diff --git a/blacklist.conf b/blacklist.conf index ec5341c..7715d40 100644 --- a/blacklist.conf +++ b/blacklist.conf @@ -1155,3 +1155,6 @@ d5aa6b22e2258f05317313ecc02efbb988ed6d38 # minor bug, major kabi breakage e45122893a9870813f9bd7b4add4f613e6f29008 # not needed ATM. Also, kABI conflict. 56c91a18432b631ca18438841fd1831ef756cabf # CONFIG_KEXEC_JUMP is not set anywhere e82080e1f456467cc185fe65ee69fe9f9bd0b576 # user-visible change and kABI breakage +50fe7ebb6475711c15b3397467e6424e20026d94 # 32-bit only +5ca1ca01fae1e90f8d010eb1d83374f28dc11ee6 # 32-bit only +678799194a5311765263b6aa940910ab232767eb # hso: already applied diff --git a/patches.suse/Input-i8042-unbreak-Pegatron-C15B.patch b/patches.suse/Input-i8042-unbreak-Pegatron-C15B.patch new file mode 100644 index 0000000..a1c551e --- /dev/null +++ b/patches.suse/Input-i8042-unbreak-Pegatron-C15B.patch @@ -0,0 +1,45 @@ +From a3a9060ecad030e2c7903b2b258383d2c716b56c Mon Sep 17 00:00:00 2001 +From: Alexey Dobriyan +Date: Sun, 3 Jan 2021 17:59:51 -0800 +Subject: [PATCH] Input: i8042 - unbreak Pegatron C15B +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: a3a9060ecad030e2c7903b2b258383d2c716b56c +Patch-mainline: v5.11-rc7 +References: git-fixes + +g++ reports + + drivers/input/serio/i8042-x86ia64io.h:225:3: error: ‘.matches’ designator used multiple times in the same initializer list + +C99 semantics is that last duplicated initialiser wins, +so DMI entry gets overwritten. + +Fixes: a48491c65b51 ("Input: i8042 - add ByteSpeed touchpad to noloop table") +Signed-off-by: Alexey Dobriyan +Acked-by: Po-Hsu Lin +Link: https://lore.kernel.org/r/20201228072335.GA27766@localhost.localdomain +Signed-off-by: Dmitry Torokhov +Acked-by: Takashi Iwai + +--- + drivers/input/serio/i8042-x86ia64io.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h +index 3a2dcf0805f1..c74b020796a9 100644 +--- a/drivers/input/serio/i8042-x86ia64io.h ++++ b/drivers/input/serio/i8042-x86ia64io.h +@@ -219,6 +219,8 @@ static const struct dmi_system_id __initconst i8042_dmi_noloop_table[] = { + DMI_MATCH(DMI_SYS_VENDOR, "PEGATRON CORPORATION"), + DMI_MATCH(DMI_PRODUCT_NAME, "C15B"), + }, ++ }, ++ { + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "ByteSpeed LLC"), + DMI_MATCH(DMI_PRODUCT_NAME, "ByteSpeed Laptop C15B"), +-- +2.26.2 + diff --git a/patches.suse/Revert-RDMA-mlx5-Fix-devlink-deadlock-on-net-namespa.patch b/patches.suse/Revert-RDMA-mlx5-Fix-devlink-deadlock-on-net-namespa.patch new file mode 100644 index 0000000..4e2c550 --- /dev/null +++ b/patches.suse/Revert-RDMA-mlx5-Fix-devlink-deadlock-on-net-namespa.patch @@ -0,0 +1,91 @@ +From: Parav Pandit +Date: Sun, 17 Jan 2021 11:26:33 +0200 +Subject: Revert "RDMA/mlx5: Fix devlink deadlock on net namespace deletion" +Patch-mainline: v5.11-rc6 +Git-commit: de641d74fb00f5b32f054ee154e31fb037e0db88 +References: jsc#SLE-8464 + +This reverts commit fbdd0049d98d44914fc57d4b91f867f4996c787b. + +Due to commit in fixes tag, netdevice events were received only in one net +namespace of mlx5_core_dev. Due to this when netdevice events arrive in +net namespace other than net namespace of mlx5_core_dev, they are missed. + +This results in empty GID table due to RDMA device being detached from its +net device. + +Hence, revert back to receive netdevice events in all net namespaces to +restore back RDMA functionality in non init_net net namespace. The +deadlock will have to be addressed in another patch. + +Fixes: fbdd0049d98d ("RDMA/mlx5: Fix devlink deadlock on net namespace deletion") +Link: https://lore.kernel.org/r/20210117092633.10690-1-leon@kernel.org +Signed-off-by: Parav Pandit +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Thomas Bogendoerfer +--- + drivers/infiniband/hw/mlx5/main.c | 6 ++---- + drivers/net/ethernet/mellanox/mlx5/core/lib/mlx5.h | 5 +++++ + include/linux/mlx5/driver.h | 18 ------------------ + 3 files changed, 7 insertions(+), 22 deletions(-) + +--- a/drivers/infiniband/hw/mlx5/main.c ++++ b/drivers/infiniband/hw/mlx5/main.c +@@ -3318,8 +3318,7 @@ static int mlx5_add_netdev_notifier(stru + int err; + + dev->port[port_num].roce.nb.notifier_call = mlx5_netdev_event; +- err = register_netdevice_notifier_net(mlx5_core_net(dev->mdev), +- &dev->port[port_num].roce.nb); ++ err = register_netdevice_notifier(&dev->port[port_num].roce.nb); + if (err) { + dev->port[port_num].roce.nb.notifier_call = NULL; + return err; +@@ -3331,8 +3330,7 @@ static int mlx5_add_netdev_notifier(stru + static void mlx5_remove_netdev_notifier(struct mlx5_ib_dev *dev, u8 port_num) + { + if (dev->port[port_num].roce.nb.notifier_call) { +- unregister_netdevice_notifier_net(mlx5_core_net(dev->mdev), +- &dev->port[port_num].roce.nb); ++ unregister_netdevice_notifier(&dev->port[port_num].roce.nb); + dev->port[port_num].roce.nb.notifier_call = NULL; + } + } +--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/mlx5.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/mlx5.h +@@ -90,4 +90,9 @@ int mlx5_create_encryption_key(struct ml + u32 key_type, u32 *p_key_id); + void mlx5_destroy_encryption_key(struct mlx5_core_dev *mdev, u32 key_id); + ++static inline struct net *mlx5_core_net(struct mlx5_core_dev *dev) ++{ ++ return devlink_net(priv_to_devlink(dev)); ++} ++ + #endif +--- a/include/linux/mlx5/driver.h ++++ b/include/linux/mlx5/driver.h +@@ -1212,22 +1212,4 @@ static inline bool mlx5_is_roce_enabled( + return val.vbool; + } + +-/** +- * mlx5_core_net - Provide net namespace of the mlx5_core_dev +- * @dev: mlx5 core device +- * +- * mlx5_core_net() returns the net namespace of mlx5 core device. +- * This can be called only in below described limited context. +- * (a) When a devlink instance for mlx5_core is registered and +- * when devlink reload operation is disabled. +- * or +- * (b) during devlink reload reload_down() and reload_up callbacks +- * where it is ensured that devlink instance's net namespace is +- * stable. +- */ +-static inline struct net *mlx5_core_net(struct mlx5_core_dev *dev) +-{ +- return devlink_net(priv_to_devlink(dev)); +-} +- + #endif /* MLX5_DRIVER_H */ diff --git a/patches.suse/USB-gadget-legacy-fix-an-error-code-in-eth_bind.patch b/patches.suse/USB-gadget-legacy-fix-an-error-code-in-eth_bind.patch new file mode 100644 index 0000000..6acdc15 --- /dev/null +++ b/patches.suse/USB-gadget-legacy-fix-an-error-code-in-eth_bind.patch @@ -0,0 +1,41 @@ +From 3e1f4a2e1184ae6ad7f4caf682ced9554141a0f4 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Thu, 28 Jan 2021 12:33:42 +0300 +Subject: [PATCH] USB: gadget: legacy: fix an error code in eth_bind() +Git-commit: 3e1f4a2e1184ae6ad7f4caf682ced9554141a0f4 +Patch-mainline: v5.11-rc7 +References: git-fixes + +This code should return -ENOMEM if the allocation fails but it currently +returns success. + +Fixes: 9b95236eebdb ("usb: gadget: ether: allocate and init otg descriptor by otg capabilities") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/YBKE9rqVuJEOUWpW@mwanda +Cc: stable +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/gadget/legacy/ether.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/legacy/ether.c b/drivers/usb/gadget/legacy/ether.c +index 30313b233680..99c7fc0d1d59 100644 +--- a/drivers/usb/gadget/legacy/ether.c ++++ b/drivers/usb/gadget/legacy/ether.c +@@ -403,8 +403,10 @@ static int eth_bind(struct usb_composite_dev *cdev) + struct usb_descriptor_header *usb_desc; + + usb_desc = usb_otg_descriptor_alloc(gadget); +- if (!usb_desc) ++ if (!usb_desc) { ++ status = -ENOMEM; + goto fail1; ++ } + usb_otg_descriptor_init(gadget, usb_desc); + otg_desc[0] = usb_desc; + otg_desc[1] = NULL; +-- +2.26.2 + diff --git a/patches.suse/bonding-set-dev-needed_headroom-in-bond_setup_by_sla.patch b/patches.suse/bonding-set-dev-needed_headroom-in-bond_setup_by_sla.patch new file mode 100644 index 0000000..1d7a996 --- /dev/null +++ b/patches.suse/bonding-set-dev-needed_headroom-in-bond_setup_by_sla.patch @@ -0,0 +1,64 @@ +From: Eric Dumazet +Date: Fri, 25 Sep 2020 06:38:07 -0700 +Subject: bonding: set dev->needed_headroom in bond_setup_by_slave() +Patch-mainline: v5.9 +Git-commit: f32f19339596b214c208c0dba716f4b6cc4f6958 +References: git-fixes + +syzbot managed to crash a host by creating a bond +with a GRE device. + +For non Ethernet device, bonding calls bond_setup_by_slave() +instead of ether_setup(), and unfortunately dev->needed_headroom +was not copied from the new added member. + +[ 171.243095] skbuff: skb_under_panic: text:ffffffffa184b9ea len:116 put:20 head:ffff883f84012dc0 data:ffff883f84012dbc tail:0x70 end:0xd00 dev:bond0 +[ 171.243111] ------------[ cut here ]------------ +[ 171.243112] kernel BUG at net/core/skbuff.c:112! +[ 171.243117] invalid opcode: 0000 [#1] SMP KASAN PTI +[ 171.243469] gsmi: Log Shutdown Reason 0x03 +[ 171.243505] Call Trace: +[ 171.243506] +[ 171.243512] [] skb_push+0x49/0x50 +[ 171.243516] [] ipgre_header+0x2a/0xf0 +[ 171.243520] [] neigh_connected_output+0xb7/0x100 +[ 171.243524] [] ip6_finish_output2+0x383/0x490 +[ 171.243528] [] __ip6_finish_output+0xa2/0x110 +[ 171.243531] [] ip6_finish_output+0x2c/0xa0 +[ 171.243534] [] ip6_output+0x69/0x110 +[ 171.243537] [] ? ip6_output+0x110/0x110 +[ 171.243541] [] mld_sendpack+0x1b2/0x2d0 +[ 171.243544] [] ? mld_send_report+0xf0/0xf0 +[ 171.243548] [] mld_ifc_timer_expire+0x2d7/0x3b0 +[ 171.243551] [] ? mld_gq_timer_expire+0x50/0x50 +[ 171.243556] [] call_timer_fn+0x30/0x130 +[ 171.243559] [] expire_timers+0x4c/0x110 +[ 171.243563] [] __run_timers+0x213/0x260 +[ 171.243566] [] ? ktime_get+0x3d/0xa0 +[ 171.243570] [] ? clockevents_program_event+0x7e/0xe0 +[ 171.243574] [] ? sched_clock_cpu+0x15/0x190 +[ 171.243577] [] run_timer_softirq+0x1d/0x40 +[ 171.243581] [] __do_softirq+0x152/0x2f0 +[ 171.243585] [] irq_exit+0x9f/0xb0 +[ 171.243588] [] smp_apic_timer_interrupt+0xfd/0x1a0 +[ 171.243591] [] apic_timer_interrupt+0x86/0x90 + +Fixes: f5184d267c1a ("net: Allow netdevices to specify needed head/tailroom") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Acked-by: Thomas Bogendoerfer +--- + drivers/net/bonding/bond_main.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1195,6 +1195,7 @@ static void bond_setup_by_slave(struct n + + bond_dev->type = slave_dev->type; + bond_dev->hard_header_len = slave_dev->hard_header_len; ++ bond_dev->needed_headroom = slave_dev->needed_headroom; + bond_dev->addr_len = slave_dev->addr_len; + + memcpy(bond_dev->broadcast, slave_dev->broadcast, diff --git a/patches.suse/bonding-wait-for-sysfs-kobject-destruction-before-fr.patch b/patches.suse/bonding-wait-for-sysfs-kobject-destruction-before-fr.patch new file mode 100644 index 0000000..356c9c5 --- /dev/null +++ b/patches.suse/bonding-wait-for-sysfs-kobject-destruction-before-fr.patch @@ -0,0 +1,270 @@ +From: Jamie Iles +Date: Fri, 20 Nov 2020 14:28:27 +0000 +Subject: bonding: wait for sysfs kobject destruction before freeing struct + slave +Patch-mainline: v5.10-rc6 +Git-commit: b9ad3e9f5a7a760ab068e33e1f18d240ba32ce92 +References: git-fixes + +syzkaller found that with CONFIG_DEBUG_KOBJECT_RELEASE=y, releasing a +struct slave device could result in the following splat: + + kobject: 'bonding_slave' (00000000cecdd4fe): kobject_release, parent 0000000074ceb2b2 (delayed 1000) + bond0 (unregistering): (slave bond_slave_1): Releasing backup interface + ------------[ cut here ]------------ + ODEBUG: free active (active state 0) object type: timer_list hint: workqueue_select_cpu_near kernel/workqueue.c:1549 [inline] + ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x98 kernel/workqueue.c:1600 + WARNING: CPU: 1 PID: 842 at lib/debugobjects.c:485 debug_print_object+0x180/0x240 lib/debugobjects.c:485 + Kernel panic - not syncing: panic_on_warn set ... + CPU: 1 PID: 842 Comm: kworker/u4:4 Tainted: G S 5.9.0-rc8+ #96 + Hardware name: linux,dummy-virt (DT) + Workqueue: netns cleanup_net + Call trace: + dump_backtrace+0x0/0x4d8 include/linux/bitmap.h:239 + show_stack+0x34/0x48 arch/arm64/kernel/traps.c:142 + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x174/0x1f8 lib/dump_stack.c:118 + panic+0x360/0x7a0 kernel/panic.c:231 + __warn+0x244/0x2ec kernel/panic.c:600 + report_bug+0x240/0x398 lib/bug.c:198 + bug_handler+0x50/0xc0 arch/arm64/kernel/traps.c:974 + call_break_hook+0x160/0x1d8 arch/arm64/kernel/debug-monitors.c:322 + brk_handler+0x30/0xc0 arch/arm64/kernel/debug-monitors.c:329 + do_debug_exception+0x184/0x340 arch/arm64/mm/fault.c:864 + el1_dbg+0x48/0xb0 arch/arm64/kernel/entry-common.c:65 + el1_sync_handler+0x170/0x1c8 arch/arm64/kernel/entry-common.c:93 + el1_sync+0x80/0x100 arch/arm64/kernel/entry.S:594 + debug_print_object+0x180/0x240 lib/debugobjects.c:485 + __debug_check_no_obj_freed lib/debugobjects.c:967 [inline] + debug_check_no_obj_freed+0x200/0x430 lib/debugobjects.c:998 + slab_free_hook mm/slub.c:1536 [inline] + slab_free_freelist_hook+0x190/0x210 mm/slub.c:1577 + slab_free mm/slub.c:3138 [inline] + kfree+0x13c/0x460 mm/slub.c:4119 + bond_free_slave+0x8c/0xf8 drivers/net/bonding/bond_main.c:1492 + __bond_release_one+0xe0c/0xec8 drivers/net/bonding/bond_main.c:2190 + bond_slave_netdev_event drivers/net/bonding/bond_main.c:3309 [inline] + bond_netdev_event+0x8f0/0xa70 drivers/net/bonding/bond_main.c:3420 + notifier_call_chain+0xf0/0x200 kernel/notifier.c:83 + __raw_notifier_call_chain kernel/notifier.c:361 [inline] + raw_notifier_call_chain+0x44/0x58 kernel/notifier.c:368 + call_netdevice_notifiers_info+0xbc/0x150 net/core/dev.c:2033 + call_netdevice_notifiers_extack net/core/dev.c:2045 [inline] + call_netdevice_notifiers net/core/dev.c:2059 [inline] + rollback_registered_many+0x6a4/0xec0 net/core/dev.c:9347 + unregister_netdevice_many.part.0+0x2c/0x1c0 net/core/dev.c:10509 + unregister_netdevice_many net/core/dev.c:10508 [inline] + default_device_exit_batch+0x294/0x338 net/core/dev.c:10992 + ops_exit_list.isra.0+0xec/0x150 net/core/net_namespace.c:189 + cleanup_net+0x44c/0x888 net/core/net_namespace.c:603 + process_one_work+0x96c/0x18c0 kernel/workqueue.c:2269 + worker_thread+0x3f0/0xc30 kernel/workqueue.c:2415 + kthread+0x390/0x498 kernel/kthread.c:292 + ret_from_fork+0x10/0x18 arch/arm64/kernel/entry.S:925 + +This is a potential use-after-free if the sysfs nodes are being accessed +whilst removing the struct slave, so wait for the object destruction to +complete before freeing the struct slave itself. + +Fixes: 07699f9a7c8d ("bonding: add sysfs /slave dir for bond slave devices.") +Fixes: a068aab42258 ("bonding: Fix reference count leak in bond_sysfs_slave_add.") +Cc: Qiushi Wu +Cc: Jay Vosburgh +Cc: Veaceslav Falico +Cc: Andy Gospodarek +Signed-off-by: Jamie Iles +Reviewed-by: Greg Kroah-Hartman +Link: https://lore.kernel.org/r/20201120142827.879226-1-jamie@nuviainc.com +Signed-off-by: Jakub Kicinski +Acked-by: Thomas Bogendoerfer +--- + drivers/net/bonding/bond_main.c | 61 +++++++++++++++++++++++---------- + drivers/net/bonding/bond_sysfs_slave.c | 18 --------- + include/net/bonding.h | 8 ++++ + 3 files changed, 52 insertions(+), 35 deletions(-) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1460,7 +1460,39 @@ static void bond_upper_dev_unlink(struct + slave->dev->flags &= ~IFF_SLAVE; + } + +-static struct slave *bond_alloc_slave(struct bonding *bond) ++static void slave_kobj_release(struct kobject *kobj) ++{ ++ struct slave *slave = to_slave(kobj); ++ struct bonding *bond = bond_get_bond_by_slave(slave); ++ ++ cancel_delayed_work_sync(&slave->notify_work); ++ if (BOND_MODE(bond) == BOND_MODE_8023AD) ++ kfree(SLAVE_AD_INFO(slave)); ++ ++ kfree(slave); ++} ++ ++static struct kobj_type slave_ktype = { ++ .release = slave_kobj_release, ++#ifdef CONFIG_SYSFS ++ .sysfs_ops = &slave_sysfs_ops, ++#endif ++}; ++ ++static int bond_kobj_init(struct slave *slave) ++{ ++ int err; ++ ++ err = kobject_init_and_add(&slave->kobj, &slave_ktype, ++ &(slave->dev->dev.kobj), "bonding_slave"); ++ if (err) ++ kobject_put(&slave->kobj); ++ ++ return err; ++} ++ ++static struct slave *bond_alloc_slave(struct bonding *bond, ++ struct net_device *slave_dev) + { + struct slave *slave = NULL; + +@@ -1468,11 +1500,17 @@ static struct slave *bond_alloc_slave(st + if (!slave) + return NULL; + ++ slave->bond = bond; ++ slave->dev = slave_dev; ++ ++ if (bond_kobj_init(slave)) ++ return NULL; ++ + if (BOND_MODE(bond) == BOND_MODE_8023AD) { + SLAVE_AD_INFO(slave) = kzalloc(sizeof(struct ad_slave_info), + GFP_KERNEL); + if (!SLAVE_AD_INFO(slave)) { +- kfree(slave); ++ kobject_put(&slave->kobj); + return NULL; + } + } +@@ -1481,17 +1519,6 @@ static struct slave *bond_alloc_slave(st + return slave; + } + +-static void bond_free_slave(struct slave *slave) +-{ +- struct bonding *bond = bond_get_bond_by_slave(slave); +- +- cancel_delayed_work_sync(&slave->notify_work); +- if (BOND_MODE(bond) == BOND_MODE_8023AD) +- kfree(SLAVE_AD_INFO(slave)); +- +- kfree(slave); +-} +- + static void bond_fill_ifbond(struct bonding *bond, struct ifbond *info) + { + info->bond_mode = BOND_MODE(bond); +@@ -1678,14 +1705,12 @@ int bond_enslave(struct net_device *bond + goto err_undo_flags; + } + +- new_slave = bond_alloc_slave(bond); ++ new_slave = bond_alloc_slave(bond, slave_dev); + if (!new_slave) { + res = -ENOMEM; + goto err_undo_flags; + } + +- new_slave->bond = bond; +- new_slave->dev = slave_dev; + /* Set the new_slave's queue_id to be zero. Queue ID mapping + * is set via sysfs or module option if desired. + */ +@@ -2007,7 +2032,7 @@ err_restore_mtu: + dev_set_mtu(slave_dev, new_slave->original_mtu); + + err_free: +- bond_free_slave(new_slave); ++ kobject_put(&new_slave->kobj); + + err_undo_flags: + /* Enslave of first slave has failed and we need to fix master's mac */ +@@ -2187,7 +2212,7 @@ static int __bond_release_one(struct net + if (!netif_is_bond_master(slave_dev)) + slave_dev->priv_flags &= ~IFF_BONDING; + +- bond_free_slave(slave); ++ kobject_put(&slave->kobj); + + return 0; + } +--- a/drivers/net/bonding/bond_sysfs_slave.c ++++ b/drivers/net/bonding/bond_sysfs_slave.c +@@ -121,7 +121,6 @@ static const struct slave_attribute *sla + }; + + #define to_slave_attr(_at) container_of(_at, struct slave_attribute, attr) +-#define to_slave(obj) container_of(obj, struct slave, kobj) + + static ssize_t slave_show(struct kobject *kobj, + struct attribute *attr, char *buf) +@@ -132,28 +131,15 @@ static ssize_t slave_show(struct kobject + return slave_attr->show(slave, buf); + } + +-static const struct sysfs_ops slave_sysfs_ops = { ++const struct sysfs_ops slave_sysfs_ops = { + .show = slave_show, + }; + +-static struct kobj_type slave_ktype = { +-#ifdef CONFIG_SYSFS +- .sysfs_ops = &slave_sysfs_ops, +-#endif +-}; +- + int bond_sysfs_slave_add(struct slave *slave) + { + const struct slave_attribute **a; + int err; + +- err = kobject_init_and_add(&slave->kobj, &slave_ktype, +- &(slave->dev->dev.kobj), "bonding_slave"); +- if (err) { +- kobject_put(&slave->kobj); +- return err; +- } +- + for (a = slave_attrs; *a; ++a) { + err = sysfs_create_file(&slave->kobj, &((*a)->attr)); + if (err) { +@@ -171,6 +157,4 @@ void bond_sysfs_slave_del(struct slave * + + for (a = slave_attrs; *a; ++a) + sysfs_remove_file(&slave->kobj, &((*a)->attr)); +- +- kobject_put(&slave->kobj); + } +--- a/include/net/bonding.h ++++ b/include/net/bonding.h +@@ -185,6 +185,11 @@ struct slave { + struct rtnl_link_stats64 slave_stats; + }; + ++static inline struct slave *to_slave(struct kobject *kobj) ++{ ++ return container_of(kobj, struct slave, kobj); ++} ++ + struct bond_up_slave { + unsigned int count; + struct rcu_head rcu; +@@ -750,6 +755,9 @@ extern struct bond_parm_tbl ad_select_tb + /* exported from bond_netlink.c */ + extern struct rtnl_link_ops bond_link_ops; + ++/* exported from bond_sysfs_slave.c */ ++extern const struct sysfs_ops slave_sysfs_ops; ++ + static inline netdev_tx_t bond_tx_drop(struct net_device *dev, struct sk_buff *skb) + { + atomic_long_inc(&dev->tx_dropped); diff --git a/patches.suse/bpf-cgroup-Fix-optlen-WARN_ON_ONCE-toctou.patch b/patches.suse/bpf-cgroup-Fix-optlen-WARN_ON_ONCE-toctou.patch new file mode 100644 index 0000000..5a9c4e2 --- /dev/null +++ b/patches.suse/bpf-cgroup-Fix-optlen-WARN_ON_ONCE-toctou.patch @@ -0,0 +1,40 @@ +From: Loris Reiff +Date: Fri, 22 Jan 2021 17:42:31 +0100 +Subject: bpf, cgroup: Fix optlen WARN_ON_ONCE toctou +Patch-mainline: Queued in subsystem maintainer repository +Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git +Git-commit: bb8b81e396f7afbe7c50d789e2107512274d2a35 +References: bsc#1155518 + +A toctou issue in `__cgroup_bpf_run_filter_getsockopt` can trigger a +WARN_ON_ONCE in a check of `copy_from_user`. + +`*optlen` is checked to be non-negative in the individual getsockopt +functions beforehand. Changing `*optlen` in a race to a negative value +will result in a `copy_from_user(ctx.optval, optval, ctx.optlen)` with +`ctx.optlen` being a negative integer. + +Fixes: 0d01da6afc54 ("bpf: implement getsockopt and setsockopt hooks") +Signed-off-by: Loris Reiff +Signed-off-by: Daniel Borkmann +Reviewed-by: Stanislav Fomichev +Link: https://lore.kernel.org/bpf/20210122164232.61770-1-loris.reiff@liblor.ch +Acked-by: Gary Lin +--- + kernel/bpf/cgroup.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/kernel/bpf/cgroup.c ++++ b/kernel/bpf/cgroup.c +@@ -1109,6 +1109,11 @@ int __cgroup_bpf_run_filter_getsockopt(s + goto out; + } + ++ if (ctx.optlen < 0) { ++ ret = -EFAULT; ++ goto out; ++ } ++ + if (copy_from_user(ctx.optval, optval, + min(ctx.optlen, max_optlen)) != 0) { + ret = -EFAULT; diff --git a/patches.suse/bpf-cgroup-Fix-problematic-bounds-check.patch b/patches.suse/bpf-cgroup-Fix-problematic-bounds-check.patch new file mode 100644 index 0000000..374da40 --- /dev/null +++ b/patches.suse/bpf-cgroup-Fix-problematic-bounds-check.patch @@ -0,0 +1,33 @@ +From: Loris Reiff +Date: Fri, 22 Jan 2021 17:42:32 +0100 +Subject: bpf, cgroup: Fix problematic bounds check +Patch-mainline: Queued in subsystem maintainer repository +Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git +Git-commit: f4a2da755a7e1f5d845c52aee71336cee289935a +References: bsc#1155518 + +Since ctx.optlen is signed, a larger value than max_value could be +passed, as it is later on used as unsigned, which causes a WARN_ON_ONCE +in the copy_to_user. + +Fixes: 0d01da6afc54 ("bpf: implement getsockopt and setsockopt hooks") +Signed-off-by: Loris Reiff +Signed-off-by: Daniel Borkmann +Reviewed-by: Stanislav Fomichev +Link: https://lore.kernel.org/bpf/20210122164232.61770-2-loris.reiff@liblor.ch +Acked-by: Gary Lin +--- + kernel/bpf/cgroup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/bpf/cgroup.c ++++ b/kernel/bpf/cgroup.c +@@ -1131,7 +1131,7 @@ int __cgroup_bpf_run_filter_getsockopt(s + goto out; + } + +- if (ctx.optlen > max_optlen) { ++ if (ctx.optlen > max_optlen || ctx.optlen < 0) { + ret = -EFAULT; + goto out; + } diff --git a/patches.suse/cirrus-cs89x0-remove-set-but-not-used-variable-lp.patch b/patches.suse/cirrus-cs89x0-remove-set-but-not-used-variable-lp.patch new file mode 100644 index 0000000..92d5098 --- /dev/null +++ b/patches.suse/cirrus-cs89x0-remove-set-but-not-used-variable-lp.patch @@ -0,0 +1,46 @@ +From e97643e38589e58849fdfe5c22760d20df497f2d Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Mon, 26 Aug 2019 02:49:15 +0000 +Subject: [PATCH 02/11] cirrus: cs89x0: remove set but not used variable 'lp' +Patch-mainline: v5.4-rc1 +Git-commit: 0846e1616f0f3365cea732e82e2383932fe644e5 +References: git-fixes + +Fixes gcc '-Wunused-but-set-variable' warning: + +drivers/net/ethernet/cirrus/cs89x0.c: In function 'cs89x0_platform_probe': +drivers/net/ethernet/cirrus/cs89x0.c:1847:20: warning: + variable 'lp' set but not used [-Wunused-but-set-variable] + +Reported-by: Hulk Robot +Fixes: 6751edeb8700 ("cirrus: cs89x0: Use managed interfaces") +Signed-off-by: YueHaibing +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/cirrus/cs89x0.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/net/ethernet/cirrus/cs89x0.c b/drivers/net/ethernet/cirrus/cs89x0.c +index 2d30972df06b..c9aebcde403a 100644 +--- a/drivers/net/ethernet/cirrus/cs89x0.c ++++ b/drivers/net/ethernet/cirrus/cs89x0.c +@@ -1844,15 +1844,12 @@ cleanup_module(void) + static int __init cs89x0_platform_probe(struct platform_device *pdev) + { + struct net_device *dev = alloc_etherdev(sizeof(struct net_local)); +- struct net_local *lp; + void __iomem *virt_addr; + int err; + + if (!dev) + return -ENOMEM; + +- lp = netdev_priv(dev); +- + dev->irq = platform_get_irq(pdev, 0); + if (dev->irq <= 0) { + dev_warn(&dev->dev, "interrupt resource missing\n"); +-- +2.16.4 + diff --git a/patches.suse/cirrus-cs89x0-use-devm_platform_ioremap_resource-to-.patch b/patches.suse/cirrus-cs89x0-use-devm_platform_ioremap_resource-to-.patch new file mode 100644 index 0000000..d81b588 --- /dev/null +++ b/patches.suse/cirrus-cs89x0-use-devm_platform_ioremap_resource-to-.patch @@ -0,0 +1,45 @@ +From e555aaa0bb9300328815f2cd4a708a5b39905cd3 Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Wed, 21 Aug 2019 21:02:41 +0800 +Subject: [PATCH 01/11] cirrus: cs89x0: use devm_platform_ioremap_resource() to + simplify code +Patch-mainline: v5.4-rc1 +Git-commit: 1a1ba7118807e82fab7d44ccf0910d3bb0015b0b +References: git-fixes + +Use devm_platform_ioremap_resource() to simplify the code a bit. +This is detected by coccinelle. + +Reported-by: Hulk Robot +Signed-off-by: YueHaibing +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/cirrus/cs89x0.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/cirrus/cs89x0.c b/drivers/net/ethernet/cirrus/cs89x0.c +index b3e7fafee3df..2d30972df06b 100644 +--- a/drivers/net/ethernet/cirrus/cs89x0.c ++++ b/drivers/net/ethernet/cirrus/cs89x0.c +@@ -1845,7 +1845,6 @@ static int __init cs89x0_platform_probe(struct platform_device *pdev) + { + struct net_device *dev = alloc_etherdev(sizeof(struct net_local)); + struct net_local *lp; +- struct resource *mem_res; + void __iomem *virt_addr; + int err; + +@@ -1861,8 +1860,7 @@ static int __init cs89x0_platform_probe(struct platform_device *pdev) + goto free; + } + +- mem_res = platform_get_resource(pdev, IORESOURCE_MEM, 0); +- virt_addr = devm_ioremap_resource(&pdev->dev, mem_res); ++ virt_addr = devm_platform_ioremap_resource(pdev, 0); + if (IS_ERR(virt_addr)) { + err = PTR_ERR(virt_addr); + goto free; +-- +2.16.4 + diff --git a/patches.suse/i40e-Fix-MAC-address-setting-for-a-VF-via-Host-VM.patch b/patches.suse/i40e-Fix-MAC-address-setting-for-a-VF-via-Host-VM.patch new file mode 100644 index 0000000..b2bec5b --- /dev/null +++ b/patches.suse/i40e-Fix-MAC-address-setting-for-a-VF-via-Host-VM.patch @@ -0,0 +1,97 @@ +From: Slawomir Laba +Date: Wed, 14 Oct 2020 08:54:09 +0000 +Subject: i40e: Fix MAC address setting for a VF via Host/VM +Patch-mainline: v5.10-rc4 +Git-commit: 3a7001788fed0311d6fb77ed0dabe7bed3567bc0 +References: git-fixes + +Fix MAC setting flow for the PF driver. + +Update the unicast VF's MAC address in VF structure if it is +a new setting in i40e_vc_add_mac_addr_msg. + +When unicast MAC address gets deleted, record that and +set the new unicast MAC address that is already waiting in the filter +list. This logic is based on the order of messages arriving to +the PF driver. + +Without this change the MAC address setting was interpreted +incorrectly in the following use cases: +1) Print incorrect VF MAC or zero MAC +ip link show dev $pf +2) Don't preserve MAC between driver reload +rmmod iavf; modprobe iavf +3) Update VF MAC when macvlan was set +ip link add link $vf address $mac $vf.1 type macvlan +4) Failed to update mac address when VF was trusted +ip link set dev $vf address $mac + +This includes all other configurations including above commands. + +Fixes: f657a6e1313b ("i40e: Fix VF driver MAC address configuration") +Signed-off-by: Slawomir Laba +Tested-by: Konrad Jankowski +Signed-off-by: Tony Nguyen +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 26 +++++++++++++++++++-- + 1 file changed, 24 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +@@ -2662,6 +2662,10 @@ static int i40e_vc_add_mac_addr_msg(stru + spin_unlock_bh(&vsi->mac_filter_hash_lock); + goto error_param; + } ++ if (is_valid_ether_addr(al->list[i].addr) && ++ is_zero_ether_addr(vf->default_lan_addr.addr)) ++ ether_addr_copy(vf->default_lan_addr.addr, ++ al->list[i].addr); + } + } + spin_unlock_bh(&vsi->mac_filter_hash_lock); +@@ -2689,6 +2693,7 @@ static int i40e_vc_del_mac_addr_msg(stru + { + struct virtchnl_ether_addr_list *al = + (struct virtchnl_ether_addr_list *)msg; ++ bool was_unimac_deleted = false; + struct i40e_pf *pf = vf->pf; + struct i40e_vsi *vsi = NULL; + i40e_status ret = 0; +@@ -2708,6 +2713,8 @@ static int i40e_vc_del_mac_addr_msg(stru + ret = I40E_ERR_INVALID_MAC_ADDR; + goto error_param; + } ++ if (ether_addr_equal(al->list[i].addr, vf->default_lan_addr.addr)) ++ was_unimac_deleted = true; + } + vsi = pf->vsi[vf->lan_vsi_idx]; + +@@ -2728,10 +2735,25 @@ static int i40e_vc_del_mac_addr_msg(stru + dev_err(&pf->pdev->dev, "Unable to program VF %d MAC filters, error %d\n", + vf->vf_id, ret); + ++ if (vf->trusted && was_unimac_deleted) { ++ struct i40e_mac_filter *f; ++ struct hlist_node *h; ++ u8 *macaddr = NULL; ++ int bkt; ++ ++ /* set last unicast mac address as default */ ++ spin_lock_bh(&vsi->mac_filter_hash_lock); ++ hash_for_each_safe(vsi->mac_filter_hash, bkt, h, f, hlist) { ++ if (is_valid_ether_addr(f->macaddr)) ++ macaddr = f->macaddr; ++ } ++ if (macaddr) ++ ether_addr_copy(vf->default_lan_addr.addr, macaddr); ++ spin_unlock_bh(&vsi->mac_filter_hash_lock); ++ } + error_param: + /* send the response to the VF */ +- return i40e_vc_send_resp_to_vf(vf, VIRTCHNL_OP_DEL_ETH_ADDR, +- ret); ++ return i40e_vc_send_resp_to_vf(vf, VIRTCHNL_OP_DEL_ETH_ADDR, ret); + } + + /** diff --git a/patches.suse/i40e-Revert-i40e-don-t-report-link-up-for-a-VF-who-h.patch b/patches.suse/i40e-Revert-i40e-don-t-report-link-up-for-a-VF-who-h.patch new file mode 100644 index 0000000..019e9a5 --- /dev/null +++ b/patches.suse/i40e-Revert-i40e-don-t-report-link-up-for-a-VF-who-h.patch @@ -0,0 +1,91 @@ +From: Aleksandr Loktionov +Date: Sat, 23 Jan 2021 00:22:23 +0000 +Subject: i40e: Revert "i40e: don't report link up for a VF who hasn't enabled + queues" +Git-commit: f559a356043a55bab25a4c00505ea65c50a956fb +Patch-mainline: v5.11-rc7 +References: jsc#SLE-8025 + +This reverts commit 2ad1274fa35ace5c6360762ba48d33b63da2396c + +VF queues were not brought up when PF was brought up after being +downed if the VF driver disabled VFs queues during PF down. +This could happen in some older or external VF driver implementations. +The problem was that PF driver used vf->queues_enabled as a condition +to decide what link-state it would send out which caused the issue. + +Remove the check for vf->queues_enabled in the VF link notify. +Now VF will always be notified of the current link status. +Also remove the queues_enabled member from i40e_vf structure as it is +not used anymore. Otherwise VNF implementation was broken and caused +a link flap. + +The original commit was a workaround to avoid breaking existing VFs though +it's really a fault of the VF code not the PF. The commit should be safe to +revert as all of the VFs we know of have been fixed. Also, since we now +know there is a related bug in the workaround, removing it is preferred. + +Fixes: 2ad1274fa35a ("i40e: don't report link up for a VF who hasn't enabled") +Signed-off-by: Aleksandr Loktionov +Signed-off-by: Arkadiusz Kubalewski +Tested-by: Konrad Jankowski +Signed-off-by: Tony Nguyen +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 13 +------------ + drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h | 1 - + 2 files changed, 1 insertion(+), 13 deletions(-) + +--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +@@ -55,12 +55,7 @@ static void i40e_vc_notify_vf_link_state + + pfe.event = VIRTCHNL_EVENT_LINK_CHANGE; + pfe.severity = PF_EVENT_SEVERITY_INFO; +- +- /* Always report link is down if the VF queues aren't enabled */ +- if (!vf->queues_enabled) { +- pfe.event_data.link_event.link_status = false; +- pfe.event_data.link_event.link_speed = 0; +- } else if (vf->link_forced) { ++ if (vf->link_forced) { + pfe.event_data.link_event.link_status = vf->link_up; + pfe.event_data.link_event.link_speed = + (vf->link_up ? VIRTCHNL_LINK_SPEED_40GB : 0); +@@ -70,7 +65,6 @@ static void i40e_vc_notify_vf_link_state + pfe.event_data.link_event.link_speed = + i40e_virtchnl_link_speed(ls->link_speed); + } +- + i40e_aq_send_msg_to_vf(hw, abs_vf_id, VIRTCHNL_OP_EVENT, + 0, (u8 *)&pfe, sizeof(pfe), NULL); + } +@@ -2388,8 +2382,6 @@ static int i40e_vc_enable_queues_msg(str + } + } + +- vf->queues_enabled = true; +- + error_param: + /* send the response to the VF */ + return i40e_vc_send_resp_to_vf(vf, VIRTCHNL_OP_ENABLE_QUEUES, +@@ -2411,9 +2403,6 @@ static int i40e_vc_disable_queues_msg(st + struct i40e_pf *pf = vf->pf; + i40e_status aq_ret = 0; + +- /* Immediately mark queues as disabled */ +- vf->queues_enabled = false; +- + if (!test_bit(I40E_VF_STATE_ACTIVE, &vf->vf_states)) { + aq_ret = I40E_ERR_PARAM; + goto error_param; +--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h ++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h +@@ -99,7 +99,6 @@ struct i40e_vf { + unsigned int tx_rate; /* Tx bandwidth limit in Mbps */ + bool link_forced; + bool link_up; /* only valid if VF link is forced */ +- bool queues_enabled; /* true if the VF queues are enabled */ + bool spoofchk; + u16 num_vlan; + diff --git a/patches.suse/i40e-acquire-VSI-pointer-only-after-VF-is-initialize.patch b/patches.suse/i40e-acquire-VSI-pointer-only-after-VF-is-initialize.patch new file mode 100644 index 0000000..90a618e --- /dev/null +++ b/patches.suse/i40e-acquire-VSI-pointer-only-after-VF-is-initialize.patch @@ -0,0 +1,57 @@ +From: Stefan Assmann +Date: Mon, 30 Nov 2020 14:12:57 +0100 +Subject: i40e: acquire VSI pointer only after VF is initialized +Patch-mainline: v5.11-rc6 +Git-commit: 67a3c6b3cc40bb217c3ff947a55053151a00fea0 +References: jsc#SLE-8025 + +This change simplifies the VF initialization check and also minimizes +the delay between acquiring the VSI pointer and using it. As known by +the commit being fixed, there is a risk of the VSI pointer getting +changed. Therefore minimize the delay between getting and using the +pointer. + +Fixes: 9889707b06ac ("i40e: Fix crash caused by stress setting of VF MAC addresses") +Signed-off-by: Stefan Assmann +Reviewed-by: Jacob Keller +Tested-by: Konrad Jankowski +Signed-off-by: Tony Nguyen +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +@@ -3969,20 +3969,16 @@ int i40e_ndo_set_vf_mac(struct net_devic + goto error_param; + + vf = &pf->vf[vf_id]; +- vsi = pf->vsi[vf->lan_vsi_idx]; + + /* When the VF is resetting wait until it is done. + * It can take up to 200 milliseconds, + * but wait for up to 300 milliseconds to be safe. +- * If the VF is indeed in reset, the vsi pointer has +- * to show on the newly loaded vsi under pf->vsi[id]. ++ * Acquire the VSI pointer only after the VF has been ++ * properly initialized. + */ + for (i = 0; i < 15; i++) { +- if (test_bit(I40E_VF_STATE_INIT, &vf->vf_states)) { +- if (i > 0) +- vsi = pf->vsi[vf->lan_vsi_idx]; ++ if (test_bit(I40E_VF_STATE_INIT, &vf->vf_states)) + break; +- } + msleep(20); + } + if (!test_bit(I40E_VF_STATE_INIT, &vf->vf_states)) { +@@ -3991,6 +3987,7 @@ int i40e_ndo_set_vf_mac(struct net_devic + ret = -EAGAIN; + goto error_param; + } ++ vsi = pf->vsi[vf->lan_vsi_idx]; + + if (is_multicast_ether_addr(mac)) { + dev_err(&pf->pdev->dev, diff --git a/patches.suse/igc-Fix-returning-wrong-statistics.patch b/patches.suse/igc-Fix-returning-wrong-statistics.patch new file mode 100644 index 0000000..3081c12 --- /dev/null +++ b/patches.suse/igc-Fix-returning-wrong-statistics.patch @@ -0,0 +1,66 @@ +From: Vinicius Costa Gomes +Date: Fri, 25 Sep 2020 11:35:37 -0700 +Subject: igc: Fix returning wrong statistics +Patch-mainline: v5.10-rc4 +Git-commit: 6b7ed22ae4c96a415001f0c3116ebee15bb8491a +References: git-fixes + +'igc_update_stats()' was not updating 'netdev->stats', so the returned +statistics, for example, requested by: + +$ ip -s link show dev enp3s0 + +were not being updated and were always zero. + +Fix by returning a set of statistics that are actually being +updated (adapter->stats64). + +Fixes: c9a11c23ceb6 ("igc: Add netdev") +Signed-off-by: Vinicius Costa Gomes +Tested-by: Aaron Brown +Signed-off-by: Tony Nguyen +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/intel/igc/igc_main.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -3590,21 +3590,23 @@ static int igc_change_mtu(struct net_dev + } + + /** +- * igc_get_stats - Get System Network Statistics ++ * igc_get_stats64 - Get System Network Statistics + * @netdev: network interface device structure ++ * @stats: rtnl_link_stats64 pointer + * + * Returns the address of the device statistics structure. + * The statistics are updated here and also from the timer callback. + */ +-static struct net_device_stats *igc_get_stats(struct net_device *netdev) ++static void igc_get_stats64(struct net_device *netdev, ++ struct rtnl_link_stats64 *stats) + { + struct igc_adapter *adapter = netdev_priv(netdev); + ++ spin_lock(&adapter->stats64_lock); + if (!test_bit(__IGC_RESETTING, &adapter->state)) + igc_update_stats(adapter); +- +- /* only return the current stats */ +- return &netdev->stats; ++ memcpy(stats, &adapter->stats64, sizeof(*stats)); ++ spin_unlock(&adapter->stats64_lock); + } + + static netdev_features_t igc_fix_features(struct net_device *netdev, +@@ -4475,7 +4477,7 @@ static const struct net_device_ops igc_n + .ndo_set_rx_mode = igc_set_rx_mode, + .ndo_set_mac_address = igc_set_mac, + .ndo_change_mtu = igc_change_mtu, +- .ndo_get_stats = igc_get_stats, ++ .ndo_get_stats64 = igc_get_stats64, + .ndo_fix_features = igc_fix_features, + .ndo_set_features = igc_set_features, + .ndo_features_check = igc_features_check, diff --git a/patches.suse/mlxsw-core-Fix-memory-leak-on-module-removal.patch b/patches.suse/mlxsw-core-Fix-memory-leak-on-module-removal.patch new file mode 100644 index 0000000..860252e --- /dev/null +++ b/patches.suse/mlxsw-core-Fix-memory-leak-on-module-removal.patch @@ -0,0 +1,54 @@ +From: Ido Schimmel +Date: Sat, 24 Oct 2020 16:37:32 +0300 +Subject: mlxsw: core: Fix memory leak on module removal +Patch-mainline: v5.10-rc2 +Git-commit: adc80b6cfedff6dad8b93d46a5ea2775fd5af9ec +References: git-fixes + +Free the devlink instance during the teardown sequence in the non-reload +case to avoid the following memory leak. + +unreferenced object 0xffff888232895000 (size 2048): + comm "modprobe", pid 1073, jiffies 4295568857 (age 164.871s) + hex dump (first 32 bytes): + 00 01 00 00 00 00 ad de 22 01 00 00 00 00 ad de ........"....... + 10 50 89 32 82 88 ff ff 10 50 89 32 82 88 ff ff .P.2.....P.2.... + backtrace: + [<00000000c704e9a6>] __kmalloc+0x13a/0x2a0 + [<00000000ee30129d>] devlink_alloc+0xff/0x760 + [<0000000092ab3e5d>] 0xffffffffa042e5b0 + [<000000004f3f8a31>] 0xffffffffa042f6ad + [<0000000092800b4b>] 0xffffffffa0491df3 + [<00000000c4843903>] local_pci_probe+0xcb/0x170 + [<000000006993ded7>] pci_device_probe+0x2c2/0x4e0 + [<00000000a8e0de75>] really_probe+0x2c5/0xf90 + [<00000000d42ba75d>] driver_probe_device+0x1eb/0x340 + [<00000000bcc95e05>] device_driver_attach+0x294/0x300 + [<000000000e2bc177>] __driver_attach+0x167/0x2f0 + [<000000007d44cd6e>] bus_for_each_dev+0x148/0x1f0 + [<000000003cd5a91e>] driver_attach+0x45/0x60 + [<000000000041ce51>] bus_add_driver+0x3b8/0x720 + [<00000000f5215476>] driver_register+0x230/0x4e0 + [<00000000d79356f5>] __pci_register_driver+0x190/0x200 + +Fixes: a22712a96291 ("mlxsw: core: Fix devlink unregister flow") +Signed-off-by: Ido Schimmel +Reported-by: Vadim Pasternak +Tested-by: Oleksandr Shamray +Signed-off-by: Jakub Kicinski +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/mellanox/mlxsw/core.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/mellanox/mlxsw/core.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/core.c +@@ -1414,6 +1414,8 @@ void mlxsw_core_bus_device_unregister(st + if (!reload) + devlink_resources_unregister(devlink, NULL); + mlxsw_core->bus->fini(mlxsw_core->bus_priv); ++ if (!reload) ++ devlink_free(devlink); + + return; + diff --git a/patches.suse/mlxsw-core-Fix-use-after-free-in-mlxsw_emad_trans_fi.patch b/patches.suse/mlxsw-core-Fix-use-after-free-in-mlxsw_emad_trans_fi.patch new file mode 100644 index 0000000..82ca3ff --- /dev/null +++ b/patches.suse/mlxsw-core-Fix-use-after-free-in-mlxsw_emad_trans_fi.patch @@ -0,0 +1,159 @@ +From: Amit Cohen +Date: Sat, 24 Oct 2020 16:37:33 +0300 +Subject: mlxsw: core: Fix use-after-free in mlxsw_emad_trans_finish() +Patch-mainline: v5.10-rc2 +Git-commit: 0daf2bf5a2dcf33d446b76360908f109816e2e21 +References: git-fixes + +Each EMAD transaction stores the skb used to issue the EMAD request +('trans->tx_skb') so that the request could be retried in case of a +timeout. The skb can be freed when a corresponding response is received +or as part of the retry logic (e.g., failed retransmit, exceeded maximum +number of retries). + +The two tasks (i.e., response processing and retransmits) are +synchronized by the atomic 'trans->active' field which ensures that +responses to inactive transactions are ignored. + +In case of a failed retransmit the transaction is finished and all of +its resources are freed. However, the current code does not mark it as +inactive. Syzkaller was able to hit a race condition in which a +concurrent response is processed while the transaction's resources are +being freed, resulting in a use-after-free [1]. + +Fix the issue by making sure to mark the transaction as inactive after a +failed retransmit and free its resources only if a concurrent task did +not already do that. + +[1] +BUG: KASAN: use-after-free in consume_skb+0x30/0x370 +net/core/skbuff.c:833 +Read of size 4 at addr ffff88804f570494 by task syz-executor.0/1004 + +CPU: 0 PID: 1004 Comm: syz-executor.0 Not tainted 5.8.0-rc7+ #68 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xf6/0x16e lib/dump_stack.c:118 + print_address_description.constprop.0+0x1c/0x250 +mm/kasan/report.c:383 + __kasan_report mm/kasan/report.c:513 [inline] + kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530 + check_memory_region_inline mm/kasan/generic.c:186 [inline] + check_memory_region+0x14e/0x1b0 mm/kasan/generic.c:192 + instrument_atomic_read include/linux/instrumented.h:56 [inline] + atomic_read include/asm-generic/atomic-instrumented.h:27 [inline] + refcount_read include/linux/refcount.h:147 [inline] + skb_unref include/linux/skbuff.h:1044 [inline] + consume_skb+0x30/0x370 net/core/skbuff.c:833 + mlxsw_emad_trans_finish+0x64/0x1c0 drivers/net/ethernet/mellanox/mlxsw/core.c:592 + mlxsw_emad_process_response drivers/net/ethernet/mellanox/mlxsw/core.c:651 [inline] + mlxsw_emad_rx_listener_func+0x5c9/0xac0 drivers/net/ethernet/mellanox/mlxsw/core.c:672 + mlxsw_core_skb_receive+0x4df/0x770 drivers/net/ethernet/mellanox/mlxsw/core.c:2063 + mlxsw_pci_cqe_rdq_handle drivers/net/ethernet/mellanox/mlxsw/pci.c:595 [inline] + mlxsw_pci_cq_tasklet+0x12a6/0x2520 drivers/net/ethernet/mellanox/mlxsw/pci.c:651 + tasklet_action_common.isra.0+0x13f/0x3e0 kernel/softirq.c:550 + __do_softirq+0x223/0x964 kernel/softirq.c:292 + asm_call_on_stack+0x12/0x20 arch/x86/entry/entry_64.S:711 + +Allocated by task 1006: + save_stack+0x1b/0x40 mm/kasan/common.c:48 + set_track mm/kasan/common.c:56 [inline] + __kasan_kmalloc mm/kasan/common.c:494 [inline] + __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:467 + slab_post_alloc_hook mm/slab.h:586 [inline] + slab_alloc_node mm/slub.c:2824 [inline] + slab_alloc mm/slub.c:2832 [inline] + kmem_cache_alloc+0xcd/0x2e0 mm/slub.c:2837 + __build_skb+0x21/0x60 net/core/skbuff.c:311 + __netdev_alloc_skb+0x1e2/0x360 net/core/skbuff.c:464 + netdev_alloc_skb include/linux/skbuff.h:2810 [inline] + mlxsw_emad_alloc drivers/net/ethernet/mellanox/mlxsw/core.c:756 [inline] + mlxsw_emad_reg_access drivers/net/ethernet/mellanox/mlxsw/core.c:787 [inline] + mlxsw_core_reg_access_emad+0x1ab/0x1420 drivers/net/ethernet/mellanox/mlxsw/core.c:1817 + mlxsw_reg_trans_query+0x39/0x50 drivers/net/ethernet/mellanox/mlxsw/core.c:1831 + mlxsw_sp_sb_pm_occ_clear drivers/net/ethernet/mellanox/mlxsw/spectrum_buffers.c:260 [inline] + mlxsw_sp_sb_occ_max_clear+0xbff/0x10a0 drivers/net/ethernet/mellanox/mlxsw/spectrum_buffers.c:1365 + mlxsw_devlink_sb_occ_max_clear+0x76/0xb0 drivers/net/ethernet/mellanox/mlxsw/core.c:1037 + devlink_nl_cmd_sb_occ_max_clear_doit+0x1ec/0x280 net/core/devlink.c:1765 + genl_family_rcv_msg_doit net/netlink/genetlink.c:669 [inline] + genl_family_rcv_msg net/netlink/genetlink.c:714 [inline] + genl_rcv_msg+0x617/0x980 net/netlink/genetlink.c:731 + netlink_rcv_skb+0x152/0x440 net/netlink/af_netlink.c:2470 + genl_rcv+0x24/0x40 net/netlink/genetlink.c:742 + netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] + netlink_unicast+0x53a/0x750 net/netlink/af_netlink.c:1330 + netlink_sendmsg+0x850/0xd90 net/netlink/af_netlink.c:1919 + sock_sendmsg_nosec net/socket.c:651 [inline] + sock_sendmsg+0x150/0x190 net/socket.c:671 + ____sys_sendmsg+0x6d8/0x840 net/socket.c:2359 + ___sys_sendmsg+0xff/0x170 net/socket.c:2413 + __sys_sendmsg+0xe5/0x1b0 net/socket.c:2446 + do_syscall_64+0x56/0xa0 arch/x86/entry/common.c:384 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Freed by task 73: + save_stack+0x1b/0x40 mm/kasan/common.c:48 + set_track mm/kasan/common.c:56 [inline] + kasan_set_free_info mm/kasan/common.c:316 [inline] + __kasan_slab_free+0x12c/0x170 mm/kasan/common.c:455 + slab_free_hook mm/slub.c:1474 [inline] + slab_free_freelist_hook mm/slub.c:1507 [inline] + slab_free mm/slub.c:3072 [inline] + kmem_cache_free+0xbe/0x380 mm/slub.c:3088 + kfree_skbmem net/core/skbuff.c:622 [inline] + kfree_skbmem+0xef/0x1b0 net/core/skbuff.c:616 + __kfree_skb net/core/skbuff.c:679 [inline] + consume_skb net/core/skbuff.c:837 [inline] + consume_skb+0xe1/0x370 net/core/skbuff.c:831 + mlxsw_emad_trans_finish+0x64/0x1c0 drivers/net/ethernet/mellanox/mlxsw/core.c:592 + mlxsw_emad_transmit_retry.isra.0+0x9d/0xc0 drivers/net/ethernet/mellanox/mlxsw/core.c:613 + mlxsw_emad_trans_timeout_work+0x43/0x50 drivers/net/ethernet/mellanox/mlxsw/core.c:625 + process_one_work+0xa3e/0x17a0 kernel/workqueue.c:2269 + worker_thread+0x9e/0x1050 kernel/workqueue.c:2415 + kthread+0x355/0x470 kernel/kthread.c:291 + ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:293 + +The buggy address belongs to the object at ffff88804f5703c0 + which belongs to the cache skbuff_head_cache of size 224 +The buggy address is located 212 bytes inside of + 224-byte region [ffff88804f5703c0, ffff88804f5704a0) +The buggy address belongs to the page: +page:ffffea00013d5c00 refcount:1 mapcount:0 mapping:0000000000000000 +index:0x0 +flags: 0x100000000000200(slab) +raw: 0100000000000200 dead000000000100 dead000000000122 ffff88806c625400 +raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff88804f570380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb + ffff88804f570400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff88804f570480: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc + ^ + ffff88804f570500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff88804f570580: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc + +Fixes: caf7297e7ab5f ("mlxsw: core: Introduce support for asynchronous EMAD register access") +Signed-off-by: Amit Cohen +Reviewed-by: Jiri Pirko +Signed-off-by: Ido Schimmel +Signed-off-by: Jakub Kicinski +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/mellanox/mlxsw/core.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/ethernet/mellanox/mlxsw/core.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/core.c +@@ -606,6 +606,9 @@ static void mlxsw_emad_transmit_retry(st + err = mlxsw_emad_transmit(trans->core, trans); + if (err == 0) + return; ++ ++ if (!atomic_dec_and_test(&trans->active)) ++ return; + } else { + err = -EIO; + } diff --git a/patches.suse/net-ethernet-mlx4-Avoid-assigning-a-value-to-ring_co.patch b/patches.suse/net-ethernet-mlx4-Avoid-assigning-a-value-to-ring_co.patch new file mode 100644 index 0000000..5bb2d5c --- /dev/null +++ b/patches.suse/net-ethernet-mlx4-Avoid-assigning-a-value-to-ring_co.patch @@ -0,0 +1,33 @@ +From: Luo Jiaxing +Date: Sat, 12 Sep 2020 16:08:15 +0800 +Subject: net: ethernet: mlx4: Avoid assigning a value to ring_cons but not + used it anymore in mlx4_en_xmit() +Patch-mainline: v5.10-rc1 +Git-commit: e5e252ba21d243689a8e8bf2af5bf5579dabfea7 +References: git-fixes + +We found a set but not used variable 'ring_cons' in mlx4_en_xmit(), it will +cause a warning when build the kernel. And after checking the commit record +of this function, we found that it was introduced by a previous patch. + +So, We delete this redundant assignment code. + +Fixes: 488a9b48e398 ("net/mlx4_en: Wake TX queues only when there's enough room") + +Signed-off-by: Luo Jiaxing +Signed-off-by: David S. Miller +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/mellanox/mlx4/en_tx.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlx4/en_tx.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_tx.c +@@ -1075,7 +1075,6 @@ netdev_tx_t mlx4_en_xmit(struct sk_buff + */ + smp_rmb(); + +- ring_cons = READ_ONCE(ring->cons); + if (unlikely(!mlx4_en_is_tx_ring_full(ring))) { + netif_tx_wake_queue(ring->tx_queue); + ring->wake_queue++; diff --git a/patches.suse/net-liquidio-Delete-non-working-LIQUIDIO_PACKAGE-che.patch b/patches.suse/net-liquidio-Delete-non-working-LIQUIDIO_PACKAGE-che.patch new file mode 100644 index 0000000..da91a9a --- /dev/null +++ b/patches.suse/net-liquidio-Delete-non-working-LIQUIDIO_PACKAGE-che.patch @@ -0,0 +1,60 @@ +From: Leon Romanovsky +Date: Sun, 1 Mar 2020 16:44:38 +0200 +Subject: net/liquidio: Delete non-working LIQUIDIO_PACKAGE check +Patch-mainline: v5.7-rc1 +Git-commit: d4bb38156fe60288064d8a3a16d67ad18a9e62f8 +References: git-fixes + +Size of LIQUIDIO_PACKAGE is 0 and it means that checks of package +version never worked, delete dead code. + +Fixes: 3258124534f6 ("liquidio: Consolidate common functionality") +Signed-off-by: Leon Romanovsky +Signed-off-by: David S. Miller +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/cavium/liquidio/liquidio_common.h | 4 +--- + drivers/net/ethernet/cavium/liquidio/octeon_console.c | 10 ++-------- + 2 files changed, 3 insertions(+), 11 deletions(-) + +--- a/drivers/net/ethernet/cavium/liquidio/liquidio_common.h ++++ b/drivers/net/ethernet/cavium/liquidio/liquidio_common.h +@@ -25,15 +25,13 @@ + + #include "octeon_config.h" + +-#define LIQUIDIO_PACKAGE "" + #define LIQUIDIO_BASE_MAJOR_VERSION 1 + #define LIQUIDIO_BASE_MINOR_VERSION 7 + #define LIQUIDIO_BASE_MICRO_VERSION 2 + #define LIQUIDIO_BASE_VERSION __stringify(LIQUIDIO_BASE_MAJOR_VERSION) "." \ + __stringify(LIQUIDIO_BASE_MINOR_VERSION) + #define LIQUIDIO_MICRO_VERSION "." __stringify(LIQUIDIO_BASE_MICRO_VERSION) +-#define LIQUIDIO_VERSION LIQUIDIO_PACKAGE \ +- __stringify(LIQUIDIO_BASE_MAJOR_VERSION) "." \ ++#define LIQUIDIO_VERSION __stringify(LIQUIDIO_BASE_MAJOR_VERSION) "." \ + __stringify(LIQUIDIO_BASE_MINOR_VERSION) \ + "." __stringify(LIQUIDIO_BASE_MICRO_VERSION) + +--- a/drivers/net/ethernet/cavium/liquidio/octeon_console.c ++++ b/drivers/net/ethernet/cavium/liquidio/octeon_console.c +@@ -840,17 +840,11 @@ int octeon_download_firmware(struct octe + return -EINVAL; + } + +- if (strncmp(LIQUIDIO_PACKAGE, h->version, strlen(LIQUIDIO_PACKAGE))) { +- dev_err(&oct->pci_dev->dev, "Unmatched firmware package type. Expected %s, got %s.\n", +- LIQUIDIO_PACKAGE, h->version); +- return -EINVAL; +- } +- +- if (memcmp(LIQUIDIO_BASE_VERSION, h->version + strlen(LIQUIDIO_PACKAGE), ++ if (memcmp(LIQUIDIO_BASE_VERSION, h->version, + strlen(LIQUIDIO_BASE_VERSION))) { + dev_err(&oct->pci_dev->dev, "Unmatched firmware version. Expected %s.x, got %s.\n", + LIQUIDIO_BASE_VERSION, +- h->version + strlen(LIQUIDIO_PACKAGE)); ++ h->version); + return -EINVAL; + } + diff --git a/patches.suse/net-mlx5-Don-t-call-timecounter-cyc2time-directly-fr.patch b/patches.suse/net-mlx5-Don-t-call-timecounter-cyc2time-directly-fr.patch new file mode 100644 index 0000000..151553a --- /dev/null +++ b/patches.suse/net-mlx5-Don-t-call-timecounter-cyc2time-directly-fr.patch @@ -0,0 +1,31 @@ +From: Eran Ben Elisha +Date: Tue, 16 Jun 2020 12:07:10 +0300 +Subject: net/mlx5: Don't call timecounter cyc2time directly from 1PPS flow +Patch-mainline: v5.10-rc1 +Git-commit: 0d2ffdc8d4002a62de31ff7aa3bef28c843c3cbe +References: git-fixes + +Before calling timecounter_cyc2time(), clock->lock must be taken. +Use mlx5_timecounter_cyc2time instead which guarantees a safe access. + +Fixes: afc98a0b46d8 ("net/mlx5: Update ptp_clock_event foreach PPS event") +Signed-off-by: Eran Ben Elisha +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c +@@ -512,8 +512,9 @@ static int mlx5_pps_event(struct notifie + switch (clock->ptp_info.pin_config[pin].func) { + case PTP_PF_EXTTS: + ptp_event.index = pin; +- ptp_event.timestamp = timecounter_cyc2time(&clock->tc, +- be64_to_cpu(eqe->data.pps.time_stamp)); ++ ptp_event.timestamp = ++ mlx5_timecounter_cyc2time(clock, ++ be64_to_cpu(eqe->data.pps.time_stamp)); + if (clock->pps_info.enabled) { + ptp_event.type = PTP_CLOCK_PPSUSR; + ptp_event.pps_times.ts_real = diff --git a/patches.suse/net-mlx5e-E-switch-Fix-rate-calculation-for-overflow.patch b/patches.suse/net-mlx5e-E-switch-Fix-rate-calculation-for-overflow.patch new file mode 100644 index 0000000..58d80d8 --- /dev/null +++ b/patches.suse/net-mlx5e-E-switch-Fix-rate-calculation-for-overflow.patch @@ -0,0 +1,62 @@ +From: Parav Pandit +Date: Tue, 12 Jan 2021 16:13:22 +0200 +Subject: net/mlx5e: E-switch, Fix rate calculation for overflow +Patch-mainline: v5.11-rc6 +Git-commit: 1fe3e3166b35240615ab7f8276af2bbf2e51f559 +References: jsc#SLE-8464 + +rate_bytes_ps is a 64-bit field. It passed as 32-bit field to +apply_police_params(). Due to this when police rate is higher +than 4Gbps, 32-bit calculation ignores the carry. This results +in incorrect rate configurationn the device. + +Fix it by performing 64-bit calculation. + +Fixes: fcb64c0f5640 ("net/mlx5: E-Switch, add ingress rate support") +Signed-off-by: Parav Pandit +Reviewed-by: Eli Cohen +Signed-off-by: Saeed Mahameed +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +@@ -67,6 +67,7 @@ + #include "lib/devcom.h" + #include "lib/geneve.h" + #include "diag/en_tc_tracepoint.h" ++#include + + #define MLX5_MH_ACT_SZ MLX5_UN_SZ_BYTES(set_add_copy_action_in_auto) + +@@ -4770,13 +4771,13 @@ errout: + return err; + } + +-static int apply_police_params(struct mlx5e_priv *priv, u32 rate, ++static int apply_police_params(struct mlx5e_priv *priv, u64 rate, + struct netlink_ext_ack *extack) + { + struct mlx5e_rep_priv *rpriv = priv->ppriv; + struct mlx5_eswitch *esw; ++ u32 rate_mbps = 0; + u16 vport_num; +- u32 rate_mbps; + int err; + + vport_num = rpriv->rep->vport; +@@ -4793,7 +4794,11 @@ static int apply_police_params(struct ml + * Moreover, if rate is non zero we choose to configure to a minimum of + * 1 mbit/sec. + */ +- rate_mbps = rate ? max_t(u32, (rate * 8 + 500000) / 1000000, 1) : 0; ++ if (rate) { ++ rate = (rate * BITS_PER_BYTE) + 500000; ++ rate_mbps = max_t(u32, do_div(rate, 1000000), 1); ++ } ++ + err = mlx5_esw_modify_vport_rate(esw, vport_num, rate_mbps); + if (err) + NL_SET_ERR_MSG_MOD(extack, "failed applying action to hardware"); diff --git a/patches.suse/net-mvpp2-fix-memory-leak-in-mvpp2_rx.patch b/patches.suse/net-mvpp2-fix-memory-leak-in-mvpp2_rx.patch new file mode 100644 index 0000000..2c608ca --- /dev/null +++ b/patches.suse/net-mvpp2-fix-memory-leak-in-mvpp2_rx.patch @@ -0,0 +1,28 @@ +From: Lorenzo Bianconi +Date: Fri, 31 Jul 2020 10:38:32 +0200 +Subject: net: mvpp2: fix memory leak in mvpp2_rx +Patch-mainline: v5.9-rc1 +Git-commit: d6526926de7397a97308780911565e31a6b67b59 +References: git-fixes + +Release skb memory in mvpp2_rx() if mvpp2_rx_refill routine fails + +Fixes: b5015854674b ("net: mvpp2: fix refilling BM pools in RX path") +Signed-off-by: Lorenzo Bianconi +Acked-by: Matteo Croce +Signed-off-by: David S. Miller +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +@@ -2978,6 +2978,7 @@ static int mvpp2_rx(struct mvpp2_port *p + err = mvpp2_rx_refill(port, bm_pool, pool); + if (err) { + netdev_err(port->dev, "failed to refill BM pools\n"); ++ dev_kfree_skb_any(skb); + goto err_drop_frame; + } + diff --git a/patches.suse/net-phy-at803x-use-operating-parameters-from-PHY-spe.patch b/patches.suse/net-phy-at803x-use-operating-parameters-from-PHY-spe.patch new file mode 100644 index 0000000..7a6c53b --- /dev/null +++ b/patches.suse/net-phy-at803x-use-operating-parameters-from-PHY-spe.patch @@ -0,0 +1,138 @@ +From baa84c9044dd87be289538b2107ff8d9da5eeb0c Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Fri, 4 Oct 2019 17:06:14 +0100 +Subject: [PATCH 07/11] net: phy: at803x: use operating parameters from + PHY-specific status +Patch-mainline: v5.4-rc2 +Git-commit: 06d5f3441b2e80eeb6deb0885aefa00589e463c1 +References: git-fixes + +Read the PHY-specific status register for the current operating mode +(speed and duplex) of the PHY. This register reflects the actual +mode that the PHY has resolved depending on either the advertisements +of autoneg is enabled, or the forced mode if autoneg is disabled. + +This ensures that phylib's software state always tracks the hardware +state. + +It seems both AR8033 (which uses the AR8031 ID) and AR8035 support +this status register. AR8030 is not known at the present time. + +This patch depends on "net: phy: extract pause mode" and "net: phy: +extract link partner advertisement reading". + +Reported-by: tinywrkb +Reviewed-by: Andrew Lunn +Tested-by: tinywrkb +Fixes: 5502b218e001 ("net: phy: use phy_resolve_aneg_linkmode in genphy_read_status") +Signed-off-by: Russell King +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/phy/at803x.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 69 insertions(+) + +diff --git a/drivers/net/phy/at803x.c b/drivers/net/phy/at803x.c +index 6ad8b1c63c34..3b7f46b46111 100644 +--- a/drivers/net/phy/at803x.c ++++ b/drivers/net/phy/at803x.c +@@ -15,6 +15,15 @@ + #include + #include + ++#define AT803X_SPECIFIC_STATUS 0x11 ++#define AT803X_SS_SPEED_MASK (3 << 14) ++#define AT803X_SS_SPEED_1000 (2 << 14) ++#define AT803X_SS_SPEED_100 (1 << 14) ++#define AT803X_SS_SPEED_10 (0 << 14) ++#define AT803X_SS_DUPLEX BIT(13) ++#define AT803X_SS_SPEED_DUPLEX_RESOLVED BIT(11) ++#define AT803X_SS_MDIX BIT(6) ++ + #define AT803X_INTR_ENABLE 0x12 + #define AT803X_INTR_ENABLE_AUTONEG_ERR BIT(15) + #define AT803X_INTR_ENABLE_SPEED_CHANGED BIT(14) +@@ -361,6 +370,64 @@ static int at803x_aneg_done(struct phy_device *phydev) + return aneg_done; + } + ++static int at803x_read_status(struct phy_device *phydev) ++{ ++ int ss, err, old_link = phydev->link; ++ ++ /* Update the link, but return if there was an error */ ++ err = genphy_update_link(phydev); ++ if (err) ++ return err; ++ ++ /* why bother the PHY if nothing can have changed */ ++ if (phydev->autoneg == AUTONEG_ENABLE && old_link && phydev->link) ++ return 0; ++ ++ phydev->speed = SPEED_UNKNOWN; ++ phydev->duplex = DUPLEX_UNKNOWN; ++ phydev->pause = 0; ++ phydev->asym_pause = 0; ++ ++ err = genphy_read_lpa(phydev); ++ if (err < 0) ++ return err; ++ ++ /* Read the AT8035 PHY-Specific Status register, which indicates the ++ * speed and duplex that the PHY is actually using, irrespective of ++ * whether we are in autoneg mode or not. ++ */ ++ ss = phy_read(phydev, AT803X_SPECIFIC_STATUS); ++ if (ss < 0) ++ return ss; ++ ++ if (ss & AT803X_SS_SPEED_DUPLEX_RESOLVED) { ++ switch (ss & AT803X_SS_SPEED_MASK) { ++ case AT803X_SS_SPEED_10: ++ phydev->speed = SPEED_10; ++ break; ++ case AT803X_SS_SPEED_100: ++ phydev->speed = SPEED_100; ++ break; ++ case AT803X_SS_SPEED_1000: ++ phydev->speed = SPEED_1000; ++ break; ++ } ++ if (ss & AT803X_SS_DUPLEX) ++ phydev->duplex = DUPLEX_FULL; ++ else ++ phydev->duplex = DUPLEX_HALF; ++ if (ss & AT803X_SS_MDIX) ++ phydev->mdix = ETH_TP_MDI_X; ++ else ++ phydev->mdix = ETH_TP_MDI; ++ } ++ ++ if (phydev->autoneg == AUTONEG_ENABLE && phydev->autoneg_complete) ++ phy_resolve_aneg_pause(phydev); ++ ++ return 0; ++} ++ + static struct phy_driver at803x_driver[] = { + { + /* ATHEROS 8035 */ +@@ -374,6 +441,7 @@ static struct phy_driver at803x_driver[] = { + .suspend = at803x_suspend, + .resume = at803x_resume, + /* PHY_GBIT_FEATURES */ ++ .read_status = at803x_read_status, + .ack_interrupt = at803x_ack_interrupt, + .config_intr = at803x_config_intr, + }, { +@@ -403,6 +471,7 @@ static struct phy_driver at803x_driver[] = { + .suspend = at803x_suspend, + .resume = at803x_resume, + /* PHY_GBIT_FEATURES */ ++ .read_status = at803x_read_status, + .aneg_done = at803x_aneg_done, + .ack_interrupt = &at803x_ack_interrupt, + .config_intr = &at803x_config_intr, +-- +2.16.4 + diff --git a/patches.suse/net-qca_spi-Move-reset_count-to-struct-qcaspi.patch b/patches.suse/net-qca_spi-Move-reset_count-to-struct-qcaspi.patch new file mode 100644 index 0000000..c42d3f6 --- /dev/null +++ b/patches.suse/net-qca_spi-Move-reset_count-to-struct-qcaspi.patch @@ -0,0 +1,67 @@ +From d9a5d1e7754bbe1acb6048b3cf748cf7ea3f6364 Mon Sep 17 00:00:00 2001 +From: Stefan Wahren +Date: Wed, 20 Nov 2019 18:29:13 +0100 +Subject: [PATCH 11/11] net: qca_spi: Move reset_count to struct qcaspi +Patch-mainline: v5.4 +Git-commit: bc19c32904e36548335b35fdce6ce734e20afc0a +References: git-fixes + +The reset counter is specific for every QCA700x chip. So move this +into the private driver struct. Otherwise we get unpredictable reset +behavior in setups with multiple QCA700x chips. + +Fixes: 291ab06ecf67 (net: qualcomm: new Ethernet over SPI driver for QCA7000) +Signed-off-by: Stefan Wahren +Signed-off-by: Stefan Wahren +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/qualcomm/qca_spi.c | 9 ++++----- + drivers/net/ethernet/qualcomm/qca_spi.h | 1 + + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/qualcomm/qca_spi.c b/drivers/net/ethernet/qualcomm/qca_spi.c +index 351f24ff4ca5..baac016f3ec0 100644 +--- a/drivers/net/ethernet/qualcomm/qca_spi.c ++++ b/drivers/net/ethernet/qualcomm/qca_spi.c +@@ -496,7 +496,6 @@ qcaspi_qca7k_sync(struct qcaspi *qca, int event) + u16 signature = 0; + u16 spi_config; + u16 wrbuf_space = 0; +- static u16 reset_count; + + if (event == QCASPI_EVENT_CPUON) { + /* Read signature twice, if not valid +@@ -549,13 +548,13 @@ qcaspi_qca7k_sync(struct qcaspi *qca, int event) + + qca->sync = QCASPI_SYNC_RESET; + qca->stats.trig_reset++; +- reset_count = 0; ++ qca->reset_count = 0; + break; + case QCASPI_SYNC_RESET: +- reset_count++; ++ qca->reset_count++; + netdev_dbg(qca->net_dev, "sync: waiting for CPU on, count %u.\n", +- reset_count); +- if (reset_count >= QCASPI_RESET_TIMEOUT) { ++ qca->reset_count); ++ if (qca->reset_count >= QCASPI_RESET_TIMEOUT) { + /* reset did not seem to take place, try again */ + qca->sync = QCASPI_SYNC_UNKNOWN; + qca->stats.reset_timeout++; +diff --git a/drivers/net/ethernet/qualcomm/qca_spi.h b/drivers/net/ethernet/qualcomm/qca_spi.h +index eb9af45fcc5e..d13a67e20d65 100644 +--- a/drivers/net/ethernet/qualcomm/qca_spi.h ++++ b/drivers/net/ethernet/qualcomm/qca_spi.h +@@ -94,6 +94,7 @@ struct qcaspi { + + unsigned int intr_req; + unsigned int intr_svc; ++ u16 reset_count; + + #ifdef CONFIG_DEBUG_FS + struct dentry *device_root; +-- +2.16.4 + diff --git a/patches.suse/net-qca_spi-fix-receive-buffer-size-check.patch b/patches.suse/net-qca_spi-fix-receive-buffer-size-check.patch new file mode 100644 index 0000000..fdd1044 --- /dev/null +++ b/patches.suse/net-qca_spi-fix-receive-buffer-size-check.patch @@ -0,0 +1,43 @@ +From 22030e7fc0b14dd6a9ea59a7fb3aa7af803d0cd7 Mon Sep 17 00:00:00 2001 +From: Michael Heimpold +Date: Wed, 20 Nov 2019 18:29:12 +0100 +Subject: [PATCH 10/11] net: qca_spi: fix receive buffer size check +Patch-mainline: v5.4 +Git-commit: 3e7e676c8196efbdedf6e12e895356f073f39abd +References: git-fixes + +When receiving many or larger packets, e.g. when doing a file download, +it was observed that the read buffer size register reports up to 4 bytes +more than the current define allows in the check. +If this is the case, then no data transfer is initiated to receive the +packets (and thus to empty the buffer) which results in a stall of the +interface. + +These 4 bytes are a hardware generated frame length which is prepended +to the actual frame, thus we have to respect it during our check. + +Fixes: 026b907d58c4 ("net: qca_spi: Add available buffer space verification") +Signed-off-by: Michael Heimpold +Signed-off-by: Stefan Wahren +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/qualcomm/qca_spi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/qualcomm/qca_spi.c b/drivers/net/ethernet/qualcomm/qca_spi.c +index 5ecf61df78bd..351f24ff4ca5 100644 +--- a/drivers/net/ethernet/qualcomm/qca_spi.c ++++ b/drivers/net/ethernet/qualcomm/qca_spi.c +@@ -363,7 +363,7 @@ qcaspi_receive(struct qcaspi *qca) + netdev_dbg(net_dev, "qcaspi_receive: SPI_REG_RDBUF_BYTE_AVA: Value: %08x\n", + available); + +- if (available > QCASPI_HW_BUF_LEN) { ++ if (available > QCASPI_HW_BUF_LEN + QCASPI_HW_PKT_LEN) { + /* This could only happen by interferences on the SPI line. + * So retry later ... + */ +-- +2.16.4 + diff --git a/patches.suse/net-sctp-filter-remap-copy_from_user-failure-error.patch b/patches.suse/net-sctp-filter-remap-copy_from_user-failure-error.patch new file mode 100644 index 0000000..3ab3a70 --- /dev/null +++ b/patches.suse/net-sctp-filter-remap-copy_from_user-failure-error.patch @@ -0,0 +1,65 @@ +From: Daniel Borkmann +Date: Fri, 22 Jan 2021 01:08:31 +0100 +Subject: net, sctp, filter: remap copy_from_user failure error +Patch-mainline: Never, issue disappeared in 5.10-rc1 as side effect of set_fs() removal +References: bsc#1181637 + +SLE15-SP2: backported from stable-5.4.y commit 55bac51762c39ef033b488dd09b60d48908d317f + +[ no upstream commit ] + +Fix a potential kernel address leakage for the prerequisite where there is +a BPF program attached to the cgroup/setsockopt hook. The latter can only +be attached under root, however, if the attached program returns 1 to then +run the related kernel handler, an unprivileged program could probe for +kernel addresses that way. The reason this is possible is that we're under +set_fs(KERNEL_DS) when running the kernel setsockopt handler. Aside from +old cBPF there is also SCTP's struct sctp_getaddrs_old which contains +pointers in the uapi struct that further need copy_from_user() inside the +handler. In the normal case this would just return -EFAULT, but under a +temporary KERNEL_DS setting the memory would be copied and we'd end up at +a different error code, that is, -EINVAL, for both cases given subsequent +validations fail, which then allows the app to distinguish and make use of +this fact for probing the address space. In case of later kernel versions +this issue won't work anymore thanks to Christoph Hellwig's work that got +rid of the various temporary set_fs() address space overrides altogether. +One potential option for 5.4 as the only affected stable kernel with the +least complexity would be to remap those affected -EFAULT copy_from_user() +error codes with -EINVAL such that they cannot be probed anymore. Risk of +breakage should be rather low for this particular error case. + +Fixes: 0d01da6afc54 ("bpf: implement getsockopt and setsockopt hooks") +Reported-by: Ryota Shiga (Flatt Security) +Signed-off-by: Daniel Borkmann +Cc: Stanislav Fomichev +Cc: Eric Dumazet +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: Greg Kroah-Hartman +Acked-by: Gary Lin +--- + net/core/filter.c | 2 +- + net/sctp/socket.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -1475,7 +1475,7 @@ struct bpf_prog *__get_filter(struct soc + + if (copy_from_user(prog->insns, fprog->filter, fsize)) { + __bpf_prog_free(prog); +- return ERR_PTR(-EFAULT); ++ return ERR_PTR(-EINVAL); + } + + prog->len = fprog->len; +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -1332,7 +1332,7 @@ static int __sctp_setsockopt_connectx(st + + kaddrs = memdup_user(addrs, addrs_size); + if (IS_ERR(kaddrs)) +- return PTR_ERR(kaddrs); ++ return PTR_ERR(kaddrs) == -EFAULT ? -EINVAL : PTR_ERR(kaddrs); + + /* Allow security module to validate connectx addresses. */ + err = security_sctp_bind_connect(sk, SCTP_SOCKOPT_CONNECTX, diff --git a/patches.suse/net-stmmac-fix-disabling-flexible-PPS-output.patch b/patches.suse/net-stmmac-fix-disabling-flexible-PPS-output.patch new file mode 100644 index 0000000..7f3bd43 --- /dev/null +++ b/patches.suse/net-stmmac-fix-disabling-flexible-PPS-output.patch @@ -0,0 +1,46 @@ +From 67ac0ee3961e5942edb5dfa8227de5490780490f Mon Sep 17 00:00:00 2001 +From: Antonio Borneo +Date: Mon, 7 Oct 2019 17:43:05 +0200 +Subject: [PATCH 09/11] net: stmmac: fix disabling flexible PPS output +Patch-mainline: v5.4-rc4 +Git-commit: 520cf6002147281d1e7b522bb338416b623dcb93 +References: git-fixes + +Accordingly to Synopsys documentation [1] and [2], when bit PPSEN0 +in register MAC_PPS_CONTROL is set it selects the functionality +command in the same register, otherwise selects the functionality +control. +Command functionality is required to either enable (command 0x2) +and disable (command 0x5) the flexible PPS output, but the bit +PPSEN0 is currently set only for enabling. + +Set the bit PPSEN0 to properly disable flexible PPS output. + +Tested on STM32MP15x, based on dwmac 4.10a. + +[1] DWC Ethernet QoS Databook 4.10a October 2014 +[2] DWC Ethernet QoS Databook 5.00a September 2017 + +Signed-off-by: Antonio Borneo +Fixes: 9a8a02c9d46d ("net: stmmac: Add Flexible PPS support") +Signed-off-by: Jakub Kicinski +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/stmicro/stmmac/dwmac5.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac5.c b/drivers/net/ethernet/stmicro/stmmac/dwmac5.c +index 3f4f3132e16b..e436fa160c7d 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac5.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac5.c +@@ -515,6 +515,7 @@ int dwmac5_flex_pps_config(void __iomem *ioaddr, int index, + + if (!enable) { + val |= PPSCMDx(index, 0x5); ++ val |= PPSEN0; + writel(val, ioaddr + MAC_PPS_CONTROL); + return 0; + } +-- +2.16.4 + diff --git a/patches.suse/net-stmmac-fix-length-of-PTP-clock-s-name-string.patch b/patches.suse/net-stmmac-fix-length-of-PTP-clock-s-name-string.patch new file mode 100644 index 0000000..81a9c41 --- /dev/null +++ b/patches.suse/net-stmmac-fix-length-of-PTP-clock-s-name-string.patch @@ -0,0 +1,50 @@ +From 625e3f6bd9926fa86438d55b04f2bfbff729e653 Mon Sep 17 00:00:00 2001 +From: Antonio Borneo +Date: Mon, 7 Oct 2019 17:43:04 +0200 +Subject: [PATCH 08/11] net: stmmac: fix length of PTP clock's name string +Patch-mainline: v5.4-rc4 +Git-commit: 5da202c88f8c355ad79bc2e8eb582e6d433060e7 +References: git-fixes + +The field "name" in struct ptp_clock_info has a fixed size of 16 +chars and is used as zero terminated string by clock_name_show() +in drivers/ptp/ptp_sysfs.c +The current initialization value requires 17 chars to fit also the +null termination, and this causes overflow to the next bytes in +the struct when the string is read as null terminated: + hexdump -C /sys/class/ptp/ptp0/clock_name + 00000000 73 74 6d 6d 61 63 5f 70 74 70 5f 63 6c 6f 63 6b |stmmac_ptp_clock| + 00000010 a0 ac b9 03 0a |.....| +where the extra 4 bytes (excluding the newline) after the string +represent the integer 0x03b9aca0 = 62500000 assigned to the field +"max_adj" that follows "name" in the same struct. + +There is no strict requirement for the "name" content and in the +comment in ptp_clock_kernel.h it's reported it should just be 'A +short "friendly name" to identify the clock'. +Replace it with "stmmac ptp". + +Signed-off-by: Antonio Borneo +Fixes: 92ba6888510c ("stmmac: add the support for PTP hw clock driver") +Signed-off-by: Jakub Kicinski +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c +index c48224973a37..3b6b38bb9dda 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c +@@ -164,7 +164,7 @@ static int stmmac_enable(struct ptp_clock_info *ptp, + /* structure describing a PTP hardware clock */ + static struct ptp_clock_info stmmac_ptp_clock_ops = { + .owner = THIS_MODULE, +- .name = "stmmac_ptp_clock", ++ .name = "stmmac ptp", + .max_adj = 62500000, + .n_alarm = 0, + .n_ext_ts = 0, +-- +2.16.4 + diff --git a/patches.suse/net-stmmac-selftests-Flow-Control-test-can-also-run-.patch b/patches.suse/net-stmmac-selftests-Flow-Control-test-can-also-run-.patch new file mode 100644 index 0000000..2487741 --- /dev/null +++ b/patches.suse/net-stmmac-selftests-Flow-Control-test-can-also-run-.patch @@ -0,0 +1,36 @@ +From e40fe9350895c3d610950f4edb6a44a85471edc9 Mon Sep 17 00:00:00 2001 +From: Jose Abreu +Date: Mon, 23 Sep 2019 09:49:08 +0200 +Subject: [PATCH 03/11] net: stmmac: selftests: Flow Control test can also run + with ASYM Pause +Patch-mainline: v5.4-rc1 +Git-commit: b0ce902febef24f917c33d5a5982030dac53141d +References: git-fixes + +The Flow Control selftest is also available with ASYM Pause. Lets add +this check to the test and fix eventual false positive failures. + +Fixes: 091810dbded9 ("net: stmmac: Introduce selftests support") +Signed-off-by: Jose Abreu +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_selftests.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_selftests.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_selftests.c +index e14743a3c0bf..46664ef21afc 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_selftests.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_selftests.c +@@ -691,7 +691,7 @@ static int stmmac_test_flowctrl(struct stmmac_priv *priv) + unsigned int pkt_count; + int i, ret = 0; + +- if (!phydev || !phydev->pause) ++ if (!phydev || (!phydev->pause && !phydev->asym_pause)) + return -EOPNOTSUPP; + + tpriv = kzalloc(sizeof(*tpriv), GFP_KERNEL); +-- +2.16.4 + diff --git a/patches.suse/net-team-fix-memory-leak-in-__team_options_register.patch b/patches.suse/net-team-fix-memory-leak-in-__team_options_register.patch new file mode 100644 index 0000000..134e707 --- /dev/null +++ b/patches.suse/net-team-fix-memory-leak-in-__team_options_register.patch @@ -0,0 +1,45 @@ +From: Anant Thazhemadam +Date: Mon, 5 Oct 2020 02:25:36 +0530 +Subject: net: team: fix memory leak in __team_options_register +Patch-mainline: v5.9 +Git-commit: 9a9e77495958c7382b2438bc19746dd3aaaabb8e +References: git-fixes + +The variable "i" isn't initialized back correctly after the first loop +under the label inst_rollback gets executed. + +The value of "i" is assigned to be option_count - 1, and the ensuing +loop (under alloc_rollback) begins by initializing i--. +Thus, the value of i when the loop begins execution will now become +i = option_count - 2. + +Thus, when kfree(dst_opts[i]) is called in the second loop in this +order, (i.e., inst_rollback followed by alloc_rollback), +dst_optsp[option_count - 2] is the first element freed, and +dst_opts[option_count - 1] does not get freed, and thus, a memory +leak is caused. + +This memory leak can be fixed, by assigning i = option_count (instead of +option_count - 1). + +Fixes: 80f7c6683fe0 ("team: add support for per-port options") +Reported-by: syzbot+69b804437cfec30deac3@syzkaller.appspotmail.com +Tested-by: syzbot+69b804437cfec30deac3@syzkaller.appspotmail.com +Signed-off-by: Anant Thazhemadam +Signed-off-by: David S. Miller +Acked-by: Thomas Bogendoerfer +--- + drivers/net/team/team.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -287,7 +287,7 @@ inst_rollback: + for (i--; i >= 0; i--) + __team_option_inst_del_option(team, dst_opts[i]); + +- i = option_count - 1; ++ i = option_count; + alloc_rollback: + for (i--; i >= 0; i--) + kfree(dst_opts[i]); diff --git a/patches.suse/net-thunderx-initialize-VF-s-mailbox-mutex-before-fi.patch b/patches.suse/net-thunderx-initialize-VF-s-mailbox-mutex-before-fi.patch new file mode 100644 index 0000000..13bf85f --- /dev/null +++ b/patches.suse/net-thunderx-initialize-VF-s-mailbox-mutex-before-fi.patch @@ -0,0 +1,97 @@ +From: Dean Nelson +Date: Wed, 5 Aug 2020 13:18:48 -0500 +Subject: net: thunderx: initialize VF's mailbox mutex before first usage +Patch-mainline: v5.9-rc1 +Git-commit: c1055b76ad00aed0e8b79417080f212d736246b6 +References: git-fixes + +A VF's mailbox mutex is not getting initialized by nicvf_probe() until after +it is first used. And such usage is resulting in... + +[ 28.270927] ------------[ cut here ]------------ +[ 28.270934] DEBUG_LOCKS_WARN_ON(lock->magic != lock) +[ 28.270980] WARNING: CPU: 9 PID: 675 at kernel/locking/mutex.c:938 __mutex_lock+0xdac/0x12f0 +[ 28.270985] Modules linked in: ast(+) nicvf(+) i2c_algo_bit drm_vram_helper drm_ttm_helper ttm nicpf(+) drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm ixgbe(+) sg thunder_bgx mdio i2c_thunderx mdio_thunder thunder_xcv mdio_cavium dm_mirror dm_region_hash dm_log dm_mod +[ 28.271064] CPU: 9 PID: 675 Comm: systemd-udevd Not tainted 4.18.0+ #1 +[ 28.271070] Hardware name: GIGABYTE R120-T34-00/MT30-GS2-00, BIOS F02 08/06/2019 +[ 28.271078] pstate: 60000005 (nZCv daif -PAN -UAO) +[ 28.271086] pc : __mutex_lock+0xdac/0x12f0 +[ 28.271092] lr : __mutex_lock+0xdac/0x12f0 +[ 28.271097] sp : ffff800d42146fb0 +[ 28.271103] x29: ffff800d42146fb0 x28: 0000000000000000 +[ 28.271113] x27: ffff800d24361180 x26: dfff200000000000 +[ 28.271122] x25: 0000000000000000 x24: 0000000000000002 +[ 28.271132] x23: ffff20001597cc80 x22: ffff2000139e9848 +[ 28.271141] x21: 0000000000000000 x20: 1ffff001a8428e0c +[ 28.271151] x19: ffff200015d5d000 x18: 1ffff001ae0f2184 +[ 28.271160] x17: 0000000000000000 x16: 0000000000000000 +[ 28.271170] x15: ffff800d70790c38 x14: ffff20001597c000 +[ 28.271179] x13: ffff20001597cc80 x12: ffff040002b2f779 +[ 28.271189] x11: 1fffe40002b2f778 x10: ffff040002b2f778 +[ 28.271199] x9 : 0000000000000000 x8 : 00000000f1f1f1f1 +[ 28.271208] x7 : 00000000f2f2f2f2 x6 : 0000000000000000 +[ 28.271217] x5 : 1ffff001ae0f2186 x4 : 1fffe400027eb03c +[ 28.271227] x3 : dfff200000000000 x2 : ffff1001a8428dbe +[ 28.271237] x1 : c87fdfac7ea11d00 x0 : 0000000000000000 +[ 28.271246] Call trace: +[ 28.271254] __mutex_lock+0xdac/0x12f0 +[ 28.271261] mutex_lock_nested+0x3c/0x50 +[ 28.271297] nicvf_send_msg_to_pf+0x40/0x3a0 [nicvf] +[ 28.271316] nicvf_register_misc_interrupt+0x20c/0x328 [nicvf] +[ 28.271334] nicvf_probe+0x508/0xda0 [nicvf] +[ 28.271344] local_pci_probe+0xc4/0x180 +[ 28.271352] pci_device_probe+0x3ec/0x528 +[ 28.271363] driver_probe_device+0x21c/0xb98 +[ 28.271371] device_driver_attach+0xe8/0x120 +[ 28.271379] __driver_attach+0xe0/0x2a0 +[ 28.271386] bus_for_each_dev+0x118/0x190 +[ 28.271394] driver_attach+0x48/0x60 +[ 28.271401] bus_add_driver+0x328/0x558 +[ 28.271409] driver_register+0x148/0x398 +[ 28.271416] __pci_register_driver+0x14c/0x1b0 +[ 28.271437] nicvf_init_module+0x54/0x10000 [nicvf] +[ 28.271447] do_one_initcall+0x18c/0xc18 +[ 28.271457] do_init_module+0x18c/0x618 +[ 28.271464] load_module+0x2bc0/0x4088 +[ 28.271472] __se_sys_finit_module+0x110/0x188 +[ 28.271479] __arm64_sys_finit_module+0x70/0xa0 +[ 28.271490] el0_svc_handler+0x15c/0x380 +[ 28.271496] el0_svc+0x8/0xc +[ 28.271502] irq event stamp: 52649 +[ 28.271513] hardirqs last enabled at (52649): [] _raw_spin_unlock_irqrestore+0xc0/0xd8 +[ 28.271522] hardirqs last disabled at (52648): [] _raw_spin_lock_irqsave+0x3c/0xf0 +[ 28.271530] softirqs last enabled at (52330): [] __do_softirq+0xacc/0x117c +[ 28.271540] softirqs last disabled at (52313): [] irq_exit+0x3cc/0x500 +[ 28.271545] ---[ end trace a9b90324c8a0d4ee ]--- + +This problem is resolved by moving the call to mutex_init() up earlier +in nicvf_probe(). + +Fixes: 609ea65c65a0 ("net: thunderx: add mutex to protect mailbox from concurrent calls for same VF") +Signed-off-by: Dean Nelson +Signed-off-by: David S. Miller +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/cavium/thunder/nicvf_main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/cavium/thunder/nicvf_main.c ++++ b/drivers/net/ethernet/cavium/thunder/nicvf_main.c +@@ -2180,6 +2180,9 @@ static int nicvf_probe(struct pci_dev *p + nic->max_queues *= 2; + nic->ptp_clock = ptp_clock; + ++ /* Initialize mutex that serializes usage of VF's mailbox */ ++ mutex_init(&nic->rx_mode_mtx); ++ + /* MAP VF's configuration registers */ + nic->reg_base = pcim_iomap(pdev, PCI_CFG_REG_BAR_NUM, 0); + if (!nic->reg_base) { +@@ -2256,7 +2259,6 @@ static int nicvf_probe(struct pci_dev *p + + INIT_WORK(&nic->rx_mode_work.work, nicvf_set_rx_mode_task); + spin_lock_init(&nic->rx_mode_wq_lock); +- mutex_init(&nic->rx_mode_mtx); + + err = register_netdev(netdev); + if (err) { diff --git a/patches.suse/rxrpc-Fix-memory-leak-in-rxrpc_lookup_local.patch b/patches.suse/rxrpc-Fix-memory-leak-in-rxrpc_lookup_local.patch new file mode 100644 index 0000000..589add3 --- /dev/null +++ b/patches.suse/rxrpc-Fix-memory-leak-in-rxrpc_lookup_local.patch @@ -0,0 +1,64 @@ +From: Takeshi Misawa +Date: Thu, 28 Jan 2021 10:48:36 +0000 +Subject: rxrpc: Fix memory leak in rxrpc_lookup_local +Patch-mainline: v5.11-rc6 +Git-commit: b8323f7288abd71794cd7b11a4c0a38b8637c8b5 +References: bsc#1154353 bnc#1151927 5.3.9 + +Commit 9ebeddef58c4 ("rxrpc: rxrpc_peer needs to hold a ref on the rxrpc_local record") +Then release ref in __rxrpc_put_peer and rxrpc_put_peer_locked. + + struct rxrpc_peer *rxrpc_alloc_peer(struct rxrpc_local *local, gfp_t gfp) + - peer->local = local; + + peer->local = rxrpc_get_local(local); + +rxrpc_discard_prealloc also need ref release in discarding. + +syzbot report: +BUG: memory leak +unreferenced object 0xffff8881080ddc00 (size 256): + comm "syz-executor339", pid 8462, jiffies 4294942238 (age 12.350s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 0a 00 00 00 00 c0 00 08 81 88 ff ff ................ + backtrace: + [<000000002b6e495f>] kmalloc include/linux/slab.h:552 [inline] + [<000000002b6e495f>] kzalloc include/linux/slab.h:682 [inline] + [<000000002b6e495f>] rxrpc_alloc_local net/rxrpc/local_object.c:79 [inline] + [<000000002b6e495f>] rxrpc_lookup_local+0x1c1/0x760 net/rxrpc/local_object.c:244 + [<000000006b43a77b>] rxrpc_bind+0x174/0x240 net/rxrpc/af_rxrpc.c:149 + [<00000000fd447a55>] afs_open_socket+0xdb/0x200 fs/afs/rxrpc.c:64 + [<000000007fd8867c>] afs_net_init+0x2b4/0x340 fs/afs/main.c:126 + [<0000000063d80ec1>] ops_init+0x4e/0x190 net/core/net_namespace.c:152 + [<00000000073c5efa>] setup_net+0xde/0x2d0 net/core/net_namespace.c:342 + [<00000000a6744d5b>] copy_net_ns+0x19f/0x3e0 net/core/net_namespace.c:483 + [<0000000017d3aec3>] create_new_namespaces+0x199/0x4f0 kernel/nsproxy.c:110 + [<00000000186271ef>] unshare_nsproxy_namespaces+0x9b/0x120 kernel/nsproxy.c:226 + [<000000002de7bac4>] ksys_unshare+0x2fe/0x5c0 kernel/fork.c:2957 + [<00000000349b12ba>] __do_sys_unshare kernel/fork.c:3025 [inline] + [<00000000349b12ba>] __se_sys_unshare kernel/fork.c:3023 [inline] + [<00000000349b12ba>] __x64_sys_unshare+0x12/0x20 kernel/fork.c:3023 + [<000000006d178ef7>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 + [<00000000637076d4>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: 9ebeddef58c4 ("rxrpc: rxrpc_peer needs to hold a ref on the rxrpc_local record") +Signed-off-by: Takeshi Misawa +Reported-and-tested-by: syzbot+305326672fed51b205f7@syzkaller.appspotmail.com +Signed-off-by: David Howells +Link: https://lore.kernel.org/r/161183091692.3506637.3206605651502458810.stgit@warthog.procyon.org.uk +Signed-off-by: Jakub Kicinski +Acked-by: Thomas Bogendoerfer +--- + net/rxrpc/call_accept.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/rxrpc/call_accept.c ++++ b/net/rxrpc/call_accept.c +@@ -202,6 +202,7 @@ void rxrpc_discard_prealloc(struct rxrpc + tail = b->peer_backlog_tail; + while (CIRC_CNT(head, tail, size) > 0) { + struct rxrpc_peer *peer = b->peer_backlog[tail]; ++ rxrpc_put_local(peer->local); + kfree(peer); + tail = (tail + 1) & (size - 1); + } diff --git a/patches.suse/team-set-dev-needed_headroom-in-team_setup_by_port.patch b/patches.suse/team-set-dev-needed_headroom-in-team_setup_by_port.patch new file mode 100644 index 0000000..8b62ec8 --- /dev/null +++ b/patches.suse/team-set-dev-needed_headroom-in-team_setup_by_port.patch @@ -0,0 +1,29 @@ +From: Eric Dumazet +Date: Fri, 25 Sep 2020 06:38:08 -0700 +Subject: team: set dev->needed_headroom in team_setup_by_port() +Patch-mainline: v5.9 +Git-commit: 89d01748b2354e210b5d4ea47bc25a42a1b42c82 +References: git-fixes + +Some devices set needed_headroom. If we ignore it, we might +end up crashing in various skb_push() for example in ipgre_header() +since some layers assume enough headroom has been reserved. + +Fixes: 1d76efe1577b ("team: add support for non-ethernet devices") +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Acked-by: Thomas Bogendoerfer +--- + drivers/net/team/team.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -2111,6 +2111,7 @@ static void team_setup_by_port(struct ne + dev->header_ops = port_dev->header_ops; + dev->type = port_dev->type; + dev->hard_header_len = port_dev->hard_header_len; ++ dev->needed_headroom = port_dev->needed_headroom; + dev->addr_len = port_dev->addr_len; + dev->mtu = port_dev->mtu; + memcpy(dev->broadcast, port_dev->broadcast, port_dev->addr_len); diff --git a/patches.suse/usb-dwc2-Fix-endpoint-direction-check-in-ep_from_win.patch b/patches.suse/usb-dwc2-Fix-endpoint-direction-check-in-ep_from_win.patch new file mode 100644 index 0000000..9692ef0 --- /dev/null +++ b/patches.suse/usb-dwc2-Fix-endpoint-direction-check-in-ep_from_win.patch @@ -0,0 +1,80 @@ +From f670e9f9c8cac716c3506c6bac9e997b27ad441a Mon Sep 17 00:00:00 2001 +From: Heiko Stuebner +Date: Wed, 27 Jan 2021 11:39:19 +0100 +Subject: [PATCH] usb: dwc2: Fix endpoint direction check in ep_from_windex +Git-commit: f670e9f9c8cac716c3506c6bac9e997b27ad441a +Patch-mainline: v5.11-rc7 +References: git-fixes + +dwc2_hsotg_process_req_status uses ep_from_windex() to retrieve +the endpoint for the index provided in the wIndex request param. + +In a test-case with a rndis gadget running and sending a malformed +packet to it like: + dev.ctrl_transfer( + 0x82, # bmRequestType + 0x00, # bRequest + 0x0000, # wValue + 0x0001, # wIndex + 0x00 # wLength + ) +it is possible to cause a crash: + +[ 217.533022] dwc2 ff300000.usb: dwc2_hsotg_process_req_status: USB_REQ_GET_STATUS +[ 217.559003] Unable to handle kernel read from unreadable memory at virtual address 0000000000000088 +... +[ 218.313189] Call trace: +[ 218.330217] ep_from_windex+0x3c/0x54 +[ 218.348565] usb_gadget_giveback_request+0x10/0x20 +[ 218.368056] dwc2_hsotg_complete_request+0x144/0x184 + +This happens because ep_from_windex wants to compare the endpoint +direction even if index_to_ep() didn't return an endpoint due to +the direction not matching. + +The fix is easy insofar that the actual direction check is already +happening when calling index_to_ep() which will return NULL if there +is no endpoint for the targeted direction, so the offending check +can go away completely. + +Fixes: c6f5c050e2a7 ("usb: dwc2: gadget: add bi-directional endpoint support") +Cc: stable@vger.kernel.org +Reported-by: Gerhard Klostermeier +Signed-off-by: Heiko Stuebner +Link: https://lore.kernel.org/r/20210127103919.58215-1-heiko@sntech.de +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/dwc2/gadget.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +diff --git a/drivers/usb/dwc2/gadget.c b/drivers/usb/dwc2/gadget.c +index 0a0d11151cfb..ad4c94366dad 100644 +--- a/drivers/usb/dwc2/gadget.c ++++ b/drivers/usb/dwc2/gadget.c +@@ -1543,7 +1543,6 @@ static void dwc2_hsotg_complete_oursetup(struct usb_ep *ep, + static struct dwc2_hsotg_ep *ep_from_windex(struct dwc2_hsotg *hsotg, + u32 windex) + { +- struct dwc2_hsotg_ep *ep; + int dir = (windex & USB_DIR_IN) ? 1 : 0; + int idx = windex & 0x7F; + +@@ -1553,12 +1552,7 @@ static struct dwc2_hsotg_ep *ep_from_windex(struct dwc2_hsotg *hsotg, + if (idx > hsotg->num_of_eps) + return NULL; + +- ep = index_to_ep(hsotg, idx, dir); +- +- if (idx && ep->dir_in != dir) +- return NULL; +- +- return ep; ++ return index_to_ep(hsotg, idx, dir); + } + + /** +-- +2.26.2 + diff --git a/patches.suse/usb-dwc3-fix-clock-issue-during-resume-in-OTG-mode.patch b/patches.suse/usb-dwc3-fix-clock-issue-during-resume-in-OTG-mode.patch new file mode 100644 index 0000000..5b8c6dc --- /dev/null +++ b/patches.suse/usb-dwc3-fix-clock-issue-during-resume-in-OTG-mode.patch @@ -0,0 +1,47 @@ +From 0e5a3c8284a30f4c43fd81d7285528ece74563b5 Mon Sep 17 00:00:00 2001 +From: Gary Bisson +Date: Mon, 25 Jan 2021 17:19:34 +0100 +Subject: [PATCH] usb: dwc3: fix clock issue during resume in OTG mode +Git-commit: 0e5a3c8284a30f4c43fd81d7285528ece74563b5 +Patch-mainline: v5.11-rc7 +References: git-fixes + +Commit fe8abf332b8f ("usb: dwc3: support clocks and resets for DWC3 +core") introduced clock support and a new function named +dwc3_core_init_for_resume() which enables the clock before calling +dwc3_core_init() during resume as clocks get disabled during suspend. + +Unfortunately in this commit the DWC3_GCTL_PRTCAP_OTG case was forgotten +and therefore during resume, a platform could call dwc3_core_init() +without re-enabling the clocks first, preventing to resume properly. + +So update the resume path to call dwc3_core_init_for_resume() as it +should. + +Fixes: fe8abf332b8f ("usb: dwc3: support clocks and resets for DWC3 core") +Cc: stable@vger.kernel.org +Signed-off-by: Gary Bisson +Link: https://lore.kernel.org/r/20210125161934.527820-1-gary.bisson@boundarydevices.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/dwc3/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c +index 841daec70b6e..3101f0dcf6ae 100644 +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -1758,7 +1758,7 @@ static int dwc3_resume_common(struct dwc3 *dwc, pm_message_t msg) + if (PMSG_IS_AUTO(msg)) + break; + +- ret = dwc3_core_init(dwc); ++ ret = dwc3_core_init_for_resume(dwc); + if (ret) + return ret; + +-- +2.26.2 + diff --git a/patches.suse/usb-renesas_usbhs-Clear-pipe-running-flag-in-usbhs_p.patch b/patches.suse/usb-renesas_usbhs-Clear-pipe-running-flag-in-usbhs_p.patch new file mode 100644 index 0000000..6e878e3 --- /dev/null +++ b/patches.suse/usb-renesas_usbhs-Clear-pipe-running-flag-in-usbhs_p.patch @@ -0,0 +1,39 @@ +From 9917f0e3cdba7b9f1a23f70e3f70b1a106be54a8 Mon Sep 17 00:00:00 2001 +From: Yoshihiro Shimoda +Date: Mon, 1 Feb 2021 21:47:20 +0900 +Subject: [PATCH] usb: renesas_usbhs: Clear pipe running flag in usbhs_pkt_pop() +Git-commit: 9917f0e3cdba7b9f1a23f70e3f70b1a106be54a8 +Patch-mainline: v5.11-rc7 +References: git-fixes + +Should clear the pipe running flag in usbhs_pkt_pop(). Otherwise, +we cannot use this pipe after dequeue was called while the pipe was +running. + +Fixes: 8355b2b3082d ("usb: renesas_usbhs: fix the behavior of some usbhs_pkt_handle") +Reported-by: Tho Vu +Signed-off-by: Yoshihiro Shimoda +Link: https://lore.kernel.org/r/1612183640-8898-1-git-send-email-yoshihiro.shimoda.uh@renesas.com +Cc: stable +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/renesas_usbhs/fifo.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/usb/renesas_usbhs/fifo.c b/drivers/usb/renesas_usbhs/fifo.c +index ac9a81ae8216..e6fa13701808 100644 +--- a/drivers/usb/renesas_usbhs/fifo.c ++++ b/drivers/usb/renesas_usbhs/fifo.c +@@ -126,6 +126,7 @@ struct usbhs_pkt *usbhs_pkt_pop(struct usbhs_pipe *pipe, struct usbhs_pkt *pkt) + } + + usbhs_pipe_clear_without_sequence(pipe, 0, 0); ++ usbhs_pipe_running(pipe, 0); + + __usbhsf_pkt_del(pkt); + } +-- +2.26.2 + diff --git a/patches.suse/xhci-fix-bounce-buffer-usage-for-non-sg-list-case.patch b/patches.suse/xhci-fix-bounce-buffer-usage-for-non-sg-list-case.patch new file mode 100644 index 0000000..25c663b --- /dev/null +++ b/patches.suse/xhci-fix-bounce-buffer-usage-for-non-sg-list-case.patch @@ -0,0 +1,87 @@ +From d4a610635400ccc382792f6be69427078541c678 Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Wed, 3 Feb 2021 13:37:02 +0200 +Subject: [PATCH] xhci: fix bounce buffer usage for non-sg list case +Git-commit: d4a610635400ccc382792f6be69427078541c678 +Patch-mainline: v5.11-rc7 +References: git-fixes + +xhci driver may in some special cases need to copy small amounts +of payload data to a bounce buffer in order to meet the boundary +and alignment restrictions set by the xHCI specification. + +In the majority of these cases the data is in a sg list, and +driver incorrectly assumed data is always in urb->sg when using +the bounce buffer. + +If data instead is contiguous, and in urb->transfer_buffer, we may still +need to bounce buffer a small part if data starts very close (less than +packet size) to a 64k boundary. + +Check if sg list is used before copying data to/from it. + +Fixes: f9c589e142d0 ("xhci: TD-fragment, align the unsplittable case with a bounce buffer") +Cc: stable@vger.kernel.org +Reported-by: Andreas Hartmann +Tested-by: Andreas Hartmann +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20210203113702.436762-2-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/host/xhci-ring.c | 31 ++++++++++++++++++++----------- + 1 file changed, 20 insertions(+), 11 deletions(-) + +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c +index cf0c93a90200..89c3be9917f6 100644 +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -699,11 +699,16 @@ static void xhci_unmap_td_bounce_buffer(struct xhci_hcd *xhci, + dma_unmap_single(dev, seg->bounce_dma, ring->bounce_buf_len, + DMA_FROM_DEVICE); + /* for in tranfers we need to copy the data from bounce to sg */ +- len = sg_pcopy_from_buffer(urb->sg, urb->num_sgs, seg->bounce_buf, +- seg->bounce_len, seg->bounce_offs); +- if (len != seg->bounce_len) +- xhci_warn(xhci, "WARN Wrong bounce buffer read length: %zu != %d\n", +- len, seg->bounce_len); ++ if (urb->num_sgs) { ++ len = sg_pcopy_from_buffer(urb->sg, urb->num_sgs, seg->bounce_buf, ++ seg->bounce_len, seg->bounce_offs); ++ if (len != seg->bounce_len) ++ xhci_warn(xhci, "WARN Wrong bounce buffer read length: %zu != %d\n", ++ len, seg->bounce_len); ++ } else { ++ memcpy(urb->transfer_buffer + seg->bounce_offs, seg->bounce_buf, ++ seg->bounce_len); ++ } + seg->bounce_len = 0; + seg->bounce_offs = 0; + } +@@ -3277,12 +3282,16 @@ static int xhci_align_td(struct xhci_hcd *xhci, struct urb *urb, u32 enqd_len, + + /* create a max max_pkt sized bounce buffer pointed to by last trb */ + if (usb_urb_dir_out(urb)) { +- len = sg_pcopy_to_buffer(urb->sg, urb->num_sgs, +- seg->bounce_buf, new_buff_len, enqd_len); +- if (len != new_buff_len) +- xhci_warn(xhci, +- "WARN Wrong bounce buffer write length: %zu != %d\n", +- len, new_buff_len); ++ if (urb->num_sgs) { ++ len = sg_pcopy_to_buffer(urb->sg, urb->num_sgs, ++ seg->bounce_buf, new_buff_len, enqd_len); ++ if (len != new_buff_len) ++ xhci_warn(xhci, "WARN Wrong bounce buffer write length: %zu != %d\n", ++ len, new_buff_len); ++ } else { ++ memcpy(seg->bounce_buf, urb->transfer_buffer + enqd_len, new_buff_len); ++ } ++ + seg->bounce_dma = dma_map_single(dev, seg->bounce_buf, + max_pkt, DMA_TO_DEVICE); + } else { +-- +2.26.2 + diff --git a/series.conf b/series.conf index 2ddf7af..c89884b 100644 --- a/series.conf +++ b/series.conf @@ -2643,6 +2643,7 @@ patches.suse/mac80211-minstrel_ht-reduce-unnecessary-rate-probing.patch patches.suse/mac80211-minstrel_ht-fix-default-max-throughput-rate.patch patches.suse/mac80211-minstrel_ht-improve-rate-probing-for-device.patch + patches.suse/cirrus-cs89x0-use-devm_platform_ioremap_resource-to-.patch patches.suse/net-fec-use-devm_platform_ioremap_resource-to-simplify-code.patch patches.suse/net-bcmgenet-use-devm_platform_ioremap_resource-to-s.patch patches.suse/net-mlx5e-Extract-code-that-queues-neigh-update-work.patch @@ -2707,6 +2708,7 @@ patches.suse/ice-Fix-issues-updating-VSI-MAC-filters.patch patches.suse/ice-Don-t-allow-VSI-to-remove-unassociated-ucast-fil.patch patches.suse/net-phy-sfp-Add-labels-to-hwmon-sensors.patch + patches.suse/cirrus-cs89x0-remove-set-but-not-used-variable-lp.patch patches.suse/net-sched-protect-block-offload-related-fields-with-.patch patches.suse/net-sched-change-tcf-block-offload-counter-type-to-a.patch patches.suse/net-sched-refactor-block-offloads-counter-usage.patch @@ -7012,6 +7014,7 @@ patches.suse/net-ibmvnic-prevent-more-than-one-thread-from-runnin.patch patches.suse/ppp-Fix-memory-leak-in-ppp_write.patch patches.suse/gianfar-Make-reset_gfar-static.patch + patches.suse/net-stmmac-selftests-Flow-Control-test-can-also-run-.patch patches.suse/net-macb-Remove-dead-code.patch patches.suse/net-sched-cbs-Fix-not-adding-cbs-instance-to-list.patch patches.suse/net-mlx5-DR-Fix-SW-steering-HW-bits-and-definitions.patch @@ -7270,6 +7273,7 @@ patches.suse/net-phy-fix-write-to-mii-ctrl1000-register.patch patches.suse/net-phy-extract-link-partner-advertisement-reading.patch patches.suse/net-phy-extract-pause-mode.patch + patches.suse/net-phy-at803x-use-operating-parameters-from-PHY-spe.patch patches.suse/sch_dsmark-fix-potential-NULL-deref-in-dsmark_init.patch patches.suse/nfc-fix-memory-leak-in-llcp_sock_bind.patch patches.suse/net-qlogic-Fix-memory-leak-in-ql_alloc_large_buffers.patch @@ -7725,6 +7729,8 @@ patches.suse/mac80211-accept-deauth-frames-in-IBSS-mode.patch patches.suse/mac80211-fix-scan-when-operating-on-DFS-channels-in-.patch patches.suse/ip6erspan-remove-the-incorrect-mtu-limit-for-ip6ersp.patch + patches.suse/net-stmmac-fix-length-of-PTP-clock-s-name-string.patch + patches.suse/net-stmmac-fix-disabling-flexible-PPS-output.patch patches.suse/bonding-fix-potential-NULL-deref-in-bond_update_slav.patch patches.suse/sctp-add-chunks-to-sk_backlog-when-the-newsk-sk_sock.patch patches.suse/phylink-fix-kernel-doc-warnings.patch @@ -8723,6 +8729,8 @@ patches.suse/s390-qeth-fix-potential-deadlock-on-workqueue-flush patches.suse/s390-qeth-return-proper-errno-on-io-error patches.suse/net-ibmvnic-Ignore-H_FUNCTION-return-from-H_EOI-to-t.patch + patches.suse/net-qca_spi-fix-receive-buffer-size-check.patch + patches.suse/net-qca_spi-Move-reset_count-to-struct-qcaspi.patch patches.suse/r8152-Re-order-napi_disable-in-rtl8152_close.patch patches.suse/net-mlx5e-Fix-error-flow-cleanup-in-mlx5e_tc_tun_cre.patch patches.suse/net-mlx5e-Fix-ingress-rate-configuration-for-represe.patch @@ -24166,6 +24174,7 @@ patches.suse/selftests-forwarding-Convert-until_counter_is-to-tak.patch patches.suse/selftests-mlxsw-qos_defprio-Use-until_counter_is.patch patches.suse/net-mlxfw-Replace-zero-length-array-with-flexible-ar.patch + patches.suse/net-liquidio-Delete-non-working-LIQUIDIO_PACKAGE-che.patch patches.suse/net-chelsio-Don-t-set-N-A-for-not-available-FW.patch patches.suse/net-freescale-Clean-drivers-from-static-versions.patch patches.suse/net-freescale-Don-t-set-zero-if-FW-not-available-in-.patch @@ -39714,6 +39723,7 @@ patches.suse/net-sched-act_ct-fix-miss-set-mru-for-ovs-after-defr.patch patches.suse/openvswitch-Prevent-kernel-infoleak-in-ovs_ct_put_ke.patch patches.suse/ethtool-ethnl_set_linkmodes-remove-redundant-null-ch.patch + patches.suse/net-mvpp2-fix-memory-leak-in-mvpp2_rx.patch patches.suse/net-gre-recompute-gre-csum-for-sctp-over-gre-tunnels.patch patches.suse/ionic-use-fewer-firmware-doorbells-on-rx-fill.patch patches.suse/ionic-tx-separate-servicing.patch @@ -39972,6 +39982,7 @@ patches.suse/Revert-vxlan-fix-tos-value-before-xmit.patch patches.suse/selftests-net-relax-cpu-affinity-requirement-in-msg_.patch patches.suse/ip_tunnel_core-Fix-build-for-archs-without-_HAVE_ARC.patch + patches.suse/net-thunderx-initialize-VF-s-mailbox-mutex-before-fi.patch patches.suse/msft-hv-2105-Drivers-hv-vmbus-Remove-the-target_vp-field-from-the.patch patches.suse/msft-hv-2106-Drivers-hv-vmbus-Remove-the-numa_node-field-from-the.patch patches.suse/msft-hv-2107-Drivers-hv-vmbus-Replace-cpumask_test_cpu-cpu_online.patch @@ -42425,6 +42436,8 @@ patches.suse/ice-fix-memory-leak-if-register_netdev_fails.patch patches.suse/ice-fix-memory-leak-in-ice_vsi_setup.patch patches.suse/vmxnet3-fix-cksum-offload-issues-for-non-udp-tunnels.patch + patches.suse/bonding-set-dev-needed_headroom-in-bond_setup_by_sla.patch + patches.suse/team-set-dev-needed_headroom-in-team_setup_by_port.patch patches.suse/dpaa2-eth-fix-command-version-for-Tx-shaping.patch patches.suse/mlxsw-spectrum_acl-Fix-mlxsw_sp_acl_tcam_group_add-s.patch patches.suse/r8169-fix-RTL8168f-RTL8411-EPHY-config.patch @@ -42467,6 +42480,7 @@ patches.suse/net-mlx5e-Fix-VLAN-create-flow.patch patches.suse/net-mlx5e-Fix-race-condition-on-nhe-n-pointer-in-nei.patch patches.suse/net-hinic-fix-DEVLINK-build-errors.patch + patches.suse/net-team-fix-memory-leak-in-__team_options_register.patch patches.suse/net-core-check-length-before-updating-Ethertype-in-s.patch patches.suse/Platform-OLPC-Fix-memleak-in-olpc_ec_probe.patch patches.suse/platform-x86-thinkpad_acpi-initialize-tp_nvram_state.patch @@ -43781,6 +43795,7 @@ patches.suse/mwifiex-remove-function-pointer-check.patch patches.suse/brcmsmac-fix-memory-leak-in-wlc_phy_attach_lcnphy.patch patches.suse/crypto-chcr-move-nic-TLS-functionality-to-drivers-ne.patch + patches.suse/net-ethernet-mlx4-Avoid-assigning-a-value-to-ring_co.patch patches.suse/net-fec-ptp-remove-unused-variable-ns-in-fec_time_keep.patch patches.suse/hinic-add-vxlan-segmentation-and-cs-offload-support.patch patches.suse/i40e-not-compute-affinity_mask-for-IRQ.patch @@ -43803,6 +43818,7 @@ patches.suse/devlink-introduce-the-health-reporter-test-command.patch patches.suse/chelsio-chtls-Re-add-dependencies-on-CHELSIO_T4-to-f.patch patches.suse/net-mlx5-Fix-uninitialized-variable-warning.patch + patches.suse/net-mlx5-Don-t-call-timecounter-cyc2time-directly-fr.patch patches.suse/net-mlx5-E-Switch-Check-and-enable-metadata-support-.patch patches.suse/net-mlx5-E-Switch-Dedicated-metadata-for-uplink-vpor.patch patches.suse/net-mlx5-E-Switch-Setup-all-vports-metadata-to-suppo.patch @@ -44483,6 +44499,8 @@ patches.suse/net-smc-fix-null-pointer-dereference-in-smc_listen_decline patches.suse/net-smc-fix-suppressed-return-code patches.suse/s390-ism-fix-incorrect-system-eid + patches.suse/mlxsw-core-Fix-memory-leak-on-module-removal.patch + patches.suse/mlxsw-core-Fix-use-after-free-in-mlxsw_emad_trans_fi.patch patches.suse/bnxt_en-Fix-regression-in-workqueue-cleanup-logic-in.patch patches.suse/bnxt_en-Invoke-cancel_delayed_work_sync-for-PFs-also.patch patches.suse/bnxt_en-Re-write-PCI-BARs-after-PCI-fatal-error.patch @@ -44718,7 +44736,9 @@ patches.suse/ch_ktls-stop-the-txq-if-reaches-threshold.patch patches.suse/cosa-Add-missing-kfree-in-error-path-of-cosa_write.patch patches.suse/devlink-Avoid-overwriting-port-attributes-of-registe.patch + patches.suse/i40e-Fix-MAC-address-setting-for-a-VF-via-Host-VM.patch patches.suse/i40e-xsk-uninitialized-variable-in-i40e_clean_rx_irq.patch + patches.suse/igc-Fix-returning-wrong-statistics.patch patches.suse/ext4-handle-dax-mount-option-collision.patch patches.suse/msft-hv-2170-video-hyperv_fb-include-vmalloc.h.patch patches.suse/drm-gma500-Fix-out-of-bounds-access-to-struct-drm_de.patch @@ -44951,6 +44971,7 @@ patches.suse/s390-qeth-make-af_iucv-tx-notification-call-more-robust patches.suse/s390-qeth-fix-af_iucv-notification-race patches.suse/s390-qeth-fix-tear-down-of-async-tx-buffers + patches.suse/bonding-wait-for-sysfs-kobject-destruction-before-fr.patch patches.suse/cxgb4-Fix-build-failure-when-CONFIG_TLS-m.patch patches.suse/usbnet-ipheth-fix-connectivity-with-iOS-14.patch patches.suse/net-af_iucv-set-correct-sk_protocol-for-child-sockets @@ -46289,6 +46310,7 @@ patches.suse/media-rc-ensure-that-uevent-can-be-read-directly-aft.patch patches.suse/HID-multitouch-Apply-MT_QUIRK_CONFIDENCE-quirk-for-m.patch patches.suse/HID-wacom-Correct-NULL-dereference-on-AES-pen-proxim.patch + patches.suse/Revert-RDMA-mlx5-Fix-devlink-deadlock-on-net-namespa.patch patches.suse/arm-imx-fix-imx8m-dependencies.patch patches.suse/drivers-soc-atmel-Avoid-calling-at91_soc_init-on-non.patch patches.suse/drivers-soc-atmel-add-null-entry-at-the-end-of-at91_.patch @@ -46319,7 +46341,9 @@ patches.suse/ice-update-dev_addr-in-ice_set_mac_address-even-if-H.patch patches.suse/ice-Don-t-allow-more-channels-than-LAN-MSI-X-availab.patch patches.suse/ice-Fix-MSI-X-vector-fallback-logic.patch + patches.suse/i40e-acquire-VSI-pointer-only-after-VF-is-initialize.patch patches.suse/can-dev-prevent-potential-information-leak-in-can_fi.patch + patches.suse/net-mlx5e-E-switch-Fix-rate-calculation-for-overflow.patch patches.suse/net-mlx5e-free-page-before-return.patch patches.suse/net-mlx5e-Fix-IPSEC-stats.patch patches.suse/net-mlx5-Maintain-separate-page-trees-for-ECPF-and-P.patch @@ -46329,6 +46353,7 @@ patches.suse/net-mlx5e-Revert-parameters-on-errors-when-changing-.patch patches.suse/net-mlx5-CT-Fix-incorrect-removal-of-tuple_nat_node-.patch patches.suse/mlxsw-spectrum_span-Do-not-overwrite-policer-configu.patch + patches.suse/rxrpc-Fix-memory-leak-in-rxrpc_lookup_local.patch patches.suse/drm-nouveau-dispnv50-Restore-pushing-of-all-data.patch patches.suse/drm-nouveau-svm-fail-NOUVEAU_SVM_INIT-ioctl-on-unsup.patch patches.suse/drivers-nouveau-kms-nv50-Reject-format-modifiers-for.patch @@ -46351,13 +46376,22 @@ patches.suse/scsi-qla2xxx-Fix-description-for-parameter-ql2xenfor.patch patches.suse/leds-trigger-fix-potential-deadlock-with-libata.patch patches.suse/efi-apple-properties-Reinstate-support-for-boolean-p.patch + patches.suse/bpf-cgroup-Fix-optlen-WARN_ON_ONCE-toctou.patch + patches.suse/bpf-cgroup-Fix-problematic-bounds-check.patch patches.suse/r8169-work-around-RTL8125-UDP-hw-bug.patch + patches.suse/i40e-Revert-i40e-don-t-report-link-up-for-a-VF-who-h.patch patches.suse/r8169-fix-WoL-on-shutdown-if-CONFIG_DEBUG_SHIRQ-is-s.patch patches.suse/net-mlx5-Fix-function-calculation-for-page-trees.patch patches.suse/gpio-gpiolib-remove-shadowed-variable.patch + patches.suse/Input-i8042-unbreak-Pegatron-C15B.patch patches.suse/usb-xhci-mtk-fix-unreleased-bandwidth-data.patch + patches.suse/USB-gadget-legacy-fix-an-error-code-in-eth_bind.patch + patches.suse/usb-renesas_usbhs-Clear-pipe-running-flag-in-usbhs_p.patch patches.suse/usb-xhci-mtk-skip-dropping-bandwidth-of-unchecked-en.patch patches.suse/usb-xhci-mtk-break-loop-when-find-the-endpoint-to-dr.patch + patches.suse/xhci-fix-bounce-buffer-usage-for-non-sg-list-case.patch + patches.suse/usb-dwc3-fix-clock-issue-during-resume-in-OTG-mode.patch + patches.suse/usb-dwc2-Fix-endpoint-direction-check-in-ep_from_win.patch # jejb/scsi for-next patches.suse/scsi-ibmvfc-Define-generic-queue-structure-for-CRQs.patch @@ -46663,6 +46697,7 @@ # Networking core ######################################################## patches.suse/Revert-netfilter-conntrack-remove-helper-hook-again.patch + patches.suse/net-sctp-filter-remap-copy_from_user-failure-error.patch ######################################################## # Security