 6c96a3c7d49593ef15805f5e497601c87695abc9 +References: bsc#1201651 + +While requesting a new mailbox command, driver does not write any data to +unused registers. Initialize the unused register value to zero while +requesting a new mailbox command to prevent stale entry access by firmware. + +Link: https://lore.kernel.org/r/20220713052045.10683-4-njavali@marvell.com +Cc: stable@vger.kernel.org +Reviewed-by: Himanshu Madhani +Signed-off-by: Bikash Hazarika +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_mbx.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/scsi/qla2xxx/qla_mbx.c ++++ b/drivers/scsi/qla2xxx/qla_mbx.c +@@ -239,6 +239,8 @@ qla2x00_mailbox_command(scsi_qla_host_t + ql_dbg(ql_dbg_mbx, vha, 0x1112, + "mbox[%d]<-0x%04x\n", cnt, *iptr); + wrt_reg_word(optr, *iptr); ++ } else { ++ wrt_reg_word(optr, 0); + } + + mboxes >>= 1; diff --git a/patches.suse/scsi-qla2xxx-edif-Add-bsg-interface-to-read-doorbell.patch b/patches.suse/scsi-qla2xxx-edif-Add-bsg-interface-to-read-doorbell.patch new file mode 100644 index 0000000..11f72e9 --- /dev/null +++ b/patches.suse/scsi-qla2xxx-edif-Add-bsg-interface-to-read-doorbell.patch @@ -0,0 +1,433 @@ +From: Quinn Tran +Date: Mon, 6 Jun 2022 21:46:20 -0700 +Subject: scsi: qla2xxx: edif: Add bsg interface to read doorbell events +Patch-mainline: v5.20-rc1 +Git-commit: 5ecd241bd7b1088a189581c0b560a13fe93621f6 +References: bsc#1201958 + +Add bsg interface for app to read doorbell events. This interface lets +driver know how much app can read based on return buffer size. When the +next event(s) occur, driver will return the bsg_job with the event(s) in +the return buffer. + +If there is no event to read, driver will hold on to the bsg_job up to few +seconds as a way to control the polling interval. + +Link: https://lore.kernel.org/r/20220607044627.19563-5-njavali@marvell.com +Fixes: dd30706e73b7 ("scsi: qla2xxx: edif: Add key update") +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_dbg.h | 2 + drivers/scsi/qla2xxx/qla_edif.c | 249 +++++++++++++++++++++++++----------- + drivers/scsi/qla2xxx/qla_edif.h | 3 + drivers/scsi/qla2xxx/qla_edif_bsg.h | 14 ++ + 4 files changed, 195 insertions(+), 73 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_dbg.h ++++ b/drivers/scsi/qla2xxx/qla_dbg.h +@@ -384,5 +384,5 @@ ql_mask_match(uint level) + if (ql2xextended_error_logging == 1) + ql2xextended_error_logging = QL_DBG_DEFAULT1_MASK; + +- return (level & ql2xextended_error_logging) == level; ++ return level && ((level & ql2xextended_error_logging) == level); + } +--- a/drivers/scsi/qla2xxx/qla_edif.c ++++ b/drivers/scsi/qla2xxx/qla_edif.c +@@ -52,6 +52,31 @@ const char *sc_to_str(uint16_t cmd) + return "unknown"; + } + ++static struct edb_node *qla_edb_getnext(scsi_qla_host_t *vha) ++{ ++ unsigned long flags; ++ struct edb_node *edbnode = NULL; ++ ++ spin_lock_irqsave(&vha->e_dbell.db_lock, flags); ++ ++ /* db nodes are fifo - no qualifications done */ ++ if (!list_empty(&vha->e_dbell.head)) { ++ edbnode = list_first_entry(&vha->e_dbell.head, ++ struct edb_node, list); ++ list_del_init(&edbnode->list); ++ } ++ ++ spin_unlock_irqrestore(&vha->e_dbell.db_lock, flags); ++ ++ return edbnode; ++} ++ ++static void qla_edb_node_free(scsi_qla_host_t *vha, struct edb_node *node) ++{ ++ list_del_init(&node->list); ++ kfree(node); ++} ++ + static struct edif_list_entry *qla_edif_list_find_sa_index(fc_port_t *fcport, + uint16_t handle) + { +@@ -1071,6 +1096,130 @@ qla_edif_ack(scsi_qla_host_t *vha, struc + return 0; + } + ++static int qla_edif_consume_dbell(scsi_qla_host_t *vha, struct bsg_job *bsg_job) ++{ ++ struct fc_bsg_reply *bsg_reply = bsg_job->reply; ++ u32 sg_skip, reply_payload_len; ++ bool keep; ++ struct edb_node *dbnode = NULL; ++ struct edif_app_dbell ap; ++ int dat_size = 0; ++ ++ sg_skip = 0; ++ reply_payload_len = bsg_job->reply_payload.payload_len; ++ ++ while ((reply_payload_len - sg_skip) >= sizeof(struct edb_node)) { ++ dbnode = qla_edb_getnext(vha); ++ if (dbnode) { ++ keep = true; ++ dat_size = 0; ++ ap.event_code = dbnode->ntype; ++ switch (dbnode->ntype) { ++ case VND_CMD_AUTH_STATE_SESSION_SHUTDOWN: ++ case VND_CMD_AUTH_STATE_NEEDED: ++ ap.port_id = dbnode->u.plogi_did; ++ dat_size += sizeof(ap.port_id); ++ break; ++ case VND_CMD_AUTH_STATE_ELS_RCVD: ++ ap.port_id = dbnode->u.els_sid; ++ dat_size += sizeof(ap.port_id); ++ break; ++ case VND_CMD_AUTH_STATE_SAUPDATE_COMPL: ++ ap.port_id = dbnode->u.sa_aen.port_id; ++ memcpy(&ap.event_data, &dbnode->u, ++ sizeof(struct edif_sa_update_aen)); ++ dat_size += sizeof(struct edif_sa_update_aen); ++ break; ++ default: ++ keep = false; ++ ql_log(ql_log_warn, vha, 0x09102, ++ "%s unknown DB type=%d %p\n", ++ __func__, dbnode->ntype, dbnode); ++ break; ++ } ++ ap.event_data_size = dat_size; ++ /* 8 = sizeof(ap.event_code + ap.event_data_size) */ ++ dat_size += 8; ++ if (keep) ++ sg_skip += sg_copy_buffer(bsg_job->reply_payload.sg_list, ++ bsg_job->reply_payload.sg_cnt, ++ &ap, dat_size, sg_skip, false); ++ ++ ql_dbg(ql_dbg_edif, vha, 0x09102, ++ "%s Doorbell consumed : type=%d %p\n", ++ __func__, dbnode->ntype, dbnode); ++ ++ kfree(dbnode); ++ } else { ++ break; ++ } ++ } ++ ++ SET_DID_STATUS(bsg_reply->result, DID_OK); ++ bsg_reply->reply_payload_rcv_len = sg_skip; ++ bsg_job->reply_len = sizeof(struct fc_bsg_reply); ++ ++ return 0; ++} ++ ++static void __qla_edif_dbell_bsg_done(scsi_qla_host_t *vha, struct bsg_job *bsg_job, ++ u32 delay) ++{ ++ struct fc_bsg_reply *bsg_reply = bsg_job->reply; ++ ++ /* small sleep for doorbell events to accumulate */ ++ if (delay) ++ msleep(delay); ++ ++ qla_edif_consume_dbell(vha, bsg_job); ++ ++ bsg_job_done(bsg_job, bsg_reply->result, bsg_reply->reply_payload_rcv_len); ++} ++ ++static void qla_edif_dbell_bsg_done(scsi_qla_host_t *vha) ++{ ++ unsigned long flags; ++ struct bsg_job *prev_bsg_job = NULL; ++ ++ spin_lock_irqsave(&vha->e_dbell.db_lock, flags); ++ if (vha->e_dbell.dbell_bsg_job) { ++ prev_bsg_job = vha->e_dbell.dbell_bsg_job; ++ vha->e_dbell.dbell_bsg_job = NULL; ++ } ++ spin_unlock_irqrestore(&vha->e_dbell.db_lock, flags); ++ ++ if (prev_bsg_job) ++ __qla_edif_dbell_bsg_done(vha, prev_bsg_job, 0); ++} ++ ++static int ++qla_edif_dbell_bsg(scsi_qla_host_t *vha, struct bsg_job *bsg_job) ++{ ++ unsigned long flags; ++ bool return_bsg = false; ++ ++ /* flush previous dbell bsg */ ++ qla_edif_dbell_bsg_done(vha); ++ ++ spin_lock_irqsave(&vha->e_dbell.db_lock, flags); ++ if (list_empty(&vha->e_dbell.head) && DBELL_ACTIVE(vha)) { ++ /* ++ * when the next db event happens, bsg_job will return. ++ * Otherwise, timer will return it. ++ */ ++ vha->e_dbell.dbell_bsg_job = bsg_job; ++ vha->e_dbell.bsg_expire = jiffies + 10 * HZ; ++ } else { ++ return_bsg = true; ++ } ++ spin_unlock_irqrestore(&vha->e_dbell.db_lock, flags); ++ ++ if (return_bsg) ++ __qla_edif_dbell_bsg_done(vha, bsg_job, 1); ++ ++ return 0; ++} ++ + int32_t + qla_edif_app_mgmt(struct bsg_job *bsg_job) + { +@@ -1082,8 +1231,13 @@ qla_edif_app_mgmt(struct bsg_job *bsg_jo + bool done = true; + int32_t rval = 0; + uint32_t vnd_sc = bsg_request->rqst_data.h_vendor.vendor_cmd[1]; ++ u32 level = ql_dbg_edif; + +- ql_dbg(ql_dbg_edif, vha, 0x911d, "%s vnd subcmd=%x\n", ++ /* doorbell is high traffic */ ++ if (vnd_sc == QL_VND_SC_READ_DBELL) ++ level = 0; ++ ++ ql_dbg(level, vha, 0x911d, "%s vnd subcmd=%x\n", + __func__, vnd_sc); + + sg_copy_to_buffer(bsg_job->request_payload.sg_list, +@@ -1092,7 +1246,7 @@ qla_edif_app_mgmt(struct bsg_job *bsg_jo + + if (!vha->hw->flags.edif_enabled || + test_bit(VPORT_DELETE, &vha->dpc_flags)) { +- ql_dbg(ql_dbg_edif, vha, 0x911d, ++ ql_dbg(level, vha, 0x911d, + "%s edif not enabled or vp delete. bsg ptr done %p. dpc_flags %lx\n", + __func__, bsg_job, vha->dpc_flags); + +@@ -1101,7 +1255,7 @@ qla_edif_app_mgmt(struct bsg_job *bsg_jo + } + + if (!qla_edif_app_check(vha, appcheck)) { +- ql_dbg(ql_dbg_edif, vha, 0x911d, ++ ql_dbg(level, vha, 0x911d, + "%s app checked failed.\n", + __func__); + +@@ -1136,6 +1290,10 @@ qla_edif_app_mgmt(struct bsg_job *bsg_jo + case QL_VND_SC_AEN_COMPLETE: + rval = qla_edif_ack(vha, bsg_job); + break; ++ case QL_VND_SC_READ_DBELL: ++ rval = qla_edif_dbell_bsg(vha, bsg_job); ++ done = false; ++ break; + default: + ql_dbg(ql_dbg_edif, vha, 0x911d, "%s unknown cmd=%x\n", + __func__, +@@ -1147,7 +1305,7 @@ qla_edif_app_mgmt(struct bsg_job *bsg_jo + + done: + if (done) { +- ql_dbg(ql_dbg_user, vha, 0x7009, ++ ql_dbg(level, vha, 0x7009, + "%s: %d bsg ptr done %p\n", __func__, __LINE__, bsg_job); + bsg_job_done(bsg_job, bsg_reply->result, + bsg_reply->reply_payload_rcv_len); +@@ -1859,30 +2017,6 @@ qla_edb_init(scsi_qla_host_t *vha) + /* initialize lock which protects doorbell & init list */ + spin_lock_init(&vha->e_dbell.db_lock); + INIT_LIST_HEAD(&vha->e_dbell.head); +- +- /* create and initialize doorbell */ +- init_completion(&vha->e_dbell.dbell); +-} +- +-static void +-qla_edb_node_free(scsi_qla_host_t *vha, struct edb_node *node) +-{ +- /* +- * releases the space held by this edb node entry +- * this function does _not_ free the edb node itself +- * NB: the edb node entry passed should not be on any list +- * +- * currently for doorbell there's no additional cleanup +- * needed, but here as a placeholder for furture use. +- */ +- +- if (!node) { +- ql_dbg(ql_dbg_edif, vha, 0x09122, +- "%s error - no valid node passed\n", __func__); +- return; +- } +- +- node->ntype = N_UNDEF; + } + + static void qla_edb_clear(scsi_qla_host_t *vha, port_id_t portid) +@@ -1929,11 +2063,8 @@ static void qla_edb_clear(scsi_qla_host_ + } + spin_unlock_irqrestore(&vha->e_dbell.db_lock, flags); + +- list_for_each_entry_safe(e, tmp, &edb_list, list) { ++ list_for_each_entry_safe(e, tmp, &edb_list, list) + qla_edb_node_free(vha, e); +- list_del_init(&e->list); +- kfree(e); +- } + } + + /* function called when app is stopping */ +@@ -1961,14 +2092,10 @@ qla_edb_stop(scsi_qla_host_t *vha) + "%s freeing edb_node type=%x\n", + __func__, node->ntype); + qla_edb_node_free(vha, node); +- list_del(&node->list); +- +- kfree(node); + } + spin_unlock_irqrestore(&vha->e_dbell.db_lock, flags); + +- /* wake up doorbell waiters - they'll be dismissed with error code */ +- complete_all(&vha->e_dbell.dbell); ++ qla_edif_dbell_bsg_done(vha); + } + + static struct edb_node * +@@ -2006,9 +2133,6 @@ qla_edb_node_add(scsi_qla_host_t *vha, s + list_add_tail(&ptr->list, &vha->e_dbell.head); + spin_unlock_irqrestore(&vha->e_dbell.db_lock, flags); + +- /* ring doorbell for waiters */ +- complete(&vha->e_dbell.dbell); +- + return true; + } + +@@ -2077,43 +2201,24 @@ qla_edb_eventcreate(scsi_qla_host_t *vha + default: + ql_dbg(ql_dbg_edif, vha, 0x09102, + "%s unknown type: %x\n", __func__, dbtype); +- qla_edb_node_free(vha, edbnode); + kfree(edbnode); + edbnode = NULL; + break; + } + +- if (edbnode && (!qla_edb_node_add(vha, edbnode))) { ++ if (edbnode) { ++ if (!qla_edb_node_add(vha, edbnode)) { ++ ql_dbg(ql_dbg_edif, vha, 0x09102, ++ "%s unable to add dbnode\n", __func__); ++ kfree(edbnode); ++ return; ++ } + ql_dbg(ql_dbg_edif, vha, 0x09102, +- "%s unable to add dbnode\n", __func__); +- qla_edb_node_free(vha, edbnode); +- kfree(edbnode); +- return; +- } +- if (edbnode && fcport) +- fcport->edif.auth_state = dbtype; +- ql_dbg(ql_dbg_edif, vha, 0x09102, +- "%s Doorbell produced : type=%d %p\n", __func__, dbtype, edbnode); +-} +- +-static struct edb_node * +-qla_edb_getnext(scsi_qla_host_t *vha) +-{ +- unsigned long flags; +- struct edb_node *edbnode = NULL; +- +- spin_lock_irqsave(&vha->e_dbell.db_lock, flags); +- +- /* db nodes are fifo - no qualifications done */ +- if (!list_empty(&vha->e_dbell.head)) { +- edbnode = list_first_entry(&vha->e_dbell.head, +- struct edb_node, list); +- list_del(&edbnode->list); ++ "%s Doorbell produced : type=%d %p\n", __func__, dbtype, edbnode); ++ qla_edif_dbell_bsg_done(vha); ++ if (fcport) ++ fcport->edif.auth_state = dbtype; + } +- +- spin_unlock_irqrestore(&vha->e_dbell.db_lock, flags); +- +- return edbnode; + } + + void +@@ -2141,6 +2246,9 @@ qla_edif_timer(scsi_qla_host_t *vha) + ha->edif_post_stop_cnt_down = 60; + } + } ++ ++ if (vha->e_dbell.dbell_bsg_job && time_after_eq(jiffies, vha->e_dbell.bsg_expire)) ++ qla_edif_dbell_bsg_done(vha); + } + + /* +@@ -2208,7 +2316,6 @@ edif_doorbell_show(struct device *dev, s + "%s Doorbell consumed : type=%d %p\n", + __func__, dbnode->ntype, dbnode); + /* we're done with the db node, so free it up */ +- qla_edb_node_free(vha, dbnode); + kfree(dbnode); + } else { + break; +--- a/drivers/scsi/qla2xxx/qla_edif.h ++++ b/drivers/scsi/qla2xxx/qla_edif.h +@@ -51,7 +51,8 @@ struct edif_dbell { + enum db_flags_t db_flags; + spinlock_t db_lock; + struct list_head head; +- struct completion dbell; ++ struct bsg_job *dbell_bsg_job; ++ unsigned long bsg_expire; + }; + + #define SA_UPDATE_IOCB_TYPE 0x71 /* Security Association Update IOCB entry */ +--- a/drivers/scsi/qla2xxx/qla_edif_bsg.h ++++ b/drivers/scsi/qla2xxx/qla_edif_bsg.h +@@ -183,6 +183,20 @@ struct qla_sa_update_frame { + #define QL_VND_SC_GET_FCINFO 7 + #define QL_VND_SC_GET_STATS 8 + #define QL_VND_SC_AEN_COMPLETE 9 ++#define QL_VND_SC_READ_DBELL 10 ++ ++/* ++ * bsg caller to provide empty buffer for doorbell events. ++ * ++ * sg_io_v4.din_xferp = empty buffer for door bell events ++ * sg_io_v4.dout_xferp = struct edif_read_dbell *buf ++ */ ++struct edif_read_dbell { ++ struct app_id app_info; ++ uint8_t version; ++ uint8_t pad[VND_CMD_PAD_SIZE]; ++ uint8_t reserved[VND_CMD_APP_RESERVED_SIZE]; ++}; + + + /* Application interface data structure for rtn data */ diff --git a/patches.suse/scsi-qla2xxx-edif-Add-retry-for-ELS-passthrough.patch b/patches.suse/scsi-qla2xxx-edif-Add-retry-for-ELS-passthrough.patch new file mode 100644 index 0000000..289d575 --- /dev/null +++ b/patches.suse/scsi-qla2xxx-edif-Add-retry-for-ELS-passthrough.patch @@ -0,0 +1,133 @@ +From: Quinn Tran +Date: Mon, 6 Jun 2022 21:46:23 -0700 +Subject: scsi: qla2xxx: edif: Add retry for ELS passthrough +Patch-mainline: v5.20-rc1 +Git-commit: 0b3f3143d473b489a7aa0779c43bcdb344bd3014 +References: bsc#1201958 + +Relating to EDIF, when sending IKE message, updating key or deleting key, +driver can encounter IOCB queue full. Add additional retries to reduce +higher level recovery. + +Link: https://lore.kernel.org/r/20220607044627.19563-8-njavali@marvell.com +Fixes: dd30706e73b7 ("scsi: qla2xxx: edif: Add key update") +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_edif.c | 52 ++++++++++++++++++++++++++++------------ + drivers/scsi/qla2xxx/qla_os.c | 2 - + 2 files changed, 38 insertions(+), 16 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_edif.c ++++ b/drivers/scsi/qla2xxx/qla_edif.c +@@ -1467,6 +1467,8 @@ qla24xx_check_sadb_avail_slot(struct bsg + + #define QLA_SA_UPDATE_FLAGS_RX_KEY 0x0 + #define QLA_SA_UPDATE_FLAGS_TX_KEY 0x2 ++#define EDIF_MSLEEP_INTERVAL 100 ++#define EDIF_RETRY_COUNT 50 + + int + qla24xx_sadb_update(struct bsg_job *bsg_job) +@@ -1479,7 +1481,7 @@ qla24xx_sadb_update(struct bsg_job *bsg_ + struct edif_list_entry *edif_entry = NULL; + int found = 0; + int rval = 0; +- int result = 0; ++ int result = 0, cnt; + struct qla_sa_update_frame sa_frame; + struct srb_iocb *iocb_cmd; + port_id_t portid; +@@ -1720,11 +1722,23 @@ qla24xx_sadb_update(struct bsg_job *bsg_ + sp->done = qla2x00_bsg_job_done; + iocb_cmd = &sp->u.iocb_cmd; + iocb_cmd->u.sa_update.sa_frame = sa_frame; +- ++ cnt = 0; ++retry: + rval = qla2x00_start_sp(sp); +- if (rval != QLA_SUCCESS) { ++ switch (rval) { ++ case QLA_SUCCESS: ++ break; ++ case EAGAIN: ++ msleep(EDIF_MSLEEP_INTERVAL); ++ cnt++; ++ if (cnt < EDIF_RETRY_COUNT) ++ goto retry; ++ ++ /* fallthrough */ ++ default: + ql_log(ql_dbg_edif, vha, 0x70e3, +- "qla2x00_start_sp failed=%d.\n", rval); ++ "%s qla2x00_start_sp failed=%d.\n", ++ __func__, rval); + + qla2x00_rel_sp(sp); + rval = -EIO; +@@ -2398,7 +2412,6 @@ qla24xx_issue_sa_replace_iocb(scsi_qla_h + rval = qla2x00_start_sp(sp); + + if (rval != QLA_SUCCESS) { +- rval = QLA_FUNCTION_FAILED; + goto done_free_sp; + } + +@@ -3530,7 +3543,7 @@ int qla_edif_process_els(scsi_qla_host_t + fc_port_t *fcport = NULL; + struct qla_hw_data *ha = vha->hw; + srb_t *sp; +- int rval = (DID_ERROR << 16); ++ int rval = (DID_ERROR << 16), cnt; + port_id_t d_id; + struct qla_bsg_auth_els_request *p = + (struct qla_bsg_auth_els_request *)bsg_job->request; +@@ -3625,17 +3638,26 @@ int qla_edif_process_els(scsi_qla_host_t + sp->free = qla2x00_bsg_sp_free; + sp->done = qla2x00_bsg_job_done; + ++ cnt = 0; ++retry: + rval = qla2x00_start_sp(sp); +- +- ql_dbg(ql_dbg_edif, vha, 0x700a, +- "%s %s %8phN xchg %x ctlflag %x hdl %x reqlen %xh bsg ptr %p\n", +- __func__, sc_to_str(p->e.sub_cmd), fcport->port_name, +- p->e.extra_rx_xchg_address, p->e.extra_control_flags, +- sp->handle, sp->remap.req.len, bsg_job); +- +- if (rval != QLA_SUCCESS) { ++ switch (rval) { ++ case QLA_SUCCESS: ++ ql_dbg(ql_dbg_edif, vha, 0x700a, ++ "%s %s %8phN xchg %x ctlflag %x hdl %x reqlen %xh bsg ptr %p\n", ++ __func__, sc_to_str(p->e.sub_cmd), fcport->port_name, ++ p->e.extra_rx_xchg_address, p->e.extra_control_flags, ++ sp->handle, sp->remap.req.len, bsg_job); ++ break; ++ case EAGAIN: ++ msleep(EDIF_MSLEEP_INTERVAL); ++ cnt++; ++ if (cnt < EDIF_RETRY_COUNT) ++ goto retry; ++ /* fallthrough */ ++ default: + ql_log(ql_log_warn, vha, 0x700e, +- "qla2x00_start_sp failed = %d\n", rval); ++ "%s qla2x00_start_sp failed = %d\n", __func__, rval); + SET_DID_STATUS(bsg_reply->result, DID_IMM_RETRY); + rval = -EIO; + goto done_free_remap_rsp; +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -5509,7 +5509,7 @@ qla2x00_do_work(struct scsi_qla_host *vh + e->u.fcport.fcport, false); + break; + case QLA_EVT_SA_REPLACE: +- qla24xx_issue_sa_replace_iocb(vha, e); ++ rc = qla24xx_issue_sa_replace_iocb(vha, e); + break; + } + diff --git a/patches.suse/scsi-qla2xxx-edif-Fix-I-O-timeout-due-to-over-subscr.patch b/patches.suse/scsi-qla2xxx-edif-Fix-I-O-timeout-due-to-over-subscr.patch new file mode 100644 index 0000000..e47ab89 --- /dev/null +++ b/patches.suse/scsi-qla2xxx-edif-Fix-I-O-timeout-due-to-over-subscr.patch @@ -0,0 +1,44 @@ +From: Quinn Tran +Date: Wed, 8 Jun 2022 04:58:40 -0700 +Subject: scsi: qla2xxx: edif: Fix I/O timeout due to over-subscription +Patch-mainline: v5.20-rc1 +Git-commit: 63ab6cb582fad3757a03f466db671729b97f2df8 +References: bsc#1201958 + +The current edif code does not keep track of FW IOCB resources. This led +to IOCB queue full on error recovery (I/O timeout). Make use of the +existing code that tracks IOCB resources to prevent over-subscription. + +Link: https://lore.kernel.org/r/20220608115849.16693-2-njavali@marvell.com +Reviewed-by: Himanshu Madhani +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_edif.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/scsi/qla2xxx/qla_edif.c ++++ b/drivers/scsi/qla2xxx/qla_edif.c +@@ -2951,6 +2951,12 @@ qla28xx_start_scsi_edif(srb_t *sp) + + tot_dsds = nseg; + req_cnt = qla24xx_calc_iocbs(vha, tot_dsds); ++ ++ sp->iores.res_type = RESOURCE_INI; ++ sp->iores.iocb_cnt = req_cnt; ++ if (qla_get_iocbs(sp->qpair, &sp->iores)) ++ goto queuing_error; ++ + if (req->cnt < (req_cnt + 2)) { + cnt = IS_SHADOW_REG_CAPABLE(ha) ? *req->out_ptr : + rd_reg_dword(req->req_q_out); +@@ -3142,6 +3148,7 @@ qla28xx_start_scsi_edif(srb_t *sp) + mempool_free(sp->u.scmd.ct6_ctx, ha->ctx_mempool); + sp->u.scmd.ct6_ctx = NULL; + } ++ qla_put_iocbs(sp->qpair, &sp->iores); + spin_unlock_irqrestore(lock, flags); + + return QLA_FUNCTION_FAILED; diff --git a/patches.suse/scsi-qla2xxx-edif-Fix-dropped-IKE-message.patch b/patches.suse/scsi-qla2xxx-edif-Fix-dropped-IKE-message.patch new file mode 100644 index 0000000..7950fb5 --- /dev/null +++ b/patches.suse/scsi-qla2xxx-edif-Fix-dropped-IKE-message.patch @@ -0,0 +1,119 @@ +From: Quinn Tran +Date: Tue, 12 Jul 2022 22:20:40 -0700 +Subject: scsi: qla2xxx: edif: Fix dropped IKE message +Patch-mainline: v5.20-rc1 +Git-commit: c019cd656e717349ff22d0c41d6fbfc773f48c52 +References: bsc#1201651 + +This patch fixes IKE message being dropped due to error in processing Purex +IOCB and Continuation IOCBs. + +Link: https://lore.kernel.org/r/20220713052045.10683-6-njavali@marvell.com +Fixes: fac2807946c1 ("scsi: qla2xxx: edif: Add extraction of auth_els from the wire") +Cc: stable@vger.kernel.org +Reviewed-by: Himanshu Madhani +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_isr.c | 54 ++++++++++++++++++----------------------- + 1 file changed, 24 insertions(+), 30 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_isr.c ++++ b/drivers/scsi/qla2xxx/qla_isr.c +@@ -3720,12 +3720,11 @@ void qla24xx_nvme_ls4_iocb(struct scsi_q + * Return: 0 all iocbs has arrived, xx- all iocbs have not arrived. + */ + static int qla_chk_cont_iocb_avail(struct scsi_qla_host *vha, +- struct rsp_que *rsp, response_t *pkt) ++ struct rsp_que *rsp, response_t *pkt, u32 rsp_q_in) + { +- int start_pkt_ring_index, end_pkt_ring_index, n_ring_index; +- response_t *end_pkt; ++ int start_pkt_ring_index; ++ u32 iocb_cnt = 0; + int rc = 0; +- u32 rsp_q_in; + + if (pkt->entry_count == 1) + return rc; +@@ -3736,34 +3735,18 @@ static int qla_chk_cont_iocb_avail(struc + else + start_pkt_ring_index = rsp->ring_index - 1; + +- if ((start_pkt_ring_index + pkt->entry_count) >= rsp->length) +- end_pkt_ring_index = start_pkt_ring_index + pkt->entry_count - +- rsp->length - 1; ++ if (rsp_q_in < start_pkt_ring_index) ++ /* q in ptr is wrapped */ ++ iocb_cnt = rsp->length - start_pkt_ring_index + rsp_q_in; + else +- end_pkt_ring_index = start_pkt_ring_index + pkt->entry_count - 1; ++ iocb_cnt = rsp_q_in - start_pkt_ring_index; + +- end_pkt = rsp->ring + end_pkt_ring_index; +- +- /* next pkt = end_pkt + 1 */ +- n_ring_index = end_pkt_ring_index + 1; +- if (n_ring_index >= rsp->length) +- n_ring_index = 0; +- +- rsp_q_in = rsp->qpair->use_shadow_reg ? *rsp->in_ptr : +- rd_reg_dword(rsp->rsp_q_in); +- +- /* rsp_q_in is either wrapped or pointing beyond endpkt */ +- if ((rsp_q_in < start_pkt_ring_index && rsp_q_in < n_ring_index) || +- rsp_q_in >= n_ring_index) +- /* all IOCBs arrived. */ +- rc = 0; +- else ++ if (iocb_cnt < pkt->entry_count) + rc = -EIO; + +- ql_dbg(ql_dbg_init + ql_dbg_verbose, vha, 0x5091, +- "%s - ring %p pkt %p end pkt %p entry count %#x rsp_q_in %d rc %d\n", +- __func__, rsp->ring, pkt, end_pkt, pkt->entry_count, +- rsp_q_in, rc); ++ ql_dbg(ql_dbg_init, vha, 0x5091, ++ "%s - ring %p pkt %p entry count %d iocb_cnt %d rsp_q_in %d rc %d\n", ++ __func__, rsp->ring, pkt, pkt->entry_count, iocb_cnt, rsp_q_in, rc); + + return rc; + } +@@ -3780,7 +3763,7 @@ void qla24xx_process_response_queue(stru + struct qla_hw_data *ha = vha->hw; + struct purex_entry_24xx *purex_entry; + struct purex_item *pure_item; +- u16 rsp_in = 0; ++ u16 rsp_in = 0, cur_ring_index; + int follow_inptr, is_shadow_hba; + + if (!ha->flags.fw_started) +@@ -3811,6 +3794,7 @@ void qla24xx_process_response_queue(stru + (!follow_inptr && + rsp->ring_ptr->signature != RESPONSE_PROCESSED)) { + pkt = (struct sts_entry_24xx *)rsp->ring_ptr; ++ cur_ring_index = rsp->ring_index; + + rsp->ring_index++; + if (rsp->ring_index == rsp->length) { +@@ -3931,7 +3915,17 @@ void qla24xx_process_response_queue(stru + break; + + case ELS_AUTH_ELS: +- if (qla_chk_cont_iocb_avail(vha, rsp, (response_t *)pkt)) { ++ if (qla_chk_cont_iocb_avail(vha, rsp, (response_t *)pkt, rsp_in)) { ++ /* ++ * ring_ptr and ring_index were ++ * pre-incremented above. Reset them ++ * back to current. Wait for next ++ * interrupt with all IOCBs to arrive ++ * and re-process. ++ */ ++ rsp->ring_ptr = (response_t *)pkt; ++ rsp->ring_index = cur_ring_index; ++ + ql_dbg(ql_dbg_init, vha, 0x5091, + "Defer processing ELS opcode %#x...\n", + purex_entry->els_frame_payload[3]); diff --git a/patches.suse/scsi-qla2xxx-edif-Fix-n2n-discovery-issue-with-secur.patch b/patches.suse/scsi-qla2xxx-edif-Fix-n2n-discovery-issue-with-secur.patch new file mode 100644 index 0000000..1f8e923 --- /dev/null +++ b/patches.suse/scsi-qla2xxx-edif-Fix-n2n-discovery-issue-with-secur.patch @@ -0,0 +1,34 @@ +From: Quinn Tran +Date: Mon, 6 Jun 2022 21:46:25 -0700 +Subject: scsi: qla2xxx: edif: Fix n2n discovery issue with secure target +Patch-mainline: v5.20-rc1 +Git-commit: 789d54a4178634850e441f60c0326124138e7269 +References: bsc#1201958 + +User failed to see disk via n2n topology. Driver used up all login retries +before authentication application started. When authentication application +started, driver did not have enough login retries to connect securely. On +app_start, driver will reset the login retry attempt count. + +Link: https://lore.kernel.org/r/20220607044627.19563-10-njavali@marvell.com +Fixes: 4de067e5df12 ("scsi: qla2xxx: edif: Add N2N support for EDIF") +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_edif.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/scsi/qla2xxx/qla_edif.c ++++ b/drivers/scsi/qla2xxx/qla_edif.c +@@ -515,6 +515,9 @@ qla_edif_app_start(scsi_qla_host_t *vha, + } + + if (N2N_TOPO(vha->hw)) { ++ list_for_each_entry_safe(fcport, tf, &vha->vp_fcports, list) ++ fcport->n2n_link_reset_cnt = 0; ++ + if (vha->hw->flags.n2n_fw_acc_sec) + set_bit(N2N_LINK_RESET, &vha->dpc_flags); + else diff --git a/patches.suse/scsi-qla2xxx-edif-Fix-n2n-login-retry-for-secure-dev.patch b/patches.suse/scsi-qla2xxx-edif-Fix-n2n-login-retry-for-secure-dev.patch new file mode 100644 index 0000000..f1f7de7 --- /dev/null +++ b/patches.suse/scsi-qla2xxx-edif-Fix-n2n-login-retry-for-secure-dev.patch @@ -0,0 +1,39 @@ +From: Quinn Tran +Date: Mon, 6 Jun 2022 21:46:26 -0700 +Subject: scsi: qla2xxx: edif: Fix n2n login retry for secure device +Patch-mainline: v5.20-rc1 +Git-commit: aec55325ddec975216119da000092cb8664a3399 +References: bsc#1201958 + +After initiator has burned up all login retries, target authentication +application begins to run. This triggers a link bounce on target side. +Initiator will attempt another login. Due to N2N, the PRLI [nvme | fcp] can +fail because of the mode mismatch with target. This patch add a few more +login retries to revive the connection. + +Link: https://lore.kernel.org/r/20220607044627.19563-11-njavali@marvell.com +Fixes: 4de067e5df12 ("scsi: qla2xxx: edif: Add N2N support for EDIF") +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_init.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -2126,6 +2126,13 @@ qla24xx_handle_prli_done_event(struct sc + } + + if (N2N_TOPO(vha->hw)) { ++ if (ea->fcport->n2n_link_reset_cnt == ++ vha->hw->login_retry_count && ++ ea->fcport->flags & FCF_FCSP_DEVICE) { ++ /* remote authentication app just started */ ++ ea->fcport->n2n_link_reset_cnt = 0; ++ } ++ + if (ea->fcport->n2n_link_reset_cnt < + vha->hw->login_retry_count) { + ea->fcport->n2n_link_reset_cnt++; diff --git a/patches.suse/scsi-qla2xxx-edif-Fix-no-login-after-app-start.patch b/patches.suse/scsi-qla2xxx-edif-Fix-no-login-after-app-start.patch new file mode 100644 index 0000000..5e4ea17 --- /dev/null +++ b/patches.suse/scsi-qla2xxx-edif-Fix-no-login-after-app-start.patch @@ -0,0 +1,39 @@ +From: Quinn Tran +Date: Wed, 8 Jun 2022 04:58:43 -0700 +Subject: scsi: qla2xxx: edif: Fix no login after app start +Patch-mainline: v5.20-rc1 +Git-commit: 24c796098f5395477f7f7ebf8e24f3f08a139f71 +References: bsc#1201958 + +The scenario is this: User loaded driver but has not started authentication +app. All sessions to secure device will exhaust all login attempts, fail, +and in stay in deleted state. Then some time later the app is started. The +driver will replenish the login retry count, trigger delete to prepare for +secure login. After deletion, relogin is triggered. + +For the session that is already deleted, the delete trigger is a no-op. If +none of the sessions trigger a relogin, no progress is made. + +Add a relogin trigger. + +Link: https://lore.kernel.org/r/20220608115849.16693-5-njavali@marvell.com +Fixes: 7ebb336e45ef ("scsi: qla2xxx: edif: Add start + stop bsgs") +Reviewed-by: Himanshu Madhani +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_edif.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/scsi/qla2xxx/qla_edif.c ++++ b/drivers/scsi/qla2xxx/qla_edif.c +@@ -567,6 +567,7 @@ qla_edif_app_start(scsi_qla_host_t *vha, + qlt_schedule_sess_for_deletion(fcport); + qla_edif_sa_ctl_init(vha, fcport); + } ++ set_bit(RELOGIN_NEEDED, &vha->dpc_flags); + } + + if (vha->pur_cinfo.enode_flags != ENODE_ACTIVE) { diff --git a/patches.suse/scsi-qla2xxx-edif-Fix-no-logout-on-delete-for-N2N.patch b/patches.suse/scsi-qla2xxx-edif-Fix-no-logout-on-delete-for-N2N.patch new file mode 100644 index 0000000..7fc827b --- /dev/null +++ b/patches.suse/scsi-qla2xxx-edif-Fix-no-logout-on-delete-for-N2N.patch @@ -0,0 +1,36 @@ +From: Quinn Tran +Date: Wed, 8 Jun 2022 04:58:46 -0700 +Subject: scsi: qla2xxx: edif: Fix no logout on delete for N2N +Patch-mainline: v5.20-rc1 +Git-commit: ec538eb838f334453b10e7e9b260f0c358018a37 +References: bsc#1201958 + +The driver failed to send implicit logout on session delete. For edif, this +failed to flush any lingering SA index in FW. + +Set a flag to turn on implicit logout early in the session recovery to make +sure the logout will go out in case of error. + +Link: https://lore.kernel.org/r/20220608115849.16693-8-njavali@marvell.com +Fixes: 4de067e5df12 ("scsi: qla2xxx: edif: Add N2N support for EDIF") +Reviewed-by: Himanshu Madhani +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_iocb.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/scsi/qla2xxx/qla_iocb.c ++++ b/drivers/scsi/qla2xxx/qla_iocb.c +@@ -2885,6 +2885,9 @@ static void qla2x00_els_dcmd2_sp_done(sr + sp->name, res, sp->handle, fcport->d_id.b24, fcport->port_name); + + fcport->flags &= ~(FCF_ASYNC_SENT|FCF_ASYNC_ACTIVE); ++ /* For edif, set logout on delete to ensure any residual key from FW is flushed.*/ ++ fcport->logout_on_delete = 1; ++ fcport->chip_reset = vha->hw->base_qpair->chip_reset; + + if (sp->flags & SRB_WAKEUP_ON_COMP) + complete(&lio->u.els_plogi.comp); diff --git a/patches.suse/scsi-qla2xxx-edif-Fix-potential-stuck-session-in-sa-.patch b/patches.suse/scsi-qla2xxx-edif-Fix-potential-stuck-session-in-sa-.patch new file mode 100644 index 0000000..c0db2c7 --- /dev/null +++ b/patches.suse/scsi-qla2xxx-edif-Fix-potential-stuck-session-in-sa-.patch @@ -0,0 +1,72 @@ +From: Quinn Tran +Date: Mon, 6 Jun 2022 21:46:21 -0700 +Subject: scsi: qla2xxx: edif: Fix potential stuck session in sa update +Patch-mainline: v5.20-rc1 +Git-commit: e0fb8ce2bb9e52c846e54ad2c58b5b7beb13eb09 +References: bsc#1201958 + +When a thread is in the process of reestablish a session, a flag is set to +prevent multiple threads/triggers from doing the same task. This flag was +left on, and any attempt to relogin was locked out. Clear this flag if the +attempt has failed. + +Link: https://lore.kernel.org/r/20220607044627.19563-6-njavali@marvell.com +Fixes: dd30706e73b7 ("scsi: qla2xxx: edif: Add key update") +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_edif.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_edif.c ++++ b/drivers/scsi/qla2xxx/qla_edif.c +@@ -2331,6 +2331,7 @@ edif_doorbell_show(struct device *dev, s + + static void qla_noop_sp_done(srb_t *sp, int res) + { ++ sp->fcport->flags &= ~(FCF_ASYNC_SENT | FCF_ASYNC_ACTIVE); + /* ref: INIT */ + kref_put(&sp->cmd_kref, qla2x00_sp_release); + } +@@ -2355,7 +2356,8 @@ qla24xx_issue_sa_replace_iocb(scsi_qla_h + if (!sa_ctl) { + ql_dbg(ql_dbg_edif, vha, 0x70e6, + "sa_ctl allocation failed\n"); +- return -ENOMEM; ++ rval = -ENOMEM; ++ goto done; + } + + fcport = sa_ctl->fcport; +@@ -2365,7 +2367,8 @@ qla24xx_issue_sa_replace_iocb(scsi_qla_h + if (!sp) { + ql_dbg(ql_dbg_edif, vha, 0x70e6, + "SRB allocation failed\n"); +- return -ENOMEM; ++ rval = -ENOMEM; ++ goto done; + } + + fcport->flags |= FCF_ASYNC_SENT; +@@ -2394,10 +2397,18 @@ qla24xx_issue_sa_replace_iocb(scsi_qla_h + + rval = qla2x00_start_sp(sp); + +- if (rval != QLA_SUCCESS) ++ if (rval != QLA_SUCCESS) { + rval = QLA_FUNCTION_FAILED; ++ goto done_free_sp; ++ } + + return rval; ++done_free_sp: ++ kref_put(&sp->cmd_kref, qla2x00_sp_release); ++ fcport->flags &= ~FCF_ASYNC_SENT; ++done: ++ fcport->flags &= ~FCF_ASYNC_ACTIVE; ++ return rval; + } + + void qla24xx_sa_update_iocb(srb_t *sp, struct sa_update_28xx *sa_update_iocb) diff --git a/patches.suse/scsi-qla2xxx-edif-Fix-session-thrash.patch b/patches.suse/scsi-qla2xxx-edif-Fix-session-thrash.patch new file mode 100644 index 0000000..b64ba15 --- /dev/null +++ b/patches.suse/scsi-qla2xxx-edif-Fix-session-thrash.patch @@ -0,0 +1,67 @@ +From: Quinn Tran +Date: Wed, 8 Jun 2022 04:58:45 -0700 +Subject: scsi: qla2xxx: edif: Fix session thrash +Patch-mainline: v5.20-rc1 +Git-commit: a8fdfb0b39c2b31722c70bdf2272b949d5af4b7b +References: bsc#1201958 + +Current code prematurely sends out PRLI before authentication application +has given the OK to do so. This causes PRLI failure and session teardown. + +Prevents PRLI from going out before authentication app gives the OK. + +Link: https://lore.kernel.org/r/20220608115849.16693-7-njavali@marvell.com +Fixes: 91f6f5fbe87b ("scsi: qla2xxx: edif: Reduce connection thrash") +Reviewed-by: Himanshu Madhani +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_edif.c | 2 +- + drivers/scsi/qla2xxx/qla_edif.h | 4 ++++ + drivers/scsi/qla2xxx/qla_init.c | 10 +++++++++- + 3 files changed, 14 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_edif.c ++++ b/drivers/scsi/qla2xxx/qla_edif.c +@@ -3517,7 +3517,7 @@ int qla_edif_process_els(scsi_qla_host_t + if (qla_bsg_check(vha, bsg_job, fcport)) + return 0; + +- if (fcport->loop_id == FC_NO_LOOP_ID) { ++ if (EDIF_SESS_DELETE(fcport)) { + ql_dbg(ql_dbg_edif, vha, 0x910d, + "%s ELS code %x, no loop id.\n", __func__, + bsg_request->rqst_data.r_els.els_code); +--- a/drivers/scsi/qla2xxx/qla_edif.h ++++ b/drivers/scsi/qla2xxx/qla_edif.h +@@ -141,4 +141,8 @@ struct enode { + (DBELL_ACTIVE(_fcport->vha) && \ + (_fcport->disc_state == DSC_LOGIN_AUTH_PEND)) + ++#define EDIF_SESS_DELETE(_s) \ ++ (qla_ini_mode_enabled(_s->vha) && (_s->disc_state == DSC_DELETE_PEND || \ ++ _s->disc_state == DSC_DELETED)) ++ + #endif /* __QLA_EDIF_H */ +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -1765,8 +1765,16 @@ int qla24xx_fcport_handle_login(struct s + break; + + case DSC_LOGIN_PEND: +- if (fcport->fw_login_state == DSC_LS_PLOGI_COMP) ++ if (vha->hw->flags.edif_enabled) ++ break; ++ ++ if (fcport->fw_login_state == DSC_LS_PLOGI_COMP) { ++ ql_dbg(ql_dbg_disc, vha, 0x2118, ++ "%s %d %8phC post %s PRLI\n", ++ __func__, __LINE__, fcport->port_name, ++ NVME_TARGET(vha->hw, fcport) ? "NVME" : "FC"); + qla24xx_post_prli_work(vha, fcport); ++ } + break; + + case DSC_UPD_FCPORT: diff --git a/patches.suse/scsi-qla2xxx-edif-Fix-slow-session-teardown.patch b/patches.suse/scsi-qla2xxx-edif-Fix-slow-session-teardown.patch new file mode 100644 index 0000000..cf5d490 --- /dev/null +++ b/patches.suse/scsi-qla2xxx-edif-Fix-slow-session-teardown.patch @@ -0,0 +1,85 @@ +From: Quinn Tran +Date: Wed, 8 Jun 2022 04:58:48 -0700 +Subject: scsi: qla2xxx: edif: Fix slow session teardown +Patch-mainline: v5.20-rc1 +Git-commit: bcf536072f7475c65f21fd1681e94f99c04f9d15 +References: bsc#1201958 + +User experience slow recovery when target device went through a stop/start +of the authentication application (app_stop/app_start). + +Between the period of app_stop and app_start on the target device, target +device choose to send ELS Reject for any receive AUTH ELS command. At this +time, authentication application does not do ELS reject if it encounters +error. + +Therefore, AUTH ELS reject signify authentication application is not +running. If driver passes up the AUTH ELS Reject to the authentication +application, then it would result in authentication application +retrying/resending the same AUTH ELS command again + delay. + +As a work around, driver should trigger a session tear down where it tells +the local authentication application to also tear down. At the next +relogin, both sides are then synchronized. + +Link: https://lore.kernel.org/r/20220608115849.16693-10-njavali@marvell.com +Reviewed-by: Himanshu Madhani +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_isr.c | 34 ++++++++++++++++++++-------------- + 1 file changed, 20 insertions(+), 14 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_isr.c ++++ b/drivers/scsi/qla2xxx/qla_isr.c +@@ -2246,9 +2246,9 @@ qla24xx_els_ct_entry(scsi_qla_host_t *v, + res = DID_ERROR << 16; + } + +- if (logit) { +- if (sp->remap.remapped && +- ((u8 *)sp->remap.rsp.buf)[0] == ELS_LS_RJT) { ++ if (sp->remap.remapped && ++ ((u8 *)sp->remap.rsp.buf)[0] == ELS_LS_RJT) { ++ if (logit) { + ql_dbg(ql_dbg_user, vha, 0x503f, + "%s IOCB Done LS_RJT hdl=%x comp_status=0x%x\n", + type, sp->handle, comp_status); +@@ -2260,18 +2260,24 @@ qla24xx_els_ct_entry(scsi_qla_host_t *v, + pkt)->total_byte_count), + e->s_id[0], e->s_id[2], e->s_id[1], + e->d_id[2], e->d_id[1], e->d_id[0]); +- } else { +- ql_log(ql_log_info, vha, 0x503f, +- "%s IOCB Done hdl=%x comp_status=0x%x\n", +- type, sp->handle, comp_status); +- ql_log(ql_log_info, vha, 0x503f, +- "subcode 1=0x%x subcode 2=0x%x bytes=0x%x %02x%02x%02x -> %02x%02x%02x\n", +- fw_status[1], fw_status[2], +- le32_to_cpu(((struct els_sts_entry_24xx *) +- pkt)->total_byte_count), +- e->s_id[0], e->s_id[2], e->s_id[1], +- e->d_id[2], e->d_id[1], e->d_id[0]); + } ++ if (sp->fcport && sp->fcport->flags & FCF_FCSP_DEVICE && ++ sp->type == SRB_ELS_CMD_HST_NOLOGIN) { ++ ql_dbg(ql_dbg_edif, vha, 0x911e, ++ "%s rcv reject. Sched delete\n", __func__); ++ qlt_schedule_sess_for_deletion(sp->fcport); ++ } ++ } else if (logit) { ++ ql_log(ql_log_info, vha, 0x503f, ++ "%s IOCB Done hdl=%x comp_status=0x%x\n", ++ type, sp->handle, comp_status); ++ ql_log(ql_log_info, vha, 0x503f, ++ "subcode 1=0x%x subcode 2=0x%x bytes=0x%x %02x%02x%02x -> %02x%02x%02x\n", ++ fw_status[1], fw_status[2], ++ le32_to_cpu(((struct els_sts_entry_24xx *) ++ pkt)->total_byte_count), ++ e->s_id[0], e->s_id[2], e->s_id[1], ++ e->d_id[2], e->d_id[1], e->d_id[0]); + } + } + goto els_ct_done; diff --git a/patches.suse/scsi-qla2xxx-edif-Reduce-Initiator-Initiator-thrashi.patch b/patches.suse/scsi-qla2xxx-edif-Reduce-Initiator-Initiator-thrashi.patch new file mode 100644 index 0000000..3c2aa2b --- /dev/null +++ b/patches.suse/scsi-qla2xxx-edif-Reduce-Initiator-Initiator-thrashi.patch @@ -0,0 +1,310 @@ +From: Quinn Tran +Date: Mon, 6 Jun 2022 21:46:17 -0700 +Subject: scsi: qla2xxx: edif: Reduce Initiator-Initiator thrashing +Patch-mainline: v5.20-rc1 +Git-commit: 9c40c36e75ffd49952cd4ead0672defc4b4dbdf7 +References: bsc#1201958 + +This patch uses GFFID switch command to scan whether remote device is +Target or Initiator mode. Based on that info, driver will not pass up +Initiator info to authentication application. This helps reduce unnecessary +stress for authentication application to deal with unused connections. + +Link: https://lore.kernel.org/r/20220607044627.19563-2-njavali@marvell.com +Fixes: 7ebb336e45ef ("scsi: qla2xxx: edif: Add start + stop bsgs") +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_def.h | 2 + drivers/scsi/qla2xxx/qla_edif.c | 32 +++++++++- + drivers/scsi/qla2xxx/qla_gbl.h | 3 - + drivers/scsi/qla2xxx/qla_gs.c | 118 +++++++++++++++++++++++++++++----------- + drivers/scsi/qla2xxx/qla_iocb.c | 2 + 5 files changed, 120 insertions(+), 37 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_def.h ++++ b/drivers/scsi/qla2xxx/qla_def.h +@@ -3205,6 +3205,8 @@ struct ct_sns_rsp { + #define GFF_NVME_OFFSET 23 /* type = 28h */ + struct { + uint8_t fc4_features[128]; ++#define FC4_FF_TARGET BIT_0 ++#define FC4_FF_INITIATOR BIT_1 + } gff_id; + struct { + uint8_t reserved; +--- a/drivers/scsi/qla2xxx/qla_edif.c ++++ b/drivers/scsi/qla2xxx/qla_edif.c +@@ -517,16 +517,28 @@ qla_edif_app_start(scsi_qla_host_t *vha, + if (atomic_read(&vha->loop_state) == LOOP_DOWN) + break; + +- fcport->edif.app_started = 1; + fcport->login_retry = vha->hw->login_retry_count; + +- /* no activity */ + fcport->edif.app_stop = 0; ++ fcport->edif.app_sess_online = 0; ++ fcport->edif.app_started = 1; ++ ++ if (fcport->scan_state != QLA_FCPORT_FOUND) ++ continue; ++ ++ if (fcport->port_type == FCT_UNKNOWN && ++ !fcport->fc4_features) ++ rval = qla24xx_async_gffid(vha, fcport, true); ++ ++ if (!rval && !(fcport->fc4_features & FC4_FF_TARGET || ++ fcport->port_type & (FCT_TARGET|FCT_NVME_TARGET))) ++ continue; ++ ++ rval = 0; + + ql_dbg(ql_dbg_edif, vha, 0x911e, + "%s wwpn %8phC calling qla_edif_reset_auth_wait\n", + __func__, fcport->port_name); +- fcport->edif.app_sess_online = 0; + qlt_schedule_sess_for_deletion(fcport); + qla_edif_sa_ctl_init(vha, fcport); + } +@@ -883,6 +895,20 @@ qla_edif_app_getfcinfo(scsi_qla_host_t * + app_reply->ports[pcnt].rekey_count = + fcport->edif.rekey_cnt; + ++ if (fcport->scan_state != QLA_FCPORT_FOUND) ++ continue; ++ ++ if (fcport->port_type == FCT_UNKNOWN && !fcport->fc4_features) ++ rval = qla24xx_async_gffid(vha, fcport, true); ++ ++ if (!rval && ++ !(fcport->fc4_features & FC4_FF_TARGET || ++ fcport->port_type & ++ (FCT_TARGET | FCT_NVME_TARGET))) ++ continue; ++ ++ rval = 0; ++ + app_reply->ports[pcnt].remote_type = + VND_CMD_RTYPE_UNKNOWN; + if (fcport->port_type & (FCT_NVME_TARGET | FCT_TARGET)) +--- a/drivers/scsi/qla2xxx/qla_gbl.h ++++ b/drivers/scsi/qla2xxx/qla_gbl.h +@@ -337,6 +337,7 @@ extern int qla24xx_configure_prot_mode(s + extern int qla24xx_issue_sa_replace_iocb(scsi_qla_host_t *vha, + struct qla_work_evt *e); + void qla2x00_sp_release(struct kref *kref); ++void qla2x00_els_dcmd2_iocb_timeout(void *data); + + /* + * Global Function Prototypes in qla_mbx.c source file. +@@ -729,7 +730,7 @@ int qla24xx_async_gpsc(scsi_qla_host_t * + void qla24xx_handle_gpsc_event(scsi_qla_host_t *, struct event_arg *); + int qla2x00_mgmt_svr_login(scsi_qla_host_t *); + void qla24xx_handle_gffid_event(scsi_qla_host_t *vha, struct event_arg *ea); +-int qla24xx_async_gffid(scsi_qla_host_t *vha, fc_port_t *fcport); ++int qla24xx_async_gffid(scsi_qla_host_t *vha, fc_port_t *fcport, bool); + int qla24xx_async_gpnft(scsi_qla_host_t *, u8, srb_t *); + void qla24xx_async_gpnft_done(scsi_qla_host_t *, srb_t *); + void qla24xx_async_gnnft_done(scsi_qla_host_t *, srb_t *); +--- a/drivers/scsi/qla2xxx/qla_gs.c ++++ b/drivers/scsi/qla2xxx/qla_gs.c +@@ -3281,19 +3281,12 @@ int qla24xx_async_gpnid(scsi_qla_host_t + return rval; + } + +-void qla24xx_handle_gffid_event(scsi_qla_host_t *vha, struct event_arg *ea) +-{ +- fc_port_t *fcport = ea->fcport; +- +- qla24xx_post_gnl_work(vha, fcport); +-} + + void qla24xx_async_gffid_sp_done(srb_t *sp, int res) + { + struct scsi_qla_host *vha = sp->vha; + fc_port_t *fcport = sp->fcport; + struct ct_sns_rsp *ct_rsp; +- struct event_arg ea; + uint8_t fc4_scsi_feat; + uint8_t fc4_nvme_feat; + +@@ -3301,10 +3294,10 @@ void qla24xx_async_gffid_sp_done(srb_t * + "Async done-%s res %x ID %x. %8phC\n", + sp->name, res, fcport->d_id.b24, fcport->port_name); + +- fcport->flags &= ~FCF_ASYNC_SENT; +- ct_rsp = &fcport->ct_desc.ct_sns->p.rsp; ++ ct_rsp = sp->u.iocb_cmd.u.ctarg.rsp; + fc4_scsi_feat = ct_rsp->rsp.gff_id.fc4_features[GFF_FCP_SCSI_OFFSET]; + fc4_nvme_feat = ct_rsp->rsp.gff_id.fc4_features[GFF_NVME_OFFSET]; ++ sp->rc = res; + + /* + * FC-GS-7, 5.2.3.12 FC-4 Features - format +@@ -3325,24 +3318,42 @@ void qla24xx_async_gffid_sp_done(srb_t * + } + } + +- memset(&ea, 0, sizeof(ea)); +- ea.sp = sp; +- ea.fcport = sp->fcport; +- ea.rc = res; ++ if (sp->flags & SRB_WAKEUP_ON_COMP) { ++ complete(sp->comp); ++ } else { ++ if (sp->u.iocb_cmd.u.ctarg.req) { ++ dma_free_coherent(&vha->hw->pdev->dev, ++ sp->u.iocb_cmd.u.ctarg.req_allocated_size, ++ sp->u.iocb_cmd.u.ctarg.req, ++ sp->u.iocb_cmd.u.ctarg.req_dma); ++ sp->u.iocb_cmd.u.ctarg.req = NULL; ++ } + +- qla24xx_handle_gffid_event(vha, &ea); +- /* ref: INIT */ +- kref_put(&sp->cmd_kref, qla2x00_sp_release); ++ if (sp->u.iocb_cmd.u.ctarg.rsp) { ++ dma_free_coherent(&vha->hw->pdev->dev, ++ sp->u.iocb_cmd.u.ctarg.rsp_allocated_size, ++ sp->u.iocb_cmd.u.ctarg.rsp, ++ sp->u.iocb_cmd.u.ctarg.rsp_dma); ++ sp->u.iocb_cmd.u.ctarg.rsp = NULL; ++ } ++ ++ /* ref: INIT */ ++ kref_put(&sp->cmd_kref, qla2x00_sp_release); ++ /* we should not be here */ ++ dump_stack(); ++ } + } + + /* Get FC4 Feature with Nport ID. */ +-int qla24xx_async_gffid(scsi_qla_host_t *vha, fc_port_t *fcport) ++int qla24xx_async_gffid(scsi_qla_host_t *vha, fc_port_t *fcport, bool wait) + { + int rval = QLA_FUNCTION_FAILED; + struct ct_sns_req *ct_req; + srb_t *sp; ++ DECLARE_COMPLETION_ONSTACK(comp); + +- if (!vha->flags.online || (fcport->flags & FCF_ASYNC_SENT)) ++ /* this routine does not have handling for no wait */ ++ if (!vha->flags.online || !wait) + return rval; + + /* ref: INIT */ +@@ -3350,43 +3361,86 @@ int qla24xx_async_gffid(scsi_qla_host_t + if (!sp) + return rval; + +- fcport->flags |= FCF_ASYNC_SENT; + sp->type = SRB_CT_PTHRU_CMD; + sp->name = "gffid"; + sp->gen1 = fcport->rscn_gen; + sp->gen2 = fcport->login_gen; + qla2x00_init_async_sp(sp, qla2x00_get_async_timeout(vha) + 2, + qla24xx_async_gffid_sp_done); ++ sp->comp = ∁ ++ sp->u.iocb_cmd.timeout = qla2x00_els_dcmd2_iocb_timeout; ++ ++ if (wait) ++ sp->flags = SRB_WAKEUP_ON_COMP; ++ ++ sp->u.iocb_cmd.u.ctarg.req_allocated_size = sizeof(struct ct_sns_pkt); ++ sp->u.iocb_cmd.u.ctarg.req = dma_alloc_coherent(&vha->hw->pdev->dev, ++ sp->u.iocb_cmd.u.ctarg.req_allocated_size, ++ &sp->u.iocb_cmd.u.ctarg.req_dma, ++ GFP_KERNEL); ++ if (!sp->u.iocb_cmd.u.ctarg.req) { ++ ql_log(ql_log_warn, vha, 0xd041, ++ "%s: Failed to allocate ct_sns request.\n", ++ __func__); ++ goto done_free_sp; ++ } ++ ++ sp->u.iocb_cmd.u.ctarg.rsp_allocated_size = sizeof(struct ct_sns_pkt); ++ sp->u.iocb_cmd.u.ctarg.rsp = dma_alloc_coherent(&vha->hw->pdev->dev, ++ sp->u.iocb_cmd.u.ctarg.rsp_allocated_size, ++ &sp->u.iocb_cmd.u.ctarg.rsp_dma, ++ GFP_KERNEL); ++ if (!sp->u.iocb_cmd.u.ctarg.req) { ++ ql_log(ql_log_warn, vha, 0xd041, ++ "%s: Failed to allocate ct_sns request.\n", ++ __func__); ++ goto done_free_sp; ++ } + + /* CT_IU preamble */ +- ct_req = qla2x00_prep_ct_req(fcport->ct_desc.ct_sns, GFF_ID_CMD, +- GFF_ID_RSP_SIZE); ++ ct_req = qla2x00_prep_ct_req(sp->u.iocb_cmd.u.ctarg.req, GFF_ID_CMD, GFF_ID_RSP_SIZE); + + ct_req->req.gff_id.port_id[0] = fcport->d_id.b.domain; + ct_req->req.gff_id.port_id[1] = fcport->d_id.b.area; + ct_req->req.gff_id.port_id[2] = fcport->d_id.b.al_pa; + +- sp->u.iocb_cmd.u.ctarg.req = fcport->ct_desc.ct_sns; +- sp->u.iocb_cmd.u.ctarg.req_dma = fcport->ct_desc.ct_sns_dma; +- sp->u.iocb_cmd.u.ctarg.rsp = fcport->ct_desc.ct_sns; +- sp->u.iocb_cmd.u.ctarg.rsp_dma = fcport->ct_desc.ct_sns_dma; + sp->u.iocb_cmd.u.ctarg.req_size = GFF_ID_REQ_SIZE; + sp->u.iocb_cmd.u.ctarg.rsp_size = GFF_ID_RSP_SIZE; + sp->u.iocb_cmd.u.ctarg.nport_handle = NPH_SNS; + +- ql_dbg(ql_dbg_disc, vha, 0x2132, +- "Async-%s hdl=%x %8phC.\n", sp->name, +- sp->handle, fcport->port_name); +- + rval = qla2x00_start_sp(sp); +- if (rval != QLA_SUCCESS) ++ ++ if (rval != QLA_SUCCESS) { ++ rval = QLA_FUNCTION_FAILED; + goto done_free_sp; ++ } else { ++ ql_dbg(ql_dbg_disc, vha, 0x3074, ++ "Async-%s hdl=%x portid %06x\n", ++ sp->name, sp->handle, fcport->d_id.b24); ++ } ++ ++ wait_for_completion(sp->comp); ++ rval = sp->rc; + +- return rval; + done_free_sp: ++ if (sp->u.iocb_cmd.u.ctarg.req) { ++ dma_free_coherent(&vha->hw->pdev->dev, ++ sp->u.iocb_cmd.u.ctarg.req_allocated_size, ++ sp->u.iocb_cmd.u.ctarg.req, ++ sp->u.iocb_cmd.u.ctarg.req_dma); ++ sp->u.iocb_cmd.u.ctarg.req = NULL; ++ } ++ ++ if (sp->u.iocb_cmd.u.ctarg.rsp) { ++ dma_free_coherent(&vha->hw->pdev->dev, ++ sp->u.iocb_cmd.u.ctarg.rsp_allocated_size, ++ sp->u.iocb_cmd.u.ctarg.rsp, ++ sp->u.iocb_cmd.u.ctarg.rsp_dma); ++ sp->u.iocb_cmd.u.ctarg.rsp = NULL; ++ } ++ + /* ref: INIT */ + kref_put(&sp->cmd_kref, qla2x00_sp_release); +- fcport->flags &= ~FCF_ASYNC_SENT; + return rval; + } + +--- a/drivers/scsi/qla2xxx/qla_iocb.c ++++ b/drivers/scsi/qla2xxx/qla_iocb.c +@@ -2822,7 +2822,7 @@ qla24xx_els_logo_iocb(srb_t *sp, struct + sp->vha->qla_stats.control_requests++; + } + +-static void ++void + qla2x00_els_dcmd2_iocb_timeout(void *data) + { + srb_t *sp = data; diff --git a/patches.suse/scsi-qla2xxx-edif-Reduce-N2N-thrashing-at-app_start-.patch b/patches.suse/scsi-qla2xxx-edif-Reduce-N2N-thrashing-at-app_start-.patch new file mode 100644 index 0000000..5674a0f --- /dev/null +++ b/patches.suse/scsi-qla2xxx-edif-Reduce-N2N-thrashing-at-app_start-.patch @@ -0,0 +1,93 @@ +From: Quinn Tran +Date: Wed, 8 Jun 2022 04:58:47 -0700 +Subject: scsi: qla2xxx: edif: Reduce N2N thrashing at app_start time +Patch-mainline: v5.20-rc1 +Git-commit: 37be3f9d6993a721bc019f03c97ea0fe66319997 +References: bsc#1201958 + +For N2N + remote WWPN is bigger than local adapter, remote adapter will +login to local adapter while authentication application is not running. +When authentication application starts, the current session in FW needs to +to be invalidated. + +Make sure the old session is torn down before triggering a relogin. + +Link: https://lore.kernel.org/r/20220608115849.16693-9-njavali@marvell.com +Fixes: 4de067e5df12 ("scsi: qla2xxx: edif: Add N2N support for EDIF") +Reviewed-by: Himanshu Madhani +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_edif.c | 51 ++++++++++++++++++++++++++++------------ + 1 file changed, 36 insertions(+), 15 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_edif.c ++++ b/drivers/scsi/qla2xxx/qla_edif.c +@@ -517,11 +517,28 @@ qla_edif_app_start(scsi_qla_host_t *vha, + list_for_each_entry_safe(fcport, tf, &vha->vp_fcports, list) + fcport->n2n_link_reset_cnt = 0; + +- if (vha->hw->flags.n2n_fw_acc_sec) +- set_bit(N2N_LINK_RESET, &vha->dpc_flags); +- else ++ if (vha->hw->flags.n2n_fw_acc_sec) { ++ list_for_each_entry_safe(fcport, tf, &vha->vp_fcports, list) ++ qla_edif_sa_ctl_init(vha, fcport); ++ ++ /* ++ * While authentication app was not running, remote device ++ * could still try to login with this local port. Let's ++ * clear the state and try again. ++ */ ++ qla2x00_wait_for_sess_deletion(vha); ++ ++ /* bounce the link to get the other guy to relogin */ ++ if (!vha->hw->flags.n2n_bigger) { ++ set_bit(N2N_LINK_RESET, &vha->dpc_flags); ++ qla2xxx_wake_dpc(vha); ++ } ++ } else { ++ qla2x00_wait_for_hba_online(vha); + set_bit(ISP_ABORT_NEEDED, &vha->dpc_flags); +- qla2xxx_wake_dpc(vha); ++ qla2xxx_wake_dpc(vha); ++ qla2x00_wait_for_hba_online(vha); ++ } + } else { + list_for_each_entry_safe(fcport, tf, &vha->vp_fcports, list) { + ql_dbg(ql_dbg_edif, vha, 0x2058, +@@ -920,17 +937,21 @@ qla_edif_app_getfcinfo(scsi_qla_host_t * + if (tdid.b24 != 0 && tdid.b24 != fcport->d_id.b24) + continue; + +- if (fcport->scan_state != QLA_FCPORT_FOUND) +- continue; +- +- if (fcport->port_type == FCT_UNKNOWN && !fcport->fc4_features) +- rval = qla24xx_async_gffid(vha, fcport, true); +- +- if (!rval && +- !(fcport->fc4_features & FC4_FF_TARGET || +- fcport->port_type & +- (FCT_TARGET | FCT_NVME_TARGET))) +- continue; ++ if (!N2N_TOPO(vha->hw)) { ++ if (fcport->scan_state != QLA_FCPORT_FOUND) ++ continue; ++ ++ if (fcport->port_type == FCT_UNKNOWN && ++ !fcport->fc4_features) ++ rval = qla24xx_async_gffid(vha, fcport, ++ true); ++ ++ if (!rval && ++ !(fcport->fc4_features & FC4_FF_TARGET || ++ fcport->port_type & ++ (FCT_TARGET | FCT_NVME_TARGET))) ++ continue; ++ } + + rval = 0; + diff --git a/patches.suse/scsi-qla2xxx-edif-Reduce-disruption-due-to-multiple-.patch b/patches.suse/scsi-qla2xxx-edif-Reduce-disruption-due-to-multiple-.patch new file mode 100644 index 0000000..743d017 --- /dev/null +++ b/patches.suse/scsi-qla2xxx-edif-Reduce-disruption-due-to-multiple-.patch @@ -0,0 +1,41 @@ +From: Quinn Tran +Date: Wed, 8 Jun 2022 04:58:42 -0700 +Subject: scsi: qla2xxx: edif: Reduce disruption due to multiple app start +Patch-mainline: v5.20-rc1 +Git-commit: 0dbfce5255fe8d069a1a3b712a25b263264cfa58 +References: bsc#1201958 + +Multiple app start can trigger a session bounce. Make driver skip over +session teardown if app start is seen more than once. + +Link: https://lore.kernel.org/r/20220608115849.16693-4-njavali@marvell.com +Fixes: 7ebb336e45ef ("scsi: qla2xxx: edif: Add start + stop bsgs") +Reviewed-by: Himanshu Madhani +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_edif.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_edif.c ++++ b/drivers/scsi/qla2xxx/qla_edif.c +@@ -510,8 +510,7 @@ qla_edif_app_start(scsi_qla_host_t *vha, + /* mark doorbell as active since an app is now present */ + vha->e_dbell.db_flags |= EDB_ACTIVE; + } else { +- ql_dbg(ql_dbg_edif, vha, 0x911e, "%s doorbell already active\n", +- __func__); ++ goto out; + } + + if (N2N_TOPO(vha->hw)) { +@@ -578,6 +577,7 @@ qla_edif_app_start(scsi_qla_host_t *vha, + __func__); + } + ++out: + appreply.host_support_edif = vha->hw->flags.edif_enabled; + appreply.edif_enode_active = vha->pur_cinfo.enode_flags; + appreply.edif_edb_active = vha->e_dbell.db_flags; diff --git a/patches.suse/scsi-qla2xxx-edif-Remove-old-doorbell-interface.patch b/patches.suse/scsi-qla2xxx-edif-Remove-old-doorbell-interface.patch new file mode 100644 index 0000000..2ef5323 --- /dev/null +++ b/patches.suse/scsi-qla2xxx-edif-Remove-old-doorbell-interface.patch @@ -0,0 +1,141 @@ +From: Quinn Tran +Date: Mon, 6 Jun 2022 21:46:24 -0700 +Subject: scsi: qla2xxx: edif: Remove old doorbell interface +Patch-mainline: v5.20-rc1 +Git-commit: 1040e5f75ddf56fdd571a2a14b4d1a9e8ed846a9 +References: bsc#1201958 + +Recently driver has implemented a new doorbell mechanism via bsg. The new +doorbell tells driver the exact buffer size application has where driver +can fill it up with events. The old doorbell guestimated application buffer +size is 256. + +Remove duplicate functionality, the application has moved on to the new +doorbell interface. + +Link: https://lore.kernel.org/r/20220607044627.19563-9-njavali@marvell.com +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_attr.c | 2 - + drivers/scsi/qla2xxx/qla_edif.c | 78 ---------------------------------------- + drivers/scsi/qla2xxx/qla_gbl.h | 1 + 3 files changed, 81 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_attr.c ++++ b/drivers/scsi/qla2xxx/qla_attr.c +@@ -2477,7 +2477,6 @@ static DEVICE_ATTR(port_speed, 0644, qla + qla2x00_port_speed_store); + static DEVICE_ATTR(port_no, 0444, qla2x00_port_no_show, NULL); + static DEVICE_ATTR(fw_attr, 0444, qla2x00_fw_attr_show, NULL); +-static DEVICE_ATTR_RO(edif_doorbell); + + + struct device_attribute *qla2x00_host_attrs[] = { +@@ -2523,7 +2522,6 @@ struct device_attribute *qla2x00_host_at + &dev_attr_port_no, + &dev_attr_fw_attr, + &dev_attr_dport_diagnostics, +- &dev_attr_edif_doorbell, + &dev_attr_mpi_pause, + NULL, /* reserve for qlini_mode */ + NULL, /* reserve for ql2xiniexchg */ +--- a/drivers/scsi/qla2xxx/qla_edif.c ++++ b/drivers/scsi/qla2xxx/qla_edif.c +@@ -2265,84 +2265,6 @@ qla_edif_timer(scsi_qla_host_t *vha) + qla_edif_dbell_bsg_done(vha); + } + +-/* +- * app uses separate thread to read this. It'll wait until the doorbell +- * is rung by the driver or the max wait time has expired +- */ +-ssize_t +-edif_doorbell_show(struct device *dev, struct device_attribute *attr, +- char *buf) +-{ +- scsi_qla_host_t *vha = shost_priv(class_to_shost(dev)); +- struct edb_node *dbnode = NULL; +- struct edif_app_dbell *ap = (struct edif_app_dbell *)buf; +- uint32_t dat_siz, buf_size, sz; +- +- /* TODO: app currently hardcoded to 256. Will transition to bsg */ +- sz = 256; +- +- /* stop new threads from waiting if we're not init'd */ +- if (DBELL_INACTIVE(vha)) { +- ql_dbg(ql_dbg_edif + ql_dbg_verbose, vha, 0x09122, +- "%s error - edif db not enabled\n", __func__); +- return 0; +- } +- +- if (!vha->hw->flags.edif_enabled) { +- /* edif not enabled */ +- ql_dbg(ql_dbg_edif + ql_dbg_verbose, vha, 0x09122, +- "%s error - edif not enabled\n", __func__); +- return -1; +- } +- +- buf_size = 0; +- while ((sz - buf_size) >= sizeof(struct edb_node)) { +- /* remove the next item from the doorbell list */ +- dat_siz = 0; +- dbnode = qla_edb_getnext(vha); +- if (dbnode) { +- ap->event_code = dbnode->ntype; +- switch (dbnode->ntype) { +- case VND_CMD_AUTH_STATE_SESSION_SHUTDOWN: +- case VND_CMD_AUTH_STATE_NEEDED: +- ap->port_id = dbnode->u.plogi_did; +- dat_siz += sizeof(ap->port_id); +- break; +- case VND_CMD_AUTH_STATE_ELS_RCVD: +- ap->port_id = dbnode->u.els_sid; +- dat_siz += sizeof(ap->port_id); +- break; +- case VND_CMD_AUTH_STATE_SAUPDATE_COMPL: +- ap->port_id = dbnode->u.sa_aen.port_id; +- memcpy(ap->event_data, &dbnode->u, +- sizeof(struct edif_sa_update_aen)); +- dat_siz += sizeof(struct edif_sa_update_aen); +- break; +- default: +- /* unknown node type, rtn unknown ntype */ +- ap->event_code = VND_CMD_AUTH_STATE_UNDEF; +- memcpy(ap->event_data, &dbnode->ntype, 4); +- dat_siz += 4; +- break; +- } +- +- ql_dbg(ql_dbg_edif, vha, 0x09102, +- "%s Doorbell consumed : type=%d %p\n", +- __func__, dbnode->ntype, dbnode); +- /* we're done with the db node, so free it up */ +- kfree(dbnode); +- } else { +- break; +- } +- +- ap->event_data_size = dat_siz; +- /* 8bytes = ap->event_code + ap->event_data_size */ +- buf_size += dat_siz + 8; +- ap = (struct edif_app_dbell *)(buf + buf_size); +- } +- return buf_size; +-} +- + static void qla_noop_sp_done(srb_t *sp, int res) + { + sp->fcport->flags &= ~(FCF_ASYNC_SENT | FCF_ASYNC_ACTIVE); +--- a/drivers/scsi/qla2xxx/qla_gbl.h ++++ b/drivers/scsi/qla2xxx/qla_gbl.h +@@ -994,7 +994,6 @@ fc_port_t *qla2x00_find_fcport_by_pid(sc + void qla_edb_eventcreate(scsi_qla_host_t *vha, uint32_t dbtype, uint32_t data, uint32_t data2, + fc_port_t *fcport); + void qla_edb_stop(scsi_qla_host_t *vha); +-ssize_t edif_doorbell_show(struct device *dev, struct device_attribute *attr, char *buf); + int32_t qla_edif_app_mgmt(struct bsg_job *bsg_job); + void qla_enode_init(scsi_qla_host_t *vha); + void qla_enode_stop(scsi_qla_host_t *vha); diff --git a/patches.suse/scsi-qla2xxx-edif-Send-LOGO-for-unexpected-IKE-messa.patch b/patches.suse/scsi-qla2xxx-edif-Send-LOGO-for-unexpected-IKE-messa.patch new file mode 100644 index 0000000..9e6594f --- /dev/null +++ b/patches.suse/scsi-qla2xxx-edif-Send-LOGO-for-unexpected-IKE-messa.patch @@ -0,0 +1,70 @@ +From: Quinn Tran +Date: Wed, 8 Jun 2022 04:58:41 -0700 +Subject: scsi: qla2xxx: edif: Send LOGO for unexpected IKE message +Patch-mainline: v5.20-rc1 +Git-commit: 2b659ed67a12f39f56d8dcad9b5d5a74d67c01b3 +References: bsc#1201958 + +If the session is down and the local port continues to receive AUTH ELS +messages, the driver needs to send back LOGO so that the remote device +knows to tear down its session. Terminate and clean up the AUTH ELS +exchange followed by a passthrough LOGO. + +Link: https://lore.kernel.org/r/20220608115849.16693-3-njavali@marvell.com +Fixes: 225479296c4f ("scsi: qla2xxx: edif: Reject AUTH ELS on session down") +Reviewed-by: Himanshu Madhani +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_edif.c | 19 +++++++++++++++++-- + drivers/scsi/qla2xxx/qla_fw.h | 2 +- + 2 files changed, 18 insertions(+), 3 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_edif.c ++++ b/drivers/scsi/qla2xxx/qla_edif.c +@@ -2565,8 +2565,7 @@ void qla24xx_auth_els(scsi_qla_host_t *v + + fcport = qla2x00_find_fcport_by_pid(host, &purex->pur_info.pur_sid); + +- if (DBELL_INACTIVE(vha) || +- (fcport && EDIF_SESSION_DOWN(fcport))) { ++ if (DBELL_INACTIVE(vha)) { + ql_dbg(ql_dbg_edif, host, 0x0910c, "%s e_dbell.db_flags =%x %06x\n", + __func__, host->e_dbell.db_flags, + fcport ? fcport->d_id.b24 : 0); +@@ -2576,6 +2575,22 @@ void qla24xx_auth_els(scsi_qla_host_t *v + return; + } + ++ if (fcport && EDIF_SESSION_DOWN(fcport)) { ++ ql_dbg(ql_dbg_edif, host, 0x13b6, ++ "%s terminate exchange. Send logo to 0x%x\n", ++ __func__, a.did.b24); ++ ++ a.tx_byte_count = a.tx_len = 0; ++ a.tx_addr = 0; ++ a.control_flags = EPD_RX_XCHG; /* EPD_RX_XCHG = terminate cmd */ ++ qla_els_reject_iocb(host, (*rsp)->qpair, &a); ++ qla_enode_free(host, ptr); ++ /* send logo to let remote port knows to tear down session */ ++ fcport->send_els_logo = 1; ++ qlt_schedule_sess_for_deletion(fcport); ++ return; ++ } ++ + /* add the local enode to the list */ + qla_enode_add(host, ptr); + +--- a/drivers/scsi/qla2xxx/qla_fw.h ++++ b/drivers/scsi/qla2xxx/qla_fw.h +@@ -808,7 +808,7 @@ struct els_entry_24xx { + #define EPD_ELS_COMMAND (0 << 13) + #define EPD_ELS_ACC (1 << 13) + #define EPD_ELS_RJT (2 << 13) +-#define EPD_RX_XCHG (3 << 13) ++#define EPD_RX_XCHG (3 << 13) /* terminate exchange */ + #define ECF_CLR_PASSTHRU_PEND BIT_12 + #define ECF_INCL_FRAME_HDR BIT_11 + #define ECF_SEC_LOGIN BIT_3 diff --git a/patches.suse/scsi-qla2xxx-edif-Synchronize-NPIV-deletion-with-aut.patch b/patches.suse/scsi-qla2xxx-edif-Synchronize-NPIV-deletion-with-aut.patch new file mode 100644 index 0000000..fbd075d --- /dev/null +++ b/patches.suse/scsi-qla2xxx-edif-Synchronize-NPIV-deletion-with-aut.patch @@ -0,0 +1,48 @@ +From: Quinn Tran +Date: Mon, 6 Jun 2022 21:46:22 -0700 +Subject: scsi: qla2xxx: edif: Synchronize NPIV deletion with authentication + application +Patch-mainline: v5.20-rc1 +Git-commit: cf79716e6636400ae38c37bc8a652b1e522abbba +References: bsc#1201958 + +Notify authentication application of a NPIV deletion event is about to +occur. This allows app to perform cleanup. + +Link: https://lore.kernel.org/r/20220607044627.19563-7-njavali@marvell.com +Fixes: 9efea843a906 ("scsi: qla2xxx: edif: Add detection of secure device") +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_edif_bsg.h | 2 ++ + drivers/scsi/qla2xxx/qla_mid.c | 6 +++++- + 2 files changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/qla2xxx/qla_edif_bsg.h ++++ b/drivers/scsi/qla2xxx/qla_edif_bsg.h +@@ -253,4 +253,6 @@ struct aen_complete_cmd { + + #define RX_DELAY_DELETE_TIMEOUT 20 + ++#define FCH_EVT_VENDOR_UNIQUE_VPORT_DOWN 1 ++ + #endif /* QLA_EDIF_BSG_H */ +--- a/drivers/scsi/qla2xxx/qla_mid.c ++++ b/drivers/scsi/qla2xxx/qla_mid.c +@@ -167,9 +167,13 @@ qla24xx_disable_vp(scsi_qla_host_t *vha) + int ret = QLA_SUCCESS; + fc_port_t *fcport; + +- if (vha->hw->flags.edif_enabled) ++ if (vha->hw->flags.edif_enabled) { ++ if (DBELL_ACTIVE(vha)) ++ qla2x00_post_aen_work(vha, FCH_EVT_VENDOR_UNIQUE, ++ FCH_EVT_VENDOR_UNIQUE_VPORT_DOWN); + /* delete sessions and flush sa_indexes */ + qla2x00_wait_for_sess_deletion(vha); ++ } + + if (vha->hw->flags.fw_started) + ret = qla24xx_control_vp(vha, VCE_COMMAND_DISABLE_VPS_LOGO_ALL); diff --git a/patches.suse/scsi-qla2xxx-edif-Tear-down-session-if-keys-have-bee.patch b/patches.suse/scsi-qla2xxx-edif-Tear-down-session-if-keys-have-bee.patch new file mode 100644 index 0000000..93e75ba --- /dev/null +++ b/patches.suse/scsi-qla2xxx-edif-Tear-down-session-if-keys-have-bee.patch @@ -0,0 +1,45 @@ +From: Quinn Tran +Date: Wed, 8 Jun 2022 04:58:44 -0700 +Subject: scsi: qla2xxx: edif: Tear down session if keys have been removed +Patch-mainline: v5.20-rc1 +Git-commit: d7e2e4a68fc047a025afcd200e6b7e1fbc8b1999 +References: bsc#1201958 + +If all keys for a session have been deleted, trigger a session teardown. + +Link: https://lore.kernel.org/r/20220608115849.16693-6-njavali@marvell.com +Fixes: dd30706e73b7 ("scsi: qla2xxx: edif: Add key update") +Reviewed-by: Himanshu Madhani +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_def.h | 5 +++++ + drivers/scsi/qla2xxx/qla_isr.c | 1 + + 2 files changed, 6 insertions(+) + +--- a/drivers/scsi/qla2xxx/qla_def.h ++++ b/drivers/scsi/qla2xxx/qla_def.h +@@ -2159,6 +2159,11 @@ typedef struct { + #define CS_IOCB_ERROR 0x31 /* Generic error for IOCB request + failure */ + #define CS_REJECT_RECEIVED 0x4E /* Reject received */ ++#define CS_EDIF_AUTH_ERROR 0x63 /* decrypt error */ ++#define CS_EDIF_PAD_LEN_ERROR 0x65 /* pad > frame size, not 4byte align */ ++#define CS_EDIF_INV_REQ 0x66 /* invalid request */ ++#define CS_EDIF_SPI_ERROR 0x67 /* rx frame unable to locate sa */ ++#define CS_EDIF_HDR_ERROR 0x69 /* data frame != expected len */ + #define CS_BAD_PAYLOAD 0x80 /* Driver defined */ + #define CS_UNKNOWN 0x81 /* Driver defined */ + #define CS_RETRY 0x82 /* Driver defined */ +--- a/drivers/scsi/qla2xxx/qla_isr.c ++++ b/drivers/scsi/qla2xxx/qla_isr.c +@@ -3436,6 +3436,7 @@ qla2x00_status_entry(scsi_qla_host_t *vh + case CS_PORT_UNAVAILABLE: + case CS_TIMEOUT: + case CS_RESET: ++ case CS_EDIF_INV_REQ: + + /* + * We are going to have the fc class block the rport diff --git a/patches.suse/scsi-qla2xxx-edif-Wait-for-app-to-ack-on-sess-down.patch b/patches.suse/scsi-qla2xxx-edif-Wait-for-app-to-ack-on-sess-down.patch new file mode 100644 index 0000000..c5ddcf6 --- /dev/null +++ b/patches.suse/scsi-qla2xxx-edif-Wait-for-app-to-ack-on-sess-down.patch @@ -0,0 +1,231 @@ +From: Quinn Tran +Date: Mon, 6 Jun 2022 21:46:19 -0700 +Subject: scsi: qla2xxx: edif: Wait for app to ack on sess down +Patch-mainline: v5.20-rc1 +Git-commit: df648afa39da9c4d3af99c6c03dc3e9c7dfa99b0 +References: bsc#1201958 + +On session deletion, wait for app to acknowledge before moving on. This +allows both app and driver to stay in sync. In addition, this gives a +chance for authentication app to do any type of cleanup before moving on. + +Link: https://lore.kernel.org/r/20220607044627.19563-4-njavali@marvell.com +Fixes: dd30706e73b7 ("scsi: qla2xxx: edif: Add key update") +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_def.h | 2 - + drivers/scsi/qla2xxx/qla_edif.c | 66 +++++++++++++++++++++++++++++++------- + drivers/scsi/qla2xxx/qla_init.c | 4 -- + drivers/scsi/qla2xxx/qla_target.c | 35 ++++++++++---------- + 4 files changed, 74 insertions(+), 33 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_def.h ++++ b/drivers/scsi/qla2xxx/qla_def.h +@@ -2627,7 +2627,6 @@ typedef struct fc_port { + struct { + uint32_t enable:1; /* device is edif enabled/req'd */ + uint32_t app_stop:2; +- uint32_t app_started:1; + uint32_t aes_gmac:1; + uint32_t app_sess_online:1; + uint32_t tx_sa_set:1; +@@ -2638,6 +2637,7 @@ typedef struct fc_port { + uint32_t rx_rekey_cnt; + uint64_t tx_bytes; + uint64_t rx_bytes; ++ uint8_t sess_down_acked; + uint8_t auth_state; + uint16_t authok:1; + uint16_t rekey_cnt; +--- a/drivers/scsi/qla2xxx/qla_edif.c ++++ b/drivers/scsi/qla2xxx/qla_edif.c +@@ -257,14 +257,8 @@ qla2x00_find_fcport_by_pid(scsi_qla_host + + f = NULL; + list_for_each_entry_safe(f, tf, &vha->vp_fcports, list) { +- if ((f->flags & FCF_FCSP_DEVICE)) { +- ql_dbg(ql_dbg_edif + ql_dbg_verbose, vha, 0x2058, +- "Found secure fcport - nn %8phN pn %8phN portid=0x%x, 0x%x.\n", +- f->node_name, f->port_name, +- f->d_id.b24, id->b24); +- if (f->d_id.b24 == id->b24) +- return f; +- } ++ if (f->d_id.b24 == id->b24) ++ return f; + } + return NULL; + } +@@ -526,7 +520,6 @@ qla_edif_app_start(scsi_qla_host_t *vha, + + fcport->edif.app_stop = 0; + fcport->edif.app_sess_online = 0; +- fcport->edif.app_started = 1; + + if (fcport->scan_state != QLA_FCPORT_FOUND) + continue; +@@ -628,9 +621,6 @@ qla_edif_app_stop(scsi_qla_host_t *vha, + + fcport->send_els_logo = 1; + qlt_schedule_sess_for_deletion(fcport); +- +- /* qla_edif_flush_sa_ctl_lists(fcport); */ +- fcport->edif.app_started = 0; + } + } + +@@ -1047,6 +1037,40 @@ qla_edif_app_getstats(scsi_qla_host_t *v + return rval; + } + ++static int32_t ++qla_edif_ack(scsi_qla_host_t *vha, struct bsg_job *bsg_job) ++{ ++ struct fc_port *fcport; ++ struct aen_complete_cmd ack; ++ struct fc_bsg_reply *bsg_reply = bsg_job->reply; ++ ++ sg_copy_to_buffer(bsg_job->request_payload.sg_list, ++ bsg_job->request_payload.sg_cnt, &ack, sizeof(ack)); ++ ++ ql_dbg(ql_dbg_edif, vha, 0x70cf, ++ "%s: %06x event_code %x\n", ++ __func__, ack.port_id.b24, ack.event_code); ++ ++ fcport = qla2x00_find_fcport_by_pid(vha, &ack.port_id); ++ SET_DID_STATUS(bsg_reply->result, DID_OK); ++ ++ if (!fcport) { ++ ql_dbg(ql_dbg_edif, vha, 0x70cf, ++ "%s: unable to find fcport %06x \n", ++ __func__, ack.port_id.b24); ++ return 0; ++ } ++ ++ switch (ack.event_code) { ++ case VND_CMD_AUTH_STATE_SESSION_SHUTDOWN: ++ fcport->edif.sess_down_acked = 1; ++ break; ++ default: ++ break; ++ } ++ return 0; ++} ++ + int32_t + qla_edif_app_mgmt(struct bsg_job *bsg_job) + { +@@ -1109,6 +1133,9 @@ qla_edif_app_mgmt(struct bsg_job *bsg_jo + case QL_VND_SC_GET_STATS: + rval = qla_edif_app_getstats(vha, bsg_job); + break; ++ case QL_VND_SC_AEN_COMPLETE: ++ rval = qla_edif_ack(vha, bsg_job); ++ break; + default: + ql_dbg(ql_dbg_edif, vha, 0x911d, "%s unknown cmd=%x\n", + __func__, +@@ -3512,14 +3539,29 @@ int qla_edif_process_els(scsi_qla_host_t + + void qla_edif_sess_down(struct scsi_qla_host *vha, struct fc_port *sess) + { ++ u16 cnt = 0; ++ + if (sess->edif.app_sess_online && DBELL_ACTIVE(vha)) { + ql_dbg(ql_dbg_disc, vha, 0xf09c, + "%s: sess %8phN send port_offline event\n", + __func__, sess->port_name); + sess->edif.app_sess_online = 0; ++ sess->edif.sess_down_acked = 0; + qla_edb_eventcreate(vha, VND_CMD_AUTH_STATE_SESSION_SHUTDOWN, + sess->d_id.b24, 0, sess); + qla2x00_post_aen_work(vha, FCH_EVT_PORT_OFFLINE, sess->d_id.b24); ++ ++ while (!READ_ONCE(sess->edif.sess_down_acked) && ++ !test_bit(VPORT_DELETE, &vha->dpc_flags)) { ++ msleep(100); ++ cnt++; ++ if (cnt > 100) ++ break; ++ } ++ sess->edif.sess_down_acked = 0; ++ ql_dbg(ql_dbg_disc, vha, 0xf09c, ++ "%s: sess %8phN port_offline event completed\n", ++ __func__, sess->port_name); + } + } + +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -1483,7 +1483,6 @@ static int qla_chk_secure_login(scsi_qla + ql_dbg(ql_dbg_disc, vha, 0x20ef, + "%s %d %8phC EDIF: post DB_AUTH: AUTH needed\n", + __func__, __LINE__, fcport->port_name); +- fcport->edif.app_started = 1; + fcport->edif.app_sess_online = 1; + + qla_edb_eventcreate(vha, VND_CMD_AUTH_STATE_NEEDED, +@@ -5274,9 +5273,6 @@ qla2x00_alloc_fcport(scsi_qla_host_t *vh + INIT_LIST_HEAD(&fcport->edif.tx_sa_list); + INIT_LIST_HEAD(&fcport->edif.rx_sa_list); + +- if (vha->e_dbell.db_flags == EDB_ACTIVE) +- fcport->edif.app_started = 1; +- + spin_lock_init(&fcport->edif.indx_list_lock); + INIT_LIST_HEAD(&fcport->edif.edif_indx_list); + +--- a/drivers/scsi/qla2xxx/qla_target.c ++++ b/drivers/scsi/qla2xxx/qla_target.c +@@ -990,22 +990,6 @@ void qlt_free_session_done(struct work_s + sess->send_els_logo); + + if (!IS_SW_RESV_ADDR(sess->d_id)) { +- if (ha->flags.edif_enabled && +- (!own || own->iocb.u.isp24.status_subcode == ELS_PLOGI)) { +- sess->edif.authok = 0; +- if (!ha->flags.host_shutting_down) { +- ql_dbg(ql_dbg_edif, vha, 0x911e, +- "%s wwpn %8phC calling qla2x00_release_all_sadb\n", +- __func__, sess->port_name); +- qla2x00_release_all_sadb(vha, sess); +- } else { +- ql_dbg(ql_dbg_edif, vha, 0x911e, +- "%s bypassing release_all_sadb\n", +- __func__); +- } +- qla_edif_clear_appdata(vha, sess); +- qla_edif_sess_down(vha, sess); +- } + qla2x00_mark_device_lost(vha, sess, 0); + + if (sess->send_els_logo) { +@@ -1051,6 +1035,25 @@ void qlt_free_session_done(struct work_s + sess->nvme_flag |= NVME_FLAG_DELETING; + qla_nvme_unregister_remote_port(sess); + } ++ ++ if (ha->flags.edif_enabled && ++ (!own || (own && ++ own->iocb.u.isp24.status_subcode == ELS_PLOGI))) { ++ sess->edif.authok = 0; ++ if (!ha->flags.host_shutting_down) { ++ ql_dbg(ql_dbg_edif, vha, 0x911e, ++ "%s wwpn %8phC calling qla2x00_release_all_sadb\n", ++ __func__, sess->port_name); ++ qla2x00_release_all_sadb(vha, sess); ++ } else { ++ ql_dbg(ql_dbg_edif, vha, 0x911e, ++ "%s bypassing release_all_sadb\n", ++ __func__); ++ } ++ ++ qla_edif_clear_appdata(vha, sess); ++ qla_edif_sess_down(vha, sess); ++ } + } + + /* diff --git a/patches.suse/scsi-qla2xxx-edif-bsg-refactor.patch b/patches.suse/scsi-qla2xxx-edif-bsg-refactor.patch new file mode 100644 index 0000000..5053530 --- /dev/null +++ b/patches.suse/scsi-qla2xxx-edif-bsg-refactor.patch @@ -0,0 +1,329 @@ +From: Quinn Tran +Date: Mon, 6 Jun 2022 21:46:18 -0700 +Subject: scsi: qla2xxx: edif: bsg refactor +Patch-mainline: v5.20-rc1 +Git-commit: 7a7b0b4865d3490f62d6ef1a3aa39fa2b47859a4 +References: bsc#1201958 + + - Add version field to edif bsg for future enhancement. + + - Add version edif bsg version check + + - Remove unused interfaces and fields. + +Link: https://lore.kernel.org/r/20220607044627.19563-3-njavali@marvell.com +Fixes: dd30706e73b7 ("scsi: qla2xxx: edif: Add key update") +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_edif.c | 32 +++++++++--- + drivers/scsi/qla2xxx/qla_edif_bsg.h | 90 ++++++++++++++++++++++-------------- + 2 files changed, 79 insertions(+), 43 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_edif_bsg.h ++++ b/drivers/scsi/qla2xxx/qla_edif_bsg.h +@@ -7,13 +7,15 @@ + #ifndef __QLA_EDIF_BSG_H + #define __QLA_EDIF_BSG_H + ++#define EDIF_VERSION1 1 ++ + /* BSG Vendor specific commands */ + #define ELS_MAX_PAYLOAD 2112 + #ifndef WWN_SIZE + #define WWN_SIZE 8 + #endif +-#define VND_CMD_APP_RESERVED_SIZE 32 +- ++#define VND_CMD_APP_RESERVED_SIZE 28 ++#define VND_CMD_PAD_SIZE 3 + enum auth_els_sub_cmd { + SEND_ELS = 0, + SEND_ELS_REPLY, +@@ -28,7 +30,9 @@ struct extra_auth_els { + #define BSG_CTL_FLAG_LS_ACC 1 + #define BSG_CTL_FLAG_LS_RJT 2 + #define BSG_CTL_FLAG_TRM 3 +- uint8_t extra_rsvd[3]; ++ uint8_t version; ++ uint8_t pad[2]; ++ uint8_t reserved[VND_CMD_APP_RESERVED_SIZE]; + } __packed; + + struct qla_bsg_auth_els_request { +@@ -39,51 +43,46 @@ struct qla_bsg_auth_els_request { + struct qla_bsg_auth_els_reply { + struct fc_bsg_reply r; + uint32_t rx_xchg_address; ++ uint8_t version; ++ uint8_t pad[VND_CMD_PAD_SIZE]; ++ uint8_t reserved[VND_CMD_APP_RESERVED_SIZE]; + }; + + struct app_id { + int app_vid; +- uint8_t app_key[32]; ++ uint8_t version; ++ uint8_t pad[VND_CMD_PAD_SIZE]; ++ uint8_t reserved[VND_CMD_APP_RESERVED_SIZE]; + } __packed; + + struct app_start_reply { + uint32_t host_support_edif; + uint32_t edif_enode_active; + uint32_t edif_edb_active; +- uint32_t reserved[VND_CMD_APP_RESERVED_SIZE]; ++ uint8_t version; ++ uint8_t pad[VND_CMD_PAD_SIZE]; ++ uint8_t reserved[VND_CMD_APP_RESERVED_SIZE]; + } __packed; + + struct app_start { + struct app_id app_info; +- uint32_t prli_to; +- uint32_t key_shred; + uint8_t app_start_flags; +- uint8_t reserved[VND_CMD_APP_RESERVED_SIZE - 1]; ++ uint8_t version; ++ uint8_t pad[2]; ++ uint8_t reserved[VND_CMD_APP_RESERVED_SIZE]; + } __packed; + + struct app_stop { + struct app_id app_info; +- char buf[16]; ++ uint8_t version; ++ uint8_t pad[VND_CMD_PAD_SIZE]; ++ uint8_t reserved[VND_CMD_APP_RESERVED_SIZE]; + } __packed; + + struct app_plogi_reply { + uint32_t prli_status; +- uint8_t reserved[VND_CMD_APP_RESERVED_SIZE]; +-} __packed; +- +-#define RECFG_TIME 1 +-#define RECFG_BYTES 2 +- +-struct app_rekey_cfg { +- struct app_id app_info; +- uint8_t rekey_mode; +- port_id_t d_id; +- uint8_t force; +- union { +- int64_t bytes; +- int64_t time; +- } rky_units; +- ++ uint8_t version; ++ uint8_t pad[VND_CMD_PAD_SIZE]; + uint8_t reserved[VND_CMD_APP_RESERVED_SIZE]; + } __packed; + +@@ -91,7 +90,9 @@ struct app_pinfo_req { + struct app_id app_info; + uint8_t num_ports; + port_id_t remote_pid; +- uint8_t reserved[VND_CMD_APP_RESERVED_SIZE]; ++ uint8_t version; ++ uint8_t pad[VND_CMD_PAD_SIZE]; ++ uint8_t reserved[VND_CMD_APP_RESERVED_SIZE]; + } __packed; + + struct app_pinfo { +@@ -103,11 +104,8 @@ struct app_pinfo { + #define VND_CMD_RTYPE_INITIATOR 2 + uint8_t remote_state; + uint8_t auth_state; +- uint8_t rekey_mode; +- int64_t rekey_count; +- int64_t rekey_config_value; +- int64_t rekey_consumed_value; +- ++ uint8_t version; ++ uint8_t pad[VND_CMD_PAD_SIZE]; + uint8_t reserved[VND_CMD_APP_RESERVED_SIZE]; + } __packed; + +@@ -120,6 +118,8 @@ struct app_pinfo { + + struct app_pinfo_reply { + uint8_t port_count; ++ uint8_t version; ++ uint8_t pad[VND_CMD_PAD_SIZE]; + uint8_t reserved[VND_CMD_APP_RESERVED_SIZE]; + struct app_pinfo ports[0]; + } __packed; +@@ -127,6 +127,8 @@ struct app_pinfo_reply { + struct app_sinfo_req { + struct app_id app_info; + uint8_t num_ports; ++ uint8_t version; ++ uint8_t pad[VND_CMD_PAD_SIZE]; + uint8_t reserved[VND_CMD_APP_RESERVED_SIZE]; + } __packed; + +@@ -140,6 +142,9 @@ struct app_sinfo { + + struct app_stats_reply { + uint8_t elem_count; ++ uint8_t version; ++ uint8_t pad[VND_CMD_PAD_SIZE]; ++ uint8_t reserved[VND_CMD_APP_RESERVED_SIZE]; + struct app_sinfo elem[0]; + } __packed; + +@@ -163,9 +168,11 @@ struct qla_sa_update_frame { + uint8_t node_name[WWN_SIZE]; + uint8_t port_name[WWN_SIZE]; + port_id_t port_id; ++ uint8_t version; ++ uint8_t pad[VND_CMD_PAD_SIZE]; ++ uint8_t reserved2[VND_CMD_APP_RESERVED_SIZE]; + } __packed; + +-// used for edif mgmt bsg interface + #define QL_VND_SC_UNDEF 0 + #define QL_VND_SC_SA_UPDATE 1 + #define QL_VND_SC_APP_START 2 +@@ -175,6 +182,8 @@ struct qla_sa_update_frame { + #define QL_VND_SC_REKEY_CONFIG 6 + #define QL_VND_SC_GET_FCINFO 7 + #define QL_VND_SC_GET_STATS 8 ++#define QL_VND_SC_AEN_COMPLETE 9 ++ + + /* Application interface data structure for rtn data */ + #define EXT_DEF_EVENT_DATA_SIZE 64 +@@ -191,7 +200,9 @@ struct edif_sa_update_aen { + port_id_t port_id; + uint32_t key_type; /* Tx (1) or RX (2) */ + uint32_t status; /* 0 succes, 1 failed, 2 timeout , 3 error */ +- uint8_t reserved[16]; ++ uint8_t version; ++ uint8_t pad[VND_CMD_PAD_SIZE]; ++ uint8_t reserved[VND_CMD_APP_RESERVED_SIZE]; + } __packed; + + #define QL_VND_SA_STAT_SUCCESS 0 +@@ -212,7 +223,18 @@ struct auth_complete_cmd { + uint8_t wwpn[WWN_SIZE]; + port_id_t d_id; + } u; +- uint32_t reserved[VND_CMD_APP_RESERVED_SIZE]; ++ uint8_t version; ++ uint8_t pad[VND_CMD_PAD_SIZE]; ++ uint8_t reserved[VND_CMD_APP_RESERVED_SIZE]; ++} __packed; ++ ++struct aen_complete_cmd { ++ struct app_id app_info; ++ port_id_t port_id; ++ uint32_t event_code; ++ uint8_t version; ++ uint8_t pad[VND_CMD_PAD_SIZE]; ++ uint8_t reserved[VND_CMD_APP_RESERVED_SIZE]; + } __packed; + + #define RX_DELAY_DELETE_TIMEOUT 20 +--- a/drivers/scsi/qla2xxx/qla_edif.c ++++ b/drivers/scsi/qla2xxx/qla_edif.c +@@ -280,14 +280,19 @@ qla_edif_app_check(scsi_qla_host_t *vha, + { + /* check that the app is allow/known to the driver */ + +- if (appid.app_vid == EDIF_APP_ID) { +- ql_dbg(ql_dbg_edif + ql_dbg_verbose, vha, 0x911d, "%s app id ok\n", __func__); +- return true; ++ if (appid.app_vid != EDIF_APP_ID) { ++ ql_dbg(ql_dbg_edif, vha, 0x911d, "%s app id not ok (%x)", ++ __func__, appid.app_vid); ++ return false; ++ } ++ ++ if (appid.version != EDIF_VERSION1) { ++ ql_dbg(ql_dbg_edif, vha, 0x911d, "%s app version is not ok (%x)", ++ __func__, appid.version); ++ return false; + } +- ql_dbg(ql_dbg_edif, vha, 0x911d, "%s app id not ok (%x)", +- __func__, appid.app_vid); + +- return false; ++ return true; + } + + static void +@@ -555,6 +560,7 @@ qla_edif_app_start(scsi_qla_host_t *vha, + appreply.host_support_edif = vha->hw->flags.edif_enabled; + appreply.edif_enode_active = vha->pur_cinfo.enode_flags; + appreply.edif_edb_active = vha->e_dbell.db_flags; ++ appreply.version = EDIF_VERSION1; + + bsg_job->reply_len = sizeof(struct fc_bsg_reply); + +@@ -684,6 +690,7 @@ qla_edif_app_authok(scsi_qla_host_t *vha + portid.b.area = appplogiok.u.d_id.b.area; + portid.b.al_pa = appplogiok.u.d_id.b.al_pa; + ++ appplogireply.version = EDIF_VERSION1; + switch (appplogiok.type) { + case PL_TYPE_WWPN: + fcport = qla2x00_find_fcport_by_wwpn(vha, +@@ -876,6 +883,8 @@ qla_edif_app_getfcinfo(scsi_qla_host_t * + } else { + struct fc_port *fcport = NULL, *tf; + ++ app_reply->version = EDIF_VERSION1; ++ + list_for_each_entry_safe(fcport, tf, &vha->vp_fcports, list) { + if (!(fcport->flags & FCF_FCSP_DEVICE)) + continue; +@@ -892,9 +901,6 @@ qla_edif_app_getfcinfo(scsi_qla_host_t * + if (tdid.b24 != 0 && tdid.b24 != fcport->d_id.b24) + continue; + +- app_reply->ports[pcnt].rekey_count = +- fcport->edif.rekey_cnt; +- + if (fcport->scan_state != QLA_FCPORT_FOUND) + continue; + +@@ -909,6 +915,7 @@ qla_edif_app_getfcinfo(scsi_qla_host_t * + + rval = 0; + ++ app_reply->ports[pcnt].version = EDIF_VERSION1; + app_reply->ports[pcnt].remote_type = + VND_CMD_RTYPE_UNKNOWN; + if (fcport->port_type & (FCT_NVME_TARGET | FCT_TARGET)) +@@ -1005,6 +1012,8 @@ qla_edif_app_getstats(scsi_qla_host_t *v + } else { + struct fc_port *fcport = NULL, *tf; + ++ app_reply->version = EDIF_VERSION1; ++ + list_for_each_entry_safe(fcport, tf, &vha->vp_fcports, list) { + if (fcport->edif.enable) { + if (pcnt > app_req.num_ports) +@@ -2036,6 +2045,7 @@ qla_edb_eventcreate(scsi_qla_host_t *vha + edbnode->u.sa_aen.port_id = fcport->d_id; + edbnode->u.sa_aen.status = data; + edbnode->u.sa_aen.key_type = data2; ++ edbnode->u.sa_aen.version = EDIF_VERSION1; + break; + default: + ql_dbg(ql_dbg_edif, vha, 0x09102, +@@ -3379,6 +3389,10 @@ int qla_edif_process_els(scsi_qla_host_t + port_id_t d_id; + struct qla_bsg_auth_els_request *p = + (struct qla_bsg_auth_els_request *)bsg_job->request; ++ struct qla_bsg_auth_els_reply *rpl = ++ (struct qla_bsg_auth_els_reply *)bsg_job->reply; ++ ++ rpl->version = EDIF_VERSION1; + + d_id.b.al_pa = bsg_request->rqst_data.h_els.port_id[2]; + d_id.b.area = bsg_request->rqst_data.h_els.port_id[1]; diff --git a/patches.suse/serial-mvebu-uart-correctly-report-configured-baudra.patch b/patches.suse/serial-mvebu-uart-correctly-report-configured-baudra.patch new file mode 100644 index 0000000..2a07b7d --- /dev/null +++ b/patches.suse/serial-mvebu-uart-correctly-report-configured-baudra.patch @@ -0,0 +1,92 @@ +From: =?UTF-8?q?Pali=20Roh=C3=A1r?= +Date: Tue, 28 Jun 2022 12:09:22 +0200 +Subject: serial: mvebu-uart: correctly report configured baudrate value +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Git-commit: 4f532c1e25319e42996ec18a1f473fd50c8e575d +Patch-mainline: v5.19-rc7 +References: git-fixes + +Functions tty_termios_encode_baud_rate() and uart_update_timeout() should +be called with the baudrate value which was set to hardware. Linux then +report exact values via ioctl(TCGETS2) to userspace. + +Change mvebu_uart_baud_rate_set() function to return baudrate value which +was set to hardware and propagate this value to above mentioned functions. + +With this change userspace would see precise value in termios c_ospeed +field. + +Fixes: 68a0db1d7da2 ("serial: mvebu-uart: add function to change baudrate") +Cc: stable +Reviewed-by: Ilpo Järvinen +Signed-off-by: Pali Rohár +Link: https://lore.kernel.org/r/20220628100922.10717-1-pali@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Mian Yousaf Kaukab +--- + drivers/tty/serial/mvebu-uart.c | 25 +++++++++++++------------ + 1 file changed, 13 insertions(+), 12 deletions(-) + +--- a/drivers/tty/serial/mvebu-uart.c ++++ b/drivers/tty/serial/mvebu-uart.c +@@ -453,13 +453,13 @@ static void mvebu_uart_shutdown(struct u + } + } + +-static int mvebu_uart_baud_rate_set(struct uart_port *port, unsigned int baud) ++static unsigned int mvebu_uart_baud_rate_set(struct uart_port *port, unsigned int baud) + { + unsigned int d_divisor, m_divisor; + u32 brdv; + + if (!port->uartclk) +- return -EOPNOTSUPP; ++ return 0; + + /* + * The baudrate is derived from the UART clock thanks to two divisors: +@@ -479,7 +479,7 @@ static int mvebu_uart_baud_rate_set(stru + brdv |= d_divisor; + writel(brdv, port->membase + UART_BRDV); + +- return 0; ++ return DIV_ROUND_CLOSEST(port->uartclk, d_divisor * m_divisor); + } + + static void mvebu_uart_set_termios(struct uart_port *port, +@@ -516,15 +516,11 @@ static void mvebu_uart_set_termios(struc + max_baud = 230400; + + baud = uart_get_baud_rate(port, termios, old, min_baud, max_baud); +- if (mvebu_uart_baud_rate_set(port, baud)) { +- /* No clock available, baudrate cannot be changed */ +- if (old) +- baud = uart_get_baud_rate(port, old, NULL, +- min_baud, max_baud); +- } else { +- tty_termios_encode_baud_rate(termios, baud, baud); +- uart_update_timeout(port, termios->c_cflag, baud); +- } ++ baud = mvebu_uart_baud_rate_set(port, baud); ++ ++ /* In case baudrate cannot be changed, report previous old value */ ++ if (baud == 0 && old) ++ baud = tty_termios_baud_rate(old); + + /* Only the following flag changes are supported */ + if (old) { +@@ -535,6 +531,11 @@ static void mvebu_uart_set_termios(struc + termios->c_cflag |= CS8; + } + ++ if (baud != 0) { ++ tty_termios_encode_baud_rate(termios, baud, baud); ++ uart_update_timeout(port, termios->c_cflag, baud); ++ } ++ + spin_unlock_irqrestore(&port->lock, flags); + } + diff --git a/patches.suse/sysfs-Add-sysfs_emit-and-sysfs_emit_at-to-format-sys.patch b/patches.suse/sysfs-Add-sysfs_emit-and-sysfs_emit_at-to-format-sys.patch new file mode 100644 index 0000000..ec0e5a3 --- /dev/null +++ b/patches.suse/sysfs-Add-sysfs_emit-and-sysfs_emit_at-to-format-sys.patch @@ -0,0 +1,138 @@ +From 2efc459d06f1630001e3984854848a5647086232 Mon Sep 17 00:00:00 2001 +From: Joe Perches +Date: Wed, 16 Sep 2020 13:40:38 -0700 +Subject: [PATCH] sysfs: Add sysfs_emit and sysfs_emit_at to format sysfs + output +Git-commit: 2efc459d06f1630001e3984854848a5647086232 +Patch-mainline: v5.10-rc1 +References: bsc#1200598 CVE-2022-20166 + +Output defects can exist in sysfs content using sprintf and snprintf. + +sprintf does not know the PAGE_SIZE maximum of the temporary buffer +used for outputting sysfs content and it's possible to overrun the +PAGE_SIZE buffer length. + +Add a generic sysfs_emit function that knows that the size of the +temporary buffer and ensures that no overrun is done. + +Add a generic sysfs_emit_at function that can be used in multiple +call situations that also ensures that no overrun is done. + +Validate the output buffer argument to be page aligned. +Validate the offset len argument to be within the PAGE_SIZE buf. + +Signed-off-by: Joe Perches +Link: https://lore.kernel.org/r/884235202216d464d61ee975f7465332c86f76b2.1600285923.git.joe@perches.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Petr Mladek + +[pmladek@suse.com: Removed changes in the documentation. The new API is not + used everywhere in the old code base. +] + +--- + fs/sysfs/file.c | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++ + include/linux/sysfs.h | 16 ++++++++++++++ + 2 files changed, 71 insertions(+) + +--- a/fs/sysfs/file.c ++++ b/fs/sysfs/file.c +@@ -17,6 +17,7 @@ + #include + #include + #include ++#include + + #include "sysfs.h" + #include "../kernfs/kernfs-internal.h" +@@ -549,3 +550,57 @@ void sysfs_remove_bin_file(struct kobjec + kernfs_remove_by_name(kobj->sd, attr->attr.name); + } + EXPORT_SYMBOL_GPL(sysfs_remove_bin_file); ++ ++/** ++ * sysfs_emit - scnprintf equivalent, aware of PAGE_SIZE buffer. ++ * @buf: start of PAGE_SIZE buffer. ++ * @fmt: format ++ * @...: optional arguments to @format ++ * ++ * ++ * Returns number of characters written to @buf. ++ */ ++int sysfs_emit(char *buf, const char *fmt, ...) ++{ ++ va_list args; ++ int len; ++ ++ if (WARN(!buf || offset_in_page(buf), ++ "invalid sysfs_emit: buf:%p\n", buf)) ++ return 0; ++ ++ va_start(args, fmt); ++ len = vscnprintf(buf, PAGE_SIZE, fmt, args); ++ va_end(args); ++ ++ return len; ++} ++EXPORT_SYMBOL_GPL(sysfs_emit); ++ ++/** ++ * sysfs_emit_at - scnprintf equivalent, aware of PAGE_SIZE buffer. ++ * @buf: start of PAGE_SIZE buffer. ++ * @at: offset in @buf to start write in bytes ++ * @at must be >= 0 && < PAGE_SIZE ++ * @fmt: format ++ * @...: optional arguments to @fmt ++ * ++ * ++ * Returns number of characters written starting at &@buf[@at]. ++ */ ++int sysfs_emit_at(char *buf, int at, const char *fmt, ...) ++{ ++ va_list args; ++ int len; ++ ++ if (WARN(!buf || offset_in_page(buf) || at < 0 || at >= PAGE_SIZE, ++ "invalid sysfs_emit_at: buf:%p at:%d\n", buf, at)) ++ return 0; ++ ++ va_start(args, fmt); ++ len = vscnprintf(buf + at, PAGE_SIZE - at, fmt, args); ++ va_end(args); ++ ++ return len; ++} ++EXPORT_SYMBOL_GPL(sysfs_emit_at); +--- a/include/linux/sysfs.h ++++ b/include/linux/sysfs.h +@@ -300,6 +300,11 @@ static inline void sysfs_enable_ns(struc + return kernfs_enable_ns(kn); + } + ++__printf(2, 3) ++int sysfs_emit(char *buf, const char *fmt, ...); ++__printf(3, 4) ++int sysfs_emit_at(char *buf, int at, const char *fmt, ...); ++ + #else /* CONFIG_SYSFS */ + + static inline int sysfs_create_dir_ns(struct kobject *kobj, const void *ns) +@@ -506,6 +511,17 @@ static inline void sysfs_enable_ns(struc + { + } + ++__printf(2, 3) ++static inline int sysfs_emit(char *buf, const char *fmt, ...) ++{ ++ return 0; ++} ++ ++__printf(3, 4) ++static inline int sysfs_emit_at(char *buf, int at, const char *fmt, ...) ++{ ++ return 0; ++} + #endif /* CONFIG_SYSFS */ + + static inline int __must_check sysfs_create_file(struct kobject *kobj, diff --git a/patches.suse/tty-extract-tty_flip_buffer_commit-from-tty_flip_buf.patch b/patches.suse/tty-extract-tty_flip_buffer_commit-from-tty_flip_buf.patch new file mode 100644 index 0000000..a8d4ec2 --- /dev/null +++ b/patches.suse/tty-extract-tty_flip_buffer_commit-from-tty_flip_buf.patch @@ -0,0 +1,53 @@ +From: Jiri Slaby +Date: Thu, 7 Jul 2022 10:25:57 +0200 +Subject: tty: extract tty_flip_buffer_commit() from tty_flip_buffer_push() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty.git#tty-linus +Git-commit: 716b10580283fda66f2b88140e3964f8a7f9da89 +Patch-mainline: Queued in subsystem maintainer repository +References: bsc#1198829 CVE-2022-1462 + +We will need this new helper in the next patch. + +Cc: Hillf Danton +Cc: 一只狗 +Cc: Dan Carpenter +Signed-off-by: Jiri Slaby +Link: https://lore.kernel.org/r/20220707082558.9250-1-jslaby@suse.cz +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/tty_buffer.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/drivers/tty/tty_buffer.c ++++ b/drivers/tty/tty_buffer.c +@@ -387,6 +387,15 @@ int __tty_insert_flip_char(struct tty_po + } + EXPORT_SYMBOL(__tty_insert_flip_char); + ++static inline void tty_flip_buffer_commit(struct tty_buffer *tail) ++{ ++ /* ++ * Paired w/ acquire in flush_to_ldisc(); ensures flush_to_ldisc() sees ++ * buffer data. ++ */ ++ smp_store_release(&tail->commit, tail->used); ++} ++ + /** + * tty_schedule_flip - push characters to ldisc + * @port: tty port to push from +@@ -400,10 +409,7 @@ void tty_schedule_flip(struct tty_port * + { + struct tty_bufhead *buf = &port->buf; + +- /* paired w/ acquire in flush_to_ldisc(); ensures +- * flush_to_ldisc() sees buffer data. +- */ +- smp_store_release(&buf->tail->commit, buf->tail->used); ++ tty_flip_buffer_commit(buf->tail); + queue_work(system_unbound_wq, &buf->work); + } + EXPORT_SYMBOL(tty_schedule_flip); diff --git a/patches.suse/tty-serial-fsl_lpuart-fix-potential-bug-when-using-b.patch b/patches.suse/tty-serial-fsl_lpuart-fix-potential-bug-when-using-b.patch new file mode 100644 index 0000000..37519cf --- /dev/null +++ b/patches.suse/tty-serial-fsl_lpuart-fix-potential-bug-when-using-b.patch @@ -0,0 +1,117 @@ +From: Sherry Sun +Date: Mon, 21 Mar 2022 19:22:11 +0800 +Subject: tty: serial: fsl_lpuart: fix potential bug when using both + of_alias_get_id and ida_simple_get + +Git-commit: f398e0aa325c61fa20903833a5b534ecb8e6e418 +Patch-mainline: v5.19-rc1 +References: git-fixes + +Now fsl_lpuart driver use both of_alias_get_id() and ida_simple_get() in +.probe(), which has the potential bug. For example, when remove the +lpuart7 alias in dts, of_alias_get_id() will return error, then call +ida_simple_get() to allocate the id 0 for lpuart7, this may confilct +with the lpuart4 which has alias 0. + + aliases { + ... + serial0 = &lpuart4; + serial1 = &lpuart5; + serial2 = &lpuart6; + serial3 = &lpuart7; + } + +So remove the ida_simple_get() in .probe(), return an error directly +when calling of_alias_get_id() fails, which is consistent with other +uart drivers behavior. + +Fixes: 3bc3206e1c0f ("serial: fsl_lpuart: Remove the alias node dependence") +Signed-off-by: Sherry Sun +Link: https://lore.kernel.org/r/20220321112211.8895-1-sherry.sun@nxp.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Mian Yousaf Kaukab +--- + drivers/tty/serial/fsl_lpuart.c | 24 ++++-------------------- + 1 file changed, 4 insertions(+), 20 deletions(-) + +diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c +index 8fea7fd915d2..a2b39a1f5212 100644 +--- a/drivers/tty/serial/fsl_lpuart.c ++++ b/drivers/tty/serial/fsl_lpuart.c +@@ -239,8 +239,6 @@ + /* IMX lpuart has four extra unused regs located at the beginning */ + #define IMX_REG_OFF 0x10 + +-static DEFINE_IDA(fsl_lpuart_ida); +- + enum lpuart_type { + VF610_LPUART, + LS1021A_LPUART, +@@ -276,7 +274,6 @@ struct lpuart_port { + int rx_dma_rng_buf_len; + unsigned int dma_tx_nents; + wait_queue_head_t dma_wait; +- bool id_allocated; + }; + + struct lpuart_soc_data { +@@ -2684,23 +2681,18 @@ static int lpuart_probe(struct platform_device *pdev) + + ret = of_alias_get_id(np, "serial"); + if (ret < 0) { +- ret = ida_simple_get(&fsl_lpuart_ida, 0, UART_NR, GFP_KERNEL); +- if (ret < 0) { +- dev_err(&pdev->dev, "port line is full, add device failed\n"); +- return ret; +- } +- sport->id_allocated = true; ++ dev_err(&pdev->dev, "failed to get alias id, errno %d\n", ret); ++ return ret; + } + if (ret >= ARRAY_SIZE(lpuart_ports)) { + dev_err(&pdev->dev, "serial%d out of range\n", ret); +- ret = -EINVAL; +- goto failed_out_of_range; ++ return -EINVAL; + } + sport->port.line = ret; + + ret = lpuart_enable_clks(sport); + if (ret) +- goto failed_clock_enable; ++ return ret; + sport->port.uartclk = lpuart_get_baud_clk_rate(sport); + + lpuart_ports[sport->port.line] = sport; +@@ -2749,10 +2741,6 @@ static int lpuart_probe(struct platform_device *pdev) + failed_attach_port: + failed_irq_request: + lpuart_disable_clks(sport); +-failed_clock_enable: +-failed_out_of_range: +- if (sport->id_allocated) +- ida_simple_remove(&fsl_lpuart_ida, sport->port.line); + return ret; + } + +@@ -2762,9 +2750,6 @@ static int lpuart_remove(struct platform_device *pdev) + + uart_remove_one_port(&lpuart_reg, &sport->port); + +- if (sport->id_allocated) +- ida_simple_remove(&fsl_lpuart_ida, sport->port.line); +- + lpuart_disable_clks(sport); + + if (sport->dma_tx_chan) +@@ -2894,7 +2879,6 @@ static int __init lpuart_serial_init(void) + + static void __exit lpuart_serial_exit(void) + { +- ida_destroy(&fsl_lpuart_ida); + platform_driver_unregister(&lpuart_driver); + uart_unregister_driver(&lpuart_reg); + } +-- +2.35.3 + diff --git a/patches.suse/tty-use-new-tty_insert_flip_string_and_push_buffer-i.patch b/patches.suse/tty-use-new-tty_insert_flip_string_and_push_buffer-i.patch new file mode 100644 index 0000000..b935a45 --- /dev/null +++ b/patches.suse/tty-use-new-tty_insert_flip_string_and_push_buffer-i.patch @@ -0,0 +1,117 @@ +From: Jiri Slaby +Date: Thu, 7 Jul 2022 10:25:58 +0200 +Subject: tty: use new tty_insert_flip_string_and_push_buffer() in pty_write() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty.git#tty-linus +Git-commit: a501ab75e7624d133a5a3c7ec010687c8b961d23 +Patch-mainline: Queued in subsystem maintainer repository +References: bsc#1198829 CVE-2022-1462 + +There is a race in pty_write(). pty_write() can be called in parallel +with e.g. ioctl(TIOCSTI) or ioctl(TCXONC) which also inserts chars to +the buffer. Provided, tty_flip_buffer_push() in pty_write() is called +outside the lock, it can commit inconsistent tail. This can lead to out +of bounds writes and other issues. See the Link below. + +To fix this, we have to introduce a new helper called +tty_insert_flip_string_and_push_buffer(). It does both +tty_insert_flip_string() and tty_flip_buffer_commit() under the port +lock. It also calls queue_work(), but outside the lock. See +71a174b39f10 (pty: do tty_flip_buffer_push without port->lock in +pty_write) for the reasons. + +Keep the helper internal-only (in drivers' tty.h). It is not intended to +be used widely. + +Link: https://seclists.org/oss-sec/2022/q2/155 +Fixes: 71a174b39f10 (pty: do tty_flip_buffer_push without port->lock in pty_write) +Cc: 一只狗 +Cc: Dan Carpenter +Suggested-by: Hillf Danton +Signed-off-by: Jiri Slaby +Link: https://lore.kernel.org/r/20220707082558.9250-2-jslaby@suse.cz +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/pty.c | 14 ++------------ + drivers/tty/tty_buffer.c | 31 +++++++++++++++++++++++++++++++ + include/linux/tty.h | 3 +++ + 3 files changed, 36 insertions(+), 12 deletions(-) + +--- a/drivers/tty/pty.c ++++ b/drivers/tty/pty.c +@@ -111,21 +111,11 @@ static void pty_unthrottle(struct tty_st + static int pty_write(struct tty_struct *tty, const unsigned char *buf, int c) + { + struct tty_struct *to = tty->link; +- unsigned long flags; + +- if (tty->stopped) ++ if (tty->stopped || !c) + return 0; + +- if (c > 0) { +- spin_lock_irqsave(&to->port->lock, flags); +- /* Stuff the data into the input queue of the other end */ +- c = tty_insert_flip_string(to->port, buf, c); +- spin_unlock_irqrestore(&to->port->lock, flags); +- /* And shovel */ +- if (c) +- tty_flip_buffer_push(to->port); +- } +- return c; ++ return tty_insert_flip_string_and_push_buffer(to->port, buf, c); + } + + /** +--- a/drivers/tty/tty_buffer.c ++++ b/drivers/tty/tty_buffer.c +@@ -567,6 +567,37 @@ void tty_flip_buffer_push(struct tty_por + EXPORT_SYMBOL(tty_flip_buffer_push); + + /** ++ * tty_insert_flip_string_and_push_buffer - add characters to the tty buffer and ++ * push ++ * @port: tty port ++ * @chars: characters ++ * @size: size ++ * ++ * The function combines tty_insert_flip_string() and tty_flip_buffer_push() ++ * with the exception of properly holding the @port->lock. ++ * ++ * To be used only internally (by pty currently). ++ * ++ * Returns: the number added. ++ */ ++int tty_insert_flip_string_and_push_buffer(struct tty_port *port, ++ const unsigned char *chars, size_t size) ++{ ++ struct tty_bufhead *buf = &port->buf; ++ unsigned long flags; ++ ++ spin_lock_irqsave(&port->lock, flags); ++ size = tty_insert_flip_string(port, chars, size); ++ if (size) ++ tty_flip_buffer_commit(buf->tail); ++ spin_unlock_irqrestore(&port->lock, flags); ++ ++ queue_work(system_unbound_wq, &buf->work); ++ ++ return size; ++} ++ ++/** + * tty_buffer_init - prepare a tty buffer structure + * @tty: tty to initialise + * +--- a/include/linux/tty.h ++++ b/include/linux/tty.h +@@ -798,4 +798,7 @@ static inline void proc_tty_unregister_d + #define tty_info_ratelimited(tty, f, ...) \ + tty_msg(pr_info_ratelimited, tty, f, ##__VA_ARGS__) + ++int tty_insert_flip_string_and_push_buffer(struct tty_port *port, ++ const unsigned char *chars, size_t cnt); ++ + #endif diff --git a/patches.suse/vrf-Fix-IPv6-with-qdisc-and-xfrm.patch b/patches.suse/vrf-Fix-IPv6-with-qdisc-and-xfrm.patch new file mode 100644 index 0000000..1709144 --- /dev/null +++ b/patches.suse/vrf-Fix-IPv6-with-qdisc-and-xfrm.patch @@ -0,0 +1,40 @@ +From f7c4b49fcf5dc1858f52589d5c7c3815e8e97b95 Mon Sep 17 00:00:00 2001 +From: Denis Kirjanov +Date: Wed, 27 Jul 2022 11:23:59 +0300 +Subject: [PATCH 4/8] vrf: Fix IPv6 with qdisc and xfrm +Git-commit: a53c102872ad6e34e1518e25899dc9498c27f8b1 +Patch-mainline: v5.7-rc3 +References: git-fixes + +When a qdisc is attached to the VRF device, the packet goes down the ndo +xmit function which is setup to send the packet back to the VRF driver +which does a lookup to send the packet out. The lookup in the VRF driver +is not considering xfrm policies. Change it to use ip6_dst_lookup_flow +rather than ip6_route_output. + +Fixes: 35402e313663 ("net: Add IPv6 support to VRF device") +Signed-off-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/vrf.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c +index 50139b8a6f4e..8a91e6480e6a 100644 +--- a/drivers/net/vrf.c ++++ b/drivers/net/vrf.c +@@ -192,8 +192,8 @@ static netdev_tx_t vrf_process_v6_outbound(struct sk_buff *skb, + fl6.flowi6_proto = iph->nexthdr; + fl6.flowi6_flags = FLOWI_FLAG_SKIP_NH_OIF; + +- dst = ip6_route_output(net, NULL, &fl6); +- if (dst == dst_null) ++ dst = ip6_dst_lookup_flow__net(net, NULL, &fl6, NULL); ++ if (IS_ERR(dst) || dst == dst_null) + goto err; + + skb_dst_drop(skb); +-- +2.16.4 + diff --git a/patches.suse/vt-drop-old-FONT-ioctls.patch b/patches.suse/vt-drop-old-FONT-ioctls.patch new file mode 100644 index 0000000..eb5327d --- /dev/null +++ b/patches.suse/vt-drop-old-FONT-ioctls.patch @@ -0,0 +1,287 @@ +From: Jiri Slaby +Date: Tue, 5 Jan 2021 13:02:35 +0100 +Subject: vt: drop old FONT ioctls +Git-commit: ff2047fb755d4415ec3c70ac799889371151796d +Patch-mainline: 5.12-rc1 +References: bsc#1201636 CVE-2021-33656 + +Drop support for these ioctls: +* PIO_FONT, PIO_FONTX +* GIO_FONT, GIO_FONTX +* PIO_FONTRESET + +As was demonstrated by commit 90bfdeef83f1 (tty: make FONTX ioctl use +the tty pointer they were actually passed), these ioctls are not used +from userspace, as: +1) they used to be broken (set up font on current console, not the open + one) and racy (before the commit above) +2) KDFONTOP ioctl is used for years instead + +Note that PIO_FONTRESET is defunct on most systems as VGA_CONSOLE is set +on them for ages. That turns on BROKEN_GRAPHICS_PROGRAMS which makes +PIO_FONTRESET just return an error. + +We are removing KD_FONT_FLAG_OLD here as it was used only by these +removed ioctls. kd.h header exists both in kernel and uapi headers, so +we can remove the kernel one completely. Everyone includeing kd.h will +now automatically get the uapi one. + +There are now unused definitions of the ioctl numbers and "struct +consolefontdesc" in kd.h, but as it is a uapi header, I am not touching +these. + +Signed-off-by: Jiri Slaby +Link: https://lore.kernel.org/r/20210105120239.28031-8-jslaby@suse.cz +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/vt/vt.c | 34 ---------- + drivers/tty/vt/vt_ioctl.c | 149 ---------------------------------------------- + include/linux/kd.h | 7 -- + 3 files changed, 3 insertions(+), 187 deletions(-) + delete mode 100644 include/linux/kd.h + +--- a/drivers/tty/vt/vt.c ++++ b/drivers/tty/vt/vt.c +@@ -4085,16 +4085,8 @@ static int con_font_get(struct vc_data * + + if (op->data && font.charcount > op->charcount) + rc = -ENOSPC; +- if (!(op->flags & KD_FONT_FLAG_OLD)) { +- if (font.width > op->width || font.height > op->height) +- rc = -ENOSPC; +- } else { +- if (font.width != 8) +- rc = -EIO; +- else if ((op->height && font.height > op->height) || +- font.height > 32) +- rc = -ENOSPC; +- } ++ if (font.width > op->width || font.height > op->height) ++ rc = -ENOSPC; + if (rc) + goto out; + +@@ -4122,27 +4114,7 @@ static int con_font_set(struct vc_data * + return -EINVAL; + if (op->charcount > 512) + return -EINVAL; +- if (!op->height) { /* Need to guess font height [compat] */ +- int h, i; +- u8 __user *charmap = op->data; +- u8 tmp; +- +- /* If from KDFONTOP ioctl, don't allow things which can be done in userland, +- so that we can get rid of this soon */ +- if (!(op->flags & KD_FONT_FLAG_OLD)) +- return -EINVAL; +- for (h = 32; h > 0; h--) +- for (i = 0; i < op->charcount; i++) { +- if (get_user(tmp, &charmap[32*i+h-1])) +- return -EFAULT; +- if (tmp) +- goto nonzero; +- } +- return -EINVAL; +- nonzero: +- op->height = h; +- } +- if (op->width <= 0 || op->width > 32 || op->height > 32) ++ if (op->width <= 0 || op->width > 32 || !op->height || op->height > 32) + return -EINVAL; + size = (op->width+7)/8 * 32 * op->charcount; + if (size > max_font_size) +--- a/drivers/tty/vt/vt_ioctl.c ++++ b/drivers/tty/vt/vt_ioctl.c +@@ -219,48 +219,6 @@ int vt_waitactive(int n) + #define GPLAST 0x3df + #define GPNUM (GPLAST - GPFIRST + 1) + +- +- +-static inline int +-do_fontx_ioctl(struct vc_data *vc, int cmd, struct consolefontdesc __user *user_cfd, int perm, struct console_font_op *op) +-{ +- struct consolefontdesc cfdarg; +- int i; +- +- if (copy_from_user(&cfdarg, user_cfd, sizeof(struct consolefontdesc))) +- return -EFAULT; +- +- switch (cmd) { +- case PIO_FONTX: +- if (!perm) +- return -EPERM; +- op->op = KD_FONT_OP_SET; +- op->flags = KD_FONT_FLAG_OLD; +- op->width = 8; +- op->height = cfdarg.charheight; +- op->charcount = cfdarg.charcount; +- op->data = cfdarg.chardata; +- return con_font_op(vc, op); +- +- case GIO_FONTX: +- op->op = KD_FONT_OP_GET; +- op->flags = KD_FONT_FLAG_OLD; +- op->width = 8; +- op->height = cfdarg.charheight; +- op->charcount = cfdarg.charcount; +- op->data = cfdarg.chardata; +- i = con_font_op(vc, op); +- if (i) +- return i; +- cfdarg.charheight = op->height; +- cfdarg.charcount = op->charcount; +- if (copy_to_user(user_cfd, &cfdarg, sizeof(struct consolefontdesc))) +- return -EFAULT; +- return 0; +- } +- return -EINVAL; +-} +- + static inline int + do_unimap_ioctl(int cmd, struct unimapdesc __user *user_ud, int perm, struct vc_data *vc) + { +@@ -907,30 +865,6 @@ int vt_ioctl(struct tty_struct *tty, + break; + } + +- case PIO_FONT: { +- if (!perm) +- return -EPERM; +- op.op = KD_FONT_OP_SET; +- op.flags = KD_FONT_FLAG_OLD | KD_FONT_FLAG_DONT_RECALC; /* Compatibility */ +- op.width = 8; +- op.height = 0; +- op.charcount = 256; +- op.data = up; +- ret = con_font_op(vc, &op); +- break; +- } +- +- case GIO_FONT: { +- op.op = KD_FONT_OP_GET; +- op.flags = KD_FONT_FLAG_OLD; +- op.width = 8; +- op.height = 32; +- op.charcount = 256; +- op.data = up; +- ret = con_font_op(vc, &op); +- break; +- } +- + case PIO_CMAP: + if (!perm) + ret = -EPERM; +@@ -942,36 +876,6 @@ int vt_ioctl(struct tty_struct *tty, + ret = con_get_cmap(up); + break; + +- case PIO_FONTX: +- case GIO_FONTX: +- ret = do_fontx_ioctl(vc, cmd, up, perm, &op); +- break; +- +- case PIO_FONTRESET: +- { +- if (!perm) +- return -EPERM; +- +-#ifdef BROKEN_GRAPHICS_PROGRAMS +- /* With BROKEN_GRAPHICS_PROGRAMS defined, the default +- font is not saved. */ +- ret = -ENOSYS; +- break; +-#else +- { +- op.op = KD_FONT_OP_SET_DEFAULT; +- op.data = NULL; +- ret = con_font_op(vc, &op); +- if (ret) +- break; +- console_lock(); +- con_set_default_unimap(vc); +- console_unlock(); +- break; +- } +-#endif +- } +- + case KDFONTOP: { + if (copy_from_user(&op, up, sizeof(op))) { + ret = -EFAULT; +@@ -1085,54 +989,6 @@ void vc_SAK(struct work_struct *work) + + #ifdef CONFIG_COMPAT + +-struct compat_consolefontdesc { +- unsigned short charcount; /* characters in font (256 or 512) */ +- unsigned short charheight; /* scan lines per character (1-32) */ +- compat_caddr_t chardata; /* font data in expanded form */ +-}; +- +-static inline int +-compat_fontx_ioctl(struct vc_data *vc, int cmd, +- struct compat_consolefontdesc __user *user_cfd, +- int perm, struct console_font_op *op) +-{ +- struct compat_consolefontdesc cfdarg; +- int i; +- +- if (copy_from_user(&cfdarg, user_cfd, sizeof(struct compat_consolefontdesc))) +- return -EFAULT; +- +- switch (cmd) { +- case PIO_FONTX: +- if (!perm) +- return -EPERM; +- op->op = KD_FONT_OP_SET; +- op->flags = KD_FONT_FLAG_OLD; +- op->width = 8; +- op->height = cfdarg.charheight; +- op->charcount = cfdarg.charcount; +- op->data = compat_ptr(cfdarg.chardata); +- return con_font_op(vc, op); +- +- case GIO_FONTX: +- op->op = KD_FONT_OP_GET; +- op->flags = KD_FONT_FLAG_OLD; +- op->width = 8; +- op->height = cfdarg.charheight; +- op->charcount = cfdarg.charcount; +- op->data = compat_ptr(cfdarg.chardata); +- i = con_font_op(vc, op); +- if (i) +- return i; +- cfdarg.charheight = op->height; +- cfdarg.charcount = op->charcount; +- if (copy_to_user(user_cfd, &cfdarg, sizeof(struct compat_consolefontdesc))) +- return -EFAULT; +- return 0; +- } +- return -EINVAL; +-} +- + struct compat_console_font_op { + compat_uint_t op; /* operation code KD_FONT_OP_* */ + compat_uint_t flags; /* KD_FONT_FLAG_* */ +@@ -1228,10 +1228,6 @@ long vt_compat_ioctl(struct tty_struct * + /* + * these need special handlers for incompatible data structures + */ +- case PIO_FONTX: +- case GIO_FONTX: +- return compat_fontx_ioctl(vc, cmd, up, perm, &op); +- + case KDFONTOP: + return compat_kdfontop_ioctl(up, perm, &op, vc); + +--- a/include/linux/kd.h ++++ /dev/null +@@ -1,7 +0,0 @@ +-#ifndef _LINUX_KD_H +-#define _LINUX_KD_H +- +-#include +- +-#define KD_FONT_FLAG_OLD 0x80000000 /* Invoked via old interface [compat] */ +-#endif /* _LINUX_KD_H */ diff --git a/patches.suse/vt-vt_ioctl-fix-VT_DISALLOCATE-freeing-in-use-virtua.patch b/patches.suse/vt-vt_ioctl-fix-VT_DISALLOCATE-freeing-in-use-virtua.patch index feaaf8b..e4e58d6 100644 --- a/patches.suse/vt-vt_ioctl-fix-VT_DISALLOCATE-freeing-in-use-virtua.patch +++ b/patches.suse/vt-vt_ioctl-fix-VT_DISALLOCATE-freeing-in-use-virtua.patch @@ -4,7 +4,7 @@ Date: Sat, 21 Mar 2020 20:43:04 -0700 Subject: [PATCH] vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console Git-commit: ca4463bf8438b403596edd0ec961ca0d4fbe0220 -References: git-fixes +References: bsc#1201429 CVE-2020-36557 Patch-mainline: v5.7-rc1 The VT_DISALLOCATE ioctl can free a virtual console while tty_release() diff --git a/patches.suse/vt-vt_ioctl-fix-race-in-VT_RESIZEX.patch b/patches.suse/vt-vt_ioctl-fix-race-in-VT_RESIZEX.patch index 0e091e3..5b863a0 100644 --- a/patches.suse/vt-vt_ioctl-fix-race-in-VT_RESIZEX.patch +++ b/patches.suse/vt-vt_ioctl-fix-race-in-VT_RESIZEX.patch @@ -3,7 +3,7 @@ From: Eric Dumazet Date: Mon, 10 Feb 2020 11:07:21 -0800 Subject: [PATCH] vt: vt_ioctl: fix race in VT_RESIZEX Git-commit: 6cd1ed50efd88261298577cd92a14f2768eddeeb -References: git-fixes +References: bsc#1200910 CVE-2020-36558 Patch-mainline: v5.6-rc3 We need to make sure vc_cons[i].d is not NULL after grabbing diff --git a/patches.suse/x86-Add-magic-AMD-return-thunk.patch b/patches.suse/x86-Add-magic-AMD-return-thunk.patch index 63642de..8216ed6 100644 --- a/patches.suse/x86-Add-magic-AMD-return-thunk.patch +++ b/patches.suse/x86-Add-magic-AMD-return-thunk.patch @@ -2,8 +2,7 @@ From: Peter Zijlstra Date: Tue, 14 Jun 2022 23:15:48 +0200 Subject: x86: Add magic AMD return-thunk Git-commit: a149180fbcf336e97ce4eb2cdc13672727feb94d -Patch-mainline: Queued in tip for 5.19 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: v5.19-rc4 References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 Note: needs to be in a section distinct from Retpolines such that the @@ -27,14 +26,14 @@ Signed-off-by: Borislav Petkov Reviewed-by: Josh Poimboeuf Signed-off-by: Borislav Petkov --- - arch/x86/entry/entry_64.S | 11 ++++++ - arch/x86/entry/entry_64_compat.S | 7 +++ + arch/x86/entry/entry_64.S | 10 +++++ + arch/x86/entry/entry_64_compat.S | 5 ++ arch/x86/include/asm/cpufeatures.h | 1 arch/x86/include/asm/nospec-branch.h | 17 +++++++++ arch/x86/kernel/vmlinux.lds.S | 2 - arch/x86/kvm/svm.c | 4 ++ - arch/x86/lib/retpoline.S | 64 +++++++++++++++++++++++++++++++++-- - 7 files changed, 103 insertions(+), 3 deletions(-) + arch/x86/lib/retpoline.S | 63 ++++++++++++++++++++++++++++++++++- + 7 files changed, 100 insertions(+), 2 deletions(-) --- a/arch/x86/entry/entry_64_compat.S +++ b/arch/x86/entry/entry_64_compat.S @@ -46,7 +45,7 @@ Signed-off-by: Borislav Petkov #include #include -@@ -107,6 +108,8 @@ ENTRY(entry_SYSENTER_compat) +@@ -105,6 +106,8 @@ ENTRY(entry_SYSENTER_compat) xorl %r15d, %r15d /* nospec r15 */ cld @@ -55,16 +54,7 @@ Signed-off-by: Borislav Petkov /* * SYSENTER doesn't filter flags, so we need to clear NT and AC * ourselves. To save a few cycles, we can check whether -@@ -248,6 +251,8 @@ GLOBAL(entry_SYSCALL_compat_after_hwfram - /* Restrict Indirect Branch Speculation. All registers are saved already */ - RESTRICT_IB_SPEC_CLOBBER - -+ UNTRAIN_RET -+ - /* User mode is traced as though IRQs are on, and SYSENTER - * turned them off. - */ -@@ -433,6 +438,8 @@ ENTRY(entry_INT80_compat) +@@ -416,6 +419,8 @@ ENTRY(entry_INT80_compat) */ TRACE_IRQS_OFF @@ -75,7 +65,7 @@ Signed-off-by: Borislav Petkov .Lsyscall_32_done: --- a/arch/x86/entry/entry_64.S +++ b/arch/x86/entry/entry_64.S -@@ -233,6 +233,9 @@ GLOBAL(entry_SYSCALL_64_after_hwframe) +@@ -229,6 +229,9 @@ GLOBAL(entry_SYSCALL_64_after_hwframe) /* IRQs are off. */ movq %rsp, %rdi @@ -85,61 +75,51 @@ Signed-off-by: Borislav Petkov call do_syscall_64 /* returns with IRQs disabled */ TRACE_IRQS_IRETQ /* we're about to change IF */ -@@ -716,6 +719,7 @@ native_irq_return_ldt: +@@ -709,6 +712,7 @@ native_irq_return_ldt: pushq %rdi /* Stash user RDI */ SWAPGS /* to kernel GS */ SWITCH_TO_KERNEL_CR3 scratch_reg=%rdi /* to kernel CR3 */ + UNTRAIN_RET - /* - * There is no point in disabling Indirect Branch Speculation -@@ -870,8 +874,11 @@ ENTRY(switch_to_thread_stack) + movq PER_CPU_VAR(espfix_waddr), %rdi + movq %rax, (0*8)(%rdi) /* user RAX */ +@@ -856,6 +860,9 @@ ENTRY(switch_to_thread_stack) SWITCH_TO_KERNEL_CR3 scratch_reg=%rdi movq %rsp, %rdi movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp + - /* Restrict Indirect Branch Speculation */ - RESTRICT_IB_SPEC + UNTRAIN_RET + UNWIND_HINT sp_offset=16 sp_reg=ORC_REG_DI pushq 7*8(%rdi) /* regs->ss */ -@@ -1250,6 +1257,7 @@ ENTRY(error_entry) +@@ -1228,6 +1235,7 @@ ENTRY(error_entry) + FENCE_SWAPGS_USER_ENTRY + /* We have user CR3. Change to kernel CR3. */ SWITCH_TO_KERNEL_CR3 scratch_reg=%rax - /* Restrict Indirect Branch Speculation */ - RESTRICT_IB_SPEC_CLOBBER + UNTRAIN_RET .Lerror_entry_from_usermode_after_swapgs: /* Put us onto the real thread stack. */ -@@ -1301,6 +1309,7 @@ ENTRY(error_entry) +@@ -1277,6 +1285,7 @@ ENTRY(error_entry) + SWAPGS + FENCE_SWAPGS_USER_ENTRY SWITCH_TO_KERNEL_CR3 scratch_reg=%rax - /* Restrict Indirect Branch Speculation */ - RESTRICT_IB_SPEC_CLOBBER + UNTRAIN_RET jmp .Lerror_entry_done .Lbstep_iret: -@@ -1318,6 +1327,7 @@ ENTRY(error_entry) - SWITCH_TO_KERNEL_CR3 scratch_reg=%rax - /* Restrict Indirect Branch Speculation */ - RESTRICT_IB_SPEC -+ UNTRAIN_RET - - /* - * Pretend that the exception came from user mode: set up pt_regs -@@ -1415,6 +1425,7 @@ ENTRY(nmi) +@@ -1368,6 +1377,7 @@ ENTRY(nmi) - /* Restrict Indirect Branch Speculation */ - RESTRICT_IB_SPEC + testb $3, CS-RIP+8(%rsp) + jz .Lnmi_from_kernel + UNTRAIN_RET - UNWIND_HINT_IRET_REGS base=%rdx offset=8 - pushq 5*8(%rdx) /* pt_regs->ss */ + /* + * NMI from user mode. We need to run on the thread stack, but we --- a/arch/x86/include/asm/cpufeatures.h +++ b/arch/x86/include/asm/cpufeatures.h -@@ -288,6 +288,7 @@ +@@ -287,6 +287,7 @@ #define X86_FEATURE_RETPOLINE (11*32+12) /* "" Generic Retpoline mitigation for Spectre variant 2 */ #define X86_FEATURE_RETPOLINE_LFENCE (11*32+13) /* "" Use LFENCE for Spectre variant 2 */ #define X86_FEATURE_RETHUNK (11*32+14) /* "" Use REturn THUNK */ @@ -213,7 +193,7 @@ Signed-off-by: Borislav Petkov * speculative use. --- a/arch/x86/lib/retpoline.S +++ b/arch/x86/lib/retpoline.S -@@ -53,11 +53,71 @@ GENERATE_THUNK(r15) +@@ -50,9 +50,70 @@ GENERATE_THUNK(r15) * This function name is magical and is used by -mfunction-return=thunk-extern * for the compiler to generate JMPs to it. */ @@ -267,7 +247,7 @@ Signed-off-by: Borislav Petkov ENTRY(__x86_return_thunk) ret int3 --ENDPROC(__x86_return_thunk) + ENDPROC(__x86_return_thunk) -__EXPORT_THUNK(__x86_return_thunk) + /* @@ -285,5 +265,3 @@ Signed-off-by: Borislav Petkov +__EXPORT_THUNK(zen_untrain_ret) + +EXPORT_SYMBOL(__x86_return_thunk) - #endif /* CONFIG_RETPOLINE */ - diff --git a/patches.suse/x86-Undo-return-thunk-damage.patch b/patches.suse/x86-Undo-return-thunk-damage.patch index b81a31a..5efcf04 100644 --- a/patches.suse/x86-Undo-return-thunk-damage.patch +++ b/patches.suse/x86-Undo-return-thunk-damage.patch @@ -2,8 +2,7 @@ From: Peter Zijlstra Date: Tue, 14 Jun 2022 23:15:37 +0200 Subject: x86: Undo return-thunk damage Git-commit: 15e67227c49a57837108acfe1c80570e1bd9f962 -Patch-mainline: Queued in tip for 5.19 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: v5.19-rc4 References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 Introduce X86_FEATURE_RETHUNK for those afflicted with needing this. diff --git a/patches.suse/x86-Use-return-thunk-in-asm-code.patch b/patches.suse/x86-Use-return-thunk-in-asm-code.patch index 0e55b79..5ea454b 100644 --- a/patches.suse/x86-Use-return-thunk-in-asm-code.patch +++ b/patches.suse/x86-Use-return-thunk-in-asm-code.patch @@ -2,8 +2,7 @@ From: Peter Zijlstra Date: Tue, 14 Jun 2022 23:15:45 +0200 Subject: x86: Use return-thunk in asm code Git-commit: aa3d480315ba6c3025a60958e1981072ea37c3df -Patch-mainline: Queued in tip for 5.19 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: v5.19-rc4 References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 Use the return thunk in asm code. If the thunk isn't needed, it will diff --git a/patches.suse/x86-bugs-Add-AMD-retbleed-boot-parameter.patch b/patches.suse/x86-bugs-Add-AMD-retbleed-boot-parameter.patch index 576310f..3461e59 100644 --- a/patches.suse/x86-bugs-Add-AMD-retbleed-boot-parameter.patch +++ b/patches.suse/x86-bugs-Add-AMD-retbleed-boot-parameter.patch @@ -2,8 +2,7 @@ From: Alexandre Chartre Date: Tue, 14 Jun 2022 23:15:50 +0200 Subject: x86/bugs: Add AMD retbleed= boot parameter Git-commit: 7fbf47c7ce50b38a64576b150e7011ae73d54669 -Patch-mainline: Queued in tip for 5.19 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: v5.19-rc4 References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 Add the "retbleed=" boot parameter to select a mitigation for diff --git a/patches.suse/x86-bugs-Add-retbleed-ibpb.patch b/patches.suse/x86-bugs-Add-retbleed-ibpb.patch index 4dd3300..13fad12 100644 --- a/patches.suse/x86-bugs-Add-retbleed-ibpb.patch +++ b/patches.suse/x86-bugs-Add-retbleed-ibpb.patch @@ -2,8 +2,7 @@ From: Peter Zijlstra Date: Tue, 14 Jun 2022 23:16:02 +0200 Subject: x86/bugs: Add retbleed=ibpb Git-commit: 3ebc170068885b6fc7bedda6c667bb2c4d533159 -Patch-mainline: Queued in tip for 5.19 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: v5.19-rc4 References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 jmp2ret mitigates the easy-to-attack case at relatively low overhead. diff --git a/patches.suse/x86-bugs-Do-IBPB-fallback-check-only-once.patch b/patches.suse/x86-bugs-Do-IBPB-fallback-check-only-once.patch index 5191fac..41cc68c 100644 --- a/patches.suse/x86-bugs-Do-IBPB-fallback-check-only-once.patch +++ b/patches.suse/x86-bugs-Do-IBPB-fallback-check-only-once.patch @@ -2,8 +2,7 @@ From: Josh Poimboeuf Date: Tue, 14 Jun 2022 15:07:19 -0700 Subject: x86/bugs: Do IBPB fallback check only once Git-commit: 0fe4aeea9c01baabecc8c3afc7889c809d939bc2 -Patch-mainline: Queued in tip for 5.19 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: v5.19-rc4 References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 When booting with retbleed=auto, if the kernel wasn't built with diff --git a/patches.suse/x86-bugs-Do-not-enable-IBPB-on-entry-when-IBPB-is-no.patch b/patches.suse/x86-bugs-Do-not-enable-IBPB-on-entry-when-IBPB-is-no.patch index ac19510..17da90c 100644 --- a/patches.suse/x86-bugs-Do-not-enable-IBPB-on-entry-when-IBPB-is-no.patch +++ b/patches.suse/x86-bugs-Do-not-enable-IBPB-on-entry-when-IBPB-is-no.patch @@ -1,9 +1,8 @@ From: Thadeu Lima de Souza Cascardo Date: Thu, 7 Jul 2022 13:41:52 -0300 Subject: [PATCH] x86/bugs: Do not enable IBPB-on-entry when IBPB is not supported -Patch-mainline: Queued in tip for 5.19 -Git-commit: 31b74c1dfb6cb530920fdcd047614e2b5eb72f74 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: v5.19-rc4 +Git-commit: 2259da159fbe5dba8ac00b560cf00b6a6537fa18 References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 There are some VM configurations which have Skylake model but do not @@ -15,14 +14,19 @@ do not fallback to IBPB on AMD/Hygon systems if it is not supported. Fixes: 3ebc17006888 ("x86/bugs: Add retbleed=ibpb") Signed-off-by: Thadeu Lima de Souza Cascardo + + [ bp: The fallback to IBPB when RETBLEED_CMD_AUTO doesn't make sense for our + trees because upstream has fine-grained config options which we didn't + backport. ] + Signed-off-by: Borislav Petkov --- - arch/x86/kernel/cpu/bugs.c | 7 +++++++ - 1 file changed, 7 insertions(+) + arch/x86/kernel/cpu/bugs.c | 5 +++++ + 1 file changed, 5 insertions(+) --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c -@@ -930,14 +930,21 @@ static void __init retbleed_select_mitig +@@ -930,9 +930,14 @@ static void __init retbleed_select_mitig break; case RETBLEED_CMD_IBPB: @@ -37,10 +41,3 @@ Signed-off-by: Borislav Petkov case RETBLEED_CMD_AUTO: default: if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD || - boot_cpu_data.x86_vendor == X86_VENDOR_HYGON) - retbleed_mitigation = RETBLEED_MITIGATION_UNRET; -+ else if (boot_cpu_has(X86_FEATURE_IBPB)) -+ retbleed_mitigation = RETBLEED_MITIGATION_IBPB; - - /* - * The Intel mitigation (IBRS or eIBRS) was already selected in diff --git a/patches.suse/x86-bugs-Enable-STIBP-for-JMP2RET.patch b/patches.suse/x86-bugs-Enable-STIBP-for-JMP2RET.patch index 652f968..a8ef471 100644 --- a/patches.suse/x86-bugs-Enable-STIBP-for-JMP2RET.patch +++ b/patches.suse/x86-bugs-Enable-STIBP-for-JMP2RET.patch @@ -2,8 +2,7 @@ From: Kim Phillips Date: Tue, 14 Jun 2022 23:15:51 +0200 Subject: x86/bugs: Enable STIBP for JMP2RET Git-commit: e8ec1b6e08a2102d8755ccb06fa26d540f26a2fa -Patch-mainline: Queued in tip for 5.19 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: v5.19-rc4 References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 For untrained return thunks to be fully effective, STIBP must be enabled diff --git a/patches.suse/x86-bugs-Group-MDS-TAA-Processor-MMIO-Stale-Data-mitigations.patch b/patches.suse/x86-bugs-Group-MDS-TAA-Processor-MMIO-Stale-Data-mitigations.patch index 0e4dbb9..6879699 100644 --- a/patches.suse/x86-bugs-Group-MDS-TAA-Processor-MMIO-Stale-Data-mitigations.patch +++ b/patches.suse/x86-bugs-Group-MDS-TAA-Processor-MMIO-Stale-Data-mitigations.patch @@ -2,8 +2,7 @@ From: Pawan Gupta Date: Thu, 19 May 2022 20:30:12 -0700 Subject: x86/bugs: Group MDS, TAA & Processor MMIO Stale Data mitigations Git-commit: e5925fb867290ee924fcf2fe3ca887b792714366 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git -Patch-mainline: Queued in tip for v5.19 +Patch-mainline: v5.18-rc7 References: bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180 MDS, TAA and Processor MMIO Stale Data mitigations rely on clearing CPU diff --git a/patches.suse/x86-bugs-Keep-a-per-CPU-IA32_SPEC_CTRL-value.patch b/patches.suse/x86-bugs-Keep-a-per-CPU-IA32_SPEC_CTRL-value.patch index 304217c..ffabe2e 100644 --- a/patches.suse/x86-bugs-Keep-a-per-CPU-IA32_SPEC_CTRL-value.patch +++ b/patches.suse/x86-bugs-Keep-a-per-CPU-IA32_SPEC_CTRL-value.patch @@ -2,8 +2,7 @@ From: Peter Zijlstra Date: Tue, 14 Jun 2022 23:15:52 +0200 Subject: x86/bugs: Keep a per-CPU IA32_SPEC_CTRL value Git-commit: caa0ff24d5d0e02abce5e65c3d2b7f20a6617be5 -Patch-mainline: Queued in tip for 5.19 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: v5.19-rc4 References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 Due to TIF_SSBD and TIF_SPEC_IB the actual IA32_SPEC_CTRL value can diff --git a/patches.suse/x86-bugs-Optimize-SPEC_CTRL-MSR-writes.patch b/patches.suse/x86-bugs-Optimize-SPEC_CTRL-MSR-writes.patch index 5de05a8..4052102 100644 --- a/patches.suse/x86-bugs-Optimize-SPEC_CTRL-MSR-writes.patch +++ b/patches.suse/x86-bugs-Optimize-SPEC_CTRL-MSR-writes.patch @@ -2,8 +2,7 @@ From: Peter Zijlstra Date: Tue, 14 Jun 2022 23:15:54 +0200 Subject: x86/bugs: Optimize SPEC_CTRL MSR writes Git-commit: c779bc1a9002fa474175b80e72b85c9bf628abb0 -Patch-mainline: Queued in tip for 5.19 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: v5.19-rc4 References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 When changing SPEC_CTRL for user control, the WRMSR can be delayed @@ -51,7 +50,7 @@ Signed-off-by: Borislav Petkov + * When KERNEL_IBRS this MSR is written on return-to-user, unless + * forced the update can be delayed until that time. + */ -+ if (force || !cpu_feature_enabled(X86_FEATURE_USE_IBRS)) ++ if (force || !cpu_feature_enabled(X86_FEATURE_KERNEL_IBRS)) + wrmsrl(MSR_IA32_SPEC_CTRL, val); } diff --git a/patches.suse/x86-bugs-Report-AMD-retbleed-vulnerability.patch b/patches.suse/x86-bugs-Report-AMD-retbleed-vulnerability.patch index 1360e26..31bfa34 100644 --- a/patches.suse/x86-bugs-Report-AMD-retbleed-vulnerability.patch +++ b/patches.suse/x86-bugs-Report-AMD-retbleed-vulnerability.patch @@ -2,8 +2,7 @@ From: Alexandre Chartre Date: Tue, 14 Jun 2022 23:15:49 +0200 Subject: x86/bugs: Report AMD retbleed vulnerability Git-commit: 6b80b59b3555706508008f1f127b5412c89c7fd8 -Patch-mainline: Queued in tip for 5.19 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: v5.19-rc4 References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 Report that AMD x86 CPUs are vulnerable to the RETBleed (Arbitrary @@ -29,7 +28,7 @@ Signed-off-by: Borislav Petkov --- a/arch/x86/include/asm/cpufeatures.h +++ b/arch/x86/include/asm/cpufeatures.h -@@ -407,5 +407,6 @@ +@@ -406,5 +406,6 @@ #define X86_BUG_ITLB_MULTIHIT X86_BUG(23) /* CPU may incur MCE during certain page attribute changes */ #define X86_BUG_SRBDS X86_BUG(24) /* CPU may leak RNG bits if not mitigated */ #define X86_BUG_MMIO_STALE_DATA X86_BUG(25) /* CPU is affected by Processor MMIO Stale Data vulnerabilities */ @@ -38,8 +37,8 @@ Signed-off-by: Borislav Petkov #endif /* _ASM_X86_CPUFEATURES_H */ --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c -@@ -1882,6 +1882,11 @@ static ssize_t srbds_show_state(char *bu - return sprintf(buf, "%s\n", srbds_strings[srbds_mitigation]); +@@ -1867,6 +1867,11 @@ static ssize_t spectre_v2_show_state(cha + spectre_v2_module_string()); } +static ssize_t retbleed_show_state(char *buf) @@ -50,7 +49,7 @@ Signed-off-by: Borislav Petkov static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr, char *buf, unsigned int bug) { -@@ -1929,6 +1934,9 @@ static ssize_t cpu_show_common(struct de +@@ -1914,6 +1919,9 @@ static ssize_t cpu_show_common(struct de case X86_BUG_MMIO_STALE_DATA: return mmio_stale_data_show_state(buf); @@ -60,7 +59,7 @@ Signed-off-by: Borislav Petkov default: break; } -@@ -1985,4 +1993,9 @@ ssize_t cpu_show_mmio_stale_data(struct +@@ -1970,4 +1978,9 @@ ssize_t cpu_show_mmio_stale_data(struct { return cpu_show_common(dev, attr, buf, X86_BUG_MMIO_STALE_DATA); } diff --git a/patches.suse/x86-bugs-Report-Intel-retbleed-vulnerability.patch b/patches.suse/x86-bugs-Report-Intel-retbleed-vulnerability.patch index f004843..27dc4ed 100644 --- a/patches.suse/x86-bugs-Report-Intel-retbleed-vulnerability.patch +++ b/patches.suse/x86-bugs-Report-Intel-retbleed-vulnerability.patch @@ -2,8 +2,7 @@ From: Peter Zijlstra Date: Fri, 24 Jun 2022 13:48:58 +0200 Subject: x86/bugs: Report Intel retbleed vulnerability Git-commit: 6ad0ad2bf8a67e27d1f9d006a1dabb0e1c360cc3 -Patch-mainline: Queued in tip for 5.19 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: v5.19-rc4 References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 Skylake suffers from RSB underflow speculation issues; report this diff --git a/patches.suse/x86-bugs-Split-spectre_v2_select_mitigation-and-spectre_v2.patch b/patches.suse/x86-bugs-Split-spectre_v2_select_mitigation-and-spectre_v2.patch index c204225..ae2b8c3 100644 --- a/patches.suse/x86-bugs-Split-spectre_v2_select_mitigation-and-spectre_v2.patch +++ b/patches.suse/x86-bugs-Split-spectre_v2_select_mitigation-and-spectre_v2.patch @@ -3,8 +3,7 @@ Date: Tue, 14 Jun 2022 23:15:56 +0200 Subject: x86/bugs: Split spectre_v2_select_mitigation() and spectre_v2_user_select_mitigation() Git-commit: 166115c08a9b0b846b783088808a27d739be6e8d -Patch-mainline: Queued in tip for 5.19 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: v5.19-rc4 References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 retbleed will depend on spectre_v2, while spectre_v2_user depends on diff --git a/patches.suse/x86-common-Stamp-out-the-stepping-madness.patch b/patches.suse/x86-common-Stamp-out-the-stepping-madness.patch index cfe5893..6dffde9 100644 --- a/patches.suse/x86-common-Stamp-out-the-stepping-madness.patch +++ b/patches.suse/x86-common-Stamp-out-the-stepping-madness.patch @@ -2,8 +2,7 @@ From: Peter Zijlstra Date: Fri, 24 Jun 2022 14:03:25 +0200 Subject: x86/common: Stamp out the stepping madness Git-commit: 7a05bc95ed1c5a59e47aaade9fb4083c27de9e62 -Patch-mainline: Queued in tip for 5.19 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: v5.19-rc4 References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 The whole MMIO/RETBLEED enumeration went overboard on steppings. Get diff --git a/patches.suse/x86-cpu-add-a-steppings-field-to-struct-x86_cpu_id.patch b/patches.suse/x86-cpu-add-a-steppings-field-to-struct-x86_cpu_id.patch index dfa10c7..87d5465 100644 --- a/patches.suse/x86-cpu-add-a-steppings-field-to-struct-x86_cpu_id.patch +++ b/patches.suse/x86-cpu-add-a-steppings-field-to-struct-x86_cpu_id.patch @@ -2,7 +2,7 @@ From: Mark Gross Date: Thu, 16 Apr 2020 17:23:10 +0200 Subject: x86/cpu: Add a steppings field to struct x86_cpu_id Git-commit: e9d7144597b10ff13ff2264c059f7d4a7fbc89ac -Patch-mainline: v5.7 or v5.7-rc6 (next release) +Patch-mainline: v5.7-rc2 References: bsc#1154824 CVE-2020-0543 Intel uses the same family/model for several CPUs. Sometimes the diff --git a/patches.suse/x86-cpu-add-table-argument-to-cpu_matches.patch b/patches.suse/x86-cpu-add-table-argument-to-cpu_matches.patch index 660d0b8..644b45e 100644 --- a/patches.suse/x86-cpu-add-table-argument-to-cpu_matches.patch +++ b/patches.suse/x86-cpu-add-table-argument-to-cpu_matches.patch @@ -2,7 +2,7 @@ From: Mark Gross Date: Thu, 16 Apr 2020 17:32:42 +0200 Subject: x86/cpu: Add 'table' argument to cpu_matches() Git-commit: 93920f61c2ad7edb01e63323832585796af75fc9 -Patch-mainline: v5.7 or v5.7-rc3 (next release) +Patch-mainline: v5.7-rc2 References: bsc#1154824 CVE-2020-0543 To make cpu_matches() reusable for other matching tables, have it take a diff --git a/patches.suse/x86-cpu-amd-Add-Spectral-Chicken.patch b/patches.suse/x86-cpu-amd-Add-Spectral-Chicken.patch index 65561a2..a341c50 100644 --- a/patches.suse/x86-cpu-amd-Add-Spectral-Chicken.patch +++ b/patches.suse/x86-cpu-amd-Add-Spectral-Chicken.patch @@ -2,8 +2,7 @@ From: Peter Zijlstra Date: Tue, 14 Jun 2022 23:16:04 +0200 Subject: x86/cpu/amd: Add Spectral Chicken Git-commit: d7caac991feeef1b871ee6988fd2c9725df09039 -Patch-mainline: Queued in tip for 5.19 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: v5.19-rc4 References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 Zen2 uarchs have an undocumented, unnamed, MSR that contains a chicken diff --git a/patches.suse/x86-cpu-amd-Enumerate-BTC_NO.patch b/patches.suse/x86-cpu-amd-Enumerate-BTC_NO.patch index 3bef428..18ed40a 100644 --- a/patches.suse/x86-cpu-amd-Enumerate-BTC_NO.patch +++ b/patches.suse/x86-cpu-amd-Enumerate-BTC_NO.patch @@ -2,8 +2,7 @@ From: Andrew Cooper Date: Fri, 24 Jun 2022 14:41:21 +0100 Subject: x86/cpu/amd: Enumerate BTC_NO Git-commit: 26aae8ccbc1972233afd08fb3f368947c0314265 -Patch-mainline: Queued in tip for 5.19 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: v5.19-rc4 References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 BTC_NO indicates that hardware is not susceptible to Branch Type Confusion. @@ -25,7 +24,7 @@ Signed-off-by: Borislav Petkov --- a/arch/x86/include/asm/cpufeatures.h +++ b/arch/x86/include/asm/cpufeatures.h -@@ -304,6 +304,7 @@ +@@ -303,6 +303,7 @@ #define X86_FEATURE_AMD_SSBD (13*32+24) /* "" Speculative Store Bypass Disable */ #define X86_FEATURE_VIRT_SSBD (13*32+25) /* Virtualized Speculative Store Bypass Disable */ #define X86_FEATURE_AMD_SSB_NO (13*32+26) /* "" Speculative Store Bypass is fixed in hardware. */ @@ -35,9 +34,9 @@ Signed-off-by: Borislav Petkov #define X86_FEATURE_DTHERM (14*32+ 0) /* Digital Thermal Sensor */ --- a/arch/x86/kernel/cpu/amd.c +++ b/arch/x86/kernel/cpu/amd.c -@@ -903,12 +903,21 @@ static void init_amd_zn(struct cpuinfo_x - node_reclaim_distance = 32; - #endif +@@ -898,12 +898,21 @@ static void init_amd_zn(struct cpuinfo_x + { + set_cpu_cap(c, X86_FEATURE_ZEN); - /* - * Fix erratum 1076: CPB feature bit not being set in CPUID. diff --git a/patches.suse/x86-cpufeatures-Move-RETPOLINE-flags-to-word-11.patch b/patches.suse/x86-cpufeatures-Move-RETPOLINE-flags-to-word-11.patch index 967fc39..8e82d6d 100644 --- a/patches.suse/x86-cpufeatures-Move-RETPOLINE-flags-to-word-11.patch +++ b/patches.suse/x86-cpufeatures-Move-RETPOLINE-flags-to-word-11.patch @@ -2,8 +2,7 @@ From: Peter Zijlstra Date: Tue, 14 Jun 2022 23:15:33 +0200 Subject: x86/cpufeatures: Move RETPOLINE flags to word 11 Git-commit: a883d624aed463c84c22596006e5a96f5b44db31 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git -Patch-mainline: Queued in tip for v5.19 +Patch-mainline: v5.19-rc4 References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 In order to extend the RETPOLINE features to 4, move them to word 11 diff --git a/patches.suse/x86-enter-Create-macros-to-restrict-unrestrict-Indir.patch b/patches.suse/x86-enter-Create-macros-to-restrict-unrestrict-Indir.patch deleted file mode 100644 index 2038777..0000000 --- a/patches.suse/x86-enter-Create-macros-to-restrict-unrestrict-Indir.patch +++ /dev/null @@ -1,142 +0,0 @@ -From: Tim Chen -Date: Tue, 9 Jan 2018 18:26:46 -0800 -Subject: x86/enter: Create macros to restrict/unrestrict Indirect Branch - Speculation -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/djbw/linux.git -Git-commit: 1dc8355cd7232e5343cb5d96ee27c11322cde270 -Patch-mainline: Queued in subsystem maintainer repository -References: bsc#1068032 CVE-2017-5753 - -Create macros to control Indirect Branch Speculation. - -Name them so they reflect what they are actually doing. -The macros are used to restrict and unrestrict the indirect branch speculation. -They do not *disable* (or *enable*) indirect branch speculation. A trip back to -user-space after *restricting* speculation would still affect the BTB. - -Quoting from a commit by Tim Chen: - -""" - If IBRS is set, near returns and near indirect jumps/calls will not allow - their predicted target address to be controlled by code that executed in a - less privileged prediction mode *BEFORE* the IBRS mode was last written with - a value of 1 or on another logical processor so long as all Return Stack - Buffer (RSB) entries from the previous less privileged prediction mode are - overwritten. - - Thus a near indirect jump/call/return may be affected by code in a less - privileged prediction mode that executed *AFTER* IBRS mode was last written - with a value of 1. -""" - -[ tglx: Changed macro names and rewrote changelog ] -[ karahmed: changed macro names *again* and rewrote changelog ] - -Signed-off-by: Tim Chen -Signed-off-by: Thomas Gleixner -Signed-off-by: KarimAllah Ahmed -Cc: Andrea Arcangeli -Cc: Andi Kleen -Cc: Peter Zijlstra -Cc: Greg KH -Cc: Dave Hansen -Cc: Andy Lutomirski -Cc: Paolo Bonzini -Cc: Dan Williams -Cc: Arjan Van De Ven -Cc: Linus Torvalds -Cc: David Woodhouse -Cc: Ashok Raj -Link: https://lkml.kernel.org/r/3aab341725ee6a9aafd3141387453b45d788d61a.1515542293.git.tim.c.chen@linux.intel.com -Signed-off-by: David Woodhouse -Signed-off-by: Jiri Slaby ---- - arch/x86/entry/calling.h | 73 +++++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 73 insertions(+) - ---- a/arch/x86/entry/calling.h -+++ b/arch/x86/entry/calling.h -@@ -5,6 +5,8 @@ - #include - #include - #include -+#include -+#include - - /* - -@@ -337,3 +339,74 @@ For 32-bit we have the following convent - .Lafter_call_\@: - #endif - .endm -+ -+/* -+ * IBRS related macros -+ */ -+.macro PUSH_MSR_REGS -+ pushq %rax -+ pushq %rcx -+ pushq %rdx -+.endm -+ -+.macro POP_MSR_REGS -+ popq %rdx -+ popq %rcx -+ popq %rax -+.endm -+ -+.macro WRMSR_ASM msr_nr:req edx_val:req eax_val:req -+ movl \msr_nr, %ecx -+ movl \edx_val, %edx -+ movl \eax_val, %eax -+ wrmsr -+.endm -+ -+.macro RESTRICT_IB_SPEC -+ ALTERNATIVE "jmp .Lskip_\@", "", X86_FEATURE_USE_IBRS -+ PUSH_MSR_REGS -+ WRMSR_ASM $MSR_IA32_SPEC_CTRL, $0, $SPEC_CTRL_IBRS -+ POP_MSR_REGS -+.Lskip_\@: -+.endm -+ -+.macro UNRESTRICT_IB_SPEC -+ ALTERNATIVE "jmp .Lskip_\@", "", X86_FEATURE_USE_IBRS -+ PUSH_MSR_REGS -+ WRMSR_ASM $MSR_IA32_SPEC_CTRL, $0, $0 -+ POP_MSR_REGS -+.Lskip_\@: -+.endm -+ -+.macro RESTRICT_IB_SPEC_CLOBBER -+ ALTERNATIVE "jmp .Lskip_\@", "", X86_FEATURE_USE_IBRS -+ WRMSR_ASM $MSR_IA32_SPEC_CTRL, $0, $SPEC_CTRL_IBRS -+.Lskip_\@: -+.endm -+ -+.macro UNRESTRICT_IB_SPEC_CLOBBER -+ ALTERNATIVE "jmp .Lskip_\@", "", X86_FEATURE_USE_IBRS -+ WRMSR_ASM $MSR_IA32_SPEC_CTRL, $0, $0 -+.Lskip_\@: -+.endm -+ -+.macro RESTRICT_IB_SPEC_SAVE_AND_CLOBBER save_reg:req -+ ALTERNATIVE "jmp .Lskip_\@", "", X86_FEATURE_USE_IBRS -+ movl $MSR_IA32_SPEC_CTRL, %ecx -+ rdmsr -+ movl %eax, \save_reg -+ movl $0, %edx -+ movl $SPEC_CTRL_IBRS, %eax -+ wrmsr -+.Lskip_\@: -+.endm -+ -+.macro RESTORE_IB_SPEC_CLOBBER save_reg:req -+ ALTERNATIVE "jmp .Lskip_\@", "", X86_FEATURE_USE_IBRS -+ /* Set IBRS to the value saved in the save_reg */ -+ movl $MSR_IA32_SPEC_CTRL, %ecx -+ movl $0, %edx -+ movl \save_reg, %eax -+ wrmsr -+.Lskip_\@: -+.endm diff --git a/patches.suse/x86-enter-Use-IBRS-on-syscall-and-interrupts.patch b/patches.suse/x86-enter-Use-IBRS-on-syscall-and-interrupts.patch deleted file mode 100644 index 4238045..0000000 --- a/patches.suse/x86-enter-Use-IBRS-on-syscall-and-interrupts.patch +++ /dev/null @@ -1,258 +0,0 @@ -From: Tim Chen -Date: Tue, 9 Jan 2018 18:26:47 -0800 -Subject: x86/enter: Use IBRS on syscall and interrupts -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/djbw/linux.git -Git-commit: a6bd2df2ed25411e2ecd800504e21efe0f2b52f4 -Patch-mainline: Queued in subsystem maintainer repository -References: bsc#1068032 CVE-2017-5753 - -Stop Indirect Branch Speculation on every user space to kernel space -transition and reenable it when returning to user space./ - -The NMI interrupt save/restore of IBRS state was based on Andrea -Arcangeli's implementation. Here's an explanation by Dave Hansen on why we -save IBRS state for NMI. - -The normal interrupt code uses the 'error_entry' path which uses the -Code Segment (CS) of the instruction that was interrupted to tell -whether it interrupted the kernel or userspace and thus has to switch -IBRS, or leave it alone. - -The NMI code is different. It uses 'paranoid_entry' because it can -interrupt the kernel while it is running with a userspace IBRS (and %GS -and CR3) value, but has a kernel CS. If we used the same approach as -the normal interrupt code, we might do the following; - - SYSENTER_entry -<-------------- NMI HERE - IBRS=1 - do_something() - IBRS=0 - SYSRET - -The NMI code might notice that we are running in the kernel and decide -that it is OK to skip the IBRS=1. This would leave it running -unprotected with IBRS=0, which is bad. - -However, if we unconditionally set IBRS=1, in the NMI, we might get the -following case: - - SYSENTER_entry - IBRS=1 - do_something() - IBRS=0 -<-------------- NMI HERE (set IBRS=1) - SYSRET - -and we would return to userspace with IBRS=1. Userspace would run -slowly until we entered and exited the kernel again. - -Instead of those two approaches, we chose a third one where we simply -save the IBRS value in a scratch register (%r13) and then restore that -value, verbatim. - -[karahmed use the new SPEC_CTRL_IBRS defines] - -Co-developed-by: Andrea Arcangeli -Signed-off-by: Andrea Arcangeli -Signed-off-by: Tim Chen -Signed-off-by: Thomas Gleixner -Signed-off-by: KarimAllah Ahmed -Cc: Andi Kleen -Cc: Peter Zijlstra -Cc: Greg KH -Cc: Dave Hansen -Cc: Andy Lutomirski -Cc: Paolo Bonzini -Cc: Dan Williams -Cc: Arjan Van De Ven -Cc: Linus Torvalds -Cc: David Woodhouse -Cc: Ashok Raj -Link: https://lkml.kernel.org/r/d5e4c03ec290c61dfbe5a769f7287817283fa6b7.1515542293.git.tim.c.chen@linux.intel.com -Signed-off-by: Jiri Slaby ---- - arch/x86/entry/entry_64.S | 35 ++++++++++++++++++++++++++++++++++- - arch/x86/entry/entry_64_compat.S | 21 +++++++++++++++++++-- - 2 files changed, 53 insertions(+), 3 deletions(-) - ---- a/arch/x86/entry/entry_64.S -+++ b/arch/x86/entry/entry_64.S -@@ -170,6 +170,8 @@ ENTRY(entry_SYSCALL_64_trampoline) - - /* Load the top of the task stack into RSP */ - movq CPU_ENTRY_AREA_tss + TSS_sp1 + CPU_ENTRY_AREA, %rsp -+ /* Restrict indirect branch speculation */ -+ RESTRICT_IB_SPEC - - /* Start building the simulated IRET frame. */ - pushq $__USER_DS /* pt_regs->ss */ -@@ -213,6 +215,8 @@ ENTRY(entry_SYSCALL_64) - */ - movq %rsp, PER_CPU_VAR(rsp_scratch) - movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp -+ /* Restrict Indirect Branch Speculation */ -+ RESTRICT_IB_SPEC - - /* Construct struct pt_regs on stack */ - pushq $__USER_DS /* pt_regs->ss */ -@@ -313,6 +317,8 @@ syscall_return_via_sysret: - pushq RSP-RDI(%rdi) /* RSP */ - pushq (%rdi) /* RDI */ - -+ /* Unrestrict Indirect Branch Speculation */ -+ UNRESTRICT_IB_SPEC - /* - * We are on the trampoline stack. All regs except RDI are live. - * We can do future final exit work right here. -@@ -613,11 +619,12 @@ GLOBAL(swapgs_restore_regs_and_return_to - /* Push user RDI on the trampoline stack. */ - pushq (%rdi) - -+ /* Unrestrict Indirect Branch Speculation */ -+ UNRESTRICT_IB_SPEC - /* - * We are on the trampoline stack. All regs except RDI are live. - * We can do future final exit work right here. - */ -- - SWITCH_TO_USER_CR3_STACK scratch_reg=%rdi - - /* Restore RDI. */ -@@ -704,6 +711,13 @@ native_irq_return_ldt: - SWAPGS /* to kernel GS */ - SWITCH_TO_KERNEL_CR3 scratch_reg=%rdi /* to kernel CR3 */ - -+ /* -+ * There is no point in disabling Indirect Branch Speculation -+ * here as this is going to return to user space immediately -+ * after fixing ESPFIX stack. There is no vulnerable code -+ * to protect so spare two MSR writes. -+ */ -+ - movq PER_CPU_VAR(espfix_waddr), %rdi - movq %rax, (0*8)(%rdi) /* user RAX */ - movq (1*8)(%rsp), %rax /* user RIP */ -@@ -850,6 +864,8 @@ ENTRY(switch_to_thread_stack) - SWITCH_TO_KERNEL_CR3 scratch_reg=%rdi - movq %rsp, %rdi - movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp -+ /* Restrict Indirect Branch Speculation */ -+ RESTRICT_IB_SPEC - UNWIND_HINT sp_offset=16 sp_reg=ORC_REG_DI - - pushq 7*8(%rdi) /* regs->ss */ -@@ -1170,6 +1186,8 @@ ENTRY(paranoid_entry) - - 1: - SAVE_AND_SWITCH_TO_KERNEL_CR3 scratch_reg=%rax save_reg=%r14 -+ /* Restrict Indirect Branch speculation */ -+ RESTRICT_IB_SPEC_SAVE_AND_CLOBBER save_reg=%r13d - /* - * The above SAVE_AND_SWITCH_TO_KERNEL_CR3 macro doesn't do an - * unconditional CR3 write, even in the PTI case. So do an lfence -@@ -1199,6 +1217,8 @@ ENTRY(paranoid_exit) - testl %ebx, %ebx /* swapgs needed? */ - jnz .Lparanoid_exit_no_swapgs - TRACE_IRQS_IRETQ -+ /* Restore Indirect Branch Speculation to the previous state */ -+ RESTORE_IB_SPEC_CLOBBER save_reg=%r13d - RESTORE_CR3 scratch_reg=%rbx save_reg=%r14 - SWAPGS_UNSAFE_STACK - jmp .Lparanoid_exit_restore -@@ -1228,6 +1248,8 @@ ENTRY(error_entry) - FENCE_SWAPGS_USER_ENTRY - /* We have user CR3. Change to kernel CR3. */ - SWITCH_TO_KERNEL_CR3 scratch_reg=%rax -+ /* Restrict Indirect Branch Speculation */ -+ RESTRICT_IB_SPEC_CLOBBER - - .Lerror_entry_from_usermode_after_swapgs: - /* Put us onto the real thread stack. */ -@@ -1277,6 +1299,8 @@ ENTRY(error_entry) - SWAPGS - FENCE_SWAPGS_USER_ENTRY - SWITCH_TO_KERNEL_CR3 scratch_reg=%rax -+ /* Restrict Indirect Branch Speculation */ -+ RESTRICT_IB_SPEC_CLOBBER - jmp .Lerror_entry_done - - .Lbstep_iret: -@@ -1292,6 +1316,8 @@ ENTRY(error_entry) - SWAPGS - FENCE_SWAPGS_USER_ENTRY - SWITCH_TO_KERNEL_CR3 scratch_reg=%rax -+ /* Restrict Indirect Branch Speculation */ -+ RESTRICT_IB_SPEC - - /* - * Pretend that the exception came from user mode: set up pt_regs -@@ -1386,6 +1412,10 @@ ENTRY(nmi) - SWITCH_TO_KERNEL_CR3 scratch_reg=%rdx - movq %rsp, %rdx - movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp -+ -+ /* Restrict Indirect Branch Speculation */ -+ RESTRICT_IB_SPEC -+ - UNWIND_HINT_IRET_REGS base=%rdx offset=8 - pushq 5*8(%rdx) /* pt_regs->ss */ - pushq 4*8(%rdx) /* pt_regs->rsp */ -@@ -1620,6 +1650,9 @@ end_repeat_nmi: - movq $-1, %rsi - call do_nmi - -+ /* Restore Indirect Branch speculation to the previous state */ -+ RESTORE_IB_SPEC_CLOBBER save_reg=%r13d -+ - RESTORE_CR3 scratch_reg=%r15 save_reg=%r14 - - testl %ebx, %ebx /* swapgs needed? */ ---- a/arch/x86/entry/entry_64_compat.S -+++ b/arch/x86/entry/entry_64_compat.S -@@ -53,6 +53,8 @@ ENTRY(entry_SYSENTER_compat) - SWITCH_TO_KERNEL_CR3 scratch_reg=%rsp - - movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp -+ /* Restrict Indirect Branch Speculation */ -+ RESTRICT_IB_SPEC - - /* - * User tracing code (ptrace or signal handlers) might assume that -@@ -243,12 +245,18 @@ GLOBAL(entry_SYSCALL_compat_after_hwfram - pushq $0 /* pt_regs->r15 = 0 */ - xorl %r15d, %r15d /* nospec r15 */ - -- /* -- * User mode is traced as though IRQs are on, and SYSENTER -+ /* Restrict Indirect Branch Speculation. All registers are saved already */ -+ RESTRICT_IB_SPEC_CLOBBER -+ -+ /* User mode is traced as though IRQs are on, and SYSENTER - * turned them off. - */ - TRACE_IRQS_OFF - -+ /* -+ * We just saved %rdi so it is safe to clobber. It is not -+ * preserved during the C calls inside TRACE_IRQS_OFF anyway. -+ */ - movq %rsp, %rdi - call do_fast_syscall_32 - /* XEN PV guests always use IRET path */ -@@ -258,6 +266,15 @@ GLOBAL(entry_SYSCALL_compat_after_hwfram - /* Opportunistic SYSRET */ - sysret32_from_system_call: - TRACE_IRQS_ON /* User mode traces as IRQs on. */ -+ -+ /* -+ * Unrestrict Indirect Branch Speculation. This is safe to do here -+ * because there are no indirect branches between here and the -+ * return to userspace (sysretl). -+ * Clobber of %rax, %rcx, %rdx is OK before register restoring. -+ */ -+ UNRESTRICT_IB_SPEC_CLOBBER -+ - movq RBX(%rsp), %rbx /* pt_regs->rbx */ - movq RBP(%rsp), %rbp /* pt_regs->rbp */ - movq EFLAGS(%rsp), %r11 /* pt_regs->flags (in r11) */ diff --git a/patches.suse/x86-entry-Add-kernel-IBRS-implementation.patch b/patches.suse/x86-entry-Add-kernel-IBRS-implementation.patch deleted file mode 100644 index b7ed0fc..0000000 --- a/patches.suse/x86-entry-Add-kernel-IBRS-implementation.patch +++ /dev/null @@ -1,126 +0,0 @@ -From: Peter Zijlstra -Date: Tue, 14 Jun 2022 23:15:53 +0200 -Subject: x86/entry: Add kernel IBRS implementation -Git-commit: 2dbb887e875b1de3ca8f40ddf26bcfe55798c609 -Patch-mainline: Queued in tip for 5.19 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git -References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 - -Implement Kernel IBRS - currently the only known option to mitigate RSB -underflow speculation issues on Skylake hardware. - -Note: since IBRS_ENTER requires fuller context established than -UNTRAIN_RET, it must be placed after it. However, since UNTRAIN_RET -itself implies a RET, it must come after IBRS_ENTER. This means -IBRS_ENTER needs to also move UNTRAIN_RET. - -Note 2: KERNEL_IBRS is sub-optimal for XenPV. - -Signed-off-by: Peter Zijlstra (Intel) -Signed-off-by: Borislav Petkov -Reviewed-by: Josh Poimboeuf - - [ bp: Use the IBRS implementation which is already present in the SLE kernel ] - -Signed-off-by: Borislav Petkov ---- - arch/x86/entry/entry_64.S | 14 ++++++++------ - arch/x86/entry/entry_64_compat.S | 8 ++++---- - 2 files changed, 12 insertions(+), 10 deletions(-) - ---- a/arch/x86/entry/entry_64_compat.S -+++ b/arch/x86/entry/entry_64_compat.S -@@ -3,7 +3,6 @@ - * - * Copyright 2000-2002 Andi Kleen, SuSE Labs. - */ --#include "calling.h" - #include - #include - #include -@@ -17,6 +16,8 @@ - #include - #include - -+#include "calling.h" -+ - .section .entry.text, "ax" - - /* -@@ -54,8 +55,6 @@ ENTRY(entry_SYSENTER_compat) - SWITCH_TO_KERNEL_CR3 scratch_reg=%rsp - - movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp -- /* Restrict Indirect Branch Speculation */ -- RESTRICT_IB_SPEC - - /* - * User tracing code (ptrace or signal handlers) might assume that -@@ -108,6 +107,8 @@ ENTRY(entry_SYSENTER_compat) - xorl %r15d, %r15d /* nospec r15 */ - cld - -+ -+ RESTRICT_IB_SPEC - UNTRAIN_RET - - /* -@@ -250,7 +251,6 @@ GLOBAL(entry_SYSCALL_compat_after_hwfram - - /* Restrict Indirect Branch Speculation. All registers are saved already */ - RESTRICT_IB_SPEC_CLOBBER -- - UNTRAIN_RET - - /* User mode is traced as though IRQs are on, and SYSENTER ---- a/arch/x86/entry/entry_64.S -+++ b/arch/x86/entry/entry_64.S -@@ -215,8 +215,6 @@ ENTRY(entry_SYSCALL_64) - */ - movq %rsp, PER_CPU_VAR(rsp_scratch) - movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp -- /* Restrict Indirect Branch Speculation */ -- RESTRICT_IB_SPEC - - /* Construct struct pt_regs on stack */ - pushq $__USER_DS /* pt_regs->ss */ -@@ -234,6 +232,9 @@ GLOBAL(entry_SYSCALL_64_after_hwframe) - /* IRQs are off. */ - movq %rsp, %rdi - -+ /* Restrict Indirect Branch Speculation */ -+ RESTRICT_IB_SPEC -+ - UNTRAIN_RET - - call do_syscall_64 /* returns with IRQs disabled */ -@@ -1192,6 +1193,7 @@ ENTRY(paranoid_entry) - SAVE_AND_SWITCH_TO_KERNEL_CR3 scratch_reg=%rax save_reg=%r14 - /* Restrict Indirect Branch speculation */ - RESTRICT_IB_SPEC_SAVE_AND_CLOBBER save_reg=%r13d -+ UNTRAIN_RET - /* - * The above SAVE_AND_SWITCH_TO_KERNEL_CR3 macro doesn't do an - * unconditional CR3 write, even in the PTI case. So do an lfence -@@ -1420,10 +1422,6 @@ ENTRY(nmi) - movq %rsp, %rdx - movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp - -- /* Restrict Indirect Branch Speculation */ -- RESTRICT_IB_SPEC -- UNTRAIN_RET -- - UNWIND_HINT_IRET_REGS base=%rdx offset=8 - pushq 5*8(%rdx) /* pt_regs->ss */ - pushq 4*8(%rdx) /* pt_regs->rsp */ -@@ -1435,6 +1433,10 @@ ENTRY(nmi) - PUSH_AND_CLEAR_REGS rdx=(%rdx) - ENCODE_FRAME_POINTER - -+ /* Restrict Indirect Branch Speculation */ -+ RESTRICT_IB_SPEC -+ UNTRAIN_RET -+ - /* - * At this point we no longer need to worry about stack damage - * due to nesting -- we're on the normal thread stack and we're diff --git a/patches.suse/x86-entry-add-kernel-ibrs-implementation.patch b/patches.suse/x86-entry-add-kernel-ibrs-implementation.patch new file mode 100644 index 0000000..1349577 --- /dev/null +++ b/patches.suse/x86-entry-add-kernel-ibrs-implementation.patch @@ -0,0 +1,323 @@ +From: Peter Zijlstra +Date: Tue, 14 Jun 2022 23:15:53 +0200 +Subject: x86/entry: Add kernel IBRS implementation +Git-commit: 2dbb887e875b1de3ca8f40ddf26bcfe55798c609 +Patch-mainline: v5.19-rc7 +References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 + +Implement Kernel IBRS - currently the only known option to mitigate RSB +underflow speculation issues on Skylake hardware. + +Note: since IBRS_ENTER requires fuller context established than +UNTRAIN_RET, it must be placed after it. However, since UNTRAIN_RET +itself implies a RET, it must come after IBRS_ENTER. This means +IBRS_ENTER needs to also move UNTRAIN_RET. + +Note 2: KERNEL_IBRS is sub-optimal for XenPV. + +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Borislav Petkov +Reviewed-by: Josh Poimboeuf +Signed-off-by: Borislav Petkov +--- + arch/x86/entry/calling.h | 58 +++++++++++++++++++++++++++++++++++++ + arch/x86/entry/entry_64.S | 41 ++++++++++++++++++++++++-- + arch/x86/entry/entry_64_compat.S | 12 +++++-- + arch/x86/include/asm/cpufeatures.h | 2 - + 4 files changed, 106 insertions(+), 7 deletions(-) + +--- a/arch/x86/entry/calling.h ++++ b/arch/x86/entry/calling.h +@@ -5,6 +5,8 @@ + #include + #include + #include ++#include ++#include + + /* + +@@ -336,6 +338,62 @@ For 32-bit we have the following convent + #endif + + /* ++ * IBRS kernel mitigation for Spectre_v2. ++ * ++ * Assumes full context is established (PUSH_REGS, CR3 and GS) and it clobbers ++ * the regs it uses (AX, CX, DX). Must be called before the first RET ++ * instruction (NOTE! UNTRAIN_RET includes a RET instruction) ++ * ++ * The optional argument is used to save/restore the current value, ++ * which is used on the paranoid paths. ++ * ++ * Assumes x86_spec_ctrl_{base,current} to have SPEC_CTRL_IBRS set. ++ */ ++.macro IBRS_ENTER save_reg ++ ALTERNATIVE "jmp .Lend_\@", "", X86_FEATURE_KERNEL_IBRS ++ movl $MSR_IA32_SPEC_CTRL, %ecx ++ ++.ifnb \save_reg ++ rdmsr ++ shl $32, %rdx ++ or %rdx, %rax ++ mov %rax, \save_reg ++ test $SPEC_CTRL_IBRS, %eax ++ jz .Ldo_wrmsr_\@ ++ lfence ++ jmp .Lend_\@ ++.Ldo_wrmsr_\@: ++.endif ++ ++ movq PER_CPU_VAR(x86_spec_ctrl_current), %rdx ++ movl %edx, %eax ++ shr $32, %rdx ++ wrmsr ++.Lend_\@: ++.endm ++ ++/* ++ * Similar to IBRS_ENTER, requires KERNEL GS,CR3 and clobbers (AX, CX, DX) ++ * regs. Must be called after the last RET. ++ */ ++.macro IBRS_EXIT save_reg ++ ALTERNATIVE "jmp .Lend_\@", "", X86_FEATURE_KERNEL_IBRS ++ movl $MSR_IA32_SPEC_CTRL, %ecx ++ ++.ifnb \save_reg ++ mov \save_reg, %rdx ++.else ++ movq PER_CPU_VAR(x86_spec_ctrl_current), %rdx ++ andl $(~SPEC_CTRL_IBRS), %edx ++.endif ++ ++ movl %edx, %eax ++ shr $32, %rdx ++ wrmsr ++.Lend_\@: ++.endm ++ ++/* + * Mitigate Spectre v1 for conditional swapgs code paths. + * + * FENCE_SWAPGS_USER_ENTRY is used in the user entry swapgs code path, to +--- a/arch/x86/entry/entry_64_compat.S ++++ b/arch/x86/entry/entry_64_compat.S +@@ -3,7 +3,6 @@ + * + * Copyright 2000-2002 Andi Kleen, SuSE Labs. + */ +-#include "calling.h" + #include + #include + #include +@@ -17,6 +16,8 @@ + #include + #include + ++#include "calling.h" ++ + .section .entry.text, "ax" + + /* +@@ -106,6 +107,7 @@ ENTRY(entry_SYSENTER_compat) + xorl %r15d, %r15d /* nospec r15 */ + cld + ++ IBRS_ENTER + UNTRAIN_RET + + /* +@@ -252,6 +254,9 @@ GLOBAL(entry_SYSCALL_compat_after_hwfram + */ + TRACE_IRQS_OFF + ++ IBRS_ENTER ++ UNTRAIN_RET ++ + movq %rsp, %rdi + call do_fast_syscall_32 + /* XEN PV guests always use IRET path */ +@@ -261,6 +266,8 @@ GLOBAL(entry_SYSCALL_compat_after_hwfram + /* Opportunistic SYSRET */ + sysret32_from_system_call: + TRACE_IRQS_ON /* User mode traces as IRQs on. */ ++ IBRS_EXIT ++ + movq RBX(%rsp), %rbx /* pt_regs->rbx */ + movq RBP(%rsp), %rbp /* pt_regs->rbp */ + movq EFLAGS(%rsp), %r11 /* pt_regs->flags (in r11) */ +@@ -321,8 +328,6 @@ ENTRY(switch_to_thread_stack_compat) + ALTERNATIVE "movq %rsp, %rdi", "jmp .Lcompat_keep_stack", X86_FEATURE_XENPV + movq %rsp, %rdi + movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp +- /* Restrict Indirect Branch Speculation */ +- RESTRICT_IB_SPEC + UNWIND_HINT sp_offset=16 sp_reg=ORC_REG_DI + + pushq 7*8(%rdi) /* regs->ss */ +@@ -419,6 +424,7 @@ ENTRY(entry_INT80_compat) + */ + TRACE_IRQS_OFF + ++ IBRS_ENTER + UNTRAIN_RET + + movq %rsp, %rdi +--- a/arch/x86/entry/entry_64.S ++++ b/arch/x86/entry/entry_64.S +@@ -230,6 +230,8 @@ GLOBAL(entry_SYSCALL_64_after_hwframe) + /* IRQs are off. */ + movq %rsp, %rdi + ++ /* clobbers %rax, make sure it is after saving the syscall nr */ ++ IBRS_ENTER + UNTRAIN_RET + + call do_syscall_64 /* returns with IRQs disabled */ +@@ -302,6 +304,7 @@ GLOBAL(entry_SYSCALL_64_after_hwframe) + * perf profiles. Nothing jumps here. + */ + syscall_return_via_sysret: ++ IBRS_EXIT + POP_REGS pop_rdi=0 + + /* +@@ -554,6 +557,9 @@ END(irq_entries_start) + */ + TRACE_IRQS_OFF + ++ IBRS_ENTER ++ UNTRAIN_RET ++ + CALL_enter_from_user_mode + + 1: +@@ -590,6 +596,7 @@ GLOBAL(retint_user) + TRACE_IRQS_IRETQ + + GLOBAL(swapgs_restore_regs_and_return_to_usermode) ++ IBRS_EXIT + #ifdef CONFIG_DEBUG_ENTRY + /* Assert that pt_regs indicates user mode. */ + testb $3, CS(%rsp) +@@ -1160,6 +1167,8 @@ idtentry machine_check do_mce has_err + * Save all registers in pt_regs, and switch gs if needed. + * Use slow, but surefire "are we in kernel?" check. + * Return: ebx=0: need swapgs on exit, ebx=1: otherwise ++ * R14 - old CR3 ++ * R15 - old SPEC_CTRL + */ + ENTRY(paranoid_entry) + UNWIND_HINT_FUNC +@@ -1173,7 +1182,6 @@ ENTRY(paranoid_entry) + js 1f /* negative -> in kernel */ + SWAPGS + xorl %ebx, %ebx +- + 1: + SAVE_AND_SWITCH_TO_KERNEL_CR3 scratch_reg=%rax save_reg=%r14 + /* +@@ -1183,7 +1191,14 @@ ENTRY(paranoid_entry) + */ + FENCE_SWAPGS_KERNEL_ENTRY + +- ret ++ /* ++ * Once we have CR3 and %GS setup save and set SPEC_CTRL. Just like ++ * CR3 above, keep the old value in a callee saved register. ++ */ ++ IBRS_ENTER save_reg=%r15 ++ UNTRAIN_RET ++ ++ RET + END(paranoid_entry) + + /* +@@ -1197,9 +1212,19 @@ END(paranoid_entry) + * to try to handle preemption here. + * + * On entry, ebx is "no swapgs" flag (1: don't need swapgs, 0: need it) ++ * ++ * R14 - old CR3 ++ * R15 - old SPEC_CTRL + */ + ENTRY(paranoid_exit) + UNWIND_HINT_REGS ++ ++ /* ++ * Must restore IBRS state before both CR3 and %GS since we need access ++ * to the per-CPU x86_spec_ctrl_shadow variable. ++ */ ++ IBRS_EXIT save_reg=%r15 ++ + DISABLE_INTERRUPTS(CLBR_ANY) + TRACE_IRQS_OFF_DEBUG + testl %ebx, %ebx /* swapgs needed? */ +@@ -1234,9 +1259,11 @@ ENTRY(error_entry) + FENCE_SWAPGS_USER_ENTRY + /* We have user CR3. Change to kernel CR3. */ + SWITCH_TO_KERNEL_CR3 scratch_reg=%rax ++ IBRS_ENTER + UNTRAIN_RET + + .Lerror_entry_from_usermode_after_swapgs: ++ + /* Put us onto the real thread stack. */ + popq %r12 /* save return addr in %12 */ + movq %rsp, %rdi /* arg0 = pt_regs pointer */ +@@ -1284,6 +1311,7 @@ ENTRY(error_entry) + SWAPGS + FENCE_SWAPGS_USER_ENTRY + SWITCH_TO_KERNEL_CR3 scratch_reg=%rax ++ IBRS_ENTER + UNTRAIN_RET + jmp .Lerror_entry_done + +@@ -1300,6 +1328,8 @@ ENTRY(error_entry) + SWAPGS + FENCE_SWAPGS_USER_ENTRY + SWITCH_TO_KERNEL_CR3 scratch_reg=%rax ++ IBRS_ENTER ++ UNTRAIN_RET + + /* + * Pretend that the exception came from user mode: set up pt_regs +@@ -1376,7 +1406,6 @@ ENTRY(nmi) + + testb $3, CS-RIP+8(%rsp) + jz .Lnmi_from_kernel +- UNTRAIN_RET + + /* + * NMI from user mode. We need to run on the thread stack, but we +@@ -1406,6 +1435,9 @@ ENTRY(nmi) + PUSH_AND_CLEAR_REGS rdx=(%rdx) + ENCODE_FRAME_POINTER + ++ IBRS_ENTER ++ UNTRAIN_RET ++ + /* + * At this point we no longer need to worry about stack damage + * due to nesting -- we're on the normal thread stack and we're +@@ -1629,6 +1661,9 @@ end_repeat_nmi: + movq $-1, %rsi + call do_nmi + ++ /* Always restore stashed SPEC_CTRL value (see paranoid_entry) */ ++ IBRS_EXIT save_reg=%r15 ++ + RESTORE_CR3 scratch_reg=%r15 save_reg=%r14 + + testl %ebx, %ebx /* swapgs needed? */ +--- a/arch/x86/include/asm/cpufeatures.h ++++ b/arch/x86/include/asm/cpufeatures.h +@@ -203,7 +203,7 @@ + #define X86_FEATURE_PROC_FEEDBACK ( 7*32+ 9) /* AMD ProcFeedbackInterface */ + #define X86_FEATURE_SME ( 7*32+10) /* AMD Secure Memory Encryption */ + #define X86_FEATURE_PTI ( 7*32+11) /* Kernel Page Table Isolation enabled */ +-/* FREE! ( 7*32+12) */ ++#define X86_FEATURE_KERNEL_IBRS ( 7*32+12) /* "" Set/clear IBRS on kernel entry/exit */ + /* FREE! ( 7*32+13) */ + #define X86_FEATURE_INTEL_PPIN ( 7*32+14) /* Intel Processor Inventory Number */ + #define X86_FEATURE_CDP_L2 ( 7*32+15) /* Code and Data Prioritization L2 */ diff --git a/patches.suse/x86-entry-remove-skip_r11rcx.patch b/patches.suse/x86-entry-remove-skip_r11rcx.patch new file mode 100644 index 0000000..3514a90 --- /dev/null +++ b/patches.suse/x86-entry-remove-skip_r11rcx.patch @@ -0,0 +1,64 @@ +From: Peter Zijlstra +Date: Fri, 6 May 2022 14:14:35 +0200 +Subject: x86/entry: Remove skip_r11rcx +Git-commit: 1b331eeea7b8676fc5dbdf80d0a07e41be226177 +Patch-mainline: v5.19-rc1 +References: bsc#1201644 + +Yes, r11 and rcx have been restored previously, but since they're being +popped anyway (into rsi) might as well pop them into their own regs -- +setting them to the value they already are. + +Less magical code. + +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Borislav Petkov +Link: https://lore.kernel.org/r/20220506121631.365070674@infradead.org +--- + arch/x86/entry/calling.h | 10 +--------- + arch/x86/entry/entry_64.S | 3 +-- + 2 files changed, 2 insertions(+), 11 deletions(-) + +--- a/arch/x86/entry/calling.h ++++ b/arch/x86/entry/calling.h +@@ -153,27 +153,19 @@ For 32-bit we have the following convent + + .endm + +-.macro POP_REGS pop_rdi=1 skip_r11rcx=0 ++.macro POP_REGS pop_rdi=1 + popq %r15 + popq %r14 + popq %r13 + popq %r12 + popq %rbp + popq %rbx +- .if \skip_r11rcx +- popq %rsi +- .else + popq %r11 +- .endif + popq %r10 + popq %r9 + popq %r8 + popq %rax +- .if \skip_r11rcx +- popq %rsi +- .else + popq %rcx +- .endif + popq %rdx + popq %rsi + .if \pop_rdi +--- a/arch/x86/entry/entry_64.S ++++ b/arch/x86/entry/entry_64.S +@@ -299,8 +299,7 @@ GLOBAL(entry_SYSCALL_64_after_hwframe) + * perf profiles. Nothing jumps here. + */ + syscall_return_via_sysret: +- /* rcx and r11 are already restored (see code above) */ +- POP_REGS pop_rdi=0 skip_r11rcx=1 ++ POP_REGS pop_rdi=0 + + /* + * Now all regs are restored except RSP and RDI. diff --git a/patches.suse/x86-kexec-Disable-RET-on-kexec.patch b/patches.suse/x86-kexec-Disable-RET-on-kexec.patch deleted file mode 100644 index f4455be..0000000 --- a/patches.suse/x86-kexec-Disable-RET-on-kexec.patch +++ /dev/null @@ -1,144 +0,0 @@ -From: Konrad Rzeszutek Wilk -Date: Fri, 8 Jul 2022 19:10:11 +0200 -Subject: [PATCH] x86/kexec: Disable RET on kexec -Git-commit: 4c5d5e03fbcc1ebfee05498edc7b47915921c76c -Patch-mainline: Queued in tip for 5.19 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git -References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 - -All the invocations unroll to __x86_return_thunk and this file -must be PIC independent. - -This fixes kexec on 64-bit AMD boxes. - -Reported-by: Edward Tran -Reported-by: Awais Tanveer -Suggested-by: Ankur Arora -Signed-off-by: Konrad Rzeszutek Wilk -Signed-off-by: Alexandre Chartre -Signed-off-by: Borislav Petkov ---- - arch/x86/kernel/relocate_kernel_32.S | 16 +++++++++++----- - arch/x86/kernel/relocate_kernel_64.S | 18 ++++++++++++------ - 2 files changed, 23 insertions(+), 11 deletions(-) - ---- a/arch/x86/kernel/relocate_kernel_32.S -+++ b/arch/x86/kernel/relocate_kernel_32.S -@@ -12,7 +12,8 @@ - #include - - /* -- * Must be relocatable PIC code callable as a C function -+ * Must be relocatable PIC code callable as a C function, in particular -+ * there must be a plain RET and not jump to return thunk. - */ - - #define PTR(x) (x << 2) -@@ -94,7 +95,8 @@ relocate_kernel: - movl %edi, %eax - addl $(identity_mapped - relocate_kernel), %eax - pushl %eax -- RET -+ ret -+ int3 - - identity_mapped: - /* set return address to 0 if not preserving context */ -@@ -161,12 +163,14 @@ identity_mapped: - xorl %edx, %edx - xorl %esi, %esi - xorl %ebp, %ebp -- RET -+ ret -+ int3 - 1: - popl %edx - movl CP_PA_SWAP_PAGE(%edi), %esp - addl $PAGE_SIZE, %esp - 2: -+ ANNOTATE_RETPOLINE_SAFE - call *%edx - - /* get the re-entry point of the peer system */ -@@ -209,7 +213,8 @@ virtual_mapped: - popl %edi - popl %esi - popl %ebx -- RET -+ ret -+ int3 - - /* Do the copies */ - swap_pages: -@@ -271,7 +276,8 @@ swap_pages: - popl %edi - popl %ebx - popl %ebp -- RET -+ ret -+ int3 - - .globl kexec_control_code_size - .set kexec_control_code_size, . - relocate_kernel ---- a/arch/x86/kernel/relocate_kernel_64.S -+++ b/arch/x86/kernel/relocate_kernel_64.S -@@ -13,7 +13,8 @@ - #include - - /* -- * Must be relocatable PIC code callable as a C function -+ * Must be relocatable PIC code callable as a C function, in particular -+ * there must be a plain RET and not jump to return thunk. - */ - - #define PTR(x) (x << 3) -@@ -104,7 +105,8 @@ relocate_kernel: - /* jump to identity mapped page */ - addq $(identity_mapped - relocate_kernel), %r8 - pushq %r8 -- RET -+ ret -+ int3 - - identity_mapped: - /* set return address to 0 if not preserving context */ -@@ -189,7 +191,8 @@ identity_mapped: - xorl %r14d, %r14d - xorl %r15d, %r15d - -- RET -+ ret -+ int3 - - 1: - popq %rdx -@@ -210,7 +213,8 @@ identity_mapped: - call swap_pages - movq $virtual_mapped, %rax - pushq %rax -- RET -+ ret -+ int3 - - virtual_mapped: - movq RSP(%r8), %rsp -@@ -229,7 +233,8 @@ virtual_mapped: - popq %r12 - popq %rbp - popq %rbx -- RET -+ ret -+ int3 - - /* Do the copies */ - swap_pages: -@@ -284,7 +289,8 @@ swap_pages: - lea PAGE_SIZE(%rax), %rsi - jmp 0b - 3: -- RET -+ ret -+ int3 - - .globl kexec_control_code_size - .set kexec_control_code_size, . - relocate_kernel diff --git a/patches.suse/x86-kexec-disable-ret-on-kexec.patch b/patches.suse/x86-kexec-disable-ret-on-kexec.patch new file mode 100644 index 0000000..a45ad18 --- /dev/null +++ b/patches.suse/x86-kexec-disable-ret-on-kexec.patch @@ -0,0 +1,149 @@ +From: Konrad Rzeszutek Wilk +Date: Fri, 8 Jul 2022 19:10:11 +0200 +Subject: x86/kexec: Disable RET on kexec +Git-commit: 697977d8415d61f3acbc4ee6d564c9dcf0309507 +Patch-mainline: v5.19-rc7 +References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 + +All the invocations unroll to __x86_return_thunk and this file +must be PIC independent. + +This fixes kexec on 64-bit AMD boxes. + + [ bp: Fix 32-bit build. ] + +Reported-by: Edward Tran +Reported-by: Awais Tanveer +Suggested-by: Ankur Arora +Signed-off-by: Konrad Rzeszutek Wilk +Signed-off-by: Alexandre Chartre +Signed-off-by: Borislav Petkov +--- + arch/x86/kernel/relocate_kernel_32.S | 17 ++++++++++++----- + arch/x86/kernel/relocate_kernel_64.S | 18 ++++++++++++------ + 2 files changed, 24 insertions(+), 11 deletions(-) + +--- a/arch/x86/kernel/relocate_kernel_32.S ++++ b/arch/x86/kernel/relocate_kernel_32.S +@@ -9,10 +9,12 @@ + #include + #include + #include ++#include + #include + + /* +- * Must be relocatable PIC code callable as a C function ++ * Must be relocatable PIC code callable as a C function, in particular ++ * there must be a plain RET and not jump to return thunk. + */ + + #define PTR(x) (x << 2) +@@ -94,7 +96,8 @@ relocate_kernel: + movl %edi, %eax + addl $(identity_mapped - relocate_kernel), %eax + pushl %eax +- RET ++ ret ++ int3 + + identity_mapped: + /* set return address to 0 if not preserving context */ +@@ -161,12 +164,14 @@ identity_mapped: + xorl %edx, %edx + xorl %esi, %esi + xorl %ebp, %ebp +- RET ++ ret ++ int3 + 1: + popl %edx + movl CP_PA_SWAP_PAGE(%edi), %esp + addl $PAGE_SIZE, %esp + 2: ++ ANNOTATE_RETPOLINE_SAFE + call *%edx + + /* get the re-entry point of the peer system */ +@@ -209,7 +214,8 @@ virtual_mapped: + popl %edi + popl %esi + popl %ebx +- RET ++ ret ++ int3 + + /* Do the copies */ + swap_pages: +@@ -271,7 +277,8 @@ swap_pages: + popl %edi + popl %ebx + popl %ebp +- RET ++ ret ++ int3 + + .globl kexec_control_code_size + .set kexec_control_code_size, . - relocate_kernel +--- a/arch/x86/kernel/relocate_kernel_64.S ++++ b/arch/x86/kernel/relocate_kernel_64.S +@@ -13,7 +13,8 @@ + #include + + /* +- * Must be relocatable PIC code callable as a C function ++ * Must be relocatable PIC code callable as a C function, in particular ++ * there must be a plain RET and not jump to return thunk. + */ + + #define PTR(x) (x << 3) +@@ -104,7 +105,8 @@ relocate_kernel: + /* jump to identity mapped page */ + addq $(identity_mapped - relocate_kernel), %r8 + pushq %r8 +- RET ++ ret ++ int3 + + identity_mapped: + /* set return address to 0 if not preserving context */ +@@ -189,7 +191,8 @@ identity_mapped: + xorl %r14d, %r14d + xorl %r15d, %r15d + +- RET ++ ret ++ int3 + + 1: + popq %rdx +@@ -210,7 +213,8 @@ identity_mapped: + call swap_pages + movq $virtual_mapped, %rax + pushq %rax +- RET ++ ret ++ int3 + + virtual_mapped: + movq RSP(%r8), %rsp +@@ -229,7 +233,8 @@ virtual_mapped: + popq %r12 + popq %rbp + popq %rbx +- RET ++ ret ++ int3 + + /* Do the copies */ + swap_pages: +@@ -284,7 +289,8 @@ swap_pages: + lea PAGE_SIZE(%rax), %rsi + jmp 0b + 3: +- RET ++ ret ++ int3 + + .globl kexec_control_code_size + .set kexec_control_code_size, . - relocate_kernel diff --git a/patches.suse/x86-kvm-Fix-SETcc-emulation-for-return-thunks.patch b/patches.suse/x86-kvm-Fix-SETcc-emulation-for-return-thunks.patch index ab5d1ba..3fb3fdd 100644 --- a/patches.suse/x86-kvm-Fix-SETcc-emulation-for-return-thunks.patch +++ b/patches.suse/x86-kvm-Fix-SETcc-emulation-for-return-thunks.patch @@ -2,8 +2,7 @@ From: Peter Zijlstra Date: Tue, 14 Jun 2022 23:15:42 +0200 Subject: x86/kvm: Fix SETcc emulation for return thunks Git-commit: af2e140f34208a5dfb6b7a8ad2d56bda88f0524d -Patch-mainline: Queued in tip for 5.19 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: v5.19-rc4 References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 Prepare the SETcc fastop stuff for when RET can be larger still. diff --git a/patches.suse/x86-microcode-amd-increase-microcode-patch_max_size.patch b/patches.suse/x86-microcode-amd-increase-microcode-patch_max_size.patch index 5d25ab8..7e3373b 100644 --- a/patches.suse/x86-microcode-amd-increase-microcode-patch_max_size.patch +++ b/patches.suse/x86-microcode-amd-increase-microcode-patch_max_size.patch @@ -1,9 +1,8 @@ From: John Allen Date: Thu, 9 Apr 2020 10:34:29 -0500 Subject: x86/microcode/AMD: Increase microcode PATCH_MAX_SIZE -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git Git-commit: bdf89df3c54518eed879d8fac7577fcfb220c67e -Patch-mainline: queued for 5.7-rc2 +Patch-mainline: v5.7-rc2 References: bsc#1169005 Future AMD CPUs will have microcode patches that exceed the default 4K diff --git a/patches.suse/x86-prepare-asm-files-for-straight-line-speculation.patch b/patches.suse/x86-prepare-asm-files-for-straight-line-speculation.patch index 85d8d2c..a75f33b 100644 --- a/patches.suse/x86-prepare-asm-files-for-straight-line-speculation.patch +++ b/patches.suse/x86-prepare-asm-files-for-straight-line-speculation.patch @@ -20,23 +20,27 @@ Link: https://lore.kernel.org/r/20211204134907.905503893@infradead.org --- arch/x86/boot/compressed/efi_thunk_64.S | 2 - arch/x86/boot/compressed/mem_encrypt.S | 4 +- + arch/x86/crypto/aes-x86_64-asm_64.S | 2 - arch/x86/crypto/aes_ctrby8_avx-x86_64.S | 2 - arch/x86/crypto/aesni-intel_asm.S | 42 +++++++++++++-------------- arch/x86/crypto/blowfish-x86_64-asm_64.S | 12 +++---- - arch/x86/crypto/camellia-aesni-avx-asm_64.S | 14 ++++----- - arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 14 ++++----- + arch/x86/crypto/camellia-aesni-avx-asm_64.S | 18 +++++------ + arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 18 +++++------ + arch/x86/crypto/camellia-x86_64-asm_64.S | 12 +++---- arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 12 +++---- - arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 10 +++--- + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 16 +++++----- arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 - arch/x86/crypto/crct10dif-pcl-asm_64.S | 2 - arch/x86/crypto/des3_ede-asm_64.S | 4 +- arch/x86/crypto/ghash-clmulni-intel_asm.S | 6 +-- - arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 10 +++--- - arch/x86/crypto/serpent-avx2-asm_64.S | 10 +++--- + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 16 +++++----- + arch/x86/crypto/serpent-avx2-asm_64.S | 16 +++++----- + arch/x86/crypto/serpent-sse2-i586-asm_32.S | 6 +-- + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 6 +-- arch/x86/crypto/sha512-avx-asm.S | 2 - arch/x86/crypto/sha512-avx2-asm.S | 2 - arch/x86/crypto/sha512-ssse3-asm.S | 2 - - arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 10 +++--- + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 16 +++++----- arch/x86/crypto/twofish-i586-asm_32.S | 4 +- arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 6 +-- arch/x86/crypto/twofish-x86_64-asm_64.S | 4 +- @@ -51,6 +55,7 @@ Link: https://lore.kernel.org/r/20211204134907.905503893@infradead.org arch/x86/kernel/verify_cpu.S | 4 +- arch/x86/lib/atomic64_386_32.S | 2 - arch/x86/lib/atomic64_cx8_32.S | 16 +++++----- + arch/x86/lib/checksum_32.S | 8 ++--- arch/x86/lib/cmpxchg8b_emu.S | 4 +- arch/x86/lib/copy_page_64.S | 4 +- arch/x86/lib/copy_user_64.S | 8 ++--- @@ -80,7 +85,7 @@ Link: https://lore.kernel.org/r/20211204134907.905503893@infradead.org arch/x86/um/checksum_32.S | 4 +- arch/x86/um/setjmp_32.S | 2 - arch/x86/um/setjmp_64.S | 2 - - 62 files changed, 193 insertions(+), 193 deletions(-) + 67 files changed, 226 insertions(+), 226 deletions(-) --- a/arch/x86/boot/compressed/efi_thunk_64.S +++ b/arch/x86/boot/compressed/efi_thunk_64.S @@ -315,6 +320,17 @@ Link: https://lore.kernel.org/r/20211204134907.905503893@infradead.org ENDPROC(aesni_xts_decrypt) #endif +--- a/arch/x86/crypto/aes-x86_64-asm_64.S ++++ b/arch/x86/crypto/aes-x86_64-asm_64.S +@@ -77,7 +77,7 @@ + movl r6 ## E,4(r9); \ + movl r7 ## E,8(r9); \ + movl r8 ## E,12(r9); \ +- ret; \ ++ RET; \ + ENDPROC(FUNC); + + #define round(TAB,OFFSET,r1,r2,r3,r4,r5,r6,r7,r8,ra,rb,rc,rd) \ --- a/arch/x86/crypto/blowfish-x86_64-asm_64.S +++ b/arch/x86/crypto/blowfish-x86_64-asm_64.S @@ -150,10 +150,10 @@ ENTRY(__blowfish_enc_blk) @@ -428,6 +444,24 @@ Link: https://lore.kernel.org/r/20211204134907.905503893@infradead.org ENDPROC(camellia_cbc_dec_32way) #define inc_le128(x, minus_one, tmp) \ +@@ -1204,7 +1204,7 @@ ENTRY(camellia_ctr_32way) + vzeroupper; + + FRAME_END +- ret; ++ RET; + ENDPROC(camellia_ctr_32way) + + #define gf128mul_x_ble(iv, mask, tmp) \ +@@ -1371,7 +1371,7 @@ camellia_xts_crypt_32way: + vzeroupper; + + FRAME_END +- ret; ++ RET; + ENDPROC(camellia_xts_crypt_32way) + + ENTRY(camellia_xts_enc_32way) --- a/arch/x86/crypto/camellia-aesni-avx-asm_64.S +++ b/arch/x86/crypto/camellia-aesni-avx-asm_64.S @@ -193,7 +193,7 @@ roundsm16_x0_x1_x2_x3_x4_x5_x6_x7_y0_y1_ @@ -493,6 +527,75 @@ Link: https://lore.kernel.org/r/20211204134907.905503893@infradead.org ENDPROC(camellia_cbc_dec_16way) #define inc_le128(x, minus_one, tmp) \ +@@ -1109,7 +1109,7 @@ ENTRY(camellia_ctr_16way) + %xmm8, %rsi); + + FRAME_END +- ret; ++ RET; + ENDPROC(camellia_ctr_16way) + + #define gf128mul_x_ble(iv, mask, tmp) \ +@@ -1253,7 +1253,7 @@ camellia_xts_crypt_16way: + %xmm8, %rsi); + + FRAME_END +- ret; ++ RET; + ENDPROC(camellia_xts_crypt_16way) + + ENTRY(camellia_xts_enc_16way) +--- a/arch/x86/crypto/camellia-x86_64-asm_64.S ++++ b/arch/x86/crypto/camellia-x86_64-asm_64.S +@@ -228,13 +228,13 @@ ENTRY(__camellia_enc_blk) + enc_outunpack(mov, RT1); + + movq RR12, %r12; +- ret; ++ RET; + + .L__enc_xor: + enc_outunpack(xor, RT1); + + movq RR12, %r12; +- ret; ++ RET; + ENDPROC(__camellia_enc_blk) + + ENTRY(camellia_dec_blk) +@@ -272,7 +272,7 @@ ENTRY(camellia_dec_blk) + dec_outunpack(); + + movq RR12, %r12; +- ret; ++ RET; + ENDPROC(camellia_dec_blk) + + /********************************************************************** +@@ -463,14 +463,14 @@ ENTRY(__camellia_enc_blk_2way) + + movq RR12, %r12; + popq %rbx; +- ret; ++ RET; + + .L__enc2_xor: + enc_outunpack2(xor, RT2); + + movq RR12, %r12; + popq %rbx; +- ret; ++ RET; + ENDPROC(__camellia_enc_blk_2way) + + ENTRY(camellia_dec_blk_2way) +@@ -510,5 +510,5 @@ ENTRY(camellia_dec_blk_2way) + + movq RR12, %r12; + movq RXOR, %rbx; +- ret; ++ RET; + ENDPROC(camellia_dec_blk_2way) --- a/arch/x86/crypto/cast5-avx-x86_64-asm_64.S +++ b/arch/x86/crypto/cast5-avx-x86_64-asm_64.S @@ -294,7 +294,7 @@ __cast5_enc_blk16: @@ -594,6 +697,31 @@ Link: https://lore.kernel.org/r/20211204134907.905503893@infradead.org ENDPROC(cast6_cbc_dec_8way) ENTRY(cast6_ctr_8way) +@@ -453,7 +453,7 @@ ENTRY(cast6_ctr_8way) + popq %r15; + popq %r12; + FRAME_END +- ret; ++ RET; + ENDPROC(cast6_ctr_8way) + + ENTRY(cast6_xts_enc_8way) +@@ -480,7 +480,7 @@ ENTRY(cast6_xts_enc_8way) + + popq %r15; + FRAME_END +- ret; ++ RET; + ENDPROC(cast6_xts_enc_8way) + + ENTRY(cast6_xts_dec_8way) +@@ -507,5 +507,5 @@ ENTRY(cast6_xts_dec_8way) + + popq %r15; + FRAME_END +- ret; ++ RET; + ENDPROC(cast6_xts_dec_8way) --- a/arch/x86/crypto/crc32c-pcl-intel-asm_64.S +++ b/arch/x86/crypto/crc32c-pcl-intel-asm_64.S @@ -310,7 +310,7 @@ do_return: @@ -710,6 +838,31 @@ Link: https://lore.kernel.org/r/20211204134907.905503893@infradead.org ENDPROC(serpent_cbc_dec_16way) ENTRY(serpent_ctr_16way) +@@ -762,7 +762,7 @@ ENTRY(serpent_ctr_16way) + vzeroupper; + + FRAME_END +- ret; ++ RET; + ENDPROC(serpent_ctr_16way) + + ENTRY(serpent_xts_enc_16way) +@@ -788,7 +788,7 @@ ENTRY(serpent_xts_enc_16way) + vzeroupper; + + FRAME_END +- ret; ++ RET; + ENDPROC(serpent_xts_enc_16way) + + ENTRY(serpent_xts_dec_16way) +@@ -814,5 +814,5 @@ ENTRY(serpent_xts_dec_16way) + vzeroupper; + + FRAME_END +- ret; ++ RET; + ENDPROC(serpent_xts_dec_16way) --- a/arch/x86/crypto/serpent-avx-x86_64-asm_64.S +++ b/arch/x86/crypto/serpent-avx-x86_64-asm_64.S @@ -620,7 +620,7 @@ __serpent_enc_blk8_avx: @@ -757,6 +910,80 @@ Link: https://lore.kernel.org/r/20211204134907.905503893@infradead.org ENDPROC(serpent_cbc_dec_8way_avx) ENTRY(serpent_ctr_8way_avx) +@@ -748,7 +748,7 @@ ENTRY(serpent_ctr_8way_avx) + store_ctr_8way(%rdx, %rsi, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2); + + FRAME_END +- ret; ++ RET; + ENDPROC(serpent_ctr_8way_avx) + + ENTRY(serpent_xts_enc_8way_avx) +@@ -770,7 +770,7 @@ ENTRY(serpent_xts_enc_8way_avx) + store_xts_8way(%rsi, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2); + + FRAME_END +- ret; ++ RET; + ENDPROC(serpent_xts_enc_8way_avx) + + ENTRY(serpent_xts_dec_8way_avx) +@@ -792,5 +792,5 @@ ENTRY(serpent_xts_dec_8way_avx) + store_xts_8way(%rsi, RC1, RD1, RB1, RE1, RC2, RD2, RB2, RE2); + + FRAME_END +- ret; ++ RET; + ENDPROC(serpent_xts_dec_8way_avx) +--- a/arch/x86/crypto/serpent-sse2-i586-asm_32.S ++++ b/arch/x86/crypto/serpent-sse2-i586-asm_32.S +@@ -568,12 +568,12 @@ ENTRY(__serpent_enc_blk_4way) + + write_blocks(%eax, RA, RB, RC, RD, RT0, RT1, RE); + +- ret; ++ RET; + + .L__enc_xor4: + xor_blocks(%eax, RA, RB, RC, RD, RT0, RT1, RE); + +- ret; ++ RET; + ENDPROC(__serpent_enc_blk_4way) + + ENTRY(serpent_dec_blk_4way) +@@ -627,5 +627,5 @@ ENTRY(serpent_dec_blk_4way) + movl arg_dst(%esp), %eax; + write_blocks(%eax, RC, RD, RB, RE, RT0, RT1, RA); + +- ret; ++ RET; + ENDPROC(serpent_dec_blk_4way) +--- a/arch/x86/crypto/serpent-sse2-x86_64-asm_64.S ++++ b/arch/x86/crypto/serpent-sse2-x86_64-asm_64.S +@@ -690,13 +690,13 @@ ENTRY(__serpent_enc_blk_8way) + write_blocks(%rsi, RA1, RB1, RC1, RD1, RK0, RK1, RK2); + write_blocks(%rax, RA2, RB2, RC2, RD2, RK0, RK1, RK2); + +- ret; ++ RET; + + .L__enc_xor8: + xor_blocks(%rsi, RA1, RB1, RC1, RD1, RK0, RK1, RK2); + xor_blocks(%rax, RA2, RB2, RC2, RD2, RK0, RK1, RK2); + +- ret; ++ RET; + ENDPROC(__serpent_enc_blk_8way) + + ENTRY(serpent_dec_blk_8way) +@@ -750,5 +750,5 @@ ENTRY(serpent_dec_blk_8way) + write_blocks(%rsi, RC1, RD1, RB1, RE1, RK0, RK1, RK2); + write_blocks(%rax, RC2, RD2, RB2, RE2, RK0, RK1, RK2); + +- ret; ++ RET; + ENDPROC(serpent_dec_blk_8way) --- a/arch/x86/crypto/sha512-avx2-asm.S +++ b/arch/x86/crypto/sha512-avx2-asm.S @@ -681,7 +681,7 @@ done_hash: @@ -837,6 +1064,31 @@ Link: https://lore.kernel.org/r/20211204134907.905503893@infradead.org ENDPROC(twofish_cbc_dec_8way) ENTRY(twofish_ctr_8way) +@@ -419,7 +419,7 @@ ENTRY(twofish_ctr_8way) + popq %r12; + + FRAME_END +- ret; ++ RET; + ENDPROC(twofish_ctr_8way) + + ENTRY(twofish_xts_enc_8way) +@@ -443,7 +443,7 @@ ENTRY(twofish_xts_enc_8way) + store_xts_8way(%r11, RC1, RD1, RA1, RB1, RC2, RD2, RA2, RB2); + + FRAME_END +- ret; ++ RET; + ENDPROC(twofish_xts_enc_8way) + + ENTRY(twofish_xts_dec_8way) +@@ -467,5 +467,5 @@ ENTRY(twofish_xts_dec_8way) + store_xts_8way(%r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2); + + FRAME_END +- ret; ++ RET; + ENDPROC(twofish_xts_dec_8way) --- a/arch/x86/crypto/twofish-i586-asm_32.S +++ b/arch/x86/crypto/twofish-i586-asm_32.S @@ -273,7 +273,7 @@ ENTRY(twofish_enc_blk) @@ -1211,6 +1463,44 @@ Link: https://lore.kernel.org/r/20211204134907.905503893@infradead.org - ret + RET ENDPROC(atomic64_inc_not_zero_cx8) +--- a/arch/x86/lib/checksum_32.S ++++ b/arch/x86/lib/checksum_32.S +@@ -131,7 +131,7 @@ ENTRY(csum_partial) + 8: + popl %ebx + popl %esi +- ret ++ RET + ENDPROC(csum_partial) + + #else +@@ -249,7 +249,7 @@ ENTRY(csum_partial) + 90: + popl %ebx + popl %esi +- ret ++ RET + ENDPROC(csum_partial) + + #endif +@@ -401,7 +401,7 @@ DST( movb %cl, (%edi) ) + popl %esi + popl %edi + popl %ecx # equivalent to addl $4,%esp +- ret ++ RET + ENDPROC(csum_partial_copy_generic) + + #else +@@ -486,7 +486,7 @@ DST( movb %dl, (%edi) ) + popl %esi + popl %edi + popl %ebx +- ret ++ RET + ENDPROC(csum_partial_copy_generic) + + #undef ROUND --- a/arch/x86/lib/cmpxchg8b_emu.S +++ b/arch/x86/lib/cmpxchg8b_emu.S @@ -38,7 +38,7 @@ ENTRY(cmpxchg8b_emu) diff --git a/patches.suse/x86-retbleed-add-fine-grained-kconfig-knobs.patch b/patches.suse/x86-retbleed-add-fine-grained-kconfig-knobs.patch new file mode 100644 index 0000000..d882047 --- /dev/null +++ b/patches.suse/x86-retbleed-add-fine-grained-kconfig-knobs.patch @@ -0,0 +1,37 @@ +From: Peter Zijlstra +Date: Mon, 27 Jun 2022 22:21:17 +0000 +Subject: x86/retbleed: Add fine grained Kconfig knobs +Git-commit: f43b9876e857c739d407bc56df288b0ebe1a9164 +Patch-mainline: v5.19-rc7 +References: bsc#1114648 + +Do fine-grained Kconfig for all the various retbleed parts. + +NOTE: if your compiler doesn't support return thunks this will +silently 'upgrade' your mitigation to IBPB, you might not like this. + +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Borislav Petkov + + [ bp: just the RETPOLINE_CFLAGS changes in order to simplify a later backport. ] +--- +--- + arch/x86/Makefile | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/x86/Makefile ++++ b/arch/x86/Makefile +@@ -230,10 +230,12 @@ KBUILD_AFLAGS += $(mflags-y) + # Avoid indirect branches in kernel to deal with Spectre + ifdef CONFIG_RETPOLINE + RETPOLINE_CFLAGS += $(call cc-option,-mindirect-branch=thunk-extern -mindirect-branch-register) +- RETPOLINE_CFLAGS += $(call cc-option,-mfunction-return=thunk-extern) + KBUILD_CFLAGS += $(RETPOLINE_CFLAGS) -DRETPOLINE + endif + ++RETHUNK_CFLAGS := -mfunction-return=thunk-extern ++RETPOLINE_CFLAGS += $(RETHUNK_CFLAGS) ++ + # for vdso Makefile to exclude + export RETPOLINE_CFLAGS + diff --git a/patches.suse/x86-retpoline-Use-mfunction-return.patch b/patches.suse/x86-retpoline-Use-mfunction-return.patch index 33c5451..c489b22 100644 --- a/patches.suse/x86-retpoline-Use-mfunction-return.patch +++ b/patches.suse/x86-retpoline-Use-mfunction-return.patch @@ -2,8 +2,7 @@ From: Peter Zijlstra Date: Tue, 14 Jun 2022 23:15:36 +0200 Subject: x86/retpoline: Use -mfunction-return Git-commit: 0b53c374b9eff2255a386f1f1cfb9a928e52a5ae -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git -Patch-mainline: Queued in tip for v5.19 +Patch-mainline: v5.19-rc4 References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 Utilize -mfunction-return=thunk-extern when available to have the @@ -50,10 +49,10 @@ Signed-off-by: Borislav Petkov * which is ensured when CONFIG_RETPOLINE is defined. --- a/arch/x86/lib/retpoline.S +++ b/arch/x86/lib/retpoline.S -@@ -49,5 +49,15 @@ GENERATE_THUNK(r14) +@@ -46,3 +46,13 @@ GENERATE_THUNK(r13) + GENERATE_THUNK(r14) GENERATE_THUNK(r15) #endif - +/* + * This function name is magical and is used by -mfunction-return=thunk-extern + * for the compiler to generate JMPs to it. @@ -64,8 +63,6 @@ Signed-off-by: Borislav Petkov +ENDPROC(__x86_return_thunk) + +__EXPORT_THUNK(__x86_return_thunk) - #endif /* CONFIG_RETPOLINE */ - --- a/arch/x86/Makefile +++ b/arch/x86/Makefile @@ -230,9 +230,13 @@ KBUILD_AFLAGS += $(mflags-y) diff --git a/patches.suse/x86-sev-Avoid-using-__x86_return_thunk.patch b/patches.suse/x86-sev-Avoid-using-__x86_return_thunk.patch index eac41e7..0decb93 100644 --- a/patches.suse/x86-sev-Avoid-using-__x86_return_thunk.patch +++ b/patches.suse/x86-sev-Avoid-using-__x86_return_thunk.patch @@ -2,8 +2,7 @@ From: Kim Phillips Date: Tue, 14 Jun 2022 23:15:44 +0200 Subject: x86/sev: Avoid using __x86_return_thunk Git-commit: 0ee9073000e8791f8b134a8ded31bcc767f7f232 -Patch-mainline: Queued in tip for 5.19 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: v5.19-rc4 References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 Specifically, it's because __enc_copy() encrypts the kernel after diff --git a/patches.suse/x86-speculation-Add-a-common-function-for-MD_CLEAR-mitigation-update.patch b/patches.suse/x86-speculation-Add-a-common-function-for-MD_CLEAR-mitigation-update.patch index 2bfaf64..8af88d2 100644 --- a/patches.suse/x86-speculation-Add-a-common-function-for-MD_CLEAR-mitigation-update.patch +++ b/patches.suse/x86-speculation-Add-a-common-function-for-MD_CLEAR-mitigation-update.patch @@ -2,8 +2,7 @@ From: Pawan Gupta Date: Thu, 19 May 2022 20:28:10 -0700 Subject: x86/speculation: Add a common function for MD_CLEAR mitigation update Git-commit: f52ea6c26953fed339aa4eae717ee5c2133c7ff2 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git -Patch-mainline: Queued in tip for v5.19 +Patch-mainline: v5.18-rc7 References: bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180 Processor MMIO Stale Data mitigation uses similar mitigation as MDS and diff --git a/patches.suse/x86-speculation-Add-basic-IBRS-support-infrastructur.patch b/patches.suse/x86-speculation-Add-basic-IBRS-support-infrastructur.patch deleted file mode 100644 index 8263664..0000000 --- a/patches.suse/x86-speculation-Add-basic-IBRS-support-infrastructur.patch +++ /dev/null @@ -1,150 +0,0 @@ -From: David Woodhouse -Date: Sat, 27 Jan 2018 15:09:34 +0000 -Subject: x86/speculation: Add basic IBRS support infrastructure -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/djbw/linux.git -Git-commit: 264b9aa1a901e5032df948d47fb3cb51f0111647 -Patch-mainline: Queued in subsystem maintainer repository -References: bsc#1068032 CVE-2017-5753 - -Not functional yet; just add the handling for it in the Spectre v2 -mitigation selection, and the X86_FEATURE_USE_IBRS flag which will -control the code to be added in later patches. - -Also take the #ifdef CONFIG_RETPOLINE from around the RSB-stuffing; IBRS -mode will want that too. - -For now we are auto-selecting IBRS on Skylake. We will probably end up -changing that but for now let's default to the safest option. - -[karahmed: simplify the switch block and get rid of all the magic] - -Signed-off-by: David Woodhouse -Signed-off-by: KarimAllah Ahmed -Signed-off-by: Jiri Slaby ---- - Documentation/admin-guide/kernel-parameters.txt | 1 + - arch/x86/include/asm/cpufeatures.h | 1 + - arch/x86/include/asm/nospec-branch.h | 2 -- - arch/x86/kernel/cpu/bugs.c | 12 ++++++++++++ - arch/x86/lib/Makefile | 2 +- - arch/x86/lib/retpoline.S | 5 +++++ - 6 files changed, 20 insertions(+), 3 deletions(-) - ---- a/arch/x86/include/asm/cpufeatures.h -+++ b/arch/x86/include/asm/cpufeatures.h -@@ -214,6 +214,7 @@ - #define X86_FEATURE_SEV ( 7*32+20) /* AMD Secure Encrypted Virtualization */ - #define X86_FEATURE_USE_IBPB ( 7*32+21) /* "" Indirect Branch Prediction Barrier enabled */ - #define X86_FEATURE_USE_IBRS_FW ( 7*32+22) /* "" Use IBRS during runtime firmware calls */ -+#define X86_FEATURE_USE_IBRS ( 7*32+23) /* "" Use IBRS for Spectre v2 safety */ - #define X86_FEATURE_SPEC_STORE_BYPASS_DISABLE ( 7*32+24) /* "" Disable Speculative Store Bypass. */ - #define X86_FEATURE_LS_CFG_SSBD ( 7*32+25) /* "" AMD SSBD implementation via LS_CFG MSR */ - #define X86_FEATURE_IBRS ( 7*32+26) /* Indirect Branch Restricted Speculation */ ---- a/arch/x86/include/asm/nospec-branch.h -+++ b/arch/x86/include/asm/nospec-branch.h -@@ -258,7 +258,6 @@ extern char __indirect_thunk_end[]; - */ - static inline void vmexit_fill_RSB(void) - { --#ifdef CONFIG_RETPOLINE - unsigned long loops; - - asm volatile (ANNOTATE_NOSPEC_ALTERNATIVE -@@ -268,7 +267,6 @@ static inline void vmexit_fill_RSB(void) - "910:" - : "=r" (loops), ASM_CALL_CONSTRAINT - : : "memory" ); --#endif - } - - static __always_inline ---- a/arch/x86/kernel/cpu/bugs.c -+++ b/arch/x86/kernel/cpu/bugs.c -@@ -655,6 +655,7 @@ enum spectre_v2_mitigation_cmd { - SPECTRE_V2_CMD_EIBRS, - SPECTRE_V2_CMD_EIBRS_RETPOLINE, - SPECTRE_V2_CMD_EIBRS_LFENCE, -+ SPECTRE_V2_CMD_IBRS, - }; - - enum spectre_v2_user_cmd { -@@ -816,6 +817,7 @@ static const char * const spectre_v2_str - [SPECTRE_V2_EIBRS] = "Mitigation: Enhanced IBRS", - [SPECTRE_V2_EIBRS_LFENCE] = "Mitigation: Enhanced IBRS + LFENCE", - [SPECTRE_V2_EIBRS_RETPOLINE] = "Mitigation: Enhanced IBRS + Retpolines", -+ [SPECTRE_V2_IBRS] = "Mitigation: Indirect Branch Restricted Speculation", - }; - - static const struct { -@@ -832,6 +834,7 @@ static const struct { - { "eibrs", SPECTRE_V2_CMD_EIBRS, false }, - { "eibrs,lfence", SPECTRE_V2_CMD_EIBRS_LFENCE, false }, - { "eibrs,retpoline", SPECTRE_V2_CMD_EIBRS_RETPOLINE, false }, -+ { "ibrs", SPECTRE_V2_CMD_IBRS, false }, - { "auto", SPECTRE_V2_CMD_AUTO, false }, - }; - -@@ -936,6 +939,11 @@ static void __init spectre_v2_select_mit - case SPECTRE_V2_CMD_NONE: - return; - -+ case SPECTRE_V2_CMD_IBRS: -+ mode = SPECTRE_V2_IBRS; -+ setup_force_cpu_cap(X86_FEATURE_USE_IBRS); -+ goto specv2_set_mode; -+ - case SPECTRE_V2_CMD_FORCE: - case SPECTRE_V2_CMD_AUTO: - if (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED)) { -@@ -991,8 +999,12 @@ static void __init spectre_v2_select_mit - case SPECTRE_V2_EIBRS_RETPOLINE: - setup_force_cpu_cap(X86_FEATURE_RETPOLINE); - break; -+ -+ default: -+ break; - } - -+specv2_set_mode: - spectre_v2_enabled = mode; - pr_info("%s\n", spectre_v2_strings[mode]); - ---- a/arch/x86/lib/Makefile -+++ b/arch/x86/lib/Makefile -@@ -37,7 +37,7 @@ lib-y += memcpy_$(BITS).o - lib-$(CONFIG_RWSEM_XCHGADD_ALGORITHM) += rwsem.o - lib-$(CONFIG_INSTRUCTION_DECODER) += insn.o inat.o insn-eval.o - lib-$(CONFIG_RANDOMIZE_BASE) += kaslr.o --lib-$(CONFIG_RETPOLINE) += retpoline.o -+lib-y += retpoline.o - - obj-y += msr.o msr-reg.o msr-reg-export.o hweight.o - ---- a/arch/x86/lib/retpoline.S -+++ b/arch/x86/lib/retpoline.S -@@ -8,6 +8,8 @@ - #include - #include - -+#ifdef CONFIG_RETPOLINE -+ - .macro THUNK reg - .section .text.__x86.indirect_thunk - -@@ -46,3 +48,6 @@ GENERATE_THUNK(r13) - GENERATE_THUNK(r14) - GENERATE_THUNK(r15) - #endif -+ -+#endif /* CONFIG_RETPOLINE */ -+ ---- a/Documentation/admin-guide/kernel-parameters.txt -+++ b/Documentation/admin-guide/kernel-parameters.txt -@@ -4186,6 +4186,7 @@ - eibrs - enhanced IBRS - eibrs,retpoline - enhanced IBRS + Retpolines - eibrs,lfence - enhanced IBRS + LFENCE -+ ibrs - Intel/AMD microcode feature - - Not specifying this option is equivalent to - spectre_v2=auto. diff --git a/patches.suse/x86-speculation-Add-inlines-to-control-Indirect-Bran.patch b/patches.suse/x86-speculation-Add-inlines-to-control-Indirect-Bran.patch deleted file mode 100644 index 96727d0..0000000 --- a/patches.suse/x86-speculation-Add-inlines-to-control-Indirect-Bran.patch +++ /dev/null @@ -1,73 +0,0 @@ -From: Thomas Gleixner -Date: Mon, 15 Jan 2018 14:01:37 +0100 -Subject: x86/speculation: Add inlines to control Indirect Branch Speculation -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/djbw/linux.git -Git-commit: dd9ea1967a0679ae7c44792923c046c950e762f8 -Patch-mainline: Queued in subsystem maintainer repository -References: bsc#1068032 CVE-2017-5753 - -XX: I am utterly unconvinced that having "friendly, self-explanatory" - names for the IBRS-frobbing inlines is useful. There be dragons - here for anyone who isn't intimately familiar with what's going - on, and it's almost better to just call it IBRS, put a reference - to the spec, and have a clear "you must be →this← tall to ride." - -[karahmed: switch to using ALTERNATIVES instead of static_cpu_has] -[dwmw2: wrmsr args inside the ALTERNATIVE again, bikeshed naming] - -Signed-off-by: Thomas Gleixner -Signed-off-by: KarimAllah Ahmed -Signed-off-by: David Woodhouse -Signed-off-by: Jiri Slaby ---- - arch/x86/include/asm/nospec-branch.h | 36 +++++++++++++++++++++++++++++++++++ - 1 file changed, 36 insertions(+) - ---- a/arch/x86/include/asm/nospec-branch.h -+++ b/arch/x86/include/asm/nospec-branch.h -@@ -265,6 +265,42 @@ static inline void indirect_branch_predi - alternative_msr_write(MSR_IA32_PRED_CMD, val, X86_FEATURE_USE_IBPB); - } - -+/* -+ * This also performs a barrier, and setting it again when it was already -+ * set is NOT a no-op. -+ */ -+static inline void restrict_branch_speculation(void) -+{ -+ unsigned long ax, cx, dx; -+ -+ asm volatile(ALTERNATIVE("", -+ "movl %[msr], %%ecx\n\t" -+ "movl %[val], %%eax\n\t" -+ "movl $0, %%edx\n\t" -+ "wrmsr", -+ X86_FEATURE_USE_IBRS) -+ : "=a" (ax), "=c" (cx), "=d" (dx) -+ : [msr] "i" (MSR_IA32_SPEC_CTRL), -+ [val] "i" (SPEC_CTRL_IBRS) -+ : "memory"); -+} -+ -+static inline void unrestrict_branch_speculation(void) -+{ -+ unsigned long ax, cx, dx; -+ -+ asm volatile(ALTERNATIVE("", -+ "movl %[msr], %%ecx\n\t" -+ "movl %[val], %%eax\n\t" -+ "movl $0, %%edx\n\t" -+ "wrmsr", -+ X86_FEATURE_USE_IBRS) -+ : "=a" (ax), "=c" (cx), "=d" (dx) -+ : [msr] "i" (MSR_IA32_SPEC_CTRL), -+ [val] "i" (0) -+ : "memory"); -+} -+ - /* The Intel SPEC CTRL MSR base value cache */ - extern u64 x86_spec_ctrl_base; - diff --git a/patches.suse/x86-speculation-Add-spectre_v2-ibrs-option-to-support-Kern.patch b/patches.suse/x86-speculation-Add-spectre_v2-ibrs-option-to-support-Kern.patch index 60152fa..601216d 100644 --- a/patches.suse/x86-speculation-Add-spectre_v2-ibrs-option-to-support-Kern.patch +++ b/patches.suse/x86-speculation-Add-spectre_v2-ibrs-option-to-support-Kern.patch @@ -2,8 +2,7 @@ From: Pawan Gupta Date: Tue, 14 Jun 2022 23:15:55 +0200 Subject: x86/speculation: Add spectre_v2=ibrs option to support Kernel IBRS Git-commit: 7c693f54c873691a4b7da05c7e0f74e67745d144 -Patch-mainline: Queued in tip for 5.19 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: v5.19-rc7 References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 Extend spectre_v2= boot option with Kernel IBRS. @@ -16,12 +15,36 @@ Signed-off-by: Borislav Petkov Reviewed-by: Josh Poimboeuf Signed-off-by: Borislav Petkov --- - arch/x86/kernel/cpu/bugs.c | 59 ++++++++++++++++++++++++++++++++++----------- - 1 file changed, 45 insertions(+), 14 deletions(-) + Documentation/admin-guide/kernel-parameters.txt | 1 + arch/x86/include/asm/nospec-branch.h | 2 + arch/x86/kernel/cpu/bugs.c | 66 ++++++++++++++++++------ + 3 files changed, 54 insertions(+), 15 deletions(-) +--- a/arch/x86/include/asm/nospec-branch.h ++++ b/arch/x86/include/asm/nospec-branch.h +@@ -244,10 +244,10 @@ enum spectre_v2_mitigation { + SPECTRE_V2_NONE, + SPECTRE_V2_RETPOLINE, + SPECTRE_V2_LFENCE, +- SPECTRE_V2_IBRS, + SPECTRE_V2_EIBRS, + SPECTRE_V2_EIBRS_RETPOLINE, + SPECTRE_V2_EIBRS_LFENCE, ++ SPECTRE_V2_IBRS, + }; + + /* The indirect branch speculation control variants */ --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c -@@ -1117,11 +1117,12 @@ spectre_v2_parse_user_cmdline(enum spect +@@ -1045,6 +1045,7 @@ enum spectre_v2_mitigation_cmd { + SPECTRE_V2_CMD_EIBRS, + SPECTRE_V2_CMD_EIBRS_RETPOLINE, + SPECTRE_V2_CMD_EIBRS_LFENCE, ++ SPECTRE_V2_CMD_IBRS, + }; + + enum spectre_v2_user_cmd { +@@ -1116,11 +1117,12 @@ spectre_v2_parse_user_cmdline(enum spect return SPECTRE_V2_USER_CMD_AUTO; } @@ -38,7 +61,7 @@ Signed-off-by: Borislav Petkov } static void __init -@@ -1186,12 +1187,12 @@ spectre_v2_user_select_mitigation(enum s +@@ -1185,12 +1187,12 @@ spectre_v2_user_select_mitigation(enum s } /* @@ -54,7 +77,23 @@ Signed-off-by: Borislav Petkov return; spectre_v2_user_stibp = mode; -@@ -1288,6 +1289,24 @@ static enum spectre_v2_mitigation_cmd __ +@@ -1206,6 +1208,7 @@ static const char * const spectre_v2_str + [SPECTRE_V2_EIBRS] = "Mitigation: Enhanced IBRS", + [SPECTRE_V2_EIBRS_LFENCE] = "Mitigation: Enhanced IBRS + LFENCE", + [SPECTRE_V2_EIBRS_RETPOLINE] = "Mitigation: Enhanced IBRS + Retpolines", ++ [SPECTRE_V2_IBRS] = "Mitigation: IBRS", + }; + + static const struct { +@@ -1223,6 +1226,7 @@ static const struct { + { "eibrs,lfence", SPECTRE_V2_CMD_EIBRS_LFENCE, false }, + { "eibrs,retpoline", SPECTRE_V2_CMD_EIBRS_RETPOLINE, false }, + { "auto", SPECTRE_V2_CMD_AUTO, false }, ++ { "ibrs", SPECTRE_V2_CMD_IBRS, false }, + }; + + static void __init spec_v2_print_cond(const char *reason, bool secure) +@@ -1285,6 +1289,24 @@ static enum spectre_v2_mitigation_cmd __ return SPECTRE_V2_CMD_AUTO; } @@ -79,7 +118,7 @@ Signed-off-by: Borislav Petkov spec_v2_print_cond(mitigation_options[i].option, mitigation_options[i].secure); return cmd; -@@ -1335,6 +1354,14 @@ static void __init spectre_v2_select_mit +@@ -1324,6 +1346,14 @@ static void __init spectre_v2_select_mit break; } @@ -94,7 +133,18 @@ Signed-off-by: Borislav Petkov mode = spectre_v2_select_retpoline(); break; -@@ -1367,7 +1394,7 @@ static void __init spectre_v2_select_mit +@@ -1340,6 +1370,10 @@ static void __init spectre_v2_select_mit + mode = spectre_v2_select_retpoline(); + break; + ++ case SPECTRE_V2_CMD_IBRS: ++ mode = SPECTRE_V2_IBRS; ++ break; ++ + case SPECTRE_V2_CMD_EIBRS: + mode = SPECTRE_V2_EIBRS; + break; +@@ -1356,7 +1390,7 @@ static void __init spectre_v2_select_mit if (mode == SPECTRE_V2_EIBRS && unprivileged_ebpf_enabled()) pr_err(SPECTRE_V2_EIBRS_EBPF_MSG); @@ -103,18 +153,18 @@ Signed-off-by: Borislav Petkov /* Force it so VMEXIT will restore correctly */ x86_spec_ctrl_base |= SPEC_CTRL_IBRS; write_spec_ctrl_current(x86_spec_ctrl_base, true); -@@ -1378,6 +1405,10 @@ static void __init spectre_v2_select_mit +@@ -1367,6 +1401,10 @@ static void __init spectre_v2_select_mit case SPECTRE_V2_EIBRS: break; + case SPECTRE_V2_IBRS: -+ setup_force_cpu_cap(X86_FEATURE_USE_IBRS); ++ setup_force_cpu_cap(X86_FEATURE_KERNEL_IBRS); + break; + case SPECTRE_V2_LFENCE: case SPECTRE_V2_EIBRS_LFENCE: setup_force_cpu_cap(X86_FEATURE_RETPOLINE_LFENCE); -@@ -1408,17 +1439,17 @@ specv2_set_mode: +@@ -1393,17 +1431,17 @@ static void __init spectre_v2_select_mit pr_info("Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch\n"); /* @@ -137,7 +187,7 @@ Signed-off-by: Borislav Petkov setup_force_cpu_cap(X86_FEATURE_USE_IBRS_FW); pr_info("Enabling Restricted Speculation for firmware calls\n"); } -@@ -1972,7 +2003,7 @@ static ssize_t mmio_stale_data_show_stat +@@ -1957,7 +1995,7 @@ static ssize_t mmio_stale_data_show_stat static char *stibp_state(void) { @@ -146,3 +196,13 @@ Signed-off-by: Borislav Petkov return ""; switch (spectre_v2_user_stibp) { +--- a/Documentation/admin-guide/kernel-parameters.txt ++++ b/Documentation/admin-guide/kernel-parameters.txt +@@ -4242,6 +4242,7 @@ + eibrs - enhanced IBRS + eibrs,retpoline - enhanced IBRS + Retpolines + eibrs,lfence - enhanced IBRS + LFENCE ++ ibrs - use IBRS to protect kernel + + Not specifying this option is equivalent to + spectre_v2=auto. diff --git a/patches.suse/x86-speculation-Fix-SPEC_CTRL-write-on-SMT-state-change.patch b/patches.suse/x86-speculation-Fix-SPEC_CTRL-write-on-SMT-state-change.patch index 5ea97f5..74ee9c1 100644 --- a/patches.suse/x86-speculation-Fix-SPEC_CTRL-write-on-SMT-state-change.patch +++ b/patches.suse/x86-speculation-Fix-SPEC_CTRL-write-on-SMT-state-change.patch @@ -2,8 +2,7 @@ From: Josh Poimboeuf Date: Tue, 14 Jun 2022 23:16:07 +0200 Subject: x86/speculation: Fix SPEC_CTRL write on SMT state change Git-commit: 56aa4d221f1ee2c3a49b45b800778ec6e0ab73c5 -Patch-mainline: Queued in tip for 5.19 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: v5.19-rc4 References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 If the SMT state changes, SSBD might get accidentally disabled. Fix diff --git a/patches.suse/x86-speculation-Fix-firmware-entry-SPEC_CTRL-handling.patch b/patches.suse/x86-speculation-Fix-firmware-entry-SPEC_CTRL-handling.patch index c1b5e65..7581d2d 100644 --- a/patches.suse/x86-speculation-Fix-firmware-entry-SPEC_CTRL-handling.patch +++ b/patches.suse/x86-speculation-Fix-firmware-entry-SPEC_CTRL-handling.patch @@ -2,8 +2,7 @@ From: Josh Poimboeuf Date: Tue, 14 Jun 2022 23:16:06 +0200 Subject: x86/speculation: Fix firmware entry SPEC_CTRL handling Git-commit: e6aa13622ea8283cc699cac5d018cc40a2ba2010 -Patch-mainline: Queued in tip for 5.19 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: v5.19-rc4 References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 The firmware entry code may accidentally clear STIBP or SSBD. Fix that. diff --git a/patches.suse/x86-speculation-Remove-x86_spec_ctrl_mask.patch b/patches.suse/x86-speculation-Remove-x86_spec_ctrl_mask.patch index e3aad1e..b4d5c58 100644 --- a/patches.suse/x86-speculation-Remove-x86_spec_ctrl_mask.patch +++ b/patches.suse/x86-speculation-Remove-x86_spec_ctrl_mask.patch @@ -2,8 +2,7 @@ From: Josh Poimboeuf Date: Fri, 17 Jun 2022 12:12:48 -0700 Subject: x86/speculation: Remove x86_spec_ctrl_mask Git-commit: acac5e98ef8d638a411cfa2ee676c87e1973f126 -Patch-mainline: Queued in tip for 5.19 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: v5.19-rc4 References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 This mask has been made redundant by kvm_spec_ctrl_test_value(). And it diff --git a/patches.suse/x86-speculation-Use-cached-host-SPEC_CTRL-value-for-guest-.patch b/patches.suse/x86-speculation-Use-cached-host-SPEC_CTRL-value-for-guest-.patch index 986cc12..0ed8f9e 100644 --- a/patches.suse/x86-speculation-Use-cached-host-SPEC_CTRL-value-for-guest-.patch +++ b/patches.suse/x86-speculation-Use-cached-host-SPEC_CTRL-value-for-guest-.patch @@ -2,8 +2,7 @@ From: Josh Poimboeuf Date: Tue, 14 Jun 2022 23:16:08 +0200 Subject: x86/speculation: Use cached host SPEC_CTRL value for guest entry/exit Git-commit: bbb69e8bee1bd882784947095ffb2bfe0f7c9470 -Patch-mainline: Queued in tip for 5.19 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: v5.19-rc4 References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 There's no need to recalculate the host value for every entry/exit. diff --git a/patches.suse/x86-speculation-add-special-register-buffer-data-sampling-srbds-mitigation.patch b/patches.suse/x86-speculation-add-special-register-buffer-data-sampling-srbds-mitigation.patch index 3e49efe..a79770e 100644 --- a/patches.suse/x86-speculation-add-special-register-buffer-data-sampling-srbds-mitigation.patch +++ b/patches.suse/x86-speculation-add-special-register-buffer-data-sampling-srbds-mitigation.patch @@ -1,9 +1,8 @@ From: Mark Gross Date: Thu, 16 Apr 2020 17:54:04 +0200 -Subject: x86/speculation: Add Special Register Buffer Data Sampling (SRBDS) - mitigation +Subject: x86/speculation: Add Special Register Buffer Data Sampling (SRBDS) mitigation Git-commit: 7e5b3c267d256822407a22fdce6afdf9cd13f9fb -Patch-mainline: v5.7 or v5.7-rc6 (next release) +Patch-mainline: v5.7-rc2 References: bsc#1154824 CVE-2020-0543 SRBDS is an MDS-like speculative side channel that can leak bits from the @@ -56,7 +55,7 @@ Tested-by: Neelima Krishnan --- a/arch/x86/include/asm/cpufeatures.h +++ b/arch/x86/include/asm/cpufeatures.h -@@ -354,6 +354,7 @@ +@@ -353,6 +353,7 @@ /* Intel-defined CPU features, CPUID level 0x00000007:0 (EDX), word 18 */ #define X86_FEATURE_AVX512_4VNNIW (18*32+ 2) /* AVX-512 Neural Network Instructions */ #define X86_FEATURE_AVX512_4FMAPS (18*32+ 3) /* AVX-512 Multiply Accumulation Single precision */ @@ -64,7 +63,7 @@ Tested-by: Neelima Krishnan #define X86_FEATURE_MD_CLEAR (18*32+10) /* VERW clears CPU buffers */ #define X86_FEATURE_TSX_FORCE_ABORT (18*32+13) /* "" TSX_FORCE_ABORT */ #define X86_FEATURE_PCONFIG (18*32+18) /* Intel PCONFIG */ -@@ -398,5 +399,6 @@ +@@ -397,5 +398,6 @@ #define X86_BUG_SWAPGS X86_BUG(21) /* CPU is affected by speculation through SWAPGS */ #define X86_BUG_TAA X86_BUG(22) /* CPU is affected by TSX Async Abort(TAA) */ #define X86_BUG_ITLB_MULTIHIT X86_BUG(23) /* CPU may incur MCE during certain page attribute changes */ @@ -73,9 +72,9 @@ Tested-by: Neelima Krishnan #endif /* _ASM_X86_CPUFEATURES_H */ --- a/arch/x86/include/asm/msr-index.h +++ b/arch/x86/include/asm/msr-index.h -@@ -120,6 +120,10 @@ - - #define MSR_IA32_MCU_OPT_CTRL 0x00000123 +@@ -118,6 +118,10 @@ + #define TSX_CTRL_RTM_DISABLE BIT(0) /* Disable RTM feature */ + #define TSX_CTRL_CPUID_CLEAR BIT(1) /* Disable TSX enumeration */ +/* SRBDS support */ +#define MSR_IA32_MCU_OPT_CTRL 0x00000123 @@ -86,7 +85,7 @@ Tested-by: Neelima Krishnan #define MSR_IA32_SYSENTER_EIP 0x00000176 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c -@@ -41,6 +41,7 @@ static void __init l1tf_select_mitigatio +@@ -40,6 +40,7 @@ static void __init l1tf_select_mitigatio static void __init mds_select_mitigation(void); static void __init mds_print_mitigation(void); static void __init taa_select_mitigation(void); @@ -94,7 +93,7 @@ Tested-by: Neelima Krishnan /* The base value of the SPEC_CTRL MSR that always has to be preserved. */ u64 x86_spec_ctrl_base; -@@ -108,6 +109,7 @@ void __init check_bugs(void) +@@ -107,6 +108,7 @@ void __init check_bugs(void) l1tf_select_mitigation(); mds_select_mitigation(); taa_select_mitigation(); @@ -102,7 +101,7 @@ Tested-by: Neelima Krishnan /* * As MDS and TAA mitigations are inter-related, print MDS -@@ -515,6 +517,97 @@ static int __init tsx_async_abort_parse_ +@@ -514,6 +516,97 @@ static int __init tsx_async_abort_parse_ early_param("tsx_async_abort", tsx_async_abort_parse_cmdline); #undef pr_fmt @@ -200,8 +199,8 @@ Tested-by: Neelima Krishnan #define pr_fmt(fmt) "Spectre V1 : " fmt enum spectre_v1_mitigation { -@@ -1621,6 +1714,11 @@ static ssize_t spectre_v2_show_state(cha - spectre_v2_module_string()); +@@ -1491,6 +1584,11 @@ static char *ibpb_state(void) + return ""; } +static ssize_t srbds_show_state(char *buf) @@ -212,7 +211,7 @@ Tested-by: Neelima Krishnan static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr, char *buf, unsigned int bug) { -@@ -1662,6 +1760,9 @@ static ssize_t cpu_show_common(struct de +@@ -1537,6 +1635,9 @@ static ssize_t cpu_show_common(struct de case X86_BUG_ITLB_MULTIHIT: return itlb_multihit_show_state(buf); @@ -222,7 +221,7 @@ Tested-by: Neelima Krishnan default: break; } -@@ -1708,4 +1809,9 @@ ssize_t cpu_show_itlb_multihit(struct de +@@ -1583,4 +1684,9 @@ ssize_t cpu_show_itlb_multihit(struct de { return cpu_show_common(dev, attr, buf, X86_BUG_ITLB_MULTIHIT); } @@ -308,7 +307,7 @@ Tested-by: Neelima Krishnan Date: January 2018 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt -@@ -4280,6 +4280,26 @@ +@@ -4247,6 +4247,26 @@ spia_pedr= spia_peddr= diff --git a/patches.suse/x86-speculation-add-srbds-vulnerability-and-mitigation-documentation.patch b/patches.suse/x86-speculation-add-srbds-vulnerability-and-mitigation-documentation.patch index 255e3c0..c61c771 100644 --- a/patches.suse/x86-speculation-add-srbds-vulnerability-and-mitigation-documentation.patch +++ b/patches.suse/x86-speculation-add-srbds-vulnerability-and-mitigation-documentation.patch @@ -2,7 +2,7 @@ From: Mark Gross Date: Thu, 16 Apr 2020 18:21:51 +0200 Subject: x86/speculation: Add SRBDS vulnerability and mitigation documentation Git-commit: 7222a1b5b87417f22265c92deea76a6aecd0fb0f -Patch-mainline: v5.7 or v5.7-rc3 (next release) +Patch-mainline: v5.7-rc2 References: bsc#1154824 CVE-2020-0543 Add documentation for the SRBDS vulnerability and its mitigation. diff --git a/patches.suse/x86-speculation-include-unprivileged-ebpf-status-in-spectre-v2-mitigation-reporting.patch b/patches.suse/x86-speculation-include-unprivileged-ebpf-status-in-spectre-v2-mitigation-reporting.patch index 7c16022..dab34f7 100644 --- a/patches.suse/x86-speculation-include-unprivileged-ebpf-status-in-spectre-v2-mitigation-reporting.patch +++ b/patches.suse/x86-speculation-include-unprivileged-ebpf-status-in-spectre-v2-mitigation-reporting.patch @@ -31,7 +31,7 @@ Reviewed-by: Thomas Gleixner #include #include -@@ -637,6 +638,16 @@ static inline const char *spectre_v2_mod +@@ -730,6 +731,16 @@ static inline const char *spectre_v2_mod static inline const char *spectre_v2_module_string(void) { return ""; } #endif @@ -48,7 +48,7 @@ Reviewed-by: Thomas Gleixner static inline bool match_option(const char *arg, int arglen, const char *opt) { int len = strlen(opt); -@@ -971,6 +982,9 @@ static void __init spectre_v2_select_mit +@@ -1064,6 +1075,9 @@ static void __init spectre_v2_select_mit break; } @@ -58,8 +58,8 @@ Reviewed-by: Thomas Gleixner if (spectre_v2_in_eibrs_mode(mode)) { /* Force it so VMEXIT will restore correctly */ x86_spec_ctrl_base |= SPEC_CTRL_IBRS; -@@ -1578,6 +1592,20 @@ static char *ibpb_state(void) - return ""; +@@ -1676,6 +1690,20 @@ static ssize_t srbds_show_state(char *bu + return sprintf(buf, "%s\n", srbds_strings[srbds_mitigation]); } +static ssize_t spectre_v2_show_state(char *buf) @@ -79,7 +79,7 @@ Reviewed-by: Thomas Gleixner static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr, char *buf, unsigned int bug) { -@@ -1599,12 +1627,7 @@ static ssize_t cpu_show_common(struct de +@@ -1697,12 +1725,7 @@ static ssize_t cpu_show_common(struct de return sprintf(buf, "%s\n", spectre_v1_strings[spectre_v1_mitigation]); case X86_BUG_SPECTRE_V2: diff --git a/patches.suse/x86-speculation-mmio-Add-mitigation-for-Processor-MMIO-Stale-Data.patch b/patches.suse/x86-speculation-mmio-Add-mitigation-for-Processor-MMIO-Stale-Data.patch index df99936..e1bdd41 100644 --- a/patches.suse/x86-speculation-mmio-Add-mitigation-for-Processor-MMIO-Stale-Data.patch +++ b/patches.suse/x86-speculation-mmio-Add-mitigation-for-Processor-MMIO-Stale-Data.patch @@ -2,8 +2,7 @@ From: Pawan Gupta Date: Thu, 19 May 2022 20:29:11 -0700 Subject: x86/speculation/mmio: Add mitigation for Processor MMIO Stale Data Git-commit: 8cb861e9e3c9a55099ad3d08e1a3b653d29c33ca -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git -Patch-mainline: Queued in tip for v5.19 +Patch-mainline: v5.18-rc7 References: bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180 Processor MMIO Stale Data is a class of vulnerabilities that may diff --git a/patches.suse/x86-speculation-mmio-Add-sysfs-reporting-for-Processor-MMIO-Stale-Data.patch b/patches.suse/x86-speculation-mmio-Add-sysfs-reporting-for-Processor-MMIO-Stale-Data.patch index d6b3843..8521cc9 100644 --- a/patches.suse/x86-speculation-mmio-Add-sysfs-reporting-for-Processor-MMIO-Stale-Data.patch +++ b/patches.suse/x86-speculation-mmio-Add-sysfs-reporting-for-Processor-MMIO-Stale-Data.patch @@ -2,8 +2,7 @@ From: Pawan Gupta Date: Thu, 19 May 2022 20:32:13 -0700 Subject: x86/speculation/mmio: Add sysfs reporting for Processor MMIO Stale Data Git-commit: 8d50cdf8b8341770bc6367bce40c0c1bb0e1d5b3 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git -Patch-mainline: Queued in tip for v5.19 +Patch-mainline: v5.18-rc7 References: bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180 Add the sysfs reporting file for Processor MMIO Stale Data diff --git a/patches.suse/x86-speculation-mmio-Enable-CPU-Fill-buffer-clearing-on-idle.patch b/patches.suse/x86-speculation-mmio-Enable-CPU-Fill-buffer-clearing-on-idle.patch index 9eb320c..8a21c7a 100644 --- a/patches.suse/x86-speculation-mmio-Enable-CPU-Fill-buffer-clearing-on-idle.patch +++ b/patches.suse/x86-speculation-mmio-Enable-CPU-Fill-buffer-clearing-on-idle.patch @@ -2,8 +2,7 @@ From: Pawan Gupta Date: Thu, 19 May 2022 20:31:12 -0700 Subject: x86/speculation/mmio: Enable CPU Fill buffer clearing on idle Git-commit: 99a83db5a605137424e1efe29dc0573d6a5b6316 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git -Patch-mainline: Queued in tip for v5.19 +Patch-mainline: v5.18-rc7 References: bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180 When the CPU is affected by Processor MMIO Stale Data vulnerabilities, diff --git a/patches.suse/x86-speculation-mmio-Enumerate-Processor-MMIO-Stale-Data-bug.patch b/patches.suse/x86-speculation-mmio-Enumerate-Processor-MMIO-Stale-Data-bug.patch index 4d252fd..e0f24d4 100644 --- a/patches.suse/x86-speculation-mmio-Enumerate-Processor-MMIO-Stale-Data-bug.patch +++ b/patches.suse/x86-speculation-mmio-Enumerate-Processor-MMIO-Stale-Data-bug.patch @@ -2,8 +2,7 @@ From: Pawan Gupta Date: Thu, 19 May 2022 20:27:08 -0700 Subject: x86/speculation/mmio: Enumerate Processor MMIO Stale Data bug Git-commit: 51802186158c74a0304f51ab963e7c2b3a2b046f -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git -Patch-mainline: Queued in tip for v5.19 +Patch-mainline: v5.18-rc7 References: bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180 Processor MMIO Stale Data is a class of vulnerabilities that may diff --git a/patches.suse/x86-speculation-mmio-Reuse-SRBDS-mitigation-for-SBDS.patch b/patches.suse/x86-speculation-mmio-Reuse-SRBDS-mitigation-for-SBDS.patch index 884c0f5..5aadce5 100644 --- a/patches.suse/x86-speculation-mmio-Reuse-SRBDS-mitigation-for-SBDS.patch +++ b/patches.suse/x86-speculation-mmio-Reuse-SRBDS-mitigation-for-SBDS.patch @@ -2,8 +2,7 @@ From: Pawan Gupta Date: Thu, 19 May 2022 20:34:14 -0700 Subject: x86/speculation/mmio: Reuse SRBDS mitigation for SBDS Git-commit: a992b8a4682f119ae035a01b40d4d0665c4a2875 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git -Patch-mainline: Queued in tip for v5.19 +Patch-mainline: v5.18-rc7 References: bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180 The Shared Buffers Data Sampling (SBDS) variant of Processor MMIO Stale diff --git a/patches.suse/x86-speculation-restore-speculation-related-msrs-during-s3-resume.patch b/patches.suse/x86-speculation-restore-speculation-related-msrs-during-s3-resume.patch index 6400847..1fd0df4 100644 --- a/patches.suse/x86-speculation-restore-speculation-related-msrs-during-s3-resume.patch +++ b/patches.suse/x86-speculation-restore-speculation-related-msrs-during-s3-resume.patch @@ -31,24 +31,12 @@ Signed-off-by: Linus Torvalds simple: simply remove the definition of that MSR here. Thx. ] --- - arch/x86/include/asm/msr-index.h | 2 ++ - arch/x86/power/cpu.c | 14 ++++++++++++++ - 2 files changed, 16 insertions(+) + arch/x86/power/cpu.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) ---- a/arch/x86/include/asm/msr-index.h -+++ b/arch/x86/include/asm/msr-index.h -@@ -109,6 +109,8 @@ - #define TSX_CTRL_RTM_DISABLE BIT(0) /* Disable RTM feature */ - #define TSX_CTRL_CPUID_CLEAR BIT(1) /* Disable TSX enumeration */ - -+#define MSR_IA32_MCU_OPT_CTRL 0x00000123 -+ - #define MSR_IA32_SYSENTER_CS 0x00000174 - #define MSR_IA32_SYSENTER_ESP 0x00000175 - #define MSR_IA32_SYSENTER_EIP 0x00000176 --- a/arch/x86/power/cpu.c +++ b/arch/x86/power/cpu.c -@@ -503,10 +503,24 @@ static int pm_cpu_check(const struct x86 +@@ -491,10 +491,24 @@ static int pm_cpu_check(const struct x86 return ret; } diff --git a/patches.suse/x86-speculation-srbds-Update-SRBDS-mitigation-selection.patch b/patches.suse/x86-speculation-srbds-Update-SRBDS-mitigation-selection.patch index a9b94b3..fa44018 100644 --- a/patches.suse/x86-speculation-srbds-Update-SRBDS-mitigation-selection.patch +++ b/patches.suse/x86-speculation-srbds-Update-SRBDS-mitigation-selection.patch @@ -2,8 +2,7 @@ From: Pawan Gupta Date: Thu, 19 May 2022 20:33:13 -0700 Subject: x86/speculation/srbds: Update SRBDS mitigation selection Git-commit: 22cac9c677c95f3ac5c9244f8ca0afdc7c8afb19 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git -Patch-mainline: Queued in tip for v5.19 +Patch-mainline: v5.18-rc7 References: bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180 Currently, Linux disables SRBDS mitigation on CPUs not affected by diff --git a/patches.suse/x86-vsyscall_emu-64-Don-t-use-RET-in-vsyscall-emulation.patch b/patches.suse/x86-vsyscall_emu-64-Don-t-use-RET-in-vsyscall-emulation.patch index 11ef0b5..dd8d253 100644 --- a/patches.suse/x86-vsyscall_emu-64-Don-t-use-RET-in-vsyscall-emulation.patch +++ b/patches.suse/x86-vsyscall_emu-64-Don-t-use-RET-in-vsyscall-emulation.patch @@ -2,8 +2,7 @@ From: Peter Zijlstra Date: Tue, 14 Jun 2022 23:15:43 +0200 Subject: x86/vsyscall_emu/64: Don't use RET in vsyscall emulation Git-commit: 15583e514eb16744b80be85dea0774ece153177d -Patch-mainline: Queued in tip for 5.19 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: v5.19-rc4 References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 This is userspace code and doesn't play by the normal kernel rules. diff --git a/patches.suse/xfs-fix-null-pointer-dereference-in-xfs_getbmap.patch b/patches.suse/xfs-fix-null-pointer-dereference-in-xfs_getbmap.patch new file mode 100644 index 0000000..3a02854 --- /dev/null +++ b/patches.suse/xfs-fix-null-pointer-dereference-in-xfs_getbmap.patch @@ -0,0 +1,94 @@ +From: ChenXiaoSong +Date: Wed, 27 Jul 2022 17:21:52 -0700 +Subject: xfs: fix NULL pointer dereference in xfs_getbmap() +Git-commit: 001c179c4e26d04db8c9f5e3fef9558b58356be6 +Patch-mainline: v5.20-rc1 +References: git-fixes + +Reproducer: + 1. fallocate -l 100M image + 2. mkfs.xfs -f image + 3. mount image /mnt + 4. setxattr("/mnt", "trusted.overlay.upper", NULL, 0, XATTR_CREATE) + 5. char arg[32] = "\x01\xff\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x08\x00\x00\x00\xc6\x2a\xf7"; + fd = open("/mnt", O_RDONLY|O_DIRECTORY); + ioctl(fd, _IOC(_IOC_READ|_IOC_WRITE, 0x58, 0x2c, 0x20), arg); + +NULL pointer dereference will occur when race happens between xfs_getbmap() +and xfs_bmap_set_attrforkoff(): + + ioctl | setxattr + ----------------------------|--------------------------- + xfs_getbmap | + xfs_ifork_ptr | + xfs_inode_has_attr_fork | + ip->i_forkoff == 0 | + return NULL | + ifp == NULL | + | xfs_bmap_set_attrforkoff + | ip->i_forkoff > 0 + xfs_inode_has_attr_fork | + ip->i_forkoff > 0 | + ifp == NULL | + ifp->if_format | + +Fix this by locking i_lock before xfs_ifork_ptr(). + +Fixes: abbf9e8a4507 ("xfs: rewrite getbmap using the xfs_iext_* helpers") +Signed-off-by: ChenXiaoSong +Signed-off-by: Guo Xuenan +Reviewed-by: Darrick J. Wong +[djwong: added fixes tag] +Signed-off-by: Darrick J. Wong +Acked-by: Nikolay Borisov +--- + fs/xfs/xfs_bmap_util.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/fs/xfs/xfs_bmap_util.c ++++ b/fs/xfs/xfs_bmap_util.c +@@ -533,29 +533,27 @@ xfs_getbmap( + whichfork = XFS_COW_FORK; + else + whichfork = XFS_DATA_FORK; +- ifp = XFS_IFORK_PTR(ip, whichfork); + + xfs_ilock(ip, XFS_IOLOCK_SHARED); + switch (whichfork) { + case XFS_ATTR_FORK: ++ lock = xfs_ilock_attr_map_shared(ip); + if (!XFS_IFORK_Q(ip)) +- goto out_unlock_iolock; ++ goto out_unlock_ilock; + + max_len = 1LL << 32; +- lock = xfs_ilock_attr_map_shared(ip); + break; + case XFS_COW_FORK: ++ lock = XFS_ILOCK_SHARED; ++ xfs_ilock(ip, lock); + /* No CoW fork? Just return */ +- if (!ifp) ++ if (!XFS_IFORK_PTR(ip, whichfork)) + goto out_unlock_iolock; + + if (xfs_get_cowextsz_hint(ip)) + max_len = mp->m_super->s_maxbytes; + else + max_len = XFS_ISIZE(ip); +- +- lock = XFS_ILOCK_SHARED; +- xfs_ilock(ip, lock); + break; + case XFS_DATA_FORK: + if (!(iflags & BMV_IF_DELALLOC) && +@@ -585,6 +583,8 @@ xfs_getbmap( + break; + } + ++ ifp = XFS_IFORK_PTR(ip, whichfork); ++ + switch (XFS_IFORK_FORMAT(ip, whichfork)) { + case XFS_DINODE_FMT_EXTENTS: + case XFS_DINODE_FMT_BTREE: diff --git a/rpm/check-for-config-changes b/rpm/check-for-config-changes index 0418cab..fb31586 100755 --- a/rpm/check-for-config-changes +++ b/rpm/check-for-config-changes @@ -14,6 +14,7 @@ declare -a IGNORED_CONFIGS_RE=( 'FTRACE_MCOUNT_USE_CC' 'FTRACE_MCOUNT_USE_RECORDMCOUNT' 'GCC_VERSION' + 'G*CC[0-9]*_NO_[A-Z_]*' 'HAVE_[A-Z]*_COMPILER' 'LD_VERSION' 'PAHOLE_VERSION' diff --git a/rpm/constraints.in b/rpm/constraints.in index b3c7789..31c83f9 100644 --- a/rpm/constraints.in +++ b/rpm/constraints.in @@ -38,6 +38,7 @@ 8 + SLOW_DISK @@ -88,7 +89,7 @@ @BINARY_PACKAGES_XML@ - 8 + 8 @@ -101,7 +102,7 @@ @BINARY_PACKAGES_XML@ - 4 + 4 @@ -114,7 +115,7 @@ @BINARY_PACKAGES_XML@ - 2 + 2 diff --git a/rpm/dtb.spec.in.in b/rpm/dtb.spec.in.in index 100a985..01b9e77 100644 --- a/rpm/dtb.spec.in.in +++ b/rpm/dtb.spec.in.in @@ -65,9 +65,9 @@ cd linux-%srcversion %build source=linux-%srcversion cp $source/COPYING . -SRCDIR=`pwd`/$source +SRCDIR=$PWD/$source mkdir pp -PPDIR=`pwd`/pp +PPDIR=$PWD/pp export DTC_FLAGS="-R 4 -p 0x1000" %if 0%{?dtc_symbols} DTC_FLAGS="$DTC_FLAGS -@" diff --git a/rpm/kernel-binary.spec.in b/rpm/kernel-binary.spec.in index 6f68fdb..d2e5857 100644 --- a/rpm/kernel-binary.spec.in +++ b/rpm/kernel-binary.spec.in @@ -137,6 +137,10 @@ BuildRequires: modutils # Used to sign the kernel in the buildservice BuildRequires: openssl BuildRequires: pesign-obs-integration +%if 0%{?suse_version} > 1500 || 0%{?sle_version} >= 150300 +# pahole for CONFIG_DEBUG_INFO_BTF +BuildRequires: dwarves >= 1.22 +%endif # for objtool BuildRequires: libelf-devel # required for 50-check-kernel-build-id rpm check @@ -443,6 +447,11 @@ if echo %_project | grep -Eqx -f %_sourcedir/release-projects; then fi %endif +DEBUG_INFO_TYPE="$(grep "CONFIG_DEBUG_INFO_DWARF.*=y" .config)" +DEBUG_INFO_TYPE="${DEBUG_INFO_TYPE%%=y}" +DEBUG_INFO_TYPE="${DEBUG_INFO_TYPE##CONFIG_DEBUG_INFO_}" +echo "Kernel debuginfo type: ${DEBUG_INFO_TYPE}" + ../scripts/config \ --set-str CONFIG_LOCALVERSION -%source_rel-%build_flavor \ --enable CONFIG_SUSE_KERNEL \ @@ -450,7 +459,9 @@ fi %if 0%{?__debug_package:1} --enable CONFIG_DEBUG_INFO %else - --disable CONFIG_DEBUG_INFO + --disable CONFIG_DEBUG_INFO \ + --disable CONFIG_DEBUG_INFO_"${DEBUG_INFO_TYPE}" \ + --enable CONFIG_DEBUG_INFO_NONE %endif if [ %CONFIG_MODULE_SIG = "y" ]; then @@ -664,7 +675,11 @@ add_vmlinux() find man -name '*.9' -exec install -m 644 -D '{}' %buildroot/usr/share/man/man9/ ';' %endif %if 0%{?suse_version} > 1500 || 0%{?sle_version} >= 150300 - objcopy -R .rodata.compressed arch/s390/boot/compressed/vmlinux %buildroot/boot/zdebug-%kernelrelease-%build_flavor + s390x_vmlinux=arch/s390/boot/compressed/vmlinux + if [ ! -f "$s390x_vmlinux" ]; then + s390x_vmlinux=arch/s390/boot/vmlinux + fi + objcopy -R .rodata.compressed "$s390x_vmlinux" %buildroot/boot/zdebug-%kernelrelease-%build_flavor %endif %endif %ifarch %arm @@ -835,7 +850,7 @@ if [ %CONFIG_MODULES = y ]; then # pointless to rely on its contents. Replacing by zeros to make the # checksums always the same for several builds of the same package. test -s %buildroot/lib/modules/%kernelrelease-%build_flavor/modules.dep && \ - dd if=/dev/zero of=%buildroot/lib/modules/%kernelrelease-%build_flavor/modules.dep ibs=`stat -c%s %buildroot/lib/modules/%kernelrelease-%build_flavor/modules.dep` count=1 + dd if=/dev/zero of=%buildroot/lib/modules/%kernelrelease-%build_flavor/modules.dep ibs=$(stat -c%s %buildroot/lib/modules/%kernelrelease-%build_flavor/modules.dep) count=1 res=0 if test -e %my_builddir/kabi/%cpu_arch/symvers-%build_flavor; then @@ -1349,7 +1364,7 @@ Requires: kernel-source-vanilla = %version-%source_rel Supplements: packageand(%name:kernel-source-vanilla) %endif %if "%CONFIG_DEBUG_INFO_BTF_MODULES" == "y" -Requires: dwarves >= 1.21 +Requires: dwarves >= 1.22 %endif @PROVIDES_OBSOLETES_DEVEL@ %obsolete_rebuilds %name-devel diff --git a/rpm/kernel-obs-build.spec.in b/rpm/kernel-obs-build.spec.in index e73b418..c5999c8 100644 --- a/rpm/kernel-obs-build.spec.in +++ b/rpm/kernel-obs-build.spec.in @@ -121,7 +121,7 @@ echo "DefaultTasksAccounting=no" >> /etc/systemd/system.conf # a longer list to have them also available for qemu cross builds where x86_64 kernel runs in eg. arm env. # this list of modules where available on build workers of build.opensuse.org, so we stay compatible. -export KERNEL_MODULES="loop dm-crypt essiv dm-mod dm-snapshot binfmt-misc fuse kqemu squashfs ext2 ext3 ext4 reiserfs btrfs xfs nf_conntrack_ipv6 binfmt_misc virtio_pci virtio_mmio virtio_blk virtio_rng fat vfat nls_cp437 nls_iso8859-1 ibmvscsi sd_mod e1000 ibmveth overlay 9p 9pnet_virtio" +export KERNEL_MODULES="loop dm-crypt essiv dm-mod dm-snapshot binfmt-misc fuse kqemu squashfs ext2 ext3 ext4 reiserfs btrfs xfs nf_conntrack_ipv6 binfmt_misc virtio_pci virtio_mmio virtio_blk virtio_rng fat vfat nls_cp437 nls_iso8859-1 ibmvscsi sd_mod e1000 ibmveth overlay 9p 9pnet_virtio qemu_fw_cfg" # manually load all modules to make sure they're available for i in $KERNEL_MODULES; do @@ -151,14 +151,17 @@ ROOT="" -m "$KERNEL_MODULES" \ -k /boot/%{kernel_name}-*-default -M /boot/System.map-*-default -i /tmp/initrd.kvm -B %else +# --host-only mode is needed for unlimited TasksMax workaround (boo#965564) dracut --reproducible --host-only --no-hostonly-cmdline \ --no-early-microcode --nofscks --strip --hardlink \ --drivers="$KERNEL_MODULES" --force /tmp/initrd.kvm \ +%if 0%{?suse_version} > 1550 + --modules="obs qemu base rootfs-block dracut-systemd terminfo" \ +%endif %if 0%{?suse_version} > 1550 || 0%{?sle_version} > 150200 - --modules="obs qemu base rootfs-block" \ --compress "zstd -19 -T0" \ %endif - `echo /boot/%{kernel_name}-*%{kernel_flavor} | sed -n -e 's,[^-]*-\(.*'%{kernel_flavor}'\),\1,p'` + $(echo /boot/%{kernel_name}-*%{kernel_flavor} | sed -n -e 's,[^-]*-\(.*'%{kernel_flavor}'\),\1,p') %endif #cleanup diff --git a/rpm/kernel-source.spec.in b/rpm/kernel-source.spec.in index 7c9958e..4009769 100644 --- a/rpm/kernel-source.spec.in +++ b/rpm/kernel-source.spec.in @@ -130,6 +130,10 @@ Recommends: bison Recommends: flex Recommends: libelf-devel Recommends: openssl-devel +# pahole needed for BTF +%if 0%{?suse_version} > 1500 || 0%{?sle_version} > 150300 +Recommends: dwarves >= 1.22 +%endif # dracut no longer carries installkernel %if 0%{?suse_version} > 1500 || 0%{?sle_version} > 150300 Recommends: kernel-install-tools @@ -189,6 +193,10 @@ AutoReqProv: off Provides: %name-vanilla = %version-%source_rel Provides: multiversion(kernel) Requires: kernel-macros +# dracut no longer carries installkernel +%if 0%{?suse_version} > 1500 || 0%{?sle_version} > 150300 +Recommends: kernel-install-tools +%endif %description vanilla Vanilla Linux kernel sources with minor build fixes. diff --git a/rpm/macros.kernel-source b/rpm/macros.kernel-source index 6bc027d..3097b62 100644 --- a/rpm/macros.kernel-source +++ b/rpm/macros.kernel-source @@ -4,7 +4,7 @@ if ((tonumber(rpm.expand("0%{?suse_version}")) > 1500) or (tonumber(rpm.expand(" print( "bash-sh" ) \ else \ print( "" ) \ -end \ +end } %kernel_module_package_release 1 %kernel_module_package_buildreqs modutils kernel-syms kmod-compat %kernel_build_shell_package diff --git a/scripts/check-embargoed-bugz b/scripts/check-embargoed-bugz index 950618a..2f26c70 100755 --- a/scripts/check-embargoed-bugz +++ b/scripts/check-embargoed-bugz @@ -32,7 +32,7 @@ while read local_ref local_sha remote_ref remote_sha do test "$local_sha" = $z40 && continue case "$remote_ref" in - *_EMBARGO/*) + *_EMBARGO/*|*_EMBARGO) continue;; refs/heads/users/*/for-next) base=${remote_ref#refs/heads/users/*/} diff --git a/scripts/git_sort/git_sort.py b/scripts/git_sort/git_sort.py index 955c065..87e2f4d 100755 --- a/scripts/git_sort/git_sort.py +++ b/scripts/git_sort/git_sort.py @@ -222,6 +222,7 @@ remotes = ( Head(RepoURL("kvalo/wireless-drivers-next.git")), Head(RepoURL("mkp/scsi.git"), "queue"), Head(RepoURL("mkp/scsi.git"), "fixes"), + Head(RepoURL("mkp/scsi.git"), "for-next"), Head(RepoURL("git://git.kernel.dk/linux-block.git"), "for-next"), Head(RepoURL("git://git.kernel.org/pub/scm/virt/kvm/kvm.git"), "queue"), Head(RepoURL("git://git.infradead.org/nvme.git"), "nvme-5.15"), diff --git a/scripts/run_oldconfig.sh b/scripts/run_oldconfig.sh index fe50a1a..357692a 100755 --- a/scripts/run_oldconfig.sh +++ b/scripts/run_oldconfig.sh @@ -423,6 +423,9 @@ for config in $config_files; do esac if [ -d scripts/dummy-tools ] ; then MAKE_ARGS="$MAKE_ARGS CROSS_COMPILE=scripts/dummy-tools/" + if [ -e scripts/dummy-tools/pahole ]; then + MAKE_ARGS="$MAKE_ARGS PAHOLE=scripts/dummy-tools/pahole" + fi chmod 755 scripts/dummy-tools/* chmod 755 scripts/* fi diff --git a/scripts/tar-up.sh b/scripts/tar-up.sh index 38715a0..5c4c801 100755 --- a/scripts/tar-up.sh +++ b/scripts/tar-up.sh @@ -166,12 +166,6 @@ check_for_merge_conflicts $referenced_files kernel-source.changes{,.old} || \ inconsistent=true scripts/check-conf || inconsistent=true scripts/check-cvs-add --committed || inconsistent=true -# FIXME: someone should clean up the mess and make this check fatal -if $inconsistent; then - echo "Inconsistencies found." - echo "Please clean up series.conf and/or the patches directories!" - echo -fi tsfile=source-timestamp if ! scripts/cvs-wd-timestamp > $build_dir/$tsfile; then @@ -195,6 +189,15 @@ trap 'if test -n "$CLEANFILES"; then rm -rf "${CLEANFILES[@]}"; fi' EXIT tmpdir=$(mktemp -dt ${0##*/}.XXXXXX) CLEANFILES=("${CLEANFILES[@]}" "$tmpdir") rpmfiles=$(ls rpm/* | grep -v "~$") +rpmstatus=$(for i in $rpmfiles ; do git status -s $i ; done) +[ -z "$rpmstatus" ] || { inconsistent=true ; echo "$rpmstatus" ; } + +# FIXME: someone should clean up the mess and make this check fatal +if $inconsistent; then + echo "Inconsistencies found." + echo "Please clean up series.conf and/or the patches directories!" + echo +fi cp -p $rpmfiles config.conf supported.conf doc/* $build_dir match="${flavor:+\\/$flavor$}" diff --git a/series.conf b/series.conf index c7d6024..d9d4f3f 100644 --- a/series.conf +++ b/series.conf @@ -9456,6 +9456,7 @@ patches.suse/powerpc-mm-Don-t-lose-major-fault-indication-on-retr.patch patches.suse/powerpc-Remove-old-unused-icswx-based-coprocessor-su.patch patches.suse/powerpc-powernv-Enable-PCI-peer-to-peer.patch + patches.suse/powerpc-powernv-Use-darn-instruction-for-get_random_.patch patches.suse/powerpc-mm-book3s64-Make-KERN_IO_START-a-variable.patch patches.suse/powerpc-mm-slb-Move-comment-next-to-the-code-it-s-referring-to.patch patches.suse/powerpc-mm-hash64-Make-vmalloc-56T-on-hash.patch @@ -28402,6 +28403,7 @@ patches.suse/ext4-move-call-to-ext4_error-into-ext4_xattr_check_b.patch patches.suse/ext4-add-bounds-checking-to-ext4_xattr_find_entry.patch patches.suse/random-use-a-tighter-cap-in-credit_entropy_bits_safe + patches.suse/random-always-fill-buffer-in-get_random_bytes_wait.patch patches.suse/irqchip-gic-v2-Reset-APRn-registers-at-boot-time.patch patches.suse/irqchip-gic-v3-Reset-APgRn-registers-at-boot-time.patch patches.suse/irqchip-gic-v3-Allow-LPIs-to-be-disabled-from-the-co.patch @@ -37356,6 +37358,7 @@ patches.suse/net-sched-fix-notifications-for-action-held-chains.patch patches.suse/net-sched-make-tcf_chain_-get-put-static.patch patches.suse/cxgb4-fix-endian-to-test-F_FW_PORT_CMD_DCBXDIS32.patch + patches.suse/net-fec-check-DMA-addressing-limitations.patch patches.suse/net-Fix-coding-style-in-skb_push.patch patches.suse/be2net-fix-spelling-mistake-seqence-sequence.patch patches.suse/net-phy-Fix-the-register-offsets-in-Broadcom-iProc-m.patch @@ -49121,6 +49124,7 @@ patches.suse/batman-adv-allow-updating-DAT-entry-timeouts-on-inco.patch patches.suse/cxgb4-Update-1.23.3.0-as-the-latest-firmware-support.patch patches.suse/cxgb4-cxgb4vf-Display-advertised-FEC-in-ethtool.patch + patches.suse/cxgb3-l2t-Fix-undefined-behaviour.patch patches.suse/net-hns3-check-1000M-half-for-hns3_ethtool_ops.set_l.patch patches.suse/net-hns3-reduce-resources-use-in-kdump-kernel.patch patches.suse/net-hns3-modify-the-VF-network-port-media-type-acqui.patch @@ -49982,6 +49986,7 @@ patches.suse/nvme-fc-use-separate-work-queue-to-avoid-warning.patch patches.suse/nvme-multipath-avoid-crash-on-invalid-subsystem-cntl.patch patches.suse/nvme-change-locking-for-the-per-subsystem-controller.patch + patches.suse/latent_entropy-avoid-build-error-when-plugin-cflags-are-not-set.patch patches.suse/kvm-x86-skip-efer-vs-guest-cpuid-checks-for-host-initiated-writes patches.suse/kvm-s390-fix-potential-spectre-warnings.patch patches.suse/kvm-s390-add-vector-enhancements-facility-2-to-cpumodel @@ -51100,6 +51105,7 @@ patches.suse/Input-synaptics-enable-SMBUS-on-T480-thinkpad-trackp.patch patches.suse/pinctrl-rockchip-fix-leaked-of_node-references.patch patches.suse/dm-bufio-fix-deadlock-with-loop-device.patch + patches.suse/net-stmmac-Fix-misuses-of-GENMASK-macro.patch patches.suse/net-mlx5e-Rx-Fix-checksum-calculation-for-new-hardwa.patch patches.suse/net-mlx5e-IPoIB-Add-error-path-in-mlx5_rdma_setup_rn.patch patches.suse/cxgb4-reduce-kernel-stack-usage-in-cudbg_collect_mem.patch @@ -52370,6 +52376,7 @@ patches.suse/powerpc-Add-attributes-for-setjmp-longjmp.patch patches.suse/powerpc-pseries-correctly-track-irq-state-in-default.patch patches.suse/powerpc-xive-Fix-bogus-error-code-returned-by-OPAL.patch + patches.suse/powerpc-fadump-make-crash-memory-ranges-array-alloca.patch patches.suse/powerpc-dump-kernel-log-before-carrying-out-fadump-o.patch patches.suse/vfio_pci-Restore-original-state-on-release.patch patches.suse/clk-qoriq-Fix-Wunused-const-variable.patch @@ -54652,6 +54659,9 @@ patches.suse/PCI-Don-t-disable-bridge-BARs-when-assigning-bus-res.patch patches.suse/PCI-switchtec-Fix-vep_vector_number-ioread-width.patch patches.suse/PCI-IOV-Fix-memory-leak-in-pci_iov_add_virtfn.patch + patches.suse/linux-random.h-Remove-arch_has_random-arch_has_random_seed.patch + patches.suse/linux-random.h-Use-false-with-bool.patch + patches.suse/linux-random.h-Mark-CONFIG_ARCH_RANDOM-functions-__must_check.patch patches.suse/vfs-fix-do_last-regression.patch patches.suse/cifs-fix-soft-mounts-hanging-in-the-reconnect-code.patch patches.suse/msft-hv-2011-hv_balloon-Balloon-up-according-to-request-page-numb.patch @@ -55038,6 +55048,7 @@ patches.suse/bonding-alb-make-sure-arp-header-is-pulled-before-ac.patch patches.suse/ipvlan-do-not-add-hardware-address-of-master-to-its-.patch patches.suse/gre-fix-uninit-value-in-__iptunnel_pull_header.patch + patches.suse/net-stmmac-dwmac1000-Disable-ACS-if-enhanced-descs-a.patch patches.suse/sfc-detach-from-cb_page-in-efx_copy_channel.patch patches.suse/ipvlan-don-t-deref-eth-hdr-before-checking-it-s-set.patch patches.suse/ipvlan-add-cond_resched_rcu-while-processing-muticas.patch @@ -55692,6 +55703,7 @@ patches.suse/objtool-Support-Clang-non-section-symbols-in-ORC-generation.patch patches.suse/objtool-fix-switch-table-detection-in-text-unlikely.patch patches.suse/objtool-make-bp-scratch-register-warning-more-robust.patch + patches.suse/x86-microcode-amd-increase-microcode-patch_max_size.patch patches.suse/x86-resctrl-Fix-invalid-attempt-at-removing-the-defa.patch patches.suse/x86-resctrl-preserve-cdp-enable-over-cpu-hotplug.patch patches.suse/tpm-ibmvtpm-retry-on-H_CLOSED-in-tpm_ibmvtpm_send.patch @@ -55733,6 +55745,7 @@ patches.suse/net-dsa-b53-Fix-ARL-register-definitions.patch patches.suse/net-dsa-b53-Rework-ARL-bin-logic.patch patches.suse/0016-net-dsa-b53-b53_arl_rw_op-needs-to-select-IVL-or-SVL.patch + patches.suse/vrf-Fix-IPv6-with-qdisc-and-xfrm.patch patches.suse/mlxsw-Fix-some-IS_ERR-vs-NULL-bugs.patch patches.suse/cxgb4-fix-adapter-crash-due-to-wrong-MC-size.patch patches.suse/net-x25-Fix-x25_neigh-refcnt-leak-when-receiving-fra.patch @@ -55827,6 +55840,7 @@ patches.suse/bnxt_en-Return-error-when-allocating-zero-size-conte.patch patches.suse/bnxt_en-Fix-VLAN-acceleration-handling-in-bnxt_fix_f.patch patches.suse/sch_sfq-validate-silly-quantum-values.patch + patches.suse/net-sonic-Fix-a-resource-leak-in-an-error-handling-p.patch patches.suse/batman-adv-fix-batadv_nc_random_weight_tq.patch patches.suse/batman-adv-Fix-refcnt-leak-in-batadv_show_throughput.patch patches.suse/batman-adv-Fix-refcnt-leak-in-batadv_store_throughpu.patch @@ -56020,6 +56034,7 @@ patches.suse/objtool-clean-instruction-state-before-each-function-validation.patch patches.suse/objtool-ignore-empty-alternatives.patch patches.suse/efi-efivars-Add-missing-kobject_put-in-sysfs-entry-c.patch + patches.suse/x86-cpu-add-a-steppings-field-to-struct-x86_cpu_id.patch patches.suse/x86-cpu-amd-make-erratum-1054-a-legacy-erratum.patch patches.suse/drivers-perf-hisi-Fix-typo-in-events-attribute-array.patch patches.suse/lpfc_debugfs-get-rid-of-pointless-access_ok.patch @@ -56353,6 +56368,9 @@ patches.suse/s390-qdio-put-thinint-indicator-after-early-error patches.suse/ceph-convert-mdsc-cap_dirty-to-a-per-session-list.patch patches.suse/ceph-request-expedited-service-on-session-s-last-cap-flush.patch + patches.suse/x86-cpu-add-table-argument-to-cpu_matches.patch + patches.suse/x86-speculation-add-special-register-buffer-data-sampling-srbds-mitigation.patch + patches.suse/x86-speculation-add-srbds-vulnerability-and-mitigation-documentation.patch patches.suse/ovl-pass-correct-flags-for-opening-real-directory.patch patches.suse/ovl-switch-to-mounter-creds-in-readdir.patch patches.suse/ovl-verify-permissions-in-ovl_path_open.patch @@ -56606,6 +56624,7 @@ patches.suse/tcp-make-sure-listeners-don-t-initialize-congestion-.patch patches.suse/cgroup-fix-sock_cgroup_data-on-big-endian.patch patches.suse/bnxt_en-fix-NULL-dereference-in-case-SR-IOV-configur.patch + patches.suse/net-macb-mark-device-wake-capable-when-magic-packet-.patch patches.suse/mlxsw-spectrum_router-Remove-inappropriate-usage-of-.patch patches.suse/smb3-fix-access-denied-on-change-notify-request-to-some-servers.patch patches.suse/cifs-remove-the-retry-in-cifs_poxis_lock_set.patch @@ -57702,6 +57721,11 @@ patches.suse/tty-ipwireless-fix-error-handling.patch patches.suse/pty-do-tty_flip_buffer_push-without-port-lock-in-pty.patch patches.suse/tty-serial-fsl_lpuart-fix-lpuart32_poll_get_char.patch + patches.suse/sysfs-Add-sysfs_emit-and-sysfs_emit_at-to-format-sys.patch + patches.suse/drivers-core-Use-sysfs_emit-and-sysfs_emit_at-for-sh.patch + patches.suse/drivers-core-Remove-strcat-uses-around-sysfs_emit-an.patch + patches.suse/drivers-core-Miscellaneous-changes-for-sysfs_emit.patch + patches.suse/mm-and-drivers-core-Convert-hugetlb_report_node_memi.patch patches.suse/iio-dac-ad5592r-Fix-use-of-true-for-IIO_SHARED_BY_TY.patch patches.suse/iio-magn-hmc5843-Fix-passing-true-where-iio_shared_b.patch patches.suse/iio-accel-bma180-Fix-use-of-true-when-should-be-iio_.patch @@ -57865,6 +57889,7 @@ patches.suse/net-ipv6-discard-next-hop-mtu-less-than-minimum-link.patch patches.suse/tipc-fix-the-skb_unshare-in-tipc_buf_append.patch patches.suse/ipv4-Restore-flowi4_oif-update-before-call-to-xfrm_l.patch + patches.suse/net-korina-fix-kfree-of-rx-tx-descriptor-array.patch patches.suse/net-fec-Fix-phy_device-lookup-for-phy_reset_after_cl.patch patches.suse/ibmveth-Switch-order-of-ibmveth_helper-calls.patch patches.suse/ibmveth-Identify-ingress-large-send-packets.patch @@ -57873,6 +57898,7 @@ patches.suse/powerpc-pseries-Fix-missing-of_node_put-in-rng_init.patch patches.suse/powerpc-icp-hv-Fix-missing-of_node_put-in-success-pa.patch patches.suse/cxl-Rework-error-message-for-incompatible-slots.patch + patches.suse/powerpc-powernv-Staticify-functions-without-prototyp.patch patches.suse/powerpc-hwirq-Remove-stale-forward-irq_chip-declarat.patch patches.suse/powerpc-irq-Drop-forward-declaration-of-struct-irqac.patch patches.suse/powerpc-perf-consolidate-GPCI-hcall-structs-into-asm.patch @@ -58033,6 +58059,7 @@ patches.suse/cxgb4-set-up-filter-action-after-rewrites.patch patches.suse/mlxsw-core-Fix-memory-leak-on-module-removal.patch patches.suse/mlxsw-core-Fix-use-after-free-in-mlxsw_emad_trans_fi.patch + patches.suse/bnxt_en-Re-write-PCI-BARs-after-PCI-fatal-error.patch patches.suse/chelsio-chtls-fix-deadlock-issue.patch patches.suse/chelsio-chtls-fix-memory-leaks-in-CPL-handlers.patch patches.suse/ibmveth-Fix-use-of-ibmveth-in-a-bridge.patch @@ -58942,6 +58969,7 @@ patches.suse/ibmvnic-serialize-access-to-work-queue-on-remove.patch patches.suse/net-re-solve-some-conflicts-after-net-net-next-merge.patch patches.suse/reset-hisilicon-correct-vendor-prefix.patch + patches.suse/vt-drop-old-FONT-ioctls.patch patches.suse/usb-dwc2-Do-not-update-data-length-if-it-is-0-on-inb.patch patches.suse/usb-dwc2-Abort-transaction-after-errors-with-unknown.patch patches.suse/usb-dwc2-Make-trimming-xfer-length-a-debug-message.patch @@ -59142,6 +59170,7 @@ patches.suse/net-hns3-fix-bug-when-calculating-the-TCAM-table-inf.patch patches.suse/can-skb-can_skb_set_owner-fix-ref-counting-if-socket.patch patches.suse/ibmvnic-Fix-possibly-uninitialized-old_num_tx_queues.patch + patches.suse/net-stmmac-fix-incorrect-DMA-channel-intr-enable-set.patch patches.suse/ixgbe-fail-to-create-xfrm-offload-of-IPsec-tunnel-mo.patch patches.suse/net-usb-qmi_wwan-allow-qmimux-add-del-with-master-up.patch patches.suse/ibmvnic-always-store-valid-MAC-address.patch @@ -59243,6 +59272,7 @@ patches.suse/ext4-fix-potential-error-in-ext4_do_update_inode.patch patches.suse/veth-Store-queue_mapping-independently-of-XDP-prog-p.patch patches.suse/macvlan-macvlan_count_rx-needs-to-be-aware-of-preemp.patch + patches.suse/net-dsa-bcm_sf2-Qualify-phydev-dev_flags-based-on-po.patch patches.suse/igc-reinit_locked-should-be-called-with-rtnl_lock.patch patches.suse/igc-Fix-Pause-Frame-Advertising.patch patches.suse/igc-Fix-Supported-Pause-Frame-Link-Setting.patch @@ -59512,6 +59542,7 @@ patches.suse/kernel-smp-add-more-data-to-CSD-lock-debugging.patch patches.suse/rsxx-remove-extraneous-const-qualifier.patch patches.suse/md-Fix-missing-unused-status-line-of-proc-mdstat.patch + patches.suse/block-drbd-drbd_nl-Make-conversion-to-enum-drbd_ret_code-explicit.patch patches.suse/md-md_open-returns-EBUSY-when-entering-racing-area.patch patches.suse/md-factor-out-a-mddev_find_locked-helper-from-mddev_.patch patches.suse/md-split-mddev_find.patch @@ -59837,6 +59868,9 @@ patches.suse/net-netcp-Fix-an-error-message.patch patches.suse/cfg80211-mitigate-A-MSDU-aggregation-attacks.patch patches.suse/bpf-Add-kconfig-knob-for-disabling-unpriv-bpf-by-def.patch + patches.suse/net-fec-fix-the-potential-memory-leak-in-fec_enet_in.patch + patches.suse/net-mdio-thunder-Fix-a-double-free-issue-in-the-.rem.patch + patches.suse/net-mdio-octeon-Fix-some-double-free-issues.patch patches.suse/tls-splice-check-SPLICE_F_NONBLOCK-instead-of-MSG_DO.patch patches.suse/net-sched-fix-packet-stuck-problem-for-lockless-qdis.patch patches.suse/net-sched-fix-tx-action-rescheduling-issue-during-de.patch @@ -59949,15 +59983,21 @@ patches.suse/mac80211-remove-warning-in-ieee80211_get_sband.patch patches.suse/cfg80211-call-cfg80211_leave_ocb-when-switching-away.patch patches.suse/alx-Fix-an-error-handling-path-in-alx_probe.patch + patches.suse/net-stmmac-dwmac1000-Fix-extended-MAC-address-regist.patch + patches.suse/qlcnic-Fix-an-error-handling-path-in-qlcnic_probe.patch + patches.suse/netxen_nic-Fix-an-error-handling-path-in-netxen_nic_.patch patches.suse/bpf-Fix-leakage-under-speculation-on-mispredicted-br.patch patches.suse/net-usb-fix-possible-use-after-free-in-smsc75xx_bind.patch + patches.suse/net-fec_ptp-add-clock-rate-zero-check.patch patches.suse/can-bcm-fix-infoleak-in-struct-bcm_msg_head.patch patches.suse/can-mcba_usb-fix-memory-leak-in-mcba_usb.patch patches.suse/r8152-Avoid-memcpy-over-reading-of-ETH_SS_STATS.patch patches.suse/be2net-Fix-an-error-handling-path-in-be_probe.patch + patches.suse/net-hamradio-fix-memory-leak-in-mkiss_close.patch patches.suse/net-cdc_eem-fix-tx-fixup-skb-leak.patch patches.suse/cxgb4-fix-wrong-shift.patch patches.suse/net-ll_temac-Fix-TX-BD-buffer-overwrite.patch + patches.suse/net-ethernet-fix-potential-use-after-free-in-ec_bhf_.patch patches.suse/s390-sles12sp5-zcrypt-fix-hanging-ioctl-caused-by-wrong-msg-counter.patch patches.suse/powerpc-perf-Fix-crash-in-perf_instruction_pointer-w.patch patches.suse/x86-fpu-Reset-state-for-all-signal-restore-failures.patch @@ -60056,11 +60096,14 @@ patches.suse/block-fix-trace-completion-for-chained-bio.patch patches.suse/nvme-verify-MNAN-value-if-ANA-is-enabled.patch patches.suse/net-pch_gbe-Propagate-error-from-devm_gpio_request_o.patch + patches.suse/mvpp2-suppress-warning.patch patches.suse/mISDN-fix-possible-use-after-free-in-HFC_cleanup.patch patches.suse/msft-hv-2344-net-mana-Use-struct_size-in-kzalloc.patch patches.suse/ibmvnic-remove-default-label-from-to_string-switch.patch + patches.suse/net-xilinx_emaclite-Do-not-print-real-IOMEM-pointer.patch patches.suse/e100-handle-eeprom-as-little-endian.patch patches.suse/can-hi311x-hi3110_can_probe-silence-clang-warning.patch + patches.suse/ehea-fix-error-return-code-in-ehea_restart_qps.patch patches.suse/ipv6-use-prandom_u32-for-ID-generation.patch patches.suse/net-usb-asix-add-error-handling-for-asix_mdio_-funct.patch patches.suse/net-ena-optimize-data-access-in-fast-path-code.patch @@ -60118,6 +60161,7 @@ patches.suse/Bluetooth-mgmt-Fix-slab-out-of-bounds-in-tlv_data_is.patch patches.suse/Bluetooth-btusb-fix-bt-fiwmare-downloading-failure-i.patch patches.suse/gve-DQO-Fix-off-by-one-in-gve_rx_dqo.patch + patches.suse/net-ethernet-aeroflex-fix-UAF-in-greth_of_remove.patch patches.suse/net-sched-add-barrier-to-ensure-correct-ordering-for.patch patches.suse/msft-hv-2398-hv_netvsc-Set-needed_headroom-according-to-VF.patch patches.suse/can-bcm-delay-release-of-struct-bcm_op-after-synchro.patch @@ -60918,6 +60962,7 @@ patches.suse/btrfs-fix-memory-ordering-between-normal-and-ordered-work-functions.patch patches.suse/atlantic-Fix-OOB-read-and-write-in-hw_atl_utils_fw_r.patch patches.suse/iavf-prevent-accidental-free-of-filter-structure.patch + patches.suse/net-dpaa2-eth-fix-use-after-free-in-dpaa2_eth_remove.patch patches.suse/NFC-reorganize-the-functions-in-nci_request.patch patches.suse/NFC-reorder-the-logic-in-nfc_-un-register_device.patch patches.suse/NFC-add-NCI_UNREG-flag-to-eliminate-the-race.patch @@ -61018,6 +61063,7 @@ patches.suse/cgroup-Use-open-time-cgroup-namespace-for-process-migration-perm-checks.patch patches.suse/arm64-clear_page-shouldn-t-use-DC-ZVA-when-DCZID_EL0.DZP-1.patch patches.suse/random-fix-data-race-on-crng_node_pool.patch + patches.suse/random-fix-crash-on-multiple-early-calls-to-add_bootloader_randomness.patch patches.suse/media-em28xx-fix-memory-leak-in-em28xx_init_dev.patch patches.suse/media-mceusb-fix-control-message-timeouts.patch patches.suse/media-redrat3-fix-control-message-timeouts.patch @@ -61029,6 +61075,9 @@ patches.suse/media-stk1160-fix-control-message-timeouts.patch patches.suse/media-dmxdev-fix-UAF-when-dvb_register_device-fails.patch patches.suse/media-dib0700-fix-undefined-behavior-in-tuner-shutdo.patch + patches.suse/media-uvcvideo-fix-division-by-zero-at-stream-start.patch + patches.suse/media-dib8000-Fix-a-memleak-in-dib8000_init.patch + patches.suse/media-saa7146-mxb-Fix-a-NULL-pointer-dereference-in-.patch patches.suse/Bluetooth-bfusb-fix-division-by-zero-in-send-path.patch patches.suse/msft-hv-2486-net-mana-Add-XDP-support.patch patches.suse/ibmvnic-Update-driver-return-codes.patch @@ -61118,6 +61167,8 @@ patches.suse/ibmvnic-remove-unused-wait_capability.patch patches.suse/yam-fix-a-memory-leak-in-yam_siocdevprivate.patch patches.suse/gve-Fix-GFP-flags-when-allocing-pages.patch + patches.suse/ipv4-tcp-send-zero-IPID-in-SYNACK-messages.patch + patches.suse/ipv4-avoid-using-shared-IP-generator-for-connected-s.patch patches.suse/udf-Fix-NULL-ptr-deref-when-converting-from-inline-f.patch patches.suse/udf-Restore-i_lenAlloc-when-inode-expansion-fails.patch patches.suse/s390-hypfs-include-z-VM-guests-with-access-control-group-set @@ -61212,6 +61263,7 @@ patches.suse/net-bcmgenet-Don-t-claim-WOL-when-its-not-available.patch patches.suse/af_key-add-__GFP_ZERO-flag-for-compose_sadb_supporte.patch patches.suse/Input-aiptek-properly-check-endpoint-type.patch + patches.suse/kvm-emulate-fix-setcc-emulation-function-offsets-with-sls.patch patches.suse/arm64-module-remove-NOLOAD-from-linker-script.patch patches.suse/arm64-mm-avoid-fixmap-race-condition-when-create-pud-mapping.patch patches.suse/hwrng-cavium-HW_RANDOM_CAVIUM-should-depend-on-ARCH_.patch @@ -61297,7 +61349,6 @@ patches.suse/scsi-lpfc-Use-rport-as-argument-for-lpfc_chk_tgt_map.patch patches.suse/scsi-lpfc-Remove-failing-soft_wwn-support.patch patches.suse/scsi-qla2xxx-Fix-incorrect-reporting-of-task-managem.patch - patches.suse/scsi-qla2xxx-Fix-disk-failure-to-rediscover.patch patches.suse/scsi-qla2xxx-Fix-loss-of-NVMe-namespaces-after-drive.patch patches.suse/scsi-qla2xxx-Fix-missed-DMA-unmap-for-NVMe-ls-reques.patch patches.suse/scsi-qla2xxx-Fix-crash-during-module-load-unload-tes.patch @@ -61355,6 +61406,8 @@ patches.suse/veth-Ensure-eth-header-is-in-skb-s-linear-part.patch patches.suse/mm-page_alloc-fix-build_zonerefs_node.patch patches.suse/smp-Fix-offline-cpu-check-in-flush_smp_call_function.patch + patches.suse/openvswitch-fix-OOB-access-in-reserve_sfa_size.patch + patches.suse/net-sched-cls_u32-fix-netns-refcount-changes-in-u32_.patch patches.suse/ext4-fix-symlink-file-size-not-match-to-file-content.patch patches.suse/ext4-limit-length-to-bitmap_maxbytes-blocksize-in-pu.patch patches.suse/ext4-fix-overhead-calculation-to-account-for-the-res.patch @@ -61380,6 +61433,7 @@ patches.suse/USB-serial-option-add-support-for-Cinterion-MV32-WA-.patch patches.suse/USB-serial-cp210x-add-PIDs-for-Kamstrup-USB-Meter-Re.patch patches.suse/USB-serial-whiteheat-fix-heap-overflow-in-WHITEHEAT_.patch + patches.suse/arch_topology-Do-not-set-llc_sibling-if-llc_id-is-in.patch patches.suse/nfc-replace-improper-check-device_is_registered-in-n.patch patches.suse/nfc-nfcmrvl-main-reorder-destructive-operations-in-n.patch patches.suse/secure_seq-use-the-64-bits-of-the-siphash-for-port-o.patch @@ -61406,6 +61460,7 @@ patches.suse/USB-serial-option-add-Fibocom-L610-modem.patch patches.suse/USB-serial-option-add-Fibocom-MA510-modem.patch patches.suse/USB-serial-qcserial-add-support-for-Sierra-Wireless-.patch + patches.suse/fsl_lpuart-Don-t-enable-interrupts-too-early.patch patches.suse/perf-fix-sys_perf_event_open-race-against-self.patch patches.suse/fs-writeback-writeback_sb_inodes-Recalculate-wrote-a.patch patches.suse/target-remove-an-incorrect-unmap-zeroes-data-deduction.patch @@ -61417,6 +61472,8 @@ patches.suse/md-fix-an-incorrect-NULL-check-in-does_sb_need_chang.patch patches.suse/md-fix-an-incorrect-NULL-check-in-md_reload_sb.patch patches.suse/md-raid0-Ignore-RAID0-layout-if-the-second-zone-has-.patch + patches.suse/irqchip-exiu-Fix-acknowledgment-of-edge-triggered-in.patch + patches.suse/x86-entry-remove-skip_r11rcx.patch patches.suse/tpm-ibmvtpm-Correct-the-return-value-in-tpm_ibmvtpm_.patch patches.suse/ACPI-property-Release-subnode-properties-with-data-n.patch patches.suse/ext4-fix-use-after-free-in-ext4_rename_dir_prepare.patch @@ -61426,6 +61483,7 @@ patches.suse/ext4-avoid-cycles-in-directory-h-tree.patch patches.suse/ext4-fix-bug_on-in-__es_tree_search.patch patches.suse/iomap-iomap_write_failed-fix.patch + patches.suse/Bluetooth-hci_qca-Use-del_timer_sync-before-freeing.patch patches.suse/scsi-qla2xxx-Remove-free_sg-command-flag.patch patches.suse/scsi-ufs-qcom-Fix-ufs_qcom_resume.patch patches.suse/scsi-qla2xxx-Remove-unneeded-flush_workqueue.patch @@ -61439,10 +61497,12 @@ patches.suse/0011-dm-integrity-fix-error-code-in-dm_integrity_ctr.patch patches.suse/0012-dm-crypt-make-printing-of-the-key-constant-time.patch patches.suse/PCI-ACPI-Allow-D3-only-if-Root-Port-can-signal-and-w.patch + patches.suse/PCI-qcom-Fix-runtime-PM-imbalance-on-probe-errors.patch patches.suse/crypto-qat-set-to-zero-DH-parameters-before-free.patch patches.suse/crypto-qat-fix-memory-leak-in-RSA.patch patches.suse/crypto-qat-remove-dma_free_coherent-for-RSA.patch patches.suse/crypto-qat-remove-dma_free_coherent-for-DH.patch + patches.suse/powerpc-fadump-fix-PT_LOAD-segment-for-boot-memory-a.patch patches.suse/powerpc-idle-Fix-return-value-of-__setup-handler.patch patches.suse/powerpc-perf-Fix-the-threshold-compare-group-constra.patch patches.suse/powerpc-xive-Fix-refcount-leak-in-xive_spapr_init.patch @@ -61455,29 +61515,132 @@ patches.suse/netfilter-nf_tables-disallow-non-stateful-expression.patch patches.suse/net-sched-fixed-barrier-to-prevent-skbuff-sticking-i.patch patches.suse/0004-md-bcache-check-the-return-value-of-kzalloc-in-detac.patch + patches.suse/tty-serial-fsl_lpuart-fix-potential-bug-when-using-b.patch patches.suse/usb-usbip-fix-a-refcount-leak-in-stub_probe.patch patches.suse/usb-usbip-add-missing-device-lock-on-tweak-configura.patch patches.suse/USB-storage-karma-fix-rio_karma_init-return.patch patches.suse/usb-musb-Fix-missing-of_node_put-in-omap2430_probe.patch patches.suse/USB-serial-option-add-Quectel-BG95-modem.patch + patches.suse/scsi-qla2xxx-Remove-setting-of-req-and-rsp-parameter.patch + patches.suse/scsi-qla2xxx-Remove-unused-ql_dm_tgt_ex_pct-paramete.patch patches.suse/Input-bcm5974-set-missing-URB_NO_TRANSFER_DMA_MAP-ur.patch patches.suse/writeback-Fix-inode-i_io_list-not-be-protected-by-in.patch patches.suse/SUNRPC-Fix-the-calculation-of-xdr-end-in-xdr_get_nex.patch + patches.suse/scsi-lpfc-Address-NULL-pointer-dereference-after-sta.patch + patches.suse/x86-speculation-mmio-Enumerate-Processor-MMIO-Stale-Data-bug.patch + patches.suse/x86-speculation-Add-a-common-function-for-MD_CLEAR-mitigation-update.patch + patches.suse/x86-speculation-mmio-Add-mitigation-for-Processor-MMIO-Stale-Data.patch + patches.suse/x86-bugs-Group-MDS-TAA-Processor-MMIO-Stale-Data-mitigations.patch + patches.suse/x86-speculation-mmio-Enable-CPU-Fill-buffer-clearing-on-idle.patch + patches.suse/x86-speculation-mmio-Add-sysfs-reporting-for-Processor-MMIO-Stale-Data.patch + patches.suse/x86-speculation-srbds-Update-SRBDS-mitigation-selection.patch + patches.suse/x86-speculation-mmio-Reuse-SRBDS-mitigation-for-SBDS.patch + patches.suse/KVM-x86-speculation-Disable-Fill-buffer-clear-within-guests.patch patches.suse/0013-dm-mirror-log-round-up-region-bitmap-size-to-BITS_PE.patch patches.suse/init-Initialize-noop_backing_dev_info-early.patch + patches.suse/pNFS-Don-t-keep-retrying-if-the-server-replied-NFS4E.patch patches.suse/ext4-fix-bug_on-ext4_mb_use_inode_pa.patch patches.suse/ext4-make-variable-count-signed.patch + patches.suse/powerpc-pseries-wire-up-rng-during-setup_arch.patch patches.suse/powerpc-rtas-Allow-ibm-platform-dump-RTAS-call-with-.patch + patches.suse/powerpc-powernv-wire-up-rng-during-setup_arch.patch patches.suse/usbnet-fix-memory-allocation-in-helpers.patch patches.suse/net-usb-ax88179_178a-Fix-packet-receiving.patch patches.suse/net-rose-fix-UAF-bugs-caused-by-timer-handler.patch + patches.suse/dm-raid-fix-KASAN-warning-in-raid5_add_disks.patch + patches.suse/SUNRPC-Fix-READ_PLUS-crasher.patch patches.suse/xen-blkfront-fix-leaking-data-in-shared-pages.patch patches.suse/xen-netfront-fix-leaking-data-in-shared-pages.patch patches.suse/xen-netfront-force-data-bouncing-when-backend-is-unt.patch patches.suse/xen-blkfront-force-data-bouncing-when-backend-is-unt.patch patches.suse/ibmvnic-Properly-dispose-of-all-skbs-during-a-failov.patch patches.suse/usbnet-fix-memory-leak-in-error-case.patch + patches.suse/fbcon-Disallow-setting-font-bigger-than-screen-size.patch + patches.suse/fbcon-Prevent-that-screen-size-is-smaller-than-font-.patch + patches.suse/fbmem-Check-virtual-screen-sizes-in-fb_set_var.patch + patches.suse/powerpc-powernv-delay-rng-platform-device-creation-u.patch + patches.suse/x86-cpufeatures-Move-RETPOLINE-flags-to-word-11.patch + patches.suse/x86-retpoline-Use-mfunction-return.patch + patches.suse/x86-Undo-return-thunk-damage.patch + patches.suse/x86-kvm-Fix-SETcc-emulation-for-return-thunks.patch + patches.suse/x86-vsyscall_emu-64-Don-t-use-RET-in-vsyscall-emulation.patch + patches.suse/x86-sev-Avoid-using-__x86_return_thunk.patch + patches.suse/x86-Use-return-thunk-in-asm-code.patch + patches.suse/x86-Add-magic-AMD-return-thunk.patch + patches.suse/x86-bugs-Report-AMD-retbleed-vulnerability.patch + patches.suse/x86-bugs-Add-AMD-retbleed-boot-parameter.patch + patches.suse/x86-bugs-Enable-STIBP-for-JMP2RET.patch + patches.suse/x86-bugs-Keep-a-per-CPU-IA32_SPEC_CTRL-value.patch + patches.suse/x86-entry-add-kernel-ibrs-implementation.patch + patches.suse/x86-bugs-Optimize-SPEC_CTRL-MSR-writes.patch + patches.suse/x86-speculation-Add-spectre_v2-ibrs-option-to-support-Kern.patch + patches.suse/x86-bugs-Split-spectre_v2_select_mitigation-and-spectre_v2.patch + patches.suse/x86-bugs-Report-Intel-retbleed-vulnerability.patch + patches.suse/intel_idle-Disable-IBRS-during-long-idle.patch + patches.suse/x86-bugs-Add-retbleed-ibpb.patch + patches.suse/x86-bugs-Do-IBPB-fallback-check-only-once.patch + patches.suse/x86-cpu-amd-Add-Spectral-Chicken.patch + patches.suse/x86-speculation-Fix-firmware-entry-SPEC_CTRL-handling.patch + patches.suse/x86-speculation-Fix-SPEC_CTRL-write-on-SMT-state-change.patch + patches.suse/x86-speculation-Use-cached-host-SPEC_CTRL-value-for-guest-.patch + patches.suse/x86-speculation-Remove-x86_spec_ctrl_mask.patch + patches.suse/x86-common-Stamp-out-the-stepping-madness.patch + patches.suse/x86-cpu-amd-Enumerate-BTC_NO.patch + patches.suse/x86-retbleed-add-fine-grained-kconfig-knobs.patch + patches.suse/x86-bugs-Do-not-enable-IBPB-on-entry-when-IBPB-is-no.patch + patches.suse/x86-kexec-disable-ret-on-kexec.patch patches.suse/xen-netback-avoid-entering-xenvif_rx_next_skb-with-a.patch + patches.suse/kvm-emulate-do-not-adjust-size-of-fastop-and-setcc-subroutines.patch + patches.suse/serial-mvebu-uart-correctly-report-configured-baudra.patch + patches.suse/lkdtm-disable-return-thunks-in-rodata-c.patch + patches.suse/netfilter-nf_queue-do-not-allow-packet-truncation-be.patch + patches.suse/scsi-qla2xxx-edif-Reduce-Initiator-Initiator-thrashi.patch + patches.suse/scsi-qla2xxx-edif-bsg-refactor.patch + patches.suse/scsi-qla2xxx-edif-Wait-for-app-to-ack-on-sess-down.patch + patches.suse/scsi-qla2xxx-edif-Add-bsg-interface-to-read-doorbell.patch + patches.suse/scsi-qla2xxx-edif-Fix-potential-stuck-session-in-sa-.patch + patches.suse/scsi-qla2xxx-edif-Synchronize-NPIV-deletion-with-aut.patch + patches.suse/scsi-qla2xxx-edif-Add-retry-for-ELS-passthrough.patch + patches.suse/scsi-qla2xxx-edif-Remove-old-doorbell-interface.patch + patches.suse/scsi-qla2xxx-edif-Fix-n2n-discovery-issue-with-secur.patch + patches.suse/scsi-qla2xxx-edif-Fix-n2n-login-retry-for-secure-dev.patch + patches.suse/scsi-qla2xxx-Update-version-to-10.02.07.500-k.patch + patches.suse/scsi-qla2xxx-edif-Fix-I-O-timeout-due-to-over-subscr.patch + patches.suse/scsi-qla2xxx-edif-Send-LOGO-for-unexpected-IKE-messa.patch + patches.suse/scsi-qla2xxx-edif-Reduce-disruption-due-to-multiple-.patch + patches.suse/scsi-qla2xxx-edif-Fix-no-login-after-app-start.patch + patches.suse/scsi-qla2xxx-edif-Tear-down-session-if-keys-have-bee.patch + patches.suse/scsi-qla2xxx-edif-Fix-session-thrash.patch + patches.suse/scsi-qla2xxx-edif-Fix-no-logout-on-delete-for-N2N.patch + patches.suse/scsi-qla2xxx-edif-Reduce-N2N-thrashing-at-app_start-.patch + patches.suse/scsi-qla2xxx-edif-Fix-slow-session-teardown.patch + patches.suse/scsi-qla2xxx-Update-version-to-10.02.07.600-k.patch + patches.suse/scsi-qla2xxx-Fix-excessive-I-O-error-messages-by-def.patch + patches.suse/scsi-qla2xxx-Add-a-new-v2-dport-diagnostic-feature.patch + patches.suse/scsi-qla2xxx-Wind-down-adapter-after-PCIe-error.patch + patches.suse/scsi-qla2xxx-Turn-off-multi-queue-for-8G-adapters.patch + patches.suse/scsi-qla2xxx-Fix-crash-due-to-stale-SRB-access-aroun.patch + patches.suse/scsi-qla2xxx-Fix-losing-FCP-2-targets-during-port-pe.patch + patches.suse/scsi-qla2xxx-Fix-losing-target-when-it-reappears-dur.patch + patches.suse/scsi-qla2xxx-Add-debug-prints-in-the-device-remove-p.patch + patches.suse/scsi-qla2xxx-Fix-losing-FCP-2-targets-on-long-port-d.patch + patches.suse/scsi-qla2xxx-Fix-erroneous-mailbox-timeout-after-PCI.patch + patches.suse/scsi-qla2xxx-Update-version-to-10.02.07.700-k.patch + patches.suse/scsi-qla2xxx-Check-correct-variable-in-qla24xx_async.patch + patches.suse/scsi-qla2xxx-Fix-incorrect-display-of-max-frame-size.patch + patches.suse/scsi-qla2xxx-Zero-undefined-mailbox-IN-registers.patch + patches.suse/scsi-qla2xxx-Fix-response-queue-handler-reading-stal.patch + patches.suse/scsi-qla2xxx-edif-Fix-dropped-IKE-message.patch + patches.suse/scsi-qla2xxx-Fix-imbalance-vha-vref_count.patch + patches.suse/scsi-qla2xxx-Fix-discovery-issues-in-FC-AL-topology.patch + patches.suse/scsi-qla2xxx-Fix-sparse-warning-for-dport_data.patch + patches.suse/scsi-qla2xxx-Update-manufacturer-details.patch + patches.suse/scsi-qla2xxx-Update-version-to-10.02.07.800-k.patch + patches.suse/md-raid-destroy-the-bitmap-after-destroying-the-thre.patch + patches.suse/xfs-fix-null-pointer-dereference-in-xfs_getbmap.patch + patches.suse/powerpc-powernv-Avoid-crashing-if-rng-is-NULL.patch + patches.suse/powerpc-powernv-kvm-Use-darn-for-H_RANDOM-on-Power9.patch + patches.suse/powerpc-powernv-rename-remaining-rng-powernv_-functi.patch # dhowells/linux-fs keys-uefi patches.suse/0001-KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch @@ -61529,6 +61692,8 @@ # the supported flag. ######################################################## patches.rpmify/cloneconfig.diff + patches.suse/tty-extract-tty_flip_buffer_commit-from-tty_flip_buf.patch + patches.suse/tty-use-new-tty_insert_flip_string_and_push_buffer-i.patch ######################################################## # kbuild/module infrastructure fixes @@ -61586,12 +61751,6 @@ patches.suse/setuid-dumpable-wrongdir patches.suse/sched-fair-Enable-SIS_AVG_CPU-by-default.patch - patches.suse/x86-speculation-Add-basic-IBRS-support-infrastructur.patch - patches.suse/x86-speculation-Add-inlines-to-control-Indirect-Bran.patch - patches.suse/x86-enter-Create-macros-to-restrict-unrestrict-Indir.patch - patches.suse/x86-enter-Use-IBRS-on-syscall-and-interrupts.patch - patches.suse/IBRS-forbid-shooting-in-foot.patch - # bsc#1137366 patches.suse/sched-topology-Improve-load-balancing-on-AMD-EPYC.patch @@ -61619,55 +61778,7 @@ ######################################################## patches.suse/x86-apic-force-bigsmp-apic-on-IBM-EXA3-4.patch - patches.suse/x86-microcode-amd-increase-microcode-patch_max_size.patch - # srbds - patches.suse/x86-cpu-add-a-steppings-field-to-struct-x86_cpu_id.patch - patches.suse/x86-cpu-add-table-argument-to-cpu_matches.patch - patches.suse/x86-speculation-add-special-register-buffer-data-sampling-srbds-mitigation.patch - patches.suse/x86-speculation-add-srbds-vulnerability-and-mitigation-documentation.patch - - # mmio - patches.suse/x86-speculation-mmio-Enumerate-Processor-MMIO-Stale-Data-bug.patch - patches.suse/x86-speculation-Add-a-common-function-for-MD_CLEAR-mitigation-update.patch - patches.suse/x86-speculation-mmio-Add-mitigation-for-Processor-MMIO-Stale-Data.patch - patches.suse/x86-bugs-Group-MDS-TAA-Processor-MMIO-Stale-Data-mitigations.patch - patches.suse/x86-speculation-mmio-Enable-CPU-Fill-buffer-clearing-on-idle.patch - patches.suse/x86-speculation-mmio-Add-sysfs-reporting-for-Processor-MMIO-Stale-Data.patch - patches.suse/x86-speculation-srbds-Update-SRBDS-mitigation-selection.patch - patches.suse/x86-speculation-mmio-Reuse-SRBDS-mitigation-for-SBDS.patch - patches.suse/KVM-x86-speculation-Disable-Fill-buffer-clear-within-guests.patch - - # tip - patches.suse/x86-cpufeatures-Move-RETPOLINE-flags-to-word-11.patch - patches.suse/x86-retpoline-Use-mfunction-return.patch - patches.suse/x86-Undo-return-thunk-damage.patch - patches.suse/x86-kvm-Fix-SETcc-emulation-for-return-thunks.patch - patches.suse/x86-vsyscall_emu-64-Don-t-use-RET-in-vsyscall-emulation.patch - patches.suse/x86-sev-Avoid-using-__x86_return_thunk.patch - patches.suse/x86-Use-return-thunk-in-asm-code.patch - patches.suse/x86-Add-magic-AMD-return-thunk.patch - patches.suse/x86-bugs-Report-AMD-retbleed-vulnerability.patch - patches.suse/x86-bugs-Add-AMD-retbleed-boot-parameter.patch - patches.suse/x86-bugs-Enable-STIBP-for-JMP2RET.patch - patches.suse/x86-bugs-Keep-a-per-CPU-IA32_SPEC_CTRL-value.patch - patches.suse/x86-entry-Add-kernel-IBRS-implementation.patch - patches.suse/x86-bugs-Optimize-SPEC_CTRL-MSR-writes.patch - patches.suse/x86-speculation-Add-spectre_v2-ibrs-option-to-support-Kern.patch - patches.suse/x86-bugs-Split-spectre_v2_select_mitigation-and-spectre_v2.patch - patches.suse/x86-bugs-Report-Intel-retbleed-vulnerability.patch - patches.suse/intel_idle-Disable-IBRS-during-long-idle.patch - patches.suse/x86-bugs-Add-retbleed-ibpb.patch - patches.suse/x86-bugs-Do-IBPB-fallback-check-only-once.patch - patches.suse/x86-cpu-amd-Add-Spectral-Chicken.patch - patches.suse/x86-speculation-Fix-firmware-entry-SPEC_CTRL-handling.patch - patches.suse/x86-speculation-Fix-SPEC_CTRL-write-on-SMT-state-change.patch - patches.suse/x86-speculation-Use-cached-host-SPEC_CTRL-value-for-guest-.patch - patches.suse/x86-speculation-Remove-x86_spec_ctrl_mask.patch - patches.suse/x86-common-Stamp-out-the-stepping-madness.patch - patches.suse/x86-cpu-amd-Enumerate-BTC_NO.patch - patches.suse/x86-bugs-Do-not-enable-IBPB-on-entry-when-IBPB-is-no.patch patches.suse/CVE-Mitigation-for-CVE-2022-29900-and-CVE-2022-29901.patch - patches.suse/x86-kexec-Disable-RET-on-kexec.patch ######################################################## # S/390 @@ -61681,16 +61792,9 @@ patches.suse/s390-sles15-bpf-indirect-call.patch patches.suse/s390-sles15sp1-kmsg-update-2019-01-10.patch patches.suse/s390-sles15sp1-kmsg-update-2019-03-08.patch - patches.kabi/s390-cio-fix-virtio-ccw-dma-without-pv - patches.kabi/kABI-s390-ap-Fix-hanging-ioctl-caused-by-wrong-msg-c.patch patches.suse/s390-sles12sp5-kdump-fix-out-of-memory-with-PCI.patch - patches.kabi/s390-kabi-workaround-for-lowcore-vmap_stack.patch - patches.kabi/s390-kabi-for-stack-unwind-api.patch - patches.kabi/s390-kabi-workaround-ftrace_ret_stack.patch - patches.kabi/s390-kabi-workaround-reliable-stack-tracing.patch - ######################################################## # aarch64 ######################################################## @@ -61791,8 +61895,6 @@ patches.suse/powerpc-Add-pmem.h.patch - patches.kabi/powerpc-add-back-flush_dcache_range.patch - # CVE-2020-4788 patches.suse/powerpc-64s-Define-MASKABLE_RELON_EXCEPTION_PSERIES_.patch patches.suse/powerpc-64s-move-some-exception-handlers-out-of-line.patch @@ -61846,8 +61948,6 @@ patches.suse/acpi_thermal_passive_blacklist.patch patches.suse/ACPI-acpi_pad-Do-not-launch-acpi_pad-threads-on-idle-cpus.patch - patches.kabi/ACPI-kabi-fixes-for-subsys-exports.patch - ######################################################## # Driver core ######################################################## @@ -62018,14 +62118,10 @@ patches.suse/scsi-sr-workaround-VMware-ESXi-cdrom-emulation-bug.patch patches.suse/scsi-release-sg-list-in-scsi_release_buffers.patch - patches.kabi/kabi-protect-RDMA_DRIVER_EFA.patch patches.suse/scsi-fnic-do-not-call-scsi_done-for-unhandled-commands.patch patches.suse/blk-wbt-fix-missed-wakeup.patch - # git-fixes kABI fix - patches.kabi/kABI-fix-addition-of-new-field-in-struct-esp - ######################################################## # DRM/Video ######################################################## @@ -62055,9 +62151,7 @@ patches.suse/drm-mgag200-Implement-basic-PM-support patches.suse/kernel-Export-mm_access.patch patches.suse/0001-drm-qxl-Return-error-if-fbdev-is-not-32-bpp.patch - patches.kabi/drm_connector-registration_state-kABI-workaround.patch patches.suse/drm-fix-spectre-issue-in-vmw_execbuf_ioctl.patch - patches.kabi/drm-drm_file-kabi-workaround.patch ######################################################## # Out-of-tree networking @@ -62081,11 +62175,6 @@ # Wireless Networking ######################################################## patches.suse/b43-missing-firmware-info.patch - patches.kabi/ath10k-last_wmi_vdev_start_status-kabi-workaround.patch - patches.kabi/ath10k-hw_filter_reset_required-kabi-fix.patch - patches.kabi/iwlwifi-iwl_rx_cmd_buffer-kabi-fix.patch - patches.kabi/mwifiex-power_cfg-kabi-workaround.patch - patches.kabi/netlink-nla_policy-kabi-workaround.patch patches.suse/mac80211-assure-all-fragments-are-encrypted.patch patches.suse/mac80211-prevent-mixed-key-and-fragment-cache-attack.patch @@ -62114,11 +62203,7 @@ ########################################################## # Sound ########################################################## - patches.kabi/ALSA-hda-kabi-workaround-for-generic-parser-flag.patch - patches.kabi/ALSA-snd_hda_pick_pin_fixup-kABI-workaround.patch - patches.kabi/snd-rawmidi-buffer_ref-kABI-workaround.patch patches.suse/ALSA-pcm-Fix-potential-AB-BA-lock-with-buffer_mutex-.patch - patches.kabi/ALSA-kABI-workaround-for-snd_pcm_runtime-changes.patch ######################################################## # printk @@ -62141,8 +62226,6 @@ patches.suse/nvdimm-testing-provide-SZ_4G.patch - patches.kabi/mmc-retune_crc_disable-flag-kABI-fix.patch - # Intel IOMMU patches.suse/iommu-vt-d-Correctly-calculate-agaw-in-domain_init.patch @@ -62378,9 +62461,32 @@ patches.suse/0005-USB-padding-for-XHCI.patch patches.suse/0006-ehci-adding-padding.patch + patches.kabi/s390-cio-fix-virtio-ccw-dma-without-pv + patches.kabi/kABI-s390-ap-Fix-hanging-ioctl-caused-by-wrong-msg-c.patch + patches.kabi/s390-kabi-workaround-for-lowcore-vmap_stack.patch + patches.kabi/s390-kabi-for-stack-unwind-api.patch + patches.kabi/s390-kabi-workaround-ftrace_ret_stack.patch + patches.kabi/s390-kabi-workaround-reliable-stack-tracing.patch + patches.kabi/powerpc-add-back-flush_dcache_range.patch + patches.kabi/ACPI-kabi-fixes-for-subsys-exports.patch + patches.kabi/kabi-protect-RDMA_DRIVER_EFA.patch + patches.kabi/kABI-fix-addition-of-new-field-in-struct-esp + patches.kabi/drm_connector-registration_state-kABI-workaround.patch + patches.kabi/drm-drm_file-kabi-workaround.patch + patches.kabi/ath10k-last_wmi_vdev_start_status-kabi-workaround.patch + patches.kabi/ath10k-hw_filter_reset_required-kabi-fix.patch + patches.kabi/iwlwifi-iwl_rx_cmd_buffer-kabi-fix.patch + patches.kabi/mwifiex-power_cfg-kabi-workaround.patch + patches.kabi/netlink-nla_policy-kabi-workaround.patch + patches.kabi/ALSA-hda-kabi-workaround-for-generic-parser-flag.patch + patches.kabi/ALSA-snd_hda_pick_pin_fixup-kABI-workaround.patch + patches.kabi/snd-rawmidi-buffer_ref-kABI-workaround.patch + patches.kabi/ALSA-kABI-workaround-for-snd_pcm_runtime-changes.patch + patches.kabi/mmc-retune_crc_disable-flag-kABI-fix.patch patches.kabi/media-em28xx-stop-rewriting-device-s-struct.patch patches.kabi/media-em28xx-fix-handler-for-vidioc_s_input.patch patches.kabi/kABI-add-_q-suffix-to-exports-that-take-struct-dh.patch + patches.kabi/powerpc-powernv-kABI-add-back-powernv_get_random_lon.patch patches.kabi/include-mm-h-in-net-h.patch @@ -62455,6 +62561,7 @@ patches.kabi/pcie_port_bus_type-kabi-compat.patch patches.kabi/debugfs-kabi-restore-debugfs_remove_recursive.patch + patches.kabi/sysfs-Add-sysfs_emit-and-sysfs_emit_at-to-format-sys-kabi-workaround.patch patches.kabi/v4l2_fh-kabi-workaround.patch