diff --git a/blacklist.conf b/blacklist.conf index 7e1d840..4f34bca 100644 --- a/blacklist.conf +++ b/blacklist.conf @@ -159,6 +159,7 @@ c9dfadeee89d4c5d335969356c4e63e9b279d038 # duplicate of b049e03ca57f238e74a79e44 311ae9e159d81a1ec1cf645daf40b39ae5a0bd84 # Fixes 32960613b7c33 merged in 5.4-rc1 e39e773ad100ac94f8358d862f20101e802ae54c # kernel-doc comment fix a44f71a9ab99b509fec9d5a9f5c222debd89934f # bug: cosmetic change; related to a larger code clean up +3ad1a6cb0abc63d036fc866bd7c2c5983516dec5 # bug: clean up; compiler likely does the same optimization 44d282796f81eb1debc1d7cb53245b4cb3214cb5 # Got reverted in 73e08e711d9c1 d9e9866803f7b6c3fdd35d345e97fb0b2908bbbc # Whitespace fix 4f0bd808134d73184054ad09173821c84f31dd5d # we don't support nds32 architecture @@ -1282,6 +1283,7 @@ a20dcf53ea9836387b229c4878f9559cf1b55b71 # depends on USB PD 3.0, which we do no 39c0c8553bfb5a3d108aa47f1256076d507605e3 # reverts 0dcec41acb85 ("scsi: qla2xxx: Make sure that aborted commands are freed") 28e5e44aa3f4e0e0370864ed008fb5e2d85f4dc8 # we don't support SGX in 15SP3 75d3e7f4769d276a056efa1cc7f08de571fc9b4b # we build test_unwind module out of tree +f9398f15605a50110bf570aaa361163a85113dd1 # test_stackinit module is not built bd1ed17d19eba00792cb29f369b8c29da1008d38 # not applicable, the driver has not been converted to new error codes a73f863af4ce9730795eab7097fb2102e6854365 # We don't care about !CONFIG_JUMP_LABEL b3656d8227f4c45812c6b40815d8f4e446ed372a # Documentation only @@ -1435,3 +1437,16 @@ b781d8db580c058ecd54ed7d5dde7f8270b25f5b # Bug introduced with db18a53e5ba8 "blk 2fc428f6b7ca80794cb9928c90d4de524366659f # Bug introduced by fd41e60331b13 "bfq-iosched: stop using blkg->stat_bytes and ->stat_ios" 5ff9f19231a0e670b3d79c563f1b0b185abeca91 # Reverted by 8dc932d3e8afb65e12eba7495f046c83884c49bf 064a91771f7aae4ea2d13033b64e921951d216ce # Cosmetic +f28439db470cca8b6b082239314e9fd10bd39034 # sparse warning fix only +3e2a56e6f639492311e0a8533f0a7aed60816308 # optimization only +79ca6f74dae067681a779fd573c2eb59649989bc # breaks kABI +2e4c6c1a9db5e12556a12ea722df71096247e178 # not applicable +c6883985d46319e0d4f159de8932b09ff93e877d # not applicable +5a184d959d5a5a66b377cb5cd4c95a80388e0c88 # not applicable +b601c16b7ba8f3bb7a7e773b238da6b63657fa1d # not applicable +c9d9fdbc108af8915d3f497bbdf3898bf8f321b8 # not applicable +5810323ba692895b045e3f1b3e107605c3717dab # not applicable +93b713304188844b8514074dc13ffd56d12235d3 # not applicable +0c980a006d3fbee86c4d0698f66d6f5381831787 # not applicable +244a36e50da05c33b860d20638ee4628017a5334 # not applicable +a2308836880bf1501ff9373c611dc2970247d42b # not applicable diff --git a/kabi/severities b/kabi/severities index 75634f4..c0cac3b 100644 --- a/kabi/severities +++ b/kabi/severities @@ -51,3 +51,6 @@ drivers/net/wireless/ath/ath9k/* PASS # local symbols sound/soc/rockchip/* PASS +# not used externally, mark it pass in +# order to catch any wrong use bsc#1193767 +drivers/tee/tee PASS diff --git a/patches.suse/0001-mmc-moxart_remove-Fix-UAF.patch b/patches.suse/0001-mmc-moxart_remove-Fix-UAF.patch new file mode 100644 index 0000000..5b43760 --- /dev/null +++ b/patches.suse/0001-mmc-moxart_remove-Fix-UAF.patch @@ -0,0 +1,50 @@ +From: Greg Kroah-Hartman +Date: Wed, 12 Jan 2022 19:27:11 +0100 +Subject: [PATCH] moxart: fix potential use-after-free on remove path +Patch-mainline: Not yet, will be fixed on the mainline soon +References: bsc#1194516 + +It was reported that the mmc host structure could be accessed after it +was freed in moxart_remove(), so fix this by saving the base register of +the device and using it instead of the pointer dereference. + +Cc: Ulf Hansson +Cc: Xiyu Yang +Cc: Xin Xiong +Cc: Xin Tan +Cc: Tony Lindgren +Cc: Yang Li +Cc: linux-mmc@vger.kernel.org +Cc: stable +Reported-by: whitehat002 +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Vasant Karasulli +--- + drivers/mmc/host/moxart-mmc.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/mmc/host/moxart-mmc.c ++++ b/drivers/mmc/host/moxart-mmc.c +@@ -687,6 +687,7 @@ static int moxart_remove(struct platform + { + struct mmc_host *mmc = dev_get_drvdata(&pdev->dev); + struct moxart_host *host = mmc_priv(mmc); ++ void __iomem *base = host->base; + + dev_set_drvdata(&pdev->dev, NULL); + +@@ -698,10 +699,10 @@ static int moxart_remove(struct platform + mmc_remove_host(mmc); + mmc_free_host(mmc); + +- writel(0, host->base + REG_INTERRUPT_MASK); +- writel(0, host->base + REG_POWER_CONTROL); +- writel(readl(host->base + REG_CLOCK_CONTROL) | CLK_OFF, +- host->base + REG_CLOCK_CONTROL); ++ writel(0, base + REG_INTERRUPT_MASK); ++ writel(0, base + REG_POWER_CONTROL); ++ writel(readl(base + REG_CLOCK_CONTROL) | CLK_OFF, ++ base + REG_CLOCK_CONTROL); + } + return 0; + } diff --git a/patches.suse/ACPI-APD-Check-for-NULL-pointer-after-calling-devm_i.patch b/patches.suse/ACPI-APD-Check-for-NULL-pointer-after-calling-devm_i.patch new file mode 100644 index 0000000..02c57a8 --- /dev/null +++ b/patches.suse/ACPI-APD-Check-for-NULL-pointer-after-calling-devm_i.patch @@ -0,0 +1,44 @@ +From 2cea3ec5b0099d0e9dd6752aa86e08bce38d6b32 Mon Sep 17 00:00:00 2001 +From: Jiasheng Jiang +Date: Fri, 7 Jan 2022 11:35:16 +0800 +Subject: [PATCH] ACPI: APD: Check for NULL pointer after calling devm_ioremap() +Git-commit: 2cea3ec5b0099d0e9dd6752aa86e08bce38d6b32 +Patch-mainline: v5.17-rc1 +References: git-fixes + +Because devres_alloc() may fail, devm_ioremap() may return NULL. + +Then, 'clk_data->base' will be assigned to clkdev->data->base in +platform_device_register_data(). + +The PTR_ERR_OR_ZERO() check on clk_data does not cover 'base', so +it is better to add an explicit check against NULL after updating +it. + +Fixes: 3f4ba94e3615 ("ACPI: APD: Add AMD misc clock handler support") +Signed-off-by: Jiasheng Jiang +[ rjw: Changelog rewrite ] + +Signed-off-by: Rafael J. Wysocki +Acked-by: Takashi Iwai + +--- + drivers/acpi/acpi_apd.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/acpi/acpi_apd.c b/drivers/acpi/acpi_apd.c +index 6e02448d15d9..9db6409ecb47 100644 +--- a/drivers/acpi/acpi_apd.c ++++ b/drivers/acpi/acpi_apd.c +@@ -95,6 +95,8 @@ static int fch_misc_setup(struct apd_private_data *pdata) + resource_size(rentry->res)); + break; + } ++ if (!clk_data->base) ++ return -ENOMEM; + + acpi_dev_free_resource_list(&resource_list); + +-- +2.31.1 + diff --git a/patches.suse/Documentation-dmaengine-Correctly-describe-dmatest-w.patch b/patches.suse/Documentation-dmaengine-Correctly-describe-dmatest-w.patch new file mode 100644 index 0000000..00c26b6 --- /dev/null +++ b/patches.suse/Documentation-dmaengine-Correctly-describe-dmatest-w.patch @@ -0,0 +1,47 @@ +From c61d7b2ef141abf81140756b45860a2306f395a2 Mon Sep 17 00:00:00 2001 +From: Daniel Thompson +Date: Thu, 18 Nov 2021 10:09:52 +0000 +Subject: [PATCH] Documentation: dmaengine: Correctly describe dmatest with channel unset +Git-commit: c61d7b2ef141abf81140756b45860a2306f395a2 +Patch-mainline: v5.17-rc1 +References: git-fixes + +Currently the documentation states that channels must be configured before +running the dmatest. This has not been true since commit 6b41030fdc79 +("dmaengine: dmatest: Restore default for channel"). Fix accordingly. + +Fixes: 6b41030fdc79 ("dmaengine: dmatest: Restore default for channel") +Signed-off-by: Daniel Thompson +Link: https://lore.kernel.org/r/20211118100952.27268-3-daniel.thompson@linaro.org +Signed-off-by: Vinod Koul +Acked-by: Takashi Iwai + +--- + Documentation/driver-api/dmaengine/dmatest.rst | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/Documentation/driver-api/dmaengine/dmatest.rst b/Documentation/driver-api/dmaengine/dmatest.rst +index 529cc2cbbb1b..cf9859cd0b43 100644 +--- a/Documentation/driver-api/dmaengine/dmatest.rst ++++ b/Documentation/driver-api/dmaengine/dmatest.rst +@@ -153,13 +153,14 @@ Part 5 - Handling channel allocation + Allocating Channels + ------------------- + +-Channels are required to be configured prior to starting the test run. +-Attempting to run the test without configuring the channels will fail. ++Channels do not need to be configured prior to starting a test run. Attempting ++to run the test without configuring the channels will result in testing any ++channels that are available. + + Example:: + + % echo 1 > /sys/module/dmatest/parameters/run +- dmatest: Could not start test, no channels configured ++ dmatest: No channels configured, continue with any + + Channels are registered using the "channel" parameter. Channels can be requested by their + name, once requested, the channel is registered and a pending thread is added to the test list. +-- +2.31.1 + diff --git a/patches.suse/Input-ti_am335x_tsc-fix-STEPCONFIG-setup-for-Z2.patch b/patches.suse/Input-ti_am335x_tsc-fix-STEPCONFIG-setup-for-Z2.patch new file mode 100644 index 0000000..d634305 --- /dev/null +++ b/patches.suse/Input-ti_am335x_tsc-fix-STEPCONFIG-setup-for-Z2.patch @@ -0,0 +1,41 @@ +From 6bfeb6c21e1bdc11c328b7d996d20f0f73c6b9b0 Mon Sep 17 00:00:00 2001 +From: Dario Binacchi +Date: Sun, 12 Dec 2021 21:14:48 -0800 +Subject: [PATCH] Input: ti_am335x_tsc - fix STEPCONFIG setup for Z2 +Git-commit: 6bfeb6c21e1bdc11c328b7d996d20f0f73c6b9b0 +Patch-mainline: v5.17-rc1 +References: git-fixes + +The Z2 step configuration doesn't erase the SEL_INP_SWC_3_0 bit-field +before setting the ADC channel. This way its value could be corrupted by +the ADC channel selected for the Z1 coordinate. + +Fixes: 8c896308feae ("input: ti_am335x_adc: use only FIFO0 and clean up a little") +Signed-off-by: Dario Binacchi +Link: https://lore.kernel.org/r/20211212125358.14416-3-dariobin@libero.it +Signed-off-by: Dmitry Torokhov +Acked-by: Takashi Iwai + +--- + drivers/input/touchscreen/ti_am335x_tsc.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/input/touchscreen/ti_am335x_tsc.c b/drivers/input/touchscreen/ti_am335x_tsc.c +index fd3ffdd23470..cfc943423241 100644 +--- a/drivers/input/touchscreen/ti_am335x_tsc.c ++++ b/drivers/input/touchscreen/ti_am335x_tsc.c +@@ -196,7 +196,10 @@ static void titsc_step_config(struct titsc *ts_dev) + STEPCONFIG_OPENDLY); + + end_step++; +- config |= STEPCONFIG_INP(ts_dev->inp_yn); ++ config = STEPCONFIG_MODE_HWSYNC | ++ STEPCONFIG_AVG_16 | ts_dev->bit_yp | ++ ts_dev->bit_xn | STEPCONFIG_INM_ADCREFM | ++ STEPCONFIG_INP(ts_dev->inp_yn); + titsc_writel(ts_dev, REG_STEPCONFIG(end_step), config); + titsc_writel(ts_dev, REG_STEPDELAY(end_step), + STEPCONFIG_OPENDLY); +-- +2.31.1 + diff --git a/patches.suse/Input-ti_am335x_tsc-set-ADCREFM-for-X-configuration.patch b/patches.suse/Input-ti_am335x_tsc-set-ADCREFM-for-X-configuration.patch new file mode 100644 index 0000000..349fc31 --- /dev/null +++ b/patches.suse/Input-ti_am335x_tsc-set-ADCREFM-for-X-configuration.patch @@ -0,0 +1,42 @@ +From 73cca71a903202cddc8279fc76b2da4995da5bea Mon Sep 17 00:00:00 2001 +From: Dario Binacchi +Date: Sun, 12 Dec 2021 21:14:35 -0800 +Subject: [PATCH] Input: ti_am335x_tsc - set ADCREFM for X configuration +Git-commit: 73cca71a903202cddc8279fc76b2da4995da5bea +Patch-mainline: v5.17-rc1 +References: git-fixes + +As reported by the STEPCONFIG[1-16] registered field descriptions of the +TI reference manual, for the ADC "in single ended, SEL_INM_SWC_3_0 must +be 1xxx". + +Unlike the Y and Z coordinates, this bit has not been set for the step +configuration registers used to sample the X coordinate. + +Fixes: 1b8be32e6914 ("Input: add support for TI Touchscreen controller") +Signed-off-by: Dario Binacchi +Link: https://lore.kernel.org/r/20211212125358.14416-2-dariobin@libero.it +Signed-off-by: Dmitry Torokhov +Acked-by: Takashi Iwai + +--- + drivers/input/touchscreen/ti_am335x_tsc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/input/touchscreen/ti_am335x_tsc.c b/drivers/input/touchscreen/ti_am335x_tsc.c +index 83e685557a19..fd3ffdd23470 100644 +--- a/drivers/input/touchscreen/ti_am335x_tsc.c ++++ b/drivers/input/touchscreen/ti_am335x_tsc.c +@@ -131,7 +131,8 @@ static void titsc_step_config(struct titsc *ts_dev) + u32 stepenable; + + config = STEPCONFIG_MODE_HWSYNC | +- STEPCONFIG_AVG_16 | ts_dev->bit_xp; ++ STEPCONFIG_AVG_16 | ts_dev->bit_xp | ++ STEPCONFIG_INM_ADCREFM; + switch (ts_dev->wires) { + case 4: + config |= STEPCONFIG_INP(ts_dev->inp_yp) | ts_dev->bit_xn; +-- +2.31.1 + diff --git a/patches.suse/arm64-Kconfig-add-a-choice-for-endianness.patch b/patches.suse/arm64-Kconfig-add-a-choice-for-endianness.patch new file mode 100644 index 0000000..1106fa3 --- /dev/null +++ b/patches.suse/arm64-Kconfig-add-a-choice-for-endianness.patch @@ -0,0 +1,61 @@ +From d8e85e144bbe12e8d82c6b05d690a34da62cc991 Mon Sep 17 00:00:00 2001 +From: Anders Roxell +Date: Wed, 13 Nov 2019 10:26:52 +0100 +Subject: [PATCH] arm64: Kconfig: add a choice for endianness +Git-commit: d8e85e144bbe12e8d82c6b05d690a34da62cc991 +Patch-mainline: v5.5-rc1 +References: jsc#SLE-23432 + +When building allmodconfig KCONFIG_ALLCONFIG=$(pwd)/arch/arm64/configs/defconfig +CONFIG_CPU_BIG_ENDIAN gets enabled. Which tends not to be what most +people want. Another concern that has come up is that ACPI isn't built +for an allmodconfig kernel today since that also depends on !CPU_BIG_ENDIAN. + +Rework so that we introduce a 'choice' and default the choice to +CPU_LITTLE_ENDIAN. That means that when we build an allmodconfig kernel +it will default to CPU_LITTLE_ENDIAN that most people tends to want. + +Reviewed-by: John Garry +Acked-by: Will Deacon +Signed-off-by: Anders Roxell +Signed-off-by: Catalin Marinas +Acked-by: Chester Lin +--- + arch/arm64/Kconfig | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig +index 8a0800e5be9d..d66a9727344d 100644 +--- a/arch/arm64/Kconfig ++++ b/arch/arm64/Kconfig +@@ -877,10 +877,26 @@ config ARM64_PA_BITS + default 48 if ARM64_PA_BITS_48 + default 52 if ARM64_PA_BITS_52 + ++choice ++ prompt "Endianness" ++ default CPU_LITTLE_ENDIAN ++ help ++ Select the endianness of data accesses performed by the CPU. Userspace ++ applications will need to be compiled and linked for the endianness ++ that is selected here. ++ + config CPU_BIG_ENDIAN + bool "Build big-endian kernel" + help +- Say Y if you plan on running a kernel in big-endian mode. ++ Say Y if you plan on running a kernel with a big-endian userspace. ++ ++config CPU_LITTLE_ENDIAN ++ bool "Build little-endian kernel" ++ help ++ Say Y if you plan on running a kernel with a little-endian userspace. ++ This is usually the case for distributions targeting arm64. ++ ++endchoice + + config SCHED_MC + bool "Multi-core scheduler support" +-- +2.33.1 + diff --git a/patches.suse/block-scsi-ioctl-Fix-kernel-infoleak-in-scsi_put_cdr.patch b/patches.suse/block-scsi-ioctl-Fix-kernel-infoleak-in-scsi_put_cdr.patch new file mode 100644 index 0000000..e15a544 --- /dev/null +++ b/patches.suse/block-scsi-ioctl-Fix-kernel-infoleak-in-scsi_put_cdr.patch @@ -0,0 +1,40 @@ +From: Peilin Ye +Date: Fri, 2 Oct 2020 10:22:23 -0400 +Subject: [PATCH] block/scsi-ioctl: Fix kernel-infoleak in + scsi_put_cdrom_generic_arg() +Git-commit: 6d53a9fe5a1983490bc14b3a64d49fabb4ccc651 +Patch-mainline: v5.9-rc1 +References: git-fixes + +scsi_put_cdrom_generic_arg() is copying uninitialized stack memory to +userspace, since the compiler may leave a 3-byte hole in the middle of +`cgc32`. Fix it by adding a padding field to `struct +compat_cdrom_generic_command`. + +Cc: stable@vger.kernel.org +Fixes: f3ee6e63a9df ("compat_ioctl: move CDROM_SEND_PACKET handling into scsi") +Suggested-by: Dan Carpenter +Suggested-by: Arnd Bergmann +Reported-by: syzbot+85433a479a646a064ab3@syzkaller.appspotmail.com +Signed-off-by: Peilin Ye +Signed-off-by: Jens Axboe +Acked-by: Hannes Reinecke +--- + block/scsi_ioctl.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c +index ef722f04f88a..72108404718f 100644 +--- a/block/scsi_ioctl.c ++++ b/block/scsi_ioctl.c +@@ -651,6 +651,7 @@ struct compat_cdrom_generic_command { + compat_int_t stat; + compat_caddr_t sense; + unsigned char data_direction; ++ unsigned char pad[3]; + compat_int_t quiet; + compat_int_t timeout; + compat_caddr_t reserved[1]; +-- +2.29.2 + diff --git a/patches.suse/bsc1175543-intel_idle-Customize-IceLake-server-support.patch b/patches.suse/bsc1175543-intel_idle-Customize-IceLake-server-support.patch deleted file mode 100644 index 556e014..0000000 --- a/patches.suse/bsc1175543-intel_idle-Customize-IceLake-server-support.patch +++ /dev/null @@ -1,99 +0,0 @@ -From a472ad2bcea479ba068880125d7273fc95c14b70 Mon Sep 17 00:00:00 2001 -From: Chen Yu -Date: Fri, 10 Jul 2020 12:12:01 +0800 -Subject: [PATCH] intel_idle: Customize IceLake server support -Git-commit: a472ad2bcea479ba068880125d7273fc95c14b70 -Patch-mainline: v5.9-rc1 -References: jsc#SLE-12679 - -On ICX platform, the C1E auto-promotion is enabled by default. -As a result, the CPU might fall into C1E more offen than previous -platforms. Besides, the C1E is not exposed to sysfs on ICX, which -is inconsistent with previous server platforms. - -So disable C1E auto-promotion and expose C1E as a separate idle -state, so the C1E and C6 can be disabled via sysfs when necessary. - -Beside C1 and C1E, the exit latency of C6 was measured -by a dedicated tool. However the exit latency(41us) exposed -by _CST is much smaller than the one we measured(128us). This -is probably due to the _CST uses the exit latency when woken -up from PC0+C6, rather than PC6+C6 when C6 was measured. Choose -the latter as we need the longest latency in theory. - -Reported-by: kernel test robot -Tested-by: Artem Bityutskiy -Acked-by: Artem Bityutskiy -Reviewed-by: Zhang Rui -Signed-off-by: Chen Yu -Signed-off-by: Rafael J. Wysocki -Acked-by: Takashi Iwai - ---- - drivers/idle/intel_idle.c | 36 ++++++++++++++++++++++++++++++++++++ - 1 file changed, 36 insertions(+) - -diff --git a/drivers/idle/intel_idle.c b/drivers/idle/intel_idle.c -index 3f86f36dab2b..fd0fa9e7900b 100644 ---- a/drivers/idle/intel_idle.c -+++ b/drivers/idle/intel_idle.c -@@ -752,6 +752,35 @@ static struct cpuidle_state skx_cstates[] __initdata = { - .enter = NULL } - }; - -+static struct cpuidle_state icx_cstates[] __initdata = { -+ { -+ .name = "C1", -+ .desc = "MWAIT 0x00", -+ .flags = MWAIT2flg(0x00), -+ .exit_latency = 1, -+ .target_residency = 1, -+ .enter = &intel_idle, -+ .enter_s2idle = intel_idle_s2idle, }, -+ { -+ .name = "C1E", -+ .desc = "MWAIT 0x01", -+ .flags = MWAIT2flg(0x01) | CPUIDLE_FLAG_ALWAYS_ENABLE, -+ .exit_latency = 4, -+ .target_residency = 4, -+ .enter = &intel_idle, -+ .enter_s2idle = intel_idle_s2idle, }, -+ { -+ .name = "C6", -+ .desc = "MWAIT 0x20", -+ .flags = MWAIT2flg(0x20) | CPUIDLE_FLAG_TLB_FLUSHED, -+ .exit_latency = 128, -+ .target_residency = 384, -+ .enter = &intel_idle, -+ .enter_s2idle = intel_idle_s2idle, }, -+ { -+ .enter = NULL } -+}; -+ - static struct cpuidle_state atom_cstates[] __initdata = { - { - .name = "C1E", -@@ -1056,6 +1085,12 @@ static const struct idle_cpu idle_cpu_skx __initconst = { - .use_acpi = true, - }; - -+static const struct idle_cpu idle_cpu_icx __initconst = { -+ .state_table = icx_cstates, -+ .disable_promotion_to_c1e = true, -+ .use_acpi = true, -+}; -+ - static const struct idle_cpu idle_cpu_avn __initconst = { - .state_table = avn_cstates, - .disable_promotion_to_c1e = true, -@@ -1110,6 +1145,7 @@ static const struct x86_cpu_id intel_idle_ids[] __initconst = { - X86_MATCH_INTEL_FAM6_MODEL(KABYLAKE_L, &idle_cpu_skl), - X86_MATCH_INTEL_FAM6_MODEL(KABYLAKE, &idle_cpu_skl), - X86_MATCH_INTEL_FAM6_MODEL(SKYLAKE_X, &idle_cpu_skx), -+ X86_MATCH_INTEL_FAM6_MODEL(ICELAKE_X, &idle_cpu_icx), - X86_MATCH_INTEL_FAM6_MODEL(XEON_PHI_KNL, &idle_cpu_knl), - X86_MATCH_INTEL_FAM6_MODEL(XEON_PHI_KNM, &idle_cpu_knl), - X86_MATCH_INTEL_FAM6_MODEL(ATOM_GOLDMONT, &idle_cpu_bxt), --- -2.16.4 - diff --git a/patches.suse/debugfs-lockdown-Allow-reading-debugfs-files-that-ar.patch b/patches.suse/debugfs-lockdown-Allow-reading-debugfs-files-that-ar.patch new file mode 100644 index 0000000..027254a --- /dev/null +++ b/patches.suse/debugfs-lockdown-Allow-reading-debugfs-files-that-ar.patch @@ -0,0 +1,39 @@ +From 358fcf5ddbec4e6706405847d6a666f5933a6c25 Mon Sep 17 00:00:00 2001 +From: Michal Suchanek +Date: Tue, 4 Jan 2022 18:05:05 +0100 +Subject: [PATCH] debugfs: lockdown: Allow reading debugfs files that are not + world readable + +References: bsc#1193328 ltc#195566 +Patch-mainline: v5.17-rc1 +Git-commit: 358fcf5ddbec4e6706405847d6a666f5933a6c25 + +When the kernel is locked down the kernel allows reading only debugfs +files with mode 444. Mode 400 is also valid but is not allowed. + +Make the 444 into a mask. + +Fixes: 5496197f9b08 ("debugfs: Restrict debugfs when the kernel is locked down") +Signed-off-by: Michal Suchanek +Link: https://lore.kernel.org/r/20220104170505.10248-1-msuchanek@suse.de +Signed-off-by: Greg Kroah-Hartman +--- + fs/debugfs/file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c +index 7d162b0efbf0..950c63fa4d0b 100644 +--- a/fs/debugfs/file.c ++++ b/fs/debugfs/file.c +@@ -147,7 +147,7 @@ static int debugfs_locked_down(struct inode *inode, + struct file *filp, + const struct file_operations *real_fops) + { +- if ((inode->i_mode & 07777) == 0444 && ++ if ((inode->i_mode & 07777 & ~0444) == 0 && + !(filp->f_mode & FMODE_WRITE) && + !real_fops->unlocked_ioctl && + !real_fops->compat_ioctl && +-- +2.31.1 + diff --git a/patches.suse/dm-crypt-document-encrypted-keyring-key-option.patch b/patches.suse/dm-crypt-document-encrypted-keyring-key-option.patch new file mode 100644 index 0000000..76fdf2e --- /dev/null +++ b/patches.suse/dm-crypt-document-encrypted-keyring-key-option.patch @@ -0,0 +1,36 @@ +From: Milan Broz +Date: Thu, 20 Aug 2020 21:20:26 +0200 +Subject: [PATCH] dm crypt: document encrypted keyring key option +Git-commit: 4c07ae0ad493b7b2d3dd3e53870e594f136ce8a5 +Patch-mainline: v5.9-rc7 +References: git-fixes + +Commit 27f5411a718c4 ("dm crypt: support using encrypted keys") +introduced support for encrypted keyring type. + +Fix documentation in admin guide to mention this type. + +Fixes: 27f5411a718c4 ("dm crypt: support using encrypted keys") +Signed-off-by: Milan Broz +Signed-off-by: Mike Snitzer +Acked-by: Hannes Reinecke +--- + Documentation/admin-guide/device-mapper/dm-crypt.rst | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Documentation/admin-guide/device-mapper/dm-crypt.rst b/Documentation/admin-guide/device-mapper/dm-crypt.rst +index 40dc2df58cd5..bc28a9527ee5 100644 +--- a/Documentation/admin-guide/device-mapper/dm-crypt.rst ++++ b/Documentation/admin-guide/device-mapper/dm-crypt.rst +@@ -67,7 +67,7 @@ Parameters:: + the value passed in . + + +- Either 'logon' or 'user' kernel key type. ++ Either 'logon', 'user' or 'encrypted' kernel key type. + + + The kernel keyring key description crypt target should look for +-- +2.29.2 + diff --git a/patches.suse/dm-writecache-add-cleaner-and-max_age-to-Documentati.patch b/patches.suse/dm-writecache-add-cleaner-and-max_age-to-Documentati.patch new file mode 100644 index 0000000..bb03827 --- /dev/null +++ b/patches.suse/dm-writecache-add-cleaner-and-max_age-to-Documentati.patch @@ -0,0 +1,52 @@ +From: Mike Snitzer +Date: Fri, 25 Jun 2021 15:18:59 -0400 +Subject: [PATCH] dm writecache: add "cleaner" and "max_age" to Documentation +Git-commit: cd039afa0ad86e1f01921cc5abf7f80d2449543a +Patch-mainline: v5.14-rc1 +References: git-fixes + +Backfill missing Documentation. + +Fixes: 93de44eb3fc8 ("dm writecache: implement the "cleaner" policy") +Fixes: 3923d4854e18 ("dm writecache: implement gradual cleanup") +Signed-off-by: Mike Snitzer +Acked-by: Hannes Reinecke +--- + .../admin-guide/device-mapper/writecache.rst | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/Documentation/admin-guide/device-mapper/writecache.rst b/Documentation/admin-guide/device-mapper/writecache.rst +index dce0184e07ca..c181f26af769 100644 +--- a/Documentation/admin-guide/device-mapper/writecache.rst ++++ b/Documentation/admin-guide/device-mapper/writecache.rst +@@ -53,6 +53,21 @@ Constructor parameters: + + - some underlying devices perform better with fua, some + with nofua. The user should test it ++ cleaner ++ when this option is activated (either in the constructor ++ arguments or by a message), the cache will not promote ++ new writes (however, writes to already cached blocks are ++ promoted, to avoid data corruption due to misordered ++ writes) and it will gradually writeback any cached ++ data. The userspace can then monitor the cleaning ++ process with "dmsetup status". When the number of cached ++ blocks drops to zero, userspace can unload the ++ dm-writecache target and replace it with dm-linear or ++ other targets. ++ max_age n ++ specifies the maximum age of a block in milliseconds. If ++ a block is stored in the cache for too long, it will be ++ written to the underlying device and cleaned up. + + Status: + 1. error indicator - 0 if there was no error, otherwise error number +@@ -77,3 +92,5 @@ Messages: + 5. resume the device, so that it will use the linear + target + 6. the cache device is now inactive and it can be deleted ++ cleaner ++ See above "cleaner" constructor documentation. +-- +2.29.2 + diff --git a/patches.suse/dm-writecache-advance-the-number-of-arguments-when-r.patch b/patches.suse/dm-writecache-advance-the-number-of-arguments-when-r.patch new file mode 100644 index 0000000..f9d9272 --- /dev/null +++ b/patches.suse/dm-writecache-advance-the-number-of-arguments-when-r.patch @@ -0,0 +1,36 @@ +From: Mikulas Patocka +Date: Tue, 10 Nov 2020 07:44:01 -0500 +Subject: [PATCH] dm writecache: advance the number of arguments when reporting + max_age +Git-commit: e5d41cbca1b2036362c9e29d705d3a175a01eff8 +Patch-mainline: v5.10-rc7 +References: git-fixes + +When reporting the "max_age" value the number of arguments must +advance by two. + +Signed-off-by: Mikulas Patocka +Fixes: 3923d4854e18 ("dm writecache: implement gradual cleanup") +Cc: stable@vger.kernel.org # v5.7+ +Signed-off-by: Mike Snitzer +Acked-by: Hannes Reinecke +--- + drivers/md/dm-writecache.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/md/dm-writecache.c b/drivers/md/dm-writecache.c +index 9ae4ce7df95c..1ea923af47c6 100644 +--- a/drivers/md/dm-writecache.c ++++ b/drivers/md/dm-writecache.c +@@ -2479,6 +2479,8 @@ static void writecache_status(struct dm_target *ti, status_type_t type, + extra_args += 2; + if (wc->autocommit_time_set) + extra_args += 2; ++ if (wc->max_age != MAX_AGE_UNSPECIFIED) ++ extra_args += 2; + if (wc->cleaner) + extra_args++; + if (wc->writeback_fua_set) +-- +2.29.2 + diff --git a/patches.suse/dm-writecache-fix-performance-degradation-in-ssd-mod.patch b/patches.suse/dm-writecache-fix-performance-degradation-in-ssd-mod.patch new file mode 100644 index 0000000..f8e3df8 --- /dev/null +++ b/patches.suse/dm-writecache-fix-performance-degradation-in-ssd-mod.patch @@ -0,0 +1,37 @@ +From: Mikulas Patocka +Date: Sat, 23 Jan 2021 09:19:56 -0500 +Subject: [PATCH] dm writecache: fix performance degradation in ssd mode +Git-commit: cb728484a7710c202f02b96aa0962ce9b07aa5c2 +Patch-mainline: v5.12-rc1 +References: git-fixes + +Fix a thinko in ssd_commit_superblock. region.count is in sectors, not +bytes. This bug doesn't corrupt data, but it causes performance +degradation. + +Signed-off-by: Mikulas Patocka +Fixes: dc8a01ae1dbd ("dm writecache: optimize superblock write") +Cc: stable@vger.kernel.org # v5.7+ +Reported-by: J. Bruce Fields +Signed-off-by: Mike Snitzer +Acked-by: Hannes Reinecke +--- + drivers/md/dm-writecache.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/md/dm-writecache.c b/drivers/md/dm-writecache.c +index d5223a0e5cc5..1769653c3d6b 100644 +--- a/drivers/md/dm-writecache.c ++++ b/drivers/md/dm-writecache.c +@@ -523,7 +523,7 @@ static void ssd_commit_superblock(struct dm_writecache *wc) + + region.bdev = wc->ssd_dev->bdev; + region.sector = 0; +- region.count = PAGE_SIZE; ++ region.count = PAGE_SIZE >> SECTOR_SHIFT; + + if (unlikely(region.sector + region.count > wc->metadata_sectors)) + region.count = wc->metadata_sectors - region.sector; +-- +2.29.2 + diff --git a/patches.suse/dm-writecache-flush-origin-device-when-writing-and-c.patch b/patches.suse/dm-writecache-flush-origin-device-when-writing-and-c.patch new file mode 100644 index 0000000..3b7bb88 --- /dev/null +++ b/patches.suse/dm-writecache-flush-origin-device-when-writing-and-c.patch @@ -0,0 +1,66 @@ +From: Mikulas Patocka +Date: Tue, 15 Jun 2021 13:45:55 -0400 +Subject: [PATCH] dm writecache: flush origin device when writing and cache is + full +Git-commit: ee55b92a7391bf871939330f662651b54be51b73 +Patch-mainline: v5.14-rc1 +References: git-fixes + +Commit d53f1fafec9d086f1c5166436abefdaef30e0363 ("dm writecache: do +direct write if the cache is full") changed dm-writecache, so that it +writes directly to the origin device if the cache is full. +Unfortunately, it doesn't forward flush requests to the origin device, +so that there is a bug where flushes are being ignored. + +Fix this by adding missing flush forwarding. + +For PMEM mode, we fix this bug by disabling direct writes to the origin +device, because it performs better. + +Signed-off-by: Mikulas Patocka +Fixes: d53f1fafec9d ("dm writecache: do direct write if the cache is full") +Cc: stable@vger.kernel.org # v5.7+ +Signed-off-by: Mike Snitzer +Acked-by: Hannes Reinecke +--- + drivers/md/dm-writecache.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/md/dm-writecache.c b/drivers/md/dm-writecache.c +index 28bb6890fcf4..ddd368e0491d 100644 +--- a/drivers/md/dm-writecache.c ++++ b/drivers/md/dm-writecache.c +@@ -1297,8 +1297,12 @@ static int writecache_map(struct dm_target *ti, struct bio *bio) + writecache_flush(wc); + if (writecache_has_error(wc)) + goto unlock_error; ++ if (unlikely(wc->cleaner)) ++ goto unlock_remap_origin; + goto unlock_submit; + } else { ++ if (dm_bio_get_target_bio_nr(bio)) ++ goto unlock_remap_origin; + writecache_offload_bio(wc, bio); + goto unlock_return; + } +@@ -1377,7 +1381,7 @@ static int writecache_map(struct dm_target *ti, struct bio *bio) + } + e = writecache_pop_from_freelist(wc, (sector_t)-1); + if (unlikely(!e)) { +- if (!found_entry) { ++ if (!WC_MODE_PMEM(wc) && !found_entry) { + direct_write: + e = writecache_find_entry(wc, bio->bi_iter.bi_sector, WFE_RETURN_FOLLOWING); + if (e) { +@@ -2484,7 +2488,7 @@ static int writecache_ctr(struct dm_target *ti, unsigned argc, char **argv) + goto bad; + } + +- ti->num_flush_bios = 1; ++ ti->num_flush_bios = WC_MODE_PMEM(wc) ? 1 : 2; + ti->flush_supported = true; + ti->num_discard_bios = 1; + +-- +2.29.2 + diff --git a/patches.suse/dmaengine-at_xdmac-Don-t-start-transactions-at-tx_su.patch b/patches.suse/dmaengine-at_xdmac-Don-t-start-transactions-at-tx_su.patch new file mode 100644 index 0000000..a249897 --- /dev/null +++ b/patches.suse/dmaengine-at_xdmac-Don-t-start-transactions-at-tx_su.patch @@ -0,0 +1,58 @@ +From bccfb96b59179d4f96cbbd1ddff8fac6d335eae4 Mon Sep 17 00:00:00 2001 +From: Tudor Ambarus +Date: Wed, 15 Dec 2021 13:01:04 +0200 +Subject: [PATCH] dmaengine: at_xdmac: Don't start transactions at tx_submit level +Git-commit: bccfb96b59179d4f96cbbd1ddff8fac6d335eae4 +Patch-mainline: v5.17-rc1 +References: git-fixes + +tx_submit is supposed to push the current transaction descriptor to a +pending queue, waiting for issue_pending() to be called. issue_pending() +must start the transfer, not tx_submit(), thus remove +at_xdmac_start_xfer() from at_xdmac_tx_submit(). Clients of at_xdmac that +assume that tx_submit() starts the transfer must be updated and call +dma_async_issue_pending() if they miss to call it (one example is +atmel_serial). + +As the at_xdmac_start_xfer() is now called only from +at_xdmac_advance_work() when !at_xdmac_chan_is_enabled(), the +at_xdmac_chan_is_enabled() check is no longer needed in +at_xdmac_start_xfer(), thus remove it. + +Fixes: e1f7c9eee707 ("dmaengine: at_xdmac: creation of the atmel eXtended DMA Controller driver") +Signed-off-by: Tudor Ambarus +Link: https://lore.kernel.org/r/20211215110115.191749-2-tudor.ambarus@microchip.com +Signed-off-by: Vinod Koul +Acked-by: Takashi Iwai + +--- + drivers/dma/at_xdmac.c | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/drivers/dma/at_xdmac.c b/drivers/dma/at_xdmac.c +index e42dede5b243..4ff12b083136 100644 +--- a/drivers/dma/at_xdmac.c ++++ b/drivers/dma/at_xdmac.c +@@ -385,9 +385,6 @@ static void at_xdmac_start_xfer(struct at_xdmac_chan *atchan, + + dev_vdbg(chan2dev(&atchan->chan), "%s: desc 0x%p\n", __func__, first); + +- if (at_xdmac_chan_is_enabled(atchan)) +- return; +- + /* Set transfer as active to not try to start it again. */ + first->active_xfer = true; + +@@ -479,9 +476,6 @@ static dma_cookie_t at_xdmac_tx_submit(struct dma_async_tx_descriptor *tx) + dev_vdbg(chan2dev(tx->chan), "%s: atchan 0x%p, add desc 0x%p to xfers_list\n", + __func__, atchan, desc); + list_add_tail(&desc->xfer_node, &atchan->xfers_list); +- if (list_is_singular(&atchan->xfers_list)) +- at_xdmac_start_xfer(atchan, desc); +- + spin_unlock_irqrestore(&atchan->lock, irqflags); + return cookie; + } +-- +2.31.1 + diff --git a/patches.suse/dmaengine-at_xdmac-Fix-at_xdmac_lld-struct-definitio.patch b/patches.suse/dmaengine-at_xdmac-Fix-at_xdmac_lld-struct-definitio.patch new file mode 100644 index 0000000..9ed5a0a --- /dev/null +++ b/patches.suse/dmaengine-at_xdmac-Fix-at_xdmac_lld-struct-definitio.patch @@ -0,0 +1,55 @@ +From 912f7c6f7fac273f40e621447cf17d14b50d6e5b Mon Sep 17 00:00:00 2001 +From: Tudor Ambarus +Date: Wed, 15 Dec 2021 13:01:13 +0200 +Subject: [PATCH] dmaengine: at_xdmac: Fix at_xdmac_lld struct definition +Git-commit: 912f7c6f7fac273f40e621447cf17d14b50d6e5b +Patch-mainline: v5.17-rc1 +References: git-fixes + +The hardware channel next descriptor view structure contains just +fields of 32 bits, while dma_addr_t can be of type u64 or u32 +depending on CONFIG_ARCH_DMA_ADDR_T_64BIT. Force u32 to comply with +what the hardware expects. + +Fixes: e1f7c9eee707 ("dmaengine: at_xdmac: creation of the atmel eXtended DMA Controller driver") +Signed-off-by: Tudor Ambarus +Link: https://lore.kernel.org/r/20211215110115.191749-11-tudor.ambarus@microchip.com +Signed-off-by: Vinod Koul +Acked-by: Takashi Iwai + +--- + drivers/dma/at_xdmac.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/dma/at_xdmac.c b/drivers/dma/at_xdmac.c +index 6e5bfc9b3825..abe8c4615e65 100644 +--- a/drivers/dma/at_xdmac.c ++++ b/drivers/dma/at_xdmac.c +@@ -253,15 +253,15 @@ struct at_xdmac { + + /* Linked List Descriptor */ + struct at_xdmac_lld { +- dma_addr_t mbr_nda; /* Next Descriptor Member */ +- u32 mbr_ubc; /* Microblock Control Member */ +- dma_addr_t mbr_sa; /* Source Address Member */ +- dma_addr_t mbr_da; /* Destination Address Member */ +- u32 mbr_cfg; /* Configuration Register */ +- u32 mbr_bc; /* Block Control Register */ +- u32 mbr_ds; /* Data Stride Register */ +- u32 mbr_sus; /* Source Microblock Stride Register */ +- u32 mbr_dus; /* Destination Microblock Stride Register */ ++ u32 mbr_nda; /* Next Descriptor Member */ ++ u32 mbr_ubc; /* Microblock Control Member */ ++ u32 mbr_sa; /* Source Address Member */ ++ u32 mbr_da; /* Destination Address Member */ ++ u32 mbr_cfg; /* Configuration Register */ ++ u32 mbr_bc; /* Block Control Register */ ++ u32 mbr_ds; /* Data Stride Register */ ++ u32 mbr_sus; /* Source Microblock Stride Register */ ++ u32 mbr_dus; /* Destination Microblock Stride Register */ + }; + + /* 64-bit alignment needed to update CNDA and CUBC registers in an atomic way. */ +-- +2.31.1 + diff --git a/patches.suse/dmaengine-at_xdmac-Fix-concurrency-over-xfers_list.patch b/patches.suse/dmaengine-at_xdmac-Fix-concurrency-over-xfers_list.patch new file mode 100644 index 0000000..275592b --- /dev/null +++ b/patches.suse/dmaengine-at_xdmac-Fix-concurrency-over-xfers_list.patch @@ -0,0 +1,55 @@ +From 18deddea9184b62941395889ff7659529c877326 Mon Sep 17 00:00:00 2001 +From: Tudor Ambarus +Date: Wed, 15 Dec 2021 13:01:10 +0200 +Subject: [PATCH] dmaengine: at_xdmac: Fix concurrency over xfers_list +Git-commit: 18deddea9184b62941395889ff7659529c877326 +Patch-mainline: v5.17-rc1 +References: git-fixes + +Since tx_submit can be called from a hard IRQ, xfers_list must be +protected with a lock to avoid concurency on the list's elements. +Since at_xdmac_handle_cyclic() is called from a tasklet, spin_lock_irq +is enough to protect from a hard IRQ. + +Fixes: e1f7c9eee707 ("dmaengine: at_xdmac: creation of the atmel eXtended DMA Controller driver") +Signed-off-by: Tudor Ambarus +Link: https://lore.kernel.org/r/20211215110115.191749-8-tudor.ambarus@microchip.com +Signed-off-by: Vinod Koul +Acked-by: Takashi Iwai + +--- + drivers/dma/at_xdmac.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/drivers/dma/at_xdmac.c b/drivers/dma/at_xdmac.c +index b6547f1b5645..eeb03065d484 100644 +--- a/drivers/dma/at_xdmac.c ++++ b/drivers/dma/at_xdmac.c +@@ -1608,14 +1608,17 @@ static void at_xdmac_handle_cyclic(struct at_xdmac_chan *atchan) + struct at_xdmac_desc *desc; + struct dma_async_tx_descriptor *txd; + +- if (!list_empty(&atchan->xfers_list)) { +- desc = list_first_entry(&atchan->xfers_list, +- struct at_xdmac_desc, xfer_node); +- txd = &desc->tx_dma_desc; +- +- if (txd->flags & DMA_PREP_INTERRUPT) +- dmaengine_desc_get_callback_invoke(txd, NULL); ++ spin_lock_irq(&atchan->lock); ++ if (list_empty(&atchan->xfers_list)) { ++ spin_unlock_irq(&atchan->lock); ++ return; + } ++ desc = list_first_entry(&atchan->xfers_list, struct at_xdmac_desc, ++ xfer_node); ++ spin_unlock_irq(&atchan->lock); ++ txd = &desc->tx_dma_desc; ++ if (txd->flags & DMA_PREP_INTERRUPT) ++ dmaengine_desc_get_callback_invoke(txd, NULL); + } + + static void at_xdmac_handle_error(struct at_xdmac_chan *atchan) +-- +2.31.1 + diff --git a/patches.suse/dmaengine-at_xdmac-Fix-lld-view-setting.patch b/patches.suse/dmaengine-at_xdmac-Fix-lld-view-setting.patch new file mode 100644 index 0000000..cba6a3c --- /dev/null +++ b/patches.suse/dmaengine-at_xdmac-Fix-lld-view-setting.patch @@ -0,0 +1,46 @@ +From 1385eb4d14d447cc5d744bc2ac34f43be66c9963 Mon Sep 17 00:00:00 2001 +From: Tudor Ambarus +Date: Wed, 15 Dec 2021 13:01:12 +0200 +Subject: [PATCH] dmaengine: at_xdmac: Fix lld view setting +Git-commit: 1385eb4d14d447cc5d744bc2ac34f43be66c9963 +Patch-mainline: v5.17-rc1 +References: git-fixes + +AT_XDMAC_CNDC_NDVIEW_NDV3 was set even for AT_XDMAC_MBR_UBC_NDV2, +because of the wrong bit handling. Fix it. + +Fixes: ee0fe35c8dcd ("dmaengine: xdmac: Handle descriptor's view 3 registers") +Signed-off-by: Tudor Ambarus +Link: https://lore.kernel.org/r/20211215110115.191749-10-tudor.ambarus@microchip.com +Signed-off-by: Vinod Koul +Acked-by: Takashi Iwai + +--- + drivers/dma/at_xdmac.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/dma/at_xdmac.c b/drivers/dma/at_xdmac.c +index 0b09ec752db4..6e5bfc9b3825 100644 +--- a/drivers/dma/at_xdmac.c ++++ b/drivers/dma/at_xdmac.c +@@ -99,6 +99,7 @@ + #define AT_XDMAC_CNDC_NDE (0x1 << 0) /* Channel x Next Descriptor Enable */ + #define AT_XDMAC_CNDC_NDSUP (0x1 << 1) /* Channel x Next Descriptor Source Update */ + #define AT_XDMAC_CNDC_NDDUP (0x1 << 2) /* Channel x Next Descriptor Destination Update */ ++#define AT_XDMAC_CNDC_NDVIEW_MASK GENMASK(28, 27) + #define AT_XDMAC_CNDC_NDVIEW_NDV0 (0x0 << 3) /* Channel x Next Descriptor View 0 */ + #define AT_XDMAC_CNDC_NDVIEW_NDV1 (0x1 << 3) /* Channel x Next Descriptor View 1 */ + #define AT_XDMAC_CNDC_NDVIEW_NDV2 (0x2 << 3) /* Channel x Next Descriptor View 2 */ +@@ -402,7 +403,8 @@ static void at_xdmac_start_xfer(struct at_xdmac_chan *atchan, + */ + if (at_xdmac_chan_is_cyclic(atchan)) + reg = AT_XDMAC_CNDC_NDVIEW_NDV1; +- else if (first->lld.mbr_ubc & AT_XDMAC_MBR_UBC_NDV3) ++ else if ((first->lld.mbr_ubc & ++ AT_XDMAC_CNDC_NDVIEW_MASK) == AT_XDMAC_MBR_UBC_NDV3) + reg = AT_XDMAC_CNDC_NDVIEW_NDV3; + else + reg = AT_XDMAC_CNDC_NDVIEW_NDV2; +-- +2.31.1 + diff --git a/patches.suse/dmaengine-at_xdmac-Print-debug-message-after-realeas.patch b/patches.suse/dmaengine-at_xdmac-Print-debug-message-after-realeas.patch new file mode 100644 index 0000000..fb02ff4 --- /dev/null +++ b/patches.suse/dmaengine-at_xdmac-Print-debug-message-after-realeas.patch @@ -0,0 +1,43 @@ +From 5edc24ac876a928f36f407a0fcdb33b94a3a210f Mon Sep 17 00:00:00 2001 +From: Tudor Ambarus +Date: Wed, 15 Dec 2021 13:01:06 +0200 +Subject: [PATCH] dmaengine: at_xdmac: Print debug message after realeasing the lock +Git-commit: 5edc24ac876a928f36f407a0fcdb33b94a3a210f +Patch-mainline: v5.17-rc1 +References: git-fixes + +It is desirable to do the prints without the lock held if possible, so +move the print after the lock is released. + +Fixes: e1f7c9eee707 ("dmaengine: at_xdmac: creation of the atmel eXtended DMA Controller driver") +Signed-off-by: Tudor Ambarus +Link: https://lore.kernel.org/r/20211215110115.191749-4-tudor.ambarus@microchip.com +Signed-off-by: Vinod Koul +Acked-by: Takashi Iwai + +--- + drivers/dma/at_xdmac.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/dma/at_xdmac.c b/drivers/dma/at_xdmac.c +index c3d3e1270236..7d3560acedbb 100644 +--- a/drivers/dma/at_xdmac.c ++++ b/drivers/dma/at_xdmac.c +@@ -473,10 +473,12 @@ static dma_cookie_t at_xdmac_tx_submit(struct dma_async_tx_descriptor *tx) + spin_lock_irqsave(&atchan->lock, irqflags); + cookie = dma_cookie_assign(tx); + +- dev_vdbg(chan2dev(tx->chan), "%s: atchan 0x%p, add desc 0x%p to xfers_list\n", +- __func__, atchan, desc); + list_add_tail(&desc->xfer_node, &atchan->xfers_list); + spin_unlock_irqrestore(&atchan->lock, irqflags); ++ ++ dev_vdbg(chan2dev(tx->chan), "%s: atchan 0x%p, add desc 0x%p to xfers_list\n", ++ __func__, atchan, desc); ++ + return cookie; + } + +-- +2.31.1 + diff --git a/patches.suse/dmaengine-idxd-add-module-parameter-to-force-disable.patch b/patches.suse/dmaengine-idxd-add-module-parameter-to-force-disable.patch new file mode 100644 index 0000000..25f4a53 --- /dev/null +++ b/patches.suse/dmaengine-idxd-add-module-parameter-to-force-disable.patch @@ -0,0 +1,67 @@ +From 03d939c7e3d8800a9feb54808929c5776ac510eb Mon Sep 17 00:00:00 2001 +From: Dave Jiang +Date: Fri, 22 Jan 2021 11:46:00 -0700 +Subject: [PATCH] dmaengine: idxd: add module parameter to force disable of SVA +Git-commit: 03d939c7e3d8800a9feb54808929c5776ac510eb +Patch-mainline: v5.12-rc1 +References: bsc#1192931 + +Add a module parameter that overrides the SVA feature enabling. This keeps +the driver in legacy mode even when intel_iommu=sm_on is set. In this mode, +the descriptor fields must be programmed with dma_addr_t from the Linux DMA +API for source, destination, and completion descriptors. + +Signed-off-by: Dave Jiang +Link: https://lore.kernel.org/r/161134110457.4005461.13171197785259115852.stgit@djiang5-desk3.ch.intel.com +Signed-off-by: Vinod Koul +Acked-by: Takashi Iwai + +--- + Documentation/admin-guide/kernel-parameters.txt | 6 ++++++ + drivers/dma/idxd/init.c | 8 +++++++- + 2 files changed, 13 insertions(+), 1 deletion(-) + +--- a/Documentation/admin-guide/kernel-parameters.txt ++++ b/Documentation/admin-guide/kernel-parameters.txt +@@ -1582,6 +1582,12 @@ + In such case C2/C3 won't be used again. + idle=nomwait: Disable mwait for CPU C-states + ++ idxd.sva= [HW] ++ Format: ++ Allow force disabling of Shared Virtual Memory (SVA) ++ support for the idxd driver. By default it is set to ++ true (1). ++ + ieee754= [MIPS] Select IEEE Std 754 conformance mode + Format: { strict | legacy | 2008 | relaxed } + Default: strict +--- a/drivers/dma/idxd/init.c ++++ b/drivers/dma/idxd/init.c +@@ -26,6 +26,10 @@ MODULE_VERSION(IDXD_DRIVER_VERSION); + MODULE_LICENSE("GPL v2"); + MODULE_AUTHOR("Intel Corporation"); + ++static bool sva = true; ++module_param(sva, bool, 0644); ++MODULE_PARM_DESC(sva, "Toggle SVA support on/off"); ++ + #define DRV_NAME "idxd" + + bool support_enqcmd; +@@ -323,12 +327,14 @@ static int idxd_probe(struct idxd_device + + dev_dbg(dev, "IDXD reset complete\n"); + +- if (IS_ENABLED(CONFIG_INTEL_IDXD_SVM)) { ++ if (IS_ENABLED(CONFIG_INTEL_IDXD_SVM) && sva) { + rc = idxd_enable_system_pasid(idxd); + if (rc < 0) + dev_warn(dev, "Failed to enable PASID. No SVA support: %d\n", rc); + else + set_bit(IDXD_FLAG_PASID_ENABLED, &idxd->flags); ++ } else if (!sva) { ++ dev_warn(dev, "User forced SVA off via module param.\n"); + } + + idxd_read_caps(idxd); diff --git a/patches.suse/dmaengine-idxd-enable-SVA-feature-for-IOMMU.patch b/patches.suse/dmaengine-idxd-enable-SVA-feature-for-IOMMU.patch new file mode 100644 index 0000000..036665b --- /dev/null +++ b/patches.suse/dmaengine-idxd-enable-SVA-feature-for-IOMMU.patch @@ -0,0 +1,63 @@ +From cf5f86a7d47df149857ba2fb72f9c6c9da46af2e Mon Sep 17 00:00:00 2001 +From: Dave Jiang +Date: Tue, 20 Apr 2021 11:46:46 -0700 +Subject: [PATCH] dmaengine: idxd: enable SVA feature for IOMMU +Git-commit: cf5f86a7d47df149857ba2fb72f9c6c9da46af2e +Patch-mainline: v5.13-rc1 +References: bsc#1192931 + +Enable IOMMU_DEV_FEAT_SVA before attempt to bind pasid. This is needed +according to iommu_sva_bind_device() comment. Currently Intel IOMMU code +does this before bind call. It really needs to be controlled by the driver. + +Signed-off-by: Dave Jiang +Link: https://lore.kernel.org/r/161894440621.3202472.17644507396206848134.stgit@djiang5-desk3.ch.intel.com +Signed-off-by: Vinod Koul +Acked-by: Takashi Iwai + +--- + drivers/dma/idxd/init.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +--- a/drivers/dma/idxd/init.c ++++ b/drivers/dma/idxd/init.c +@@ -328,11 +328,18 @@ static int idxd_probe(struct idxd_device + dev_dbg(dev, "IDXD reset complete\n"); + + if (IS_ENABLED(CONFIG_INTEL_IDXD_SVM) && sva) { +- rc = idxd_enable_system_pasid(idxd); +- if (rc < 0) +- dev_warn(dev, "Failed to enable PASID. No SVA support: %d\n", rc); +- else +- set_bit(IDXD_FLAG_PASID_ENABLED, &idxd->flags); ++ rc = iommu_dev_enable_feature(dev, IOMMU_DEV_FEAT_SVA); ++ if (rc == 0) { ++ rc = idxd_enable_system_pasid(idxd); ++ if (rc < 0) { ++ iommu_dev_disable_feature(dev, IOMMU_DEV_FEAT_SVA); ++ dev_warn(dev, "Failed to enable PASID. No SVA support: %d\n", rc); ++ } else { ++ set_bit(IDXD_FLAG_PASID_ENABLED, &idxd->flags); ++ } ++ } else { ++ dev_warn(dev, "Unable to turn on SVA feature.\n"); ++ } + } else if (!sva) { + dev_warn(dev, "User forced SVA off via module param.\n"); + } +@@ -369,6 +376,7 @@ static int idxd_probe(struct idxd_device + err_setup: + if (device_pasid_enabled(idxd)) + idxd_disable_system_pasid(idxd); ++ iommu_dev_disable_feature(dev, IOMMU_DEV_FEAT_SVA); + return rc; + } + +@@ -523,6 +531,7 @@ static void idxd_remove(struct pci_dev * + mutex_lock(&idxd_idr_lock); + idr_remove(&idxd_idrs[idxd->type], idxd->id); + mutex_unlock(&idxd_idr_lock); ++ iommu_dev_disable_feature(&pdev->dev, IOMMU_DEV_FEAT_SVA); + } + + static struct pci_driver idxd_pci_driver = { diff --git a/patches.suse/drm-amd-display-Set-plane-update-flags-for-all-plane.patch b/patches.suse/drm-amd-display-Set-plane-update-flags-for-all-plane.patch index fdde75b..a0a72d8 100644 --- a/patches.suse/drm-amd-display-Set-plane-update-flags-for-all-plane.patch +++ b/patches.suse/drm-amd-display-Set-plane-update-flags-for-all-plane.patch @@ -5,6 +5,7 @@ Subject: drm/amd/display: Set plane update flags for all planes in reset Git-commit: 21431f70f6014f81b0d118ff4fcee12b00b9dd70 Patch-mainline: v5.16-rc3 References: git-fixes +Alt-commit: 6984fa418b8efde7662af151bae4b8dc66e65fcf [Why] We're only setting the flags on stream[0]'s planes so this logic fails diff --git a/patches.suse/drm-amdgpu-revert-Add-autodump-debugfs-node-for-gpu-.patch b/patches.suse/drm-amdgpu-revert-Add-autodump-debugfs-node-for-gpu-.patch new file mode 100644 index 0000000..6b46277 --- /dev/null +++ b/patches.suse/drm-amdgpu-revert-Add-autodump-debugfs-node-for-gpu-.patch @@ -0,0 +1,166 @@ +From c8365dbda056578eebe164bf110816b1a39b4b7f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20K=C3=B6nig?= +Date: Thu, 30 Sep 2021 11:22:51 +0200 +Subject: drm/amdgpu: revert "Add autodump debugfs node for gpu reset v8" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Git-commit: c8365dbda056578eebe164bf110816b1a39b4b7f +Patch-mainline: v5.16-rc1 +References: git-fixes + +This reverts commit 728e7e0cd61899208e924472b9e641dbeb0775c4. + +Further discussion reveals that this feature is severely broken +and needs to be reverted ASAP. + +GPU reset can never be delayed by userspace even for debugging or +otherwise we can run into in kernel deadlocks. + +Signed-off-by: Christian König +Acked-by: Alex Deucher +Acked-by: Nirmoy Das +Signed-off-by: Alex Deucher +Signed-off-by: Patrik Jakobsson +--- + drivers/gpu/drm/amd/amdgpu/amdgpu.h | 2 + drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 76 ---------------------------- + drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.h | 6 -- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 + 4 files changed, 86 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu.h +@@ -992,8 +992,6 @@ struct amdgpu_device { + char product_name[32]; + char serial[20]; + +- struct amdgpu_autodump autodump; +- + atomic_t throttling_logging_enabled; + struct ratelimit_state throttling_logging_rs; + }; +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c +@@ -74,82 +74,8 @@ int amdgpu_debugfs_add_files(struct amdg + return 0; + } + +-int amdgpu_debugfs_wait_dump(struct amdgpu_device *adev) +-{ +-#if defined(CONFIG_DEBUG_FS) +- unsigned long timeout = 600 * HZ; +- int ret; +- +- wake_up_interruptible(&adev->autodump.gpu_hang); +- +- ret = wait_for_completion_interruptible_timeout(&adev->autodump.dumping, timeout); +- if (ret == 0) { +- pr_err("autodump: timeout, move on to gpu recovery\n"); +- return -ETIMEDOUT; +- } +-#endif +- return 0; +-} +- + #if defined(CONFIG_DEBUG_FS) + +-static int amdgpu_debugfs_autodump_open(struct inode *inode, struct file *file) +-{ +- struct amdgpu_device *adev = inode->i_private; +- int ret; +- +- file->private_data = adev; +- +- mutex_lock(&adev->lock_reset); +- if (adev->autodump.dumping.done) { +- reinit_completion(&adev->autodump.dumping); +- ret = 0; +- } else { +- ret = -EBUSY; +- } +- mutex_unlock(&adev->lock_reset); +- +- return ret; +-} +- +-static int amdgpu_debugfs_autodump_release(struct inode *inode, struct file *file) +-{ +- struct amdgpu_device *adev = file->private_data; +- +- complete_all(&adev->autodump.dumping); +- return 0; +-} +- +-static unsigned int amdgpu_debugfs_autodump_poll(struct file *file, struct poll_table_struct *poll_table) +-{ +- struct amdgpu_device *adev = file->private_data; +- +- poll_wait(file, &adev->autodump.gpu_hang, poll_table); +- +- if (adev->in_gpu_reset) +- return POLLIN | POLLRDNORM | POLLWRNORM; +- +- return 0; +-} +- +-static const struct file_operations autodump_debug_fops = { +- .owner = THIS_MODULE, +- .open = amdgpu_debugfs_autodump_open, +- .poll = amdgpu_debugfs_autodump_poll, +- .release = amdgpu_debugfs_autodump_release, +-}; +- +-static void amdgpu_debugfs_autodump_init(struct amdgpu_device *adev) +-{ +- init_completion(&adev->autodump.dumping); +- complete_all(&adev->autodump.dumping); +- init_waitqueue_head(&adev->autodump.gpu_hang); +- +- debugfs_create_file("amdgpu_autodump", 0600, +- adev->ddev->primary->debugfs_root, +- adev, &autodump_debug_fops); +-} +- + /** + * amdgpu_debugfs_process_reg_op - Handle MMIO register reads/writes + * +@@ -1621,8 +1547,6 @@ int amdgpu_debugfs_init(struct amdgpu_de + + amdgpu_ras_debugfs_create_all(adev); + +- amdgpu_debugfs_autodump_init(adev); +- + return amdgpu_debugfs_add_files(adev, amdgpu_debugfs_list, + ARRAY_SIZE(amdgpu_debugfs_list)); + } +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.h +@@ -31,11 +31,6 @@ struct amdgpu_debugfs { + unsigned num_files; + }; + +-struct amdgpu_autodump { +- struct completion dumping; +- struct wait_queue_head gpu_hang; +-}; +- + int amdgpu_debugfs_regs_init(struct amdgpu_device *adev); + int amdgpu_debugfs_init(struct amdgpu_device *adev); + void amdgpu_debugfs_fini(struct amdgpu_device *adev); +@@ -45,4 +40,3 @@ int amdgpu_debugfs_add_files(struct amdg + int amdgpu_debugfs_fence_init(struct amdgpu_device *adev); + int amdgpu_debugfs_firmware_init(struct amdgpu_device *adev); + int amdgpu_debugfs_gem_init(struct amdgpu_device *adev); +-int amdgpu_debugfs_wait_dump(struct amdgpu_device *adev); +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -3963,8 +3963,6 @@ static int amdgpu_device_pre_asic_reset( + int i, r = 0; + bool need_full_reset = *need_full_reset_arg; + +- amdgpu_debugfs_wait_dump(adev); +- + /* block all schedulers and reset given job's ring */ + for (i = 0; i < AMDGPU_MAX_RINGS; ++i) { + struct amdgpu_ring *ring = adev->rings[i]; diff --git a/patches.suse/drm-i915-fb-Fix-rounding-error-in-subsampled-plane-s.patch b/patches.suse/drm-i915-fb-Fix-rounding-error-in-subsampled-plane-s.patch new file mode 100644 index 0000000..7ce2730 --- /dev/null +++ b/patches.suse/drm-i915-fb-Fix-rounding-error-in-subsampled-plane-s.patch @@ -0,0 +1,39 @@ +From 90ab96f3872eae816f4e07deaa77322a91237960 Mon Sep 17 00:00:00 2001 +From: Imre Deak +Date: Wed, 27 Oct 2021 01:50:59 +0300 +Subject: drm/i915/fb: Fix rounding error in subsampled plane size calculation +Git-commit: 90ab96f3872eae816f4e07deaa77322a91237960 +Patch-mainline: v5.16-rc1 +References: git-fixes +Alt-commit: 2ee5ef9c934ad26376c9282171e731e6c0339815 + +For NV12 FBs with odd main surface tile-row height the CCS surface +height was incorrectly calculated 1 less than the actual value. Fix this +by rounding up the result of divison. For consistency do the same for +the CCS surface width calculation. + +Fixes: b3e57bccd68a ("drm/i915/tgl: Gen-12 render decompression") +Signed-off-by: Imre Deak +Reviewed-by: Juha-Pekka Heikkila +Link: https://patchwork.freedesktop.org/patch/msgid/20211026225105.2783797-2-imre.deak@intel.com +(cherry picked from commit 2ee5ef9c934ad26376c9282171e731e6c0339815) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Patrik Jakobsson +--- + drivers/gpu/drm/i915/display/intel_display.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/i915/display/intel_display.c ++++ b/drivers/gpu/drm/i915/display/intel_display.c +@@ -2967,8 +2967,9 @@ intel_fb_plane_dims(int *w, int *h, stru + + intel_fb_plane_get_subsampling(&main_hsub, &main_vsub, fb, main_plane); + intel_fb_plane_get_subsampling(&hsub, &vsub, fb, color_plane); +- *w = fb->width / main_hsub / hsub; +- *h = fb->height / main_vsub / vsub; ++ ++ *w = DIV_ROUND_UP(fb->width, main_hsub * hsub); ++ *h = DIV_ROUND_UP(fb->height, main_vsub * vsub); + } + + /* diff --git a/patches.suse/fget-clarify-and-improve-__fget_files-implementation.patch b/patches.suse/fget-clarify-and-improve-__fget_files-implementation.patch new file mode 100644 index 0000000..f4237f5 --- /dev/null +++ b/patches.suse/fget-clarify-and-improve-__fget_files-implementation.patch @@ -0,0 +1,135 @@ +From e386dfc56f837da66d00a078e5314bc8382fab83 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Fri, 10 Dec 2021 14:00:15 -0800 +Subject: [PATCH] fget: clarify and improve __fget_files() implementation +Git-commit: e386dfc56f837da66d00a078e5314bc8382fab83 +Patch-mainline: v5.16-rc6 +References: bsc#1193727 + +Commit 054aa8d439b9 ("fget: check that the fd still exists after getting +a ref to it") fixed a race with getting a reference to a file just as it +was being closed. It was a fairly minimal patch, and I didn't think +re-checking the file pointer lookup would be a measurable overhead, +since it was all right there and cached. + +But I was wrong, as pointed out by the kernel test robot. + +The 'poll2' case of the will-it-scale.per_thread_ops benchmark regressed +quite noticeably. Admittedly it seems to be a very artificial test: +doing "poll()" system calls on regular files in a very tight loop in +multiple threads. + +That means that basically all the time is spent just looking up file +descriptors without ever doing anything useful with them (not that doing +'poll()' on a regular file is useful to begin with). And as a result it +shows the extra "re-check fd" cost as a sore thumb. + +Happily, the regression is fixable by just writing the code to loook up +the fd to be better and clearer. There's still a cost to verify the +file pointer, but now it's basically in the noise even for that +benchmark that does nothing else - and the code is more understandable +and has better comments too. + +[ Side note: this patch is also a classic case of one that looks very + messy with the default greedy Myers diff - it's much more legible with + either the patience of histogram diff algorithm ] + +Link: https://lore.kernel.org/lkml/20211210053743.GA36420@xsang-OptiPlex-9020/ +Link: https://lore.kernel.org/lkml/20211213083154.GA20853@linux.intel.com/ +Reported-by: kernel test robot +Tested-by: Carel Si +Cc: Jann Horn +Cc: Miklos Szeredi +Signed-off-by: Linus Torvalds +Acked-by: Jan Kara + +--- + fs/file.c | 70 ++++++++++++++++++++++++++++++++++++++++++++++++-------------- + 1 file changed, 55 insertions(+), 15 deletions(-) + +--- a/fs/file.c ++++ b/fs/file.c +@@ -706,28 +706,68 @@ void do_close_on_exec(struct files_struc + spin_unlock(&files->file_lock); + } + +-static struct file *__fget(unsigned int fd, fmode_t mask, unsigned int refs) ++static struct file *__fget_rcu(unsigned int fd, fmode_t mask, unsigned int refs) + { + struct files_struct *files = current->files; +- struct file *file; + +- rcu_read_lock(); +-loop: +- file = fcheck_files(files, fd); +- if (file) { +- /* File object ref couldn't be taken. +- * dup2() atomicity guarantee is the reason +- * we loop to catch the new file (or NULL pointer) ++ for (;;) { ++ struct file *file; ++ struct fdtable *fdt = rcu_dereference_raw(files->fdt); ++ struct file __rcu **fdentry; ++ ++ if (unlikely(fd >= fdt->max_fds)) ++ return NULL; ++ ++ fdentry = fdt->fd + array_index_nospec(fd, fdt->max_fds); ++ file = rcu_dereference_raw(*fdentry); ++ if (unlikely(!file)) ++ return NULL; ++ ++ if (unlikely(file->f_mode & mask)) ++ return NULL; ++ ++ /* ++ * Ok, we have a file pointer. However, because we do ++ * this all locklessly under RCU, we may be racing with ++ * that file being closed. ++ * ++ * Such a race can take two forms: ++ * ++ * (a) the file ref already went down to zero, ++ * and get_file_rcu_many() fails. Just try ++ * again: ++ */ ++ if (unlikely(!get_file_rcu_many(file, refs))) ++ continue; ++ ++ /* ++ * (b) the file table entry has changed under us. ++ * Note that we don't need to re-check the 'fdt->fd' ++ * pointer having changed, because it always goes ++ * hand-in-hand with 'fdt'. ++ * ++ * If so, we need to put our refs and try again. + */ +- if (file->f_mode & mask) +- file = NULL; +- else if (!get_file_rcu_many(file, refs)) +- goto loop; +- else if (__fcheck_files(files, fd) != file) { ++ if (unlikely(rcu_dereference_raw(files->fdt) != fdt) || ++ unlikely(rcu_dereference_raw(*fdentry) != file)) { + fput_many(file, refs); +- goto loop; ++ continue; + } ++ ++ /* ++ * Ok, we have a ref to the file, and checked that it ++ * still exists. ++ */ ++ return file; + } ++} ++ ++static struct file *__fget(unsigned int fd, fmode_t mask, unsigned int refs) ++{ ++ struct file *file; ++ ++ rcu_read_lock(); ++ file = __fget_rcu(fd, mask, refs); + rcu_read_unlock(); + + return file; diff --git a/patches.suse/firmware-qemu_fw_cfg-fix-NULL-pointer-deref-on-dupli.patch b/patches.suse/firmware-qemu_fw_cfg-fix-NULL-pointer-deref-on-dupli.patch index 01dfd12..56072e4 100644 --- a/patches.suse/firmware-qemu_fw_cfg-fix-NULL-pointer-deref-on-dupli.patch +++ b/patches.suse/firmware-qemu_fw_cfg-fix-NULL-pointer-deref-on-dupli.patch @@ -3,6 +3,7 @@ From: Johan Hovold Date: Wed, 1 Dec 2021 14:25:25 +0100 Subject: [PATCH] firmware: qemu_fw_cfg: fix NULL-pointer deref on duplicate entries Git-commit: a57ac7acdcc1665662e369993898194def56e888 +Alt-commit: d3e305592d69e21e36b76d24ca3c01971a2d09be Patch-mainline: v5.17-rc1 References: git-fixes diff --git a/patches.suse/firmware-qemu_fw_cfg-fix-kobject-leak-in-probe-error.patch b/patches.suse/firmware-qemu_fw_cfg-fix-kobject-leak-in-probe-error.patch index c80ff74..93b1f05 100644 --- a/patches.suse/firmware-qemu_fw_cfg-fix-kobject-leak-in-probe-error.patch +++ b/patches.suse/firmware-qemu_fw_cfg-fix-kobject-leak-in-probe-error.patch @@ -3,6 +3,7 @@ From: Johan Hovold Date: Wed, 1 Dec 2021 14:25:26 +0100 Subject: [PATCH] firmware: qemu_fw_cfg: fix kobject leak in probe error path Git-commit: 47a1db8e797da01a1309bf42e0c0d771d4e4d4f3 +Alt-commit: 6004e351da50565fb561be85d45151dc9c370023 Patch-mainline: v5.17-rc1 References: git-fixes diff --git a/patches.suse/firmware-qemu_fw_cfg-fix-sysfs-information-leak.patch b/patches.suse/firmware-qemu_fw_cfg-fix-sysfs-information-leak.patch index d421990..3f44d2e 100644 --- a/patches.suse/firmware-qemu_fw_cfg-fix-sysfs-information-leak.patch +++ b/patches.suse/firmware-qemu_fw_cfg-fix-sysfs-information-leak.patch @@ -3,6 +3,7 @@ From: Johan Hovold Date: Wed, 1 Dec 2021 14:25:27 +0100 Subject: [PATCH] firmware: qemu_fw_cfg: fix sysfs information leak Git-commit: 433b7cd1e702b0918ef90cbf06c3da24313625d2 +Alt-commit: 1b656e9aad7f4886ed466094d1dc5ee4dd900d20 Patch-mainline: v5.17-rc1 References: git-fixes diff --git a/patches.suse/fuse-Pass-correct-lend-value-to-filemap_write_and_wait_range.patch b/patches.suse/fuse-Pass-correct-lend-value-to-filemap_write_and_wait_range.patch new file mode 100644 index 0000000..ed7a3d8 --- /dev/null +++ b/patches.suse/fuse-Pass-correct-lend-value-to-filemap_write_and_wait_range.patch @@ -0,0 +1,37 @@ +From: Xie Yongji +Date: Mon, 22 Nov 2021 17:05:31 +0800 +Subject: fuse: Pass correct lend value to filemap_write_and_wait_range() +Git-commit: e388164ea385f04666c4633f5dc4f951fca71890 +Patch-mainline: v5.16 or v5.16-rc9 (next release) +References: bsc#1194953 + +The acceptable maximum value of lend parameter in +filemap_write_and_wait_range() is LLONG_MAX rather than -1. And there is +also some logic depending on LLONG_MAX check in write_cache_pages(). So +let's pass LLONG_MAX to filemap_write_and_wait_range() in +fuse_writeback_range() instead. + +Fixes: 59bda8ecee2f ("fuse: flush extending writes") +Signed-off-by: Xie Yongji +Cc: # v5.15 +Signed-off-by: Miklos Szeredi +Acked-by: Luis Henriques + +--- + fs/fuse/file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/fuse/file.c b/fs/fuse/file.c +index 9d6c5f6361f7..df81768c81a7 100644 +--- a/fs/fuse/file.c ++++ b/fs/fuse/file.c +@@ -2910,7 +2910,7 @@ fuse_direct_IO(struct kiocb *iocb, struct iov_iter *iter) + + static int fuse_writeback_range(struct inode *inode, loff_t start, loff_t end) + { +- int err = filemap_write_and_wait_range(inode->i_mapping, start, -1); ++ int err = filemap_write_and_wait_range(inode->i_mapping, start, LLONG_MAX); + + if (!err) + fuse_sync_writes(inode); + diff --git a/patches.suse/i3c-fix-incorrect-address-slot-lookup-on-64-bit.patch b/patches.suse/i3c-fix-incorrect-address-slot-lookup-on-64-bit.patch new file mode 100644 index 0000000..1deba20 --- /dev/null +++ b/patches.suse/i3c-fix-incorrect-address-slot-lookup-on-64-bit.patch @@ -0,0 +1,42 @@ +From f18f98110f2b179792cb70d85cba697320a3790f Mon Sep 17 00:00:00 2001 +From: Jamie Iles +Date: Wed, 22 Sep 2021 17:56:00 +0100 +Subject: [PATCH] i3c: fix incorrect address slot lookup on 64-bit +Git-commit: f18f98110f2b179792cb70d85cba697320a3790f +Patch-mainline: v5.17-rc1 +References: git-fixes + +The address slot bitmap is an array of unsigned long's which are the +same size as an int on 32-bit platforms but not 64-bit. Loading the +bitmap into an int could result in the incorrect status being returned +for a slot and slots being reported as the wrong status. + +Fixes: 3a379bbcea0a ("i3c: Add core I3C infrastructure") +Cc: Boris Brezillon +Cc: Alexandre Belloni +Signed-off-by: Jamie Iles +Signed-off-by: Alexandre Belloni +Link: https://lore.kernel.org/r/20210922165600.179394-1-quic_jiles@quicinc.com +Acked-by: Takashi Iwai + +--- + drivers/i3c/master.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c +index c3b4c677b442..dfe18dcd008d 100644 +--- a/drivers/i3c/master.c ++++ b/drivers/i3c/master.c +@@ -343,7 +343,8 @@ struct bus_type i3c_bus_type = { + static enum i3c_addr_slot_status + i3c_bus_get_addr_slot_status(struct i3c_bus *bus, u16 addr) + { +- int status, bitpos = addr * 2; ++ unsigned long status; ++ int bitpos = addr * 2; + + if (addr > I2C_MAX_ADDR) + return I3C_ADDR_SLOT_RSVD; +-- +2.31.1 + diff --git a/patches.suse/i3c-master-dw-check-return-of-dw_i3c_master_get_free.patch b/patches.suse/i3c-master-dw-check-return-of-dw_i3c_master_get_free.patch new file mode 100644 index 0000000..5875470 --- /dev/null +++ b/patches.suse/i3c-master-dw-check-return-of-dw_i3c_master_get_free.patch @@ -0,0 +1,45 @@ +From 13462ba1815db5a96891293a9cfaa2451f7bd623 Mon Sep 17 00:00:00 2001 +From: Tom Rix +Date: Sat, 8 Jan 2022 07:09:48 -0800 +Subject: [PATCH] i3c: master: dw: check return of dw_i3c_master_get_free_pos() +Git-commit: 13462ba1815db5a96891293a9cfaa2451f7bd623 +Patch-mainline: v5.17-rc1 +References: git-fixes + +Clang static analysis reports this problem +dw-i3c-master.c:799:9: warning: The result of the left shift is + undefined because the left operand is negative + COMMAND_PORT_DEV_INDEX(pos) | + ^~~~~~~~~~~~~~~~~~~~~~~~~~~ + +pos can be negative because dw_i3c_master_get_free_pos() can return an +error. So check for an error. + +Fixes: 1dd728f5d4d4 ("i3c: master: Add driver for Synopsys DesignWare IP") +Signed-off-by: Tom Rix +Signed-off-by: Alexandre Belloni +Link: https://lore.kernel.org/r/20220108150948.3988790-1-trix@redhat.com +Acked-by: Takashi Iwai + +--- + drivers/i3c/master/dw-i3c-master.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/i3c/master/dw-i3c-master.c b/drivers/i3c/master/dw-i3c-master.c +index 03a368da51b9..51a8608203de 100644 +--- a/drivers/i3c/master/dw-i3c-master.c ++++ b/drivers/i3c/master/dw-i3c-master.c +@@ -793,6 +793,10 @@ static int dw_i3c_master_daa(struct i3c_master_controller *m) + return -ENOMEM; + + pos = dw_i3c_master_get_free_pos(master); ++ if (pos < 0) { ++ dw_i3c_master_free_xfer(xfer); ++ return pos; ++ } + cmd = &xfer->cmds[0]; + cmd->cmd_hi = 0x1; + cmd->cmd_lo = COMMAND_PORT_DEV_COUNT(master->maxdevs - pos) | +-- +2.31.1 + diff --git a/patches.suse/intel_idle-Customize-IceLake-server-support.patch b/patches.suse/intel_idle-Customize-IceLake-server-support.patch new file mode 100644 index 0000000..556e014 --- /dev/null +++ b/patches.suse/intel_idle-Customize-IceLake-server-support.patch @@ -0,0 +1,99 @@ +From a472ad2bcea479ba068880125d7273fc95c14b70 Mon Sep 17 00:00:00 2001 +From: Chen Yu +Date: Fri, 10 Jul 2020 12:12:01 +0800 +Subject: [PATCH] intel_idle: Customize IceLake server support +Git-commit: a472ad2bcea479ba068880125d7273fc95c14b70 +Patch-mainline: v5.9-rc1 +References: jsc#SLE-12679 + +On ICX platform, the C1E auto-promotion is enabled by default. +As a result, the CPU might fall into C1E more offen than previous +platforms. Besides, the C1E is not exposed to sysfs on ICX, which +is inconsistent with previous server platforms. + +So disable C1E auto-promotion and expose C1E as a separate idle +state, so the C1E and C6 can be disabled via sysfs when necessary. + +Beside C1 and C1E, the exit latency of C6 was measured +by a dedicated tool. However the exit latency(41us) exposed +by _CST is much smaller than the one we measured(128us). This +is probably due to the _CST uses the exit latency when woken +up from PC0+C6, rather than PC6+C6 when C6 was measured. Choose +the latter as we need the longest latency in theory. + +Reported-by: kernel test robot +Tested-by: Artem Bityutskiy +Acked-by: Artem Bityutskiy +Reviewed-by: Zhang Rui +Signed-off-by: Chen Yu +Signed-off-by: Rafael J. Wysocki +Acked-by: Takashi Iwai + +--- + drivers/idle/intel_idle.c | 36 ++++++++++++++++++++++++++++++++++++ + 1 file changed, 36 insertions(+) + +diff --git a/drivers/idle/intel_idle.c b/drivers/idle/intel_idle.c +index 3f86f36dab2b..fd0fa9e7900b 100644 +--- a/drivers/idle/intel_idle.c ++++ b/drivers/idle/intel_idle.c +@@ -752,6 +752,35 @@ static struct cpuidle_state skx_cstates[] __initdata = { + .enter = NULL } + }; + ++static struct cpuidle_state icx_cstates[] __initdata = { ++ { ++ .name = "C1", ++ .desc = "MWAIT 0x00", ++ .flags = MWAIT2flg(0x00), ++ .exit_latency = 1, ++ .target_residency = 1, ++ .enter = &intel_idle, ++ .enter_s2idle = intel_idle_s2idle, }, ++ { ++ .name = "C1E", ++ .desc = "MWAIT 0x01", ++ .flags = MWAIT2flg(0x01) | CPUIDLE_FLAG_ALWAYS_ENABLE, ++ .exit_latency = 4, ++ .target_residency = 4, ++ .enter = &intel_idle, ++ .enter_s2idle = intel_idle_s2idle, }, ++ { ++ .name = "C6", ++ .desc = "MWAIT 0x20", ++ .flags = MWAIT2flg(0x20) | CPUIDLE_FLAG_TLB_FLUSHED, ++ .exit_latency = 128, ++ .target_residency = 384, ++ .enter = &intel_idle, ++ .enter_s2idle = intel_idle_s2idle, }, ++ { ++ .enter = NULL } ++}; ++ + static struct cpuidle_state atom_cstates[] __initdata = { + { + .name = "C1E", +@@ -1056,6 +1085,12 @@ static const struct idle_cpu idle_cpu_skx __initconst = { + .use_acpi = true, + }; + ++static const struct idle_cpu idle_cpu_icx __initconst = { ++ .state_table = icx_cstates, ++ .disable_promotion_to_c1e = true, ++ .use_acpi = true, ++}; ++ + static const struct idle_cpu idle_cpu_avn __initconst = { + .state_table = avn_cstates, + .disable_promotion_to_c1e = true, +@@ -1110,6 +1145,7 @@ static const struct x86_cpu_id intel_idle_ids[] __initconst = { + X86_MATCH_INTEL_FAM6_MODEL(KABYLAKE_L, &idle_cpu_skl), + X86_MATCH_INTEL_FAM6_MODEL(KABYLAKE, &idle_cpu_skl), + X86_MATCH_INTEL_FAM6_MODEL(SKYLAKE_X, &idle_cpu_skx), ++ X86_MATCH_INTEL_FAM6_MODEL(ICELAKE_X, &idle_cpu_icx), + X86_MATCH_INTEL_FAM6_MODEL(XEON_PHI_KNL, &idle_cpu_knl), + X86_MATCH_INTEL_FAM6_MODEL(XEON_PHI_KNM, &idle_cpu_knl), + X86_MATCH_INTEL_FAM6_MODEL(ATOM_GOLDMONT, &idle_cpu_bxt), +-- +2.16.4 + diff --git a/patches.suse/livepatch-Avoid-CPU-hogging-with-cond_resched.patch b/patches.suse/livepatch-Avoid-CPU-hogging-with-cond_resched.patch new file mode 100644 index 0000000..6b7cb54 --- /dev/null +++ b/patches.suse/livepatch-Avoid-CPU-hogging-with-cond_resched.patch @@ -0,0 +1,66 @@ +From: David Vernet +Date: Wed, 29 Dec 2021 13:56:47 -0800 +Subject: livepatch: Avoid CPU hogging with cond_resched +Git-commit: f5bdb34bf0c9314548f2d8e2360b703ff3610303 +Patch-mainline: v5.16 or v5.16-rc9 (next release) +References: bsc#1071995 + +When initializing a 'struct klp_object' in klp_init_object_loaded(), and +performing relocations in klp_resolve_symbols(), klp_find_object_symbol() +is invoked to look up the address of a symbol in an already-loaded module +(or vmlinux). This, in turn, calls kallsyms_on_each_symbol() or +module_kallsyms_on_each_symbol() to find the address of the symbol that is +being patched. + +It turns out that symbol lookups often take up the most CPU time when +enabling and disabling a patch, and may hog the CPU and cause other tasks +on that CPU's runqueue to starve -- even in paths where interrupts are +enabled. For example, under certain workloads, enabling a KLP patch with +many objects or functions may cause ksoftirqd to be starved, and thus for +interrupts to be backlogged and delayed. This may end up causing TCP +retransmits on the host where the KLP patch is being applied, and in +general, may cause any interrupts serviced by softirqd to be delayed while +the patch is being applied. + +So as to ensure that kallsyms_on_each_symbol() does not end up hogging the +CPU, this patch adds a call to cond_resched() in kallsyms_on_each_symbol() +and module_kallsyms_on_each_symbol(), which are invoked when doing a symbol +lookup in vmlinux and a module respectively. Without this patch, if a +live-patch is applied on a 36-core Intel host with heavy TCP traffic, a +~10x spike is observed in TCP retransmits while the patch is being applied. +Additionally, collecting sched events with perf indicates that ksoftirqd is +awakened ~1.3 seconds before it's eventually scheduled. With the patch, no +increase in TCP retransmit events is observed, and ksoftirqd is scheduled +shortly after it's awakened. + +Signed-off-by: David Vernet +Acked-by: Miroslav Benes +Acked-by: Song Liu +Signed-off-by: Petr Mladek +Link: https://lore.kernel.org/r/20211229215646.830451-1-void@manifault.com +--- + kernel/kallsyms.c | 1 + + kernel/module.c | 2 ++ + 2 files changed, 3 insertions(+) + +--- a/kernel/kallsyms.c ++++ b/kernel/kallsyms.c +@@ -190,6 +190,7 @@ int kallsyms_on_each_symbol(int (*fn)(vo + ret = fn(data, namebuf, NULL, kallsyms_sym_address(i)); + if (ret != 0) + return ret; ++ cond_resched(); + } + return module_kallsyms_on_each_symbol(fn, data); + } +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -4301,6 +4301,8 @@ int module_kallsyms_on_each_symbol(int ( + mod, kallsyms_symbol_value(sym)); + if (ret != 0) + return ret; ++ ++ cond_resched(); + } + } + return 0; diff --git a/patches.suse/nvme-tcp-block-BH-in-sk-state_change-sk-callback.patch b/patches.suse/nvme-tcp-block-BH-in-sk-state_change-sk-callback.patch new file mode 100644 index 0000000..ddc6e27 --- /dev/null +++ b/patches.suse/nvme-tcp-block-BH-in-sk-state_change-sk-callback.patch @@ -0,0 +1,43 @@ +From: Sagi Grimberg +Date: Sun, 21 Mar 2021 00:08:48 -0700 +Subject: [PATCH] nvme-tcp: block BH in sk state_change sk callback +Git-commit: 8b73b45d54a14588f86792869bfb23098ea254cb +Patch-mainline: v5.13-rc1 +References: git-fixes + +The TCP stack can run from process context for a long time +so we should disable BH here. + +Fixes: 3f2304f8c6d6 ("nvme-tcp: add NVMe over TCP host driver") +Signed-off-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Acked-by: Hannes Reinecke +--- + drivers/nvme/host/tcp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c +index 7de9bee1e5e9..b9e8ea3a7501 100644 +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -870,7 +870,7 @@ static void nvme_tcp_state_change(struct sock *sk) + { + struct nvme_tcp_queue *queue; + +- read_lock(&sk->sk_callback_lock); ++ read_lock_bh(&sk->sk_callback_lock); + queue = sk->sk_user_data; + if (!queue) + goto done; +@@ -891,7 +891,7 @@ static void nvme_tcp_state_change(struct sock *sk) + + queue->state_change(sk); + done: +- read_unlock(&sk->sk_callback_lock); ++ read_unlock_bh(&sk->sk_callback_lock); + } + + static inline bool nvme_tcp_queue_more(struct nvme_tcp_queue *queue) +-- +2.29.2 + diff --git a/patches.suse/nvme-tcp-can-t-set-sk_user_data-without-write_lock.patch b/patches.suse/nvme-tcp-can-t-set-sk_user_data-without-write_lock.patch new file mode 100644 index 0000000..58ebbcf --- /dev/null +++ b/patches.suse/nvme-tcp-can-t-set-sk_user_data-without-write_lock.patch @@ -0,0 +1,41 @@ +From: Maurizio Lombardi +Date: Fri, 2 Jul 2021 10:11:21 +0200 +Subject: [PATCH] nvme-tcp: can't set sk_user_data without write_lock +Git-commit: 0755d3be2d9bb6ea38598ccd30d6bbaa1a5c3a50 +Patch-mainline: v5.14-rc1 +References: git-fixes + +The sk_user_data pointer is supposed to be modified only while +holding the write_lock "sk_callback_lock", otherwise +we could race with other threads and crash the kernel. + +we can't take the write_lock in nvmet_tcp_state_change() +because it would cause a deadlock, but the release_work queue +will set the pointer to NULL later so we can simply remove +the assignment. + +Fixes: b5332a9f3f3d ("nvmet-tcp: fix incorrect locking in state_change sk callback") + +Signed-off-by: Maurizio Lombardi +Reviewed-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Acked-by: Hannes Reinecke +--- + drivers/nvme/target/tcp.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c +index d8aceef83284..07ee347ea3f3 100644 +--- a/drivers/nvme/target/tcp.c ++++ b/drivers/nvme/target/tcp.c +@@ -1497,7 +1497,6 @@ static void nvmet_tcp_state_change(struct sock *sk) + case TCP_CLOSE_WAIT: + case TCP_CLOSE: + /* FALLTHRU */ +- sk->sk_user_data = NULL; + nvmet_tcp_schedule_release_queue(queue); + break; + default: +-- +2.29.2 + diff --git a/patches.suse/nvme-tcp-check-sgl-supported-by-target.patch b/patches.suse/nvme-tcp-check-sgl-supported-by-target.patch new file mode 100644 index 0000000..3f1fade --- /dev/null +++ b/patches.suse/nvme-tcp-check-sgl-supported-by-target.patch @@ -0,0 +1,37 @@ +From: Max Gurtovoy +Date: Tue, 30 Mar 2021 23:01:19 +0000 +Subject: [PATCH] nvme-tcp: check sgl supported by target +Git-commit: 73ffcefcfca047e5c13a3f81d2cf22eff18732c1 +Patch-mainline: v5.13-rc1 +References: git-fixes + +SGLs support is mandatory for NVMe/tcp, make sure that the target is +aligned to the specification. + +Signed-off-by: Max Gurtovoy +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Christoph Hellwig +Acked-by: Hannes Reinecke +--- + drivers/nvme/host/tcp.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c +index b9e8ea3a7501..8e55d8bc0c50 100644 +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -1966,6 +1966,11 @@ static int nvme_tcp_setup_ctrl(struct nvme_ctrl *ctrl, bool new) + goto destroy_admin; + } + ++ if (!(ctrl->sgls & ((1 << 0) | (1 << 1)))) { ++ dev_err(ctrl->device, "Mandatory sgls are not supported!\n"); ++ goto destroy_admin; ++ } ++ + if (opts->queue_size > ctrl->sqsize + 1) + dev_warn(ctrl->device, + "queue_size %zu > ctrl sqsize %u, clamping down\n", +-- +2.29.2 + diff --git a/patches.suse/nvme-tcp-don-t-update-queue-count-when-failing-to-se.patch b/patches.suse/nvme-tcp-don-t-update-queue-count-when-failing-to-se.patch new file mode 100644 index 0000000..d28959c --- /dev/null +++ b/patches.suse/nvme-tcp-don-t-update-queue-count-when-failing-to-se.patch @@ -0,0 +1,45 @@ +From: Ruozhu Li +Date: Sat, 7 Aug 2021 11:50:23 +0800 +Subject: [PATCH] nvme-tcp: don't update queue count when failing to set io + queues +Git-commit: 664227fde63844d69e9ec9e90a8a7801e6ff072d +Patch-mainline: v5.15-rc1 +References: git-fixes + +We update ctrl->queue_count and schedule another reconnect when io queue +count is zero.But we will never try to create any io queue in next reco- +nnection, because ctrl->queue_count already set to zero.We will end up +having an admin-only session in Live state, which is exactly what we try +to avoid in the original patch. +Update ctrl->queue_count after queue_count zero checking to fix it. + +Signed-off-by: Ruozhu Li +Signed-off-by: Christoph Hellwig +Acked-by: Hannes Reinecke +--- + drivers/nvme/host/tcp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c +index 95d4cf777d24..645025620154 100644 +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -1763,13 +1763,13 @@ static int nvme_tcp_alloc_io_queues(struct nvme_ctrl *ctrl) + if (ret) + return ret; + +- ctrl->queue_count = nr_io_queues + 1; +- if (ctrl->queue_count < 2) { ++ if (nr_io_queues == 0) { + dev_err(ctrl->device, + "unable to set any I/O queues\n"); + return -ENOMEM; + } + ++ ctrl->queue_count = nr_io_queues + 1; + dev_info(ctrl->device, + "creating %d I/O queues.\n", nr_io_queues); + +-- +2.29.2 + diff --git a/patches.suse/nvme-tcp-fix-a-NULL-deref-when-receiving-a-0-length-.patch b/patches.suse/nvme-tcp-fix-a-NULL-deref-when-receiving-a-0-length-.patch new file mode 100644 index 0000000..2e350dd --- /dev/null +++ b/patches.suse/nvme-tcp-fix-a-NULL-deref-when-receiving-a-0-length-.patch @@ -0,0 +1,42 @@ +From: Sagi Grimberg +Date: Mon, 15 Mar 2021 14:08:11 -0700 +Subject: [PATCH] nvme-tcp: fix a NULL deref when receiving a 0-length r2t PDU +Git-commit: fd0823f405090f9f410fc3e3ff7efb52e7b486fa +Patch-mainline: v5.12-rc1 +References: git-fixes + +When the controller sends us a 0-length r2t PDU we should not attempt to +try to set up a h2cdata PDU but rather conclude that this is a buggy +controller (forward progress is not possible) and simply fail it +immediately. + +Fixes: 3f2304f8c6d6 ("nvme-tcp: add NVMe over TCP host driver") +Reported-by: Belanger, Martin +Signed-off-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Acked-by: Hannes Reinecke +--- + drivers/nvme/host/tcp.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c +index c535836e7065..5b23e1d52cb3 100644 +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -568,6 +568,13 @@ static int nvme_tcp_setup_h2c_data_pdu(struct nvme_tcp_request *req, + req->pdu_len = le32_to_cpu(pdu->r2t_length); + req->pdu_sent = 0; + ++ if (unlikely(!req->pdu_len)) { ++ dev_err(queue->ctrl->ctrl.device, ++ "req %d r2t len is %u, probably a bug...\n", ++ rq->tag, req->pdu_len); ++ return -EPROTO; ++ } ++ + if (unlikely(req->data_sent + req->pdu_len > req->data_len)) { + dev_err(queue->ctrl->ctrl.device, + "req %d r2t len %u exceeded data len %u (%zu sent)\n", +-- +2.29.2 + diff --git a/patches.suse/nvme-tcp-fix-crash-triggered-with-a-dataless-request.patch b/patches.suse/nvme-tcp-fix-crash-triggered-with-a-dataless-request.patch new file mode 100644 index 0000000..467f95f --- /dev/null +++ b/patches.suse/nvme-tcp-fix-crash-triggered-with-a-dataless-request.patch @@ -0,0 +1,78 @@ +From: Sagi Grimberg +Date: Wed, 10 Feb 2021 14:04:00 -0800 +Subject: [PATCH] nvme-tcp: fix crash triggered with a dataless request + submission +Git-commit: e11e5116171dedeaf63735931e72ad5de0f30ed5 +Patch-mainline: v5.12-rc1 +References: git-fixes + +write-zeros has a bio, but does not have any data buffers associated +with it. Hence should not initialize the request iter for it (which +attempts to reference the bi_io_vec (and crash). +-- + run blktests nvme/012 at 2021-02-05 21:53:34 + BUG: kernel NULL pointer dereference, address: 0000000000000008 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: 0000 [#1] SMP NOPTI + CPU: 15 PID: 12069 Comm: kworker/15:2H Tainted: G S I 5.11.0-rc6+ #1 + Hardware name: Dell Inc. PowerEdge R640/06NR82, BIOS 2.10.0 11/12/2020 + Workqueue: kblockd blk_mq_run_work_fn + RIP: 0010:nvme_tcp_init_iter+0x7d/0xd0 [nvme_tcp] + RSP: 0018:ffffbd084447bd18 EFLAGS: 00010246 + RAX: 0000000000000000 RBX: ffffa0bba9f3ce80 RCX: 0000000000000000 + RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000002000000 + RBP: ffffa0ba8ac6fec0 R08: 0000000002000000 R09: 0000000000000000 + R10: 0000000002800809 R11: 0000000000000000 R12: 0000000000000000 + R13: ffffa0bba9f3cf90 R14: 0000000000000000 R15: 0000000000000000 + FS: 0000000000000000(0000) GS:ffffa0c9ff9c0000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000008 CR3: 00000001c9c6c005 CR4: 00000000007706e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + PKRU: 55555554 + Call Trace: + nvme_tcp_queue_rq+0xef/0x330 [nvme_tcp] + blk_mq_dispatch_rq_list+0x11c/0x7c0 + ? blk_mq_flush_busy_ctxs+0xf6/0x110 + __blk_mq_sched_dispatch_requests+0x12b/0x170 + blk_mq_sched_dispatch_requests+0x30/0x60 + __blk_mq_run_hw_queue+0x2b/0x60 + process_one_work+0x1cb/0x360 + ? process_one_work+0x360/0x360 + worker_thread+0x30/0x370 + ? process_one_work+0x360/0x360 + kthread+0x116/0x130 + ? kthread_park+0x80/0x80 + ret_from_fork+0x1f/0x30 +-- + +Fixes: cb9b870fba3e ("nvme-tcp: fix wrong setting of request iov_iter") +Reported-by: Yi Zhang +Signed-off-by: Sagi Grimberg +Reviewed-by: Keith Busch +Reviewed-by: Chaitanya Kulkarni +Tested-by: Yi Zhang +Signed-off-by: Christoph Hellwig +Acked-by: Hannes Reinecke +--- + drivers/nvme/host/tcp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c +index 619b0d8f6e38..69f59d2c5799 100644 +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -2271,7 +2271,7 @@ static blk_status_t nvme_tcp_setup_cmd_pdu(struct nvme_ns *ns, + req->data_len = blk_rq_nr_phys_segments(rq) ? + blk_rq_payload_bytes(rq) : 0; + req->curr_bio = rq->bio; +- if (req->curr_bio) ++ if (req->curr_bio && req->data_len) + nvme_tcp_init_iter(req, rq_data_dir(rq)); + + if (rq_data_dir(rq) == WRITE && +-- +2.29.2 + diff --git a/patches.suse/nvme-tcp-fix-error-codes-in-nvme_tcp_setup_ctrl.patch b/patches.suse/nvme-tcp-fix-error-codes-in-nvme_tcp_setup_ctrl.patch new file mode 100644 index 0000000..271d316 --- /dev/null +++ b/patches.suse/nvme-tcp-fix-error-codes-in-nvme_tcp_setup_ctrl.patch @@ -0,0 +1,41 @@ +From: Dan Carpenter +Date: Sat, 5 Jun 2021 15:48:16 +0300 +Subject: [PATCH] nvme-tcp: fix error codes in nvme_tcp_setup_ctrl() +Git-commit: 522af60cb2f8e3658bda1902fb7f200dcf888a5c +Patch-mainline: v5.14-rc1 +References: git-fixes + +These error paths currently return success but they should return +-EOPNOTSUPP. + +Fixes: 73ffcefcfca0 ("nvme-tcp: check sgl supported by target") +Fixes: 3f2304f8c6d6 ("nvme-tcp: add NVMe over TCP host driver") +Signed-off-by: Dan Carpenter +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Christoph Hellwig +Acked-by: Hannes Reinecke +--- + drivers/nvme/host/tcp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c +index 5fc6c568c626..6a65b0516180 100644 +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -1988,11 +1988,13 @@ static int nvme_tcp_setup_ctrl(struct nvme_ctrl *ctrl, bool new) + return ret; + + if (ctrl->icdoff) { ++ ret = -EOPNOTSUPP; + dev_err(ctrl->device, "icdoff is not supported!\n"); + goto destroy_admin; + } + + if (!(ctrl->sgls & ((1 << 0) | (1 << 1)))) { ++ ret = -EOPNOTSUPP; + dev_err(ctrl->device, "Mandatory sgls are not supported!\n"); + goto destroy_admin; + } +-- +2.29.2 + diff --git a/patches.suse/nvme-tcp-fix-io_work-priority-inversion.patch b/patches.suse/nvme-tcp-fix-io_work-priority-inversion.patch new file mode 100644 index 0000000..3029b5f --- /dev/null +++ b/patches.suse/nvme-tcp-fix-io_work-priority-inversion.patch @@ -0,0 +1,84 @@ +From: Keith Busch +Date: Thu, 9 Sep 2021 08:54:52 -0700 +Subject: [PATCH] nvme-tcp: fix io_work priority inversion +Git-commit: 70f437fb4395ad4d1d16fab9a1ad9fbc9fc0579b +Patch-mainline: v5.15-rc1 +References: git-fixes + +Dispatching requests inline with the .queue_rq() call may block while +holding the send_mutex. If the tcp io_work also happens to schedule, it +may see the req_list is non-empty, leaving "pending" true and remaining +in TASK_RUNNING. Since io_work is of higher scheduling priority, the +.queue_rq task may not get a chance to run, blocking forward progress +and leading to io timeouts. + +Instead of checking for pending requests within io_work, let the queueing +restart io_work outside the send_mutex lock if there is more work to be +done. + +Fixes: a0fdd1418007f ("nvme-tcp: rerun io_work if req_list is not empty") +Reported-by: Samuel Jones +Signed-off-by: Keith Busch +Reviewed-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Acked-by: Hannes Reinecke +--- + drivers/nvme/host/tcp.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c +index e2ab12f3f51c..e4249b7dc056 100644 +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -274,6 +274,12 @@ static inline void nvme_tcp_send_all(struct nvme_tcp_queue *queue) + } while (ret > 0); + } + ++static inline bool nvme_tcp_queue_more(struct nvme_tcp_queue *queue) ++{ ++ return !list_empty(&queue->send_list) || ++ !llist_empty(&queue->req_list) || queue->more_requests; ++} ++ + static inline void nvme_tcp_queue_request(struct nvme_tcp_request *req, + bool sync, bool last) + { +@@ -294,9 +300,10 @@ static inline void nvme_tcp_queue_request(struct nvme_tcp_request *req, + nvme_tcp_send_all(queue); + queue->more_requests = false; + mutex_unlock(&queue->send_mutex); +- } else if (last) { +- queue_work_on(queue->io_cpu, nvme_tcp_wq, &queue->io_work); + } ++ ++ if (last && nvme_tcp_queue_more(queue)) ++ queue_work_on(queue->io_cpu, nvme_tcp_wq, &queue->io_work); + } + + static void nvme_tcp_process_req_list(struct nvme_tcp_queue *queue) +@@ -906,12 +913,6 @@ static void nvme_tcp_state_change(struct sock *sk) + read_unlock_bh(&sk->sk_callback_lock); + } + +-static inline bool nvme_tcp_queue_more(struct nvme_tcp_queue *queue) +-{ +- return !list_empty(&queue->send_list) || +- !llist_empty(&queue->req_list) || queue->more_requests; +-} +- + static inline void nvme_tcp_done_send_req(struct nvme_tcp_queue *queue) + { + queue->request = NULL; +@@ -1145,8 +1146,7 @@ static void nvme_tcp_io_work(struct work_struct *w) + pending = true; + else if (unlikely(result < 0)) + break; +- } else +- pending = !llist_empty(&queue->req_list); ++ } + + result = nvme_tcp_try_recv(queue); + if (result > 0) +-- +2.29.2 + diff --git a/patches.suse/nvme-tcp-fix-possible-data-corruption-with-bio-merge.patch b/patches.suse/nvme-tcp-fix-possible-data-corruption-with-bio-merge.patch new file mode 100644 index 0000000..02a0985 --- /dev/null +++ b/patches.suse/nvme-tcp-fix-possible-data-corruption-with-bio-merge.patch @@ -0,0 +1,44 @@ +From: Sagi Grimberg +Date: Wed, 13 Jan 2021 13:56:57 -0800 +Subject: [PATCH] nvme-tcp: fix possible data corruption with bio merges +Git-commit: ca1ff67d0fb14f39cf0cc5102b1fbcc3b14f6fb9 +Patch-mainline: v5.11-rc1 +References: git-fixes + +When a bio merges, we can get a request that spans multiple +bios, and the overall request payload size is the sum of +all bios. When we calculate how much we need to send +from the existing bio (and bvec), we did not take into +account the iov_iter byte count cap. + +Since multipage bvecs support, bvecs can split in the middle +which means that when we account for the last bvec send we +should also take the iov_iter byte count cap as it might be +lower than the last bvec size. + +Reported-by: Hao Wang +Fixes: 3f2304f8c6d6 ("nvme-tcp: add NVMe over TCP host driver") +Tested-by: Hao Wang +Signed-off-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Acked-by: Hannes Reinecke +--- + drivers/nvme/host/tcp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c +index b2e0865785ef..216619926563 100644 +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -201,7 +201,7 @@ static inline size_t nvme_tcp_req_cur_offset(struct nvme_tcp_request *req) + + static inline size_t nvme_tcp_req_cur_length(struct nvme_tcp_request *req) + { +- return min_t(size_t, req->iter.bvec->bv_len - req->iter.iov_offset, ++ return min_t(size_t, iov_iter_single_seg_count(&req->iter), + req->pdu_len - req->pdu_sent); + } + +-- +2.29.2 + diff --git a/patches.suse/nvme-tcp-fix-possible-req-offset-corruption.patch b/patches.suse/nvme-tcp-fix-possible-req-offset-corruption.patch new file mode 100644 index 0000000..da0d3f0 --- /dev/null +++ b/patches.suse/nvme-tcp-fix-possible-req-offset-corruption.patch @@ -0,0 +1,57 @@ +From: Varun Prakash +Date: Tue, 26 Oct 2021 19:01:55 +0530 +Subject: [PATCH] nvme-tcp: fix possible req->offset corruption +Git-commit: ce7723e9cdae4eb3030da082876580f4b2dc0861 +Patch-mainline: v5.15-rc1 +References: git-fixes + +With commit db5ad6b7f8cd ("nvme-tcp: try to send request in queue_rq +context") r2t and response PDU can get processed while send function +is executing. + +Current data digest send code uses req->offset after kernel_sendmsg(), +this creates a race condition where req->offset gets reset before it +is used in send function. + +This can happen in two cases - +1. Target sends r2t PDU which resets req->offset. +2. Target send response PDU which completes the req and then req is + used for a new command, nvme_tcp_setup_cmd_pdu() resets req->offset. + +Fix this by storing req->offset in a local variable and using +this local variable after kernel_sendmsg(). + +Fixes: db5ad6b7f8cd ("nvme-tcp: try to send request in queue_rq context") +Signed-off-by: Varun Prakash +Reviewed-by: Keith Busch +Reviewed-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Acked-by: Hannes Reinecke +--- + drivers/nvme/host/tcp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c +index 0626d14e6d4c..1a209f0d7181 100644 +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -1050,6 +1050,7 @@ static int nvme_tcp_try_send_data_pdu(struct nvme_tcp_request *req) + static int nvme_tcp_try_send_ddgst(struct nvme_tcp_request *req) + { + struct nvme_tcp_queue *queue = req->queue; ++ size_t offset = req->offset; + int ret; + struct msghdr msg = { .msg_flags = MSG_DONTWAIT }; + struct kvec iov = { +@@ -1066,7 +1067,7 @@ static int nvme_tcp_try_send_ddgst(struct nvme_tcp_request *req) + if (unlikely(ret <= 0)) + return ret; + +- if (req->offset + ret == NVME_TCP_DIGEST_LENGTH) { ++ if (offset + ret == NVME_TCP_DIGEST_LENGTH) { + nvme_tcp_done_send_req(queue); + return 1; + } +-- +2.29.2 + diff --git a/patches.suse/nvme-tcp-fix-wrong-setting-of-request-iov_iter.patch b/patches.suse/nvme-tcp-fix-wrong-setting-of-request-iov_iter.patch new file mode 100644 index 0000000..22b19d5 --- /dev/null +++ b/patches.suse/nvme-tcp-fix-wrong-setting-of-request-iov_iter.patch @@ -0,0 +1,56 @@ +From: Sagi Grimberg +Date: Thu, 14 Jan 2021 13:15:24 -0800 +Subject: [PATCH] nvme-tcp: fix wrong setting of request iov_iter +Git-commit: cb9b870fba3eba57cf3bcd7c6c4d4aa88bc5fe70 +Patch-mainline: v5.12-rc1 +References: git-fixes + +We might set the iov_iter direction wrong, which is harmless for this +use-case, but get it right. Also this makes the code slightly cleaner. + +Signed-off-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Acked-by: Hannes Reinecke +--- + drivers/nvme/host/tcp.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c +index 881d28eb15e9..4367923d03e4 100644 +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -983,7 +983,6 @@ static int nvme_tcp_try_send_cmd_pdu(struct nvme_tcp_request *req) + req->state = NVME_TCP_SEND_DATA; + if (queue->data_digest) + crypto_ahash_init(queue->snd_hash); +- nvme_tcp_init_iter(req, WRITE); + } else { + nvme_tcp_done_send_req(queue); + } +@@ -1016,8 +1015,6 @@ static int nvme_tcp_try_send_data_pdu(struct nvme_tcp_request *req) + req->state = NVME_TCP_SEND_DATA; + if (queue->data_digest) + crypto_ahash_init(queue->snd_hash); +- if (!req->data_sent) +- nvme_tcp_init_iter(req, WRITE); + return 1; + } + req->offset += ret; +@@ -2268,12 +2265,12 @@ static blk_status_t nvme_tcp_setup_cmd_pdu(struct nvme_ns *ns, + req->data_len = blk_rq_nr_phys_segments(rq) ? + blk_rq_payload_bytes(rq) : 0; + req->curr_bio = rq->bio; ++ if (req->curr_bio) ++ nvme_tcp_init_iter(req, rq_data_dir(rq)); + + if (rq_data_dir(rq) == WRITE && + req->data_len <= nvme_tcp_inline_data_size(queue)) + req->pdu_len = req->data_len; +- else if (req->curr_bio) +- nvme_tcp_init_iter(req, READ); + + pdu->hdr.type = nvme_tcp_cmd; + pdu->hdr.flags = 0; +-- +2.29.2 + diff --git a/patches.suse/nvme-tcp-get-rid-of-unused-helper-function.patch b/patches.suse/nvme-tcp-get-rid-of-unused-helper-function.patch new file mode 100644 index 0000000..1d23996 --- /dev/null +++ b/patches.suse/nvme-tcp-get-rid-of-unused-helper-function.patch @@ -0,0 +1,33 @@ +From: Sagi Grimberg +Date: Thu, 14 Jan 2021 13:15:25 -0800 +Subject: [PATCH] nvme-tcp: get rid of unused helper function +Git-commit: 60141aa08c08a43f3d22626b3a2532106a90a191 +Patch-mainline: v5.12-rc1 +References: git-fixes + +Signed-off-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Acked-by: Hannes Reinecke +--- + drivers/nvme/host/tcp.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c +index 4367923d03e4..f2f3471faed3 100644 +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -206,11 +206,6 @@ static inline size_t nvme_tcp_req_cur_length(struct nvme_tcp_request *req) + req->pdu_len - req->pdu_sent); + } + +-static inline size_t nvme_tcp_req_offset(struct nvme_tcp_request *req) +-{ +- return req->iter.iov_offset; +-} +- + static inline size_t nvme_tcp_pdu_data_left(struct nvme_tcp_request *req) + { + return rq_data_dir(blk_mq_rq_from_pdu(req)) == WRITE ? +-- +2.29.2 + diff --git a/patches.suse/nvme-tcp-pair-send_mutex-init-with-destroy.patch b/patches.suse/nvme-tcp-pair-send_mutex-init-with-destroy.patch new file mode 100644 index 0000000..a1ef47f --- /dev/null +++ b/patches.suse/nvme-tcp-pair-send_mutex-init-with-destroy.patch @@ -0,0 +1,40 @@ +From: Keith Busch +Date: Fri, 6 Aug 2021 08:41:43 -0700 +Subject: [PATCH] nvme-tcp: pair send_mutex init with destroy +Git-commit: d48f92cd2739258a1292be56bbeadb5b6a57ea09 +Patch-mainline: v5.15-rc1 +References: git-fixes + +Each mutex_init() should have a corresponding mutex_destroy(). + +Signed-off-by: Keith Busch +Reviewed-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Acked-by: Hannes Reinecke +--- + drivers/nvme/host/tcp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c +index 0a97ba02f61e..95d4cf777d24 100644 +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -1220,6 +1220,7 @@ static void nvme_tcp_free_queue(struct nvme_ctrl *nctrl, int qid) + + sock_release(queue->sock); + kfree(queue->pdu); ++ mutex_destroy(&queue->send_mutex); + mutex_destroy(&queue->queue_lock); + } + +@@ -1525,6 +1526,7 @@ static int nvme_tcp_alloc_queue(struct nvme_ctrl *nctrl, + sock_release(queue->sock); + queue->sock = NULL; + err_destroy_mutex: ++ mutex_destroy(&queue->send_mutex); + mutex_destroy(&queue->queue_lock); + return ret; + } +-- +2.29.2 + diff --git a/patches.suse/nvme-tcp-pass-multipage-bvec-to-request-iov_iter.patch b/patches.suse/nvme-tcp-pass-multipage-bvec-to-request-iov_iter.patch new file mode 100644 index 0000000..87f10e6 --- /dev/null +++ b/patches.suse/nvme-tcp-pass-multipage-bvec-to-request-iov_iter.patch @@ -0,0 +1,61 @@ +From: Sagi Grimberg +Date: Thu, 14 Jan 2021 13:15:26 -0800 +Subject: [PATCH] nvme-tcp: pass multipage bvec to request iov_iter +Git-commit: 0dc9edaf80ea3c48231d94cd482355699d453888 +Patch-mainline: v5.12-rc1 +References: git-fixes + +iov_iter uses the right helpers so we should be able +to pass in a multipage bvec. Right now the iov_iter is +initialized with more segments that it needs which doesn't +fail because the iov_iter is capped by byte count, but it +is better to use a full multipage bvec iter. + +Signed-off-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Acked-by: Hannes Reinecke +--- + drivers/nvme/host/tcp.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c +index f2f3471faed3..4c13c7110dbe 100644 +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -224,24 +224,29 @@ static void nvme_tcp_init_iter(struct nvme_tcp_request *req, + struct request *rq = blk_mq_rq_from_pdu(req); + struct bio_vec *vec; + unsigned int size; +- int nsegs; ++ int nr_bvec; + size_t offset; + + if (rq->rq_flags & RQF_SPECIAL_PAYLOAD) { + vec = &rq->special_vec; +- nsegs = 1; ++ nr_bvec = 1; + size = blk_rq_payload_bytes(rq); + offset = 0; + } else { + struct bio *bio = req->curr_bio; ++ struct bvec_iter bi; ++ struct bio_vec bv; + + vec = __bvec_iter_bvec(bio->bi_io_vec, bio->bi_iter); +- nsegs = bio_segments(bio); ++ nr_bvec = 0; ++ bio_for_each_bvec(bv, bio, bi) { ++ nr_bvec++; ++ } + size = bio->bi_iter.bi_size; + offset = bio->bi_iter.bi_bvec_done; + } + +- iov_iter_bvec(&req->iter, dir, vec, nsegs, size); ++ iov_iter_bvec(&req->iter, dir, vec, nr_bvec, size); + req->iter.iov_offset = offset; + } + +-- +2.29.2 + diff --git a/patches.suse/nvme-tcp-remove-incorrect-Kconfig-dep-in-BLK_DEV_NVM.patch b/patches.suse/nvme-tcp-remove-incorrect-Kconfig-dep-in-BLK_DEV_NVM.patch new file mode 100644 index 0000000..5587782 --- /dev/null +++ b/patches.suse/nvme-tcp-remove-incorrect-Kconfig-dep-in-BLK_DEV_NVM.patch @@ -0,0 +1,35 @@ +From: Sagi Grimberg +Date: Fri, 21 May 2021 14:51:15 -0700 +Subject: [PATCH] nvme-tcp: remove incorrect Kconfig dep in BLK_DEV_NVME +Git-commit: 042a3eaad6daeabcfaf163aa44da8ea3cf8b5496 +Patch-mainline: v5.13-rc1 +References: git-fixes + +We need to select NVME_CORE. + +Signed-off-by: Sagi Grimberg +Reviewed-by: Max Gurtovoy +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Christoph Hellwig +Acked-by: Hannes Reinecke +--- + drivers/nvme/host/Kconfig | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/Kconfig b/drivers/nvme/host/Kconfig +index a44d49d63968..494675aeaaad 100644 +--- a/drivers/nvme/host/Kconfig ++++ b/drivers/nvme/host/Kconfig +@@ -71,7 +71,8 @@ config NVME_FC + config NVME_TCP + tristate "NVM Express over Fabrics TCP host driver" + depends on INET +- depends on BLK_DEV_NVME ++ depends on BLOCK ++ select NVME_CORE + select NVME_FABRICS + select CRYPTO + select CRYPTO_CRC32C +-- +2.29.2 + diff --git a/patches.suse/powerpc-64s-fix-program-check-interrupt-emergency-st.patch b/patches.suse/powerpc-64s-fix-program-check-interrupt-emergency-st.patch new file mode 100644 index 0000000..5f36e5e --- /dev/null +++ b/patches.suse/powerpc-64s-fix-program-check-interrupt-emergency-st.patch @@ -0,0 +1,144 @@ +From 3e607dc4df180b72a38e75030cb0f94d12808712 Mon Sep 17 00:00:00 2001 +From: Nicholas Piggin +Date: Tue, 5 Oct 2021 00:56:38 +1000 +Subject: [PATCH] powerpc/64s: fix program check interrupt emergency stack path + +References: bsc#1156395 +Patch-mainline: v5.15-rc5 +Git-commit: 3e607dc4df180b72a38e75030cb0f94d12808712 + +Emergency stack path was jumping into a 3: label inside the +__GEN_COMMON_BODY macro for the normal path after it had finished, +rather than jumping over it. By a small miracle this is the correct +place to build up a new interrupt frame with the existing stack +pointer, so things basically worked okay with an added weird looking +700 trap frame on top (which had the wrong ->nip so it didn't decode +bug messages either). + +Fix this by avoiding using numeric labels when jumping over non-trivial +macros. + +Before: + + LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV + Modules linked in: + CPU: 0 PID: 88 Comm: sh Not tainted 5.15.0-rc2-00034-ge057cdade6e5 #2637 + NIP: 7265677368657265 LR: c00000000006c0c8 CTR: c0000000000097f0 + REGS: c0000000fffb3a50 TRAP: 0700 Not tainted + MSR: 9000000000021031 CR: 00000700 XER: 20040000 + CFAR: c0000000000098b0 IRQMASK: 0 + GPR00: c00000000006c964 c0000000fffb3cf0 c000000001513800 0000000000000000 + GPR04: 0000000048ab0778 0000000042000000 0000000000000000 0000000000001299 + GPR08: 000001e447c718ec 0000000022424282 0000000000002710 c00000000006bee8 + GPR12: 9000000000009033 c0000000016b0000 00000000000000b0 0000000000000001 + GPR16: 0000000000000000 0000000000000002 0000000000000000 0000000000000ff8 + GPR20: 0000000000001fff 0000000000000007 0000000000000080 00007fff89d90158 + GPR24: 0000000002000000 0000000002000000 0000000000000255 0000000000000300 + GPR28: c000000001270000 0000000042000000 0000000048ab0778 c000000080647e80 + NIP [7265677368657265] 0x7265677368657265 + LR [c00000000006c0c8] ___do_page_fault+0x3f8/0xb10 + Call Trace: + [c0000000fffb3cf0] [c00000000000bdac] soft_nmi_common+0x13c/0x1d0 (unreliable) + --- interrupt: 700 at decrementer_common_virt+0xb8/0x230 + NIP: c0000000000098b8 LR: c00000000006c0c8 CTR: c0000000000097f0 + REGS: c0000000fffb3d60 TRAP: 0700 Not tainted + MSR: 9000000000021031 CR: 22424282 XER: 20040000 + CFAR: c0000000000098b0 IRQMASK: 0 + GPR00: c00000000006c964 0000000000002400 c000000001513800 0000000000000000 + GPR04: 0000000048ab0778 0000000042000000 0000000000000000 0000000000001299 + GPR08: 000001e447c718ec 0000000022424282 0000000000002710 c00000000006bee8 + GPR12: 9000000000009033 c0000000016b0000 00000000000000b0 0000000000000001 + GPR16: 0000000000000000 0000000000000002 0000000000000000 0000000000000ff8 + GPR20: 0000000000001fff 0000000000000007 0000000000000080 00007fff89d90158 + GPR24: 0000000002000000 0000000002000000 0000000000000255 0000000000000300 + GPR28: c000000001270000 0000000042000000 0000000048ab0778 c000000080647e80 + NIP [c0000000000098b8] decrementer_common_virt+0xb8/0x230 + LR [c00000000006c0c8] ___do_page_fault+0x3f8/0xb10 + --- interrupt: 700 + Instruction dump: + XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX + XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX + ---[ end trace 6d28218e0cc3c949 ]--- + +After: + + ------------[ cut here ]------------ + kernel BUG at arch/powerpc/kernel/exceptions-64s.S:491! + Oops: Exception in kernel mode, sig: 5 [#1] + LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV + Modules linked in: + CPU: 0 PID: 88 Comm: login Not tainted 5.15.0-rc2-00034-ge057cdade6e5-dirty #2638 + NIP: c0000000000098b8 LR: c00000000006bf04 CTR: c0000000000097f0 + REGS: c0000000fffb3d60 TRAP: 0700 Not tainted + MSR: 9000000000021031 CR: 24482227 XER: 00040000 + CFAR: c0000000000098b0 IRQMASK: 0 + GPR00: c00000000006bf04 0000000000002400 c000000001513800 c000000001271868 + GPR04: 00000000100f0d29 0000000042000000 0000000000000007 0000000000000009 + GPR08: 00000000100f0d29 0000000024482227 0000000000002710 c000000000181b3c + GPR12: 9000000000009033 c0000000016b0000 00000000100f0d29 c000000005b22f00 + GPR16: 00000000ffff0000 0000000000000001 0000000000000009 00000000100eed90 + GPR20: 00000000100eed90 0000000010000000 000000001000a49c 00000000100f1430 + GPR24: c000000001271868 0000000002000000 0000000000000215 0000000000000300 + GPR28: c000000001271800 0000000042000000 00000000100f0d29 c000000080647860 + NIP [c0000000000098b8] decrementer_common_virt+0xb8/0x230 + LR [c00000000006bf04] ___do_page_fault+0x234/0xb10 + Call Trace: + Instruction dump: + 4182000c 39400001 48000008 894d0932 714a0001 39400008 408225fc 718a4000 + 7c2a0b78 3821fcf0 41c20008 e82d0910 <0981fcf0> f92101a0 f9610170 f9810178 + ---[ end trace a5dbd1f5ea4ccc51 ]--- + +Fixes: 0a882e28468f4 ("powerpc/64s/exception: remove bad stack branch") +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20211004145642.1331214-2-npiggin@gmail.com +Acked-by: Michal Suchanek +--- + arch/powerpc/kernel/exceptions-64s.S | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S +index 37859e62a8dc..024d9231f88c 100644 +--- a/arch/powerpc/kernel/exceptions-64s.S ++++ b/arch/powerpc/kernel/exceptions-64s.S +@@ -1665,27 +1665,30 @@ EXC_COMMON_BEGIN(program_check_common) + */ + + andi. r10,r12,MSR_PR +- bne 2f /* If userspace, go normal path */ ++ bne .Lnormal_stack /* If userspace, go normal path */ + + andis. r10,r12,(SRR1_PROGTM)@h +- bne 1f /* If TM, emergency */ ++ bne .Lemergency_stack /* If TM, emergency */ + + cmpdi r1,-INT_FRAME_SIZE /* check if r1 is in userspace */ +- blt 2f /* normal path if not */ ++ blt .Lnormal_stack /* normal path if not */ + + /* Use the emergency stack */ +-1: andi. r10,r12,MSR_PR /* Set CR0 correctly for label */ ++.Lemergency_stack: ++ andi. r10,r12,MSR_PR /* Set CR0 correctly for label */ + /* 3 in EXCEPTION_PROLOG_COMMON */ + mr r10,r1 /* Save r1 */ + ld r1,PACAEMERGSP(r13) /* Use emergency stack */ + subi r1,r1,INT_FRAME_SIZE /* alloc stack frame */ + __ISTACK(program_check)=0 + __GEN_COMMON_BODY program_check +- b 3f +-2: ++ b .Ldo_program_check ++ ++.Lnormal_stack: + __ISTACK(program_check)=1 + __GEN_COMMON_BODY program_check +-3: ++ ++.Ldo_program_check: + addi r3,r1,STACK_FRAME_OVERHEAD + bl program_check_exception + REST_NVGPRS(r1) /* instruction emulation may change GPRs */ +-- +2.31.1 + diff --git a/patches.suse/powerpc-add-interrupt_cond_local_irq_enable-helper.patch b/patches.suse/powerpc-add-interrupt_cond_local_irq_enable-helper.patch new file mode 100644 index 0000000..39b23ec --- /dev/null +++ b/patches.suse/powerpc-add-interrupt_cond_local_irq_enable-helper.patch @@ -0,0 +1,125 @@ +From e6f8a6c86ce7b2108c03c1cc014fdae278573df1 Mon Sep 17 00:00:00 2001 +From: Nicholas Piggin +Date: Sat, 30 Jan 2021 23:08:39 +1000 +Subject: [PATCH] powerpc: add interrupt_cond_local_irq_enable helper + +References: bsc#1065729 +Patch-mainline: v5.12-rc1 +Git-commit: e6f8a6c86ce7b2108c03c1cc014fdae278573df1 + +Simple helper for synchronous interrupt handlers (i.e., process-context) +to enable interrupts if it was taken in an interrupts-enabled context. + +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210130130852.2952424-30-npiggin@gmail.com +Acked-by: Michal Suchanek +--- + arch/powerpc/include/asm/interrupt.h | 7 +++++++ + arch/powerpc/kernel/traps.c | 24 +++++++----------------- + arch/powerpc/mm/fault.c | 4 +--- + 3 files changed, 15 insertions(+), 20 deletions(-) + +diff --git a/arch/powerpc/include/asm/irq.h b/arch/powerpc/include/asm/irq.h +--- a/arch/powerpc/include/asm/irq.h ++++ b/arch/powerpc/include/asm/irq.h +@@ -63,5 +63,11 @@ extern void __do_irq(struct pt_regs *regs); + + int irq_choose_cpu(const struct cpumask *mask); + ++static inline void interrupt_cond_local_irq_enable(struct pt_regs *regs) ++{ ++ if (!arch_irq_disabled_regs(regs)) ++ local_irq_enable(); ++} ++ + #endif /* _ASM_IRQ_H */ + #endif /* __KERNEL__ */ +diff --git a/arch/powerpc/kernel/traps.c b/arch/powerpc/kernel/traps.c +index 51e56b7fceb7..20c90a3548f6 100644 +--- a/arch/powerpc/kernel/traps.c ++++ b/arch/powerpc/kernel/traps.c +@@ -343,8 +343,8 @@ static bool exception_common(int signr, struct pt_regs *regs, int code, + + show_signal_msg(signr, regs, code, addr); + +- if (arch_irqs_disabled() && !arch_irq_disabled_regs(regs)) +- local_irq_enable(); ++ if (arch_irqs_disabled()) ++ interrupt_cond_local_irq_enable(regs); + + current->thread.trap_nr = code; + +@@ -1555,9 +1555,7 @@ static void do_program_check(struct pt_regs *regs) + if (!user_mode(regs)) + goto sigill; + +- /* We restore the interrupt state now */ +- if (!arch_irq_disabled_regs(regs)) +- local_irq_enable(); ++ interrupt_cond_local_irq_enable(regs); + + /* (reason & REASON_ILLEGAL) would be the obvious thing here, + * but there seems to be a hardware bug on the 405GP (RevD) +@@ -1622,9 +1620,7 @@ DEFINE_INTERRUPT_HANDLER(alignment_exception) + int sig, code, fixed = 0; + unsigned long reason; + +- /* We restore the interrupt state now */ +- if (!arch_irq_disabled_regs(regs)) +- local_irq_enable(); ++ interrupt_cond_local_irq_enable(regs); + + reason = get_reason(regs); + +@@ -1785,9 +1781,7 @@ DEFINE_INTERRUPT_HANDLER(facility_unavailable_exception) + die("Unexpected facility unavailable exception", regs, SIGABRT); + } + +- /* We restore the interrupt state now */ +- if (!arch_irq_disabled_regs(regs)) +- local_irq_enable(); ++ interrupt_cond_local_irq_enable(regs); + + if (status == FSCR_DSCR_LG) { + /* +@@ -2172,9 +2166,7 @@ DEFINE_INTERRUPT_HANDLER(SPEFloatingPointException) + int code = FPE_FLTUNK; + int err; + +- /* We restore the interrupt state now */ +- if (!arch_irq_disabled_regs(regs)) +- local_irq_enable(); ++ interrupt_cond_local_irq_enable(regs); + + flush_spe_to_thread(current); + +@@ -2221,9 +2213,7 @@ DEFINE_INTERRUPT_HANDLER(SPEFloatingPointRoundException) + extern int speround_handler(struct pt_regs *regs); + int err; + +- /* We restore the interrupt state now */ +- if (!arch_irq_disabled_regs(regs)) +- local_irq_enable(); ++ interrupt_cond_local_irq_enable(regs); + + preempt_disable(); + if (regs->msr & MSR_SPE) +diff --git a/arch/powerpc/mm/fault.c b/arch/powerpc/mm/fault.c +index f8eb42aaafab..8552ab6c008b 100644 +--- a/arch/powerpc/mm/fault.c ++++ b/arch/powerpc/mm/fault.c +@@ -434,9 +434,7 @@ static int __do_page_fault(struct pt_regs *regs, unsigned long address, + return bad_area_nosemaphore(regs, address); + } + +- /* We restore the interrupt state now */ +- if (!arch_irq_disabled_regs(regs)) +- local_irq_enable(); ++ interrupt_cond_local_irq_enable(regs); + + perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, regs, address); + +-- +2.31.1 + diff --git a/patches.suse/powerpc-perf-Fix-PMU-callbacks-to-clear-pending-PMI-.patch b/patches.suse/powerpc-perf-Fix-PMU-callbacks-to-clear-pending-PMI-.patch new file mode 100644 index 0000000..23f9d66 --- /dev/null +++ b/patches.suse/powerpc-perf-Fix-PMU-callbacks-to-clear-pending-PMI-.patch @@ -0,0 +1,273 @@ +From 2c9ac51b850d84ee496b0a5d832ce66d411ae552 Mon Sep 17 00:00:00 2001 +From: Athira Rajeev +Date: Wed, 21 Jul 2021 01:48:29 -0400 +Subject: [PATCH] powerpc/perf: Fix PMU callbacks to clear pending PMI before + resetting an overflown PMC + +References: bsc#1156395 +Patch-mainline: v5.17-rc1 +Git-commit: 2c9ac51b850d84ee496b0a5d832ce66d411ae552 + +Running perf fuzzer showed below in dmesg logs: + "Can't find PMC that caused IRQ" + +This means a PMU exception happened, but none of the PMC's (Performance +Monitor Counter) were found to be overflown. There are some corner cases +that clears the PMCs after PMI gets masked. In such cases, the perf +interrupt handler will not find the active PMC values that had caused +the overflow and thus leads to this message while replaying. + +Case 1: PMU Interrupt happens during replay of other interrupts and +counter values gets cleared by PMU callbacks before replay: + +During replay of interrupts like timer, __do_irq() and doorbell +exception, we conditionally enable interrupts via may_hard_irq_enable(). +This could potentially create a window to generate a PMI. Since irq soft +mask is set to ALL_DISABLED, the PMI will get masked here. We could get +IPIs run before perf interrupt is replayed and the PMU events could +be deleted or stopped. This will change the PMU SPR values and resets +the counters. Snippet of ftrace log showing PMU callbacks invoked in +__do_irq(): + + -0 [051] dns. 132025441306354: __do_irq <-call_do_irq + -0 [051] dns. 132025441306430: irq_enter <-__do_irq + -0 [051] dns. 132025441306503: irq_enter_rcu <-__do_irq + -0 [051] dnH. 132025441306599: xive_get_irq <-__do_irq + <<>> + -0 [051] dnH. 132025441307770: generic_smp_call_function_single_interrupt <-smp_ipi_demux_relaxed + -0 [051] dnH. 132025441307839: flush_smp_call_function_queue <-smp_ipi_demux_relaxed + -0 [051] dnH. 132025441308057: _raw_spin_lock <-event_function + -0 [051] dnH. 132025441308206: power_pmu_disable <-perf_pmu_disable + -0 [051] dnH. 132025441308337: power_pmu_del <-event_sched_out + -0 [051] dnH. 132025441308407: power_pmu_read <-power_pmu_del + -0 [051] dnH. 132025441308477: read_pmc <-power_pmu_read + -0 [051] dnH. 132025441308590: isa207_disable_pmc <-power_pmu_del + -0 [051] dnH. 132025441308663: write_pmc <-power_pmu_del + -0 [051] dnH. 132025441308787: power_pmu_event_idx <-perf_event_update_userpage + -0 [051] dnH. 132025441308859: rcu_read_unlock_strict <-perf_event_update_userpage + -0 [051] dnH. 132025441308975: power_pmu_enable <-perf_pmu_enable + <<>> + -0 [051] dnH. 132025441311108: irq_exit <-__do_irq + -0 [051] dns. 132025441311319: performance_monitor_exception <-replay_soft_interrupts + +Case 2: PMI's masked during local_* operations, example local_add(). If +the local_add() operation happens within a local_irq_save(), replay of +PMI will be during local_irq_restore(). Similar to case 1, this could +also create a window before replay where PMU events gets deleted or +stopped. + +Fix it by updating the PMU callback function power_pmu_disable() to +check for pending perf interrupt. If there is an overflown PMC and +pending perf interrupt indicated in paca, clear the PMI bit in paca to +drop that sample. Clearing of PMI bit is done in power_pmu_disable() +since disable is invoked before any event gets deleted/stopped. With +this fix, if there are more than one event running in the PMU, there is +a chance that we clear the PMI bit for the event which is not getting +deleted/stopped. The other events may still remain active. Hence to make +sure we don't drop valid sample in such cases, another check is added in +power_pmu_enable. This checks if there is an overflown PMC found among +the active events and if so enable back the PMI bit. Two new helper +functions are introduced to clear/set the PMI, ie +clear_pmi_irq_pending() and set_pmi_irq_pending(). Helper function +pmi_irq_pending() is introduced to give a warning if there is pending +PMI bit in paca, but no PMC is overflown. + +Also there are corner cases which result in performance monitor +interrupts being triggered during power_pmu_disable(). This happens +since PMXE bit is not cleared along with disabling of other MMCR0 bits +in the pmu_disable. Such PMI's could leave the PMU running and could +trigger PMI again which will set MMCR0 PMAO bit. This could lead to +spurious interrupts in some corner cases. Example, a timer after +power_pmu_del() which will re-enable interrupts and triggers a PMI again +since PMAO bit is still set. But fails to find valid overflow since PMC +was cleared in power_pmu_del(). Fix that by disabling PMXE along with +disabling of other MMCR0 bits in power_pmu_disable(). + +We can't just replay PMI any time. Hence this approach is preferred +rather than replaying PMI before resetting overflown PMC. Patch also +documents core-book3s on a race condition which can trigger these PMC +messages during idle path in PowerNV. + +Fixes: f442d004806e ("powerpc/64s: Add support to mask perf interrupts and replay them") +Reported-by: Nageswara R Sastry +Suggested-by: Nicholas Piggin +Suggested-by: Madhavan Srinivasan +Signed-off-by: Athira Rajeev +Tested-by: Nageswara R Sastry +Reviewed-by: Nicholas Piggin +[mpe: Make pmi_irq_pending() return bool, reflow/reword some comments] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1626846509-1350-2-git-send-email-atrajeev@linux.vnet.ibm.com +Acked-by: Michal Suchanek +--- + arch/powerpc/include/asm/hw_irq.h | 40 +++++++++++++++++++++ + arch/powerpc/perf/core-book3s.c | 58 ++++++++++++++++++++++++++++++- + 2 files changed, 97 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/include/asm/hw_irq.h b/arch/powerpc/include/asm/hw_irq.h +--- a/arch/powerpc/include/asm/hw_irq.h ++++ b/arch/powerpc/include/asm/hw_irq.h +@@ -224,6 +224,42 @@ static inline bool arch_irqs_disabled(void) + return arch_irqs_disabled_flags(arch_local_save_flags()); + } + ++static inline void set_pmi_irq_pending(void) ++{ ++ /* ++ * Invoked from PMU callback functions to set PMI bit in the paca. ++ * This has to be called with irq's disabled (via hard_irq_disable()). ++ */ ++ if (IS_ENABLED(CONFIG_PPC_IRQ_SOFT_MASK_DEBUG)) ++ WARN_ON_ONCE(mfmsr() & MSR_EE); ++ ++ get_paca()->irq_happened |= PACA_IRQ_PMI; ++} ++ ++static inline void clear_pmi_irq_pending(void) ++{ ++ /* ++ * Invoked from PMU callback functions to clear the pending PMI bit ++ * in the paca. ++ */ ++ if (IS_ENABLED(CONFIG_PPC_IRQ_SOFT_MASK_DEBUG)) ++ WARN_ON_ONCE(mfmsr() & MSR_EE); ++ ++ get_paca()->irq_happened &= ~PACA_IRQ_PMI; ++} ++ ++static inline bool pmi_irq_pending(void) ++{ ++ /* ++ * Invoked from PMU callback functions to check if there is a pending ++ * PMI bit in the paca. ++ */ ++ if (get_paca()->irq_happened & PACA_IRQ_PMI) ++ return true; ++ ++ return false; ++} ++ + #ifdef CONFIG_PPC_BOOK3S + /* + * To support disabling and enabling of irq with PMI, set of +@@ -408,6 +444,10 @@ static inline void do_hard_irq_enable(void) + + static inline void may_hard_irq_enable(void) { } + ++static inline void clear_pmi_irq_pending(void) { } ++static inline void set_pmi_irq_pending(void) { } ++static inline bool pmi_irq_pending(void) { return false; } ++ + #endif /* CONFIG_PPC64 */ + + #define ARCH_IRQ_INIT_FLAGS IRQ_NOREQUEST +diff --git a/arch/powerpc/perf/core-book3s.c b/arch/powerpc/perf/core-book3s.c +--- a/arch/powerpc/perf/core-book3s.c ++++ b/arch/powerpc/perf/core-book3s.c +@@ -857,6 +857,19 @@ static void write_pmc(int idx, unsigned long val) + } + } + ++static int any_pmc_overflown(struct cpu_hw_events *cpuhw) ++{ ++ int i, idx; ++ ++ for (i = 0; i < cpuhw->n_events; i++) { ++ idx = cpuhw->event[i]->hw.idx; ++ if ((idx) && ((int)read_pmc(idx) < 0)) ++ return idx; ++ } ++ ++ return 0; ++} ++ + /* Called from sysrq_handle_showregs() */ + void perf_event_print_debug(void) + { +@@ -1281,11 +1294,13 @@ static void power_pmu_disable(struct pmu *pmu) + + /* + * Set the 'freeze counters' bit, clear EBE/BHRBA/PMCC/PMAO/FC56 ++ * Also clear PMXE to disable PMI's getting triggered in some ++ * corner cases during PMU disable. + */ + val = mmcr0 = mfspr(SPRN_MMCR0); + val |= MMCR0_FC; + val &= ~(MMCR0_EBE | MMCR0_BHRBA | MMCR0_PMCC | MMCR0_PMAO | +- MMCR0_FC56); ++ MMCR0_PMXE | MMCR0_FC56); + /* Set mmcr0 PMCCEXT for p10 */ + if (ppmu->flags & PPMU_ARCH_31) + val |= MMCR0_PMCCEXT; +@@ -1299,6 +1314,23 @@ static void power_pmu_disable(struct pmu *pmu) + mb(); + isync(); + ++ /* ++ * Some corner cases could clear the PMU counter overflow ++ * while a masked PMI is pending. One such case is when ++ * a PMI happens during interrupt replay and perf counter ++ * values are cleared by PMU callbacks before replay. ++ * ++ * If any PMC corresponding to the active PMU events are ++ * overflown, disable the interrupt by clearing the paca ++ * bit for PMI since we are disabling the PMU now. ++ * Otherwise provide a warning if there is PMI pending, but ++ * no counter is found overflown. ++ */ ++ if (any_pmc_overflown(cpuhw)) ++ clear_pmi_irq_pending(); ++ else ++ WARN_ON(pmi_irq_pending()); ++ + val = mmcra = cpuhw->mmcr.mmcra; + + /* +@@ -1390,6 +1422,15 @@ static void power_pmu_enable(struct pmu *pmu) + * (possibly updated for removal of events). + */ + if (!cpuhw->n_added) { ++ /* ++ * If there is any active event with an overflown PMC ++ * value, set back PACA_IRQ_PMI which would have been ++ * cleared in power_pmu_disable(). ++ */ ++ hard_irq_disable(); ++ if (any_pmc_overflown(cpuhw)) ++ set_pmi_irq_pending(); ++ + mtspr(SPRN_MMCRA, cpuhw->mmcr.mmcra & ~MMCRA_SAMPLE_ENABLE); + mtspr(SPRN_MMCR1, cpuhw->mmcr.mmcr1); + if (ppmu->flags & PPMU_ARCH_31) +@@ -2337,6 +2378,14 @@ static void __perf_event_interrupt(struct pt_regs *regs) + break; + } + } ++ ++ /* ++ * Clear PACA_IRQ_PMI in case it was set by ++ * set_pmi_irq_pending() when PMU was enabled ++ * after accounting for interrupts. ++ */ ++ clear_pmi_irq_pending(); ++ + if (!active) + /* reset non active counters that have overflowed */ + write_pmc(i + 1, 0); +@@ -2356,6 +2405,13 @@ static void __perf_event_interrupt(struct pt_regs *regs) + } + } + } ++ ++ /* ++ * During system wide profling or while specific CPU is monitored for an ++ * event, some corner cases could cause PMC to overflow in idle path. This ++ * will trigger a PMI after waking up from idle. Since counter values are _not_ ++ * saved/restored in idle path, can lead to below "Can't find PMC" message. ++ */ + if (!found && !nmi && printk_ratelimit()) + printk(KERN_WARNING "Can't find PMC that caused IRQ\n"); + +-- +2.31.1 + diff --git a/patches.suse/powerpc-perf-Fix-data-source-encodings-for-L2.1-and-.patch b/patches.suse/powerpc-perf-Fix-data-source-encodings-for-L2.1-and-.patch new file mode 100644 index 0000000..5c6e71c --- /dev/null +++ b/patches.suse/powerpc-perf-Fix-data-source-encodings-for-L2.1-and-.patch @@ -0,0 +1,89 @@ +From 26da4abfb38201c3cbe127daeded76d4c2bc9077 Mon Sep 17 00:00:00 2001 +From: Kajol Jain +Date: Wed, 6 Oct 2021 19:36:54 +0530 +Subject: [PATCH] powerpc/perf: Fix data source encodings for L2.1 and L3.1 + accesses + +References: bsc#1065729 +Patch-mainline: v5.16-rc1 +Git-commit: 26da4abfb38201c3cbe127daeded76d4c2bc9077 + +Fix the data source encodings to represent L2.1/L3.1(another core's +L2/L3 on the same node) accesses properly for power10 and older +plaforms. + +Add new macros(LEVEL/REM) which can be used to add mem_lvl_num and remote +field data inside perf_mem_data_src structure. + +Result in power9 system with patch changes: + +localhost:~/linux/tools/perf # ./perf mem report | grep Remote + 0.01% 1 252 Remote core, same node L3 or L3 hit [.] 0x0000000000002dd0 producer_consumer [.] 0x00007fff7f25eb90 +anon HitM N/A No N/A 0 0 + 0.01% 1 220 Remote core, same node L3 or L3 hit [.] 0x0000000000002dd0 producer_consumer [.] 0x00007fff77776d90 +anon HitM N/A No N/A 0 0 + 0.01% 1 220 Remote core, same node L3 or L3 hit [.] 0x0000000000002dd0 producer_consumer [.] 0x00007fff817d9410 +anon HitM N/A No N/A 0 0 + +Fixes: 79e96f8f930d ("powerpc/perf: Export memory hierarchy info to user space") +Signed-off-by: Kajol Jain +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lore.kernel.org/r/20211006140654.298352-5-kjain@linux.ibm.com +[ms: P(HOPS, 0) encoding not supported on 5.3] +Acked-by: Michal Suchanek +--- + arch/powerpc/perf/isa207-common.c | 26 +++++++++++++++++++++----- + arch/powerpc/perf/isa207-common.h | 2 ++ + 2 files changed, 23 insertions(+), 5 deletions(-) + +diff --git a/arch/powerpc/perf/isa207-common.c b/arch/powerpc/perf/isa207-common.c +--- a/arch/powerpc/perf/isa207-common.c ++++ b/arch/powerpc/perf/isa207-common.c +@@ -238,11 +238,27 @@ static inline u64 isa207_find_source(u64 idx, u32 sub_idx) + ret |= P(SNOOP, HIT); + break; + case 5: +- ret = PH(LVL, REM_CCE1); +- if ((sub_idx == 0) || (sub_idx == 2) || (sub_idx == 4)) +- ret |= P(SNOOP, HIT); +- else if ((sub_idx == 1) || (sub_idx == 3) || (sub_idx == 5)) +- ret |= P(SNOOP, HITM); ++ if (cpu_has_feature(CPU_FTR_ARCH_31)) { ++ ret = REM; ++ ++ if (sub_idx == 0 || sub_idx == 4) ++ ret |= PH(LVL, L2) | LEVEL(L2) | P(SNOOP, HIT); ++ else if (sub_idx == 1 || sub_idx == 5) ++ ret |= PH(LVL, L2) | LEVEL(L2) | P(SNOOP, HITM); ++ else if (sub_idx == 2 || sub_idx == 6) ++ ret |= PH(LVL, L3) | LEVEL(L3) | P(SNOOP, HIT); ++ else if (sub_idx == 3 || sub_idx == 7) ++ ret |= PH(LVL, L3) | LEVEL(L3) | P(SNOOP, HITM); ++ } else { ++ if (sub_idx == 0) ++ ret = PH(LVL, L2) | LEVEL(L2) | REM | P(SNOOP, HIT); ++ else if (sub_idx == 1) ++ ret = PH(LVL, L2) | LEVEL(L2) | REM | P(SNOOP, HITM); ++ else if (sub_idx == 2 || sub_idx == 4) ++ ret = PH(LVL, L3) | LEVEL(L3) | REM | P(SNOOP, HIT); ++ else if (sub_idx == 3 || sub_idx == 5) ++ ret = PH(LVL, L3) | LEVEL(L3) | REM | P(SNOOP, HITM); ++ } + break; + case 6: + ret = PH(LVL, REM_CCE2); +diff --git a/arch/powerpc/perf/isa207-common.h b/arch/powerpc/perf/isa207-common.h +--- a/arch/powerpc/perf/isa207-common.h ++++ b/arch/powerpc/perf/isa207-common.h +@@ -273,6 +273,8 @@ + #define P(a, b) PERF_MEM_S(a, b) + #define PH(a, b) (P(LVL, HIT) | P(a, b)) + #define PM(a, b) (P(LVL, MISS) | P(a, b)) ++#define LEVEL(x) P(LVLNUM, x) ++#define REM P(REMOTE, REMOTE) + + int isa207_get_constraint(u64 event, unsigned long *maskp, unsigned long *valp); + int isa207_compute_mmcr(u64 event[], int n_ev, +-- +2.31.1 + diff --git a/patches.suse/powerpc-prom_init-Fix-improper-check-of-prom_getprop.patch b/patches.suse/powerpc-prom_init-Fix-improper-check-of-prom_getprop.patch new file mode 100644 index 0000000..accd5cb --- /dev/null +++ b/patches.suse/powerpc-prom_init-Fix-improper-check-of-prom_getprop.patch @@ -0,0 +1,37 @@ +From 869fb7e5aecbc163003f93f36dcc26d0554319f6 Mon Sep 17 00:00:00 2001 +From: Peiwei Hu +Date: Fri, 19 Nov 2021 17:12:18 +0800 +Subject: [PATCH] powerpc/prom_init: Fix improper check of prom_getprop() + +References: bsc#1065729 +Patch-mainline: v5.17-rc1 +Git-commit: 869fb7e5aecbc163003f93f36dcc26d0554319f6 + +prom_getprop() can return PROM_ERROR. Binary operator can not identify +it. + +Fixes: 94d2dde738a5 ("[POWERPC] Efika: prune fixups and make them more carefull") +Signed-off-by: Peiwei Hu +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/tencent_BA28CC6897B7C95A92EB8C580B5D18589105@qq.com +Acked-by: Michal Suchanek +--- + arch/powerpc/kernel/prom_init.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/kernel/prom_init.c b/arch/powerpc/kernel/prom_init.c +index 18b04b08b983..f845065c860e 100644 +--- a/arch/powerpc/kernel/prom_init.c ++++ b/arch/powerpc/kernel/prom_init.c +@@ -2991,7 +2991,7 @@ static void __init fixup_device_tree_efika_add_phy(void) + + /* Check if the phy-handle property exists - bail if it does */ + rv = prom_getprop(node, "phy-handle", prop, sizeof(prop)); +- if (!rv) ++ if (rv <= 0) + return; + + /* +-- +2.31.1 + diff --git a/patches.suse/powerpc-pseries-cpuhp-cache-node-corrections.patch b/patches.suse/powerpc-pseries-cpuhp-cache-node-corrections.patch new file mode 100644 index 0000000..1096c0d --- /dev/null +++ b/patches.suse/powerpc-pseries-cpuhp-cache-node-corrections.patch @@ -0,0 +1,257 @@ +From 7edd5c9a8820bedb22870b34a809d45f2a86a35a Mon Sep 17 00:00:00 2001 +From: Nathan Lynch +Date: Mon, 27 Sep 2021 15:19:30 -0500 +Subject: [PATCH] powerpc/pseries/cpuhp: cache node corrections + +References: bsc#1065729 +Patch-mainline: v5.16-rc1 +Git-commit: 7edd5c9a8820bedb22870b34a809d45f2a86a35a + +On pseries, cache nodes in the device tree can be added and removed by the +CPU DLPAR code as well as the partition migration (mobility) code. PowerVM +partitions in dedicated processor mode typically have L2 and L3 cache +nodes. + +The CPU DLPAR code has the following shortcomings: + +* Cache nodes returned as siblings of a new CPU node by + ibm,configure-connector are silently discarded; only the CPU node is + added to the device tree. + +* Cache nodes which become unreferenced in the processor removal path are + not removed from the device tree. This can lead to duplicate nodes when + the post-migration device tree update code replaces cache nodes. + +This is long-standing behavior. Presumably it has gone mostly unnoticed +because the two bugs have the property of obscuring each other in common +simple scenarios (e.g. remove a CPU and add it back). Likely you'd notice +only if you cared to inspect the device tree or the sysfs cacheinfo +information. + +Booted with two processors: + + $ pwd + /sys/firmware/devicetree/base/cpus + $ ls -1d */ + l2-cache@2010/ + l2-cache@2011/ + l3-cache@3110/ + l3-cache@3111/ + PowerPC,POWER9@0/ + PowerPC,POWER9@8/ + $ lsprop */l2-cache + l2-cache@2010/l2-cache + 00003110 (12560) + l2-cache@2011/l2-cache + 00003111 (12561) + PowerPC,POWER9@0/l2-cache + 00002010 (8208) + PowerPC,POWER9@8/l2-cache + 00002011 (8209) + $ ls /sys/devices/system/cpu/cpu0/cache/ + index0 index1 index2 index3 + +After DLPAR-adding PowerPC,POWER9@10, we see that its associated cache +nodes are absent, its threads' L2+L3 cacheinfo is unpopulated, and it is +missing a cache level in its sched domain hierarchy: + + $ ls -1d */ + l2-cache@2010/ + l2-cache@2011/ + l3-cache@3110/ + l3-cache@3111/ + PowerPC,POWER9@0/ + PowerPC,POWER9@10/ + PowerPC,POWER9@8/ + $ lsprop PowerPC\,POWER9@10/l2-cache + PowerPC,POWER9@10/l2-cache + 00002012 (8210) + $ ls /sys/devices/system/cpu/cpu16/cache/ + index0 index1 + $ grep . /sys/kernel/debug/sched/domains/cpu{0,8,16}/domain*/name + /sys/kernel/debug/sched/domains/cpu0/domain0/name:SMT + /sys/kernel/debug/sched/domains/cpu0/domain1/name:CACHE + /sys/kernel/debug/sched/domains/cpu0/domain2/name:DIE + /sys/kernel/debug/sched/domains/cpu8/domain0/name:SMT + /sys/kernel/debug/sched/domains/cpu8/domain1/name:CACHE + /sys/kernel/debug/sched/domains/cpu8/domain2/name:DIE + /sys/kernel/debug/sched/domains/cpu16/domain0/name:SMT + /sys/kernel/debug/sched/domains/cpu16/domain1/name:DIE + +When removing PowerPC,POWER9@8, we see that its cache nodes are left +behind: + + $ ls -1d */ + l2-cache@2010/ + l2-cache@2011/ + l3-cache@3110/ + l3-cache@3111/ + PowerPC,POWER9@0/ + +When DLPAR is combined with VM migration, we can get duplicate nodes. E.g. +removing one processor, then migrating, adding a processor, and then +migrating again can result in warnings from the OF core during +post-migration device tree updates: + + Duplicate name in cpus, renamed to "l2-cache@2011#1" + Duplicate name in cpus, renamed to "l3-cache@3111#1" + +and nodes with duplicated phandles in the tree, making lookup behavior +unpredictable: + + $ lsprop l[23]-cache@*/ibm,phandle + l2-cache@2010/ibm,phandle + 00002010 (8208) + l2-cache@2011#1/ibm,phandle + 00002011 (8209) + l2-cache@2011/ibm,phandle + 00002011 (8209) + l3-cache@3110/ibm,phandle + 00003110 (12560) + l3-cache@3111#1/ibm,phandle + 00003111 (12561) + l3-cache@3111/ibm,phandle + 00003111 (12561) + +Address these issues by: + +* Correctly processing siblings of the node returned from + dlpar_configure_connector(). +* Removing cache nodes in the CPU remove path when it can be determined + that they are not associated with other CPUs or caches. + +Use the of_changeset API in both cases, which allows us to keep the error +handling in this code from becoming more complex while ensuring that the +device tree cannot become inconsistent. + +Fixes: ac71380071d1 ("powerpc/pseries: Add CPU dlpar remove functionality") +Fixes: 90edf184b9b7 ("powerpc/pseries: Add CPU dlpar add functionality") +Signed-off-by: Nathan Lynch +Tested-by: Daniel Henrique Barboza +Reviewed-by: Daniel Henrique Barboza +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210927201933.76786-2-nathanl@linux.ibm.com +Acked-by: Michal Suchanek +--- + arch/powerpc/platforms/pseries/hotplug-cpu.c | 75 ++++++++++++++++++-- + 1 file changed, 71 insertions(+), 4 deletions(-) + +diff --git a/arch/powerpc/platforms/pseries/hotplug-cpu.c b/arch/powerpc/platforms/pseries/hotplug-cpu.c +index d646c22e94ab..00ac7d7e63e5 100644 +--- a/arch/powerpc/platforms/pseries/hotplug-cpu.c ++++ b/arch/powerpc/platforms/pseries/hotplug-cpu.c +@@ -521,6 +521,27 @@ static bool valid_cpu_drc_index(struct device_node *parent, u32 drc_index) + return found; + } + ++static int pseries_cpuhp_attach_nodes(struct device_node *dn) ++{ ++ struct of_changeset cs; ++ int ret; ++ ++ /* ++ * This device node is unattached but may have siblings; open-code the ++ * traversal. ++ */ ++ for (of_changeset_init(&cs); dn != NULL; dn = dn->sibling) { ++ ret = of_changeset_attach_node(&cs, dn); ++ if (ret) ++ goto out; ++ } ++ ++ ret = of_changeset_apply(&cs); ++out: ++ of_changeset_destroy(&cs); ++ return ret; ++} ++ + static ssize_t dlpar_cpu_add(u32 drc_index) + { + struct device_node *dn, *parent; +@@ -563,7 +584,7 @@ static ssize_t dlpar_cpu_add(u32 drc_index) + return -EINVAL; + } + +- rc = dlpar_attach_node(dn, parent); ++ rc = pseries_cpuhp_attach_nodes(dn); + + /* Regardless we are done with parent now */ + of_node_put(parent); +@@ -600,6 +621,53 @@ static ssize_t dlpar_cpu_add(u32 drc_index) + return rc; + } + ++static unsigned int pseries_cpuhp_cache_use_count(const struct device_node *cachedn) ++{ ++ unsigned int use_count = 0; ++ struct device_node *dn; ++ ++ WARN_ON(!of_node_is_type(cachedn, "cache")); ++ ++ for_each_of_cpu_node(dn) { ++ if (of_find_next_cache_node(dn) == cachedn) ++ use_count++; ++ } ++ ++ for_each_node_by_type(dn, "cache") { ++ if (of_find_next_cache_node(dn) == cachedn) ++ use_count++; ++ } ++ ++ return use_count; ++} ++ ++static int pseries_cpuhp_detach_nodes(struct device_node *cpudn) ++{ ++ struct device_node *dn; ++ struct of_changeset cs; ++ int ret = 0; ++ ++ of_changeset_init(&cs); ++ ret = of_changeset_detach_node(&cs, cpudn); ++ if (ret) ++ goto out; ++ ++ dn = cpudn; ++ while ((dn = of_find_next_cache_node(dn))) { ++ if (pseries_cpuhp_cache_use_count(dn) > 1) ++ break; ++ ++ ret = of_changeset_detach_node(&cs, dn); ++ if (ret) ++ goto out; ++ } ++ ++ ret = of_changeset_apply(&cs); ++out: ++ of_changeset_destroy(&cs); ++ return ret; ++} ++ + static ssize_t dlpar_cpu_remove(struct device_node *dn, u32 drc_index) + { + int rc; +@@ -621,7 +689,7 @@ static ssize_t dlpar_cpu_remove(struct device_node *dn, u32 drc_index) + return rc; + } + +- rc = dlpar_detach_node(dn); ++ rc = pseries_cpuhp_detach_nodes(dn); + if (rc) { + int saved_rc = rc; + +@@ -885,10 +953,9 @@ static int dlpar_cpu_add_by_count(u32 cpus_to_add) + + int dlpar_cpu(struct pseries_hp_errorlog *hp_elog) + { +- u32 count, drc_index; ++ u32 drc_index; + int rc; + +- count = hp_elog->_drc_u.drc_count; + drc_index = hp_elog->_drc_u.drc_index; + + lock_device_hotplug(); +-- +2.31.1 + diff --git a/patches.suse/powerpc-pseries-cpuhp-delete-add-remove_by_count-cod.patch b/patches.suse/powerpc-pseries-cpuhp-delete-add-remove_by_count-cod.patch new file mode 100644 index 0000000..c430c64 --- /dev/null +++ b/patches.suse/powerpc-pseries-cpuhp-delete-add-remove_by_count-cod.patch @@ -0,0 +1,323 @@ +From fa2a5dfe2ddd0e7c77e5f608e1fa374192e5be97 Mon Sep 17 00:00:00 2001 +From: Nathan Lynch +Date: Mon, 27 Sep 2021 15:19:32 -0500 +Subject: [PATCH] powerpc/pseries/cpuhp: delete add/remove_by_count code + +References: bsc#1065729 +Patch-mainline: v5.16-rc1 +Git-commit: fa2a5dfe2ddd0e7c77e5f608e1fa374192e5be97 + +The core DLPAR code supports two actions (add and remove) and three +subtypes of action: + +* By DRC index: the action is attempted on a single specified resource. + This is the usual case for processors. +* By indexed count: the action is attempted on a range of resources + beginning at the specified index. This is implemented only by the memory + DLPAR code. +* By count: the lower layer (CPU or memory) is responsible for locating the + specified number of resources to which the action can be applied. + +I cannot find any evidence of the "by count" subtype being used by drmgr or +qemu for processors. And when I try to exercise this code, the add case +does not work: + + $ ppc64_cpu --smt ; nproc + SMT=8 + 24 + $ printf "cpu remove count 2" > /sys/kernel/dlpar + $ nproc + 8 + $ printf "cpu add count 2" > /sys/kernel/dlpar + -bash: printf: write error: Invalid argument + $ dmesg | tail -2 + pseries-hotplug-cpu: Failed to find enough CPUs (1 of 2) to add + dlpar: Could not handle DLPAR request "cpu add count 2" + $ nproc + 8 + $ drmgr -c cpu -a -q 2 # this uses the by-index method + Validating CPU DLPAR capability...yes. + CPU 1 + CPU 17 + $ nproc + 24 + +This is because find_drc_info_cpus_to_add() does not increment drc_index +appropriately during its search. + +This is not hard to fix. But the _by_count() functions also have the +property that they attempt to roll back all prior operations if the entire +request cannot be satisfied, even though the rollback itself can encounter +errors. It's not possible to provide transaction-like behavior at this +level, and it's undesirable to have code that can only pretend to do that. +Any users of these functions cannot know what the state of the system is in +the error case. And the error paths are, to my knowledge, impossible to +test without adding custom error injection code. + +Summary: + +* This code has not worked reliably since its introduction. +* There is no evidence that it is used. +* It contains questionable rollback behaviors in error paths which are + difficult to test. + +So let's remove it. + +Fixes: ac71380071d1 ("powerpc/pseries: Add CPU dlpar remove functionality") +Fixes: 90edf184b9b7 ("powerpc/pseries: Add CPU dlpar add functionality") +Fixes: b015f6bc9547 ("powerpc/pseries: Add cpu DLPAR support for drc-info property") +Signed-off-by: Nathan Lynch +Tested-by: Daniel Henrique Barboza +Reviewed-by: Daniel Henrique Barboza +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210927201933.76786-4-nathanl@linux.ibm.com +Acked-by: Michal Suchanek +--- + arch/powerpc/platforms/pseries/hotplug-cpu.c | 218 +------------------ + 1 file changed, 2 insertions(+), 216 deletions(-) + +diff --git a/arch/powerpc/platforms/pseries/hotplug-cpu.c b/arch/powerpc/platforms/pseries/hotplug-cpu.c +--- a/arch/powerpc/platforms/pseries/hotplug-cpu.c ++++ b/arch/powerpc/platforms/pseries/hotplug-cpu.c +@@ -741,216 +741,6 @@ static int dlpar_cpu_remove_by_index(u32 drc_index) + return rc; + } + +-static int find_dlpar_cpus_to_remove(u32 *cpu_drcs, int cpus_to_remove) +-{ +- struct device_node *dn; +- int cpus_found = 0; +- int rc; +- +- /* We want to find cpus_to_remove + 1 CPUs to ensure we do not +- * remove the last CPU. +- */ +- for_each_node_by_type(dn, "cpu") { +- cpus_found++; +- +- if (cpus_found > cpus_to_remove) { +- of_node_put(dn); +- break; +- } +- +- /* Note that cpus_found is always 1 ahead of the index +- * into the cpu_drcs array, so we use cpus_found - 1 +- */ +- rc = of_property_read_u32(dn, "ibm,my-drc-index", +- &cpu_drcs[cpus_found - 1]); +- if (rc) { +- pr_warn("Error occurred getting drc-index for %pOFn\n", +- dn); +- of_node_put(dn); +- return -1; +- } +- } +- +- if (cpus_found < cpus_to_remove) { +- pr_warn("Failed to find enough CPUs (%d of %d) to remove\n", +- cpus_found, cpus_to_remove); +- } else if (cpus_found == cpus_to_remove) { +- pr_warn("Cannot remove all CPUs\n"); +- } +- +- return cpus_found; +-} +- +-static int dlpar_cpu_remove_by_count(u32 cpus_to_remove) +-{ +- u32 *cpu_drcs; +- int cpus_found; +- int cpus_removed = 0; +- int i, rc; +- +- pr_debug("Attempting to hot-remove %d CPUs\n", cpus_to_remove); +- +- cpu_drcs = kcalloc(cpus_to_remove, sizeof(*cpu_drcs), GFP_KERNEL); +- if (!cpu_drcs) +- return -EINVAL; +- +- cpus_found = find_dlpar_cpus_to_remove(cpu_drcs, cpus_to_remove); +- if (cpus_found <= cpus_to_remove) { +- kfree(cpu_drcs); +- return -EINVAL; +- } +- +- for (i = 0; i < cpus_to_remove; i++) { +- rc = dlpar_cpu_remove_by_index(cpu_drcs[i]); +- if (rc) +- break; +- +- cpus_removed++; +- } +- +- if (cpus_removed != cpus_to_remove) { +- pr_warn("CPU hot-remove failed, adding back removed CPUs\n"); +- +- for (i = 0; i < cpus_removed; i++) +- dlpar_cpu_add(cpu_drcs[i]); +- +- rc = -EINVAL; +- } else { +- rc = 0; +- } +- +- kfree(cpu_drcs); +- return rc; +-} +- +-static int find_drc_info_cpus_to_add(struct device_node *cpus, +- struct property *info, +- u32 *cpu_drcs, u32 cpus_to_add) +-{ +- struct of_drc_info drc; +- const __be32 *value; +- u32 count, drc_index; +- int cpus_found = 0; +- int i, j; +- +- if (!info) +- return -1; +- +- value = of_prop_next_u32(info, NULL, &count); +- if (value) +- value++; +- +- for (i = 0; i < count; i++) { +- of_read_drc_info_cell(&info, &value, &drc); +- if (strncmp(drc.drc_type, "CPU", 3)) +- break; +- +- drc_index = drc.drc_index_start; +- for (j = 0; j < drc.num_sequential_elems; j++) { +- if (dlpar_cpu_exists(cpus, drc_index)) +- continue; +- +- cpu_drcs[cpus_found++] = drc_index; +- +- if (cpus_found == cpus_to_add) +- return cpus_found; +- +- drc_index += drc.sequential_inc; +- } +- } +- +- return cpus_found; +-} +- +-static int find_drc_index_cpus_to_add(struct device_node *cpus, +- u32 *cpu_drcs, u32 cpus_to_add) +-{ +- int cpus_found = 0; +- int index, rc; +- u32 drc_index; +- +- /* Search the ibm,drc-indexes array for possible CPU drcs to +- * add. Note that the format of the ibm,drc-indexes array is +- * the number of entries in the array followed by the array +- * of drc values so we start looking at index = 1. +- */ +- index = 1; +- while (cpus_found < cpus_to_add) { +- rc = of_property_read_u32_index(cpus, "ibm,drc-indexes", +- index++, &drc_index); +- +- if (rc) +- break; +- +- if (dlpar_cpu_exists(cpus, drc_index)) +- continue; +- +- cpu_drcs[cpus_found++] = drc_index; +- } +- +- return cpus_found; +-} +- +-static int dlpar_cpu_add_by_count(u32 cpus_to_add) +-{ +- struct device_node *parent; +- struct property *info; +- u32 *cpu_drcs; +- int cpus_added = 0; +- int cpus_found; +- int i, rc; +- +- pr_debug("Attempting to hot-add %d CPUs\n", cpus_to_add); +- +- cpu_drcs = kcalloc(cpus_to_add, sizeof(*cpu_drcs), GFP_KERNEL); +- if (!cpu_drcs) +- return -EINVAL; +- +- parent = of_find_node_by_path("/cpus"); +- if (!parent) { +- pr_warn("Could not find CPU root node in device tree\n"); +- kfree(cpu_drcs); +- return -1; +- } +- +- info = of_find_property(parent, "ibm,drc-info", NULL); +- if (info) +- cpus_found = find_drc_info_cpus_to_add(parent, info, cpu_drcs, cpus_to_add); +- else +- cpus_found = find_drc_index_cpus_to_add(parent, cpu_drcs, cpus_to_add); +- +- of_node_put(parent); +- +- if (cpus_found < cpus_to_add) { +- pr_warn("Failed to find enough CPUs (%d of %d) to add\n", +- cpus_found, cpus_to_add); +- kfree(cpu_drcs); +- return -EINVAL; +- } +- +- for (i = 0; i < cpus_to_add; i++) { +- rc = dlpar_cpu_add(cpu_drcs[i]); +- if (rc) +- break; +- +- cpus_added++; +- } +- +- if (cpus_added < cpus_to_add) { +- pr_warn("CPU hot-add failed, removing any added CPUs\n"); +- +- for (i = 0; i < cpus_added; i++) +- dlpar_cpu_remove_by_index(cpu_drcs[i]); +- +- rc = -EINVAL; +- } else { +- rc = 0; +- } +- +- kfree(cpu_drcs); +- return rc; +-} +- + int dlpar_cpu(struct pseries_hp_errorlog *hp_elog) + { + u32 drc_index; +@@ -962,9 +752,7 @@ int dlpar_cpu(struct pseries_hp_errorlog *hp_elog) + + switch (hp_elog->action) { + case PSERIES_HP_ELOG_ACTION_REMOVE: +- if (hp_elog->id_type == PSERIES_HP_ELOG_ID_DRC_COUNT) +- rc = dlpar_cpu_remove_by_count(count); +- else if (hp_elog->id_type == PSERIES_HP_ELOG_ID_DRC_INDEX) ++ if (hp_elog->id_type == PSERIES_HP_ELOG_ID_DRC_INDEX) + rc = dlpar_cpu_remove_by_index(drc_index); + else + rc = -EINVAL; +@@ -978,9 +766,7 @@ int dlpar_cpu(struct pseries_hp_errorlog *hp_elog) + rc = -EINVAL; + break; + case PSERIES_HP_ELOG_ACTION_ADD: +- if (hp_elog->id_type == PSERIES_HP_ELOG_ID_DRC_COUNT) +- rc = dlpar_cpu_add_by_count(count); +- else if (hp_elog->id_type == PSERIES_HP_ELOG_ID_DRC_INDEX) ++ if (hp_elog->id_type == PSERIES_HP_ELOG_ID_DRC_INDEX) + rc = dlpar_cpu_add(drc_index); + else + rc = -EINVAL; +-- +2.31.1 + diff --git a/patches.suse/powerpc-pseries-mobility-ignore-ibm-platform-facilit.patch b/patches.suse/powerpc-pseries-mobility-ignore-ibm-platform-facilit.patch new file mode 100644 index 0000000..e00ded0 --- /dev/null +++ b/patches.suse/powerpc-pseries-mobility-ignore-ibm-platform-facilit.patch @@ -0,0 +1,182 @@ +From 319fa1a52e438a6e028329187783a25ad498c4e6 Mon Sep 17 00:00:00 2001 +From: Nathan Lynch +Date: Wed, 20 Oct 2021 14:47:03 -0500 +Subject: [PATCH] powerpc/pseries/mobility: ignore ibm, platform-facilities + updates +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +References: bsc#1065729 +Patch-mainline: v5.16-rc1 +Git-commit: 319fa1a52e438a6e028329187783a25ad498c4e6 + +On VMs with NX encryption, compression, and/or RNG offload, these +capabilities are described by nodes in the ibm,platform-facilities device +tree hierarchy: + + $ tree -d /sys/firmware/devicetree/base/ibm,platform-facilities/ + /sys/firmware/devicetree/base/ibm,platform-facilities/ + ├── ibm,compression-v1 + ├── ibm,random-v1 + └── ibm,sym-encryption-v1 + + 3 directories + +The acceleration functions that these nodes describe are not disrupted by +live migration, not even temporarily. + +But the post-migration ibm,update-nodes sequence firmware always sends +"delete" messages for this hierarchy, followed by an "add" directive to +reconstruct it via ibm,configure-connector (log with debugging statements +enabled in mobility.c): + + mobility: removing node /ibm,platform-facilities/ibm,random-v1:4294967285 + mobility: removing node /ibm,platform-facilities/ibm,compression-v1:4294967284 + mobility: removing node /ibm,platform-facilities/ibm,sym-encryption-v1:4294967283 + mobility: removing node /ibm,platform-facilities:4294967286 + ... + mobility: added node /ibm,platform-facilities:4294967286 + +Note we receive a single "add" message for the entire hierarchy, and what +we receive from the ibm,configure-connector sequence is the top-level +platform-facilities node along with its three children. The debug message +simply reports the parent node and not the whole subtree. + +Also, significantly, the nodes added are almost completely equivalent to +the ones removed; even phandles are unchanged. ibm,shared-interrupt-pool in +the leaf nodes is the only property I've observed to differ, and Linux does +not use that. So in practice, the sum of update messages Linux receives for +this hierarchy is equivalent to minor property updates. + +We succeed in removing the original hierarchy from the device tree. But the +vio bus code is ignorant of this, and does not unbind or relinquish its +references. The leaf nodes, still reachable through sysfs, of course still +refer to the now-freed ibm,platform-facilities parent node, which makes +use-after-free possible: + + refcount_t: addition on 0; use-after-free. + WARNING: CPU: 3 PID: 1706 at lib/refcount.c:25 refcount_warn_saturate+0x164/0x1f0 + refcount_warn_saturate+0x160/0x1f0 (unreliable) + kobject_get+0xf0/0x100 + of_node_get+0x30/0x50 + of_get_parent+0x50/0xb0 + of_fwnode_get_parent+0x54/0x90 + fwnode_count_parents+0x50/0x150 + fwnode_full_name_string+0x30/0x110 + device_node_string+0x49c/0x790 + vsnprintf+0x1c0/0x4c0 + sprintf+0x44/0x60 + devspec_show+0x34/0x50 + dev_attr_show+0x40/0xa0 + sysfs_kf_seq_show+0xbc/0x200 + kernfs_seq_show+0x44/0x60 + seq_read_iter+0x2a4/0x740 + kernfs_fop_read_iter+0x254/0x2e0 + new_sync_read+0x120/0x190 + vfs_read+0x1d0/0x240 + +Moreover, the "new" replacement subtree is not correctly added to the +device tree, resulting in ibm,platform-facilities parent node without the +appropriate leaf nodes, and broken symlinks in the sysfs device hierarchy: + + $ tree -d /sys/firmware/devicetree/base/ibm,platform-facilities/ + /sys/firmware/devicetree/base/ibm,platform-facilities/ + + 0 directories + + $ cd /sys/devices/vio ; find . -xtype l -exec file {} + + ./ibm,sym-encryption-v1/of_node: broken symbolic link to + ../../../firmware/devicetree/base/ibm,platform-facilities/ibm,sym-encryption-v1 + ./ibm,random-v1/of_node: broken symbolic link to + ../../../firmware/devicetree/base/ibm,platform-facilities/ibm,random-v1 + ./ibm,compression-v1/of_node: broken symbolic link to + ../../../firmware/devicetree/base/ibm,platform-facilities/ibm,compression-v1 + +This is because add_dt_node() -> dlpar_attach_node() attaches only the +parent node returned from configure-connector, ignoring any children. This +should be corrected for the general case, but fixing that won't help with +the stale OF node references, which is the more urgent problem. + +One way to address that would be to make the drivers respond to node +removal notifications, so that node references can be dropped +appropriately. But this would likely force the drivers to disrupt active +clients for no useful purpose: equivalent nodes are immediately re-added. +And recall that the acceleration capabilities described by the nodes remain +available throughout the whole process. + +The solution I believe to be robust for this situation is to convert +remove+add of a node with an unchanged phandle to an update of the node's +properties in the Linux device tree structure. That would involve changing +and adding a fair amount of code, and may take several iterations to land. + +Until that can be realized we have a confirmed use-after-free and the +possibility of memory corruption. So add a limited workaround that +discriminates on the node type, ignoring adds and removes. This should be +amenable to backporting in the meantime. + +Fixes: 410bccf97881 ("powerpc/pseries: Partition migration in the kernel") +Cc: stable@vger.kernel.org +Signed-off-by: Nathan Lynch +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20211020194703.2613093-1-nathanl@linux.ibm.com +Acked-by: Michal Suchanek +--- + arch/powerpc/platforms/pseries/mobility.c | 34 +++++++++++++++++++++++ + 1 file changed, 34 insertions(+) + +diff --git a/arch/powerpc/platforms/pseries/mobility.c b/arch/powerpc/platforms/pseries/mobility.c +index e83e0891272d..210a37a065fb 100644 +--- a/arch/powerpc/platforms/pseries/mobility.c ++++ b/arch/powerpc/platforms/pseries/mobility.c +@@ -63,6 +63,27 @@ static int mobility_rtas_call(int token, char *buf, s32 scope) + + static int delete_dt_node(struct device_node *dn) + { ++ struct device_node *pdn; ++ bool is_platfac; ++ ++ pdn = of_get_parent(dn); ++ is_platfac = of_node_is_type(dn, "ibm,platform-facilities") || ++ of_node_is_type(pdn, "ibm,platform-facilities"); ++ of_node_put(pdn); ++ ++ /* ++ * The drivers that bind to nodes in the platform-facilities ++ * hierarchy don't support node removal, and the removal directive ++ * from firmware is always followed by an add of an equivalent ++ * node. The capability (e.g. RNG, encryption, compression) ++ * represented by the node is never interrupted by the migration. ++ * So ignore changes to this part of the tree. ++ */ ++ if (is_platfac) { ++ pr_notice("ignoring remove operation for %pOFfp\n", dn); ++ return 0; ++ } ++ + pr_debug("removing node %pOFfp\n", dn); + dlpar_detach_node(dn); + return 0; +@@ -222,6 +243,19 @@ static int add_dt_node(struct device_node *parent_dn, __be32 drc_index) + if (!dn) + return -ENOENT; + ++ /* ++ * Since delete_dt_node() ignores this node type, this is the ++ * necessary counterpart. We also know that a platform-facilities ++ * node returned from dlpar_configure_connector() has children ++ * attached, and dlpar_attach_node() only adds the parent, leaking ++ * the children. So ignore these on the add side for now. ++ */ ++ if (of_node_is_type(dn, "ibm,platform-facilities")) { ++ pr_notice("ignoring add operation for %pOF\n", dn); ++ dlpar_free_cc_nodes(dn); ++ return 0; ++ } ++ + rc = dlpar_attach_node(dn, parent_dn); + if (rc) + dlpar_free_cc_nodes(dn); +-- +2.31.1 + diff --git a/patches.suse/powerpc-traps-do-not-enable-irqs-in-_exception.patch b/patches.suse/powerpc-traps-do-not-enable-irqs-in-_exception.patch new file mode 100644 index 0000000..78238d5 --- /dev/null +++ b/patches.suse/powerpc-traps-do-not-enable-irqs-in-_exception.patch @@ -0,0 +1,59 @@ +From d0afd44c05f8f4e4c91487c02d43c87a31552462 Mon Sep 17 00:00:00 2001 +From: Nicholas Piggin +Date: Tue, 5 Oct 2021 00:56:39 +1000 +Subject: [PATCH] powerpc/traps: do not enable irqs in _exception + +References: bsc#1065729 +Patch-mainline: v5.15-rc5 +Git-commit: d0afd44c05f8f4e4c91487c02d43c87a31552462 + +_exception can be called by machine check handlers when the MCE hits +user code (e.g., pseries and powernv). This will enable local irqs +because, which is a dicey thing to do in NMI or hard irq context. + +This seemed to worked out okay because a userspace MCE can basically be +treated like a synchronous interrupt (after async / imprecise MCEs are +filtered out). Since NMI and hard irq handlers have started growing +nmi_enter / irq_enter, and more irq state sanity checks, this has +started to cause problems (or at least trigger warnings). + +The Fixes tag to the commit which introduced this rather than try to +work out exactly which commit was the first that could possibly cause a +problem because that may be difficult to prove. + +Fixes: 9f2f79e3a3c1 ("powerpc: Disable interrupts in 64-bit kernel FP and vector faults") +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20211004145642.1331214-3-npiggin@gmail.com +Acked-by: Michal Suchanek +--- + arch/powerpc/kernel/traps.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/kernel/traps.c b/arch/powerpc/kernel/traps.c +index aac8c0412ff9..e453b666613b 100644 +--- a/arch/powerpc/kernel/traps.c ++++ b/arch/powerpc/kernel/traps.c +@@ -340,10 +340,16 @@ static bool exception_common(int signr, struct pt_regs *regs, int code, + return false; + } + +- show_signal_msg(signr, regs, code, addr); ++ /* ++ * Must not enable interrupts even for user-mode exception, because ++ * this can be called from machine check, which may be a NMI or IRQ ++ * which don't like interrupts being enabled. Could check for ++ * in_hardirq || in_nmi perhaps, but there doesn't seem to be a good ++ * reason why _exception() should enable irqs for an exception handler, ++ * the handlers themselves do that directly. ++ */ + +- if (arch_irqs_disabled()) +- interrupt_cond_local_irq_enable(regs); ++ show_signal_msg(signr, regs, code, addr); + + current->thread.trap_nr = code; + +-- +2.31.1 + diff --git a/patches.suse/powerpc-xive-Add-missing-null-check-after-calling-km.patch b/patches.suse/powerpc-xive-Add-missing-null-check-after-calling-km.patch new file mode 100644 index 0000000..8ac8236 --- /dev/null +++ b/patches.suse/powerpc-xive-Add-missing-null-check-after-calling-km.patch @@ -0,0 +1,44 @@ +From 18dbfcdedc802f9500b2c29794f22a31d27639c0 Mon Sep 17 00:00:00 2001 +From: Ammar Faizi +Date: Sun, 26 Dec 2021 20:54:02 +0700 +Subject: [PATCH] powerpc/xive: Add missing null check after calling kmalloc +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +References: bsc#1177437 ltc#188522 jsc#SLE-13294 git-fixes +Patch-mainline: v5.17-rc1 +Git-commit: 18dbfcdedc802f9500b2c29794f22a31d27639c0 + +Commit 930914b7d528fc ("powerpc/xive: Add a debugfs file to dump +internal XIVE state") forgot to add a null check. + +Add it. + +Fixes: 930914b7d528fc6b0249bffc00564100bcf6ef75 ("powerpc/xive: Add a debugfs file to dump internal XIVE state") +Signed-off-by: Ammar Faizi +Reviewed-by: Cédric Le Goater +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20211226135314.251221-1-ammar.faizi@intel.com +Acked-by: Michal Suchanek +--- + arch/powerpc/sysdev/xive/spapr.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/powerpc/sysdev/xive/spapr.c b/arch/powerpc/sysdev/xive/spapr.c +index dfc4634335cc..928f95004501 100644 +--- a/arch/powerpc/sysdev/xive/spapr.c ++++ b/arch/powerpc/sysdev/xive/spapr.c +@@ -653,6 +653,9 @@ static int xive_spapr_debug_show(struct seq_file *m, void *private) + struct xive_irq_bitmap *xibm; + char *buf = kmalloc(PAGE_SIZE, GFP_KERNEL); + ++ if (!buf) ++ return -ENOMEM; ++ + list_for_each_entry(xibm, &xive_irq_bitmaps, list) { + memset(buf, 0, PAGE_SIZE); + bitmap_print_to_pagebuf(true, buf, xibm->bitmap, xibm->count); +-- +2.31.1 + diff --git a/patches.suse/rpmsg-core-Clean-up-resources-on-announce_create-fai.patch b/patches.suse/rpmsg-core-Clean-up-resources-on-announce_create-fai.patch new file mode 100644 index 0000000..178e417 --- /dev/null +++ b/patches.suse/rpmsg-core-Clean-up-resources-on-announce_create-fai.patch @@ -0,0 +1,62 @@ +From 8066c615cb69b7da8a94f59379847b037b3a5e46 Mon Sep 17 00:00:00 2001 +From: Arnaud Pouliquen +Date: Mon, 6 Dec 2021 20:07:58 +0100 +Subject: [PATCH] rpmsg: core: Clean up resources on announce_create failure. +Git-commit: 8066c615cb69b7da8a94f59379847b037b3a5e46 +Patch-mainline: v5.17-rc1 +References: git-fixes + +During the rpmsg_dev_probe, if rpdev->ops->announce_create returns an +error, the rpmsg device and default endpoint should be freed before +exiting the function. + +Fixes: 5e619b48677c ("rpmsg: Split rpmsg core and virtio backend") +Suggested-by: Bjorn Andersson +Signed-off-by: Arnaud Pouliquen +Reviewed-by: Bjorn Andersson +Cc: stable +Link: https://lore.kernel.org/r/20211206190758.10004-1-arnaud.pouliquen@foss.st.com +Signed-off-by: Mathieu Poirier +Acked-by: Takashi Iwai + +--- + drivers/rpmsg/rpmsg_core.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +diff --git a/drivers/rpmsg/rpmsg_core.c b/drivers/rpmsg/rpmsg_core.c +index f031b2b1b21c..d9e612f4f0f2 100644 +--- a/drivers/rpmsg/rpmsg_core.c ++++ b/drivers/rpmsg/rpmsg_core.c +@@ -540,13 +540,25 @@ static int rpmsg_dev_probe(struct device *dev) + err = rpdrv->probe(rpdev); + if (err) { + dev_err(dev, "%s: failed: %d\n", __func__, err); +- if (ept) +- rpmsg_destroy_ept(ept); +- goto out; ++ goto destroy_ept; + } + +- if (ept && rpdev->ops->announce_create) ++ if (ept && rpdev->ops->announce_create) { + err = rpdev->ops->announce_create(rpdev); ++ if (err) { ++ dev_err(dev, "failed to announce creation\n"); ++ goto remove_rpdev; ++ } ++ } ++ ++ return 0; ++ ++remove_rpdev: ++ if (rpdrv->remove) ++ rpdrv->remove(rpdev); ++destroy_ept: ++ if (ept) ++ rpmsg_destroy_ept(ept); + out: + return err; + } +-- +2.31.1 + diff --git a/patches.suse/sctp-account-stream-padding-length-for-reconf-chunk.patch b/patches.suse/sctp-account-stream-padding-length-for-reconf-chunk.patch new file mode 100644 index 0000000..1fd3657 --- /dev/null +++ b/patches.suse/sctp-account-stream-padding-length-for-reconf-chunk.patch @@ -0,0 +1,42 @@ +From: Eiichi Tsukata +Date: Wed, 13 Oct 2021 17:27:29 -0300 +Subject: sctp: account stream padding length for reconf chunk +Patch-mainline: v5.15-rc6 +Git-commit: a2d859e3fc97e79d907761550dbc03ff1b36479c +References: bsc#1194985 CVE-2022-0322 + +sctp_make_strreset_req() makes repeated calls to sctp_addto_chunk() +which will automatically account for padding on each call. inreq and +outreq are already 4 bytes aligned, but the payload is not and doing +SCTP_PAD4(a + b) (which _sctp_make_chunk() did implicitly here) is +different from SCTP_PAD4(a) + SCTP_PAD4(b) and not enough. It led to +possible attempt to use more buffer than it was allocated and triggered +a BUG_ON. + +Cc: Vlad Yasevich +Cc: Neil Horman +Cc: Greg KH +Fixes: cc16f00f6529 ("sctp: add support for generating stream reconf ssn reset request chunk") +Reported-by: Eiichi Tsukata +Signed-off-by: Eiichi Tsukata +Signed-off-by: Marcelo Ricardo Leitner +Signed-off-by: Marcelo Ricardo Leitner +Reviewed-by: Xin Long +Link: https://lore.kernel.org/r/b97c1f8b0c7ff79ac4ed206fc2c49d3612e0850c.1634156849.git.mleitner@redhat.com +Signed-off-by: Jakub Kicinski +Acked-by: Thomas Bogendoerfer +--- + net/sctp/sm_make_chunk.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sctp/sm_make_chunk.c ++++ b/net/sctp/sm_make_chunk.c +@@ -3647,7 +3647,7 @@ struct sctp_chunk *sctp_make_strreset_re + outlen = (sizeof(outreq) + stream_len) * out; + inlen = (sizeof(inreq) + stream_len) * in; + +- retval = sctp_make_reconf(asoc, outlen + inlen); ++ retval = sctp_make_reconf(asoc, SCTP_PAD4(outlen) + SCTP_PAD4(inlen)); + if (!retval) + return NULL; + diff --git a/patches.suse/tee-don-t-assign-shm-id-for-private-shms.patch b/patches.suse/tee-don-t-assign-shm-id-for-private-shms.patch new file mode 100644 index 0000000..107a52d --- /dev/null +++ b/patches.suse/tee-don-t-assign-shm-id-for-private-shms.patch @@ -0,0 +1,93 @@ +From: Jens Wiklander +Date: Thu, 7 Nov 2019 11:42:56 +0100 +Subject: tee: don't assign shm id for private shms +Git-commit: f1bbacedb0af640a93e47799203e556be2825da3 +Patch-mainline: v5.7-rc1 +References: bsc#1193767 CVE-2021-44733 + +Private shared memory object must not be referenced from user space. To +guarantee that, don't assign an id to shared memory objects which are +driver private. + +Signed-off-by: Jens Wiklander +Acked-by: Borislav Petkov +--- + drivers/tee/tee_private.h | 3 ++- + drivers/tee/tee_shm.c | 31 ++++++++++++++++++------------- + 2 files changed, 20 insertions(+), 14 deletions(-) + +diff --git a/drivers/tee/tee_private.h b/drivers/tee/tee_private.h +index f797171f0434..e55204df31ce 100644 +--- a/drivers/tee/tee_private.h ++++ b/drivers/tee/tee_private.h +@@ -37,7 +37,8 @@ struct tee_shm_pool { + * @num_users: number of active users of this device + * @c_no_user: completion used when unregistering the device + * @mutex: mutex protecting @num_users and @idr +- * @idr: register of shared memory object allocated on this device ++ * @idr: register of user space shared memory objects allocated or ++ * registered on this device + * @pool: shared memory pool + */ + struct tee_device { +diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c +index b666854c2491..02210f179ae3 100644 +--- a/drivers/tee/tee_shm.c ++++ b/drivers/tee/tee_shm.c +@@ -15,9 +15,11 @@ static void tee_shm_release(struct tee_shm *shm) + { + struct tee_device *teedev = shm->teedev; + +- mutex_lock(&teedev->mutex); +- idr_remove(&teedev->idr, shm->id); +- mutex_unlock(&teedev->mutex); ++ if (shm->flags & TEE_SHM_DMA_BUF) { ++ mutex_lock(&teedev->mutex); ++ idr_remove(&teedev->idr, shm->id); ++ mutex_unlock(&teedev->mutex); ++ } + + if (shm->flags & TEE_SHM_POOL) { + struct tee_shm_pool_mgr *poolm; +@@ -137,17 +139,18 @@ struct tee_shm *tee_shm_alloc(struct tee_context *ctx, size_t size, u32 flags) + goto err_kfree; + } + +- mutex_lock(&teedev->mutex); +- shm->id = idr_alloc(&teedev->idr, shm, 1, 0, GFP_KERNEL); +- mutex_unlock(&teedev->mutex); +- if (shm->id < 0) { +- ret = ERR_PTR(shm->id); +- goto err_pool_free; +- } + + if (flags & TEE_SHM_DMA_BUF) { + DEFINE_DMA_BUF_EXPORT_INFO(exp_info); + ++ mutex_lock(&teedev->mutex); ++ shm->id = idr_alloc(&teedev->idr, shm, 1, 0, GFP_KERNEL); ++ mutex_unlock(&teedev->mutex); ++ if (shm->id < 0) { ++ ret = ERR_PTR(shm->id); ++ goto err_pool_free; ++ } ++ + exp_info.ops = &tee_shm_dma_buf_ops; + exp_info.size = shm->size; + exp_info.flags = O_RDWR; +@@ -165,9 +168,11 @@ struct tee_shm *tee_shm_alloc(struct tee_context *ctx, size_t size, u32 flags) + + return shm; + err_rem: +- mutex_lock(&teedev->mutex); +- idr_remove(&teedev->idr, shm->id); +- mutex_unlock(&teedev->mutex); ++ if (flags & TEE_SHM_DMA_BUF) { ++ mutex_lock(&teedev->mutex); ++ idr_remove(&teedev->idr, shm->id); ++ mutex_unlock(&teedev->mutex); ++ } + err_pool_free: + poolm->ops->free(poolm, shm); + err_kfree: + diff --git a/patches.suse/tee-handle-lookup-of-shm-with-reference-count-0.patch b/patches.suse/tee-handle-lookup-of-shm-with-reference-count-0.patch new file mode 100644 index 0000000..a40e0ab --- /dev/null +++ b/patches.suse/tee-handle-lookup-of-shm-with-reference-count-0.patch @@ -0,0 +1,333 @@ +From: Jens Wiklander +Date: Thu, 9 Dec 2021 15:59:37 +0100 +Subject: tee: handle lookup of shm with reference count 0 +Git-commit: dfd0743f1d9ea76931510ed150334d571fbab49d +Patch-mainline: v5.16-rc7 +References: bsc#1193767 CVE-2021-44733 + +Since the tee subsystem does not keep a strong reference to its idle +shared memory buffers, it races with other threads that try to destroy a +shared memory through a close of its dma-buf fd or by unmapping the +memory. + +In tee_shm_get_from_id() when a lookup in teedev->idr has been +successful, it is possible that the tee_shm is in the dma-buf teardown +path, but that path is blocked by the teedev mutex. Since we don't have +an API to tell if the tee_shm is in the dma-buf teardown path or not we +must find another way of detecting this condition. + +Fix this by doing the reference counting directly on the tee_shm using a +new refcount_t refcount field. dma-buf is replaced by using +anon_inode_getfd() instead, this separates the life-cycle of the +underlying file from the tee_shm. tee_shm_put() is updated to hold the +mutex when decreasing the refcount to 0 and then remove the tee_shm from +teedev->idr before releasing the mutex. This means that the tee_shm can +never be found unless it has a refcount larger than 0. + +Fixes: 967c9cca2cc5 ("tee: generic TEE subsystem") +Cc: stable@vger.kernel.org +Reviewed-by: Greg Kroah-Hartman +Reviewed-by: Lars Persson +Reviewed-by: Sumit Garg +Reported-by: Patrik Lantz +Signed-off-by: Jens Wiklander +Acked-by: Borislav Petkov +--- + drivers/tee/tee_shm.c | 177 +++++++++++++++++------------------------------- + include/linux/tee_drv.h | 4 - + 2 files changed, 68 insertions(+), 113 deletions(-) + +--- a/drivers/tee/tee_shm.c ++++ b/drivers/tee/tee_shm.c +@@ -1,26 +1,18 @@ + // SPDX-License-Identifier: GPL-2.0-only + /* +- * Copyright (c) 2015-2016, Linaro Limited ++ * Copyright (c) 2015-2017, 2019-2021 Linaro Limited + */ ++#include + #include +-#include +-#include + #include ++#include + #include + #include + #include + #include "tee_private.h" + +-static void tee_shm_release(struct tee_shm *shm) ++static void tee_shm_release(struct tee_device *teedev, struct tee_shm *shm) + { +- struct tee_device *teedev = shm->teedev; +- +- if (shm->flags & TEE_SHM_DMA_BUF) { +- mutex_lock(&teedev->mutex); +- idr_remove(&teedev->idr, shm->id); +- mutex_unlock(&teedev->mutex); +- } +- + if (shm->flags & TEE_SHM_POOL) { + struct tee_shm_pool_mgr *poolm; + +@@ -52,45 +52,6 @@ static void tee_shm_release(struct tee_s + tee_device_put(teedev); + } + +-static struct sg_table *tee_shm_op_map_dma_buf(struct dma_buf_attachment +- *attach, enum dma_data_direction dir) +-{ +- return NULL; +-} +- +-static void tee_shm_op_unmap_dma_buf(struct dma_buf_attachment *attach, +- struct sg_table *table, +- enum dma_data_direction dir) +-{ +-} +- +-static void tee_shm_op_release(struct dma_buf *dmabuf) +-{ +- struct tee_shm *shm = dmabuf->priv; +- +- tee_shm_release(shm); +-} +- +-static int tee_shm_op_mmap(struct dma_buf *dmabuf, struct vm_area_struct *vma) +-{ +- struct tee_shm *shm = dmabuf->priv; +- size_t size = vma->vm_end - vma->vm_start; +- +- /* Refuse sharing shared memory provided by application */ +- if (shm->flags & TEE_SHM_REGISTER) +- return -EINVAL; +- +- return remap_pfn_range(vma, vma->vm_start, shm->paddr >> PAGE_SHIFT, +- size, vma->vm_page_prot); +-} +- +-static const struct dma_buf_ops tee_shm_dma_buf_ops = { +- .map_dma_buf = tee_shm_op_map_dma_buf, +- .unmap_dma_buf = tee_shm_op_unmap_dma_buf, +- .release = tee_shm_op_release, +- .mmap = tee_shm_op_mmap, +-}; +- + static struct tee_shm *__tee_shm_alloc(struct tee_context *ctx, + struct tee_device *teedev, + size_t size, u32 flags) +@@ -137,6 +84,7 @@ static struct tee_shm *__tee_shm_alloc(s + goto err_dev_put; + } + ++ refcount_set(&shm->refcount, 1); + shm->flags = flags | TEE_SHM_POOL; + shm->teedev = teedev; + shm->ctx = ctx; +@@ -151,10 +99,7 @@ static struct tee_shm *__tee_shm_alloc(s + goto err_kfree; + } + +- + if (flags & TEE_SHM_DMA_BUF) { +- DEFINE_DMA_BUF_EXPORT_INFO(exp_info); +- + mutex_lock(&teedev->mutex); + shm->id = idr_alloc(&teedev->idr, shm, 1, 0, GFP_KERNEL); + mutex_unlock(&teedev->mutex); +@@ -162,29 +107,12 @@ static struct tee_shm *__tee_shm_alloc(s + ret = ERR_PTR(shm->id); + goto err_pool_free; + } +- +- exp_info.ops = &tee_shm_dma_buf_ops; +- exp_info.size = shm->size; +- exp_info.flags = O_RDWR; +- exp_info.priv = shm; +- +- shm->dmabuf = dma_buf_export(&exp_info); +- if (IS_ERR(shm->dmabuf)) { +- ret = ERR_CAST(shm->dmabuf); +- goto err_rem; +- } + } + + if (ctx) + teedev_ctx_get(ctx); + + return shm; +-err_rem: +- if (flags & TEE_SHM_DMA_BUF) { +- mutex_lock(&teedev->mutex); +- idr_remove(&teedev->idr, shm->id); +- mutex_unlock(&teedev->mutex); +- } + err_pool_free: + poolm->ops->free(poolm, shm); + err_kfree: +@@ -249,6 +177,7 @@ struct tee_shm *tee_shm_register(struct + goto err; + } + ++ refcount_set(&shm->refcount, 1); + shm->flags = flags | TEE_SHM_REGISTER; + shm->teedev = teedev; + shm->ctx = ctx; +@@ -289,22 +218,6 @@ struct tee_shm *tee_shm_register(struct + goto err; + } + +- if (flags & TEE_SHM_DMA_BUF) { +- DEFINE_DMA_BUF_EXPORT_INFO(exp_info); +- +- exp_info.ops = &tee_shm_dma_buf_ops; +- exp_info.size = shm->size; +- exp_info.flags = O_RDWR; +- exp_info.priv = shm; +- +- shm->dmabuf = dma_buf_export(&exp_info); +- if (IS_ERR(shm->dmabuf)) { +- ret = ERR_CAST(shm->dmabuf); +- teedev->desc->ops->shm_unregister(ctx, shm); +- goto err; +- } +- } +- + return shm; + err: + if (shm) { +@@ -328,6 +241,35 @@ err: + } + EXPORT_SYMBOL_GPL(tee_shm_register); + ++static int tee_shm_fop_release(struct inode *inode, struct file *filp) ++{ ++ tee_shm_put(filp->private_data); ++ return 0; ++} ++ ++static int tee_shm_fop_mmap(struct file *filp, struct vm_area_struct *vma) ++{ ++ struct tee_shm *shm = filp->private_data; ++ size_t size = vma->vm_end - vma->vm_start; ++ ++ /* Refuse sharing shared memory provided by application */ ++ if (shm->flags & TEE_SHM_USER_MAPPED) ++ return -EINVAL; ++ ++ /* check for overflowing the buffer's size */ ++ if (vma->vm_pgoff + vma_pages(vma) > shm->size >> PAGE_SHIFT) ++ return -EINVAL; ++ ++ return remap_pfn_range(vma, vma->vm_start, shm->paddr >> PAGE_SHIFT, ++ size, vma->vm_page_prot); ++} ++ ++static const struct file_operations tee_shm_fops = { ++ .owner = THIS_MODULE, ++ .release = tee_shm_fop_release, ++ .mmap = tee_shm_fop_mmap, ++}; ++ + /** + * tee_shm_get_fd() - Increase reference count and return file descriptor + * @shm: Shared memory handle +@@ -340,10 +282,11 @@ int tee_shm_get_fd(struct tee_shm *shm) + if (!(shm->flags & TEE_SHM_DMA_BUF)) + return -EINVAL; + +- get_dma_buf(shm->dmabuf); +- fd = dma_buf_fd(shm->dmabuf, O_CLOEXEC); ++ /* matched by tee_shm_put() in tee_shm_op_release() */ ++ refcount_inc(&shm->refcount); ++ fd = anon_inode_getfd("tee_shm", &tee_shm_fops, shm, O_RDWR); + if (fd < 0) +- dma_buf_put(shm->dmabuf); ++ tee_shm_put(shm); + return fd; + } + +@@ -353,17 +296,7 @@ int tee_shm_get_fd(struct tee_shm *shm) + */ + void tee_shm_free(struct tee_shm *shm) + { +- /* +- * dma_buf_put() decreases the dmabuf reference counter and will +- * call tee_shm_release() when the last reference is gone. +- * +- * In the case of driver private memory we call tee_shm_release +- * directly instead as it doesn't have a reference counter. +- */ +- if (shm->flags & TEE_SHM_DMA_BUF) +- dma_buf_put(shm->dmabuf); +- else +- tee_shm_release(shm); ++ tee_shm_put(shm); + } + EXPORT_SYMBOL_GPL(tee_shm_free); + +@@ -470,10 +403,15 @@ struct tee_shm *tee_shm_get_from_id(stru + teedev = ctx->teedev; + mutex_lock(&teedev->mutex); + shm = idr_find(&teedev->idr, id); ++ /* ++ * If the tee_shm was found in the IDR it must have a refcount ++ * larger than 0 due to the guarantee in tee_shm_put() below. So ++ * it's safe to use refcount_inc(). ++ */ + if (!shm || shm->ctx != ctx) + shm = ERR_PTR(-EINVAL); +- else if (shm->flags & TEE_SHM_DMA_BUF) +- get_dma_buf(shm->dmabuf); ++ else ++ refcount_inc(&shm->refcount); + mutex_unlock(&teedev->mutex); + return shm; + } +@@ -485,7 +423,24 @@ EXPORT_SYMBOL_GPL(tee_shm_get_from_id); + */ + void tee_shm_put(struct tee_shm *shm) + { +- if (shm->flags & TEE_SHM_DMA_BUF) +- dma_buf_put(shm->dmabuf); ++ struct tee_device *teedev = shm->ctx->teedev; ++ bool do_release = false; ++ ++ mutex_lock(&teedev->mutex); ++ if (refcount_dec_and_test(&shm->refcount)) { ++ /* ++ * refcount has reached 0, we must now remove it from the ++ * IDR before releasing the mutex. This will guarantee that ++ * the refcount_inc() in tee_shm_get_from_id() never starts ++ * from 0. ++ */ ++ if (shm->flags & TEE_SHM_DMA_BUF) ++ idr_remove(&teedev->idr, shm->id); ++ do_release = true; ++ } ++ mutex_unlock(&teedev->mutex); ++ ++ if (do_release) ++ tee_shm_release(teedev, shm); + } + EXPORT_SYMBOL_GPL(tee_shm_put); +--- a/include/linux/tee_drv.h ++++ b/include/linux/tee_drv.h +@@ -177,7 +177,7 @@ void tee_device_unregister(struct tee_de + * @offset: offset of buffer in user space + * @pages: locked pages from userspace + * @num_pages: number of locked pages +- * @dmabuf: dmabuf used to for exporting to user space ++ * @refcount: reference counter + * @flags: defined by TEE_SHM_* in tee_drv.h + * @id: unique id of a shared memory object on this device + * +@@ -194,7 +194,7 @@ struct tee_shm { + unsigned int offset; + struct page **pages; + size_t num_pages; +- struct dma_buf *dmabuf; ++ refcount_t refcount; + u32 flags; + int id; + }; diff --git a/patches.suse/tee-remove-linked-list-of-struct-tee_shm.patch b/patches.suse/tee-remove-linked-list-of-struct-tee_shm.patch new file mode 100644 index 0000000..b04d474 --- /dev/null +++ b/patches.suse/tee-remove-linked-list-of-struct-tee_shm.patch @@ -0,0 +1,64 @@ +From: Jens Wiklander +Date: Thu, 7 Nov 2019 11:42:49 +0100 +Subject: tee: remove linked list of struct tee_shm +Git-commit: 59a135f6fb669f4f79f43160c7b8c8d6bfb37f75 +Patch-mainline: v5.7-rc1 +References: bsc#1193767 CVE-2021-44733 + +Removes list_shm from struct tee_context since the linked list isn't used +any longer. + +Signed-off-by: Jens Wiklander + [ bp: Drop the include/linux/tee_drv.h hunk to avoid kABI breakage ] +Acked-by: Borislav Petkov +--- + drivers/tee/tee_core.c | 1 - + drivers/tee/tee_shm.c | 12 +----------- + 2 files changed, 1 insertion(+), 12 deletions(-) + +--- a/drivers/tee/tee_core.c ++++ b/drivers/tee/tee_core.c +@@ -44,7 +44,6 @@ static struct tee_context *teedev_open(s + + kref_init(&ctx->refcount); + ctx->teedev = teedev; +- INIT_LIST_HEAD(&ctx->list_shm); + rc = teedev->desc->ops->open(ctx); + if (rc) + goto err; +--- a/drivers/tee/tee_shm.c ++++ b/drivers/tee/tee_shm.c +@@ -17,8 +17,6 @@ static void tee_shm_release(struct tee_s + + mutex_lock(&teedev->mutex); + idr_remove(&teedev->idr, shm->id); +- if (shm->ctx) +- list_del(&shm->link); + mutex_unlock(&teedev->mutex); + + if (shm->flags & TEE_SHM_POOL) { +@@ -174,12 +172,8 @@ static struct tee_shm *__tee_shm_alloc(s + } + } + +- if (ctx) { ++ if (ctx) + teedev_ctx_get(ctx); +- mutex_lock(&teedev->mutex); +- list_add_tail(&shm->link, &ctx->list_shm); +- mutex_unlock(&teedev->mutex); +- } + + return shm; + err_rem: +@@ -306,10 +300,6 @@ struct tee_shm *tee_shm_register(struct + } + } + +- mutex_lock(&teedev->mutex); +- list_add_tail(&shm->link, &ctx->list_shm); +- mutex_unlock(&teedev->mutex); +- + return shm; + err: + if (shm) { diff --git a/patches.suse/tpm-fix-potential-NULL-pointer-access-in-tpm_del_cha.patch b/patches.suse/tpm-fix-potential-NULL-pointer-access-in-tpm_del_cha.patch index 5fa23de..2d88342 100644 --- a/patches.suse/tpm-fix-potential-NULL-pointer-access-in-tpm_del_cha.patch +++ b/patches.suse/tpm-fix-potential-NULL-pointer-access-in-tpm_del_cha.patch @@ -4,7 +4,7 @@ Date: Mon, 20 Dec 2021 16:06:35 +0100 Subject: [PATCH] tpm: fix potential NULL pointer access in tpm_del_char_device Git-commit: eabad7ba2c752392ae50f24a795093fb115b686d Patch-mainline: v5.17-rc1 -References: git-fixes +References: git-fixes bsc#1193660 ltc#195634 Some SPI controller drivers unregister the controller in the shutdown handler (e.g. BCM2835). If such a controller is used with a TPM 2 slave diff --git a/patches.suse/tracing-Add-test-for-user-space-strings-when-filtering-on-string-pointers.patch b/patches.suse/tracing-Add-test-for-user-space-strings-when-filtering-on-string-pointers.patch new file mode 100644 index 0000000..25ad5ea --- /dev/null +++ b/patches.suse/tracing-Add-test-for-user-space-strings-when-filtering-on-string-pointers.patch @@ -0,0 +1,212 @@ +From: Steven Rostedt +Date: Mon, 10 Jan 2022 11:55:32 -0500 +Subject: tracing: Add test for user space strings when filtering on string + pointers +Git-commit: 77360f9bbc7e5e2ab7a2c8b4c0244fbbfcfc6f62 +Patch-mainline: v5.16 or v5.16-rc9 (next release) +References: git-fixes + +Pingfan reported that the following causes a fault: + + echo "filename ~ \"cpu\"" > events/syscalls/sys_enter_openat/filter + echo 1 > events/syscalls/sys_enter_at/enable + +The reason is that trace event filter treats the user space pointer +defined by "filename" as a normal pointer to compare against the "cpu" +string. The following bug happened: + + kvm-03-guest16 login: [72198.026181] BUG: unable to handle page fault for address: 00007fffaae8ef60 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0001) - permissions violation + PGD 80000001008b7067 P4D 80000001008b7067 PUD 2393f1067 PMD 2393ec067 PTE 8000000108f47867 + Oops: 0001 [#1] PREEMPT SMP PTI + CPU: 1 PID: 1 Comm: systemd Kdump: loaded Not tainted 5.14.0-32.el9.x86_64 #1 + Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 + RIP: 0010:strlen+0x0/0x20 + Code: 48 89 f9 74 09 48 83 c1 01 80 39 00 75 f7 31 d2 44 0f b6 04 16 44 88 04 11 + 48 83 c2 01 45 84 c0 75 ee c3 0f 1f 80 00 00 00 00 <80> 3f 00 74 10 48 89 f8 + 48 83 c0 01 80 38 00 75 f7 48 29 f8 c3 31 + RSP: 0018:ffffb5b900013e48 EFLAGS: 00010246 + RAX: 0000000000000018 RBX: ffff8fc1c49ede00 RCX: 0000000000000000 + RDX: 0000000000000020 RSI: ffff8fc1c02d601c RDI: 00007fffaae8ef60 + RBP: 00007fffaae8ef60 R08: 0005034f4ddb8ea4 R09: 0000000000000000 + R10: ffff8fc1c02d601c R11: 0000000000000000 R12: ffff8fc1c8a6e380 + R13: 0000000000000000 R14: ffff8fc1c02d6010 R15: ffff8fc1c00453c0 + FS: 00007fa86123db40(0000) GS:ffff8fc2ffd00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007fffaae8ef60 CR3: 0000000102880001 CR4: 00000000007706e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + PKRU: 55555554 + Call Trace: + filter_pred_pchar+0x18/0x40 + filter_match_preds+0x31/0x70 + ftrace_syscall_enter+0x27a/0x2c0 + syscall_trace_enter.constprop.0+0x1aa/0x1d0 + do_syscall_64+0x16/0x90 + entry_SYSCALL_64_after_hwframe+0x44/0xae + RIP: 0033:0x7fa861d88664 + +The above happened because the kernel tried to access user space directly +and triggered a "supervisor read access in kernel mode" fault. Worse yet, +the memory could not even be loaded yet, and a SEGFAULT could happen as +well. This could be true for kernel space accessing as well. + +To be even more robust, test both kernel and user space strings. If the +string fails to read, then simply have the filter fail. + +Note, TASK_SIZE is used to determine if the pointer is user or kernel space +and the appropriate strncpy_from_kernel/user_nofault() function is used to +copy the memory. For some architectures, the compare to TASK_SIZE may always +pick user space or kernel space. If it gets it wrong, the only thing is that +the filter will fail to match. In the future, this needs to be fixed to have +the event denote which should be used. But failing a filter is much better +than panicing the machine, and that can be solved later. + +Link: https://lore.kernel.org/all/20220107044951.22080-1-kernelfans@gmail.com/ +Link: https://lkml.kernel.org/r/20220110115532.536088fd@gandalf.local.home + +Cc: stable@vger.kernel.org +Cc: Ingo Molnar +Cc: Andrew Morton +Cc: Masami Hiramatsu +Cc: Tom Zanussi +Reported-by: Pingfan Liu +Tested-by: Pingfan Liu +Fixes: 87a342f5db69d ("tracing/filters: Support filtering for char * strings") +Signed-off-by: Steven Rostedt +[ mb: + s/strncpy_from_kernel_nofault/strncpy_from_unsafe_strict/ + s/strncpy_from_user_nofault/strncpy_from_unsafe_user/ +] +Acked-by: Miroslav Benes +--- + Documentation/trace/events.rst | 10 +++++ + kernel/trace/trace_events_filter.c | 66 +++++++++++++++++++++++++++++++++++-- + 2 files changed, 73 insertions(+), 3 deletions(-) + +--- a/Documentation/trace/events.rst ++++ b/Documentation/trace/events.rst +@@ -230,6 +230,16 @@ Currently the caret ('^') for an error a + the filter string; the error message should still be useful though + even without more accurate position info. + ++5.2.1 Filter limitations ++------------------------ ++ ++If a filter is placed on a string pointer ``(char *)`` that does not point ++to a string on the ring buffer, but instead points to kernel or user space ++memory, then, for safety reasons, at most 1024 bytes of the content is ++copied onto a temporary buffer to do the compare. If the copy of the memory ++faults (the pointer points to memory that should not be accessed), then the ++string compare will be treated as not matching. ++ + 5.3 Clearing filters + -------------------- + +--- a/kernel/trace/trace_events_filter.c ++++ b/kernel/trace/trace_events_filter.c +@@ -5,6 +5,7 @@ + * Copyright (C) 2009 Tom Zanussi + */ + ++#include + #include + #include + #include +@@ -654,6 +655,47 @@ DEFINE_EQUALITY_PRED(32); + DEFINE_EQUALITY_PRED(16); + DEFINE_EQUALITY_PRED(8); + ++/* user space strings temp buffer */ ++#define USTRING_BUF_SIZE 1024 ++ ++struct ustring_buffer { ++ char buffer[USTRING_BUF_SIZE]; ++}; ++ ++static __percpu struct ustring_buffer *ustring_per_cpu; ++ ++static __always_inline char *test_string(char *str) ++{ ++ struct ustring_buffer *ubuf; ++ char __user *ustr; ++ char *kstr; ++ ++ if (!ustring_per_cpu) ++ return NULL; ++ ++ ubuf = this_cpu_ptr(ustring_per_cpu); ++ kstr = ubuf->buffer; ++ ++ /* ++ * We use TASK_SIZE to denote user or kernel space, but this will ++ * not work for all architectures. If it picks the wrong one, it may ++ * just fail the filter (but will not bug). ++ * ++ * TODO: Have a way to properly denote which one this is for. ++ */ ++ if (likely((unsigned long)str >= TASK_SIZE)) { ++ /* For safety, do not trust the string pointer */ ++ if (!strncpy_from_unsafe_strict(kstr, str, USTRING_BUF_SIZE)) ++ return NULL; ++ } else { ++ /* user space address? */ ++ ustr = (char __user *)str; ++ if (!strncpy_from_unsafe_user(kstr, ustr, USTRING_BUF_SIZE)) ++ return NULL; ++ } ++ return kstr; ++} ++ + /* Filter predicate for fixed sized arrays of characters */ + static int filter_pred_string(struct filter_pred *pred, void *event) + { +@@ -671,10 +713,16 @@ static int filter_pred_string(struct fil + static int filter_pred_pchar(struct filter_pred *pred, void *event) + { + char **addr = (char **)(event + pred->offset); ++ char *str; + int cmp, match; +- int len = strlen(*addr) + 1; /* including tailing '\0' */ ++ int len; ++ ++ str = test_string(*addr); ++ if (!str) ++ return 0; + +- cmp = pred->regex.match(*addr, &pred->regex, len); ++ len = strlen(str) + 1; /* including tailing '\0' */ ++ cmp = pred->regex.match(str, &pred->regex, len); + + match = cmp ^ pred->not; + +@@ -1320,8 +1368,17 @@ static int parse_pred(const char *str, v + + } else if (field->filter_type == FILTER_DYN_STRING) + pred->fn = filter_pred_strloc; +- else ++ else { ++ ++ if (!ustring_per_cpu) { ++ /* Once allocated, keep it around for good */ ++ ustring_per_cpu = alloc_percpu(struct ustring_buffer); ++ if (!ustring_per_cpu) ++ goto err_mem; ++ } ++ + pred->fn = filter_pred_pchar; ++ } + /* go past the last quote */ + i++; + +@@ -1387,6 +1444,9 @@ static int parse_pred(const char *str, v + err_free: + kfree(pred); + return -EINVAL; ++err_mem: ++ kfree(pred); ++ return -ENOMEM; + } + + enum { diff --git a/patches.suse/tracing-Fix-check-for-trace_percpu_buffer-validity-in-get_trace_buf.patch b/patches.suse/tracing-Fix-check-for-trace_percpu_buffer-validity-in-get_trace_buf.patch new file mode 100644 index 0000000..b62a641 --- /dev/null +++ b/patches.suse/tracing-Fix-check-for-trace_percpu_buffer-validity-in-get_trace_buf.patch @@ -0,0 +1,61 @@ +From: "Naveen N. Rao" +Date: Thu, 23 Dec 2021 16:04:38 +0530 +Subject: tracing: Fix check for trace_percpu_buffer validity in + get_trace_buf() +Git-commit: 823e670f7ed616d0ce993075c8afe0217885f79d +Patch-mainline: v5.16 +References: git-fixes + +With the new osnoise tracer, we are seeing the below splat: + Kernel attempted to read user page (c7d880000) - exploit attempt? (uid: 0) + BUG: Unable to handle kernel data access on read at 0xc7d880000 + Faulting instruction address: 0xc0000000002ffa10 + Oops: Kernel access of bad area, sig: 11 [#1] + LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries + ... + NIP [c0000000002ffa10] __trace_array_vprintk.part.0+0x70/0x2f0 + LR [c0000000002ff9fc] __trace_array_vprintk.part.0+0x5c/0x2f0 + Call Trace: + [c0000008bdd73b80] [c0000000001c49cc] put_prev_task_fair+0x3c/0x60 (unreliable) + [c0000008bdd73be0] [c000000000301430] trace_array_printk_buf+0x70/0x90 + [c0000008bdd73c00] [c0000000003178b0] trace_sched_switch_callback+0x250/0x290 + [c0000008bdd73c90] [c000000000e70d60] __schedule+0x410/0x710 + [c0000008bdd73d40] [c000000000e710c0] schedule+0x60/0x130 + [c0000008bdd73d70] [c000000000030614] interrupt_exit_user_prepare_main+0x264/0x270 + [c0000008bdd73de0] [c000000000030a70] syscall_exit_prepare+0x150/0x180 + [c0000008bdd73e10] [c00000000000c174] system_call_vectored_common+0xf4/0x278 + +osnoise tracer on ppc64le is triggering osnoise_taint() for negative +duration in get_int_safe_duration() called from +trace_sched_switch_callback()->thread_exit(). + +The problem though is that the check for a valid trace_percpu_buffer is +incorrect in get_trace_buf(). The check is being done after calculating +the pointer for the current cpu, rather than on the main percpu pointer. +Fix the check to be against trace_percpu_buffer. + +Link: https://lkml.kernel.org/r/a920e4272e0b0635cf20c444707cbce1b2c8973d.1640255304.git.naveen.n.rao@linux.vnet.ibm.com + +Cc: stable@vger.kernel.org +Fixes: e2ace001176dc9 ("tracing: Choose static tp_printk buffer by explicit nesting count") +Signed-off-by: Naveen N. Rao +Signed-off-by: Steven Rostedt +Acked-by: Miroslav Benes +--- + kernel/trace/trace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index 88de94da596b..e1f55851e53f 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -3217,7 +3217,7 @@ static char *get_trace_buf(void) + { + struct trace_buffer_struct *buffer = this_cpu_ptr(trace_percpu_buffer); + +- if (!buffer || buffer->nesting >= 4) ++ if (!trace_percpu_buffer || buffer->nesting >= 4) + return NULL; + + buffer->nesting++; + diff --git a/patches.suse/tracing-kprobes-nmissed-not-showed-correctly-for-kretprobe.patch b/patches.suse/tracing-kprobes-nmissed-not-showed-correctly-for-kretprobe.patch new file mode 100644 index 0000000..603f985 --- /dev/null +++ b/patches.suse/tracing-kprobes-nmissed-not-showed-correctly-for-kretprobe.patch @@ -0,0 +1,49 @@ +From: Xiangyang Zhang +Date: Fri, 7 Jan 2022 23:02:42 +0800 +Subject: tracing/kprobes: 'nmissed' not showed correctly for kretprobe +Git-commit: dfea08a2116fe327f79d8f4d4b2cf6e0c88be11f +Patch-mainline: v5.16 or v5.16-rc9 (next release) +References: git-fixes + +The 'nmissed' column of the 'kprobe_profile' file for kretprobe is +not showed correctly, kretprobe can be skipped by two reasons, +shortage of kretprobe_instance which is counted by tk->rp.nmissed, +and kprobe itself is missed by some reason, so to show the sum. + +Link: https://lkml.kernel.org/r/20220107150242.5019-1-xyz.sun.ok@gmail.com + +Cc: stable@vger.kernel.org +Fixes: 4a846b443b4e ("tracing/kprobes: Cleanup kprobe tracer code") +Acked-by: Masami Hiramatsu +Signed-off-by: Xiangyang Zhang +Signed-off-by: Steven Rostedt +Acked-by: Miroslav Benes +--- + kernel/trace/trace_kprobe.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c +index f8c26ee72de3..3d85323278ed 100644 +--- a/kernel/trace/trace_kprobe.c ++++ b/kernel/trace/trace_kprobe.c +@@ -1170,15 +1170,18 @@ static int probes_profile_seq_show(struct seq_file *m, void *v) + { + struct dyn_event *ev = v; + struct trace_kprobe *tk; ++ unsigned long nmissed; + + if (!is_trace_kprobe(ev)) + return 0; + + tk = to_trace_kprobe(ev); ++ nmissed = trace_kprobe_is_return(tk) ? ++ tk->rp.kp.nmissed + tk->rp.nmissed : tk->rp.kp.nmissed; + seq_printf(m, " %-44s %15lu %15lu\n", + trace_probe_name(&tk->tp), + trace_kprobe_nhit(tk), +- tk->rp.kp.nmissed); ++ nmissed); + + return 0; + } + diff --git a/patches.suse/tracing-uprobes-Check-the-return-value-of-kstrdup-for-tu-filename.patch b/patches.suse/tracing-uprobes-Check-the-return-value-of-kstrdup-for-tu-filename.patch new file mode 100644 index 0000000..454b81b --- /dev/null +++ b/patches.suse/tracing-uprobes-Check-the-return-value-of-kstrdup-for-tu-filename.patch @@ -0,0 +1,36 @@ +From: Xiaoke Wang +Date: Tue, 14 Dec 2021 09:28:02 +0800 +Subject: tracing/uprobes: Check the return value of kstrdup() for tu->filename +Git-commit: 8c7224245557707c613f130431cafbaaa4889615 +Patch-mainline: v5.16 or v5.16-rc9 (next release) +References: git-fixes + +kstrdup() returns NULL when some internal memory errors happen, it is +better to check the return value of it so to catch the memory error in +time. + +Link: https://lkml.kernel.org/r/tencent_3C2E330722056D7891D2C83F29C802734B06@qq.com + +Acked-by: Masami Hiramatsu +Fixes: 33ea4b24277b ("perf/core: Implement the 'perf_uprobe' PMU") +Signed-off-by: Xiaoke Wang +Signed-off-by: Steven Rostedt +Acked-by: Miroslav Benes +--- + kernel/trace/trace_uprobe.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/kernel/trace/trace_uprobe.c ++++ b/kernel/trace/trace_uprobe.c +@@ -1389,6 +1389,11 @@ create_local_trace_uprobe(char *name, un + tu->path = path; + tu->ref_ctr_offset = ref_ctr_offset; + tu->filename = kstrdup(name, GFP_KERNEL); ++ if (!tu->filename) { ++ ret = -ENOMEM; ++ goto error; ++ } ++ + init_trace_event_call(tu); + + if (traceprobe_set_print_fmt(&tu->tp, is_ret_probe(tu)) < 0) { diff --git a/patches.suse/vfs-check-fd-has-read-access-in-kernel_read_file_from_fd.patch b/patches.suse/vfs-check-fd-has-read-access-in-kernel_read_file_from_fd.patch new file mode 100644 index 0000000..1089523 --- /dev/null +++ b/patches.suse/vfs-check-fd-has-read-access-in-kernel_read_file_from_fd.patch @@ -0,0 +1,46 @@ +From 032146cda85566abcd1c4884d9d23e4e30a07e9a Mon Sep 17 00:00:00 2001 +From: Matthew Wilcox (Oracle) +Date: Mon Oct 18 15:16:12 2021 -0700 +Subject: [PATCH] vfs: check fd has read access in kernel_read_file_from_fd() +Git-commit: 032146cda85566abcd1c4884d9d23e4e30a07e9a +References: bsc#1194888 +Patch-mainline: v5.15-rc7 + + +If we open a file without read access and then pass the fd to a syscall +whose implementation calls kernel_read_file_from_fd(), we get a warning +from __kernel_read(): + + if (WARN_ON_ONCE(!(file->f_mode & FMODE_READ))) + +This currently affects both finit_module() and kexec_file_load(), but it +could affect other syscalls in the future. + +Link: https://lkml.kernel.org/r/20211007220110.600005-1-willy@infradead.org +Fixes: b844f0ecbc56 ("vfs: define kernel_copy_file_from_fd()") +Signed-off-by: Matthew Wilcox (Oracle) +Reported-by: Hao Sun +Reviewed-by: Kees Cook +Acked-by: Christian Brauner +Cc: Al Viro +Cc: Mimi Zohar +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Acked-by: Goldwyn Rodrigues + +--- + fs/exec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -988,7 +988,7 @@ + struct fd f = fdget(fd); + int ret = -EBADF; + +- if (!f.file) ++ if (!f.file || !(f.file->f_mode & FMODE_READ)) + goto out; + + ret = kernel_read_file(f.file, buf, size, max_size, id); diff --git a/patches.suse/vfs-fs_context-fix-up-param-length-parsing-in-legacy.patch b/patches.suse/vfs-fs_context-fix-up-param-length-parsing-in-legacy.patch new file mode 100644 index 0000000..dc6cb95 --- /dev/null +++ b/patches.suse/vfs-fs_context-fix-up-param-length-parsing-in-legacy.patch @@ -0,0 +1,43 @@ +From 722d94847de29310e8aa03fcbdb41fc92c521756 Mon Sep 17 00:00:00 2001 +From: Jamie Hill-Daniel +Date: Tue, 18 Jan 2022 08:06:04 +0100 +Subject: [PATCH] vfs: fs_context: fix up param length parsing in + legacy_parse_param +References: CVE-2022-0185 bsc#1194517 +Patch-mainline: v5.17-rc1 +Git-commit: 722d94847de29310e8aa03fcbdb41fc92c521756 + +The "PAGE_SIZE - 2 - size" calculation in legacy_parse_param() is an +unsigned type so a large value of "size" results in a high positive +value instead of a negative value as expected. Fix this by getting rid +of the subtraction. + +Signed-off-by: Jamie Hill-Daniel +Signed-off-by: William Liu +Tested-by: Salvatore Bonaccorso +Tested-by: Thadeu Lima de Souza Cascardo +Acked-by: Dan Carpenter +Acked-by: Al Viro +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Linus Torvalds +Acked-by: David Disseldorp +--- + fs/fs_context.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/fs_context.c b/fs/fs_context.c +index b7e43a780a62..24ce12f0db32 100644 +--- a/fs/fs_context.c ++++ b/fs/fs_context.c +@@ -548,7 +548,7 @@ static int legacy_parse_param(struct fs_context *fc, struct fs_parameter *param) + param->key); + } + +- if (len > PAGE_SIZE - 2 - size) ++ if (size + len + 2 > PAGE_SIZE) + return invalf(fc, "VFS: Legacy: Cumulative options too large"); + if (strchr(param->key, ',') || + (param->type == fs_value_is_string && +-- +2.31.1 + diff --git a/patches.suse/workqueue-Fix-unbind_workers-VS-wq_worker_running-ra.patch b/patches.suse/workqueue-Fix-unbind_workers-VS-wq_worker_running-ra.patch new file mode 100644 index 0000000..685eec6 --- /dev/null +++ b/patches.suse/workqueue-Fix-unbind_workers-VS-wq_worker_running-ra.patch @@ -0,0 +1,106 @@ +From 07edfece8bcb0580a1828d939e6f8d91a8603eb2 Mon Sep 17 00:00:00 2001 +From: Frederic Weisbecker +Date: Wed, 1 Dec 2021 16:19:44 +0100 +Subject: [PATCH] workqueue: Fix unbind_workers() VS wq_worker_running() race +Git-commit: 07edfece8bcb0580a1828d939e6f8d91a8603eb2 +Patch-mainline: v5.17-rc1 +References: bsc#1195062 + +At CPU-hotplug time, unbind_worker() may preempt a worker while it is +waking up. In that case the following scenario can happen: + + unbind_workers() wq_worker_running() + -------------- ------------------- + if (!(worker->flags & WORKER_NOT_RUNNING)) + //PREEMPTED by unbind_workers + worker->flags |= WORKER_UNBOUND; + [...] + atomic_set(&pool->nr_running, 0); + //resume to worker + atomic_inc(&worker->pool->nr_running); + +After unbind_worker() resets pool->nr_running, the value is expected to +remain 0 until the pool ever gets rebound in case cpu_up() is called on +the target CPU in the future. But here the race leaves pool->nr_running +with a value of 1, triggering the following warning when the worker goes +idle: + + WARNING: CPU: 3 PID: 34 at kernel/workqueue.c:1823 worker_enter_idle+0x95/0xc0 + Modules linked in: + CPU: 3 PID: 34 Comm: kworker/3:0 Not tainted 5.16.0-rc1+ #34 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba527-rebuilt.opensuse.org 04/01/2014 + Workqueue: 0x0 (rcu_par_gp) + RIP: 0010:worker_enter_idle+0x95/0xc0 + Code: 04 85 f8 ff ff ff 39 c1 7f 09 48 8b 43 50 48 85 c0 74 1b 83 e2 04 75 99 8b 43 34 39 43 30 75 91 8b 83 00 03 00 00 85 c0 74 87 <0f> 0b 5b c3 48 8b 35 70 f1 37 01 48 8d 7b 48 48 81 c6 e0 93 0 + RSP: 0000:ffff9b7680277ed0 EFLAGS: 00010086 + RAX: 00000000ffffffff RBX: ffff93465eae9c00 RCX: 0000000000000000 + RDX: 0000000000000000 RSI: ffff9346418a0000 RDI: ffff934641057140 + RBP: ffff934641057170 R08: 0000000000000001 R09: ffff9346418a0080 + R10: ffff9b768027fdf0 R11: 0000000000002400 R12: ffff93465eae9c20 + R13: ffff93465eae9c20 R14: ffff93465eae9c70 R15: ffff934641057140 + FS: 0000000000000000(0000) GS:ffff93465eac0000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000000 CR3: 000000001cc0c000 CR4: 00000000000006e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + + worker_thread+0x89/0x3d0 + ? process_one_work+0x400/0x400 + kthread+0x162/0x190 + ? set_kthread_struct+0x40/0x40 + ret_from_fork+0x22/0x30 + + +Also due to this incorrect "nr_running == 1", further queued work may +end up not being served, because no worker is awaken at work insert time. +This raises rcutorture writer stalls for example. + +Fix this with disabling preemption in the right place in +wq_worker_running(). + +It's worth noting that if the worker migrates and runs concurrently with +unbind_workers(), it is guaranteed to see the WORKER_UNBOUND flag update +due to set_cpus_allowed_ptr() acquiring/releasing rq->lock. + +Fixes: 6d25be5782e4 ("sched/core, workqueues: Distangle worker accounting from rq lock") +Reviewed-by: Lai Jiangshan +Tested-by: Paul E. McKenney +Acked-by: Peter Zijlstra (Intel) +Signed-off-by: Frederic Weisbecker +Cc: Thomas Gleixner +Cc: Ingo Molnar +Cc: Sebastian Andrzej Siewior +Cc: Daniel Bristot de Oliveira +Signed-off-by: Tejun Heo +Acked-by: Petr Mladek + +--- + kernel/workqueue.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/kernel/workqueue.c b/kernel/workqueue.c +index 332361cf215f..5094573e8b45 100644 +--- a/kernel/workqueue.c ++++ b/kernel/workqueue.c +@@ -868,8 +868,17 @@ void wq_worker_running(struct task_struct *task) + + if (!worker->sleeping) + return; ++ ++ /* ++ * If preempted by unbind_workers() between the WORKER_NOT_RUNNING check ++ * and the nr_running increment below, we may ruin the nr_running reset ++ * and leave with an unexpected pool->nr_running == 1 on the newly unbound ++ * pool. Protect against such race. ++ */ ++ preempt_disable(); + if (!(worker->flags & WORKER_NOT_RUNNING)) + atomic_inc(&worker->pool->nr_running); ++ preempt_enable(); + worker->sleeping = 0; + } + +-- +2.26.2 + diff --git a/series.conf b/series.conf index ea95754..19d9fc7 100644 --- a/series.conf +++ b/series.conf @@ -9183,6 +9183,7 @@ patches.suse/arm64-kpti-Add-NVIDIA-s-Carmel-core-to-the-KPTI-whit.patch patches.suse/arm64-kaslr-Announce-KASLR-status-on-boot.patch patches.suse/arm64-kaslr-Check-command-line-before-looking-for-a-.patch + patches.suse/arm64-Kconfig-add-a-choice-for-endianness.patch patches.suse/s390-qdio-use-qdio_bufnr patches.suse/s390-qdio-reduce-log-level-for-eqbs-partial patches.suse/s390-qdio-remove-a-forward-declaration @@ -28118,6 +28119,8 @@ patches.suse/soc-fsl-qe-fix-sparse-warnings-for-qe_ic.c.patch patches.suse/soc-fsl-qe-ucc_slow-remove-0-assignment-for-kzalloc-.patch patches.suse/soc-fsl-qe-fix-sparse-warnings-for-ucc_slow.c.patch + patches.suse/tee-remove-linked-list-of-struct-tee_shm.patch + patches.suse/tee-don-t-assign-shm-id-for-private-shms.patch patches.suse/ARM-dts-sunxi-Fix-DE2-clocks-register-range.patch patches.suse/arm64-dts-allwinner-a64-Fix-display-clock-register-r.patch patches.suse/arm64-tegra-Fix-Tegra194-PCIe-compatible-string.patch @@ -37271,7 +37274,7 @@ patches.suse/cpuidle-psci-Fix-error-path-via-converting-to-a-plat.patch patches.suse/cpuidle-psci-Convert-PM-domain-to-platform-driver.patch patches.suse/cpuidle-psci-Prevent-domain-idlestates-until-consume.patch - patches.suse/bsc1175543-intel_idle-Customize-IceLake-server-support.patch + patches.suse/intel_idle-Customize-IceLake-server-support.patch patches.suse/powercap-intel_rapl-add-support-for-Sapphire-Rapids.patch patches.suse/powercap-Add-Power-Limit4-support.patch patches.suse/ACPICA-Replace-one-element-array-with-flexible-array.patch @@ -43099,6 +43102,7 @@ patches.suse/0004-dm-fix-bio-splitting-and-its-bio-completion-order-fo.patch patches.suse/0031-dm-fix-comment-in-dm_process_bio.patch patches.suse/0001-dm-crypt-document-new-no_workqueue-flags.patch + patches.suse/dm-crypt-document-encrypted-keyring-key-option.patch patches.suse/ALSA-asihpi-fix-iounmap-in-error-handler.patch patches.suse/ALSA-hda-realtek-Couldn-t-detect-Mic-if-booting-with.patch patches.suse/ALSA-hda-realtek-Enable-front-panel-headset-LED-on-L.patch @@ -43273,6 +43277,7 @@ patches.suse/r8169-consider-that-PHY-reset-may-still-be-in-progre.patch patches.suse/macsec-avoid-use-after-free-in-macsec_handle_frame.patch patches.suse/net-usb-qmi_wwan-add-Cellient-MPL200-card.patch + patches.suse/block-scsi-ioctl-Fix-kernel-infoleak-in-scsi_put_cdr.patch patches.suse/partitions-ibm-fix-non-dasd-devices patches.suse/nvme-core-put-ctrl-ref-when-module-ref-get-fail.patch patches.suse/1918-drm-amdgpu-fix-NULL-pointer-dereference-for-Renoir.patch @@ -46380,6 +46385,7 @@ patches.suse/drm-rockchip-Avoid-uninitialized-use-of-endpoint-id-.patch patches.suse/drm-panel-sony-acx565akm-Fix-race-condition-in-probe.patch patches.suse/drm-omap-sdi-fix-bridge-enable-disable.patch + patches.suse/dm-writecache-advance-the-number-of-arguments-when-r.patch patches.suse/0007-dm-writecache-fix-the-maximum-number-of-arguments.patch patches.suse/0008-Revert-dm-cache-fix-arm-link-errors-with-inline.patch patches.suse/0009-dm-fix-bug-with-RCU-locking-in-dm_blk_report_zones.patch @@ -47972,6 +47978,7 @@ patches.suse/0005-dm-crypt-do-not-call-bio_endio-from-the-dm-crypt-tas.patch patches.suse/0006-dm-crypt-defer-decryption-to-a-tasklet-if-interrupts.patch patches.suse/nvme-tcp-Fix-warning-with-CONFIG_DEBUG_PREEMPT.patch + patches.suse/nvme-tcp-fix-possible-data-corruption-with-bio-merge.patch patches.suse/nvme-don-t-intialize-hwmon-for-discovery-controllers.patch patches.suse/scsi-qedi-correct-max-length-of-chap-secret patches.suse/powerpc-Fix-alignment-bug-within-the-init-sections.patch @@ -48489,6 +48496,9 @@ patches.suse/bfq-Avoid-false-bfq-queue-merging.patch patches.suse/bfq-Use-ttime-local-variable.patch patches.suse/bfq-Use-only-idle-IO-periods-for-think-time-calculat.patch + patches.suse/nvme-tcp-fix-wrong-setting-of-request-iov_iter.patch + patches.suse/nvme-tcp-get-rid-of-unused-helper-function.patch + patches.suse/nvme-tcp-pass-multipage-bvec-to-request-iov_iter.patch patches.suse/nvme-core-add-cancel-tagset-helpers.patch patches.suse/nvme-tcp-add-clean-action-for-failed-reconnection.patch patches.suse/nvme-tcp-use-cancel-tagset-helper-for-tear-down.patch @@ -48500,6 +48510,7 @@ patches.suse/0032-bcache-Move-journal-work-to-new-flush-wq.patch patches.suse/0033-bcache-Avoid-comma-separated-statements.patch patches.suse/nvme-hwmon-rework-to-avoid-devm-allocation.patch + patches.suse/nvme-tcp-fix-crash-triggered-with-a-dataless-request.patch patches.suse/irqchip-ls-extirq-add-IRQCHIP_SKIP_SET_WAKE-to-the-i.patch patches.suse/futex-Change-utime-parameter-to-be-const.patch patches.suse/mm-proc-Invalidate-TLB-after-clearing-soft-dirty-pag.patch @@ -48725,6 +48736,7 @@ patches.suse/rtc-s5m-select-REGMAP_I2C.patch patches.suse/rtc-pcf2127-properly-set-flag-WD_CD-for-rtc-chips-pc.patch patches.suse/gpio-pcf857x-Fix-missing-first-interrupt.patch + patches.suse/dm-writecache-fix-performance-degradation-in-ssd-mod.patch patches.suse/0020-dm-era-Recover-committed-writeset-after-crash.patch patches.suse/0021-dm-era-Update-in-core-bitset-after-committing-the-me.patch patches.suse/0022-dm-era-Reinitialize-bitset-cache-before-digesting-a-.patch @@ -48840,6 +48852,7 @@ patches.suse/powerpc-prom-Fix-ibm-arch-vec-5-platform-support-sca.patch patches.suse/powerpc-time-Enable-sched-clock-for-irqtime.patch patches.suse/powerpc-Fix-build-error-in-paravirt.h.patch + patches.suse/powerpc-add-interrupt_cond_local_irq_enable-helper.patch patches.suse/powerpc-pseries-dlpar-handle-ibm-configure-connector.patch patches.suse/powerpc-sstep-Fix-load-store-and-update-emulation.patch patches.suse/powerpc-sstep-Fix-darn-emulation.patch @@ -48870,6 +48883,7 @@ patches.suse/dmaengine-owl-dma-Fix-a-resource-leak-in-the-remove-.patch patches.suse/dmaengine-hsu-disable-spurious-interrupt.patch patches.suse/dmaengine-idxd-set-DMA-channel-to-be-private.patch + patches.suse/dmaengine-idxd-add-module-parameter-to-force-disable.patch patches.suse/keys-Remove-outdated-__user-annotations.patch patches.suse/certs-Fix-blacklist-flag-type-confusion.patch patches.suse/0001-device-dax-Fix-default-return-code-of-range_parse.patch @@ -49268,6 +49282,7 @@ patches.suse/nvme-fabrics-only-reserve-a-single-tag.patch patches.suse/nvme-merge-nvme_keep_alive-into-nvme_keep_alive_work.patch patches.suse/nvme-allocate-the-keep-alive-request-using-BLK_MQ_RE.patch + patches.suse/nvme-tcp-fix-a-NULL-deref-when-receiving-a-0-length-.patch patches.suse/nvme-tcp-fix-misuse-of-__smp_processor_id-with-preem.patch patches.suse/0001-nvme-tcp-fix-possible-hang-when-failing-to-set-io-qu.patch patches.suse/scsi-ibmvfc-Free-channel_setup_buf-during-device-tea.patch @@ -49949,6 +49964,8 @@ patches.suse/nvme-mark-nvme_setup_passsthru-inline.patch patches.suse/nvme-don-t-check-nvme_req-flags-for-new-req.patch patches.suse/nvme-add-new-line-after-variable-declatation.patch + patches.suse/nvme-tcp-block-BH-in-sk-state_change-sk-callback.patch + patches.suse/nvme-tcp-check-sgl-supported-by-target.patch patches.suse/nvme-fc-check-sgl-supported-by-target.patch patches.suse/nvme-remove-superfluous-else-in-nvme_ctrl_loss_tmo_s.patch patches.suse/nvme-retrigger-ANA-log-update-if-group-descriptor-is.patch @@ -50405,6 +50422,7 @@ patches.suse/dmaengine-idxd-cleanup-pci-interrupt-vector-allocati.patch patches.suse/dmaengine-idxd-removal-of-pcim-managed-mmio-mapping.patch patches.suse/dmaengine-idxd-fix-cdev-setup-and-free-device-lifeti.patch + patches.suse/dmaengine-idxd-enable-SVA-feature-for-IOMMU.patch patches.suse/ubifs-Only-check-replay-with-inode-type-to-judge-if-.patch patches.suse/docs-kernel-parameters-Move-gpio-mockup-for-alphabet.patch patches.suse/docs-kernel-parameters-Add-gpio_mockup_named_lines.patch @@ -50751,6 +50769,7 @@ patches.suse/s390-dasd-add-missing-discipline-function patches.suse/nvme-fc-short-circuit-reconnect-retries.patch patches.suse/nvme-fabrics-decode-host-pathing-error-for-connect.patch + patches.suse/nvme-tcp-remove-incorrect-Kconfig-dep-in-BLK_DEV_NVM.patch patches.suse/scsi-libsas-Use-_safe-loop-in-sas_resume_port patches.suse/scsi-target-qla2xxx-Wait-for-stop_phase1-at-WWN-remo.patch patches.suse/USB-usbfs-Don-t-WARN-about-excessively-large-memory-.patch @@ -51193,6 +51212,7 @@ patches.suse/blk-Fix-lock-inversion-between-ioc-lock-and-bfqd-loc.patch patches.suse/0002-md-revert-io-stats-accounting.patch patches.suse/nvme-verify-MNAN-value-if-ANA-is-enabled.patch + patches.suse/nvme-tcp-fix-error-codes-in-nvme_tcp_setup_ctrl.patch patches.suse/nvmet-use-NVMET_MAX_NAMESPACES-to-set-nn-value.patch patches.suse/qemu_fw_cfg-Make-fw_cfg_rev_attr-a-proper-kobj_attri.patch patches.suse/net-mvpp2-Put-fwnode-in-error-case-during-probe.patch @@ -51317,6 +51337,8 @@ patches.suse/sctp-add-size-validation-when-walking-chunks.patch patches.suse/sctp-validate-chunk-size-in-__rcv_asconf_lookup.patch patches.suse/sctp-add-param-size-validation-for-SCTP_PARAM_SET_PR.patch + patches.suse/dm-writecache-flush-origin-device-when-writing-and-c.patch + patches.suse/dm-writecache-add-cleaner-and-max_age-to-Documentati.patch patches.suse/ext4-fix-kernel-infoleak-via-ext4_extent_header.patch patches.suse/ext4-cleanup-in-core-orphan-list-if-ext4_truncate-fa.patch patches.suse/ext4-return-error-code-when-ext4_fill_flex_info-fail.patch @@ -51739,6 +51761,7 @@ patches.suse/ALSA-hda-realtek-fix-mute-led-of-the-HP-Pavilion-15-.patch patches.suse/ALSA-isa-Fix-error-return-code-in-snd_cmi8330_probe.patch patches.suse/ALSA-intel8x0-Fix-breakage-at-ac97-clock-measurement.patch + patches.suse/nvme-tcp-can-t-set-sk_user_data-without-write_lock.patch patches.suse/ARM-exynos-add-missing-of_node_put-for-loop-iteration.patch patches.suse/soc-tegra-fuse-Fix-Tegra234-only-builds.patch patches.suse/ARM-dts-gemini-rut1xx-remove-duplicate-ethernet-node.patch @@ -52190,6 +52213,8 @@ patches.suse/nvme-pci-limit-maximum-queue-depth-to-4095.patch patches.suse/nvme-tcp-don-t-check-blk_mq_tag_to_rq-when-receiving.patch patches.suse/nvme-code-command_id-with-a-genctr-for-use-after-fre.patch + patches.suse/nvme-tcp-pair-send_mutex-init-with-destroy.patch + patches.suse/nvme-tcp-don-t-update-queue-count-when-failing-to-se.patch patches.suse/0008-md-raid10-Remove-unnecessary-rcu_dereference-in-raid.patch patches.suse/ata-sata_dwc_460ex-No-need-to-call-phy_exit-befre-ph.patch patches.suse/libata-fix-ata_host_start.patch @@ -52669,6 +52694,7 @@ patches.suse/xen-reset-legacy-rtc-flag-for-PV-domU.patch patches.suse/swiotlb-xen-avoid-double-free.patch patches.suse/nvme-avoid-race-in-shutdown-namespace-removal.patch + patches.suse/nvme-tcp-fix-io_work-priority-inversion.patch patches.suse/PCI-Add-AMD-GPU-multi-function-power-dependencies.patch patches.suse/spi-Fix-tegra20-build-with-CONFIG_PM-n.patch patches.suse/KVM-PPC-Book3S-HV-Tolerate-treclaim.-in-fake-suspend.patch @@ -52830,6 +52856,8 @@ patches.suse/powerpc-bpf-Fix-BPF_SUB-when-imm-0x80000000.patch patches.suse/powerpc-security-Add-a-helper-to-query-stf_barrier-t.patch patches.suse/powerpc-bpf-Emit-stf-barrier-instruction-sequences-f.patch + patches.suse/powerpc-64s-fix-program-check-interrupt-emergency-st.patch + patches.suse/powerpc-traps-do-not-enable-irqs-in-_exception.patch patches.suse/pseries-eeh-Fix-the-kdump-kernel-crash-during-eeh_ps.patch patches.suse/btrfs-unlock-newly-allocated-extent-buffer-after-error.patch patches.suse/cgroup-cpuset-Change-references-of-cpuset_mutex-to-c.patch @@ -52863,6 +52891,7 @@ patches.suse/NFC-digital-fix-possible-memory-leak-in-digital_tg_l.patch patches.suse/NFC-digital-fix-possible-memory-leak-in-digital_in_s.patch patches.suse/mlxsw-thermal-Fix-out-of-bounds-memory-accesses.patch + patches.suse/sctp-account-stream-padding-length-for-reconf-chunk.patch patches.suse/drm-msm-Avoid-potential-overflow-in-timeout_to_jiffi.patch patches.suse/drm-msm-mdp5-fix-cursor-related-warnings.patch patches.suse/drm-msm-Fix-null-pointer-dereference-on-pointer-edp.patch @@ -52902,6 +52931,7 @@ patches.suse/ata-ahci_platform-fix-null-ptr-deref-in-ahci_platfor.patch patches.suse/ocfs2-fix-data-corruption-after-conversion-from-inli.patch patches.suse/elfcore-correct-reference-to-CONFIG_UML.patch + patches.suse/vfs-check-fd-has-read-access-in-kernel_read_file_from_fd.patch patches.suse/audit-fix-possible-null-pointer-dereference-in-audit.patch patches.suse/ALSA-usb-audio-Add-Schiit-Hel-device-to-mixer-map-qu.patch patches.suse/ALSA-hda-realtek-Add-quirk-for-Clevo-PC50HS.patch @@ -52959,6 +52989,7 @@ patches.suse/mmc-winbond-don-t-build-on-M68K.patch patches.suse/mmc-dw_mmc-exynos-fix-the-finding-clock-sample-value.patch patches.suse/mmc-vub300-fix-control-message-timeouts.patch + patches.suse/nvme-tcp-fix-possible-req-offset-corruption.patch patches.suse/scsi-ibmvfc-Fix-up-duplicate-response-detection.patch patches.suse/tpm-Check-for-integer-overflow-in-tpm2_map_response_.patch patches.suse/blk-cgroup-synchronize-blkg-creation-against-policy-.patch @@ -52968,6 +52999,7 @@ patches.suse/btrfs-update-comments-for-chunk-allocation-ENOSPC-ca.patch patches.suse/perf-x86-intel-uncore-Support-extra-IMC-channel-on-Ice-Lake-server.patch patches.suse/perf-x86-intel-uncore-Fix-Intel-ICX-IIO-event-constraints.patch + patches.suse/powerpc-perf-Fix-data-source-encodings-for-L2.1-and-.patch patches.suse/x86-xen-Mark-cpu_bringup_and_idle-as-dead_end_functi.patch patches.suse/edac-amd64-handle-three-rank-interleaving-mode.patch patches.suse/edac-sb_edac-fix-top-of-high-memory-value-for-broadwell-haswell.patch @@ -53122,6 +53154,7 @@ patches.suse/drm-v3d-fix-wait-for-TMU-write-combiner-flush.patch patches.suse/virtio-gpu-fix-possible-memory-allocation-failure.patch patches.suse/drm-amdgpu-fix-warning-for-overflow-check.patch + patches.suse/drm-amdgpu-revert-Add-autodump-debugfs-node-for-gpu-.patch patches.suse/drm-ttm-stop-calling-tt_swapin-in-vm_access.patch patches.suse/drm-msm-prevent-NULL-dereference-in-msm_gpu_crashsta.patch patches.suse/drm-msm-potential-error-pointer-dereference-in-init.patch @@ -53201,7 +53234,10 @@ patches.suse/powerpc-fix-unbalanced-node-refcount-in-check_kvm_gu.patch patches.suse/powerpc-paravirt-vcpu_is_preempted-commentary.patch patches.suse/powerpc-paravirt-correct-preempt-debug-splat-in-vcpu.patch + patches.suse/powerpc-pseries-cpuhp-cache-node-corrections.patch + patches.suse/powerpc-pseries-cpuhp-delete-add-remove_by_count-cod.patch patches.suse/powerpc-perf-Fix-cycles-instructions-as-PM_CYC-PM_IN.patch + patches.suse/powerpc-pseries-mobility-ignore-ibm-platform-facilit.patch patches.suse/pinctrl-core-fix-possible-memory-leak-in-pinctrl_ena.patch patches.suse/HID-u2fzero-clarify-error-check-and-length-calculati.patch patches.suse/HID-u2fzero-properly-handle-timeouts-in-usb_submit_u.patch @@ -53317,6 +53353,7 @@ patches.suse/Input-elantench-fix-misreporting-trackpoint-coordina.patch patches.suse/Input-iforce-fix-control-message-timeout.patch patches.suse/drm-plane-helper-fix-uninitialized-variable-referenc.patch + patches.suse/drm-i915-fb-Fix-rounding-error-in-subsampled-plane-s.patch patches.suse/drm-nouveau-svm-Fix-refcount-leak-bug-and-missing-ch.patch patches.suse/drm-nouveau-use-drm_dev_unplug-during-device-removal.patch patches.suse/drm-nouveau-Add-a-dedicated-mutex-for-the-clients-li.patch @@ -53567,6 +53604,7 @@ patches.suse/USB-gadget-zero-allocate-endpoint-0-buffers.patch patches.suse/usb-core-config-fix-validation-of-wMaxPacketValue-en.patch patches.suse/usb-core-config-using-bit-mask-instead-of-individual.patch + patches.suse/fget-clarify-and-improve-__fget_files-implementation.patch patches.suse/recordmcount.pl-look-for-jgnop-instruction-as-well-as-bcrl-on-s390.patch patches.suse/clk-Don-t-parent-clks-until-the-parent-is-fully-regi.patch patches.suse/firmware-tegra-Fix-error-application-of-sizeof-to-po.patch @@ -53608,6 +53646,7 @@ patches.suse/xen-netback-don-t-queue-unlimited-number-of-packages.patch patches.suse/spi-change-clk_disable_unprepare-to-clk_unprepare.patch patches.suse/RDMA-hns-Replace-kfree-with-kvfree.patch + patches.suse/tee-handle-lookup-of-shm-with-reference-count-0.patch patches.suse/mmc-sdhci-tegra-Fix-switch-to-HS400ES-mode.patch patches.suse/ALSA-drivers-opl3-Fix-incorrect-use-of-vp-state.patch patches.suse/ALSA-jack-Check-the-return-value-of-kstrdup.patch @@ -53662,6 +53701,7 @@ patches.suse/i40e-Fix-incorrect-netdev-s-real-number-of-RX-TX-que.patch patches.suse/iavf-Fix-limit-of-total-number-of-queues-to-active-q.patch patches.suse/ieee802154-atusb-fix-uninit-value-in-atusb_set_exten.patch + patches.suse/tracing-Fix-check-for-trace_percpu_buffer-validity-in-get_trace_buf.patch patches.suse/cgroup-Use-open-time-credentials-for-process-migraton-perm-checks.patch patches.suse/cgroup-Allocate-cgroup_file_ctx-for-kernfs_open_file-priv.patch patches.suse/cgroup-Use-open-time-cgroup-namespace-for-process-migration-perm-checks.patch @@ -53753,6 +53793,7 @@ patches.suse/device-property-Fix-documentation-for-FWNODE_GRAPH_D.patch patches.suse/Documentation-ACPI-Fix-data-node-reference-documenta.patch patches.suse/select-Fix-indefinitely-sleeping-task-in-poll_schedu.patch + patches.suse/workqueue-Fix-unbind_workers-VS-wq_worker_running-ra.patch patches.suse/Documentation-refer-to-config-RANDOMIZE_BASE-for-ker.patch patches.suse/crypto-caam-replace-this_cpu_ptr-with-raw_cpu_ptr.patch patches.suse/crypto-qce-fix-uaf-on-qce_ahash_register_one.patch @@ -53783,6 +53824,7 @@ patches.suse/selinux-fix-potential-memleak-in-selinux_add_opt.patch patches.suse/ext4-Avoid-trim-error-on-fs-with-small-groups.patch patches.suse/floppy-Fix-hang-in-watchdog-when-disk-is-ejected.patch + patches.suse/debugfs-lockdown-Allow-reading-debugfs-files-that-ar.patch patches.suse/staging-rtl8192e-return-error-code-from-rtllib_softm.patch patches.suse/staging-rtl8192e-rtllib_module-fix-error-handle-case.patch patches.suse/tty-serial-atmel-Check-return-code-of-dmaengine_subm.patch @@ -53791,6 +53833,7 @@ patches.suse/usb-ftdi-elan-fix-memory-leak-on-device-disconnect.patch patches.suse/USB-Fix-slab-out-of-bounds-Write-bug-in-usb_hcd_poll.patch patches.suse/USB-core-Fix-bug-in-resuming-hub-s-handling-of-wakeu.patch + patches.suse/fuse-Pass-correct-lend-value-to-filemap_write_and_wait_range.patch patches.suse/clk-imx-pllv1-fix-kernel-doc-notation-for-struct-clk.patch patches.suse/clk-Gemini-fix-struct-name-in-kernel-doc.patch patches.suse/clk-stm32-Fix-ltdc-s-clock-turn-off-by-clk_disable_u.patch @@ -53824,13 +53867,16 @@ patches.suse/ASoC-samsung-idma-Check-of-ioremap-return-value.patch patches.suse/ASoC-fsl_mqs-fix-MODULE_ALIAS.patch patches.suse/ASoC-fsl_asrc-refine-the-check-of-available-clock-di.patch + patches.suse/powerpc-prom_init-Fix-improper-check-of-prom_getprop.patch patches.suse/powerpc-watchdog-Fix-missed-watchdog-reset-due-to-me.patch patches.suse/powerpc-watchdog-tighten-non-atomic-read-modify-writ.patch patches.suse/powerpc-watchdog-Avoid-holding-wd_smp_lock-over-prin.patch patches.suse/powerpc-watchdog-read-TB-close-to-where-it-is-used.patch patches.suse/powerpc-watchdog-Fix-wd_smp_last_reset_tb-reporting.patch + patches.suse/powerpc-perf-Fix-PMU-callbacks-to-clear-pending-PMI-.patch patches.suse/powerpc-handle-kdump-appropriately-with-crash_kexec_.patch patches.suse/powerpc-fadump-Fix-inaccurate-CPU-state-info-in-vmco.patch + patches.suse/powerpc-xive-Add-missing-null-check-after-calling-km.patch patches.suse/char-mwave-Adjust-io-port-register-size.patch patches.suse/uio-uio_dmem_genirq-Catch-the-Exception.patch patches.suse/firmware-Update-Kconfig-help-text-for-Google-firmwar.patch @@ -53852,6 +53898,23 @@ patches.suse/PCI-xgene-Fix-IB-window-setup.patch patches.suse/PCI-pci-bridge-emul-Properly-mark-reserved-PCIe-bits.patch patches.suse/PCI-pci-bridge-emul-Set-PCI_STATUS_CAP_LIST-for-PCIe.patch + patches.suse/livepatch-Avoid-CPU-hogging-with-cond_resched.patch + patches.suse/tracing-uprobes-Check-the-return-value-of-kstrdup-for-tu-filename.patch + patches.suse/tracing-Add-test-for-user-space-strings-when-filtering-on-string-pointers.patch + patches.suse/tracing-kprobes-nmissed-not-showed-correctly-for-kretprobe.patch + patches.suse/i3c-fix-incorrect-address-slot-lookup-on-64-bit.patch + patches.suse/i3c-master-dw-check-return-of-dw_i3c_master_get_free.patch + patches.suse/Input-ti_am335x_tsc-set-ADCREFM-for-X-configuration.patch + patches.suse/Input-ti_am335x_tsc-fix-STEPCONFIG-setup-for-Z2.patch + patches.suse/ACPI-APD-Check-for-NULL-pointer-after-calling-devm_i.patch + patches.suse/vfs-fs_context-fix-up-param-length-parsing-in-legacy.patch + patches.suse/rpmsg-core-Clean-up-resources-on-announce_create-fai.patch + patches.suse/Documentation-dmaengine-Correctly-describe-dmatest-w.patch + patches.suse/dmaengine-at_xdmac-Don-t-start-transactions-at-tx_su.patch + patches.suse/dmaengine-at_xdmac-Print-debug-message-after-realeas.patch + patches.suse/dmaengine-at_xdmac-Fix-concurrency-over-xfers_list.patch + patches.suse/dmaengine-at_xdmac-Fix-lld-view-setting.patch + patches.suse/dmaengine-at_xdmac-Fix-at_xdmac_lld-struct-definitio.patch # out-of-tree patches patches.suse/ibmvfc-disable-MQ-channelization-by-default.patch @@ -53892,6 +53955,7 @@ patches.suse/SUNRPC-improve-swap-handling-scheduling-and-PF_MEMAL.patch patches.suse/SUNRPC-remove-scheduling-boost-for-SWAPPER-tasks.patch patches.suse/SUNRPC-xprt-async-tasks-mustn-t-block-waiting-for-me.patch + patches.suse/0001-mmc-moxart_remove-Fix-UAF.patch ######################################################## # kbuild/module infrastructure fixes