diff --git a/blacklist.conf b/blacklist.conf index 4ea249d..7e1d840 100644 --- a/blacklist.conf +++ b/blacklist.conf @@ -1426,3 +1426,12 @@ abc25bbcb55c08183d30ee79a308aeef16b62dcb # CONFIG_ARM_LPAE is not enabled for an 1605de1b3ca66e3eddbca4b3c353c13c26476fe2 # Unsupported platform f32c34d6cfbb3d1f1c26f223cb549cca9767cfbd # Gone in as 41512e4dc0b84525495e784295092592adb87f1b ef775a0e36c6a81c5b07cb228c02f967133fe768 # PROC_FS is always set in our configs +7607c44c157d343223510c8ffdf7206fdd2a6213 # Requires 730633f0b7f9 which is very difficult to port without breaking kABI +35e4c6c1a2fc2eb11b9306e95cda1fa06a511948 # Requires 730633f0b7f9 which is very difficult to port without breaking kABI +86399ea071099ec8ee0a83ac9ad67f7df96a50ad # Requires 730633f0b7f9 which is very difficult to port without breaking kABI +81dedaf10c20959bdf5624f9783f408df26ba7a4 # Just a cleanup +480d42dc001bbfe953825a92073012fcd5a99161 # Bug introduced with edb0872f44ec "block: move the bdi from the request_queue to the gendisk" +b781d8db580c058ecd54ed7d5dde7f8270b25f5b # Bug introduced with db18a53e5ba8 "blk-cgroup: remove blkcg_bio_issue_check" +2fc428f6b7ca80794cb9928c90d4de524366659f # Bug introduced by fd41e60331b13 "bfq-iosched: stop using blkg->stat_bytes and ->stat_ios" +5ff9f19231a0e670b3d79c563f1b0b185abeca91 # Reverted by 8dc932d3e8afb65e12eba7495f046c83884c49bf +064a91771f7aae4ea2d13033b64e921951d216ce # Cosmetic diff --git a/patches.suse/0008-random-move-FIPS-continuous-test-to-output-functions.patch b/patches.suse/0008-random-move-FIPS-continuous-test-to-output-functions.patch index b47b322..35fbb7b 100644 --- a/patches.suse/0008-random-move-FIPS-continuous-test-to-output-functions.patch +++ b/patches.suse/0008-random-move-FIPS-continuous-test-to-output-functions.patch @@ -21,7 +21,7 @@ Acked-by: Torsten Duwe --- a/drivers/char/random.c +++ b/drivers/char/random.c -@@ -482,6 +482,8 @@ struct crng_state { +@@ -483,6 +483,8 @@ struct crng_state { __u32 state[16]; unsigned long init_time; spinlock_t lock; @@ -30,7 +30,7 @@ Acked-by: Torsten Duwe }; static struct crng_state primary_crng = { -@@ -547,7 +549,7 @@ struct entropy_store { +@@ -548,7 +550,7 @@ struct entropy_store { static ssize_t extract_entropy(struct entropy_store *r, void *buf, size_t nbytes, int min, int rsvd); static ssize_t _extract_entropy(struct entropy_store *r, void *buf, @@ -39,7 +39,7 @@ Acked-by: Torsten Duwe static void crng_reseed(struct crng_state *crng, struct entropy_store *r); static void push_to_pool(struct work_struct *work); -@@ -907,7 +909,7 @@ static void crng_initialize_secondary(st +@@ -908,7 +910,7 @@ static void __maybe_unused crng_initiali static void __init crng_initialize_primary(struct crng_state *crng) { memcpy(&crng->state[0], "expand 32-byte k", 16); @@ -48,9 +48,9 @@ Acked-by: Torsten Duwe if (crng_init_try_arch_early(crng) && trust_cpu) { invalidate_batched_entropy(); numa_crng_init(); -@@ -1086,11 +1088,25 @@ static void _extract_crng(struct crng_st - time_after(jiffies, crng->init_time + CRNG_RESEED_INTERVAL))) - crng_reseed(crng, crng == &primary_crng ? &input_pool : NULL); +@@ -1108,11 +1110,25 @@ static void _extract_crng(struct crng_st + &input_pool : NULL); + } spin_lock_irqsave(&crng->lock, flags); + + if (fips_enabled && !crng->last_data_init) { @@ -74,7 +74,7 @@ Acked-by: Torsten Duwe spin_unlock_irqrestore(&crng->lock, flags); } -@@ -1580,22 +1596,14 @@ static void extract_buf(struct entropy_s +@@ -1586,22 +1602,14 @@ static void extract_buf(struct entropy_s } static ssize_t _extract_entropy(struct entropy_store *r, void *buf, @@ -98,7 +98,7 @@ Acked-by: Torsten Duwe i = min_t(int, nbytes, EXTRACT_SIZE); memcpy(buf, tmp, i); nbytes -= i; -@@ -1621,7 +1629,22 @@ static ssize_t _extract_entropy(struct e +@@ -1627,7 +1635,22 @@ static ssize_t _extract_entropy(struct e static ssize_t extract_entropy(struct entropy_store *r, void *buf, size_t nbytes, int min, int reserved) { @@ -121,7 +121,7 @@ Acked-by: Torsten Duwe unsigned long flags; /* if last_data isn't primed, we need EXTRACT_SIZE extra bytes */ -@@ -1640,24 +1663,6 @@ static ssize_t extract_entropy(struct en +@@ -1646,24 +1669,6 @@ static ssize_t extract_entropy(struct en spin_unlock_irqrestore(&r->lock, flags); } @@ -146,7 +146,7 @@ Acked-by: Torsten Duwe trace_extract_entropy_user(r->name, nbytes, ENTROPY_BITS(r), _RET_IP_); if (!r->initialized && r->pull) { xfer_secondary_pool(r, ENTROPY_BITS(r->pull)/8); -@@ -1678,6 +1683,15 @@ static ssize_t extract_entropy_user(stru +@@ -1684,6 +1689,15 @@ static ssize_t extract_entropy_user(stru } extract_buf(r, tmp); diff --git a/patches.suse/ACPI-scan-Create-platform-device-for-BCM4752-and-LNV.patch b/patches.suse/ACPI-scan-Create-platform-device-for-BCM4752-and-LNV.patch new file mode 100644 index 0000000..f19506d --- /dev/null +++ b/patches.suse/ACPI-scan-Create-platform-device-for-BCM4752-and-LNV.patch @@ -0,0 +1,79 @@ +From f85196bdd5a50da74670250564740fc852b3c239 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Thu, 30 Dec 2021 12:57:47 +0100 +Subject: [PATCH] ACPI: scan: Create platform device for BCM4752 and LNV4752 ACPI nodes +Git-commit: f85196bdd5a50da74670250564740fc852b3c239 +Patch-mainline: v5.17-rc1 +References: git-fixes + +BCM4752 and LNV4752 ACPI nodes describe a Broadcom 4752 GPS module +attached to an UART of the system. + +The GPS modules talk a custom protocol which only works with a closed- +source Android gpsd daemon which knows this protocol. + +The ACPI nodes also describe GPIOs to turn the GPS on/off these are +handled by the net/rfkill/rfkill-gpio.c code. This handling predates the +addition of enumeration of ACPI instantiated serdevs to the kernel and +was broken by that addition, because the ACPI scan code now no longer +instantiates platform_device-s for these nodes. + +Rename the i2c_multi_instantiate_ids HID list to ignore_serial_bus_ids +and add the BCM4752 and LNV4752 HIDs, so that rfkill-gpio gets +a platform_device to bind to again; and so that a tty cdev for gpsd +gets created for these. + +Fixes: e361d1f85855 ("ACPI / scan: Fix enumeration for special UART devices") +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Acked-by: Takashi Iwai + +--- + drivers/acpi/scan.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/drivers/acpi/scan.c b/drivers/acpi/scan.c +index a9adcda39d40..4dd3a9efcd0f 100644 +--- a/drivers/acpi/scan.c ++++ b/drivers/acpi/scan.c +@@ -1710,6 +1710,7 @@ static bool acpi_device_enumeration_by_parent(struct acpi_device *device) + { + struct list_head resource_list; + bool is_serial_bus_slave = false; ++ static const struct acpi_device_id ignore_serial_bus_ids[] = { + /* + * These devices have multiple I2cSerialBus resources and an i2c-client + * must be instantiated for each, each with its own i2c_device_id. +@@ -1718,11 +1719,18 @@ static bool acpi_device_enumeration_by_parent(struct acpi_device *device) + * drivers/platform/x86/i2c-multi-instantiate.c driver, which knows + * which i2c_device_id to use for each resource. + */ +- static const struct acpi_device_id i2c_multi_instantiate_ids[] = { + {"BSG1160", }, + {"BSG2150", }, + {"INT33FE", }, + {"INT3515", }, ++ /* ++ * HIDs of device with an UartSerialBusV2 resource for which userspace ++ * expects a regular tty cdev to be created (instead of the in kernel ++ * serdev) and which have a kernel driver which expects a platform_dev ++ * such as the rfkill-gpio driver. ++ */ ++ {"BCM4752", }, ++ {"LNV4752", }, + {} + }; + +@@ -1736,8 +1744,7 @@ static bool acpi_device_enumeration_by_parent(struct acpi_device *device) + fwnode_property_present(&device->fwnode, "baud"))) + return true; + +- /* Instantiate a pdev for the i2c-multi-instantiate drv to bind to */ +- if (!acpi_match_device_ids(device, i2c_multi_instantiate_ids)) ++ if (!acpi_match_device_ids(device, ignore_serial_bus_ids)) + return false; + + INIT_LIST_HEAD(&resource_list); +-- +2.31.1 + diff --git a/patches.suse/ALSA-PCM-Add-missing-rwsem-around-snd_ctl_remove-cal.patch b/patches.suse/ALSA-PCM-Add-missing-rwsem-around-snd_ctl_remove-cal.patch new file mode 100644 index 0000000..984bffe --- /dev/null +++ b/patches.suse/ALSA-PCM-Add-missing-rwsem-around-snd_ctl_remove-cal.patch @@ -0,0 +1,40 @@ +From 5471e9762e1af4b7df057a96bfd46cc250979b88 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 16 Nov 2021 08:13:13 +0100 +Subject: [PATCH] ALSA: PCM: Add missing rwsem around snd_ctl_remove() calls +Git-commit: 5471e9762e1af4b7df057a96bfd46cc250979b88 +Patch-mainline: v5.17-rc1 +References: git-fixes + +snd_ctl_remove() has to be called with card->controls_rwsem held (when +called after the card instantiation). This patch add the missing +rwsem calls around it. + +Fixes: a8ff48cb7083 ("ALSA: pcm: Free chmap at PCM free callback, too") +Link: https://lore.kernel.org/r/20211116071314.15065-2-tiwai@suse.de +Signed-off-by: Takashi Iwai + +--- + sound/core/pcm.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/sound/core/pcm.c b/sound/core/pcm.c +index 6fd3677685d7..ba4a987ed1c6 100644 +--- a/sound/core/pcm.c ++++ b/sound/core/pcm.c +@@ -810,7 +810,11 @@ EXPORT_SYMBOL(snd_pcm_new_internal); + static void free_chmap(struct snd_pcm_str *pstr) + { + if (pstr->chmap_kctl) { +- snd_ctl_remove(pstr->pcm->card, pstr->chmap_kctl); ++ struct snd_card *card = pstr->pcm->card; ++ ++ down_write(&card->controls_rwsem); ++ snd_ctl_remove(card, pstr->chmap_kctl); ++ up_write(&card->controls_rwsem); + pstr->chmap_kctl = NULL; + } + } +-- +2.31.1 + diff --git a/patches.suse/ALSA-hda-Add-missing-rwsem-around-snd_ctl_remove-cal.patch b/patches.suse/ALSA-hda-Add-missing-rwsem-around-snd_ctl_remove-cal.patch new file mode 100644 index 0000000..92a6881 --- /dev/null +++ b/patches.suse/ALSA-hda-Add-missing-rwsem-around-snd_ctl_remove-cal.patch @@ -0,0 +1,39 @@ +From 80bd64af75b4bb11c0329bc66c35da2ddfb66d88 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 16 Nov 2021 08:13:14 +0100 +Subject: [PATCH] ALSA: hda: Add missing rwsem around snd_ctl_remove() calls +Git-commit: 80bd64af75b4bb11c0329bc66c35da2ddfb66d88 +Patch-mainline: v5.17-rc1 +References: git-fixes + +snd_ctl_remove() has to be called with card->controls_rwsem held (when +called after the card instantiation). This patch add the missing +rwsem calls around it. + +Fixes: d13bd412dce2 ("ALSA: hda - Manage kcontrol lists") +Link: https://lore.kernel.org/r/20211116071314.15065-3-tiwai@suse.de +Signed-off-by: Takashi Iwai + +--- + sound/pci/hda/hda_codec.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c +index 0c4a337c9fc0..eda70814369b 100644 +--- a/sound/pci/hda/hda_codec.c ++++ b/sound/pci/hda/hda_codec.c +@@ -1727,8 +1727,11 @@ void snd_hda_ctls_clear(struct hda_codec *codec) + { + int i; + struct hda_nid_item *items = codec->mixers.list; ++ ++ down_write(&codec->card->controls_rwsem); + for (i = 0; i < codec->mixers.used; i++) + snd_ctl_remove(codec->card, items[i].kctl); ++ up_write(&codec->card->controls_rwsem); + snd_array_free(&codec->mixers); + snd_array_free(&codec->nids); + } +-- +2.31.1 + diff --git a/patches.suse/ALSA-hda-Make-proper-use-of-timecounter.patch b/patches.suse/ALSA-hda-Make-proper-use-of-timecounter.patch new file mode 100644 index 0000000..96b4b00 --- /dev/null +++ b/patches.suse/ALSA-hda-Make-proper-use-of-timecounter.patch @@ -0,0 +1,122 @@ +From 6dd21ad81bf96478db3403b1bbe251c0612d0431 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Wed, 24 Nov 2021 23:40:01 +0100 +Subject: [PATCH] ALSA: hda: Make proper use of timecounter +Git-commit: 6dd21ad81bf96478db3403b1bbe251c0612d0431 +Patch-mainline: v5.17-rc1 +References: git-fixes + +HDA uses a timecounter to read a hardware clock running at 24 MHz. The +conversion factor is set with a mult value of 125 and a shift value of 0, +which is not converting the hardware clock to nanoseconds, it is converting +to 1/3 nanoseconds because the conversion factor from 24Mhz to nanoseconds +is 125/3. The usage sites divide the "nanoseconds" value returned by +timecounter_read() by 3 to get a real nanoseconds value. + +There is a lengthy comment in azx_timecounter_init() explaining this +choice. That comment makes blatantly wrong assumptions about how +timecounters work and what can overflow. + +The comment says: + + * Applying the 1/3 factor as part of the multiplication + * requires at least 20 bits for a decent precision, however + * overflows occur after about 4 hours or less, not a option. + +timecounters operate on time deltas between two readouts of a clock and use +the mult/shift pair to calculate a precise nanoseconds value: + + delta_nsec = (delta_clock * mult) >> shift; + +The fractional part is also taken into account and preserved to prevent +accumulated rounding errors. For details see cyclecounter_cyc2ns(). + +The mult/shift pair has to be chosen so that the multiplication of the +maximum expected delta value does not result in a 64bit overflow. As the +counter wraps around on 32bit, the maximum observable delta between two +reads is (1 << 32) - 1 which is about 178.9 seconds. + +That in turn means the maximum multiplication factor which fits into an u32 +will not cause a 64bit overflow ever because it's guaranteed that: + + ((1 << 32) - 1) ^ 2 < (1 << 64) + +The resulting correct multiplication factor is 2796202667 and the shift +value is 26, i.e. 26 bit precision. The overflow of the multiplication +would happen exactly at a clock readout delta of 6597069765 which is way +after the wrap around of the hardware clock at around 274.8 seconds which +is off from the claimed 4 hours by more than an order of magnitude. + +If the counter ever wraps around the last read value then the calculation +is off by the number of wrap arounds times 178.9 seconds because the +overflow cannot be observed. + +Use clocks_calc_mult_shift(), which calculates the most accurate mult/shift +pair based on the given clock frequency, and remove the bogus comment along +with the divisions at the readout sites. + +Fixes: 5d890f591d15 ("ALSA: hda: support for wallclock timestamps") +Signed-off-by: Thomas Gleixner +Reviewed-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/871r35kwji.ffs@tglx +Signed-off-by: Takashi Iwai + +--- + sound/hda/hdac_stream.c | 14 ++++---------- + sound/pci/hda/hda_controller.c | 1 - + sound/soc/intel/skylake/skl-pcm.c | 1 - + 3 files changed, 4 insertions(+), 12 deletions(-) + +diff --git a/sound/hda/hdac_stream.c b/sound/hda/hdac_stream.c +index 9867555883c3..aa7955fdf68a 100644 +--- a/sound/hda/hdac_stream.c ++++ b/sound/hda/hdac_stream.c +@@ -534,17 +534,11 @@ static void azx_timecounter_init(struct hdac_stream *azx_dev, + cc->mask = CLOCKSOURCE_MASK(32); + + /* +- * Converting from 24 MHz to ns means applying a 125/3 factor. +- * To avoid any saturation issues in intermediate operations, +- * the 125 factor is applied first. The division is applied +- * last after reading the timecounter value. +- * Applying the 1/3 factor as part of the multiplication +- * requires at least 20 bits for a decent precision, however +- * overflows occur after about 4 hours or less, not a option. ++ * Calculate the optimal mult/shift values. The counter wraps ++ * around after ~178.9 seconds. + */ +- +- cc->mult = 125; /* saturation after 195 years */ +- cc->shift = 0; ++ clocks_calc_mult_shift(&cc->mult, &cc->shift, 24000000, ++ NSEC_PER_SEC, 178); + + nsec = 0; /* audio time is elapsed time since trigger */ + timecounter_init(tc, cc, nsec); +diff --git a/sound/pci/hda/hda_controller.c b/sound/pci/hda/hda_controller.c +index 930ae4002a81..75dcb14ff20a 100644 +--- a/sound/pci/hda/hda_controller.c ++++ b/sound/pci/hda/hda_controller.c +@@ -504,7 +504,6 @@ static int azx_get_time_info(struct snd_pcm_substream *substream, + snd_pcm_gettime(substream->runtime, system_ts); + + nsec = timecounter_read(&azx_dev->core.tc); +- nsec = div_u64(nsec, 3); /* can be optimized */ + if (audio_tstamp_config->report_delay) + nsec = azx_adjust_codec_delay(substream, nsec); + +diff --git a/sound/soc/intel/skylake/skl-pcm.c b/sound/soc/intel/skylake/skl-pcm.c +index 9ecaf6a1e847..e4aa366d356e 100644 +--- a/sound/soc/intel/skylake/skl-pcm.c ++++ b/sound/soc/intel/skylake/skl-pcm.c +@@ -1251,7 +1251,6 @@ static int skl_platform_soc_get_time_info( + snd_pcm_gettime(substream->runtime, system_ts); + + nsec = timecounter_read(&hstr->tc); +- nsec = div_u64(nsec, 3); /* can be optimized */ + if (audio_tstamp_config->report_delay) + nsec = skl_adjust_codec_delay(substream, nsec); + +-- +2.31.1 + diff --git a/patches.suse/ALSA-hda-realtek-Fix-silent-output-on-Gigabyte-X570--c19330086795.patch b/patches.suse/ALSA-hda-realtek-Fix-silent-output-on-Gigabyte-X570--c19330086795.patch new file mode 100644 index 0000000..036e8cd --- /dev/null +++ b/patches.suse/ALSA-hda-realtek-Fix-silent-output-on-Gigabyte-X570--c19330086795.patch @@ -0,0 +1,109 @@ +From c1933008679586b20437280463110c967d66f865 Mon Sep 17 00:00:00 2001 +From: Christian Lachner +Date: Mon, 3 Jan 2022 15:05:17 +0100 +Subject: [PATCH] ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Master after reboot from Windows +Git-commit: c1933008679586b20437280463110c967d66f865 +Patch-mainline: v5.17-rc1 +References: git-fixes + +This patch addresses an issue where after rebooting from Windows into Linux +there would be no audio output. + +It turns out that the Realtek Audio driver on Windows changes some coeffs +which are not being reset/reinitialized when rebooting the machine. As a +result, there is no audio output until these coeffs are being reset to +their initial state. This patch takes care of that by setting known-good +(initial) values to the coeffs. + +We initially relied upon alc1220_fixup_clevo_p950() to fix some pins in the +connection list. However, it also sets coef 0x7 which does not need to be +touched. Furthermore, to prevent mixing device-specific quirks I introduced +a new alc1220_fixup_gb_x570() which is heavily based on +alc1220_fixup_clevo_p950() but does not set coeff 0x7 and fixes the coeffs +that are actually needed instead. + +This new alc1220_fixup_gb_x570() is believed to also work for other boards, +like the Gigabyte X570 Aorus Extreme and the newer Gigabyte Aorus X570S +Master. However, as there is no way for me to test these I initially only +enable this new behaviour for the mainboard I have which is the Gigabyte +X570(non-S) Aorus Master. + +I tested this patch on the 5.15 branch as well as on master and it is +working well for me. + +Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=205275 +Signed-off-by: Christian Lachner +Fixes: 0d45e86d2267d ("ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Master") +Cc: +Link: https://lore.kernel.org/r/20220103140517.30273-2-gladiac@gmail.com +Signed-off-by: Takashi Iwai + +--- + sound/pci/hda/patch_realtek.c | 30 +++++++++++++++++++++++++++++- + 1 file changed, 29 insertions(+), 1 deletion(-) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 2f1727faec69..2eea70605fd3 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -1924,6 +1924,7 @@ enum { + ALC887_FIXUP_ASUS_BASS, + ALC887_FIXUP_BASS_CHMAP, + ALC1220_FIXUP_GB_DUAL_CODECS, ++ ALC1220_FIXUP_GB_X570, + ALC1220_FIXUP_CLEVO_P950, + ALC1220_FIXUP_CLEVO_PB51ED, + ALC1220_FIXUP_CLEVO_PB51ED_PINS, +@@ -2113,6 +2114,29 @@ static void alc1220_fixup_gb_dual_codecs(struct hda_codec *codec, + } + } + ++static void alc1220_fixup_gb_x570(struct hda_codec *codec, ++ const struct hda_fixup *fix, ++ int action) ++{ ++ static const hda_nid_t conn1[] = { 0x0c }; ++ static const struct coef_fw gb_x570_coefs[] = { ++ WRITE_COEF(0x1a, 0x01c1), ++ WRITE_COEF(0x1b, 0x0202), ++ WRITE_COEF(0x43, 0x3005), ++ {} ++ }; ++ ++ switch (action) { ++ case HDA_FIXUP_ACT_PRE_PROBE: ++ snd_hda_override_conn_list(codec, 0x14, ARRAY_SIZE(conn1), conn1); ++ snd_hda_override_conn_list(codec, 0x1b, ARRAY_SIZE(conn1), conn1); ++ break; ++ case HDA_FIXUP_ACT_INIT: ++ alc_process_coef_fw(codec, gb_x570_coefs); ++ break; ++ } ++} ++ + static void alc1220_fixup_clevo_p950(struct hda_codec *codec, + const struct hda_fixup *fix, + int action) +@@ -2415,6 +2439,10 @@ static const struct hda_fixup alc882_fixups[] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc1220_fixup_gb_dual_codecs, + }, ++ [ALC1220_FIXUP_GB_X570] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc1220_fixup_gb_x570, ++ }, + [ALC1220_FIXUP_CLEVO_P950] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc1220_fixup_clevo_p950, +@@ -2517,7 +2545,7 @@ static const struct snd_pci_quirk alc882_fixup_tbl[] = { + SND_PCI_QUIRK(0x13fe, 0x1009, "Advantech MIT-W101", ALC886_FIXUP_EAPD), + SND_PCI_QUIRK(0x1458, 0xa002, "Gigabyte EP45-DS3/Z87X-UD3H", ALC889_FIXUP_FRONT_HP_NO_PRESENCE), + SND_PCI_QUIRK(0x1458, 0xa0b8, "Gigabyte AZ370-Gaming", ALC1220_FIXUP_GB_DUAL_CODECS), +- SND_PCI_QUIRK(0x1458, 0xa0cd, "Gigabyte X570 Aorus Master", ALC1220_FIXUP_CLEVO_P950), ++ SND_PCI_QUIRK(0x1458, 0xa0cd, "Gigabyte X570 Aorus Master", ALC1220_FIXUP_GB_X570), + SND_PCI_QUIRK(0x1458, 0xa0ce, "Gigabyte X570 Aorus Xtreme", ALC1220_FIXUP_CLEVO_P950), + SND_PCI_QUIRK(0x1462, 0x11f7, "MSI-GE63", ALC1220_FIXUP_CLEVO_P950), + SND_PCI_QUIRK(0x1462, 0x1228, "MSI-GP63", ALC1220_FIXUP_CLEVO_P950), +-- +2.31.1 + diff --git a/patches.suse/ALSA-jack-Add-missing-rwsem-around-snd_ctl_remove-ca.patch b/patches.suse/ALSA-jack-Add-missing-rwsem-around-snd_ctl_remove-ca.patch new file mode 100644 index 0000000..013ac69 --- /dev/null +++ b/patches.suse/ALSA-jack-Add-missing-rwsem-around-snd_ctl_remove-ca.patch @@ -0,0 +1,41 @@ +From 06764dc931848c3a9bc01a63bbf76a605408bb54 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 16 Nov 2021 08:13:12 +0100 +Subject: [PATCH] ALSA: jack: Add missing rwsem around snd_ctl_remove() calls +Git-commit: 06764dc931848c3a9bc01a63bbf76a605408bb54 +Patch-mainline: v5.17-rc1 +References: git-fixes + +snd_ctl_remove() has to be called with card->controls_rwsem held (when +called after the card instantiation). This patch add the missing +rwsem calls around it. + +Fixes: 9058cbe1eed2 ("ALSA: jack: implement kctl creating for jack devices") +Link: https://lore.kernel.org/r/20211116071314.15065-1-tiwai@suse.de +Signed-off-by: Takashi Iwai + +--- + sound/core/jack.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/core/jack.c b/sound/core/jack.c +index 32350c6aba84..f50a1e920e1d 100644 +--- a/sound/core/jack.c ++++ b/sound/core/jack.c +@@ -62,10 +62,13 @@ static int snd_jack_dev_free(struct snd_device *device) + struct snd_card *card = device->card; + struct snd_jack_kctl *jack_kctl, *tmp_jack_kctl; + ++ down_write(&card->controls_rwsem); + list_for_each_entry_safe(jack_kctl, tmp_jack_kctl, &jack->kctl_list, list) { + list_del_init(&jack_kctl->list); + snd_ctl_remove(card, jack_kctl->kctl); + } ++ up_write(&card->controls_rwsem); ++ + if (jack->private_free) + jack->private_free(jack); + +-- +2.31.1 + diff --git a/patches.suse/ALSA-oss-fix-compile-error-when-OSS_DEBUG-is-enabled.patch b/patches.suse/ALSA-oss-fix-compile-error-when-OSS_DEBUG-is-enabled.patch new file mode 100644 index 0000000..742be8a --- /dev/null +++ b/patches.suse/ALSA-oss-fix-compile-error-when-OSS_DEBUG-is-enabled.patch @@ -0,0 +1,40 @@ +From 8e7daf318d97f25e18b2fc7eb5909e34cd903575 Mon Sep 17 00:00:00 2001 +From: Bixuan Cui +Date: Wed, 1 Dec 2021 16:58:54 +0800 +Subject: [PATCH] ALSA: oss: fix compile error when OSS_DEBUG is enabled +Git-commit: 8e7daf318d97f25e18b2fc7eb5909e34cd903575 +Patch-mainline: v5.17-rc1 +References: git-fixes + +Fix compile error when OSS_DEBUG is enabled: + sound/core/oss/pcm_oss.c: In function 'snd_pcm_oss_set_trigger': + sound/core/oss/pcm_oss.c:2055:10: error: 'substream' undeclared (first + use in this function); did you mean 'csubstream'? + pcm_dbg(substream->pcm, "pcm_oss: trigger = 0x%x\n", trigger); + ^ + +Fixes: 61efcee8608c ("ALSA: oss: Use standard printk helpers") +Signed-off-by: Bixuan Cui +Link: https://lore.kernel.org/r/1638349134-110369-1-git-send-email-cuibixuan@linux.alibaba.com +Signed-off-by: Takashi Iwai + +--- + sound/core/oss/pcm_oss.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c +index 82a818734a5f..bb37665ad3c2 100644 +--- a/sound/core/oss/pcm_oss.c ++++ b/sound/core/oss/pcm_oss.c +@@ -2052,7 +2052,7 @@ static int snd_pcm_oss_set_trigger(struct snd_pcm_oss_file *pcm_oss_file, int tr + int err, cmd; + + #ifdef OSS_DEBUG +- pcm_dbg(substream->pcm, "pcm_oss: trigger = 0x%x\n", trigger); ++ pr_debug("pcm_oss: trigger = 0x%x\n", trigger); + #endif + + psubstream = pcm_oss_file->streams[SNDRV_PCM_STREAM_PLAYBACK]; +-- +2.31.1 + diff --git a/patches.suse/ALSA-usb-audio-Add-minimal-mute-notion-in-dB-mapping.patch b/patches.suse/ALSA-usb-audio-Add-minimal-mute-notion-in-dB-mapping.patch index f0bf8ce..df75eaa 100644 --- a/patches.suse/ALSA-usb-audio-Add-minimal-mute-notion-in-dB-mapping.patch +++ b/patches.suse/ALSA-usb-audio-Add-minimal-mute-notion-in-dB-mapping.patch @@ -3,8 +3,7 @@ From: Takashi Iwai Date: Tue, 16 Nov 2021 07:54:14 +0100 Subject: [PATCH] ALSA: usb-audio: Add minimal-mute notion in dB mapping table Git-commit: 85b741c1cb6854478fd1aa13ac231e2c1baf4c4b -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git -Patch-mainline: Queued in subsystem maintainer repository +Patch-mainline: v5.17-rc1 References: bsc#1192375 Some devices do mute the volume at the minimal volume, and for such diff --git a/patches.suse/ALSA-usb-audio-Drop-superfluous-0-in-Presonus-Studio.patch b/patches.suse/ALSA-usb-audio-Drop-superfluous-0-in-Presonus-Studio.patch new file mode 100644 index 0000000..9782a8d --- /dev/null +++ b/patches.suse/ALSA-usb-audio-Drop-superfluous-0-in-Presonus-Studio.patch @@ -0,0 +1,63 @@ +From 1e583aef12aa74afd37c1418255cc4b74e023236 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 2 Dec 2021 09:38:33 +0100 +Subject: [PATCH] ALSA: usb-audio: Drop superfluous '0' in Presonus Studio 1810c's ID +Git-commit: 1e583aef12aa74afd37c1418255cc4b74e023236 +Patch-mainline: v5.17-rc1 +References: git-fixes + +The vendor ID of Presonus Studio 1810c had a superfluous '0' in its +USB ID. Drop it. + +Fixes: 8dc5efe3d17c ("ALSA: usb-audio: Add support for Presonus Studio 1810c") +Link: https://lore.kernel.org/r/20211202083833.17784-1-tiwai@suse.de +Signed-off-by: Takashi Iwai + +--- + sound/usb/format.c | 2 +- + sound/usb/mixer_quirks.c | 2 +- + sound/usb/quirks.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/sound/usb/format.c b/sound/usb/format.c +index f5e676a51b30..405dc0bf6678 100644 +--- a/sound/usb/format.c ++++ b/sound/usb/format.c +@@ -375,7 +375,7 @@ static int parse_uac2_sample_rate_range(struct snd_usb_audio *chip, + for (rate = min; rate <= max; rate += res) { + + /* Filter out invalid rates on Presonus Studio 1810c */ +- if (chip->usb_id == USB_ID(0x0194f, 0x010c) && ++ if (chip->usb_id == USB_ID(0x194f, 0x010c) && + !s1810c_valid_sample_rate(fp, rate)) + goto skip_rate; + +diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c +index d489c1de3bae..db194ad168d0 100644 +--- a/sound/usb/mixer_quirks.c ++++ b/sound/usb/mixer_quirks.c +@@ -3254,7 +3254,7 @@ int snd_usb_mixer_apply_create_quirk(struct usb_mixer_interface *mixer) + err = snd_rme_controls_create(mixer); + break; + +- case USB_ID(0x0194f, 0x010c): /* Presonus Studio 1810c */ ++ case USB_ID(0x194f, 0x010c): /* Presonus Studio 1810c */ + err = snd_sc1810_init_mixer(mixer); + break; + case USB_ID(0x2a39, 0x3fb0): /* RME Babyface Pro FS */ +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c +index 64e1c20311ed..ab9f3da49941 100644 +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -1290,7 +1290,7 @@ int snd_usb_apply_interface_quirk(struct snd_usb_audio *chip, + if (chip->usb_id == USB_ID(0x0763, 0x2012)) + return fasttrackpro_skip_setting_quirk(chip, iface, altno); + /* presonus studio 1810c: skip altsets incompatible with device_setup */ +- if (chip->usb_id == USB_ID(0x0194f, 0x010c)) ++ if (chip->usb_id == USB_ID(0x194f, 0x010c)) + return s1810c_skip_setting_quirk(chip, iface, altno); + + +-- +2.31.1 + diff --git a/patches.suse/ALSA-usb-audio-Fix-dB-level-of-Bose-Revolve-SoundLin.patch b/patches.suse/ALSA-usb-audio-Fix-dB-level-of-Bose-Revolve-SoundLin.patch index 3e9e751..e233d08 100644 --- a/patches.suse/ALSA-usb-audio-Fix-dB-level-of-Bose-Revolve-SoundLin.patch +++ b/patches.suse/ALSA-usb-audio-Fix-dB-level-of-Bose-Revolve-SoundLin.patch @@ -3,8 +3,7 @@ From: Takashi Iwai Date: Tue, 16 Nov 2021 07:54:15 +0100 Subject: [PATCH] ALSA: usb-audio: Fix dB level of Bose Revolve+ SoundLink Git-commit: 02eb1d098e26f34c8f047b0b1cee6f4433a34bd1 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git -Patch-mainline: Queued in subsystem maintainer repository +Patch-mainline: v5.17-rc1 References: bsc#1192375 Bose Revolve+ SoundLink (0a57:40fa) advertises invalid dB level for diff --git a/patches.suse/ALSA-usb-audio-Use-int-for-dB-map-values.patch b/patches.suse/ALSA-usb-audio-Use-int-for-dB-map-values.patch index 13b0792..921624c 100644 --- a/patches.suse/ALSA-usb-audio-Use-int-for-dB-map-values.patch +++ b/patches.suse/ALSA-usb-audio-Use-int-for-dB-map-values.patch @@ -3,8 +3,7 @@ From: Takashi Iwai Date: Tue, 16 Nov 2021 07:54:13 +0100 Subject: [PATCH] ALSA: usb-audio: Use int for dB map values Git-commit: fd23116d7b8dffa05f42a857eee6ee9cce238d24 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git -Patch-mainline: Queued in subsystem maintainer repository +Patch-mainline: v5.17-rc1 References: bsc#1192375 The values in usbmix_dB_map should be rather signed while we're using diff --git a/patches.suse/ASoC-fsl_asrc-refine-the-check-of-available-clock-di.patch b/patches.suse/ASoC-fsl_asrc-refine-the-check-of-available-clock-di.patch new file mode 100644 index 0000000..e9e8041 --- /dev/null +++ b/patches.suse/ASoC-fsl_asrc-refine-the-check-of-available-clock-di.patch @@ -0,0 +1,159 @@ +From 320386343451ab6a3577e0ee200dac56a6182944 Mon Sep 17 00:00:00 2001 +From: Shengjiu Wang +Date: Wed, 5 Jan 2022 19:08:03 +0800 +Subject: [PATCH] ASoC: fsl_asrc: refine the check of available clock divider +Git-commit: 320386343451ab6a3577e0ee200dac56a6182944 +Patch-mainline: v5.17-rc1 +References: git-fixes + +According to RM, the clock divider range is from 1 to 8, clock +prescaling ratio may be any power of 2 from 1 to 128. +So the supported divider is not all the value between +1 and 1024, just limited value in that range. + +Create table for the supported divder and add function to +check the clock divider is available by comparing with +the table. + +Fixes: d0250cf4f2ab ("ASoC: fsl_asrc: Add an option to select internal ratio mode") +Signed-off-by: Shengjiu Wang +Link: https://lore.kernel.org/r/1641380883-20709-1-git-send-email-shengjiu.wang@nxp.com +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + sound/soc/fsl/fsl_asrc.c | 69 +++++++++++++++++++++++++++++++++------- + 1 file changed, 58 insertions(+), 11 deletions(-) + +diff --git a/sound/soc/fsl/fsl_asrc.c b/sound/soc/fsl/fsl_asrc.c +index 24b41881a68f..d7d1536a4f37 100644 +--- a/sound/soc/fsl/fsl_asrc.c ++++ b/sound/soc/fsl/fsl_asrc.c +@@ -19,6 +19,7 @@ + #include "fsl_asrc.h" + + #define IDEAL_RATIO_DECIMAL_DEPTH 26 ++#define DIVIDER_NUM 64 + + #define pair_err(fmt, ...) \ + dev_err(&asrc->pdev->dev, "Pair %c: " fmt, 'A' + index, ##__VA_ARGS__) +@@ -101,6 +102,55 @@ static unsigned char clk_map_imx8qxp[2][ASRC_CLK_MAP_LEN] = { + }, + }; + ++/* ++ * According to RM, the divider range is 1 ~ 8, ++ * prescaler is power of 2 from 1 ~ 128. ++ */ ++static int asrc_clk_divider[DIVIDER_NUM] = { ++ 1, 2, 4, 8, 16, 32, 64, 128, /* divider = 1 */ ++ 2, 4, 8, 16, 32, 64, 128, 256, /* divider = 2 */ ++ 3, 6, 12, 24, 48, 96, 192, 384, /* divider = 3 */ ++ 4, 8, 16, 32, 64, 128, 256, 512, /* divider = 4 */ ++ 5, 10, 20, 40, 80, 160, 320, 640, /* divider = 5 */ ++ 6, 12, 24, 48, 96, 192, 384, 768, /* divider = 6 */ ++ 7, 14, 28, 56, 112, 224, 448, 896, /* divider = 7 */ ++ 8, 16, 32, 64, 128, 256, 512, 1024, /* divider = 8 */ ++}; ++ ++/* ++ * Check if the divider is available for internal ratio mode ++ */ ++static bool fsl_asrc_divider_avail(int clk_rate, int rate, int *div) ++{ ++ u32 rem, i; ++ u64 n; ++ ++ if (div) ++ *div = 0; ++ ++ if (clk_rate == 0 || rate == 0) ++ return false; ++ ++ n = clk_rate; ++ rem = do_div(n, rate); ++ ++ if (div) ++ *div = n; ++ ++ if (rem != 0) ++ return false; ++ ++ for (i = 0; i < DIVIDER_NUM; i++) { ++ if (n == asrc_clk_divider[i]) ++ break; ++ } ++ ++ if (i == DIVIDER_NUM) ++ return false; ++ ++ return true; ++} ++ + /** + * fsl_asrc_sel_proc - Select the pre-processing and post-processing options + * @inrate: input sample rate +@@ -330,12 +380,12 @@ static int fsl_asrc_config_pair(struct fsl_asrc_pair *pair, bool use_ideal_rate) + enum asrc_word_width input_word_width; + enum asrc_word_width output_word_width; + u32 inrate, outrate, indiv, outdiv; +- u32 clk_index[2], div[2], rem[2]; ++ u32 clk_index[2], div[2]; + u64 clk_rate; + int in, out, channels; + int pre_proc, post_proc; + struct clk *clk; +- bool ideal; ++ bool ideal, div_avail; + + if (!config) { + pair_err("invalid pair config\n"); +@@ -415,8 +465,7 @@ static int fsl_asrc_config_pair(struct fsl_asrc_pair *pair, bool use_ideal_rate) + clk = asrc_priv->asrck_clk[clk_index[ideal ? OUT : IN]]; + + clk_rate = clk_get_rate(clk); +- rem[IN] = do_div(clk_rate, inrate); +- div[IN] = (u32)clk_rate; ++ div_avail = fsl_asrc_divider_avail(clk_rate, inrate, &div[IN]); + + /* + * The divider range is [1, 1024], defined by the hardware. For non- +@@ -425,7 +474,7 @@ static int fsl_asrc_config_pair(struct fsl_asrc_pair *pair, bool use_ideal_rate) + * only result in different converting speeds. So remainder does not + * matter, as long as we keep the divider within its valid range. + */ +- if (div[IN] == 0 || (!ideal && (div[IN] > 1024 || rem[IN] != 0))) { ++ if (div[IN] == 0 || (!ideal && !div_avail)) { + pair_err("failed to support input sample rate %dHz by asrck_%x\n", + inrate, clk_index[ideal ? OUT : IN]); + return -EINVAL; +@@ -436,13 +485,12 @@ static int fsl_asrc_config_pair(struct fsl_asrc_pair *pair, bool use_ideal_rate) + clk = asrc_priv->asrck_clk[clk_index[OUT]]; + clk_rate = clk_get_rate(clk); + if (ideal && use_ideal_rate) +- rem[OUT] = do_div(clk_rate, IDEAL_RATIO_RATE); ++ div_avail = fsl_asrc_divider_avail(clk_rate, IDEAL_RATIO_RATE, &div[OUT]); + else +- rem[OUT] = do_div(clk_rate, outrate); +- div[OUT] = clk_rate; ++ div_avail = fsl_asrc_divider_avail(clk_rate, outrate, &div[OUT]); + + /* Output divider has the same limitation as the input one */ +- if (div[OUT] == 0 || (!ideal && (div[OUT] > 1024 || rem[OUT] != 0))) { ++ if (div[OUT] == 0 || (!ideal && !div_avail)) { + pair_err("failed to support output sample rate %dHz by asrck_%x\n", + outrate, clk_index[OUT]); + return -EINVAL; +@@ -621,8 +669,7 @@ static void fsl_asrc_select_clk(struct fsl_asrc_priv *asrc_priv, + clk_index = asrc_priv->clk_map[j][i]; + clk_rate = clk_get_rate(asrc_priv->asrck_clk[clk_index]); + /* Only match a perfect clock source with no remainder */ +- if (clk_rate != 0 && (clk_rate / rate[j]) <= 1024 && +- (clk_rate % rate[j]) == 0) ++ if (fsl_asrc_divider_avail(clk_rate, rate[j], NULL)) + break; + } + +-- +2.31.1 + diff --git a/patches.suse/ASoC-fsl_mqs-fix-MODULE_ALIAS.patch b/patches.suse/ASoC-fsl_mqs-fix-MODULE_ALIAS.patch new file mode 100644 index 0000000..13b3521 --- /dev/null +++ b/patches.suse/ASoC-fsl_mqs-fix-MODULE_ALIAS.patch @@ -0,0 +1,33 @@ +From 9f3d45318dd9e739ed62e4218839a7a824d3cced Mon Sep 17 00:00:00 2001 +From: Alyssa Ross +Date: Tue, 4 Jan 2022 13:22:16 +0000 +Subject: [PATCH] ASoC: fsl_mqs: fix MODULE_ALIAS +Git-commit: 9f3d45318dd9e739ed62e4218839a7a824d3cced +Patch-mainline: v5.17-rc1 +References: git-fixes + +modprobe can't handle spaces in aliases. + +Fixes: 9e28f6532c61 ("ASoC: fsl_mqs: Add MQS component driver") +Signed-off-by: Alyssa Ross +Link: https://lore.kernel.org/r/20220104132218.1690103-1-hi@alyssa.is +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + sound/soc/fsl/fsl_mqs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/fsl/fsl_mqs.c b/sound/soc/fsl/fsl_mqs.c +index 27b4536dce44..ceaecbe3a25e 100644 +--- a/sound/soc/fsl/fsl_mqs.c ++++ b/sound/soc/fsl/fsl_mqs.c +@@ -337,4 +337,4 @@ module_platform_driver(fsl_mqs_driver); + MODULE_AUTHOR("Shengjiu Wang "); + MODULE_DESCRIPTION("MQS codec driver"); + MODULE_LICENSE("GPL v2"); +-MODULE_ALIAS("platform: fsl-mqs"); ++MODULE_ALIAS("platform:fsl-mqs"); +-- +2.31.1 + diff --git a/patches.suse/ASoC-mediatek-Check-for-error-clk-pointer.patch b/patches.suse/ASoC-mediatek-Check-for-error-clk-pointer.patch new file mode 100644 index 0000000..f5d8931 --- /dev/null +++ b/patches.suse/ASoC-mediatek-Check-for-error-clk-pointer.patch @@ -0,0 +1,68 @@ +From 9de2b9286a6dd16966959b3cb34fc2ddfd39213e Mon Sep 17 00:00:00 2001 +From: Jiasheng Jiang +Date: Wed, 22 Dec 2021 09:51:57 +0800 +Subject: [PATCH] ASoC: mediatek: Check for error clk pointer +Git-commit: 9de2b9286a6dd16966959b3cb34fc2ddfd39213e +Patch-mainline: v5.17-rc1 +References: git-fixes + +Yes, you are right and now the return code depending on the +init_clks(). + +Fixes: 6078c651947a ("soc: mediatek: Refine scpsys to support multiple platform") +Signed-off-by: Jiasheng Jiang +Link: https://lore.kernel.org/r/20211222015157.1025853-1-jiasheng@iscas.ac.cn +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + drivers/soc/mediatek/mtk-scpsys.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/drivers/soc/mediatek/mtk-scpsys.c b/drivers/soc/mediatek/mtk-scpsys.c +index ca75b14931ec..670cc82d17dc 100644 +--- a/drivers/soc/mediatek/mtk-scpsys.c ++++ b/drivers/soc/mediatek/mtk-scpsys.c +@@ -411,12 +411,17 @@ static int scpsys_power_off(struct generic_pm_domain *genpd) + return ret; + } + +-static void init_clks(struct platform_device *pdev, struct clk **clk) ++static int init_clks(struct platform_device *pdev, struct clk **clk) + { + int i; + +- for (i = CLK_NONE + 1; i < CLK_MAX; i++) ++ for (i = CLK_NONE + 1; i < CLK_MAX; i++) { + clk[i] = devm_clk_get(&pdev->dev, clk_names[i]); ++ if (IS_ERR(clk[i])) ++ return PTR_ERR(clk[i]); ++ } ++ ++ return 0; + } + + static struct scp *init_scp(struct platform_device *pdev, +@@ -426,7 +431,7 @@ static struct scp *init_scp(struct platform_device *pdev, + { + struct genpd_onecell_data *pd_data; + struct resource *res; +- int i, j; ++ int i, j, ret; + struct scp *scp; + struct clk *clk[CLK_MAX]; + +@@ -481,7 +486,9 @@ static struct scp *init_scp(struct platform_device *pdev, + + pd_data->num_domains = num; + +- init_clks(pdev, clk); ++ ret = init_clks(pdev, clk); ++ if (ret) ++ return ERR_PTR(ret); + + for (i = 0; i < num; i++) { + struct scp_domain *scpd = &scp->domains[i]; +-- +2.31.1 + diff --git a/patches.suse/ASoC-rt5663-Handle-device_property_read_u32_array-er.patch b/patches.suse/ASoC-rt5663-Handle-device_property_read_u32_array-er.patch new file mode 100644 index 0000000..9f8deea --- /dev/null +++ b/patches.suse/ASoC-rt5663-Handle-device_property_read_u32_array-er.patch @@ -0,0 +1,65 @@ +From 2167c0b205960607fb136b4bb3c556a62be1569a Mon Sep 17 00:00:00 2001 +From: Jiasheng Jiang +Date: Wed, 15 Dec 2021 11:15:50 +0800 +Subject: [PATCH] ASoC: rt5663: Handle device_property_read_u32_array error codes +Git-commit: 2167c0b205960607fb136b4bb3c556a62be1569a +Patch-mainline: v5.17-rc1 +References: git-fixes + +The return value of device_property_read_u32_array() is not always 0. +To catch the exception in case that devm_kzalloc failed and the +rt5663->imp_table was NULL, which caused the failure of +device_property_read_u32_array. + +Fixes: 450f0f6a8fb4 ("ASoC: rt5663: Add the manual offset field to compensate the DC offset") +Signed-off-by: Jiasheng Jiang +Link: https://lore.kernel.org/r/20211215031550.70702-1-jiasheng@iscas.ac.cn +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + sound/soc/codecs/rt5663.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/codecs/rt5663.c b/sound/soc/codecs/rt5663.c +index 0389b2bb360e..2138f62e6af5 100644 +--- a/sound/soc/codecs/rt5663.c ++++ b/sound/soc/codecs/rt5663.c +@@ -3461,6 +3461,7 @@ static void rt5663_calibrate(struct rt5663_priv *rt5663) + static int rt5663_parse_dp(struct rt5663_priv *rt5663, struct device *dev) + { + int table_size; ++ int ret; + + device_property_read_u32(dev, "realtek,dc_offset_l_manual", + &rt5663->pdata.dc_offset_l_manual); +@@ -3477,9 +3478,11 @@ static int rt5663_parse_dp(struct rt5663_priv *rt5663, struct device *dev) + table_size = sizeof(struct impedance_mapping_table) * + rt5663->pdata.impedance_sensing_num; + rt5663->imp_table = devm_kzalloc(dev, table_size, GFP_KERNEL); +- device_property_read_u32_array(dev, ++ ret = device_property_read_u32_array(dev, + "realtek,impedance_sensing_table", + (u32 *)rt5663->imp_table, table_size); ++ if (ret) ++ return ret; + } + + return 0; +@@ -3504,8 +3507,11 @@ static int rt5663_i2c_probe(struct i2c_client *i2c, + + if (pdata) + rt5663->pdata = *pdata; +- else +- rt5663_parse_dp(rt5663, &i2c->dev); ++ else { ++ ret = rt5663_parse_dp(rt5663, &i2c->dev); ++ if (ret) ++ return ret; ++ } + + for (i = 0; i < ARRAY_SIZE(rt5663->supplies); i++) + rt5663->supplies[i].supply = rt5663_supply_names[i]; +-- +2.31.1 + diff --git a/patches.suse/ASoC-samsung-idma-Check-of-ioremap-return-value.patch b/patches.suse/ASoC-samsung-idma-Check-of-ioremap-return-value.patch new file mode 100644 index 0000000..0c1a2e1 --- /dev/null +++ b/patches.suse/ASoC-samsung-idma-Check-of-ioremap-return-value.patch @@ -0,0 +1,40 @@ +From 3ecb46755eb85456b459a1a9f952c52986bce8ec Mon Sep 17 00:00:00 2001 +From: Jiasheng Jiang +Date: Tue, 28 Dec 2021 11:40:26 +0800 +Subject: [PATCH] ASoC: samsung: idma: Check of ioremap return value +Git-commit: 3ecb46755eb85456b459a1a9f952c52986bce8ec +Patch-mainline: v5.17-rc1 +References: git-fixes + +Because of the potential failure of the ioremap(), the buf->area could +be NULL. +Therefore, we need to check it and return -ENOMEM in order to transfer +the error. + +Fixes: f09aecd50f39 ("ASoC: SAMSUNG: Add I2S0 internal dma driver") +Signed-off-by: Jiasheng Jiang +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20211228034026.1659385-1-jiasheng@iscas.ac.cn +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + sound/soc/samsung/idma.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/soc/samsung/idma.c b/sound/soc/samsung/idma.c +index 66bcc2f97544..c3f1b054e238 100644 +--- a/sound/soc/samsung/idma.c ++++ b/sound/soc/samsung/idma.c +@@ -360,6 +360,8 @@ static int preallocate_idma_buffer(struct snd_pcm *pcm, int stream) + buf->addr = idma.lp_tx_addr; + buf->bytes = idma_hardware.buffer_bytes_max; + buf->area = (unsigned char * __force)ioremap(buf->addr, buf->bytes); ++ if (!buf->area) ++ return -ENOMEM; + + return 0; + } +-- +2.31.1 + diff --git a/patches.suse/ASoC-sunxi-fix-a-sound-binding-broken-reference.patch b/patches.suse/ASoC-sunxi-fix-a-sound-binding-broken-reference.patch new file mode 100644 index 0000000..70a2c20 --- /dev/null +++ b/patches.suse/ASoC-sunxi-fix-a-sound-binding-broken-reference.patch @@ -0,0 +1,37 @@ +From d8481155a3219ef427c6384022931758fbbe8ebe Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Fri, 26 Jul 2019 08:47:27 -0300 +Subject: [PATCH] ASoC: sunxi: fix a sound binding broken reference +Git-commit: d8481155a3219ef427c6384022931758fbbe8ebe +Patch-mainline: v5.4-rc1 +References: git-fixes + +Address this rename: + Documentation/devicetree/bindings/sound/{sun4i-i2s.txt -> allwinner,sun4i-a10-i2s.yaml} + +Fixes: 0a0ca8e94ca3 ("dt-bindings: sound: Convert Allwinner I2S binding to YAML") +Signed-off-by: Mauro Carvalho Chehab +Link: https://lore.kernel.org/r/9932608f32030c886d906ea656eda8408c544776.1564140865.git.mchehab+samsung@kernel.org +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + Documentation/devicetree/bindings/sound/sun8i-a33-codec.txt | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Documentation/devicetree/bindings/sound/sun8i-a33-codec.txt b/Documentation/devicetree/bindings/sound/sun8i-a33-codec.txt +index 2ca3d138528e..7ecf6bd60d27 100644 +--- a/Documentation/devicetree/bindings/sound/sun8i-a33-codec.txt ++++ b/Documentation/devicetree/bindings/sound/sun8i-a33-codec.txt +@@ -4,7 +4,7 @@ Allwinner SUN8I audio codec + On Sun8i-A33 SoCs, the audio is separated in different parts: + - A DAI driver. It uses the "sun4i-i2s" driver which is + documented here: +- Documentation/devicetree/bindings/sound/sun4i-i2s.txt ++ Documentation/devicetree/bindings/sound/allwinner,sun4i-a10-i2s.yaml + - An analog part of the codec which is handled as PRCM registers. + See Documentation/devicetree/bindings/sound/sun8i-codec-analog.txt + - An digital part of the codec which is documented in this current +-- +2.31.1 + diff --git a/patches.suse/ASoC-uniphier-drop-selecting-non-existing-SND_SOC_UN.patch b/patches.suse/ASoC-uniphier-drop-selecting-non-existing-SND_SOC_UN.patch new file mode 100644 index 0000000..6255680 --- /dev/null +++ b/patches.suse/ASoC-uniphier-drop-selecting-non-existing-SND_SOC_UN.patch @@ -0,0 +1,53 @@ +From 49f893253ab43566e34332a969324531fea463f6 Mon Sep 17 00:00:00 2001 +From: Lukas Bulwahn +Date: Thu, 25 Nov 2021 10:51:57 +0100 +Subject: [PATCH] ASoC: uniphier: drop selecting non-existing SND_SOC_UNIPHIER_AIO_DMA +Git-commit: 49f893253ab43566e34332a969324531fea463f6 +Patch-mainline: v5.17-rc1 +References: git-fixes + +Commit f37fe2f9987b ("ASoC: uniphier: add support for UniPhier AIO common +driver") adds configs SND_SOC_UNIPHIER_{LD11,PXS2}, which select the +non-existing config SND_SOC_UNIPHIER_AIO_DMA. + +Hence, ./scripts/checkkconfigsymbols.py warns: + + SND_SOC_UNIPHIER_AIO_DMA + Referencing files: sound/soc/uniphier/Kconfig + +Probably, there is actually no further config intended to be selected +here. So, just drop selecting the non-existing config. + +Fixes: f37fe2f9987b ("ASoC: uniphier: add support for UniPhier AIO common driver") +Signed-off-by: Lukas Bulwahn +Link: https://lore.kernel.org/r/20211125095158.8394-2-lukas.bulwahn@gmail.com +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + sound/soc/uniphier/Kconfig | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/sound/soc/uniphier/Kconfig b/sound/soc/uniphier/Kconfig +index aa3592ee1358..ddfa6424c656 100644 +--- a/sound/soc/uniphier/Kconfig ++++ b/sound/soc/uniphier/Kconfig +@@ -23,7 +23,6 @@ config SND_SOC_UNIPHIER_LD11 + tristate "UniPhier LD11/LD20 Device Driver" + depends on SND_SOC_UNIPHIER + select SND_SOC_UNIPHIER_AIO +- select SND_SOC_UNIPHIER_AIO_DMA + help + This adds ASoC driver for Socionext UniPhier LD11/LD20 + input and output that can be used with other codecs. +@@ -34,7 +33,6 @@ config SND_SOC_UNIPHIER_PXS2 + tristate "UniPhier PXs2 Device Driver" + depends on SND_SOC_UNIPHIER + select SND_SOC_UNIPHIER_AIO +- select SND_SOC_UNIPHIER_AIO_DMA + help + This adds ASoC driver for Socionext UniPhier PXs2 + input and output that can be used with other codecs. +-- +2.31.1 + diff --git a/patches.suse/Bluetooth-L2CAP-Fix-using-wrong-mode.patch b/patches.suse/Bluetooth-L2CAP-Fix-using-wrong-mode.patch new file mode 100644 index 0000000..507da3c --- /dev/null +++ b/patches.suse/Bluetooth-L2CAP-Fix-using-wrong-mode.patch @@ -0,0 +1,49 @@ +From 30d57722732d9736554f85f75f9d7ad5402d192e Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz +Date: Wed, 8 Dec 2021 15:35:48 -0800 +Subject: [PATCH] Bluetooth: L2CAP: Fix using wrong mode +Git-commit: 30d57722732d9736554f85f75f9d7ad5402d192e +Patch-mainline: v5.17-rc1 +References: git-fixes + +If user has a set to use SOCK_STREAM the socket would default to +L2CAP_MODE_ERTM which later needs to be adjusted if the destination +address is LE which doesn't support such mode. + +Fixes: 15f02b9105625 ("Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Marcel Holtmann +Acked-by: Takashi Iwai + +--- + net/bluetooth/l2cap_sock.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -161,7 +161,11 @@ static int l2cap_sock_bind(struct socket + break; + } + +- if (chan->psm && bdaddr_type_is_le(chan->src_type)) ++ /* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and ++ * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set. ++ */ ++ if (chan->psm && bdaddr_type_is_le(chan->src_type) && ++ chan->mode != L2CAP_MODE_EXT_FLOWCTL) + chan->mode = L2CAP_MODE_LE_FLOWCTL; + + chan->state = BT_BOUND; +@@ -240,7 +244,11 @@ static int l2cap_sock_connect(struct soc + return -EINVAL; + } + +- if (chan->psm && bdaddr_type_is_le(chan->src_type) && !chan->mode) ++ /* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and ++ * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set. ++ */ ++ if (chan->psm && bdaddr_type_is_le(chan->src_type) && ++ chan->mode != L2CAP_MODE_EXT_FLOWCTL) + chan->mode = L2CAP_MODE_LE_FLOWCTL; + + err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid), diff --git a/patches.suse/Bluetooth-bfusb-fix-division-by-zero-in-send-path.patch b/patches.suse/Bluetooth-bfusb-fix-division-by-zero-in-send-path.patch new file mode 100644 index 0000000..7a4828e --- /dev/null +++ b/patches.suse/Bluetooth-bfusb-fix-division-by-zero-in-send-path.patch @@ -0,0 +1,43 @@ +From b5e6fa7a12572c82f1e7f2f51fbb02a322291291 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 25 Oct 2021 13:39:44 +0200 +Subject: [PATCH] Bluetooth: bfusb: fix division by zero in send path +Git-commit: b5e6fa7a12572c82f1e7f2f51fbb02a322291291 +Patch-mainline: v5.17-rc1 +References: git-fixes + +Add the missing bulk-out endpoint sanity check to probe() to avoid +division by zero in bfusb_send_frame() in case a malicious device has +broken descriptors (or when doing descriptor fuzz testing). + +Note that USB core will reject URBs submitted for endpoints with zero +wMaxPacketSize but that drivers doing packet-size calculations still +need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip +endpoint descriptors with maxpacket=0")). + +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Marcel Holtmann +Acked-by: Takashi Iwai + +--- + drivers/bluetooth/bfusb.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/bluetooth/bfusb.c b/drivers/bluetooth/bfusb.c +index 5a321b4076aa..cab93935cc7f 100644 +--- a/drivers/bluetooth/bfusb.c ++++ b/drivers/bluetooth/bfusb.c +@@ -628,6 +628,9 @@ static int bfusb_probe(struct usb_interface *intf, const struct usb_device_id *i + data->bulk_out_ep = bulk_out_ep->desc.bEndpointAddress; + data->bulk_pkt_size = le16_to_cpu(bulk_out_ep->desc.wMaxPacketSize); + ++ if (!data->bulk_pkt_size) ++ goto done; ++ + rwlock_init(&data->lock); + + data->reassembly = NULL; +-- +2.31.1 + diff --git a/patches.suse/Bluetooth-btmtksdio-fix-resume-failure.patch b/patches.suse/Bluetooth-btmtksdio-fix-resume-failure.patch new file mode 100644 index 0000000..8484b78 --- /dev/null +++ b/patches.suse/Bluetooth-btmtksdio-fix-resume-failure.patch @@ -0,0 +1,34 @@ +From 561ae1d46a8ddcbc13162d5771f5ed6c8249e730 Mon Sep 17 00:00:00 2001 +From: Sean Wang +Date: Thu, 2 Dec 2021 02:02:47 +0800 +Subject: [PATCH] Bluetooth: btmtksdio: fix resume failure +Git-commit: 561ae1d46a8ddcbc13162d5771f5ed6c8249e730 +Patch-mainline: v5.17-rc1 +References: git-fixes + +btmtksdio have to rely on MMC_PM_KEEP_POWER in pm_flags to avoid that +SDIO power is being shut off during the device is in suspend. That fixes +the SDIO command fails to access the bus after the device is resumed. + +Fixes: 7f3c563c575e7 ("Bluetooth: btmtksdio: Add runtime PM support to SDIO based Bluetooth") +Co-developed-by: Mark-yw Chen +Signed-off-by: Mark-yw Chen +Signed-off-by: Sean Wang +Signed-off-by: Marcel Holtmann +Acked-by: Takashi Iwai + +--- + drivers/bluetooth/btmtksdio.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/bluetooth/btmtksdio.c ++++ b/drivers/bluetooth/btmtksdio.c +@@ -1042,6 +1042,8 @@ static int btmtksdio_runtime_suspend(str + if (!bdev) + return 0; + ++ sdio_set_host_pm_flags(func, MMC_PM_KEEP_POWER); ++ + sdio_claim_host(bdev->func); + + sdio_writel(bdev->func, C_FW_OWN_REQ_SET, MTK_REG_CHLPCR, &err); diff --git a/patches.suse/Bluetooth-btusb-fix-memory-leak-in-btusb_mtk_submit_.patch b/patches.suse/Bluetooth-btusb-fix-memory-leak-in-btusb_mtk_submit_.patch new file mode 100644 index 0000000..9947637 --- /dev/null +++ b/patches.suse/Bluetooth-btusb-fix-memory-leak-in-btusb_mtk_submit_.patch @@ -0,0 +1,82 @@ +From 60c6a63a3d3080a62f3e0e20084f58dbeff16748 Mon Sep 17 00:00:00 2001 +From: "Mark-YW.Chen" +Date: Thu, 14 Oct 2021 00:22:04 +0800 +Subject: [PATCH] Bluetooth: btusb: fix memory leak in btusb_mtk_submit_wmt_recv_urb() +Git-commit: 60c6a63a3d3080a62f3e0e20084f58dbeff16748 +Patch-mainline: v5.17-rc1 +References: git-fixes + +Driver should free `usb->setup_packet` to avoid the leak. + +$ cat /sys/kernel/debug/kmemleak +unreferenced object 0xffffffa564a58080 (size 128): + backtrace: + [<000000007eb8dd70>] kmem_cache_alloc_trace+0x22c/0x384 + [<000000008a44191d>] btusb_mtk_hci_wmt_sync+0x1ec/0x994 + [btusb] + [<00000000ca7189a3>] btusb_mtk_setup+0x6b8/0x13cc + [btusb] + [<00000000c6105069>] hci_dev_do_open+0x290/0x974 + [bluetooth] + [<00000000a583f8b8>] hci_power_on+0xdc/0x3cc [bluetooth] + [<000000005d80e687>] process_one_work+0x514/0xc80 + [<00000000f4d57637>] worker_thread+0x818/0xd0c + [<00000000dc7bdb55>] kthread+0x2f8/0x3b8 + [<00000000f9999513>] ret_from_fork+0x10/0x30 + +Fixes: a1c49c434e150 ("Bluetooth: btusb: Add protocol support for MediaTek MT7668U USB devices") +Signed-off-by: Mark-YW.Chen +Signed-off-by: Marcel Holtmann +Acked-by: Takashi Iwai + +--- + drivers/bluetooth/btusb.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index 3e26f60b457e..87b71740fad8 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -2265,6 +2265,7 @@ static void btusb_mtk_wmt_recv(struct urb *urb) + skb = bt_skb_alloc(HCI_WMT_MAX_EVENT_SIZE, GFP_ATOMIC); + if (!skb) { + hdev->stat.err_rx++; ++ kfree(urb->setup_packet); + return; + } + +@@ -2285,6 +2286,7 @@ static void btusb_mtk_wmt_recv(struct urb *urb) + data->evt_skb = skb_clone(skb, GFP_ATOMIC); + if (!data->evt_skb) { + kfree_skb(skb); ++ kfree(urb->setup_packet); + return; + } + } +@@ -2293,6 +2295,7 @@ static void btusb_mtk_wmt_recv(struct urb *urb) + if (err < 0) { + kfree_skb(data->evt_skb); + data->evt_skb = NULL; ++ kfree(urb->setup_packet); + return; + } + +@@ -2303,6 +2306,7 @@ static void btusb_mtk_wmt_recv(struct urb *urb) + wake_up_bit(&data->flags, + BTUSB_TX_WAIT_VND_EVT); + } ++ kfree(urb->setup_packet); + return; + } else if (urb->status == -ENOENT) { + /* Avoid suspend failed when usb_kill_urb */ +@@ -2323,6 +2327,7 @@ static void btusb_mtk_wmt_recv(struct urb *urb) + usb_anchor_urb(urb, &data->ctrl_anchor); + err = usb_submit_urb(urb, GFP_ATOMIC); + if (err < 0) { ++ kfree(urb->setup_packet); + /* -EPERM: urb is being killed; + * -ENODEV: device got disconnected + */ +-- +2.31.1 + diff --git a/patches.suse/Bluetooth-cmtp-fix-possible-panic-when-cmtp_init_soc.patch b/patches.suse/Bluetooth-cmtp-fix-possible-panic-when-cmtp_init_soc.patch new file mode 100644 index 0000000..7baa67e --- /dev/null +++ b/patches.suse/Bluetooth-cmtp-fix-possible-panic-when-cmtp_init_soc.patch @@ -0,0 +1,54 @@ +From 2a7ca7459d905febf519163bd9e3eed894de6bb7 Mon Sep 17 00:00:00 2001 +From: Wang Hai +Date: Mon, 25 Oct 2021 21:10:12 +0800 +Subject: [PATCH] Bluetooth: cmtp: fix possible panic when cmtp_init_sockets() fails +Git-commit: 2a7ca7459d905febf519163bd9e3eed894de6bb7 +Patch-mainline: v5.17-rc1 +References: git-fixes + +I got a kernel BUG report when doing fault injection test: + +Acked-by: Takashi Iwai + +------------[ cut here ]------------ +kernel BUG at lib/list_debug.c:45! +... +RIP: 0010:__list_del_entry_valid.cold+0x12/0x4d +... +Call Trace: + proto_unregister+0x83/0x220 + cmtp_cleanup_sockets+0x37/0x40 [cmtp] + cmtp_exit+0xe/0x1f [cmtp] + do_syscall_64+0x35/0xb0 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +If cmtp_init_sockets() in cmtp_init() fails, cmtp_init() still returns +success. This will cause a kernel bug when accessing uncreated ctmp +related data when the module exits. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Signed-off-by: Marcel Holtmann +--- + net/bluetooth/cmtp/core.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/net/bluetooth/cmtp/core.c b/net/bluetooth/cmtp/core.c +index 0a2d78e811cf..83eb84e8e688 100644 +--- a/net/bluetooth/cmtp/core.c ++++ b/net/bluetooth/cmtp/core.c +@@ -501,9 +501,7 @@ static int __init cmtp_init(void) + { + BT_INFO("CMTP (CAPI Emulation) ver %s", VERSION); + +- cmtp_init_sockets(); +- +- return 0; ++ return cmtp_init_sockets(); + } + + static void __exit cmtp_exit(void) +-- +2.31.1 + diff --git a/patches.suse/Bluetooth-hci_bcm-Check-for-error-irq.patch b/patches.suse/Bluetooth-hci_bcm-Check-for-error-irq.patch new file mode 100644 index 0000000..818877a --- /dev/null +++ b/patches.suse/Bluetooth-hci_bcm-Check-for-error-irq.patch @@ -0,0 +1,46 @@ +From b38cd3b42fba66cc538edb9cf77e07881f43f8e2 Mon Sep 17 00:00:00 2001 +From: Jiasheng Jiang +Date: Fri, 24 Dec 2021 10:53:18 +0800 +Subject: [PATCH] Bluetooth: hci_bcm: Check for error irq +Git-commit: b38cd3b42fba66cc538edb9cf77e07881f43f8e2 +Patch-mainline: v5.17-rc1 +References: git-fixes + +For the possible failure of the platform_get_irq(), the returned irq +could be error number and will finally cause the failure of the +request_irq(). +Consider that platform_get_irq() can now in certain cases return +-EPROBE_DEFER, and the consequences of letting request_irq() effectively +convert that into -EINVAL, even at probe time rather than later on. +So it might be better to check just now. + +Fixes: 0395ffc1ee05 ("Bluetooth: hci_bcm: Add PM for BCM devices") +Signed-off-by: Jiasheng Jiang +Signed-off-by: Marcel Holtmann +Acked-by: Takashi Iwai + +--- + drivers/bluetooth/hci_bcm.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/bluetooth/hci_bcm.c b/drivers/bluetooth/hci_bcm.c +index 7852abf15ddf..d634a27bc850 100644 +--- a/drivers/bluetooth/hci_bcm.c ++++ b/drivers/bluetooth/hci_bcm.c +@@ -1188,7 +1188,12 @@ static int bcm_probe(struct platform_device *pdev) + return -ENOMEM; + + dev->dev = &pdev->dev; +- dev->irq = platform_get_irq(pdev, 0); ++ ++ ret = platform_get_irq(pdev, 0); ++ if (ret < 0) ++ return ret; ++ ++ dev->irq = ret; + + /* Initialize routing field to an unused value */ + dev->pcm_int_params[0] = 0xff; +-- +2.31.1 + diff --git a/patches.suse/Bluetooth-hci_qca-Stop-IBS-timer-during-BT-OFF.patch b/patches.suse/Bluetooth-hci_qca-Stop-IBS-timer-during-BT-OFF.patch new file mode 100644 index 0000000..bf62ac1 --- /dev/null +++ b/patches.suse/Bluetooth-hci_qca-Stop-IBS-timer-during-BT-OFF.patch @@ -0,0 +1,38 @@ +From df1e5c51492fd93ffc293acdcc6f00698d19fedc Mon Sep 17 00:00:00 2001 +From: Panicker Harish +Date: Wed, 22 Dec 2021 12:59:05 +0530 +Subject: [PATCH] Bluetooth: hci_qca: Stop IBS timer during BT OFF +Git-commit: df1e5c51492fd93ffc293acdcc6f00698d19fedc +Patch-mainline: v5.17-rc1 +References: git-fixes + +The IBS timers are not stopped properly once BT OFF is triggered. +we could see IBS commands being sent along with version command, +so stopped IBS timers while Bluetooth is off. + +Fixes: 3e4be65eb82c ("Bluetooth: hci_qca: Add poweroff support during hci down for wcn3990") +Signed-off-by: Panicker Harish +Signed-off-by: Marcel Holtmann +Acked-by: Takashi Iwai + +--- + drivers/bluetooth/hci_qca.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c +index dd768a8ed7cb..9e99311038ae 100644 +--- a/drivers/bluetooth/hci_qca.c ++++ b/drivers/bluetooth/hci_qca.c +@@ -1928,6 +1928,9 @@ static int qca_power_off(struct hci_dev *hdev) + hu->hdev->hw_error = NULL; + hu->hdev->cmd_timeout = NULL; + ++ del_timer_sync(&qca->wake_retrans_timer); ++ del_timer_sync(&qca->tx_idle_timer); ++ + /* Stop sending shutdown command if soc crashes. */ + if (soc_type != QCA_ROME + && qca->memdump_state == QCA_MEMDUMP_IDLE) { +-- +2.31.1 + diff --git a/patches.suse/Bluetooth-stop-proccessing-malicious-adv-data.patch b/patches.suse/Bluetooth-stop-proccessing-malicious-adv-data.patch new file mode 100644 index 0000000..3088196 --- /dev/null +++ b/patches.suse/Bluetooth-stop-proccessing-malicious-adv-data.patch @@ -0,0 +1,54 @@ +From 3a56ef719f0b9682afb8a86d64b2399e36faa4e6 Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Mon, 1 Nov 2021 10:12:12 +0300 +Subject: [PATCH] Bluetooth: stop proccessing malicious adv data +Git-commit: 3a56ef719f0b9682afb8a86d64b2399e36faa4e6 +Patch-mainline: v5.17-rc1 +References: git-fixes + +Syzbot reported slab-out-of-bounds read in hci_le_adv_report_evt(). The +problem was in missing validaion check. + +We should check if data is not malicious and we can read next data block. +If we won't check ptr validness, code can read a way beyond skb->end and +it can cause problems, of course. + +Fixes: e95beb414168 ("Bluetooth: hci_le_adv_report_evt code refactoring") +Reported-and-tested-by: syzbot+e3fcb9c4f3c2a931dc40@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Signed-off-by: Marcel Holtmann +Acked-by: Takashi Iwai + +--- + net/bluetooth/hci_event.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index d4b75a6cfeee..5471fbf38873 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -5906,7 +5906,8 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) + struct hci_ev_le_advertising_info *ev = ptr; + s8 rssi; + +- if (ev->length <= HCI_MAX_AD_LENGTH) { ++ if (ev->length <= HCI_MAX_AD_LENGTH && ++ ev->data + ev->length <= skb_tail_pointer(skb)) { + rssi = ev->data[ev->length]; + process_adv_report(hdev, ev->evt_type, &ev->bdaddr, + ev->bdaddr_type, NULL, 0, rssi, +@@ -5916,6 +5917,11 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) + } + + ptr += sizeof(*ev) + ev->length + 1; ++ ++ if (ptr > (void *) skb_tail_pointer(skb) - sizeof(*ev)) { ++ bt_dev_err(hdev, "Malicious advertising data. Stopping processing"); ++ break; ++ } + } + + hci_dev_unlock(hdev); +-- +2.31.1 + diff --git a/patches.suse/Documentation-ACPI-Fix-data-node-reference-documenta.patch b/patches.suse/Documentation-ACPI-Fix-data-node-reference-documenta.patch new file mode 100644 index 0000000..00283a0 --- /dev/null +++ b/patches.suse/Documentation-ACPI-Fix-data-node-reference-documenta.patch @@ -0,0 +1,71 @@ +From a11174952205d082f1658fab4314f0caf706e0a8 Mon Sep 17 00:00:00 2001 +From: Sakari Ailus +Date: Wed, 1 Dec 2021 14:59:31 +0200 +Subject: [PATCH] Documentation: ACPI: Fix data node reference documentation +Git-commit: a11174952205d082f1658fab4314f0caf706e0a8 +Patch-mainline: v5.17-rc1 +References: git-fixes + +The data node reference documentation was missing a package that must +contain the property values, instead property name and multiple values +being present in a single package. This is not aligned with the _DSD +spec. + +Fix it by adding the package for the values. + +Also add the missing "reg" properties to two numbered nodes. + +Fixes: b10134a3643d ("ACPI: property: Document hierarchical data extension references") +Signed-off-by: Sakari Ailus +Reviewed-by: Andy Shevchenko +Signed-off-by: Rafael J. Wysocki +Acked-by: Takashi Iwai + +--- + .../firmware-guide/acpi/dsd/data-node-references.rst | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/Documentation/firmware-guide/acpi/dsd/data-node-references.rst b/Documentation/firmware-guide/acpi/dsd/data-node-references.rst +index b7ad47df49de..8b65b32e6e40 100644 +--- a/Documentation/firmware-guide/acpi/dsd/data-node-references.rst ++++ b/Documentation/firmware-guide/acpi/dsd/data-node-references.rst +@@ -5,7 +5,7 @@ + Referencing hierarchical data nodes + =================================== + +-:Copyright: |copy| 2018 Intel Corporation ++:Copyright: |copy| 2018, 2021 Intel Corporation + :Author: Sakari Ailus + + ACPI in general allows referring to device objects in the tree only. +@@ -52,12 +52,14 @@ the ANOD object which is also the final target node of the reference. + Name (NOD0, Package() { + ToUUID("daffd814-6eba-4d8c-8a91-bc9bbf4aa301"), + Package () { ++ Package () { "reg", 0 }, + Package () { "random-property", 3 }, + } + }) + Name (NOD1, Package() { + ToUUID("dbb8e3e6-5886-4ba6-8795-1319f52a966b"), + Package () { ++ Package () { "reg", 1 }, + Package () { "anothernode", "ANOD" }, + } + }) +@@ -74,7 +76,11 @@ the ANOD object which is also the final target node of the reference. + Name (_DSD, Package () { + ToUUID("daffd814-6eba-4d8c-8a91-bc9bbf4aa301"), + Package () { +- Package () { "reference", ^DEV0, "node@1", "anothernode" }, ++ Package () { ++ "reference", Package () { ++ ^DEV0, "node@1", "anothernode" ++ } ++ }, + } + }) + } +-- +2.31.1 + diff --git a/patches.suse/Documentation-refer-to-config-RANDOMIZE_BASE-for-ker.patch b/patches.suse/Documentation-refer-to-config-RANDOMIZE_BASE-for-ker.patch new file mode 100644 index 0000000..1fbcd73 --- /dev/null +++ b/patches.suse/Documentation-refer-to-config-RANDOMIZE_BASE-for-ker.patch @@ -0,0 +1,44 @@ +From 82ca67321f55a8d1da6ac3ed611da3c32818bb37 Mon Sep 17 00:00:00 2001 +From: Lukas Bulwahn +Date: Thu, 30 Dec 2021 18:19:40 +0100 +Subject: [PATCH] Documentation: refer to config RANDOMIZE_BASE for kernel address-space randomization +Git-commit: 82ca67321f55a8d1da6ac3ed611da3c32818bb37 +Patch-mainline: v5.17-rc1 +References: git-fixes + +The config RANDOMIZE_SLAB does not exist, the authors probably intended to +refer to the config RANDOMIZE_BASE, which provides kernel address-space +randomization. They probably just confused SLAB with BASE (these two +four-letter words coincidentally share three common letters), as they also +point out the config SLAB_FREELIST_RANDOM as further randomization within +the same sentence. + +Fix the reference of the config for kernel address-space randomization to +the config that provides that. + +Fixes: 6e88559470f5 ("Documentation: Add section about CPU vulnerabilities for Spectre") +Signed-off-by: Lukas Bulwahn +Link: https://lore.kernel.org/r/20211230171940.27558-1-lukas.bulwahn@gmail.com +Signed-off-by: Jonathan Corbet +Acked-by: Takashi Iwai + +--- + Documentation/admin-guide/hw-vuln/spectre.rst | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Documentation/admin-guide/hw-vuln/spectre.rst b/Documentation/admin-guide/hw-vuln/spectre.rst +index ab7d402c1677..a2b22d5640ec 100644 +--- a/Documentation/admin-guide/hw-vuln/spectre.rst ++++ b/Documentation/admin-guide/hw-vuln/spectre.rst +@@ -468,7 +468,7 @@ Spectre variant 2 + before invoking any firmware code to prevent Spectre variant 2 exploits + using the firmware. + +- Using kernel address space randomization (CONFIG_RANDOMIZE_SLAB=y ++ Using kernel address space randomization (CONFIG_RANDOMIZE_BASE=y + and CONFIG_SLAB_FREELIST_RANDOM=y in the kernel configuration) makes + attacks on the kernel generally more difficult. + +-- +2.31.1 + diff --git a/patches.suse/HID-asus-Add-depends-on-USB_HID-to-HID_ASUS-Kconfig-.patch b/patches.suse/HID-asus-Add-depends-on-USB_HID-to-HID_ASUS-Kconfig-.patch new file mode 100644 index 0000000..1095c36 --- /dev/null +++ b/patches.suse/HID-asus-Add-depends-on-USB_HID-to-HID_ASUS-Kconfig-.patch @@ -0,0 +1,38 @@ +From c4f0126d487f3c68ab19ccb7c561e8fbf3ea2247 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Thu, 7 May 2020 11:53:34 +0200 +Subject: [PATCH] HID: asus: Add depends on USB_HID to HID_ASUS Kconfig option +Git-commit: c4f0126d487f3c68ab19ccb7c561e8fbf3ea2247 +Patch-mainline: v5.8-rc1 +References: git-fixes + +Since commit 4bc43a421218 ("HID: asus: Add +hid_is_using_ll_driver(usb_hid_driver) check") the hid-asus.c depends +on the usb_hid_driver symbol. Add a depends on USB_HID to Kconfig to +fix missing symbols errors in hid-asus when USB_HID is not enabled. + +Fixes: 4bc43a421218 ("HID: asus: Add hid_is_using_ll_driver(usb_hid_driver) check") +Reported-by: kbuild test robot +Signed-off-by: Hans de Goede +Signed-off-by: Jiri Kosina +Acked-by: Takashi Iwai + +--- + drivers/hid/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hid/Kconfig b/drivers/hid/Kconfig +index 34f07371716d..b1111407b2f8 100644 +--- a/drivers/hid/Kconfig ++++ b/drivers/hid/Kconfig +@@ -149,6 +149,7 @@ config HID_APPLEIR + + config HID_ASUS + tristate "Asus" ++ depends on USB_HID + depends on LEDS_CLASS + depends on ASUS_WMI || ASUS_WMI=n + select POWER_SUPPLY +-- +2.31.1 + diff --git a/patches.suse/HID-hid-uclogic-params-Invalid-parameter-check-in-uc-0a94131d6920.patch b/patches.suse/HID-hid-uclogic-params-Invalid-parameter-check-in-uc-0a94131d6920.patch new file mode 100644 index 0000000..6f012f3 --- /dev/null +++ b/patches.suse/HID-hid-uclogic-params-Invalid-parameter-check-in-uc-0a94131d6920.patch @@ -0,0 +1,52 @@ +From 0a94131d6920916ccb6a357037c535533af08819 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= +Date: Wed, 5 Jan 2022 18:29:13 +0100 +Subject: [PATCH] HID: hid-uclogic-params: Invalid parameter check in uclogic_params_get_str_desc +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 0a94131d6920916ccb6a357037c535533af08819 +Patch-mainline: v5.17-rc1 +References: git-fixes + +The function performs a check on the hdev input parameters, however, it +is used before the check. + +Initialize the udev variable after the sanity check to avoid a +possible NULL pointer dereference. + +Fixes: 9614219e9310e ("HID: uclogic: Extract tablet parameter discovery into a module") +Addresses-coverity-id: 1443827 ("Null pointer dereference") +Signed-off-by: José Expósito +Signed-off-by: Jiri Kosina +Acked-by: Takashi Iwai + +--- + drivers/hid/hid-uclogic-params.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/hid/hid-uclogic-params.c b/drivers/hid/hid-uclogic-params.c +index 3c10b858cf74..3a83e2c39b4f 100644 +--- a/drivers/hid/hid-uclogic-params.c ++++ b/drivers/hid/hid-uclogic-params.c +@@ -66,7 +66,7 @@ static int uclogic_params_get_str_desc(__u8 **pbuf, struct hid_device *hdev, + __u8 idx, size_t len) + { + int rc; +- struct usb_device *udev = hid_to_usb_dev(hdev); ++ struct usb_device *udev; + __u8 *buf = NULL; + + /* Check arguments */ +@@ -75,6 +75,8 @@ static int uclogic_params_get_str_desc(__u8 **pbuf, struct hid_device *hdev, + goto cleanup; + } + ++ udev = hid_to_usb_dev(hdev); ++ + buf = kmalloc(len, GFP_KERNEL); + if (buf == NULL) { + rc = -ENOMEM; +-- +2.31.1 + diff --git a/patches.suse/HID-hid-uclogic-params-Invalid-parameter-check-in-uc-aa320fdbbbb4.patch b/patches.suse/HID-hid-uclogic-params-Invalid-parameter-check-in-uc-aa320fdbbbb4.patch new file mode 100644 index 0000000..690b741 --- /dev/null +++ b/patches.suse/HID-hid-uclogic-params-Invalid-parameter-check-in-uc-aa320fdbbbb4.patch @@ -0,0 +1,52 @@ +From aa320fdbbbb482c19100f51461bd0069753ce3d7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= +Date: Wed, 5 Jan 2022 18:29:15 +0100 +Subject: [PATCH] HID: hid-uclogic-params: Invalid parameter check in uclogic_params_frame_init_v1_buttonpad +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: aa320fdbbbb482c19100f51461bd0069753ce3d7 +Patch-mainline: v5.17-rc1 +References: git-fixes + +The function performs a check on the hdev input parameters, however, it +is used before the check. + +Initialize the udev variable after the sanity check to avoid a +possible NULL pointer dereference. + +Fixes: 9614219e9310e ("HID: uclogic: Extract tablet parameter discovery into a module") +Addresses-coverity-id: 1443763 ("Null pointer dereference") +Signed-off-by: José Expósito +Signed-off-by: Jiri Kosina +Acked-by: Takashi Iwai + +--- + drivers/hid/hid-uclogic-params.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/hid/hid-uclogic-params.c b/drivers/hid/hid-uclogic-params.c +index 4136837e4d15..3e70f969fb84 100644 +--- a/drivers/hid/hid-uclogic-params.c ++++ b/drivers/hid/hid-uclogic-params.c +@@ -452,7 +452,7 @@ static int uclogic_params_frame_init_v1_buttonpad( + { + int rc; + bool found = false; +- struct usb_device *usb_dev = hid_to_usb_dev(hdev); ++ struct usb_device *usb_dev; + char *str_buf = NULL; + const size_t str_len = 16; + +@@ -462,6 +462,8 @@ static int uclogic_params_frame_init_v1_buttonpad( + goto cleanup; + } + ++ usb_dev = hid_to_usb_dev(hdev); ++ + /* + * Enable generic button mode + */ +-- +2.31.1 + diff --git a/patches.suse/HID-hid-uclogic-params-Invalid-parameter-check-in-uc-ff6b548afe4d.patch b/patches.suse/HID-hid-uclogic-params-Invalid-parameter-check-in-uc-ff6b548afe4d.patch new file mode 100644 index 0000000..a9ac1d9 --- /dev/null +++ b/patches.suse/HID-hid-uclogic-params-Invalid-parameter-check-in-uc-ff6b548afe4d.patch @@ -0,0 +1,58 @@ +From ff6b548afe4d9d1ff3a0f6ef79e8cbca25d8f905 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= +Date: Wed, 5 Jan 2022 18:29:14 +0100 +Subject: [PATCH] HID: hid-uclogic-params: Invalid parameter check in uclogic_params_huion_init +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: ff6b548afe4d9d1ff3a0f6ef79e8cbca25d8f905 +Patch-mainline: v5.17-rc1 +References: git-fixes + +The function performs a check on its input parameters, however, the +hdev parameter is used before the check. + +Initialize the stack variables after checking the input parameters to +avoid a possible NULL pointer dereference. + +Fixes: 9614219e9310e ("HID: uclogic: Extract tablet parameter discovery into a module") +Addresses-coverity-id: 1443804 ("Null pointer dereference") +Signed-off-by: José Expósito +Signed-off-by: Jiri Kosina +Acked-by: Takashi Iwai + +--- + drivers/hid/hid-uclogic-params.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/hid/hid-uclogic-params.c b/drivers/hid/hid-uclogic-params.c +index 3a83e2c39b4f..4136837e4d15 100644 +--- a/drivers/hid/hid-uclogic-params.c ++++ b/drivers/hid/hid-uclogic-params.c +@@ -709,9 +709,9 @@ static int uclogic_params_huion_init(struct uclogic_params *params, + struct hid_device *hdev) + { + int rc; +- struct usb_device *udev = hid_to_usb_dev(hdev); +- struct usb_interface *iface = to_usb_interface(hdev->dev.parent); +- __u8 bInterfaceNumber = iface->cur_altsetting->desc.bInterfaceNumber; ++ struct usb_device *udev; ++ struct usb_interface *iface; ++ __u8 bInterfaceNumber; + bool found; + /* The resulting parameters (noop) */ + struct uclogic_params p = {0, }; +@@ -725,6 +725,10 @@ static int uclogic_params_huion_init(struct uclogic_params *params, + goto cleanup; + } + ++ udev = hid_to_usb_dev(hdev); ++ iface = to_usb_interface(hdev->dev.parent); ++ bInterfaceNumber = iface->cur_altsetting->desc.bInterfaceNumber; ++ + /* If it's not a pen interface */ + if (bInterfaceNumber != 0) { + /* TODO: Consider marking the interface invalid */ +-- +2.31.1 + diff --git a/patches.suse/HID-hid-uclogic-params-Invalid-parameter-check-in-uc.patch b/patches.suse/HID-hid-uclogic-params-Invalid-parameter-check-in-uc.patch new file mode 100644 index 0000000..1705c90 --- /dev/null +++ b/patches.suse/HID-hid-uclogic-params-Invalid-parameter-check-in-uc.patch @@ -0,0 +1,61 @@ +From f364c571a5c77e96de2d32062ff019d6b8d2e2bc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= +Date: Wed, 5 Jan 2022 18:29:12 +0100 +Subject: [PATCH] HID: hid-uclogic-params: Invalid parameter check in uclogic_params_init +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: f364c571a5c77e96de2d32062ff019d6b8d2e2bc +Patch-mainline: v5.17-rc1 +References: git-fixes + +The function performs a check on its input parameters, however, the +hdev parameter is used before the check. + +Initialize the stack variables after checking the input parameters to +avoid a possible NULL pointer dereference. + +Fixes: 9614219e9310e ("HID: uclogic: Extract tablet parameter discovery into a module") +Addresses-coverity-id: 1443831 ("Null pointer dereference") +Signed-off-by: José Expósito +Signed-off-by: Jiri Kosina +Acked-by: Takashi Iwai + +--- + drivers/hid/hid-uclogic-params.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/hid/hid-uclogic-params.c b/drivers/hid/hid-uclogic-params.c +index adff1bd68d9f..3c10b858cf74 100644 +--- a/drivers/hid/hid-uclogic-params.c ++++ b/drivers/hid/hid-uclogic-params.c +@@ -834,10 +834,10 @@ int uclogic_params_init(struct uclogic_params *params, + struct hid_device *hdev) + { + int rc; +- struct usb_device *udev = hid_to_usb_dev(hdev); +- __u8 bNumInterfaces = udev->config->desc.bNumInterfaces; +- struct usb_interface *iface = to_usb_interface(hdev->dev.parent); +- __u8 bInterfaceNumber = iface->cur_altsetting->desc.bInterfaceNumber; ++ struct usb_device *udev; ++ __u8 bNumInterfaces; ++ struct usb_interface *iface; ++ __u8 bInterfaceNumber; + bool found; + /* The resulting parameters (noop) */ + struct uclogic_params p = {0, }; +@@ -848,6 +848,11 @@ int uclogic_params_init(struct uclogic_params *params, + goto cleanup; + } + ++ udev = hid_to_usb_dev(hdev); ++ bNumInterfaces = udev->config->desc.bNumInterfaces; ++ iface = to_usb_interface(hdev->dev.parent); ++ bInterfaceNumber = iface->cur_altsetting->desc.bInterfaceNumber; ++ + /* + * Set replacement report descriptor if the original matches the + * specified size. Otherwise keep interface unchanged. +-- +2.31.1 + diff --git a/patches.suse/Input-i8042-add-deferred-probe-support.patch b/patches.suse/Input-i8042-add-deferred-probe-support.patch new file mode 100644 index 0000000..26b01c0 --- /dev/null +++ b/patches.suse/Input-i8042-add-deferred-probe-support.patch @@ -0,0 +1,275 @@ +From 9222ba68c3f4065f6364b99cc641b6b019ef2d42 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Sun, 28 Nov 2021 23:21:41 -0800 +Subject: [PATCH] Input: i8042 - add deferred probe support +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 9222ba68c3f4065f6364b99cc641b6b019ef2d42 +Patch-mainline: v5.16-rc7 +References: bsc#1190256 + +We've got a bug report about the non-working keyboard on ASUS ZenBook +UX425UA. It seems that the PS/2 device isn't ready immediately at +boot but takes some seconds to get ready. Until now, the only +workaround is to defer the probe, but it's available only when the +driver is a module. However, many distros, including openSUSE as in +the original report, build the PS/2 input drivers into kernel, hence +it won't work easily. + +This patch adds the support for the deferred probe for i8042 stuff as +a workaround of the problem above. When the deferred probe mode is +enabled and the device couldn't be probed, it'll be repeated with the +standard deferred probe mechanism. + +The deferred probe mode is enabled either via the new option +i8042.probe_defer or via the quirk table entry. As of this patch, the +quirk table contains only ASUS ZenBook UX425UA. + +The deferred probe part is based on Fabio's initial work. + +Buglink: https://bugzilla.suse.com/show_bug.cgi?id=1190256 +Signed-off-by: Takashi Iwai +Tested-by: Samuel Čavoj +Link: https://lore.kernel.org/r/20211117063757.11380-1-tiwai@suse.de + +Signed-off-by: Dmitry Torokhov + +--- + .../admin-guide/kernel-parameters.txt | 2 + + drivers/input/serio/i8042-x86ia64io.h | 14 +++++ + drivers/input/serio/i8042.c | 54 ++++++++++++------- + 3 files changed, 51 insertions(+), 19 deletions(-) + +diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt +index cb89dbdedc46..ddfa50578a3e 100644 +--- a/Documentation/admin-guide/kernel-parameters.txt ++++ b/Documentation/admin-guide/kernel-parameters.txt +@@ -1627,6 +1627,8 @@ + architectures force reset to be always executed + i8042.unlock [HW] Unlock (ignore) the keylock + i8042.kbdreset [HW] Reset device connected to KBD port ++ i8042.probe_defer ++ [HW] Allow deferred probing upon i8042 probe errors + + i810= [HW,DRM] + +diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h +index aedd05541044..1acc7c844929 100644 +--- a/drivers/input/serio/i8042-x86ia64io.h ++++ b/drivers/input/serio/i8042-x86ia64io.h +@@ -995,6 +995,17 @@ static const struct dmi_system_id __initconst i8042_dmi_kbdreset_table[] = { + { } + }; + ++static const struct dmi_system_id i8042_dmi_probe_defer_table[] __initconst = { ++ { ++ /* ASUS ZenBook UX425UA */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "ZenBook UX425UA"), ++ }, ++ }, ++ { } ++}; ++ + #endif /* CONFIG_X86 */ + + #ifdef CONFIG_PNP +@@ -1315,6 +1326,9 @@ static int __init i8042_platform_init(void) + if (dmi_check_system(i8042_dmi_kbdreset_table)) + i8042_kbdreset = true; + ++ if (dmi_check_system(i8042_dmi_probe_defer_table)) ++ i8042_probe_defer = true; ++ + /* + * A20 was already enabled during early kernel init. But some buggy + * BIOSes (in MSI Laptops) require A20 to be enabled using 8042 to +diff --git a/drivers/input/serio/i8042.c b/drivers/input/serio/i8042.c +index 0b9f1d0a8f8b..3fc0a89cc785 100644 +--- a/drivers/input/serio/i8042.c ++++ b/drivers/input/serio/i8042.c +@@ -45,6 +45,10 @@ static bool i8042_unlock; + module_param_named(unlock, i8042_unlock, bool, 0); + MODULE_PARM_DESC(unlock, "Ignore keyboard lock."); + ++static bool i8042_probe_defer; ++module_param_named(probe_defer, i8042_probe_defer, bool, 0); ++MODULE_PARM_DESC(probe_defer, "Allow deferred probing."); ++ + enum i8042_controller_reset_mode { + I8042_RESET_NEVER, + I8042_RESET_ALWAYS, +@@ -711,7 +715,7 @@ static int i8042_set_mux_mode(bool multiplex, unsigned char *mux_version) + * LCS/Telegraphics. + */ + +-static int __init i8042_check_mux(void) ++static int i8042_check_mux(void) + { + unsigned char mux_version; + +@@ -740,10 +744,10 @@ static int __init i8042_check_mux(void) + /* + * The following is used to test AUX IRQ delivery. + */ +-static struct completion i8042_aux_irq_delivered __initdata; +-static bool i8042_irq_being_tested __initdata; ++static struct completion i8042_aux_irq_delivered; ++static bool i8042_irq_being_tested; + +-static irqreturn_t __init i8042_aux_test_irq(int irq, void *dev_id) ++static irqreturn_t i8042_aux_test_irq(int irq, void *dev_id) + { + unsigned long flags; + unsigned char str, data; +@@ -770,7 +774,7 @@ static irqreturn_t __init i8042_aux_test_irq(int irq, void *dev_id) + * verifies success by readinng CTR. Used when testing for presence of AUX + * port. + */ +-static int __init i8042_toggle_aux(bool on) ++static int i8042_toggle_aux(bool on) + { + unsigned char param; + int i; +@@ -798,7 +802,7 @@ static int __init i8042_toggle_aux(bool on) + * the presence of an AUX interface. + */ + +-static int __init i8042_check_aux(void) ++static int i8042_check_aux(void) + { + int retval = -1; + bool irq_registered = false; +@@ -1005,7 +1009,7 @@ static int i8042_controller_init(void) + + if (i8042_command(&ctr[n++ % 2], I8042_CMD_CTL_RCTR)) { + pr_err("Can't read CTR while initializing i8042\n"); +- return -EIO; ++ return i8042_probe_defer ? -EPROBE_DEFER : -EIO; + } + + } while (n < 2 || ctr[0] != ctr[1]); +@@ -1320,7 +1324,7 @@ static void i8042_shutdown(struct platform_device *dev) + i8042_controller_reset(false); + } + +-static int __init i8042_create_kbd_port(void) ++static int i8042_create_kbd_port(void) + { + struct serio *serio; + struct i8042_port *port = &i8042_ports[I8042_KBD_PORT_NO]; +@@ -1349,7 +1353,7 @@ static int __init i8042_create_kbd_port(void) + return 0; + } + +-static int __init i8042_create_aux_port(int idx) ++static int i8042_create_aux_port(int idx) + { + struct serio *serio; + int port_no = idx < 0 ? I8042_AUX_PORT_NO : I8042_MUX_PORT_NO + idx; +@@ -1386,13 +1390,13 @@ static int __init i8042_create_aux_port(int idx) + return 0; + } + +-static void __init i8042_free_kbd_port(void) ++static void i8042_free_kbd_port(void) + { + kfree(i8042_ports[I8042_KBD_PORT_NO].serio); + i8042_ports[I8042_KBD_PORT_NO].serio = NULL; + } + +-static void __init i8042_free_aux_ports(void) ++static void i8042_free_aux_ports(void) + { + int i; + +@@ -1402,7 +1406,7 @@ static void __init i8042_free_aux_ports(void) + } + } + +-static void __init i8042_register_ports(void) ++static void i8042_register_ports(void) + { + int i; + +@@ -1443,7 +1447,7 @@ static void i8042_free_irqs(void) + i8042_aux_irq_registered = i8042_kbd_irq_registered = false; + } + +-static int __init i8042_setup_aux(void) ++static int i8042_setup_aux(void) + { + int (*aux_enable)(void); + int error; +@@ -1485,7 +1489,7 @@ static int __init i8042_setup_aux(void) + return error; + } + +-static int __init i8042_setup_kbd(void) ++static int i8042_setup_kbd(void) + { + int error; + +@@ -1535,7 +1539,7 @@ static int i8042_kbd_bind_notifier(struct notifier_block *nb, + return 0; + } + +-static int __init i8042_probe(struct platform_device *dev) ++static int i8042_probe(struct platform_device *dev) + { + int error; + +@@ -1600,6 +1604,7 @@ static struct platform_driver i8042_driver = { + .pm = &i8042_pm_ops, + #endif + }, ++ .probe = i8042_probe, + .remove = i8042_remove, + .shutdown = i8042_shutdown, + }; +@@ -1610,7 +1615,6 @@ static struct notifier_block i8042_kbd_bind_notifier_block = { + + static int __init i8042_init(void) + { +- struct platform_device *pdev; + int err; + + dbg_init(); +@@ -1626,17 +1630,29 @@ static int __init i8042_init(void) + /* Set this before creating the dev to allow i8042_command to work right away */ + i8042_present = true; + +- pdev = platform_create_bundle(&i8042_driver, i8042_probe, NULL, 0, NULL, 0); +- if (IS_ERR(pdev)) { +- err = PTR_ERR(pdev); ++ err = platform_driver_register(&i8042_driver); ++ if (err) + goto err_platform_exit; ++ ++ i8042_platform_device = platform_device_alloc("i8042", -1); ++ if (!i8042_platform_device) { ++ err = -ENOMEM; ++ goto err_unregister_driver; + } + ++ err = platform_device_add(i8042_platform_device); ++ if (err) ++ goto err_free_device; ++ + bus_register_notifier(&serio_bus, &i8042_kbd_bind_notifier_block); + panic_blink = i8042_panic_blink; + + return 0; + ++err_free_device: ++ platform_device_put(i8042_platform_device); ++err_unregister_driver: ++ platform_driver_unregister(&i8042_driver); + err_platform_exit: + i8042_platform_exit(); + return err; +-- +2.31.1 + diff --git a/patches.suse/Input-i8042-enable-deferred-probe-quirk-for-ASUS-UM3.patch b/patches.suse/Input-i8042-enable-deferred-probe-quirk-for-ASUS-UM3.patch new file mode 100644 index 0000000..ae737c4 --- /dev/null +++ b/patches.suse/Input-i8042-enable-deferred-probe-quirk-for-ASUS-UM3.patch @@ -0,0 +1,48 @@ +From 44ee250aeeabb28b52a10397ac17ffb8bfe94839 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Samuel=20=C4=8Cavoj?= +Date: Sat, 4 Dec 2021 13:17:36 -0800 +Subject: [PATCH] Input: i8042 - enable deferred probe quirk for ASUS UM325UA +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 44ee250aeeabb28b52a10397ac17ffb8bfe94839 +Patch-mainline: v5.16-rc7 +References: bsc#1190256 + +The ASUS UM325UA suffers from the same issue as the ASUS UX425UA, which +is a very similar laptop. The i8042 device is not usable immediately +after boot and fails to initialize, requiring a deferred retry. + +Enable the deferred probe quirk for the UM325UA. + +Buglink: https://bugzilla.suse.com/show_bug.cgi?id=1190256 +Signed-off-by: Samuel Čavoj +Link: https://lore.kernel.org/r/20211204015615.232948-1-samuel@cavoj.net +Signed-off-by: Dmitry Torokhov +Acked-by: Takashi Iwai + +--- + drivers/input/serio/i8042-x86ia64io.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h +index 1acc7c844929..148a7c5fd0e2 100644 +--- a/drivers/input/serio/i8042-x86ia64io.h ++++ b/drivers/input/serio/i8042-x86ia64io.h +@@ -1003,6 +1003,13 @@ static const struct dmi_system_id i8042_dmi_probe_defer_table[] __initconst = { + DMI_MATCH(DMI_PRODUCT_NAME, "ZenBook UX425UA"), + }, + }, ++ { ++ /* ASUS ZenBook UM325UA */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "ZenBook UX325UA_UM325UA"), ++ }, ++ }, + { } + }; + +-- +2.31.1 + diff --git a/patches.suse/Input-spaceball-fix-parsing-of-movement-data-packets.patch b/patches.suse/Input-spaceball-fix-parsing-of-movement-data-packets.patch new file mode 100644 index 0000000..78e5d58 --- /dev/null +++ b/patches.suse/Input-spaceball-fix-parsing-of-movement-data-packets.patch @@ -0,0 +1,62 @@ +From bc7ec91718c49d938849697cfad98fcd9877cc26 Mon Sep 17 00:00:00 2001 +From: "Leo L. Schwab" +Date: Thu, 30 Dec 2021 21:05:00 -0800 +Subject: [PATCH] Input: spaceball - fix parsing of movement data packets +Git-commit: bc7ec91718c49d938849697cfad98fcd9877cc26 +Patch-mainline: v5.16-rc8 +References: git-fixes + +The spaceball.c module was not properly parsing the movement reports +coming from the device. The code read axis data as signed 16-bit +little-endian values starting at offset 2. + +In fact, axis data in Spaceball movement reports are signed 16-bit +big-endian values starting at offset 3. This was determined first by +visually inspecting the data packets, and later verified by consulting: +http://spacemice.org/pdf/SpaceBall_2003-3003_Protocol.pdf + +If this ever worked properly, it was in the time before Git... + +Signed-off-by: Leo L. Schwab +Link: https://lore.kernel.org/r/20211221101630.1146385-1-ewhac@ewhac.org +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Acked-by: Takashi Iwai + +--- + drivers/input/joystick/spaceball.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/drivers/input/joystick/spaceball.c b/drivers/input/joystick/spaceball.c +index 429411c6c0a8..a85a4f33aea8 100644 +--- a/drivers/input/joystick/spaceball.c ++++ b/drivers/input/joystick/spaceball.c +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + + #define DRIVER_DESC "SpaceTec SpaceBall 2003/3003/4000 FLX driver" + +@@ -75,9 +76,15 @@ static void spaceball_process_packet(struct spaceball* spaceball) + + case 'D': /* Ball data */ + if (spaceball->idx != 15) return; +- for (i = 0; i < 6; i++) ++ /* ++ * Skip first three bytes; read six axes worth of data. ++ * Axis values are signed 16-bit big-endian. ++ */ ++ data += 3; ++ for (i = 0; i < ARRAY_SIZE(spaceball_axes); i++) { + input_report_abs(dev, spaceball_axes[i], +- (__s16)((data[2 * i + 3] << 8) | data[2 * i + 2])); ++ (__s16)get_unaligned_be16(&data[i * 2])); ++ } + break; + + case 'K': /* Button data */ +-- +2.31.1 + diff --git a/patches.suse/NFC-add-NCI_UNREG-flag-to-eliminate-the-race.patch b/patches.suse/NFC-add-NCI_UNREG-flag-to-eliminate-the-race.patch index 2931c59..ca8346c 100644 --- a/patches.suse/NFC-add-NCI_UNREG-flag-to-eliminate-the-race.patch +++ b/patches.suse/NFC-add-NCI_UNREG-flag-to-eliminate-the-race.patch @@ -4,7 +4,7 @@ Date: Tue, 16 Nov 2021 23:27:32 +0800 Subject: [PATCH] NFC: add NCI_UNREG flag to eliminate the race Git-commit: 48b71a9e66c2eab60564b1b1c85f4928ed04e406 Patch-mainline: v5.16-rc2 -References: git-fixes +References: CVE-2021-4202 bsc#1194529 There are two sites that calls queue_work() after the destroy_workqueue() and lead to possible UAF. diff --git a/patches.suse/NFC-reorder-the-logic-in-nfc_-un-register_device.patch b/patches.suse/NFC-reorder-the-logic-in-nfc_-un-register_device.patch index 9929699..fc09c7f 100644 --- a/patches.suse/NFC-reorder-the-logic-in-nfc_-un-register_device.patch +++ b/patches.suse/NFC-reorder-the-logic-in-nfc_-un-register_device.patch @@ -4,7 +4,7 @@ Date: Tue, 16 Nov 2021 23:26:52 +0800 Subject: [PATCH] NFC: reorder the logic in nfc_{un,}register_device Git-commit: 3e3b5dfcd16a3e254aab61bd1e8c417dd4503102 Patch-mainline: v5.16-rc2 -References: git-fixes +References: CVE-2021-4202 bsc#1194529 There is a potential UAF between the unregistration routine and the NFC netlink operations. diff --git a/patches.suse/NFC-reorganize-the-functions-in-nci_request.patch b/patches.suse/NFC-reorganize-the-functions-in-nci_request.patch index 81917fb..d730696 100644 --- a/patches.suse/NFC-reorganize-the-functions-in-nci_request.patch +++ b/patches.suse/NFC-reorganize-the-functions-in-nci_request.patch @@ -4,7 +4,7 @@ Date: Mon, 15 Nov 2021 22:56:00 +0800 Subject: [PATCH] NFC: reorganize the functions in nci_request Git-commit: 86cdf8e38792545161dbe3350a7eced558ba4d15 Patch-mainline: v5.16-rc2 -References: git-fixes +References: CVE-2021-4202 bsc#1194529 There is a possible data race as shown below: diff --git a/patches.suse/NFSD-Fix-zero-length-NFSv3-WRITEs.patch b/patches.suse/NFSD-Fix-zero-length-NFSv3-WRITEs.patch new file mode 100644 index 0000000..5794fcd --- /dev/null +++ b/patches.suse/NFSD-Fix-zero-length-NFSv3-WRITEs.patch @@ -0,0 +1,66 @@ +From: Chuck Lever +Date: Tue, 21 Dec 2021 11:52:06 -0500 +Subject: [PATCH] NFSD: Fix zero-length NFSv3 WRITEs +Git-commit: 6a2f774424bfdcc2df3e17de0cefe74a4269cad5 +Patch-mainline: v5.17-rc1 +References: git-fixes + +The Linux NFS server currently responds to a zero-length NFSv3 WRITE +request with NFS3ERR_IO. It responds to a zero-length NFSv4 WRITE +with NFS4_OK and count of zero. + +RFC 1813 says of the WRITE procedure's @count argument: + +count + The number of bytes of data to be written. If count is + 0, the WRITE will succeed and return a count of 0, + barring errors due to permissions checking. + +RFC 8881 has similar language for NFSv4, though NFSv4 removed the +explicit @count argument because that value is already contained in +the opaque payload array. + +The synthetic client pynfs's WRT4 and WRT15 tests do emit zero- +length WRITEs to exercise this spec requirement. Commit fdec6114ee1f +("nfsd4: zero-length WRITE should succeed") addressed the same +problem there with the same fix. + +But interestingly the Linux NFS client does not appear to emit zero- +length WRITEs, instead squelching them. I'm not aware of a test that +can generate such WRITEs for NFSv3, so I wrote a naive C program to +generate a zero-length WRITE and test this fix. + +Fixes: 8154ef2776aa ("NFSD: Clean up legacy NFS WRITE argument XDR decoders") +Reported-by: Trond Myklebust +Signed-off-by: Chuck Lever +Cc: stable@vger.kernel.org +Acked-by: NeilBrown + +--- + fs/nfsd/nfs3proc.c | 3 +-- + fs/nfsd/nfsproc.c | 2 -- + 2 files changed, 1 insertion(+), 4 deletions(-) + +--- a/fs/nfsd/nfs3proc.c ++++ b/fs/nfsd/nfs3proc.c +@@ -204,8 +204,7 @@ nfsd3_proc_write(struct svc_rqst *rqstp) + resp->committed = argp->stable; + nvecs = svc_fill_write_vector(rqstp, rqstp->rq_arg.pages, + &argp->first, cnt); +- if (!nvecs) +- RETURN_STATUS(nfserr_io); ++ + nfserr = nfsd_write(rqstp, &resp->fh, argp->offset, + rqstp->rq_vec, nvecs, &cnt, + resp->committed); +--- a/fs/nfsd/nfsproc.c ++++ b/fs/nfsd/nfsproc.c +@@ -220,8 +220,6 @@ nfsd_proc_write(struct svc_rqst *rqstp) + + nvecs = svc_fill_write_vector(rqstp, rqstp->rq_arg.pages, + &argp->first, cnt); +- if (!nvecs) +- return nfserr_io; + nfserr = nfsd_write(rqstp, fh_copy(&resp->fh, &argp->fh), + argp->offset, rqstp->rq_vec, nvecs, + &cnt, NFS_DATA_SYNC); diff --git a/patches.suse/NFSv42-Don-t-fail-clone-unless-the-OP_CLONE-operatio.patch b/patches.suse/NFSv42-Don-t-fail-clone-unless-the-OP_CLONE-operatio.patch new file mode 100644 index 0000000..26e415a --- /dev/null +++ b/patches.suse/NFSv42-Don-t-fail-clone-unless-the-OP_CLONE-operatio.patch @@ -0,0 +1,33 @@ +From: Trond Myklebust +Date: Tue, 16 Nov 2021 09:55:01 -0500 +Subject: [PATCH] NFSv42: Don't fail clone() unless the OP_CLONE operation + failed +Git-commit: d3c45824ad65aebf765fcf51366d317a29538820 +Patch-mainline: v5.16 +References: git-fixes + +The failure to retrieve post-op attributes has no bearing on whether or +not the clone operation itself was successful. We must therefore ignore +the return value of decode_getfattr() when looking at the success or +failure of nfs4_xdr_dec_clone(). + +Fixes: 36022770de6c ("nfs42: add CLONE xdr functions") +Signed-off-by: Trond Myklebust +Acked-by: NeilBrown + +--- + fs/nfs/nfs42xdr.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/fs/nfs/nfs42xdr.c ++++ b/fs/nfs/nfs42xdr.c +@@ -769,8 +769,7 @@ static int nfs4_xdr_dec_clone(struct rpc + status = decode_clone(xdr); + if (status) + goto out; +- status = decode_getfattr(xdr, res->dst_fattr, res->server); +- ++ decode_getfattr(xdr, res->dst_fattr, res->server); + out: + res->rpc_status = status; + return status; diff --git a/patches.suse/NFSv42-Fix-pagecache-invalidation-after-COPY-CLONE.patch b/patches.suse/NFSv42-Fix-pagecache-invalidation-after-COPY-CLONE.patch new file mode 100644 index 0000000..efa8809 --- /dev/null +++ b/patches.suse/NFSv42-Fix-pagecache-invalidation-after-COPY-CLONE.patch @@ -0,0 +1,42 @@ +From: Benjamin Coddington +Date: Tue, 16 Nov 2021 10:48:13 -0500 +Subject: [PATCH] NFSv42: Fix pagecache invalidation after COPY/CLONE +Git-commit: 3f015d89a47cd8855cd92f71fff770095bd885a1 +Patch-mainline: v5.16 +References: git-fixes + +The mechanism in use to allow the client to see the results of COPY/CLONE +is to drop those pages from the pagecache. This forces the client to read +those pages once more from the server. However, truncate_pagecache_range() +zeros out partial pages instead of dropping them. Let us instead use +invalidate_inode_pages2_range() with full-page offsets to ensure the client +properly sees the results of COPY/CLONE operations. + +Cc: # v4.7+ +Fixes: 2e72448b07dc ("NFS: Add COPY nfs operation") +Signed-off-by: Benjamin Coddington +Signed-off-by: Trond Myklebust +Acked-by: NeilBrown + +--- + fs/nfs/nfs42proc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/nfs/nfs42proc.c b/fs/nfs/nfs42proc.c +index 08355b66e7cb..8b21ff1be717 100644 +--- a/fs/nfs/nfs42proc.c ++++ b/fs/nfs/nfs42proc.c +@@ -289,7 +289,9 @@ static void nfs42_copy_dest_done(struct inode *inode, loff_t pos, loff_t len) + loff_t newsize = pos + len; + loff_t end = newsize - 1; + +- truncate_pagecache_range(inode, pos, end); ++ WARN_ON_ONCE(invalidate_inode_pages2_range(inode->i_mapping, ++ pos >> PAGE_SHIFT, end >> PAGE_SHIFT)); ++ + spin_lock(&inode->i_lock); + if (newsize > i_size_read(inode)) + i_size_write(inode, newsize); +-- +2.34.1 + diff --git a/patches.suse/PCI-ACPI-Fix-acpi_pci_osc_control_set-kernel-doc-com.patch b/patches.suse/PCI-ACPI-Fix-acpi_pci_osc_control_set-kernel-doc-com.patch new file mode 100644 index 0000000..b612db9 --- /dev/null +++ b/patches.suse/PCI-ACPI-Fix-acpi_pci_osc_control_set-kernel-doc-com.patch @@ -0,0 +1,43 @@ +From 843438deebe247fcf7e4d3dd5655c9df4b5412fd Mon Sep 17 00:00:00 2001 +From: Yang Li +Date: Thu, 23 Dec 2021 10:28:56 +0800 +Subject: [PATCH] PCI/ACPI: Fix acpi_pci_osc_control_set() kernel-doc comment +Git-commit: 843438deebe247fcf7e4d3dd5655c9df4b5412fd +Patch-mainline: v5.17-rc1 +References: git-fixes + +Add the description of @support and remove @req in +acpi_pci_osc_control_set() kernel-doc comment to remove warnings found +by running scripts/kernel-doc, which is caused by using 'make W=1'. + +drivers/acpi/pci_root.c:337: warning: Excess function parameter 'req' +description in 'acpi_pci_osc_control_set' +drivers/acpi/pci_root.c:337: warning: Function parameter or member +'support' not described in 'acpi_pci_osc_control_set' + +Reported-by: Abaci Robot +Fixes: 6bc779ee05d4 ("PCI/ACPI: Check for _OSC support in acpi_pci_osc_control_set()") +Signed-off-by: Yang Li +Signed-off-by: Rafael J. Wysocki +Acked-by: Takashi Iwai + +--- + drivers/acpi/pci_root.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/pci_root.c b/drivers/acpi/pci_root.c +index ab2f7dfb0c44..b0f19f3fc798 100644 +--- a/drivers/acpi/pci_root.c ++++ b/drivers/acpi/pci_root.c +@@ -324,7 +324,7 @@ EXPORT_SYMBOL_GPL(acpi_get_pci_dev); + * acpi_pci_osc_control_set - Request control of PCI root _OSC features. + * @handle: ACPI handle of a PCI root bridge (or PCIe Root Complex). + * @mask: Mask of _OSC bits to request control of, place to store control mask. +- * @req: Mask of _OSC bits the control of is essential to the caller. ++ * @support: _OSC supported capability. + * + * Run _OSC query for @mask and if that is successful, compare the returned + * mask of control bits with @req. If all of the @req bits are set in the +-- +2.31.1 + diff --git a/patches.suse/PCI-MSI-Fix-pci_irq_vector-pci_irq_get_affinity.patch b/patches.suse/PCI-MSI-Fix-pci_irq_vector-pci_irq_get_affinity.patch new file mode 100644 index 0000000..01fc427 --- /dev/null +++ b/patches.suse/PCI-MSI-Fix-pci_irq_vector-pci_irq_get_affinity.patch @@ -0,0 +1,97 @@ +From 29bbc35e29d9b6347780dcacde2deb4b39344167 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Mon, 6 Dec 2021 23:27:26 +0100 +Subject: [PATCH] PCI/MSI: Fix pci_irq_vector()/pci_irq_get_affinity() +Git-commit: 29bbc35e29d9b6347780dcacde2deb4b39344167 +Patch-mainline: v5.17-rc1 +References: git-fixes + +pci_irq_vector() and pci_irq_get_affinity() use the list position to find the +MSI-X descriptor at a given index. That's correct for the normal case where +the entry number is the same as the list position. + +But it's wrong for cases where MSI-X was allocated with an entries array +describing sparse entry numbers into the hardware message descriptor +table. That's inconsistent at best. + +Make it always check the entry number because that's what the zero base +index really means. This change won't break existing users which use a +sparse entries array for allocation because these users retrieve the Linux +interrupt number from the entries array after allocation and none of them +uses pci_irq_vector() or pci_irq_get_affinity(). + +Fixes: aff171641d18 ("PCI: Provide sensible IRQ vector alloc/free routines") +Signed-off-by: Thomas Gleixner +Tested-by: Juergen Gross +Reviewed-by: Jason Gunthorpe +Acked-by: Bjorn Helgaas +Link: https://lore.kernel.org/r/20211206210223.929792157@linutronix.de +Acked-by: Takashi Iwai + +--- + drivers/pci/msi.c | 26 ++++++++++++++++++-------- + 1 file changed, 18 insertions(+), 8 deletions(-) + +diff --git a/drivers/pci/msi.c b/drivers/pci/msi.c +index 48e3f4e47b29..00ed45fea482 100644 +--- a/drivers/pci/msi.c ++++ b/drivers/pci/msi.c +@@ -1187,19 +1187,24 @@ EXPORT_SYMBOL(pci_free_irq_vectors); + + /** + * pci_irq_vector - return Linux IRQ number of a device vector +- * @dev: PCI device to operate on +- * @nr: device-relative interrupt vector index (0-based). ++ * @dev: PCI device to operate on ++ * @nr: Interrupt vector index (0-based) ++ * ++ * @nr has the following meanings depending on the interrupt mode: ++ * MSI-X: The index in the MSI-X vector table ++ * MSI: The index of the enabled MSI vectors ++ * INTx: Must be 0 ++ * ++ * Return: The Linux interrupt number or -EINVAl if @nr is out of range. + */ + int pci_irq_vector(struct pci_dev *dev, unsigned int nr) + { + if (dev->msix_enabled) { + struct msi_desc *entry; +- int i = 0; + + for_each_pci_msi_entry(entry, dev) { +- if (i == nr) ++ if (entry->msi_attrib.entry_nr == nr) + return entry->irq; +- i++; + } + WARN_ON_ONCE(1); + return -EINVAL; +@@ -1223,17 +1228,22 @@ EXPORT_SYMBOL(pci_irq_vector); + * pci_irq_get_affinity - return the affinity of a particular MSI vector + * @dev: PCI device to operate on + * @nr: device-relative interrupt vector index (0-based). ++ * ++ * @nr has the following meanings depending on the interrupt mode: ++ * MSI-X: The index in the MSI-X vector table ++ * MSI: The index of the enabled MSI vectors ++ * INTx: Must be 0 ++ * ++ * Return: A cpumask pointer or NULL if @nr is out of range + */ + const struct cpumask *pci_irq_get_affinity(struct pci_dev *dev, int nr) + { + if (dev->msix_enabled) { + struct msi_desc *entry; +- int i = 0; + + for_each_pci_msi_entry(entry, dev) { +- if (i == nr) ++ if (entry->msi_attrib.entry_nr == nr) + return &entry->affinity->mask; +- i++; + } + WARN_ON_ONCE(1); + return NULL; +-- +2.31.1 + diff --git a/patches.suse/PCI-dwc-Do-not-remap-invalid-res.patch b/patches.suse/PCI-dwc-Do-not-remap-invalid-res.patch new file mode 100644 index 0000000..877be2f --- /dev/null +++ b/patches.suse/PCI-dwc-Do-not-remap-invalid-res.patch @@ -0,0 +1,49 @@ +From 6e5ebc96ec651b67131f816d7e3bf286c635e749 Mon Sep 17 00:00:00 2001 +From: Tim Harvey +Date: Mon, 1 Nov 2021 11:02:43 -0700 +Subject: [PATCH] PCI: dwc: Do not remap invalid res +Git-commit: 6e5ebc96ec651b67131f816d7e3bf286c635e749 +Patch-mainline: v5.17-rc1 +References: git-fixes + +On imx6 and perhaps others when pcie probes you get a: +imx6q-pcie 33800000.pcie: invalid resource + +This occurs because the atu is not specified in the DT and as such it +should not be remapped. + +Link: https://lore.kernel.org/r/20211101180243.23761-1-tharvey@gateworks.com +Fixes: 281f1f99cf3a ("PCI: dwc: Detect number of iATU windows") +Signed-off-by: Tim Harvey +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Rob Herring +Acked-by: Richard Zhu +Cc: Richard Zhu +Acked-by: Takashi Iwai + +--- + drivers/pci/controller/dwc/pcie-designware.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/pci/controller/dwc/pcie-designware.c b/drivers/pci/controller/dwc/pcie-designware.c +index 850b4533f4ef..d92c8a25094f 100644 +--- a/drivers/pci/controller/dwc/pcie-designware.c ++++ b/drivers/pci/controller/dwc/pcie-designware.c +@@ -672,10 +672,11 @@ void dw_pcie_iatu_detect(struct dw_pcie *pci) + if (!pci->atu_base) { + struct resource *res = + platform_get_resource_byname(pdev, IORESOURCE_MEM, "atu"); +- if (res) ++ if (res) { + pci->atu_size = resource_size(res); +- pci->atu_base = devm_ioremap_resource(dev, res); +- if (IS_ERR(pci->atu_base)) ++ pci->atu_base = devm_ioremap_resource(dev, res); ++ } ++ if (!pci->atu_base || IS_ERR(pci->atu_base)) + pci->atu_base = pci->dbi_base + DEFAULT_DBI_ATU_OFFSET; + } + +-- +2.31.1 + diff --git a/patches.suse/PCI-mvebu-Check-for-errors-from-pci_bridge_emul_init.patch b/patches.suse/PCI-mvebu-Check-for-errors-from-pci_bridge_emul_init.patch new file mode 100644 index 0000000..ac8d153 --- /dev/null +++ b/patches.suse/PCI-mvebu-Check-for-errors-from-pci_bridge_emul_init.patch @@ -0,0 +1,68 @@ +From 5d18d702e5c9309f4195653475c7a7fdde4ca71f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pali=20Roh=C3=A1r?= +Date: Thu, 25 Nov 2021 13:45:52 +0100 +Subject: [PATCH] PCI: mvebu: Check for errors from pci_bridge_emul_init() call +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 5d18d702e5c9309f4195653475c7a7fdde4ca71f +Patch-mainline: v5.17-rc1 +References: git-fixes + +Function pci_bridge_emul_init() may fail so correctly check for errors. + +Link: https://lore.kernel.org/r/20211125124605.25915-3-pali@kernel.org +Fixes: 1f08673eef12 ("PCI: mvebu: Convert to PCI emulated bridge config space") +Signed-off-by: Pali Rohár +Signed-off-by: Lorenzo Pieralisi +Acked-by: Takashi Iwai + +--- + drivers/pci/controller/pci-mvebu.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/drivers/pci/controller/pci-mvebu.c b/drivers/pci/controller/pci-mvebu.c +index 51cf3ecb4121..e4424db808fe 100644 +--- a/drivers/pci/controller/pci-mvebu.c ++++ b/drivers/pci/controller/pci-mvebu.c +@@ -570,7 +570,7 @@ static struct pci_bridge_emul_ops mvebu_pci_bridge_emul_ops = { + * Initialize the configuration space of the PCI-to-PCI bridge + * associated with the given PCIe interface. + */ +-static void mvebu_pci_bridge_emul_init(struct mvebu_pcie_port *port) ++static int mvebu_pci_bridge_emul_init(struct mvebu_pcie_port *port) + { + struct pci_bridge_emul *bridge = &port->bridge; + +@@ -589,7 +589,7 @@ static void mvebu_pci_bridge_emul_init(struct mvebu_pcie_port *port) + bridge->data = port; + bridge->ops = &mvebu_pci_bridge_emul_ops; + +- pci_bridge_emul_init(bridge, PCI_BRIDGE_EMUL_NO_PREFETCHABLE_BAR); ++ return pci_bridge_emul_init(bridge, PCI_BRIDGE_EMUL_NO_PREFETCHABLE_BAR); + } + + static inline struct mvebu_pcie *sys_to_pcie(struct pci_sys_data *sys) +@@ -1075,9 +1075,18 @@ static int mvebu_pcie_probe(struct platform_device *pdev) + continue; + } + ++ ret = mvebu_pci_bridge_emul_init(port); ++ if (ret < 0) { ++ dev_err(dev, "%s: cannot init emulated bridge\n", ++ port->name); ++ devm_iounmap(dev, port->base); ++ port->base = NULL; ++ mvebu_pcie_powerdown(port); ++ continue; ++ } ++ + mvebu_pcie_setup_hw(port); + mvebu_pcie_set_local_dev_nr(port, 1); +- mvebu_pci_bridge_emul_init(port); + } + + pcie->nports = i; +-- +2.31.1 + diff --git a/patches.suse/PCI-mvebu-Do-not-modify-PCI-IO-type-bits-in-conf_wri.patch b/patches.suse/PCI-mvebu-Do-not-modify-PCI-IO-type-bits-in-conf_wri.patch new file mode 100644 index 0000000..84b120e --- /dev/null +++ b/patches.suse/PCI-mvebu-Do-not-modify-PCI-IO-type-bits-in-conf_wri.patch @@ -0,0 +1,46 @@ +From 2cf150216e5b5619d7c25180ccf2cc8ac7bebc13 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pali=20Roh=C3=A1r?= +Date: Thu, 25 Nov 2021 13:45:57 +0100 +Subject: [PATCH] PCI: mvebu: Do not modify PCI IO type bits in conf_write +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 2cf150216e5b5619d7c25180ccf2cc8ac7bebc13 +Patch-mainline: v5.17-rc1 +References: git-fixes + +PCI IO type bits are already initialized in mvebu_pci_bridge_emul_init() +function and only when IO support is enabled. These type bits are read-only +and pci-bridge-emul.c code already does not allow to modify them from upper +layers. + +When IO support is disabled then all IO registers should be read-only and +return zeros. Therefore do not modify PCI IO type bits in +mvebu_pci_bridge_emul_base_conf_write() callback. + +Link: https://lore.kernel.org/r/20211125124605.25915-8-pali@kernel.org +Fixes: 1f08673eef12 ("PCI: mvebu: Convert to PCI emulated bridge config space") +Signed-off-by: Pali Rohár +Signed-off-by: Lorenzo Pieralisi +Acked-by: Takashi Iwai + +--- + drivers/pci/controller/pci-mvebu.c | 7 ------- + 1 file changed, 7 deletions(-) + +--- a/drivers/pci/controller/pci-mvebu.c ++++ b/drivers/pci/controller/pci-mvebu.c +@@ -490,13 +490,6 @@ mvebu_pci_bridge_emul_base_conf_write(st + } + + case PCI_IO_BASE: +- /* +- * We keep bit 1 set, it is a read-only bit that +- * indicates we support 32 bits addressing for the +- * I/O +- */ +- conf->iobase |= PCI_IO_RANGE_TYPE_32; +- conf->iolimit |= PCI_IO_RANGE_TYPE_32; + mvebu_pcie_handle_iobase_change(port); + break; + diff --git a/patches.suse/PCI-mvebu-Fix-support-for-DEVCAP2-DEVCTL2-and-LNKCTL.patch b/patches.suse/PCI-mvebu-Fix-support-for-DEVCAP2-DEVCTL2-and-LNKCTL.patch new file mode 100644 index 0000000..d2a50e0 --- /dev/null +++ b/patches.suse/PCI-mvebu-Fix-support-for-DEVCAP2-DEVCTL2-and-LNKCTL.patch @@ -0,0 +1,71 @@ +From 4ab34548c55fbbb3898306a47dfaccd4860e1ccb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pali=20Roh=C3=A1r?= +Date: Thu, 25 Nov 2021 13:46:05 +0100 +Subject: [PATCH] PCI: mvebu: Fix support for DEVCAP2, DEVCTL2 and LNKCTL2 registers on emulated bridge +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 4ab34548c55fbbb3898306a47dfaccd4860e1ccb +Patch-mainline: v5.17-rc1 +References: git-fixes + +Armada XP and new hardware supports access to DEVCAP2, DEVCTL2 and LNKCTL2 +configuration registers of PCIe core via PCIE_CAP_PCIEXP. So export them +via emulated software root bridge. + +Pre-XP hardware does not support these registers and returns zeros. + +Link: https://lore.kernel.org/r/20211125124605.25915-16-pali@kernel.org +Fixes: 1f08673eef12 ("PCI: mvebu: Convert to PCI emulated bridge config space") +Signed-off-by: Pali Rohár +Signed-off-by: Lorenzo Pieralisi +Acked-by: Takashi Iwai + +--- + drivers/pci/controller/pci-mvebu.c | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +diff --git a/drivers/pci/controller/pci-mvebu.c b/drivers/pci/controller/pci-mvebu.c +index bc350bd0a3e8..b859952a9c67 100644 +--- a/drivers/pci/controller/pci-mvebu.c ++++ b/drivers/pci/controller/pci-mvebu.c +@@ -560,6 +560,18 @@ mvebu_pci_bridge_emul_pcie_conf_read(struct pci_bridge_emul *bridge, + *value = mvebu_readl(port, PCIE_RC_RTSTA); + break; + ++ case PCI_EXP_DEVCAP2: ++ *value = mvebu_readl(port, PCIE_CAP_PCIEXP + PCI_EXP_DEVCAP2); ++ break; ++ ++ case PCI_EXP_DEVCTL2: ++ *value = mvebu_readl(port, PCIE_CAP_PCIEXP + PCI_EXP_DEVCTL2); ++ break; ++ ++ case PCI_EXP_LNKCTL2: ++ *value = mvebu_readl(port, PCIE_CAP_PCIEXP + PCI_EXP_LNKCTL2); ++ break; ++ + default: + return PCI_BRIDGE_EMUL_NOT_HANDLED; + } +@@ -672,6 +684,17 @@ mvebu_pci_bridge_emul_pcie_conf_write(struct pci_bridge_emul *bridge, + if (new & PCI_EXP_RTSTA_PME) + mvebu_writel(port, ~PCIE_INT_PM_PME, PCIE_INT_CAUSE_OFF); + break; ++ ++ case PCI_EXP_DEVCTL2: ++ mvebu_writel(port, new, PCIE_CAP_PCIEXP + PCI_EXP_DEVCTL2); ++ break; ++ ++ case PCI_EXP_LNKCTL2: ++ mvebu_writel(port, new, PCIE_CAP_PCIEXP + PCI_EXP_LNKCTL2); ++ break; ++ ++ default: ++ break; + } + } + +-- +2.31.1 + diff --git a/patches.suse/PCI-mvebu-Fix-support-for-PCI_EXP_DEVCTL-on-emulated.patch b/patches.suse/PCI-mvebu-Fix-support-for-PCI_EXP_DEVCTL-on-emulated.patch new file mode 100644 index 0000000..042b734 --- /dev/null +++ b/patches.suse/PCI-mvebu-Fix-support-for-PCI_EXP_DEVCTL-on-emulated.patch @@ -0,0 +1,57 @@ +From ecae073e393e65ee7be7ebf3fdd5258ab99f1636 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pali=20Roh=C3=A1r?= +Date: Thu, 25 Nov 2021 13:46:03 +0100 +Subject: [PATCH] PCI: mvebu: Fix support for PCI_EXP_DEVCTL on emulated bridge +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: ecae073e393e65ee7be7ebf3fdd5258ab99f1636 +Patch-mainline: v5.17-rc1 +References: git-fixes + +Comment in Armada 370 functional specification is misleading. +PCI_EXP_DEVCTL_*RE bits are supported and configures receiving of error +interrupts. + +Link: https://lore.kernel.org/r/20211125124605.25915-14-pali@kernel.org +Fixes: 1f08673eef12 ("PCI: mvebu: Convert to PCI emulated bridge config space") +Signed-off-by: Pali Rohár +Signed-off-by: Lorenzo Pieralisi +Acked-by: Takashi Iwai + +--- + drivers/pci/controller/pci-mvebu.c | 11 +---------- + 1 file changed, 1 insertion(+), 10 deletions(-) + +diff --git a/drivers/pci/controller/pci-mvebu.c b/drivers/pci/controller/pci-mvebu.c +index 89e610f3c9f3..a863b26d44f4 100644 +--- a/drivers/pci/controller/pci-mvebu.c ++++ b/drivers/pci/controller/pci-mvebu.c +@@ -534,9 +534,7 @@ mvebu_pci_bridge_emul_pcie_conf_read(struct pci_bridge_emul *bridge, + break; + + case PCI_EXP_DEVCTL: +- *value = mvebu_readl(port, PCIE_CAP_PCIEXP + PCI_EXP_DEVCTL) & +- ~(PCI_EXP_DEVCTL_URRE | PCI_EXP_DEVCTL_FERE | +- PCI_EXP_DEVCTL_NFERE | PCI_EXP_DEVCTL_CERE); ++ *value = mvebu_readl(port, PCIE_CAP_PCIEXP + PCI_EXP_DEVCTL); + break; + + case PCI_EXP_LNKCAP: +@@ -647,13 +645,6 @@ mvebu_pci_bridge_emul_pcie_conf_write(struct pci_bridge_emul *bridge, + + switch (reg) { + case PCI_EXP_DEVCTL: +- /* +- * Armada370 data says these bits must always +- * be zero when in root complex mode. +- */ +- new &= ~(PCI_EXP_DEVCTL_URRE | PCI_EXP_DEVCTL_FERE | +- PCI_EXP_DEVCTL_NFERE | PCI_EXP_DEVCTL_CERE); +- + mvebu_writel(port, new, PCIE_CAP_PCIEXP + PCI_EXP_DEVCTL); + break; + +-- +2.31.1 + diff --git a/patches.suse/PCI-mvebu-Fix-support-for-PCI_EXP_RTSTA-on-emulated-.patch b/patches.suse/PCI-mvebu-Fix-support-for-PCI_EXP_RTSTA-on-emulated-.patch new file mode 100644 index 0000000..41af12b --- /dev/null +++ b/patches.suse/PCI-mvebu-Fix-support-for-PCI_EXP_RTSTA-on-emulated-.patch @@ -0,0 +1,57 @@ +From 838ff44a398ff47fe9b924961d91aee325821220 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pali=20Roh=C3=A1r?= +Date: Thu, 25 Nov 2021 13:46:04 +0100 +Subject: [PATCH] PCI: mvebu: Fix support for PCI_EXP_RTSTA on emulated bridge +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 838ff44a398ff47fe9b924961d91aee325821220 +Patch-mainline: v5.17-rc1 +References: git-fixes + +PME Status bit in Root Status Register (PCIE_RC_RTSTA_OFF) is read-only and +can be cleared only by writing 0b to the Interrupt Cause RW0C register +(PCIE_INT_CAUSE_OFF). + +Link: https://lore.kernel.org/r/20211125124605.25915-15-pali@kernel.org +Fixes: 1f08673eef12 ("PCI: mvebu: Convert to PCI emulated bridge config space") +Signed-off-by: Pali Rohár +Signed-off-by: Lorenzo Pieralisi +Acked-by: Takashi Iwai + +--- + drivers/pci/controller/pci-mvebu.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/drivers/pci/controller/pci-mvebu.c b/drivers/pci/controller/pci-mvebu.c +index a863b26d44f4..bc350bd0a3e8 100644 +--- a/drivers/pci/controller/pci-mvebu.c ++++ b/drivers/pci/controller/pci-mvebu.c +@@ -51,6 +51,8 @@ + PCIE_CONF_FUNC(PCI_FUNC(devfn)) | PCIE_CONF_REG(where) | \ + PCIE_CONF_ADDR_EN) + #define PCIE_CONF_DATA_OFF 0x18fc ++#define PCIE_INT_CAUSE_OFF 0x1900 ++#define PCIE_INT_PM_PME BIT(28) + #define PCIE_MASK_OFF 0x1910 + #define PCIE_MASK_ENABLE_INTS 0x0f000000 + #define PCIE_CTRL_OFF 0x1a00 +@@ -661,7 +663,14 @@ mvebu_pci_bridge_emul_pcie_conf_write(struct pci_bridge_emul *bridge, + break; + + case PCI_EXP_RTSTA: +- mvebu_writel(port, new, PCIE_RC_RTSTA); ++ /* ++ * PME Status bit in Root Status Register (PCIE_RC_RTSTA) ++ * is read-only and can be cleared only by writing 0b to the ++ * Interrupt Cause RW0C register (PCIE_INT_CAUSE_OFF). So ++ * clear PME via Interrupt Cause. ++ */ ++ if (new & PCI_EXP_RTSTA_PME) ++ mvebu_writel(port, ~PCIE_INT_PM_PME, PCIE_INT_CAUSE_OFF); + break; + } + } +-- +2.31.1 + diff --git a/patches.suse/PCI-pci-bridge-emul-Properly-mark-reserved-PCIe-bits.patch b/patches.suse/PCI-pci-bridge-emul-Properly-mark-reserved-PCIe-bits.patch new file mode 100644 index 0000000..edc50be --- /dev/null +++ b/patches.suse/PCI-pci-bridge-emul-Properly-mark-reserved-PCIe-bits.patch @@ -0,0 +1,61 @@ +From 7b067ac63a5730d2fae18399fed7e45f23d36912 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pali=20Roh=C3=A1r?= +Date: Wed, 24 Nov 2021 16:59:40 +0100 +Subject: [PATCH] PCI: pci-bridge-emul: Properly mark reserved PCIe bits in PCI config space +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 7b067ac63a5730d2fae18399fed7e45f23d36912 +Patch-mainline: v5.17-rc1 +References: git-fixes + +Some bits in PCI config space are reserved when device is PCIe. Properly +define behavior of PCI registers for PCIe emulated bridge and ensure that +it would not be possible change these reserved bits. + +Link: https://lore.kernel.org/r/20211124155944.1290-3-pali@kernel.org +Fixes: 23a5fba4d941 ("PCI: Introduce PCI bridge emulated config space common logic") +Signed-off-by: Pali Rohár +Signed-off-by: Lorenzo Pieralisi +Cc: stable@vger.kernel.org +Acked-by: Takashi Iwai + +--- + drivers/pci/pci-bridge-emul.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/drivers/pci/pci-bridge-emul.c b/drivers/pci/pci-bridge-emul.c +index 5de8b8dde209..0cbb4e3ca827 100644 +--- a/drivers/pci/pci-bridge-emul.c ++++ b/drivers/pci/pci-bridge-emul.c +@@ -295,6 +295,27 @@ int pci_bridge_emul_init(struct pci_bridge_emul *bridge, + kfree(bridge->pci_regs_behavior); + return -ENOMEM; + } ++ /* These bits are applicable only for PCI and reserved on PCIe */ ++ bridge->pci_regs_behavior[PCI_CACHE_LINE_SIZE / 4].ro &= ++ ~GENMASK(15, 8); ++ bridge->pci_regs_behavior[PCI_COMMAND / 4].ro &= ++ ~((PCI_COMMAND_SPECIAL | PCI_COMMAND_INVALIDATE | ++ PCI_COMMAND_VGA_PALETTE | PCI_COMMAND_WAIT | ++ PCI_COMMAND_FAST_BACK) | ++ (PCI_STATUS_66MHZ | PCI_STATUS_FAST_BACK | ++ PCI_STATUS_DEVSEL_MASK) << 16); ++ bridge->pci_regs_behavior[PCI_PRIMARY_BUS / 4].ro &= ++ ~GENMASK(31, 24); ++ bridge->pci_regs_behavior[PCI_IO_BASE / 4].ro &= ++ ~((PCI_STATUS_66MHZ | PCI_STATUS_FAST_BACK | ++ PCI_STATUS_DEVSEL_MASK) << 16); ++ bridge->pci_regs_behavior[PCI_INTERRUPT_LINE / 4].rw &= ++ ~((PCI_BRIDGE_CTL_MASTER_ABORT | ++ BIT(8) | BIT(9) | BIT(11)) << 16); ++ bridge->pci_regs_behavior[PCI_INTERRUPT_LINE / 4].ro &= ++ ~((PCI_BRIDGE_CTL_FAST_BACK) << 16); ++ bridge->pci_regs_behavior[PCI_INTERRUPT_LINE / 4].w1c &= ++ ~(BIT(10) << 16); + } + + if (flags & PCI_BRIDGE_EMUL_NO_PREFETCHABLE_BAR) { +-- +2.31.1 + diff --git a/patches.suse/PCI-pci-bridge-emul-Set-PCI_STATUS_CAP_LIST-for-PCIe.patch b/patches.suse/PCI-pci-bridge-emul-Set-PCI_STATUS_CAP_LIST-for-PCIe.patch new file mode 100644 index 0000000..a37f960 --- /dev/null +++ b/patches.suse/PCI-pci-bridge-emul-Set-PCI_STATUS_CAP_LIST-for-PCIe.patch @@ -0,0 +1,38 @@ +From 3be9d243b21724d49b65043d4520d688b6040b36 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pali=20Roh=C3=A1r?= +Date: Wed, 24 Nov 2021 16:59:44 +0100 +Subject: [PATCH] PCI: pci-bridge-emul: Set PCI_STATUS_CAP_LIST for PCIe device +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 3be9d243b21724d49b65043d4520d688b6040b36 +Patch-mainline: v5.17-rc1 +References: git-fixes + +Since all PCI Express device Functions are required to implement the PCI +Express Capability structure, Capabilities List bit in PCI Status Register +must be hardwired to 1b. Capabilities Pointer register (which is already +set by pci-bride-emul.c driver) is valid only when Capabilities List is set +to 1b. + +Link: https://lore.kernel.org/r/20211124155944.1290-7-pali@kernel.org +Fixes: 23a5fba4d941 ("PCI: Introduce PCI bridge emulated config space common logic") +Signed-off-by: Pali Rohár +Signed-off-by: Lorenzo Pieralisi +Cc: stable@vger.kernel.org +Acked-by: Takashi Iwai + +--- + drivers/pci/pci-bridge-emul.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/pci/pci-bridge-emul.c ++++ b/drivers/pci/pci-bridge-emul.c +@@ -287,6 +287,7 @@ int pci_bridge_emul_init(struct pci_brid + + if (bridge->has_pcie) { + bridge->conf.capabilities_pointer = PCI_CAP_PCIE_START; ++ bridge->conf.status |= cpu_to_le16(PCI_STATUS_CAP_LIST); + bridge->pcie_conf.cap_id = PCI_CAP_ID_EXP; + /* Set PCIe v2, root port, slot support */ + bridge->pcie_conf.cap = diff --git a/patches.suse/PCI-pciehp-Fix-infinite-loop-in-IRQ-handler-upon-pow.patch b/patches.suse/PCI-pciehp-Fix-infinite-loop-in-IRQ-handler-upon-pow.patch new file mode 100644 index 0000000..dae84a5 --- /dev/null +++ b/patches.suse/PCI-pciehp-Fix-infinite-loop-in-IRQ-handler-upon-pow.patch @@ -0,0 +1,76 @@ +From 23584c1ed3e15a6f4bfab8dc5a88d94ab929ee12 Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Wed, 17 Nov 2021 23:22:09 +0100 +Subject: [PATCH] PCI: pciehp: Fix infinite loop in IRQ handler upon power fault +Git-commit: 23584c1ed3e15a6f4bfab8dc5a88d94ab929ee12 +Patch-mainline: v5.17-rc1 +References: git-fixes + +The Power Fault Detected bit in the Slot Status register differs from +all other hotplug events in that it is sticky: It can only be cleared +after turning off slot power. Per PCIe r5.0, sec. 6.7.1.8: + + If a power controller detects a main power fault on the hot-plug slot, + it must automatically set its internal main power fault latch [...]. + The main power fault latch is cleared when software turns off power to + the hot-plug slot. + +The stickiness used to cause interrupt storms and infinite loops which +were fixed in 2009 by commits 5651c48cfafe ("PCI pciehp: fix power fault +interrupt storm problem") and 99f0169c17f3 ("PCI: pciehp: enable +software notification on empty slots"). + +Unfortunately in 2020 the infinite loop issue was inadvertently +reintroduced by commit 8edf5332c393 ("PCI: pciehp: Fix MSI interrupt +Race"): The hardirq handler pciehp_isr() clears the PFD bit until +pciehp's power_fault_detected flag is set. That happens in the IRQ +thread pciehp_ist(), which never learns of the event because the hardirq +handler is stuck in an infinite loop. Fix by setting the +power_fault_detected flag already in the hardirq handler. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=214989 +Link: https://lore.kernel.org/linux-pci/DM8PR11MB5702255A6A92F735D90A4446868B9@DM8PR11MB5702.namprd11.prod.outlook.com +Fixes: 8edf5332c393 ("PCI: pciehp: Fix MSI interrupt race") +Link: https://lore.kernel.org/r/66eaeef31d4997ceea357ad93259f290ededecfd.1637187226.git.lukas@wunner.de +Reported-by: Joseph Bao +Tested-by: Joseph Bao +Signed-off-by: Lukas Wunner +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org # v4.19+ +Cc: Stuart Hayes +Acked-by: Takashi Iwai + +--- + drivers/pci/hotplug/pciehp_hpc.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/pci/hotplug/pciehp_hpc.c ++++ b/drivers/pci/hotplug/pciehp_hpc.c +@@ -603,6 +603,8 @@ read_status: + */ + if (ctrl->power_fault_detected) + status &= ~PCI_EXP_SLTSTA_PFD; ++ else if (status & PCI_EXP_SLTSTA_PFD) ++ ctrl->power_fault_detected = true; + + events |= status; + if (!events) { +@@ -612,7 +614,7 @@ read_status: + } + + if (status) { +- pcie_capability_write_word(pdev, PCI_EXP_SLTSTA, events); ++ pcie_capability_write_word(pdev, PCI_EXP_SLTSTA, status); + + /* + * In MSI mode, all event bits must be zero before the port +@@ -686,8 +688,7 @@ static irqreturn_t pciehp_ist(int irq, v + } + + /* Check Power Fault Detected */ +- if ((events & PCI_EXP_SLTSTA_PFD) && !ctrl->power_fault_detected) { +- ctrl->power_fault_detected = 1; ++ if (events & PCI_EXP_SLTSTA_PFD) { + ctrl_err(ctrl, "Slot(%s): Power fault\n", slot_name(ctrl)); + pciehp_set_attention_status(ctrl, 1); + pciehp_green_led_off(ctrl); diff --git a/patches.suse/PCI-xgene-Fix-IB-window-setup.patch b/patches.suse/PCI-xgene-Fix-IB-window-setup.patch new file mode 100644 index 0000000..bac25ba --- /dev/null +++ b/patches.suse/PCI-xgene-Fix-IB-window-setup.patch @@ -0,0 +1,51 @@ +From c7a75d07827a1f33d566e18e6098379cc2a0c2b2 Mon Sep 17 00:00:00 2001 +From: Rob Herring +Date: Mon, 29 Nov 2021 11:36:37 -0600 +Subject: [PATCH] PCI: xgene: Fix IB window setup +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: c7a75d07827a1f33d566e18e6098379cc2a0c2b2 +Patch-mainline: v5.17-rc1 +References: git-fixes + +Commit 6dce5aa59e0b ("PCI: xgene: Use inbound resources for setup") +broke PCI support on XGene. The cause is the IB resources are now sorted +in address order instead of being in DT dma-ranges order. The result is +which inbound registers are used for each region are swapped. I don't +know the details about this h/w, but it appears that IB region 0 +registers can't handle a size greater than 4GB. In any case, limiting +the size for region 0 is enough to get back to the original assignment +of dma-ranges to regions. + +Link: https://lore.kernel.org/all/CA+enf=v9rY_xnZML01oEgKLmvY1NGBUUhnSJaETmXtDtXfaczA@mail.gmail.com/ +Link: https://lore.kernel.org/r/20211129173637.303201-1-robh@kernel.org +Fixes: 6dce5aa59e0b ("PCI: xgene: Use inbound resources for setup") +Reported-by: Stéphane Graber +Tested-by: Stéphane Graber +Signed-off-by: Rob Herring +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Krzysztof Wilczyński +Cc: stable@vger.kernel.org # v5.5+ +Acked-by: Takashi Iwai + +--- + drivers/pci/controller/pci-xgene.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pci/controller/pci-xgene.c b/drivers/pci/controller/pci-xgene.c +index 56d0d50338c8..d83dbd977418 100644 +--- a/drivers/pci/controller/pci-xgene.c ++++ b/drivers/pci/controller/pci-xgene.c +@@ -465,7 +465,7 @@ static int xgene_pcie_select_ib_reg(u8 *ib_reg_mask, u64 size) + return 1; + } + +- if ((size > SZ_1K) && (size < SZ_1T) && !(*ib_reg_mask & (1 << 0))) { ++ if ((size > SZ_1K) && (size < SZ_4G) && !(*ib_reg_mask & (1 << 0))) { + *ib_reg_mask |= (1 << 0); + return 0; + } +-- +2.31.1 + diff --git a/patches.suse/RDMA-hns-Replace-kfree-with-kvfree.patch b/patches.suse/RDMA-hns-Replace-kfree-with-kvfree.patch new file mode 100644 index 0000000..581ef30 --- /dev/null +++ b/patches.suse/RDMA-hns-Replace-kfree-with-kvfree.patch @@ -0,0 +1,32 @@ +From: Jiacheng Shi +Date: Fri, 10 Dec 2021 01:42:34 -0800 +Subject: RDMA/hns: Replace kfree() with kvfree() +Patch-mainline: v5.16-rc7 +Git-commit: 12d3bbdd6bd2780b71cc466f3fbc6eb7d43bbc2a +References: jsc#SLE-14777 + +Variables allocated by kvmalloc_array() should not be freed by kfree. +Because they may be allocated by vmalloc. So we replace kfree() with +kvfree() here. + +Fixes: 6fd610c5733d ("RDMA/hns: Support 0 hop addressing for SRQ buffer") +Link: https://lore.kernel.org/r/20211210094234.5829-1-billsjc@sjtu.edu.cn +Signed-off-by: Jiacheng Shi +Acked-by: Wenpeng Liang +Signed-off-by: Jason Gunthorpe +Acked-by: Thomas Bogendoerfer +--- + drivers/infiniband/hw/hns/hns_roce_srq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/hns/hns_roce_srq.c ++++ b/drivers/infiniband/hw/hns/hns_roce_srq.c +@@ -272,7 +272,7 @@ static int alloc_srq_wrid(struct hns_roc + + static void free_srq_wrid(struct hns_roce_srq *srq) + { +- kfree(srq->wrid); ++ kvfree(srq->wrid); + srq->wrid = NULL; + } + diff --git a/patches.suse/Revert-net-mlx5-Add-retry-mechanism-to-the-command-e.patch b/patches.suse/Revert-net-mlx5-Add-retry-mechanism-to-the-command-e.patch new file mode 100644 index 0000000..1ecb054 --- /dev/null +++ b/patches.suse/Revert-net-mlx5-Add-retry-mechanism-to-the-command-e.patch @@ -0,0 +1,61 @@ +From: Moshe Shemesh +Date: Sun, 5 Dec 2021 11:20:59 +0200 +Subject: Revert "net/mlx5: Add retry mechanism to the command entry index + allocation" +Patch-mainline: v5.17-rc1 +Git-commit: 4f6626b0e140867fd6d5a2e9d4ceaef97f10f46a +References: jsc#SLE-15172 + +This reverts commit 410bd754cd73c4a2ac3856d9a03d7b08f9c906bf. + +The reverted commit had added a retry mechanism to the command entry +index allocation. The previous patch ensures that there is a free +command entry index once the command work handler holds the command +semaphore. Thus the retry mechanism is not needed. + +Fixes: 410bd754cd73 ("net/mlx5: Add retry mechanism to the command entry index allocation") +Signed-off-by: Moshe Shemesh +Reviewed-by: Eran Ben Elisha +Signed-off-by: Saeed Mahameed +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 21 +-------------------- + 1 file changed, 1 insertion(+), 20 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -887,25 +887,6 @@ static bool opcode_allowed(struct mlx5_c + return cmd->allowed_opcode == opcode; + } + +-static int cmd_alloc_index_retry(struct mlx5_cmd *cmd) +-{ +- unsigned long alloc_end = jiffies + msecs_to_jiffies(1000); +- int idx; +- +-retry: +- idx = cmd_alloc_index(cmd); +- if (idx < 0 && time_before(jiffies, alloc_end)) { +- /* Index allocation can fail on heavy load of commands. This is a temporary +- * situation as the current command already holds the semaphore, meaning that +- * another command completion is being handled and it is expected to release +- * the entry index soon. +- */ +- cpu_relax(); +- goto retry; +- } +- return idx; +-} +- + bool mlx5_cmd_is_down(struct mlx5_core_dev *dev) + { + return pci_channel_offline(dev->pdev) || +@@ -930,7 +911,7 @@ static void cmd_work_handler(struct work + sem = ent->page_queue ? &cmd->pages_sem : &cmd->sem; + down(sem); + if (!ent->page_queue) { +- alloc_ret = cmd_alloc_index_retry(cmd); ++ alloc_ret = cmd_alloc_index(cmd); + if (alloc_ret < 0) { + mlx5_core_err_rl(dev, "failed to allocate command entry\n"); + if (ent->callback) { diff --git a/patches.suse/USB-Fix-slab-out-of-bounds-Write-bug-in-usb_hcd_poll.patch b/patches.suse/USB-Fix-slab-out-of-bounds-Write-bug-in-usb_hcd_poll.patch new file mode 100644 index 0000000..42c4fe6 --- /dev/null +++ b/patches.suse/USB-Fix-slab-out-of-bounds-Write-bug-in-usb_hcd_poll.patch @@ -0,0 +1,71 @@ +From 1d7d4c07932e04355d6e6528d44a2f2c9e354346 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Fri, 31 Dec 2021 21:07:12 -0500 +Subject: [PATCH] USB: Fix "slab-out-of-bounds Write" bug in usb_hcd_poll_rh_status +Git-commit: 1d7d4c07932e04355d6e6528d44a2f2c9e354346 +Patch-mainline: v5.17-rc1 +References: git-fixes + +When the USB core code for getting root-hub status reports was +originally written, it was assumed that the hub driver would be its +only caller. But this isn't true now; user programs can use usbfs to +communicate with root hubs and get status reports. When they do this, +they may use a transfer_buffer that is smaller than the data returned +by the HCD, which will lead to a buffer overflow error when +usb_hcd_poll_rh_status() tries to store the status data. This was +discovered by syzbot: + +Bug: KASAN: slab-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline] +Bug: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x5f4/0x780 drivers/usb/core/hcd.c:776 +Write of size 2 at addr ffff88801da403c0 by task syz-executor133/4062 + +This patch fixes the bug by reducing the amount of status data if it +won't fit in the transfer_buffer. If some data gets discarded then +the URB's completion status is set to -EOVERFLOW rather than 0, to let +the user know what happened. + +Reported-and-tested-by: syzbot+3ae6a2b06f131ab9849f@syzkaller.appspotmail.com +Signed-off-by: Alan Stern +Cc: +Link: https://lore.kernel.org/r/Yc+3UIQJ2STbxNua@rowland.harvard.edu +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/core/hcd.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c +index 9ffc63ae65ac..3e01dd6e509b 100644 +--- a/drivers/usb/core/hcd.c ++++ b/drivers/usb/core/hcd.c +@@ -753,6 +753,7 @@ void usb_hcd_poll_rh_status(struct usb_hcd *hcd) + { + struct urb *urb; + int length; ++ int status; + unsigned long flags; + char buffer[6]; /* Any root hubs with > 31 ports? */ + +@@ -770,11 +771,17 @@ void usb_hcd_poll_rh_status(struct usb_hcd *hcd) + if (urb) { + clear_bit(HCD_FLAG_POLL_PENDING, &hcd->flags); + hcd->status_urb = NULL; ++ if (urb->transfer_buffer_length >= length) { ++ status = 0; ++ } else { ++ status = -EOVERFLOW; ++ length = urb->transfer_buffer_length; ++ } + urb->actual_length = length; + memcpy(urb->transfer_buffer, buffer, length); + + usb_hcd_unlink_urb_from_ep(hcd, urb); +- usb_hcd_giveback_urb(hcd, urb, 0); ++ usb_hcd_giveback_urb(hcd, urb, status); + } else { + length = 0; + set_bit(HCD_FLAG_POLL_PENDING, &hcd->flags); +-- +2.31.1 + diff --git a/patches.suse/USB-core-Fix-bug-in-resuming-hub-s-handling-of-wakeu.patch b/patches.suse/USB-core-Fix-bug-in-resuming-hub-s-handling-of-wakeu.patch new file mode 100644 index 0000000..8f2a884 --- /dev/null +++ b/patches.suse/USB-core-Fix-bug-in-resuming-hub-s-handling-of-wakeu.patch @@ -0,0 +1,75 @@ +From 0f663729bb4afc92a9986b66131ebd5b8a9254d1 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Sat, 1 Jan 2022 14:52:14 -0500 +Subject: [PATCH] USB: core: Fix bug in resuming hub's handling of wakeup requests +Git-commit: 0f663729bb4afc92a9986b66131ebd5b8a9254d1 +Patch-mainline: v5.17-rc1 +References: git-fixes + +Bugzilla #213839 reports a 7-port hub that doesn't work properly when +devices are plugged into some of the ports; the kernel goes into an +unending disconnect/reinitialize loop as shown in the bug report. + +This "7-port hub" comprises two four-port hubs with one plugged into +the other; the failures occur when a device is plugged into one of the +downstream hub's ports. (These hubs have other problems too. For +example, they bill themselves as USB-2.0 compliant but they only run +at full speed.) + +It turns out that the failures are caused by bugs in both the kernel +and the hub. The hub's bug is that it reports a different +bmAttributes value in its configuration descriptor following a remote +wakeup (0xe0 before, 0xc0 after -- the wakeup-support bit has +changed). + +The kernel's bug is inside the hub driver's resume handler. When +hub_activate() sees that one of the hub's downstream ports got a +wakeup request from a child device, it notes this fact by setting the +corresponding bit in the hub->change_bits variable. But this variable +is meant for connection changes, not wakeup events; setting it causes +the driver to believe the downstream port has been disconnected and +then connected again (in addition to having received a wakeup +request). + +Because of this, the hub driver then tries to check whether the device +currently plugged into the downstream port is the same as the device +that had been attached there before. Normally this check succeeds and +wakeup handling continues with no harm done (which is why the bug +remained undetected until now). But with these dodgy hubs, the check +fails because the config descriptor has changed. This causes the hub +driver to reinitialize the child device, leading to the +disconnect/reinitialize loop described in the bug report. + +The proper way to note reception of a downstream wakeup request is +to set a bit in the hub->event_bits variable instead of +hub->change_bits. That way the hub driver will realize that something +has happened to the port but will not think the port and child device +have been disconnected. This patch makes that change. + +Cc: +Tested-by: Jonathan McDowell +Signed-off-by: Alan Stern +Link: https://lore.kernel.org/r/YdCw7nSfWYPKWQoD@rowland.harvard.edu +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/core/hub.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index 721794f0f494..47a1c8bddf86 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -1228,7 +1228,7 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type) + */ + if (portchange || (hub_is_superspeed(hub->hdev) && + port_resumed)) +- set_bit(port1, hub->change_bits); ++ set_bit(port1, hub->event_bits); + + } else if (udev->persist_enabled) { + #ifdef CONFIG_PM +-- +2.31.1 + diff --git a/patches.suse/atlantic-Fix-buff_ring-OOB-in-aq_ring_rx_clean.patch b/patches.suse/atlantic-Fix-buff_ring-OOB-in-aq_ring_rx_clean.patch new file mode 100644 index 0000000..2a1c2e2 --- /dev/null +++ b/patches.suse/atlantic-Fix-buff_ring-OOB-in-aq_ring_rx_clean.patch @@ -0,0 +1,83 @@ +From 5f50153288452e10b6edd69ec9112c49442b054a Mon Sep 17 00:00:00 2001 +From: Zekun Shen +Date: Sun, 26 Dec 2021 21:32:45 -0500 +Subject: [PATCH] atlantic: Fix buff_ring OOB in aq_ring_rx_clean +Git-commit: 5f50153288452e10b6edd69ec9112c49442b054a +Patch-mainline: v5.16-rc8 +References: git-fixes + +The function obtain the next buffer without boundary check. +We should return with I/O error code. + +The bug is found by fuzzing and the crash report is attached. +It is an OOB bug although reported as use-after-free. + +[ 4.804724] BUG: KASAN: use-after-free in aq_ring_rx_clean+0x1e88/0x2730 [atlantic] +[ 4.805661] Read of size 4 at addr ffff888034fe93a8 by task ksoftirqd/0/9 +[ 4.806505] +[ 4.806703] CPU: 0 PID: 9 Comm: ksoftirqd/0 Tainted: G W 5.6.0 #34 +[ 4.809030] Call Trace: +[ 4.809343] dump_stack+0x76/0xa0 +[ 4.809755] print_address_description.constprop.0+0x16/0x200 +[ 4.810455] ? aq_ring_rx_clean+0x1e88/0x2730 [atlantic] +[ 4.811234] ? aq_ring_rx_clean+0x1e88/0x2730 [atlantic] +[ 4.813183] __kasan_report.cold+0x37/0x7c +[ 4.813715] ? aq_ring_rx_clean+0x1e88/0x2730 [atlantic] +[ 4.814393] kasan_report+0xe/0x20 +[ 4.814837] aq_ring_rx_clean+0x1e88/0x2730 [atlantic] +[ 4.815499] ? hw_atl_b0_hw_ring_rx_receive+0x9a5/0xb90 [atlantic] +[ 4.816290] aq_vec_poll+0x179/0x5d0 [atlantic] +[ 4.816870] ? _GLOBAL__sub_I_65535_1_aq_pci_func_init+0x20/0x20 [atlantic] +[ 4.817746] ? __next_timer_interrupt+0xba/0xf0 +[ 4.818322] net_rx_action+0x363/0xbd0 +[ 4.818803] ? call_timer_fn+0x240/0x240 +[ 4.819302] ? __switch_to_asm+0x40/0x70 +[ 4.819809] ? napi_busy_loop+0x520/0x520 +[ 4.820324] __do_softirq+0x18c/0x634 +[ 4.820797] ? takeover_tasklets+0x5f0/0x5f0 +[ 4.821343] run_ksoftirqd+0x15/0x20 +[ 4.821804] smpboot_thread_fn+0x2f1/0x6b0 +[ 4.822331] ? smpboot_unregister_percpu_thread+0x160/0x160 +[ 4.823041] ? __kthread_parkme+0x80/0x100 +[ 4.823571] ? smpboot_unregister_percpu_thread+0x160/0x160 +[ 4.824301] kthread+0x2b5/0x3b0 +[ 4.824723] ? kthread_create_on_node+0xd0/0xd0 +[ 4.825304] ret_from_fork+0x35/0x40 + +Signed-off-by: Zekun Shen +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c +index 81b3756417ec..77e76c9efd32 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c +@@ -366,6 +366,10 @@ int aq_ring_rx_clean(struct aq_ring_s *self, + if (!buff->is_eop) { + buff_ = buff; + do { ++ if (buff_->next >= self->size) { ++ err = -EIO; ++ goto err_exit; ++ } + next_ = buff_->next, + buff_ = &self->buff_ring[next_]; + is_rsc_completed = +@@ -389,6 +393,10 @@ int aq_ring_rx_clean(struct aq_ring_s *self, + (buff->is_lro && buff->is_cso_err)) { + buff_ = buff; + do { ++ if (buff_->next >= self->size) { ++ err = -EIO; ++ goto err_exit; ++ } + next_ = buff_->next, + buff_ = &self->buff_ring[next_]; + +-- +2.31.1 + diff --git a/patches.suse/backlight-qcom-wled-Fix-off-by-one-maximum-with-defa.patch b/patches.suse/backlight-qcom-wled-Fix-off-by-one-maximum-with-defa.patch new file mode 100644 index 0000000..1853e33 --- /dev/null +++ b/patches.suse/backlight-qcom-wled-Fix-off-by-one-maximum-with-defa.patch @@ -0,0 +1,133 @@ +From 5ada78b26f935f8751852dffa24f6b545b1d2517 Mon Sep 17 00:00:00 2001 +From: Marijn Suijten +Date: Mon, 15 Nov 2021 21:34:54 +0100 +Subject: [PATCH] backlight: qcom-wled: Fix off-by-one maximum with default num_strings +Git-commit: 5ada78b26f935f8751852dffa24f6b545b1d2517 +Patch-mainline: v5.17-rc1 +References: git-fixes + +When not specifying num-strings in the DT the default is used, but +1 is +added to it which turns WLED3 into 4 and WLED4/5 into 5 strings instead +of 3 and 4 respectively, causing out-of-bounds reads and register +read/writes. This +1 exists for a deficiency in the DT parsing code, +and is simply omitted entirely - solving this oob issue - by parsing the +property separately much like qcom,enabled-strings. + +This also enables more stringent checks on the maximum value when +qcom,enabled-strings is provided in the DT, by parsing num-strings after +enabled-strings to allow it to check against (and in a subsequent patch +override) the length of enabled-strings: it is invalid to set +num-strings higher than that. +The DT currently utilizes it to get around an incorrect fixed read of +four elements from that array (has been addressed in a prior patch) by +setting a lower num-strings where desired. + +Fixes: 93c64f1ea1e8 ("leds: add Qualcomm PM8941 WLED driver") +Signed-off-by: Marijn Suijten +Reviewed-by: AngeloGioacchino Del Regno +Reviewed-by: Daniel Thompson +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/20211115203459.1634079-5-marijn.suijten@somainline.org +Acked-by: Takashi Iwai + +--- + drivers/video/backlight/qcom-wled.c | 48 ++++++++++------------------- + 1 file changed, 16 insertions(+), 32 deletions(-) + +diff --git a/drivers/video/backlight/qcom-wled.c b/drivers/video/backlight/qcom-wled.c +index 9d883e702134..ab10910971e9 100644 +--- a/drivers/video/backlight/qcom-wled.c ++++ b/drivers/video/backlight/qcom-wled.c +@@ -1255,21 +1255,6 @@ static const struct wled_var_cfg wled5_ovp_cfg = { + .size = 16, + }; + +-static u32 wled3_num_strings_values_fn(u32 idx) +-{ +- return idx + 1; +-} +- +-static const struct wled_var_cfg wled3_num_strings_cfg = { +- .fn = wled3_num_strings_values_fn, +- .size = 3, +-}; +- +-static const struct wled_var_cfg wled4_num_strings_cfg = { +- .fn = wled3_num_strings_values_fn, +- .size = 4, +-}; +- + static u32 wled3_switch_freq_values_fn(u32 idx) + { + return 19200 / (2 * (1 + idx)); +@@ -1343,11 +1328,6 @@ static int wled_configure(struct wled *wled) + .val_ptr = &cfg->switch_freq, + .cfg = &wled3_switch_freq_cfg, + }, +- { +- .name = "qcom,num-strings", +- .val_ptr = &cfg->num_strings, +- .cfg = &wled3_num_strings_cfg, +- }, + }; + + const struct wled_u32_opts wled4_opts[] = { +@@ -1371,11 +1351,6 @@ static int wled_configure(struct wled *wled) + .val_ptr = &cfg->switch_freq, + .cfg = &wled3_switch_freq_cfg, + }, +- { +- .name = "qcom,num-strings", +- .val_ptr = &cfg->num_strings, +- .cfg = &wled4_num_strings_cfg, +- }, + }; + + const struct wled_u32_opts wled5_opts[] = { +@@ -1399,11 +1374,6 @@ static int wled_configure(struct wled *wled) + .val_ptr = &cfg->switch_freq, + .cfg = &wled3_switch_freq_cfg, + }, +- { +- .name = "qcom,num-strings", +- .val_ptr = &cfg->num_strings, +- .cfg = &wled4_num_strings_cfg, +- }, + { + .name = "qcom,modulator-sel", + .val_ptr = &cfg->mod_sel, +@@ -1522,8 +1492,6 @@ static int wled_configure(struct wled *wled) + *bool_opts[i].val_ptr = true; + } + +- cfg->num_strings = cfg->num_strings + 1; +- + string_len = of_property_count_elems_of_size(dev->of_node, + "qcom,enabled-strings", + sizeof(u32)); +@@ -1554,6 +1522,22 @@ static int wled_configure(struct wled *wled) + } + } + ++ rc = of_property_read_u32(dev->of_node, "qcom,num-strings", &val); ++ if (!rc) { ++ if (val < 1 || val > wled->max_string_count) { ++ dev_err(dev, "qcom,num-strings must be between 1 and %d\n", ++ wled->max_string_count); ++ return -EINVAL; ++ } ++ ++ if (string_len > 0 && val > string_len) { ++ dev_err(dev, "qcom,num-strings exceeds qcom,enabled-strings\n"); ++ return -EINVAL; ++ } ++ ++ cfg->num_strings = val; ++ } ++ + return 0; + } + +-- +2.31.1 + diff --git a/patches.suse/backlight-qcom-wled-Override-default-length-with-qco.patch b/patches.suse/backlight-qcom-wled-Override-default-length-with-qco.patch new file mode 100644 index 0000000..e8256bd --- /dev/null +++ b/patches.suse/backlight-qcom-wled-Override-default-length-with-qco.patch @@ -0,0 +1,64 @@ +From 2b4b49602f9feca7b7a84eaa33ad9e666c8aa695 Mon Sep 17 00:00:00 2001 +From: Marijn Suijten +Date: Mon, 15 Nov 2021 21:34:55 +0100 +Subject: [PATCH] backlight: qcom-wled: Override default length with qcom,enabled-strings +Git-commit: 2b4b49602f9feca7b7a84eaa33ad9e666c8aa695 +Patch-mainline: v5.17-rc1 +References: git-fixes + +The length of qcom,enabled-strings as property array is enough to +determine the number of strings to be enabled, without needing to set +qcom,num-strings to override the default number of strings when less +than the default (which is also the maximum) is provided in DT. + +This also introduces an extra warning when qcom,num-strings is set, +denoting that it is not necessary to set both anymore. It is usually +more concise to set just qcom,num-length when a zero-based, contiguous +range of strings is needed (the majority of the cases), or to only set +qcom,enabled-strings when a specific set of indices is desired. + +Fixes: 775d2ffb4af6 ("backlight: qcom-wled: Restructure the driver for WLED3") +Signed-off-by: Marijn Suijten +Reviewed-by: AngeloGioacchino Del Regno +Reviewed-by: Daniel Thompson +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/20211115203459.1634079-6-marijn.suijten@somainline.org +Acked-by: Takashi Iwai + +--- + drivers/video/backlight/qcom-wled.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/video/backlight/qcom-wled.c b/drivers/video/backlight/qcom-wled.c +index ab10910971e9..5306b06044b4 100644 +--- a/drivers/video/backlight/qcom-wled.c ++++ b/drivers/video/backlight/qcom-wled.c +@@ -1520,6 +1520,8 @@ static int wled_configure(struct wled *wled) + return -EINVAL; + } + } ++ ++ cfg->num_strings = string_len; + } + + rc = of_property_read_u32(dev->of_node, "qcom,num-strings", &val); +@@ -1530,9 +1532,13 @@ static int wled_configure(struct wled *wled) + return -EINVAL; + } + +- if (string_len > 0 && val > string_len) { +- dev_err(dev, "qcom,num-strings exceeds qcom,enabled-strings\n"); +- return -EINVAL; ++ if (string_len > 0) { ++ dev_warn(dev, "Only one of qcom,num-strings or qcom,enabled-strings" ++ " should be set\n"); ++ if (val > string_len) { ++ dev_err(dev, "qcom,num-strings exceeds qcom,enabled-strings\n"); ++ return -EINVAL; ++ } + } + + cfg->num_strings = val; +-- +2.31.1 + diff --git a/patches.suse/backlight-qcom-wled-Pass-number-of-elements-to-read-.patch b/patches.suse/backlight-qcom-wled-Pass-number-of-elements-to-read-.patch new file mode 100644 index 0000000..feef362 --- /dev/null +++ b/patches.suse/backlight-qcom-wled-Pass-number-of-elements-to-read-.patch @@ -0,0 +1,55 @@ +From e29e24bdabfeddbf8b1a4ecac1af439a85150438 Mon Sep 17 00:00:00 2001 +From: Marijn Suijten +Date: Mon, 15 Nov 2021 21:34:52 +0100 +Subject: [PATCH] backlight: qcom-wled: Pass number of elements to read to read_u32_array +Git-commit: e29e24bdabfeddbf8b1a4ecac1af439a85150438 +Patch-mainline: v5.17-rc1 +References: git-fixes + +of_property_read_u32_array takes the number of elements to read as last +argument. This does not always need to be 4 (sizeof(u32)) but should +instead be the size of the array in DT as read just above with +of_property_count_elems_of_size. + +To not make such an error go unnoticed again the driver now bails +accordingly when of_property_read_u32_array returns an error. +Surprisingly the indentation of newlined arguments is lining up again +after prepending `rc = `. + +Fixes: 775d2ffb4af6 ("backlight: qcom-wled: Restructure the driver for WLED3") +Signed-off-by: Marijn Suijten +Reviewed-by: AngeloGioacchino Del Regno +Reviewed-by: Daniel Thompson +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/20211115203459.1634079-3-marijn.suijten@somainline.org +Acked-by: Takashi Iwai + +--- + drivers/video/backlight/qcom-wled.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/video/backlight/qcom-wled.c b/drivers/video/backlight/qcom-wled.c +index 8a42ed89c59c..d413b913fef3 100644 +--- a/drivers/video/backlight/qcom-wled.c ++++ b/drivers/video/backlight/qcom-wled.c +@@ -1535,10 +1535,15 @@ static int wled_configure(struct wled *wled) + return -EINVAL; + } + +- of_property_read_u32_array(dev->of_node, ++ rc = of_property_read_u32_array(dev->of_node, + "qcom,enabled-strings", + wled->cfg.enabled_strings, +- sizeof(u32)); ++ string_len); ++ if (rc) { ++ dev_err(dev, "Failed to read %d elements from qcom,enabled-strings: %d\n", ++ string_len, rc); ++ return rc; ++ } + + for (i = 0; i < string_len; ++i) { + if (wled->cfg.enabled_strings[i] >= wled->max_string_count) { +-- +2.31.1 + diff --git a/patches.suse/backlight-qcom-wled-Validate-enabled-string-indices-.patch b/patches.suse/backlight-qcom-wled-Validate-enabled-string-indices-.patch new file mode 100644 index 0000000..684e5af --- /dev/null +++ b/patches.suse/backlight-qcom-wled-Validate-enabled-string-indices-.patch @@ -0,0 +1,60 @@ +From c05b21ebc5bce3ecc78c2c71afd76d92c790a2ac Mon Sep 17 00:00:00 2001 +From: Marijn Suijten +Date: Mon, 15 Nov 2021 21:34:51 +0100 +Subject: [PATCH] backlight: qcom-wled: Validate enabled string indices in DT +Git-commit: c05b21ebc5bce3ecc78c2c71afd76d92c790a2ac +Patch-mainline: v5.17-rc1 +References: git-fixes + +The strings passed in DT may possibly cause out-of-bounds register +accesses and should be validated before use. + +Fixes: 775d2ffb4af6 ("backlight: qcom-wled: Restructure the driver for WLED3") +Signed-off-by: Marijn Suijten +Reviewed-by: AngeloGioacchino Del Regno +Reviewed-by: Daniel Thompson +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/20211115203459.1634079-2-marijn.suijten@somainline.org +Acked-by: Takashi Iwai + +--- + drivers/video/backlight/qcom-wled.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/drivers/video/backlight/qcom-wled.c b/drivers/video/backlight/qcom-wled.c +index d094299c2a48..8a42ed89c59c 100644 +--- a/drivers/video/backlight/qcom-wled.c ++++ b/drivers/video/backlight/qcom-wled.c +@@ -1528,12 +1528,28 @@ static int wled_configure(struct wled *wled) + string_len = of_property_count_elems_of_size(dev->of_node, + "qcom,enabled-strings", + sizeof(u32)); +- if (string_len > 0) ++ if (string_len > 0) { ++ if (string_len > wled->max_string_count) { ++ dev_err(dev, "Cannot have more than %d strings\n", ++ wled->max_string_count); ++ return -EINVAL; ++ } ++ + of_property_read_u32_array(dev->of_node, + "qcom,enabled-strings", + wled->cfg.enabled_strings, + sizeof(u32)); + ++ for (i = 0; i < string_len; ++i) { ++ if (wled->cfg.enabled_strings[i] >= wled->max_string_count) { ++ dev_err(dev, ++ "qcom,enabled-strings index %d at %d is out of bounds\n", ++ wled->cfg.enabled_strings[i], i); ++ return -EINVAL; ++ } ++ } ++ } ++ + return 0; + } + +-- +2.31.1 + diff --git a/patches.suse/batman-adv-mcast-don-t-send-link-local-multicast-to-.patch b/patches.suse/batman-adv-mcast-don-t-send-link-local-multicast-to-.patch new file mode 100644 index 0000000..215e576 --- /dev/null +++ b/patches.suse/batman-adv-mcast-don-t-send-link-local-multicast-to-.patch @@ -0,0 +1,188 @@ +From 938f2e0b57ffe8a6df71e1e177b2978b1b33fe5e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Linus=20L=C3=BCssing?= +Date: Sat, 1 Jan 2022 06:27:13 +0100 +Subject: [PATCH] batman-adv: mcast: don't send link-local multicast to mcast routers +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 938f2e0b57ffe8a6df71e1e177b2978b1b33fe5e +Patch-mainline: v5.16 +References: git-fixes + +The addition of routable multicast TX handling introduced a +bug/regression for packets with a link-local multicast destination: +These packets would be sent to all batman-adv nodes with a multicast +router and to all batman-adv nodes with an old version without multicast +router detection. + +This even disregards the batman-adv multicast fanout setting, which can +potentially lead to an unwanted, high number of unicast transmissions or +even congestion. + +Fixing this by avoiding to send link-local multicast packets to nodes in +the multicast router list. + +Fixes: 11d458c1cb9b ("batman-adv: mcast: apply optimizations for routable packets, too") +Signed-off-by: Linus Lüssing +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Acked-by: Takashi Iwai + +--- + net/batman-adv/multicast.c | 15 ++++++++++----- + net/batman-adv/multicast.h | 10 ++++++---- + net/batman-adv/soft-interface.c | 7 +++++-- + 3 files changed, 21 insertions(+), 11 deletions(-) + +diff --git a/net/batman-adv/multicast.c b/net/batman-adv/multicast.c +index 433901dcf0c3..f4004cf0ff6f 100644 +--- a/net/batman-adv/multicast.c ++++ b/net/batman-adv/multicast.c +@@ -1339,6 +1339,7 @@ batadv_mcast_forw_rtr_node_get(struct batadv_priv *bat_priv, + * @bat_priv: the bat priv with all the soft interface information + * @skb: The multicast packet to check + * @orig: an originator to be set to forward the skb to ++ * @is_routable: stores whether the destination is routable + * + * Return: the forwarding mode as enum batadv_forw_mode and in case of + * BATADV_FORW_SINGLE set the orig to the single originator the skb +@@ -1346,17 +1347,16 @@ batadv_mcast_forw_rtr_node_get(struct batadv_priv *bat_priv, + */ + enum batadv_forw_mode + batadv_mcast_forw_mode(struct batadv_priv *bat_priv, struct sk_buff *skb, +- struct batadv_orig_node **orig) ++ struct batadv_orig_node **orig, int *is_routable) + { + int ret, tt_count, ip_count, unsnoop_count, total_count; + bool is_unsnoopable = false; + unsigned int mcast_fanout; + struct ethhdr *ethhdr; +- int is_routable = 0; + int rtr_count = 0; + + ret = batadv_mcast_forw_mode_check(bat_priv, skb, &is_unsnoopable, +- &is_routable); ++ is_routable); + if (ret == -ENOMEM) + return BATADV_FORW_NONE; + else if (ret < 0) +@@ -1369,7 +1369,7 @@ batadv_mcast_forw_mode(struct batadv_priv *bat_priv, struct sk_buff *skb, + ip_count = batadv_mcast_forw_want_all_ip_count(bat_priv, ethhdr); + unsnoop_count = !is_unsnoopable ? 0 : + atomic_read(&bat_priv->mcast.num_want_all_unsnoopables); +- rtr_count = batadv_mcast_forw_rtr_count(bat_priv, is_routable); ++ rtr_count = batadv_mcast_forw_rtr_count(bat_priv, *is_routable); + + total_count = tt_count + ip_count + unsnoop_count + rtr_count; + +@@ -1689,6 +1689,7 @@ batadv_mcast_forw_want_rtr(struct batadv_priv *bat_priv, + * @bat_priv: the bat priv with all the soft interface information + * @skb: the multicast packet to transmit + * @vid: the vlan identifier ++ * @is_routable: stores whether the destination is routable + * + * Sends copies of a frame with multicast destination to any node that signaled + * interest in it, that is either via the translation table or the according +@@ -1701,7 +1702,7 @@ batadv_mcast_forw_want_rtr(struct batadv_priv *bat_priv, + * is neither IPv4 nor IPv6. NET_XMIT_SUCCESS otherwise. + */ + int batadv_mcast_forw_send(struct batadv_priv *bat_priv, struct sk_buff *skb, +- unsigned short vid) ++ unsigned short vid, int is_routable) + { + int ret; + +@@ -1717,12 +1718,16 @@ int batadv_mcast_forw_send(struct batadv_priv *bat_priv, struct sk_buff *skb, + return ret; + } + ++ if (!is_routable) ++ goto skip_mc_router; ++ + ret = batadv_mcast_forw_want_rtr(bat_priv, skb, vid); + if (ret != NET_XMIT_SUCCESS) { + kfree_skb(skb); + return ret; + } + ++skip_mc_router: + consume_skb(skb); + return ret; + } +diff --git a/net/batman-adv/multicast.h b/net/batman-adv/multicast.h +index 9fee5da08311..8aec818d0bf6 100644 +--- a/net/batman-adv/multicast.h ++++ b/net/batman-adv/multicast.h +@@ -43,7 +43,8 @@ enum batadv_forw_mode { + + enum batadv_forw_mode + batadv_mcast_forw_mode(struct batadv_priv *bat_priv, struct sk_buff *skb, +- struct batadv_orig_node **mcast_single_orig); ++ struct batadv_orig_node **mcast_single_orig, ++ int *is_routable); + + int batadv_mcast_forw_send_orig(struct batadv_priv *bat_priv, + struct sk_buff *skb, +@@ -51,7 +52,7 @@ int batadv_mcast_forw_send_orig(struct batadv_priv *bat_priv, + struct batadv_orig_node *orig_node); + + int batadv_mcast_forw_send(struct batadv_priv *bat_priv, struct sk_buff *skb, +- unsigned short vid); ++ unsigned short vid, int is_routable); + + void batadv_mcast_init(struct batadv_priv *bat_priv); + +@@ -68,7 +69,8 @@ void batadv_mcast_purge_orig(struct batadv_orig_node *orig_node); + + static inline enum batadv_forw_mode + batadv_mcast_forw_mode(struct batadv_priv *bat_priv, struct sk_buff *skb, +- struct batadv_orig_node **mcast_single_orig) ++ struct batadv_orig_node **mcast_single_orig, ++ int *is_routable) + { + return BATADV_FORW_ALL; + } +@@ -85,7 +87,7 @@ batadv_mcast_forw_send_orig(struct batadv_priv *bat_priv, + + static inline int + batadv_mcast_forw_send(struct batadv_priv *bat_priv, struct sk_buff *skb, +- unsigned short vid) ++ unsigned short vid, int is_routable) + { + kfree_skb(skb); + return NET_XMIT_DROP; +diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c +index 7ee09337fc40..2dbbe6c19609 100644 +--- a/net/batman-adv/soft-interface.c ++++ b/net/batman-adv/soft-interface.c +@@ -198,6 +198,7 @@ static netdev_tx_t batadv_interface_tx(struct sk_buff *skb, + int gw_mode; + enum batadv_forw_mode forw_mode = BATADV_FORW_SINGLE; + struct batadv_orig_node *mcast_single_orig = NULL; ++ int mcast_is_routable = 0; + int network_offset = ETH_HLEN; + __be16 proto; + +@@ -300,7 +301,8 @@ static netdev_tx_t batadv_interface_tx(struct sk_buff *skb, + send: + if (do_bcast && !is_broadcast_ether_addr(ethhdr->h_dest)) { + forw_mode = batadv_mcast_forw_mode(bat_priv, skb, +- &mcast_single_orig); ++ &mcast_single_orig, ++ &mcast_is_routable); + if (forw_mode == BATADV_FORW_NONE) + goto dropped; + +@@ -359,7 +361,8 @@ static netdev_tx_t batadv_interface_tx(struct sk_buff *skb, + ret = batadv_mcast_forw_send_orig(bat_priv, skb, vid, + mcast_single_orig); + } else if (forw_mode == BATADV_FORW_SOME) { +- ret = batadv_mcast_forw_send(bat_priv, skb, vid); ++ ret = batadv_mcast_forw_send(bat_priv, skb, vid, ++ mcast_is_routable); + } else { + if (batadv_dat_snoop_outgoing_arp_request(bat_priv, + skb)) +-- +2.31.1 + diff --git a/patches.suse/blk-cgroup-synchronize-blkg-creation-against-policy-.patch b/patches.suse/blk-cgroup-synchronize-blkg-creation-against-policy-.patch new file mode 100644 index 0000000..9f2d503 --- /dev/null +++ b/patches.suse/blk-cgroup-synchronize-blkg-creation-against-policy-.patch @@ -0,0 +1,156 @@ +From 0c9d338c8443b06da8e8d3bfce824c5ea6d3488f Mon Sep 17 00:00:00 2001 +From: Yu Kuai +Date: Wed, 20 Oct 2021 09:40:36 +0800 +Subject: [PATCH] blk-cgroup: synchronize blkg creation against policy + deactivation +Git-commit: 0c9d338c8443b06da8e8d3bfce824c5ea6d3488f +Patch-mainline: v5.16-rc1 +References: bsc#1194584 + +Our test reports a null pointer dereference: + +[ 168.534653] ================================================================== +[ 168.535614] Disabling lock debugging due to kernel taint +[ 168.536346] BUG: kernel NULL pointer dereference, address: 0000000000000008 +[ 168.537274] #PF: supervisor read access in kernel mode +[ 168.537964] #PF: error_code(0x0000) - not-present page +[ 168.538667] PGD 0 P4D 0 +[ 168.539025] Oops: 0000 [#1] PREEMPT SMP KASAN +[ 168.539656] CPU: 13 PID: 759 Comm: bash Tainted: G B 5.15.0-rc2-next-202100 +[ 168.540954] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_0738364 +[ 168.542736] RIP: 0010:bfq_pd_init+0x88/0x1e0 +[ 168.543318] Code: 98 00 00 00 e8 c9 e4 5b ff 4c 8b 65 00 49 8d 7c 24 08 e8 bb e4 5b ff 4d0 +[ 168.545803] RSP: 0018:ffff88817095f9c0 EFLAGS: 00010002 +[ 168.546497] RAX: 0000000000000001 RBX: ffff888101a1c000 RCX: 0000000000000000 +[ 168.547438] RDX: 0000000000000003 RSI: 0000000000000002 RDI: ffff888106553428 +[ 168.548402] RBP: ffff888106553400 R08: ffffffff961bcaf4 R09: 0000000000000001 +[ 168.549365] R10: ffffffffa2e16c27 R11: fffffbfff45c2d84 R12: 0000000000000000 +[ 168.550291] R13: ffff888101a1c098 R14: ffff88810c7a08c8 R15: ffffffffa55541a0 +[ 168.551221] FS: 00007fac75227700(0000) GS:ffff88839ba80000(0000) knlGS:0000000000000000 +[ 168.552278] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 168.553040] CR2: 0000000000000008 CR3: 0000000165ce7000 CR4: 00000000000006e0 +[ 168.554000] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 168.554929] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 168.555888] Call Trace: +[ 168.556221] +[ 168.556510] blkg_create+0x1c0/0x8c0 +[ 168.556989] blkg_conf_prep+0x574/0x650 +[ 168.557502] ? stack_trace_save+0x99/0xd0 +[ 168.558033] ? blkcg_conf_open_bdev+0x1b0/0x1b0 +[ 168.558629] tg_set_conf.constprop.0+0xb9/0x280 +[ 168.559231] ? kasan_set_track+0x29/0x40 +[ 168.559758] ? kasan_set_free_info+0x30/0x60 +[ 168.560344] ? tg_set_limit+0xae0/0xae0 +[ 168.560853] ? do_sys_openat2+0x33b/0x640 +[ 168.561383] ? do_sys_open+0xa2/0x100 +[ 168.561877] ? __x64_sys_open+0x4e/0x60 +[ 168.562383] ? __kasan_check_write+0x20/0x30 +[ 168.562951] ? copyin+0x48/0x70 +[ 168.563390] ? _copy_from_iter+0x234/0x9e0 +[ 168.563948] tg_set_conf_u64+0x17/0x20 +[ 168.564467] cgroup_file_write+0x1ad/0x380 +[ 168.565014] ? cgroup_file_poll+0x80/0x80 +[ 168.565568] ? __mutex_lock_slowpath+0x30/0x30 +[ 168.566165] ? pgd_free+0x100/0x160 +[ 168.566649] kernfs_fop_write_iter+0x21d/0x340 +[ 168.567246] ? cgroup_file_poll+0x80/0x80 +[ 168.567796] new_sync_write+0x29f/0x3c0 +[ 168.568314] ? new_sync_read+0x410/0x410 +[ 168.568840] ? __handle_mm_fault+0x1c97/0x2d80 +[ 168.569425] ? copy_page_range+0x2b10/0x2b10 +[ 168.570007] ? _raw_read_lock_bh+0xa0/0xa0 +[ 168.570622] vfs_write+0x46e/0x630 +[ 168.571091] ksys_write+0xcd/0x1e0 +[ 168.571563] ? __x64_sys_read+0x60/0x60 +[ 168.572081] ? __kasan_check_write+0x20/0x30 +[ 168.572659] ? do_user_addr_fault+0x446/0xff0 +[ 168.573264] __x64_sys_write+0x46/0x60 +[ 168.573774] do_syscall_64+0x35/0x80 +[ 168.574264] entry_SYSCALL_64_after_hwframe+0x44/0xae +[ 168.574960] RIP: 0033:0x7fac74915130 +[ 168.575456] Code: 73 01 c3 48 8b 0d 58 ed 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 444 +[ 168.577969] RSP: 002b:00007ffc3080e288 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +[ 168.578986] RAX: ffffffffffffffda RBX: 0000000000000009 RCX: 00007fac74915130 +[ 168.579937] RDX: 0000000000000009 RSI: 000056007669f080 RDI: 0000000000000001 +[ 168.580884] RBP: 000056007669f080 R08: 000000000000000a R09: 00007fac75227700 +[ 168.581841] R10: 000056007655c8f0 R11: 0000000000000246 R12: 0000000000000009 +[ 168.582796] R13: 0000000000000001 R14: 00007fac74be55e0 R15: 00007fac74be08c0 +[ 168.583757] +[ 168.584063] Modules linked in: +[ 168.584494] CR2: 0000000000000008 +[ 168.584964] ---[ end trace 2475611ad0f77a1a ]--- + +This is because blkg_alloc() is called from blkg_conf_prep() without +holding 'q->queue_lock', and elevator is exited before blkg_create(): + +thread 1 thread 2 +blkg_conf_prep + spin_lock_irq(&q->queue_lock); + blkg_lookup_check -> return NULL + spin_unlock_irq(&q->queue_lock); + + blkg_alloc + blkcg_policy_enabled -> true + pd = ->pd_alloc_fn + blkg->pd[i] = pd + blk_mq_exit_sched + bfq_exit_queue + blkcg_deactivate_policy + spin_lock_irq(&q->queue_lock); + __clear_bit(pol->plid, q->blkcg_pols); + spin_unlock_irq(&q->queue_lock); + q->elevator = NULL; + spin_lock_irq(&q->queue_lock); + blkg_create + if (blkg->pd[i]) + ->pd_init_fn -> q->elevator is NULL + spin_unlock_irq(&q->queue_lock); + +Because blkcg_deactivate_policy() requires queue to be frozen, we can +grab q_usage_counter to synchoronize blkg_conf_prep() against +blkcg_deactivate_policy(). + +Fixes: e21b7a0b9887 ("block, bfq: add full hierarchical scheduling and cgroups support") +Signed-off-by: Yu Kuai +Acked-by: Tejun Heo +Link: https://lore.kernel.org/r/20211020014036.2141723-1-yukuai3@huawei.com +Signed-off-by: Jens Axboe +Acked-by: Jan Kara + +--- + block/blk-cgroup.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/block/blk-cgroup.c ++++ b/block/blk-cgroup.c +@@ -818,6 +818,14 @@ int blkg_conf_prep(struct blkcg *blkcg, + + q = disk->queue; + ++ /* ++ * blkcg_deactivate_policy() requires queue to be frozen, we can grab ++ * q_usage_counter to prevent concurrent with blkcg_deactivate_policy(). ++ */ ++ ret = blk_queue_enter(q, 0); ++ if (ret) ++ return ret; ++ + rcu_read_lock(); + spin_lock_irq(&q->queue_lock); + +@@ -878,6 +886,7 @@ int blkg_conf_prep(struct blkcg *blkcg, + goto success; + } + success: ++ blk_queue_exit(q); + ctx->disk = disk; + ctx->blkg = blkg; + ctx->body = input; +@@ -887,6 +896,7 @@ fail_unlock: + spin_unlock_irq(&q->queue_lock); + rcu_read_unlock(); + fail: ++ blk_queue_exit(q); + put_disk_and_module(disk); + /* + * If queue was bypassing, we should retry. Do so after a diff --git a/patches.suse/block-fix-ioprio_get-IOPRIO_WHO_PGRP-vs-setuid-2.patch b/patches.suse/block-fix-ioprio_get-IOPRIO_WHO_PGRP-vs-setuid-2.patch new file mode 100644 index 0000000..a1deb4f --- /dev/null +++ b/patches.suse/block-fix-ioprio_get-IOPRIO_WHO_PGRP-vs-setuid-2.patch @@ -0,0 +1,48 @@ +From e6a59aac8a8713f335a37d762db0dbe80e7f6d38 Mon Sep 17 00:00:00 2001 +From: Davidlohr Bueso +Date: Fri, 10 Dec 2021 10:20:58 -0800 +Subject: [PATCH] block: fix ioprio_get(IOPRIO_WHO_PGRP) vs setuid(2) +Git-commit: e6a59aac8a8713f335a37d762db0dbe80e7f6d38 +Patch-mainline: v5.16-rc5 +References: bsc#1194586 + +do_each_pid_thread(PIDTYPE_PGID) can race with a concurrent +change_pid(PIDTYPE_PGID) that can move the task from one hlist +to another while iterating. Serialize ioprio_get to take +the tasklist_lock in this case, just like it's set counterpart. + +Fixes: d69b78ba1de (ioprio: grab rcu_read_lock in sys_ioprio_{set,get}()) +Acked-by: Oleg Nesterov +Signed-off-by: Davidlohr Bueso +Link: https://lore.kernel.org/r/20211210182058.43417-1-dave@stgolabs.net +Signed-off-by: Jens Axboe +Acked-by: Jan Kara + +--- + block/ioprio.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/block/ioprio.c b/block/ioprio.c +index 313c14a70bbd..6f01d35a5145 100644 +--- a/block/ioprio.c ++++ b/block/ioprio.c +@@ -220,6 +220,7 @@ SYSCALL_DEFINE2(ioprio_get, int, which, int, who) + pgrp = task_pgrp(current); + else + pgrp = find_vpid(who); ++ read_lock(&tasklist_lock); + do_each_pid_thread(pgrp, PIDTYPE_PGID, p) { + tmpio = get_task_ioprio(p); + if (tmpio < 0) +@@ -229,6 +230,8 @@ SYSCALL_DEFINE2(ioprio_get, int, which, int, who) + else + ret = ioprio_best(ret, tmpio); + } while_each_pid_thread(pgrp, PIDTYPE_PGID, p); ++ read_unlock(&tasklist_lock); ++ + break; + case IOPRIO_WHO_USER: + uid = make_kuid(current_user_ns(), who); +-- +2.31.1 + diff --git a/patches.suse/block-remove-the-bd_block_size-field-from-struct-blo.patch b/patches.suse/block-remove-the-bd_block_size-field-from-struct-blo.patch index 00d59d9..e1e44b9 100644 --- a/patches.suse/block-remove-the-bd_block_size-field-from-struct-blo.patch +++ b/patches.suse/block-remove-the-bd_block_size-field-from-struct-blo.patch @@ -14,29 +14,27 @@ Reviewed-by: Johannes Thumshirn Signed-off-by: Christoph Hellwig Signed-off-by: Jens Axboe Acked-by: Hannes Reinecke +[dwagner: dropped set_init_blocksize recalculation, gets reverted by + 8dc932d3e8af ("Revert "block: simplify set_init_blocksize + " to regain lost performance")] +Signed-off-by: Daniel Wagner --- - fs/block_dev.c | 9 ++------- - include/linux/blk_types.h | 1 - - include/linux/blkdev.h | 2 +- - 3 files changed, 3 insertions(+), 9 deletions(-) + fs/block_dev.c | 5 +---- + include/linux/blk_types.h | 1 - + include/linux/blkdev.h | 2 +- + 3 files changed, 2 insertions(+), 6 deletions(-) -diff --git a/fs/block_dev.c b/fs/block_dev.c -index 8b7a9c76d33e..06d31e459048 100644 --- a/fs/block_dev.c +++ b/fs/block_dev.c -@@ -105,10 +105,7 @@ EXPORT_SYMBOL(invalidate_bdev); - - static void set_init_blocksize(struct block_device *bdev) - { -- unsigned bsize = bdev_logical_block_size(bdev); -- +@@ -113,7 +113,6 @@ static void set_init_blocksize(struct bl + break; + bsize <<= 1; + } - bdev->bd_block_size = bsize; -- bdev->bd_inode->i_blkbits = blksize_bits(bsize); -+ bdev->bd_inode->i_blkbits = blksize_bits(bdev_logical_block_size(bdev)); + bdev->bd_inode->i_blkbits = blksize_bits(bsize); } - int set_blocksize(struct block_device *bdev, int size) -@@ -122,9 +119,8 @@ int set_blocksize(struct block_device *bdev, int size) +@@ -128,9 +127,8 @@ int set_blocksize(struct block_device *b return -EINVAL; /* Don't change the size if it is same as current */ @@ -47,7 +45,7 @@ index 8b7a9c76d33e..06d31e459048 100644 bdev->bd_inode->i_blkbits = blksize_bits(size); kill_bdev(bdev); } -@@ -889,7 +885,6 @@ struct block_device *bdget(dev_t dev) +@@ -898,7 +896,6 @@ struct block_device *bdget(dev_t dev) bdev->bd_contains = NULL; bdev->bd_super = NULL; bdev->bd_inode = inode; @@ -55,8 +53,6 @@ index 8b7a9c76d33e..06d31e459048 100644 bdev->bd_part_count = 0; bdev->bd_invalidated = 0; inode->i_mode = S_IFBLK; -diff --git a/include/linux/blk_types.h b/include/linux/blk_types.h -index a602132cbe32..b01cd19bbe8a 100644 --- a/include/linux/blk_types.h +++ b/include/linux/blk_types.h @@ -33,7 +33,6 @@ struct block_device { @@ -67,11 +63,9 @@ index a602132cbe32..b01cd19bbe8a 100644 u8 bd_partno; struct hd_struct * bd_part; /* number of times partitions within this device have been opened. */ -diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h -index 1cc913ffdbe2..408eb66a82fd 100644 --- a/include/linux/blkdev.h +++ b/include/linux/blkdev.h -@@ -1543,7 +1543,7 @@ static inline unsigned int blksize_bits(unsigned int size) +@@ -1543,7 +1543,7 @@ static inline unsigned int blksize_bits( static inline unsigned int block_size(struct block_device *bdev) { @@ -80,6 +74,3 @@ index 1cc913ffdbe2..408eb66a82fd 100644 } int kblockd_schedule_work(struct work_struct *work); --- -2.16.4 - diff --git a/patches.suse/block-simplify-set_init_blocksize.patch b/patches.suse/block-simplify-set_init_blocksize.patch deleted file mode 100644 index 2849575..0000000 --- a/patches.suse/block-simplify-set_init_blocksize.patch +++ /dev/null @@ -1,39 +0,0 @@ -From: Christoph Hellwig -Date: Fri, 26 Jun 2020 10:01:54 +0200 -Subject: [PATCH] block: simplify set_init_blocksize -Git-commit: 5ff9f19231a0e670b3d79c563f1b0b185abeca91 -Patch-mainline: v5.9-rc1 -References: bsc#1175995,jsc#SLE-15608 - -The loop to increase the initial block size doesn't really make any -sense, as the AND operation won't match for powers of two if it didn't -for the initial block size. - -Signed-off-by: Christoph Hellwig -Signed-off-by: Jens Axboe -Acked-by: Hannes Reinecke ---- - fs/block_dev.c | 6 ------ - 1 file changed, 6 deletions(-) - -diff --git a/fs/block_dev.c b/fs/block_dev.c -index 0e0d43dc27d3..8b7a9c76d33e 100644 ---- a/fs/block_dev.c -+++ b/fs/block_dev.c -@@ -106,13 +106,7 @@ EXPORT_SYMBOL(invalidate_bdev); - static void set_init_blocksize(struct block_device *bdev) - { - unsigned bsize = bdev_logical_block_size(bdev); -- loff_t size = i_size_read(bdev->bd_inode); - -- while (bsize < PAGE_SIZE) { -- if (size & bsize) -- break; -- bsize <<= 1; -- } - bdev->bd_block_size = bsize; - bdev->bd_inode->i_blkbits = blksize_bits(bsize); - } --- -2.16.4 - diff --git a/patches.suse/can-gs_usb-fix-use-of-uninitialized-variable-detach-.patch b/patches.suse/can-gs_usb-fix-use-of-uninitialized-variable-detach-.patch new file mode 100644 index 0000000..2ebabb2 --- /dev/null +++ b/patches.suse/can-gs_usb-fix-use-of-uninitialized-variable-detach-.patch @@ -0,0 +1,56 @@ +From 4a8737ff068724f509d583fef404d349adba80d6 Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Fri, 10 Dec 2021 10:03:09 +0100 +Subject: [PATCH] can: gs_usb: fix use of uninitialized variable, detach device on reception of invalid USB data +Git-commit: 4a8737ff068724f509d583fef404d349adba80d6 +Patch-mainline: v5.17-rc1 +References: git-fixes + +The received data contains the channel the received data is associated +with. If the channel number is bigger than the actual number of +channels assume broken or malicious USB device and shut it down. + +This fixes the error found by clang: + +| drivers/net/can/usb/gs_usb.c:386:6: error: variable 'dev' is used +| uninitialized whenever 'if' condition is true +| if (hf->channel >= GS_MAX_INTF) +| ^~~~~~~~~~~~~~~~~~~~~~~~~~ +| drivers/net/can/usb/gs_usb.c:474:10: note: uninitialized use occurs here +| hf, dev->gs_hf_size, gs_usb_receive_bulk_callback, +| ^~~ + +Link: https://lore.kernel.org/all/20211210091158.408326-1-mkl@pengutronix.de +Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices") +Cc: stable@vger.kernel.org +Signed-off-by: Marc Kleine-Budde +Acked-by: Takashi Iwai + +--- + drivers/net/can/usb/gs_usb.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c +index 1b400de00f51..d7ce2c5956f4 100644 +--- a/drivers/net/can/usb/gs_usb.c ++++ b/drivers/net/can/usb/gs_usb.c +@@ -321,7 +321,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb) + + /* device reports out of range channel id */ + if (hf->channel >= GS_MAX_INTF) +- goto resubmit_urb; ++ goto device_detach; + + dev = usbcan->canch[hf->channel]; + +@@ -406,6 +406,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb) + + /* USB failure take down all interfaces */ + if (rc == -ENODEV) { ++ device_detach: + for (rc = 0; rc < GS_MAX_INTF; rc++) { + if (usbcan->canch[rc]) + netif_device_detach(usbcan->canch[rc]->netdev); +-- +2.31.1 + diff --git a/patches.suse/can-gs_usb-gs_can_start_xmit-zero-initialize-hf-flag.patch b/patches.suse/can-gs_usb-gs_can_start_xmit-zero-initialize-hf-flag.patch new file mode 100644 index 0000000..60e6b38 --- /dev/null +++ b/patches.suse/can-gs_usb-gs_can_start_xmit-zero-initialize-hf-flag.patch @@ -0,0 +1,44 @@ +From 89d58aebe14a365c25ba6645414afdbf4e41cea4 Mon Sep 17 00:00:00 2001 +From: Brian Silverman +Date: Wed, 5 Jan 2022 16:29:50 -0800 +Subject: [PATCH] can: gs_usb: gs_can_start_xmit(): zero-initialize hf->{flags,reserved} +Git-commit: 89d58aebe14a365c25ba6645414afdbf4e41cea4 +Patch-mainline: v5.17-rc1 +References: git-fixes + +No information is deliberately sent in hf->flags in host -> device +communications, but the open-source candleLight firmware echoes it +back, which can result in the GS_CAN_FLAG_OVERFLOW flag being set and +generating spurious ERRORFRAMEs. + +While there also initialize the reserved member with 0. + +Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices") +Link: https://lore.kernel.org/all/20220106002952.25883-1-brian.silverman@bluerivertech.com +Link: https://github.com/candle-usb/candleLight_fw/issues/87 +Cc: stable@vger.kernel.org +Signed-off-by: Brian Silverman +[mkl: initialize the reserved member, too] +Signed-off-by: Marc Kleine-Budde +Acked-by: Takashi Iwai + +--- + drivers/net/can/usb/gs_usb.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c +index d7ce2c5956f4..4d43aca2ff56 100644 +--- a/drivers/net/can/usb/gs_usb.c ++++ b/drivers/net/can/usb/gs_usb.c +@@ -508,6 +508,8 @@ static netdev_tx_t gs_can_start_xmit(struct sk_buff *skb, + + hf->echo_id = idx; + hf->channel = dev->channel; ++ hf->flags = 0; ++ hf->reserved = 0; + + cf = (struct can_frame *)skb->data; + +-- +2.31.1 + diff --git a/patches.suse/can-softing-softing_startstop-fix-set-but-not-used-v.patch b/patches.suse/can-softing-softing_startstop-fix-set-but-not-used-v.patch new file mode 100644 index 0000000..2cc8875 --- /dev/null +++ b/patches.suse/can-softing-softing_startstop-fix-set-but-not-used-v.patch @@ -0,0 +1,62 @@ +From 370d988cc529598ebaec6487d4f84c2115dc696b Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Sat, 8 Jan 2022 21:57:51 +0100 +Subject: [PATCH] can: softing: softing_startstop(): fix set but not used variable warning +Git-commit: 370d988cc529598ebaec6487d4f84c2115dc696b +Patch-mainline: v5.17-rc1 +References: git-fixes + +In the function softing_startstop() the variable error_reporting is +assigned but not used. The code that uses this variable is commented +out. Its stated that the functionality is not finally verified. + +To fix the warning: + +| drivers/net/can/softing/softing_fw.c:424:9: error: variable 'error_reporting' set but not used [-Werror,-Wunused-but-set-variable] + +remove the comment, activate the code, but add a "0 &&" to the if +expression and rely on the optimizer rather than the preprocessor to +remove the code. + +Link: https://lore.kernel.org/all/20220109103126.1872833-1-mkl@pengutronix.de +Fixes: 03fd3cf5a179 ("can: add driver for Softing card") +Cc: Kurt Van Dijck +Signed-off-by: Marc Kleine-Budde +Acked-by: Takashi Iwai + +--- + drivers/net/can/softing/softing_fw.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/can/softing/softing_fw.c b/drivers/net/can/softing/softing_fw.c +index 7e1536877993..32286f861a19 100644 +--- a/drivers/net/can/softing/softing_fw.c ++++ b/drivers/net/can/softing/softing_fw.c +@@ -565,18 +565,19 @@ int softing_startstop(struct net_device *dev, int up) + if (ret < 0) + goto failed; + } +- /* enable_error_frame */ +- /* ++ ++ /* enable_error_frame ++ * + * Error reporting is switched off at the moment since + * the receiving of them is not yet 100% verified + * This should be enabled sooner or later +- * +- if (error_reporting) { ++ */ ++ if (0 && error_reporting) { + ret = softing_fct_cmd(card, 51, "enable_error_frame"); + if (ret < 0) + goto failed; + } +- */ ++ + /* initialize interface */ + iowrite16(1, &card->dpram[DPRAM_FCT_PARAM + 2]); + iowrite16(1, &card->dpram[DPRAM_FCT_PARAM + 4]); +-- +2.31.1 + diff --git a/patches.suse/can-softing_cs-softingcs_probe-fix-memleak-on-regist.patch b/patches.suse/can-softing_cs-softingcs_probe-fix-memleak-on-regist.patch new file mode 100644 index 0000000..5bc9e04 --- /dev/null +++ b/patches.suse/can-softing_cs-softingcs_probe-fix-memleak-on-regist.patch @@ -0,0 +1,41 @@ +From ced4913efb0acc844ed65cc01d091a85d83a2082 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 22 Dec 2021 11:48:43 +0100 +Subject: [PATCH] can: softing_cs: softingcs_probe(): fix memleak on registration failure +Git-commit: ced4913efb0acc844ed65cc01d091a85d83a2082 +Patch-mainline: v5.17-rc1 +References: git-fixes + +In case device registration fails during probe, the driver state and +the embedded platform device structure needs to be freed using +platform_device_put() to properly free all resources (e.g. the device +name). + +Fixes: 0a0b7a5f7a04 ("can: add driver for Softing card") +Link: https://lore.kernel.org/all/20211222104843.6105-1-johan@kernel.org +Cc: stable@vger.kernel.org # 2.6.38 +Signed-off-by: Johan Hovold +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Marc Kleine-Budde +Acked-by: Takashi Iwai + +--- + drivers/net/can/softing/softing_cs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/can/softing/softing_cs.c b/drivers/net/can/softing/softing_cs.c +index 2e93ee792373..e5c939b63fa6 100644 +--- a/drivers/net/can/softing/softing_cs.c ++++ b/drivers/net/can/softing/softing_cs.c +@@ -293,7 +293,7 @@ static int softingcs_probe(struct pcmcia_device *pcmcia) + return 0; + + platform_failed: +- kfree(dev); ++ platform_device_put(pdev); + mem_failed: + pcmcia_bad: + pcmcia_failed: +-- +2.31.1 + diff --git a/patches.suse/can-usb_8dev-remove-unused-member-echo_skb-from-stru.patch b/patches.suse/can-usb_8dev-remove-unused-member-echo_skb-from-stru.patch new file mode 100644 index 0000000..559cdea --- /dev/null +++ b/patches.suse/can-usb_8dev-remove-unused-member-echo_skb-from-stru.patch @@ -0,0 +1,36 @@ +From 617dbee5c7acfa0a884a423e93fc4dede8e6d4de Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Sun, 12 Dec 2021 15:56:01 +0100 +Subject: [PATCH] can: usb_8dev: remove unused member echo_skb from struct usb_8dev_priv +Git-commit: 617dbee5c7acfa0a884a423e93fc4dede8e6d4de +Patch-mainline: v5.17-rc1 +References: git-fixes + +This patch removes the unused memberecho_skb from the struct +usb_8dev_priv. + +Fixes: 0024d8ad1639 ("can: usb_8dev: Add support for USB2CAN interface from 8 devices") +Link: https://lore.kernel.org/all/20220104230753.956520-1-mkl@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Acked-by: Takashi Iwai + +--- + drivers/net/can/usb/usb_8dev.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/net/can/usb/usb_8dev.c b/drivers/net/can/usb/usb_8dev.c +index d1b83bd1b3cb..1fa02905e7ec 100644 +--- a/drivers/net/can/usb/usb_8dev.c ++++ b/drivers/net/can/usb/usb_8dev.c +@@ -121,8 +121,6 @@ struct usb_8dev_tx_urb_context { + struct usb_8dev_priv { + struct can_priv can; /* must be the first member */ + +- struct sk_buff *echo_skb[MAX_TX_URBS]; +- + struct usb_device *udev; + struct net_device *netdev; + +-- +2.31.1 + diff --git a/patches.suse/can-xilinx_can-xcan_probe-check-for-error-irq.patch b/patches.suse/can-xilinx_can-xcan_probe-check-for-error-irq.patch new file mode 100644 index 0000000..f30be51 --- /dev/null +++ b/patches.suse/can-xilinx_can-xcan_probe-check-for-error-irq.patch @@ -0,0 +1,48 @@ +From c6564c13dae25cd7f8e1de5127b4da4500ee5844 Mon Sep 17 00:00:00 2001 +From: Jiasheng Jiang +Date: Fri, 24 Dec 2021 10:13:24 +0800 +Subject: [PATCH] can: xilinx_can: xcan_probe(): check for error irq +Git-commit: c6564c13dae25cd7f8e1de5127b4da4500ee5844 +Patch-mainline: v5.17-rc1 +References: git-fixes + +For the possible failure of the platform_get_irq(), the returned irq +could be error number and will finally cause the failure of the +request_irq(). + +Consider that platform_get_irq() can now in certain cases return +-EPROBE_DEFER, and the consequences of letting request_irq() +effectively convert that into -EINVAL, even at probe time rather than +later on. So it might be better to check just now. + +Fixes: b1201e44f50b ("can: xilinx CAN controller support") +Link: https://lore.kernel.org/all/20211224021324.1447494-1-jiasheng@iscas.ac.cn +Signed-off-by: Jiasheng Jiang +Signed-off-by: Marc Kleine-Budde +Acked-by: Takashi Iwai + +--- + drivers/net/can/xilinx_can.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/can/xilinx_can.c b/drivers/net/can/xilinx_can.c +index e2b15d29d15e..af4a2adc8598 100644 +--- a/drivers/net/can/xilinx_can.c ++++ b/drivers/net/can/xilinx_can.c +@@ -1761,7 +1761,12 @@ static int xcan_probe(struct platform_device *pdev) + spin_lock_init(&priv->tx_lock); + + /* Get IRQ for the device */ +- ndev->irq = platform_get_irq(pdev, 0); ++ ret = platform_get_irq(pdev, 0); ++ if (ret < 0) ++ goto err_free; ++ ++ ndev->irq = ret; ++ + ndev->flags |= IFF_ECHO; /* We support local echo */ + + platform_set_drvdata(pdev, ndev); +-- +2.31.1 + diff --git a/patches.suse/cgroup-Allocate-cgroup_file_ctx-for-kernfs_open_file-priv.patch b/patches.suse/cgroup-Allocate-cgroup_file_ctx-for-kernfs_open_file-priv.patch new file mode 100644 index 0000000..d1255ff --- /dev/null +++ b/patches.suse/cgroup-Allocate-cgroup_file_ctx-for-kernfs_open_file-priv.patch @@ -0,0 +1,259 @@ +From: Tejun Heo +Date: Thu, 6 Jan 2022 11:02:29 -1000 +Subject: cgroup: Allocate cgroup_file_ctx for kernfs_open_file->priv +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Git-commit: 0d2b5955b36250a9428c832664f2079cbf723bec +Patch-mainline: v5.16 +References: bsc#1194302 CVE-2021-4197 + +of->priv is currently used by each interface file implementation to store +private information. This patch collects the current two private data usages +into struct cgroup_file_ctx which is allocated and freed by the common path. +This allows generic private data which applies to multiple files, which will +be used to in the following patch. + +Note that cgroup_procs iterator is now embedded as procs.iter in the new +cgroup_file_ctx so that it doesn't need to be allocated and freed +separately. + +v2: union dropped from cgroup_file_ctx and the procs iterator is embedded in + cgroup_file_ctx as suggested by Linus. + +v3: Michal pointed out that cgroup1's procs pidlist uses of->priv too. + Converted. Didn't change to embedded allocation as cgroup1 pidlists get + stored for caching. + +Signed-off-by: Tejun Heo +Cc: Linus Torvalds +Reviewed-by: Michal Koutný +[mkoutny: adjust context] +Acked-by: Michal Koutný +--- + kernel/cgroup/cgroup-internal.h | 17 +++++++++++ + kernel/cgroup/cgroup-v1.c | 26 +++++++++--------- + kernel/cgroup/cgroup.c | 57 +++++++++++++++++++++++++--------------- + 3 files changed, 67 insertions(+), 33 deletions(-) + +--- a/kernel/cgroup/cgroup-internal.h ++++ b/kernel/cgroup/cgroup-internal.h +@@ -65,6 +65,23 @@ static inline struct cgroup_fs_context * + return container_of(kfc, struct cgroup_fs_context, kfc); + } + ++struct cgroup_pidlist; ++ ++struct cgroup_file_ctx { ++ struct { ++ void *trigger; ++ } psi; ++ ++ struct { ++ bool started; ++ struct css_task_iter iter; ++ } procs; ++ ++ struct { ++ struct cgroup_pidlist *pidlist; ++ } procs1; ++}; ++ + /* + * A cgroup can be associated with multiple css_sets as different tasks may + * belong to different cgroups on different hierarchies. In the other +--- a/kernel/cgroup/cgroup-v1.c ++++ b/kernel/cgroup/cgroup-v1.c +@@ -417,6 +417,7 @@ static void *cgroup_pidlist_start(struct + * next pid to display, if any + */ + struct kernfs_open_file *of = s->private; ++ struct cgroup_file_ctx *ctx = of->priv; + struct cgroup *cgrp = seq_css(s)->cgroup; + struct cgroup_pidlist *l; + enum cgroup_filetype type = seq_cft(s)->private; +@@ -426,25 +427,24 @@ static void *cgroup_pidlist_start(struct + mutex_lock(&cgrp->pidlist_mutex); + + /* +- * !NULL @of->priv indicates that this isn't the first start() +- * after open. If the matching pidlist is around, we can use that. +- * Look for it. Note that @of->priv can't be used directly. It +- * could already have been destroyed. ++ * !NULL @ctx->procs1.pidlist indicates that this isn't the first ++ * start() after open. If the matching pidlist is around, we can use ++ * that. Look for it. Note that @ctx->procs1.pidlist can't be used ++ * directly. It could already have been destroyed. + */ +- if (of->priv) +- of->priv = cgroup_pidlist_find(cgrp, type); ++ if (ctx->procs1.pidlist) ++ ctx->procs1.pidlist = cgroup_pidlist_find(cgrp, type); + + /* + * Either this is the first start() after open or the matching + * pidlist has been destroyed inbetween. Create a new one. + */ +- if (!of->priv) { +- ret = pidlist_array_load(cgrp, type, +- (struct cgroup_pidlist **)&of->priv); ++ if (!ctx->procs1.pidlist) { ++ ret = pidlist_array_load(cgrp, type, &ctx->procs1.pidlist); + if (ret) + return ERR_PTR(ret); + } +- l = of->priv; ++ l = ctx->procs1.pidlist; + + if (pid) { + int end = l->length; +@@ -472,7 +472,8 @@ static void *cgroup_pidlist_start(struct + static void cgroup_pidlist_stop(struct seq_file *s, void *v) + { + struct kernfs_open_file *of = s->private; +- struct cgroup_pidlist *l = of->priv; ++ struct cgroup_file_ctx *ctx = of->priv; ++ struct cgroup_pidlist *l = ctx->procs1.pidlist; + + if (l) + mod_delayed_work(cgroup_pidlist_destroy_wq, &l->destroy_dwork, +@@ -483,7 +484,8 @@ static void cgroup_pidlist_stop(struct s + static void *cgroup_pidlist_next(struct seq_file *s, void *v, loff_t *pos) + { + struct kernfs_open_file *of = s->private; +- struct cgroup_pidlist *l = of->priv; ++ struct cgroup_file_ctx *ctx = of->priv; ++ struct cgroup_pidlist *l = ctx->procs1.pidlist; + pid_t *p = v; + pid_t *end = l->list + l->length; + /* +--- a/kernel/cgroup/cgroup.c ++++ b/kernel/cgroup/cgroup.c +@@ -3645,6 +3645,7 @@ static int cgroup_cpu_pressure_show(stru + static ssize_t cgroup_pressure_write(struct kernfs_open_file *of, char *buf, + size_t nbytes, enum psi_res res) + { ++ struct cgroup_file_ctx *ctx = of->priv; + struct psi_trigger *new; + struct cgroup *cgrp; + struct psi_group *psi; +@@ -3663,7 +3664,7 @@ static ssize_t cgroup_pressure_write(str + return PTR_ERR(new); + } + +- psi_trigger_replace(&of->priv, new); ++ psi_trigger_replace(&ctx->psi.trigger, new); + + cgroup_put(cgrp); + +@@ -3694,12 +3695,16 @@ static ssize_t cgroup_cpu_pressure_write + static __poll_t cgroup_pressure_poll(struct kernfs_open_file *of, + poll_table *pt) + { +- return psi_trigger_poll(&of->priv, of->file, pt); ++ struct cgroup_file_ctx *ctx = of->priv; ++ ++ return psi_trigger_poll(&ctx->psi.trigger, of->file, pt); + } + + static void cgroup_pressure_release(struct kernfs_open_file *of) + { +- psi_trigger_replace(&of->priv, NULL); ++ struct cgroup_file_ctx *ctx = of->priv; ++ ++ psi_trigger_replace(&ctx->psi.trigger, NULL); + } + #endif /* CONFIG_PSI */ + +@@ -3739,19 +3744,32 @@ static ssize_t cgroup_freeze_write(struc + + static int cgroup_file_open(struct kernfs_open_file *of) + { +- struct cftype *cft = of->kn->priv; ++ struct cftype *cft = of_cft(of); ++ struct cgroup_file_ctx *ctx; ++ int ret; + +- if (cft->open) +- return cft->open(of); +- return 0; ++ ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); ++ if (!ctx) ++ return -ENOMEM; ++ of->priv = ctx; ++ ++ if (!cft->open) ++ return 0; ++ ++ ret = cft->open(of); ++ if (ret) ++ kfree(ctx); ++ return ret; + } + + static void cgroup_file_release(struct kernfs_open_file *of) + { +- struct cftype *cft = of->kn->priv; ++ struct cftype *cft = of_cft(of); ++ struct cgroup_file_ctx *ctx = of->priv; + + if (cft->release) + cft->release(of); ++ kfree(ctx); + } + + static ssize_t cgroup_file_write(struct kernfs_open_file *of, char *buf, +@@ -4679,21 +4697,21 @@ void css_task_iter_end(struct css_task_i + + static void cgroup_procs_release(struct kernfs_open_file *of) + { +- if (of->priv) { +- css_task_iter_end(of->priv); +- kfree(of->priv); +- } ++ struct cgroup_file_ctx *ctx = of->priv; ++ ++ if (ctx->procs.started) ++ css_task_iter_end(&ctx->procs.iter); + } + + static void *cgroup_procs_next(struct seq_file *s, void *v, loff_t *pos) + { + struct kernfs_open_file *of = s->private; +- struct css_task_iter *it = of->priv; ++ struct cgroup_file_ctx *ctx = of->priv; + + if (pos) + (*pos)++; + +- return css_task_iter_next(it); ++ return css_task_iter_next(&ctx->procs.iter); + } + + static void *__cgroup_procs_start(struct seq_file *s, loff_t *pos, +@@ -4701,21 +4719,18 @@ static void *__cgroup_procs_start(struct + { + struct kernfs_open_file *of = s->private; + struct cgroup *cgrp = seq_css(s)->cgroup; +- struct css_task_iter *it = of->priv; ++ struct cgroup_file_ctx *ctx = of->priv; ++ struct css_task_iter *it = &ctx->procs.iter; + + /* + * When a seq_file is seeked, it's always traversed sequentially + * from position 0, so we can simply keep iterating on !0 *pos. + */ +- if (!it) { ++ if (!ctx->procs.started) { + if (WARN_ON_ONCE((*pos))) + return ERR_PTR(-EINVAL); +- +- it = kzalloc(sizeof(*it), GFP_KERNEL); +- if (!it) +- return ERR_PTR(-ENOMEM); +- of->priv = it; + css_task_iter_start(&cgrp->self, iter_flags, it); ++ ctx->procs.started = true; + } else if (!(*pos)) { + css_task_iter_end(it); + css_task_iter_start(&cgrp->self, iter_flags, it); diff --git a/patches.suse/cgroup-Use-open-time-cgroup-namespace-for-process-migration-perm-checks.patch b/patches.suse/cgroup-Use-open-time-cgroup-namespace-for-process-migration-perm-checks.patch new file mode 100644 index 0000000..47ca00e --- /dev/null +++ b/patches.suse/cgroup-Use-open-time-cgroup-namespace-for-process-migration-perm-checks.patch @@ -0,0 +1,133 @@ +From: Tejun Heo +Date: Thu, 6 Jan 2022 11:02:29 -1000 +Subject: cgroup: Use open-time cgroup namespace for process migration perm + checks +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Git-commit: e57457641613fef0d147ede8bd6a3047df588b95 +Patch-mainline: v5.16 +References: bsc#1194302 CVE-2021-4197 + +cgroup process migration permission checks are performed at write time as +whether a given operation is allowed or not is dependent on the content of +the write - the PID. This currently uses current's cgroup namespace which is +a potential security weakness as it may allow scenarios where a less +privileged process tricks a more privileged one into writing into a fd that +it created. + +This patch makes cgroup remember the cgroup namespace at the time of open +and uses it for migration permission checks instad of current's. Note that +this only applies to cgroup2 as cgroup1 doesn't have namespace support. + +This also fixes a use-after-free bug on cgroupns reported in + + https://lore.kernel.org/r/00000000000048c15c05d0083397@google.com + +Note that backporting this fix also requires the preceding patch. + +Reported-by: "Eric W. Biederman" +Suggested-by: Linus Torvalds +Cc: Michal Koutný +Cc: Oleg Nesterov +Reviewed-by: Michal Koutný +Reported-by: syzbot+50f5cf33a284ce738b62@syzkaller.appspotmail.com +Link: https://lore.kernel.org/r/00000000000048c15c05d0083397@google.com +Fixes: 5136f6365ce3 ("cgroup: implement "nsdelegate" mount option") +Signed-off-by: Tejun Heo +[mkoutny: drop the cgroup_css_set_fork and attach_permissions part, adjust context] +Acked-by: Michal Koutný +--- + kernel/cgroup/cgroup-internal.h | 2 ++ + kernel/cgroup/cgroup.c | 20 ++++++++++++++------ + 2 files changed, 16 insertions(+), 6 deletions(-) + +--- a/kernel/cgroup/cgroup-internal.h ++++ b/kernel/cgroup/cgroup-internal.h +@@ -68,6 +68,8 @@ static inline struct cgroup_fs_context * + struct cgroup_pidlist; + + struct cgroup_file_ctx { ++ struct cgroup_namespace *ns; ++ + struct { + void *trigger; + } psi; +--- a/kernel/cgroup/cgroup.c ++++ b/kernel/cgroup/cgroup.c +@@ -3751,14 +3751,19 @@ static int cgroup_file_open(struct kernf + ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); + if (!ctx) + return -ENOMEM; ++ ++ ctx->ns = current->nsproxy->cgroup_ns; ++ get_cgroup_ns(ctx->ns); + of->priv = ctx; + + if (!cft->open) + return 0; + + ret = cft->open(of); +- if (ret) ++ if (ret) { ++ put_cgroup_ns(ctx->ns); + kfree(ctx); ++ } + return ret; + } + +@@ -3769,13 +3774,14 @@ static void cgroup_file_release(struct k + + if (cft->release) + cft->release(of); ++ put_cgroup_ns(ctx->ns); + kfree(ctx); + } + + static ssize_t cgroup_file_write(struct kernfs_open_file *of, char *buf, + size_t nbytes, loff_t off) + { +- struct cgroup_namespace *ns = current->nsproxy->cgroup_ns; ++ struct cgroup_file_ctx *ctx = of->priv; + struct cgroup *cgrp = of->kn->parent->priv; + struct cftype *cft = of->kn->priv; + struct cgroup_subsys_state *css; +@@ -3789,7 +3795,7 @@ static ssize_t cgroup_file_write(struct + */ + if ((cgrp->root->flags & CGRP_ROOT_NS_DELEGATE) && + !(cft->flags & CFTYPE_NS_DELEGATABLE) && +- ns != &init_cgroup_ns && ns->root_cset->dfl_cgrp == cgrp) ++ ctx->ns != &init_cgroup_ns && ctx->ns->root_cset->dfl_cgrp == cgrp) + return -EPERM; + + if (cft->write) +@@ -4765,9 +4771,9 @@ static int cgroup_procs_show(struct seq_ + + static int cgroup_procs_write_permission(struct cgroup *src_cgrp, + struct cgroup *dst_cgrp, +- struct super_block *sb) ++ struct super_block *sb, ++ struct cgroup_namespace *ns) + { +- struct cgroup_namespace *ns = current->nsproxy->cgroup_ns; + struct cgroup *com_cgrp = src_cgrp; + struct inode *inode; + int ret; +@@ -4803,6 +4809,7 @@ static int cgroup_procs_write_permission + static ssize_t __cgroup_procs_write(struct kernfs_open_file *of, char *buf, + bool threadgroup) + { ++ struct cgroup_file_ctx *ctx = of->priv; + struct cgroup *src_cgrp, *dst_cgrp; + struct task_struct *task; + const struct cred *saved_cred; +@@ -4830,7 +4837,8 @@ static ssize_t __cgroup_procs_write(stru + */ + saved_cred = override_creds(of->file->f_cred); + ret = cgroup_procs_write_permission(src_cgrp, dst_cgrp, +- of->file->f_path.dentry->d_sb, threadgroup); ++ of->file->f_path.dentry->d_sb, ++ ctx->ns); + revert_creds(saved_cred); + if (ret) + goto out_finish; diff --git a/patches.suse/cgroup-Use-open-time-credentials-for-process-migraton-perm-checks.patch b/patches.suse/cgroup-Use-open-time-credentials-for-process-migraton-perm-checks.patch new file mode 100644 index 0000000..1afe302 --- /dev/null +++ b/patches.suse/cgroup-Use-open-time-credentials-for-process-migraton-perm-checks.patch @@ -0,0 +1,78 @@ +From: Tejun Heo +Date: Thu, 6 Jan 2022 11:02:28 -1000 +Subject: cgroup: Use open-time credentials for process migraton perm checks +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Git-commit: 1756d7994ad85c2479af6ae5a9750b92324685af +Patch-mainline: v5.16 +References: bsc#1194302 CVE-2021-4197 + + +cgroup process migration permission checks are performed at write time as +whether a given operation is allowed or not is dependent on the content of +the write - the PID. This currently uses current's credentials which is a +potential security weakness as it may allow scenarios where a less +privileged process tricks a more privileged one into writing into a fd that +it created. + +This patch makes both cgroup2 and cgroup1 process migration interfaces to +use the credentials saved at the time of open (file->f_cred) instead of +current's. + +Reported-by: "Eric W. Biederman" +Suggested-by: Linus Torvalds +Fixes: 187fe84067bd ("cgroup: require write perm on common ancestor when moving processes on the default hierarchy") +Reviewed-by: Michal Koutný +Signed-off-by: Tejun Heo +[mkoutny: s/cgroup_attach_permissions/cgroup_procs_write_permission/] +Acked-by: Michal Koutný +--- + kernel/cgroup/cgroup-v1.c | 7 ++++--- + kernel/cgroup/cgroup.c | 9 ++++++++- + 2 files changed, 12 insertions(+), 4 deletions(-) + +--- a/kernel/cgroup/cgroup-v1.c ++++ b/kernel/cgroup/cgroup-v1.c +@@ -526,10 +526,11 @@ static ssize_t __cgroup1_procs_write(str + goto out_unlock; + + /* +- * Even if we're attaching all tasks in the thread group, we only +- * need to check permissions on one of them. ++ * Even if we're attaching all tasks in the thread group, we only need ++ * to check permissions on one of them. Check permissions using the ++ * credentials from file open to protect against inherited fd attacks. + */ +- cred = current_cred(); ++ cred = of->file->f_cred; + tcred = get_task_cred(task); + if (!uid_eq(cred->euid, GLOBAL_ROOT_UID) && + !uid_eq(cred->euid, tcred->uid) && +--- a/kernel/cgroup/cgroup.c ++++ b/kernel/cgroup/cgroup.c +@@ -4790,6 +4790,7 @@ static ssize_t __cgroup_procs_write(stru + { + struct cgroup *src_cgrp, *dst_cgrp; + struct task_struct *task; ++ const struct cred *saved_cred; + ssize_t ret; + bool locked; + +@@ -4807,9 +4808,15 @@ static ssize_t __cgroup_procs_write(stru + src_cgrp = task_cgroup_from_root(task, &cgrp_dfl_root); + spin_unlock_irq(&css_set_lock); + +- /* process and thread migrations follow same delegation rule */ ++ /* ++ * Process and thread migrations follow same delegation rule. Check ++ * permissions using the credentials from file open to protect against ++ * inherited fd attacks. ++ */ ++ saved_cred = override_creds(of->file->f_cred); + ret = cgroup_procs_write_permission(src_cgrp, dst_cgrp, + of->file->f_path.dentry->d_sb, threadgroup); ++ revert_creds(saved_cred); + if (ret) + goto out_finish; + diff --git a/patches.suse/cgroup-cgroup.-procs-threads-factor-out-common-parts.patch b/patches.suse/cgroup-cgroup.-procs-threads-factor-out-common-parts.patch new file mode 100644 index 0000000..f8e2c3e --- /dev/null +++ b/patches.suse/cgroup-cgroup.-procs-threads-factor-out-common-parts.patch @@ -0,0 +1,125 @@ +From: =?utf-8?b?TWljaGFsIEtvdXRuw70gPG1rb3V0bnlAc3VzZS5jb20+?= +Date: Thu, 14 Jan 2021 13:44:27 +0100 +Subject: cgroup: cgroup.{procs,threads} factor out common parts +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Git-commit: da70862efe0065bada33d67a903270cdbbaf07d9 +Patch-mainline: v5.12-rc1 +References: bsc#1194302 CVE-2021-4197 + +The functions cgroup_threads_write and cgroup_procs_write are almost +identical. In order to reduce duplication, factor out the common code in +similar fashion we already do for other threadgroup/task functions. No +functional changes are intended. + +Suggested-by: Hao Lee +Signed-off-by: Michal Koutný +Reviewed-by: Daniel Jordan +Signed-off-by: Tejun Heo +[mkoutny: s/cgroup_attach_permissions/cgroup_procs_write_permission/, adjust context] +Acked-by: Michal Koutný +--- + kernel/cgroup/cgroup.c | 60 +++++++++++-------------------------------------- + 1 file changed, 14 insertions(+), 46 deletions(-) + +--- a/kernel/cgroup/cgroup.c ++++ b/kernel/cgroup/cgroup.c +@@ -4784,8 +4784,8 @@ static int cgroup_procs_write_permission + return 0; + } + +-static ssize_t cgroup_procs_write(struct kernfs_open_file *of, +- char *buf, size_t nbytes, loff_t off) ++static ssize_t __cgroup_procs_write(struct kernfs_open_file *of, char *buf, ++ bool threadgroup) + { + struct cgroup *src_cgrp, *dst_cgrp; + struct task_struct *task; +@@ -4796,7 +4796,7 @@ static ssize_t cgroup_procs_write(struct + if (!dst_cgrp) + return -ENODEV; + +- task = cgroup_procs_write_start(buf, true, &locked); ++ task = cgroup_procs_write_start(buf, threadgroup, &locked); + ret = PTR_ERR_OR_ZERO(task); + if (ret) + goto out_unlock; +@@ -4806,19 +4806,26 @@ static ssize_t cgroup_procs_write(struct + src_cgrp = task_cgroup_from_root(task, &cgrp_dfl_root); + spin_unlock_irq(&css_set_lock); + ++ /* process and thread migrations follow same delegation rule */ + ret = cgroup_procs_write_permission(src_cgrp, dst_cgrp, +- of->file->f_path.dentry->d_sb); ++ of->file->f_path.dentry->d_sb, threadgroup); + if (ret) + goto out_finish; + +- ret = cgroup_attach_task(dst_cgrp, task, true); ++ ret = cgroup_attach_task(dst_cgrp, task, threadgroup); + + out_finish: + cgroup_procs_write_finish(task, locked); + out_unlock: + cgroup_kn_unlock(of->kn); + +- return ret ?: nbytes; ++ return ret; ++} ++ ++static ssize_t cgroup_procs_write(struct kernfs_open_file *of, ++ char *buf, size_t nbytes, loff_t off) ++{ ++ return __cgroup_procs_write(of, buf, true) ?: nbytes; + } + + static void *cgroup_threads_start(struct seq_file *s, loff_t *pos) +@@ -4829,46 +4836,7 @@ static void *cgroup_threads_start(struct + static ssize_t cgroup_threads_write(struct kernfs_open_file *of, + char *buf, size_t nbytes, loff_t off) + { +- struct cgroup *src_cgrp, *dst_cgrp; +- struct task_struct *task; +- ssize_t ret; +- bool locked; +- +- buf = strstrip(buf); +- +- dst_cgrp = cgroup_kn_lock_live(of->kn, false); +- if (!dst_cgrp) +- return -ENODEV; +- +- task = cgroup_procs_write_start(buf, false, &locked); +- ret = PTR_ERR_OR_ZERO(task); +- if (ret) +- goto out_unlock; +- +- /* find the source cgroup */ +- spin_lock_irq(&css_set_lock); +- src_cgrp = task_cgroup_from_root(task, &cgrp_dfl_root); +- spin_unlock_irq(&css_set_lock); +- +- /* thread migrations follow the cgroup.procs delegation rule */ +- ret = cgroup_procs_write_permission(src_cgrp, dst_cgrp, +- of->file->f_path.dentry->d_sb); +- if (ret) +- goto out_finish; +- +- /* and must be contained in the same domain */ +- ret = -EOPNOTSUPP; +- if (src_cgrp->dom_cgrp != dst_cgrp->dom_cgrp) +- goto out_finish; +- +- ret = cgroup_attach_task(dst_cgrp, task, false); +- +-out_finish: +- cgroup_procs_write_finish(task, locked); +-out_unlock: +- cgroup_kn_unlock(of->kn); +- +- return ret ?: nbytes; ++ return __cgroup_procs_write(of, buf, false) ?: nbytes; + } + + /* cgroup core interface files for the default hierarchy */ diff --git a/patches.suse/char-mwave-Adjust-io-port-register-size.patch b/patches.suse/char-mwave-Adjust-io-port-register-size.patch new file mode 100644 index 0000000..382ac63 --- /dev/null +++ b/patches.suse/char-mwave-Adjust-io-port-register-size.patch @@ -0,0 +1,51 @@ +From f5912cc19acd7c24b2dbf65a6340bf194244f085 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Fri, 3 Dec 2021 00:42:06 -0800 +Subject: [PATCH] char/mwave: Adjust io port register size +Git-commit: f5912cc19acd7c24b2dbf65a6340bf194244f085 +Patch-mainline: v5.17-rc1 +References: git-fixes + +Using MKWORD() on a byte-sized variable results in OOB read. Expand the +size of the reserved area so both MKWORD and MKBYTE continue to work +without overflow. Silences this warning on a -Warray-bounds build: + +drivers/char/mwave/3780i.h:346:22: error: array subscript 'short unsigned int[0]' is partly outside array bounds of 'DSP_ISA_SLAVE_CONTROL[1]' [-Werror=array-bounds] + 346 | #define MKWORD(var) (*((unsigned short *)(&var))) + | ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~ +drivers/char/mwave/3780i.h:356:40: note: in definition of macro 'OutWordDsp' + 356 | #define OutWordDsp(index,value) outw(value,usDspBaseIO+index) + | ^~~~~ +drivers/char/mwave/3780i.c:373:41: note: in expansion of macro 'MKWORD' + 373 | OutWordDsp(DSP_IsaSlaveControl, MKWORD(rSlaveControl)); + | ^~~~~~ +drivers/char/mwave/3780i.c:358:31: note: while referencing 'rSlaveControl' + 358 | DSP_ISA_SLAVE_CONTROL rSlaveControl; + | ^~~~~~~~~~~~~ + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20211203084206.3104326-1-keescook@chromium.org +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/char/mwave/3780i.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/char/mwave/3780i.h b/drivers/char/mwave/3780i.h +index 9ccb6b270b07..95164246afd1 100644 +--- a/drivers/char/mwave/3780i.h ++++ b/drivers/char/mwave/3780i.h +@@ -68,7 +68,7 @@ typedef struct { + unsigned char ClockControl:1; /* RW: Clock control: 0=normal, 1=stop 3780i clocks */ + unsigned char SoftReset:1; /* RW: Soft reset 0=normal, 1=soft reset active */ + unsigned char ConfigMode:1; /* RW: Configuration mode, 0=normal, 1=config mode */ +- unsigned char Reserved:5; /* 0: Reserved */ ++ unsigned short Reserved:13; /* 0: Reserved */ + } DSP_ISA_SLAVE_CONTROL; + + +-- +2.31.1 + diff --git a/patches.suse/clk-Gemini-fix-struct-name-in-kernel-doc.patch b/patches.suse/clk-Gemini-fix-struct-name-in-kernel-doc.patch new file mode 100644 index 0000000..280cbff --- /dev/null +++ b/patches.suse/clk-Gemini-fix-struct-name-in-kernel-doc.patch @@ -0,0 +1,44 @@ +From ecb64bbff7dddf510c7b011a7c0bd6a87e5c88e8 Mon Sep 17 00:00:00 2001 +From: Randy Dunlap +Date: Fri, 19 Nov 2021 22:27:19 -0800 +Subject: [PATCH] clk: Gemini: fix struct name in kernel-doc +Git-commit: ecb64bbff7dddf510c7b011a7c0bd6a87e5c88e8 +Patch-mainline: v5.17-rc1 +References: git-fixes + +Fix a typo in the struct name in the kernel-doc notation so that +kernel-doc won't complain about it. + +Fixes this warning: + +drivers/clk/clk-gemini.c:64: warning: expecting prototype for struct gemini_data_data. Prototype was for struct gemini_gate_data instead + +Fixes: 846423f96721 ("clk: Add Gemini SoC clock controller") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Cc: linux-clk@vger.kernel.org +Link: https://lore.kernel.org/r/20211120062719.21395-1-rdunlap@infradead.org +Reviewed-by: Linus Walleij +Signed-off-by: Stephen Boyd +Acked-by: Takashi Iwai + +--- + drivers/clk/clk-gemini.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/clk-gemini.c b/drivers/clk/clk-gemini.c +index b51069e794ff..a23fa6d47ef1 100644 +--- a/drivers/clk/clk-gemini.c ++++ b/drivers/clk/clk-gemini.c +@@ -50,7 +50,7 @@ static DEFINE_SPINLOCK(gemini_clk_lock); + #define PCI_DLL_TAP_SEL_MASK 0x1f + + /** +- * struct gemini_data_data - Gemini gated clocks ++ * struct gemini_gate_data - Gemini gated clocks + * @bit_idx: the bit used to gate this clock in the clock register + * @name: the clock name + * @parent_name: the name of the parent clock +-- +2.31.1 + diff --git a/patches.suse/clk-bcm-2835-Pick-the-closest-clock-rate.patch b/patches.suse/clk-bcm-2835-Pick-the-closest-clock-rate.patch new file mode 100644 index 0000000..3cfb45a --- /dev/null +++ b/patches.suse/clk-bcm-2835-Pick-the-closest-clock-rate.patch @@ -0,0 +1,46 @@ +From 5517357a4733d7cf7c17fc79d0530cfa47add372 Mon Sep 17 00:00:00 2001 +From: Maxime Ripard +Date: Wed, 22 Sep 2021 14:54:15 +0200 +Subject: [PATCH] clk: bcm-2835: Pick the closest clock rate +Git-commit: 5517357a4733d7cf7c17fc79d0530cfa47add372 +Patch-mainline: v5.17-rc1 +References: git-fixes + +The driver currently tries to pick the closest rate that is lower than +the rate being requested. + +This causes an issue with clk_set_min_rate() since it actively checks +for the rounded rate to be above the minimum that was just set. + +Let's change the logic a bit to pick the closest rate to the requested +rate, no matter if it's actually higher or lower. + +Fixes: 6d18b8adbe67 ("clk: bcm2835: Support for clock parent selection") +Signed-off-by: Maxime Ripard +Acked-by: Stephen Boyd +Reviewed-by: Nicolas Saenz Julienne +Tested-by: Nicolas Saenz Julienne # boot and basic functionality +Tested-by: Michael Stapelberg +Link: https://patchwork.freedesktop.org/patch/msgid/20210922125419.4125779-2-maxime@cerno.tech +Acked-by: Takashi Iwai + +--- + drivers/clk/bcm/clk-bcm2835.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/bcm/clk-bcm2835.c b/drivers/clk/bcm/clk-bcm2835.c +index a254512965eb..bf97b2b2a63f 100644 +--- a/drivers/clk/bcm/clk-bcm2835.c ++++ b/drivers/clk/bcm/clk-bcm2835.c +@@ -1216,7 +1216,7 @@ static int bcm2835_clock_determine_rate(struct clk_hw *hw, + rate = bcm2835_clock_choose_div_and_prate(hw, i, req->rate, + &div, &prate, + &avgrate); +- if (rate > best_rate && rate <= req->rate) { ++ if (abs(req->rate - rate) < abs(req->rate - best_rate)) { + best_parent = parent; + best_prate = prate; + best_rate = rate; +-- +2.31.1 + diff --git a/patches.suse/clk-bcm-2835-Remove-rounding-up-the-dividers.patch b/patches.suse/clk-bcm-2835-Remove-rounding-up-the-dividers.patch new file mode 100644 index 0000000..873620d --- /dev/null +++ b/patches.suse/clk-bcm-2835-Remove-rounding-up-the-dividers.patch @@ -0,0 +1,82 @@ +From 8ca011ef4af48a7af7b15afd8a4a44039dd04cea Mon Sep 17 00:00:00 2001 +From: Maxime Ripard +Date: Wed, 22 Sep 2021 14:54:16 +0200 +Subject: [PATCH] clk: bcm-2835: Remove rounding up the dividers +Git-commit: 8ca011ef4af48a7af7b15afd8a4a44039dd04cea +Patch-mainline: v5.17-rc1 +References: git-fixes + +The driver, once it found a divider, tries to round it up by increasing +the least significant bit of the fractional part by one when the +round_up argument is set and there's a remainder. + +However, since it increases the divider it will actually reduce the +clock rate below what we were asking for, leading to issues with +clk_set_min_rate() that will complain that our rounded clock rate is +below the minimum of the rate. + +Since the dividers are fairly precise already, let's remove that part so +that we can have clk_set_min_rate() working. + +This is effectively a revert of 9c95b32ca093 ("clk: bcm2835: add a round +up ability to the clock divisor"). + +Fixes: 9c95b32ca093 ("clk: bcm2835: add a round up ability to the clock divisor") +Signed-off-by: Maxime Ripard +Acked-by: Stephen Boyd +Reviewed-by: Nicolas Saenz Julienne +Tested-by: Nicolas Saenz Julienne # boot and basic functionality +Tested-by: Michael Stapelberg +Link: https://patchwork.freedesktop.org/patch/msgid/20210922125419.4125779-3-maxime@cerno.tech +Acked-by: Takashi Iwai + +--- + drivers/clk/bcm/clk-bcm2835.c | 11 +++-------- + 1 file changed, 3 insertions(+), 8 deletions(-) + +diff --git a/drivers/clk/bcm/clk-bcm2835.c b/drivers/clk/bcm/clk-bcm2835.c +index bf97b2b2a63f..3667b4d731e7 100644 +--- a/drivers/clk/bcm/clk-bcm2835.c ++++ b/drivers/clk/bcm/clk-bcm2835.c +@@ -932,8 +932,7 @@ static int bcm2835_clock_is_on(struct clk_hw *hw) + + static u32 bcm2835_clock_choose_div(struct clk_hw *hw, + unsigned long rate, +- unsigned long parent_rate, +- bool round_up) ++ unsigned long parent_rate) + { + struct bcm2835_clock *clock = bcm2835_clock_from_hw(hw); + const struct bcm2835_clock_data *data = clock->data; +@@ -945,10 +944,6 @@ static u32 bcm2835_clock_choose_div(struct clk_hw *hw, + + rem = do_div(temp, rate); + div = temp; +- +- /* Round up and mask off the unused bits */ +- if (round_up && ((div & unused_frac_mask) != 0 || rem != 0)) +- div += unused_frac_mask + 1; + div &= ~unused_frac_mask; + + /* different clamping limits apply for a mash clock */ +@@ -1079,7 +1074,7 @@ static int bcm2835_clock_set_rate(struct clk_hw *hw, + struct bcm2835_clock *clock = bcm2835_clock_from_hw(hw); + struct bcm2835_cprman *cprman = clock->cprman; + const struct bcm2835_clock_data *data = clock->data; +- u32 div = bcm2835_clock_choose_div(hw, rate, parent_rate, false); ++ u32 div = bcm2835_clock_choose_div(hw, rate, parent_rate); + u32 ctl; + + spin_lock(&cprman->regs_lock); +@@ -1130,7 +1125,7 @@ static unsigned long bcm2835_clock_choose_div_and_prate(struct clk_hw *hw, + + if (!(BIT(parent_idx) & data->set_rate_parent)) { + *prate = clk_hw_get_rate(parent); +- *div = bcm2835_clock_choose_div(hw, rate, *prate, true); ++ *div = bcm2835_clock_choose_div(hw, rate, *prate); + + *avgrate = bcm2835_clock_rate_from_divisor(clock, *prate, *div); + +-- +2.31.1 + diff --git a/patches.suse/clk-imx-pllv1-fix-kernel-doc-notation-for-struct-clk.patch b/patches.suse/clk-imx-pllv1-fix-kernel-doc-notation-for-struct-clk.patch new file mode 100644 index 0000000..1e81ad4 --- /dev/null +++ b/patches.suse/clk-imx-pllv1-fix-kernel-doc-notation-for-struct-clk.patch @@ -0,0 +1,70 @@ +From 71e762316140445c3146bac98ffb29ad6ea0d36c Mon Sep 17 00:00:00 2001 +From: Randy Dunlap +Date: Sun, 14 Nov 2021 19:26:07 -0800 +Subject: [PATCH] clk: imx: pllv1: fix kernel-doc notation for struct clk_pllv1 +Git-commit: 71e762316140445c3146bac98ffb29ad6ea0d36c +Patch-mainline: v5.17-rc1 +References: git-fixes + +Convert struct clk_pllv1 comments to kernel-doc notation and move them +below the MFN_* macros. + +Fixes this kernel-doc warning: + +drivers/clk/imx/clk-pllv1.c:12: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst + * pll v1 + +Fixes: 2af9e6db14db ("ARM i.MX: Add common clock support for pllv1") +Fixes: a594790368a8 ("ARM: imx: pllv1: Fix PLL calculation for i.MX27") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Cc: Abel Vesa +Cc: linux-clk@vger.kernel.org +Cc: linux-imx@nxp.com +Cc: Alexander Shiyan +Cc: Shawn Guo +Cc: Sascha Hauer +Link: https://lore.kernel.org/r/20211115032607.28970-1-rdunlap@infradead.org +Signed-off-by: Stephen Boyd +Acked-by: Takashi Iwai + +--- + drivers/clk/imx/clk-pllv1.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +diff --git a/drivers/clk/imx/clk-pllv1.c b/drivers/clk/imx/clk-pllv1.c +index 36ffb0525735..93ee81b28fc7 100644 +--- a/drivers/clk/imx/clk-pllv1.c ++++ b/drivers/clk/imx/clk-pllv1.c +@@ -8,20 +8,19 @@ + + #include "clk.h" + ++#define MFN_BITS (10) ++#define MFN_SIGN (BIT(MFN_BITS - 1)) ++#define MFN_MASK (MFN_SIGN - 1) ++ + /** +- * pll v1 ++ * struct clk_pllv1 - IMX PLLv1 clock descriptor + * +- * @clk_hw clock source +- * @parent the parent clock name +- * @base base address of pll registers ++ * @hw: clock source ++ * @base: base address of pll registers ++ * @type: type of IMX_PLLV1 + * + * PLL clock version 1, found on i.MX1/21/25/27/31/35 + */ +- +-#define MFN_BITS (10) +-#define MFN_SIGN (BIT(MFN_BITS - 1)) +-#define MFN_MASK (MFN_SIGN - 1) +- + struct clk_pllv1 { + struct clk_hw hw; + void __iomem *base; +-- +2.31.1 + diff --git a/patches.suse/clk-imx8mn-Fix-imx8mn_clko1_sels.patch b/patches.suse/clk-imx8mn-Fix-imx8mn_clko1_sels.patch new file mode 100644 index 0000000..a1d9f5e --- /dev/null +++ b/patches.suse/clk-imx8mn-Fix-imx8mn_clko1_sels.patch @@ -0,0 +1,50 @@ +From 570727e9acfac1c2330a01dd5e1272e9c3acec08 Mon Sep 17 00:00:00 2001 +From: Adam Ford +Date: Wed, 17 Nov 2021 07:32:02 -0600 +Subject: [PATCH] clk: imx8mn: Fix imx8mn_clko1_sels +Git-commit: 570727e9acfac1c2330a01dd5e1272e9c3acec08 +Patch-mainline: v5.17-rc1 +References: git-fixes + +When attempting to use sys_pll1_80m as the parent for clko1, the +system hangs. This is due to the fact that the source select +for sys_pll1_80m was incorrectly pointing to m7_alt_pll_clk, which +doesn't yet exist. + +According to Rev 3 of the TRM, The imx8mn_clko1_sels also incorrectly +references an osc_27m which does not exist, nor does an entry for +source select bits 010b. Fix both by inserting a dummy clock into +the missing space in the table and renaming the incorrectly name clock +with dummy. + +Fixes: 96d6392b54db ("clk: imx: Add support for i.MX8MN clock driver") +Signed-off-by: Adam Ford +Reviewed-by: Fabio Estevam +Link: https://lore.kernel.org/r/20211117133202.775633-1-aford173@gmail.com +Signed-off-by: Abel Vesa +Acked-by: Takashi Iwai + +--- + drivers/clk/imx/clk-imx8mn.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/clk/imx/clk-imx8mn.c b/drivers/clk/imx/clk-imx8mn.c +index c55577604e16..021355a24708 100644 +--- a/drivers/clk/imx/clk-imx8mn.c ++++ b/drivers/clk/imx/clk-imx8mn.c +@@ -277,9 +277,9 @@ static const char * const imx8mn_pdm_sels[] = {"osc_24m", "sys_pll2_100m", "audi + + static const char * const imx8mn_dram_core_sels[] = {"dram_pll_out", "dram_alt_root", }; + +-static const char * const imx8mn_clko1_sels[] = {"osc_24m", "sys_pll1_800m", "osc_27m", +- "sys_pll1_200m", "audio_pll2_out", "vpu_pll", +- "sys_pll1_80m", }; ++static const char * const imx8mn_clko1_sels[] = {"osc_24m", "sys_pll1_800m", "dummy", ++ "sys_pll1_200m", "audio_pll2_out", "sys_pll2_500m", ++ "dummy", "sys_pll1_80m", }; + static const char * const imx8mn_clko2_sels[] = {"osc_24m", "sys_pll2_200m", "sys_pll1_400m", + "sys_pll2_166m", "sys_pll3_out", "audio_pll1_out", + "video_pll1_out", "osc_32k", }; +-- +2.31.1 + diff --git a/patches.suse/clk-stm32-Fix-ltdc-s-clock-turn-off-by-clk_disable_u.patch b/patches.suse/clk-stm32-Fix-ltdc-s-clock-turn-off-by-clk_disable_u.patch new file mode 100644 index 0000000..38b83bd --- /dev/null +++ b/patches.suse/clk-stm32-Fix-ltdc-s-clock-turn-off-by-clk_disable_u.patch @@ -0,0 +1,74 @@ +From 6fc058a72f3b7b07fc4de6d66ad1f68951b00f6e Mon Sep 17 00:00:00 2001 +From: Dillon Min +Date: Tue, 26 Oct 2021 15:11:21 +0800 +Subject: [PATCH] clk: stm32: Fix ltdc's clock turn off by clk_disable_unused() after system enter shell +Git-commit: 6fc058a72f3b7b07fc4de6d66ad1f68951b00f6e +Patch-mainline: v5.17-rc1 +References: git-fixes + +stm32's clk driver register two ltdc gate clk to clk core by +clk_hw_register_gate() and clk_hw_register_composite() + +First: 'stm32f429_gates[]', clk name is 'ltdc', which no user to use. +Second: 'stm32f429_aux_clk[]', clk name is 'lcd-tft', used by ltdc driver + +both of them point to the same offset of stm32's RCC register. after +kernel enter console, clk core turn off ltdc's clk as 'stm32f429_gates[]' +is no one to use. but, actually 'stm32f429_aux_clk[]' is in use. + +stm32f469/746/769 have the same issue, fix it. + +Fixes: daf2d117cbca ("clk: stm32f4: Add lcd-tft clock") +Link: https://lore.kernel.org/linux-arm-kernel/1590564453-24499-7-git-send-email-dillon.minfei@gmail.com/ +Link: https://lore.kernel.org/lkml/CAPTRvHkf0cK_4ZidM17rPo99gWDmxgqFt4CDUjqFFwkOeQeFDg@mail.gmail.com/ +Signed-off-by: Dillon Min +Reviewed-by: Patrice Chotard +Acked-by: Gabriel Fernandez +Acked-by: Stephen Boyd +Link: https://lore.kernel.org/r/1635232282-3992-10-git-send-email-dillon.minfei@gmail.com +Signed-off-by: Stephen Boyd +Acked-by: Takashi Iwai + +--- + drivers/clk/clk-stm32f4.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/clk/clk-stm32f4.c b/drivers/clk/clk-stm32f4.c +index af46176ad053..473dfe632cc5 100644 +--- a/drivers/clk/clk-stm32f4.c ++++ b/drivers/clk/clk-stm32f4.c +@@ -129,7 +129,6 @@ static const struct stm32f4_gate_data stm32f429_gates[] __initconst = { + { STM32F4_RCC_APB2ENR, 20, "spi5", "apb2_div" }, + { STM32F4_RCC_APB2ENR, 21, "spi6", "apb2_div" }, + { STM32F4_RCC_APB2ENR, 22, "sai1", "apb2_div" }, +- { STM32F4_RCC_APB2ENR, 26, "ltdc", "apb2_div" }, + }; + + static const struct stm32f4_gate_data stm32f469_gates[] __initconst = { +@@ -211,7 +210,6 @@ static const struct stm32f4_gate_data stm32f469_gates[] __initconst = { + { STM32F4_RCC_APB2ENR, 20, "spi5", "apb2_div" }, + { STM32F4_RCC_APB2ENR, 21, "spi6", "apb2_div" }, + { STM32F4_RCC_APB2ENR, 22, "sai1", "apb2_div" }, +- { STM32F4_RCC_APB2ENR, 26, "ltdc", "apb2_div" }, + }; + + static const struct stm32f4_gate_data stm32f746_gates[] __initconst = { +@@ -286,7 +284,6 @@ static const struct stm32f4_gate_data stm32f746_gates[] __initconst = { + { STM32F4_RCC_APB2ENR, 21, "spi6", "apb2_div" }, + { STM32F4_RCC_APB2ENR, 22, "sai1", "apb2_div" }, + { STM32F4_RCC_APB2ENR, 23, "sai2", "apb2_div" }, +- { STM32F4_RCC_APB2ENR, 26, "ltdc", "apb2_div" }, + }; + + static const struct stm32f4_gate_data stm32f769_gates[] __initconst = { +@@ -364,7 +361,6 @@ static const struct stm32f4_gate_data stm32f769_gates[] __initconst = { + { STM32F4_RCC_APB2ENR, 21, "spi6", "apb2_div" }, + { STM32F4_RCC_APB2ENR, 22, "sai1", "apb2_div" }, + { STM32F4_RCC_APB2ENR, 23, "sai2", "apb2_div" }, +- { STM32F4_RCC_APB2ENR, 26, "ltdc", "apb2_div" }, + { STM32F4_RCC_APB2ENR, 30, "mdio", "apb2_div" }, + }; + +-- +2.31.1 + diff --git a/patches.suse/crypto-caam-replace-this_cpu_ptr-with-raw_cpu_ptr.patch b/patches.suse/crypto-caam-replace-this_cpu_ptr-with-raw_cpu_ptr.patch new file mode 100644 index 0000000..b307f14 --- /dev/null +++ b/patches.suse/crypto-caam-replace-this_cpu_ptr-with-raw_cpu_ptr.patch @@ -0,0 +1,62 @@ +From efd21e10fc3bf4c6da122470a5ae89ec4ed8d180 Mon Sep 17 00:00:00 2001 +From: Meng Li +Date: Mon, 1 Nov 2021 11:13:53 +0800 +Subject: [PATCH] crypto: caam - replace this_cpu_ptr with raw_cpu_ptr +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: efd21e10fc3bf4c6da122470a5ae89ec4ed8d180 +Patch-mainline: v5.17-rc1 +References: git-fixes + +When enable the kernel debug config, there is below calltrace detected: +Bug: using smp_processor_id() in preemptible [00000000] code: cryptomgr_test/339 +caller is debug_smp_processor_id+0x20/0x30 +Cpu: 9 PID: 339 Comm: cryptomgr_test Not tainted 5.10.63-yocto-standard #1 +Hardware name: NXP Layerscape LX2160ARDB (DT) +Call trace: + dump_backtrace+0x0/0x1a0 + show_stack+0x24/0x30 + dump_stack+0xf0/0x13c + check_preemption_disabled+0x100/0x110 + debug_smp_processor_id+0x20/0x30 + dpaa2_caam_enqueue+0x10c/0x25c + ...... + cryptomgr_test+0x38/0x60 + kthread+0x158/0x164 + ret_from_fork+0x10/0x38 +According to the comment in commit ac5d15b4519f("crypto: caam/qi2 + - use affine DPIOs "), because preemption is no longer disabled +while trying to enqueue an FQID, it might be possible to run the +enqueue on a different CPU(due to migration, when in process context), +however this wouldn't be a functionality issue. But there will be +above calltrace when enable kernel debug config. So, replace this_cpu_ptr +with raw_cpu_ptr to avoid above call trace. + +Fixes: ac5d15b4519f ("crypto: caam/qi2 - use affine DPIOs") +Cc: stable@vger.kernel.org +Signed-off-by: Meng Li +Reviewed-by: Horia Geantă +Signed-off-by: Herbert Xu +Acked-by: Takashi Iwai + +--- + drivers/crypto/caam/caamalg_qi2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/caam/caamalg_qi2.c b/drivers/crypto/caam/caamalg_qi2.c +index 8b8ed77d8715..6753f0e6e55d 100644 +--- a/drivers/crypto/caam/caamalg_qi2.c ++++ b/drivers/crypto/caam/caamalg_qi2.c +@@ -5470,7 +5470,7 @@ int dpaa2_caam_enqueue(struct device *dev, struct caam_request *req) + dpaa2_fd_set_len(&fd, dpaa2_fl_get_len(&req->fd_flt[1])); + dpaa2_fd_set_flc(&fd, req->flc_dma); + +- ppriv = this_cpu_ptr(priv->ppriv); ++ ppriv = raw_cpu_ptr(priv->ppriv); + for (i = 0; i < (priv->dpseci_attr.num_tx_queues << 1); i++) { + err = dpaa2_io_service_enqueue_fq(ppriv->dpio, ppriv->req_fqid, + &fd); +-- +2.31.1 + diff --git a/patches.suse/crypto-qce-fix-uaf-on-qce_ahash_register_one.patch b/patches.suse/crypto-qce-fix-uaf-on-qce_ahash_register_one.patch new file mode 100644 index 0000000..5329448 --- /dev/null +++ b/patches.suse/crypto-qce-fix-uaf-on-qce_ahash_register_one.patch @@ -0,0 +1,39 @@ +From b4cb4d31631912842eb7dce02b4350cbb7562d5e Mon Sep 17 00:00:00 2001 +From: Chengfeng Ye +Date: Thu, 4 Nov 2021 06:38:31 -0700 +Subject: [PATCH] crypto: qce - fix uaf on qce_ahash_register_one +Git-commit: b4cb4d31631912842eb7dce02b4350cbb7562d5e +Patch-mainline: v5.17-rc1 +References: git-fixes + +Pointer base points to sub field of tmpl, it +is dereferenced after tmpl is freed. Fix +this by accessing base before free tmpl. + +Fixes: ec8f5d8f ("crypto: qce - Qualcomm crypto engine driver") +Signed-off-by: Chengfeng Ye +Acked-by: Thara Gopinath +Signed-off-by: Herbert Xu +Acked-by: Takashi Iwai + +--- + drivers/crypto/qce/sha.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/qce/sha.c b/drivers/crypto/qce/sha.c +index 8e6fcf2c21cc..59159f5e64e5 100644 +--- a/drivers/crypto/qce/sha.c ++++ b/drivers/crypto/qce/sha.c +@@ -498,8 +498,8 @@ static int qce_ahash_register_one(const struct qce_ahash_def *def, + + ret = crypto_register_ahash(alg); + if (ret) { +- kfree(tmpl); + dev_err(qce->dev, "%s registration failed\n", base->cra_name); ++ kfree(tmpl); + return ret; + } + +-- +2.31.1 + diff --git a/patches.suse/crypto-stm32-crc32-Fix-kernel-BUG-triggered-in-probe.patch b/patches.suse/crypto-stm32-crc32-Fix-kernel-BUG-triggered-in-probe.patch new file mode 100644 index 0000000..8810b30 --- /dev/null +++ b/patches.suse/crypto-stm32-crc32-Fix-kernel-BUG-triggered-in-probe.patch @@ -0,0 +1,69 @@ +From 29009604ad4e3ef784fd9b9fef6f23610ddf633d Mon Sep 17 00:00:00 2001 +From: Marek Vasut +Date: Mon, 20 Dec 2021 20:50:22 +0100 +Subject: [PATCH] crypto: stm32/crc32 - Fix kernel BUG triggered in probe() +Git-commit: 29009604ad4e3ef784fd9b9fef6f23610ddf633d +Patch-mainline: v5.17-rc1 +References: git-fixes + +The include/linux/crypto.h struct crypto_alg field cra_driver_name description +states "Unique name of the transformation provider. " ... " this contains the +name of the chip or provider and the name of the transformation algorithm." + +In case of the stm32-crc driver, field cra_driver_name is identical for all +registered transformation providers and set to the name of the driver itself, +which is incorrect. This patch fixes it by assigning a unique cra_driver_name +to each registered transformation provider. + +The kernel crash is triggered when the driver calls crypto_register_shashes() +which calls crypto_register_shash(), which calls crypto_register_alg(), which +calls __crypto_register_alg(), which returns -EEXIST, which is propagated +back through this call chain. Upon -EEXIST from crypto_register_shash(), the +crypto_register_shashes() starts unregistering the providers back, and calls +crypto_unregister_shash(), which calls crypto_unregister_alg(), and this is +where the BUG() triggers due to incorrect cra_refcnt. + +Fixes: b51dbe90912a ("crypto: stm32 - Support for STM32 CRC32 crypto module") +Signed-off-by: Marek Vasut +Cc: # 4.12+ +Cc: Alexandre Torgue +Cc: Fabien Dessenne +Cc: Herbert Xu +Cc: Lionel Debieve +Cc: Nicolas Toromanoff +Cc: linux-arm-kernel@lists.infradead.org +Cc: linux-stm32@st-md-mailman.stormreply.com +To: linux-crypto@vger.kernel.org +Acked-by: Nicolas Toromanoff +Signed-off-by: Herbert Xu +Acked-by: Takashi Iwai + +--- + drivers/crypto/stm32/stm32-crc32.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/stm32/stm32-crc32.c b/drivers/crypto/stm32/stm32-crc32.c +index 75867c0b0017..be1bf39a317d 100644 +--- a/drivers/crypto/stm32/stm32-crc32.c ++++ b/drivers/crypto/stm32/stm32-crc32.c +@@ -279,7 +279,7 @@ static struct shash_alg algs[] = { + .digestsize = CHKSUM_DIGEST_SIZE, + .base = { + .cra_name = "crc32", +- .cra_driver_name = DRIVER_NAME, ++ .cra_driver_name = "stm32-crc32-crc32", + .cra_priority = 200, + .cra_flags = CRYPTO_ALG_OPTIONAL_KEY, + .cra_blocksize = CHKSUM_BLOCK_SIZE, +@@ -301,7 +301,7 @@ static struct shash_alg algs[] = { + .digestsize = CHKSUM_DIGEST_SIZE, + .base = { + .cra_name = "crc32c", +- .cra_driver_name = DRIVER_NAME, ++ .cra_driver_name = "stm32-crc32-crc32c", + .cra_priority = 200, + .cra_flags = CRYPTO_ALG_OPTIONAL_KEY, + .cra_blocksize = CHKSUM_BLOCK_SIZE, +-- +2.31.1 + diff --git a/patches.suse/crypto-stm32-cryp-fix-double-pm-exit.patch b/patches.suse/crypto-stm32-cryp-fix-double-pm-exit.patch new file mode 100644 index 0000000..0feea45 --- /dev/null +++ b/patches.suse/crypto-stm32-cryp-fix-double-pm-exit.patch @@ -0,0 +1,33 @@ +From 6c12e742785bf9333faf60bfb96575bdd763448e Mon Sep 17 00:00:00 2001 +From: Nicolas Toromanoff +Date: Tue, 30 Nov 2021 08:54:58 +0100 +Subject: [PATCH] crypto: stm32/cryp - fix double pm exit +Git-commit: 6c12e742785bf9333faf60bfb96575bdd763448e +Patch-mainline: v5.17-rc1 +References: git-fixes + +Delete extraneous lines in probe error handling code: pm was +disabled twice. + +Fixes: 65f9aa36ee47 ("crypto: stm32/cryp - Add power management support") + +Reported-by: Marek Vasut +Signed-off-by: Nicolas Toromanoff +Signed-off-by: Herbert Xu +Acked-by: Takashi Iwai + +--- + drivers/crypto/stm32/stm32-cryp.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/crypto/stm32/stm32-cryp.c ++++ b/drivers/crypto/stm32/stm32-cryp.c +@@ -2040,8 +2040,6 @@ err_engine1: + + pm_runtime_disable(dev); + pm_runtime_put_noidle(dev); +- pm_runtime_disable(dev); +- pm_runtime_put_noidle(dev); + + clk_disable_unprepare(cryp->clk); + diff --git a/patches.suse/crypto-stm32-cryp-fix-lrw-chaining-mode.patch b/patches.suse/crypto-stm32-cryp-fix-lrw-chaining-mode.patch new file mode 100644 index 0000000..1fc14c6 --- /dev/null +++ b/patches.suse/crypto-stm32-cryp-fix-lrw-chaining-mode.patch @@ -0,0 +1,41 @@ +From fa97dc2d48b476ea98199d808d3248d285987e99 Mon Sep 17 00:00:00 2001 +From: Nicolas Toromanoff +Date: Tue, 30 Nov 2021 08:54:59 +0100 +Subject: [PATCH] crypto: stm32/cryp - fix lrw chaining mode +Git-commit: fa97dc2d48b476ea98199d808d3248d285987e99 +Patch-mainline: v5.17-rc1 +References: git-fixes + +This fixes the lrw autotest if lrw uses the CRYP as the AES block cipher +provider (as ecb(aes)). At end of request, CRYP should not update the IV +in case of ECB chaining mode. Indeed the ECB chaining mode never uses +the IV, but the software LRW chaining mode uses the IV field as +a counter and due to the (unexpected) update done by CRYP while the AES +block process, the counter get a wrong value when the IV overflow. + +Fixes: 5f49f18d27cd ("crypto: stm32/cryp - update to return iv_out") + +Signed-off-by: Nicolas Toromanoff +Signed-off-by: Herbert Xu +Acked-by: Takashi Iwai + +--- + drivers/crypto/stm32/stm32-cryp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/stm32/stm32-cryp.c b/drivers/crypto/stm32/stm32-cryp.c +index 3f71d927843c..d3aa0afbe365 100644 +--- a/drivers/crypto/stm32/stm32-cryp.c ++++ b/drivers/crypto/stm32/stm32-cryp.c +@@ -644,7 +644,7 @@ static void stm32_cryp_finish_req(struct stm32_cryp *cryp, int err) + /* Phase 4 : output tag */ + err = stm32_cryp_read_auth_tag(cryp); + +- if (!err && (!(is_gcm(cryp) || is_ccm(cryp)))) ++ if (!err && (!(is_gcm(cryp) || is_ccm(cryp) || is_ecb(cryp)))) + stm32_cryp_get_iv(cryp); + + if (cryp->sgs_copied) { +-- +2.31.1 + diff --git a/patches.suse/crypto-stm32-cryp-fix-xts-and-race-condition-in-cryp.patch b/patches.suse/crypto-stm32-cryp-fix-xts-and-race-condition-in-cryp.patch new file mode 100644 index 0000000..1a3d668 --- /dev/null +++ b/patches.suse/crypto-stm32-cryp-fix-xts-and-race-condition-in-cryp.patch @@ -0,0 +1,36 @@ +From d703c7a994ee34b7fa89baf21631fca0aa9f17fc Mon Sep 17 00:00:00 2001 +From: Nicolas Toromanoff +Date: Tue, 30 Nov 2021 08:54:56 +0100 +Subject: [PATCH] crypto: stm32/cryp - fix xts and race condition in crypto_engine requests +Git-commit: d703c7a994ee34b7fa89baf21631fca0aa9f17fc +Patch-mainline: v5.17-rc1 +References: git-fixes + +Don't erase key: +If key is erased before the crypto_finalize_.*_request() call, some +pending process will run with a key={ 0 }. +Moreover if the key is reset at end of request, it breaks xts chaining +mode, as for last xts block (in case input len is not a multiple of +block) a new AES request is started without calling again set_key(). + +Fixes: 9e054ec21ef8 ("crypto: stm32 - Support for STM32 CRYP crypto module") + +Signed-off-by: Nicolas Toromanoff +Signed-off-by: Herbert Xu +Acked-by: Takashi Iwai + +--- + drivers/crypto/stm32/stm32-cryp.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/crypto/stm32/stm32-cryp.c ++++ b/drivers/crypto/stm32/stm32-cryp.c +@@ -669,8 +669,6 @@ static void stm32_cryp_finish_req(struct + else + crypto_finalize_ablkcipher_request(cryp->engine, cryp->req, + err); +- +- memset(cryp->ctx->key, 0, cryp->ctx->keylen); + } + + static int stm32_cryp_cpu_start(struct stm32_cryp *cryp) diff --git a/patches.suse/device-property-Fix-documentation-for-FWNODE_GRAPH_D.patch b/patches.suse/device-property-Fix-documentation-for-FWNODE_GRAPH_D.patch new file mode 100644 index 0000000..93173b7 --- /dev/null +++ b/patches.suse/device-property-Fix-documentation-for-FWNODE_GRAPH_D.patch @@ -0,0 +1,58 @@ +From 49f39cb0ef198ae3c73765c9b9ee3034e4c9f076 Mon Sep 17 00:00:00 2001 +From: Sakari Ailus +Date: Wed, 1 Dec 2021 14:59:30 +0200 +Subject: [PATCH] device property: Fix documentation for FWNODE_GRAPH_DEVICE_DISABLED +Git-commit: 49f39cb0ef198ae3c73765c9b9ee3034e4c9f076 +Patch-mainline: v5.17-rc1 +References: git-fixes + +FWNODE_GRAPH_DEVICE_DISABLED flag was meant for also returning endpoints +connected to disabled devices, but it also may return endpoints that are +not connected. Fix this in documentation. Also +fwnode_graph_get_endpoint_by_id() was affeced by this. + +Also improve the language a little bit. + +Fixes: 0fcc2bdc8aff ("device property: Add fwnode_graph_get_endpoint_by_id()") +Signed-off-by: Sakari Ailus +Reviewed-by: Andy Shevchenko +Signed-off-by: Rafael J. Wysocki +Acked-by: Takashi Iwai + +--- + drivers/base/property.c | 4 ++-- + include/linux/property.h | 3 ++- + 2 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/base/property.c b/drivers/base/property.c +index b7b3a7b86006..e2860abf9889 100644 +--- a/drivers/base/property.c ++++ b/drivers/base/property.c +@@ -1063,8 +1063,8 @@ EXPORT_SYMBOL_GPL(fwnode_graph_get_remote_node); + * has not been found, look for the closest endpoint ID greater than the + * specified one and return the endpoint that corresponds to it, if present. + * +- * Do not return endpoints that belong to disabled devices, unless +- * FWNODE_GRAPH_DEVICE_DISABLED is passed in @flags. ++ * Does not return endpoints that belong to disabled devices or endpoints that ++ * are unconnected, unless FWNODE_GRAPH_DEVICE_DISABLED is passed in @flags. + * + * The returned endpoint needs to be released by calling fwnode_handle_put() on + * it when it is not needed any more. +diff --git a/include/linux/property.h b/include/linux/property.h +index 16f736c698a2..7a2df45ec3ae 100644 +--- a/include/linux/property.h ++++ b/include/linux/property.h +@@ -414,7 +414,8 @@ static inline bool fwnode_graph_is_endpoint(struct fwnode_handle *fwnode) + * one. + * @FWNODE_GRAPH_DEVICE_DISABLED: That the device to which the remote + * endpoint of the given endpoint belongs to, +- * may be disabled. ++ * may be disabled, or that the endpoint is not ++ * connected. + */ + #define FWNODE_GRAPH_ENDPOINT_NEXT BIT(0) + #define FWNODE_GRAPH_DEVICE_DISABLED BIT(1) +-- +2.31.1 + diff --git a/patches.suse/dma_fence_array-Fix-PENDING_ERROR-leak-in-dma_fence_.patch b/patches.suse/dma_fence_array-Fix-PENDING_ERROR-leak-in-dma_fence_.patch new file mode 100644 index 0000000..0d04639 --- /dev/null +++ b/patches.suse/dma_fence_array-Fix-PENDING_ERROR-leak-in-dma_fence_.patch @@ -0,0 +1,59 @@ +From 95d35838880fb040ccb9fe4a48816bd0c8b62df5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Thomas=20Hellstr=C3=B6m?= +Date: Mon, 29 Nov 2021 16:27:27 +0100 +Subject: [PATCH] dma_fence_array: Fix PENDING_ERROR leak in dma_fence_array_signaled() +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 95d35838880fb040ccb9fe4a48816bd0c8b62df5 +Patch-mainline: v5.17-rc1 +References: git-fixes + +If a dma_fence_array is reported signaled by a call to +dma_fence_is_signaled(), it may leak the PENDING_ERROR status. + +Fix this by clearing the PENDING_ERROR status if we return true in +dma_fence_array_signaled(). + +V2: +- Update Cc list, and add R-b. + +Fixes: 1f70b8b812f3 ("dma-fence: Propagate errors to dma-fence-array container") +Cc: Chris Wilson +Cc: Sumit Semwal +Cc: Gustavo Padovan +Cc: Christian König +Cc: "Christian König" +Cc: linux-media@vger.kernel.org +Cc: dri-devel@lists.freedesktop.org +Cc: linaro-mm-sig@lists.linaro.org +Cc: # v5.4+ +Signed-off-by: Thomas Hellström +Reviewed-by: Christian König +Link: https://patchwork.freedesktop.org/patch/msgid/20211129152727.448908-1-thomas.hellstrom@linux.intel.com +Acked-by: Takashi Iwai + +--- + drivers/dma-buf/dma-fence-array.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/dma-buf/dma-fence-array.c b/drivers/dma-buf/dma-fence-array.c +index d3fbd950be94..3e07f961e2f3 100644 +--- a/drivers/dma-buf/dma-fence-array.c ++++ b/drivers/dma-buf/dma-fence-array.c +@@ -104,7 +104,11 @@ static bool dma_fence_array_signaled(struct dma_fence *fence) + { + struct dma_fence_array *array = to_dma_fence_array(fence); + +- return atomic_read(&array->num_pending) <= 0; ++ if (atomic_read(&array->num_pending) > 0) ++ return false; ++ ++ dma_fence_array_clear_pending_error(array); ++ return true; + } + + static void dma_fence_array_release(struct dma_fence *fence) +-- +2.31.1 + diff --git a/patches.suse/dmaengine-pxa-mmp-stop-referencing-config-slave_id.patch b/patches.suse/dmaengine-pxa-mmp-stop-referencing-config-slave_id.patch new file mode 100644 index 0000000..bd6a4ce --- /dev/null +++ b/patches.suse/dmaengine-pxa-mmp-stop-referencing-config-slave_id.patch @@ -0,0 +1,63 @@ +From 134c37fa250a87a7e77c80a7c59ae16c462e46e0 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 22 Nov 2021 23:21:58 +0100 +Subject: [PATCH] dmaengine: pxa/mmp: stop referencing config->slave_id +Git-commit: 134c37fa250a87a7e77c80a7c59ae16c462e46e0 +Patch-mainline: v5.17-rc1 +References: git-fixes + +The last driver referencing the slave_id on Marvell PXA and MMP platforms +was the SPI driver, but this stopped doing so a long time ago, so the +TODO from the earlier patch can no be removed. + +Fixes: b729bf34535e ("spi/pxa2xx: Don't use slave_id of dma_slave_config") +Fixes: 13b3006b8ebd ("dma: mmp_pdma: add filter function") +Signed-off-by: Arnd Bergmann +Acked-by: Mark Brown +Link: https://lore.kernel.org/r/20211122222203.4103644-7-arnd@kernel.org +Signed-off-by: Vinod Koul +Acked-by: Takashi Iwai + +--- + drivers/dma/mmp_pdma.c | 6 ------ + drivers/dma/pxa_dma.c | 7 ------- + 2 files changed, 13 deletions(-) + +diff --git a/drivers/dma/mmp_pdma.c b/drivers/dma/mmp_pdma.c +index a23563cd118b..5a53d7fcef01 100644 +--- a/drivers/dma/mmp_pdma.c ++++ b/drivers/dma/mmp_pdma.c +@@ -727,12 +727,6 @@ static int mmp_pdma_config_write(struct dma_chan *dchan, + + chan->dir = direction; + chan->dev_addr = addr; +- /* FIXME: drivers should be ported over to use the filter +- * function. Once that's done, the following two lines can +- * be removed. +- */ +- if (cfg->slave_id) +- chan->drcmr = cfg->slave_id; + + return 0; + } +diff --git a/drivers/dma/pxa_dma.c b/drivers/dma/pxa_dma.c +index 52d04641e361..6078cc81892e 100644 +--- a/drivers/dma/pxa_dma.c ++++ b/drivers/dma/pxa_dma.c +@@ -909,13 +909,6 @@ static void pxad_get_config(struct pxad_chan *chan, + *dcmd |= PXA_DCMD_BURST16; + else if (maxburst == 32) + *dcmd |= PXA_DCMD_BURST32; +- +- /* FIXME: drivers should be ported over to use the filter +- * function. Once that's done, the following two lines can +- * be removed. +- */ +- if (chan->cfg.slave_id) +- chan->drcmr = chan->cfg.slave_id; + } + + static struct dma_async_tx_descriptor * +-- +2.31.1 + diff --git a/patches.suse/drm-amdgpu-Fix-a-NULL-pointer-dereference-in-amdgpu_.patch b/patches.suse/drm-amdgpu-Fix-a-NULL-pointer-dereference-in-amdgpu_.patch new file mode 100644 index 0000000..1fa9391 --- /dev/null +++ b/patches.suse/drm-amdgpu-Fix-a-NULL-pointer-dereference-in-amdgpu_.patch @@ -0,0 +1,64 @@ +From b220110e4cd442156f36e1d9b4914bb9e87b0d00 Mon Sep 17 00:00:00 2001 +From: Zhou Qingyang +Date: Fri, 3 Dec 2021 00:17:36 +0800 +Subject: [PATCH] drm/amdgpu: Fix a NULL pointer dereference in amdgpu_connector_lcd_native_mode() +Git-commit: b220110e4cd442156f36e1d9b4914bb9e87b0d00 +Patch-mainline: v5.17-rc1 +References: git-fixes + +In amdgpu_connector_lcd_native_mode(), the return value of +drm_mode_duplicate() is assigned to mode, and there is a dereference +of it in amdgpu_connector_lcd_native_mode(), which will lead to a NULL +pointer dereference on failure of drm_mode_duplicate(). + +Fix this bug add a check of mode. + +This bug was found by a static analyzer. The analysis employs +differential checking to identify inconsistent security operations +(e.g., checks or kfrees) between two code paths and confirms that the +inconsistent operations are not recovered in the current function or +the callers, so they constitute bugs. + +Note that, as a bug found by static analysis, it can be a false +positive or hard to trigger. Multiple researchers have cross-reviewed +the bug. + +Builds with CONFIG_DRM_AMDGPU=m show no new warnings, and +our static analyzer no longer warns about this code. + +Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)") +Signed-off-by: Zhou Qingyang +Signed-off-by: Alex Deucher +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c +index 0de66f59adb8..df1f9b88a53f 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c +@@ -387,6 +387,9 @@ amdgpu_connector_lcd_native_mode(struct drm_encoder *encoder) + native_mode->vdisplay != 0 && + native_mode->clock != 0) { + mode = drm_mode_duplicate(dev, native_mode); ++ if (!mode) ++ return NULL; ++ + mode->type = DRM_MODE_TYPE_PREFERRED | DRM_MODE_TYPE_DRIVER; + drm_mode_set_name(mode); + +@@ -401,6 +404,9 @@ amdgpu_connector_lcd_native_mode(struct drm_encoder *encoder) + * simpler. + */ + mode = drm_cvt_mode(dev, native_mode->hdisplay, native_mode->vdisplay, 60, true, false, false); ++ if (!mode) ++ return NULL; ++ + mode->type = DRM_MODE_TYPE_PREFERRED | DRM_MODE_TYPE_DRIVER; + DRM_DEBUG_KMS("Adding cvt approximation of native panel mode %s\n", mode->name); + } +-- +2.31.1 + diff --git a/patches.suse/drm-amdkfd-Check-for-null-pointer-after-calling-kmem.patch b/patches.suse/drm-amdkfd-Check-for-null-pointer-after-calling-kmem.patch new file mode 100644 index 0000000..44ce0d4 --- /dev/null +++ b/patches.suse/drm-amdkfd-Check-for-null-pointer-after-calling-kmem.patch @@ -0,0 +1,41 @@ +From abfaf0eee97925905e742aa3b0b72e04a918fa9e Mon Sep 17 00:00:00 2001 +From: Jiasheng Jiang +Date: Wed, 5 Jan 2022 17:09:43 +0800 +Subject: [PATCH] drm/amdkfd: Check for null pointer after calling kmemdup +Git-commit: abfaf0eee97925905e742aa3b0b72e04a918fa9e +Patch-mainline: v5.17-rc1 +References: git-fixes + +As the possible failure of the allocation, kmemdup() may return NULL +pointer. +Therefore, it should be better to check the 'props2' in order to prevent +the dereference of NULL pointer. + +Fixes: 3a87177eb141 ("drm/amdkfd: Add topology support for dGPUs") +Signed-off-by: Jiasheng Jiang +Reviewed-by: Felix Kuehling +Signed-off-by: Felix Kuehling +Signed-off-by: Alex Deucher +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/amd/amdkfd/kfd_crat.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_crat.c b/drivers/gpu/drm/amd/amdkfd/kfd_crat.c +index f187596faf66..9624bbe8b501 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_crat.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_crat.c +@@ -1060,6 +1060,9 @@ static int kfd_parse_subtype_iolink(struct crat_subtype_iolink *iolink, + return -ENODEV; + /* same everything but the other direction */ + props2 = kmemdup(props, sizeof(*props2), GFP_KERNEL); ++ if (!props2) ++ return -ENOMEM; ++ + props2->node_from = id_to; + props2->node_to = id_from; + props2->kobj = NULL; +-- +2.31.1 + diff --git a/patches.suse/drm-atomic-Check-new_crtc_state-active-to-determine-.patch b/patches.suse/drm-atomic-Check-new_crtc_state-active-to-determine-.patch new file mode 100644 index 0000000..8c53f82 --- /dev/null +++ b/patches.suse/drm-atomic-Check-new_crtc_state-active-to-determine-.patch @@ -0,0 +1,57 @@ +From 69e630016ef4e4a1745310c446f204dc6243e907 Mon Sep 17 00:00:00 2001 +From: Liu Ying +Date: Thu, 30 Dec 2021 12:06:26 +0800 +Subject: [PATCH] drm/atomic: Check new_crtc_state->active to determine if CRTC needs disable in self refresh mode +Git-commit: 69e630016ef4e4a1745310c446f204dc6243e907 +Patch-mainline: v5.17-rc1 +References: git-fixes + +Actual hardware state of CRTC is controlled by the member 'active' in +struct drm_crtc_state instead of the member 'enable', according to the +kernel doc of the member 'enable'. In fact, the drm client modeset +and atomic helpers are using the member 'active' to do the control. + +Referencing the member 'enable' of new_crtc_state, the function +crtc_needs_disable() may fail to reflect if CRTC needs disable in +self refresh mode, e.g., when the framebuffer emulation will be blanked +through the client modeset helper with the next commit, the member +'enable' of new_crtc_state is still true while the member 'active' is +false, hence the relevant potential encoder and bridges won't be disabled. + +So, let's check new_crtc_state->active to determine if CRTC needs disable +in self refresh mode instead of new_crtc_state->enable. + +Fixes: 1452c25b0e60 ("drm: Add helpers to kick off self refresh mode in drivers") +Cc: Sean Paul +Cc: Rob Clark +Cc: Maarten Lankhorst +Cc: Maxime Ripard +Cc: Thomas Zimmermann +Cc: David Airlie +Cc: Daniel Vetter +Reviewed-by: Alex Deucher +Signed-off-by: Liu Ying +Signed-off-by: Alex Deucher +Link: https://patchwork.freedesktop.org/patch/msgid/20211230040626.646807-1-victor.liu@nxp.com +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/drm_atomic_helper.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c +index aef2fbd676e5..794442823262 100644 +--- a/drivers/gpu/drm/drm_atomic_helper.c ++++ b/drivers/gpu/drm/drm_atomic_helper.c +@@ -1016,7 +1016,7 @@ crtc_needs_disable(struct drm_crtc_state *old_state, + * it's in self refresh mode and needs to be fully disabled. + */ + return old_state->active || +- (old_state->self_refresh_active && !new_state->enable) || ++ (old_state->self_refresh_active && !new_state->active) || + new_state->self_refresh_active; + } + +-- +2.31.1 + diff --git a/patches.suse/drm-bridge-analogix_dp-Make-PSR-exit-block-less.patch b/patches.suse/drm-bridge-analogix_dp-Make-PSR-exit-block-less.patch new file mode 100644 index 0000000..e787040 --- /dev/null +++ b/patches.suse/drm-bridge-analogix_dp-Make-PSR-exit-block-less.patch @@ -0,0 +1,91 @@ +From c4c6ef229593366ab593d4d424addc7025b54a76 Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Wed, 3 Nov 2021 13:52:00 -0700 +Subject: [PATCH] drm/bridge: analogix_dp: Make PSR-exit block less +Git-commit: c4c6ef229593366ab593d4d424addc7025b54a76 +Patch-mainline: v5.17-rc1 +References: git-fixes + +Prior to commit 6c836d965bad ("drm/rockchip: Use the helpers for PSR"), +"PSR exit" used non-blocking analogix_dp_send_psr_spd(). The refactor +started using the blocking variant, for a variety of reasons -- quoting +Sean Paul's potentially-faulty memory: + +""" + - To avoid racing a subsequent PSR entry (if exit takes a long time) + - To avoid racing disable/modeset + - We're not displaying new content while exiting PSR anyways, so there + is minimal utility in allowing frames to be submitted + - We're lying to userspace telling them frames are on the screen when + we're just dropping them on the floor +""" + +However, I'm finding that this blocking transition is causing upwards of +60+ ms of unneeded latency on PSR-exit, to the point that initial cursor +movements when leaving PSR are unbearably jumpy. + +It turns out that we need to meet in the middle somewhere: Sean is right +that we were "lying to userspace" with a non-blocking PSR-exit, but the +new blocking behavior is also waiting too long: + +According to the eDP specification, the sink device must support PSR +entry transitions from both state 4 (ACTIVE_RESYNC) and state 0 +(INACTIVE). It also states that in ACTIVE_RESYNC, "the Sink device must +display the incoming active frames from the Source device with no +visible glitches and/or artifacts." + +Thus, for our purposes, we only need to wait for ACTIVE_RESYNC before +moving on; we are ready to display video, and subsequent PSR-entry is +safe. + +Tested on a Samsung Chromebook Plus (i.e., Rockchip RK3399 Gru Kevin), +where this saves about 60ms of latency, for PSR-exit that used to +take about 80ms. + +Fixes: 6c836d965bad ("drm/rockchip: Use the helpers for PSR") +Cc: +Cc: Zain Wang +Cc: Tomasz Figa +Cc: Heiko Stuebner +Cc: Sean Paul +Signed-off-by: Brian Norris +Reviewed-by: Sean Paul +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20211103135112.v3.1.I67612ea073c3306c71b46a87be894f79707082df@changeid +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/bridge/analogix/analogix_dp_reg.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/analogix/analogix_dp_reg.c b/drivers/gpu/drm/bridge/analogix/analogix_dp_reg.c +index cab6c8b92efd..6a4f20fccf84 100644 +--- a/drivers/gpu/drm/bridge/analogix/analogix_dp_reg.c ++++ b/drivers/gpu/drm/bridge/analogix/analogix_dp_reg.c +@@ -998,11 +998,21 @@ int analogix_dp_send_psr_spd(struct analogix_dp_device *dp, + if (!blocking) + return 0; + ++ /* ++ * db[1]!=0: entering PSR, wait for fully active remote frame buffer. ++ * db[1]==0: exiting PSR, wait for either ++ * (a) ACTIVE_RESYNC - the sink "must display the ++ * incoming active frames from the Source device with no visible ++ * glitches and/or artifacts", even though timings may still be ++ * re-synchronizing; or ++ * (b) INACTIVE - the transition is fully complete. ++ */ + ret = readx_poll_timeout(analogix_dp_get_psr_status, dp, psr_status, + psr_status >= 0 && + ((vsc->db[1] && psr_status == DP_PSR_SINK_ACTIVE_RFB) || +- (!vsc->db[1] && psr_status == DP_PSR_SINK_INACTIVE)), 1500, +- DP_TIMEOUT_PSR_LOOP_MS * 1000); ++ (!vsc->db[1] && (psr_status == DP_PSR_SINK_ACTIVE_RESYNC || ++ psr_status == DP_PSR_SINK_INACTIVE))), ++ 1500, DP_TIMEOUT_PSR_LOOP_MS * 1000); + if (ret) { + dev_warn(dp->dev, "Failed to apply PSR %d\n", ret); + return ret; +-- +2.31.1 + diff --git a/patches.suse/drm-bridge-display-connector-fix-an-uninitialized-po.patch b/patches.suse/drm-bridge-display-connector-fix-an-uninitialized-po.patch new file mode 100644 index 0000000..50e8042 --- /dev/null +++ b/patches.suse/drm-bridge-display-connector-fix-an-uninitialized-po.patch @@ -0,0 +1,38 @@ +From 189723fbe9aca18d6f7d638c59a40288030932b5 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 13 Oct 2021 11:08:25 +0300 +Subject: [PATCH] drm/bridge: display-connector: fix an uninitialized pointer in probe() +Git-commit: 189723fbe9aca18d6f7d638c59a40288030932b5 +Patch-mainline: v5.17-rc1 +References: git-fixes + +The "label" pointer is used for debug output. The code assumes that it +is either NULL or valid, but it is never set to NULL. It is either +valid or uninitialized. + +Fixes: 0c275c30176b ("drm/bridge: Add bridge driver for display connectors") +Signed-off-by: Dan Carpenter +Signed-off-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/20211013080825.GE6010@kili +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/bridge/display-connector.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/bridge/display-connector.c b/drivers/gpu/drm/bridge/display-connector.c +index 05eb759da6fc..847a0dce7f1d 100644 +--- a/drivers/gpu/drm/bridge/display-connector.c ++++ b/drivers/gpu/drm/bridge/display-connector.c +@@ -107,7 +107,7 @@ static int display_connector_probe(struct platform_device *pdev) + { + struct display_connector *conn; + unsigned int type; +- const char *label; ++ const char *label = NULL; + int ret; + + conn = devm_kzalloc(&pdev->dev, sizeof(*conn), GFP_KERNEL); +-- +2.31.1 + diff --git a/patches.suse/drm-bridge-ti-sn65dsi86-Set-max-register-for-regmap.patch b/patches.suse/drm-bridge-ti-sn65dsi86-Set-max-register-for-regmap.patch new file mode 100644 index 0000000..3cfa0e2 --- /dev/null +++ b/patches.suse/drm-bridge-ti-sn65dsi86-Set-max-register-for-regmap.patch @@ -0,0 +1,35 @@ +From 0b665d4af35837f0a0ae63135b84a3c187c1db3b Mon Sep 17 00:00:00 2001 +From: Stephen Boyd +Date: Tue, 14 Dec 2021 16:25:29 -0800 +Subject: [PATCH] drm/bridge: ti-sn65dsi86: Set max register for regmap +Git-commit: 0b665d4af35837f0a0ae63135b84a3c187c1db3b +Patch-mainline: v5.17-rc1 +References: git-fixes + +Set the maximum register to 0xff so we can dump the registers for this +device in debugfs. + +Fixes: a095f15c00e2 ("drm/bridge: add support for sn65dsi86 bridge driver") +Cc: Rob Clark +Cc: Douglas Anderson +Cc: Laurent Pinchart +Signed-off-by: Stephen Boyd +Reviewed-by: Robert Foss +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20211215002529.382383-1-swboyd@chromium.org +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/bridge/ti-sn65dsi86.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/bridge/ti-sn65dsi86.c ++++ b/drivers/gpu/drm/bridge/ti-sn65dsi86.c +@@ -171,6 +171,7 @@ static const struct regmap_config ti_sn_ + .val_bits = 8, + .volatile_table = &ti_sn_bridge_volatile_table, + .cache_type = REGCACHE_NONE, ++ .max_register = 0xFF, + }; + + static void ti_sn_bridge_write_u16(struct ti_sn_bridge *pdata, diff --git a/patches.suse/drm-fix-null-ptr-deref-in-drm_dev_init_release.patch b/patches.suse/drm-fix-null-ptr-deref-in-drm_dev_init_release.patch new file mode 100644 index 0000000..e3e0c42 --- /dev/null +++ b/patches.suse/drm-fix-null-ptr-deref-in-drm_dev_init_release.patch @@ -0,0 +1,81 @@ +From acf20ed020ffa4d6cc8347e8d356509b95df3cbe Mon Sep 17 00:00:00 2001 +From: Wang Hai +Date: Wed, 13 Oct 2021 19:41:39 +0800 +Subject: [PATCH] drm: fix null-ptr-deref in drm_dev_init_release() +Git-commit: acf20ed020ffa4d6cc8347e8d356509b95df3cbe +Patch-mainline: v5.17-rc1 +References: git-fixes + +I got a null-ptr-deref report: + +[drm:drm_dev_init [drm]] *ERROR* Cannot allocate anonymous inode: -12 +================================================================== +Bug: KASAN: null-ptr-deref in iput+0x3c/0x4a0 +... +Call Trace: + dump_stack_lvl+0x6c/0x8b + kasan_report.cold+0x64/0xdb + __asan_load8+0x69/0x90 + iput+0x3c/0x4a0 + drm_dev_init_release+0x39/0xb0 [drm] + drm_managed_release+0x158/0x2d0 [drm] + drm_dev_init+0x3a7/0x4c0 [drm] + __devm_drm_dev_alloc+0x55/0xd0 [drm] + mi0283qt_probe+0x8a/0x2b5 [mi0283qt] + spi_probe+0xeb/0x130 +... + entry_SYSCALL_64_after_hwframe+0x44/0xae + +If drm_fs_inode_new() fails in drm_dev_init(), dev->anon_inode will point +to PTR_ERR(...) instead of NULL. This will result in null-ptr-deref when +drm_fs_inode_free(dev->anon_inode) is called. + +drm_dev_init() + drm_fs_inode_new() // fail, dev->anon_inode = PTR_ERR(...) + drm_managed_release() + drm_dev_init_release() + drm_fs_inode_free() // access non-existent anon_inode + +Define a temp variable and assign it to dev->anon_inode if the temp +variable is not PTR_ERR. + +Fixes: 2cbf7fc6718b ("drm: Use drmm_ for drm_dev_init cleanup") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Signed-off-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/20211013114139.4042207-1-wanghai38@huawei.com +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/drm_drv.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/drm_drv.c ++++ b/drivers/gpu/drm/drm_drv.c +@@ -621,6 +621,7 @@ int drm_dev_init(struct drm_device *dev, + struct drm_driver *driver, + struct device *parent) + { ++ struct inode *inode; + int ret; + + if (!drm_core_init_complete) { +@@ -657,13 +658,15 @@ int drm_dev_init(struct drm_device *dev, + if (ret) + return ret; + +- dev->anon_inode = drm_fs_inode_new(); +- if (IS_ERR(dev->anon_inode)) { +- ret = PTR_ERR(dev->anon_inode); ++ inode = drm_fs_inode_new(); ++ if (IS_ERR(inode)) { ++ ret = PTR_ERR(inode); + DRM_ERROR("Cannot allocate anonymous inode: %d\n", ret); + goto err; + } + ++ dev->anon_inode = inode; ++ + if (drm_core_check_feature(dev, DRIVER_RENDER)) { + ret = drm_minor_alloc(dev, DRM_MINOR_RENDER); + if (ret) diff --git a/patches.suse/drm-i915-Avoid-bitwise-vs-logical-OR-warning-in-snb_.patch b/patches.suse/drm-i915-Avoid-bitwise-vs-logical-OR-warning-in-snb_.patch new file mode 100644 index 0000000..0ce052d --- /dev/null +++ b/patches.suse/drm-i915-Avoid-bitwise-vs-logical-OR-warning-in-snb_.patch @@ -0,0 +1,60 @@ +From 2e70570656adfe1c5d9a29940faa348d5f132199 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Thu, 14 Oct 2021 14:19:16 -0700 +Subject: [PATCH] drm/i915: Avoid bitwise vs logical OR warning in snb_wm_latency_quirk() +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 2e70570656adfe1c5d9a29940faa348d5f132199 +Patch-mainline: v5.17-rc1 +References: git-fixes + +A new warning in clang points out a place in this file where a bitwise +OR is being used with boolean types: + +drivers/gpu/drm/i915/intel_pm.c:3066:12: warning: use of bitwise '|' with boolean operands [-Wbitwise-instead-of-logical] + changed = ilk_increase_wm_latency(dev_priv, dev_priv->wm.pri_latency, 12) | + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +This construct is intentional, as it allows every one of the calls to +ilk_increase_wm_latency() to occur (instead of short circuiting with +logical OR) while still caring about the result of each call. + +To make this clearer to the compiler, use the '|=' operator to assign +the result of each ilk_increase_wm_latency() call to changed, which +keeps the meaning of the code the same but makes it obvious that every +one of these calls is expected to happen. + +Link: https://github.com/ClangBuiltLinux/linux/issues/1473 +Reported-by: Nick Desaulniers +Signed-off-by: Nathan Chancellor +Suggested-by: Dávid Bolvanský +Reviewed-by: Nick Desaulniers +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20211014211916.3550122-1-nathan@kernel.org +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/i915/intel_pm.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/i915/intel_pm.c b/drivers/gpu/drm/i915/intel_pm.c +index f90fe39cf8ca..aaa3a0998e4c 100644 +--- a/drivers/gpu/drm/i915/intel_pm.c ++++ b/drivers/gpu/drm/i915/intel_pm.c +@@ -3050,9 +3050,9 @@ static void snb_wm_latency_quirk(struct drm_i915_private *dev_priv) + * The BIOS provided WM memory latency values are often + * inadequate for high resolution displays. Adjust them. + */ +- changed = ilk_increase_wm_latency(dev_priv, dev_priv->wm.pri_latency, 12) | +- ilk_increase_wm_latency(dev_priv, dev_priv->wm.spr_latency, 12) | +- ilk_increase_wm_latency(dev_priv, dev_priv->wm.cur_latency, 12); ++ changed = ilk_increase_wm_latency(dev_priv, dev_priv->wm.pri_latency, 12); ++ changed |= ilk_increase_wm_latency(dev_priv, dev_priv->wm.spr_latency, 12); ++ changed |= ilk_increase_wm_latency(dev_priv, dev_priv->wm.cur_latency, 12); + + if (!changed) + return; +-- +2.31.1 + diff --git a/patches.suse/drm-mediatek-Check-plane-visibility-in-atomic_update.patch b/patches.suse/drm-mediatek-Check-plane-visibility-in-atomic_update.patch new file mode 100644 index 0000000..f58000b --- /dev/null +++ b/patches.suse/drm-mediatek-Check-plane-visibility-in-atomic_update.patch @@ -0,0 +1,74 @@ +From c0b8892e2461b5fa740e47efbb1269a487b04020 Mon Sep 17 00:00:00 2001 +From: Hsin-Yi Wang +Date: Mon, 22 Jun 2020 23:57:53 +0800 +Subject: [PATCH] drm/mediatek: Check plane visibility in atomic_update +Git-commit: c0b8892e2461b5fa740e47efbb1269a487b04020 +Patch-mainline: v5.8-rc5 +References: git-fixes + +Disable the plane if it's not visible. Otherwise mtk_ovl_layer_config() +would proceed with invalid plane and we may see vblank timeout. + +Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.") +Signed-off-by: Hsin-Yi Wang +Reviewed-by: Tomasz Figa +Signed-off-by: Chun-Kuang Hu +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/mediatek/mtk_drm_plane.c | 25 ++++++++++++++---------- + 1 file changed, 15 insertions(+), 10 deletions(-) + +diff --git a/drivers/gpu/drm/mediatek/mtk_drm_plane.c b/drivers/gpu/drm/mediatek/mtk_drm_plane.c +index c2bd683a87c8..92141a19681b 100644 +--- a/drivers/gpu/drm/mediatek/mtk_drm_plane.c ++++ b/drivers/gpu/drm/mediatek/mtk_drm_plane.c +@@ -164,6 +164,16 @@ static int mtk_plane_atomic_check(struct drm_plane *plane, + true, true); + } + ++static void mtk_plane_atomic_disable(struct drm_plane *plane, ++ struct drm_plane_state *old_state) ++{ ++ struct mtk_plane_state *state = to_mtk_plane_state(plane->state); ++ ++ state->pending.enable = false; ++ wmb(); /* Make sure the above parameter is set before update */ ++ state->pending.dirty = true; ++} ++ + static void mtk_plane_atomic_update(struct drm_plane *plane, + struct drm_plane_state *old_state) + { +@@ -178,6 +188,11 @@ static void mtk_plane_atomic_update(struct drm_plane *plane, + if (!crtc || WARN_ON(!fb)) + return; + ++ if (!plane->state->visible) { ++ mtk_plane_atomic_disable(plane, old_state); ++ return; ++ } ++ + gem = fb->obj[0]; + mtk_gem = to_mtk_gem_obj(gem); + addr = mtk_gem->dma_addr; +@@ -200,16 +215,6 @@ static void mtk_plane_atomic_update(struct drm_plane *plane, + state->pending.dirty = true; + } + +-static void mtk_plane_atomic_disable(struct drm_plane *plane, +- struct drm_plane_state *old_state) +-{ +- struct mtk_plane_state *state = to_mtk_plane_state(plane->state); +- +- state->pending.enable = false; +- wmb(); /* Make sure the above parameter is set before update */ +- state->pending.dirty = true; +-} +- + static const struct drm_plane_helper_funcs mtk_plane_helper_funcs = { + .prepare_fb = drm_gem_fb_prepare_fb, + .atomic_check = mtk_plane_atomic_check, +-- +2.31.1 + diff --git a/patches.suse/drm-msm-dpu-fix-safe-status-debugfs-file.patch b/patches.suse/drm-msm-dpu-fix-safe-status-debugfs-file.patch new file mode 100644 index 0000000..5f03708 --- /dev/null +++ b/patches.suse/drm-msm-dpu-fix-safe-status-debugfs-file.patch @@ -0,0 +1,40 @@ +From f31b0e24d31e18b4503eeaf0032baeacc0beaff6 Mon Sep 17 00:00:00 2001 +From: Dmitry Baryshkov +Date: Thu, 2 Dec 2021 01:26:27 +0300 +Subject: [PATCH] drm/msm/dpu: fix safe status debugfs file +Git-commit: f31b0e24d31e18b4503eeaf0032baeacc0beaff6 +Patch-mainline: v5.17-rc1 +References: git-fixes + +Make safe_status debugfs fs file actually return safe status rather than +danger status data. + +Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support") +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Link: https://lore.kernel.org/r/20211201222633.2476780-3-dmitry.baryshkov@linaro.org +Signed-off-by: Rob Clark +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c +index c541dbbd9df8..057d5536f881 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c +@@ -73,8 +73,8 @@ static int _dpu_danger_signal_status(struct seq_file *s, + &status); + } else { + seq_puts(s, "\nSafe signal status:\n"); +- if (kms->hw_mdp->ops.get_danger_status) +- kms->hw_mdp->ops.get_danger_status(kms->hw_mdp, ++ if (kms->hw_mdp->ops.get_safe_status) ++ kms->hw_mdp->ops.get_safe_status(kms->hw_mdp, + &status); + } + pm_runtime_put_sync(&kms->pdev->dev); +-- +2.31.1 + diff --git a/patches.suse/drm-panel-innolux-p079zca-Delete-panel-on-attach-fai.patch b/patches.suse/drm-panel-innolux-p079zca-Delete-panel-on-attach-fai.patch new file mode 100644 index 0000000..464a0f6 --- /dev/null +++ b/patches.suse/drm-panel-innolux-p079zca-Delete-panel-on-attach-fai.patch @@ -0,0 +1,57 @@ +From 32a267e9c057e1636e7afdd20599aa5741a73079 Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Thu, 23 Sep 2021 17:33:54 -0700 +Subject: [PATCH] drm/panel: innolux-p079zca: Delete panel on attach() failure +Git-commit: 32a267e9c057e1636e7afdd20599aa5741a73079 +Patch-mainline: v5.17-rc1 +References: git-fixes + +If we fail to attach (e.g., because 1 of 2 dual-DSI controllers aren't +ready), we leave a dangling drm_panel reference to freed memory. Clean +that up on failure. + +This problem exists since the driver's introduction, but is especially +relevant after refactored for dual-DSI variants. + +Fixes: 14c8f2e9f8ea ("drm/panel: add Innolux P079ZCA panel driver") +Fixes: 7ad4e4636c54 ("drm/panel: p079zca: Refactor panel driver to support multiple panels") +Signed-off-by: Brian Norris +Signed-off-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/20210923173336.2.I9023cf8811a3abf4964ed84eb681721d8bb489d6@changeid +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/panel/panel-innolux-p079zca.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/panel/panel-innolux-p079zca.c b/drivers/gpu/drm/panel/panel-innolux-p079zca.c +index aea316225391..f194b62e290c 100644 +--- a/drivers/gpu/drm/panel/panel-innolux-p079zca.c ++++ b/drivers/gpu/drm/panel/panel-innolux-p079zca.c +@@ -484,6 +484,7 @@ static void innolux_panel_del(struct innolux_panel *innolux) + static int innolux_panel_probe(struct mipi_dsi_device *dsi) + { + const struct panel_desc *desc; ++ struct innolux_panel *innolux; + int err; + + desc = of_device_get_match_data(&dsi->dev); +@@ -495,7 +496,14 @@ static int innolux_panel_probe(struct mipi_dsi_device *dsi) + if (err < 0) + return err; + +- return mipi_dsi_attach(dsi); ++ err = mipi_dsi_attach(dsi); ++ if (err < 0) { ++ innolux = mipi_dsi_get_drvdata(dsi); ++ innolux_panel_del(innolux); ++ return err; ++ } ++ ++ return 0; + } + + static int innolux_panel_remove(struct mipi_dsi_device *dsi) +-- +2.31.1 + diff --git a/patches.suse/drm-panel-kingdisplay-kd097d04-Delete-panel-on-attac.patch b/patches.suse/drm-panel-kingdisplay-kd097d04-Delete-panel-on-attac.patch new file mode 100644 index 0000000..0637aa0 --- /dev/null +++ b/patches.suse/drm-panel-kingdisplay-kd097d04-Delete-panel-on-attac.patch @@ -0,0 +1,44 @@ +From 5f31dbeae8a88f31c3eb4eb526ab4807c40da241 Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Thu, 23 Sep 2021 17:33:53 -0700 +Subject: [PATCH] drm/panel: kingdisplay-kd097d04: Delete panel on attach() failure +Git-commit: 5f31dbeae8a88f31c3eb4eb526ab4807c40da241 +Patch-mainline: v5.17-rc1 +References: git-fixes + +If we fail to attach (e.g., because 1 of 2 dual-DSI controllers aren't +ready), we leave a dangling drm_panel reference to freed memory. Clean +that up on failure. + +Fixes: 2a994cbed6b2 ("drm/panel: Add Kingdisplay KD097D04 panel driver") +Signed-off-by: Brian Norris +Signed-off-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/20210923173336.1.Icb4d9dbc1817f4e826361a4f1cea7461541668f0@changeid +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/panel/panel-kingdisplay-kd097d04.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/panel/panel-kingdisplay-kd097d04.c b/drivers/gpu/drm/panel/panel-kingdisplay-kd097d04.c +index 86e4213e8bb1..daccb1fd5fda 100644 +--- a/drivers/gpu/drm/panel/panel-kingdisplay-kd097d04.c ++++ b/drivers/gpu/drm/panel/panel-kingdisplay-kd097d04.c +@@ -406,7 +406,13 @@ static int kingdisplay_panel_probe(struct mipi_dsi_device *dsi) + if (err < 0) + return err; + +- return mipi_dsi_attach(dsi); ++ err = mipi_dsi_attach(dsi); ++ if (err < 0) { ++ kingdisplay_panel_del(kingdisplay); ++ return err; ++ } ++ ++ return 0; + } + + static int kingdisplay_panel_remove(struct mipi_dsi_device *dsi) +-- +2.31.1 + diff --git a/patches.suse/drm-radeon-radeon_kms-Fix-a-NULL-pointer-dereference.patch b/patches.suse/drm-radeon-radeon_kms-Fix-a-NULL-pointer-dereference.patch new file mode 100644 index 0000000..098c960 --- /dev/null +++ b/patches.suse/drm-radeon-radeon_kms-Fix-a-NULL-pointer-dereference.patch @@ -0,0 +1,121 @@ +From ab50cb9df8896b39aae65c537a30de2c79c19735 Mon Sep 17 00:00:00 2001 +From: Zhou Qingyang +Date: Wed, 1 Dec 2021 23:13:10 +0800 +Subject: [PATCH] drm/radeon/radeon_kms: Fix a NULL pointer dereference in radeon_driver_open_kms() +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: ab50cb9df8896b39aae65c537a30de2c79c19735 +Patch-mainline: v5.17-rc1 +References: git-fixes + +In radeon_driver_open_kms(), radeon_vm_bo_add() is assigned to +vm->ib_bo_va and passes and used in radeon_vm_bo_set_addr(). In +radeon_vm_bo_set_addr(), there is a dereference of vm->ib_bo_va, +which could lead to a NULL pointer dereference on failure of +radeon_vm_bo_add(). + +Fix this bug by adding a check of vm->ib_bo_va. + +This bug was found by a static analyzer. The analysis employs +differential checking to identify inconsistent security operations +(e.g., checks or kfrees) between two code paths and confirms that the +inconsistent operations are not recovered in the current function or +the callers, so they constitute bugs. + +Note that, as a bug found by static analysis, it can be a false +positive or hard to trigger. Multiple researchers have cross-reviewed +the bug. + +Builds with CONFIG_DRM_RADEON=m show no new warnings, +and our static analyzer no longer warns about this code. + +Fixes: cc9e67e3d700 ("drm/radeon: fix VM IB handling") +Reviewed-by: Christian König +Signed-off-by: Zhou Qingyang +Signed-off-by: Alex Deucher +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/radeon/radeon_kms.c | 36 ++++++++++++++++------------- + 1 file changed, 20 insertions(+), 16 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/radeon_kms.c b/drivers/gpu/drm/radeon/radeon_kms.c +index 7afe28408085..e2488559cc9f 100644 +--- a/drivers/gpu/drm/radeon/radeon_kms.c ++++ b/drivers/gpu/drm/radeon/radeon_kms.c +@@ -648,6 +648,8 @@ void radeon_driver_lastclose_kms(struct drm_device *dev) + int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv) + { + struct radeon_device *rdev = dev->dev_private; ++ struct radeon_fpriv *fpriv; ++ struct radeon_vm *vm; + int r; + + file_priv->driver_priv = NULL; +@@ -660,8 +662,6 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv) + + /* new gpu have virtual address space support */ + if (rdev->family >= CHIP_CAYMAN) { +- struct radeon_fpriv *fpriv; +- struct radeon_vm *vm; + + fpriv = kzalloc(sizeof(*fpriv), GFP_KERNEL); + if (unlikely(!fpriv)) { +@@ -672,35 +672,39 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv) + if (rdev->accel_working) { + vm = &fpriv->vm; + r = radeon_vm_init(rdev, vm); +- if (r) { +- kfree(fpriv); +- goto out_suspend; +- } ++ if (r) ++ goto out_fpriv; + + r = radeon_bo_reserve(rdev->ring_tmp_bo.bo, false); +- if (r) { +- radeon_vm_fini(rdev, vm); +- kfree(fpriv); +- goto out_suspend; +- } ++ if (r) ++ goto out_vm_fini; + + /* map the ib pool buffer read only into + * virtual address space */ + vm->ib_bo_va = radeon_vm_bo_add(rdev, vm, + rdev->ring_tmp_bo.bo); ++ if (!vm->ib_bo_va) { ++ r = -ENOMEM; ++ goto out_vm_fini; ++ } ++ + r = radeon_vm_bo_set_addr(rdev, vm->ib_bo_va, + RADEON_VA_IB_OFFSET, + RADEON_VM_PAGE_READABLE | + RADEON_VM_PAGE_SNOOPED); +- if (r) { +- radeon_vm_fini(rdev, vm); +- kfree(fpriv); +- goto out_suspend; +- } ++ if (r) ++ goto out_vm_fini; + } + file_priv->driver_priv = fpriv; + } + ++ if (!r) ++ goto out_suspend; ++ ++out_vm_fini: ++ radeon_vm_fini(rdev, vm); ++out_fpriv: ++ kfree(fpriv); + out_suspend: + pm_runtime_mark_last_busy(dev->dev); + pm_runtime_put_autosuspend(dev->dev); +-- +2.31.1 + diff --git a/patches.suse/drm-rockchip-dsi-Disable-PLL-clock-on-bind-error.patch b/patches.suse/drm-rockchip-dsi-Disable-PLL-clock-on-bind-error.patch new file mode 100644 index 0000000..252e0b5 --- /dev/null +++ b/patches.suse/drm-rockchip-dsi-Disable-PLL-clock-on-bind-error.patch @@ -0,0 +1,66 @@ +From 5a614570172e1c9f59035d259dd735acd4f1c01b Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Tue, 28 Sep 2021 14:35:52 -0700 +Subject: [PATCH] drm/rockchip: dsi: Disable PLL clock on bind error +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 5a614570172e1c9f59035d259dd735acd4f1c01b +Patch-mainline: v5.17-rc1 +References: git-fixes + +Fix some error handling here noticed in review of other changes. + +Fixes: 2d4f7bdafd70 ("drm/rockchip: dsi: migrate to use dw-mipi-dsi bridge driver") +Signed-off-by: Brian Norris +Reported-by: Chen-Yu Tsai +Reviewed-by: Chen-Yu Tsai +Tested-by: Nícolas F. R. A. Prado +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/20210928143413.v3.4.I8bb7a91ecc411d56bc155763faa15f289d7fc074@changeid +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c b/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c +index 9c0fc3f59f3f..4ed7a6868197 100644 +--- a/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c ++++ b/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c +@@ -944,7 +944,7 @@ static int dw_mipi_dsi_rockchip_bind(struct device *dev, + ret = clk_prepare_enable(dsi->grf_clk); + if (ret) { + DRM_DEV_ERROR(dsi->dev, "Failed to enable grf_clk: %d\n", ret); +- goto out_pm_runtime; ++ goto out_pll_clk; + } + + dw_mipi_dsi_rockchip_config(dsi); +@@ -956,19 +956,21 @@ static int dw_mipi_dsi_rockchip_bind(struct device *dev, + ret = rockchip_dsi_drm_create_encoder(dsi, drm_dev); + if (ret) { + DRM_DEV_ERROR(dev, "Failed to create drm encoder\n"); +- goto out_pm_runtime; ++ goto out_pll_clk; + } + + ret = dw_mipi_dsi_bind(dsi->dmd, &dsi->encoder); + if (ret) { + DRM_DEV_ERROR(dev, "Failed to bind: %d\n", ret); +- goto out_pm_runtime; ++ goto out_pll_clk; + } + + dsi->dsi_bound = true; + + return 0; + ++out_pll_clk: ++ clk_disable_unprepare(dsi->pllref_clk); + out_pm_runtime: + pm_runtime_put(dsi->dev); + if (dsi->slave) +-- +2.31.1 + diff --git a/patches.suse/drm-rockchip-dsi-Fix-unbalanced-clock-on-probe-error.patch b/patches.suse/drm-rockchip-dsi-Fix-unbalanced-clock-on-probe-error.patch new file mode 100644 index 0000000..33bc82d --- /dev/null +++ b/patches.suse/drm-rockchip-dsi-Fix-unbalanced-clock-on-probe-error.patch @@ -0,0 +1,51 @@ +From 251888398753924059f3bb247a44153a2853137f Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Tue, 28 Sep 2021 14:35:51 -0700 +Subject: [PATCH] drm/rockchip: dsi: Fix unbalanced clock on probe error +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 251888398753924059f3bb247a44153a2853137f +Patch-mainline: v5.17-rc1 +References: git-fixes + +Our probe() function never enabled this clock, so we shouldn't disable +it if we fail to probe the bridge. + +Noted by inspection. + +Fixes: 2d4f7bdafd70 ("drm/rockchip: dsi: migrate to use dw-mipi-dsi bridge driver") +Signed-off-by: Brian Norris +Reviewed-by: Chen-Yu Tsai +Tested-by: Nícolas F. R. A. Prado +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/20210928143413.v3.3.Ie8ceefb51ab6065a1151869b6fcda41a467d4d2c@changeid +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c b/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c +index fba8a8da587d..9c0fc3f59f3f 100644 +--- a/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c ++++ b/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c +@@ -1433,14 +1433,10 @@ static int dw_mipi_dsi_rockchip_probe(struct platform_device *pdev) + if (ret != -EPROBE_DEFER) + DRM_DEV_ERROR(dev, + "Failed to probe dw_mipi_dsi: %d\n", ret); +- goto err_clkdisable; ++ return ret; + } + + return 0; +- +-err_clkdisable: +- clk_disable_unprepare(dsi->pllref_clk); +- return ret; + } + + static int dw_mipi_dsi_rockchip_remove(struct platform_device *pdev) +-- +2.31.1 + diff --git a/patches.suse/drm-rockchip-dsi-Hold-pm-runtime-across-bind-unbind.patch b/patches.suse/drm-rockchip-dsi-Hold-pm-runtime-across-bind-unbind.patch new file mode 100644 index 0000000..6184478 --- /dev/null +++ b/patches.suse/drm-rockchip-dsi-Hold-pm-runtime-across-bind-unbind.patch @@ -0,0 +1,156 @@ +From 514db871922f103886ad4d221cf406b4fcc5e74a Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Tue, 28 Sep 2021 14:35:49 -0700 +Subject: [PATCH] drm/rockchip: dsi: Hold pm-runtime across bind/unbind +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 514db871922f103886ad4d221cf406b4fcc5e74a +Patch-mainline: v5.17-rc1 +References: git-fixes + +In commit 43c2de1002d2 ("drm/rockchip: dsi: move all lane config except +LCDC mux to bind()"), we moved most HW configuration to bind(), but we +didn't move the runtime PM management. Therefore, depending on initial +boot state, runtime-PM workqueue delays, and other timing factors, we +may disable our power domain in between the hardware configuration +(bind()) and when we enable the display. This can cause us to lose +hardware state and fail to configure our display. For example: + + dw-mipi-dsi-rockchip ff968000.mipi: failed to write command FIFO + panel-innolux-p079zca ff960000.mipi.0: failed to write command 0 + +Or: + + dw-mipi-dsi-rockchip ff968000.mipi: failed to write command FIFO + panel-kingdisplay-kd097d04 ff960000.mipi.0: failed write init cmds: -110 + +We should match the runtime PM to the lifetime of the bind()/unbind() +cycle. + +Tested on Acer Chrometab 10 (RK3399 Gru-Scarlet), with panel drivers +built either as modules or built-in. + +Side notes: it seems one is more likely to see this problem when the +panel driver is built into the kernel. I've also seen this problem +bisect down to commits that simply changed Kconfig dependencies, because +it changed the order in which driver init functions were compiled into +the kernel, and therefore the ordering and timing of built-in device +probe. + +Fixes: 43c2de1002d2 ("drm/rockchip: dsi: move all lane config except LCDC mux to bind()") +Link: https://lore.kernel.org/linux-rockchip/9aedfb528600ecf871885f7293ca4207c84d16c1.camel@gmail.com/ +Reported-by: +Cc: +Signed-off-by: Brian Norris +Tested-by: Nícolas F. R. A. Prado +Reviewed-by: Chen-Yu Tsai +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/20210928143413.v3.1.Ic2904d37f30013a7f3d8476203ad3733c186827e@changeid +Acked-by: Takashi Iwai + +--- + .../gpu/drm/rockchip/dw-mipi-dsi-rockchip.c | 37 ++++++++++--------- + 1 file changed, 19 insertions(+), 18 deletions(-) + +diff --git a/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c b/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c +index a9acbcc420d0..98d82801f3cf 100644 +--- a/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c ++++ b/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c +@@ -772,10 +772,6 @@ static void dw_mipi_dsi_encoder_enable(struct drm_encoder *encoder) + if (mux < 0) + return; + +- pm_runtime_get_sync(dsi->dev); +- if (dsi->slave) +- pm_runtime_get_sync(dsi->slave->dev); +- + /* + * For the RK3399, the clk of grf must be enabled before writing grf + * register. And for RK3288 or other soc, this grf_clk must be NULL, +@@ -794,20 +790,10 @@ static void dw_mipi_dsi_encoder_enable(struct drm_encoder *encoder) + clk_disable_unprepare(dsi->grf_clk); + } + +-static void dw_mipi_dsi_encoder_disable(struct drm_encoder *encoder) +-{ +- struct dw_mipi_dsi_rockchip *dsi = to_dsi(encoder); +- +- if (dsi->slave) +- pm_runtime_put(dsi->slave->dev); +- pm_runtime_put(dsi->dev); +-} +- + static const struct drm_encoder_helper_funcs + dw_mipi_dsi_encoder_helper_funcs = { + .atomic_check = dw_mipi_dsi_encoder_atomic_check, + .enable = dw_mipi_dsi_encoder_enable, +- .disable = dw_mipi_dsi_encoder_disable, + }; + + static int rockchip_dsi_drm_create_encoder(struct dw_mipi_dsi_rockchip *dsi, +@@ -937,10 +923,14 @@ static int dw_mipi_dsi_rockchip_bind(struct device *dev, + put_device(second); + } + ++ pm_runtime_get_sync(dsi->dev); ++ if (dsi->slave) ++ pm_runtime_get_sync(dsi->slave->dev); ++ + ret = clk_prepare_enable(dsi->pllref_clk); + if (ret) { + DRM_DEV_ERROR(dev, "Failed to enable pllref_clk: %d\n", ret); +- return ret; ++ goto out_pm_runtime; + } + + /* +@@ -952,7 +942,7 @@ static int dw_mipi_dsi_rockchip_bind(struct device *dev, + ret = clk_prepare_enable(dsi->grf_clk); + if (ret) { + DRM_DEV_ERROR(dsi->dev, "Failed to enable grf_clk: %d\n", ret); +- return ret; ++ goto out_pm_runtime; + } + + dw_mipi_dsi_rockchip_config(dsi); +@@ -964,16 +954,23 @@ static int dw_mipi_dsi_rockchip_bind(struct device *dev, + ret = rockchip_dsi_drm_create_encoder(dsi, drm_dev); + if (ret) { + DRM_DEV_ERROR(dev, "Failed to create drm encoder\n"); +- return ret; ++ goto out_pm_runtime; + } + + ret = dw_mipi_dsi_bind(dsi->dmd, &dsi->encoder); + if (ret) { + DRM_DEV_ERROR(dev, "Failed to bind: %d\n", ret); +- return ret; ++ goto out_pm_runtime; + } + + return 0; ++ ++out_pm_runtime: ++ pm_runtime_put(dsi->dev); ++ if (dsi->slave) ++ pm_runtime_put(dsi->slave->dev); ++ ++ return ret; + } + + static void dw_mipi_dsi_rockchip_unbind(struct device *dev, +@@ -988,6 +985,10 @@ static void dw_mipi_dsi_rockchip_unbind(struct device *dev, + dw_mipi_dsi_unbind(dsi->dmd); + + clk_disable_unprepare(dsi->pllref_clk); ++ ++ pm_runtime_put(dsi->dev); ++ if (dsi->slave) ++ pm_runtime_put(dsi->slave->dev); + } + + static const struct component_ops dw_mipi_dsi_rockchip_ops = { +-- +2.31.1 + diff --git a/patches.suse/drm-rockchip-dsi-Reconfigure-hardware-on-resume.patch b/patches.suse/drm-rockchip-dsi-Reconfigure-hardware-on-resume.patch new file mode 100644 index 0000000..4d9fd1a --- /dev/null +++ b/patches.suse/drm-rockchip-dsi-Reconfigure-hardware-on-resume.patch @@ -0,0 +1,115 @@ +From e584cdc1549932f87a2707b56bc588cfac5d89e0 Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Tue, 28 Sep 2021 14:35:50 -0700 +Subject: [PATCH] drm/rockchip: dsi: Reconfigure hardware on resume() +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: e584cdc1549932f87a2707b56bc588cfac5d89e0 +Patch-mainline: v5.17-rc1 +References: git-fixes + +Since commit 43c2de1002d2 ("drm/rockchip: dsi: move all lane config except +LCDC mux to bind()"), we perform most HW configuration in the bind() +function. This configuration may be lost on suspend/resume, so we +need to call it again. That may lead to errors like this after system +Suspend/resume: + + dw-mipi-dsi-rockchip ff968000.mipi: failed to write command FIFO + panel-kingdisplay-kd097d04 ff960000.mipi.0: failed write init cmds: -110 + +Tested on Acer Chromebook Tab 10 (RK3399 Gru-Scarlet). + +Note that early mailing list versions of this driver borrowed Rockchip's +downstream/BSP solution, to do HW configuration in mode_set() (which +*is* called at the appropriate pre-enable() times), but that was +discarded along the way. I've avoided that still, because mode_set() +documentation doesn't suggest this kind of purpose as far as I can tell. + +Fixes: 43c2de1002d2 ("drm/rockchip: dsi: move all lane config except LCDC mux to bind()") +Cc: +Signed-off-by: Brian Norris +Reviewed-by: Chen-Yu Tsai +Tested-by: Nícolas F. R. A. Prado +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/20210928143413.v3.2.I4e9d93aadb00b1ffc7d506e3186a25492bf0b732@changeid +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c | 37 ++++++++++++++++++++++++ + 1 file changed, 37 insertions(+) + +--- a/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c ++++ b/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c +@@ -243,6 +243,8 @@ struct dw_mipi_dsi_rockchip { + struct dw_mipi_dsi *dmd; + const struct rockchip_dw_dsi_chip_data *cdata; + struct dw_mipi_dsi_plat_data pdata; ++ ++ bool dsi_bound; + }; + + struct dphy_pll_parameter_map { +@@ -944,6 +946,8 @@ static int dw_mipi_dsi_rockchip_bind(str + goto out_pm_runtime; + } + ++ dsi->dsi_bound = true; ++ + return 0; + + out_pm_runtime: +@@ -963,6 +967,8 @@ static void dw_mipi_dsi_rockchip_unbind( + if (dsi->is_slave) + return; + ++ dsi->dsi_bound = false; ++ + dw_mipi_dsi_unbind(dsi->dmd); + + clk_disable_unprepare(dsi->pllref_clk); +@@ -1027,6 +1033,36 @@ static const struct dw_mipi_dsi_host_ops + .detach = dw_mipi_dsi_rockchip_host_detach, + }; + ++static int __maybe_unused dw_mipi_dsi_rockchip_resume(struct device *dev) ++{ ++ struct dw_mipi_dsi_rockchip *dsi = dev_get_drvdata(dev); ++ int ret; ++ ++ /* ++ * Re-configure DSI state, if we were previously initialized. We need ++ * to do this before rockchip_drm_drv tries to re-enable() any panels. ++ */ ++ if (dsi->dsi_bound) { ++ ret = clk_prepare_enable(dsi->grf_clk); ++ if (ret) { ++ DRM_DEV_ERROR(dsi->dev, "Failed to enable grf_clk: %d\n", ret); ++ return ret; ++ } ++ ++ dw_mipi_dsi_rockchip_config(dsi); ++ if (dsi->slave) ++ dw_mipi_dsi_rockchip_config(dsi->slave); ++ ++ clk_disable_unprepare(dsi->grf_clk); ++ } ++ ++ return 0; ++} ++ ++static const struct dev_pm_ops dw_mipi_dsi_rockchip_pm_ops = { ++ SET_LATE_SYSTEM_SLEEP_PM_OPS(NULL, dw_mipi_dsi_rockchip_resume) ++}; ++ + static int dw_mipi_dsi_rockchip_probe(struct platform_device *pdev) + { + struct device *dev = &pdev->dev; +@@ -1250,6 +1286,7 @@ struct platform_driver dw_mipi_dsi_rockc + .remove = dw_mipi_dsi_rockchip_remove, + .driver = { + .of_match_table = dw_mipi_dsi_rockchip_dt_ids, ++ .pm = &dw_mipi_dsi_rockchip_pm_ops, + .name = "dw-mipi-dsi-rockchip", + }, + }; diff --git a/patches.suse/drm-sun4i-dw-hdmi-Fix-missing-put_device-call-in-sun.patch b/patches.suse/drm-sun4i-dw-hdmi-Fix-missing-put_device-call-in-sun.patch new file mode 100644 index 0000000..00f2b8f --- /dev/null +++ b/patches.suse/drm-sun4i-dw-hdmi-Fix-missing-put_device-call-in-sun.patch @@ -0,0 +1,41 @@ +From c71af3dae3e34d2fde0c19623cf7f8483321f0e3 Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Fri, 7 Jan 2022 08:36:32 +0000 +Subject: [PATCH] drm/sun4i: dw-hdmi: Fix missing put_device() call in sun8i_hdmi_phy_get +Git-commit: c71af3dae3e34d2fde0c19623cf7f8483321f0e3 +Patch-mainline: v5.17-rc1 +References: git-fixes + +The reference taken by 'of_find_device_by_node()' must be released when +not needed anymore. +Add the corresponding 'put_device()' in the error handling path. + +Fixes: 9bf3797796f5 ("drm/sun4i: dw-hdmi: Make HDMI PHY into a platform device") +Signed-off-by: Miaoqian Lin +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/20220107083633.20843-1-linmq006@gmail.com +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/sun4i/sun8i_hdmi_phy.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/sun4i/sun8i_hdmi_phy.c b/drivers/gpu/drm/sun4i/sun8i_hdmi_phy.c +index b64d93da651d..5e2b0175df36 100644 +--- a/drivers/gpu/drm/sun4i/sun8i_hdmi_phy.c ++++ b/drivers/gpu/drm/sun4i/sun8i_hdmi_phy.c +@@ -658,8 +658,10 @@ int sun8i_hdmi_phy_get(struct sun8i_dw_hdmi *hdmi, struct device_node *node) + return -EPROBE_DEFER; + + phy = platform_get_drvdata(pdev); +- if (!phy) ++ if (!phy) { ++ put_device(&pdev->dev); + return -EPROBE_DEFER; ++ } + + hdmi->phy = phy; + +-- +2.31.1 + diff --git a/patches.suse/drm-tegra-vic-Fix-DMA-API-misuse.patch b/patches.suse/drm-tegra-vic-Fix-DMA-API-misuse.patch new file mode 100644 index 0000000..96082f2 --- /dev/null +++ b/patches.suse/drm-tegra-vic-Fix-DMA-API-misuse.patch @@ -0,0 +1,57 @@ +From 5566174cb10a5167d59b0793871cab7990b149b8 Mon Sep 17 00:00:00 2001 +From: Robin Murphy +Date: Fri, 10 Dec 2021 17:54:44 +0000 +Subject: [PATCH] drm/tegra: vic: Fix DMA API misuse +Git-commit: 5566174cb10a5167d59b0793871cab7990b149b8 +Patch-mainline: v5.17-rc1 +References: git-fixes + +Upon failure, dma_alloc_coherent() returns NULL. If that does happen, +passing some uninitialised stack contents to dma_mapping_error() - which +belongs to a different API in the first place - has precious little +chance of detecting it. + +Also include the correct header, because the fragile transitive +inclusion currently providing it is going to break soon. + +Fixes: 20e7dce255e9 ("drm/tegra: Remove memory allocation from Falcon library") +Cc: Thierry Reding +Cc: Mikko Perttunen +Cc: dri-devel@lists.freedesktop.org +Signed-off-by: Robin Murphy +Reviewed-by: Christoph Hellwig +Signed-off-by: Thierry Reding +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/tegra/vic.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/tegra/vic.c b/drivers/gpu/drm/tegra/vic.c +index b58e2b99f81a..c5f4d2b13c43 100644 +--- a/drivers/gpu/drm/tegra/vic.c ++++ b/drivers/gpu/drm/tegra/vic.c +@@ -5,6 +5,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -232,10 +233,8 @@ static int vic_load_firmware(struct vic *vic) + + if (!client->group) { + virt = dma_alloc_coherent(vic->dev, size, &iova, GFP_KERNEL); +- +- err = dma_mapping_error(vic->dev, iova); +- if (err < 0) +- return err; ++ if (!virt) ++ return -ENOMEM; + } else { + virt = tegra_drm_alloc(tegra, size, &iova); + } +-- +2.31.1 + diff --git a/patches.suse/drm-vboxvideo-fix-a-NULL-vs-IS_ERR-check.patch b/patches.suse/drm-vboxvideo-fix-a-NULL-vs-IS_ERR-check.patch new file mode 100644 index 0000000..64fd836 --- /dev/null +++ b/patches.suse/drm-vboxvideo-fix-a-NULL-vs-IS_ERR-check.patch @@ -0,0 +1,40 @@ +From cebbb5c46d0cb0615fd0c62dea9b44273d0a9780 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Thu, 18 Nov 2021 14:12:33 +0300 +Subject: [PATCH] drm/vboxvideo: fix a NULL vs IS_ERR() check +Git-commit: cebbb5c46d0cb0615fd0c62dea9b44273d0a9780 +Patch-mainline: v5.17-rc1 +References: git-fixes + +The devm_gen_pool_create() function never returns NULL, it returns +error pointers. + +Fixes: 4cc9b565454b ("drm/vboxvideo: Use devm_gen_pool_create") +Signed-off-by: Dan Carpenter +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Link: https://patchwork.freedesktop.org/patch/msgid/20211118111233.GA1147@kili +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/vboxvideo/vbox_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/vboxvideo/vbox_main.c b/drivers/gpu/drm/vboxvideo/vbox_main.c +index f28779715ccd..c9e8b3a63c62 100644 +--- a/drivers/gpu/drm/vboxvideo/vbox_main.c ++++ b/drivers/gpu/drm/vboxvideo/vbox_main.c +@@ -127,8 +127,8 @@ int vbox_hw_init(struct vbox_private *vbox) + /* Create guest-heap mem-pool use 2^4 = 16 byte chunks */ + vbox->guest_pool = devm_gen_pool_create(vbox->ddev.dev, 4, -1, + "vboxvideo-accel"); +- if (!vbox->guest_pool) +- return -ENOMEM; ++ if (IS_ERR(vbox->guest_pool)) ++ return PTR_ERR(vbox->guest_pool); + + ret = gen_pool_add_virt(vbox->guest_pool, + (unsigned long)vbox->guest_heap, +-- +2.31.1 + diff --git a/patches.suse/drm-vc4-hdmi-Make-sure-the-controller-is-powered-up-.patch b/patches.suse/drm-vc4-hdmi-Make-sure-the-controller-is-powered-up-.patch new file mode 100644 index 0000000..a1edeab --- /dev/null +++ b/patches.suse/drm-vc4-hdmi-Make-sure-the-controller-is-powered-up-.patch @@ -0,0 +1,76 @@ +From 9c6e4f6ed1d61d5f46946e5c151ceb279eedadb1 Mon Sep 17 00:00:00 2001 +From: Maxime Ripard +Date: Thu, 19 Aug 2021 15:59:27 +0200 +Subject: [PATCH] drm/vc4: hdmi: Make sure the controller is powered up during bind +Git-commit: 9c6e4f6ed1d61d5f46946e5c151ceb279eedadb1 +Patch-mainline: v5.17-rc1 +References: git-fixes + +In the bind hook, we actually need the device to have the HSM clock +running during the final part of the display initialisation where we +reset the controller and initialise the CEC component. + +Failing to do so will result in a complete, silent, hang of the CPU. + +Fixes: 411efa18e4b0 ("drm/vc4: hdmi: Move the HSM clock enable to runtime_pm") +Link: https://patchwork.freedesktop.org/patch/msgid/20210819135931.895976-3-maxime@cerno.tech +Reviewed-by: Dave Stevenson +Signed-off-by: Maxime Ripard +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/vc4/vc4_hdmi.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c +index 7a6b7cac8af3..104078f10fc6 100644 +--- a/drivers/gpu/drm/vc4/vc4_hdmi.c ++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c +@@ -2199,6 +2199,18 @@ static int vc4_hdmi_bind(struct device *dev, struct device *master, void *data) + if (ret) + goto err_put_ddc; + ++ /* ++ * We need to have the device powered up at this point to call ++ * our reset hook and for the CEC init. ++ */ ++ ret = vc4_hdmi_runtime_resume(dev); ++ if (ret) ++ goto err_put_ddc; ++ ++ pm_runtime_get_noresume(dev); ++ pm_runtime_set_active(dev); ++ pm_runtime_enable(dev); ++ + if (vc4_hdmi->variant->reset) + vc4_hdmi->variant->reset(vc4_hdmi); + +@@ -2210,8 +2222,6 @@ static int vc4_hdmi_bind(struct device *dev, struct device *master, void *data) + clk_prepare_enable(vc4_hdmi->pixel_bvb_clock); + } + +- pm_runtime_enable(dev); +- + drm_simple_encoder_init(drm, encoder, DRM_MODE_ENCODER_TMDS); + drm_encoder_helper_add(encoder, &vc4_hdmi_encoder_helper_funcs); + +@@ -2235,6 +2245,8 @@ static int vc4_hdmi_bind(struct device *dev, struct device *master, void *data) + vc4_hdmi_debugfs_regs, + vc4_hdmi); + ++ pm_runtime_put_sync(dev); ++ + return 0; + + err_free_cec: +@@ -2245,6 +2257,7 @@ static int vc4_hdmi_bind(struct device *dev, struct device *master, void *data) + vc4_hdmi_connector_destroy(&vc4_hdmi->connector); + err_destroy_encoder: + drm_encoder_cleanup(encoder); ++ pm_runtime_put_sync(dev); + pm_runtime_disable(dev); + err_put_ddc: + put_device(&vc4_hdmi->ddc->dev); +-- +2.31.1 + diff --git a/patches.suse/drm-vc4-hdmi-Set-a-default-HSM-rate.patch b/patches.suse/drm-vc4-hdmi-Set-a-default-HSM-rate.patch new file mode 100644 index 0000000..b125d48 --- /dev/null +++ b/patches.suse/drm-vc4-hdmi-Set-a-default-HSM-rate.patch @@ -0,0 +1,56 @@ +From 3e85b81591609bb794bb00cd619b20965b5b38cd Mon Sep 17 00:00:00 2001 +From: Maxime Ripard +Date: Wed, 22 Sep 2021 14:54:17 +0200 +Subject: [PATCH] drm/vc4: hdmi: Set a default HSM rate +Git-commit: 3e85b81591609bb794bb00cd619b20965b5b38cd +Patch-mainline: v5.17-rc1 +References: git-fixes + +When the firmware doesn't setup the HSM rate (such as when booting +without an HDMI cable plugged in), its rate is 0 and thus any register +access results in a CPU stall, even though HSM is enabled. + +Let's enforce a minimum rate at boot to avoid this issue. + +Fixes: 4f6e3d66ac52 ("drm/vc4: Add runtime PM support to the HDMI encoder driver") +Signed-off-by: Maxime Ripard +Reviewed-by: Nicolas Saenz Julienne +Tested-by: Nicolas Saenz Julienne +Tested-by: Michael Stapelberg +Link: https://patchwork.freedesktop.org/patch/msgid/20210922125419.4125779-4-maxime@cerno.tech +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/vc4/vc4_hdmi.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/drivers/gpu/drm/vc4/vc4_hdmi.c ++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c +@@ -79,6 +79,7 @@ + # define VC4_HD_M_SW_RST BIT(2) + # define VC4_HD_M_ENABLE BIT(0) + ++#define HSM_MIN_CLOCK_FREQ 120000000 + #define CEC_CLOCK_FREQ 40000 + #define VC4_HSM_MID_CLOCK 149985000 + +@@ -1809,6 +1810,19 @@ static int vc4_hdmi_bind(struct device * + vc4_hdmi->disable_wifi_frequencies = + of_property_read_bool(dev->of_node, "wifi-2.4ghz-coexistence"); + ++ /* ++ * If we boot without any cable connected to the HDMI connector, ++ * the firmware will skip the HSM initialization and leave it ++ * with a rate of 0, resulting in a bus lockup when we're ++ * accessing the registers even if it's enabled. ++ * ++ * Let's put a sensible default at runtime_resume so that we ++ * don't end up in this situation. ++ */ ++ ret = clk_set_min_rate(vc4_hdmi->hsm_clock, HSM_MIN_CLOCK_FREQ); ++ if (ret) ++ goto err_put_ddc; ++ + if (vc4_hdmi->variant->reset) + vc4_hdmi->variant->reset(vc4_hdmi); + diff --git a/patches.suse/ext4-Avoid-trim-error-on-fs-with-small-groups.patch b/patches.suse/ext4-Avoid-trim-error-on-fs-with-small-groups.patch index 43aed56..c813d05 100644 --- a/patches.suse/ext4-Avoid-trim-error-on-fs-with-small-groups.patch +++ b/patches.suse/ext4-Avoid-trim-error-on-fs-with-small-groups.patch @@ -3,7 +3,8 @@ From: Jan Kara Date: Fri, 12 Nov 2021 16:09:49 +0100 Subject: [PATCH] ext4: Avoid trim error on fs with small groups References: bsc#1191271 -Patch-mainline: Submitted, in ext4 tree as of Jan 6 2022 +Patch-mainline: v5.17-rc1 +Git-commit: 173b6e383d2a204c9921ffc1eca3b87aa2106c33 A user reported FITRIM ioctl failing for him on ext4 on some devices without apparent reason. After some debugging we've found out that diff --git a/patches.suse/ext4-fix-lazy-initialization-next-schedule-time-comp.patch b/patches.suse/ext4-fix-lazy-initialization-next-schedule-time-comp.patch new file mode 100644 index 0000000..bd7ce57 --- /dev/null +++ b/patches.suse/ext4-fix-lazy-initialization-next-schedule-time-comp.patch @@ -0,0 +1,56 @@ +From 39fec6889d15a658c3a3ebb06fd69d3584ddffd3 Mon Sep 17 00:00:00 2001 +From: Shaoying Xu +Date: Thu, 2 Sep 2021 16:44:12 +0000 +Subject: [PATCH] ext4: fix lazy initialization next schedule time computation + in more granular unit +Git-commit: 39fec6889d15a658c3a3ebb06fd69d3584ddffd3 +Patch-mainline: v5.16-rc1 +References: bsc#1194580 + +Ext4 file system has default lazy inode table initialization setup once +it is mounted. However, it has issue on computing the next schedule time +that makes the timeout same amount in jiffies but different real time in +secs if with various HZ values. Therefore, fix by measuring the current +time in a more granular unit nanoseconds and make the next schedule time +independent of the HZ value. + +Fixes: bfff68738f1c ("ext4: add support for lazy inode table initialization") +Signed-off-by: Shaoying Xu +Cc: stable@vger.kernel.org +Signed-off-by: Theodore Ts'o +Link: https://lore.kernel.org/r/20210902164412.9994-2-shaoyi@amazon.com +Acked-by: Jan Kara + +--- + fs/ext4/super.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -3052,8 +3052,8 @@ static int ext4_run_li_request(struct ex + struct ext4_group_desc *gdp = NULL; + ext4_group_t group, ngroups; + struct super_block *sb; +- unsigned long timeout = 0; + int ret = 0; ++ u64 start_time; + + sb = elr->lr_super; + ngroups = EXT4_SB(sb)->s_groups_count; +@@ -3073,13 +3073,12 @@ static int ext4_run_li_request(struct ex + ret = 1; + + if (!ret) { +- timeout = jiffies; ++ start_time = ktime_get_real_ns(); + ret = ext4_init_inode_table(sb, group, + elr->lr_timeout ? 0 : 1); + if (elr->lr_timeout == 0) { +- timeout = (jiffies - timeout) * +- elr->lr_sbi->s_li_wait_mult; +- elr->lr_timeout = timeout; ++ elr->lr_timeout = nsecs_to_jiffies((ktime_get_real_ns() - start_time) * ++ elr->lr_sbi->s_li_wait_mult); + } + elr->lr_next_sched = jiffies + elr->lr_timeout; + elr->lr_next_group = group + 1; diff --git a/patches.suse/firmware-Update-Kconfig-help-text-for-Google-firmwar.patch b/patches.suse/firmware-Update-Kconfig-help-text-for-Google-firmwar.patch new file mode 100644 index 0000000..ba8f1f8 --- /dev/null +++ b/patches.suse/firmware-Update-Kconfig-help-text-for-Google-firmwar.patch @@ -0,0 +1,46 @@ +From d185a3466f0cd5af8f1c5c782c53bc0e6f2e7136 Mon Sep 17 00:00:00 2001 +From: Ben Hutchings +Date: Mon, 18 Jun 2018 23:55:40 +0100 +Subject: [PATCH] firmware: Update Kconfig help text for Google firmware +Git-commit: d185a3466f0cd5af8f1c5c782c53bc0e6f2e7136 +Patch-mainline: v5.17-rc1 +References: git-fixes + +The help text for GOOGLE_FIRMWARE states that it should only be +enabled when building a kernel for Google's own servers. However, +many of the drivers dependent on it are also useful on Chromebooks or +on any platform using coreboot. + +Update the help text to reflect this double duty. + +Fixes: d384d6f43d1e ("firmware: google memconsole: Add coreboot support") +Reviewed-by: Julius Werner +Signed-off-by: Ben Hutchings +Link: https://lore.kernel.org/r/20180618225540.GD14131@decadent.org.uk +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/firmware/google/Kconfig | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/firmware/google/Kconfig b/drivers/firmware/google/Kconfig +index 97968aece54f..931544c9f63d 100644 +--- a/drivers/firmware/google/Kconfig ++++ b/drivers/firmware/google/Kconfig +@@ -3,9 +3,9 @@ menuconfig GOOGLE_FIRMWARE + bool "Google Firmware Drivers" + default n + help +- These firmware drivers are used by Google's servers. They are +- only useful if you are working directly on one of their +- proprietary servers. If in doubt, say "N". ++ These firmware drivers are used by Google servers, ++ Chromebooks and other devices using coreboot firmware. ++ If in doubt, say "N". + + if GOOGLE_FIRMWARE + +-- +2.31.1 + diff --git a/patches.suse/firmware-qemu_fw_cfg-fix-NULL-pointer-deref-on-dupli.patch b/patches.suse/firmware-qemu_fw_cfg-fix-NULL-pointer-deref-on-dupli.patch new file mode 100644 index 0000000..01dfd12 --- /dev/null +++ b/patches.suse/firmware-qemu_fw_cfg-fix-NULL-pointer-deref-on-dupli.patch @@ -0,0 +1,65 @@ +From a57ac7acdcc1665662e369993898194def56e888 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 1 Dec 2021 14:25:25 +0100 +Subject: [PATCH] firmware: qemu_fw_cfg: fix NULL-pointer deref on duplicate entries +Git-commit: a57ac7acdcc1665662e369993898194def56e888 +Patch-mainline: v5.17-rc1 +References: git-fixes + +Commit fe3c60684377 ("firmware: Fix a reference count leak.") "fixed" +a kobject leak in the file registration helper by properly calling +kobject_put() for the entry in case registration of the object fails +(e.g. due to a name collision). + +This would however result in a NULL pointer dereference when the +release function tries to remove the never added entry from the +fw_cfg_entry_cache list. + +Fix this by moving the list-removal out of the release function. + +Note that the offending commit was one of the benign looking umn.edu +fixes which was reviewed but not reverted. [1][2] + +[1] https://lore.kernel.org/r/202105051005.49BFABCE@keescook +[2] https://lore.kernel.org/all/YIg7ZOZvS3a8LjSv@kroah.com + +Fixes: fe3c60684377 ("firmware: Fix a reference count leak.") +Cc: stable@vger.kernel.org # 5.8 +Cc: Qiushi Wu +Cc: Kees Cook +Cc: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20211201132528.30025-2-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/firmware/qemu_fw_cfg.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/firmware/qemu_fw_cfg.c b/drivers/firmware/qemu_fw_cfg.c +index 172c751a4f6c..a9c64ebfc49a 100644 +--- a/drivers/firmware/qemu_fw_cfg.c ++++ b/drivers/firmware/qemu_fw_cfg.c +@@ -388,9 +388,7 @@ static void fw_cfg_sysfs_cache_cleanup(void) + struct fw_cfg_sysfs_entry *entry, *next; + + list_for_each_entry_safe(entry, next, &fw_cfg_entry_cache, list) { +- /* will end up invoking fw_cfg_sysfs_cache_delist() +- * via each object's release() method (i.e. destructor) +- */ ++ fw_cfg_sysfs_cache_delist(entry); + kobject_put(&entry->kobj); + } + } +@@ -448,7 +446,6 @@ static void fw_cfg_sysfs_release_entry(struct kobject *kobj) + { + struct fw_cfg_sysfs_entry *entry = to_entry(kobj); + +- fw_cfg_sysfs_cache_delist(entry); + kfree(entry); + } + +-- +2.31.1 + diff --git a/patches.suse/firmware-qemu_fw_cfg-fix-kobject-leak-in-probe-error.patch b/patches.suse/firmware-qemu_fw_cfg-fix-kobject-leak-in-probe-error.patch new file mode 100644 index 0000000..c80ff74 --- /dev/null +++ b/patches.suse/firmware-qemu_fw_cfg-fix-kobject-leak-in-probe-error.patch @@ -0,0 +1,72 @@ +From 47a1db8e797da01a1309bf42e0c0d771d4e4d4f3 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 1 Dec 2021 14:25:26 +0100 +Subject: [PATCH] firmware: qemu_fw_cfg: fix kobject leak in probe error path +Git-commit: 47a1db8e797da01a1309bf42e0c0d771d4e4d4f3 +Patch-mainline: v5.17-rc1 +References: git-fixes + +An initialised kobject must be freed using kobject_put() to avoid +leaking associated resources (e.g. the object name). + +Commit fe3c60684377 ("firmware: Fix a reference count leak.") "fixed" +the leak in the first error path of the file registration helper but +left the second one unchanged. This "fix" would however result in a NULL +pointer dereference due to the release function also removing the never +added entry from the fw_cfg_entry_cache list. This has now been +addressed. + +Fix the remaining kobject leak by restoring the common error path and +adding the missing kobject_put(). + +Fixes: 75f3e8e47f38 ("firmware: introduce sysfs driver for QEMU's fw_cfg device") +Cc: stable@vger.kernel.org # 4.6 +Cc: Gabriel Somlo +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20211201132528.30025-3-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/firmware/qemu_fw_cfg.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/drivers/firmware/qemu_fw_cfg.c b/drivers/firmware/qemu_fw_cfg.c +index a9c64ebfc49a..ccb7ed62452f 100644 +--- a/drivers/firmware/qemu_fw_cfg.c ++++ b/drivers/firmware/qemu_fw_cfg.c +@@ -603,15 +603,13 @@ static int fw_cfg_register_file(const struct fw_cfg_file *f) + /* register entry under "/sys/firmware/qemu_fw_cfg/by_key/" */ + err = kobject_init_and_add(&entry->kobj, &fw_cfg_sysfs_entry_ktype, + fw_cfg_sel_ko, "%d", entry->select); +- if (err) { +- kobject_put(&entry->kobj); +- return err; +- } ++ if (err) ++ goto err_put_entry; + + /* add raw binary content access */ + err = sysfs_create_bin_file(&entry->kobj, &fw_cfg_sysfs_attr_raw); + if (err) +- goto err_add_raw; ++ goto err_del_entry; + + /* try adding "/sys/firmware/qemu_fw_cfg/by_name/" symlink */ + fw_cfg_build_symlink(fw_cfg_fname_kset, &entry->kobj, entry->name); +@@ -620,9 +618,10 @@ static int fw_cfg_register_file(const struct fw_cfg_file *f) + fw_cfg_sysfs_cache_enlist(entry); + return 0; + +-err_add_raw: ++err_del_entry: + kobject_del(&entry->kobj); +- kfree(entry); ++err_put_entry: ++ kobject_put(&entry->kobj); + return err; + } + +-- +2.31.1 + diff --git a/patches.suse/firmware-qemu_fw_cfg-fix-sysfs-information-leak.patch b/patches.suse/firmware-qemu_fw_cfg-fix-sysfs-information-leak.patch new file mode 100644 index 0000000..d421990 --- /dev/null +++ b/patches.suse/firmware-qemu_fw_cfg-fix-sysfs-information-leak.patch @@ -0,0 +1,40 @@ +From 433b7cd1e702b0918ef90cbf06c3da24313625d2 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 1 Dec 2021 14:25:27 +0100 +Subject: [PATCH] firmware: qemu_fw_cfg: fix sysfs information leak +Git-commit: 433b7cd1e702b0918ef90cbf06c3da24313625d2 +Patch-mainline: v5.17-rc1 +References: git-fixes + +Make sure to always NUL-terminate file names retrieved from the firmware +to avoid accessing data beyond the entry slab buffer and exposing it +through sysfs in case the firmware data is corrupt. + +Fixes: 75f3e8e47f38 ("firmware: introduce sysfs driver for QEMU's fw_cfg device") +Cc: stable@vger.kernel.org # 4.6 +Cc: Gabriel Somlo +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20211201132528.30025-4-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/firmware/qemu_fw_cfg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/firmware/qemu_fw_cfg.c b/drivers/firmware/qemu_fw_cfg.c +index ccb7ed62452f..f08e056ed0ae 100644 +--- a/drivers/firmware/qemu_fw_cfg.c ++++ b/drivers/firmware/qemu_fw_cfg.c +@@ -598,7 +598,7 @@ static int fw_cfg_register_file(const struct fw_cfg_file *f) + /* set file entry information */ + entry->size = be32_to_cpu(f->size); + entry->select = be16_to_cpu(f->select); +- memcpy(entry->name, f->name, FW_CFG_MAX_FILE_PATH); ++ strscpy(entry->name, f->name, FW_CFG_MAX_FILE_PATH); + + /* register entry under "/sys/firmware/qemu_fw_cfg/by_key/" */ + err = kobject_init_and_add(&entry->kobj, &fw_cfg_sysfs_entry_ktype, +-- +2.31.1 + diff --git a/patches.suse/floppy-Fix-hang-in-watchdog-when-disk-is-ejected.patch b/patches.suse/floppy-Fix-hang-in-watchdog-when-disk-is-ejected.patch new file mode 100644 index 0000000..50ec29b --- /dev/null +++ b/patches.suse/floppy-Fix-hang-in-watchdog-when-disk-is-ejected.patch @@ -0,0 +1,52 @@ +From fb48febce7e30baed94dd791e19521abd2c3fd83 Mon Sep 17 00:00:00 2001 +From: Tasos Sahanidis +Date: Fri, 3 Sep 2021 09:47:58 +0300 +Subject: [PATCH] floppy: Fix hang in watchdog when disk is ejected +Git-commit: fb48febce7e30baed94dd791e19521abd2c3fd83 +Patch-mainline: v5.17-rc1 +References: git-fixes + +When the watchdog detects a disk change, it calls cancel_activity(), +which in turn tries to cancel the fd_timer delayed work. + +In the above scenario, fd_timer_fn is set to fd_watchdog(), meaning +it is trying to cancel its own work. +This results in a hang as cancel_delayed_work_sync() is waiting for the +watchdog (itself) to return, which never happens. + +This can be reproduced relatively consistently by attempting to read a +broken floppy, and ejecting it while IO is being attempted and retried. + +To resolve this, this patch calls cancel_delayed_work() instead, which +cancels the work without waiting for the watchdog to return and finish. + +Before this regression was introduced, the code in this section used +del_timer(), and not del_timer_sync() to delete the watchdog timer. + +Link: https://lore.kernel.org/r/399e486c-6540-db27-76aa-7a271b061f76@tasossah.com +Fixes: 070ad7e793dc ("floppy: convert to delayed work and single-thread wq") +Signed-off-by: Tasos Sahanidis +Signed-off-by: Denis Efremov +Signed-off-by: Jens Axboe +Acked-by: Takashi Iwai + +--- + drivers/block/floppy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c +index 0c638de25023..f0e36c18f349 100644 +--- a/drivers/block/floppy.c ++++ b/drivers/block/floppy.c +@@ -1015,7 +1015,7 @@ static DECLARE_DELAYED_WORK(fd_timer, fd_timer_workfn); + static void cancel_activity(void) + { + do_floppy = NULL; +- cancel_delayed_work_sync(&fd_timer); ++ cancel_delayed_work(&fd_timer); + cancel_work_sync(&floppy_work); + } + +-- +2.31.1 + diff --git a/patches.suse/flow_offload-return-EOPNOTSUPP-for-the-unsupported-m.patch b/patches.suse/flow_offload-return-EOPNOTSUPP-for-the-unsupported-m.patch new file mode 100644 index 0000000..9673932 --- /dev/null +++ b/patches.suse/flow_offload-return-EOPNOTSUPP-for-the-unsupported-m.patch @@ -0,0 +1,34 @@ +From: Baowen Zheng +Date: Mon, 13 Dec 2021 15:46:04 +0100 +Subject: flow_offload: return EOPNOTSUPP for the unsupported mpls action type +Patch-mainline: v5.16-rc6 +Git-commit: 166b6a46b78bf8b9559a6620c3032f9fe492e082 +References: bsc#1154353 + +We need to return EOPNOTSUPP for the unsupported mpls action type when +setup the flow action. + +In the original implement, we will return 0 for the unsupported mpls +action type, actually we do not setup it and the following actions +to the flow action entry. + +Fixes: 9838b20a7fb2 ("net: sched: take rtnl lock in tc_setup_flow_action()") +Signed-off-by: Baowen Zheng +Signed-off-by: Simon Horman +Acked-by: Jamal Hadi Salim +Signed-off-by: David S. Miller +Acked-by: Thomas Bogendoerfer +--- + net/sched/cls_api.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/sched/cls_api.c ++++ b/net/sched/cls_api.c +@@ -3694,6 +3694,7 @@ int tc_setup_flow_action(struct flow_act + entry->mpls_mangle.ttl = tcf_mpls_ttl(act); + break; + default: ++ err = -EOPNOTSUPP; + goto err_out_locked; + } + } else if (is_tcf_skbedit_ptype(act)) { diff --git a/patches.suse/gpu-host1x-Add-back-arm_iommu_detach_device.patch b/patches.suse/gpu-host1x-Add-back-arm_iommu_detach_device.patch new file mode 100644 index 0000000..b6a7f6a --- /dev/null +++ b/patches.suse/gpu-host1x-Add-back-arm_iommu_detach_device.patch @@ -0,0 +1,62 @@ +From d5185965c3b59073c4520bad7dd2adf725b9abba Mon Sep 17 00:00:00 2001 +From: Dmitry Osipenko +Date: Sat, 4 Dec 2021 17:58:48 +0300 +Subject: [PATCH] gpu: host1x: Add back arm_iommu_detach_device() +Git-commit: d5185965c3b59073c4520bad7dd2adf725b9abba +Patch-mainline: v5.17-rc1 +References: git-fixes + +Host1x DMA buffer isn't mapped properly when CONFIG_ARM_DMA_USE_IOMMU=y. +The memory management code of Host1x driver has a longstanding overhaul +overdue and it's not obvious where the problem is in this case. Hence +let's add back the old workaround which we already had sometime before. +It explicitly detaches Host1x device from the offending implicit IOMMU +domain. This fixes a completely broken Host1x DMA in case of ARM32 +multiplatform kernel config. + +Cc: stable@vger.kernel.org +Fixes: af1cbfb9bf0f ("gpu: host1x: Support DMA mapping of buffers") +Signed-off-by: Dmitry Osipenko +Signed-off-by: Thierry Reding +Acked-by: Takashi Iwai + +--- + drivers/gpu/host1x/dev.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/drivers/gpu/host1x/dev.c b/drivers/gpu/host1x/dev.c +index 14c1ea7506fb..6994f8c0e02e 100644 +--- a/drivers/gpu/host1x/dev.c ++++ b/drivers/gpu/host1x/dev.c +@@ -22,6 +22,10 @@ + #include + #undef CREATE_TRACE_POINTS + ++#if IS_ENABLED(CONFIG_ARM_DMA_USE_IOMMU) ++#include ++#endif ++ + #include "bus.h" + #include "channel.h" + #include "debug.h" +@@ -263,6 +267,17 @@ static struct iommu_domain *host1x_iommu_attach(struct host1x *host) + struct iommu_domain *domain = iommu_get_domain_for_dev(host->dev); + int err; + ++#if IS_ENABLED(CONFIG_ARM_DMA_USE_IOMMU) ++ if (host->dev->archdata.mapping) { ++ struct dma_iommu_mapping *mapping = ++ to_dma_iommu_mapping(host->dev); ++ arm_iommu_detach_device(host->dev); ++ arm_iommu_release_mapping(mapping); ++ ++ domain = iommu_get_domain_for_dev(host->dev); ++ } ++#endif ++ + /* + * We may not always want to enable IOMMU support (for example if the + * host1x firewall is already enabled and we don't support addressing +-- +2.31.1 + diff --git a/patches.suse/i40e-Fix-NULL-pointer-dereference-in-i40e_dbg_dump_d.patch b/patches.suse/i40e-Fix-NULL-pointer-dereference-in-i40e_dbg_dump_d.patch new file mode 100644 index 0000000..3cd6764 --- /dev/null +++ b/patches.suse/i40e-Fix-NULL-pointer-dereference-in-i40e_dbg_dump_d.patch @@ -0,0 +1,41 @@ +From: Norbert Zulinski +Date: Mon, 22 Nov 2021 12:29:05 +0100 +Subject: i40e: Fix NULL pointer dereference in i40e_dbg_dump_desc +Patch-mainline: v5.16-rc5 +Git-commit: 23ec111bf3549aae37140330c31a16abfc172421 +References: git-fixes + +When trying to dump VFs VSI RX/TX descriptors +using debugfs there was a crash +due to NULL pointer dereference in i40e_dbg_dump_desc. +Added a check to i40e_dbg_dump_desc that checks if +VSI type is correct for dumping RX/TX descriptors. + +Fixes: 02e9c290814c ("i40e: debugfs interface") +Signed-off-by: Sylwester Dziedziuch +Signed-off-by: Norbert Zulinski +Signed-off-by: Mateusz Palczewski +Tested-by: Gurucharan G +Signed-off-by: Tony Nguyen +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/intel/i40e/i40e_debugfs.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/net/ethernet/intel/i40e/i40e_debugfs.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_debugfs.c +@@ -553,6 +553,14 @@ static void i40e_dbg_dump_desc(int cnt, + dev_info(&pf->pdev->dev, "vsi %d not found\n", vsi_seid); + return; + } ++ if (vsi->type != I40E_VSI_MAIN && ++ vsi->type != I40E_VSI_FDIR && ++ vsi->type != I40E_VSI_VMDQ2) { ++ dev_info(&pf->pdev->dev, ++ "vsi %d type %d descriptor rings not available\n", ++ vsi_seid, vsi->type); ++ return; ++ } + if (type == RING_TYPE_XDP && !i40e_enabled_xdp_vsi(vsi)) { + dev_info(&pf->pdev->dev, "XDP not enabled on VSI %d\n", vsi_seid); + return; diff --git a/patches.suse/i40e-Fix-for-displaying-message-regarding-NVM-versio.patch b/patches.suse/i40e-Fix-for-displaying-message-regarding-NVM-versio.patch new file mode 100644 index 0000000..1475e02 --- /dev/null +++ b/patches.suse/i40e-Fix-for-displaying-message-regarding-NVM-versio.patch @@ -0,0 +1,37 @@ +From: Mateusz Palczewski +Date: Thu, 9 Dec 2021 11:04:35 +0100 +Subject: i40e: Fix for displaying message regarding NVM version +Patch-mainline: v5.16 +Git-commit: 40feded8a247f95957a0de9abd100085fb320a2f +References: git-fixes + +When loading the i40e driver, it prints a message like: 'The driver for the +device detected a newer version of the NVM image v1.x than expected v1.y. +Please install the most recent version of the network driver.' This is +misleading as the driver is working as expected. + +Fix that by removing the second part of message and changing it from +dev_info to dev_dbg. + +Fixes: 4fb29bddb57f ("i40e: The driver now prints the API version in error message") +Signed-off-by: Mateusz Palczewski +Tested-by: Gurucharan G +Signed-off-by: Tony Nguyen +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -15000,8 +15000,8 @@ static int i40e_probe(struct pci_dev *pd + + if (hw->aq.api_maj_ver == I40E_FW_API_VERSION_MAJOR && + hw->aq.api_min_ver > I40E_FW_MINOR_VERSION(hw)) +- dev_info(&pdev->dev, +- "The driver for the device detected a newer version of the NVM image v%u.%u than expected v%u.%u. Please install the most recent version of the network driver.\n", ++ dev_dbg(&pdev->dev, ++ "The driver for the device detected a newer version of the NVM image v%u.%u than v%u.%u.\n", + hw->aq.api_maj_ver, + hw->aq.api_min_ver, + I40E_FW_API_VERSION_MAJOR, diff --git a/patches.suse/i40e-Fix-incorrect-netdev-s-real-number-of-RX-TX-que.patch b/patches.suse/i40e-Fix-incorrect-netdev-s-real-number-of-RX-TX-que.patch new file mode 100644 index 0000000..45df5c8 --- /dev/null +++ b/patches.suse/i40e-Fix-incorrect-netdev-s-real-number-of-RX-TX-que.patch @@ -0,0 +1,84 @@ +From: Jedrzej Jagielski +Date: Fri, 17 Dec 2021 14:29:05 +0000 +Subject: i40e: Fix incorrect netdev's real number of RX/TX queues +Patch-mainline: v5.16 +Git-commit: e738451d78b2f8a9635d66c6a87f304b4d965f7a +References: git-fixes + +There was a wrong queues representation in sysfs during +driver's reinitialization in case of online cpus number is +less than combined queues. It was caused by stopped +NetworkManager, which is responsible for calling vsi_open +function during driver's initialization. +In specific situation (ex. 12 cpus online) there were 16 queues +in /sys/class/net//queues. In case of modifying queues with +value higher, than number of online cpus, then it caused write +errors and other errors. +Add updating of sysfs's queues representation during driver +initialization. + +Fixes: 41c445ff0f48 ("i40e: main driver core") +Signed-off-by: Lukasz Cieplicki +Signed-off-by: Jedrzej Jagielski +Tested-by: Gurucharan G +Signed-off-by: Tony Nguyen +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 32 +++++++++++++++++++++------- + 1 file changed, 25 insertions(+), 7 deletions(-) + +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -8392,6 +8392,27 @@ int i40e_open(struct net_device *netdev) + } + + /** ++ * i40e_netif_set_realnum_tx_rx_queues - Update number of tx/rx queues ++ * @vsi: vsi structure ++ * ++ * This updates netdev's number of tx/rx queues ++ * ++ * Returns status of setting tx/rx queues ++ **/ ++static int i40e_netif_set_realnum_tx_rx_queues(struct i40e_vsi *vsi) ++{ ++ int ret; ++ ++ ret = netif_set_real_num_rx_queues(vsi->netdev, ++ vsi->num_queue_pairs); ++ if (ret) ++ return ret; ++ ++ return netif_set_real_num_tx_queues(vsi->netdev, ++ vsi->num_queue_pairs); ++} ++ ++/** + * i40e_vsi_open - + * @vsi: the VSI to open + * +@@ -8427,13 +8448,7 @@ int i40e_vsi_open(struct i40e_vsi *vsi) + goto err_setup_rx; + + /* Notify the stack of the actual queue counts. */ +- err = netif_set_real_num_tx_queues(vsi->netdev, +- vsi->num_queue_pairs); +- if (err) +- goto err_set_queues; +- +- err = netif_set_real_num_rx_queues(vsi->netdev, +- vsi->num_queue_pairs); ++ err = i40e_netif_set_realnum_tx_rx_queues(vsi); + if (err) + goto err_set_queues; + +@@ -13725,6 +13740,9 @@ struct i40e_vsi *i40e_vsi_setup(struct i + ret = i40e_config_netdev(vsi); + if (ret) + goto err_netdev; ++ ret = i40e_netif_set_realnum_tx_rx_queues(vsi); ++ if (ret) ++ goto err_netdev; + ret = register_netdev(vsi->netdev); + if (ret) + goto err_netdev; diff --git a/patches.suse/i40e-Fix-to-not-show-opcode-msg-on-unsuccessful-VF-M.patch b/patches.suse/i40e-Fix-to-not-show-opcode-msg-on-unsuccessful-VF-M.patch new file mode 100644 index 0000000..1981e4d --- /dev/null +++ b/patches.suse/i40e-Fix-to-not-show-opcode-msg-on-unsuccessful-VF-M.patch @@ -0,0 +1,148 @@ +From: Mateusz Palczewski +Date: Wed, 3 Mar 2021 11:45:33 +0000 +Subject: i40e: Fix to not show opcode msg on unsuccessful VF MAC change +Patch-mainline: v5.16 +Git-commit: 01cbf50877e602e2376af89e4a51c30bc574c618 +References: git-fixes + +Hide i40e opcode information sent during response to VF in case when +untrusted VF tried to change MAC on the VF interface. + +This is implemented by adding an additional parameter 'hide' to the +response sent to VF function that hides the display of error +information, but forwards the error code to VF. + +Previously it was not possible to send response with some error code +to VF without displaying opcode information. + +Fixes: 5c3c48ac6bf5 ("i40e: implement virtual device interface") +Signed-off-by: Grzegorz Szczurek +Signed-off-by: Mateusz Palczewski +Reviewed-by: Paul M Stillwell Jr +Reviewed-by: Aleksandr Loktionov +Tested-by: Tony Brelinski +Signed-off-by: Tony Nguyen +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 40 ++++++++++++++++----- + 1 file changed, 32 insertions(+), 8 deletions(-) + +--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +@@ -1824,17 +1824,19 @@ sriov_configure_out: + /***********************virtual channel routines******************/ + + /** +- * i40e_vc_send_msg_to_vf ++ * i40e_vc_send_msg_to_vf_ex + * @vf: pointer to the VF info + * @v_opcode: virtual channel opcode + * @v_retval: virtual channel return value + * @msg: pointer to the msg buffer + * @msglen: msg length ++ * @is_quiet: true for not printing unsuccessful return values, false otherwise + * + * send msg to VF + **/ +-static int i40e_vc_send_msg_to_vf(struct i40e_vf *vf, u32 v_opcode, +- u32 v_retval, u8 *msg, u16 msglen) ++static int i40e_vc_send_msg_to_vf_ex(struct i40e_vf *vf, u32 v_opcode, ++ u32 v_retval, u8 *msg, u16 msglen, ++ bool is_quiet) + { + struct i40e_pf *pf; + struct i40e_hw *hw; +@@ -1850,7 +1852,7 @@ static int i40e_vc_send_msg_to_vf(struct + abs_vf_id = vf->vf_id + hw->func_caps.vf_base_id; + + /* single place to detect unsuccessful return values */ +- if (v_retval) { ++ if (v_retval && !is_quiet) { + vf->num_invalid_msgs++; + dev_info(&pf->pdev->dev, "VF %d failed opcode %d, retval: %d\n", + vf->vf_id, v_opcode, v_retval); +@@ -1881,6 +1883,23 @@ static int i40e_vc_send_msg_to_vf(struct + } + + /** ++ * i40e_vc_send_msg_to_vf ++ * @vf: pointer to the VF info ++ * @v_opcode: virtual channel opcode ++ * @v_retval: virtual channel return value ++ * @msg: pointer to the msg buffer ++ * @msglen: msg length ++ * ++ * send msg to VF ++ **/ ++static int i40e_vc_send_msg_to_vf(struct i40e_vf *vf, u32 v_opcode, ++ u32 v_retval, u8 *msg, u16 msglen) ++{ ++ return i40e_vc_send_msg_to_vf_ex(vf, v_opcode, v_retval, ++ msg, msglen, false); ++} ++ ++/** + * i40e_vc_send_resp_to_vf + * @vf: pointer to the VF info + * @opcode: operation code +@@ -2641,6 +2660,7 @@ error_param: + * i40e_check_vf_permission + * @vf: pointer to the VF info + * @al: MAC address list from virtchnl ++ * @is_quiet: set true for printing msg without opcode info, false otherwise + * + * Check that the given list of MAC addresses is allowed. Will return -EPERM + * if any address in the list is not valid. Checks the following conditions: +@@ -2655,13 +2675,15 @@ error_param: + * addresses might not be accurate. + **/ + static inline int i40e_check_vf_permission(struct i40e_vf *vf, +- struct virtchnl_ether_addr_list *al) ++ struct virtchnl_ether_addr_list *al, ++ bool *is_quiet) + { + struct i40e_pf *pf = vf->pf; + struct i40e_vsi *vsi = pf->vsi[vf->lan_vsi_idx]; + int mac2add_cnt = 0; + int i; + ++ *is_quiet = false; + for (i = 0; i < al->num_elements; i++) { + struct i40e_mac_filter *f; + u8 *addr = al->list[i].addr; +@@ -2685,6 +2707,7 @@ static inline int i40e_check_vf_permissi + !ether_addr_equal(addr, vf->default_lan_addr.addr)) { + dev_err(&pf->pdev->dev, + "VF attempting to override administratively set MAC address, bring down and up the VF interface to resume normal operation\n"); ++ *is_quiet = true; + return -EPERM; + } + +@@ -2721,6 +2744,7 @@ static int i40e_vc_add_mac_addr_msg(stru + (struct virtchnl_ether_addr_list *)msg; + struct i40e_pf *pf = vf->pf; + struct i40e_vsi *vsi = NULL; ++ bool is_quiet = false; + i40e_status ret = 0; + int i; + +@@ -2737,7 +2761,7 @@ static int i40e_vc_add_mac_addr_msg(stru + */ + spin_lock_bh(&vsi->mac_filter_hash_lock); + +- ret = i40e_check_vf_permission(vf, al); ++ ret = i40e_check_vf_permission(vf, al, &is_quiet); + if (ret) { + spin_unlock_bh(&vsi->mac_filter_hash_lock); + goto error_param; +@@ -2775,8 +2799,8 @@ static int i40e_vc_add_mac_addr_msg(stru + + error_param: + /* send the response to the VF */ +- return i40e_vc_send_resp_to_vf(vf, VIRTCHNL_OP_ADD_ETH_ADDR, +- ret); ++ return i40e_vc_send_msg_to_vf_ex(vf, VIRTCHNL_OP_ADD_ETH_ADDR, ++ ret, NULL, 0, is_quiet); + } + + /** diff --git a/patches.suse/i40e-fix-use-after-free-in-i40e_sync_filters_subtask.patch b/patches.suse/i40e-fix-use-after-free-in-i40e_sync_filters_subtask.patch new file mode 100644 index 0000000..86744f2 --- /dev/null +++ b/patches.suse/i40e-fix-use-after-free-in-i40e_sync_filters_subtask.patch @@ -0,0 +1,136 @@ +From: Di Zhu +Date: Mon, 29 Nov 2021 19:52:01 +0600 +Subject: i40e: fix use-after-free in i40e_sync_filters_subtask() +Patch-mainline: v5.16 +Git-commit: 3116f59c12bd24c513194cd3acb3ec1f7d468954 +References: git-fixes + +Using ifconfig command to delete the ipv6 address will cause +the i40e network card driver to delete its internal mac_filter and +i40e_service_task kernel thread will concurrently access the mac_filter. +These two processes are not protected by lock +so causing the following use-after-free problems. + + print_address_description+0x70/0x360 + ? vprintk_func+0x5e/0xf0 + kasan_report+0x1b2/0x330 + i40e_sync_vsi_filters+0x4f0/0x1850 [i40e] + i40e_sync_filters_subtask+0xe3/0x130 [i40e] + i40e_service_task+0x195/0x24c0 [i40e] + process_one_work+0x3f5/0x7d0 + worker_thread+0x61/0x6c0 + ? process_one_work+0x7d0/0x7d0 + kthread+0x1c3/0x1f0 + ? kthread_park+0xc0/0xc0 + ret_from_fork+0x35/0x40 + +Allocated by task 2279810: + kasan_kmalloc+0xa0/0xd0 + kmem_cache_alloc_trace+0xf3/0x1e0 + i40e_add_filter+0x127/0x2b0 [i40e] + i40e_add_mac_filter+0x156/0x190 [i40e] + i40e_addr_sync+0x2d/0x40 [i40e] + __hw_addr_sync_dev+0x154/0x210 + i40e_set_rx_mode+0x6d/0xf0 [i40e] + __dev_set_rx_mode+0xfb/0x1f0 + __dev_mc_add+0x6c/0x90 + igmp6_group_added+0x214/0x230 + __ipv6_dev_mc_inc+0x338/0x4f0 + addrconf_join_solict.part.7+0xa2/0xd0 + addrconf_dad_work+0x500/0x980 + process_one_work+0x3f5/0x7d0 + worker_thread+0x61/0x6c0 + kthread+0x1c3/0x1f0 + ret_from_fork+0x35/0x40 + +Freed by task 2547073: + __kasan_slab_free+0x130/0x180 + kfree+0x90/0x1b0 + __i40e_del_filter+0xa3/0xf0 [i40e] + i40e_del_mac_filter+0xf3/0x130 [i40e] + i40e_addr_unsync+0x85/0xa0 [i40e] + __hw_addr_sync_dev+0x9d/0x210 + i40e_set_rx_mode+0x6d/0xf0 [i40e] + __dev_set_rx_mode+0xfb/0x1f0 + __dev_mc_del+0x69/0x80 + igmp6_group_dropped+0x279/0x510 + __ipv6_dev_mc_dec+0x174/0x220 + addrconf_leave_solict.part.8+0xa2/0xd0 + __ipv6_ifa_notify+0x4cd/0x570 + ipv6_ifa_notify+0x58/0x80 + ipv6_del_addr+0x259/0x4a0 + inet6_addr_del+0x188/0x260 + addrconf_del_ifaddr+0xcc/0x130 + inet6_ioctl+0x152/0x190 + sock_do_ioctl+0xd8/0x2b0 + sock_ioctl+0x2e5/0x4c0 + do_vfs_ioctl+0x14e/0xa80 + ksys_ioctl+0x7c/0xa0 + __x64_sys_ioctl+0x42/0x50 + do_syscall_64+0x98/0x2c0 + entry_SYSCALL_64_after_hwframe+0x65/0xca + +Fixes: 41c445ff0f48 ("i40e: main driver core") +Signed-off-by: Di Zhu +Signed-off-by: Rui Zhang +Tested-by: Gurucharan G +Signed-off-by: Tony Nguyen +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -107,6 +107,24 @@ MODULE_VERSION(DRV_VERSION); + + static struct workqueue_struct *i40e_wq; + ++static void netdev_hw_addr_refcnt(struct i40e_mac_filter *f, ++ struct net_device *netdev, int delta) ++{ ++ struct netdev_hw_addr *ha; ++ ++ if (!f || !netdev) ++ return; ++ ++ netdev_for_each_mc_addr(ha, netdev) { ++ if (ether_addr_equal(ha->addr, f->macaddr)) { ++ ha->refcount += delta; ++ if (ha->refcount <= 0) ++ ha->refcount = 1; ++ break; ++ } ++ } ++} ++ + /** + * i40e_allocate_dma_mem_d - OS specific memory alloc for shared code + * @hw: pointer to the HW structure +@@ -2044,6 +2062,7 @@ static void i40e_undo_add_filter_entries + hlist_for_each_entry_safe(new, h, from, hlist) { + /* We can simply free the wrapper structure */ + hlist_del(&new->hlist); ++ netdev_hw_addr_refcnt(new->f, vsi->netdev, -1); + kfree(new); + } + } +@@ -2391,6 +2410,10 @@ int i40e_sync_vsi_filters(struct i40e_vs + &tmp_add_list, + &tmp_del_list, + vlan_filters); ++ ++ hlist_for_each_entry(new, &tmp_add_list, hlist) ++ netdev_hw_addr_refcnt(new->f, vsi->netdev, 1); ++ + if (retval) + goto err_no_memory_locked; + +@@ -2523,6 +2546,7 @@ int i40e_sync_vsi_filters(struct i40e_vs + if (new->f->state == I40E_FILTER_NEW) + new->f->state = new->state; + hlist_del(&new->hlist); ++ netdev_hw_addr_refcnt(new->f, vsi->netdev, -1); + kfree(new); + } + spin_unlock_bh(&vsi->mac_filter_hash_lock); diff --git a/patches.suse/iavf-Fix-limit-of-total-number-of-queues-to-active-q.patch b/patches.suse/iavf-Fix-limit-of-total-number-of-queues-to-active-q.patch new file mode 100644 index 0000000..5e65802 --- /dev/null +++ b/patches.suse/iavf-Fix-limit-of-total-number-of-queues-to-active-q.patch @@ -0,0 +1,41 @@ +From: Karen Sornek +Date: Wed, 1 Sep 2021 09:21:46 +0200 +Subject: iavf: Fix limit of total number of queues to active queues of VF +Patch-mainline: v5.16 +Git-commit: b712941c8085e638bb92456e866ed3de4404e3d5 +References: git-fixes + +In the absence of this validation, if the user requests to +configure queues more than the enabled queues, it results in +sending the requested number of queues to the kernel stack +(due to the asynchronous nature of VF response), in which +case the stack might pick a queue to transmit that is not +enabled and result in Tx hang. Fix this bug by +limiting the total number of queues allocated for VF to +active queues of VF. + +Fixes: d5b33d024496 ("i40evf: add ndo_setup_tc callback to i40evf") +Signed-off-by: Ashwin Vijayavel +Signed-off-by: Karen Sornek +Tested-by: Konrad Jankowski +Signed-off-by: Tony Nguyen +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -2598,8 +2598,11 @@ static int iavf_validate_ch_config(struc + total_max_rate += tx_rate; + num_qps += mqprio_qopt->qopt.count[i]; + } +- if (num_qps > IAVF_MAX_REQ_QUEUES) ++ if (num_qps > adapter->num_active_queues) { ++ dev_err(&adapter->pdev->dev, ++ "Cannot support requested number of queues\n"); + return -EINVAL; ++ } + + ret = iavf_validate_tx_bandwidth(adapter, total_max_rate); + return ret; diff --git a/patches.suse/iavf-restore-MSI-state-on-reset.patch b/patches.suse/iavf-restore-MSI-state-on-reset.patch new file mode 100644 index 0000000..442544c --- /dev/null +++ b/patches.suse/iavf-restore-MSI-state-on-reset.patch @@ -0,0 +1,35 @@ +From: Mitch Williams +Date: Fri, 4 Jun 2021 09:53:28 -0700 +Subject: iavf: restore MSI state on reset +Patch-mainline: v5.16-rc5 +Git-commit: 7e4dcc13965c57869684d57a1dc6dd7be589488c +References: git-fixes + +If the PF experiences an FLR, the VF's MSI and MSI-X configuration will +be conveniently and silently removed in the process. When this happens, +reset recovery will appear to complete normally but no traffic will +pass. The netdev watchdog will helpfully notify everyone of this issue. + +To prevent such public embarrassment, restore MSI configuration at every +reset. For normal resets, this will do no harm, but for VF resets +resulting from a PF FLR, this will keep the VF working. + +Fixes: 5eae00c57f5e ("i40evf: main driver core") +Signed-off-by: Mitch Williams +Tested-by: George Kuruvinakunnel +Signed-off-by: Tony Nguyen +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -2142,6 +2142,7 @@ static void iavf_reset_task(struct work_ + } + + pci_set_master(adapter->pdev); ++ pci_restore_msi_state(adapter->pdev); + + if (i == IAVF_RESET_WAIT_COMPLETE_COUNT) { + dev_err(&adapter->pdev->dev, "Reset never finished (%x)\n", diff --git a/patches.suse/ieee802154-atusb-fix-uninit-value-in-atusb_set_exten.patch b/patches.suse/ieee802154-atusb-fix-uninit-value-in-atusb_set_exten.patch new file mode 100644 index 0000000..ff3f996 --- /dev/null +++ b/patches.suse/ieee802154-atusb-fix-uninit-value-in-atusb_set_exten.patch @@ -0,0 +1,70 @@ +From 754e4382354f7908923a1949d8dc8d05f82f09cb Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Tue, 4 Jan 2022 21:28:06 +0300 +Subject: [PATCH] ieee802154: atusb: fix uninit value in atusb_set_extended_addr +Git-commit: 754e4382354f7908923a1949d8dc8d05f82f09cb +Patch-mainline: v5.16 +References: git-fixes + +Alexander reported a use of uninitialized value in +atusb_set_extended_addr(), that is caused by reading 0 bytes via +usb_control_msg(). + +Fix it by validating if the number of bytes transferred is actually +correct, since usb_control_msg() may read less bytes, than was requested +by caller. + +Fail log: + +Bug: KASAN: uninit-cmp in ieee802154_is_valid_extended_unicast_addr include/linux/ieee802154.h:310 [inline] +Bug: KASAN: uninit-cmp in atusb_set_extended_addr drivers/net/ieee802154/atusb.c:1000 [inline] +Bug: KASAN: uninit-cmp in atusb_probe.cold+0x29f/0x14db drivers/net/ieee802154/atusb.c:1056 +Uninit value used in comparison: 311daa649a2003bd stack handle: 000000009a2003bd + ieee802154_is_valid_extended_unicast_addr include/linux/ieee802154.h:310 [inline] + atusb_set_extended_addr drivers/net/ieee802154/atusb.c:1000 [inline] + atusb_probe.cold+0x29f/0x14db drivers/net/ieee802154/atusb.c:1056 + usb_probe_interface+0x314/0x7f0 drivers/usb/core/driver.c:396 + +Fixes: 7490b008d123 ("ieee802154: add support for atusb transceiver") +Reported-by: Alexander Potapenko +Acked-by: Alexander Aring +Signed-off-by: Pavel Skripkin +Link: https://lore.kernel.org/r/20220104182806.7188-1-paskripkin@gmail.com +Signed-off-by: Stefan Schmidt +Acked-by: Takashi Iwai + +--- + drivers/net/ieee802154/atusb.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ieee802154/atusb.c b/drivers/net/ieee802154/atusb.c +index 23ee0b14cbfa..2f5e7b31032a 100644 +--- a/drivers/net/ieee802154/atusb.c ++++ b/drivers/net/ieee802154/atusb.c +@@ -93,7 +93,9 @@ static int atusb_control_msg(struct atusb *atusb, unsigned int pipe, + + ret = usb_control_msg(usb_dev, pipe, request, requesttype, + value, index, data, size, timeout); +- if (ret < 0) { ++ if (ret < size) { ++ ret = ret < 0 ? ret : -ENODATA; ++ + atusb->err = ret; + dev_err(&usb_dev->dev, + "%s: req 0x%02x val 0x%x idx 0x%x, error %d\n", +@@ -861,9 +863,9 @@ static int atusb_get_and_show_build(struct atusb *atusb) + if (!build) + return -ENOMEM; + +- ret = atusb_control_msg(atusb, usb_rcvctrlpipe(usb_dev, 0), +- ATUSB_BUILD, ATUSB_REQ_FROM_DEV, 0, 0, +- build, ATUSB_BUILD_SIZE, 1000); ++ /* We cannot call atusb_control_msg() here, since this request may read various length data */ ++ ret = usb_control_msg(atusb->usb_dev, usb_rcvctrlpipe(usb_dev, 0), ATUSB_BUILD, ++ ATUSB_REQ_FROM_DEV, 0, 0, build, ATUSB_BUILD_SIZE, 1000); + if (ret >= 0) { + build[ret] = 0; + dev_info(&usb_dev->dev, "Firmware: build %s\n", build); +-- +2.31.1 + diff --git a/patches.suse/igb-Fix-removal-of-unicast-MAC-filters-of-VFs.patch b/patches.suse/igb-Fix-removal-of-unicast-MAC-filters-of-VFs.patch new file mode 100644 index 0000000..7915b90 --- /dev/null +++ b/patches.suse/igb-Fix-removal-of-unicast-MAC-filters-of-VFs.patch @@ -0,0 +1,64 @@ +From: Karen Sornek +Date: Tue, 31 Aug 2021 13:16:35 +0200 +Subject: igb: Fix removal of unicast MAC filters of VFs +Patch-mainline: v5.16-rc6 +Git-commit: 584af82154f56e6b2740160fcc84a2966d969e15 +References: git-fixes + +Move checking condition of VF MAC filter before clearing +or adding MAC filter to VF to prevent potential blackout caused +by removal of necessary and working VF's MAC filter. + +Fixes: 1b8b062a99dc ("igb: add VF trust infrastructure") +Signed-off-by: Karen Sornek +Tested-by: Konrad Jankowski +Signed-off-by: Tony Nguyen +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/intel/igb/igb_main.c | 28 ++++++++++++++-------------- + 1 file changed, 14 insertions(+), 14 deletions(-) + +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -7670,6 +7670,20 @@ static int igb_set_vf_mac_filter(struct + struct vf_mac_filter *entry = NULL; + int ret = 0; + ++ if ((vf_data->flags & IGB_VF_FLAG_PF_SET_MAC) && ++ !vf_data->trusted) { ++ dev_warn(&pdev->dev, ++ "VF %d requested MAC filter but is administratively denied\n", ++ vf); ++ return -EINVAL; ++ } ++ if (!is_valid_ether_addr(addr)) { ++ dev_warn(&pdev->dev, ++ "VF %d attempted to set invalid MAC filter\n", ++ vf); ++ return -EINVAL; ++ } ++ + switch (info) { + case E1000_VF_MAC_FILTER_CLR: + /* remove all unicast MAC filters related to the current VF */ +@@ -7683,20 +7697,6 @@ static int igb_set_vf_mac_filter(struct + } + break; + case E1000_VF_MAC_FILTER_ADD: +- if ((vf_data->flags & IGB_VF_FLAG_PF_SET_MAC) && +- !vf_data->trusted) { +- dev_warn(&pdev->dev, +- "VF %d requested MAC filter but is administratively denied\n", +- vf); +- return -EINVAL; +- } +- if (!is_valid_ether_addr(addr)) { +- dev_warn(&pdev->dev, +- "VF %d attempted to set invalid MAC filter\n", +- vf); +- return -EINVAL; +- } +- + /* try to find empty slot in the list */ + list_for_each(pos, &adapter->vf_macs.l) { + entry = list_entry(pos, struct vf_mac_filter, l); diff --git a/patches.suse/igbvf-fix-double-free-in-igbvf_probe.patch b/patches.suse/igbvf-fix-double-free-in-igbvf_probe.patch new file mode 100644 index 0000000..32c713e --- /dev/null +++ b/patches.suse/igbvf-fix-double-free-in-igbvf_probe.patch @@ -0,0 +1,73 @@ +From: Letu Ren +Date: Sat, 13 Nov 2021 11:42:34 +0800 +Subject: igbvf: fix double free in `igbvf_probe` +Patch-mainline: v5.16-rc6 +Git-commit: b6d335a60dc624c0d279333b22c737faa765b028 +References: git-fixes + +In `igbvf_probe`, if register_netdev() fails, the program will go to +label err_hw_init, and then to label err_ioremap. In free_netdev() which +is just below label err_ioremap, there is `list_for_each_entry_safe` and +`netif_napi_del` which aims to delete all entries in `dev->napi_list`. +The program has added an entry `adapter->rx_ring->napi` which is added by +`netif_napi_add` in igbvf_alloc_queues(). However, adapter->rx_ring has +been freed below label err_hw_init. So this a UAF. + +In terms of how to patch the problem, we can refer to igbvf_remove() and +delete the entry before `adapter->rx_ring`. + +The KASAN logs are as follows: + +[ 35.126075] BUG: KASAN: use-after-free in free_netdev+0x1fd/0x450 +[ 35.127170] Read of size 8 at addr ffff88810126d990 by task modprobe/366 +[ 35.128360] +[ 35.128643] CPU: 1 PID: 366 Comm: modprobe Not tainted 5.15.0-rc2+ #14 +[ 35.129789] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 +[ 35.131749] Call Trace: +[ 35.132199] dump_stack_lvl+0x59/0x7b +[ 35.132865] print_address_description+0x7c/0x3b0 +[ 35.133707] ? free_netdev+0x1fd/0x450 +[ 35.134378] __kasan_report+0x160/0x1c0 +[ 35.135063] ? free_netdev+0x1fd/0x450 +[ 35.135738] kasan_report+0x4b/0x70 +[ 35.136367] free_netdev+0x1fd/0x450 +[ 35.137006] igbvf_probe+0x121d/0x1a10 [igbvf] +[ 35.137808] ? igbvf_vlan_rx_add_vid+0x100/0x100 [igbvf] +[ 35.138751] local_pci_probe+0x13c/0x1f0 +[ 35.139461] pci_device_probe+0x37e/0x6c0 +[ 35.165526] +[ 35.165806] Allocated by task 366: +[ 35.166414] ____kasan_kmalloc+0xc4/0xf0 +[ 35.167117] foo_kmem_cache_alloc_trace+0x3c/0x50 [igbvf] +[ 35.168078] igbvf_probe+0x9c5/0x1a10 [igbvf] +[ 35.168866] local_pci_probe+0x13c/0x1f0 +[ 35.169565] pci_device_probe+0x37e/0x6c0 +[ 35.179713] +[ 35.179993] Freed by task 366: +[ 35.180539] kasan_set_track+0x4c/0x80 +[ 35.181211] kasan_set_free_info+0x1f/0x40 +[ 35.181942] ____kasan_slab_free+0x103/0x140 +[ 35.182703] kfree+0xe3/0x250 +[ 35.183239] igbvf_probe+0x1173/0x1a10 [igbvf] +[ 35.184040] local_pci_probe+0x13c/0x1f0 + +Fixes: d4e0fe01a38a0 (igbvf: add new driver to support 82576 virtual functions) +Reported-by: Zheyu Ma +Signed-off-by: Letu Ren +Tested-by: Konrad Jankowski +Signed-off-by: Tony Nguyen +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/intel/igbvf/netdev.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/intel/igbvf/netdev.c ++++ b/drivers/net/ethernet/intel/igbvf/netdev.c +@@ -2875,6 +2875,7 @@ static int igbvf_probe(struct pci_dev *p + return 0; + + err_hw_init: ++ netif_napi_del(&adapter->rx_ring->napi); + kfree(adapter->tx_ring); + kfree(adapter->rx_ring); + err_sw_init: diff --git a/patches.suse/igc-Fix-typo-in-i225-LTR-functions.patch b/patches.suse/igc-Fix-typo-in-i225-LTR-functions.patch new file mode 100644 index 0000000..1f518c4 --- /dev/null +++ b/patches.suse/igc-Fix-typo-in-i225-LTR-functions.patch @@ -0,0 +1,32 @@ +From: Sasha Neftin +Date: Tue, 2 Nov 2021 09:20:06 +0200 +Subject: igc: Fix typo in i225 LTR functions +Patch-mainline: v5.16-rc6 +Git-commit: 0182d1f3fa640888a2ed7e3f6df2fdb10adee7c8 +References: jsc#SLE-13533 + +The LTR maximum value was incorrectly written using the scale from +the LTR minimum value. This would cause incorrect values to be sent, +in cases where the initial calculation lead to different min/max scales. + +Fixes: 707abf069548 ("igc: Add initial LTR support") +Suggested-by: Dima Ruinskiy +Signed-off-by: Sasha Neftin +Tested-by: Nechama Kraus +Signed-off-by: Tony Nguyen +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/intel/igc/igc_i225.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/intel/igc/igc_i225.c ++++ b/drivers/net/ethernet/intel/igc/igc_i225.c +@@ -636,7 +636,7 @@ s32 igc_set_ltr_i225(struct igc_hw *hw, + ltrv = rd32(IGC_LTRMAXV); + if (ltr_max != (ltrv & IGC_LTRMAXV_LTRV_MASK)) { + ltrv = IGC_LTRMAXV_LSNP_REQ | ltr_max | +- (scale_min << IGC_LTRMAXV_SCALE_SHIFT); ++ (scale_max << IGC_LTRMAXV_SCALE_SHIFT); + wr32(IGC_LTRMAXV, ltrv); + } + } diff --git a/patches.suse/ionic-Initialize-the-lif-dbid_inuse-bitmap.patch b/patches.suse/ionic-Initialize-the-lif-dbid_inuse-bitmap.patch new file mode 100644 index 0000000..eb488b4 --- /dev/null +++ b/patches.suse/ionic-Initialize-the-lif-dbid_inuse-bitmap.patch @@ -0,0 +1,33 @@ +From: Christophe JAILLET +Date: Sun, 26 Dec 2021 15:06:17 +0100 +Subject: ionic: Initialize the 'lif->dbid_inuse' bitmap +Patch-mainline: v5.16-rc8 +Git-commit: 140c7bc7d1195750342ea0e6ab76179499ae7cd7 +References: bsc#1167773 + +When allocated, this bitmap is not initialized. Only the first bit is set a +few lines below. + +Use bitmap_zalloc() to make sure that it is cleared before being used. + +Fixes: 6461b446f2a0 ("ionic: Add interrupts and doorbells") +Signed-off-by: Christophe JAILLET +Signed-off-by: Shannon Nelson +Link: https://lore.kernel.org/r/6a478eae0b5e6c63774e1f0ddb1a3f8c38fa8ade.1640527506.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Jakub Kicinski +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/pensando/ionic/ionic_lif.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c +@@ -2880,7 +2880,7 @@ int ionic_lif_init(struct ionic_lif *lif + return -EINVAL; + } + +- lif->dbid_inuse = bitmap_alloc(lif->dbid_count, GFP_KERNEL); ++ lif->dbid_inuse = bitmap_zalloc(lif->dbid_count, GFP_KERNEL); + if (!lif->dbid_inuse) { + dev_err(dev, "Failed alloc doorbell id bitmap, aborting\n"); + return -ENOMEM; diff --git a/patches.suse/isofs-Fix-out-of-bound-access-for-corrupted-isofs-im.patch b/patches.suse/isofs-Fix-out-of-bound-access-for-corrupted-isofs-im.patch new file mode 100644 index 0000000..909198c --- /dev/null +++ b/patches.suse/isofs-Fix-out-of-bound-access-for-corrupted-isofs-im.patch @@ -0,0 +1,37 @@ +From e96a1866b40570b5950cda8602c2819189c62a48 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Mon, 18 Oct 2021 12:37:41 +0200 +Subject: [PATCH] isofs: Fix out of bound access for corrupted isofs image +Git-commit: e96a1866b40570b5950cda8602c2819189c62a48 +Patch-mainline: v5.16-rc1 +References: bsc#1194591 + +When isofs image is suitably corrupted isofs_read_inode() can read data +beyond the end of buffer. Sanity-check the directory entry length before +using it. + +Reported-and-tested-by: syzbot+6fc7fb214625d82af7d1@syzkaller.appspotmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Jan Kara +Acked-by: Jan Kara + +--- + fs/isofs/inode.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/isofs/inode.c b/fs/isofs/inode.c +index 678e2c51b855..0c6eacfcbeef 100644 +--- a/fs/isofs/inode.c ++++ b/fs/isofs/inode.c +@@ -1322,6 +1322,8 @@ static int isofs_read_inode(struct inode *inode, int relocated) + + de = (struct iso_directory_record *) (bh->b_data + offset); + de_len = *(unsigned char *) de; ++ if (de_len < sizeof(struct iso_directory_record)) ++ goto fail; + + if (offset + de_len > bufsize) { + int frag1 = bufsize - offset; +-- +2.31.1 + diff --git a/patches.suse/iwlwifi-mvm-Use-div_s64-instead-of-do_div-in-iwl_mvm.patch b/patches.suse/iwlwifi-mvm-Use-div_s64-instead-of-do_div-in-iwl_mvm.patch new file mode 100644 index 0000000..53637f4 --- /dev/null +++ b/patches.suse/iwlwifi-mvm-Use-div_s64-instead-of-do_div-in-iwl_mvm.patch @@ -0,0 +1,55 @@ +From 4ccdcc8ffd955490feec05380223db6a48961eb5 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Mon, 27 Dec 2021 12:17:57 -0700 +Subject: [PATCH] iwlwifi: mvm: Use div_s64 instead of do_div in iwl_mvm_ftm_rtt_smoothing() +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 4ccdcc8ffd955490feec05380223db6a48961eb5 +Patch-mainline: v5.17-rc1 +References: git-fixes + +When building ARCH=arm allmodconfig: + +Drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c: In function ‘iwl_mvm_ftm_rtt_smoothing’: +./include/asm-generic/div64.h:222:35: error: comparison of distinct pointer types lacks a cast [-Werror] + 222 | (void)(((typeof((n)) *)0) == ((uint64_t *)0)); \ + | ^~ +drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c:1070:9: note: in expansion of macro ‘do_div’ + 1070 | do_div(rtt_avg, 100); + | ^~~~~~ + +do_div() has to be used with an unsigned 64-bit integer dividend but +rtt_avg is a signed 64-bit integer. + +div_s64() expects a signed 64-bit integer dividend and signed 32-bit +divisor, which fits this scenario, so use that function here to fix the +warning. + +Fixes: 8b0f92549f2c ("iwlwifi: mvm: fix 32-bit build in FTM") +Signed-off-by: Nathan Chancellor +Link: https://lore.kernel.org/r/20211227191757.2354329-1-nathan@kernel.org +Signed-off-by: Jakub Kicinski +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c b/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c +index 9449d1af3c11..628aee634b2a 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c +@@ -1066,8 +1066,7 @@ static void iwl_mvm_ftm_rtt_smoothing(struct iwl_mvm *mvm, + overshoot = IWL_MVM_FTM_INITIATOR_SMOOTH_OVERSHOOT; + alpha = IWL_MVM_FTM_INITIATOR_SMOOTH_ALPHA; + +- rtt_avg = alpha * rtt + (100 - alpha) * resp->rtt_avg; +- do_div(rtt_avg, 100); ++ rtt_avg = div_s64(alpha * rtt + (100 - alpha) * resp->rtt_avg, 100); + + IWL_DEBUG_INFO(mvm, + "%pM: prev rtt_avg=%lld, new rtt_avg=%lld, rtt=%lld\n", +-- +2.31.1 + diff --git a/patches.suse/iwlwifi-mvm-fix-32-bit-build-in-FTM.patch b/patches.suse/iwlwifi-mvm-fix-32-bit-build-in-FTM.patch new file mode 100644 index 0000000..f0c8836 --- /dev/null +++ b/patches.suse/iwlwifi-mvm-fix-32-bit-build-in-FTM.patch @@ -0,0 +1,39 @@ +From 8b0f92549f2c2458200935c12a2e2a6e80234cf5 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Sun, 19 Dec 2021 11:14:18 +0200 +Subject: [PATCH] iwlwifi: mvm: fix 32-bit build in FTM +Git-commit: 8b0f92549f2c2458200935c12a2e2a6e80234cf5 +Patch-mainline: v5.17-rc1 +References: git-fixes + +On a 32-bit build, the division here needs to be done +using do_div(), otherwise the compiler will try to call +a function that doesn't exist, thus failing to build. + +Fixes: b68bd2e3143a ("iwlwifi: mvm: Add FTM initiator RTT smoothing logic") +Signed-off-by: Johannes Berg +Signed-off-by: Luca Coelho +Link: https://lore.kernel.org/r/iwlwifi.20211219111352.e56cbf614a4d.Ib98004ccd2c7a55fd883a8ea7eebd810f406dec6@changeid +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c b/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c +index 949fb790f8fb..3e6c13fc74eb 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c +@@ -1066,7 +1066,8 @@ static void iwl_mvm_ftm_rtt_smoothing(struct iwl_mvm *mvm, + overshoot = IWL_MVM_FTM_INITIATOR_SMOOTH_OVERSHOOT; + alpha = IWL_MVM_FTM_INITIATOR_SMOOTH_ALPHA; + +- rtt_avg = (alpha * rtt + (100 - alpha) * resp->rtt_avg) / 100; ++ rtt_avg = alpha * rtt + (100 - alpha) * resp->rtt_avg; ++ do_div(rtt_avg, 100); + + IWL_DEBUG_INFO(mvm, + "%pM: prev rtt_avg=%lld, new rtt_avg=%lld, rtt=%lld\n", +-- +2.31.1 + diff --git a/patches.suse/iwlwifi-mvm-test-roc-running-status-bits-before-remo.patch b/patches.suse/iwlwifi-mvm-test-roc-running-status-bits-before-remo.patch new file mode 100644 index 0000000..48df502 --- /dev/null +++ b/patches.suse/iwlwifi-mvm-test-roc-running-status-bits-before-remo.patch @@ -0,0 +1,66 @@ +From 998e1aba6e5eb35370eaf30ccc1823426ec11f90 Mon Sep 17 00:00:00 2001 +From: Nathan Errera +Date: Sun, 19 Dec 2021 12:18:15 +0200 +Subject: [PATCH] iwlwifi: mvm: test roc running status bits before removing the sta +Git-commit: 998e1aba6e5eb35370eaf30ccc1823426ec11f90 +Patch-mainline: v5.17-rc1 +References: git-fixes + +In some cases the sta is being removed twice since we do not test the +roc aux running before removing it. Start looking at the bit before +removing the sta. + +Signed-off-by: Nathan Errera +Fixes: 2c2c3647cde4 ("iwlwifi: mvm: support ADD_STA_CMD_API_S ver 12") +Signed-off-by: Luca Coelho +Link: https://lore.kernel.org/r/iwlwifi.20211219121514.d5376ac6bcb0.Ic5f8470ea60c072bde9d1503e5f528b65e301e20@changeid +Acked-by: Takashi Iwai + +--- + .../net/wireless/intel/iwlwifi/mvm/time-event.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c b/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c +index e6813317edf3..b8c645b9880f 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c +@@ -49,14 +49,13 @@ void iwl_mvm_roc_done_wk(struct work_struct *wk) + struct iwl_mvm *mvm = container_of(wk, struct iwl_mvm, roc_done_wk); + + /* +- * Clear the ROC_RUNNING /ROC_AUX_RUNNING status bit. ++ * Clear the ROC_RUNNING status bit. + * This will cause the TX path to drop offchannel transmissions. + * That would also be done by mac80211, but it is racy, in particular + * in the case that the time event actually completed in the firmware + * (which is handled in iwl_mvm_te_handle_notif). + */ + clear_bit(IWL_MVM_STATUS_ROC_RUNNING, &mvm->status); +- clear_bit(IWL_MVM_STATUS_ROC_AUX_RUNNING, &mvm->status); + + synchronize_net(); + +@@ -82,9 +81,19 @@ void iwl_mvm_roc_done_wk(struct work_struct *wk) + mvmvif = iwl_mvm_vif_from_mac80211(mvm->p2p_device_vif); + iwl_mvm_flush_sta(mvm, &mvmvif->bcast_sta, true); + } +- } else { ++ } ++ ++ /* ++ * Clear the ROC_AUX_RUNNING status bit. ++ * This will cause the TX path to drop offchannel transmissions. ++ * That would also be done by mac80211, but it is racy, in particular ++ * in the case that the time event actually completed in the firmware ++ * (which is handled in iwl_mvm_te_handle_notif). ++ */ ++ if (test_and_clear_bit(IWL_MVM_STATUS_ROC_AUX_RUNNING, &mvm->status)) { + /* do the same in case of hot spot 2.0 */ + iwl_mvm_flush_sta(mvm, &mvm->aux_sta, true); ++ + /* In newer version of this command an aux station is added only + * in cases of dedicated tx queue and need to be removed in end + * of use */ +-- +2.31.1 + diff --git a/patches.suse/ixgbe-set-X550-MDIO-speed-before-talking-to-PHY.patch b/patches.suse/ixgbe-set-X550-MDIO-speed-before-talking-to-PHY.patch new file mode 100644 index 0000000..f001817 --- /dev/null +++ b/patches.suse/ixgbe-set-X550-MDIO-speed-before-talking-to-PHY.patch @@ -0,0 +1,49 @@ +From: Cyril Novikov +Date: Mon, 1 Nov 2021 18:39:36 -0700 +Subject: ixgbe: set X550 MDIO speed before talking to PHY +Patch-mainline: v5.16-rc6 +Git-commit: bf0a375055bd1afbbf02a0ef45f7655da7b71317 +References: git-fixes + +The MDIO bus speed must be initialized before talking to the PHY the first +time in order to avoid talking to it using a speed that the PHY doesn't +support. + +This fixes HW initialization error -17 (IXGBE_ERR_PHY_ADDR_INVALID) on +Denverton CPUs (a.k.a. the Atom C3000 family) on ports with a 10Gb network +plugged in. On those devices, HLREG0[MDCSPD] resets to 1, which combined +with the 10Gb network results in a 24MHz MDIO speed, which is apparently +too fast for the connected PHY. PHY register reads over MDIO bus return +garbage, leading to initialization failure. + +Reproduced with Linux kernel 4.19 and 5.15-rc7. Can be reproduced using +the following setup: + +* Use an Atom C3000 family system with at least one X552 LAN on the SoC +* Disable PXE or other BIOS network initialization if possible + (the interface must not be initialized before Linux boots) +* Connect a live 10Gb Ethernet cable to an X550 port +* Power cycle (not reset, doesn't always work) the system and boot Linux +* Observe: ixgbe interfaces w/ 10GbE cables plugged in fail with error -17 + +Fixes: e84db7272798 ("ixgbe: Introduce function to control MDIO speed") +Signed-off-by: Cyril Novikov +Reviewed-by: Andrew Lunn +Signed-off-by: Tony Nguyen +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c +@@ -3405,6 +3405,9 @@ static s32 ixgbe_reset_hw_X550em(struct + /* flush pending Tx transactions */ + ixgbe_clear_tx_pending(hw); + ++ /* set MDIO speed before talking to the PHY in case it's the 1st time */ ++ ixgbe_set_mdio_speed(hw); ++ + /* PHY ops must be identified and initialized prior to reset */ + status = hw->phy.ops.init(hw); + if (status == IXGBE_ERR_SFP_NOT_SUPPORTED || diff --git a/patches.suse/mISDN-change-function-names-to-avoid-conflicts.patch b/patches.suse/mISDN-change-function-names-to-avoid-conflicts.patch new file mode 100644 index 0000000..b1e4951 --- /dev/null +++ b/patches.suse/mISDN-change-function-names-to-avoid-conflicts.patch @@ -0,0 +1,100 @@ +From 8b5fdfc57cc2471179d1c51081424ded833c16c8 Mon Sep 17 00:00:00 2001 +From: wolfgang huang +Date: Tue, 28 Dec 2021 16:01:20 +0800 +Subject: [PATCH] mISDN: change function names to avoid conflicts +Git-commit: 8b5fdfc57cc2471179d1c51081424ded833c16c8 +Patch-mainline: v5.16-rc8 +References: git-fixes + +As we build for mips, we meet following error. l1_init error with +multiple definition. Some architecture devices usually marked with +l1, l2, lxx as the start-up phase. so we change the mISDN function +names, align with Isdnl2_xxx. + +Mips-linux-gnu-ld: drivers/isdn/mISDN/layer1.o: in function `l1_init': +(.text+0x890): multiple definition of `l1_init'; \ +arch/mips/kernel/bmips_5xxx_init.o:(.text+0xf0): first defined here +Make[1]: *** [home/mips/kernel-build/linux/Makefile:1161: vmlinux] Error 1 + +Signed-off-by: wolfgang huang +Reported-by: k2ci +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + drivers/isdn/mISDN/core.c | 6 +++--- + drivers/isdn/mISDN/core.h | 4 ++-- + drivers/isdn/mISDN/layer1.c | 4 ++-- + 3 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/isdn/mISDN/core.c b/drivers/isdn/mISDN/core.c +index 55891e420446..a41b4b264594 100644 +--- a/drivers/isdn/mISDN/core.c ++++ b/drivers/isdn/mISDN/core.c +@@ -381,7 +381,7 @@ mISDNInit(void) + err = mISDN_inittimer(&debug); + if (err) + goto error2; +- err = l1_init(&debug); ++ err = Isdnl1_Init(&debug); + if (err) + goto error3; + err = Isdnl2_Init(&debug); +@@ -395,7 +395,7 @@ mISDNInit(void) + error5: + Isdnl2_cleanup(); + error4: +- l1_cleanup(); ++ Isdnl1_cleanup(); + error3: + mISDN_timer_cleanup(); + error2: +@@ -408,7 +408,7 @@ static void mISDN_cleanup(void) + { + misdn_sock_cleanup(); + Isdnl2_cleanup(); +- l1_cleanup(); ++ Isdnl1_cleanup(); + mISDN_timer_cleanup(); + class_unregister(&mISDN_class); + +diff --git a/drivers/isdn/mISDN/core.h b/drivers/isdn/mISDN/core.h +index 23b44d303327..42599f49c189 100644 +--- a/drivers/isdn/mISDN/core.h ++++ b/drivers/isdn/mISDN/core.h +@@ -60,8 +60,8 @@ struct Bprotocol *get_Bprotocol4id(u_int); + extern int mISDN_inittimer(u_int *); + extern void mISDN_timer_cleanup(void); + +-extern int l1_init(u_int *); +-extern void l1_cleanup(void); ++extern int Isdnl1_Init(u_int *); ++extern void Isdnl1_cleanup(void); + extern int Isdnl2_Init(u_int *); + extern void Isdnl2_cleanup(void); + +diff --git a/drivers/isdn/mISDN/layer1.c b/drivers/isdn/mISDN/layer1.c +index 98a3bc6c1700..7b31c25a550e 100644 +--- a/drivers/isdn/mISDN/layer1.c ++++ b/drivers/isdn/mISDN/layer1.c +@@ -398,7 +398,7 @@ create_l1(struct dchannel *dch, dchannel_l1callback *dcb) { + EXPORT_SYMBOL(create_l1); + + int +-l1_init(u_int *deb) ++Isdnl1_Init(u_int *deb) + { + debug = deb; + l1fsm_s.state_count = L1S_STATE_COUNT; +@@ -409,7 +409,7 @@ l1_init(u_int *deb) + } + + void +-l1_cleanup(void) ++Isdnl1_cleanup(void) + { + mISDN_FsmFree(&l1fsm_s); + } +-- +2.31.1 + diff --git a/patches.suse/mac80211-initialize-variable-have_higher_than_11mbit.patch b/patches.suse/mac80211-initialize-variable-have_higher_than_11mbit.patch new file mode 100644 index 0000000..6b5ec7d --- /dev/null +++ b/patches.suse/mac80211-initialize-variable-have_higher_than_11mbit.patch @@ -0,0 +1,46 @@ +From 68a18ad71378a56858141c4449e02a30c829763e Mon Sep 17 00:00:00 2001 +From: Tom Rix +Date: Thu, 23 Dec 2021 08:28:48 -0800 +Subject: [PATCH] mac80211: initialize variable have_higher_than_11mbit +Git-commit: 68a18ad71378a56858141c4449e02a30c829763e +Patch-mainline: v5.16 +References: git-fixes + +Clang static analysis reports this warnings + +mlme.c:5332:7: warning: Branch condition evaluates to a + garbage value + have_higher_than_11mbit) + ^~~~~~~~~~~~~~~~~~~~~~~ + +have_higher_than_11mbit is only set to true some of the time in +ieee80211_get_rates() but is checked all of the time. So +have_higher_than_11mbit needs to be initialized to false. + +Fixes: 5d6a1b069b7f ("mac80211: set basic rates earlier") +Signed-off-by: Tom Rix +Reviewed-by: Nick Desaulniers +Link: https://lore.kernel.org/r/20211223162848.3243702-1-trix@redhat.com +Signed-off-by: Johannes Berg +Acked-by: Takashi Iwai + +--- + net/mac80211/mlme.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index 37f7d975f3da..3147ca89f608 100644 +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -5265,7 +5265,7 @@ static int ieee80211_prep_connection(struct ieee80211_sub_if_data *sdata, + */ + if (new_sta) { + u32 rates = 0, basic_rates = 0; +- bool have_higher_than_11mbit; ++ bool have_higher_than_11mbit = false; + int min_rate = INT_MAX, min_rate_index = -1; + const struct cfg80211_bss_ies *ies; + int shift = ieee80211_vif_get_shift(&sdata->vif); +-- +2.31.1 + diff --git a/patches.suse/mailbox-hi3660-convert-struct-comments-to-kernel-doc.patch b/patches.suse/mailbox-hi3660-convert-struct-comments-to-kernel-doc.patch new file mode 100644 index 0000000..4ba0171 --- /dev/null +++ b/patches.suse/mailbox-hi3660-convert-struct-comments-to-kernel-doc.patch @@ -0,0 +1,78 @@ +From 79daec8b9c02e04e2afb11eefa71698b913b2c55 Mon Sep 17 00:00:00 2001 +From: Randy Dunlap +Date: Sun, 14 Nov 2021 19:31:19 -0800 +Subject: [PATCH] mailbox: hi3660: convert struct comments to kernel-doc notation +Git-commit: 79daec8b9c02e04e2afb11eefa71698b913b2c55 +Patch-mainline: v5.17-rc1 +References: git-fixes + +Convert hi3660 struct comments to kernel-doc notation and fix +other kernel-doc warnings: + +drivers/mailbox/hi3660-mailbox.c:47: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst + * Hi3660 mailbox channel information +drivers/mailbox/hi3660-mailbox.c:62: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst + * Hi3660 mailbox controller data +hi3660-mailbox.c:53: warning: contents before sections +hi3660-mailbox.c:67: warning: contents before sections + +Fixes: 41c0e939d70d ("mailbox: Add support for Hi3660 mailbox") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Cc: Ruyi Wang +Cc: Kaihua Zhong +Reviewed-by: Leo Yan +Signed-off-by: Jassi Brar +Acked-by: Takashi Iwai + +--- + drivers/mailbox/hi3660-mailbox.c | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +diff --git a/drivers/mailbox/hi3660-mailbox.c b/drivers/mailbox/hi3660-mailbox.c +index e41bd2f5ea46..ab24e731a782 100644 +--- a/drivers/mailbox/hi3660-mailbox.c ++++ b/drivers/mailbox/hi3660-mailbox.c +@@ -44,14 +44,13 @@ + #define MBOX_MSG_LEN 8 + + /** +- * Hi3660 mailbox channel information ++ * struct hi3660_chan_info - Hi3660 mailbox channel information ++ * @dst_irq: Interrupt vector for remote processor ++ * @ack_irq: Interrupt vector for local processor + * + * A channel can be used for TX or RX, it can trigger remote + * processor interrupt to notify remote processor and can receive +- * interrupt if has incoming message. +- * +- * @dst_irq: Interrupt vector for remote processor +- * @ack_irq: Interrupt vector for local processor ++ * interrupt if it has an incoming message. + */ + struct hi3660_chan_info { + unsigned int dst_irq; +@@ -59,16 +58,15 @@ struct hi3660_chan_info { + }; + + /** +- * Hi3660 mailbox controller data +- * +- * Mailbox controller includes 32 channels and can allocate +- * channel for message transferring. +- * ++ * struct hi3660_mbox - Hi3660 mailbox controller data + * @dev: Device to which it is attached + * @base: Base address of the register mapping region + * @chan: Representation of channels in mailbox controller + * @mchan: Representation of channel info + * @controller: Representation of a communication channel controller ++ * ++ * Mailbox controller includes 32 channels and can allocate ++ * channel for message transferring. + */ + struct hi3660_mbox { + struct device *dev; +-- +2.31.1 + diff --git a/patches.suse/media-Revert-media-uvcvideo-Set-unique-vdev-name-bas.patch b/patches.suse/media-Revert-media-uvcvideo-Set-unique-vdev-name-bas.patch index 971fac1..910f3f0 100644 --- a/patches.suse/media-Revert-media-uvcvideo-Set-unique-vdev-name-bas.patch +++ b/patches.suse/media-Revert-media-uvcvideo-Set-unique-vdev-name-bas.patch @@ -3,8 +3,7 @@ From: Ricardo Ribalda Date: Tue, 7 Dec 2021 01:38:37 +0100 Subject: [PATCH] media: Revert "media: uvcvideo: Set unique vdev name based in type" Git-commit: f66dcb32af19faf49cc4a9222c3152b10c6ec84a -Git-repo: git://linuxtv.org/mchehab/media-next.git -Patch-mainline: Queued in subsystem maintainer repo +Patch-mainline: v5.17-rc1 References: bsc#1193255 A lot of userspace depends on a descriptive name for vdev. Without this diff --git a/patches.suse/media-aspeed-Update-signal-status-immediately-to-ens.patch b/patches.suse/media-aspeed-Update-signal-status-immediately-to-ens.patch new file mode 100644 index 0000000..527e16d --- /dev/null +++ b/patches.suse/media-aspeed-Update-signal-status-immediately-to-ens.patch @@ -0,0 +1,65 @@ +From af6d1bde395cac174ee71adcd3fa43f6435c7206 Mon Sep 17 00:00:00 2001 +From: Jammy Huang +Date: Tue, 9 Nov 2021 03:12:27 +0000 +Subject: [PATCH] media: aspeed: Update signal status immediately to ensure sane hw state +Git-commit: af6d1bde395cac174ee71adcd3fa43f6435c7206 +Patch-mainline: v5.17-rc1 +References: git-fixes + +If res-chg, VE_INTERRUPT_MODE_DETECT_WD irq will be raised. But +v4l2_input_status won't be updated to no-signal immediately until +aspeed_video_get_resolution() in aspeed_video_resolution_work(). + +During the period of time, aspeed_video_start_frame() could be called +because it doesn't know signal becomes unstable now. If it goes with +aspeed_video_init_regs() of aspeed_video_irq_res_change() +simultaneously, it will mess up hw state. + +To fix this problem, v4l2_input_status is updated to no-signal +immediately for VE_INTERRUPT_MODE_DETECT_WD irq. + +Fixes: d2b4387f3bdf ("media: platform: Add Aspeed Video Engine driver") +Signed-off-by: Jammy Huang +Acked-by: Paul Menzel +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/platform/aspeed-video.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/platform/aspeed-video.c b/drivers/media/platform/aspeed-video.c +index 136383ad0e97..7a24daf7165a 100644 +--- a/drivers/media/platform/aspeed-video.c ++++ b/drivers/media/platform/aspeed-video.c +@@ -595,6 +595,8 @@ static void aspeed_video_irq_res_change(struct aspeed_video *video, ulong delay) + set_bit(VIDEO_RES_CHANGE, &video->flags); + clear_bit(VIDEO_FRAME_INPRG, &video->flags); + ++ video->v4l2_input_status = V4L2_IN_ST_NO_SIGNAL; ++ + aspeed_video_off(video); + aspeed_video_bufs_done(video, VB2_BUF_STATE_ERROR); + +@@ -1375,7 +1377,6 @@ static void aspeed_video_resolution_work(struct work_struct *work) + struct delayed_work *dwork = to_delayed_work(work); + struct aspeed_video *video = container_of(dwork, struct aspeed_video, + res_work); +- u32 input_status = video->v4l2_input_status; + + aspeed_video_on(video); + +@@ -1388,8 +1389,7 @@ static void aspeed_video_resolution_work(struct work_struct *work) + aspeed_video_get_resolution(video); + + if (video->detected_timings.width != video->active_timings.width || +- video->detected_timings.height != video->active_timings.height || +- input_status != video->v4l2_input_status) { ++ video->detected_timings.height != video->active_timings.height) { + static const struct v4l2_event ev = { + .type = V4L2_EVENT_SOURCE_CHANGE, + .u.src_change.changes = V4L2_EVENT_SRC_CH_RESOLUTION, +-- +2.31.1 + diff --git a/patches.suse/media-aspeed-fix-mode-detect-always-time-out-at-2nd-.patch b/patches.suse/media-aspeed-fix-mode-detect-always-time-out-at-2nd-.patch new file mode 100644 index 0000000..83e19b5 --- /dev/null +++ b/patches.suse/media-aspeed-fix-mode-detect-always-time-out-at-2nd-.patch @@ -0,0 +1,56 @@ +From 62cea52ad4bead0ae4be2cfe1142eb0aae0e9fbd Mon Sep 17 00:00:00 2001 +From: Jammy Huang +Date: Wed, 3 Nov 2021 08:23:54 +0000 +Subject: [PATCH] media: aspeed: fix mode-detect always time out at 2nd run +Git-commit: 62cea52ad4bead0ae4be2cfe1142eb0aae0e9fbd +Patch-mainline: v5.17-rc1 +References: git-fixes + +aspeed_video_get_resolution() will try to do res-detect again if the +timing got in last try is invalid. But it will always time out because +VE_SEQ_CTRL_TRIG_MODE_DET is only cleared after 1st mode-detect. + +To fix the problem, just clear VE_SEQ_CTRL_TRIG_MODE_DET before setting +it in aspeed_video_enable_mode_detect(). + +Fixes: d2b4387f3bdf ("media: platform: Add Aspeed Video Engine driver") +Signed-off-by: Jammy Huang +Acked-by: Paul Menzel +Reviewed-by: Joel Stanley +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/platform/aspeed-video.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/platform/aspeed-video.c b/drivers/media/platform/aspeed-video.c +index cad3f97515ae..136383ad0e97 100644 +--- a/drivers/media/platform/aspeed-video.c ++++ b/drivers/media/platform/aspeed-video.c +@@ -539,6 +539,10 @@ static void aspeed_video_enable_mode_detect(struct aspeed_video *video) + aspeed_video_update(video, VE_INTERRUPT_CTRL, 0, + VE_INTERRUPT_MODE_DETECT); + ++ /* Disable mode detect in order to re-trigger */ ++ aspeed_video_update(video, VE_SEQ_CTRL, ++ VE_SEQ_CTRL_TRIG_MODE_DET, 0); ++ + /* Trigger mode detect */ + aspeed_video_update(video, VE_SEQ_CTRL, 0, VE_SEQ_CTRL_TRIG_MODE_DET); + } +@@ -824,10 +828,6 @@ static void aspeed_video_get_resolution(struct aspeed_video *video) + return; + } + +- /* Disable mode detect in order to re-trigger */ +- aspeed_video_update(video, VE_SEQ_CTRL, +- VE_SEQ_CTRL_TRIG_MODE_DET, 0); +- + aspeed_video_check_and_set_polarity(video); + + aspeed_video_enable_mode_detect(video); +-- +2.31.1 + diff --git a/patches.suse/media-cpia2-fix-control-message-timeouts.patch b/patches.suse/media-cpia2-fix-control-message-timeouts.patch new file mode 100644 index 0000000..a417788 --- /dev/null +++ b/patches.suse/media-cpia2-fix-control-message-timeouts.patch @@ -0,0 +1,47 @@ +From 10729be03327f53258cb196362015ad5c6eabe02 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 25 Oct 2021 13:16:37 +0100 +Subject: [PATCH] media: cpia2: fix control-message timeouts +Git-commit: 10729be03327f53258cb196362015ad5c6eabe02 +Patch-mainline: v5.17-rc1 +References: git-fixes + +USB control-message timeouts are specified in milliseconds and should +specifically not vary with CONFIG_HZ. + +Fixes: ab33d5071de7 ("V4L/DVB (3376): Add cpia2 camera support") +Cc: stable@vger.kernel.org # 2.6.17 +Signed-off-by: Johan Hovold +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/usb/cpia2/cpia2_usb.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/usb/cpia2/cpia2_usb.c b/drivers/media/usb/cpia2/cpia2_usb.c +index 76aac06f9fb8..cba03b286473 100644 +--- a/drivers/media/usb/cpia2/cpia2_usb.c ++++ b/drivers/media/usb/cpia2/cpia2_usb.c +@@ -550,7 +550,7 @@ static int write_packet(struct usb_device *udev, + 0, /* index */ + buf, /* buffer */ + size, +- HZ); ++ 1000); + + kfree(buf); + return ret; +@@ -582,7 +582,7 @@ static int read_packet(struct usb_device *udev, + 0, /* index */ + buf, /* buffer */ + size, +- HZ); ++ 1000); + + if (ret >= 0) + memcpy(registers, buf, size); +-- +2.31.1 + diff --git a/patches.suse/media-dib0700-fix-undefined-behavior-in-tuner-shutdo.patch b/patches.suse/media-dib0700-fix-undefined-behavior-in-tuner-shutdo.patch new file mode 100644 index 0000000..ceb528c --- /dev/null +++ b/patches.suse/media-dib0700-fix-undefined-behavior-in-tuner-shutdo.patch @@ -0,0 +1,56 @@ +From f7b77ebe6d2f49c7747b2d619586d1aa33f9ea91 Mon Sep 17 00:00:00 2001 +From: Michael Kuron +Date: Sun, 26 Sep 2021 21:51:26 +0100 +Subject: [PATCH] media: dib0700: fix undefined behavior in tuner shutdown +Git-commit: f7b77ebe6d2f49c7747b2d619586d1aa33f9ea91 +Patch-mainline: v5.17-rc1 +References: git-fixes + +This fixes a problem where closing the tuner would leave it in a state +where it would not tune to any channel when reopened. This problem was +discovered as part of https://github.com/hselasky/webcamd/issues/16. + +Since adap->id is 0 or 1, this bit-shift overflows, which is undefined +behavior. The driver still worked in practice as the overflow would in +most environments result in 0, which rendered the line a no-op. When +running the driver as part of webcamd however, the overflow could lead +to 0xff due to optimizations by the compiler, which would, in the end, +improperly shut down the tuner. + +The bug is a regression introduced in the commit referenced below. The +present patch causes identical behavior to before that commit for +adap->id equal to 0 or 1. The driver does not contain support for +dib0700 devices with more adapters, assuming such even exist. + +Tests have been performed with the Xbox One Digital TV Tuner on amd64. +Not all dib0700 devices are expected to be affected by the regression; +this code path is only taken by those with incorrect endpoint numbers. + +Link: https://lore.kernel.org/linux-media/1d2fc36d94ced6f67c7cc21dcc469d5e5bdd8201.1632689033.git.mchehab+huawei@kernel.org + +Cc: stable@vger.kernel.org +Fixes: 7757ddda6f4f ("[media] DiB0700: add function to change I2C-speed") +Signed-off-by: Michael Kuron +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/usb/dvb-usb/dib0700_core.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/media/usb/dvb-usb/dib0700_core.c b/drivers/media/usb/dvb-usb/dib0700_core.c +index 70219b3e8566..7ea8f68b0f45 100644 +--- a/drivers/media/usb/dvb-usb/dib0700_core.c ++++ b/drivers/media/usb/dvb-usb/dib0700_core.c +@@ -618,8 +618,6 @@ int dib0700_streaming_ctrl(struct dvb_usb_adapter *adap, int onoff) + deb_info("the endpoint number (%i) is not correct, use the adapter id instead", adap->fe_adap[0].stream.props.endpoint); + if (onoff) + st->channel_state |= 1 << (adap->id); +- else +- st->channel_state |= 1 << ~(adap->id); + } else { + if (onoff) + st->channel_state |= 1 << (adap->fe_adap[0].stream.props.endpoint-2); +-- +2.31.1 + diff --git a/patches.suse/media-dib8000-Fix-a-memleak-in-dib8000_init.patch b/patches.suse/media-dib8000-Fix-a-memleak-in-dib8000_init.patch new file mode 100644 index 0000000..5d0af50 --- /dev/null +++ b/patches.suse/media-dib8000-Fix-a-memleak-in-dib8000_init.patch @@ -0,0 +1,55 @@ +From 8dbdcc7269a83305ee9d677b75064d3530a48ee2 Mon Sep 17 00:00:00 2001 +From: Zhou Qingyang +Date: Tue, 30 Nov 2021 16:38:05 +0100 +Subject: [PATCH] media: dib8000: Fix a memleak in dib8000_init() +Git-commit: 8dbdcc7269a83305ee9d677b75064d3530a48ee2 +Patch-mainline: v5.17-rc1 +References: git-fixes + +In dib8000_init(), the variable fe is not freed or passed out on the +failure of dib8000_identify(&state->i2c), which could lead to a memleak. + +Fix this bug by adding a kfree of fe in the error path. + +This bug was found by a static analyzer. The analysis employs +differential checking to identify inconsistent security operations +(e.g., checks or kfrees) between two code paths and confirms that the +inconsistent operations are not recovered in the current function or +the callers, so they constitute bugs. + +Note that, as a bug found by static analysis, it can be a false +positive or hard to trigger. Multiple researchers have cross-reviewed +the bug. + +Builds with CONFIG_DVB_DIB8000=m show no new warnings, +and our static analyzer no longer warns about this code. + +Fixes: 77e2c0f5d471 ("V4L/DVB (12900): DiB8000: added support for DiBcom ISDB-T/ISDB-Tsb demodulator DiB8000") +Signed-off-by: Zhou Qingyang +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/dvb-frontends/dib8000.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/dvb-frontends/dib8000.c b/drivers/media/dvb-frontends/dib8000.c +index bb02354a48b8..d67f2dd997d0 100644 +--- a/drivers/media/dvb-frontends/dib8000.c ++++ b/drivers/media/dvb-frontends/dib8000.c +@@ -4473,8 +4473,10 @@ static struct dvb_frontend *dib8000_init(struct i2c_adapter *i2c_adap, u8 i2c_ad + + state->timf_default = cfg->pll->timf; + +- if (dib8000_identify(&state->i2c) == 0) ++ if (dib8000_identify(&state->i2c) == 0) { ++ kfree(fe); + goto error; ++ } + + dibx000_init_i2c_master(&state->i2c_master, DIB8000, state->i2c.adap, state->i2c.addr); + +-- +2.31.1 + diff --git a/patches.suse/media-dmxdev-fix-UAF-when-dvb_register_device-fails.patch b/patches.suse/media-dmxdev-fix-UAF-when-dvb_register_device-fails.patch new file mode 100644 index 0000000..f556ab1 --- /dev/null +++ b/patches.suse/media-dmxdev-fix-UAF-when-dvb_register_device-fails.patch @@ -0,0 +1,104 @@ +From ab599eb11882f834951c436cc080c3455ba32b9b Mon Sep 17 00:00:00 2001 +From: Wang Hai +Date: Fri, 15 Oct 2021 16:57:41 +0800 +Subject: [PATCH] media: dmxdev: fix UAF when dvb_register_device() fails +Git-commit: ab599eb11882f834951c436cc080c3455ba32b9b +Patch-mainline: v5.17-rc1 +References: git-fixes + +I got a use-after-free report: + +Dvbdev: dvb_register_device: failed to create device dvb1.dvr0 (-12) +... +================================================================== +Bug: KASAN: use-after-free in dvb_dmxdev_release+0xce/0x2f0 +... +Call Trace: + dump_stack_lvl+0x6c/0x8b + print_address_description.constprop.0+0x48/0x70 + kasan_report.cold+0x82/0xdb + __asan_load4+0x6b/0x90 + dvb_dmxdev_release+0xce/0x2f0 +... +Allocated by task 7666: + kasan_save_stack+0x23/0x50 + __kasan_kmalloc+0x83/0xa0 + kmem_cache_alloc_trace+0x22e/0x470 + dvb_register_device+0x12f/0x980 + dvb_dmxdev_init+0x1f3/0x230 +... +Freed by task 7666: + kasan_save_stack+0x23/0x50 + kasan_set_track+0x20/0x30 + kasan_set_free_info+0x24/0x40 + __kasan_slab_free+0xf2/0x130 + kfree+0xd1/0x5c0 + dvb_register_device.cold+0x1ac/0x1fa + dvb_dmxdev_init+0x1f3/0x230 +... + +When dvb_register_device() in dvb_dmxdev_init() fails, dvb_dmxdev_init() +does not return a failure, and the memory pointed to by dvbdev or +dvr_dvbdev is invalid at this point. If they are used subsequently, it +will result in UFA or null-ptr-deref. + +If dvb_register_device() in dvb_dmxdev_init() fails, fix the bug by making +dvb_dmxdev_init() return an error as well. + +Link: https://lore.kernel.org/linux-media/20211015085741.1203283-1-wanghai38@huawei.com + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/dvb-core/dmxdev.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/dvb-core/dmxdev.c b/drivers/media/dvb-core/dmxdev.c +index 5d5a48475a54..01f288fa37e0 100644 +--- a/drivers/media/dvb-core/dmxdev.c ++++ b/drivers/media/dvb-core/dmxdev.c +@@ -1413,7 +1413,7 @@ static const struct dvb_device dvbdev_dvr = { + }; + int dvb_dmxdev_init(struct dmxdev *dmxdev, struct dvb_adapter *dvb_adapter) + { +- int i; ++ int i, ret; + + if (dmxdev->demux->open(dmxdev->demux) < 0) + return -EUSERS; +@@ -1432,14 +1432,26 @@ int dvb_dmxdev_init(struct dmxdev *dmxdev, struct dvb_adapter *dvb_adapter) + DMXDEV_STATE_FREE); + } + +- dvb_register_device(dvb_adapter, &dmxdev->dvbdev, &dvbdev_demux, dmxdev, ++ ret = dvb_register_device(dvb_adapter, &dmxdev->dvbdev, &dvbdev_demux, dmxdev, + DVB_DEVICE_DEMUX, dmxdev->filternum); +- dvb_register_device(dvb_adapter, &dmxdev->dvr_dvbdev, &dvbdev_dvr, ++ if (ret < 0) ++ goto err_register_dvbdev; ++ ++ ret = dvb_register_device(dvb_adapter, &dmxdev->dvr_dvbdev, &dvbdev_dvr, + dmxdev, DVB_DEVICE_DVR, dmxdev->filternum); ++ if (ret < 0) ++ goto err_register_dvr_dvbdev; + + dvb_ringbuffer_init(&dmxdev->dvr_buffer, NULL, 8192); + + return 0; ++ ++err_register_dvr_dvbdev: ++ dvb_unregister_device(dmxdev->dvbdev); ++err_register_dvbdev: ++ vfree(dmxdev->filter); ++ dmxdev->filter = NULL; ++ return ret; + } + + EXPORT_SYMBOL(dvb_dmxdev_init); +-- +2.31.1 + diff --git a/patches.suse/media-dw2102-Fix-use-after-free.patch b/patches.suse/media-dw2102-Fix-use-after-free.patch new file mode 100644 index 0000000..5f900b6 --- /dev/null +++ b/patches.suse/media-dw2102-Fix-use-after-free.patch @@ -0,0 +1,407 @@ +From 589a9f0eb799f77de2c09583bf5bad221fa5d685 Mon Sep 17 00:00:00 2001 +From: Anton Vasilyev +Date: Thu, 22 Aug 2019 12:41:47 +0200 +Subject: [PATCH] media: dw2102: Fix use after free +Git-commit: 589a9f0eb799f77de2c09583bf5bad221fa5d685 +Patch-mainline: v5.17-rc1 +References: git-fixes + +dvb_usb_device_init stores parts of properties at d->props +and d->desc and uses it on dvb_usb_device_exit. +Free of properties on module probe leads to use after free. +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=204597 + +The patch makes properties static instead of allocated on heap to prevent +memleak and use after free. +Also fixes s421_properties.devices initialization to have 2 element +instead of 6 copied from p7500_properties. + +[mchehab: fix function call alignments] +Link: https://lore.kernel.org/linux-media/20190822104147.4420-1-vasilyev@ispras.ru +Signed-off-by: Anton Vasilyev +Fixes: 299c7007e936 ("media: dw2102: Fix memleak on sequence of probes") +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/usb/dvb-usb/dw2102.c | 338 ++++++++++++++++++----------- + 1 file changed, 215 insertions(+), 123 deletions(-) + +diff --git a/drivers/media/usb/dvb-usb/dw2102.c b/drivers/media/usb/dvb-usb/dw2102.c +index f0e686b05dc6..ca75ebdc10b3 100644 +--- a/drivers/media/usb/dvb-usb/dw2102.c ++++ b/drivers/media/usb/dvb-usb/dw2102.c +@@ -2150,46 +2150,153 @@ static struct dvb_usb_device_properties s6x0_properties = { + } + }; + +-static const struct dvb_usb_device_description d1100 = { +- "Prof 1100 USB ", +- {&dw2102_table[PROF_1100], NULL}, +- {NULL}, +-}; ++static struct dvb_usb_device_properties p1100_properties = { ++ .caps = DVB_USB_IS_AN_I2C_ADAPTER, ++ .usb_ctrl = DEVICE_SPECIFIC, ++ .size_of_priv = sizeof(struct dw2102_state), ++ .firmware = P1100_FIRMWARE, ++ .no_reconnect = 1, + +-static const struct dvb_usb_device_description d660 = { +- "TeVii S660 USB", +- {&dw2102_table[TEVII_S660], NULL}, +- {NULL}, +-}; ++ .i2c_algo = &s6x0_i2c_algo, ++ .rc.core = { ++ .rc_interval = 150, ++ .rc_codes = RC_MAP_TBS_NEC, ++ .module_name = "dw2102", ++ .allowed_protos = RC_PROTO_BIT_NEC, ++ .rc_query = prof_rc_query, ++ }, + +-static const struct dvb_usb_device_description d480_1 = { +- "TeVii S480.1 USB", +- {&dw2102_table[TEVII_S480_1], NULL}, +- {NULL}, ++ .generic_bulk_ctrl_endpoint = 0x81, ++ .num_adapters = 1, ++ .download_firmware = dw2102_load_firmware, ++ .read_mac_address = s6x0_read_mac_address, ++ .adapter = { ++ { ++ .num_frontends = 1, ++ .fe = {{ ++ .frontend_attach = stv0288_frontend_attach, ++ .stream = { ++ .type = USB_BULK, ++ .count = 8, ++ .endpoint = 0x82, ++ .u = { ++ .bulk = { ++ .buffersize = 4096, ++ } ++ } ++ }, ++ } }, ++ } ++ }, ++ .num_device_descs = 1, ++ .devices = { ++ {"Prof 1100 USB ", ++ {&dw2102_table[PROF_1100], NULL}, ++ {NULL}, ++ }, ++ } + }; + +-static const struct dvb_usb_device_description d480_2 = { +- "TeVii S480.2 USB", +- {&dw2102_table[TEVII_S480_2], NULL}, +- {NULL}, +-}; ++static struct dvb_usb_device_properties s660_properties = { ++ .caps = DVB_USB_IS_AN_I2C_ADAPTER, ++ .usb_ctrl = DEVICE_SPECIFIC, ++ .size_of_priv = sizeof(struct dw2102_state), ++ .firmware = S660_FIRMWARE, ++ .no_reconnect = 1, + +-static const struct dvb_usb_device_description d7500 = { +- "Prof 7500 USB DVB-S2", +- {&dw2102_table[PROF_7500], NULL}, +- {NULL}, +-}; ++ .i2c_algo = &s6x0_i2c_algo, ++ .rc.core = { ++ .rc_interval = 150, ++ .rc_codes = RC_MAP_TEVII_NEC, ++ .module_name = "dw2102", ++ .allowed_protos = RC_PROTO_BIT_NEC, ++ .rc_query = dw2102_rc_query, ++ }, + +-static const struct dvb_usb_device_description d421 = { +- "TeVii S421 PCI", +- {&dw2102_table[TEVII_S421], NULL}, +- {NULL}, ++ .generic_bulk_ctrl_endpoint = 0x81, ++ .num_adapters = 1, ++ .download_firmware = dw2102_load_firmware, ++ .read_mac_address = s6x0_read_mac_address, ++ .adapter = { ++ { ++ .num_frontends = 1, ++ .fe = {{ ++ .frontend_attach = ds3000_frontend_attach, ++ .stream = { ++ .type = USB_BULK, ++ .count = 8, ++ .endpoint = 0x82, ++ .u = { ++ .bulk = { ++ .buffersize = 4096, ++ } ++ } ++ }, ++ } }, ++ } ++ }, ++ .num_device_descs = 3, ++ .devices = { ++ {"TeVii S660 USB", ++ {&dw2102_table[TEVII_S660], NULL}, ++ {NULL}, ++ }, ++ {"TeVii S480.1 USB", ++ {&dw2102_table[TEVII_S480_1], NULL}, ++ {NULL}, ++ }, ++ {"TeVii S480.2 USB", ++ {&dw2102_table[TEVII_S480_2], NULL}, ++ {NULL}, ++ }, ++ } + }; + +-static const struct dvb_usb_device_description d632 = { +- "TeVii S632 USB", +- {&dw2102_table[TEVII_S632], NULL}, +- {NULL}, ++static struct dvb_usb_device_properties p7500_properties = { ++ .caps = DVB_USB_IS_AN_I2C_ADAPTER, ++ .usb_ctrl = DEVICE_SPECIFIC, ++ .size_of_priv = sizeof(struct dw2102_state), ++ .firmware = P7500_FIRMWARE, ++ .no_reconnect = 1, ++ ++ .i2c_algo = &s6x0_i2c_algo, ++ .rc.core = { ++ .rc_interval = 150, ++ .rc_codes = RC_MAP_TBS_NEC, ++ .module_name = "dw2102", ++ .allowed_protos = RC_PROTO_BIT_NEC, ++ .rc_query = prof_rc_query, ++ }, ++ ++ .generic_bulk_ctrl_endpoint = 0x81, ++ .num_adapters = 1, ++ .download_firmware = dw2102_load_firmware, ++ .read_mac_address = s6x0_read_mac_address, ++ .adapter = { ++ { ++ .num_frontends = 1, ++ .fe = {{ ++ .frontend_attach = prof_7500_frontend_attach, ++ .stream = { ++ .type = USB_BULK, ++ .count = 8, ++ .endpoint = 0x82, ++ .u = { ++ .bulk = { ++ .buffersize = 4096, ++ } ++ } ++ }, ++ } }, ++ } ++ }, ++ .num_device_descs = 1, ++ .devices = { ++ {"Prof 7500 USB DVB-S2", ++ {&dw2102_table[PROF_7500], NULL}, ++ {NULL}, ++ }, ++ } + }; + + static struct dvb_usb_device_properties su3000_properties = { +@@ -2273,6 +2380,59 @@ static struct dvb_usb_device_properties su3000_properties = { + } + }; + ++static struct dvb_usb_device_properties s421_properties = { ++ .caps = DVB_USB_IS_AN_I2C_ADAPTER, ++ .usb_ctrl = DEVICE_SPECIFIC, ++ .size_of_priv = sizeof(struct dw2102_state), ++ .power_ctrl = su3000_power_ctrl, ++ .num_adapters = 1, ++ .identify_state = su3000_identify_state, ++ .i2c_algo = &su3000_i2c_algo, ++ ++ .rc.core = { ++ .rc_interval = 150, ++ .rc_codes = RC_MAP_SU3000, ++ .module_name = "dw2102", ++ .allowed_protos = RC_PROTO_BIT_RC5, ++ .rc_query = su3000_rc_query, ++ }, ++ ++ .read_mac_address = su3000_read_mac_address, ++ ++ .generic_bulk_ctrl_endpoint = 0x01, ++ ++ .adapter = { ++ { ++ .num_frontends = 1, ++ .fe = {{ ++ .streaming_ctrl = su3000_streaming_ctrl, ++ .frontend_attach = m88rs2000_frontend_attach, ++ .stream = { ++ .type = USB_BULK, ++ .count = 8, ++ .endpoint = 0x82, ++ .u = { ++ .bulk = { ++ .buffersize = 4096, ++ } ++ } ++ } ++ } }, ++ } ++ }, ++ .num_device_descs = 2, ++ .devices = { ++ { "TeVii S421 PCI", ++ { &dw2102_table[TEVII_S421], NULL }, ++ { NULL }, ++ }, ++ { "TeVii S632 USB", ++ { &dw2102_table[TEVII_S632], NULL }, ++ { NULL }, ++ }, ++ } ++}; ++ + static struct dvb_usb_device_properties t220_properties = { + .caps = DVB_USB_IS_AN_I2C_ADAPTER, + .usb_ctrl = DEVICE_SPECIFIC, +@@ -2390,101 +2550,33 @@ static struct dvb_usb_device_properties tt_s2_4600_properties = { + static int dw2102_probe(struct usb_interface *intf, + const struct usb_device_id *id) + { +- int retval = -ENOMEM; +- struct dvb_usb_device_properties *p1100; +- struct dvb_usb_device_properties *s660; +- struct dvb_usb_device_properties *p7500; +- struct dvb_usb_device_properties *s421; +- +- p1100 = kmemdup(&s6x0_properties, +- sizeof(struct dvb_usb_device_properties), GFP_KERNEL); +- if (!p1100) +- goto err0; +- +- /* copy default structure */ +- /* fill only different fields */ +- p1100->firmware = P1100_FIRMWARE; +- p1100->devices[0] = d1100; +- p1100->rc.core.rc_query = prof_rc_query; +- p1100->rc.core.rc_codes = RC_MAP_TBS_NEC; +- p1100->adapter->fe[0].frontend_attach = stv0288_frontend_attach; +- +- s660 = kmemdup(&s6x0_properties, +- sizeof(struct dvb_usb_device_properties), GFP_KERNEL); +- if (!s660) +- goto err1; +- +- s660->firmware = S660_FIRMWARE; +- s660->num_device_descs = 3; +- s660->devices[0] = d660; +- s660->devices[1] = d480_1; +- s660->devices[2] = d480_2; +- s660->adapter->fe[0].frontend_attach = ds3000_frontend_attach; +- +- p7500 = kmemdup(&s6x0_properties, +- sizeof(struct dvb_usb_device_properties), GFP_KERNEL); +- if (!p7500) +- goto err2; +- +- p7500->firmware = P7500_FIRMWARE; +- p7500->devices[0] = d7500; +- p7500->rc.core.rc_query = prof_rc_query; +- p7500->rc.core.rc_codes = RC_MAP_TBS_NEC; +- p7500->adapter->fe[0].frontend_attach = prof_7500_frontend_attach; +- +- +- s421 = kmemdup(&su3000_properties, +- sizeof(struct dvb_usb_device_properties), GFP_KERNEL); +- if (!s421) +- goto err3; +- +- s421->num_device_descs = 2; +- s421->devices[0] = d421; +- s421->devices[1] = d632; +- s421->adapter->fe[0].frontend_attach = m88rs2000_frontend_attach; +- +- if (0 == dvb_usb_device_init(intf, &dw2102_properties, +- THIS_MODULE, NULL, adapter_nr) || +- 0 == dvb_usb_device_init(intf, &dw2104_properties, +- THIS_MODULE, NULL, adapter_nr) || +- 0 == dvb_usb_device_init(intf, &dw3101_properties, +- THIS_MODULE, NULL, adapter_nr) || +- 0 == dvb_usb_device_init(intf, &s6x0_properties, +- THIS_MODULE, NULL, adapter_nr) || +- 0 == dvb_usb_device_init(intf, p1100, +- THIS_MODULE, NULL, adapter_nr) || +- 0 == dvb_usb_device_init(intf, s660, +- THIS_MODULE, NULL, adapter_nr) || +- 0 == dvb_usb_device_init(intf, p7500, +- THIS_MODULE, NULL, adapter_nr) || +- 0 == dvb_usb_device_init(intf, s421, +- THIS_MODULE, NULL, adapter_nr) || +- 0 == dvb_usb_device_init(intf, &su3000_properties, +- THIS_MODULE, NULL, adapter_nr) || +- 0 == dvb_usb_device_init(intf, &t220_properties, +- THIS_MODULE, NULL, adapter_nr) || +- 0 == dvb_usb_device_init(intf, &tt_s2_4600_properties, +- THIS_MODULE, NULL, adapter_nr)) { +- +- /* clean up copied properties */ +- kfree(s421); +- kfree(p7500); +- kfree(s660); +- kfree(p1100); ++ if (!(dvb_usb_device_init(intf, &dw2102_properties, ++ THIS_MODULE, NULL, adapter_nr) && ++ dvb_usb_device_init(intf, &dw2104_properties, ++ THIS_MODULE, NULL, adapter_nr) && ++ dvb_usb_device_init(intf, &dw3101_properties, ++ THIS_MODULE, NULL, adapter_nr) && ++ dvb_usb_device_init(intf, &s6x0_properties, ++ THIS_MODULE, NULL, adapter_nr) && ++ dvb_usb_device_init(intf, &p1100_properties, ++ THIS_MODULE, NULL, adapter_nr) && ++ dvb_usb_device_init(intf, &s660_properties, ++ THIS_MODULE, NULL, adapter_nr) && ++ dvb_usb_device_init(intf, &p7500_properties, ++ THIS_MODULE, NULL, adapter_nr) && ++ dvb_usb_device_init(intf, &s421_properties, ++ THIS_MODULE, NULL, adapter_nr) && ++ dvb_usb_device_init(intf, &su3000_properties, ++ THIS_MODULE, NULL, adapter_nr) && ++ dvb_usb_device_init(intf, &t220_properties, ++ THIS_MODULE, NULL, adapter_nr) && ++ dvb_usb_device_init(intf, &tt_s2_4600_properties, ++ THIS_MODULE, NULL, adapter_nr))) { + + return 0; + } + +- retval = -ENODEV; +- kfree(s421); +-err3: +- kfree(p7500); +-err2: +- kfree(s660); +-err1: +- kfree(p1100); +-err0: +- return retval; ++ return -ENODEV; + } + + static void dw2102_disconnect(struct usb_interface *intf) +-- +2.31.1 + diff --git a/patches.suse/media-em28xx-fix-control-message-timeouts.patch b/patches.suse/media-em28xx-fix-control-message-timeouts.patch new file mode 100644 index 0000000..8a4d74b --- /dev/null +++ b/patches.suse/media-em28xx-fix-control-message-timeouts.patch @@ -0,0 +1,47 @@ +From d9b7e8df3aa9b8c10708aab60e72e79ac08237e4 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 25 Oct 2021 13:16:38 +0100 +Subject: [PATCH] media: em28xx: fix control-message timeouts +Git-commit: d9b7e8df3aa9b8c10708aab60e72e79ac08237e4 +Patch-mainline: v5.17-rc1 +References: git-fixes + +USB control-message timeouts are specified in milliseconds and should +specifically not vary with CONFIG_HZ. + +Fixes: a6c2ba283565 ("[PATCH] v4l: 716: support for em28xx board family") +Cc: stable@vger.kernel.org # 2.6.16 +Signed-off-by: Johan Hovold +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/usb/em28xx/em28xx-core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/usb/em28xx/em28xx-core.c b/drivers/media/usb/em28xx/em28xx-core.c +index acc0bf7dbe2b..c837cc528a33 100644 +--- a/drivers/media/usb/em28xx/em28xx-core.c ++++ b/drivers/media/usb/em28xx/em28xx-core.c +@@ -89,7 +89,7 @@ int em28xx_read_reg_req_len(struct em28xx *dev, u8 req, u16 reg, + mutex_lock(&dev->ctrl_urb_lock); + ret = usb_control_msg(udev, pipe, req, + USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE, +- 0x0000, reg, dev->urb_buf, len, HZ); ++ 0x0000, reg, dev->urb_buf, len, 1000); + if (ret < 0) { + em28xx_regdbg("(pipe 0x%08x): IN: %02x %02x %02x %02x %02x %02x %02x %02x failed with error %i\n", + pipe, +@@ -158,7 +158,7 @@ int em28xx_write_regs_req(struct em28xx *dev, u8 req, u16 reg, char *buf, + memcpy(dev->urb_buf, buf, len); + ret = usb_control_msg(udev, pipe, req, + USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE, +- 0x0000, reg, dev->urb_buf, len, HZ); ++ 0x0000, reg, dev->urb_buf, len, 1000); + mutex_unlock(&dev->ctrl_urb_lock); + + if (ret < 0) { +-- +2.31.1 + diff --git a/patches.suse/media-em28xx-fix-memory-leak-in-em28xx_init_dev.patch b/patches.suse/media-em28xx-fix-memory-leak-in-em28xx_init_dev.patch new file mode 100644 index 0000000..fd861e5 --- /dev/null +++ b/patches.suse/media-em28xx-fix-memory-leak-in-em28xx_init_dev.patch @@ -0,0 +1,81 @@ +From 22be5a10d0b24eec9e45decd15d7e6112b25f080 Mon Sep 17 00:00:00 2001 +From: Dongliang Mu +Date: Mon, 1 Nov 2021 09:55:39 +0000 +Subject: [PATCH] media: em28xx: fix memory leak in em28xx_init_dev +Git-commit: 22be5a10d0b24eec9e45decd15d7e6112b25f080 +Patch-mainline: v5.17-rc1 +References: git-fixes + +In the em28xx_init_rev, if em28xx_audio_setup fails, this function fails +to deallocate the media_dev allocated in the em28xx_media_device_init. + +Fix this by adding em28xx_unregister_media_device to free media_dev. + +BTW, this patch is tested in my local syzkaller instance, and it can +prevent the memory leak from occurring again. + +Cc: Pavel Skripkin +Fixes: 37ecc7b1278f ("[media] em28xx: add media controller support") +Signed-off-by: Dongliang Mu +Reported-by: syzkaller +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/usb/em28xx/em28xx-cards.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/drivers/media/usb/em28xx/em28xx-cards.c b/drivers/media/usb/em28xx/em28xx-cards.c +index b207f34af5c6..b451ce3cb169 100644 +--- a/drivers/media/usb/em28xx/em28xx-cards.c ++++ b/drivers/media/usb/em28xx/em28xx-cards.c +@@ -3630,8 +3630,10 @@ static int em28xx_init_dev(struct em28xx *dev, struct usb_device *udev, + + if (dev->is_audio_only) { + retval = em28xx_audio_setup(dev); +- if (retval) +- return -ENODEV; ++ if (retval) { ++ retval = -ENODEV; ++ goto err_deinit_media; ++ } + em28xx_init_extension(dev); + + return 0; +@@ -3650,7 +3652,7 @@ static int em28xx_init_dev(struct em28xx *dev, struct usb_device *udev, + dev_err(&dev->intf->dev, + "%s: em28xx_i2c_register bus 0 - error [%d]!\n", + __func__, retval); +- return retval; ++ goto err_deinit_media; + } + + /* register i2c bus 1 */ +@@ -3666,9 +3668,7 @@ static int em28xx_init_dev(struct em28xx *dev, struct usb_device *udev, + "%s: em28xx_i2c_register bus 1 - error [%d]!\n", + __func__, retval); + +- em28xx_i2c_unregister(dev, 0); +- +- return retval; ++ goto err_unreg_i2c; + } + } + +@@ -3676,6 +3676,12 @@ static int em28xx_init_dev(struct em28xx *dev, struct usb_device *udev, + em28xx_card_setup(dev); + + return 0; ++ ++err_unreg_i2c: ++ em28xx_i2c_unregister(dev, 0); ++err_deinit_media: ++ em28xx_unregister_media_device(dev); ++ return retval; + } + + static int em28xx_duplicate_dev(struct em28xx *dev) +-- +2.31.1 + diff --git a/patches.suse/media-flexcop-usb-fix-control-message-timeouts.patch b/patches.suse/media-flexcop-usb-fix-control-message-timeouts.patch new file mode 100644 index 0000000..13d1077 --- /dev/null +++ b/patches.suse/media-flexcop-usb-fix-control-message-timeouts.patch @@ -0,0 +1,102 @@ +From cd1798a387825cc4a51282f5a611ad05bb1ad75f Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 25 Oct 2021 13:16:36 +0100 +Subject: [PATCH] media: flexcop-usb: fix control-message timeouts +Git-commit: cd1798a387825cc4a51282f5a611ad05bb1ad75f +Patch-mainline: v5.17-rc1 +References: git-fixes + +USB control-message timeouts are specified in milliseconds and should +specifically not vary with CONFIG_HZ. + +Note that the driver was multiplying some of the timeout values with HZ +twice resulting in 3000-second timeouts with HZ=1000. + +Also note that two of the timeout defines are currently unused. + +Fixes: 2154be651b90 ("[media] redrat3: new rc-core IR transceiver device driver") +Cc: stable@vger.kernel.org # 3.0 +Signed-off-by: Johan Hovold +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/usb/b2c2/flexcop-usb.c | 10 +++++----- + drivers/media/usb/b2c2/flexcop-usb.h | 12 ++++++------ + 2 files changed, 11 insertions(+), 11 deletions(-) + +diff --git a/drivers/media/usb/b2c2/flexcop-usb.c b/drivers/media/usb/b2c2/flexcop-usb.c +index 5d38171b7638..bfeb92d93de3 100644 +--- a/drivers/media/usb/b2c2/flexcop-usb.c ++++ b/drivers/media/usb/b2c2/flexcop-usb.c +@@ -87,7 +87,7 @@ static int flexcop_usb_readwrite_dw(struct flexcop_device *fc, u16 wRegOffsPCI, + 0, + fc_usb->data, + sizeof(u32), +- B2C2_WAIT_FOR_OPERATION_RDW * HZ); ++ B2C2_WAIT_FOR_OPERATION_RDW); + + if (ret != sizeof(u32)) { + err("error while %s dword from %d (%d).", read ? "reading" : +@@ -155,7 +155,7 @@ static int flexcop_usb_v8_memory_req(struct flexcop_usb *fc_usb, + wIndex, + fc_usb->data, + buflen, +- nWaitTime * HZ); ++ nWaitTime); + if (ret != buflen) + ret = -EIO; + +@@ -248,13 +248,13 @@ static int flexcop_usb_i2c_req(struct flexcop_i2c_adapter *i2c, + /* DKT 020208 - add this to support special case of DiSEqC */ + case USB_FUNC_I2C_CHECKWRITE: + pipe = B2C2_USB_CTRL_PIPE_OUT; +- nWaitTime = 2; ++ nWaitTime = 2000; + request_type |= USB_DIR_OUT; + break; + case USB_FUNC_I2C_READ: + case USB_FUNC_I2C_REPEATREAD: + pipe = B2C2_USB_CTRL_PIPE_IN; +- nWaitTime = 2; ++ nWaitTime = 2000; + request_type |= USB_DIR_IN; + break; + default: +@@ -281,7 +281,7 @@ static int flexcop_usb_i2c_req(struct flexcop_i2c_adapter *i2c, + wIndex, + fc_usb->data, + buflen, +- nWaitTime * HZ); ++ nWaitTime); + + if (ret != buflen) + ret = -EIO; +diff --git a/drivers/media/usb/b2c2/flexcop-usb.h b/drivers/media/usb/b2c2/flexcop-usb.h +index 2f230bf72252..c7cca1a5ee59 100644 +--- a/drivers/media/usb/b2c2/flexcop-usb.h ++++ b/drivers/media/usb/b2c2/flexcop-usb.h +@@ -91,13 +91,13 @@ typedef enum { + UTILITY_SRAM_TESTVERIFY = 0x16, + } flexcop_usb_utility_function_t; + +-#define B2C2_WAIT_FOR_OPERATION_RW (1*HZ) +-#define B2C2_WAIT_FOR_OPERATION_RDW (3*HZ) +-#define B2C2_WAIT_FOR_OPERATION_WDW (1*HZ) ++#define B2C2_WAIT_FOR_OPERATION_RW 1000 ++#define B2C2_WAIT_FOR_OPERATION_RDW 3000 ++#define B2C2_WAIT_FOR_OPERATION_WDW 1000 + +-#define B2C2_WAIT_FOR_OPERATION_V8READ (3*HZ) +-#define B2C2_WAIT_FOR_OPERATION_V8WRITE (3*HZ) +-#define B2C2_WAIT_FOR_OPERATION_V8FLASH (3*HZ) ++#define B2C2_WAIT_FOR_OPERATION_V8READ 3000 ++#define B2C2_WAIT_FOR_OPERATION_V8WRITE 3000 ++#define B2C2_WAIT_FOR_OPERATION_V8FLASH 3000 + + typedef enum { + V8_MEMORY_PAGE_DVB_CI = 0x20, +-- +2.31.1 + diff --git a/patches.suse/media-hantro-Fix-probe-func-error-path.patch b/patches.suse/media-hantro-Fix-probe-func-error-path.patch new file mode 100644 index 0000000..3a4b947 --- /dev/null +++ b/patches.suse/media-hantro-Fix-probe-func-error-path.patch @@ -0,0 +1,51 @@ +From 37af43b250fda6162005d47bf7c959c70d52b107 Mon Sep 17 00:00:00 2001 +From: Jernej Skrabec +Date: Mon, 29 Nov 2021 19:26:25 +0100 +Subject: [PATCH] media: hantro: Fix probe func error path +Git-commit: 37af43b250fda6162005d47bf7c959c70d52b107 +Patch-mainline: v5.17-rc1 +References: git-fixes + +If clocks for some reason couldn't be enabled, probe function returns +immediately, without disabling PM. This obviously leaves PM ref counters +unbalanced. + +Fix that by jumping to appropriate error path, so effects of PM functions +are reversed. + +Fixes: 775fec69008d ("media: add Rockchip VPU JPEG encoder driver") +Signed-off-by: Jernej Skrabec +Acked-by: Andrzej Pietrasiewicz +Reviewed-by: Ezequiel Garcia +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/staging/media/hantro/hantro_drv.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/staging/media/hantro/hantro_drv.c b/drivers/staging/media/hantro/hantro_drv.c +index ab2467998d29..3d3107a39dae 100644 +--- a/drivers/staging/media/hantro/hantro_drv.c ++++ b/drivers/staging/media/hantro/hantro_drv.c +@@ -981,7 +981,7 @@ static int hantro_probe(struct platform_device *pdev) + ret = clk_bulk_prepare(vpu->variant->num_clocks, vpu->clocks); + if (ret) { + dev_err(&pdev->dev, "Failed to prepare clocks\n"); +- return ret; ++ goto err_pm_disable; + } + + ret = v4l2_device_register(&pdev->dev, &vpu->v4l2_dev); +@@ -1037,6 +1037,7 @@ static int hantro_probe(struct platform_device *pdev) + v4l2_device_unregister(&vpu->v4l2_dev); + err_clk_unprepare: + clk_bulk_unprepare(vpu->variant->num_clocks, vpu->clocks); ++err_pm_disable: + pm_runtime_dont_use_autosuspend(vpu->dev); + pm_runtime_disable(vpu->dev); + return ret; +-- +2.31.1 + diff --git a/patches.suse/media-i2c-imx274-fix-trivial-typo-expsoure-exposure.patch b/patches.suse/media-i2c-imx274-fix-trivial-typo-expsoure-exposure.patch new file mode 100644 index 0000000..5e93021 --- /dev/null +++ b/patches.suse/media-i2c-imx274-fix-trivial-typo-expsoure-exposure.patch @@ -0,0 +1,36 @@ +From 4e05d5f24b2c0cdb8adb3c3b93dc05fe7facae66 Mon Sep 17 00:00:00 2001 +From: Eugen Hristev +Date: Thu, 18 Nov 2021 08:17:15 +0100 +Subject: [PATCH] media: i2c: imx274: fix trivial typo expsoure/exposure +Git-commit: 4e05d5f24b2c0cdb8adb3c3b93dc05fe7facae66 +Patch-mainline: v5.17-rc1 +References: git-fixes + +Fix typo expsoure/exposure + +Fixes: 0985dd306f72 ("media: imx274: V4l2 driver for Sony imx274 CMOS sensor") +Signed-off-by: Eugen Hristev +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/i2c/imx274.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/i2c/imx274.c b/drivers/media/i2c/imx274.c +index 4d9b64c61f60..5312cf3e855d 100644 +--- a/drivers/media/i2c/imx274.c ++++ b/drivers/media/i2c/imx274.c +@@ -1462,7 +1462,7 @@ static int imx274_s_stream(struct v4l2_subdev *sd, int on) + goto fail; + + /* +- * update frame rate & expsoure. if the last mode is different, ++ * update frame rate & exposure. if the last mode is different, + * HMAX could be changed. As the result, frame rate & exposure + * are changed. + * gain is not affected. +-- +2.31.1 + diff --git a/patches.suse/media-i2c-imx274-fix-trivial-typo-obainted-obtained.patch b/patches.suse/media-i2c-imx274-fix-trivial-typo-obainted-obtained.patch new file mode 100644 index 0000000..de88f2f --- /dev/null +++ b/patches.suse/media-i2c-imx274-fix-trivial-typo-obainted-obtained.patch @@ -0,0 +1,36 @@ +From 358ed66bfcdaec6de70e27c747887604b9ea2e6e Mon Sep 17 00:00:00 2001 +From: Eugen Hristev +Date: Thu, 18 Nov 2021 13:51:51 +0100 +Subject: [PATCH] media: i2c: imx274: fix trivial typo obainted/obtained +Git-commit: 358ed66bfcdaec6de70e27c747887604b9ea2e6e +Patch-mainline: v5.17-rc1 +References: git-fixes + +Fix typo obainted/obtained. + +Fixes: 0985dd306f72 ("media: imx274: V4l2 driver for Sony imx274 CMOS sensor") +Signed-off-by: Eugen Hristev +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/i2c/imx274.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/i2c/imx274.c b/drivers/media/i2c/imx274.c +index 5312cf3e855d..2e804e3b70c4 100644 +--- a/drivers/media/i2c/imx274.c ++++ b/drivers/media/i2c/imx274.c +@@ -1499,7 +1499,7 @@ static int imx274_s_stream(struct v4l2_subdev *sd, int on) + /* + * imx274_get_frame_length - Function for obtaining current frame length + * @priv: Pointer to device structure +- * @val: Pointer to obainted value ++ * @val: Pointer to obtained value + * + * frame_length = vmax x (svr + 1), in unit of hmax. + * +-- +2.31.1 + diff --git a/patches.suse/media-imx-pxp-Initialize-the-spinlock-prior-to-using.patch b/patches.suse/media-imx-pxp-Initialize-the-spinlock-prior-to-using.patch new file mode 100644 index 0000000..58f9f00 --- /dev/null +++ b/patches.suse/media-imx-pxp-Initialize-the-spinlock-prior-to-using.patch @@ -0,0 +1,46 @@ +From ed2f97ad4b21072f849cf4ae6645d1f2b1d3f550 Mon Sep 17 00:00:00 2001 +From: Fabio Estevam +Date: Fri, 8 Oct 2021 15:10:14 +0200 +Subject: [PATCH] media: imx-pxp: Initialize the spinlock prior to using it +Git-commit: ed2f97ad4b21072f849cf4ae6645d1f2b1d3f550 +Patch-mainline: v5.17-rc1 +References: git-fixes + +After devm_request_threaded_irq() is called there is a chance that an +interrupt may occur before the spinlock is initialized, which will trigger +a kernel oops. + +To prevent that, move the initialization of the spinlock prior to +requesting the interrupts. + +Fixes: 51abcf7fdb70 ("media: imx-pxp: add i.MX Pixel Pipeline driver") +Signed-off-by: Fabio Estevam +Reviewed-by: Philipp Zabel +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/platform/imx-pxp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/media/platform/imx-pxp.c ++++ b/drivers/media/platform/imx-pxp.c +@@ -1666,6 +1666,8 @@ static int pxp_probe(struct platform_dev + return irq; + } + ++ spin_lock_init(&dev->irqlock); ++ + ret = devm_request_threaded_irq(&pdev->dev, irq, NULL, pxp_irq_handler, + IRQF_ONESHOT, dev_name(&pdev->dev), dev); + if (ret < 0) { +@@ -1683,8 +1685,6 @@ static int pxp_probe(struct platform_dev + goto err_clk; + } + +- spin_lock_init(&dev->irqlock); +- + ret = v4l2_device_register(&pdev->dev, &dev->v4l2_dev); + if (ret) + goto err_clk; diff --git a/patches.suse/media-mceusb-fix-control-message-timeouts.patch b/patches.suse/media-mceusb-fix-control-message-timeouts.patch new file mode 100644 index 0000000..098a056 --- /dev/null +++ b/patches.suse/media-mceusb-fix-control-message-timeouts.patch @@ -0,0 +1,62 @@ +From 16394e998cbb050730536bdf7e89f5a70efbd974 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 25 Oct 2021 13:16:34 +0100 +Subject: [PATCH] media: mceusb: fix control-message timeouts +Git-commit: 16394e998cbb050730536bdf7e89f5a70efbd974 +Patch-mainline: v5.17-rc1 +References: git-fixes + +USB control-message timeouts are specified in milliseconds and should +specifically not vary with CONFIG_HZ. + +Fixes: 66e89522aff7 ("V4L/DVB: IR: add mceusb IR receiver driver") +Cc: stable@vger.kernel.org # 2.6.36 +Signed-off-by: Johan Hovold +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/rc/mceusb.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/rc/mceusb.c b/drivers/media/rc/mceusb.c +index d09bee82c04c..2dc810f5a73f 100644 +--- a/drivers/media/rc/mceusb.c ++++ b/drivers/media/rc/mceusb.c +@@ -1430,7 +1430,7 @@ static void mceusb_gen1_init(struct mceusb_dev *ir) + */ + ret = usb_control_msg(ir->usbdev, usb_rcvctrlpipe(ir->usbdev, 0), + USB_REQ_SET_ADDRESS, USB_TYPE_VENDOR, 0, 0, +- data, USB_CTRL_MSG_SZ, HZ * 3); ++ data, USB_CTRL_MSG_SZ, 3000); + dev_dbg(dev, "set address - ret = %d", ret); + dev_dbg(dev, "set address - data[0] = %d, data[1] = %d", + data[0], data[1]); +@@ -1438,20 +1438,20 @@ static void mceusb_gen1_init(struct mceusb_dev *ir) + /* set feature: bit rate 38400 bps */ + ret = usb_control_msg(ir->usbdev, usb_sndctrlpipe(ir->usbdev, 0), + USB_REQ_SET_FEATURE, USB_TYPE_VENDOR, +- 0xc04e, 0x0000, NULL, 0, HZ * 3); ++ 0xc04e, 0x0000, NULL, 0, 3000); + + dev_dbg(dev, "set feature - ret = %d", ret); + + /* bRequest 4: set char length to 8 bits */ + ret = usb_control_msg(ir->usbdev, usb_sndctrlpipe(ir->usbdev, 0), + 4, USB_TYPE_VENDOR, +- 0x0808, 0x0000, NULL, 0, HZ * 3); ++ 0x0808, 0x0000, NULL, 0, 3000); + dev_dbg(dev, "set char length - retB = %d", ret); + + /* bRequest 2: set handshaking to use DTR/DSR */ + ret = usb_control_msg(ir->usbdev, usb_sndctrlpipe(ir->usbdev, 0), + 2, USB_TYPE_VENDOR, +- 0x0000, 0x0100, NULL, 0, HZ * 3); ++ 0x0000, 0x0100, NULL, 0, 3000); + dev_dbg(dev, "set handshake - retC = %d", ret); + + /* device resume */ +-- +2.31.1 + diff --git a/patches.suse/media-msi001-fix-possible-null-ptr-deref-in-msi001_p.patch b/patches.suse/media-msi001-fix-possible-null-ptr-deref-in-msi001_p.patch new file mode 100644 index 0000000..dac1cff --- /dev/null +++ b/patches.suse/media-msi001-fix-possible-null-ptr-deref-in-msi001_p.patch @@ -0,0 +1,58 @@ +From 3d5831a40d3464eea158180eb12cbd81c5edfb6a Mon Sep 17 00:00:00 2001 +From: Wang Hai +Date: Tue, 26 Oct 2021 13:23:48 +0200 +Subject: [PATCH] media: msi001: fix possible null-ptr-deref in msi001_probe() +Git-commit: 3d5831a40d3464eea158180eb12cbd81c5edfb6a +Patch-mainline: v5.17-rc1 +References: git-fixes + +I got a null-ptr-deref report: + +Bug: kernel NULL pointer dereference, address: 0000000000000060 +... +Rip: 0010:v4l2_ctrl_auto_cluster+0x57/0x270 +... +Call Trace: + msi001_probe+0x13b/0x24b [msi001] + spi_probe+0xeb/0x130 +... + do_syscall_64+0x35/0xb0 + +In msi001_probe(), if the creation of control for bandwidth_auto +fails, there will be a null-ptr-deref issue when it is used in +v4l2_ctrl_auto_cluster(). + +Check dev->hdl.error before v4l2_ctrl_auto_cluster() to fix this bug. + +Link: https://lore.kernel.org/linux-media/20211026112348.2878040-1-wanghai38@huawei.com +Fixes: 93203dd6c7c4 ("[media] msi001: Mirics MSi001 silicon tuner driver") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/tuners/msi001.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/media/tuners/msi001.c b/drivers/media/tuners/msi001.c +index 78e6fd600d8e..44247049a319 100644 +--- a/drivers/media/tuners/msi001.c ++++ b/drivers/media/tuners/msi001.c +@@ -442,6 +442,13 @@ static int msi001_probe(struct spi_device *spi) + V4L2_CID_RF_TUNER_BANDWIDTH_AUTO, 0, 1, 1, 1); + dev->bandwidth = v4l2_ctrl_new_std(&dev->hdl, &msi001_ctrl_ops, + V4L2_CID_RF_TUNER_BANDWIDTH, 200000, 8000000, 1, 200000); ++ if (dev->hdl.error) { ++ ret = dev->hdl.error; ++ dev_err(&spi->dev, "Could not initialize controls\n"); ++ /* control init failed, free handler */ ++ goto err_ctrl_handler_free; ++ } ++ + v4l2_ctrl_auto_cluster(2, &dev->bandwidth_auto, 0, false); + dev->lna_gain = v4l2_ctrl_new_std(&dev->hdl, &msi001_ctrl_ops, + V4L2_CID_RF_TUNER_LNA_GAIN, 0, 1, 1, 1); +-- +2.31.1 + diff --git a/patches.suse/media-mtk-vcodec-call-v4l2_m2m_ctx_release-first-whe.patch b/patches.suse/media-mtk-vcodec-call-v4l2_m2m_ctx_release-first-whe.patch new file mode 100644 index 0000000..597a40d --- /dev/null +++ b/patches.suse/media-mtk-vcodec-call-v4l2_m2m_ctx_release-first-whe.patch @@ -0,0 +1,86 @@ +From 9f89c881bffbdffe4060ffaef3489a2830a6dd9c Mon Sep 17 00:00:00 2001 +From: Dafna Hirschfeld +Date: Wed, 17 Nov 2021 14:06:30 +0100 +Subject: [PATCH] media: mtk-vcodec: call v4l2_m2m_ctx_release first when file is released +Git-commit: 9f89c881bffbdffe4060ffaef3489a2830a6dd9c +Patch-mainline: v5.17-rc1 +References: git-fixes + +The func v4l2_m2m_ctx_release waits for currently running jobs +to finish and then stop streaming both queues and frees the buffers. +All this should be done before the call to mtk_vcodec_enc_release +which frees the encoder handler. This fixes null-pointer dereference bug: + +[ 638.028076] Mem abort info: +[ 638.030932] ESR = 0x96000004 +[ 638.033978] EC = 0x25: DABT (current EL), IL = 32 bits +[ 638.039293] SET = 0, FnV = 0 +[ 638.042338] EA = 0, S1PTW = 0 +[ 638.045474] FSC = 0x04: level 0 translation fault +[ 638.050349] Data abort info: +[ 638.053224] ISV = 0, ISS = 0x00000004 +[ 638.057055] CM = 0, WnR = 0 +[ 638.060018] user pgtable: 4k pages, 48-bit VAs, pgdp=000000012b6db000 +[ 638.066485] [00000000000001a0] pgd=0000000000000000, p4d=0000000000000000 +[ 638.073277] Internal error: Oops: 96000004 [#1] SMP +[ 638.078145] Modules linked in: rfkill mtk_vcodec_dec mtk_vcodec_enc uvcvideo mtk_mdp mtk_vcodec_common videobuf2_dma_contig v4l2_h264 cdc_ether v4l2_mem2mem videobuf2_vmalloc usbnet videobuf2_memops videobuf2_v4l2 r8152 videobuf2_common videodev cros_ec_sensors cros_ec_sensors_core industrialio_triggered_buffer kfifo_buf elan_i2c elants_i2c sbs_battery mc cros_usbpd_charger cros_ec_chardev cros_usbpd_logger crct10dif_ce mtk_vpu fuse ip_tables x_tables ipv6 +[ 638.118583] CPU: 0 PID: 212 Comm: kworker/u8:5 Not tainted 5.15.0-06427-g58a1d4dcfc74-dirty #109 +[ 638.127357] Hardware name: Google Elm (DT) +[ 638.131444] Workqueue: mtk-vcodec-enc mtk_venc_worker [mtk_vcodec_enc] +[ 638.137974] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ 638.144925] pc : vp8_enc_encode+0x34/0x2b0 [mtk_vcodec_enc] +[ 638.150493] lr : venc_if_encode+0xac/0x1b0 [mtk_vcodec_enc] +[ 638.156060] sp : ffff8000124d3c40 +[ 638.159364] x29: ffff8000124d3c40 x28: 0000000000000000 x27: 0000000000000000 +[ 638.166493] x26: 0000000000000000 x25: ffff0000e7f252d0 x24: ffff8000124d3d58 +[ 638.173621] x23: ffff8000124d3d58 x22: ffff8000124d3d60 x21: 0000000000000001 +[ 638.180750] x20: ffff80001137e000 x19: 0000000000000000 x18: 0000000000000001 +[ 638.187878] x17: 000000040044ffff x16: 00400032b5503510 x15: 0000000000000000 +[ 638.195006] x14: ffff8000118536c0 x13: ffff8000ee1da000 x12: 0000000030d4d91d +[ 638.202134] x11: 0000000000000000 x10: 0000000000000980 x9 : ffff8000124d3b20 +[ 638.209262] x8 : ffff0000c18d4ea0 x7 : ffff0000c18d44c0 x6 : ffff0000c18d44c0 +[ 638.216391] x5 : ffff80000904a3b0 x4 : ffff8000124d3d58 x3 : ffff8000124d3d60 +[ 638.223519] x2 : ffff8000124d3d78 x1 : 0000000000000001 x0 : ffff80001137efb8 +[ 638.230648] Call trace: +[ 638.233084] vp8_enc_encode+0x34/0x2b0 [mtk_vcodec_enc] +[ 638.238304] venc_if_encode+0xac/0x1b0 [mtk_vcodec_enc] +[ 638.243525] mtk_venc_worker+0x110/0x250 [mtk_vcodec_enc] +[ 638.248918] process_one_work+0x1f8/0x498 +[ 638.252923] worker_thread+0x140/0x538 +[ 638.256664] kthread+0x148/0x158 +[ 638.259884] ret_from_fork+0x10/0x20 +[ 638.263455] Code: f90023f9 2a0103f5 aa0303f6 aa0403f8 (f940d277) +[ 638.269538] ---[ end trace e374fc10f8e181f5 ]--- + +[gst-master] root@debian:~/gst-build# [ 638.019193] Unable to handle kernel NULL pointer dereference at virtual address 00000000000001a0 + +Fixes: 4e855a6efa547 ("[media] vcodec: mediatek: Add Mediatek V4L2 Video Encoder Driver") +Signed-off-by: Dafna Hirschfeld +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/platform/mtk-vcodec/mtk_vcodec_enc_drv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc_drv.c b/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc_drv.c +index b576f44ce505..fa7b495c778b 100644 +--- a/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc_drv.c ++++ b/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc_drv.c +@@ -214,11 +214,11 @@ static int fops_vcodec_release(struct file *file) + mtk_v4l2_debug(1, "[%d] encoder", ctx->id); + mutex_lock(&dev->dev_mutex); + ++ v4l2_m2m_ctx_release(ctx->m2m_ctx); + mtk_vcodec_enc_release(ctx); + v4l2_fh_del(&ctx->fh); + v4l2_fh_exit(&ctx->fh); + v4l2_ctrl_handler_free(&ctx->ctrl_hdl); +- v4l2_m2m_ctx_release(ctx->m2m_ctx); + + list_del_init(&ctx->list); + kfree(ctx); +-- +2.31.1 + diff --git a/patches.suse/media-pvrusb2-fix-control-message-timeouts.patch b/patches.suse/media-pvrusb2-fix-control-message-timeouts.patch new file mode 100644 index 0000000..e83d9af --- /dev/null +++ b/patches.suse/media-pvrusb2-fix-control-message-timeouts.patch @@ -0,0 +1,65 @@ +From b82bf9b9dc305d7d3d93eab106d70dbf2171b43e Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 25 Oct 2021 13:16:39 +0100 +Subject: [PATCH] media: pvrusb2: fix control-message timeouts +Git-commit: b82bf9b9dc305d7d3d93eab106d70dbf2171b43e +Patch-mainline: v5.17-rc1 +References: git-fixes + +USB control-message timeouts are specified in milliseconds and should +specifically not vary with CONFIG_HZ. + +Fixes: d855497edbfb ("V4L/DVB (4228a): pvrusb2 to kernel 2.6.18") +Cc: stable@vger.kernel.org # 2.6.18 +Signed-off-by: Johan Hovold +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c +index d38dee1792e4..3915d551d59e 100644 +--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c ++++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c +@@ -1467,7 +1467,7 @@ static int pvr2_upload_firmware1(struct pvr2_hdw *hdw) + for (address = 0; address < fwsize; address += 0x800) { + memcpy(fw_ptr, fw_entry->data + address, 0x800); + ret += usb_control_msg(hdw->usb_dev, pipe, 0xa0, 0x40, address, +- 0, fw_ptr, 0x800, HZ); ++ 0, fw_ptr, 0x800, 1000); + } + + trace_firmware("Upload done, releasing device's CPU"); +@@ -1605,7 +1605,7 @@ int pvr2_upload_firmware2(struct pvr2_hdw *hdw) + ((u32 *)fw_ptr)[icnt] = swab32(((u32 *)fw_ptr)[icnt]); + + ret |= usb_bulk_msg(hdw->usb_dev, pipe, fw_ptr,bcnt, +- &actual_length, HZ); ++ &actual_length, 1000); + ret |= (actual_length != bcnt); + if (ret) break; + fw_done += bcnt; +@@ -3438,7 +3438,7 @@ void pvr2_hdw_cpufw_set_enabled(struct pvr2_hdw *hdw, + 0xa0,0xc0, + address,0, + hdw->fw_buffer+address, +- 0x800,HZ); ++ 0x800,1000); + if (ret < 0) break; + } + +@@ -3977,7 +3977,7 @@ void pvr2_hdw_cpureset_assert(struct pvr2_hdw *hdw,int val) + /* Write the CPUCS register on the 8051. The lsb of the register + is the reset bit; a 1 asserts reset while a 0 clears it. */ + pipe = usb_sndctrlpipe(hdw->usb_dev, 0); +- ret = usb_control_msg(hdw->usb_dev,pipe,0xa0,0x40,0xe600,0,da,1,HZ); ++ ret = usb_control_msg(hdw->usb_dev,pipe,0xa0,0x40,0xe600,0,da,1,1000); + if (ret < 0) { + pvr2_trace(PVR2_TRACE_ERROR_LEGS, + "cpureset_assert(%d) error=%d",val,ret); +-- +2.31.1 + diff --git a/patches.suse/media-rcar-csi2-Correct-the-selection-of-hsfreqrange.patch b/patches.suse/media-rcar-csi2-Correct-the-selection-of-hsfreqrange.patch new file mode 100644 index 0000000..d4c162d --- /dev/null +++ b/patches.suse/media-rcar-csi2-Correct-the-selection-of-hsfreqrange.patch @@ -0,0 +1,83 @@ +From cee44d4fbacbbdfe62697ec94e76c6e4f726c5df Mon Sep 17 00:00:00 2001 +From: Suresh Udipi +Date: Fri, 13 Aug 2021 17:07:54 +0200 +Subject: [PATCH] media: rcar-csi2: Correct the selection of hsfreqrange +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: cee44d4fbacbbdfe62697ec94e76c6e4f726c5df +Patch-mainline: v5.17-rc1 +References: git-fixes + +hsfreqrange should be chosen based on the calculated mbps which +is closer to the default bit rate and within the range as per +table[1]. But current calculation always selects first value which +is greater than or equal to the calculated mbps which may lead +to chosing a wrong range in some cases. + +For example for 360 mbps for H3/M3N +Existing logic selects +Calculated value 360Mbps : Default 400Mbps Range [368.125 -433.125 mbps] + +This hsfreqrange is out of range. + +The logic is changed to get the default value which is closest to the +calculated value [1] + +Calculated value 360Mbps : Default 350Mbps Range [320.625 -380.625 mpbs] + +[1] specs r19uh0105ej0200-r-car-3rd-generation.pdf [Table 25.9] + +Please note that According to Renesas in Table 25.9 the range for +220 default value is corrected as below + + |Range (Mbps) | Default Bit rate (Mbps) | + ----------------------------------------------- + | 197.125-244.125 | 220 | + ----------------------------------------------- + +Fixes: 769afd212b16 ("media: rcar-csi2: add Renesas R-Car MIPI CSI-2 receiver driver") +Signed-off-by: Suresh Udipi +Signed-off-by: Kazuyoshi Akiyama +Signed-off-by: Michael Rodin +Reviewed-by: Niklas Söderlund +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/platform/rcar-vin/rcar-csi2.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/rcar-vin/rcar-csi2.c b/drivers/media/platform/rcar-vin/rcar-csi2.c +index 11848d0c4a55..436b7be96920 100644 +--- a/drivers/media/platform/rcar-vin/rcar-csi2.c ++++ b/drivers/media/platform/rcar-vin/rcar-csi2.c +@@ -542,16 +542,23 @@ static int rcsi2_wait_phy_start(struct rcar_csi2 *priv, + static int rcsi2_set_phypll(struct rcar_csi2 *priv, unsigned int mbps) + { + const struct rcsi2_mbps_reg *hsfreq; ++ const struct rcsi2_mbps_reg *hsfreq_prev = NULL; + +- for (hsfreq = priv->info->hsfreqrange; hsfreq->mbps != 0; hsfreq++) ++ for (hsfreq = priv->info->hsfreqrange; hsfreq->mbps != 0; hsfreq++) { + if (hsfreq->mbps >= mbps) + break; ++ hsfreq_prev = hsfreq; ++ } + + if (!hsfreq->mbps) { + dev_err(priv->dev, "Unsupported PHY speed (%u Mbps)", mbps); + return -ERANGE; + } + ++ if (hsfreq_prev && ++ ((mbps - hsfreq_prev->mbps) <= (hsfreq->mbps - mbps))) ++ hsfreq = hsfreq_prev; ++ + rcsi2_write(priv, PHYPLL_REG, PHYPLL_HSFREQRANGE(hsfreq->reg)); + + return 0; +-- +2.31.1 + diff --git a/patches.suse/media-rcar-csi2-Optimize-the-selection-PHTW-register.patch b/patches.suse/media-rcar-csi2-Optimize-the-selection-PHTW-register.patch new file mode 100644 index 0000000..67c91cd --- /dev/null +++ b/patches.suse/media-rcar-csi2-Optimize-the-selection-PHTW-register.patch @@ -0,0 +1,58 @@ +From 549cc89cd09a85aaa16dc07ef3db811d5cf9bcb1 Mon Sep 17 00:00:00 2001 +From: Suresh Udipi +Date: Fri, 13 Aug 2021 17:07:56 +0200 +Subject: [PATCH] media: rcar-csi2: Optimize the selection PHTW register +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 549cc89cd09a85aaa16dc07ef3db811d5cf9bcb1 +Patch-mainline: v5.17-rc1 +References: git-fixes + +PHTW register is selected based on default bit rate from Table[1]. +for the bit rates less than or equal to 250. Currently first +value of default bit rate which is greater than or equal to +the caculated mbps is selected. This selection can be further +improved by selecting the default bit rate which is nearest to +the calculated value. + +[1] specs r19uh0105ej0200-r-car-3rd-generation.pdf [Table 25.12] + +Fixes: 769afd212b16 ("media: rcar-csi2: add Renesas R-Car MIPI CSI-2 receiver driver") +Signed-off-by: Suresh Udipi +Signed-off-by: Michael Rodin +Reviewed-by: Niklas Söderlund +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/platform/rcar-vin/rcar-csi2.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/rcar-vin/rcar-csi2.c b/drivers/media/platform/rcar-vin/rcar-csi2.c +index db119a002414..e2c4ab69a477 100644 +--- a/drivers/media/platform/rcar-vin/rcar-csi2.c ++++ b/drivers/media/platform/rcar-vin/rcar-csi2.c +@@ -1108,10 +1108,17 @@ static int rcsi2_phtw_write_mbps(struct rcar_csi2 *priv, unsigned int mbps, + const struct rcsi2_mbps_reg *values, u16 code) + { + const struct rcsi2_mbps_reg *value; ++ const struct rcsi2_mbps_reg *prev_value = NULL; + +- for (value = values; value->mbps; value++) ++ for (value = values; value->mbps; value++) { + if (value->mbps >= mbps) + break; ++ prev_value = value; ++ } ++ ++ if (prev_value && ++ ((mbps - prev_value->mbps) <= (value->mbps - mbps))) ++ value = prev_value; + + if (!value->mbps) { + dev_err(priv->dev, "Unsupported PHY speed (%u Mbps)", mbps); +-- +2.31.1 + diff --git a/patches.suse/media-redrat3-fix-control-message-timeouts.patch b/patches.suse/media-redrat3-fix-control-message-timeouts.patch new file mode 100644 index 0000000..da62735 --- /dev/null +++ b/patches.suse/media-redrat3-fix-control-message-timeouts.patch @@ -0,0 +1,120 @@ +From 2adc965c8bfa224e11ecccf9c92fd458c4236428 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 25 Oct 2021 13:16:35 +0100 +Subject: [PATCH] media: redrat3: fix control-message timeouts +Git-commit: 2adc965c8bfa224e11ecccf9c92fd458c4236428 +Patch-mainline: v5.17-rc1 +References: git-fixes + +USB control-message timeouts are specified in milliseconds and should +specifically not vary with CONFIG_HZ. + +Fixes: 2154be651b90 ("[media] redrat3: new rc-core IR transceiver device driver") +Cc: stable@vger.kernel.org # 3.0 +Signed-off-by: Johan Hovold +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/rc/redrat3.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/drivers/media/rc/redrat3.c b/drivers/media/rc/redrat3.c +index ac85464864b9..cb22316b3f00 100644 +--- a/drivers/media/rc/redrat3.c ++++ b/drivers/media/rc/redrat3.c +@@ -404,7 +404,7 @@ static int redrat3_send_cmd(int cmd, struct redrat3_dev *rr3) + udev = rr3->udev; + res = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0), cmd, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN, +- 0x0000, 0x0000, data, sizeof(u8), HZ * 10); ++ 0x0000, 0x0000, data, sizeof(u8), 10000); + + if (res < 0) { + dev_err(rr3->dev, "%s: Error sending rr3 cmd res %d, data %d", +@@ -480,7 +480,7 @@ static u32 redrat3_get_timeout(struct redrat3_dev *rr3) + pipe = usb_rcvctrlpipe(rr3->udev, 0); + ret = usb_control_msg(rr3->udev, pipe, RR3_GET_IR_PARAM, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN, +- RR3_IR_IO_SIG_TIMEOUT, 0, tmp, len, HZ * 5); ++ RR3_IR_IO_SIG_TIMEOUT, 0, tmp, len, 5000); + if (ret != len) + dev_warn(rr3->dev, "Failed to read timeout from hardware\n"); + else { +@@ -510,7 +510,7 @@ static int redrat3_set_timeout(struct rc_dev *rc_dev, unsigned int timeoutus) + ret = usb_control_msg(udev, usb_sndctrlpipe(udev, 0), RR3_SET_IR_PARAM, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT, + RR3_IR_IO_SIG_TIMEOUT, 0, timeout, sizeof(*timeout), +- HZ * 25); ++ 25000); + dev_dbg(dev, "set ir parm timeout %d ret 0x%02x\n", + be32_to_cpu(*timeout), ret); + +@@ -542,32 +542,32 @@ static void redrat3_reset(struct redrat3_dev *rr3) + *val = 0x01; + rc = usb_control_msg(udev, rxpipe, RR3_RESET, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN, +- RR3_CPUCS_REG_ADDR, 0, val, len, HZ * 25); ++ RR3_CPUCS_REG_ADDR, 0, val, len, 25000); + dev_dbg(dev, "reset returned 0x%02x\n", rc); + + *val = length_fuzz; + rc = usb_control_msg(udev, txpipe, RR3_SET_IR_PARAM, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT, +- RR3_IR_IO_LENGTH_FUZZ, 0, val, len, HZ * 25); ++ RR3_IR_IO_LENGTH_FUZZ, 0, val, len, 25000); + dev_dbg(dev, "set ir parm len fuzz %d rc 0x%02x\n", *val, rc); + + *val = (65536 - (minimum_pause * 2000)) / 256; + rc = usb_control_msg(udev, txpipe, RR3_SET_IR_PARAM, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT, +- RR3_IR_IO_MIN_PAUSE, 0, val, len, HZ * 25); ++ RR3_IR_IO_MIN_PAUSE, 0, val, len, 25000); + dev_dbg(dev, "set ir parm min pause %d rc 0x%02x\n", *val, rc); + + *val = periods_measure_carrier; + rc = usb_control_msg(udev, txpipe, RR3_SET_IR_PARAM, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT, +- RR3_IR_IO_PERIODS_MF, 0, val, len, HZ * 25); ++ RR3_IR_IO_PERIODS_MF, 0, val, len, 25000); + dev_dbg(dev, "set ir parm periods measure carrier %d rc 0x%02x", *val, + rc); + + *val = RR3_DRIVER_MAXLENS; + rc = usb_control_msg(udev, txpipe, RR3_SET_IR_PARAM, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT, +- RR3_IR_IO_MAX_LENGTHS, 0, val, len, HZ * 25); ++ RR3_IR_IO_MAX_LENGTHS, 0, val, len, 25000); + dev_dbg(dev, "set ir parm max lens %d rc 0x%02x\n", *val, rc); + + kfree(val); +@@ -585,7 +585,7 @@ static void redrat3_get_firmware_rev(struct redrat3_dev *rr3) + rc = usb_control_msg(rr3->udev, usb_rcvctrlpipe(rr3->udev, 0), + RR3_FW_VERSION, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN, +- 0, 0, buffer, RR3_FW_VERSION_LEN, HZ * 5); ++ 0, 0, buffer, RR3_FW_VERSION_LEN, 5000); + + if (rc >= 0) + dev_info(rr3->dev, "Firmware rev: %s", buffer); +@@ -825,14 +825,14 @@ static int redrat3_transmit_ir(struct rc_dev *rcdev, unsigned *txbuf, + + pipe = usb_sndbulkpipe(rr3->udev, rr3->ep_out->bEndpointAddress); + ret = usb_bulk_msg(rr3->udev, pipe, irdata, +- sendbuf_len, &ret_len, 10 * HZ); ++ sendbuf_len, &ret_len, 10000); + dev_dbg(dev, "sent %d bytes, (ret %d)\n", ret_len, ret); + + /* now tell the hardware to transmit what we sent it */ + pipe = usb_rcvctrlpipe(rr3->udev, 0); + ret = usb_control_msg(rr3->udev, pipe, RR3_TX_SEND_SIGNAL, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN, +- 0, 0, irdata, 2, HZ * 10); ++ 0, 0, irdata, 2, 10000); + + if (ret < 0) + dev_err(dev, "Error: control msg send failed, rc %d\n", ret); +-- +2.31.1 + diff --git a/patches.suse/media-s2255-fix-control-message-timeouts.patch b/patches.suse/media-s2255-fix-control-message-timeouts.patch new file mode 100644 index 0000000..2a59091 --- /dev/null +++ b/patches.suse/media-s2255-fix-control-message-timeouts.patch @@ -0,0 +1,50 @@ +From f71d272ad4e354097020a4e6b1dc6e4b59feb50f Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 25 Oct 2021 13:16:40 +0100 +Subject: [PATCH] media: s2255: fix control-message timeouts +Git-commit: f71d272ad4e354097020a4e6b1dc6e4b59feb50f +Patch-mainline: v5.17-rc1 +References: git-fixes + +USB control-message timeouts are specified in milliseconds and should +specifically not vary with CONFIG_HZ. + +Use the common control-message timeout define for the five-second +timeouts. + +Fixes: 38f993ad8b1f ("V4L/DVB (8125): This driver adds support for the Sensoray 2255 devices.") +Cc: stable@vger.kernel.org # 2.6.27 +Signed-off-by: Johan Hovold +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/usb/s2255/s2255drv.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/usb/s2255/s2255drv.c b/drivers/media/usb/s2255/s2255drv.c +index 3b0e4ed75d99..acf18e2251a5 100644 +--- a/drivers/media/usb/s2255/s2255drv.c ++++ b/drivers/media/usb/s2255/s2255drv.c +@@ -1882,7 +1882,7 @@ static long s2255_vendor_req(struct s2255_dev *dev, unsigned char Request, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | + USB_DIR_IN, + Value, Index, buf, +- TransferBufferLength, HZ * 5); ++ TransferBufferLength, USB_CTRL_SET_TIMEOUT); + + if (r >= 0) + memcpy(TransferBuffer, buf, TransferBufferLength); +@@ -1891,7 +1891,7 @@ static long s2255_vendor_req(struct s2255_dev *dev, unsigned char Request, + r = usb_control_msg(dev->udev, usb_sndctrlpipe(dev->udev, 0), + Request, USB_TYPE_VENDOR | USB_RECIP_DEVICE, + Value, Index, buf, +- TransferBufferLength, HZ * 5); ++ TransferBufferLength, USB_CTRL_SET_TIMEOUT); + } + kfree(buf); + return r; +-- +2.31.1 + diff --git a/patches.suse/media-saa7146-mxb-Fix-a-NULL-pointer-dereference-in-.patch b/patches.suse/media-saa7146-mxb-Fix-a-NULL-pointer-dereference-in-.patch new file mode 100644 index 0000000..18a3468 --- /dev/null +++ b/patches.suse/media-saa7146-mxb-Fix-a-NULL-pointer-dereference-in-.patch @@ -0,0 +1,64 @@ +From 0407c49ebe330333478440157c640fffd986f41b Mon Sep 17 00:00:00 2001 +From: Zhou Qingyang +Date: Tue, 30 Nov 2021 17:34:44 +0100 +Subject: [PATCH] media: saa7146: mxb: Fix a NULL pointer dereference in mxb_attach() +Git-commit: 0407c49ebe330333478440157c640fffd986f41b +Patch-mainline: v5.17-rc1 +References: git-fixes + +In mxb_attach(dev, info), saa7146_vv_init() is called to allocate a +new memory for dev->vv_data. saa7146_vv_release() will be called on +failure of mxb_probe(dev). There is a dereference of dev->vv_data +in saa7146_vv_release(), which could lead to a NULL pointer dereference +on failure of saa7146_vv_init(). + +Fix this bug by adding a check of saa7146_vv_init(). + +This bug was found by a static analyzer. The analysis employs +differential checking to identify inconsistent security operations +(e.g., checks or kfrees) between two code paths and confirms that the +inconsistent operations are not recovered in the current function or +the callers, so they constitute bugs. + +Note that, as a bug found by static analysis, it can be a false +positive or hard to trigger. Multiple researchers have cross-reviewed +the bug. + +Builds with CONFIG_VIDEO_MXB=m show no new warnings, +and our static analyzer no longer warns about this code. + +Fixes: 03b1930efd3c ("V4L/DVB: saa7146: fix regression of the av7110/budget-av driver") +Signed-off-by: Zhou Qingyang +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/pci/saa7146/mxb.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/pci/saa7146/mxb.c b/drivers/media/pci/saa7146/mxb.c +index 73fc901ecf3d..bf0b9b0914cd 100644 +--- a/drivers/media/pci/saa7146/mxb.c ++++ b/drivers/media/pci/saa7146/mxb.c +@@ -683,10 +683,16 @@ static struct saa7146_ext_vv vv_data; + static int mxb_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_data *info) + { + struct mxb *mxb; ++ int ret; + + DEB_EE("dev:%p\n", dev); + +- saa7146_vv_init(dev, &vv_data); ++ ret = saa7146_vv_init(dev, &vv_data); ++ if (ret) { ++ ERR("Error in saa7146_vv_init()"); ++ return ret; ++ } ++ + if (mxb_probe(dev)) { + saa7146_vv_release(dev); + return -1; +-- +2.31.1 + diff --git a/patches.suse/media-si2157-Fix-warm-tuner-state-detection.patch b/patches.suse/media-si2157-Fix-warm-tuner-state-detection.patch new file mode 100644 index 0000000..f44f983 --- /dev/null +++ b/patches.suse/media-si2157-Fix-warm-tuner-state-detection.patch @@ -0,0 +1,61 @@ +From a6441ea29cb2c9314654e093a1cd8020b9b851c8 Mon Sep 17 00:00:00 2001 +From: Robert Schlabbach +Date: Wed, 1 Dec 2021 22:08:43 +0100 +Subject: [PATCH] media: si2157: Fix "warm" tuner state detection +Git-commit: a6441ea29cb2c9314654e093a1cd8020b9b851c8 +Patch-mainline: v5.17-rc1 +References: git-fixes + +Commit e955f959ac52 ("media: si2157: Better check for running tuner in +init") completely broke the "warm" tuner detection of the si2157 driver +due to a simple endian error: The Si2157 CRYSTAL_TRIM property code is +0x0402 and needs to be transmitted LSB first. However, it was inserted +MSB first, causing the warm detection to always fail and spam the kernel +log with tuner initialization messages each time the DVB frontend +device was closed and reopened: + +[ 312.215682] si2157 16-0060: found a 'Silicon Labs Si2157-A30' +[ 312.264334] si2157 16-0060: firmware version: 3.0.5 +[ 342.248593] si2157 16-0060: found a 'Silicon Labs Si2157-A30' +[ 342.295743] si2157 16-0060: firmware version: 3.0.5 +[ 372.328574] si2157 16-0060: found a 'Silicon Labs Si2157-A30' +[ 372.385035] si2157 16-0060: firmware version: 3.0.5 + +Also, the reinitializations were observed disturb _other_ tuners on +multi-tuner cards such as the Hauppauge WinTV-QuadHD, leading to missed +or errored packets when one of the other DVB frontend devices on that +card was opened. + +Fix the order of the property code bytes to make the warm detection work +again, also reducing the tuner initialization message in the kernel log +to once per power-on, as well as fixing the interference with other +tuners. + +Link: https://lore.kernel.org/linux-media/trinity-2a86eb9d-6264-4387-95e1-ba7b79a4050f-1638392923493@3c-app-gmx-bap03 + +Fixes: e955f959ac52 ("media: si2157: Better check for running tuner in init") +Reported-by: Robert Schlabbach +Signed-off-by: Robert Schlabbach +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/tuners/si2157.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/tuners/si2157.c b/drivers/media/tuners/si2157.c +index fefb2625f655..75ddf7ed1faf 100644 +--- a/drivers/media/tuners/si2157.c ++++ b/drivers/media/tuners/si2157.c +@@ -90,7 +90,7 @@ static int si2157_init(struct dvb_frontend *fe) + dev_dbg(&client->dev, "\n"); + + /* Try to get Xtal trim property, to verify tuner still running */ +- memcpy(cmd.args, "\x15\x00\x04\x02", 4); ++ memcpy(cmd.args, "\x15\x00\x02\x04", 4); + cmd.wlen = 4; + cmd.rlen = 4; + ret = si2157_cmd_execute(client, &cmd); +-- +2.31.1 + diff --git a/patches.suse/media-si470x-i2c-fix-possible-memory-leak-in-si470x_.patch b/patches.suse/media-si470x-i2c-fix-possible-memory-leak-in-si470x_.patch new file mode 100644 index 0000000..c350f94 --- /dev/null +++ b/patches.suse/media-si470x-i2c-fix-possible-memory-leak-in-si470x_.patch @@ -0,0 +1,62 @@ +From ef054e345ed8c79ce1121a3599b5a2dfd78e57a0 Mon Sep 17 00:00:00 2001 +From: Yang Yingliang +Date: Fri, 15 Oct 2021 11:58:55 +0200 +Subject: [PATCH] media: si470x-i2c: fix possible memory leak in si470x_i2c_probe() +Git-commit: ef054e345ed8c79ce1121a3599b5a2dfd78e57a0 +Patch-mainline: v5.17-rc1 +References: git-fixes + +n the 'radio->hdl.error' error handling, ctrl handler allocated by +v4l2_ctrl_new_std() does not released, and caused memory leak as +Follows: + +unreferenced object 0xffff888033d54200 (size 256): + comm "i2c-si470x-19", pid 909, jiffies 4294914203 (age 8.072s) + hex dump (first 32 bytes): + e8 69 11 03 80 88 ff ff 00 46 d5 33 80 88 ff ff .i.......F.3.... + 10 42 d5 33 80 88 ff ff 10 42 d5 33 80 88 ff ff .B.3.....B.3.... + backtrace: + [<00000000086bd4ed>] __kmalloc_node+0x1eb/0x360 + [<00000000bdb68871>] kvmalloc_node+0x66/0x120 + [<00000000fac74e4c>] v4l2_ctrl_new+0x7b9/0x1c60 [videodev] + [<00000000693bf940>] v4l2_ctrl_new_std+0x19b/0x270 [videodev] + [<00000000c0cb91bc>] si470x_i2c_probe+0x2d3/0x9a0 [radio_si470x_i2c] + [<0000000056a6f01f>] i2c_device_probe+0x4d8/0xbe0 + +Fix the error handling path to avoid memory leak. + +Reported-by: Hulk Robot +Fixes: 8c081b6f9a9b ("media: radio: Critical v4l2 registration...") +Signed-off-by: Yang Yingliang +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/radio/si470x/radio-si470x-i2c.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/media/radio/si470x/radio-si470x-i2c.c b/drivers/media/radio/si470x/radio-si470x-i2c.c +index bdb13c974b02..59b3d77e282d 100644 +--- a/drivers/media/radio/si470x/radio-si470x-i2c.c ++++ b/drivers/media/radio/si470x/radio-si470x-i2c.c +@@ -367,7 +367,7 @@ static int si470x_i2c_probe(struct i2c_client *client) + if (radio->hdl.error) { + retval = radio->hdl.error; + dev_err(&client->dev, "couldn't register control\n"); +- goto err_dev; ++ goto err_all; + } + + /* video device initialization */ +@@ -452,7 +452,6 @@ static int si470x_i2c_probe(struct i2c_client *client) + return 0; + err_all: + v4l2_ctrl_handler_free(&radio->hdl); +-err_dev: + v4l2_device_unregister(&radio->v4l2_dev); + err_initial: + return retval; +-- +2.31.1 + diff --git a/patches.suse/media-stk1160-fix-control-message-timeouts.patch b/patches.suse/media-stk1160-fix-control-message-timeouts.patch new file mode 100644 index 0000000..5954c37 --- /dev/null +++ b/patches.suse/media-stk1160-fix-control-message-timeouts.patch @@ -0,0 +1,47 @@ +From 6aa6e70cdb5b863a57bad61310bf89b6617a5d2d Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 25 Oct 2021 13:16:41 +0100 +Subject: [PATCH] media: stk1160: fix control-message timeouts +Git-commit: 6aa6e70cdb5b863a57bad61310bf89b6617a5d2d +Patch-mainline: v5.17-rc1 +References: git-fixes + +USB control-message timeouts are specified in milliseconds and should +specifically not vary with CONFIG_HZ. + +Fixes: 9cb2173e6ea8 ("[media] media: Add stk1160 new driver (easycap replacement)") +Cc: stable@vger.kernel.org # 3.7 +Signed-off-by: Johan Hovold +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/usb/stk1160/stk1160-core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/usb/stk1160/stk1160-core.c b/drivers/media/usb/stk1160/stk1160-core.c +index b4f8bc5db138..4e1698f78818 100644 +--- a/drivers/media/usb/stk1160/stk1160-core.c ++++ b/drivers/media/usb/stk1160/stk1160-core.c +@@ -65,7 +65,7 @@ int stk1160_read_reg(struct stk1160 *dev, u16 reg, u8 *value) + return -ENOMEM; + ret = usb_control_msg(dev->udev, pipe, 0x00, + USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE, +- 0x00, reg, buf, sizeof(u8), HZ); ++ 0x00, reg, buf, sizeof(u8), 1000); + if (ret < 0) { + stk1160_err("read failed on reg 0x%x (%d)\n", + reg, ret); +@@ -85,7 +85,7 @@ int stk1160_write_reg(struct stk1160 *dev, u16 reg, u16 value) + + ret = usb_control_msg(dev->udev, pipe, 0x01, + USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE, +- value, reg, NULL, 0, HZ); ++ value, reg, NULL, 0, 1000); + if (ret < 0) { + stk1160_err("write failed on reg 0x%x (%d)\n", + reg, ret); +-- +2.31.1 + diff --git a/patches.suse/media-streamzap-remove-unnecessary-ir_raw_event_rese.patch b/patches.suse/media-streamzap-remove-unnecessary-ir_raw_event_rese.patch new file mode 100644 index 0000000..1559da3 --- /dev/null +++ b/patches.suse/media-streamzap-remove-unnecessary-ir_raw_event_rese.patch @@ -0,0 +1,37 @@ +From 4bed9306050497f49cbe77b842f0d812f4f27593 Mon Sep 17 00:00:00 2001 +From: Sean Young +Date: Sun, 5 Dec 2021 18:06:30 +0100 +Subject: [PATCH] media: streamzap: remove unnecessary ir_raw_event_reset and handle +Git-commit: 4bed9306050497f49cbe77b842f0d812f4f27593 +Patch-mainline: v5.17-rc1 +References: git-fixes + +There is no reason to have a reset after an IR timeout. +Calling ir_raw_event_handle() twice for the same interrupt has no +affect. + +Fixes: 56b0ec30c4bc ("[media] rc/streamzap: fix reporting response times") +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/rc/streamzap.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/media/rc/streamzap.c b/drivers/media/rc/streamzap.c +index 1cc5ebb85b6c..76f5c72501c4 100644 +--- a/drivers/media/rc/streamzap.c ++++ b/drivers/media/rc/streamzap.c +@@ -244,8 +244,6 @@ static void streamzap_callback(struct urb *urb) + sz->idle = true; + if (sz->timeout_enabled) + sz_push(sz, rawir); +- ir_raw_event_handle(sz->rdev); +- ir_raw_event_reset(sz->rdev); + } else { + sz_push_full_space(sz, sz->buf_in[i]); + } +-- +2.31.1 + diff --git a/patches.suse/media-uvcvideo-fix-division-by-zero-at-stream-start.patch b/patches.suse/media-uvcvideo-fix-division-by-zero-at-stream-start.patch new file mode 100644 index 0000000..2928495 --- /dev/null +++ b/patches.suse/media-uvcvideo-fix-division-by-zero-at-stream-start.patch @@ -0,0 +1,48 @@ +From 8aa637bf6d70d2fb2ad4d708d8b9dd02b1c095df Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 26 Oct 2021 11:55:11 +0200 +Subject: [PATCH] media: uvcvideo: fix division by zero at stream start +Git-commit: 8aa637bf6d70d2fb2ad4d708d8b9dd02b1c095df +Patch-mainline: v5.17-rc1 +References: git-fixes + +Add the missing bulk-endpoint max-packet sanity check to +uvc_video_start_transfer() to avoid division by zero in +uvc_alloc_urb_buffers() in case a malicious device has broken +descriptors (or when doing descriptor fuzz testing). + +Note that USB core will reject URBs submitted for endpoints with zero +wMaxPacketSize but that drivers doing packet-size calculations still +need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip +endpoint descriptors with maxpacket=0")). + +Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver") +Cc: stable@vger.kernel.org # 2.6.26 +Signed-off-by: Johan Hovold +Reviewed-by: Kieran Bingham +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/usb/uvc/uvc_video.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c +index 9f37eaf28ce7..1b4cc934109e 100644 +--- a/drivers/media/usb/uvc/uvc_video.c ++++ b/drivers/media/usb/uvc/uvc_video.c +@@ -1963,6 +1963,10 @@ static int uvc_video_start_transfer(struct uvc_streaming *stream, + if (ep == NULL) + return -EIO; + ++ /* Reject broken descriptors. */ ++ if (usb_endpoint_maxp(&ep->desc) == 0) ++ return -EIO; ++ + ret = uvc_init_video_bulk(stream, ep, gfp_flags); + } + +-- +2.31.1 + diff --git a/patches.suse/media-venus-core-Fix-a-resource-leak-in-the-error-ha.patch b/patches.suse/media-venus-core-Fix-a-resource-leak-in-the-error-ha.patch new file mode 100644 index 0000000..902a17c --- /dev/null +++ b/patches.suse/media-venus-core-Fix-a-resource-leak-in-the-error-ha.patch @@ -0,0 +1,55 @@ +From 8cc7a1b2aca067397a016cdb971a5e6ad9b640c7 Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Thu, 19 Aug 2021 22:05:28 +0200 +Subject: [PATCH] media: venus: core: Fix a resource leak in the error handling path of 'venus_probe()' +Git-commit: 8cc7a1b2aca067397a016cdb971a5e6ad9b640c7 +Patch-mainline: v5.17-rc1 +References: git-fixes + +A successful 'of_platform_populate()' call should be balanced by a +corresponding 'of_platform_depopulate()' call in the error handling path +of the probe, as already done in the remove function. + +A successful 'venus_firmware_init()' call should be balanced by a +corresponding 'venus_firmware_deinit()' call in the error handling path +of the probe, as already done in the remove function. + +Update the error handling path accordingly. + +Fixes: f9799fcce4bb ("media: venus: firmware: register separate platform_device for firmware loader") +Signed-off-by: Christophe JAILLET +Signed-off-by: Stanimir Varbanov +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/platform/qcom/venus/core.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/media/platform/qcom/venus/core.c ++++ b/drivers/media/platform/qcom/venus/core.c +@@ -289,11 +289,11 @@ static int venus_probe(struct platform_d + + ret = venus_firmware_init(core); + if (ret) +- goto err_runtime_disable; ++ goto err_of_depopulate; + + ret = venus_boot(core); + if (ret) +- goto err_runtime_disable; ++ goto err_firmware_deinit; + + ret = hfi_core_resume(core, true); + if (ret) +@@ -329,6 +329,10 @@ err_core_deinit: + hfi_core_deinit(core, false); + err_venus_shutdown: + venus_shutdown(core); ++err_firmware_deinit: ++ venus_firmware_deinit(core); ++err_of_depopulate: ++ of_platform_depopulate(dev); + err_runtime_disable: + pm_runtime_put_noidle(dev); + pm_runtime_set_suspended(dev); diff --git a/patches.suse/mfd-intel-lpss-Fix-too-early-PM-enablement-in-the-AC.patch b/patches.suse/mfd-intel-lpss-Fix-too-early-PM-enablement-in-the-AC.patch new file mode 100644 index 0000000..448a2f9 --- /dev/null +++ b/patches.suse/mfd-intel-lpss-Fix-too-early-PM-enablement-in-the-AC.patch @@ -0,0 +1,66 @@ +From c9e143084d1a602f829115612e1ec79df3727c8b Mon Sep 17 00:00:00 2001 +From: Andy Shevchenko +Date: Mon, 1 Nov 2021 21:00:08 +0200 +Subject: [PATCH] mfd: intel-lpss: Fix too early PM enablement in the ACPI ->probe() +Git-commit: c9e143084d1a602f829115612e1ec79df3727c8b +Patch-mainline: v5.17-rc1 +References: git-fixes + +The runtime PM callback may be called as soon as the runtime PM facility +is enabled and activated. It means that ->suspend() may be called before +we finish probing the device in the ACPI case. Hence, NULL pointer +Dereference: + + intel-lpss INT34BA:00: IRQ index 0 not found + BUG: kernel NULL pointer dereference, address: 0000000000000030 + ... + Workqueue: pm pm_runtime_work + RIP: 0010:intel_lpss_suspend+0xb/0x40 [intel_lpss] + +To fix this, first try to register the device and only after that enable +runtime PM facility. + +Fixes: 4b45efe85263 ("mfd: Add support for Intel Sunrisepoint LPSS devices") +Reported-by: Orlando Chamberlain +Reported-by: Aditya Garg +Signed-off-by: Andy Shevchenko +Tested-by: Aditya Garg +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/20211101190008.86473-1-andriy.shevchenko@linux.intel.com +Acked-by: Takashi Iwai + +--- + drivers/mfd/intel-lpss-acpi.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/mfd/intel-lpss-acpi.c b/drivers/mfd/intel-lpss-acpi.c +index 3f1d976eb67c..f2ea6540a01e 100644 +--- a/drivers/mfd/intel-lpss-acpi.c ++++ b/drivers/mfd/intel-lpss-acpi.c +@@ -136,6 +136,7 @@ static int intel_lpss_acpi_probe(struct platform_device *pdev) + { + struct intel_lpss_platform_info *info; + const struct acpi_device_id *id; ++ int ret; + + id = acpi_match_device(intel_lpss_acpi_ids, &pdev->dev); + if (!id) +@@ -149,10 +150,14 @@ static int intel_lpss_acpi_probe(struct platform_device *pdev) + info->mem = platform_get_resource(pdev, IORESOURCE_MEM, 0); + info->irq = platform_get_irq(pdev, 0); + ++ ret = intel_lpss_probe(&pdev->dev, info); ++ if (ret) ++ return ret; ++ + pm_runtime_set_active(&pdev->dev); + pm_runtime_enable(&pdev->dev); + +- return intel_lpss_probe(&pdev->dev, info); ++ return 0; + } + + static int intel_lpss_acpi_remove(struct platform_device *pdev) +-- +2.31.1 + diff --git a/patches.suse/misc-lattice-ecp3-config-Fix-task-hung-when-firmware.patch b/patches.suse/misc-lattice-ecp3-config-Fix-task-hung-when-firmware.patch new file mode 100644 index 0000000..f312943 --- /dev/null +++ b/patches.suse/misc-lattice-ecp3-config-Fix-task-hung-when-firmware.patch @@ -0,0 +1,94 @@ +From fcee5ce50bdb21116711e38635e3865594af907e Mon Sep 17 00:00:00 2001 +From: Wei Yongjun +Date: Tue, 28 Dec 2021 12:55:22 +0000 +Subject: [PATCH] misc: lattice-ecp3-config: Fix task hung when firmware load failed +Git-commit: fcee5ce50bdb21116711e38635e3865594af907e +Patch-mainline: v5.17-rc1 +References: git-fixes + +When firmware load failed, kernel report task hung as follows: + +Info: task xrun:5191 blocked for more than 147 seconds. Tainted: G W 5.16.0-rc5-next-20211220+ #11 +"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +task:xrun state:D stack: 0 pid: 5191 ppid: 270 flags:0x00000004 +Call Trace: + __schedule+0xc12/0x4b50 kernel/sched/core.c:4986 + schedule+0xd7/0x260 kernel/sched/core.c:6369 (discriminator 1) + schedule_timeout+0x7aa/0xa80 kernel/time/timer.c:1857 + wait_for_completion+0x181/0x290 kernel/sched/completion.c:85 + lattice_ecp3_remove+0x32/0x40 drivers/misc/lattice-ecp3-config.c:221 + spi_remove+0x72/0xb0 drivers/spi/spi.c:409 + +lattice_ecp3_remove() wait for signals from firmware loading, but when +load failed, firmware_load() does not send this signal. This cause +device remove hung. Fix it by sending signal even if load failed. + +Fixes: 781551df57c7 ("misc: Add Lattice ECP3 FPGA configuration via SPI") +Reported-by: Hulk Robot +Signed-off-by: Wei Yongjun +Link: https://lore.kernel.org/r/20211228125522.3122284-1-weiyongjun1@huawei.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/misc/lattice-ecp3-config.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/misc/lattice-ecp3-config.c b/drivers/misc/lattice-ecp3-config.c +index 0f54730c7ed5..98828030b5a4 100644 +--- a/drivers/misc/lattice-ecp3-config.c ++++ b/drivers/misc/lattice-ecp3-config.c +@@ -76,12 +76,12 @@ static void firmware_load(const struct firmware *fw, void *context) + + if (fw == NULL) { + dev_err(&spi->dev, "Cannot load firmware, aborting\n"); +- return; ++ goto out; + } + + if (fw->size == 0) { + dev_err(&spi->dev, "Error: Firmware size is 0!\n"); +- return; ++ goto out; + } + + /* Fill dummy data (24 stuffing bits for commands) */ +@@ -103,7 +103,7 @@ static void firmware_load(const struct firmware *fw, void *context) + dev_err(&spi->dev, + "Error: No supported FPGA detected (JEDEC_ID=%08x)!\n", + jedec_id); +- return; ++ goto out; + } + + dev_info(&spi->dev, "FPGA %s detected\n", ecp3_dev[i].name); +@@ -116,7 +116,7 @@ static void firmware_load(const struct firmware *fw, void *context) + buffer = kzalloc(fw->size + 8, GFP_KERNEL); + if (!buffer) { + dev_err(&spi->dev, "Error: Can't allocate memory!\n"); +- return; ++ goto out; + } + + /* +@@ -155,7 +155,7 @@ static void firmware_load(const struct firmware *fw, void *context) + "Error: Timeout waiting for FPGA to clear (status=%08x)!\n", + status); + kfree(buffer); +- return; ++ goto out; + } + + dev_info(&spi->dev, "Configuring the FPGA...\n"); +@@ -181,7 +181,7 @@ static void firmware_load(const struct firmware *fw, void *context) + release_firmware(fw); + + kfree(buffer); +- ++out: + complete(&data->fw_loaded); + } + +-- +2.31.1 + diff --git a/patches.suse/misc-sram-Only-map-reserved-areas-in-Tegra-SYSRAM.patch b/patches.suse/misc-sram-Only-map-reserved-areas-in-Tegra-SYSRAM.patch index 23f2e69..dbc4149 100644 --- a/patches.suse/misc-sram-Only-map-reserved-areas-in-Tegra-SYSRAM.patch +++ b/patches.suse/misc-sram-Only-map-reserved-areas-in-Tegra-SYSRAM.patch @@ -3,8 +3,7 @@ Date: Thu, 15 Jul 2021 13:34:23 +0300 Subject: misc: sram: Only map reserved areas in Tegra SYSRAM Git-commit: fec29bf04994b478a43a7e60e6dd5ac1f7cb53ae -Patch-mainline: Queued -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git +Patch-mainline: v5.15-rc1 References: git-fixes On Tegra186 and later, a portion of the SYSRAM may be reserved for use diff --git a/patches.suse/mmc-meson-mx-sdio-add-IRQ-check.patch b/patches.suse/mmc-meson-mx-sdio-add-IRQ-check.patch new file mode 100644 index 0000000..f8869b3 --- /dev/null +++ b/patches.suse/mmc-meson-mx-sdio-add-IRQ-check.patch @@ -0,0 +1,44 @@ +From 8fc9a77bc64e1f23d07953439817d8402ac9706f Mon Sep 17 00:00:00 2001 +From: Sergey Shtylyov +Date: Fri, 17 Dec 2021 23:27:17 +0300 +Subject: [PATCH] mmc: meson-mx-sdio: add IRQ check +Git-commit: 8fc9a77bc64e1f23d07953439817d8402ac9706f +Patch-mainline: v5.17-rc1 +References: git-fixes + +The driver neglects to check the result of platform_get_irq()'s call and +blithely passes the negative error codes to devm_request_threaded_irq() +(which takes *unsigned* IRQ #), causing it to fail with -EINVAL, overriding +an original error code. Stop calling devm_request_threaded_irq() with the +invalid IRQ #s. + +Fixes: ed80a13bb4c4 ("mmc: meson-mx-sdio: Add a driver for the Amlogic Meson8 and Meson8b SoC") +Signed-off-by: Sergey Shtylyov +Reviewed-by: Martin Blumenstingl +Link: https://lore.kernel.org/r/20211217202717.10041-3-s.shtylyov@omp.ru +Signed-off-by: Ulf Hansson +Acked-by: Takashi Iwai + +--- + drivers/mmc/host/meson-mx-sdio.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/mmc/host/meson-mx-sdio.c b/drivers/mmc/host/meson-mx-sdio.c +index d4a48916bfb6..3a19a05ef55a 100644 +--- a/drivers/mmc/host/meson-mx-sdio.c ++++ b/drivers/mmc/host/meson-mx-sdio.c +@@ -662,6 +662,11 @@ static int meson_mx_mmc_probe(struct platform_device *pdev) + } + + irq = platform_get_irq(pdev, 0); ++ if (irq < 0) { ++ ret = irq; ++ goto error_free_mmc; ++ } ++ + ret = devm_request_threaded_irq(host->controller_dev, irq, + meson_mx_mmc_irq, + meson_mx_mmc_irq_thread, IRQF_ONESHOT, +-- +2.31.1 + diff --git a/patches.suse/mmc-sdhci-pci-Add-PCI-ID-for-Intel-ADL.patch b/patches.suse/mmc-sdhci-pci-Add-PCI-ID-for-Intel-ADL.patch new file mode 100644 index 0000000..01c208b --- /dev/null +++ b/patches.suse/mmc-sdhci-pci-Add-PCI-ID-for-Intel-ADL.patch @@ -0,0 +1,48 @@ +From e53e97f805cb1abeea000a61549d42f92cb10804 Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Wed, 24 Nov 2021 11:48:50 +0200 +Subject: [PATCH] mmc: sdhci-pci: Add PCI ID for Intel ADL +Git-commit: e53e97f805cb1abeea000a61549d42f92cb10804 +Patch-mainline: v5.17-rc1 +References: git-fixes + +Add PCI ID for Intel ADL eMMC host controller. + +Signed-off-by: Adrian Hunter +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20211124094850.1783220-1-adrian.hunter@intel.com +Signed-off-by: Ulf Hansson +Acked-by: Takashi Iwai + +--- + drivers/mmc/host/sdhci-pci-core.c | 1 + + drivers/mmc/host/sdhci-pci.h | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/drivers/mmc/host/sdhci-pci-core.c b/drivers/mmc/host/sdhci-pci-core.c +index 6f9877546830..ed53276f6ad9 100644 +--- a/drivers/mmc/host/sdhci-pci-core.c ++++ b/drivers/mmc/host/sdhci-pci-core.c +@@ -1866,6 +1866,7 @@ static const struct pci_device_id pci_ids[] = { + SDHCI_PCI_DEVICE(INTEL, JSL_SD, intel_byt_sd), + SDHCI_PCI_DEVICE(INTEL, LKF_EMMC, intel_glk_emmc), + SDHCI_PCI_DEVICE(INTEL, LKF_SD, intel_byt_sd), ++ SDHCI_PCI_DEVICE(INTEL, ADL_EMMC, intel_glk_emmc), + SDHCI_PCI_DEVICE(O2, 8120, o2), + SDHCI_PCI_DEVICE(O2, 8220, o2), + SDHCI_PCI_DEVICE(O2, 8221, o2), +diff --git a/drivers/mmc/host/sdhci-pci.h b/drivers/mmc/host/sdhci-pci.h +index 5e3193278ff9..3661a224fb04 100644 +--- a/drivers/mmc/host/sdhci-pci.h ++++ b/drivers/mmc/host/sdhci-pci.h +@@ -59,6 +59,7 @@ + #define PCI_DEVICE_ID_INTEL_JSL_SD 0x4df8 + #define PCI_DEVICE_ID_INTEL_LKF_EMMC 0x98c4 + #define PCI_DEVICE_ID_INTEL_LKF_SD 0x98f8 ++#define PCI_DEVICE_ID_INTEL_ADL_EMMC 0x54c4 + + #define PCI_DEVICE_ID_SYSKONNECT_8000 0x8000 + #define PCI_DEVICE_ID_VIA_95D0 0x95d0 +-- +2.31.1 + diff --git a/patches.suse/mtd-rawnand-mpc5121-Remove-unused-variable-in-ads512.patch b/patches.suse/mtd-rawnand-mpc5121-Remove-unused-variable-in-ads512.patch new file mode 100644 index 0000000..5f4740e --- /dev/null +++ b/patches.suse/mtd-rawnand-mpc5121-Remove-unused-variable-in-ads512.patch @@ -0,0 +1,41 @@ +From 33a0da68fb073360d36ce1a0e852f75fede7c21e Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Mon, 22 Nov 2021 14:21:38 +0100 +Subject: [PATCH] mtd: rawnand: mpc5121: Remove unused variable in ads5121_select_chip() +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 33a0da68fb073360d36ce1a0e852f75fede7c21e +Patch-mainline: v5.17-rc1 +References: git-fixes + +Drivers/mtd/nand/raw/mpc5121_nfc.c: In function ‘ads5121_select_chip’: +drivers/mtd/nand/raw/mpc5121_nfc.c:294:19: warning: unused variable ‘mtd’ [-Wunused-variable] + 294 | struct mtd_info *mtd = nand_to_mtd(nand); + | ^~~ + +Fixes: 758b56f58b66bebc ("mtd: rawnand: Pass a nand_chip object to chip->select_chip()") +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20211122132138.3899138-1-geert@linux-m68k.org +Acked-by: Takashi Iwai + +--- + drivers/mtd/nand/raw/mpc5121_nfc.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/mtd/nand/raw/mpc5121_nfc.c b/drivers/mtd/nand/raw/mpc5121_nfc.c +index cb293c50acb8..5b9271b9c326 100644 +--- a/drivers/mtd/nand/raw/mpc5121_nfc.c ++++ b/drivers/mtd/nand/raw/mpc5121_nfc.c +@@ -291,7 +291,6 @@ static int ads5121_chipselect_init(struct mtd_info *mtd) + /* Control chips select signal on ADS5121 board */ + static void ads5121_select_chip(struct nand_chip *nand, int chip) + { +- struct mtd_info *mtd = nand_to_mtd(nand); + struct mpc5121_nfc_prv *prv = nand_get_controller_data(nand); + u8 v; + +-- +2.31.1 + diff --git a/patches.suse/mwifiex-Fix-possible-ABBA-deadlock.patch b/patches.suse/mwifiex-Fix-possible-ABBA-deadlock.patch new file mode 100644 index 0000000..8283692 --- /dev/null +++ b/patches.suse/mwifiex-Fix-possible-ABBA-deadlock.patch @@ -0,0 +1,82 @@ +From 1b8bb8919ef81bfc8873d223b9361f1685f2106d Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Mon, 29 Nov 2021 16:47:34 -0800 +Subject: [PATCH] mwifiex: Fix possible ABBA deadlock +Git-commit: 1b8bb8919ef81bfc8873d223b9361f1685f2106d +Patch-mainline: v5.17-rc1 +References: git-fixes + +Quoting Jia-Ju Bai : + + mwifiex_dequeue_tx_packet() + spin_lock_bh(&priv->wmm.ra_list_spinlock); --> Line 1432 (Lock A) + mwifiex_send_addba() + spin_lock_bh(&priv->sta_list_spinlock); --> Line 608 (Lock B) + + mwifiex_process_sta_tx_pause() + spin_lock_bh(&priv->sta_list_spinlock); --> Line 398 (Lock B) + mwifiex_update_ralist_tx_pause() + spin_lock_bh(&priv->wmm.ra_list_spinlock); --> Line 941 (Lock A) + +Similar report for mwifiex_process_uap_tx_pause(). + +While the locking expectations in this driver are a bit unclear, the +Fixed commit only intended to protect the sta_ptr, so we can drop the +lock as soon as we're done with it. + +IIUC, this deadlock cannot actually happen, because command event +processing (which calls mwifiex_process_sta_tx_pause()) is +sequentialized with TX packet processing (e.g., +mwifiex_dequeue_tx_packet()) via the main loop (mwifiex_main_process()). +But it's good not to leave this potential issue lurking. + +Fixes: f0f7c2275fb9 ("mwifiex: minor cleanups w/ sta_list_spinlock in cfg80211.c") +Cc: Douglas Anderson +Reported-by: TOTE Robot +Link: https://lore.kernel.org/linux-wireless/0e495b14-efbb-e0da-37bd-af6bd677ee2c@gmail.com/ +Signed-off-by: Brian Norris +Reviewed-by: Douglas Anderson +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/YaV0pllJ5p/EuUat@google.com +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/marvell/mwifiex/sta_event.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/sta_event.c b/drivers/net/wireless/marvell/mwifiex/sta_event.c +index 80e5d44bad9d..7d42c5d2dbf6 100644 +--- a/drivers/net/wireless/marvell/mwifiex/sta_event.c ++++ b/drivers/net/wireless/marvell/mwifiex/sta_event.c +@@ -365,10 +365,12 @@ static void mwifiex_process_uap_tx_pause(struct mwifiex_private *priv, + sta_ptr = mwifiex_get_sta_entry(priv, tp->peermac); + if (sta_ptr && sta_ptr->tx_pause != tp->tx_pause) { + sta_ptr->tx_pause = tp->tx_pause; ++ spin_unlock_bh(&priv->sta_list_spinlock); + mwifiex_update_ralist_tx_pause(priv, tp->peermac, + tp->tx_pause); ++ } else { ++ spin_unlock_bh(&priv->sta_list_spinlock); + } +- spin_unlock_bh(&priv->sta_list_spinlock); + } + } + +@@ -400,11 +402,13 @@ static void mwifiex_process_sta_tx_pause(struct mwifiex_private *priv, + sta_ptr = mwifiex_get_sta_entry(priv, tp->peermac); + if (sta_ptr && sta_ptr->tx_pause != tp->tx_pause) { + sta_ptr->tx_pause = tp->tx_pause; ++ spin_unlock_bh(&priv->sta_list_spinlock); + mwifiex_update_ralist_tx_pause(priv, + tp->peermac, + tp->tx_pause); ++ } else { ++ spin_unlock_bh(&priv->sta_list_spinlock); + } +- spin_unlock_bh(&priv->sta_list_spinlock); + } + } + } +-- +2.31.1 + diff --git a/patches.suse/mwifiex-Fix-skb_over_panic-in-mwifiex_usb_recv.patch b/patches.suse/mwifiex-Fix-skb_over_panic-in-mwifiex_usb_recv.patch index 0830676..a9f6732 100644 --- a/patches.suse/mwifiex-Fix-skb_over_panic-in-mwifiex_usb_recv.patch +++ b/patches.suse/mwifiex-Fix-skb_over_panic-in-mwifiex_usb_recv.patch @@ -3,8 +3,7 @@ From: Zekun Shen Date: Sat, 30 Oct 2021 22:42:50 -0400 Subject: [PATCH] mwifiex: Fix skb_over_panic in mwifiex_usb_recv() Git-commit: 04d80663f67ccef893061b49ec8a42ff7045ae84 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers.git -Patch-mainline: Queued in subsystem maintainer repo +Patch-mainline: v5.17-rc1 References: CVE-2021-43976 bsc#1192847 Currently, with an unknown recv_type, mwifiex_usb_recv diff --git a/patches.suse/net-create-netdev-dev_addr-assignment-helpers.patch b/patches.suse/net-create-netdev-dev_addr-assignment-helpers.patch new file mode 100644 index 0000000..9ab35d3 --- /dev/null +++ b/patches.suse/net-create-netdev-dev_addr-assignment-helpers.patch @@ -0,0 +1,80 @@ +From 48eab831ae8b9f7002a533fa4235eed63ea1f1a3 Mon Sep 17 00:00:00 2001 +From: Jakub Kicinski +Date: Thu, 2 Sep 2021 11:10:37 -0700 +Subject: [PATCH] net: create netdev->dev_addr assignment helpers +Git-commit: 48eab831ae8b9f7002a533fa4235eed63ea1f1a3 +References: git-fixes +Patch-mainline: v5.15-rc1 + +Recent work on converting address list to a tree made it obvious +we need an abstraction around writing netdev->dev_addr. Without +such abstraction updating the main device address is invisible +to the core. + +Introduce a number of helpers which for now just wrap memcpy() +but in the future can make necessary changes to the address +tree. + +Signed-off-by: Jakub Kicinski +Signed-off-by: David S. Miller +Signed-off-by: Oliver Neukum +--- + include/linux/etherdevice.h | 12 ++++++++++++ + include/linux/netdevice.h | 18 ++++++++++++++++++ + 2 files changed, 30 insertions(+) + +diff --git a/include/linux/etherdevice.h b/include/linux/etherdevice.h +index 330345b1be54..928c411bd509 100644 +--- a/include/linux/etherdevice.h ++++ b/include/linux/etherdevice.h +@@ -299,6 +299,18 @@ static inline void ether_addr_copy(u8 *dst, const u8 *src) + #endif + } + ++/** ++ * eth_hw_addr_set - Assign Ethernet address to a net_device ++ * @dev: pointer to net_device structure ++ * @addr: address to assign ++ * ++ * Assign given address to the net_device, addr_assign_type is not changed. ++ */ ++static inline void eth_hw_addr_set(struct net_device *dev, const u8 *addr) ++{ ++ ether_addr_copy(dev->dev_addr, addr); ++} ++ + /** + * eth_hw_addr_inherit - Copy dev_addr from another net_device + * @dst: pointer to net_device to copy dev_addr to +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h +index 7c41593c1d6a..d79163208dfd 100644 +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -4641,6 +4641,24 @@ void __hw_addr_unsync_dev(struct netdev_hw_addr_list *list, + void __hw_addr_init(struct netdev_hw_addr_list *list); + + /* Functions used for device addresses handling */ ++static inline void ++__dev_addr_set(struct net_device *dev, const u8 *addr, size_t len) ++{ ++ memcpy(dev->dev_addr, addr, len); ++} ++ ++static inline void dev_addr_set(struct net_device *dev, const u8 *addr) ++{ ++ __dev_addr_set(dev, addr, dev->addr_len); ++} ++ ++static inline void ++dev_addr_mod(struct net_device *dev, unsigned int offset, ++ const u8 *addr, size_t len) ++{ ++ memcpy(&dev->dev_addr[offset], addr, len); ++} ++ + int dev_addr_add(struct net_device *dev, const unsigned char *addr, + unsigned char addr_type); + int dev_addr_del(struct net_device *dev, const unsigned char *addr, +-- +2.26.2 + diff --git a/patches.suse/net-ena-Fix-error-handling-when-calculating-max-IO-q.patch b/patches.suse/net-ena-Fix-error-handling-when-calculating-max-IO-q.patch new file mode 100644 index 0000000..4e295e4 --- /dev/null +++ b/patches.suse/net-ena-Fix-error-handling-when-calculating-max-IO-q.patch @@ -0,0 +1,49 @@ +From: Arthur Kiyanovski +Date: Sun, 2 Jan 2022 07:37:28 +0000 +Subject: net: ena: Fix error handling when calculating max IO queues number +Patch-mainline: v5.16 +Git-commit: 5055dc0348b8b7c168e3296044bccd724e1ae6cd +References: bsc#1154492 + +The role of ena_calc_max_io_queue_num() is to return the number +of queues supported by the device, which means the return value +should be >=0. + +The function that calls ena_calc_max_io_queue_num(), checks +the return value. If it is 0, it means the device reported +it supports 0 IO queues. This case is considered an error +and is handled by the calling function accordingly. + +However the current implementation of ena_calc_max_io_queue_num() +is wrong, since when it detects the device supports 0 IO queues, +it returns -EFAULT. + +In such a case the calling function doesn't detect the error, +and therefore doesn't handle it. + +This commit changes ena_calc_max_io_queue_num() to return 0 +in case the device reported it supports 0 queues, allowing the +calling function to properly handle the error case. + +Fixes: 736ce3f414cc ("net: ena: make ethtool -l show correct max number of queues") +Signed-off-by: Shay Agroskin +Signed-off-by: Arthur Kiyanovski +Signed-off-by: David S. Miller +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/amazon/ena/ena_netdev.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c ++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c +@@ -3939,10 +3939,6 @@ static u32 ena_calc_max_io_queue_num(str + max_num_io_queues = min_t(u32, max_num_io_queues, io_tx_cq_num); + /* 1 IRQ for for mgmnt and 1 IRQs for each IO direction */ + max_num_io_queues = min_t(u32, max_num_io_queues, pci_msix_vec_count(pdev) - 1); +- if (unlikely(!max_num_io_queues)) { +- dev_err(&pdev->dev, "The device doesn't have io queues\n"); +- return -EFAULT; +- } + + return max_num_io_queues; + } diff --git a/patches.suse/net-ena-Fix-undefined-state-when-tx-request-id-is-ou.patch b/patches.suse/net-ena-Fix-undefined-state-when-tx-request-id-is-ou.patch new file mode 100644 index 0000000..950fd49 --- /dev/null +++ b/patches.suse/net-ena-Fix-undefined-state-when-tx-request-id-is-ou.patch @@ -0,0 +1,101 @@ +From: Arthur Kiyanovski +Date: Sun, 2 Jan 2022 07:37:26 +0000 +Subject: net: ena: Fix undefined state when tx request id is out of bounds +Patch-mainline: v5.16 +Git-commit: c255a34e02efb1393d23ffb205ba1a11320aeffb +References: bsc#1154492 + +ena_com_tx_comp_req_id_get() checks the req_id of a received completion, +and if it is out of bounds returns -EINVAL. This is a sign that +something is wrong with the device and it needs to be reset. + +The current code does not reset the device in this case, which leaves +the driver in an undefined state, where this completion is not properly +handled. + +This commit adds a call to handle_invalid_req_id() in ena_clean_tx_irq() +and ena_clean_xdp_irq() which resets the device to fix the issue. + +This commit also removes unnecessary request id checks from +validate_tx_req_id() and validate_xdp_req_id(). This check is unneeded +because it was already performed in ena_com_tx_comp_req_id_get(), which +is called right before these functions. + +Fixes: 548c4940b9f1 ("net: ena: Implement XDP_TX action") +Signed-off-by: Shay Agroskin +Signed-off-by: Arthur Kiyanovski +Signed-off-by: David S. Miller +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/amazon/ena/ena_netdev.c | 34 +++++++++++++++------------ + 1 file changed, 20 insertions(+), 14 deletions(-) + +--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c ++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c +@@ -1208,26 +1208,22 @@ static int handle_invalid_req_id(struct + + static int validate_tx_req_id(struct ena_ring *tx_ring, u16 req_id) + { +- struct ena_tx_buffer *tx_info = NULL; ++ struct ena_tx_buffer *tx_info; + +- if (likely(req_id < tx_ring->ring_size)) { +- tx_info = &tx_ring->tx_buffer_info[req_id]; +- if (likely(tx_info->skb)) +- return 0; +- } ++ tx_info = &tx_ring->tx_buffer_info[req_id]; ++ if (likely(tx_info->skb)) ++ return 0; + + return handle_invalid_req_id(tx_ring, req_id, tx_info, false); + } + + static int validate_xdp_req_id(struct ena_ring *xdp_ring, u16 req_id) + { +- struct ena_tx_buffer *tx_info = NULL; ++ struct ena_tx_buffer *tx_info; + +- if (likely(req_id < xdp_ring->ring_size)) { +- tx_info = &xdp_ring->tx_buffer_info[req_id]; +- if (likely(tx_info->xdpf)) +- return 0; +- } ++ tx_info = &xdp_ring->tx_buffer_info[req_id]; ++ if (likely(tx_info->xdpf)) ++ return 0; + + return handle_invalid_req_id(xdp_ring, req_id, tx_info, true); + } +@@ -1252,9 +1248,14 @@ static int ena_clean_tx_irq(struct ena_r + + rc = ena_com_tx_comp_req_id_get(tx_ring->ena_com_io_cq, + &req_id); +- if (rc) ++ if (rc) { ++ if (unlikely(rc == -EINVAL)) ++ handle_invalid_req_id(tx_ring, req_id, NULL, ++ false); + break; ++ } + ++ /* validate that the request id points to a valid skb */ + rc = validate_tx_req_id(tx_ring, req_id); + if (rc) + break; +@@ -1810,9 +1811,14 @@ static int ena_clean_xdp_irq(struct ena_ + + rc = ena_com_tx_comp_req_id_get(xdp_ring->ena_com_io_cq, + &req_id); +- if (rc) ++ if (rc) { ++ if (unlikely(rc == -EINVAL)) ++ handle_invalid_req_id(xdp_ring, req_id, NULL, ++ true); + break; ++ } + ++ /* validate that the request id points to a valid xdp_frame */ + rc = validate_xdp_req_id(xdp_ring, req_id); + if (rc) + break; diff --git a/patches.suse/net-ena-Fix-wrong-rx-request-id-by-resetting-device.patch b/patches.suse/net-ena-Fix-wrong-rx-request-id-by-resetting-device.patch new file mode 100644 index 0000000..4ab5ff1 --- /dev/null +++ b/patches.suse/net-ena-Fix-wrong-rx-request-id-by-resetting-device.patch @@ -0,0 +1,50 @@ +From: Arthur Kiyanovski +Date: Sun, 2 Jan 2022 07:37:27 +0000 +Subject: net: ena: Fix wrong rx request id by resetting device +Patch-mainline: v5.16 +Git-commit: cb3d4f98f0b26eafa0b913ac3716e4714254a747 +References: git-fixes + +A wrong request id received from the device is a sign that +something is wrong with it, therefore trigger a device reset. + +Also add some debug info to the "Page is NULL" print to make +it easier to debug. + +Fixes: 1738cd3ed342 ("net: ena: Add a driver for Amazon Elastic Network Adapters (ENA)") +Signed-off-by: Arthur Kiyanovski +Signed-off-by: David S. Miller +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/amazon/ena/ena_netdev.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c ++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c +@@ -1349,6 +1349,7 @@ static struct sk_buff *ena_rx_skb(struct + { + struct sk_buff *skb; + struct ena_rx_buffer *rx_info; ++ struct ena_adapter *adapter; + u16 len, req_id, buf = 0; + void *va; + +@@ -1358,8 +1359,16 @@ static struct sk_buff *ena_rx_skb(struct + rx_info = &rx_ring->rx_buffer_info[req_id]; + + if (unlikely(!rx_info->page)) { +- netif_err(rx_ring->adapter, rx_err, rx_ring->netdev, +- "Page is NULL\n"); ++ adapter = rx_ring->adapter; ++ netif_err(adapter, rx_err, rx_ring->netdev, ++ "Page is NULL. qid %u req_id %u\n", rx_ring->qid, req_id); ++ u64_stats_update_begin(&rx_ring->syncp); ++ rx_ring->rx_stats.bad_req_id++; ++ u64_stats_update_end(&rx_ring->syncp); ++ adapter->reset_reason = ENA_REGS_RESET_INV_RX_REQ_ID; ++ /* Make sure reset reason is set before triggering the reset */ ++ smp_mb__before_atomic(); ++ set_bit(ENA_FLAG_TRIGGER_RESET, &adapter->flags); + return NULL; + } + diff --git a/patches.suse/net-hns3-fix-use-after-free-bug-in-hclgevf_send_mbx_.patch b/patches.suse/net-hns3-fix-use-after-free-bug-in-hclgevf_send_mbx_.patch new file mode 100644 index 0000000..8e11fe7 --- /dev/null +++ b/patches.suse/net-hns3-fix-use-after-free-bug-in-hclgevf_send_mbx_.patch @@ -0,0 +1,36 @@ +From: Jie Wang +Date: Fri, 10 Dec 2021 21:09:33 +0800 +Subject: net: hns3: fix use-after-free bug in hclgevf_send_mbx_msg +Patch-mainline: v5.16-rc6 +Git-commit: 27cbf64a766e86f068ce6214f04c00ceb4db1af4 +References: jsc#SLE-14777 + +Currently, the hns3_remove function firstly uninstall client instance, +and then uninstall acceletion engine device. The netdevice is freed in +client instance uninstall process, but acceletion engine device uninstall +process still use it to trace runtime information. This causes a use after +free problem. + +So fixes it by check the instance register state to avoid use after free. + +Fixes: d8355240cf8f ("net: hns3: add trace event support for PF/VF mailbox") +Signed-off-by: Jie Wang +Signed-off-by: Guangbin Huang +Signed-off-by: David S. Miller +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_mbx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_mbx.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_mbx.c +@@ -109,7 +109,8 @@ int hclgevf_send_mbx_msg(struct hclgevf_ + + memcpy(&req->msg, send_msg, sizeof(struct hclge_vf_to_pf_msg)); + +- trace_hclge_vf_mbx_send(hdev, req); ++ if (test_bit(HCLGEVF_STATE_NIC_REGISTERED, &hdev->state)) ++ trace_hclge_vf_mbx_send(hdev, req); + + /* synchronous send */ + if (need_resp) { diff --git a/patches.suse/net-mlx5-DR-Fix-NULL-vs-IS_ERR-checking-in-dr_domain.patch b/patches.suse/net-mlx5-DR-Fix-NULL-vs-IS_ERR-checking-in-dr_domain.patch new file mode 100644 index 0000000..dfd035b --- /dev/null +++ b/patches.suse/net-mlx5-DR-Fix-NULL-vs-IS_ERR-checking-in-dr_domain.patch @@ -0,0 +1,40 @@ +From: Miaoqian Lin +Date: Wed, 22 Dec 2021 06:54:53 +0000 +Subject: net/mlx5: DR, Fix NULL vs IS_ERR checking in dr_domain_init_resources +Patch-mainline: v5.16-rc8 +Git-commit: 6b8b42585886c59a008015083282aae434349094 +References: jsc#SLE-8464 + +The mlx5_get_uars_page() function returns error pointers. +Using IS_ERR() to check the return value to fix this. + +Fixes: 4ec9e7b02697 ("net/mlx5: DR, Expose steering domain functionality") +Signed-off-by: Miaoqian Lin +Signed-off-by: Saeed Mahameed +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c +@@ -2,6 +2,7 @@ + /* Copyright (c) 2019 Mellanox Technologies. */ + + #include ++#include + #include "dr_types.h" + + static int dr_domain_init_cache(struct mlx5dr_domain *dmn) +@@ -64,9 +65,9 @@ static int dr_domain_init_resources(stru + } + + dmn->uar = mlx5_get_uars_page(dmn->mdev); +- if (!dmn->uar) { ++ if (IS_ERR(dmn->uar)) { + mlx5dr_err(dmn, "Couldn't allocate UAR\n"); +- ret = -ENOMEM; ++ ret = PTR_ERR(dmn->uar); + goto clean_pd; + } + diff --git a/patches.suse/net-mlx5-Set-command-entry-semaphore-up-once-got-ind.patch b/patches.suse/net-mlx5-Set-command-entry-semaphore-up-once-got-ind.patch new file mode 100644 index 0000000..a3c81fd --- /dev/null +++ b/patches.suse/net-mlx5-Set-command-entry-semaphore-up-once-got-ind.patch @@ -0,0 +1,65 @@ +From: Moshe Shemesh +Date: Sun, 5 Dec 2021 12:07:49 +0200 +Subject: net/mlx5: Set command entry semaphore up once got index free +Patch-mainline: v5.17-rc1 +Git-commit: 8e715cd613a1e872b9d918e912d90b399785761a +References: jsc#SLE-15172 + +Avoid a race where command work handler may fail to allocate command +entry index, by holding the command semaphore down till command entry +index is being freed. + +Fixes: 410bd754cd73 ("net/mlx5: Add retry mechanism to the command entry index allocation") +Signed-off-by: Moshe Shemesh +Reviewed-by: Eran Ben Elisha +Signed-off-by: Saeed Mahameed +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 15 ++++++--------- + 1 file changed, 6 insertions(+), 9 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -147,8 +147,12 @@ static void cmd_ent_put(struct mlx5_cmd_ + if (!refcount_dec_and_test(&ent->refcnt)) + return; + +- if (ent->idx >= 0) +- cmd_free_index(ent->cmd, ent->idx); ++ if (ent->idx >= 0) { ++ struct mlx5_cmd *cmd = ent->cmd; ++ ++ cmd_free_index(cmd, ent->idx); ++ up(ent->page_queue ? &cmd->pages_sem : &cmd->sem); ++ } + + cmd_free_ent(ent); + } +@@ -1582,8 +1586,6 @@ static void mlx5_cmd_comp_handler(struct + vector = vec & 0xffffffff; + for (i = 0; i < (1 << cmd->log_sz); i++) { + if (test_bit(i, &vector)) { +- struct semaphore *sem; +- + ent = cmd->ent_arr[i]; + + /* if we already completed the command, ignore it */ +@@ -1606,10 +1608,6 @@ static void mlx5_cmd_comp_handler(struct + dev->state == MLX5_DEVICE_STATE_INTERNAL_ERROR) + cmd_ent_put(ent); + +- if (ent->page_queue) +- sem = &cmd->pages_sem; +- else +- sem = &cmd->sem; + ent->ts2 = ktime_get_ns(); + memcpy(ent->out->first.data, ent->lay->out, sizeof(ent->lay->out)); + dump_command(dev, ent, 0); +@@ -1663,7 +1661,6 @@ static void mlx5_cmd_comp_handler(struct + */ + complete(&ent->done); + } +- up(sem); + } + } + } diff --git a/patches.suse/net-mlx5e-Fix-wrong-features-assignment-in-case-of-e.patch b/patches.suse/net-mlx5e-Fix-wrong-features-assignment-in-case-of-e.patch new file mode 100644 index 0000000..461a05c --- /dev/null +++ b/patches.suse/net-mlx5e-Fix-wrong-features-assignment-in-case-of-e.patch @@ -0,0 +1,79 @@ +From: Gal Pressman +Date: Mon, 29 Nov 2021 11:08:41 +0200 +Subject: net/mlx5e: Fix wrong features assignment in case of error +Patch-mainline: v5.16-rc8 +Git-commit: 992d8a4e38f0527f24e273ce3a9cd6dea1a6a436 +References: git-fixes + +In case of an error in mlx5e_set_features(), 'netdev->features' must be +updated with the correct state of the device to indicate which features +were updated successfully. +To do that we maintain a copy of 'netdev->features' and update it after +successful feature changes, so we can assign it to back to +'netdev->features' if needed. + +However, since not all netdev features are handled by the driver (e.g. +GRO/TSO/etc), some features may not be updated correctly in case of an +error updating another feature. + +For example, while requesting to disable TSO (feature which is not +handled by the driver) and enable HW-GRO, if an error occurs during +HW-GRO enable, 'oper_features' will be assigned with 'netdev->features' +and HW-GRO turned off. TSO will remain enabled in such case, which is a +bug. + +To solve that, instead of using 'netdev->features' as the baseline of +'oper_features' and changing it on set feature success, use 'features' +instead and update it in case of errors. + +Fixes: 75b81ce719b7 ("net/mlx5e: Don't override netdev features field unless in error flow") +Signed-off-by: Gal Pressman +Signed-off-by: Saeed Mahameed +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -3907,12 +3907,11 @@ static int set_feature_arfs(struct net_d + + static int mlx5e_handle_feature(struct net_device *netdev, + netdev_features_t *features, +- netdev_features_t wanted_features, + netdev_features_t feature, + mlx5e_feature_handler feature_handler) + { +- netdev_features_t changes = wanted_features ^ netdev->features; +- bool enable = !!(wanted_features & feature); ++ netdev_features_t changes = *features ^ netdev->features; ++ bool enable = !!(*features & feature); + int err; + + if (!(changes & feature)) +@@ -3920,22 +3919,22 @@ static int mlx5e_handle_feature(struct n + + err = feature_handler(netdev, enable); + if (err) { ++ MLX5E_SET_FEATURE(features, feature, !enable); + netdev_err(netdev, "%s feature %pNF failed, err %d\n", + enable ? "Enable" : "Disable", &feature, err); + return err; + } + +- MLX5E_SET_FEATURE(features, feature, enable); + return 0; + } + + int mlx5e_set_features(struct net_device *netdev, netdev_features_t features) + { +- netdev_features_t oper_features = netdev->features; ++ netdev_features_t oper_features = features; + int err = 0; + + #define MLX5E_HANDLE_FEATURE(feature, handler) \ +- mlx5e_handle_feature(netdev, &oper_features, features, feature, handler) ++ mlx5e_handle_feature(netdev, &oper_features, feature, handler) + + err |= MLX5E_HANDLE_FEATURE(NETIF_F_LRO, set_feature_lro); + err |= MLX5E_HANDLE_FEATURE(NETIF_F_HW_VLAN_CTAG_FILTER, diff --git a/patches.suse/net-mlx5e-Wrap-the-tx-reporter-dump-callback-to-extr.patch b/patches.suse/net-mlx5e-Wrap-the-tx-reporter-dump-callback-to-extr.patch new file mode 100644 index 0000000..5bd45f3 --- /dev/null +++ b/patches.suse/net-mlx5e-Wrap-the-tx-reporter-dump-callback-to-extr.patch @@ -0,0 +1,85 @@ +From: Amir Tzin +Date: Tue, 30 Nov 2021 16:05:44 +0200 +Subject: net/mlx5e: Wrap the tx reporter dump callback to extract the sq +Patch-mainline: v5.16-rc8 +Git-commit: 918fc3855a6507a200e9cf22c20be852c0982687 +References: jsc#SLE-15172 + +Function mlx5e_tx_reporter_dump_sq() casts its void * argument to struct +mlx5e_txqsq *, but in TX-timeout-recovery flow the argument is actually +of type struct mlx5e_tx_timeout_ctx *. + + mlx5_core 0000:08:00.1 enp8s0f1: TX timeout detected + mlx5_core 0000:08:00.1 enp8s0f1: TX timeout on queue: 1, SQ: 0x11ec, CQ: 0x146d, SQ Cons: 0x0 SQ Prod: 0x1, usecs since last trans: 21565000 + BUG: stack guard page was hit at 0000000093f1a2de (stack is 00000000b66ea0dc..000000004d932dae) + kernel stack overflow (page fault): 0000 [#1] SMP NOPTI + CPU: 5 PID: 95 Comm: kworker/u20:1 Tainted: G W OE 5.13.0_mlnx #1 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 + Workqueue: mlx5e mlx5e_tx_timeout_work [mlx5_core] + RIP: 0010:mlx5e_tx_reporter_dump_sq+0xd3/0x180 + [mlx5_core] + Call Trace: + mlx5e_tx_reporter_dump+0x43/0x1c0 [mlx5_core] + devlink_health_do_dump.part.91+0x71/0xd0 + devlink_health_report+0x157/0x1b0 + mlx5e_reporter_tx_timeout+0xb9/0xf0 [mlx5_core] + ? mlx5e_tx_reporter_err_cqe_recover+0x1d0/0x1d0 + [mlx5_core] + ? mlx5e_health_queue_dump+0xd0/0xd0 [mlx5_core] + ? update_load_avg+0x19b/0x550 + ? set_next_entity+0x72/0x80 + ? pick_next_task_fair+0x227/0x340 + ? finish_task_switch+0xa2/0x280 + mlx5e_tx_timeout_work+0x83/0xb0 [mlx5_core] + process_one_work+0x1de/0x3a0 + worker_thread+0x2d/0x3c0 + ? process_one_work+0x3a0/0x3a0 + kthread+0x115/0x130 + ? kthread_park+0x90/0x90 + ret_from_fork+0x1f/0x30 + --[ end trace 51ccabea504edaff ]--- + RIP: 0010:mlx5e_tx_reporter_dump_sq+0xd3/0x180 + PKRU: 55555554 + Kernel panic - not syncing: Fatal exception + Kernel Offset: disabled + end Kernel panic - not syncing: Fatal exception + +To fix this bug add a wrapper for mlx5e_tx_reporter_dump_sq() which +extracts the sq from struct mlx5e_tx_timeout_ctx and set it as the +TX-timeout-recovery flow dump callback. + +Fixes: 5f29458b77d5 ("net/mlx5e: Support dump callback in TX reporter") +Signed-off-by: Aya Levin +Signed-off-by: Amir Tzin +Signed-off-by: Saeed Mahameed +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c +@@ -335,6 +335,14 @@ static int mlx5e_tx_reporter_dump_sq(str + return mlx5e_health_fmsg_named_obj_nest_end(fmsg); + } + ++static int mlx5e_tx_reporter_timeout_dump(struct mlx5e_priv *priv, struct devlink_fmsg *fmsg, ++ void *ctx) ++{ ++ struct mlx5e_tx_timeout_ctx *to_ctx = ctx; ++ ++ return mlx5e_tx_reporter_dump_sq(priv, fmsg, to_ctx->sq); ++} ++ + static int mlx5e_tx_reporter_dump_all_sqs(struct mlx5e_priv *priv, + struct devlink_fmsg *fmsg) + { +@@ -418,7 +426,7 @@ int mlx5e_reporter_tx_timeout(struct mlx + to_ctx.sq = sq; + err_ctx.ctx = &to_ctx; + err_ctx.recover = mlx5e_tx_reporter_timeout_recover; +- err_ctx.dump = mlx5e_tx_reporter_dump_sq; ++ err_ctx.dump = mlx5e_tx_reporter_timeout_dump; + snprintf(err_str, sizeof(err_str), + "TX timeout on queue: %d, SQ: 0x%x, CQ: 0x%x, SQ Cons: 0x%x SQ Prod: 0x%x, usecs since last trans: %u", + sq->channel->ix, sq->sqn, sq->cq.mcq.cqn, sq->cc, sq->pc, diff --git a/patches.suse/net-sched-fq_pie-prevent-dismantle-issue.patch b/patches.suse/net-sched-fq_pie-prevent-dismantle-issue.patch new file mode 100644 index 0000000..b572d40 --- /dev/null +++ b/patches.suse/net-sched-fq_pie-prevent-dismantle-issue.patch @@ -0,0 +1,94 @@ +From: Eric Dumazet +Date: Thu, 9 Dec 2021 00:49:37 -0800 +Subject: net/sched: fq_pie: prevent dismantle issue +Patch-mainline: v5.16-rc5 +Git-commit: 61c2402665f1e10c5742033fce18392e369931d7 +References: jsc#SLE-15172 + +For some reason, fq_pie_destroy() did not copy +working code from pie_destroy() and other qdiscs, +thus causing elusive bug. + +Before calling del_timer_sync(&q->adapt_timer), +we need to ensure timer will not rearm itself. + +rcu: INFO: rcu_preempt self-detected stall on CPU +rcu: 0-....: (4416 ticks this GP) idle=60d/1/0x4000000000000000 softirq=10433/10434 fqs=2579 + (t=10501 jiffies g=13085 q=3989) +NMI backtrace for cpu 0 +CPU: 0 PID: 13 Comm: ksoftirqd/0 Not tainted 5.16.0-rc4-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 + nmi_cpu_backtrace.cold+0x47/0x144 lib/nmi_backtrace.c:111 + nmi_trigger_cpumask_backtrace+0x1b3/0x230 lib/nmi_backtrace.c:62 + trigger_single_cpu_backtrace include/linux/nmi.h:164 [inline] + rcu_dump_cpu_stacks+0x25e/0x3f0 kernel/rcu/tree_stall.h:343 + print_cpu_stall kernel/rcu/tree_stall.h:627 [inline] + check_cpu_stall kernel/rcu/tree_stall.h:711 [inline] + rcu_pending kernel/rcu/tree.c:3878 [inline] + rcu_sched_clock_irq.cold+0x9d/0x746 kernel/rcu/tree.c:2597 + update_process_times+0x16d/0x200 kernel/time/timer.c:1785 + tick_sched_handle+0x9b/0x180 kernel/time/tick-sched.c:226 + tick_sched_timer+0x1b0/0x2d0 kernel/time/tick-sched.c:1428 + __run_hrtimer kernel/time/hrtimer.c:1685 [inline] + __hrtimer_run_queues+0x1c0/0xe50 kernel/time/hrtimer.c:1749 + hrtimer_interrupt+0x31c/0x790 kernel/time/hrtimer.c:1811 + local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1086 [inline] + __sysvec_apic_timer_interrupt+0x146/0x530 arch/x86/kernel/apic/apic.c:1103 + sysvec_apic_timer_interrupt+0x8e/0xc0 arch/x86/kernel/apic/apic.c:1097 + + + asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638 +RIP: 0010:write_comp_data kernel/kcov.c:221 [inline] +RIP: 0010:__sanitizer_cov_trace_const_cmp1+0x1d/0x80 kernel/kcov.c:273 +Code: 54 c8 20 48 89 10 c3 66 0f 1f 44 00 00 53 41 89 fb 41 89 f1 bf 03 00 00 00 65 48 8b 0c 25 40 70 02 00 48 89 ce 4c 8b 54 24 08 4e f7 ff ff 84 c0 74 51 48 8b 81 88 15 00 00 44 8b 81 84 15 00 +RSP: 0018:ffffc90000d27b28 EFLAGS: 00000246 +RAX: 0000000000000000 RBX: ffff888064bf1bf0 RCX: ffff888011928000 +RDX: ffff888011928000 RSI: ffff888011928000 RDI: 0000000000000003 +RBP: ffff888064bf1c28 R08: 0000000000000000 R09: 0000000000000000 +R10: ffffffff875d8295 R11: 0000000000000000 R12: 0000000000000000 +R13: ffff8880783dd300 R14: 0000000000000000 R15: 0000000000000000 + pie_calculate_probability+0x405/0x7c0 net/sched/sch_pie.c:418 + fq_pie_timer+0x170/0x2a0 net/sched/sch_fq_pie.c:383 + call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1421 + expire_timers kernel/time/timer.c:1466 [inline] + __run_timers.part.0+0x675/0xa20 kernel/time/timer.c:1734 + __run_timers kernel/time/timer.c:1715 [inline] + run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1747 + __do_softirq+0x29b/0x9c2 kernel/softirq.c:558 + run_ksoftirqd kernel/softirq.c:921 [inline] + run_ksoftirqd+0x2d/0x60 kernel/softirq.c:913 + smpboot_thread_fn+0x645/0x9c0 kernel/smpboot.c:164 + kthread+0x405/0x4f0 kernel/kthread.c:327 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 + + +Fixes: ec97ecf1ebe4 ("net: sched: add Flow Queue PIE packet scheduler") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Cc: Mohit P. Tahiliani +Cc: Sachin D. Patil +Cc: V. Saicharan +Cc: Mohit Bhasi +Cc: Leslie Monis +Cc: Gautam Ramakrishnan +Link: https://lore.kernel.org/r/20211209084937.3500020-1-eric.dumazet@gmail.com +Signed-off-by: Jakub Kicinski +Acked-by: Thomas Bogendoerfer +--- + net/sched/sch_fq_pie.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/sched/sch_fq_pie.c ++++ b/net/sched/sch_fq_pie.c +@@ -531,6 +531,7 @@ static void fq_pie_destroy(struct Qdisc + struct fq_pie_sched_data *q = qdisc_priv(sch); + + tcf_block_put(q->block); ++ q->p_params.tupdate = 0; + del_timer_sync(&q->adapt_timer); + kvfree(q->flows); + } diff --git a/patches.suse/net-sched-sch_ets-don-t-remove-idle-classes-from-the.patch b/patches.suse/net-sched-sch_ets-don-t-remove-idle-classes-from-the.patch new file mode 100644 index 0000000..3bece79 --- /dev/null +++ b/patches.suse/net-sched-sch_ets-don-t-remove-idle-classes-from-the.patch @@ -0,0 +1,102 @@ +From: Davide Caratti +Date: Fri, 10 Dec 2021 17:42:47 +0100 +Subject: net/sched: sch_ets: don't remove idle classes from the round-robin + list +Patch-mainline: v5.16-rc6 +Git-commit: c062f2a0b04d86c5b8c9d973bea43493eaca3d32 +References: bsc#1176774 + +Shuang reported that the following script: + + 1) tc qdisc add dev ddd0 handle 10: parent 1: ets bands 8 strict 4 priomap 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 + 2) mausezahn ddd0 -A 10.10.10.1 -B 10.10.10.2 -c 0 -a own -b 00:c1:a0:c1:a0:00 -t udp & + 3) tc qdisc change dev ddd0 handle 10: ets bands 4 strict 2 quanta 2500 2500 priomap 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 + +crashes systematically when line 2) is commented: + + list_del corruption, ffff8e028404bd30->next is LIST_POISON1 (dead000000000100) + ------------[ cut here ]------------ + kernel BUG at lib/list_debug.c:47! + invalid opcode: 0000 [#1] PREEMPT SMP NOPTI + CPU: 0 PID: 954 Comm: tc Not tainted 5.16.0-rc4+ #478 + Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014 + RIP: 0010:__list_del_entry_valid.cold.1+0x12/0x47 + Code: fe ff 0f 0b 48 89 c1 4c 89 c6 48 c7 c7 08 42 1b 87 e8 1d c5 fe ff 0f 0b 48 89 fe 48 89 c2 48 c7 c7 98 42 1b 87 e8 09 c5 fe ff <0f> 0b 48 c7 c7 48 43 1b 87 e8 fb c4 fe ff 0f 0b 48 89 f2 48 89 fe + RSP: 0018:ffffae46807a3888 EFLAGS: 00010246 + RAX: 000000000000004e RBX: 0000000000000007 RCX: 0000000000000202 + RDX: 0000000000000000 RSI: ffffffff871ac536 RDI: 00000000ffffffff + RBP: ffffae46807a3a10 R08: 0000000000000000 R09: c0000000ffff7fff + R10: 0000000000000001 R11: ffffae46807a36a8 R12: ffff8e028404b800 + R13: ffff8e028404bd30 R14: dead000000000100 R15: ffff8e02fafa2400 + FS: 00007efdc92e4480(0000) GS:ffff8e02fb600000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000682f48 CR3: 00000001058be000 CR4: 0000000000350ef0 + Call Trace: + + ets_qdisc_change+0x58b/0xa70 [sch_ets] + tc_modify_qdisc+0x323/0x880 + rtnetlink_rcv_msg+0x169/0x4a0 + netlink_rcv_skb+0x50/0x100 + netlink_unicast+0x1a5/0x280 + netlink_sendmsg+0x257/0x4d0 + sock_sendmsg+0x5b/0x60 + ____sys_sendmsg+0x1f2/0x260 + ___sys_sendmsg+0x7c/0xc0 + __sys_sendmsg+0x57/0xa0 + do_syscall_64+0x3a/0x80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + RIP: 0033:0x7efdc8031338 + Code: 89 02 48 c7 c0 ff ff ff ff eb b5 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 25 43 2c 00 8b 00 85 c0 75 17 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 41 89 d4 55 + RSP: 002b:00007ffdf1ce9828 EFLAGS: 00000246 ORIG_RAX: 000000000000002e + RAX: ffffffffffffffda RBX: 0000000061b37a97 RCX: 00007efdc8031338 + RDX: 0000000000000000 RSI: 00007ffdf1ce9890 RDI: 0000000000000003 + RBP: 0000000000000000 R08: 0000000000000001 R09: 000000000078a940 + R10: 000000000000000c R11: 0000000000000246 R12: 0000000000000001 + R13: 0000000000688880 R14: 0000000000000000 R15: 0000000000000000 + + Modules linked in: sch_ets sch_tbf dummy rfkill iTCO_wdt iTCO_vendor_support intel_rapl_msr intel_rapl_common joydev pcspkr i2c_i801 virtio_balloon i2c_smbus lpc_ich ip_tables xfs libcrc32c crct10dif_pclmul crc32_pclmul crc32c_intel serio_raw ghash_clmulni_intel ahci libahci libata virtio_blk virtio_console virtio_net net_failover failover sunrpc dm_mirror dm_region_hash dm_log dm_mod [last unloaded: sch_ets] + ---[ end trace f35878d1912655c2 ]--- + RIP: 0010:__list_del_entry_valid.cold.1+0x12/0x47 + Code: fe ff 0f 0b 48 89 c1 4c 89 c6 48 c7 c7 08 42 1b 87 e8 1d c5 fe ff 0f 0b 48 89 fe 48 89 c2 48 c7 c7 98 42 1b 87 e8 09 c5 fe ff <0f> 0b 48 c7 c7 48 43 1b 87 e8 fb c4 fe ff 0f 0b 48 89 f2 48 89 fe + RSP: 0018:ffffae46807a3888 EFLAGS: 00010246 + RAX: 000000000000004e RBX: 0000000000000007 RCX: 0000000000000202 + RDX: 0000000000000000 RSI: ffffffff871ac536 RDI: 00000000ffffffff + RBP: ffffae46807a3a10 R08: 0000000000000000 R09: c0000000ffff7fff + R10: 0000000000000001 R11: ffffae46807a36a8 R12: ffff8e028404b800 + R13: ffff8e028404bd30 R14: dead000000000100 R15: ffff8e02fafa2400 + FS: 00007efdc92e4480(0000) GS:ffff8e02fb600000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000682f48 CR3: 00000001058be000 CR4: 0000000000350ef0 + Kernel panic - not syncing: Fatal exception in interrupt + Kernel Offset: 0x4e00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) + ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]--- + +we can remove 'q->classes[i].alist' only if DRR class 'i' was part of the +active list. In the ETS scheduler DRR classes belong to that list only if +the queue length is greater than zero: we need to test for non-zero value +of 'q->classes[i].qdisc->q.qlen' before removing from the list, similarly +to what has been done elsewhere in the ETS code. + +Fixes: de6d25924c2a ("net/sched: sch_ets: don't peek at classes beyond 'nbands'") +Reported-by: Shuang Li +Signed-off-by: Davide Caratti +Signed-off-by: David S. Miller +Acked-by: Thomas Bogendoerfer +--- + net/sched/sch_ets.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/sched/sch_ets.c ++++ b/net/sched/sch_ets.c +@@ -668,9 +668,9 @@ static int ets_qdisc_change(struct Qdisc + } + } + for (i = q->nbands; i < oldbands; i++) { +- qdisc_tree_flush_backlog(q->classes[i].qdisc); +- if (i >= q->nstrict) ++ if (i >= q->nstrict && q->classes[i].qdisc->q.qlen) + list_del(&q->classes[i].alist); ++ qdisc_tree_flush_backlog(q->classes[i].qdisc); + } + q->nstrict = nstrict; + memcpy(q->prio2band, priomap, sizeof(priomap)); diff --git a/patches.suse/net-usb-lan78xx-add-Allied-Telesis-AT29M2-AF.patch b/patches.suse/net-usb-lan78xx-add-Allied-Telesis-AT29M2-AF.patch new file mode 100644 index 0000000..6e36cb8 --- /dev/null +++ b/patches.suse/net-usb-lan78xx-add-Allied-Telesis-AT29M2-AF.patch @@ -0,0 +1,47 @@ +From ef8a0f6eab1ca5d1a75c242c5c7b9d386735fa0a Mon Sep 17 00:00:00 2001 +From: Greg Jesionowski +Date: Tue, 14 Dec 2021 15:10:27 -0700 +Subject: [PATCH] net: usb: lan78xx: add Allied Telesis AT29M2-AF +Git-commit: ef8a0f6eab1ca5d1a75c242c5c7b9d386735fa0a +Patch-mainline: v5.16-rc6 +References: git-fixes + +This adds the vendor and product IDs for the AT29M2-AF which is a +lan7801-based device. + +Signed-off-by: Greg Jesionowski +Link: https://lore.kernel.org/r/20211214221027.305784-1-jesionowskigreg@gmail.com +Signed-off-by: Jakub Kicinski +Acked-by: Takashi Iwai + +--- + drivers/net/usb/lan78xx.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c +index 8cd265fc1fd9..075f8abde5cd 100644 +--- a/drivers/net/usb/lan78xx.c ++++ b/drivers/net/usb/lan78xx.c +@@ -76,6 +76,8 @@ + #define LAN7801_USB_PRODUCT_ID (0x7801) + #define LAN78XX_EEPROM_MAGIC (0x78A5) + #define LAN78XX_OTP_MAGIC (0x78F3) ++#define AT29M2AF_USB_VENDOR_ID (0x07C9) ++#define AT29M2AF_USB_PRODUCT_ID (0x0012) + + #define MII_READ 1 + #define MII_WRITE 0 +@@ -4734,6 +4736,10 @@ static const struct usb_device_id products[] = { + /* LAN7801 USB Gigabit Ethernet Device */ + USB_DEVICE(LAN78XX_USB_VENDOR_ID, LAN7801_USB_PRODUCT_ID), + }, ++ { ++ /* ATM2-AF USB Gigabit Ethernet Device */ ++ USB_DEVICE(AT29M2AF_USB_VENDOR_ID, AT29M2AF_USB_PRODUCT_ID), ++ }, + {}, + }; + MODULE_DEVICE_TABLE(usb, products); +-- +2.31.1 + diff --git a/patches.suse/net-usb-pegasus-Do-not-drop-long-Ethernet-frames.patch b/patches.suse/net-usb-pegasus-Do-not-drop-long-Ethernet-frames.patch new file mode 100644 index 0000000..97fd989 --- /dev/null +++ b/patches.suse/net-usb-pegasus-Do-not-drop-long-Ethernet-frames.patch @@ -0,0 +1,63 @@ +From ca506fca461b260ab32952b610c3d4aadc6c11fd Mon Sep 17 00:00:00 2001 +From: Matthias-Christian Ott +Date: Sun, 26 Dec 2021 23:12:08 +0100 +Subject: [PATCH] net: usb: pegasus: Do not drop long Ethernet frames +Git-commit: ca506fca461b260ab32952b610c3d4aadc6c11fd +Patch-mainline: v5.16-rc8 +References: git-fixes + +The D-Link DSB-650TX (2001:4002) is unable to receive Ethernet frames +that are longer than 1518 octets, for example, Ethernet frames that +contain 802.1Q VLAN tags. + +The frames are sent to the pegasus driver via USB but the driver +discards them because they have the Long_pkt field set to 1 in the +received status report. The function read_bulk_callback of the pegasus +driver treats such received "packets" (in the terminology of the +hardware) as errors but the field simply does just indicate that the +Ethernet frame (MAC destination to FCS) is longer than 1518 octets. + +It seems that in the 1990s there was a distinction between +"giant" (> 1518) and "runt" (< 64) frames and the hardware includes +flags to indicate this distinction. It seems that the purpose of the +distinction "giant" frames was to not allow infinitely long frames due +to transmission errors and to allow hardware to have an upper limit of +the frame size. However, the hardware already has such limit with its +2048 octet receive buffer and, therefore, Long_pkt is merely a +convention and should not be treated as a receive error. + +Actually, the hardware is even able to receive Ethernet frames with 2048 +octets which exceeds the claimed limit frame size limit of the driver of +1536 octets (PEGASUS_MTU). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Matthias-Christian Ott +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + drivers/net/usb/pegasus.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/usb/pegasus.c b/drivers/net/usb/pegasus.c +index c4cd40b090fd..feb247e355f7 100644 +--- a/drivers/net/usb/pegasus.c ++++ b/drivers/net/usb/pegasus.c +@@ -493,11 +493,11 @@ static void read_bulk_callback(struct urb *urb) + goto goon; + + rx_status = buf[count - 2]; +- if (rx_status & 0x1e) { ++ if (rx_status & 0x1c) { + netif_dbg(pegasus, rx_err, net, + "RX packet error %x\n", rx_status); + net->stats.rx_errors++; +- if (rx_status & 0x06) /* long or runt */ ++ if (rx_status & 0x04) /* runt */ + net->stats.rx_length_errors++; + if (rx_status & 0x08) + net->stats.rx_crc_errors++; +-- +2.31.1 + diff --git a/patches.suse/netdevsim-Zero-initialize-memory-for-new-map-s-value.patch b/patches.suse/netdevsim-Zero-initialize-memory-for-new-map-s-value.patch new file mode 100644 index 0000000..395c76e --- /dev/null +++ b/patches.suse/netdevsim-Zero-initialize-memory-for-new-map-s-value.patch @@ -0,0 +1,42 @@ +From: Haimin Zhang +Date: Wed, 15 Dec 2021 19:15:30 +0800 +Subject: netdevsim: Zero-initialize memory for new map's value in function + nsim_bpf_map_alloc +Patch-mainline: v5.16-rc6 +Git-commit: 481221775d53d6215a6e5e9ce1cce6d2b4ab9a46 +References: bsc#1193927 CVE-2021-4135 + +Zero-initialize memory for new map's value in function nsim_bpf_map_alloc +since it may cause a potential kernel information leak issue, as follows: +1. nsim_bpf_map_alloc calls nsim_map_alloc_elem to allocate elements for +a new map. +2. nsim_map_alloc_elem uses kmalloc to allocate map's value, but doesn't +zero it. +3. A user application can use IOCTL BPF_MAP_LOOKUP_ELEM to get specific +element's information in the map. +4. The kernel function map_lookup_elem will call bpf_map_copy_value to get +the information allocated at step-2, then use copy_to_user to copy to the +user buffer. +This can only leak information for an array map. + +Fixes: 395cacb5f1a0 ("netdevsim: bpf: support fake map offload") +Suggested-by: Jakub Kicinski +Acked-by: Jakub Kicinski +Signed-off-by: Haimin Zhang +Link: https://lore.kernel.org/r/20211215111530.72103-1-tcs.kernel@gmail.com +Signed-off-by: Jakub Kicinski +Acked-by: Thomas Bogendoerfer +--- + drivers/net/netdevsim/bpf.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/netdevsim/bpf.c ++++ b/drivers/net/netdevsim/bpf.c +@@ -512,6 +512,7 @@ nsim_bpf_map_alloc(struct netdevsim *ns, + goto err_free; + key = nmap->entry[i].key; + *key = i; ++ memset(nmap->entry[i].value, 0, offmap->map.value_size); + } + } + diff --git a/patches.suse/netfilter-nf_tables-initialize-set-before-expression.patch b/patches.suse/netfilter-nf_tables-initialize-set-before-expression.patch new file mode 100644 index 0000000..6c21657 --- /dev/null +++ b/patches.suse/netfilter-nf_tables-initialize-set-before-expression.patch @@ -0,0 +1,113 @@ +From: Pablo Neira Ayuso +Date: Fri, 4 Jun 2021 03:07:28 +0200 +Subject: netfilter: nf_tables: initialize set before expression setup +Patch-mainline: v5.13-rc7 +Git-commit: ad9f151e560b016b6ad3280b48e42fa11e1a5440 +References: bsc#1194518 CVE-2021-46283 + +nft_set_elem_expr_alloc() needs an initialized set if expression sets on +the NFT_EXPR_GC flag. Move set fields initialization before expression +setup. + +[4512935.019450] ================================================================== +[4512935.019456] BUG: KASAN: null-ptr-deref in nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables] +[4512935.019487] Read of size 8 at addr 0000000000000070 by task nft/23532 +[4512935.019494] CPU: 1 PID: 23532 Comm: nft Not tainted 5.12.0-rc4+ #48 +[...] +[4512935.019502] Call Trace: +[4512935.019505] dump_stack+0x89/0xb4 +[4512935.019512] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables] +[4512935.019536] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables] +[4512935.019560] kasan_report.cold.12+0x5f/0xd8 +[4512935.019566] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables] +[4512935.019590] nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables] +[4512935.019615] nf_tables_newset+0xc7f/0x1460 [nf_tables] + +Reported-by: syzbot+ce96ca2b1d0b37c6422d@syzkaller.appspotmail.com +Fixes: 65038428b2c6 ("netfilter: nf_tables: allow to specify stateful expression in set definition") +Signed-off-by: Pablo Neira Ayuso +Acked-by: Thomas Bogendoerfer +--- + net/netfilter/nf_tables_api.c | 41 +++++++++++++++++++++-------------------- + 1 file changed, 21 insertions(+), 20 deletions(-) + +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -4220,15 +4220,7 @@ static int nf_tables_newset(struct net * + err = nf_tables_set_alloc_name(&ctx, set, name); + kfree(name); + if (err < 0) +- goto err_set_alloc_name; +- +- if (nla[NFTA_SET_EXPR]) { +- expr = nft_set_elem_expr_alloc(&ctx, set, nla[NFTA_SET_EXPR]); +- if (IS_ERR(expr)) { +- err = PTR_ERR(expr); +- goto err_set_alloc_name; +- } +- } ++ goto err_set_name; + + udata = NULL; + if (udlen) { +@@ -4239,21 +4231,19 @@ static int nf_tables_newset(struct net * + INIT_LIST_HEAD(&set->bindings); + set->table = table; + write_pnet(&set->net, net); +- set->ops = ops; ++ set->ops = ops; + set->ktype = ktype; +- set->klen = desc.klen; ++ set->klen = desc.klen; + set->dtype = dtype; + set->objtype = objtype; +- set->dlen = desc.dlen; +- set->expr = expr; ++ set->dlen = desc.dlen; + set->flags = flags; +- set->size = desc.size; ++ set->size = desc.size; + set->policy = policy; +- set->udlen = udlen; +- set->udata = udata; ++ set->udlen = udlen; ++ set->udata = udata; + set->timeout = timeout; + set->gc_int = gc_int; +- set->handle = nf_tables_alloc_handle(table); + + set->field_count = desc.field_count; + for (i = 0; i < desc.field_count; i++) +@@ -4263,6 +4253,17 @@ static int nf_tables_newset(struct net * + if (err < 0) + goto err_set_init; + ++ if (nla[NFTA_SET_EXPR]) { ++ expr = nft_set_elem_expr_alloc(&ctx, set, nla[NFTA_SET_EXPR]); ++ if (IS_ERR(expr)) { ++ err = PTR_ERR(expr); ++ goto err_set_expr_alloc; ++ } ++ set->expr = expr; ++ } ++ ++ set->handle = nf_tables_alloc_handle(table); ++ + err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set); + if (err < 0) + goto err_set_trans; +@@ -4272,11 +4273,11 @@ static int nf_tables_newset(struct net * + return 0; + + err_set_trans: +- ops->destroy(set); +-err_set_init: + if (expr) + nft_expr_destroy(&ctx, expr); +-err_set_alloc_name: ++err_set_expr_alloc: ++ ops->destroy(set); ++err_set_init: + kfree(set->name); + err_set_name: + kvfree(set); diff --git a/patches.suse/netfilter-nft_set_pipapo-allocate-pcpu-scratch-maps-.patch b/patches.suse/netfilter-nft_set_pipapo-allocate-pcpu-scratch-maps-.patch new file mode 100644 index 0000000..5084fee --- /dev/null +++ b/patches.suse/netfilter-nft_set_pipapo-allocate-pcpu-scratch-maps-.patch @@ -0,0 +1,51 @@ +From: Florian Westphal +Date: Wed, 5 Jan 2022 14:19:54 +0100 +Subject: netfilter: nft_set_pipapo: allocate pcpu scratch maps on clone +Patch-mainline: v5.17-rc1 +Git-commit: 23c54263efd7cb605e2f7af72717a2a951999217 +References: bsc#1176447 + +This is needed in case a new transaction is made that doesn't insert any +new elements into an already existing set. + +Else, after second 'nft -f ruleset.txt', lookups in such a set will fail +because ->lookup() encounters raw_cpu_ptr(m->scratch) == NULL. + +For the initial rule load, insertion of elements takes care of the +allocation, but for rule reloads this isn't guaranteed: we might not +have additions to the set. + +Fixes: 3c4287f62044a90e ("nf_tables: Add set type for arbitrary concatenation of ranges") +Reported-by: etkaar +Signed-off-by: Florian Westphal +Reviewed-by: Stefano Brivio +Signed-off-by: Pablo Neira Ayuso +Acked-by: Thomas Bogendoerfer +--- + net/netfilter/nft_set_pipapo.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/net/netfilter/nft_set_pipapo.c ++++ b/net/netfilter/nft_set_pipapo.c +@@ -1290,6 +1290,11 @@ static struct nft_pipapo_match *pipapo_c + if (!new->scratch_aligned) + goto out_scratch; + #endif ++ for_each_possible_cpu(i) ++ *per_cpu_ptr(new->scratch, i) = NULL; ++ ++ if (pipapo_realloc_scratch(new, old->bsize_max)) ++ goto out_scratch_realloc; + + rcu_head_init(&new->rcu); + +@@ -1334,6 +1339,9 @@ out_lt: + kvfree(dst->lt); + dst--; + } ++out_scratch_realloc: ++ for_each_possible_cpu(i) ++ kfree(*per_cpu_ptr(new->scratch, i)); + #ifdef NFT_PIPAPO_ALIGN + free_percpu(new->scratch_aligned); + #endif diff --git a/patches.suse/nfsd-Fix-nsfd-startup-race-again.patch b/patches.suse/nfsd-Fix-nsfd-startup-race-again.patch new file mode 100644 index 0000000..7affa9d --- /dev/null +++ b/patches.suse/nfsd-Fix-nsfd-startup-race-again.patch @@ -0,0 +1,108 @@ +From: Alexander Sverdlin +Date: Tue, 7 Dec 2021 15:00:39 +0100 +Subject: [PATCH] nfsd: Fix nsfd startup race (again) +Git-commit: b10252c7ae9c9d7c90552f88b544a44ee773af64 +Patch-mainline: v5.16 +References: git-fixes + +Commit bd5ae9288d64 ("nfsd: register pernet ops last, unregister first") +has re-opened rpc_pipefs_event() race against nfsd_net_id registration +(register_pernet_subsys()) which has been fixed by commit bb7ffbf29e76 +("nfsd: fix nsfd startup race triggering BUG_ON"). + +Restore the order of register_pernet_subsys() vs register_cld_notifier(). +Add WARN_ON() to prevent a future regression. + +Crash info: +Unable to handle kernel NULL pointer dereference at virtual address 0000000000000012 +Cpu: 8 PID: 345 Comm: mount Not tainted 5.4.144-... #1 +pc : rpc_pipefs_event+0x54/0x120 [nfsd] +lr : rpc_pipefs_event+0x48/0x120 [nfsd] +Call trace: + rpc_pipefs_event+0x54/0x120 [nfsd] + blocking_notifier_call_chain + rpc_fill_super + get_tree_keyed + rpc_fs_get_tree + vfs_get_tree + do_mount + ksys_mount + __arm64_sys_mount + el0_svc_handler + el0_svc + +Fixes: bd5ae9288d64 ("nfsd: register pernet ops last, unregister first") +Cc: stable@vger.kernel.org +Signed-off-by: Alexander Sverdlin +Signed-off-by: J. Bruce Fields +Acked-by: NeilBrown + +--- + fs/nfsd/nfs4recover.c | 1 + + fs/nfsd/nfsctl.c | 14 +++++++------- + 2 files changed, 8 insertions(+), 7 deletions(-) + +--- a/fs/nfsd/nfs4recover.c ++++ b/fs/nfsd/nfs4recover.c +@@ -1913,6 +1913,7 @@ static struct notifier_block nfsd4_cld_b + int + register_cld_notifier(void) + { ++ WARN_ON(!nfsd_net_id); + return rpc_pipefs_notifier_register(&nfsd4_cld_block); + } + +--- a/fs/nfsd/nfsctl.c ++++ b/fs/nfsd/nfsctl.c +@@ -1523,12 +1523,9 @@ static int __init init_nfsd(void) + int retval; + printk(KERN_INFO "Installing knfsd (copyright (C) 1996 okir@monad.swb.de).\n"); + +- retval = register_cld_notifier(); +- if (retval) +- return retval; + retval = nfsd4_init_slabs(); + if (retval) +- goto out_unregister_notifier; ++ return retval; + retval = nfsd4_init_pnfs(); + if (retval) + goto out_free_slabs; +@@ -1546,9 +1543,14 @@ static int __init init_nfsd(void) + goto out_free_exports; + retval = register_pernet_subsys(&nfsd_net_ops); + if (retval < 0) ++ goto out_free_filesystem; ++ retval = register_cld_notifier(); ++ if (retval) + goto out_free_all; + return 0; + out_free_all: ++ unregister_pernet_subsys(&nfsd_net_ops); ++out_free_filesystem: + unregister_filesystem(&nfsd_fs_type); + out_free_exports: + remove_proc_entry("fs/nfs/exports", NULL); +@@ -1562,13 +1564,12 @@ out_free_stat: + nfsd4_exit_pnfs(); + out_free_slabs: + nfsd4_free_slabs(); +-out_unregister_notifier: +- unregister_cld_notifier(); + return retval; + } + + static void __exit exit_nfsd(void) + { ++ unregister_cld_notifier(); + unregister_pernet_subsys(&nfsd_net_ops); + nfsd_drc_slab_free(); + remove_proc_entry("fs/nfs/exports", NULL); +@@ -1579,7 +1580,6 @@ static void __exit exit_nfsd(void) + nfsd4_exit_pnfs(); + nfsd_fault_inject_cleanup(); + unregister_filesystem(&nfsd_fs_type); +- unregister_cld_notifier(); + } + + MODULE_AUTHOR("Olaf Kirch "); diff --git a/patches.suse/nft_set_pipapo-Fix-bucket-load-in-AVX2-lookup-routin.patch b/patches.suse/nft_set_pipapo-Fix-bucket-load-in-AVX2-lookup-routin.patch new file mode 100644 index 0000000..649f291 --- /dev/null +++ b/patches.suse/nft_set_pipapo-Fix-bucket-load-in-AVX2-lookup-routin.patch @@ -0,0 +1,38 @@ +From: Stefano Brivio +Date: Sat, 27 Nov 2021 11:33:37 +0100 +Subject: nft_set_pipapo: Fix bucket load in AVX2 lookup routine for six 8-bit + groups +Patch-mainline: v5.16-rc5 +Git-commit: b7e945e228d7df1b1473ef6fd2cdec67433065fb +References: bsc#1176447 + +The sixth byte of packet data has to be looked up in the sixth group, +not in the seventh one, even if we load the bucket data into ymm6 +(and not ymm5, for convenience of tracking stalls). + +Without this fix, matching on a MAC address as first field of a set, +if 8-bit groups are selected (due to a small set size) would fail, +that is, the given MAC address would never match. + +Reported-by: Nikita Yushchenko +Cc: # 5.6.x +Fixes: 7400b063969b ("nft_set_pipapo: Introduce AVX2-based lookup implementation") +Signed-off-by: Stefano Brivio +Tested-By: Nikita Yushchenko +Signed-off-by: Pablo Neira Ayuso +Acked-by: Thomas Bogendoerfer +--- + net/netfilter/nft_set_pipapo_avx2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netfilter/nft_set_pipapo_avx2.c ++++ b/net/netfilter/nft_set_pipapo_avx2.c +@@ -887,7 +887,7 @@ static int nft_pipapo_avx2_lookup_8b_6(u + NFT_PIPAPO_AVX2_BUCKET_LOAD8(4, lt, 4, pkt[4], bsize); + + NFT_PIPAPO_AVX2_AND(5, 0, 1); +- NFT_PIPAPO_AVX2_BUCKET_LOAD8(6, lt, 6, pkt[5], bsize); ++ NFT_PIPAPO_AVX2_BUCKET_LOAD8(6, lt, 5, pkt[5], bsize); + NFT_PIPAPO_AVX2_AND(7, 2, 3); + + /* Stall */ diff --git a/patches.suse/pcmcia-fix-setting-of-kthread-task-states.patch b/patches.suse/pcmcia-fix-setting-of-kthread-task-states.patch new file mode 100644 index 0000000..5eab8a5 --- /dev/null +++ b/patches.suse/pcmcia-fix-setting-of-kthread-task-states.patch @@ -0,0 +1,55 @@ +From fbb3485f1f931102d8ba606f1c28123f5b48afa3 Mon Sep 17 00:00:00 2001 +From: Dominik Brodowski +Date: Sun, 9 Jan 2022 10:02:51 +0100 +Subject: [PATCH] pcmcia: fix setting of kthread task states +Git-commit: fbb3485f1f931102d8ba606f1c28123f5b48afa3 +Patch-mainline: v5.17-rc1 +References: git-fixes + +We need to set TASK_INTERRUPTIBLE before calling kthread_should_stop(). +Otherwise, kthread_stop() might see that the pccardd thread is still +in TASK_RUNNING state and fail to wake it up. + +Additionally, we only need to set the state back to TASK_RUNNING if +kthread_should_stop() breaks the loop. + +Cc: Greg Kroah-Hartman +Reported-by: Al Viro +Reviewed-by: Matthew Wilcox (Oracle) +Fixes: d3046ba809ce ("pcmcia: fix a boot time warning in pcmcia cs code") +Signed-off-by: Dominik Brodowski +Acked-by: Takashi Iwai + +--- + drivers/pcmcia/cs.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/pcmcia/cs.c b/drivers/pcmcia/cs.c +index e211e2619680..f70197154a36 100644 +--- a/drivers/pcmcia/cs.c ++++ b/drivers/pcmcia/cs.c +@@ -666,18 +666,16 @@ static int pccardd(void *__skt) + if (events || sysfs_events) + continue; + ++ set_current_state(TASK_INTERRUPTIBLE); + if (kthread_should_stop()) + break; + +- set_current_state(TASK_INTERRUPTIBLE); +- + schedule(); + +- /* make sure we are running */ +- __set_current_state(TASK_RUNNING); +- + try_to_freeze(); + } ++ /* make sure we are running before we exit */ ++ __set_current_state(TASK_RUNNING); + + /* shut down socket, if a device is still present */ + if (skt->state & SOCKET_PRESENT) { +-- +2.31.1 + diff --git a/patches.suse/pcmcia-rsrc_nonstatic-Fix-a-NULL-pointer-dereference-977d2e7c63c3.patch b/patches.suse/pcmcia-rsrc_nonstatic-Fix-a-NULL-pointer-dereference-977d2e7c63c3.patch new file mode 100644 index 0000000..735ebae --- /dev/null +++ b/patches.suse/pcmcia-rsrc_nonstatic-Fix-a-NULL-pointer-dereference-977d2e7c63c3.patch @@ -0,0 +1,54 @@ +From 977d2e7c63c3d04d07ba340b39987742e3241554 Mon Sep 17 00:00:00 2001 +From: Zhou Qingyang +Date: Wed, 1 Dec 2021 02:11:40 +0800 +Subject: [PATCH] pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in nonstatic_find_mem_region() +Git-commit: 977d2e7c63c3d04d07ba340b39987742e3241554 +Patch-mainline: v5.17-rc1 +References: git-fixes + +In nonstatic_find_mem_region(), pcmcia_make_resource() is assigned to +res and used in pci_bus_alloc_resource(). There a dereference of res +in pci_bus_alloc_resource(), which could lead to a NULL pointer +dereference on failure of pcmcia_make_resource(). + +Fix this bug by adding a check of res. + +This bug was found by a static analyzer. The analysis employs +differential checking to identify inconsistent security operations +(e.g., checks or kfrees) between two code paths and confirms that the +inconsistent operations are not recovered in the current function or +the callers, so they constitute bugs. + +Note that, as a bug found by static analysis, it can be a false +positive or hard to trigger. Multiple researchers have cross-reviewed +the bug. + +Builds with CONFIG_PCCARD_NONSTATIC=y show no new warnings, +and our static analyzer no longer warns about this code. + +Fixes: 49b1153adfe1 ("pcmcia: move all pcmcia_resource_ops providers into one module") +Signed-off-by: Zhou Qingyang +Signed-off-by: Dominik Brodowski +Acked-by: Takashi Iwai + +--- + drivers/pcmcia/rsrc_nonstatic.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/pcmcia/rsrc_nonstatic.c b/drivers/pcmcia/rsrc_nonstatic.c +index 827ca6e9ee54..1cac52870711 100644 +--- a/drivers/pcmcia/rsrc_nonstatic.c ++++ b/drivers/pcmcia/rsrc_nonstatic.c +@@ -812,6 +812,9 @@ static struct resource *nonstatic_find_mem_region(u_long base, u_long num, + unsigned long min, max; + int ret, i, j; + ++ if (!res) ++ return NULL; ++ + low = low || !(s->features & SS_CAP_PAGE_REGS); + + data.mask = align - 1; +-- +2.31.1 + diff --git a/patches.suse/pcmcia-rsrc_nonstatic-Fix-a-NULL-pointer-dereference.patch b/patches.suse/pcmcia-rsrc_nonstatic-Fix-a-NULL-pointer-dereference.patch new file mode 100644 index 0000000..d1098b3 --- /dev/null +++ b/patches.suse/pcmcia-rsrc_nonstatic-Fix-a-NULL-pointer-dereference.patch @@ -0,0 +1,55 @@ +From ca0fe0d7c35c97528bdf621fdca75f13157c27af Mon Sep 17 00:00:00 2001 +From: Zhou Qingyang +Date: Wed, 1 Dec 2021 00:59:23 +0800 +Subject: [PATCH] pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in __nonstatic_find_io_region() +Git-commit: ca0fe0d7c35c97528bdf621fdca75f13157c27af +Patch-mainline: v5.17-rc1 +References: git-fixes + +In __nonstatic_find_io_region(), pcmcia_make_resource() is assigned to +res and used in pci_bus_alloc_resource(). There is a dereference of res +in pci_bus_alloc_resource(), which could lead to a NULL pointer +dereference on failure of pcmcia_make_resource(). + +Fix this bug by adding a check of res. + +This bug was found by a static analyzer. The analysis employs +differential checking to identify inconsistent security operations +(e.g., checks or kfrees) between two code paths and confirms that the +inconsistent operations are not recovered in the current function or +the callers, so they constitute bugs. + +Note that, as a bug found by static analysis, it can be a false +positive or hard to trigger. Multiple researchers have cross-reviewed +the bug. + +Builds with CONFIG_PCCARD_NONSTATIC=y show no new warnings, +and our static analyzer no longer warns about this code. + +Fixes: 49b1153adfe1 ("pcmcia: move all pcmcia_resource_ops providers into one module") +Signed-off-by: Zhou Qingyang +[linux@dominikbrodowski.net: Fix typo in commit message] +Signed-off-by: Dominik Brodowski +Acked-by: Takashi Iwai + +--- + drivers/pcmcia/rsrc_nonstatic.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/pcmcia/rsrc_nonstatic.c b/drivers/pcmcia/rsrc_nonstatic.c +index bb15a8bdbaab..827ca6e9ee54 100644 +--- a/drivers/pcmcia/rsrc_nonstatic.c ++++ b/drivers/pcmcia/rsrc_nonstatic.c +@@ -690,6 +690,9 @@ static struct resource *__nonstatic_find_io_region(struct pcmcia_socket *s, + unsigned long min = base; + int ret; + ++ if (!res) ++ return NULL; ++ + data.mask = align - 1; + data.offset = base & data.mask; + data.map = &s_data->io_db; +-- +2.31.1 + diff --git a/patches.suse/pipe-increase-minimum-default-pipe-size-to-2-pages.patch b/patches.suse/pipe-increase-minimum-default-pipe-size-to-2-pages.patch new file mode 100644 index 0000000..70c3b63 --- /dev/null +++ b/patches.suse/pipe-increase-minimum-default-pipe-size-to-2-pages.patch @@ -0,0 +1,75 @@ +From 46c4c9d1beb7f5b4cec4dd90e7728720583ee348 Mon Sep 17 00:00:00 2001 +From: "Alex Xu (Hello71)" +Date: Thu, 5 Aug 2021 10:40:47 -0400 +Subject: [PATCH] pipe: increase minimum default pipe size to 2 pages +Git-commit: 46c4c9d1beb7f5b4cec4dd90e7728720583ee348 +Patch-mainline: v5.14-rc5 +References: bsc#1194587 + +This program always prints 4096 and hangs before the patch, and always +prints 8192 and exits successfully after: + + int main() + { + int pipefd[2]; + for (int i = 0; i < 1025; i++) + if (pipe(pipefd) == -1) + return 1; + size_t bufsz = fcntl(pipefd[1], F_GETPIPE_SZ); + printf("%zd\n", bufsz); + char *buf = calloc(bufsz, 1); + write(pipefd[1], buf, bufsz); + read(pipefd[0], buf, bufsz-1); + write(pipefd[1], buf, 1); + } + +Note that you may need to increase your RLIMIT_NOFILE before running the +program. + +Fixes: 759c01142a ("pipe: limit the per-user amount of pages allocated in pipes") +Cc: +Link: https://lore.kernel.org/lkml/1628086770.5rn8p04n6j.none@localhost/ +Link: https://lore.kernel.org/lkml/1628127094.lxxn016tj7.none@localhost/ +Signed-off-by: Alex Xu (Hello71) +Signed-off-by: Linus Torvalds +Acked-by: Jan Kara + +--- + fs/pipe.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +--- a/fs/pipe.c ++++ b/fs/pipe.c +@@ -31,6 +31,21 @@ + #include "internal.h" + + /* ++ * New pipe buffers will be restricted to this size while the user is exceeding ++ * their pipe buffer quota. The general pipe use case needs at least two ++ * buffers: one for data yet to be read, and one for new data. If this is less ++ * than two, then a write to a non-empty pipe may block even if the pipe is not ++ * full. This can occur with GNU make jobserver or similar uses of pipes as ++ * semaphores: multiple processes may be waiting to write tokens back to the ++ * pipe before reading tokens: https://lore.kernel.org/lkml/1628086770.5rn8p04n6j.none@localhost/. ++ * ++ * Users can reduce their pipe buffers with F_SETPIPE_SZ below this at their ++ * own risk, namely: pipe writes to non-full pipes may block until the pipe is ++ * emptied. ++ */ ++#define PIPE_MIN_DEF_BUFFERS 2 ++ ++/* + * The max size that a non-root user is allowed to grow the pipe. Can + * be set by root in /proc/sys/fs/pipe-max-size + */ +@@ -666,8 +681,8 @@ struct pipe_inode_info *alloc_pipe_info( + user_bufs = account_pipe_buffers(user, 0, pipe_bufs); + + if (too_many_pipe_buffers_soft(user_bufs) && is_unprivileged_user()) { +- user_bufs = account_pipe_buffers(user, pipe_bufs, 1); +- pipe_bufs = 1; ++ user_bufs = account_pipe_buffers(user, pipe_bufs, PIPE_MIN_DEF_BUFFERS); ++ pipe_bufs = PIPE_MIN_DEF_BUFFERS; + } + + if (too_many_pipe_buffers_hard(user_bufs) && is_unprivileged_user()) diff --git a/patches.suse/platform-x86-apple-gmux-use-resource_size-with-res.patch b/patches.suse/platform-x86-apple-gmux-use-resource_size-with-res.patch new file mode 100644 index 0000000..a87fcf8 --- /dev/null +++ b/patches.suse/platform-x86-apple-gmux-use-resource_size-with-res.patch @@ -0,0 +1,37 @@ +From eb66fb03a727cde0ab9b1a3858de55c26f3007da Mon Sep 17 00:00:00 2001 +From: Wang Qing +Date: Tue, 14 Dec 2021 04:18:36 -0800 +Subject: [PATCH] platform/x86: apple-gmux: use resource_size() with res +Git-commit: eb66fb03a727cde0ab9b1a3858de55c26f3007da +Patch-mainline: v5.16-rc7 +References: git-fixes + +This should be (res->end - res->start + 1) here actually, +use resource_size() derectly. + +Signed-off-by: Wang Qing +Link: https://lore.kernel.org/r/1639484316-75873-1-git-send-email-wangqing@vivo.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Acked-by: Takashi Iwai + +--- + drivers/platform/x86/apple-gmux.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/apple-gmux.c b/drivers/platform/x86/apple-gmux.c +index 9aae45a45200..57553f9b4d1d 100644 +--- a/drivers/platform/x86/apple-gmux.c ++++ b/drivers/platform/x86/apple-gmux.c +@@ -625,7 +625,7 @@ static int gmux_probe(struct pnp_dev *pnp, const struct pnp_device_id *id) + } + + gmux_data->iostart = res->start; +- gmux_data->iolen = res->end - res->start; ++ gmux_data->iolen = resource_size(res); + + if (gmux_data->iolen < GMUX_MIN_IO_LEN) { + pr_err("gmux I/O region too small (%lu < %u)\n", +-- +2.31.1 + diff --git a/patches.suse/power-reset-ltc2952-Fix-use-of-floating-point-litera.patch b/patches.suse/power-reset-ltc2952-Fix-use-of-floating-point-litera.patch new file mode 100644 index 0000000..a8c0400 --- /dev/null +++ b/patches.suse/power-reset-ltc2952-Fix-use-of-floating-point-litera.patch @@ -0,0 +1,63 @@ +From 644106cdb89844be2496b21175b7c0c2e0fab381 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Fri, 5 Nov 2021 08:20:50 -0700 +Subject: [PATCH] power: reset: ltc2952: Fix use of floating point literals +Git-commit: 644106cdb89844be2496b21175b7c0c2e0fab381 +Patch-mainline: v5.16 +References: git-fixes + +A new commit in LLVM causes an error on the use of 'long double' when +'-mno-x87' is used, which the kernel does through an alias, +'-mno-80387' (see the LLVM commit below for more details around why it +does this). + +drivers/power/reset/ltc2952-poweroff.c:162:28: error: expression requires 'long double' type support, but target 'x86_64-unknown-linux-gnu' does not support it + data->wde_interval = 300L * 1E6L; + ^ +drivers/power/reset/ltc2952-poweroff.c:162:21: error: expression requires 'long double' type support, but target 'x86_64-unknown-linux-gnu' does not support it + data->wde_interval = 300L * 1E6L; + ^ +drivers/power/reset/ltc2952-poweroff.c:163:41: error: expression requires 'long double' type support, but target 'x86_64-unknown-linux-gnu' does not support it + data->trigger_delay = ktime_set(2, 500L*1E6L); + ^ +3 errors generated. + +This happens due to the use of a 'long double' literal. The 'E6' part of +'1E6L' causes the literal to be a 'double' then the 'L' suffix promotes +it to 'long double'. + +There is no visible reason for floating point values in this driver, as +the values are only assigned to integer types. Use NSEC_PER_MSEC, which +is the same integer value as '1E6L', to avoid changing functionality but +fix the error. + +Fixes: 6647156c00cc ("power: reset: add LTC2952 poweroff driver") +Link: https://github.com/ClangBuiltLinux/linux/issues/1497 +Link: https://github.com/llvm/llvm-project/commit/a8083d42b1c346e21623a1d36d1f0cadd7801d83 +Signed-off-by: Nathan Chancellor +Reviewed-by: Nick Desaulniers +Signed-off-by: Sebastian Reichel +Acked-by: Takashi Iwai + +--- + drivers/power/reset/ltc2952-poweroff.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/power/reset/ltc2952-poweroff.c b/drivers/power/reset/ltc2952-poweroff.c +index fbb344353fe4..65d9528cc989 100644 +--- a/drivers/power/reset/ltc2952-poweroff.c ++++ b/drivers/power/reset/ltc2952-poweroff.c +@@ -159,8 +159,8 @@ static void ltc2952_poweroff_kill(void) + + static void ltc2952_poweroff_default(struct ltc2952_poweroff *data) + { +- data->wde_interval = 300L * 1E6L; +- data->trigger_delay = ktime_set(2, 500L*1E6L); ++ data->wde_interval = 300L * NSEC_PER_MSEC; ++ data->trigger_delay = ktime_set(2, 500L * NSEC_PER_MSEC); + + hrtimer_init(&data->timer_trigger, CLOCK_MONOTONIC, HRTIMER_MODE_REL); + data->timer_trigger.function = ltc2952_poweroff_timer_trigger; +-- +2.31.1 + diff --git a/patches.suse/power-supply-core-Break-capacity-loop.patch b/patches.suse/power-supply-core-Break-capacity-loop.patch new file mode 100644 index 0000000..b46769b --- /dev/null +++ b/patches.suse/power-supply-core-Break-capacity-loop.patch @@ -0,0 +1,42 @@ +From 51c7b6a0398f54b9120795796a4cff4fc9634f7d Mon Sep 17 00:00:00 2001 +From: Linus Walleij +Date: Mon, 15 Nov 2021 00:12:07 +0100 +Subject: [PATCH] power: supply: core: Break capacity loop +Git-commit: 51c7b6a0398f54b9120795796a4cff4fc9634f7d +Patch-mainline: v5.16 +References: git-fixes + +We should not go on looking for more capacity tables after +we realize we have looked at the last one in +power_supply_find_ocv2cap_table(). + +Fixes: 3afb50d7125b ("power: supply: core: Add some helpers to use the battery OCV capacity table") +Cc: Chunyan Zhang +Cc: Baolin Wang +Signed-off-by: Linus Walleij +Reviewed-by: Baolin Wang +Signed-off-by: Sebastian Reichel +Acked-by: Takashi Iwai + +--- + drivers/power/supply/power_supply_core.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/power/supply/power_supply_core.c b/drivers/power/supply/power_supply_core.c +index fc12a4f407f4..6093754cebd5 100644 +--- a/drivers/power/supply/power_supply_core.c ++++ b/drivers/power/supply/power_supply_core.c +@@ -853,6 +853,10 @@ power_supply_find_ocv2cap_table(struct power_supply_battery_info *info, + return NULL; + + for (i = 0; i < POWER_SUPPLY_OCV_TEMP_MAX; i++) { ++ /* Out of capacity tables */ ++ if (!info->ocv_table[i]) ++ break; ++ + temp_diff = abs(info->ocv_temp[i] - temp); + + if (temp_diff < best_temp_diff) { +-- +2.31.1 + diff --git a/patches.suse/powerpc-fadump-Fix-inaccurate-CPU-state-info-in-vmco.patch b/patches.suse/powerpc-fadump-Fix-inaccurate-CPU-state-info-in-vmco.patch index 5515d43..ca85a66 100644 --- a/patches.suse/powerpc-fadump-Fix-inaccurate-CPU-state-info-in-vmco.patch +++ b/patches.suse/powerpc-fadump-Fix-inaccurate-CPU-state-info-in-vmco.patch @@ -5,8 +5,7 @@ Subject: [PATCH] powerpc/fadump: Fix inaccurate CPU state info in vmcore generated with panic References: bsc#1193901 ltc#194976 -Patch-mainline: queued -Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git +Patch-mainline: v5.17-rc1 Git-commit: 06e629c25daa519be620a8c17359ae8fc7a2e903 In panic path, fadump is triggered via a panic notifier function. diff --git a/patches.suse/powerpc-handle-kdump-appropriately-with-crash_kexec_.patch b/patches.suse/powerpc-handle-kdump-appropriately-with-crash_kexec_.patch index 9de2ef9..0824b4b 100644 --- a/patches.suse/powerpc-handle-kdump-appropriately-with-crash_kexec_.patch +++ b/patches.suse/powerpc-handle-kdump-appropriately-with-crash_kexec_.patch @@ -5,8 +5,7 @@ Subject: [PATCH] powerpc: handle kdump appropriately with crash_kexec_post_notifiers option References: bsc#1193901 ltc#194976 -Patch-mainline: queued -Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git +Patch-mainline: v5.17-rc1 Git-commit: 219572d2fc4135b5ce65c735d881787d48b10e71 Kdump can be triggered after panic_notifers since commit f06e5153f4ae2 diff --git a/patches.suse/powerpc-watchdog-Avoid-holding-wd_smp_lock-over-prin.patch b/patches.suse/powerpc-watchdog-Avoid-holding-wd_smp_lock-over-prin.patch index fa57624..cd63f4b 100644 --- a/patches.suse/powerpc-watchdog-Avoid-holding-wd_smp_lock-over-prin.patch +++ b/patches.suse/powerpc-watchdog-Avoid-holding-wd_smp_lock-over-prin.patch @@ -5,8 +5,7 @@ Subject: [PATCH] powerpc/watchdog: Avoid holding wd_smp_lock over printk and smp_send_nmi_ipi References: bsc#1187541 ltc#192129 -Patch-mainline: queued -Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git +Patch-mainline: v5.17-rc1 Git-commit: 76521c4b0291ad25723638ade5a0ff4d5f659771 There is a deadlock with the console_owner lock and the wd_smp_lock: diff --git a/patches.suse/powerpc-watchdog-Fix-missed-watchdog-reset-due-to-me.patch b/patches.suse/powerpc-watchdog-Fix-missed-watchdog-reset-due-to-me.patch index 87f3052..02ec5c2 100644 --- a/patches.suse/powerpc-watchdog-Fix-missed-watchdog-reset-due-to-me.patch +++ b/patches.suse/powerpc-watchdog-Fix-missed-watchdog-reset-due-to-me.patch @@ -5,8 +5,7 @@ Subject: [PATCH] powerpc/watchdog: Fix missed watchdog reset due to memory ordering race References: bsc#1187541 ltc#192129 -Patch-mainline: queued -Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git +Patch-mainline: v5.17-rc1 Git-commit: 5dad4ba68a2483fc80d70b9dc90bbe16e1f27263 It is possible for all CPUs to miss the pending cpumask becoming clear, diff --git a/patches.suse/powerpc-watchdog-Fix-wd_smp_last_reset_tb-reporting.patch b/patches.suse/powerpc-watchdog-Fix-wd_smp_last_reset_tb-reporting.patch index cb68442..eb1f989 100644 --- a/patches.suse/powerpc-watchdog-Fix-wd_smp_last_reset_tb-reporting.patch +++ b/patches.suse/powerpc-watchdog-Fix-wd_smp_last_reset_tb-reporting.patch @@ -4,8 +4,7 @@ Date: Thu, 25 Nov 2021 20:33:46 +1000 Subject: [PATCH] powerpc/watchdog: Fix wd_smp_last_reset_tb reporting References: bsc#1187541 ltc#192129 -Patch-mainline: queued -Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git +Patch-mainline: v5.17-rc1 Git-commit: 3d030e301856da366380b3865fce6c03037b08a6 wd_smp_last_reset_tb now gets reset by watchdog_smp_panic() as part of diff --git a/patches.suse/powerpc-watchdog-read-TB-close-to-where-it-is-used.patch b/patches.suse/powerpc-watchdog-read-TB-close-to-where-it-is-used.patch index d64573a..afcbe7c 100644 --- a/patches.suse/powerpc-watchdog-read-TB-close-to-where-it-is-used.patch +++ b/patches.suse/powerpc-watchdog-read-TB-close-to-where-it-is-used.patch @@ -4,8 +4,7 @@ Date: Wed, 10 Nov 2021 12:50:56 +1000 Subject: [PATCH] powerpc/watchdog: read TB close to where it is used References: bsc#1187541 ltc#192129 -Patch-mainline: queued -Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git +Patch-mainline: v5.17-rc1 Git-commit: 1f01bf90765fa5f88fbae452c131c1edf5cda7ba When taking watchdog actions, printing messages, comparing and diff --git a/patches.suse/powerpc-watchdog-tighten-non-atomic-read-modify-writ.patch b/patches.suse/powerpc-watchdog-tighten-non-atomic-read-modify-writ.patch index 9f63313..295ca82 100644 --- a/patches.suse/powerpc-watchdog-tighten-non-atomic-read-modify-writ.patch +++ b/patches.suse/powerpc-watchdog-tighten-non-atomic-read-modify-writ.patch @@ -4,8 +4,7 @@ Date: Wed, 10 Nov 2021 12:50:54 +1000 Subject: [PATCH] powerpc/watchdog: tighten non-atomic read-modify-write access References: bsc#1187541 ltc#192129 -Patch-mainline: queued -Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git +Patch-mainline: v5.17-rc1 Git-commit: 858c93c31504ac1507084493d7eafbe7e2302dc2 Most updates to wd_smp_cpus_pending are under lock except the watchdog diff --git a/patches.suse/qla2xxx-synchronize-rport-dev_loss_tmo-setting.patch b/patches.suse/qla2xxx-synchronize-rport-dev_loss_tmo-setting.patch index 933df6e..1282a42 100644 --- a/patches.suse/qla2xxx-synchronize-rport-dev_loss_tmo-setting.patch +++ b/patches.suse/qla2xxx-synchronize-rport-dev_loss_tmo-setting.patch @@ -1,9 +1,8 @@ From: Hannes Reinecke Date: Wed, 9 Jun 2021 11:49:56 +0200 Subject: qla2xxx: synchronize rport dev_loss_tmo setting -Patch-mainline: Queued in subsystem maintainer repository +Patch-mainline: v5.17-rc1 Git-commit: baea0e833f7612483dcb2351240da19f0d0bc011 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git References: bsc#1182470 bsc#1185486 bsc#1189158 Currently, the dev_loss_tmo setting is only ever used for SCSI diff --git a/patches.suse/qlcnic-potential-dereference-null-pointer-of-rx_queu.patch b/patches.suse/qlcnic-potential-dereference-null-pointer-of-rx_queu.patch new file mode 100644 index 0000000..301798b --- /dev/null +++ b/patches.suse/qlcnic-potential-dereference-null-pointer-of-rx_queu.patch @@ -0,0 +1,92 @@ +From: Jiasheng Jiang +Date: Fri, 17 Dec 2021 17:39:11 +0800 +Subject: qlcnic: potential dereference null pointer of rx_queue->page_ring +Patch-mainline: v5.16-rc7 +Git-commit: 60ec7fcfe76892a1479afab51ff17a4281923156 +References: git-fixes + +The return value of kcalloc() needs to be checked. +To avoid dereference of null pointer in case of the failure of alloc. +Therefore, it might be better to change the return type of +qlcnic_sriov_alloc_vlans() and return -ENOMEM when alloc fails and +return 0 the others. +Also, qlcnic_sriov_set_guest_vlan_mode() and __qlcnic_pci_sriov_enable() +should deal with the return value of qlcnic_sriov_alloc_vlans(). + +Fixes: 154d0c810c53 ("qlcnic: VLAN enhancement for 84XX adapters") +Signed-off-by: Jiasheng Jiang +Signed-off-by: David S. Miller +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov.h | 2 +- + drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c | 12 +++++++++--- + drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c | 4 +++- + 3 files changed, 13 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov.h ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov.h +@@ -202,7 +202,7 @@ int qlcnic_sriov_get_vf_vport_info(struc + struct qlcnic_info *, u16); + int qlcnic_sriov_cfg_vf_guest_vlan(struct qlcnic_adapter *, u16, u8); + void qlcnic_sriov_free_vlans(struct qlcnic_adapter *); +-void qlcnic_sriov_alloc_vlans(struct qlcnic_adapter *); ++int qlcnic_sriov_alloc_vlans(struct qlcnic_adapter *); + bool qlcnic_sriov_check_any_vlan(struct qlcnic_vf_info *); + void qlcnic_sriov_del_vlan_id(struct qlcnic_sriov *, + struct qlcnic_vf_info *, u16); +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c +@@ -433,7 +433,7 @@ static int qlcnic_sriov_set_guest_vlan_m + struct qlcnic_cmd_args *cmd) + { + struct qlcnic_sriov *sriov = adapter->ahw->sriov; +- int i, num_vlans; ++ int i, num_vlans, ret; + u16 *vlans; + + if (sriov->allowed_vlans) +@@ -444,7 +444,9 @@ static int qlcnic_sriov_set_guest_vlan_m + dev_info(&adapter->pdev->dev, "Number of allowed Guest VLANs = %d\n", + sriov->num_allowed_vlans); + +- qlcnic_sriov_alloc_vlans(adapter); ++ ret = qlcnic_sriov_alloc_vlans(adapter); ++ if (ret) ++ return ret; + + if (!sriov->any_vlan) + return 0; +@@ -2160,7 +2162,7 @@ static int qlcnic_sriov_vf_resume(struct + return err; + } + +-void qlcnic_sriov_alloc_vlans(struct qlcnic_adapter *adapter) ++int qlcnic_sriov_alloc_vlans(struct qlcnic_adapter *adapter) + { + struct qlcnic_sriov *sriov = adapter->ahw->sriov; + struct qlcnic_vf_info *vf; +@@ -2170,7 +2172,11 @@ void qlcnic_sriov_alloc_vlans(struct qlc + vf = &sriov->vf_info[i]; + vf->sriov_vlans = kcalloc(sriov->num_allowed_vlans, + sizeof(*vf->sriov_vlans), GFP_KERNEL); ++ if (!vf->sriov_vlans) ++ return -ENOMEM; + } ++ ++ return 0; + } + + void qlcnic_sriov_free_vlans(struct qlcnic_adapter *adapter) +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c +@@ -598,7 +598,9 @@ static int __qlcnic_pci_sriov_enable(str + if (err) + goto del_flr_queue; + +- qlcnic_sriov_alloc_vlans(adapter); ++ err = qlcnic_sriov_alloc_vlans(adapter); ++ if (err) ++ goto del_flr_queue; + + return err; + diff --git a/patches.suse/quota-check-block-number-when-reading-the-block-in-q.patch b/patches.suse/quota-check-block-number-when-reading-the-block-in-q.patch new file mode 100644 index 0000000..06551af --- /dev/null +++ b/patches.suse/quota-check-block-number-when-reading-the-block-in-q.patch @@ -0,0 +1,60 @@ +From 9bf3d20331295b1ecb81f4ed9ef358c51699a050 Mon Sep 17 00:00:00 2001 +From: Zhang Yi +Date: Fri, 8 Oct 2021 17:38:20 +0800 +Subject: [PATCH] quota: check block number when reading the block in quota + file +Git-commit: 9bf3d20331295b1ecb81f4ed9ef358c51699a050 +Patch-mainline: v5.16-rc1 +References: bsc#1194589 + +The block number in the quota tree on disk should be smaller than the +v2_disk_dqinfo.dqi_blocks. If the quota file was corrupted, we may be +allocating an 'allocated' block and that would lead to a loop in a tree, +which will probably trigger oops later. This patch adds a check for the +block number in the quota tree to prevent such potential issue. + +Link: https://lore.kernel.org/r/20211008093821.1001186-2-yi.zhang@huawei.com +Signed-off-by: Zhang Yi +Cc: stable@kernel.org +Signed-off-by: Jan Kara +Acked-by: Jan Kara + +--- + fs/quota/quota_tree.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/fs/quota/quota_tree.c b/fs/quota/quota_tree.c +index d3e995e1046f..583b7f7715f9 100644 +--- a/fs/quota/quota_tree.c ++++ b/fs/quota/quota_tree.c +@@ -479,6 +479,13 @@ static int remove_tree(struct qtree_mem_dqinfo *info, struct dquot *dquot, + goto out_buf; + } + newblk = le32_to_cpu(ref[get_index(info, dquot->dq_id, depth)]); ++ if (newblk < QT_TREEOFF || newblk >= info->dqi_blocks) { ++ quota_error(dquot->dq_sb, "Getting block too big (%u >= %u)", ++ newblk, info->dqi_blocks); ++ ret = -EUCLEAN; ++ goto out_buf; ++ } ++ + if (depth == info->dqi_qtree_depth - 1) { + ret = free_dqentry(info, dquot, newblk); + newblk = 0; +@@ -578,6 +585,13 @@ static loff_t find_tree_dqentry(struct qtree_mem_dqinfo *info, + blk = le32_to_cpu(ref[get_index(info, dquot->dq_id, depth)]); + if (!blk) /* No reference? */ + goto out_buf; ++ if (blk < QT_TREEOFF || blk >= info->dqi_blocks) { ++ quota_error(dquot->dq_sb, "Getting block too big (%u >= %u)", ++ blk, info->dqi_blocks); ++ ret = -EUCLEAN; ++ goto out_buf; ++ } ++ + if (depth < info->dqi_qtree_depth - 1) + ret = find_tree_dqentry(info, dquot, blk, depth+1); + else +-- +2.31.1 + diff --git a/patches.suse/quota-correct-error-number-in-free_dqentry.patch b/patches.suse/quota-correct-error-number-in-free_dqentry.patch new file mode 100644 index 0000000..5e09466 --- /dev/null +++ b/patches.suse/quota-correct-error-number-in-free_dqentry.patch @@ -0,0 +1,37 @@ +From d0e36a62bd4c60c09acc40e06ba4831a4d0bc75b Mon Sep 17 00:00:00 2001 +From: Zhang Yi +Date: Fri, 8 Oct 2021 17:38:21 +0800 +Subject: [PATCH] quota: correct error number in free_dqentry() +Git-commit: d0e36a62bd4c60c09acc40e06ba4831a4d0bc75b +Patch-mainline: v5.16-rc1 +References: bsc#1194590 + +Fix the error path in free_dqentry(), pass out the error number if the +block to free is not correct. + +Fixes: 1ccd14b9c271 ("quota: Split off quota tree handling into a separate file") +Link: https://lore.kernel.org/r/20211008093821.1001186-3-yi.zhang@huawei.com +Signed-off-by: Zhang Yi +Cc: stable@kernel.org +Signed-off-by: Jan Kara +Acked-by: Jan Kara + +--- + fs/quota/quota_tree.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/quota/quota_tree.c b/fs/quota/quota_tree.c +index 583b7f7715f9..5f2405994280 100644 +--- a/fs/quota/quota_tree.c ++++ b/fs/quota/quota_tree.c +@@ -414,6 +414,7 @@ static int free_dqentry(struct qtree_mem_dqinfo *info, struct dquot *dquot, + quota_error(dquot->dq_sb, "Quota structure has offset to " + "other block (%u) than it should (%u)", blk, + (uint)(dquot->dq_off >> info->dqi_blocksize_bits)); ++ ret = -EIO; + goto out_buf; + } + ret = read_blk(info, blk, buf); +-- +2.31.1 + diff --git a/patches.suse/random-fix-data-race-on-crng-init-time.patch b/patches.suse/random-fix-data-race-on-crng-init-time.patch new file mode 100644 index 0000000..51838f9 --- /dev/null +++ b/patches.suse/random-fix-data-race-on-crng-init-time.patch @@ -0,0 +1,71 @@ +From 009ba8568be497c640cab7571f7bfd18345d7b24 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Mon, 20 Dec 2021 16:41:57 -0600 +Subject: [PATCH] random: fix data race on crng init time +Git-commit: 009ba8568be497c640cab7571f7bfd18345d7b24 +Patch-mainline: v5.17-rc1 +References: git-fixes + +_extract_crng() does plain loads of crng->init_time and +crng_global_init_time, which causes undefined behavior if +crng_reseed() and RNDRESEEDCRNG modify these corrently. + +Use READ_ONCE() and WRITE_ONCE() to make the behavior defined. + +Don't fix the race on crng->init_time by protecting it with crng->lock, +since it's not a problem for duplicate reseedings to occur. I.e., the +lockless access with READ_ONCE() is fine. + +Fixes: d848e5f8e1eb ("random: add new ioctl RNDRESEEDCRNG") +Fixes: e192be9d9a30 ("random: replace non-blocking pool with a Chacha20-based CRNG") +Cc: stable@vger.kernel.org +Signed-off-by: Eric Biggers +Acked-by: Paul E. McKenney +Signed-off-by: Jason A. Donenfeld +Acked-by: Takashi Iwai + +--- + drivers/char/random.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -1071,7 +1071,7 @@ static void crng_reseed(struct crng_stat + crng->state[i+4] ^= buf.key[i] ^ rv; + } + memzero_explicit(&buf, sizeof(buf)); +- crng->init_time = jiffies; ++ WRITE_ONCE(crng->init_time, jiffies); + spin_unlock_irqrestore(&crng->lock, flags); + if (crng == &primary_crng && crng_init < 2) { + invalidate_batched_entropy(); +@@ -1098,12 +1098,15 @@ static void crng_reseed(struct crng_stat + static void _extract_crng(struct crng_state *crng, + __u8 out[CHACHA_BLOCK_SIZE]) + { +- unsigned long v, flags; ++ unsigned long v, flags, init_time; + +- if (crng_ready() && +- (time_after(crng_global_init_time, crng->init_time) || +- time_after(jiffies, crng->init_time + CRNG_RESEED_INTERVAL))) +- crng_reseed(crng, crng == &primary_crng ? &input_pool : NULL); ++ if (crng_ready()) { ++ init_time = READ_ONCE(crng->init_time); ++ if (time_after(READ_ONCE(crng_global_init_time), init_time) || ++ time_after(jiffies, init_time + CRNG_RESEED_INTERVAL)) ++ crng_reseed(crng, crng == &primary_crng ? ++ &input_pool : NULL); ++ } + spin_lock_irqsave(&crng->lock, flags); + if (arch_get_random_long(&v)) + crng->state[14] ^= v; +@@ -2182,7 +2185,7 @@ static long random_ioctl(struct file *f, + if (crng_init < 2) + return -ENODATA; + crng_reseed(&primary_crng, &input_pool); +- crng_global_init_time = jiffies - 1; ++ WRITE_ONCE(crng_global_init_time, jiffies - 1); + return 0; + default: + return -EINVAL; diff --git a/patches.suse/random-fix-data-race-on-crng_node_pool.patch b/patches.suse/random-fix-data-race-on-crng_node_pool.patch new file mode 100644 index 0000000..09bf92b --- /dev/null +++ b/patches.suse/random-fix-data-race-on-crng_node_pool.patch @@ -0,0 +1,111 @@ +From 5d73d1e320c3fd94ea15ba5f79301da9a8bcc7de Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Mon, 20 Dec 2021 16:41:56 -0600 +Subject: [PATCH] random: fix data race on crng_node_pool +Git-commit: 5d73d1e320c3fd94ea15ba5f79301da9a8bcc7de +Patch-mainline: v5.17-rc1 +References: git-fixes + +extract_crng() and crng_backtrack_protect() load crng_node_pool with a +plain load, which causes undefined behavior if do_numa_crng_init() +modifies it concurrently. + +Fix this by using READ_ONCE(). Note: as per the previous discussion +https://lore.kernel.org/lkml/20211219025139.31085-1-ebiggers@kernel.org/T/#u, +READ_ONCE() is believed to be sufficient here, and it was requested that +it be used here instead of smp_load_acquire(). + +Also change do_numa_crng_init() to set crng_node_pool using +cmpxchg_release() instead of mb() + cmpxchg(), as the former is +sufficient here but is more lightweight. + +Fixes: 1e7f583af67b ("random: make /dev/urandom scalable for silly userspace programs") +Cc: stable@vger.kernel.org +Signed-off-by: Eric Biggers +Acked-by: Paul E. McKenney +Signed-off-by: Jason A. Donenfeld +Acked-by: Takashi Iwai + +--- + drivers/char/random.c | 42 ++++++++++++++++++++++-------------------- + 1 file changed, 22 insertions(+), 20 deletions(-) + +diff --git a/drivers/char/random.c b/drivers/char/random.c +index 4b0753eb8bfb..5e3046606640 100644 +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -854,8 +854,8 @@ static void do_numa_crng_init(struct work_struct *work) + crng_initialize_secondary(crng); + pool[i] = crng; + } +- mb(); +- if (cmpxchg(&crng_node_pool, NULL, pool)) { ++ /* pairs with READ_ONCE() in select_crng() */ ++ if (cmpxchg_release(&crng_node_pool, NULL, pool) != NULL) { + for_each_node(i) + kfree(pool[i]); + kfree(pool); +@@ -868,8 +868,26 @@ static void numa_crng_init(void) + { + schedule_work(&numa_crng_init_work); + } ++ ++static struct crng_state *select_crng(void) ++{ ++ struct crng_state **pool; ++ int nid = numa_node_id(); ++ ++ /* pairs with cmpxchg_release() in do_numa_crng_init() */ ++ pool = READ_ONCE(crng_node_pool); ++ if (pool && pool[nid]) ++ return pool[nid]; ++ ++ return &primary_crng; ++} + #else + static void numa_crng_init(void) {} ++ ++static struct crng_state *select_crng(void) ++{ ++ return &primary_crng; ++} + #endif + + /* +@@ -1016,15 +1034,7 @@ static void _extract_crng(struct crng_state *crng, + + static void extract_crng(__u8 out[CHACHA_BLOCK_SIZE]) + { +- struct crng_state *crng = NULL; +- +-#ifdef CONFIG_NUMA +- if (crng_node_pool) +- crng = crng_node_pool[numa_node_id()]; +- if (crng == NULL) +-#endif +- crng = &primary_crng; +- _extract_crng(crng, out); ++ _extract_crng(select_crng(), out); + } + + /* +@@ -1053,15 +1063,7 @@ static void _crng_backtrack_protect(struct crng_state *crng, + + static void crng_backtrack_protect(__u8 tmp[CHACHA_BLOCK_SIZE], int used) + { +- struct crng_state *crng = NULL; +- +-#ifdef CONFIG_NUMA +- if (crng_node_pool) +- crng = crng_node_pool[numa_node_id()]; +- if (crng == NULL) +-#endif +- crng = &primary_crng; +- _crng_backtrack_protect(crng, tmp, used); ++ _crng_backtrack_protect(select_crng(), tmp, used); + } + + static ssize_t extract_crng_user(void __user *buf, size_t nbytes) +-- +2.31.1 + diff --git a/patches.suse/regmap-Call-regmap_debugfs_exit-prior-to-_init.patch b/patches.suse/regmap-Call-regmap_debugfs_exit-prior-to-_init.patch new file mode 100644 index 0000000..4de7c6e --- /dev/null +++ b/patches.suse/regmap-Call-regmap_debugfs_exit-prior-to-_init.patch @@ -0,0 +1,61 @@ +From 530792efa6cb86f5612ff093333fec735793b582 Mon Sep 17 00:00:00 2001 +From: Fabio Estevam +Date: Fri, 7 Jan 2022 13:33:07 -0300 +Subject: [PATCH] regmap: Call regmap_debugfs_exit() prior to _init() +Git-commit: 530792efa6cb86f5612ff093333fec735793b582 +Patch-mainline: v5.17-rc1 +References: git-fixes + +Since commit cffa4b2122f5 ("regmap: debugfs: Fix a memory leak when +calling regmap_attach_dev"), the following debugfs error is seen +on i.MX boards: + +Debugfs: Directory 'dummy-iomuxc-gpr@20e0000' with parent 'regmap' already present! + +In the attempt to fix the memory leak, the above commit added a NULL check +for map->debugfs_name. For the first debufs entry, map->debugfs_name is NULL +and then the new name is allocated via kasprintf(). + +For the second debugfs entry, map->debugfs_name() is no longer NULL, so +it will keep using the old entry name and the duplicate name error is seen. + +Quoting Mark Brown: + +"That means that if the device gets freed we'll end up with the old debugfs +file hanging around pointing at nothing. +... +To be more explicit this means we need a call to regmap_debugfs_exit() +which will clean up all the existing debugfs stuff before we loose +references to it." + +Call regmap_debugfs_exit() prior to regmap_debugfs_init() to fix +the problem. + +Tested on i.MX6Q and i.MX6SX boards. + +Fixes: cffa4b2122f5 ("regmap: debugfs: Fix a memory leak when calling regmap_attach_dev") +Suggested-by: Mark Brown +Signed-off-by: Fabio Estevam +Link: https://lore.kernel.org/r/20220107163307.335404-1-festevam@gmail.com +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + drivers/base/regmap/regmap.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c +index 2d74f9f82aa9..8f9fe5fd4707 100644 +--- a/drivers/base/regmap/regmap.c ++++ b/drivers/base/regmap/regmap.c +@@ -647,6 +647,7 @@ int regmap_attach_dev(struct device *dev, struct regmap *map, + if (ret) + return ret; + ++ regmap_debugfs_exit(map); + regmap_debugfs_init(map); + + /* Add a devres resource for dev_get_regmap() */ +-- +2.31.1 + diff --git a/patches.suse/rndis_host-support-Hytera-digital-radios.patch b/patches.suse/rndis_host-support-Hytera-digital-radios.patch new file mode 100644 index 0000000..c37078d --- /dev/null +++ b/patches.suse/rndis_host-support-Hytera-digital-radios.patch @@ -0,0 +1,56 @@ +From 29262e1f773b4b6a43711120be564c57fca07cfb Mon Sep 17 00:00:00 2001 +From: Thomas Toye +Date: Sat, 1 Jan 2022 18:22:07 +0100 +Subject: [PATCH] rndis_host: support Hytera digital radios +Git-commit: 29262e1f773b4b6a43711120be564c57fca07cfb +Patch-mainline: v5.16 +References: git-fixes + +Hytera makes a range of digital (DMR) radios. These radios can be +programmed to a allow a computer to control them over Ethernet over USB, +either using NCM or RNDIS. + +This commit adds support for RNDIS for Hytera radios. I tested with a +Hytera PD785 and a Hytera MD785G. When these radios are programmed to +set up a Radio to PC Network using RNDIS, an USB interface will be added +with class 2 (Communications), subclass 2 (Abstract Modem Control) and +an interface protocol of 255 ("vendor specific" - lsusb even hints "MSFT +RNDIS?"). + +This patch is similar to the solution of this StackOverflow user, but +that only works for the Hytera MD785: +https://stackoverflow.com/a/53550858 + +To use the "Radio to PC Network" functionality of Hytera DMR radios, the +radios need to be programmed correctly in CPS (Hytera's Customer +Programming Software). "Forward to PC" should be checked in "Network" +(under "General Setting" in "Conventional") and the "USB Network +Communication Protocol" should be set to RNDIS. + +Signed-off-by: Thomas Toye +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + drivers/net/usb/rndis_host.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/usb/rndis_host.c b/drivers/net/usb/rndis_host.c +index 4a84f90e377c..247f58cb0f84 100644 +--- a/drivers/net/usb/rndis_host.c ++++ b/drivers/net/usb/rndis_host.c +@@ -608,6 +608,11 @@ static const struct usb_device_id products [] = { + USB_DEVICE_AND_INTERFACE_INFO(0x1630, 0x0042, + USB_CLASS_COMM, 2 /* ACM */, 0x0ff), + .driver_info = (unsigned long) &rndis_poll_status_info, ++}, { ++ /* Hytera Communications DMR radios' "Radio to PC Network" */ ++ USB_VENDOR_AND_INTERFACE_INFO(0x238b, ++ USB_CLASS_COMM, 2 /* ACM */, 0x0ff), ++ .driver_info = (unsigned long)&rndis_info, + }, { + /* RNDIS is MSFT's un-official variant of CDC ACM */ + USB_INTERFACE_INFO(USB_CLASS_COMM, 2 /* ACM */, 0x0ff), +-- +2.31.1 + diff --git a/patches.suse/rtlwifi-rtl8192cu-Fix-WARNING-when-calling-local_irq.patch b/patches.suse/rtlwifi-rtl8192cu-Fix-WARNING-when-calling-local_irq.patch new file mode 100644 index 0000000..3fb3c5b --- /dev/null +++ b/patches.suse/rtlwifi-rtl8192cu-Fix-WARNING-when-calling-local_irq.patch @@ -0,0 +1,49 @@ +From 8b144dedb928e4e2f433a328d58f44c3c098d63e Mon Sep 17 00:00:00 2001 +From: Larry Finger +Date: Wed, 15 Dec 2021 11:11:05 -0600 +Subject: [PATCH] rtlwifi: rtl8192cu: Fix WARNING when calling local_irq_restore() with interrupts enabled +Git-commit: 8b144dedb928e4e2f433a328d58f44c3c098d63e +Patch-mainline: v5.17-rc1 +References: git-fixes + +Syzbot reports the following WARNING: + +[200~raw_local_irq_restore() called with IRQs enabled +Warning: CPU: 1 PID: 1206 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x1d/0x20 kernel/locking/irqflag-debug.c:10 + +Hardware initialization for the rtl8188cu can run for as long as 350 ms, +and the routine may be called with interrupts disabled. To avoid locking +the machine for this long, the current routine saves the interrupt flags +and enables local interrupts. The problem is that it restores the flags +at the end without disabling local interrupts first. + +This patch fixes commit a53268be0cb9 ("rtlwifi: rtl8192cu: Fix too long +disable of IRQs"). + +Reported-by: syzbot+cce1ee31614c171f5595@syzkaller.appspotmail.com +Cc: stable@vger.kernel.org +Fixes: a53268be0cb9 ("rtlwifi: rtl8192cu: Fix too long disable of IRQs") +Signed-off-by: Larry Finger +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211215171105.20623-1-Larry.Finger@lwfinger.net +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c +index 6312fddd9c00..eaba66113328 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c +@@ -1000,6 +1000,7 @@ int rtl92cu_hw_init(struct ieee80211_hw *hw) + _initpabias(hw); + rtl92c_dm_init(hw); + exit: ++ local_irq_disable(); + local_irq_restore(flags); + return err; + } +-- +2.31.1 + diff --git a/patches.suse/scsi-lpfc-Add-additional-debugfs-support-for-CMF.patch b/patches.suse/scsi-lpfc-Add-additional-debugfs-support-for-CMF.patch index 4b00a93..d429123 100644 --- a/patches.suse/scsi-lpfc-Add-additional-debugfs-support-for-CMF.patch +++ b/patches.suse/scsi-lpfc-Add-additional-debugfs-support-for-CMF.patch @@ -1,8 +1,7 @@ From: James Smart Date: Fri, 3 Dec 2021 16:26:43 -0800 Subject: scsi: lpfc: Add additional debugfs support for CMF -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.17-rc1 Git-commit: 6014a2468f0e49194f612b1f09f99eacee0a409a References: bsc#1194266 diff --git a/patches.suse/scsi-lpfc-Adjust-CMF-total-bytes-and-rxmonitor.patch b/patches.suse/scsi-lpfc-Adjust-CMF-total-bytes-and-rxmonitor.patch index eef5d90..90a4c68 100644 --- a/patches.suse/scsi-lpfc-Adjust-CMF-total-bytes-and-rxmonitor.patch +++ b/patches.suse/scsi-lpfc-Adjust-CMF-total-bytes-and-rxmonitor.patch @@ -1,8 +1,7 @@ From: James Smart Date: Fri, 3 Dec 2021 16:26:41 -0800 Subject: scsi: lpfc: Adjust CMF total bytes and rxmonitor -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.17-rc1 Git-commit: a6269f837045acb02904f31f05acde847ec8f8a7 References: bsc#1194266 diff --git a/patches.suse/scsi-lpfc-Cap-CMF-read-bytes-to-MBPI.patch b/patches.suse/scsi-lpfc-Cap-CMF-read-bytes-to-MBPI.patch index 4f711b8..56b5e05 100644 --- a/patches.suse/scsi-lpfc-Cap-CMF-read-bytes-to-MBPI.patch +++ b/patches.suse/scsi-lpfc-Cap-CMF-read-bytes-to-MBPI.patch @@ -1,8 +1,7 @@ From: James Smart Date: Fri, 3 Dec 2021 16:26:42 -0800 Subject: scsi: lpfc: Cap CMF read bytes to MBPI -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.17-rc1 Git-commit: 05116ef9c4b444f7fdbb56f9e13c2ec941726639 References: bsc#1194266 diff --git a/patches.suse/scsi-lpfc-Change-return-code-on-I-Os-received-during.patch b/patches.suse/scsi-lpfc-Change-return-code-on-I-Os-received-during.patch index 1e02bdb..8f883b5 100644 --- a/patches.suse/scsi-lpfc-Change-return-code-on-I-Os-received-during.patch +++ b/patches.suse/scsi-lpfc-Change-return-code-on-I-Os-received-during.patch @@ -1,8 +1,7 @@ From: James Smart Date: Fri, 3 Dec 2021 16:26:37 -0800 Subject: scsi: lpfc: Change return code on I/Os received during link bounce -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.17-rc1 Git-commit: 2e81b1a374da5d6024208c16c4a5224a70cafa64 References: bsc#1194266 diff --git a/patches.suse/scsi-lpfc-Fix-NPIV-port-deletion-crash.patch b/patches.suse/scsi-lpfc-Fix-NPIV-port-deletion-crash.patch index 88cfefc..ea08ce5 100644 --- a/patches.suse/scsi-lpfc-Fix-NPIV-port-deletion-crash.patch +++ b/patches.suse/scsi-lpfc-Fix-NPIV-port-deletion-crash.patch @@ -1,8 +1,7 @@ From: James Smart Date: Fri, 3 Dec 2021 16:26:39 -0800 Subject: scsi: lpfc: Fix NPIV port deletion crash -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.17-rc1 Git-commit: 8ed190a91950564775cbaae9e8e8083a69a8da23 References: bsc#1194266 diff --git a/patches.suse/scsi-lpfc-Fix-leaked-lpfc_dmabuf-mbox-allocations-wi.patch b/patches.suse/scsi-lpfc-Fix-leaked-lpfc_dmabuf-mbox-allocations-wi.patch index 9550fee..587eeb1 100644 --- a/patches.suse/scsi-lpfc-Fix-leaked-lpfc_dmabuf-mbox-allocations-wi.patch +++ b/patches.suse/scsi-lpfc-Fix-leaked-lpfc_dmabuf-mbox-allocations-wi.patch @@ -1,8 +1,7 @@ From: James Smart Date: Fri, 3 Dec 2021 16:26:36 -0800 Subject: scsi: lpfc: Fix leaked lpfc_dmabuf mbox allocations with NPIV -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.17-rc1 Git-commit: f0d3919697492950f57a26a1093aee53880d669d References: bsc#1194266 diff --git a/patches.suse/scsi-lpfc-Fix-lpfc_force_rscn-ndlp-kref-imbalance.patch b/patches.suse/scsi-lpfc-Fix-lpfc_force_rscn-ndlp-kref-imbalance.patch index 887ba24..1648c56 100644 --- a/patches.suse/scsi-lpfc-Fix-lpfc_force_rscn-ndlp-kref-imbalance.patch +++ b/patches.suse/scsi-lpfc-Fix-lpfc_force_rscn-ndlp-kref-imbalance.patch @@ -1,8 +1,7 @@ From: James Smart Date: Fri, 3 Dec 2021 16:26:38 -0800 Subject: scsi: lpfc: Fix lpfc_force_rscn ndlp kref imbalance -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.17-rc1 Git-commit: 7576d48c64f36f6fea9df2882f710a474fa35f40 References: bsc#1194266 diff --git a/patches.suse/scsi-lpfc-Trigger-SLI4-firmware-dump-before-doing-dr.patch b/patches.suse/scsi-lpfc-Trigger-SLI4-firmware-dump-before-doing-dr.patch index 3720a6d..c5b5811 100644 --- a/patches.suse/scsi-lpfc-Trigger-SLI4-firmware-dump-before-doing-dr.patch +++ b/patches.suse/scsi-lpfc-Trigger-SLI4-firmware-dump-before-doing-dr.patch @@ -1,8 +1,7 @@ From: James Smart Date: Fri, 3 Dec 2021 16:26:40 -0800 Subject: scsi: lpfc: Trigger SLI4 firmware dump before doing driver cleanup -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.17-rc1 Git-commit: 7dd2e2a923173d637c272e483966be8e96a72b64 References: bsc#1194266 diff --git a/patches.suse/scsi-lpfc-Update-lpfc-version-to-14.0.0.4.patch b/patches.suse/scsi-lpfc-Update-lpfc-version-to-14.0.0.4.patch index e4bd4d3..2944781 100644 --- a/patches.suse/scsi-lpfc-Update-lpfc-version-to-14.0.0.4.patch +++ b/patches.suse/scsi-lpfc-Update-lpfc-version-to-14.0.0.4.patch @@ -1,8 +1,7 @@ From: James Smart Date: Fri, 3 Dec 2021 16:26:44 -0800 Subject: scsi: lpfc: Update lpfc version to 14.0.0.4 -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.17-rc1 Git-commit: 4437503bfbec2f02b41b2492520fe627715889a7 References: bsc#1194266 diff --git a/patches.suse/select-Fix-indefinitely-sleeping-task-in-poll_schedu.patch b/patches.suse/select-Fix-indefinitely-sleeping-task-in-poll_schedu.patch new file mode 100644 index 0000000..519b20f --- /dev/null +++ b/patches.suse/select-Fix-indefinitely-sleeping-task-in-poll_schedu.patch @@ -0,0 +1,141 @@ +From 68514dacf2715d11b91ca50d88de047c086fea9c Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Mon, 10 Jan 2022 19:19:23 +0100 +Subject: [PATCH] select: Fix indefinitely sleeping task in + poll_schedule_timeout() +Git-commit: 68514dacf2715d11b91ca50d88de047c086fea9c +Patch-mainline: v5.17-rc1 +References: bsc#1194027 + +A task can end up indefinitely sleeping in do_select() -> +poll_schedule_timeout() when the following race happens: + + TASK1 (thread1) TASK2 TASK1 (thread2) + do_select() + setup poll_wqueues table + with 'fd' + write data to 'fd' + pollwake() + table->triggered = 1 + closes 'fd' thread1 is + waiting for + poll_schedule_timeout() + - sees table->triggered + table->triggered = 0 + return -EINTR + loop back in do_select() + +But at this point when TASK1 loops back, the fdget() in the setup of +poll_wqueues fails. So now so we never find 'fd' is ready for reading +and sleep in poll_schedule_timeout() indefinitely. + +Treat an fd that got closed as a fd on which some event happened. This +makes sure cannot block indefinitely in do_select(). + +Another option would be to return -EBADF in this case but that has a +potential of subtly breaking applications that excercise this behavior +and it happens to work for them. So returning fd as active seems like a +safer choice. + +Suggested-by: Linus Torvalds +Cc: stable@vger.kernel.org +Signed-off-by: Jan Kara +Signed-off-by: Linus Torvalds +Acked-by: Jan Kara + +--- + fs/select.c | 63 ++++++++++++++++++++++++++++------------------------- + 1 file changed, 33 insertions(+), 30 deletions(-) + +diff --git a/fs/select.c b/fs/select.c +index 02cd8cb5e69f..0ee55af1a55c 100644 +--- a/fs/select.c ++++ b/fs/select.c +@@ -459,9 +459,11 @@ static int max_select_fd(unsigned long n, fd_set_bits *fds) + return max; + } + +-#define POLLIN_SET (EPOLLRDNORM | EPOLLRDBAND | EPOLLIN | EPOLLHUP | EPOLLERR) +-#define POLLOUT_SET (EPOLLWRBAND | EPOLLWRNORM | EPOLLOUT | EPOLLERR) +-#define POLLEX_SET (EPOLLPRI) ++#define POLLIN_SET (EPOLLRDNORM | EPOLLRDBAND | EPOLLIN | EPOLLHUP | EPOLLERR |\ ++ EPOLLNVAL) ++#define POLLOUT_SET (EPOLLWRBAND | EPOLLWRNORM | EPOLLOUT | EPOLLERR |\ ++ EPOLLNVAL) ++#define POLLEX_SET (EPOLLPRI | EPOLLNVAL) + + static inline void wait_key_set(poll_table *wait, unsigned long in, + unsigned long out, unsigned long bit, +@@ -528,6 +530,7 @@ static int do_select(int n, fd_set_bits *fds, struct timespec64 *end_time) + break; + if (!(bit & all_bits)) + continue; ++ mask = EPOLLNVAL; + f = fdget(i); + if (f.file) { + wait_key_set(wait, in, out, bit, +@@ -535,34 +538,34 @@ static int do_select(int n, fd_set_bits *fds, struct timespec64 *end_time) + mask = vfs_poll(f.file, wait); + + fdput(f); +- if ((mask & POLLIN_SET) && (in & bit)) { +- res_in |= bit; +- retval++; +- wait->_qproc = NULL; +- } +- if ((mask & POLLOUT_SET) && (out & bit)) { +- res_out |= bit; +- retval++; +- wait->_qproc = NULL; +- } +- if ((mask & POLLEX_SET) && (ex & bit)) { +- res_ex |= bit; +- retval++; +- wait->_qproc = NULL; +- } +- /* got something, stop busy polling */ +- if (retval) { +- can_busy_loop = false; +- busy_flag = 0; +- +- /* +- * only remember a returned +- * POLL_BUSY_LOOP if we asked for it +- */ +- } else if (busy_flag & mask) +- can_busy_loop = true; +- + } ++ if ((mask & POLLIN_SET) && (in & bit)) { ++ res_in |= bit; ++ retval++; ++ wait->_qproc = NULL; ++ } ++ if ((mask & POLLOUT_SET) && (out & bit)) { ++ res_out |= bit; ++ retval++; ++ wait->_qproc = NULL; ++ } ++ if ((mask & POLLEX_SET) && (ex & bit)) { ++ res_ex |= bit; ++ retval++; ++ wait->_qproc = NULL; ++ } ++ /* got something, stop busy polling */ ++ if (retval) { ++ can_busy_loop = false; ++ busy_flag = 0; ++ ++ /* ++ * only remember a returned ++ * POLL_BUSY_LOOP if we asked for it ++ */ ++ } else if (busy_flag & mask) ++ can_busy_loop = true; ++ + } + if (res_in) + *rinp = res_in; +-- +2.31.1 + diff --git a/patches.suse/selftests-KVM-Explicitly-use-movq-to-read-xmm-regist.patch b/patches.suse/selftests-KVM-Explicitly-use-movq-to-read-xmm-regist.patch new file mode 100644 index 0000000..468196b --- /dev/null +++ b/patches.suse/selftests-KVM-Explicitly-use-movq-to-read-xmm-regist.patch @@ -0,0 +1,93 @@ +From 23d9e85b195f99a1a3c913c8829350e3943f2e3f Mon Sep 17 00:00:00 2001 +From: Oliver Upton +Date: Fri, 24 Sep 2021 00:51:47 +0000 +Subject: [PATCH 1/1] selftests: KVM: Explicitly use movq to read xmm registers +Git-commit: 386ca9d7fd189b641bc5a82871e38dea9f67af85 +Patch-mainline: 5.15-rc4 +References: git-fixes + +Compiling the KVM selftests with clang emits the following warning: + +>> include/x86_64/processor.h:297:25: error: variable 'xmm0' is uninitialized when used here [-Werror,-Wuninitialized] +>> return (unsigned long)xmm0; + +where xmm0 is accessed via an uninitialized register variable. + +Indeed, this is a misuse of register variables, which really should only +be used for specifying register constraints on variables passed to +inline assembly. Rather than attempting to read xmm registers via +register variables, just explicitly perform the movq from the desired +xmm register. + +Fixes: 783e9e51266e ("kvm: selftests: add API testing infrastructure") +Signed-off-by: Oliver Upton +Message-Id: <20210924005147.1122357-1-oupton@google.com> +Reviewed-by: Ricardo Koller +Signed-off-by: Paolo Bonzini +Signed-off-by: Li Zhang +--- + .../selftests/kvm/include/x86_64/processor.h | 34 +++++++++---------- + 1 file changed, 17 insertions(+), 17 deletions(-) + +diff --git a/tools/testing/selftests/kvm/include/x86_64/processor.h b/tools/testing/selftests/kvm/include/x86_64/processor.h +index 242ae8e09a65..eba8bd08293e 100644 +--- a/tools/testing/selftests/kvm/include/x86_64/processor.h ++++ b/tools/testing/selftests/kvm/include/x86_64/processor.h +@@ -312,37 +312,37 @@ static inline void set_xmm(int n, unsigned long val) + } + } + +-typedef unsigned long v1di __attribute__ ((vector_size (8))); ++#define GET_XMM(__xmm) \ ++({ \ ++ unsigned long __val; \ ++ asm volatile("movq %%"#__xmm", %0" : "=r"(__val) : : #__xmm); \ ++ __val; \ ++}) ++ + static inline unsigned long get_xmm(int n) + { + assert(n >= 0 && n <= 7); + +- register v1di xmm0 __asm__("%xmm0"); +- register v1di xmm1 __asm__("%xmm1"); +- register v1di xmm2 __asm__("%xmm2"); +- register v1di xmm3 __asm__("%xmm3"); +- register v1di xmm4 __asm__("%xmm4"); +- register v1di xmm5 __asm__("%xmm5"); +- register v1di xmm6 __asm__("%xmm6"); +- register v1di xmm7 __asm__("%xmm7"); + switch (n) { + case 0: +- return (unsigned long)xmm0; ++ return GET_XMM(xmm0); + case 1: +- return (unsigned long)xmm1; ++ return GET_XMM(xmm1); + case 2: +- return (unsigned long)xmm2; ++ return GET_XMM(xmm2); + case 3: +- return (unsigned long)xmm3; ++ return GET_XMM(xmm3); + case 4: +- return (unsigned long)xmm4; ++ return GET_XMM(xmm4); + case 5: +- return (unsigned long)xmm5; ++ return GET_XMM(xmm5); + case 6: +- return (unsigned long)xmm6; ++ return GET_XMM(xmm6); + case 7: +- return (unsigned long)xmm7; ++ return GET_XMM(xmm7); + } ++ ++ /* never reached */ + return 0; + } + +-- +2.31.1 + diff --git a/patches.suse/selinux-fix-potential-memleak-in-selinux_add_opt.patch b/patches.suse/selinux-fix-potential-memleak-in-selinux_add_opt.patch new file mode 100644 index 0000000..08f17fe --- /dev/null +++ b/patches.suse/selinux-fix-potential-memleak-in-selinux_add_opt.patch @@ -0,0 +1,63 @@ +From 2e08df3c7c4e4e74e3dd5104c100f0bf6288aaa8 Mon Sep 17 00:00:00 2001 +From: Bernard Zhao +Date: Fri, 10 Dec 2021 04:03:58 -0800 +Subject: [PATCH] selinux: fix potential memleak in selinux_add_opt() +Git-commit: 2e08df3c7c4e4e74e3dd5104c100f0bf6288aaa8 +Patch-mainline: v5.17-rc1 +References: git-fixes + +This patch try to fix potential memleak in error branch. + +Fixes: ba6418623385 ("selinux: new helper - selinux_add_opt()") +Signed-off-by: Bernard Zhao +[pm: tweak the subject line, add Fixes tag] +Signed-off-by: Paul Moore +Acked-by: Takashi Iwai + +--- + security/selinux/hooks.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c +index 818ce976ff6c..8ef63b7af855 100644 +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -970,18 +970,22 @@ static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb, + static int selinux_add_opt(int token, const char *s, void **mnt_opts) + { + struct selinux_mnt_opts *opts = *mnt_opts; ++ bool is_alloc_opts = false; + + if (token == Opt_seclabel) /* eaten and completely ignored */ + return 0; + ++ if (!s) ++ return -ENOMEM; ++ + if (!opts) { + opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL); + if (!opts) + return -ENOMEM; + *mnt_opts = opts; ++ is_alloc_opts = true; + } +- if (!s) +- return -ENOMEM; ++ + switch (token) { + case Opt_context: + if (opts->context || opts->defcontext) +@@ -1006,6 +1010,10 @@ static int selinux_add_opt(int token, const char *s, void **mnt_opts) + } + return 0; + Einval: ++ if (is_alloc_opts) { ++ kfree(opts); ++ *mnt_opts = NULL; ++ } + pr_warn(SEL_MOUNT_FAIL_MSG); + return -EINVAL; + } +-- +2.31.1 + diff --git a/patches.suse/sfc-Check-null-pointer-of-rx_queue-page_ring.patch b/patches.suse/sfc-Check-null-pointer-of-rx_queue-page_ring.patch new file mode 100644 index 0000000..21a884d --- /dev/null +++ b/patches.suse/sfc-Check-null-pointer-of-rx_queue-page_ring.patch @@ -0,0 +1,35 @@ +From: Jiasheng Jiang +Date: Mon, 20 Dec 2021 21:56:03 +0800 +Subject: sfc: Check null pointer of rx_queue->page_ring +Patch-mainline: v5.16-rc7 +Git-commit: bdf1b5c3884f6a0dc91b0dbdb8c3b7d205f449e0 +References: git-fixes + +Because of the possible failure of the kcalloc, it should be better to +set rx_queue->page_ptr_mask to 0 when it happens in order to maintain +the consistency. + +Fixes: 5a6681e22c14 ("sfc: separate out SFC4000 ("Falcon") support into new sfc-falcon driver") +Signed-off-by: Jiasheng Jiang +Acked-by: Martin Habets +Link: https://lore.kernel.org/r/20211220135603.954944-1-jiasheng@iscas.ac.cn +Signed-off-by: Jakub Kicinski +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/sfc/rx_common.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/sfc/rx_common.c ++++ b/drivers/net/ethernet/sfc/rx_common.c +@@ -150,7 +150,10 @@ static void efx_init_rx_recycle_ring(str + efx->rx_bufs_per_page); + rx_queue->page_ring = kcalloc(page_ring_size, + sizeof(*rx_queue->page_ring), GFP_KERNEL); +- rx_queue->page_ptr_mask = page_ring_size - 1; ++ if (!rx_queue->page_ring) ++ rx_queue->page_ptr_mask = 0; ++ else ++ rx_queue->page_ptr_mask = page_ring_size - 1; + } + + static void efx_fini_rx_recycle_ring(struct efx_rx_queue *rx_queue) diff --git a/patches.suse/sfc-The-RX-page_ring-is-optional.patch b/patches.suse/sfc-The-RX-page_ring-is-optional.patch new file mode 100644 index 0000000..09cd429 --- /dev/null +++ b/patches.suse/sfc-The-RX-page_ring-is-optional.patch @@ -0,0 +1,65 @@ +From: Martin Habets +Date: Sun, 2 Jan 2022 08:41:22 +0000 +Subject: sfc: The RX page_ring is optional +Patch-mainline: v5.16 +Git-commit: 1d5a474240407c38ca8c7484a656ee39f585399c +References: git-fixes + +The RX page_ring is an optional feature that improves +performance. When allocation fails the driver can still +function, but possibly with a lower bandwidth. +Guard against dereferencing a NULL page_ring. + +Fixes: 2768935a4660 ("sfc: reuse pages to avoid DMA mapping/unmapping costs") +Signed-off-by: Martin Habets +Reported-by: Jiasheng Jiang +Link: https://lore.kernel.org/r/164111288276.5798.10330502993729113868.stgit@palantir17.mph.net +Signed-off-by: Jakub Kicinski +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/sfc/falcon/rx.c | 5 +++++ + drivers/net/ethernet/sfc/rx_common.c | 5 +++++ + 2 files changed, 10 insertions(+) + +--- a/drivers/net/ethernet/sfc/falcon/rx.c ++++ b/drivers/net/ethernet/sfc/falcon/rx.c +@@ -110,6 +110,8 @@ static struct page *ef4_reuse_page(struc + struct ef4_rx_page_state *state; + unsigned index; + ++ if (unlikely(!rx_queue->page_ring)) ++ return NULL; + index = rx_queue->page_remove & rx_queue->page_ptr_mask; + page = rx_queue->page_ring[index]; + if (page == NULL) +@@ -292,6 +294,9 @@ static void ef4_recycle_rx_pages(struct + { + struct ef4_rx_queue *rx_queue = ef4_channel_get_rx_queue(channel); + ++ if (unlikely(!rx_queue->page_ring)) ++ return; ++ + do { + ef4_recycle_rx_page(channel, rx_buf); + rx_buf = ef4_rx_buf_next(rx_queue, rx_buf); +--- a/drivers/net/ethernet/sfc/rx_common.c ++++ b/drivers/net/ethernet/sfc/rx_common.c +@@ -45,6 +45,8 @@ static struct page *efx_reuse_page(struc + unsigned int index; + struct page *page; + ++ if (unlikely(!rx_queue->page_ring)) ++ return NULL; + index = rx_queue->page_remove & rx_queue->page_ptr_mask; + page = rx_queue->page_ring[index]; + if (page == NULL) +@@ -114,6 +116,9 @@ void efx_recycle_rx_pages(struct efx_cha + { + struct efx_rx_queue *rx_queue = efx_channel_get_rx_queue(channel); + ++ if (unlikely(!rx_queue->page_ring)) ++ return; ++ + do { + efx_recycle_rx_page(channel, rx_buf); + rx_buf = efx_rx_buf_next(rx_queue, rx_buf); diff --git a/patches.suse/sfc-falcon-Check-null-pointer-of-rx_queue-page_ring.patch b/patches.suse/sfc-falcon-Check-null-pointer-of-rx_queue-page_ring.patch new file mode 100644 index 0000000..a6331cd --- /dev/null +++ b/patches.suse/sfc-falcon-Check-null-pointer-of-rx_queue-page_ring.patch @@ -0,0 +1,35 @@ +From: Jiasheng Jiang +Date: Mon, 20 Dec 2021 22:03:44 +0800 +Subject: sfc: falcon: Check null pointer of rx_queue->page_ring +Patch-mainline: v5.16-rc7 +Git-commit: 9b8bdd1eb5890aeeab7391dddcf8bd51f7b07216 +References: git-fixes + +Because of the possible failure of the kcalloc, it should be better to +set rx_queue->page_ptr_mask to 0 when it happens in order to maintain +the consistency. + +Fixes: 5a6681e22c14 ("sfc: separate out SFC4000 ("Falcon") support into new sfc-falcon driver") +Signed-off-by: Jiasheng Jiang +Acked-by: Martin Habets +Link: https://lore.kernel.org/r/20211220140344.978408-1-jiasheng@iscas.ac.cn +Signed-off-by: Jakub Kicinski +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/sfc/falcon/rx.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/sfc/falcon/rx.c ++++ b/drivers/net/ethernet/sfc/falcon/rx.c +@@ -726,7 +726,10 @@ static void ef4_init_rx_recycle_ring(str + efx->rx_bufs_per_page); + rx_queue->page_ring = kcalloc(page_ring_size, + sizeof(*rx_queue->page_ring), GFP_KERNEL); +- rx_queue->page_ptr_mask = page_ring_size - 1; ++ if (!rx_queue->page_ring) ++ rx_queue->page_ptr_mask = 0; ++ else ++ rx_queue->page_ptr_mask = page_ring_size - 1; + } + + void ef4_init_rx_queue(struct ef4_rx_queue *rx_queue) diff --git a/patches.suse/sfc_ef100-potential-dereference-of-null-pointer.patch b/patches.suse/sfc_ef100-potential-dereference-of-null-pointer.patch new file mode 100644 index 0000000..336d7d6 --- /dev/null +++ b/patches.suse/sfc_ef100-potential-dereference-of-null-pointer.patch @@ -0,0 +1,31 @@ +From: Jiasheng Jiang +Date: Wed, 15 Dec 2021 22:37:31 +0800 +Subject: sfc_ef100: potential dereference of null pointer +Patch-mainline: v5.16-rc6 +Git-commit: 407ecd1bd726f240123f704620d46e285ff30dd9 +References: jsc#SLE-16683 + +The return value of kmalloc() needs to be checked. +To avoid use in efx_nic_update_stats() in case of the failure of alloc. + +Fixes: b593b6f1b492 ("sfc_ef100: statistics gathering") +Signed-off-by: Jiasheng Jiang +Reported-by: kernel test robot +Signed-off-by: David S. Miller +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/sfc/ef100_nic.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/ethernet/sfc/ef100_nic.c ++++ b/drivers/net/ethernet/sfc/ef100_nic.c +@@ -597,6 +597,9 @@ static size_t ef100_update_stats(struct + ef100_common_stat_mask(mask); + ef100_ethtool_stat_mask(mask); + ++ if (!mc_stats) ++ return 0; ++ + efx_nic_copy_stats(efx, mc_stats); + efx_nic_update_stats(ef100_stat_desc, EF100_STAT_COUNT, mask, + stats, mc_stats, false); diff --git a/patches.suse/spi-spi-meson-spifc-Add-missing-pm_runtime_disable-i.patch b/patches.suse/spi-spi-meson-spifc-Add-missing-pm_runtime_disable-i.patch new file mode 100644 index 0000000..1b17ecd --- /dev/null +++ b/patches.suse/spi-spi-meson-spifc-Add-missing-pm_runtime_disable-i.patch @@ -0,0 +1,37 @@ +From 69c1b87516e327a60b39f96b778fe683259408bf Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Fri, 7 Jan 2022 07:54:24 +0000 +Subject: [PATCH] spi: spi-meson-spifc: Add missing pm_runtime_disable() in meson_spifc_probe +Git-commit: 69c1b87516e327a60b39f96b778fe683259408bf +Patch-mainline: v5.17-rc1 +References: git-fixes + +If the probe fails, we should use pm_runtime_disable() to balance +pm_runtime_enable(). +Add missing pm_runtime_disable() for meson_spifc_probe. + +Fixes: c3e4bc5434d2 ("spi: meson: Add support for Amlogic Meson SPIFC") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220107075424.7774-1-linmq006@gmail.com +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + drivers/spi/spi-meson-spifc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/spi/spi-meson-spifc.c b/drivers/spi/spi-meson-spifc.c +index 8eca6f24cb79..c8ed7815c4ba 100644 +--- a/drivers/spi/spi-meson-spifc.c ++++ b/drivers/spi/spi-meson-spifc.c +@@ -349,6 +349,7 @@ static int meson_spifc_probe(struct platform_device *pdev) + return 0; + out_clk: + clk_disable_unprepare(spifc->clk); ++ pm_runtime_disable(spifc->dev); + out_err: + spi_master_put(master); + return ret; +-- +2.31.1 + diff --git a/patches.suse/spi-spi-rspi-Drop-redeclaring-ret-variable-in-qspi_t.patch b/patches.suse/spi-spi-rspi-Drop-redeclaring-ret-variable-in-qspi_t.patch new file mode 100644 index 0000000..da6cc74 --- /dev/null +++ b/patches.suse/spi-spi-rspi-Drop-redeclaring-ret-variable-in-qspi_t.patch @@ -0,0 +1,49 @@ +From 1d734f592e1a1d41af80e90001d109cec1c98fb4 Mon Sep 17 00:00:00 2001 +From: Lad Prabhakar +Date: Thu, 18 Nov 2021 03:10:41 +0000 +Subject: [PATCH] spi: spi-rspi: Drop redeclaring ret variable in qspi_transfer_in() +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 1d734f592e1a1d41af80e90001d109cec1c98fb4 +Patch-mainline: v5.17-rc1 +References: git-fixes + +"ret" variable is already declared in qspi_transfer_in() at the +beginning of function, drop redeclaring ret in the if block, fixing +Below: + +Spi-rspi.c: In function ‘qspi_transfer_in’: +spi-rspi.c:838:7: warning: declaration of ‘ret’ shadows a previous local + 838 | int ret = rspi_dma_transfer(rspi, NULL, &xfer->rx_sg); + | ^~~ +spi-rspi.c:835:6: note: shadowed declaration is here + 835 | int ret; + +Fixes: db30083813b55 ("spi: rspi: avoid uninitialized variable access") +Signed-off-by: Lad Prabhakar +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20211118031041.2312-4-prabhakar.mahadev-lad.rj@bp.renesas.com +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + drivers/spi/spi-rspi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-rspi.c b/drivers/spi/spi-rspi.c +index b7df49a57e5f..bd5708d7e5a1 100644 +--- a/drivers/spi/spi-rspi.c ++++ b/drivers/spi/spi-rspi.c +@@ -835,7 +835,7 @@ static int qspi_transfer_in(struct rspi_data *rspi, struct spi_transfer *xfer) + int ret; + + if (rspi->ctlr->can_dma && __rspi_can_dma(rspi, xfer)) { +- int ret = rspi_dma_transfer(rspi, NULL, &xfer->rx_sg); ++ ret = rspi_dma_transfer(rspi, NULL, &xfer->rx_sg); + if (ret != -EAGAIN) + return ret; + } +-- +2.31.1 + diff --git a/patches.suse/staging-rtl8192e-return-error-code-from-rtllib_softm.patch b/patches.suse/staging-rtl8192e-return-error-code-from-rtllib_softm.patch new file mode 100644 index 0000000..488bac0 --- /dev/null +++ b/patches.suse/staging-rtl8192e-return-error-code-from-rtllib_softm.patch @@ -0,0 +1,64 @@ +From 68bf78ff59a0891eb1239948e94ce10f73a9dd30 Mon Sep 17 00:00:00 2001 +From: Yang Yingliang +Date: Thu, 2 Dec 2021 11:07:02 +0800 +Subject: [PATCH] staging: rtl8192e: return error code from rtllib_softmac_init() +Git-commit: 68bf78ff59a0891eb1239948e94ce10f73a9dd30 +Patch-mainline: v5.17-rc1 +References: git-fixes + +If it fails to allocate 'dot11d_info', rtllib_softmac_init() +should return error code. And remove unneccessary error message. + +Fixes: 94a799425eee ("From: wlanfae ") +Reviewed-by: Dan Carpenter +Reviewed-by: Pavel Skripkin +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20211202030704.2425621-2-yangyingliang@huawei.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/staging/rtl8192e/rtllib.h | 2 +- + drivers/staging/rtl8192e/rtllib_softmac.c | 6 ++++-- + 2 files changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/staging/rtl8192e/rtllib.h ++++ b/drivers/staging/rtl8192e/rtllib.h +@@ -1982,7 +1982,7 @@ void rtllib_softmac_xmit(struct rtllib_t + void rtllib_stop_send_beacons(struct rtllib_device *ieee); + void notify_wx_assoc_event(struct rtllib_device *ieee); + void rtllib_start_ibss(struct rtllib_device *ieee); +-void rtllib_softmac_init(struct rtllib_device *ieee); ++int rtllib_softmac_init(struct rtllib_device *ieee); + void rtllib_softmac_free(struct rtllib_device *ieee); + void rtllib_disassociate(struct rtllib_device *ieee); + void rtllib_stop_scan(struct rtllib_device *ieee); +--- a/drivers/staging/rtl8192e/rtllib_softmac.c ++++ b/drivers/staging/rtl8192e/rtllib_softmac.c +@@ -2953,7 +2953,7 @@ void rtllib_start_protocol(struct rtllib + } + } + +-void rtllib_softmac_init(struct rtllib_device *ieee) ++int rtllib_softmac_init(struct rtllib_device *ieee) + { + int i; + +@@ -2964,7 +2964,8 @@ void rtllib_softmac_init(struct rtllib_d + ieee->seq_ctrl[i] = 0; + ieee->dot11d_info = kzalloc(sizeof(struct rt_dot11d_info), GFP_ATOMIC); + if (!ieee->dot11d_info) +- netdev_err(ieee->dev, "Can't alloc memory for DOT11D\n"); ++ return -ENOMEM; ++ + ieee->LinkDetectInfo.SlotIndex = 0; + ieee->LinkDetectInfo.SlotNum = 2; + ieee->LinkDetectInfo.NumRecvBcnInPeriod = 0; +@@ -3030,6 +3031,7 @@ void rtllib_softmac_init(struct rtllib_d + + tasklet_init(&ieee->ps_task, rtllib_sta_ps, (unsigned long)ieee); + ++ return 0; + } + + void rtllib_softmac_free(struct rtllib_device *ieee) diff --git a/patches.suse/staging-rtl8192e-rtllib_module-fix-error-handle-case.patch b/patches.suse/staging-rtl8192e-rtllib_module-fix-error-handle-case.patch new file mode 100644 index 0000000..167766c --- /dev/null +++ b/patches.suse/staging-rtl8192e-rtllib_module-fix-error-handle-case.patch @@ -0,0 +1,71 @@ +From e730cd57ac2dfe94bca0f14a3be8e1b21de41a9c Mon Sep 17 00:00:00 2001 +From: Yang Yingliang +Date: Thu, 2 Dec 2021 11:07:03 +0800 +Subject: [PATCH] staging: rtl8192e: rtllib_module: fix error handle case in alloc_rtllib() +Git-commit: e730cd57ac2dfe94bca0f14a3be8e1b21de41a9c +Patch-mainline: v5.17-rc1 +References: git-fixes + +Some variables are leaked in the error handling in alloc_rtllib(), free +the variables in the error path. + +Fixes: 94a799425eee ("From: wlanfae ") +Reviewed-by: Dan Carpenter +Reviewed-by: Pavel Skripkin +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20211202030704.2425621-3-yangyingliang@huawei.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/staging/rtl8192e/rtllib_module.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/drivers/staging/rtl8192e/rtllib_module.c b/drivers/staging/rtl8192e/rtllib_module.c +index 64d9feee1f39..f00ac94b2639 100644 +--- a/drivers/staging/rtl8192e/rtllib_module.c ++++ b/drivers/staging/rtl8192e/rtllib_module.c +@@ -88,7 +88,7 @@ struct net_device *alloc_rtllib(int sizeof_priv) + err = rtllib_networks_allocate(ieee); + if (err) { + pr_err("Unable to allocate beacon storage: %d\n", err); +- goto failed; ++ goto free_netdev; + } + rtllib_networks_initialize(ieee); + +@@ -121,11 +121,13 @@ struct net_device *alloc_rtllib(int sizeof_priv) + ieee->hwsec_active = 0; + + memset(ieee->swcamtable, 0, sizeof(struct sw_cam_table) * 32); +- rtllib_softmac_init(ieee); ++ err = rtllib_softmac_init(ieee); ++ if (err) ++ goto free_crypt_info; + + ieee->pHTInfo = kzalloc(sizeof(struct rt_hi_throughput), GFP_KERNEL); + if (!ieee->pHTInfo) +- return NULL; ++ goto free_softmac; + + HTUpdateDefaultSetting(ieee); + HTInitializeHTInfo(ieee); +@@ -141,8 +143,14 @@ struct net_device *alloc_rtllib(int sizeof_priv) + + return dev; + +- failed: ++free_softmac: ++ rtllib_softmac_free(ieee); ++free_crypt_info: ++ lib80211_crypt_info_free(&ieee->crypt_info); ++ rtllib_networks_free(ieee); ++free_netdev: + free_netdev(dev); ++ + return NULL; + } + EXPORT_SYMBOL(alloc_rtllib); +-- +2.31.1 + diff --git a/patches.suse/staging-wlan-ng-Avoid-bitwise-vs-logical-OR-warning-.patch b/patches.suse/staging-wlan-ng-Avoid-bitwise-vs-logical-OR-warning-.patch new file mode 100644 index 0000000..7bf3c71 --- /dev/null +++ b/patches.suse/staging-wlan-ng-Avoid-bitwise-vs-logical-OR-warning-.patch @@ -0,0 +1,74 @@ +From 502408a61f4b7eb4713f44bd77f4a48e6cb1b59a Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Thu, 14 Oct 2021 14:57:03 -0700 +Subject: [PATCH] staging: wlan-ng: Avoid bitwise vs logical OR warning in hfa384x_usb_throttlefn() +Git-commit: 502408a61f4b7eb4713f44bd77f4a48e6cb1b59a +Patch-mainline: v5.16-rc1 +References: git-fixes + +A new warning in clang points out a place in this file where a bitwise +OR is being used with boolean expressions: + +In file included from drivers/staging/wlan-ng/prism2usb.c:2: +drivers/staging/wlan-ng/hfa384x_usb.c:3787:7: warning: use of bitwise '|' with boolean operands [-Wbitwise-instead-of-logical] + ((test_and_clear_bit(THROTTLE_RX, &hw->usb_flags) && + ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +drivers/staging/wlan-ng/hfa384x_usb.c:3787:7: note: cast one or both operands to int to silence this warning +1 warning generated. + +The comment explains that short circuiting here is undesirable, as the +calls to test_and_{clear,set}_bit() need to happen for both sides of the +expression. + +Clang's suggestion would work to silence the warning but the readability +of the expression would suffer even more. To clean up the warning and +make the block more readable, use a variable for each side of the +bitwise expression. + +Link: https://github.com/ClangBuiltLinux/linux/issues/1478 +Signed-off-by: Nathan Chancellor +Link: https://lore.kernel.org/r/20211014215703.3705371-1-nathan@kernel.org +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/staging/wlan-ng/hfa384x_usb.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/drivers/staging/wlan-ng/hfa384x_usb.c b/drivers/staging/wlan-ng/hfa384x_usb.c +index 59aa84d1837d..938e11a1a0b6 100644 +--- a/drivers/staging/wlan-ng/hfa384x_usb.c ++++ b/drivers/staging/wlan-ng/hfa384x_usb.c +@@ -3778,18 +3778,18 @@ static void hfa384x_usb_throttlefn(struct timer_list *t) + + spin_lock_irqsave(&hw->ctlxq.lock, flags); + +- /* +- * We need to check BOTH the RX and the TX throttle controls, +- * so we use the bitwise OR instead of the logical OR. +- */ + pr_debug("flags=0x%lx\n", hw->usb_flags); +- if (!hw->wlandev->hwremoved && +- ((test_and_clear_bit(THROTTLE_RX, &hw->usb_flags) && +- !test_and_set_bit(WORK_RX_RESUME, &hw->usb_flags)) | +- (test_and_clear_bit(THROTTLE_TX, &hw->usb_flags) && +- !test_and_set_bit(WORK_TX_RESUME, &hw->usb_flags)) +- )) { +- schedule_work(&hw->usb_work); ++ if (!hw->wlandev->hwremoved) { ++ bool rx_throttle = test_and_clear_bit(THROTTLE_RX, &hw->usb_flags) && ++ !test_and_set_bit(WORK_RX_RESUME, &hw->usb_flags); ++ bool tx_throttle = test_and_clear_bit(THROTTLE_TX, &hw->usb_flags) && ++ !test_and_set_bit(WORK_TX_RESUME, &hw->usb_flags); ++ /* ++ * We need to check BOTH the RX and the TX throttle controls, ++ * so we use the bitwise OR instead of the logical OR. ++ */ ++ if (rx_throttle | tx_throttle) ++ schedule_work(&hw->usb_work); + } + + spin_unlock_irqrestore(&hw->ctlxq.lock, flags); +-- +2.31.1 + diff --git a/patches.suse/thermal-drivers-imx8mm-Enable-ADC-when-enabling-moni.patch b/patches.suse/thermal-drivers-imx8mm-Enable-ADC-when-enabling-moni.patch new file mode 100644 index 0000000..12a34db --- /dev/null +++ b/patches.suse/thermal-drivers-imx8mm-Enable-ADC-when-enabling-moni.patch @@ -0,0 +1,53 @@ +From 3de89d8842a2b5d3dd22ebf97dd561ae0a330948 Mon Sep 17 00:00:00 2001 +From: Paul Gerber +Date: Mon, 22 Nov 2021 12:42:25 +0100 +Subject: [PATCH] thermal/drivers/imx8mm: Enable ADC when enabling monitor +Git-commit: 3de89d8842a2b5d3dd22ebf97dd561ae0a330948 +Patch-mainline: v5.17-rc1 +References: git-fixes + +The i.MX 8MP has a ADC_PD bit in the TMU_TER register that controls the +operating mode of the ADC: +* 0 means normal operating mode +* 1 means power down mode + +When enabling/disabling the TMU, the ADC operating mode must be set +accordingly. + +i.MX 8M Mini & Nano are lacking this bit. + +Signed-off-by: Paul Gerber +Signed-off-by: Alexander Stein +Fixes: 2b8f1f0337c5 ("thermal: imx8mm: Add i.MX8MP support") +Link: https://lore.kernel.org/r/20211122114225.196280-1-alexander.stein@ew.tq-group.com +Signed-off-by: Daniel Lezcano +Acked-by: Takashi Iwai + +--- + drivers/thermal/imx8mm_thermal.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/thermal/imx8mm_thermal.c b/drivers/thermal/imx8mm_thermal.c +index 7442e013738f..af666bd9e8d4 100644 +--- a/drivers/thermal/imx8mm_thermal.c ++++ b/drivers/thermal/imx8mm_thermal.c +@@ -21,6 +21,7 @@ + #define TPS 0x4 + #define TRITSR 0x20 /* TMU immediate temp */ + ++#define TER_ADC_PD BIT(30) + #define TER_EN BIT(31) + #define TRITSR_TEMP0_VAL_MASK 0xff + #define TRITSR_TEMP1_VAL_MASK 0xff0000 +@@ -113,6 +114,8 @@ static void imx8mm_tmu_enable(struct imx8mm_tmu *tmu, bool enable) + + val = readl_relaxed(tmu->base + TER); + val = enable ? (val | TER_EN) : (val & ~TER_EN); ++ if (tmu->socdata->version == TMU_VER2) ++ val = enable ? (val & ~TER_ADC_PD) : (val | TER_ADC_PD); + writel_relaxed(val, tmu->base + TER); + } + +-- +2.31.1 + diff --git a/patches.suse/tpm-add-request_locality-before-write-TPM_INT_ENABLE.patch b/patches.suse/tpm-add-request_locality-before-write-TPM_INT_ENABLE.patch new file mode 100644 index 0000000..f636ba2 --- /dev/null +++ b/patches.suse/tpm-add-request_locality-before-write-TPM_INT_ENABLE.patch @@ -0,0 +1,44 @@ +From 0ef333f5ba7f24f5d8478425c163d3097f1c7afd Mon Sep 17 00:00:00 2001 +From: Chen Jun +Date: Wed, 13 Oct 2021 06:25:56 +0000 +Subject: [PATCH] tpm: add request_locality before write TPM_INT_ENABLE +Git-commit: 0ef333f5ba7f24f5d8478425c163d3097f1c7afd +Patch-mainline: v5.17-rc1 +References: git-fixes + +Locality is not appropriately requested before writing the int mask. +Add the missing boilerplate. + +Fixes: e6aef069b6e9 ("tpm_tis: convert to using locality callbacks") +Signed-off-by: Chen Jun +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Acked-by: Takashi Iwai + +--- + drivers/char/tpm/tpm_tis_core.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/char/tpm/tpm_tis_core.c b/drivers/char/tpm/tpm_tis_core.c +index b2659a4c4016..e2df1098a812 100644 +--- a/drivers/char/tpm/tpm_tis_core.c ++++ b/drivers/char/tpm/tpm_tis_core.c +@@ -994,7 +994,15 @@ int tpm_tis_core_init(struct device *dev, struct tpm_tis_data *priv, int irq, + intmask |= TPM_INTF_CMD_READY_INT | TPM_INTF_LOCALITY_CHANGE_INT | + TPM_INTF_DATA_AVAIL_INT | TPM_INTF_STS_VALID_INT; + intmask &= ~TPM_GLOBAL_INT_ENABLE; ++ ++ rc = request_locality(chip, 0); ++ if (rc < 0) { ++ rc = -ENODEV; ++ goto out_err; ++ } ++ + tpm_tis_write32(priv, TPM_INT_ENABLE(priv->locality), intmask); ++ release_locality(chip, 0); + + rc = tpm_chip_start(chip); + if (rc) +-- +2.31.1 + diff --git a/patches.suse/tpm-fix-potential-NULL-pointer-access-in-tpm_del_cha.patch b/patches.suse/tpm-fix-potential-NULL-pointer-access-in-tpm_del_cha.patch new file mode 100644 index 0000000..5fa23de --- /dev/null +++ b/patches.suse/tpm-fix-potential-NULL-pointer-access-in-tpm_del_cha.patch @@ -0,0 +1,69 @@ +From eabad7ba2c752392ae50f24a795093fb115b686d Mon Sep 17 00:00:00 2001 +From: Lino Sanfilippo +Date: Mon, 20 Dec 2021 16:06:35 +0100 +Subject: [PATCH] tpm: fix potential NULL pointer access in tpm_del_char_device +Git-commit: eabad7ba2c752392ae50f24a795093fb115b686d +Patch-mainline: v5.17-rc1 +References: git-fixes + +Some SPI controller drivers unregister the controller in the shutdown +handler (e.g. BCM2835). If such a controller is used with a TPM 2 slave +chip->ops may be accessed when it is already NULL: + +At system shutdown the pre-shutdown handler tpm_class_shutdown() shuts down +TPM 2 and sets chip->ops to NULL. Then at SPI controller unregistration +tpm_tis_spi_remove() is called and eventually calls tpm_del_char_device() +which tries to shut down TPM 2 again. Thereby it accesses chip->ops again: +(tpm_del_char_device calls tpm_chip_start which calls tpm_clk_enable which +calls chip->ops->clk_enable). + +Avoid the NULL pointer access by testing if chip->ops is valid and skipping +the TPM 2 shutdown procedure in case it is NULL. + +Cc: stable@vger.kernel.org +Signed-off-by: Lino Sanfilippo +Fixes: 39d0099f9439 ("powerpc/pseries: Add shutdown() to vio_driver and vio_bus") +Reviewed-by: Stefan Berger +Tested-by: Stefan Berger +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Acked-by: Takashi Iwai + +--- + drivers/char/tpm/tpm-chip.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c +index b4ed3ae67a4b..b009e7479b70 100644 +--- a/drivers/char/tpm/tpm-chip.c ++++ b/drivers/char/tpm/tpm-chip.c +@@ -474,13 +474,21 @@ static void tpm_del_char_device(struct tpm_chip *chip) + + /* Make the driver uncallable. */ + down_write(&chip->ops_sem); +- if (chip->flags & TPM_CHIP_FLAG_TPM2) { +- if (!tpm_chip_start(chip)) { +- tpm2_shutdown(chip, TPM2_SU_CLEAR); +- tpm_chip_stop(chip); ++ ++ /* ++ * Check if chip->ops is still valid: In case that the controller ++ * drivers shutdown handler unregisters the controller in its ++ * shutdown handler we are called twice and chip->ops to NULL. ++ */ ++ if (chip->ops) { ++ if (chip->flags & TPM_CHIP_FLAG_TPM2) { ++ if (!tpm_chip_start(chip)) { ++ tpm2_shutdown(chip, TPM2_SU_CLEAR); ++ tpm_chip_stop(chip); ++ } + } ++ chip->ops = NULL; + } +- chip->ops = NULL; + up_write(&chip->ops_sem); + } + +-- +2.31.1 + diff --git a/patches.suse/tty-serial-atmel-Call-dma_async_issue_pending.patch b/patches.suse/tty-serial-atmel-Call-dma_async_issue_pending.patch new file mode 100644 index 0000000..5942b62 --- /dev/null +++ b/patches.suse/tty-serial-atmel-Call-dma_async_issue_pending.patch @@ -0,0 +1,50 @@ +From 4f4b9b5895614eb2e2b5f4cab7858f44bd113e1b Mon Sep 17 00:00:00 2001 +From: Tudor Ambarus +Date: Thu, 25 Nov 2021 11:00:18 +0200 +Subject: [PATCH] tty: serial: atmel: Call dma_async_issue_pending() +Git-commit: 4f4b9b5895614eb2e2b5f4cab7858f44bd113e1b +Patch-mainline: v5.17-rc1 +References: git-fixes + +The driver wrongly assummed that tx_submit() will start the transfer, +which is not the case, now that the at_xdmac driver is fixed. tx_submit +is supposed to push the current transaction descriptor to a pending queue, +waiting for issue_pending to be called. issue_pending must start the +transfer, not tx_submit. + +Fixes: 34df42f59a60 ("serial: at91: add rx dma support") +Fixes: 08f738be88bb ("serial: at91: add tx dma support") +Signed-off-by: Tudor Ambarus +Link: https://lore.kernel.org/r/20211125090028.786832-4-tudor.ambarus@microchip.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/tty/serial/atmel_serial.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/tty/serial/atmel_serial.c b/drivers/tty/serial/atmel_serial.c +index 376f7a9c2868..269b4500e9e7 100644 +--- a/drivers/tty/serial/atmel_serial.c ++++ b/drivers/tty/serial/atmel_serial.c +@@ -1009,6 +1009,8 @@ static void atmel_tx_dma(struct uart_port *port) + atmel_port->cookie_tx); + return; + } ++ ++ dma_async_issue_pending(chan); + } + + if (uart_circ_chars_pending(xmit) < WAKEUP_CHARS) +@@ -1269,6 +1271,8 @@ static int atmel_prepare_rx_dma(struct uart_port *port) + goto chan_err; + } + ++ dma_async_issue_pending(atmel_port->chan_rx); ++ + return 0; + + chan_err: +-- +2.31.1 + diff --git a/patches.suse/tty-serial-atmel-Check-return-code-of-dmaengine_subm.patch b/patches.suse/tty-serial-atmel-Check-return-code-of-dmaengine_subm.patch new file mode 100644 index 0000000..a074a36 --- /dev/null +++ b/patches.suse/tty-serial-atmel-Check-return-code-of-dmaengine_subm.patch @@ -0,0 +1,59 @@ +From 1e67bd2b8cb90b66e89562598e9c2046246832d3 Mon Sep 17 00:00:00 2001 +From: Tudor Ambarus +Date: Thu, 25 Nov 2021 11:00:17 +0200 +Subject: [PATCH] tty: serial: atmel: Check return code of dmaengine_submit() +Git-commit: 1e67bd2b8cb90b66e89562598e9c2046246832d3 +Patch-mainline: v5.17-rc1 +References: git-fixes + +The tx_submit() method of struct dma_async_tx_descriptor is entitled +to do sanity checks and return errors if encountered. It's not the +case for the DMA controller drivers that this client is using +(at_h/xdmac), because they currently don't do sanity checks and always +return a positive cookie at tx_submit() method. In case the controller +drivers will implement sanity checks and return errors, print a message +so that the client will be informed that something went wrong at +tx_submit() level. + +Fixes: 08f738be88bb ("serial: at91: add tx dma support") +Signed-off-by: Tudor Ambarus +Acked-by: Richard Genoud +Link: https://lore.kernel.org/r/20211125090028.786832-3-tudor.ambarus@microchip.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/tty/serial/atmel_serial.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/tty/serial/atmel_serial.c b/drivers/tty/serial/atmel_serial.c +index 2c99a47a2535..376f7a9c2868 100644 +--- a/drivers/tty/serial/atmel_serial.c ++++ b/drivers/tty/serial/atmel_serial.c +@@ -1004,6 +1004,11 @@ static void atmel_tx_dma(struct uart_port *port) + desc->callback = atmel_complete_tx_dma; + desc->callback_param = atmel_port; + atmel_port->cookie_tx = dmaengine_submit(desc); ++ if (dma_submit_error(atmel_port->cookie_tx)) { ++ dev_err(port->dev, "dma_submit_error %d\n", ++ atmel_port->cookie_tx); ++ return; ++ } + } + + if (uart_circ_chars_pending(xmit) < WAKEUP_CHARS) +@@ -1258,6 +1263,11 @@ static int atmel_prepare_rx_dma(struct uart_port *port) + desc->callback_param = port; + atmel_port->desc_rx = desc; + atmel_port->cookie_rx = dmaengine_submit(desc); ++ if (dma_submit_error(atmel_port->cookie_rx)) { ++ dev_err(port->dev, "dma_submit_error %d\n", ++ atmel_port->cookie_rx); ++ goto chan_err; ++ } + + return 0; + +-- +2.31.1 + diff --git a/patches.suse/tty-serial-uartlite-allow-64-bit-address.patch b/patches.suse/tty-serial-uartlite-allow-64-bit-address.patch new file mode 100644 index 0000000..904b97c --- /dev/null +++ b/patches.suse/tty-serial-uartlite-allow-64-bit-address.patch @@ -0,0 +1,39 @@ +From 3672fb65155530b5eea6225685c75329b6debec3 Mon Sep 17 00:00:00 2001 +From: Lizhi Hou +Date: Mon, 29 Nov 2021 12:23:02 -0800 +Subject: [PATCH] tty: serial: uartlite: allow 64 bit address +Git-commit: 3672fb65155530b5eea6225685c75329b6debec3 +Patch-mainline: v5.17-rc1 +References: git-fixes + +The base address of uartlite registers could be 64 bit address which is from +device resource. When ulite_probe() calls ulite_assign(), this 64 bit +address is casted to 32-bit. The fix is to replace "u32" type with +"phys_addr_t" type for the base address in ulite_assign() argument list. + +Fixes: 8fa7b6100693 ("[POWERPC] Uartlite: Separate the bus binding from the driver proper") +Signed-off-by: Lizhi Hou +Link: https://lore.kernel.org/r/20211129202302.1319033-1-lizhi.hou@xilinx.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/tty/serial/uartlite.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/uartlite.c b/drivers/tty/serial/uartlite.c +index d3d9566e5dbd..e1fa52d31474 100644 +--- a/drivers/tty/serial/uartlite.c ++++ b/drivers/tty/serial/uartlite.c +@@ -626,7 +626,7 @@ static struct uart_driver ulite_uart_driver = { + * + * Returns: 0 on success, <0 otherwise + */ +-static int ulite_assign(struct device *dev, int id, u32 base, int irq, ++static int ulite_assign(struct device *dev, int id, phys_addr_t base, int irq, + struct uartlite_data *pdata) + { + struct uart_port *port; +-- +2.31.1 + diff --git a/patches.suse/udf-Fix-crash-after-seekdir.patch b/patches.suse/udf-Fix-crash-after-seekdir.patch new file mode 100644 index 0000000..7fff556 --- /dev/null +++ b/patches.suse/udf-Fix-crash-after-seekdir.patch @@ -0,0 +1,166 @@ +From a48fc69fe6588b48d878d69de223b91a386a7cb4 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 4 Nov 2021 15:22:35 +0100 +Subject: [PATCH] udf: Fix crash after seekdir +Git-commit: a48fc69fe6588b48d878d69de223b91a386a7cb4 +Patch-mainline: v5.16-rc2 +References: bsc#1194592 + +udf_readdir() didn't validate the directory position it should start +reading from. Thus when user uses lseek(2) on directory file descriptor +it can trick udf_readdir() into reading from a position in the middle of +directory entry which then upsets directory parsing code resulting in +errors or even possible kernel crashes. Similarly when the directory is +modified between two readdir calls, the directory position need not be +valid anymore. + +Add code to validate current offset in the directory. This is actually +rather expensive for UDF as we need to read from the beginning of the +directory and parse all directory entries. This is because in UDF a +directory is just a stream of data containing directory entries and +since file names are fully under user's control we cannot depend on +detecting magic numbers and checksums in the header of directory entry +as a malicious attacker could fake them. We skip this step if we detect +that nothing changed since the last readdir call. + +Reported-by: Nathan Wilson +Cc: stable@vger.kernel.org +Signed-off-by: Jan Kara +Acked-by: Jan Kara + +--- + fs/udf/dir.c | 32 ++++++++++++++++++++++++++++++-- + fs/udf/namei.c | 3 +++ + fs/udf/super.c | 2 ++ + 3 files changed, 35 insertions(+), 2 deletions(-) + +diff --git a/fs/udf/dir.c b/fs/udf/dir.c +index 70abdfad2df1..42e3e551fa4c 100644 +--- a/fs/udf/dir.c ++++ b/fs/udf/dir.c +@@ -31,6 +31,7 @@ + #include + #include + #include ++#include + + #include "udf_i.h" + #include "udf_sb.h" +@@ -43,7 +44,7 @@ static int udf_readdir(struct file *file, struct dir_context *ctx) + struct fileIdentDesc *fi = NULL; + struct fileIdentDesc cfi; + udf_pblk_t block, iblock; +- loff_t nf_pos; ++ loff_t nf_pos, emit_pos = 0; + int flen; + unsigned char *fname = NULL, *copy_name = NULL; + unsigned char *nameptr; +@@ -57,6 +58,7 @@ static int udf_readdir(struct file *file, struct dir_context *ctx) + int i, num, ret = 0; + struct extent_position epos = { NULL, 0, {0, 0} }; + struct super_block *sb = dir->i_sb; ++ bool pos_valid = false; + + if (ctx->pos == 0) { + if (!dir_emit_dot(file, ctx)) +@@ -67,6 +69,21 @@ static int udf_readdir(struct file *file, struct dir_context *ctx) + if (nf_pos >= size) + goto out; + ++ /* ++ * Something changed since last readdir (either lseek was called or dir ++ * changed)? We need to verify the position correctly points at the ++ * beginning of some dir entry so that the directory parsing code does ++ * not get confused. Since UDF does not have any reliable way of ++ * identifying beginning of dir entry (names are under user control), ++ * we need to scan the directory from the beginning. ++ */ ++ if (!inode_eq_iversion(dir, file->f_version)) { ++ emit_pos = nf_pos; ++ nf_pos = 0; ++ } else { ++ pos_valid = true; ++ } ++ + fname = kmalloc(UDF_NAME_LEN, GFP_NOFS); + if (!fname) { + ret = -ENOMEM; +@@ -122,13 +139,21 @@ static int udf_readdir(struct file *file, struct dir_context *ctx) + + while (nf_pos < size) { + struct kernel_lb_addr tloc; ++ loff_t cur_pos = nf_pos; + +- ctx->pos = (nf_pos >> 2) + 1; ++ /* Update file position only if we got past the current one */ ++ if (nf_pos >= emit_pos) { ++ ctx->pos = (nf_pos >> 2) + 1; ++ pos_valid = true; ++ } + + fi = udf_fileident_read(dir, &nf_pos, &fibh, &cfi, &epos, &eloc, + &elen, &offset); + if (!fi) + goto out; ++ /* Still not at offset where user asked us to read from? */ ++ if (cur_pos < emit_pos) ++ continue; + + liu = le16_to_cpu(cfi.lengthOfImpUse); + lfi = cfi.lengthFileIdent; +@@ -186,8 +211,11 @@ static int udf_readdir(struct file *file, struct dir_context *ctx) + } /* end while */ + + ctx->pos = (nf_pos >> 2) + 1; ++ pos_valid = true; + + out: ++ if (pos_valid) ++ file->f_version = inode_query_iversion(dir); + if (fibh.sbh != fibh.ebh) + brelse(fibh.ebh); + brelse(fibh.sbh); +diff --git a/fs/udf/namei.c b/fs/udf/namei.c +index caeef08efed2..0ed4861b038f 100644 +--- a/fs/udf/namei.c ++++ b/fs/udf/namei.c +@@ -30,6 +30,7 @@ + #include + #include + #include ++#include + + static inline int udf_match(int len1, const unsigned char *name1, int len2, + const unsigned char *name2) +@@ -134,6 +135,8 @@ int udf_write_fi(struct inode *inode, struct fileIdentDesc *cfi, + mark_buffer_dirty_inode(fibh->ebh, inode); + mark_buffer_dirty_inode(fibh->sbh, inode); + } ++ inode_inc_iversion(inode); ++ + return 0; + } + +diff --git a/fs/udf/super.c b/fs/udf/super.c +index 34247fba6df9..f26b5e0b84b6 100644 +--- a/fs/udf/super.c ++++ b/fs/udf/super.c +@@ -57,6 +57,7 @@ + #include + #include + #include ++#include + + #include "udf_sb.h" + #include "udf_i.h" +@@ -149,6 +150,7 @@ static struct inode *udf_alloc_inode(struct super_block *sb) + init_rwsem(&ei->i_data_sem); + ei->cached_extent.lstart = -1; + spin_lock_init(&ei->i_extent_cache_lock); ++ inode_set_iversion(&ei->vfs_inode, 1); + + return &ei->vfs_inode; + } +-- +2.31.1 + diff --git a/patches.suse/uio-uio_dmem_genirq-Catch-the-Exception.patch b/patches.suse/uio-uio_dmem_genirq-Catch-the-Exception.patch new file mode 100644 index 0000000..75bd4ba --- /dev/null +++ b/patches.suse/uio-uio_dmem_genirq-Catch-the-Exception.patch @@ -0,0 +1,36 @@ +From eec91694f927d1026974444eb6a3adccd4f1cbc2 Mon Sep 17 00:00:00 2001 +From: Jiasheng Jiang +Date: Sat, 4 Dec 2021 08:03:26 +0800 +Subject: [PATCH] uio: uio_dmem_genirq: Catch the Exception +Git-commit: eec91694f927d1026974444eb6a3adccd4f1cbc2 +Patch-mainline: v5.17-rc1 +References: git-fixes + +The return value of dma_set_coherent_mask() is not always 0. +To catch the exception in case that dma is not support the mask. + +Fixes: 0a0c3b5a24bd ("Add new uio device for dynamic memory allocation") +Signed-off-by: Jiasheng Jiang +Link: https://lore.kernel.org/r/20211204000326.1592687-1-jiasheng@iscas.ac.cn +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/uio/uio_dmem_genirq.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/uio/uio_dmem_genirq.c ++++ b/drivers/uio/uio_dmem_genirq.c +@@ -192,7 +192,11 @@ static int uio_dmem_genirq_probe(struct + goto bad0; + } + +- dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(32)); ++ ret = dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(32)); ++ if (ret) { ++ dev_err(&pdev->dev, "DMA enable failed\n"); ++ return ret; ++ } + + priv->uioinfo = uioinfo; + spin_lock_init(&priv->lock); diff --git a/patches.suse/usb-ftdi-elan-fix-memory-leak-on-device-disconnect.patch b/patches.suse/usb-ftdi-elan-fix-memory-leak-on-device-disconnect.patch new file mode 100644 index 0000000..68567df --- /dev/null +++ b/patches.suse/usb-ftdi-elan-fix-memory-leak-on-device-disconnect.patch @@ -0,0 +1,52 @@ +From 1646566b5e0c556f779180a8514e521ac735de1e Mon Sep 17 00:00:00 2001 +From: Wei Yongjun +Date: Fri, 17 Dec 2021 16:34:28 +0800 +Subject: [PATCH] usb: ftdi-elan: fix memory leak on device disconnect +Git-commit: 1646566b5e0c556f779180a8514e521ac735de1e +Patch-mainline: v5.17-rc1 +References: git-fixes + +'ftdi' is alloced when probe device, but not free on device disconnect, +this cause a memory leak as follows: + +unreferenced object 0xffff88800d584000 (size 8400): + comm "kworker/0:2", pid 3809, jiffies 4295453055 (age 13.784s) + hex dump (first 32 bytes): + 00 40 58 0d 80 88 ff ff 00 40 58 0d 80 88 ff ff .@X......@X..... + 00 00 00 00 00 00 00 00 00 00 00 00 ad 4e ad de .............N.. + backtrace: + [<000000000d47f947>] kmalloc_order_trace+0x19/0x110 mm/slab_common.c:960 + [<000000008548ac68>] ftdi_elan_probe+0x8c/0x880 drivers/usb/misc/ftdi-elan.c:2647 + [<000000007f73e422>] usb_probe_interface+0x31b/0x800 drivers/usb/core/driver.c:396 + [<00000000fe8d07fc>] really_probe+0x299/0xc30 drivers/base/dd.c:517 + [<0000000005da7d32>] __driver_probe_device+0x357/0x500 drivers/base/dd.c:751 + [<000000003c2c9579>] driver_probe_device+0x4e/0x140 drivers/base/dd.c:781 + +Fix it by freeing 'ftdi' after nobody use it. + +Fixes: a5c66e4b2418 ("USB: ftdi-elan: client driver for ELAN Uxxx adapters") +Reported-by: Hulk Robot +Signed-off-by: Wei Yongjun +Link: https://lore.kernel.org/r/20211217083428.2441-1-weiyongjun1@huawei.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/misc/ftdi-elan.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/usb/misc/ftdi-elan.c b/drivers/usb/misc/ftdi-elan.c +index e5a8fcdbb78e..6c38c62d29b2 100644 +--- a/drivers/usb/misc/ftdi-elan.c ++++ b/drivers/usb/misc/ftdi-elan.c +@@ -202,6 +202,7 @@ static void ftdi_elan_delete(struct kref *kref) + mutex_unlock(&ftdi_module_lock); + kfree(ftdi->bulk_in_buffer); + ftdi->bulk_in_buffer = NULL; ++ kfree(ftdi); + } + + static void ftdi_elan_put_kref(struct usb_ftdi *ftdi) +-- +2.31.1 + diff --git a/patches.suse/usb-gadget-u_ether-fix-race-in-setting-MAC-address-i.patch b/patches.suse/usb-gadget-u_ether-fix-race-in-setting-MAC-address-i.patch new file mode 100644 index 0000000..c0cfb10 --- /dev/null +++ b/patches.suse/usb-gadget-u_ether-fix-race-in-setting-MAC-address-i.patch @@ -0,0 +1,102 @@ +From 890d5b40908bfd1a79be018d2d297cf9df60f4ee Mon Sep 17 00:00:00 2001 +From: Marian Postevca +Date: Sat, 4 Dec 2021 23:49:12 +0200 +Subject: [PATCH] usb: gadget: u_ether: fix race in setting MAC address in + setup phase +Git-commit: 890d5b40908bfd1a79be018d2d297cf9df60f4ee +References: git-fixes +Patch-mainline: v5.16-rc6 + +When listening for notifications through netlink of a new interface being +registered, sporadically, it is possible for the MAC to be read as zero. +The zero MAC address lasts a short period of time and then switches to a +valid random MAC address. + +This causes problems for netd in Android, which assumes that the interface +is malfunctioning and will not use it. + +In the good case we get this log: +InterfaceController::getCfg() ifName usb0 + hwAddr 92:a8:f0:73:79:5b ipv4Addr 0.0.0.0 flags 0x1002 + +In the error case we get these logs: +InterfaceController::getCfg() ifName usb0 + hwAddr 00:00:00:00:00:00 ipv4Addr 0.0.0.0 flags 0x1002 + +netd : interfaceGetCfg("usb0") +netd : interfaceSetCfg() -> ServiceSpecificException + (99, "[Cannot assign requested address] : ioctl() failed") + +The reason for the issue is the order in which the interface is setup, +it is first registered through register_netdev() and after the MAC +address is set. + +Fixed by first setting the MAC address of the net_device and after that +calling register_netdev(). + +Fixes: bcd4a1c40bee885e ("usb: gadget: u_ether: construct with default values and add setters/getters") +Cc: stable@vger.kernel.org +Signed-off-by: Marian Postevca +Link: https://lore.kernel.org/r/20211204214912.17627-1-posteuca@mutex.one +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Oliver Neukum +--- + drivers/usb/gadget/function/u_ether.c | 16 ++++++---------- + 1 file changed, 6 insertions(+), 10 deletions(-) + +diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c +index e0ad5aed6ac9..6f5d45ef2e39 100644 +--- a/drivers/usb/gadget/function/u_ether.c ++++ b/drivers/usb/gadget/function/u_ether.c +@@ -17,6 +17,7 @@ + #include + #include + #include ++#include + + #include "u_ether.h" + +@@ -863,19 +864,23 @@ int gether_register_netdev(struct net_device *net) + { + struct eth_dev *dev; + struct usb_gadget *g; +- struct sockaddr sa; + int status; + + if (!net->dev.parent) + return -EINVAL; + dev = netdev_priv(net); + g = dev->gadget; ++ ++ net->addr_assign_type = NET_ADDR_RANDOM; ++ eth_hw_addr_set(net, dev->dev_mac); ++ + status = register_netdev(net); + if (status < 0) { + dev_dbg(&g->dev, "register_netdev failed, %d\n", status); + return status; + } else { + INFO(dev, "HOST MAC %pM\n", dev->host_mac); ++ INFO(dev, "MAC %pM\n", dev->dev_mac); + + /* two kinds of host-initiated state changes: + * - iff DATA transfer is active, carrier is "on" +@@ -883,15 +888,6 @@ int gether_register_netdev(struct net_device *net) + */ + netif_carrier_off(net); + } +- sa.sa_family = net->type; +- memcpy(sa.sa_data, dev->dev_mac, ETH_ALEN); +- rtnl_lock(); +- status = dev_set_mac_address(net, &sa, NULL); +- rtnl_unlock(); +- if (status) +- pr_warn("cannot set self ethernet address: %d\n", status); +- else +- INFO(dev, "MAC %pM\n", dev->dev_mac); + + return status; + } +-- +2.26.2 + diff --git a/patches.suse/usb-mtu3-fix-interval-value-for-intr-and-isoc.patch b/patches.suse/usb-mtu3-fix-interval-value-for-intr-and-isoc.patch new file mode 100644 index 0000000..acad9a9 --- /dev/null +++ b/patches.suse/usb-mtu3-fix-interval-value-for-intr-and-isoc.patch @@ -0,0 +1,47 @@ +From e3d4621c22f90c33321ae6a6baab60cdb8e5a77c Mon Sep 17 00:00:00 2001 +From: Chunfeng Yun +Date: Sat, 18 Dec 2021 17:57:46 +0800 +Subject: [PATCH] usb: mtu3: fix interval value for intr and isoc +Git-commit: e3d4621c22f90c33321ae6a6baab60cdb8e5a77c +Patch-mainline: v5.16-rc8 +References: git-fixes + +Use the Interval value from isoc/intr endpoint descriptor, no need +minus one. The original code doesn't cause transfer error for +normal cases, but it may have side effect with respond time of ERDY +or tPingTimeout. + +Signed-off-by: Chunfeng Yun +Link: https://lore.kernel.org/r/20211218095749.6250-1-chunfeng.yun@mediatek.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/mtu3/mtu3_gadget.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/mtu3/mtu3_gadget.c b/drivers/usb/mtu3/mtu3_gadget.c +index a9a65b4bbfed..c51be015345b 100644 +--- a/drivers/usb/mtu3/mtu3_gadget.c ++++ b/drivers/usb/mtu3/mtu3_gadget.c +@@ -77,7 +77,7 @@ static int mtu3_ep_enable(struct mtu3_ep *mep) + if (usb_endpoint_xfer_int(desc) || + usb_endpoint_xfer_isoc(desc)) { + interval = desc->bInterval; +- interval = clamp_val(interval, 1, 16) - 1; ++ interval = clamp_val(interval, 1, 16); + if (usb_endpoint_xfer_isoc(desc) && comp_desc) + mult = comp_desc->bmAttributes; + } +@@ -89,7 +89,7 @@ static int mtu3_ep_enable(struct mtu3_ep *mep) + if (usb_endpoint_xfer_isoc(desc) || + usb_endpoint_xfer_int(desc)) { + interval = desc->bInterval; +- interval = clamp_val(interval, 1, 16) - 1; ++ interval = clamp_val(interval, 1, 16); + mult = usb_endpoint_maxp_mult(desc) - 1; + } + break; +-- +2.31.1 + diff --git a/patches.suse/wcn36xx-Indicate-beacon-not-connection-loss-on-MISSE.patch b/patches.suse/wcn36xx-Indicate-beacon-not-connection-loss-on-MISSE.patch new file mode 100644 index 0000000..8ab72f0 --- /dev/null +++ b/patches.suse/wcn36xx-Indicate-beacon-not-connection-loss-on-MISSE.patch @@ -0,0 +1,51 @@ +From 588b45c88ae130fe373a8c50edaf54735c3f4fe3 Mon Sep 17 00:00:00 2001 +From: Bryan O'Donoghue +Date: Thu, 28 Oct 2021 00:25:29 +0100 +Subject: [PATCH] wcn36xx: Indicate beacon not connection loss on MISSED_BEACON_IND +Git-commit: 588b45c88ae130fe373a8c50edaf54735c3f4fe3 +Patch-mainline: v5.17-rc1 +References: git-fixes + +Firmware can trigger a missed beacon indication, this is not the same as a +lost signal. + +Flag to Linux the missed beacon and let the WiFi stack decide for itself if +the link is up or down by sending its own probe to determine this. + +We should only be signalling the link is lost when the firmware indicates + +Fixes: 8e84c2582169 ("wcn36xx: mac80211 driver for Qualcomm WCN3660/WCN3680 hardware") +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211027232529.657764-1-bryan.odonoghue@linaro.org +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/ath/wcn36xx/smd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/ath/wcn36xx/smd.c b/drivers/net/wireless/ath/wcn36xx/smd.c +index e44506e4f1d5..d3285a504429 100644 +--- a/drivers/net/wireless/ath/wcn36xx/smd.c ++++ b/drivers/net/wireless/ath/wcn36xx/smd.c +@@ -2736,7 +2736,7 @@ static int wcn36xx_smd_missed_beacon_ind(struct wcn36xx *wcn, + wcn36xx_dbg(WCN36XX_DBG_HAL, "beacon missed bss_index %d\n", + tmp->bss_index); + vif = wcn36xx_priv_to_vif(tmp); +- ieee80211_connection_loss(vif); ++ ieee80211_beacon_loss(vif); + } + return 0; + } +@@ -2751,7 +2751,7 @@ static int wcn36xx_smd_missed_beacon_ind(struct wcn36xx *wcn, + wcn36xx_dbg(WCN36XX_DBG_HAL, "beacon missed bss_index %d\n", + rsp->bss_index); + vif = wcn36xx_priv_to_vif(tmp); +- ieee80211_connection_loss(vif); ++ ieee80211_beacon_loss(vif); + return 0; + } + } +-- +2.31.1 + diff --git a/patches.suse/wcn36xx-Release-DMA-channel-descriptor-allocations.patch b/patches.suse/wcn36xx-Release-DMA-channel-descriptor-allocations.patch new file mode 100644 index 0000000..7181d86 --- /dev/null +++ b/patches.suse/wcn36xx-Release-DMA-channel-descriptor-allocations.patch @@ -0,0 +1,38 @@ +From 3652096e5263ad67604b0323f71d133485f410e5 Mon Sep 17 00:00:00 2001 +From: Bryan O'Donoghue +Date: Fri, 5 Nov 2021 12:21:51 +0000 +Subject: [PATCH] wcn36xx: Release DMA channel descriptor allocations +Git-commit: 3652096e5263ad67604b0323f71d133485f410e5 +Patch-mainline: v5.17-rc1 +References: git-fixes + +When unloading the driver we are not releasing the DMA descriptors which we +previously allocated. + +Fixes: 8e84c2582169 ("wcn36xx: mac80211 driver for Qualcomm WCN3660/WCN3680 hardware") +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211105122152.1580542-3-bryan.odonoghue@linaro.org +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/ath/wcn36xx/dxe.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/wireless/ath/wcn36xx/dxe.c b/drivers/net/wireless/ath/wcn36xx/dxe.c +index d6c621518c7b..d6c951f7dec3 100644 +--- a/drivers/net/wireless/ath/wcn36xx/dxe.c ++++ b/drivers/net/wireless/ath/wcn36xx/dxe.c +@@ -1061,4 +1061,9 @@ void wcn36xx_dxe_deinit(struct wcn36xx *wcn) + + wcn36xx_dxe_ch_free_skbs(wcn, &wcn->dxe_rx_l_ch); + wcn36xx_dxe_ch_free_skbs(wcn, &wcn->dxe_rx_h_ch); ++ ++ wcn36xx_dxe_deinit_descs(wcn->dev, &wcn->dxe_tx_l_ch); ++ wcn36xx_dxe_deinit_descs(wcn->dev, &wcn->dxe_tx_h_ch); ++ wcn36xx_dxe_deinit_descs(wcn->dev, &wcn->dxe_rx_l_ch); ++ wcn36xx_dxe_deinit_descs(wcn->dev, &wcn->dxe_rx_h_ch); + } +-- +2.31.1 + diff --git a/patches.suse/wireless-iwlwifi-Fix-a-double-free-in-iwl_txq_dyn_al.patch b/patches.suse/wireless-iwlwifi-Fix-a-double-free-in-iwl_txq_dyn_al.patch new file mode 100644 index 0000000..d9492b2 --- /dev/null +++ b/patches.suse/wireless-iwlwifi-Fix-a-double-free-in-iwl_txq_dyn_al.patch @@ -0,0 +1,43 @@ +From f973795a8d19cbf3d03807704eb7c6ff65788d5a Mon Sep 17 00:00:00 2001 +From: Lv Yunlong +Date: Fri, 2 Apr 2021 22:47:55 -0700 +Subject: [PATCH] wireless: iwlwifi: Fix a double free in iwl_txq_dyn_alloc_dma +Git-commit: f973795a8d19cbf3d03807704eb7c6ff65788d5a +Patch-mainline: v5.17-rc1 +References: git-fixes + +In iwl_txq_dyn_alloc_dma, txq->tfds is freed at first time by: +iwl_txq_alloc()->goto err_free_tfds->dma_free_coherent(). But +it forgot to set txq->tfds to NULL. + +Then the txq->tfds is freed again in iwl_txq_dyn_alloc_dma by: +goto error->iwl_txq_gen2_free_memory()->dma_free_coherent(). + +My patch sets txq->tfds to NULL after the first free to avoid the +double free. + +Fixes: 0cd1ad2d7fd41 ("iwlwifi: move all bus-independent TX functions to common code") +Signed-off-by: Lv Yunlong +Link: https://lore.kernel.org/r/20210403054755.4781-1-lyl2019@mail.ustc.edu.cn +Signed-off-by: Luca Coelho +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/intel/iwlwifi/queue/tx.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/queue/tx.c b/drivers/net/wireless/intel/iwlwifi/queue/tx.c +index 451b06069350..0f3526b0c5b0 100644 +--- a/drivers/net/wireless/intel/iwlwifi/queue/tx.c ++++ b/drivers/net/wireless/intel/iwlwifi/queue/tx.c +@@ -1072,6 +1072,7 @@ int iwl_txq_alloc(struct iwl_trans *trans, struct iwl_txq *txq, int slots_num, + return 0; + err_free_tfds: + dma_free_coherent(trans->dev, tfd_sz, txq->tfds, txq->dma_addr); ++ txq->tfds = NULL; + error: + if (txq->entries && cmd_queue) + for (i = 0; i < slots_num; i++) +-- +2.31.1 + diff --git a/patches.suse/x86-platform-uv-Add-more-to-secondary-CPU-kdump-info.patch b/patches.suse/x86-platform-uv-Add-more-to-secondary-CPU-kdump-info.patch new file mode 100644 index 0000000..c637e59 --- /dev/null +++ b/patches.suse/x86-platform-uv-Add-more-to-secondary-CPU-kdump-info.patch @@ -0,0 +1,108 @@ +From 0b45143b4b9440579e7fa889708cfc4bc7fdb9a3 Mon Sep 17 00:00:00 2001 +From: Georges Aureau +Date: Thu, 11 Mar 2021 09:10:28 -0600 +Subject: [PATCH] x86/platform/uv: Add more to secondary CPU kdump info +Git-commit: 0b45143b4b9440579e7fa889708cfc4bc7fdb9a3 +Patch-mainline: v5.13-rc1 +References: bsc#1194493 + +Add call to run_crash_ipi_callback() to gather more info of what the +secondary CPUs were doing to help with failure analysis. + +Excerpt from Georges: + +'It is only changing where crash secondaries will be stalling after +having taken care of properly laying down "crash note regs". Please +note that "crash note regs" are a key piece of data used by crash dump +debuggers to provide a reliable backtrace of running processors.' + +Secondary change pursuant to + + a5f526ecb075 ("CodingStyle: Inclusive Terminology"): + +change master/slave to main/secondary. + + [ bp: Massage commit message. ] + +Signed-off-by: Georges Aureau +Signed-off-by: Mike Travis +Signed-off-by: Borislav Petkov +Reviewed-by: Steve Wahl +Link: https://lkml.kernel.org/r/20210311151028.82678-1-mike.travis@hpe.com +--- + arch/x86/platform/uv/uv_nmi.c | 39 +++++++++++++++++++++-------------- + 1 file changed, 24 insertions(+), 15 deletions(-) + +diff --git a/arch/x86/platform/uv/uv_nmi.c b/arch/x86/platform/uv/uv_nmi.c +index eafc530c8767..f83810f7bcc2 100644 +--- a/arch/x86/platform/uv/uv_nmi.c ++++ b/arch/x86/platform/uv/uv_nmi.c +@@ -24,6 +24,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -834,34 +835,42 @@ static void uv_nmi_touch_watchdogs(void) + touch_nmi_watchdog(); + } + +-static atomic_t uv_nmi_kexec_failed; +- + #if defined(CONFIG_KEXEC_CORE) +-static void uv_nmi_kdump(int cpu, int master, struct pt_regs *regs) ++static atomic_t uv_nmi_kexec_failed; ++static void uv_nmi_kdump(int cpu, int main, struct pt_regs *regs) + { ++ /* Check if kdump kernel loaded for both main and secondary CPUs */ ++ if (!kexec_crash_image) { ++ if (main) ++ pr_err("UV: NMI error: kdump kernel not loaded\n"); ++ return; ++ } ++ + /* Call crash to dump system state */ +- if (master) { ++ if (main) { + pr_emerg("UV: NMI executing crash_kexec on CPU%d\n", cpu); + crash_kexec(regs); + +- pr_emerg("UV: crash_kexec unexpectedly returned, "); ++ pr_emerg("UV: crash_kexec unexpectedly returned\n"); + atomic_set(&uv_nmi_kexec_failed, 1); +- if (!kexec_crash_image) { +- pr_cont("crash kernel not loaded\n"); +- return; ++ ++ } else { /* secondary */ ++ ++ /* If kdump kernel fails, secondaries will exit this loop */ ++ while (atomic_read(&uv_nmi_kexec_failed) == 0) { ++ ++ /* Once shootdown cpus starts, they do not return */ ++ run_crash_ipi_callback(regs); ++ ++ mdelay(10); + } +- pr_cont("kexec busy, stalling cpus while waiting\n"); + } +- +- /* If crash exec fails the slaves should return, otherwise stall */ +- while (atomic_read(&uv_nmi_kexec_failed) == 0) +- mdelay(10); + } + + #else /* !CONFIG_KEXEC_CORE */ +-static inline void uv_nmi_kdump(int cpu, int master, struct pt_regs *regs) ++static inline void uv_nmi_kdump(int cpu, int main, struct pt_regs *regs) + { +- if (master) ++ if (main) + pr_err("UV: NMI kdump: KEXEC not supported in this kernel\n"); + atomic_set(&uv_nmi_kexec_failed, 1); + } +-- +2.31.1 + diff --git a/scripts/git_sort/git_sort.py b/scripts/git_sort/git_sort.py index 764a63d..ce2d679 100755 --- a/scripts/git_sort/git_sort.py +++ b/scripts/git_sort/git_sort.py @@ -209,8 +209,9 @@ remotes = ( Head(RepoURL("https://github.com/kdave/btrfs-devel.git"), "misc-next"), Head(RepoURL("git://anongit.freedesktop.org/drm/drm"), "drm-next"), Head(RepoURL("git://anongit.freedesktop.org/drm/drm-misc"), "drm-misc-next"), + Head(RepoURL("gregkh/driver-core.git"), "driver-core-next"), Head(RepoURL("gregkh/tty.git"), "tty-next"), - Head(RepoURL("gregkh/usb.git"), "usb-testing"), + Head(RepoURL("gregkh/usb.git"), "usb-next"), Head(RepoURL("jj/linux-apparmor.git"), "apparmor-next"), Head(RepoURL("pablo/nf.git")), Head(RepoURL("pablo/nf-next.git")), diff --git a/scripts/git_sort/lib.py b/scripts/git_sort/lib.py index 4a4f9d3..bf3a834 100644 --- a/scripts/git_sort/lib.py +++ b/scripts/git_sort/lib.py @@ -35,6 +35,11 @@ import git_sort from patch import Patch import series_conf +try: + from collections.abc import MutableSet +except ImportError: + from collections import MutableSet + # https://stackoverflow.com/a/952952 flatten = lambda l: [item for sublist in l for item in sublist] @@ -566,7 +571,7 @@ class Link(object): __slots__ = 'prev', 'next', 'key', '__weakref__' -class OrderedSet(collections.MutableSet): +class OrderedSet(MutableSet): 'Set the remembers the order elements were added' # Big-O running times for all methods are the same as for regular sets. # The internal self.__map dictionary maps keys to links in a doubly linked list. diff --git a/series.conf b/series.conf index 8f50b79..ea95754 100644 --- a/series.conf +++ b/series.conf @@ -1147,6 +1147,7 @@ patches.suse/ASoC-codec2codec-name-link-using-stream-direction.patch patches.suse/ASoC-codec2codec-deal-with-params-when-necessary.patch patches.suse/ASoC-ti-davinci-mcasp-Support-for-correct-symmetric-.patch + patches.suse/ASoC-sunxi-fix-a-sound-binding-broken-reference.patch patches.suse/ASoC-codec2codec-fix-missing-return-of-error-return-.patch patches.suse/ASoC-Intel-Skylake-Remove-static-table-index-when-pa.patch patches.suse/ASoC-meson-g12a-tohdmitx-override-codec2codec-params.patch @@ -34118,6 +34119,7 @@ patches.suse/HID-i2c-hid-add-Schneider-SCL142ALM-to-descriptor-ov.patch patches.suse/HID-Add-quirks-for-Trust-Panora-Graphic-Tablet.patch patches.suse/HID-sony-Fix-for-broken-buttons-on-DS3-USB-dongles.patch + patches.suse/HID-asus-Add-depends-on-USB_HID-to-HID_ASUS-Kconfig-.patch patches.suse/HID-intel-ish-hid-avoid-bogus-uninitialized-variable.patch patches.suse/HID-multitouch-enable-multi-input-as-a-quirk-for-som.patch patches.suse/HID-multitouch-Remove-MT_CLS_WIN_8_DUAL.patch @@ -36270,6 +36272,7 @@ patches.suse/dm-zoned-fix-unused-but-set-variable-warnings.patch patches.suse/0004-dm-zoned-Fix-zone-reclaim-trigger.patch patches.suse/0003-dm-use-noio-when-sending-kobject-event.patch + patches.suse/drm-mediatek-Check-plane-visibility-in-atomic_update.patch patches.suse/1407-drm-meson-viu-fix-setting-the-OSD-burst-length-in-VI.patch patches.suse/1408-drm-hisilicon-hibmc-Move-drm_fbdev_generic_setup-dow.patch patches.suse/1409-drm-nouveau-kms-nv50-bail-from-nv50_audio_disable-ea.patch @@ -37037,7 +37040,6 @@ patches.suse/blk-iolatency-only-call-ktime_get-if-needed.patch patches.suse/floppy-use-block_size.patch patches.suse/dcssblk-don-t-set-bd_block_size-in-open.patch - patches.suse/block-simplify-set_init_blocksize.patch patches.suse/block-remove-the-bd_block_size-field-from-struct-blo.patch patches.suse/block-remove-the-bd_queue-field-from-struct-block_de.patch patches.suse/block-remove-the-unused-bd_private-field-from-struct.patch @@ -46301,6 +46303,7 @@ patches.suse/can-m_can-fix-nominal-bitiming-tseg2-min-for-version.patch patches.suse/soc-fsl-dpio-Get-the-cpumask-through-cpumask_of-cpu.patch patches.suse/ARM-dts-dra76x-m_can-fix-order-of-clocks.patch + patches.suse/phy-tegra-xusb-Fix-dangling-pointer-on-probe-failure.patch patches.suse/USB-quirks-Add-USB_QUIRK_DISCONNECT_SUSPEND-quirk-fo.patch patches.suse/usb-gadget-f_midi-Fix-memleak-in-f_midi_alloc.patch patches.suse/usb-gadget-Fix-memleak-in-gadgetfs_fill_super.patch @@ -48846,6 +48849,7 @@ patches.suse/powerpc-uaccess-Avoid-might_fault-when-user-access-i.patch patches.suse/powerpc-kuap-Restore-AMR-after-replaying-soft-interr.patch patches.suse/powerpc-kexec_file-fix-FDT-size-estimation-for-kdump.patch + patches.suse/cgroup-cgroup.-procs-threads-factor-out-common-parts.patch patches.suse/objtool-fix-error-handling-for-std-cld-warnings.patch patches.suse/objtool-fix-retpoline-detection-in-asm-code.patch patches.suse/objtool-fix-cold-section-suffix-check-for-newer-versions-of-gcc.patch @@ -49625,6 +49629,7 @@ patches.suse/x86-boot-compressed-64-check-sev-encryption-in-the-32-bit-boot-path patches.suse/x86-sev-es-replace-open-coded-hlt-loops-with-sev_es_terminate patches.suse/x86-platform-uv-set-section-block-size-for-hubless-architectures.patch + patches.suse/x86-platform-uv-Add-more-to-secondary-CPU-kdump-info.patch patches.suse/genirq-Reduce-irqdebug-cacheline-bouncing.patch patches.suse/posix-timers-Preserve-return-value-in-clock_adjtime3.patch patches.suse/xen-blkback-fix-compatibility-bug-with-single-page-r.patch @@ -50964,6 +50969,7 @@ patches.suse/net-mlx5-Consider-RoCE-cap-before-init-RDMA-resource.patch patches.suse/net-mlx5e-Block-offload-of-outer-header-csum-for-UDP.patch patches.suse/net-mlx5e-Block-offload-of-outer-header-csum-for-GRE.patch + patches.suse/netfilter-nf_tables-initialize-set-before-expression.patch patches.suse/alx-Fix-an-error-handling-path-in-alx_probe.patch patches.suse/cxgb4-fix-endianness-when-flashing-boot-image.patch patches.suse/cxgb4-fix-sleep-in-atomic-when-flashing-PHY-firmware.patch @@ -51960,6 +51966,7 @@ patches.suse/Revert-gpio-mpc8xxx-change-the-gpio-interrupt-flags.patch patches.suse/gpio-tqmx86-really-make-IRQ-optional.patch patches.suse/scsi-ibmvfc-Fix-command-state-accounting-and-stale-r.patch + patches.suse/pipe-increase-minimum-default-pipe-size-to-2-pages.patch patches.suse/pcmcia-i82092-fix-a-null-pointer-dereference-bug.patch patches.suse/tracing-histogram-Give-calculation-hist_fields-a-size.patch patches.suse/tracing-Reject-string-operand-in-the-histogram-expression.patch @@ -52288,6 +52295,7 @@ patches.suse/fpga-altera-freeze-bridge-Address-warning-about-unus.patch patches.suse/fpga-xiilnx-spi-Address-warning-about-unused-variabl.patch patches.suse/fpga-zynqmp-fpga-Address-warning-about-unused-variab.patch + patches.suse/misc-sram-Only-map-reserved-areas-in-Tegra-SYSRAM.patch patches.suse/firmware-raspberrypi-Fix-a-leak-in-rpi_firmware_get.patch patches.suse/parport-remove-non-zero-check-on-count.patch patches.suse/VMCI-fix-NULL-pointer-dereference-when-unmapping-que.patch @@ -52593,6 +52601,7 @@ patches.suse/qlcnic-Remove-redundant-unlock-in-qlcnic_pinit_from_.patch patches.suse/bnxt_en-fix-stored-FW_PSID-version-masks.patch patches.suse/bnxt_en-Fix-asic.rev-in-devlink-dev-info-command.patch + patches.suse/net-create-netdev-dev_addr-assignment-helpers.patch patches.suse/iwlwifi-Add-support-for-ax201-in-Samsung-Galaxy-Book.patch patches.suse/PCI-Call-Max-Payload-Size-related-fixup-quirks-early.patch patches.suse/PCI-Restrict-ASMedia-ASM1062-SATA-Max-Payload-Size-S.patch @@ -52732,6 +52741,7 @@ patches.suse/HID-u2fzero-ignore-incomplete-packets-without-data.patch patches.suse/watchdog-sb_watchdog-fix-compilation-problem-due-to-.patch patches.suse/media-cedrus-Fix-SUNXI-tile-size-calculation.patch + patches.suse/selftests-KVM-Explicitly-use-movq-to-read-xmm-regist.patch patches.suse/pinctrl-qcom-spmi-gpio-correct-parent-irqspec-transl.patch patches.suse/pinctrl-rockchip-add-a-queue-for-deferred-pin-output.patch patches.suse/gpio-rockchip-fetch-deferred-output-settings-on-prob.patch @@ -52951,6 +52961,7 @@ patches.suse/mmc-vub300-fix-control-message-timeouts.patch patches.suse/scsi-ibmvfc-Fix-up-duplicate-response-detection.patch patches.suse/tpm-Check-for-integer-overflow-in-tpm2_map_response_.patch + patches.suse/blk-cgroup-synchronize-blkg-creation-against-policy-.patch patches.suse/lib-xz-Avoid-overlapping-memcpy-with-invalid-input-w.patch patches.suse/lib-xz-Validate-the-value-before-assigning-it-to-an-.patch patches.suse/btrfs-fix-deadlock-between-chunk-allocation-and-chun.patch @@ -53170,6 +53181,7 @@ patches.suse/USB-iowarrior-fix-control-message-timeouts.patch patches.suse/USB-serial-keyspan-fix-memleak-on-probe-errors.patch patches.suse/staging-ks7010-select-CRYPTO_HASH-CRYPTO_MICHAEL_MIC.patch + patches.suse/staging-wlan-ng-Avoid-bitwise-vs-logical-OR-warning-.patch patches.suse/staging-rtl8192u-fix-control-message-timeouts.patch patches.suse/staging-r8712u-fix-control-message-timeout.patch patches.suse/iio-dac-ad5446-Fix-ad5622_write-return-value.patch @@ -53249,6 +53261,9 @@ patches.suse/PCI-aardvark-Read-all-16-bits-from-PCIE_MSI_PAYLOAD_.patch patches.suse/PCI-cadence-Add-cdns_plat_pcie_probe-missing-return.patch patches.suse/PCI-uniphier-Serialize-INTx-masking-unmasking-and-fi.patch + patches.suse/quota-check-block-number-when-reading-the-block-in-q.patch + patches.suse/quota-correct-error-number-in-free_dqentry.patch + patches.suse/isofs-Fix-out-of-bound-access-for-corrupted-isofs-im.patch patches.suse/cifs-To-match-file-servers-make-sure-the-server-hostname-matches.patch patches.suse/cifs-add-mount-parameter-tcpnodelay.patch patches.suse/cifs-Create-a-new-shared-file-holding-smb2-pdu-definitions.patch @@ -53285,6 +53300,7 @@ patches.suse/NFS-Fix-up-commit-deadlocks.patch patches.suse/NFSv4-Fix-a-regression-in-nfs_set_open_stateid_locke.patch patches.suse/nfsd-don-t-alloc-under-spinlock-in-rpc_parse_scope_i.patch + patches.suse/ext4-fix-lazy-initialization-next-schedule-time-comp.patch patches.suse/xhci-Fix-USB-3.1-enumeration-issues-by-increasing-ro.patch patches.suse/ethtool-fix-ethtool-msg-len-calculation-for-pause-st.patch patches.suse/ice-Fix-VF-true-promiscuous-mode.patch @@ -53353,6 +53369,7 @@ patches.suse/ARM-9155-1-fix-early-early_iounmap.patch patches.suse/tracing-Add-length-protection-to-histogram-string-copies.patch patches.suse/printk-Remove-printk.h-inclusion-in-percpu.h.patch + patches.suse/udf-Fix-crash-after-seekdir.patch patches.suse/btrfs-fix-memory-ordering-between-normal-and-ordered-work-functions.patch patches.suse/net-bnx2x-fix-variable-dereferenced-before-check.patch patches.suse/atlantic-Fix-OOB-read-and-write-in-hw_atl_utils_fw_r.patch @@ -53433,6 +53450,8 @@ patches.suse/igb-fix-netpoll-exit-with-traffic.patch patches.suse/mdio-aspeed-Fix-Link-is-Down-issue.patch patches.suse/net-sched-sch_ets-don-t-peek-at-classes-beyond-nband.patch + patches.suse/NFSv42-Don-t-fail-clone-unless-the-OP_CLONE-operatio.patch + patches.suse/NFSv42-Fix-pagecache-invalidation-after-COPY-CLONE.patch patches.suse/scsi-qla2xxx-edif-Fix-off-by-one-bug-in-qla_edif_app.patch patches.suse/scsi-mpt3sas-Fix-kernel-panic-during-drive-powercycle-test patches.suse/scsi-mpt3sas-Fix-system-going-into-read-only-mode @@ -53497,16 +53516,20 @@ patches.suse/qede-validate-non-LSO-skb-length.patch patches.suse/net-cdc_ncm-Allow-for-dwNtbOutMaxSize-to-be-unset-or.patch patches.suse/can-sja1000-fix-use-after-free-in-ems_pcmcia_add_car.patch + patches.suse/iavf-restore-MSI-state-on-reset.patch patches.suse/iavf-Fix-reporting-when-setting-descriptor-count.patch patches.suse/i40e-Fix-failed-opcode-appearing-if-handling-message.patch patches.suse/i40e-Fix-pre-set-max-number-of-queues-for-VF.patch + patches.suse/i40e-Fix-NULL-pointer-dereference-in-i40e_dbg_dump_d.patch patches.suse/bpf-x86-Fix-no-previous-prototype-warning.patch patches.suse/ice-ignore-dropped-packets-during-init.patch + patches.suse/nft_set_pipapo-Fix-bucket-load-in-AVX2-lookup-routin.patch patches.suse/can-kvaser_usb-get-CAN-clock-frequency-from-device.patch patches.suse/nfc-fix-segfault-in-nfc_genl_dump_devices_done.patch patches.suse/nfc-fix-potential-NULL-pointer-deref-in-nfc_genl_dum.patch patches.suse/nfp-Fix-memory-leak-in-nfp_cpp_area_cache_add.patch patches.suse/msft-hv-2484-net-mana-Fix-memory-leak-in-mana_hwc_create_wq.patch + patches.suse/net-sched-fq_pie-prevent-dismantle-issue.patch patches.suse/drm-syncobj-Deal-with-signalled-fences-in-drm_syncob.patch patches.suse/ALSA-pcm-oss-Fix-negative-period-buffer-sizes.patch patches.suse/ALSA-pcm-oss-Limit-the-period-size-to-16MB.patch @@ -53519,7 +53542,9 @@ patches.suse/ASoC-codecs-wsa881x-fix-return-values-from-kcontrol-.patch patches.suse/ALSA-hda-realtek-Add-headset-Mic-support-for-Lenovo-.patch patches.suse/libata-add-horkage-for-ASMedia-1092.patch + patches.suse/nfsd-Fix-nsfd-startup-race-again.patch patches.suse/clk-qcom-regmap-mux-fix-parent-clock-lookup.patch + patches.suse/block-fix-ioprio_get-IOPRIO_WHO_PGRP-vs-setuid-2.patch patches.suse/scsi-pm80xx-Do-not-call-scsi_remove_host-in-pm8001_alloc patches.suse/scsi-qla2xxx-Format-log-strings-only-if-needed.patch patches.suse/misc-fastrpc-fix-improper-packet-size-calculation.patch @@ -53547,6 +53572,9 @@ patches.suse/firmware-tegra-Fix-error-application-of-sizeof-to-po.patch patches.suse/firmware-arm_scpi-Fix-string-overflow-in-SCPI-genpd-.patch patches.suse/soc-tegra-fuse-Fix-bitwise-vs.-logical-OR-warning.patch + patches.suse/net-hns3-fix-use-after-free-bug-in-hclgevf_send_mbx_.patch + patches.suse/net-sched-sch_ets-don-t-remove-idle-classes-from-the.patch + patches.suse/flow_offload-return-EOPNOTSUPP-for-the-unsupported-m.patch patches.suse/mac80211-track-only-QoS-data-frames-for-admission-co.patch patches.suse/mac80211-fix-regression-in-SSN-handling-of-addba-tx.patch patches.suse/mac80211-send-ADDBA-requests-using-the-tid-queue-of-.patch @@ -53554,10 +53582,18 @@ patches.suse/mac80211-validate-extended-element-ID-is-present.patch patches.suse/mac80211-fix-lookup-when-adding-AddBA-extension-elem.patch patches.suse/mac80211-mark-TX-during-stop-for-TX-in-in_reconfig.patch + patches.suse/netdevsim-Zero-initialize-memory-for-new-map-s-value.patch + patches.suse/net-usb-lan78xx-add-Allied-Telesis-AT29M2-AF.patch + patches.suse/igb-Fix-removal-of-unicast-MAC-filters-of-VFs.patch + patches.suse/igbvf-fix-double-free-in-igbvf_probe.patch + patches.suse/igc-Fix-typo-in-i225-LTR-functions.patch + patches.suse/ixgbe-set-X550-MDIO-speed-before-talking-to-PHY.patch + patches.suse/sfc_ef100-potential-dereference-of-null-pointer.patch patches.suse/drm-ast-potential-dereference-of-null-pointer.patch patches.suse/drm-amdgpu-correct-register-access-for-RLC_JUMP_TABL.patch patches.suse/dmaengine-st_fdma-fix-MODULE_ALIAS.patch patches.suse/libata-if-T_LENGTH-is-zero-dma-direction-should-be-D.patch + patches.suse/usb-gadget-u_ether-fix-race-in-setting-MAC-address-i.patch patches.suse/USB-gadget-bRequestType-is-a-bitfield-not-a-enum.patch patches.suse/usb-xhci-Extend-support-for-runtime-power-management.patch patches.suse/USB-NO_LPM-quirk-Lenovo-USB-C-to-Ethernet-Adapher-RT.patch @@ -53571,6 +53607,7 @@ patches.suse/xen-netback-fix-rx-queue-stall-detection.patch patches.suse/xen-netback-don-t-queue-unlimited-number-of-packages.patch patches.suse/spi-change-clk_disable_unprepare-to-clk_unprepare.patch + patches.suse/RDMA-hns-Replace-kfree-with-kvfree.patch patches.suse/mmc-sdhci-tegra-Fix-switch-to-HS400ES-mode.patch patches.suse/ALSA-drivers-opl3-Fix-incorrect-use-of-vp-state.patch patches.suse/ALSA-jack-Check-the-return-value-of-kstrdup.patch @@ -53580,7 +53617,13 @@ patches.suse/ALSA-hda-hdmi-Disable-silent-stream-on-GLK.patch patches.suse/ALSA-hda-realtek-Fix-quirk-for-Clevo-NJ51CU.patch patches.suse/ax25-NPD-bug-when-detaching-AX25-device.patch + patches.suse/qlcnic-potential-dereference-null-pointer-of-rx_queu.patch + patches.suse/sfc-Check-null-pointer-of-rx_queue-page_ring.patch + patches.suse/sfc-falcon-Check-null-pointer-of-rx_queue-page_ring.patch + patches.suse/platform-x86-apple-gmux-use-resource_size-with-res.patch + patches.suse/Input-i8042-add-deferred-probe-support.patch patches.suse/Input-elantech-fix-stack-out-of-bound-access-in-elan.patch + patches.suse/Input-i8042-enable-deferred-probe-quirk-for-ASUS-UM3.patch patches.suse/Input-atmel_mxt_ts-fix-double-free-in-mxt_read_info_.patch patches.suse/hwmon-lm90-Fix-usage-of-CONFIG2-register-in-detect-f.patch patches.suse/hwmon-lm90-Drop-critical-attribute-support-for-MAX66.patch @@ -53590,15 +53633,170 @@ patches.suse/x86-pkey-fix-undefined-behaviour-with-pkru_wd_bit.patch patches.suse/recordmcount.pl-fix-typo-in-s390-mcount-regex.patch patches.suse/usb-gadget-f_fs-Clear-ffs_eventfd-in-ffs_data_clear.patch + patches.suse/usb-mtu3-fix-interval-value-for-intr-and-isoc.patch patches.suse/usb-mtu3-add-memory-barrier-before-set-GPD-s-HWO.patch patches.suse/usb-mtu3-fix-list_head-check-warning.patch patches.suse/usb-mtu3-set-interval-of-FS-intr-and-isoc-endpoint.patch patches.suse/xhci-Fresco-FL1100-controller-should-not-have-BROKEN.patch + patches.suse/net-mlx5-DR-Fix-NULL-vs-IS_ERR-checking-in-dr_domain.patch + patches.suse/net-mlx5e-Wrap-the-tx-reporter-dump-callback-to-extr.patch + patches.suse/atlantic-Fix-buff_ring-OOB-in-aq_ring_rx_clean.patch + patches.suse/net-usb-pegasus-Do-not-drop-long-Ethernet-frames.patch + patches.suse/mISDN-change-function-names-to-avoid-conflicts.patch patches.suse/NFC-st21nfca-Fix-memory-leak-in-device-probe-and-rem.patch + patches.suse/ionic-Initialize-the-lif-dbid_inuse-bitmap.patch + patches.suse/net-mlx5e-Fix-wrong-features-assignment-in-case-of-e.patch patches.suse/Input-appletouch-initialize-work-before-device-regis.patch + patches.suse/Input-spaceball-fix-parsing-of-movement-data-packets.patch patches.suse/i2c-validate-user-data-in-compat-ioctl.patch - - # jejb/scsi for-next + patches.suse/net-ena-Fix-undefined-state-when-tx-request-id-is-ou.patch + patches.suse/net-ena-Fix-wrong-rx-request-id-by-resetting-device.patch + patches.suse/net-ena-Fix-error-handling-when-calculating-max-IO-q.patch + patches.suse/rndis_host-support-Hytera-digital-radios.patch + patches.suse/batman-adv-mcast-don-t-send-link-local-multicast-to-.patch + patches.suse/mac80211-initialize-variable-have_higher_than_11mbit.patch + patches.suse/sfc-The-RX-page_ring-is-optional.patch + patches.suse/i40e-Fix-to-not-show-opcode-msg-on-unsuccessful-VF-M.patch + patches.suse/i40e-fix-use-after-free-in-i40e_sync_filters_subtask.patch + patches.suse/i40e-Fix-for-displaying-message-regarding-NVM-versio.patch + patches.suse/i40e-Fix-incorrect-netdev-s-real-number-of-RX-TX-que.patch + patches.suse/iavf-Fix-limit-of-total-number-of-queues-to-active-q.patch + patches.suse/ieee802154-atusb-fix-uninit-value-in-atusb_set_exten.patch + patches.suse/cgroup-Use-open-time-credentials-for-process-migraton-perm-checks.patch + patches.suse/cgroup-Allocate-cgroup_file_ctx-for-kernfs_open_file-priv.patch + patches.suse/cgroup-Use-open-time-cgroup-namespace-for-process-migration-perm-checks.patch + patches.suse/power-supply-core-Break-capacity-loop.patch + patches.suse/power-reset-ltc2952-Fix-use-of-floating-point-litera.patch + patches.suse/random-fix-data-race-on-crng_node_pool.patch + patches.suse/random-fix-data-race-on-crng-init-time.patch + patches.suse/drm-bridge-display-connector-fix-an-uninitialized-po.patch + patches.suse/drm-fix-null-ptr-deref-in-drm_dev_init_release.patch + patches.suse/drm-panel-kingdisplay-kd097d04-Delete-panel-on-attac.patch + patches.suse/drm-panel-innolux-p079zca-Delete-panel-on-attach-fai.patch + patches.suse/drm-rockchip-dsi-Hold-pm-runtime-across-bind-unbind.patch + patches.suse/drm-rockchip-dsi-Reconfigure-hardware-on-resume.patch + patches.suse/drm-rockchip-dsi-Fix-unbalanced-clock-on-probe-error.patch + patches.suse/drm-rockchip-dsi-Disable-PLL-clock-on-bind-error.patch + patches.suse/clk-bcm-2835-Pick-the-closest-clock-rate.patch + patches.suse/clk-bcm-2835-Remove-rounding-up-the-dividers.patch + patches.suse/drm-vc4-hdmi-Set-a-default-HSM-rate.patch + patches.suse/drm-vc4-hdmi-Make-sure-the-controller-is-powered-up-.patch + patches.suse/drm-bridge-analogix_dp-Make-PSR-exit-block-less.patch + patches.suse/drm-i915-Avoid-bitwise-vs-logical-OR-warning-in-snb_.patch + patches.suse/drm-vboxvideo-fix-a-NULL-vs-IS_ERR-check.patch + patches.suse/dma_fence_array-Fix-PENDING_ERROR-leak-in-dma_fence_.patch + patches.suse/drm-bridge-ti-sn65dsi86-Set-max-register-for-regmap.patch + patches.suse/drm-amdgpu-Fix-a-NULL-pointer-dereference-in-amdgpu_.patch + patches.suse/drm-radeon-radeon_kms-Fix-a-NULL-pointer-dereference.patch + patches.suse/drm-tegra-vic-Fix-DMA-API-misuse.patch + patches.suse/gpu-host1x-Add-back-arm_iommu_detach_device.patch + patches.suse/drm-msm-dpu-fix-safe-status-debugfs-file.patch + patches.suse/media-aspeed-fix-mode-detect-always-time-out-at-2nd-.patch + patches.suse/media-em28xx-fix-memory-leak-in-em28xx_init_dev.patch + patches.suse/media-aspeed-Update-signal-status-immediately-to-ens.patch + patches.suse/media-mceusb-fix-control-message-timeouts.patch + patches.suse/media-redrat3-fix-control-message-timeouts.patch + patches.suse/media-flexcop-usb-fix-control-message-timeouts.patch + patches.suse/media-cpia2-fix-control-message-timeouts.patch + patches.suse/media-em28xx-fix-control-message-timeouts.patch + patches.suse/media-pvrusb2-fix-control-message-timeouts.patch + patches.suse/media-s2255-fix-control-message-timeouts.patch + patches.suse/media-stk1160-fix-control-message-timeouts.patch + patches.suse/media-dmxdev-fix-UAF-when-dvb_register_device-fails.patch + patches.suse/media-dib0700-fix-undefined-behavior-in-tuner-shutdo.patch + patches.suse/media-i2c-imx274-fix-trivial-typo-expsoure-exposure.patch + patches.suse/media-i2c-imx274-fix-trivial-typo-obainted-obtained.patch + patches.suse/media-rcar-csi2-Correct-the-selection-of-hsfreqrange.patch + patches.suse/media-rcar-csi2-Optimize-the-selection-PHTW-register.patch + patches.suse/media-imx-pxp-Initialize-the-spinlock-prior-to-using.patch + patches.suse/media-si470x-i2c-fix-possible-memory-leak-in-si470x_.patch + patches.suse/media-mtk-vcodec-call-v4l2_m2m_ctx_release-first-whe.patch + patches.suse/media-venus-core-Fix-a-resource-leak-in-the-error-ha.patch + patches.suse/media-uvcvideo-fix-division-by-zero-at-stream-start.patch + patches.suse/media-dib8000-Fix-a-memleak-in-dib8000_init.patch + patches.suse/media-saa7146-mxb-Fix-a-NULL-pointer-dereference-in-.patch + patches.suse/media-si2157-Fix-warm-tuner-state-detection.patch + patches.suse/media-streamzap-remove-unnecessary-ir_raw_event_rese.patch + patches.suse/media-dw2102-Fix-use-after-free.patch + patches.suse/media-msi001-fix-possible-null-ptr-deref-in-msi001_p.patch + patches.suse/media-Revert-media-uvcvideo-Set-unique-vdev-name-bas.patch + patches.suse/media-hantro-Fix-probe-func-error-path.patch + patches.suse/Bluetooth-btusb-fix-memory-leak-in-btusb_mtk_submit_.patch + patches.suse/Bluetooth-cmtp-fix-possible-panic-when-cmtp_init_soc.patch + patches.suse/Bluetooth-bfusb-fix-division-by-zero-in-send-path.patch + patches.suse/Bluetooth-stop-proccessing-malicious-adv-data.patch + patches.suse/wcn36xx-Indicate-beacon-not-connection-loss-on-MISSE.patch + patches.suse/wcn36xx-Release-DMA-channel-descriptor-allocations.patch + patches.suse/mwifiex-Fix-skb_over_panic-in-mwifiex_usb_recv.patch + patches.suse/mwifiex-Fix-possible-ABBA-deadlock.patch + patches.suse/wireless-iwlwifi-Fix-a-double-free-in-iwl_txq_dyn_al.patch + patches.suse/rtlwifi-rtl8192cu-Fix-WARNING-when-calling-local_irq.patch + patches.suse/iwlwifi-mvm-fix-32-bit-build-in-FTM.patch + patches.suse/iwlwifi-mvm-test-roc-running-status-bits-before-remo.patch + patches.suse/Bluetooth-btmtksdio-fix-resume-failure.patch + patches.suse/Bluetooth-L2CAP-Fix-using-wrong-mode.patch + patches.suse/Bluetooth-hci_qca-Stop-IBS-timer-during-BT-OFF.patch + patches.suse/can-usb_8dev-remove-unused-member-echo_skb-from-stru.patch + patches.suse/Bluetooth-hci_bcm-Check-for-error-irq.patch + patches.suse/iwlwifi-mvm-Use-div_s64-instead-of-do_div-in-iwl_mvm.patch + patches.suse/can-gs_usb-fix-use-of-uninitialized-variable-detach-.patch + patches.suse/netfilter-nft_set_pipapo-allocate-pcpu-scratch-maps-.patch + patches.suse/net-mlx5-Set-command-entry-semaphore-up-once-got-ind.patch + patches.suse/Revert-net-mlx5-Add-retry-mechanism-to-the-command-e.patch + patches.suse/can-softing_cs-softingcs_probe-fix-memleak-on-regist.patch + patches.suse/can-softing-softing_startstop-fix-set-but-not-used-v.patch + patches.suse/can-xilinx_can-xcan_probe-check-for-error-irq.patch + patches.suse/can-gs_usb-gs_can_start_xmit-zero-initialize-hf-flag.patch + patches.suse/ACPI-scan-Create-platform-device-for-BCM4752-and-LNV.patch + patches.suse/PCI-ACPI-Fix-acpi_pci_osc_control_set-kernel-doc-com.patch + patches.suse/thermal-drivers-imx8mm-Enable-ADC-when-enabling-moni.patch + patches.suse/device-property-Fix-documentation-for-FWNODE_GRAPH_D.patch + patches.suse/Documentation-ACPI-Fix-data-node-reference-documenta.patch + patches.suse/select-Fix-indefinitely-sleeping-task-in-poll_schedu.patch + patches.suse/Documentation-refer-to-config-RANDOMIZE_BASE-for-ker.patch + patches.suse/crypto-caam-replace-this_cpu_ptr-with-raw_cpu_ptr.patch + patches.suse/crypto-qce-fix-uaf-on-qce_ahash_register_one.patch + patches.suse/crypto-stm32-cryp-fix-xts-and-race-condition-in-cryp.patch + patches.suse/crypto-stm32-cryp-fix-double-pm-exit.patch + patches.suse/crypto-stm32-cryp-fix-lrw-chaining-mode.patch + patches.suse/crypto-stm32-crc32-Fix-kernel-BUG-triggered-in-probe.patch + patches.suse/HID-hid-uclogic-params-Invalid-parameter-check-in-uc.patch + patches.suse/HID-hid-uclogic-params-Invalid-parameter-check-in-uc-0a94131d6920.patch + patches.suse/HID-hid-uclogic-params-Invalid-parameter-check-in-uc-ff6b548afe4d.patch + patches.suse/HID-hid-uclogic-params-Invalid-parameter-check-in-uc-aa320fdbbbb4.patch + patches.suse/mtd-rawnand-mpc5121-Remove-unused-variable-in-ads512.patch + patches.suse/regmap-Call-regmap_debugfs_exit-prior-to-_init.patch + patches.suse/spi-spi-rspi-Drop-redeclaring-ret-variable-in-qspi_t.patch + patches.suse/spi-spi-meson-spifc-Add-missing-pm_runtime_disable-i.patch + patches.suse/mfd-intel-lpss-Fix-too-early-PM-enablement-in-the-AC.patch + patches.suse/backlight-qcom-wled-Validate-enabled-string-indices-.patch + patches.suse/backlight-qcom-wled-Pass-number-of-elements-to-read-.patch + patches.suse/backlight-qcom-wled-Fix-off-by-one-maximum-with-defa.patch + patches.suse/backlight-qcom-wled-Override-default-length-with-qco.patch + patches.suse/mmc-sdhci-pci-Add-PCI-ID-for-Intel-ADL.patch + patches.suse/mmc-meson-mx-sdio-add-IRQ-check.patch + patches.suse/pcmcia-rsrc_nonstatic-Fix-a-NULL-pointer-dereference.patch + patches.suse/pcmcia-rsrc_nonstatic-Fix-a-NULL-pointer-dereference-977d2e7c63c3.patch + patches.suse/pcmcia-fix-setting-of-kthread-task-states.patch + patches.suse/tpm-add-request_locality-before-write-TPM_INT_ENABLE.patch + patches.suse/tpm-fix-potential-NULL-pointer-access-in-tpm_del_cha.patch + patches.suse/selinux-fix-potential-memleak-in-selinux_add_opt.patch + patches.suse/ext4-Avoid-trim-error-on-fs-with-small-groups.patch + patches.suse/floppy-Fix-hang-in-watchdog-when-disk-is-ejected.patch + patches.suse/staging-rtl8192e-return-error-code-from-rtllib_softm.patch + patches.suse/staging-rtl8192e-rtllib_module-fix-error-handle-case.patch + patches.suse/tty-serial-atmel-Check-return-code-of-dmaengine_subm.patch + patches.suse/tty-serial-atmel-Call-dma_async_issue_pending.patch + patches.suse/tty-serial-uartlite-allow-64-bit-address.patch + patches.suse/usb-ftdi-elan-fix-memory-leak-on-device-disconnect.patch + patches.suse/USB-Fix-slab-out-of-bounds-Write-bug-in-usb_hcd_poll.patch + patches.suse/USB-core-Fix-bug-in-resuming-hub-s-handling-of-wakeu.patch + patches.suse/clk-imx-pllv1-fix-kernel-doc-notation-for-struct-clk.patch + patches.suse/clk-Gemini-fix-struct-name-in-kernel-doc.patch + patches.suse/clk-stm32-Fix-ltdc-s-clock-turn-off-by-clk_disable_u.patch + patches.suse/clk-imx8mn-Fix-imx8mn_clko1_sels.patch + patches.suse/PCI-MSI-Fix-pci_irq_vector-pci_irq_get_affinity.patch + patches.suse/mailbox-hi3660-convert-struct-comments-to-kernel-doc.patch patches.suse/scsi-lpfc-Fix-leaked-lpfc_dmabuf-mbox-allocations-wi.patch patches.suse/scsi-lpfc-Change-return-code-on-I-Os-received-during.patch patches.suse/scsi-lpfc-Fix-lpfc_force_rscn-ndlp-kref-imbalance.patch @@ -53609,8 +53807,23 @@ patches.suse/scsi-lpfc-Add-additional-debugfs-support-for-CMF.patch patches.suse/scsi-lpfc-Update-lpfc-version-to-14.0.0.4.patch patches.suse/qla2xxx-synchronize-rport-dev_loss_tmo-setting.patch - - # powerpc/linux next + patches.suse/ALSA-usb-audio-Use-int-for-dB-map-values.patch + patches.suse/ALSA-usb-audio-Add-minimal-mute-notion-in-dB-mapping.patch + patches.suse/ALSA-usb-audio-Fix-dB-level-of-Bose-Revolve-SoundLin.patch + patches.suse/ALSA-jack-Add-missing-rwsem-around-snd_ctl_remove-ca.patch + patches.suse/ALSA-PCM-Add-missing-rwsem-around-snd_ctl_remove-cal.patch + patches.suse/ALSA-hda-Add-missing-rwsem-around-snd_ctl_remove-cal.patch + patches.suse/ALSA-hda-Make-proper-use-of-timecounter.patch + patches.suse/ALSA-oss-fix-compile-error-when-OSS_DEBUG-is-enabled.patch + patches.suse/ALSA-usb-audio-Drop-superfluous-0-in-Presonus-Studio.patch + patches.suse/ALSA-hda-realtek-Fix-silent-output-on-Gigabyte-X570--c19330086795.patch + patches.suse/ASoC-uniphier-drop-selecting-non-existing-SND_SOC_UN.patch + patches.suse/ASoC-rt5663-Handle-device_property_read_u32_array-er.patch + patches.suse/dmaengine-pxa-mmp-stop-referencing-config-slave_id.patch + patches.suse/ASoC-mediatek-Check-for-error-clk-pointer.patch + patches.suse/ASoC-samsung-idma-Check-of-ioremap-return-value.patch + patches.suse/ASoC-fsl_mqs-fix-MODULE_ALIAS.patch + patches.suse/ASoC-fsl_asrc-refine-the-check-of-available-clock-di.patch patches.suse/powerpc-watchdog-Fix-missed-watchdog-reset-due-to-me.patch patches.suse/powerpc-watchdog-tighten-non-atomic-read-modify-writ.patch patches.suse/powerpc-watchdog-Avoid-holding-wd_smp_lock-over-prin.patch @@ -53618,6 +53831,27 @@ patches.suse/powerpc-watchdog-Fix-wd_smp_last_reset_tb-reporting.patch patches.suse/powerpc-handle-kdump-appropriately-with-crash_kexec_.patch patches.suse/powerpc-fadump-Fix-inaccurate-CPU-state-info-in-vmco.patch + patches.suse/char-mwave-Adjust-io-port-register-size.patch + patches.suse/uio-uio_dmem_genirq-Catch-the-Exception.patch + patches.suse/firmware-Update-Kconfig-help-text-for-Google-firmwar.patch + patches.suse/firmware-qemu_fw_cfg-fix-NULL-pointer-deref-on-dupli.patch + patches.suse/firmware-qemu_fw_cfg-fix-kobject-leak-in-probe-error.patch + patches.suse/firmware-qemu_fw_cfg-fix-sysfs-information-leak.patch + patches.suse/misc-lattice-ecp3-config-Fix-task-hung-when-firmware.patch + patches.suse/drm-atomic-Check-new_crtc_state-active-to-determine-.patch + patches.suse/drm-sun4i-dw-hdmi-Fix-missing-put_device-call-in-sun.patch + patches.suse/drm-amdkfd-Check-for-null-pointer-after-calling-kmem.patch + patches.suse/NFSD-Fix-zero-length-NFSv3-WRITEs.patch + patches.suse/PCI-pciehp-Fix-infinite-loop-in-IRQ-handler-upon-pow.patch + patches.suse/PCI-dwc-Do-not-remap-invalid-res.patch + patches.suse/PCI-mvebu-Check-for-errors-from-pci_bridge_emul_init.patch + patches.suse/PCI-mvebu-Do-not-modify-PCI-IO-type-bits-in-conf_wri.patch + patches.suse/PCI-mvebu-Fix-support-for-PCI_EXP_DEVCTL-on-emulated.patch + patches.suse/PCI-mvebu-Fix-support-for-PCI_EXP_RTSTA-on-emulated-.patch + patches.suse/PCI-mvebu-Fix-support-for-DEVCAP2-DEVCTL2-and-LNKCTL.patch + patches.suse/PCI-xgene-Fix-IB-window-setup.patch + patches.suse/PCI-pci-bridge-emul-Properly-mark-reserved-PCIe-bits.patch + patches.suse/PCI-pci-bridge-emul-Set-PCI_STATUS_CAP_LIST-for-PCIe.patch # out-of-tree patches patches.suse/ibmvfc-disable-MQ-channelization-by-default.patch @@ -53646,16 +53880,10 @@ patches.suse/ahci-Add-Intel-Emmitsburg-PCH-RAID-PCI-IDs.patch patches.suse/block-genhd-use-atomic_t-for-disk_event-block.patch patches.suse/nxp-nci-add-NXP1002-id.patch - patches.suse/misc-sram-Only-map-reserved-areas-in-Tegra-SYSRAM.patch - patches.suse/phy-tegra-xusb-Fix-dangling-pointer-on-probe-failure.patch patches.suse/NFS-change-nfs_access_get_cached-to-only-report-the-.patch patches.suse/NFS-pass-cred-explicitly-for-access-tests.patch patches.suse/NFS-don-t-store-struct-cred-in-struct-nfs_access_ent.patch - patches.suse/ALSA-usb-audio-Use-int-for-dB-map-values.patch - patches.suse/ALSA-usb-audio-Add-minimal-mute-notion-in-dB-mapping.patch - patches.suse/ALSA-usb-audio-Fix-dB-level-of-Bose-Revolve-SoundLin.patch patches.suse/ARM-socfpga-Fix-crash-with-CONFIG_FORTIRY_SOURCE.patch - patches.suse/mwifiex-Fix-skb_over_panic-in-mwifiex_usb_recv.patch patches.suse/MM-reclaim-mustn-t-enter-FS-for-swap-over-NFS.patch patches.suse/NFS-do-not-take-i_rwsem-for-swap-IO.patch patches.suse/NFS-move-generic_write_checks-call-from-nfs_file_dir.patch @@ -53664,8 +53892,6 @@ patches.suse/SUNRPC-improve-swap-handling-scheduling-and-PF_MEMAL.patch patches.suse/SUNRPC-remove-scheduling-boost-for-SWAPPER-tasks.patch patches.suse/SUNRPC-xprt-async-tasks-mustn-t-block-waiting-for-me.patch - patches.suse/ext4-Avoid-trim-error-on-fs-with-small-groups.patch - patches.suse/media-Revert-media-uvcvideo-Set-unique-vdev-name-bas.patch ######################################################## # kbuild/module infrastructure fixes diff --git a/supported.conf b/supported.conf index 387e3bd..cfa04a6 100644 --- a/supported.conf +++ b/supported.conf @@ -3388,7 +3388,8 @@ drivers/scsi/megaraid/megaraid_mm drivers/scsi/megaraid/megaraid_sas drivers/scsi/mpt3sas/mpt3sas -- drivers/scsi/mpi3mr/mpi3mr + drivers/scsi/mpi3mr/mpi3mr # Broadcom MPI3 Storage Controller (jsc#SLE-18120) + drivers/scsi/mvsas/mvsas - drivers/scsi/mvumi - drivers/scsi/myrb