diff --git a/blacklist.conf b/blacklist.conf
index 2a3eb7d..7d33eac 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -2111,3 +2111,22 @@ cb8fac6d2727f79f211e745b16c9abbf4d8be652 # cosmetic 4d9226fd9a0d747030575d7cb184b30c6e64f155 # Change in unused aarch64 defconfig file 1dbd11ca75fe664d3e54607547771d021f531f59 # cleanup breaking kABI 57b8b57516c5108b0078051a31c68dc9dfcbf68f # depends on 17f1de56df051229988aab37e01971c9713c4a31, which would massively break kABI +460a79e18842caca6fa0c415de4a3ac1e671ac50 # not a real bug, mostly refactoring +6e4d56db30a5feb83ba233a68841ba79483e7731 # depends on updates in tipd driver +e8a62f363661d824495737427d59ba3fce91ae34 # cosmetic +313bbd1990b6ddfdaa7da098d0c56b098a833572 # misattributed, introduced in 77dcc6233e0def71e104d728ab5a39c2fca51127 we do not have +a5359ddd052860bacf957e65fe819c63e974b3a6 # only needed for GCC 10+ which we do not have +7f0f1f3ef62ed7a40e30aff28115bd94c4211d1d # we don't have ARCH_NOMADIK +117b4e96c7f362eb6459543883fc07f77662472c # no gadget mode in SLE12 +14073ce951b5919da450022c050772902f24f054 # optimization that breaks kABI +393dcd1f2b75e50783c805814a96bf6c8e11fe03 # optimization that breaks kABI +a08ad6339e0441ca12533969ed94a87e3655426e # cleanup, no code change +5d4fa2c50125c9cda9e380d89268757cc5fa743d # duplicate of 27c3943683f74e35e1d390ceb2e3639eff616ad6 +e4625044d656f3c33ece0cc9da22577bc10ca5d3 # build fix irrelevant in our config +44870a9e7a3c24acbb3f888b2a7cc22c9bdf7e7f # misattributed, bug introduced in 8572211842afc53c8450fb470f2b8d02ba7592e0 which we don't have +e9ba4032a2568ef5b360de95eb6e09195a1b2efd # cleanup, not a bugfix +09fdc98577120d4f47601c3127efde726a2300c6 # irrelevant in our configs +4ebd47037027c4beae99680bff3b20fdee5d7c1e # cleanup breaking kABI +860dafa902595fb5f1d23bbcce1215188c3341e6 # does not apply: vt: Fix character height handling with VT_RESIZEX +3dfac26e2ef29ff2abc2a75aa4cd48fce25a2c4b # does not apply: vgacon: Propagate console boot parameters before calling `vc_resize' +5ada78b26f935f8751852dffa24f6b545b1d2517 # patched code does not exist: backlight: qcom-wled: Fix 
off-by-one maximum with default num_strings diff --git a/patches.kabi/NFSv4-Fix-OPEN-CLOSE-race-FIX.patch b/patches.kabi/NFSv4-Fix-OPEN-CLOSE-race-FIX.patch index a2f85fd..942a544 100644 --- a/patches.kabi/NFSv4-Fix-OPEN-CLOSE-race-FIX.patch +++ b/patches.kabi/NFSv4-Fix-OPEN-CLOSE-race-FIX.patch @@ -17,7 +17,7 @@ Signed-off-by: NeilBrown --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c -@@ -1516,6 +1516,7 @@ static void nfs_clear_open_stateid(struc +@@ -1502,6 +1502,7 @@ static void nfs_clear_open_stateid(struc static void nfs_set_open_stateid_locked(struct nfs4_state *state, const nfs4_stateid *stateid, nfs4_stateid *freeme) { @@ -25,10 +25,10 @@ Signed-off-by: NeilBrown DEFINE_WAIT(wait); struct wait_queue_head *wq_head = bit_waitqueue(&state->flags, NFS_STATE_CHANGE_WAIT); -@@ -1542,7 +1543,8 @@ static void nfs_set_open_stateid_locked( - spin_unlock(&state->owner->so_lock); +@@ -1529,7 +1530,8 @@ static void nfs_set_open_stateid_locked( rcu_read_unlock(); - if (!signal_pending(current)) { + + if (!fatal_signal_pending(current)) { - if (schedule_timeout(5*HZ) == 0) + if (schedule_timeout(5*HZ) == 0 || + time_after(jiffies, deadline)) diff --git a/patches.kabi/NFSv4-Fix-OPEN-CLOSE-race.patch b/patches.kabi/NFSv4-Fix-OPEN-CLOSE-race.patch index d149051..e1381a6 100644 --- a/patches.kabi/NFSv4-Fix-OPEN-CLOSE-race.patch +++ b/patches.kabi/NFSv4-Fix-OPEN-CLOSE-race.patch @@ -27,7 +27,7 @@ Signed-off-by: NeilBrown --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c -@@ -1397,7 +1397,7 @@ static bool nfs_open_stateid_recover_ope +@@ -1396,7 +1396,7 @@ static bool nfs_open_stateid_recover_ope static void nfs_state_log_update_open_stateid(struct nfs4_state *state) { if (test_and_clear_bit(NFS_STATE_CHANGE_WAIT, &state->flags)) @@ -35,8 +35,8 @@ 
Signed-off-by: NeilBrown + wake_up_bit(&state->flags, NFS_STATE_CHANGE_WAIT); } - static void nfs_state_log_out_of_order_open_stateid(struct nfs4_state *state, -@@ -1518,6 +1518,8 @@ static void nfs_set_open_stateid_locked( + static void nfs_test_and_clear_all_open_stateid(struct nfs4_state *state) +@@ -1502,6 +1502,8 @@ static void nfs_set_open_stateid_locked( const nfs4_stateid *stateid, nfs4_stateid *freeme) { DEFINE_WAIT(wait); @@ -45,16 +45,16 @@ Signed-off-by: NeilBrown int status = 0; for (;;) { -@@ -1531,7 +1533,7 @@ static void nfs_set_open_stateid_locked( - if (!nfs4_has_session(NFS_SERVER(state->inode)->nfs_client)) +@@ -1515,7 +1517,7 @@ static void nfs_set_open_stateid_locked( break; + set_bit(NFS_STATE_CHANGE_WAIT, &state->flags); - prepare_to_wait(&state->waitq, &wait, TASK_KILLABLE); + prepare_to_wait(wq_head, &wait, TASK_KILLABLE); /* * Ensure we process the state changes in the same order * in which the server processed them by delaying the -@@ -1547,7 +1549,7 @@ static void nfs_set_open_stateid_locked( +@@ -1532,7 +1534,7 @@ static void nfs_set_open_stateid_locked( status = 0; } else status = -EINTR; @@ -63,15 +63,9 @@ Signed-off-by: NeilBrown rcu_read_lock(); spin_lock(&state->owner->so_lock); write_seqlock(&state->seqlock); - } -- finish_wait(&state->waitq, &wait); -+ finish_wait(wq_head, &wbq_entry.wq_entry); - - if (!nfs4_stateid_match_other(stateid, &state->open_stateid)) { - nfs4_stateid_copy(freeme, &state->open_stateid); --- a/fs/nfs/nfs4state.c +++ b/fs/nfs/nfs4state.c -@@ -656,7 +656,6 @@ nfs4_alloc_open_state(void) +@@ -664,7 +664,6 @@ nfs4_alloc_open_state(void) INIT_LIST_HEAD(&state->lock_states); spin_lock_init(&state->state_lock); seqlock_init(&state->seqlock); diff --git a/patches.kabi/NFSv4-Wait-for-stateid-updates-after-CLOSE-OPEN_DOWN_kabi.patch b/patches.kabi/NFSv4-Wait-for-stateid-updates-after-CLOSE-OPEN_DOWN_kabi.patch new file mode 100644 index 0000000..d19a177 --- /dev/null 
+++ b/patches.kabi/NFSv4-Wait-for-stateid-updates-after-CLOSE-OPEN_DOWN_kabi.patch
@@ -0,0 +1,42 @@
+From: NeilBrown
+Subject: kabi fix for NFSv4: Wait for stateid updates after CLOSE/OPEN_DOWNGRADE
+Patch-mainline: Never, kabi
+References: bsc#1196247
+
+We cannot add waitq to state, so use a bit waitqueue.
+
+Signed-off-by: Neil Brown
+
+---
+ fs/nfs/nfs4proc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -3154,6 +3154,8 @@ static bool nfs4_refresh_open_old_statei
+ u32 dst_seqid;
+ bool ret;
+ int seq, status = -EAGAIN;
++ struct wait_queue_head *wq_head = bit_waitqueue(&state->flags,
++ NFS_STATE_CHANGE_WAIT);
+ DEFINE_WAIT(wait);
+
+ for (;;) {
+@@ -3182,7 +3184,7 @@ static bool nfs4_refresh_open_old_statei
+
+ /* server says we're behind but we haven't seen the update yet */
+ set_bit(NFS_STATE_CHANGE_WAIT, &state->flags);
+- prepare_to_wait(&state->waitq, &wait, TASK_KILLABLE);
++ prepare_to_wait(wq_head, &wait, TASK_KILLABLE);
+ write_sequnlock(&state->seqlock);
+ trace_nfs4_close_stateid_update_wait(state->inode, dst, 0);
+
+@@ -3192,7 +3194,7 @@ static bool nfs4_refresh_open_old_statei
+ if (schedule_timeout(5*HZ) != 0)
+ status = 0;
+
+- finish_wait(&state->waitq, &wait);
++ finish_wait(wq_head, &wait);
+
+ if (!status)
+ continue;
diff --git a/patches.kabi/Revert-NFSv4-Handle-the-special-Linux-file-open-acce.kabi b/patches.kabi/Revert-NFSv4-Handle-the-special-Linux-file-open-acce.kabi
new file mode 100644
index 0000000..6a94697
--- /dev/null
+++ b/patches.kabi/Revert-NFSv4-Handle-the-special-Linux-file-open-acce.kabi
@@ -0,0 +1,22 @@
+From: NeilBrown
+Subject: Report kabi after Revert "NFSv4: Handle the special Linux file open access mode"
+Patch-mainline: Never, kabi
+References: git-fixes
+
+Restore the export
+
+Signed-off-by: NeilBrown
+---
+ fs/nfs/inode.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/nfs/inode.c
++++ b/fs/nfs/inode.c
+@@ -1002,6 +1002,7 @@ int nfs_open(struct inode *inode, struct
+ nfs_fscache_open_file(inode, filp);
+ return 0;
+ }
++EXPORT_SYMBOL_GPL(nfs_open);
+
+ /*
+ * This function is called whenever some part of NFS notices that
diff --git a/patches.kabi/drm-drm_file-kabi-workaround.patch b/patches.kabi/drm-drm_file-kabi-workaround.patch
new file mode 100644
index 0000000..cf53020
--- /dev/null
+++ b/patches.kabi/drm-drm_file-kabi-workaround.patch
@@ -0,0 +1,41 @@
+From: Takashi Iwai
+Subject: drm: drm_file struct kABI compatibility workaround
+Patch-mainline: Never, kABI workaround
+References: CVE-2022-1280 bsc#1197914
+
+The recent fix for DRM core
+ patches.suse/drm-serialize-drm_file.master-with-a-new-spinlock.patch
+introduced a new field in struct drm_file.
+Apply the standard workaround to move it at the tail with __GENKSYMS__
+for keeping the kABI compatibility; drm_file isn't embedded, so it
+should be safe to do that.
+
+Signed-off-by: Takashi Iwai
+
+---
+ include/drm/drm_file.h | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/include/drm/drm_file.h
++++ b/include/drm/drm_file.h
+@@ -231,9 +231,6 @@ struct drm_file {
+ */
+ struct drm_master *master;
+
+- /** @master_lock: Serializes @master. */
+- spinlock_t master_lookup_lock;
+-
+ /** @pid: Process that opened this file. */
+ struct pid *pid;
+
+@@ -347,6 +344,10 @@ struct drm_file {
+
+ /* private: */
+ unsigned long lock_count; /* DRI1 legacy lock count */
++#ifndef __GENKSYMS__
++ /** @master_lock: Serializes @master. */
++ spinlock_t master_lookup_lock;
++#endif
+ };
+
+ /**
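Review bot: The kernel-doc tag on the relocated member in struct drm_file names `@master_lock`, but the member is `master_lookup_lock`, so the comment documents a field that does not exist; it should read `/** @master_lookup_lock: Serializes @master. */`. The mismatch is already on the removed lines and is carried over unchanged by the move. The new position is also below the `/* private: */` marker, so a short comment such as `/* kABI: kept at the tail and hidden from genksyms */` would explain why a documented lock sits there. The description's statement that drm_file is never embedded cannot be checked from this hunk.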
diff --git a/patches.kabi/fuse-handle-kabi-change-in-struct-fuse_req.patch b/patches.kabi/fuse-handle-kabi-change-in-struct-fuse_req.patch
new file mode 100644
index 0000000..6f51cbd
--- /dev/null
+++ b/patches.kabi/fuse-handle-kabi-change-in-struct-fuse_req.patch
@@ -0,0 +1,39 @@
+From: Luís Henriques
+Subject: fuse: handle kABI change in struct fuse_req
+Patch-mainline: Never, kABI fix
+References: bsc#1197343 CVE-2022-1011
+
+The backport of commit 0c4bcfdecb1a ("fuse: fix pipe buffer lifetime for
+direct_io") requires a kABI fix as it adds a field to struct fuse_reg.
+Fortunately, that struct has a hole immediately after the count field, so
+using the __GENKSYMS__ magic seems appropriate. Here's the pahole output:
+
+pahole -C fuse_req fs/fuse/fuse.ko
+struct fuse_req {
+ struct list_head list; /* 0 16 */
+ struct list_head intr_entry; /* 16 16 */
+ refcount_t count; /* 32 4 */
+
+ /* XXX 4 bytes hole, try to pack */
+
+ u64 intr_unique; /* 40 8 */
+...
+
+Signed-off-by: Luís Henriques
+
+---
+ fs/fuse/fuse_i.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/fuse/fuse_i.h
++++ b/fs/fuse/fuse_i.h
+@@ -312,7 +312,9 @@ struct fuse_req {
+ /** refcount */
+ refcount_t count;
+
++#ifndef __GENKSYMS__
+ bool user_pages;
++#endif
+
+ /** Unique ID for the interrupt request */
+ u64 intr_unique;
diff --git a/patches.kabi/tcp-fix-race-condition-when-creating-child-sockets-from-syncookies-kABI-fix.patch b/patches.kabi/tcp-fix-race-condition-when-creating-child-sockets-from-syncookies-kABI-fix.patch
new file mode 100644
index 0000000..b11f480
--- /dev/null
+++ b/patches.kabi/tcp-fix-race-condition-when-creating-child-sockets-from-syncookies-kABI-fix.patch
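Review bot: Hiding `bool user_pages;` behind `#ifndef __GENKSYMS__` in struct fuse_req only preserves the binary layout if the 4-byte hole after `count` exists in every build that shares this kABI, and the patch takes that from a single pahole run on one fuse.ko without checking it. A compile-time guard would turn the assumption into a build failure instead of a silent layout change, for example `BUILD_BUG_ON(offsetof(struct fuse_req, intr_unique) != 40);` in an init path, where 40 is the offset shown in the quoted pahole output and needs confirming for each supported architecture. The description also writes `struct fuse_reg` where the struct is `fuse_req`.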
@@ -0,0 +1,128 @@
+From: João Silva
+Subject: kABI fix for tcp: fix race condition when creating child sockets from
+ syncookies
+References: bsc#1197075
+Patch-mainline: Never, kABI breakage workaround
+---
+ include/net/inet_hashtables.h | 5 +++--
+ net/dccp/ipv4.c | 2 +-
+ net/dccp/ipv6.c | 2 +-
+ net/ipv4/inet_hashtables.c | 15 ++++++++++-----
+ net/ipv4/tcp_ipv4.c | 4 ++--
+ net/ipv6/tcp_ipv6.c | 4 ++--
+ 6 files changed, 19 insertions(+), 13 deletions(-)
+
+--- a/include/net/inet_hashtables.h
++++ b/include/net/inet_hashtables.h
+@@ -210,8 +210,9 @@ void inet_put_port(struct sock *sk);
+ void inet_hashinfo_init(struct inet_hashinfo *h);
+
+ bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk);
+-bool inet_ehash_nolisten(struct sock *sk, struct sock *osk,
+- bool *found_dup_sk);
++bool inet_ehash_nolisten(struct sock *sk, struct sock *osk);
++bool inet_ehash_nolisten3(struct sock *sk, struct sock *osk,
++ bool *found_dup_sk);
+ int __inet_hash(struct sock *sk, struct sock *osk);
+ int inet_hash(struct sock *sk);
+ void inet_unhash(struct sock *sk);
+--- a/net/dccp/ipv4.c
++++ b/net/dccp/ipv4.c
+@@ -428,7 +428,7 @@ struct sock *dccp_v4_request_recv_sock(c
+
+ if (__inet_inherit_port(sk, newsk) < 0)
+ goto put_and_exit;
+- *own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash), NULL);
++ *own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash));
+ if (*own_req)
+ ireq->ireq_opt = NULL;
+ else
+--- a/net/dccp/ipv6.c
++++ b/net/dccp/ipv6.c
+@@ -530,7 +530,7 @@ static struct sock *dccp_v6_request_recv
+ dccp_done(newsk);
+ goto out;
+ }
+- *own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash), NULL);
++ *own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash));
+ /* Clone pktoptions received with SYN, if we own the req */
+ if (*own_req && ireq->pktopts) {
+ newnp->pktoptions = skb_clone(ireq->pktopts, GFP_ATOMIC);
+--- a/net/ipv4/inet_hashtables.c
++++ b/net/ipv4/inet_hashtables.c
+@@ -478,7 +478,13 @@ bool inet_ehash_insert(struct sock *sk,
+ return ret;
+ }
+
+-bool inet_ehash_nolisten(struct sock *sk, struct sock *osk, bool *found_dup_sk)
++bool inet_ehash_nolisten(struct sock *sk, struct sock *osk)
++{
++ return inet_ehash_nolisten3(sk, osk, NULL);
++}
++EXPORT_SYMBOL_GPL(inet_ehash_nolisten);
++
++bool inet_ehash_nolisten3(struct sock *sk, struct sock *osk, bool *found_dup_sk)
+ {
+ bool ok = inet_ehash_insert(sk, osk, found_dup_sk);
+
+@@ -492,7 +498,6 @@ bool inet_ehash_nolisten(struct sock *sk
+ }
+ return ok;
+ }
+-EXPORT_SYMBOL_GPL(inet_ehash_nolisten);
+
+ static int inet_reuseport_add_sock(struct sock *sk,
+ struct inet_listen_hashbucket *ilb)
+@@ -522,7 +527,7 @@ int __inet_hash(struct sock *sk, struct
+ int err = 0;
+
+ if (sk->sk_state != TCP_LISTEN) {
+- inet_ehash_nolisten(sk, osk, NULL);
++ inet_ehash_nolisten(sk, osk);
+ return 0;
+ }
+ WARN_ON(!sk_unhashed(sk));
+@@ -612,7 +617,7 @@ int __inet_hash_connect(struct inet_time
+ tb = inet_csk(sk)->icsk_bind_hash;
+ spin_lock_bh(&head->lock);
+ if (sk_head(&tb->owners) == sk && !sk->sk_bind_node.next) {
+- inet_ehash_nolisten(sk, NULL, NULL);
++ inet_ehash_nolisten(sk, NULL);
+ spin_unlock_bh(&head->lock);
+ return 0;
+ }
+@@ -688,7 +693,7 @@ ok:
+ inet_bind_hash(sk, tb, port);
+ if (sk_unhashed(sk)) {
+ inet_sk(sk)->inet_sport = htons(port);
+- inet_ehash_nolisten(sk, (struct sock *)tw, NULL);
++ inet_ehash_nolisten(sk, (struct sock *)tw);
+ }
+ if (tw)
+ inet_twsk_bind_unhash(tw, hinfo);
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -1376,8 +1376,8 @@ struct sock *tcp_v4_syn_recv_sock(const
+
+ if (__inet_inherit_port(sk, newsk) < 0)
+ goto put_and_exit;
+- *own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash),
+- &found_dup_sk);
++ *own_req = inet_ehash_nolisten3(newsk, req_to_sk(req_unhash),
++ &found_dup_sk);
+ if (likely(*own_req)) {
+ tcp_move_syn(newtp, req);
+ ireq->ireq_opt = NULL;
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -1211,8 +1211,8 @@ static struct sock *tcp_v6_syn_recv_sock
+ tcp_done(newsk);
+ goto out;
+ }
+- *own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash),
+- &found_dup_sk);
++ *own_req = inet_ehash_nolisten3(newsk, req_to_sk(req_unhash),
++ &found_dup_sk);
+ if (*own_req) {
+ tcp_move_syn(newtp, req);
+
diff --git a/patches.suse/0001-arm64-entry.S-Add-ventry-overflow-sanity-checks.patch b/patches.suse/0001-arm64-entry.S-Add-ventry-overflow-sanity-checks.patch
new file mode 100644
index 0000000..cc40a6c
--- /dev/null
+++ b/patches.suse/0001-arm64-entry.S-Add-ventry-overflow-sanity-checks.patch
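Review bot: `inet_ehash_nolisten3()` in net/ipv4/inet_hashtables.c ends up without an export: the hunk puts `EXPORT_SYMBOL_GPL(inet_ehash_nolisten);` after the new two-argument wrapper and removes the one that followed the original body, yet the three-argument function is now called from net/ipv6/tcp_ipv6.c. If IPv6 can be built as a module in any supported configuration, that call will fail at modpost; adding `EXPORT_SYMBOL_GPL(inet_ehash_nolisten3);` after its closing brace avoids this and, being a new symbol, should not disturb the existing symbol versions. The patch header also carries no Signed-off-by line, unlike the other kABI patches in this commit.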
@@ -0,0 +1,52 @@
+From 8759616c72bddeca62fbdf454b438b8686f488ab Mon Sep 17 00:00:00 2001
+From: James Morse
+Date: Wed, 17 Nov 2021 16:15:00 +0100
+Subject: [PATCH 01/22] arm64: entry.S: Add ventry overflow sanity checks
+
+Git-commit: 4330e2c5c04c27bebf89d34e0bc14e6943413067
+Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git
+Patch-mainline: Queued in a subsystem tree
+References: bsc#1191580 CVE-2022-0001 CVE-2022-000 CVE-2022-23960
+
+Subsequent patches add even more code to the ventry slots.
+Ensure kernels that overflow a ventry slot don't get built.
+
+Reviewed-by: Russell King (Oracle)
+Reviewed-by: Catalin Marinas
+Signed-off-by: James Morse
+Signed-off-by: Matthias Brugger
+---
+ arch/arm64/kernel/entry.S | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
+index ec2f53c8907a1..2b67d16192297 100644
+--- a/arch/arm64/kernel/entry.S
++++ b/arch/arm64/kernel/entry.S
+@@ -73,6 +73,7 @@
+
+ .macro kernel_ventry, el, label, regsize = 64
+ .align 7
++.Lventry_start\@:
+ #ifdef CONFIG_UNMAP_KERNEL_AT_EL0
+ alternative_if ARM64_UNMAP_KERNEL_AT_EL0
+ .if \el == 0
+@@ -130,6 +131,7 @@ alternative_else_nop_endif
+ mrs x0, tpidrro_el0
+ #endif
+ b el\()\el\()_\label
++.org .Lventry_start\@ + 128 // Did we overflow the ventry slot?
+ .endm
+
+ .macro tramp_alias, dst, sym
+@@ -1111,6 +1113,7 @@ alternative_insn isb, nop, ARM64_WORKAROUND_QCOM_FALKOR_E1003
+ add x30, x30, #(1b - tramp_vectors)
+ isb
+ ret
++.org 1b + 128 // Did we overflow the ventry slot?
+ .endm
+
+ .macro tramp_exit, regsize = 64
+--
+2.34.1
+
diff --git a/patches.suse/0001-drm-vgem-Close-use-after-free-race-in-vgem_gem_creat.patch b/patches.suse/0001-drm-vgem-Close-use-after-free-race-in-vgem_gem_creat.patch
new file mode 100644
index 0000000..1b0e01b
--- /dev/null
+++ b/patches.suse/0001-drm-vgem-Close-use-after-free-race-in-vgem_gem_creat.patch
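Review bot: The `References:` tag lists `CVE-2022-000`, which is not a well-formed CVE identifier (the sequence part has only three digits), so anything that maps patches to advisories by CVE id will not match this patch for that entry. The same tag is repeated verbatim in the 0002, 0003 and 0004 arm64 entry patches added by this commit. All four headers should carry the full identifier recorded in bsc#1191580, i.e. `References: bsc#1191580 CVE-2022-0001 <CVE id from bsc#1191580> CVE-2022-23960`.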
@@ -0,0 +1,70 @@
+From 4b848f20eda5974020f043ca14bacf7a7e634fc8 Mon Sep 17 00:00:00 2001
+From: Daniel Vetter
+Date: Sun, 2 Feb 2020 14:21:33 +0100
+Subject: drm/vgem: Close use-after-free race in vgem_gem_create
+Git-commit: 4b848f20eda5974020f043ca14bacf7a7e634fc8
+Patch-mainline: v5.6-rc2
+References: CVE-2022-1419 bsc#1198742
+
+There's two references floating around here (for the object reference,
+not the handle_count reference, that's a different thing):
+
+- The temporary reference held by vgem_gem_create, acquired by
+ creating the object and released by calling
+ drm_gem_object_put_unlocked.
+
+- The reference held by the object handle, created by
+ drm_gem_handle_create. This one generally outlives the function,
+ except if a 2nd thread races with a GEM_CLOSE ioctl call.
+
+So usually everything is correct, except in that race case, where the
+access to gem_object->size could be looking at freed data already.
+Which again isn't a real problem (userspace shot its feet off already
+with the race, we could return garbage), but maybe someone can exploit
+this as an information leak.
+
+Cc: Dan Carpenter
+Cc: Hillf Danton
+Reported-by: syzbot+0dc4444774d419e916c8@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Cc: Emil Velikov
+Cc: Daniel Vetter
+Cc: Sean Paul
+Cc: Chris Wilson
+Cc: Eric Anholt
+Cc: Sam Ravnborg
+Cc: Rob Clark
+Reviewed-by: Chris Wilson
+Signed-off-by: Daniel Vetter
+Link: https://patchwork.freedesktop.org/patch/msgid/20200202132133.1891846-1-daniel.vetter@ffwll.ch
+Acked-by: Thomas Zimmermann
+---
+ drivers/gpu/drm/vgem/vgem_drv.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/vgem/vgem_drv.c
++++ b/drivers/gpu/drm/vgem/vgem_drv.c
+@@ -190,9 +190,10 @@ static struct drm_gem_object *vgem_gem_c
+ return ERR_CAST(obj);
+
+ ret = drm_gem_handle_create(file, &obj->base, handle);
+- drm_gem_object_put_unlocked(&obj->base);
+- if (ret)
++ if (ret) {
++ drm_gem_object_put_unlocked(&obj->base);
+ return ERR_PTR(ret);
++ }
+
+ return &obj->base;
+ }
+@@ -215,7 +216,9 @@ static int vgem_gem_dumb_create(struct d
+ args->size = gem_object->size;
+ args->pitch = pitch;
+
+- DRM_DEBUG_DRIVER("Created object of size %lld\n", size);
++ drm_gem_object_put_unlocked(gem_object);
++
++ DRM_DEBUG_DRIVER("Created object of size %llu\n", args->size);
+
+ return 0;
+ }
diff --git a/patches.suse/0002-arm64-entry-Make-the-trampoline-cleanup-optional.patch b/patches.suse/0002-arm64-entry-Make-the-trampoline-cleanup-optional.patch
new file mode 100644
index 0000000..1804c45
--- /dev/null
+++ b/patches.suse/0002-arm64-entry-Make-the-trampoline-cleanup-optional.patch
@@ -0,0 +1,72 @@
+From 338576dfd1a952a20ec93973ba65de281c84e009 Mon Sep 17 00:00:00 2001
+From: James Morse
+Date: Wed, 24 Nov 2021 16:36:00 +0100
+Subject: [PATCH 02/22] arm64: entry: Make the trampoline cleanup optional
+
+Git-commit: d739da1694a0eaef0358a42b76904b611539b77b
+Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git
+Patch-mainline: Queued in a subsystem tree
+References: bsc#1191580 CVE-2022-0001 CVE-2022-000 CVE-2022-23960
+
+Subsequent patches will add additional sets of vectors that use
+the same tricks as the kpti vectors to reach the full-fat vectors.
+The full-fat vectors contain some cleanup for kpti that is patched
+in by alternatives when kpti is in use. Once there are additional
+vectors, the cleanup will be needed in more cases.
+
+But on big/little systems, the cleanup would be harmful if no
+trampoline vector were in use. Instead of forcing CPUs that don't
+need a trampoline vector to use one, make the trampoline cleanup
+optional.
+
+Entry at the top of the vectors will skip the cleanup. The trampoline
+vectors can then skip the first instruction, triggering the cleanup
+to run.
+
+Reviewed-by: Russell King (Oracle)
+Reviewed-by: Catalin Marinas
+Signed-off-by: James Morse
+Signed-off-by: Matthias Brugger
+---
+ arch/arm64/kernel/entry.S | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
+index 2b67d16192297..d30f413f9eb10 100644
+--- a/arch/arm64/kernel/entry.S
++++ b/arch/arm64/kernel/entry.S
+@@ -75,16 +75,20 @@
+ .align 7
+ .Lventry_start\@:
+ #ifdef CONFIG_UNMAP_KERNEL_AT_EL0
+-alternative_if ARM64_UNMAP_KERNEL_AT_EL0
+ .if \el == 0
++ /*
++ * This must be the first instruction of the EL0 vector entries. It is
++ * skipped by the trampoline vectors, to trigger the cleanup.
++ */
++ b .Lskip_tramp_vectors_cleanup\@
+ .if \regsize == 64
+ mrs x30, tpidrro_el0
+ msr tpidrro_el0, xzr
+ .else
+ mov x30, xzr
+ .endif
++.Lskip_tramp_vectors_cleanup\@:
+ .endif
+-alternative_else_nop_endif
+ #endif
+
+ sub sp, sp, #S_FRAME_SIZE
+@@ -1110,7 +1114,7 @@ alternative_insn isb, nop, ARM64_WORKAROUND_QCOM_FALKOR_E1003
+ #endif
+ prfm plil1strm, [x30, #(1b - tramp_vectors)]
+ msr vbar_el1, x30
+- add x30, x30, #(1b - tramp_vectors)
++ add x30, x30, #(1b - tramp_vectors + 4)
+ isb
+ ret
+ .org 1b + 128 // Did we overflow the ventry slot?
+--
+2.34.1
+
diff --git a/patches.suse/0002-backlight-pwm_bl-Improve-bootloader-kernel-device-ha.patch b/patches.suse/0002-backlight-pwm_bl-Improve-bootloader-kernel-device-ha.patch
new file mode 100644
index 0000000..0852e60
--- /dev/null
+++ b/patches.suse/0002-backlight-pwm_bl-Improve-bootloader-kernel-device-ha.patch
@@ -0,0 +1,113 @@
+From 79fad92f2e596f5a8dd085788a24f540263ef887 Mon Sep 17 00:00:00 2001
+From: Daniel Thompson
+Date: Thu, 22 Jul 2021 15:46:23 +0100
+Subject: backlight: pwm_bl: Improve bootloader/kernel device handover
+Git-commit: 79fad92f2e596f5a8dd085788a24f540263ef887
+Patch-mainline: v5.15-rc1
+References: bsc#1129770
+
+Currently there are (at least) two problems in the way pwm_bl starts
+managing the enable_gpio pin. Both occur when the backlight is initially
+off and the driver finds the pin not already in output mode and, as a
+result, unconditionally switches it to output-mode and asserts the signal.
+
+Problem 1: This could cause the backlight to flicker since, at this stage
+in driver initialisation, we have no idea what the PWM and regulator are
+doing (an unconfigured PWM could easily "rest" at 100% duty cycle).
+
+Problem 2: This will cause us not to correctly honour the
+post_pwm_on_delay (which also risks flickers).
+
+Fix this by moving the code to configure the GPIO output mode until after
+we have examines the handover state. That allows us to initialize
+enable_gpio to off if the backlight is currently off and on if the
+backlight is on.
+
+Cc: stable@vger.kernel.org
+Reported-by: Marek Vasut
+Signed-off-by: Daniel Thompson
+Acked-by: Marek Vasut
+Tested-by: Marek Vasut
+Signed-off-by: Lee Jones
+Acked-by: Thomas Zimmermann
+---
+ drivers/video/backlight/pwm_bl.c | 54 ++++++++++++++++++++-------------------
+ 1 file changed, 28 insertions(+), 26 deletions(-)
+
+--- a/drivers/video/backlight/pwm_bl.c
++++ b/drivers/video/backlight/pwm_bl.c
+@@ -199,6 +199,33 @@ static int pwm_backlight_parse_dt(struct
+ static int pwm_backlight_initial_power_state(const struct pwm_bl_data *pb)
+ {
+ struct device_node *node = pb->dev->of_node;
++ bool active = true;
++
++ /*
++ * If the enable GPIO is present, observable (either as input
++ * or output) and off then the backlight is not currently active.
++ * */
++ if (pb->enable_gpio && gpiod_get_value_cansleep(pb->enable_gpio) == 0)
++ active = false;
++
++ if (!regulator_is_enabled(pb->power_supply))
++ active = false;
++
++ if (!pwm_is_enabled(pb->pwm))
++ active = false;
++
++ /*
++ * Synchronize the enable_gpio with the observed state of the
++ * hardware.
++ */
++ if (pb->enable_gpio)
++ gpiod_direction_output(pb->enable_gpio, active);
++
++ /*
++ * Do not change pb->enabled here! pb->enabled essentially
++ * tells us if we own one of the regulator's use counts and
++ * right now we do not.
++ */
+
+ /* Not booted with device tree or no phandle link to the node */
+ if (!node || !node->phandle)
+@@ -210,20 +237,7 @@ static int pwm_backlight_initial_power_s
+ * assume that another driver will enable the backlight at the
+ * appropriate time. Therefore, if it is disabled, keep it so.
+ */
+-
+- /* if the enable GPIO is disabled, do not enable the backlight */
+- if (pb->enable_gpio && gpiod_get_value_cansleep(pb->enable_gpio) == 0)
+- return FB_BLANK_POWERDOWN;
+-
+- /* The regulator is disabled, do not enable the backlight */
+- if (!regulator_is_enabled(pb->power_supply))
+- return FB_BLANK_POWERDOWN;
+-
+- /* The PWM is disabled, keep it like this */
+- if (!pwm_is_enabled(pb->pwm))
+- return FB_BLANK_POWERDOWN;
+-
+- return FB_BLANK_UNBLANK;
++ return active ? FB_BLANK_UNBLANK: FB_BLANK_POWERDOWN;
+ }
+
+ static int pwm_backlight_probe(struct platform_device *pdev)
+@@ -300,18 +314,6 @@ static int pwm_backlight_probe(struct pl
+ pb->enable_gpio = gpio_to_desc(data->enable_gpio);
+ }
+
+- /*
+- * If the GPIO is not known to be already configured as output, that
+- * is, if gpiod_get_direction returns either 1 or -EINVAL, change the
+- * direction to output and set the GPIO as active.
+- * Do not force the GPIO to active when it was already output as it
+- * could cause backlight flickering or we would enable the backlight too
+- * early. Leave the decision of the initial backlight state for later.
+- */
+- if (pb->enable_gpio &&
+- gpiod_get_direction(pb->enable_gpio) != 0)
+- gpiod_direction_output(pb->enable_gpio, 1);
+-
+ pb->power_supply = devm_regulator_get(&pdev->dev, "power");
+ if (IS_ERR(pb->power_supply)) {
+ ret = PTR_ERR(pb->power_supply);
diff --git a/patches.suse/0003-arm64-entry-Free-up-another-register-on-kpti-s-tramp.patch b/patches.suse/0003-arm64-entry-Free-up-another-register-on-kpti-s-tramp.patch
new file mode 100644
index 0000000..fa93f86
--- /dev/null
+++ b/patches.suse/0003-arm64-entry-Free-up-another-register-on-kpti-s-tramp.patch
@@ -0,0 +1,79 @@
+From 9c764b0da45489e51c843a5ad38af0ca01984015 Mon Sep 17 00:00:00 2001
+From: James Morse
+Date: Mon, 28 Feb 2022 17:22:00 +0100
+Subject: [PATCH 03/22] arm64: entry: Free up another register on kpti's
+ tramp_exit path
+
+Git-commit: 03aff3a77a58b5b52a77e00537a42090ad57b80b
+Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git
+Patch-mainline: Queued in a subsystem tree
+References: bsc#1191580 CVE-2022-0001 CVE-2022-000 CVE-2022-23960
+
+Kpti stashes x30 in far_el1 while it uses x30 for all its work.
+
+Making the vectors a per-cpu data structure will require a second
+register.
+
+Allow tramp_exit two registers before it unmaps the kernel, by
+leaving x30 on the stack, and stashing x29 in far_el1.
+
+Reviewed-by: Russell King (Oracle)
+Reviewed-by: Catalin Marinas
+Signed-off-by: James Morse
+Signed-off-by: Matthias Brugger
+---
+ arch/arm64/kernel/entry.S | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
+index d30f413f9eb10..8d3cb192e9a7b 100644
+--- a/arch/arm64/kernel/entry.S
++++ b/arch/arm64/kernel/entry.S
+@@ -372,14 +372,16 @@ alternative_else_nop_endif
+ ldp x24, x25, [sp, #16 * 12]
+ ldp x26, x27, [sp, #16 * 13]
+ ldp x28, x29, [sp, #16 * 14]
+- ldr lr, [sp, #S_LR]
+- add sp, sp, #S_FRAME_SIZE // restore sp
+
+ .if \el == 0
+-alternative_insn eret, nop, ARM64_UNMAP_KERNEL_AT_EL0
++alternative_if_not ARM64_UNMAP_KERNEL_AT_EL0
++ ldr lr, [sp, #S_LR]
++ add sp, sp, #S_FRAME_SIZE // restore sp
++ eret
++alternative_else_nop_endif
+ #ifdef CONFIG_UNMAP_KERNEL_AT_EL0
+ bne 5f
+- msr far_el1, x30
++ msr far_el1, x29
+ tramp_alias x30, tramp_exit_native
+ br x30
+ 5:
+@@ -387,6 +389,8 @@ alternative_insn eret, nop, ARM64_UNMAP_KERNEL_AT_EL0
+ br x30
+ #endif
+ .else
++ ldr lr, [sp, #S_LR]
++ add sp, sp, #S_FRAME_SIZE // restore sp
+ eret
+ .endif
+ .endm
+@@ -1123,10 +1127,12 @@ alternative_insn isb, nop, ARM64_WORKAROUND_QCOM_FALKOR_E1003
+ .macro tramp_exit, regsize = 64
+ adr x30, tramp_vectors
+ msr vbar_el1, x30
+- tramp_unmap_kernel x30
++ ldr lr, [sp, #S_LR]
++ tramp_unmap_kernel x29
+ .if \regsize == 64
+- mrs x30, far_el1
++ mrs x29, far_el1
+ .endif
++ add sp, sp, #S_FRAME_SIZE // restore sp
+ eret
+ .endm
+
+--
+2.34.1
+
diff --git a/patches.suse/0003-fbmem-don-t-allow-too-huge-resolutions.patch b/patches.suse/0003-fbmem-don-t-allow-too-huge-resolutions.patch
new file mode 100644
index 0000000..21ca5cd
--- /dev/null
+++ b/patches.suse/0003-fbmem-don-t-allow-too-huge-resolutions.patch
@@ -0,0 +1,63 @@
+From 8c28051cdcbe9dfcec6bd0a4709d67a09df6edae Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa
+Date: Wed, 8 Sep 2021 19:27:49 +0900
+Subject: fbmem: don't allow too huge resolutions
+Git-commit: 8c28051cdcbe9dfcec6bd0a4709d67a09df6edae
+Patch-mainline: v5.15-rc1
+References: bsc#1129770
+
+syzbot is reporting page fault at vga16fb_fillrect() [1], for
+vga16fb_check_var() is failing to detect multiplication overflow.
+
+ if (vxres * vyres > maxmem) {
+ vyres = maxmem / vxres;
+ if (vyres < yres)
+ return -ENOMEM;
+ }
+
+Since no module would accept too huge resolutions where multiplication
+overflow happens, let's reject in the common path.
+
+Link: https://syzkaller.appspot.com/bug?extid=04168c8063cfdde1db5e [1]
+Reported-by: syzbot
+Debugged-by: Randy Dunlap
+Signed-off-by: Tetsuo Handa
+Reviewed-by: Geert Uytterhoeven
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniel Vetter
+Link: https://patchwork.freedesktop.org/patch/msgid/185175d6-227a-7b55-433d-b070929b262c@i-love.sakura.ne.jp
+Acked-by: Thomas Zimmermann
+---
+ drivers/video/fbdev/core/fbmem.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/video/fbdev/core/fbmem.c
++++ b/drivers/video/fbdev/core/fbmem.c
+@@ -954,6 +954,7 @@ fb_set_var(struct fb_info *info, struct
+ {
+ int flags = info->flags;
+ int ret = 0;
++ u32 unused;
+
+ if (var->activate & FB_ACTIVATE_INV_MODE) {
+ struct fb_videomode mode1, mode2;
+@@ -1006,6 +1007,11 @@ fb_set_var(struct fb_info *info, struct
+ if (var->xres < 8 || var->yres < 8)
+ return -EINVAL;
+
++ /* Too huge resolution causes multiplication overflow. */
++ if (check_mul_overflow(var->xres, var->yres, &unused) ||
++ check_mul_overflow(var->xres_virtual, var->yres_virtual, &unused))
++ return -EINVAL;
++
+ ret = info->fbops->fb_check_var(var, info);
+
+ if (ret)
+@@ -1895,6 +1901,7 @@ EXPORT_SYMBOL(unregister_framebuffer);
+ void fb_set_suspend(struct fb_info *info, int state)
+ {
+ struct fb_event event;
++ u32 unused;
+
+ event.info = info;
+ if (state) {
diff --git a/patches.suse/0004-arm64-entry-Move-the-trampoline-data-page-before-the.patch b/patches.suse/0004-arm64-entry-Move-the-trampoline-data-page-before-the.patch
new file mode 100644
index 0000000..6e40c27
--- /dev/null
+++ b/patches.suse/0004-arm64-entry-Move-the-trampoline-data-page-before-the.patch
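Review bot: The last inner hunk (`@@ -1895,6 +1901,7 @@`) adds `u32 unused;` to `fb_set_suspend()`, but the only users of that variable, the two `check_mul_overflow()` calls, are in `fb_set_var()`, and nothing visible in `fb_set_suspend()` reads it. This looks like a backport artifact that at least produces an unused-variable warning, so the `+ u32 unused;` line in that hunk should be dropped, which brings the diffstat to 6 insertions. fb_set_suspend's body continues past the hunk, so confirm against the full file before removing it. The check itself depends on `check_mul_overflow()` being available in this tree, which the patch does not show.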
@@ -0,0 +1,79 @@ +From df448f7e295526128a384695e55622ad9fb712e7 Mon Sep 17 00:00:00 2001 +From: James Morse +Date: Mon, 28 Feb 2022 17:24:00 +0100 +Subject: [PATCH 04/22] arm64: entry: Move the trampoline data page before the + text page + +Git-commit: c091fb6ae059cda563b2a4d93fdbc548ef34e1d6 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: Queued in a subsystem tree +References: bsc#1191580 CVE-2022-0001 CVE-2022-000 CVE-2022-23960 + + +The trampoline code has a data page that holds the address of the vectors, +which is unmapped when running in user-space. This ensures that with +CONFIG_RANDOMIZE_BASE, the randomised address of the kernel can't be +discovered until after the kernel has been mapped. + +If the trampoline text page is extended to include multiple sets of +vectors, it will be larger than a single page, making it tricky to +find the data page without knowing the size of the trampoline text +pages, which will vary with PAGE_SIZE. + +Move the data page to appear before the text page. This allows the +data page to be found without knowing the size of the trampoline text +pages. 'tramp_vectors' is used to refer to the beginning of the +.entry.tramp.text section, do that explicitly. 
+ +Reviewed-by: Russell King (Oracle) +Reviewed-by: Catalin Marinas +[ removed SDEI for backport ] +Signed-off-by: James Morse +Signed-off-by: Matthias Brugger +--- + arch/arm64/include/asm/fixmap.h | 2 +- + arch/arm64/kernel/entry.S | 7 ++++++- + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/include/asm/fixmap.h b/arch/arm64/include/asm/fixmap.h +index ec1e6d6fa14cc..c0cfc6d3bf9f8 100644 +--- a/arch/arm64/include/asm/fixmap.h ++++ b/arch/arm64/include/asm/fixmap.h +@@ -59,8 +59,8 @@ enum fixed_addresses { + #endif /* CONFIG_ACPI_APEI_GHES */ + + #ifdef CONFIG_UNMAP_KERNEL_AT_EL0 +- FIX_ENTRY_TRAMP_DATA, + FIX_ENTRY_TRAMP_TEXT, ++ FIX_ENTRY_TRAMP_DATA, + #define TRAMP_VALIAS (__fix_to_virt(FIX_ENTRY_TRAMP_TEXT)) + #endif /* CONFIG_UNMAP_KERNEL_AT_EL0 */ + __end_of_permanent_fixed_addresses, +diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S +index 8d3cb192e9a7b..d7915e79778e0 100644 +--- a/arch/arm64/kernel/entry.S ++++ b/arch/arm64/kernel/entry.S +@@ -1094,6 +1094,11 @@ alternative_else_nop_endif + */ + .endm + ++ .macro tramp_data_page dst ++ adr \dst, .entry.tramp.text ++ sub \dst, \dst, PAGE_SIZE ++ .endm ++ + .macro tramp_ventry, regsize = 64 + .align 7 + 1: +@@ -1110,7 +1115,7 @@ alternative_else_nop_endif + 2: + tramp_map_kernel x30 + #ifdef CONFIG_RANDOMIZE_BASE +- adr x30, tramp_vectors + PAGE_SIZE ++ tramp_data_page x30 + alternative_insn isb, nop, ARM64_WORKAROUND_QCOM_FALKOR_E1003 + ldr x30, [x30] + #else +-- +2.34.1 + diff --git a/patches.suse/0004-video-fbdev-chipsfb-use-memset_io-instead-of-memset.patch b/patches.suse/0004-video-fbdev-chipsfb-use-memset_io-instead-of-memset.patch new file mode 100644 index 0000000..5edf577 --- /dev/null +++ b/patches.suse/0004-video-fbdev-chipsfb-use-memset_io-instead-of-memset.patch 
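Review bot: The `[ removed SDEI for backport ]` note should be checked against the tree, because patch 0005 of this same series edits a `tramp_alias ... __sdei_asm_exit_trampoline` call in `__sdei_asm_handler`, so SDEI trampoline code does appear to exist here. If any SDEI entry path still locates the trampoline data page as an offset above `tramp_vectors`, it would read from a text page once `FIX_ENTRY_TRAMP_DATA` moves below the text; it should then use `tramp_data_page` too, or the commit message should say why it is unaffected. A comment in the enum such as `/* DATA must directly follow TEXT: tramp_data_page subtracts PAGE_SIZE from the text start */` would make the ordering dependency explicit. Separately, `CVE-2022-000` in the References line is not a well-formed CVE id and looks truncated; the same string is repeated in patches 0005 through 0010 and should be corrected from the bug record so that CVE tracking picks these patches up.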
@@ -0,0 +1,83 @@ +From f2719b26ae27282c145202ffd656d5ff1fe737cc Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Wed, 15 Sep 2021 15:34:35 +0200 +Subject: video: fbdev: chipsfb: use memset_io() instead of memset() +Git-commit: f2719b26ae27282c145202ffd656d5ff1fe737cc +Patch-mainline: v5.16-rc1 +References: bsc#1129770 + +While investigating a lockup at startup on Powerbook 3400C, it was +identified that the fbdev driver generates alignment exception at +startup: + + --- interrupt: 600 at memset+0x60/0xc0 + NIP: c0021414 LR: c03fc49c CTR: 00007fff + REGS: ca021c10 TRAP: 0600 Tainted: G W (5.14.2-pmac-00727-g12a41fa69492) + MSR: 00009032 CR: 44008442 XER: 20000100 + DAR: cab80020 DSISR: 00017c07 + GPR00: 00000007 ca021cd0 c14412e0 cab80000 00000000 00100000 cab8001c 00000004 + GPR08: 00100000 00007fff 00000000 00000000 84008442 00000000 c0006fb4 00000000 + GPR16: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00100000 + GPR24: 00000000 81800000 00000320 c15fa400 c14d1878 00000000 c14d1800 c094e19c + NIP [c0021414] memset+0x60/0xc0 + LR [c03fc49c] chipsfb_pci_init+0x160/0x580 + --- interrupt: 600 + [ca021cd0] [c03fc46c] chipsfb_pci_init+0x130/0x580 (unreliable) + [ca021d20] [c03a3a70] pci_device_probe+0xf8/0x1b8 + [ca021d50] [c043d584] really_probe.part.0+0xac/0x388 + [ca021d70] [c043d914] __driver_probe_device+0xb4/0x170 + [ca021d90] [c043da18] driver_probe_device+0x48/0x144 + [ca021dc0] [c043e318] __driver_attach+0x11c/0x1c4 + [ca021de0] [c043ad30] bus_for_each_dev+0x88/0xf0 + [ca021e10] [c043c724] bus_add_driver+0x190/0x22c + [ca021e40] [c043ee94] driver_register+0x9c/0x170 + [ca021e60] [c0006c28] do_one_initcall+0x54/0x1ec + [ca021ed0] [c08246e4] kernel_init_freeable+0x1c0/0x270 + [ca021f10] [c0006fdc] kernel_init+0x28/0x11c + [ca021f30] [c0017148] ret_from_kernel_thread+0x14/0x1c + Instruction dump: + 7d4601a4 39490777 7d4701a4 39490888 7d4801a4 39490999 7d4901a4 39290aaa + 7d2a01a4 4c00012c 4bfffe88 0fe00000 <4bfffe80> 9421fff0 38210010 
48001970 + +This is due to 'dcbz' instruction being used on non-cached memory. +'dcbz' instruction is used by memset() to zeroize a complete +cacheline at once, and memset() is not expected to be used on non +cached memory. + +When performing a 'sparse' check on fbdev driver, it also appears +that the use of memset() is unexpected: + + drivers/video/fbdev/chipsfb.c:334:17: warning: incorrect type in argument 1 (different address spaces) + drivers/video/fbdev/chipsfb.c:334:17: expected void * + drivers/video/fbdev/chipsfb.c:334:17: got char [noderef] __iomem *screen_base + drivers/video/fbdev/chipsfb.c:334:15: warning: memset with byte count of 1048576 + +Use fb_memset() instead of memset(). fb_memset() is defined as +memset_io() for powerpc. + +Fixes: 8c8709334cec ("[PATCH] ppc32: Remove CONFIG_PMAC_PBOOK") +Reported-by: Stan Johnson +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/884a54f1e5cb774c1d9b4db780209bee5d4f6718.1631712563.git.christophe.leroy@csgroup.eu +Acked-by: Thomas Zimmermann +--- + drivers/video/fbdev/chipsfb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/chipsfb.c b/drivers/video/fbdev/chipsfb.c +index 998067b701fa0..393894af26f84 100644 +--- a/drivers/video/fbdev/chipsfb.c ++++ b/drivers/video/fbdev/chipsfb.c +@@ -331,7 +331,7 @@ static const struct fb_var_screeninfo chipsfb_var = { + + static void init_chips(struct fb_info *p, unsigned long addr) + { +- memset(p->screen_base, 0, 0x100000); ++ fb_memset(p->screen_base, 0, 0x100000); + + p->fix = chipsfb_fix; + p->fix.smem_start = addr; +-- +2.36.0 + diff --git a/patches.suse/0005-arm64-entry-Allow-tramp_alias-to-access-symbols-afte.patch b/patches.suse/0005-arm64-entry-Allow-tramp_alias-to-access-symbols-afte.patch new file mode 100644 index 0000000..0baa77a --- /dev/null +++ b/patches.suse/0005-arm64-entry-Allow-tramp_alias-to-access-symbols-afte.patch 
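Review bot: The clear length in `init_chips()` stays the bare literal `0x100000`, so the switch to `fb_memset()` still assumes at least 1 MiB is mapped behind `p->screen_base`. The size of that mapping is not visible in this hunk; if it is established in the probe path, deriving both from one named constant would keep the two from drifting apart. `init_chips()` continues past the hunk.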
@@ -0,0 +1,76 @@ +From ca9b0c7829a0f51beb1dd538274aaa72e5ff9ba3 Mon Sep 17 00:00:00 2001 +From: James Morse +Date: Mon, 28 Feb 2022 17:25:00 +0100 +Subject: [PATCH 05/22] arm64: entry: Allow tramp_alias to access symbols after + the 4K boundary + +Git-commit: 6c5bf79b69f911560fbf82214c0971af6e58e682 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: Queued in a subsystem tree +References: bsc#1191580 CVE-2022-0001 CVE-2022-000 CVE-2022-23960 + + +Systems using kpti enter and exit the kernel through a trampoline mapping +that is always mapped, even when the kernel is not. tramp_valias is a macro +to find the address of a symbol in the trampoline mapping. + +Adding extra sets of vectors will expand the size of the entry.tramp.text +section to beyond 4K. tramp_valias will be unable to generate addresses +for symbols beyond 4K as it uses the 12 bit immediate of the add +instruction. + +As there are now two registers available when tramp_alias is called, +use the extra register to avoid the 4K limit of the 12 bit immediate. + +Reviewed-by: Russell King (Oracle) +Reviewed-by: Catalin Marinas +Signed-off-by: James Morse +Signed-off-by: Matthias Brugger +--- + arch/arm64/kernel/entry.S | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S +index d7915e79778e0..fbbbed75565dd 100644 +--- a/arch/arm64/kernel/entry.S ++++ b/arch/arm64/kernel/entry.S +@@ -138,9 +138,12 @@ + .org .Lventry_start\@ + 128 // Did we overflow the ventry slot? + .endm + +- .macro tramp_alias, dst, sym ++ .macro tramp_alias, dst, sym, tmp + mov_q \dst, TRAMP_VALIAS +- add \dst, \dst, #(\sym - .entry.tramp.text) ++ adr_l \tmp, \sym ++ add \dst, \dst, \tmp ++ adr_l \tmp, .entry.tramp.text ++ sub \dst, \dst, \tmp + .endm + + // This macro corrupts x0-x3. 
It is the caller's duty +@@ -382,10 +385,10 @@ alternative_else_nop_endif + #ifdef CONFIG_UNMAP_KERNEL_AT_EL0 + bne 5f + msr far_el1, x29 +- tramp_alias x30, tramp_exit_native ++ tramp_alias x30, tramp_exit_native, x29 + br x30 + 5: +- tramp_alias x30, tramp_exit_compat ++ tramp_alias x30, tramp_exit_compat, x29 + br x30 + #endif + .else +@@ -1400,7 +1403,7 @@ alternative_if_not ARM64_UNMAP_KERNEL_AT_EL0 + alternative_else_nop_endif + + #ifdef CONFIG_UNMAP_KERNEL_AT_EL0 +- tramp_alias dst=x5, sym=__sdei_asm_exit_trampoline ++ tramp_alias dst=x5, sym=__sdei_asm_exit_trampoline, tmp=x3 + br x5 + #endif + ENDPROC(__sdei_asm_handler) +-- +2.34.1 + diff --git a/patches.suse/0005-parisc-sticon-fix-reverse-colors.patch b/patches.suse/0005-parisc-sticon-fix-reverse-colors.patch new file mode 100644 index 0000000..e803d3b --- /dev/null +++ b/patches.suse/0005-parisc-sticon-fix-reverse-colors.patch 
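Review bot: `tramp_alias` now overwrites its new `\tmp` argument, and the macro carries no comment saying so. At the two exit-path call sites `x29` is passed as scratch; on the native path it was just stashed with `msr far_el1, x29`, but at the `5:` compat label nothing in the hunk shows it being saved, so the reason it is dead there deserves a one-line comment. Suggested on the macro: `// Clobbers \tmp; pass a register that is dead or already saved.` The surrounding code starts and ends outside the hunks.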
@@ -0,0 +1,44 @@ +From bec05f33ebc1006899c6d3e59a00c58881fe7626 Mon Sep 17 00:00:00 2001 +From: Sven Schnelle +Date: Sun, 14 Nov 2021 17:08:17 +0100 +Subject: parisc/sticon: fix reverse colors +Git-commit: bec05f33ebc1006899c6d3e59a00c58881fe7626 +Patch-mainline: v5.16-rc2 +References: bsc#1129770 + +sticon_build_attr() checked the reverse argument and flipped +background and foreground color, but returned the non-reverse +value afterwards. Fix this and also add two local variables +for foreground and background color to make the code easier +to read. + +Signed-off-by: Sven Schnelle +Cc: +Signed-off-by: Helge Deller +Acked-by: Thomas Zimmermann +--- + drivers/video/console/sticon.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/video/console/sticon.c ++++ b/drivers/video/console/sticon.c +@@ -291,13 +291,13 @@ static unsigned long sticon_getxy(struct + static u8 sticon_build_attr(struct vc_data *conp, u8 color, u8 intens, + u8 blink, u8 underline, u8 reverse, u8 italic) + { +- u8 attr = ((color & 0x70) >> 1) | ((color & 7)); ++ u8 fg = color & 7; ++ u8 bg = (color & 0x70) >> 4; + +- if (reverse) { +- color = ((color >> 3) & 0x7) | ((color & 0x7) << 3); +- } +- +- return attr; ++ if (reverse) ++ return (fg << 3) | bg; ++ else ++ return (bg << 3) | fg; + } + + static void sticon_invert_region(struct vc_data *conp, u16 *p, int count) diff --git a/patches.suse/0006-arm64-entry-Don-t-assume-tramp_vectors-is-the-start-.patch b/patches.suse/0006-arm64-entry-Don-t-assume-tramp_vectors-is-the-start-.patch new file mode 100644 index 0000000..f0da33e --- /dev/null +++ b/patches.suse/0006-arm64-entry-Don-t-assume-tramp_vectors-is-the-start-.patch 
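Review bot: The rewritten `sticon_build_attr()` packs the attribute with bare literals (`7`, `0x70`, `>> 4`, `<< 3`) and no statement of the bit layout it reads or produces. A short comment would let the next reader verify it at a glance, for example `/* in: bg = color bits 6:4, fg = bits 2:0; out: bits 5:3 and 2:0, swapped when reverse */`. The `else` after `return` is also redundant; `return reverse ? (fg << 3) | bg : (bg << 3) | fg;` says the same thing.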
@@ -0,0 +1,89 @@ +From 4e9d42e63ad532371c2a889b279f86a1e80d3e04 Mon Sep 17 00:00:00 2001 +From: James Morse +Date: Wed, 24 Nov 2021 14:40:00 +0100 +Subject: [PATCH 06/22] arm64: entry: Don't assume tramp_vectors is the start + of the vectors + +Git-commit: ed50da7764535f1e24432ded289974f2bf2b0c5a +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: Queued in a subsystem tree +References: bsc#1191580 CVE-2022-0001 CVE-2022-000 CVE-2022-23960 + + +The tramp_ventry macro uses tramp_vectors as the address of the vectors +when calculating which ventry in the 'full fat' vectors to branch to. + +While there is one set of tramp_vectors, this will be true. +Adding multiple sets of vectors will break this assumption. + +Move the generation of the vectors to a macro, and pass the start +of the vectors as an argument to tramp_ventry. + +Reviewed-by: Russell King (Oracle) +Reviewed-by: Catalin Marinas +Signed-off-by: James Morse +Signed-off-by: Matthias Brugger +--- + arch/arm64/kernel/entry.S | 28 +++++++++++++++------------- + 1 file changed, 15 insertions(+), 13 deletions(-) + +diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S +index fbbbed75565dd..4428f778a6302 100644 +--- a/arch/arm64/kernel/entry.S ++++ b/arch/arm64/kernel/entry.S +@@ -1102,7 +1102,7 @@ alternative_else_nop_endif + sub \dst, \dst, PAGE_SIZE + .endm + +- .macro tramp_ventry, regsize = 64 ++ .macro tramp_ventry, vector_start, regsize + .align 7 + 1: + .if \regsize == 64 +@@ -1124,9 +1124,9 @@ alternative_insn isb, nop, ARM64_WORKAROUND_QCOM_FALKOR_E1003 + #else + ldr x30, =vectors + #endif +- prfm plil1strm, [x30, #(1b - tramp_vectors)] ++ prfm plil1strm, [x30, #(1b - \vector_start)] + msr vbar_el1, x30 +- add x30, x30, #(1b - tramp_vectors + 4) ++ add x30, x30, #(1b - \vector_start + 4) + isb + ret + .org 1b + 128 // Did we overflow the ventry slot? 
+@@ -1144,19 +1144,21 @@ alternative_insn isb, nop, ARM64_WORKAROUND_QCOM_FALKOR_E1003 + eret + .endm + +- .align 11 +-ENTRY(tramp_vectors) ++ .macro generate_tramp_vector ++.Lvector_start\@: + .space 0x400 + +- tramp_ventry +- tramp_ventry +- tramp_ventry +- tramp_ventry ++ .rept 4 ++ tramp_ventry .Lvector_start\@, 64 ++ .endr ++ .rept 4 ++ tramp_ventry .Lvector_start\@, 32 ++ .endr ++ .endm + +- tramp_ventry 32 +- tramp_ventry 32 +- tramp_ventry 32 +- tramp_ventry 32 ++ .align 11 ++ENTRY(tramp_vectors) ++ generate_tramp_vector + END(tramp_vectors) + + ENTRY(tramp_exit_native) +-- +2.34.1 + diff --git a/patches.suse/0007-arm64-entry-Move-trampoline-macros-out-of-ifdef-d-se.patch b/patches.suse/0007-arm64-entry-Move-trampoline-macros-out-of-ifdef-d-se.patch new file mode 100644 index 0000000..b314c23 --- /dev/null +++ b/patches.suse/0007-arm64-entry-Move-trampoline-macros-out-of-ifdef-d-se.patch 
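Review bot: `generate_tramp_vector` does not include the `.align 11` that used to sit directly above the vector body; the alignment now has to be supplied by each user of the macro, and only the `tramp_vectors` site is visible here. A user that forgets it would still assemble, so the requirement should be written on the macro, e.g. `// Caller must emit .align 11 before invoking this macro.` Dropping the `regsize = 64` default from `tramp_ventry` is fine provided no other user exists outside these hunks; one that does would fail to assemble rather than misbehave.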
@@ -0,0 +1,61 @@ +From 982a8d2ee1f63ad4cf4c0cc7456380e0addf49da Mon Sep 17 00:00:00 2001 +From: James Morse +Date: Thu, 18 Nov 2021 15:02:00 +0100 +Subject: [PATCH 07/22] arm64: entry: Move trampoline macros out of ifdef'd + section + +Git-commit: 13d7a08352a83ef2252aeb464a5e08dfc06b5dfd +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: Queued in a subsystem tree +References: bsc#1191580 CVE-2022-0001 CVE-2022-000 CVE-2022-23960 + + +The macros for building the kpti trampoline are all behind +CONFIG_UNMAP_KERNEL_AT_EL0, and in a region that outputs to the +.entry.tramp.text section. + +Move the macros out so they can be used to generate other kinds of +trampoline. Only the symbols need to be guarded by +CONFIG_UNMAP_KERNEL_AT_EL0 and appear in the .entry.tramp.text section. + +Reviewed-by: Russell King (Oracle) +Reviewed-by: Catalin Marinas +Signed-off-by: James Morse +Signed-off-by: Matthias Brugger +--- + arch/arm64/kernel/entry.S | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S +index 4428f778a6302..9ae4890f6ad3d 100644 +--- a/arch/arm64/kernel/entry.S ++++ b/arch/arm64/kernel/entry.S +@@ -1060,12 +1060,7 @@ __ni_sys_trace: + + .popsection // .entry.text + +-#ifdef CONFIG_UNMAP_KERNEL_AT_EL0 +-/* +- * Exception vectors trampoline. +- */ +- .pushsection ".entry.tramp.text", "ax" +- ++ // Move from tramp_pg_dir to swapper_pg_dir + .macro tramp_map_kernel, tmp + mrs \tmp, ttbr1_el1 + sub \tmp, \tmp, #(SWAPPER_DIR_SIZE + RESERVED_TTBR0_SIZE) +@@ -1156,6 +1151,11 @@ alternative_insn isb, nop, ARM64_WORKAROUND_QCOM_FALKOR_E1003 + .endr + .endm + ++#ifdef CONFIG_UNMAP_KERNEL_AT_EL0 ++/* ++ * Exception vectors trampoline. ++ */ ++ .pushsection ".entry.tramp.text", "ax" + .align 11 + ENTRY(tramp_vectors) + generate_tramp_vector +-- +2.34.1 + 
diff --git a/patches.suse/0008-arm64-entry-Make-the-kpti-trampoline-s-kpti-sequence.patch b/patches.suse/0008-arm64-entry-Make-the-kpti-trampoline-s-kpti-sequence.patch new file mode 100644 index 0000000..2b6668b --- /dev/null +++ b/patches.suse/0008-arm64-entry-Make-the-kpti-trampoline-s-kpti-sequence.patch 
@@ -0,0 +1,91 @@ +From eb43eb4b15697246fac975693dab32bb6ae29633 Mon Sep 17 00:00:00 2001 +From: James Morse +Date: Thu, 18 Nov 2021 14:16:00 +0100 +Subject: [PATCH 08/22] arm64: entry: Make the kpti trampoline's kpti sequence + optional + +Git-commit: c47e4d04ba0f1ea17353d85d45f611277507e07a +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: Queued in a subsystem tree +References: bsc#1191580 CVE-2022-0001 CVE-2022-000 CVE-2022-23960 + + +Spectre-BHB needs to add sequences to the vectors. Having one global +set of vectors is a problem for big/little systems where the sequence +is costly on cpus that are not vulnerable. + +Making the vectors per-cpu in the style of KVM's bh_harden_hyp_vecs +requires the vectors to be generated by macros. + +Make the kpti re-mapping of the kernel optional, so the macros can be +used without kpti. + +Reviewed-by: Russell King (Oracle) +Reviewed-by: Catalin Marinas +Signed-off-by: James Morse +Signed-off-by: Matthias Brugger +--- + arch/arm64/kernel/entry.S | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S +index 9ae4890f6ad3d..602c15a33fa8a 100644 +--- a/arch/arm64/kernel/entry.S ++++ b/arch/arm64/kernel/entry.S +@@ -1097,9 +1097,10 @@ alternative_else_nop_endif + sub \dst, \dst, PAGE_SIZE + .endm + +- .macro tramp_ventry, vector_start, regsize ++ .macro tramp_ventry, vector_start, regsize, kpti + .align 7 + 1: ++ .if \kpti == 1 + .if \regsize == 64 + msr tpidrro_el0, x30 // Restored in kernel_ventry + .endif +@@ -1121,8 +1122,12 @@ alternative_insn isb, nop, ARM64_WORKAROUND_QCOM_FALKOR_E1003 + #endif + prfm plil1strm, [x30, #(1b - \vector_start)] + msr vbar_el1, x30 +- add x30, x30, #(1b - \vector_start + 4) + isb ++ .else ++ ldr x30, =vectors ++ .endif // \kpti == 1 ++ ++ add x30, x30, #(1b - \vector_start + 4) + ret + .org 1b + 128 // Did we overflow the ventry slot? 
+ .endm +@@ -1139,15 +1144,15 @@ alternative_insn isb, nop, ARM64_WORKAROUND_QCOM_FALKOR_E1003 + eret + .endm + +- .macro generate_tramp_vector ++ .macro generate_tramp_vector, kpti + .Lvector_start\@: + .space 0x400 + + .rept 4 +- tramp_ventry .Lvector_start\@, 64 ++ tramp_ventry .Lvector_start\@, 64, \kpti + .endr + .rept 4 +- tramp_ventry .Lvector_start\@, 32 ++ tramp_ventry .Lvector_start\@, 32, \kpti + .endr + .endm + +@@ -1158,7 +1163,7 @@ alternative_insn isb, nop, ARM64_WORKAROUND_QCOM_FALKOR_E1003 + .pushsection ".entry.tramp.text", "ax" + .align 11 + ENTRY(tramp_vectors) +- generate_tramp_vector ++ generate_tramp_vector kpti=1 + END(tramp_vectors) + + ENTRY(tramp_exit_native) +-- +2.34.1 + diff --git a/patches.suse/0008-video-fbdev-smscufx-Fix-null-ptr-deref-in-ufx_usb_pr.patch b/patches.suse/0008-video-fbdev-smscufx-Fix-null-ptr-deref-in-ufx_usb_pr.patch new file mode 100644 index 0000000..0cb6043 --- /dev/null +++ b/patches.suse/0008-video-fbdev-smscufx-Fix-null-ptr-deref-in-ufx_usb_pr.patch 
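Review bot: In this version of `tramp_ventry` the `msr tpidrro_el0, x30` save sits inside `.if \kpti == 1`, so a `kpti=0` expansion would run `ldr x30, =vectors` without having stashed x30 first. Nothing in this patch instantiates `kpti=0`, and patch 0010 later moves the `.if \kpti == 1` below the save, so the series ends up consistent, but the intermediate state is a trap for bisection or a partial backport. Placing `.if \kpti == 1` after the `.if \regsize == 64 ... .endif` block in this patch would make it correct on its own. `\kpti` also has no default value, so any user of the macros outside these hunks needs the argument added.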
@@ -0,0 +1,61 @@ +From 1791f487f877a9e83d81c8677bd3e7b259e7cb27 Mon Sep 17 00:00:00 2001 +From: Wang Hai +Date: Thu, 14 Oct 2021 21:22:31 +0800 +Subject: video: fbdev: smscufx: Fix null-ptr-deref in ufx_usb_probe() +Git-commit: 1791f487f877a9e83d81c8677bd3e7b259e7cb27 +Patch-mainline: v5.18-rc1 +References: bsc#1129770 + +I got a null-ptr-deref report: + +BUG: kernel NULL pointer dereference, address: 0000000000000000 +... +RIP: 0010:fb_destroy_modelist+0x38/0x100 +... +Call Trace: + ufx_usb_probe.cold+0x2b5/0xac1 [smscufx] + usb_probe_interface+0x1aa/0x3c0 [usbcore] + really_probe+0x167/0x460 +... + ret_from_fork+0x1f/0x30 + +If fb_alloc_cmap() fails in ufx_usb_probe(), fb_destroy_modelist() will +be called to destroy modelist in the error handling path. But modelist +has not been initialized yet, so it will result in null-ptr-deref. + +Initialize modelist before calling fb_alloc_cmap() to fix this bug. + +Fixes: 3c8a63e22a08 ("Add support for SMSC UFX6000/7000 USB display adapters") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Acked-by: Thomas Zimmermann +Signed-off-by: Helge Deller +Acked-by: Thomas Zimmermann +--- + drivers/video/fbdev/smscufx.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/video/fbdev/smscufx.c b/drivers/video/fbdev/smscufx.c +index bfac3ee4a6422..28768c272b73d 100644 +--- a/drivers/video/fbdev/smscufx.c ++++ b/drivers/video/fbdev/smscufx.c +@@ -1656,6 +1656,7 @@ static int ufx_usb_probe(struct usb_interface *interface, + info->par = dev; + info->pseudo_palette = dev->pseudo_palette; + info->fbops = &ufx_ops; ++ INIT_LIST_HEAD(&info->modelist); + + retval = fb_alloc_cmap(&info->cmap, 256, 0); + if (retval < 0) { +@@ -1666,8 +1667,6 @@ static int ufx_usb_probe(struct usb_interface *interface, + INIT_DELAYED_WORK(&dev->free_framebuffer_work, + ufx_free_framebuffer_work); + +- INIT_LIST_HEAD(&info->modelist); +- + retval = ufx_reg_read(dev, 0x3000, &id_rev); + check_warn_goto_error(retval, "error %d 
reading 0x3000 register from device", retval); + dev_dbg(dev->gdev, "ID_REV register value 0x%08x", id_rev); +-- +2.36.0 + diff --git a/patches.suse/0009-arm64-entry-Allow-the-trampoline-text-to-occupy-mult.patch b/patches.suse/0009-arm64-entry-Allow-the-trampoline-text-to-occupy-mult.patch new file mode 100644 index 0000000..0befa6a --- /dev/null +++ b/patches.suse/0009-arm64-entry-Allow-the-trampoline-text-to-occupy-mult.patch 
@@ -0,0 +1,109 @@ +From 42241e78a503d0f7144baaac2a5266f4a82f4dca Mon Sep 17 00:00:00 2001 +From: James Morse +Date: Mon, 28 Feb 2022 17:27:00 +0100 +Subject: [PATCH 09/22] arm64: entry: Allow the trampoline text to occupy + multiple pages + +Git-commit: a9c406e6462ff14956d690de7bbe5131a5677dc9 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: Queued in a subsystem tree +References: bsc#1191580 CVE-2022-0001 CVE-2022-000 CVE-2022-23960 + + +Adding a second set of vectors to .entry.tramp.text will make it +larger than a single 4K page. + +Allow the trampoline text to occupy up to three pages by adding two +more fixmap slots. Previous changes to tramp_valias allowed it to reach +beyond a single page. + +Reviewed-by: Catalin Marinas +Signed-off-by: James Morse +Signed-off-by: Matthias Brugger +--- + arch/arm64/include/asm/fixmap.h | 6 ++++-- + arch/arm64/include/asm/sections.h | 5 +++++ + arch/arm64/kernel/entry.S | 2 +- + arch/arm64/kernel/vmlinux.lds.S | 2 +- + arch/arm64/mm/mmu.c | 11 ++++++++--- + 5 files changed, 19 insertions(+), 7 deletions(-) + +--- a/arch/arm64/include/asm/fixmap.h ++++ b/arch/arm64/include/asm/fixmap.h +@@ -59,9 +59,11 @@ enum fixed_addresses { + #endif /* CONFIG_ACPI_APEI_GHES */ + + #ifdef CONFIG_UNMAP_KERNEL_AT_EL0 +- FIX_ENTRY_TRAMP_TEXT, ++ FIX_ENTRY_TRAMP_TEXT3, ++ FIX_ENTRY_TRAMP_TEXT2, ++ FIX_ENTRY_TRAMP_TEXT1, + FIX_ENTRY_TRAMP_DATA, +-#define TRAMP_VALIAS (__fix_to_virt(FIX_ENTRY_TRAMP_TEXT)) ++#define TRAMP_VALIAS (__fix_to_virt(FIX_ENTRY_TRAMP_TEXT1)) + #endif /* CONFIG_UNMAP_KERNEL_AT_EL0 */ + __end_of_permanent_fixed_addresses, + +--- a/arch/arm64/include/asm/sections.h ++++ b/arch/arm64/include/asm/sections.h +@@ -30,4 +30,9 @@ extern char __irqentry_text_start[], __i + extern char __mmuoff_data_start[], __mmuoff_data_end[]; + extern char __entry_tramp_text_start[], __entry_tramp_text_end[]; + ++static inline size_t entry_tramp_text_size(void) ++{ ++ return __entry_tramp_text_end - 
__entry_tramp_text_start; ++} ++ + #endif /* __ASM_SECTIONS_H */ +--- a/arch/arm64/kernel/entry.S ++++ b/arch/arm64/kernel/entry.S +@@ -1093,7 +1093,7 @@ alternative_else_nop_endif + .endm + + .macro tramp_data_page dst +- adr \dst, .entry.tramp.text ++ adr_l \dst, .entry.tramp.text + sub \dst, \dst, PAGE_SIZE + .endm + +--- a/arch/arm64/kernel/vmlinux.lds.S ++++ b/arch/arm64/kernel/vmlinux.lds.S +@@ -251,7 +251,7 @@ ASSERT(__hibernate_exit_text_end - (__hi + <= SZ_4K, "Hibernate exit text too big or misaligned") + #endif + #ifdef CONFIG_UNMAP_KERNEL_AT_EL0 +-ASSERT((__entry_tramp_text_end - __entry_tramp_text_start) == PAGE_SIZE, ++ASSERT((__entry_tramp_text_end - __entry_tramp_text_start) <= 3*PAGE_SIZE, + "Entry trampoline text too big") + #endif + /* +--- a/arch/arm64/mm/mmu.c ++++ b/arch/arm64/mm/mmu.c +@@ -529,6 +529,7 @@ early_param("rodata", parse_rodata); + #ifdef CONFIG_UNMAP_KERNEL_AT_EL0 + static int __init map_entry_trampoline(void) + { ++ int i; + pgprot_t prot = rodata_enabled ? PAGE_KERNEL_ROX : PAGE_KERNEL_EXEC; + phys_addr_t pa_start = __pa_symbol(__entry_tramp_text_start); + +@@ -537,11 +538,15 @@ static int __init map_entry_trampoline(v + + /* Map only the text into the trampoline page table */ + memset(tramp_pg_dir, 0, PGD_SIZE); +- __create_pgd_mapping(tramp_pg_dir, pa_start, TRAMP_VALIAS, PAGE_SIZE, +- prot, pgd_pgtable_alloc, 0); ++ __create_pgd_mapping(tramp_pg_dir, pa_start, TRAMP_VALIAS, ++ entry_tramp_text_size(), prot, pgd_pgtable_alloc, ++ 0); + + /* Map both the text and data into the kernel page table */ +- __set_fixmap(FIX_ENTRY_TRAMP_TEXT, pa_start, prot); ++ for (i = 0; i < DIV_ROUND_UP(entry_tramp_text_size(), PAGE_SIZE); i++) ++ __set_fixmap(FIX_ENTRY_TRAMP_TEXT1 - i, ++ pa_start + i * PAGE_SIZE, prot); ++ + if (IS_ENABLED(CONFIG_RANDOMIZE_BASE)) { + extern char __entry_tramp_data_start[]; + 
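Review bot: The fixmap loop in `map_entry_trampoline()` indexes `FIX_ENTRY_TRAMP_TEXT1 - i` with a bound computed from the section size, while the number of slots is fixed at three in `fixmap.h`; the only thing tying the two together is the `<= 3*PAGE_SIZE` linker ASSERT in `vmlinux.lds.S`. If that ASSERT is ever relaxed without adding slots, the loop would write fixmap entries that come before `FIX_ENTRY_TRAMP_TEXT3` in the enum. A comment at the loop, e.g. `/* page count is capped by the ASSERT in vmlinux.lds.S; keep in sync with FIX_ENTRY_TRAMP_TEXT1..3 */`, would make the coupling visible. `i` is also an `int` compared against a `size_t`-derived expression; declaring it unsigned avoids the mixed-sign comparison. The function continues outside the hunk.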
diff --git a/patches.suse/0009-video-fbdev-atmel_lcdfb-fix-an-error-code-in-atmel_l.patch b/patches.suse/0009-video-fbdev-atmel_lcdfb-fix-an-error-code-in-atmel_l.patch new file mode 100644 index 0000000..31b07b4 --- /dev/null +++ b/patches.suse/0009-video-fbdev-atmel_lcdfb-fix-an-error-code-in-atmel_l.patch @@ -0,0 +1,30 @@ +From fee5c1e4b789e41719af9fee0e2dd397cd31988f Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 3 Dec 2021 12:58:08 +0300 +Subject: video: fbdev: atmel_lcdfb: fix an error code in atmel_lcdfb_probe() +Git-commit: fee5c1e4b789e41719af9fee0e2dd397cd31988f +Patch-mainline: v5.18-rc1 +References: bsc#1129770 + +If "sinfo->config" is not found, then return -ENODEV. Don't +return success. + +Fixes: b985172b328a ("video: atmel_lcdfb: add device tree suport") +Signed-off-by: Dan Carpenter +Acked-by: Nicolas Ferre +Signed-off-by: Helge Deller +Acked-by: Thomas Zimmermann +--- + drivers/video/fbdev/atmel_lcdfb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/video/fbdev/atmel_lcdfb.c ++++ b/drivers/video/fbdev/atmel_lcdfb.c +@@ -1211,6 +1211,7 @@ static int __init atmel_lcdfb_probe(stru + goto free_info; + } + ++ ret = -ENODEV; + if (!sinfo->config) + goto free_info; + diff --git a/patches.suse/0010-arm64-entry-Add-non-kpti-__bp_harden_el1_vectors-for.patch b/patches.suse/0010-arm64-entry-Add-non-kpti-__bp_harden_el1_vectors-for.patch new file mode 100644 index 0000000..8bd8f07 --- /dev/null +++ b/patches.suse/0010-arm64-entry-Add-non-kpti-__bp_harden_el1_vectors-for.patch 
@@ -0,0 +1,87 @@ +From 5295135bbeba8f5ffc80d31a148e4e62f2c940cd Mon Sep 17 00:00:00 2001 +From: James Morse +Date: Mon, 28 Feb 2022 17:29:00 +0100 +Subject: [PATCH 10/22] arm64: entry: Add non-kpti __bp_harden_el1_vectors for + mitigations + +Git-commit: aff65393fa1401e034656e349abd655cfe272de0 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: Queued in a subsystem tree +References: bsc#1191580 CVE-2022-0001 CVE-2022-000 CVE-2022-23960 + + +kpti is an optional feature, for systems not using kpti a set of +vectors for the spectre-bhb mitigations is needed. + +Add another set of vectors, __bp_harden_el1_vectors, that will be +used if a mitigation is needed and kpti is not in use. + +The EL1 ventries are repeated verbatim as there is no additional +work needed for entry from EL1. + +Reviewed-by: Russell King (Oracle) +Reviewed-by: Catalin Marinas +Signed-off-by: James Morse +Signed-off-by: Matthias Brugger +--- + arch/arm64/kernel/entry.S | 34 +++++++++++++++++++++++++++++++++- + 1 file changed, 33 insertions(+), 1 deletion(-) + +diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S +index 26c15a90e5e70..53a1ca9faec55 100644 +--- a/arch/arm64/kernel/entry.S ++++ b/arch/arm64/kernel/entry.S +@@ -1100,10 +1100,11 @@ alternative_else_nop_endif + .macro tramp_ventry, vector_start, regsize, kpti + .align 7 + 1: +- .if \kpti == 1 + .if \regsize == 64 + msr tpidrro_el0, x30 // Restored in kernel_ventry + .endif ++ ++ .if \kpti == 1 + /* + * Defend against branch aliasing attacks by pushing a dummy + * entry onto the return stack and using a RET instruction to +@@ -1186,6 +1187,37 @@ __entry_tramp_data_start: + #endif /* CONFIG_RANDOMIZE_BASE */ + #endif /* CONFIG_UNMAP_KERNEL_AT_EL0 */ + ++/* ++ * Exception vectors for spectre mitigations on entry from EL1 when ++ * kpti is not in use. 
++ */ ++ .macro generate_el1_vector ++.Lvector_start\@: ++ kernel_ventry 1, sync_invalid // Synchronous EL1t ++ kernel_ventry 1, irq_invalid // IRQ EL1t ++ kernel_ventry 1, fiq_invalid // FIQ EL1t ++ kernel_ventry 1, error_invalid // Error EL1t ++ ++ kernel_ventry 1, sync // Synchronous EL1h ++ kernel_ventry 1, irq // IRQ EL1h ++ kernel_ventry 1, fiq_invalid // FIQ EL1h ++ kernel_ventry 1, error_invalid // Error EL1h ++ ++ .rept 4 ++ tramp_ventry .Lvector_start\@, 64, kpti=0 ++ .endr ++ .rept 4 ++ tramp_ventry .Lvector_start\@, 32, kpti=0 ++ .endr ++ .endm ++ ++ .pushsection ".entry.text", "ax" ++ .align 11 ++ENTRY(__bp_harden_el1_vectors) ++ generate_el1_vector ++END(__bp_harden_el1_vectors) ++ .popsection ++ + /* + * Special system call wrappers. + */ +-- +2.34.1 + diff --git a/patches.suse/0010-video-fbdev-fbcvt.c-fix-printing-in-fb_cvt_print_nam.patch b/patches.suse/0010-video-fbdev-fbcvt.c-fix-printing-in-fb_cvt_print_nam.patch new file mode 100644 index 0000000..fd4bdeb --- /dev/null +++ b/patches.suse/0010-video-fbdev-fbcvt.c-fix-printing-in-fb_cvt_print_nam.patch 
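Review bot: The new block comment describes the vectors as being for mitigations "on entry from EL1", but in `generate_el1_vector` the eight EL1t/EL1h slots are plain `kernel_ventry` copies and only the following eight slots go through `tramp_ventry ... kpti=0`, which is what the commit message describes. Rewording it along the lines of `/* Vectors for spectre mitigations when kpti is not in use: EL1 entries are unchanged, the remaining entries go via tramp_ventry. */` would stop readers looking for mitigation code in the EL1 slots. The two `.rept` blocks could also carry per-group slot comments like the first eight lines do.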
@@ -0,0 +1,110 @@ +From 78482af095abd9f4f29f1aa3fe575d25c6ae3028 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Thu, 16 Sep 2021 16:29:19 +0300 +Subject: video: fbdev: fbcvt.c: fix printing in fb_cvt_print_name() +Git-commit: 78482af095abd9f4f29f1aa3fe575d25c6ae3028 +Patch-mainline: v5.18-rc1 +References: bsc#1129770 + +This code has two bugs: +1) "cnt" is 255 but the size of the buffer is 256 so the last byte is + not used. +2) If we try to print more than 255 characters then "cnt" will be + negative and that will trigger a WARN() in snprintf(). The fix for + this is to use scnprintf() instead of snprintf(). + +We can re-write this code to be cleaner: +1) Rename "offset" to "off" because that's shorter. +2) Get rid of the "cnt" variable and just use "size - off" directly. +3) Get rid of the "read" variable and just increment "off" directly. + +Fixes: 96fe6a2109db ("fbdev: Add VESA Coordinated Video Timings (CVT) support") +Signed-off-by: Dan Carpenter +Signed-off-by: Helge Deller +Acked-by: Thomas Zimmermann +--- + drivers/video/fbdev/core/fbcvt.c | 53 +++++++++++++------------------- + 1 file changed, 21 insertions(+), 32 deletions(-) + +diff --git a/drivers/video/fbdev/core/fbcvt.c b/drivers/video/fbdev/core/fbcvt.c +index 55d2bd0ce5c02..64843464c6613 100644 +--- a/drivers/video/fbdev/core/fbcvt.c ++++ b/drivers/video/fbdev/core/fbcvt.c +@@ -214,9 +214,11 @@ static u32 fb_cvt_aspect_ratio(struct fb_cvt_data *cvt) + static void fb_cvt_print_name(struct fb_cvt_data *cvt) + { + u32 pixcount, pixcount_mod; +- int cnt = 255, offset = 0, read = 0; +- u8 *buf = kzalloc(256, GFP_KERNEL); ++ int size = 256; ++ int off = 0; ++ u8 *buf; + ++ buf = kzalloc(size, GFP_KERNEL); + if (!buf) + return; + +@@ -224,43 +226,30 @@ static void fb_cvt_print_name(struct fb_cvt_data *cvt) + pixcount_mod = (cvt->xres * (cvt->yres/cvt->interlace)) % 1000000; + pixcount_mod /= 1000; + +- read = snprintf(buf+offset, cnt, "fbcvt: %dx%d@%d: CVT Name - ", +- cvt->xres, cvt->yres, 
cvt->refresh); +- offset += read; +- cnt -= read; ++ off += scnprintf(buf + off, size - off, "fbcvt: %dx%d@%d: CVT Name - ", ++ cvt->xres, cvt->yres, cvt->refresh); + +- if (cvt->status) +- snprintf(buf+offset, cnt, "Not a CVT standard - %d.%03d Mega " +- "Pixel Image\n", pixcount, pixcount_mod); +- else { +- if (pixcount) { +- read = snprintf(buf+offset, cnt, "%d", pixcount); +- cnt -= read; +- offset += read; +- } ++ if (cvt->status) { ++ off += scnprintf(buf + off, size - off, ++ "Not a CVT standard - %d.%03d Mega Pixel Image\n", ++ pixcount, pixcount_mod); ++ } else { ++ if (pixcount) ++ off += scnprintf(buf + off, size - off, "%d", pixcount); + +- read = snprintf(buf+offset, cnt, ".%03dM", pixcount_mod); +- cnt -= read; +- offset += read; ++ off += scnprintf(buf + off, size - off, ".%03dM", pixcount_mod); + + if (cvt->aspect_ratio == 0) +- read = snprintf(buf+offset, cnt, "3"); ++ off += scnprintf(buf + off, size - off, "3"); + else if (cvt->aspect_ratio == 3) +- read = snprintf(buf+offset, cnt, "4"); ++ off += scnprintf(buf + off, size - off, "4"); + else if (cvt->aspect_ratio == 1 || cvt->aspect_ratio == 4) +- read = snprintf(buf+offset, cnt, "9"); ++ off += scnprintf(buf + off, size - off, "9"); + else if (cvt->aspect_ratio == 2) +- read = snprintf(buf+offset, cnt, "A"); +- else +- read = 0; +- cnt -= read; +- offset += read; +- +- if (cvt->flags & FB_CVT_FLAG_REDUCED_BLANK) { +- read = snprintf(buf+offset, cnt, "-R"); +- cnt -= read; +- offset += read; +- } ++ off += scnprintf(buf + off, size - off, "A"); ++ ++ if (cvt->flags & FB_CVT_FLAG_REDUCED_BLANK) ++ off += scnprintf(buf + off, size - off, "-R"); + } + + printk(KERN_INFO "%s\n", buf); +-- +2.36.0 + diff --git a/patches.suse/0011-arm64-entry-Add-vectors-that-have-the-bhb-mitigation.patch b/patches.suse/0011-arm64-entry-Add-vectors-that-have-the-bhb-mitigation.patch new file mode 100644 index 0000000..e5d9262 --- /dev/null 
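Review bot: In the `cvt->status` branch of fb_cvt_print_name() the format string still ends in `\n`, and the final `printk(KERN_INFO "%s\n", buf)` appends a second one, so that path appears to log an extra empty line. Dropping the trailing newline, `"Not a CVT standard - %d.%03d Mega Pixel Image"`, would make both branches consistent. Separately, a one-line comment such as `/* scnprintf() returns the bytes actually written, so off never exceeds size - 1 */` above the first call would record why the bounded variant is required here. The end of the function lies outside the hunk.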
+++ b/patches.suse/0011-arm64-entry-Add-vectors-that-have-the-bhb-mitigation.patch 
@@ -0,0 +1,259 @@ +From 5d0e3c2cb096b3d28a77609b7900d5bcd784bae0 Mon Sep 17 00:00:00 2001 +From: James Morse +Date: Thu, 18 Nov 2021 14:59:00 +0100 +Subject: [PATCH 11/22] arm64: entry: Add vectors that have the bhb mitigation + sequences + +Git-commit: ba2689234be92024e5635d30fe744f4853ad97db +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: Queued in a subsystem tree +References: bsc#1191580 CVE-2022-0001 CVE-2022-000 CVE-2022-23960 + + +Some CPUs affected by Spectre-BHB need a sequence of branches, or a +firmware call to be run before any indirect branch. This needs to go +in the vectors. No CPU needs both. + +While this can be patched in, it would run on all CPUs as there is a +single set of vectors. If only one part of a big/little combination is +affected, the unaffected CPUs have to run the mitigation too. + +Create extra vectors that include the sequence. Subsequent patches will +allow affected CPUs to select this set of vectors. Later patches will +modify the loop count to match what the CPU requires. + +Reviewed-by: Catalin Marinas +Signed-off-by: James Morse +Signed-off-by: Matthias Brugger +--- + arch/arm64/include/asm/assembler.h | 25 ++++++++++++++ + arch/arm64/include/asm/vectors.h | 34 +++++++++++++++++++ + arch/arm64/kernel/entry.S | 53 +++++++++++++++++++++++++----- + include/linux/arm-smccc.h | 7 ++++ + 4 files changed, 110 insertions(+), 9 deletions(-) + create mode 100644 arch/arm64/include/asm/vectors.h + +diff --git a/arch/arm64/include/asm/assembler.h b/arch/arm64/include/asm/assembler.h +index 057cd725824d1..5c50a5df8f6e9 100644 +--- a/arch/arm64/include/asm/assembler.h ++++ b/arch/arm64/include/asm/assembler.h +@@ -574,4 +574,29 @@ USER(\label, ic ivau, \tmp2) // invalidate I line PoU + #endif + .endm + ++ .macro __mitigate_spectre_bhb_loop tmp ++#ifdef CONFIG_MITIGATE_SPECTRE_BRANCH_HISTORY ++ mov \tmp, #32 ++.Lspectre_bhb_loop\@: ++ b . 
+ 4 ++ subs \tmp, \tmp, #1 ++ b.ne .Lspectre_bhb_loop\@ ++ dsb nsh ++ isb ++#endif /* CONFIG_MITIGATE_SPECTRE_BRANCH_HISTORY */ ++ .endm ++ ++ /* Save/restores x0-x3 to the stack */ ++ .macro __mitigate_spectre_bhb_fw ++#ifdef CONFIG_MITIGATE_SPECTRE_BRANCH_HISTORY ++ stp x0, x1, [sp, #-16]! ++ stp x2, x3, [sp, #-16]! ++ mov w0, #ARM_SMCCC_ARCH_WORKAROUND_3 ++alternative_cb arm64_update_smccc_conduit ++ nop // Patched to SMC/HVC #0 ++alternative_cb_end ++ ldp x2, x3, [sp], #16 ++ ldp x0, x1, [sp], #16 ++#endif /* CONFIG_MITIGATE_SPECTRE_BRANCH_HISTORY */ ++ .endm + #endif /* __ASM_ASSEMBLER_H */ +diff --git a/arch/arm64/include/asm/vectors.h b/arch/arm64/include/asm/vectors.h +new file mode 100644 +index 0000000000000..bac53fad037dc +--- /dev/null ++++ b/arch/arm64/include/asm/vectors.h +@@ -0,0 +1,34 @@ ++/* SPDX-License-Identifier: GPL-2.0-only */ ++/* ++ * Copyright (C) 2022 ARM Ltd. ++ */ ++#ifndef __ASM_VECTORS_H ++#define __ASM_VECTORS_H ++ ++/* ++ * Note: the order of this enum corresponds to two arrays in entry.S: ++ * tramp_vecs and __bp_harden_el1_vectors. By default the canonical ++ * 'full fat' vectors are used directly. ++ */ ++enum arm64_bp_harden_el1_vectors { ++#ifdef CONFIG_MITIGATE_SPECTRE_BRANCH_HISTORY ++ /* ++ * Perform the BHB loop mitigation, before branching to the canonical ++ * vectors. ++ */ ++ EL1_VECTOR_BHB_LOOP, ++ ++ /* ++ * Make the SMC call for firmware mitigation, before branching to the ++ * canonical vectors. ++ */ ++ EL1_VECTOR_BHB_FW, ++#endif /* CONFIG_MITIGATE_SPECTRE_BRANCH_HISTORY */ ++ ++ /* ++ * Remap the kernel before branching to the canonical vectors. 
++ */ ++ EL1_VECTOR_KPTI, +++}; ++ ++#endif /* __ASM_VECTORS_H */ +diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S +index 53a1ca9faec55..b02d149d30cda 100644 +--- a/arch/arm64/kernel/entry.S ++++ b/arch/arm64/kernel/entry.S +@@ -1097,13 +1097,26 @@ alternative_else_nop_endif + sub \dst, \dst, PAGE_SIZE + .endm + +- .macro tramp_ventry, vector_start, regsize, kpti ++ ++#define BHB_MITIGATION_NONE 0 ++#define BHB_MITIGATION_LOOP 1 ++#define BHB_MITIGATION_FW 2 ++ ++ .macro tramp_ventry, vector_start, regsize, kpti, bhb + .align 7 + 1: + .if \regsize == 64 + msr tpidrro_el0, x30 // Restored in kernel_ventry + .endif + ++ .if \bhb == BHB_MITIGATION_LOOP ++ /* ++ * This sequence must appear before the first indirect branch. i.e. the ++ * ret out of tramp_ventry. It appears here because x30 is free. ++ */ ++ __mitigate_spectre_bhb_loop x30 ++ .endif // \bhb == BHB_MITIGATION_LOOP ++ + .if \kpti == 1 + /* + * Defend against branch aliasing attacks by pushing a dummy +@@ -1128,6 +1141,15 @@ alternative_insn isb, nop, ARM64_WORKAROUND_QCOM_FALKOR_E1003 + ldr x30, =vectors + .endif // \kpti == 1 + ++ .if \bhb == BHB_MITIGATION_FW ++ /* ++ * The firmware sequence must appear before the first indirect branch. ++ * i.e. the ret out of tramp_ventry. But it also needs the stack to be ++ * mapped to save/restore the registers the SMC clobbers. ++ */ ++ __mitigate_spectre_bhb_fw ++ .endif // \bhb == BHB_MITIGATION_FW ++ + add x30, x30, #(1b - \vector_start + 4) + ret + .org 1b + 128 // Did we overflow the ventry slot? 
+@@ -1135,6 +1157,9 @@ alternative_insn isb, nop, ARM64_WORKAROUND_QCOM_FALKOR_E1003 + + .macro tramp_exit, regsize = 64 + adr x30, tramp_vectors ++#ifdef CONFIG_MITIGATE_SPECTRE_BRANCH_HISTORY ++ add x30, x30, SZ_4K ++#endif + msr vbar_el1, x30 + ldr lr, [sp, #S_LR] + tramp_unmap_kernel x29 +@@ -1145,26 +1170,32 @@ alternative_insn isb, nop, ARM64_WORKAROUND_QCOM_FALKOR_E1003 + eret + .endm + +- .macro generate_tramp_vector, kpti ++ .macro generate_tramp_vector, kpti, bhb + .Lvector_start\@: + .space 0x400 + + .rept 4 +- tramp_ventry .Lvector_start\@, 64, \kpti ++ tramp_ventry .Lvector_start\@, 64, \kpti, \bhb + .endr + .rept 4 +- tramp_ventry .Lvector_start\@, 32, \kpti ++ tramp_ventry .Lvector_start\@, 32, \kpti, \bhb + .endr + .endm + + #ifdef CONFIG_UNMAP_KERNEL_AT_EL0 + /* + * Exception vectors trampoline. ++ * The order must match __bp_harden_el1_vectors and the ++ * arm64_bp_harden_el1_vectors enum. + */ + .pushsection ".entry.tramp.text", "ax" + .align 11 + ENTRY(tramp_vectors) +- generate_tramp_vector kpti=1 ++#ifdef CONFIG_MITIGATE_SPECTRE_BRANCH_HISTORY ++ generate_tramp_vector kpti=1, bhb=BHB_MITIGATION_LOOP ++ generate_tramp_vector kpti=1, bhb=BHB_MITIGATION_FW ++#endif /* CONFIG_MITIGATE_SPECTRE_BRANCH_HISTORY */ ++ generate_tramp_vector kpti=1, bhb=BHB_MITIGATION_NONE + END(tramp_vectors) + + ENTRY(tramp_exit_native) +@@ -1191,7 +1222,7 @@ __entry_tramp_data_start: + * Exception vectors for spectre mitigations on entry from EL1 when + * kpti is not in use. 
+ */ +- .macro generate_el1_vector ++ .macro generate_el1_vector, bhb + .Lvector_start\@: + kernel_ventry 1, sync_invalid // Synchronous EL1t + kernel_ventry 1, irq_invalid // IRQ EL1t +@@ -1204,17 +1235,21 @@ __entry_tramp_data_start: + kernel_ventry 1, error_invalid // Error EL1h + + .rept 4 +- tramp_ventry .Lvector_start\@, 64, kpti=0 ++ tramp_ventry .Lvector_start\@, 64, 0, \bhb + .endr + .rept 4 +- tramp_ventry .Lvector_start\@, 32, kpti=0 ++ tramp_ventry .Lvector_start\@, 32, 0, \bhb + .endr + .endm + ++/* The order must match tramp_vecs and the arm64_bp_harden_el1_vectors enum. */ + .pushsection ".entry.text", "ax" + .align 11 + ENTRY(__bp_harden_el1_vectors) +- generate_el1_vector ++#ifdef CONFIG_MITIGATE_SPECTRE_BRANCH_HISTORY ++ generate_el1_vector bhb=BHB_MITIGATION_LOOP ++ generate_el1_vector bhb=BHB_MITIGATION_FW ++#endif /* CONFIG_MITIGATE_SPECTRE_BRANCH_HISTORY */ + END(__bp_harden_el1_vectors) + .popsection + +diff --git a/include/linux/arm-smccc.h b/include/linux/arm-smccc.h +index ca1d2cc2cdfa0..6f354ab0e8755 100644 +--- a/include/linux/arm-smccc.h ++++ b/include/linux/arm-smccc.h +@@ -85,6 +85,13 @@ + ARM_SMCCC_SMC_32, \ + 0, 0x7fff) + ++#define ARM_SMCCC_ARCH_WORKAROUND_3 \ ++ ARM_SMCCC_CALL_VAL(ARM_SMCCC_FAST_CALL, \ ++ ARM_SMCCC_SMC_32, \ ++ 0, 0x3fff) ++ ++#define SMCCC_ARCH_WORKAROUND_RET_UNAFFECTED 1 ++ + #ifndef __ASSEMBLY__ + + #include +-- +2.34.1 + diff --git a/patches.suse/0011-video-fbdev-atari-Atari-2-bpp-STe-palette-bugfix.patch b/patches.suse/0011-video-fbdev-atari-Atari-2-bpp-STe-palette-bugfix.patch new file mode 100644 index 0000000..9d6bd9d --- /dev/null +++ b/patches.suse/0011-video-fbdev-atari-Atari-2-bpp-STe-palette-bugfix.patch 
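Review bot: The new arch/arm64/include/asm/vectors.h closes `enum arm64_bp_harden_el1_vectors` with `+};`, because the added line carries one `+` too many, so the header will not compile as soon as C code includes it. Patch 0013 later in this diff replaces that line with `};`, which means the series only builds cleanly from that point on. The closing line should be `};` in this patch to keep each step bisectable. The two "order must match" comments also refer to `tramp_vecs`, while the symbol defined in entry.S in this hunk is `tramp_vectors`.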
@@ -0,0 +1,66 @@ +From c8be5edbd36ceed2ff3d6b8f8e40643c3f396ea3 Mon Sep 17 00:00:00 2001 +From: Michael Schmitz +Date: Wed, 16 Feb 2022 20:26:25 +1300 +Subject: video: fbdev: atari: Atari 2 bpp (STe) palette bugfix +Git-commit: c8be5edbd36ceed2ff3d6b8f8e40643c3f396ea3 +Patch-mainline: v5.18-rc1 +References: bsc#1129770 + +The code to set the shifter STe palette registers has a long +standing operator precedence bug, manifesting as colors set +on a 2 bits per pixel frame buffer coming up with a distinctive +blue tint. + +Add parentheses around the calculation of the per-color palette +data before shifting those into their respective bit field position. + +This bug goes back a long way (2.4 days at the very least) so there +won't be a Fixes: tag. + +Tested on ARAnyM as well on Falcon030 hardware. + +Cc: stable@vger.kernel.org +Reported-by: Geert Uytterhoeven +Link: https://lore.kernel.org/all/CAMuHMdU3ievhXxKR_xi_v3aumnYW7UNUO6qMdhgfyWTyVSsCkQ@mail.gmail.com +Tested-by: Michael Schmitz +Tested-by: Geert Uytterhoeven +Signed-off-by: Michael Schmitz +Signed-off-by: Helge Deller +Acked-by: Thomas Zimmermann +--- + drivers/video/fbdev/atafb.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/video/fbdev/atafb.c b/drivers/video/fbdev/atafb.c +index e95333e004744..52a35b6616438 100644 +--- a/drivers/video/fbdev/atafb.c ++++ b/drivers/video/fbdev/atafb.c +@@ -1681,9 +1681,9 @@ static int falcon_setcolreg(unsigned int regno, unsigned int red, + ((blue & 0xfc00) >> 8)); + if (regno < 16) { + shifter_tt.color_reg[regno] = +- (((red & 0xe000) >> 13) | ((red & 0x1000) >> 12) << 8) | +- (((green & 0xe000) >> 13) | ((green & 0x1000) >> 12) << 4) | +- ((blue & 0xe000) >> 13) | ((blue & 0x1000) >> 12); ++ ((((red & 0xe000) >> 13) | ((red & 0x1000) >> 12)) << 8) | ++ ((((green & 0xe000) >> 13) | ((green & 0x1000) >> 12)) << 4) | ++ ((blue & 0xe000) >> 13) | ((blue & 0x1000) >> 12); + ((u32 *)info->pseudo_palette)[regno] = ((red & 0xf800) | + 
((green & 0xfc00) >> 5) | + ((blue & 0xf800) >> 11)); +@@ -1969,9 +1969,9 @@ static int stste_setcolreg(unsigned int regno, unsigned int red, + green >>= 12; + if (ATARIHW_PRESENT(EXTD_SHIFTER)) + shifter_tt.color_reg[regno] = +- (((red & 0xe) >> 1) | ((red & 1) << 3) << 8) | +- (((green & 0xe) >> 1) | ((green & 1) << 3) << 4) | +- ((blue & 0xe) >> 1) | ((blue & 1) << 3); ++ ((((red & 0xe) >> 1) | ((red & 1) << 3)) << 8) | ++ ((((green & 0xe) >> 1) | ((green & 1) << 3)) << 4) | ++ ((blue & 0xe) >> 1) | ((blue & 1) << 3); + else + shifter_tt.color_reg[regno] = + ((red & 0xe) << 7) | +-- +2.36.0 + diff --git a/patches.suse/0012-arm64-entry-Add-macro-for-reading-symbol-addresses-f.patch b/patches.suse/0012-arm64-entry-Add-macro-for-reading-symbol-addresses-f.patch new file mode 100644 index 0000000..a7f6c49 --- /dev/null +++ b/patches.suse/0012-arm64-entry-Add-macro-for-reading-symbol-addresses-f.patch 
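Review bot: In the falcon_setcolreg() hunk the low-order colour bit is still merged with `((red & 0x1000) >> 12)`, which lands on bit 0 and overlaps the `>> 13` term, whereas stste_setcolreg() in the second hunk moves it to bit 3 with `((red & 1) << 3)`. If both functions target the same palette register layout, the Falcon term looks like it should be `((red & 0x1000) >> 9)`, and likewise for green and blue. This is inferred from comparing the two hunks and should be checked against the hardware documentation. Both function bodies start and end outside their hunks.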
@@ -0,0 +1,83 @@ +From 72d5ed0cd9b7b89391596440f5b320dfda2aff33 Mon Sep 17 00:00:00 2001 +From: James Morse +Date: Mon, 28 Feb 2022 17:30:00 +0100 +Subject: [PATCH 12/22] arm64: entry: Add macro for reading symbol addresses + from the trampoline + +Git-commit: b28a8eebe81c186fdb1a0078263b30576c8e1f42 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: Queued in a subsystem tree +References: bsc#1191580 CVE-2022-0001 CVE-2022-000 CVE-2022-23960 + + +The trampoline code needs to use the address of symbols in the wider +kernel, e.g. vectors. PC-relative addressing wouldn't work as the +trampoline code doesn't run at the address the linker expected. + +tramp_ventry uses a literal pool, unless CONFIG_RANDOMIZE_BASE is +set, in which case it uses the data page as a literal pool because +the data page can be unmapped when running in user-space, which is +required for CPUs vulnerable to meltdown. + +Pull this logic out as a macro, instead of adding a third copy +of it. + +Reviewed-by: Catalin Marinas +[ Removed SDEI for stable backport ] +Signed-off-by: James Morse +Signed-off-by: Matthias Brugger +--- + arch/arm64/kernel/entry.S | 21 +++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) + +diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S +index b02d149d30cda..20c90b65a3423 100644 +--- a/arch/arm64/kernel/entry.S ++++ b/arch/arm64/kernel/entry.S +@@ -1097,6 +1097,15 @@ alternative_else_nop_endif + sub \dst, \dst, PAGE_SIZE + .endm + ++ .macro tramp_data_read_var dst, var ++#ifdef CONFIG_RANDOMIZE_BASE ++ tramp_data_page \dst ++ add \dst, \dst, #:lo12:__entry_tramp_data_\var ++ ldr \dst, [\dst] ++#else ++ ldr \dst, =\var ++#endif ++ .endm + + #define BHB_MITIGATION_NONE 0 + #define BHB_MITIGATION_LOOP 1 +@@ -1127,13 +1136,8 @@ alternative_else_nop_endif + b . 
+ 2: + tramp_map_kernel x30 +-#ifdef CONFIG_RANDOMIZE_BASE +- tramp_data_page x30 + alternative_insn isb, nop, ARM64_WORKAROUND_QCOM_FALKOR_E1003 +- ldr x30, [x30] +-#else +- ldr x30, =vectors +-#endif ++ tramp_data_read_var x30, vectors + prfm plil1strm, [x30, #(1b - \vector_start)] + msr vbar_el1, x30 + isb +@@ -1213,7 +1217,12 @@ END(tramp_exit_compat) + .align PAGE_SHIFT + .globl __entry_tramp_data_start + __entry_tramp_data_start: ++__entry_tramp_data_vectors: + .quad vectors ++#ifdef CONFIG_ARM_SDE_INTERFACE ++__entry_tramp_data___sdei_asm_trampoline_next_handler: ++ .quad __sdei_asm_handler ++#endif /* CONFIG_ARM_SDE_INTERFACE */ + .popsection // .rodata + #endif /* CONFIG_RANDOMIZE_BASE */ + #endif /* CONFIG_UNMAP_KERNEL_AT_EL0 */ +-- +2.34.1 + diff --git a/patches.suse/0012-video-fbdev-sm712fb-Fix-crash-in-smtcfb_read.patch b/patches.suse/0012-video-fbdev-sm712fb-Fix-crash-in-smtcfb_read.patch new file mode 100644 index 0000000..7766415 --- /dev/null +++ b/patches.suse/0012-video-fbdev-sm712fb-Fix-crash-in-smtcfb_read.patch 
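Review bot: The data page gains `__entry_tramp_data___sdei_asm_trampoline_next_handler` with `.quad __sdei_asm_handler` under `CONFIG_ARM_SDE_INTERFACE`, although the patch description says SDEI was removed for the stable backport and nothing in this hunk reads that entry through `tramp_data_read_var`. If no later patch in the series consumes it, the `#ifdef CONFIG_ARM_SDE_INTERFACE` block should be dropped; if it stays, the link depends on `__sdei_asm_handler` existing in this tree. A short comment on `tramp_data_read_var` would also help, stating that each variable needs a matching `__entry_tramp_data_<var>` label in the data page, since the `#:lo12:` offset appears to rely on the `.align PAGE_SHIFT` of that page.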
@@ -0,0 +1,79 @@ +From bd771cf5c4254511cc4abb88f3dab3bd58bdf8e8 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Sun, 27 Feb 2022 08:43:56 +0100 +Subject: video: fbdev: sm712fb: Fix crash in smtcfb_read() +Git-commit: bd771cf5c4254511cc4abb88f3dab3bd58bdf8e8 +Patch-mainline: v5.18-rc1 +References: bsc#1129770 + +Zheyu Ma reported this crash in the sm712fb driver when reading +three bytes from the framebuffer: + + BUG: unable to handle page fault for address: ffffc90001ffffff + RIP: 0010:smtcfb_read+0x230/0x3e0 + Call Trace: + vfs_read+0x198/0xa00 + ? do_sys_openat2+0x27d/0x350 + ? __fget_light+0x54/0x340 + ksys_read+0xce/0x190 + do_syscall_64+0x43/0x90 + +Fix it by removing the open-coded endianess fixup-code and +by moving the pointer post decrement out the fb_readl() function. + +Reported-by: Zheyu Ma +Signed-off-by: Helge Deller +Tested-by: Zheyu Ma +Cc: stable@vger.kernel.org +Acked-by: Thomas Zimmermann +--- + drivers/video/fbdev/sm712fb.c | 25 +++++++------------------ + 1 file changed, 7 insertions(+), 18 deletions(-) + +diff --git a/drivers/video/fbdev/sm712fb.c b/drivers/video/fbdev/sm712fb.c +index 0dbc6bf8268ac..b60a2730f0a8a 100644 +--- a/drivers/video/fbdev/sm712fb.c ++++ b/drivers/video/fbdev/sm712fb.c +@@ -1047,7 +1047,7 @@ static ssize_t smtcfb_read(struct fb_info *info, char __user *buf, + if (count + p > total_size) + count = total_size - p; + +- buffer = kmalloc((count > PAGE_SIZE) ? PAGE_SIZE : count, GFP_KERNEL); ++ buffer = kmalloc(PAGE_SIZE, GFP_KERNEL); + if (!buffer) + return -ENOMEM; + +@@ -1059,24 +1059,13 @@ static ssize_t smtcfb_read(struct fb_info *info, char __user *buf, + while (count) { + c = (count > PAGE_SIZE) ? 
PAGE_SIZE : count; + dst = buffer; +- for (i = c >> 2; i--;) { +- *dst = fb_readl(src++); +- *dst = big_swap(*dst); +- dst++; +- } +- if (c & 3) { +- u8 *dst8 = (u8 *)dst; +- u8 __iomem *src8 = (u8 __iomem *)src; ++ for (i = (c + 3) >> 2; i--;) { ++ u32 val; + +- for (i = c & 3; i--;) { +- if (i & 1) { +- *dst8++ = fb_readb(++src8); +- } else { +- *dst8++ = fb_readb(--src8); +- src8 += 2; +- } +- } +- src = (u32 __iomem *)src8; ++ val = fb_readl(src); ++ *dst = big_swap(val); ++ src++; ++ dst++; + } + + if (copy_to_user(buf, buffer, c)) { +-- +2.36.0 + diff --git a/patches.suse/0013-arm64-Add-percpu-vectors-for-EL1.patch b/patches.suse/0013-arm64-Add-percpu-vectors-for-EL1.patch new file mode 100644 index 0000000..c133d10 --- /dev/null +++ b/patches.suse/0013-arm64-Add-percpu-vectors-for-EL1.patch 
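Review bot: The loop in smtcfb_read() now runs `(c + 3) >> 2` times, so when `c` is not a multiple of four the last `fb_readl(src)` reads up to three bytes beyond the range that `count` was clamped to by `if (count + p > total_size)`. If `p + count` ends at `total_size` and the last word starts at an unaligned offset, that access may reach past the mapped framebuffer, which is the class of fault this patch is fixing. How `src` is derived from `p` is outside the hunk, so this needs confirming. A guard or a byte-wise read for the final partial word would close it. A comment at the loop should state that whole words are read and that this is why `buffer` is now always `PAGE_SIZE`.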
@@ -0,0 +1,222 @@ +From a0e18c8abcc03bbea045d7e1f9b5e010715c9e2b Mon Sep 17 00:00:00 2001 +From: James Morse +Date: Mon, 28 Feb 2022 17:33:00 +0100 +Subject: [PATCH 13/22] arm64: Add percpu vectors for EL1 + +Git-commit: bd09128d16fac3c34b80bd6a29088ac632e8ce09 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: Queued in a subsystem tree +References: bsc#1191580 CVE-2022-0001 CVE-2022-000 CVE-2022-23960 + +The Spectre-BHB workaround adds a firmware call to the vectors. This +is needed on some CPUs, but not others. To avoid the unaffected CPU in +a big/little pair from making the firmware call, create per cpu vectors. + +The per-cpu vectors only apply when returning from EL0. + +Systems using KPTI can use the canonical 'full-fat' vectors directly at +EL1, the trampoline exit code will switch to this_cpu_vector on exit to +EL0. Systems not using KPTI should always use this_cpu_vector. + +this_cpu_vector will point at a vector in tramp_vecs or +__bp_harden_el1_vectors, depending on whether KPTI is in use. 
+ +Reviewed-by: Catalin Marinas +Signed-off-by: James Morse +Signed-off-by: Matthias Brugger +--- + arch/arm64/include/asm/mmu.h | 2 +- + arch/arm64/include/asm/vectors.h | 29 ++++++++++++++++++++++++++++- + arch/arm64/kernel/cpufeature.c | 11 +++++++++++ + arch/arm64/kernel/entry.S | 16 ++++++++++------ + arch/arm64/kvm/hyp/switch.c | 9 +++++++-- + 5 files changed, 57 insertions(+), 10 deletions(-) + +diff --git a/arch/arm64/include/asm/mmu.h b/arch/arm64/include/asm/mmu.h +index 2abfd62a021de..d31bab89efa42 100644 +--- a/arch/arm64/include/asm/mmu.h ++++ b/arch/arm64/include/asm/mmu.h +@@ -37,7 +37,7 @@ typedef struct { + */ + #define ASID(mm) ((mm)->context.id.counter & 0xffff) + +-static inline bool arm64_kernel_unmapped_at_el0(void) ++static __always_inline bool arm64_kernel_unmapped_at_el0(void) + { + return IS_ENABLED(CONFIG_UNMAP_KERNEL_AT_EL0) && + cpus_have_const_cap(ARM64_UNMAP_KERNEL_AT_EL0); +diff --git a/arch/arm64/include/asm/vectors.h b/arch/arm64/include/asm/vectors.h +index bac53fad037dc..3f76dfd9e0744 100644 +--- a/arch/arm64/include/asm/vectors.h ++++ b/arch/arm64/include/asm/vectors.h +@@ -5,6 +5,15 @@ + #ifndef __ASM_VECTORS_H + #define __ASM_VECTORS_H + ++#include ++#include ++ ++#include ++ ++extern char vectors[]; ++extern char tramp_vectors[]; ++extern char __bp_harden_el1_vectors[]; ++ + /* + * Note: the order of this enum corresponds to two arrays in entry.S: + * tramp_vecs and __bp_harden_el1_vectors. By default the canonical +@@ -29,6 +38,24 @@ enum arm64_bp_harden_el1_vectors { + * Remap the kernel before branching to the canonical vectors. + */ + EL1_VECTOR_KPTI, +-+}; ++}; ++ ++/* The vectors to use on return from EL0. e.g. 
to remap the kernel */ ++DECLARE_PER_CPU_READ_MOSTLY(const char *, this_cpu_vector); ++ ++#ifndef CONFIG_UNMAP_KERNEL_AT_EL0 ++#define TRAMP_VALIAS 0 ++#endif ++ ++static inline const char * ++arm64_get_bp_hardening_vector(enum arm64_bp_harden_el1_vectors slot) ++{ ++ if (arm64_kernel_unmapped_at_el0()) ++ return (char *)TRAMP_VALIAS + SZ_2K * slot; ++ ++ WARN_ON_ONCE(slot == EL1_VECTOR_KPTI); ++ ++ return __bp_harden_el1_vectors + SZ_2K * slot; ++} + + #endif /* __ASM_VECTORS_H */ +diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c +index 1ce8c74f0aabb..0dfe9278656ff 100644 +--- a/arch/arm64/kernel/cpufeature.c ++++ b/arch/arm64/kernel/cpufeature.c +@@ -20,12 +20,14 @@ + + #include + #include ++#include + #include + #include + #include + #include + #include + #include ++ + #include + #include + #include +@@ -34,6 +36,7 @@ + #include + #include + #include ++#include + #include + + unsigned long elf_hwcap __read_mostly; +@@ -54,6 +57,8 @@ unsigned int compat_elf_hwcap2 __read_mostly; + DECLARE_BITMAP(cpu_hwcaps, ARM64_NCAPS); + EXPORT_SYMBOL(cpu_hwcaps); + ++DEFINE_PER_CPU_READ_MOSTLY(const char *, this_cpu_vector) = vectors; ++ + static int dump_cpu_hwcaps(struct notifier_block *self, unsigned long v, void *p) + { + /* file-wide pr_fmt adds "CPU features: " prefix */ +@@ -998,6 +1003,12 @@ kpti_install_ng_mappings(const struct arm64_cpu_capabilities *__unused) + static bool kpti_applied = false; + int cpu = smp_processor_id(); + ++ if (__this_cpu_read(this_cpu_vector) == vectors) { ++ const char *v = arm64_get_bp_hardening_vector(EL1_VECTOR_KPTI); ++ ++ __this_cpu_write(this_cpu_vector, v); ++ } ++ + /* + * We don't need to rewrite the page-tables if either we've done + * it already or we have KASLR enabled and therefore have not +diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S +index 20c90b65a3423..705134e7dddef 100644 +--- a/arch/arm64/kernel/entry.S ++++ b/arch/arm64/kernel/entry.S +@@ -74,7 +74,6 @@ + .macro 
kernel_ventry, el, label, regsize = 64 + .align 7 + .Lventry_start\@: +-#ifdef CONFIG_UNMAP_KERNEL_AT_EL0 + .if \el == 0 + /* + * This must be the first instruction of the EL0 vector entries. It is +@@ -89,7 +88,6 @@ + .endif + .Lskip_tramp_vectors_cleanup\@: + .endif +-#endif + + sub sp, sp, #S_FRAME_SIZE + #ifdef CONFIG_VMAP_STACK +@@ -1160,10 +1158,14 @@ alternative_insn isb, nop, ARM64_WORKAROUND_QCOM_FALKOR_E1003 + .endm + + .macro tramp_exit, regsize = 64 +- adr x30, tramp_vectors +-#ifdef CONFIG_MITIGATE_SPECTRE_BRANCH_HISTORY +- add x30, x30, SZ_4K +-#endif ++ tramp_data_read_var x30, this_cpu_vector ++alternative_if_not ARM64_HAS_VIRT_HOST_EXTN ++ mrs x29, tpidr_el1 ++alternative_else ++ mrs x29, tpidr_el2 ++alternative_endif ++ ldr x30, [x30, x29] ++ + msr vbar_el1, x30 + ldr lr, [sp, #S_LR] + tramp_unmap_kernel x29 +@@ -1223,6 +1225,8 @@ __entry_tramp_data_vectors: + __entry_tramp_data___sdei_asm_trampoline_next_handler: + .quad __sdei_asm_handler + #endif /* CONFIG_ARM_SDE_INTERFACE */ ++__entry_tramp_data_this_cpu_vector: ++ .quad this_cpu_vector + .popsection // .rodata + #endif /* CONFIG_RANDOMIZE_BASE */ + #endif /* CONFIG_UNMAP_KERNEL_AT_EL0 */ +diff --git a/arch/arm64/kvm/hyp/switch.c b/arch/arm64/kvm/hyp/switch.c +index 514a0afed00c2..13f07e9ce8e36 100644 +--- a/arch/arm64/kvm/hyp/switch.c ++++ b/arch/arm64/kvm/hyp/switch.c +@@ -29,6 +29,7 @@ + #include + #include + #include ++#include + + static bool __hyp_text __fpsimd_enabled_nvhe(void) + { +@@ -130,10 +131,14 @@ static void __hyp_text __activate_traps(struct kvm_vcpu *vcpu) + + static void deactivate_traps_vhe(void) + { +- extern char vectors[]; /* kernel exception vectors */ ++ const char *host_vectors = vectors; + write_sysreg(HCR_HOST_VHE_FLAGS, hcr_el2); + write_sysreg(CPACR_EL1_DEFAULT, cpacr_el1); +- write_sysreg(vectors, vbar_el1); ++ ++ ++ if (!arm64_kernel_unmapped_at_el0()) ++ host_vectors = __this_cpu_read(this_cpu_vector); ++ write_sysreg(host_vectors, vbar_el1); + } + 
NOKPROBE_SYMBOL(deactivate_traps_vhe); + +-- +2.34.1 + diff --git a/patches.suse/0013-video-fbdev-omapfb-Add-missing-of_node_put-in-dvic_p.patch b/patches.suse/0013-video-fbdev-omapfb-Add-missing-of_node_put-in-dvic_p.patch new file mode 100644 index 0000000..303959e --- /dev/null +++ b/patches.suse/0013-video-fbdev-omapfb-Add-missing-of_node_put-in-dvic_p.patch @@ -0,0 +1,34 @@ +From a58c22cfbbf62fefca090334bbd35fd132e92a23 Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Mon, 7 Mar 2022 12:38:12 +0000 +Subject: video: fbdev: omapfb: Add missing of_node_put() in dvic_probe_of +Git-commit: a58c22cfbbf62fefca090334bbd35fd132e92a23 +Patch-mainline: v5.18-rc1 +References: bsc#1129770 + +The device_node pointer is returned by of_parse_phandle() with refcount +incremented. We should use of_node_put() on it when done. + +Fixes: f76ee892a99e ("omapfb: copy omapdss & displays for omapfb") +Signed-off-by: Miaoqian Lin +Signed-off-by: Helge Deller +Acked-by: Thomas Zimmermann +--- + drivers/video/fbdev/omap2/omapfb/displays/connector-dvi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/video/fbdev/omap2/omapfb/displays/connector-dvi.c b/drivers/video/fbdev/omap2/omapfb/displays/connector-dvi.c +index 2fa436475b406..c8ad3ef42bd31 100644 +--- a/drivers/video/fbdev/omap2/omapfb/displays/connector-dvi.c ++++ b/drivers/video/fbdev/omap2/omapfb/displays/connector-dvi.c +@@ -246,6 +246,7 @@ static int dvic_probe_of(struct platform_device *pdev) + adapter_node = of_parse_phandle(node, "ddc-i2c-bus", 0); + if (adapter_node) { + adapter = of_get_i2c_adapter_by_node(adapter_node); ++ of_node_put(adapter_node); + if (adapter == NULL) { + dev_err(&pdev->dev, "failed to parse ddc-i2c-bus\n"); + omap_dss_put_device(ddata->in); +-- +2.36.0 + diff --git a/patches.suse/0014-arm64-proton-pack-Report-Spectre-BHB-vulnerabilities.patch b/patches.suse/0014-arm64-proton-pack-Report-Spectre-BHB-vulnerabilities.patch new file mode 100644 index 0000000..1047846 --- /dev/null 
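Review bot: In arm64_get_bp_hardening_vector() (arch/arm64/include/asm/vectors.h, patch 0013) the non-KPTI path only warns on `slot == EL1_VECTOR_KPTI` and then still returns `__bp_harden_el1_vectors + SZ_2K * slot`. Patch 0011 in this diff emits only the loop and firmware vector sets into `__bp_harden_el1_vectors`, so that address appears to lie beyond them, and a caller may then store it in `this_cpu_vector`. Returning the canonical table on that path, `if (WARN_ON_ONCE(slot == EL1_VECTOR_KPTI)) return vectors;`, would keep a programming error from reaching `vbar_el1`. In deactivate_traps_vhe() the doubled blank line before the `if` can be removed.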
+++ b/patches.suse/0014-arm64-proton-pack-Report-Spectre-BHB-vulnerabilities.patch 
@@ -0,0 +1,108 @@ +From ed9b4c8999f0046ecf8649ec24d503bded9cec12 Mon Sep 17 00:00:00 2001 +From: James Morse +Date: Mon, 21 Feb 2022 14:45:00 +0100 +Subject: [PATCH 14/22] arm64: proton-pack: Report Spectre-BHB vulnerabilities + as part of Spectre-v2 + +Git-commit: dee435be76f4117410bbd90573a881fd33488f37 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: Queued in a subsystem tree +References: bsc#1191580 CVE-2022-0001 CVE-2022-000 CVE-2022-23960 + +Speculation attacks against some high-performance processors can +make use of branch history to influence future speculation as part of +a spectre-v2 attack. This is not mitigated by CSV2, meaning CPUs that +previously reported 'Not affected' are now moderately mitigated by CSV2. + +Update the value in /sys/devices/system/cpu/vulnerabilities/spectre_v2 +to also show the state of the BHB mitigation. + +Reviewed-by: Catalin Marinas +[ code move to cpu_errata.c for backport ] +Signed-off-by: James Morse +Signed-off-by: Matthias Brugger +--- + arch/arm64/include/asm/cpufeature.h | 8 ++++++ + arch/arm64/kernel/cpu_errata.c | 38 ++++++++++++++++++++++++++--- + 2 files changed, 43 insertions(+), 3 deletions(-) + +diff --git a/arch/arm64/include/asm/cpufeature.h b/arch/arm64/include/asm/cpufeature.h +index 749005df38e0f..695cea1349f4b 100644 +--- a/arch/arm64/include/asm/cpufeature.h ++++ b/arch/arm64/include/asm/cpufeature.h +@@ -561,6 +561,14 @@ static inline int arm64_get_ssbd_state(void) + + void arm64_set_ssbd_mitigation(bool state); + ++/* Watch out, ordering is important here. 
*/ ++enum mitigation_state { ++ SPECTRE_UNAFFECTED, ++ SPECTRE_MITIGATED, ++ SPECTRE_VULNERABLE, ++}; ++ ++enum mitigation_state arm64_get_spectre_bhb_state(void); + #endif /* __ASSEMBLY__ */ + + #endif +diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c +index 858880c86c50f..64fc527f19654 100644 +--- a/arch/arm64/kernel/cpu_errata.c ++++ b/arch/arm64/kernel/cpu_errata.c +@@ -843,14 +843,39 @@ ssize_t cpu_show_spectre_v1(struct device *dev, struct device_attribute *attr, + return sprintf(buf, "Mitigation: __user pointer sanitization\n"); + } + ++static const char *get_bhb_affected_string(enum mitigation_state bhb_state) ++{ ++ switch (bhb_state) { ++ case SPECTRE_UNAFFECTED: ++ return ""; ++ default: ++ case SPECTRE_VULNERABLE: ++ return ", but not BHB"; ++ case SPECTRE_MITIGATED: ++ return ", BHB"; ++ } ++} ++ + ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, + char *buf) + { +- if (__spectrev2_safe) +- return sprintf(buf, "Not affected\n"); ++ enum mitigation_state bhb_state = arm64_get_spectre_bhb_state(); ++ const char *bhb_str = get_bhb_affected_string(bhb_state); ++ const char *v2_str = "Branch predictor hardening"; ++ ++ if (__spectrev2_safe) { ++ if (bhb_state == SPECTRE_UNAFFECTED) ++ return sprintf(buf, "Not affected\n"); ++ ++ /* ++ * Platforms affected by Spectre-BHB can't report ++ * "Not affected" for Spectre-v2. ++ */ ++ v2_str = "CSV2"; ++ } + + if (__hardenbp_enab) +- return sprintf(buf, "Mitigation: Branch predictor hardening\n"); ++ return sprintf(buf, "Mitigation: %s%s\n", v2_str, bhb_str); + + return sprintf(buf, "Vulnerable\n"); + } +@@ -871,3 +896,10 @@ ssize_t cpu_show_spec_store_bypass(struct device *dev, + + return sprintf(buf, "Vulnerable\n"); + } ++ ++static enum mitigation_state spectre_bhb_state; ++ ++enum mitigation_state arm64_get_spectre_bhb_state(void) ++{ ++ return spectre_bhb_state; ++} +-- +2.34.1 + 
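Review bot: `spectre_bhb_state` is added at the end of cpu_errata.c with no initialiser and no writer in this patch, so arm64_get_spectre_bhb_state() returns 0, which is `SPECTRE_UNAFFECTED` only because of the enum order. Until a later patch sets it, cpu_show_spectre_v2() keeps printing "Not affected" when `__spectrev2_safe` is set, so the default is the optimistic one. I would make the dependency explicit with `static enum mitigation_state spectre_bhb_state = SPECTRE_UNAFFECTED;`. The enum comment "ordering is important here" should also say what relies on the order, and the author should confirm whether the zero value is meant to be the unaffected state.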
diff --git a/patches.suse/0014-video-fbdev-udlfb-properly-check-endpoint-type.patch b/patches.suse/0014-video-fbdev-udlfb-properly-check-endpoint-type.patch new file mode 100644 index 0000000..41cb9e7 --- /dev/null +++ b/patches.suse/0014-video-fbdev-udlfb-properly-check-endpoint-type.patch 
@@ -0,0 +1,71 @@ +From aaf7dbe07385e0b8deb7237eca2a79926bbc7091 Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Tue, 22 Mar 2022 23:04:38 +0300 +Subject: video: fbdev: udlfb: properly check endpoint type +Git-commit: aaf7dbe07385e0b8deb7237eca2a79926bbc7091 +Patch-mainline: v5.18-rc5 +References: bsc#1129770 + +syzbot reported warning in usb_submit_urb, which is caused by wrong +endpoint type. + +This driver uses out bulk endpoint for communication, so +let's check if this endpoint is present and bail out early if not. + +Fail log: + +usb 1-1: BOGUS urb xfer, pipe 3 != type 1 +WARNING: CPU: 0 PID: 4822 at drivers/usb/core/urb.c:493 usb_submit_urb+0xd27/0x1540 drivers/usb/core/urb.c:493 +Modules linked in: +CPU: 0 PID: 4822 Comm: kworker/0:3 Tainted: G W 5.13.0-syzkaller #0 +... +Workqueue: usb_hub_wq hub_event +RIP: 0010:usb_submit_urb+0xd27/0x1540 drivers/usb/core/urb.c:493 +... +Call Trace: + dlfb_submit_urb+0x89/0x160 drivers/video/fbdev/udlfb.c:1969 + dlfb_set_video_mode+0x21f0/0x2950 drivers/video/fbdev/udlfb.c:315 + dlfb_ops_set_par+0x2a3/0x840 drivers/video/fbdev/udlfb.c:1110 + dlfb_usb_probe.cold+0x113e/0x1f4a drivers/video/fbdev/udlfb.c:1732 + usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396 + +Fixes: 88e58b1a42f8 ("Staging: add udlfb driver") +Reported-and-tested-by: syzbot+53ce4a4246d0fe0fee34@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Signed-off-by: Helge Deller +Acked-by: Thomas Zimmermann +--- + drivers/video/fbdev/udlfb.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/video/fbdev/udlfb.c ++++ b/drivers/video/fbdev/udlfb.c +@@ -1593,6 +1593,7 @@ static int dlfb_usb_probe(struct usb_int + struct usb_device *usbdev; + struct dlfb_data *dev; + int retval = -ENOMEM; ++ struct usb_endpoint_descriptor *out; + + /* usb initialization */ + +@@ -1610,6 +1611,12 @@ static int dlfb_usb_probe(struct usb_int + dev->gdev = &usbdev->dev; /* our generic struct device * */ + usb_set_intfdata(interface, dev); + ++ 
retval = usb_find_common_endpoints(intf->cur_altsetting, NULL, &out, NULL, NULL); ++ if (retval) { ++ dev_err(&intf->dev, "Device should have at lease 1 bulk endpoint!\n"); ++ goto error; ++ } ++ + pr_info("%s %s - serial #%s\n", + usbdev->manufacturer, usbdev->product, usbdev->serial); + pr_info("vid_%04x&pid_%04x&rev_%04x driver's dlfb_data struct at %p\n", +@@ -1624,6 +1631,7 @@ static int dlfb_usb_probe(struct usb_int + + if (!dlfb_parse_vendor_descriptor(dev, interface)) { + pr_err("firmware not recognized. Assume incompatible device\n"); ++ retval = -ENODEV; + goto error; + } + diff --git a/patches.suse/0015-arm64-Add-part-number-for-Arm-Cortex-A77.patch b/patches.suse/0015-arm64-Add-part-number-for-Arm-Cortex-A77.patch new file mode 100644 index 0000000..d52fd7f --- /dev/null +++ b/patches.suse/0015-arm64-Add-part-number-for-Arm-Cortex-A77.patch 
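Review bot: The added endpoint check in dlfb_usb_probe dereferences `intf` (`intf->cur_altsetting`, `&intf->dev`), but every context line in these hunks names the interface `interface` (`usb_set_intfdata(interface, dev)`, `dlfb_parse_vendor_descriptor(dev, interface)`), so unless `intf` is declared outside the visible hunks this backport will not build against this tree. The call would then read `retval = usb_find_common_endpoints(interface->cur_altsetting, NULL, &out, NULL, NULL);`, with `&interface->dev` passed to `dev_err()`. The function signature is truncated in the hunk header and the `error:` label lies outside the hunk, so it is worth confirming that the error path copes with being reached right after `usb_set_intfdata()`. The log message also says "at lease" where "at least" is meant.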
@@ -0,0 +1,48 @@ +From 3a141f3eba23cf0dadd984dd616708f67a834f5a Mon Sep 17 00:00:00 2001 +From: Rob Herring +Date: Wed, 28 Oct 2020 19:28:00 +0100 +Subject: [PATCH 15/22] arm64: Add part number for Arm Cortex-A77 + +Git-commit: 8a6b88e66233f5f1779b0a1342aa9dc030dddcd5 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: Queued in a subsystem tree +References: bsc#1191580 CVE-2022-0001 CVE-2022-000 CVE-2022-23960 + + +Add the MIDR part number info for the Arm Cortex-A77. + +Signed-off-by: Rob Herring +Acked-by: Catalin Marinas +Cc: Catalin Marinas +Cc: Will Deacon +Link: https://lore.kernel.org/r/20201028182839.166037-1-robh@kernel.org +Signed-off-by: Will Deacon +Signed-off-by: James Morse +Signed-off-by: Matthias Brugger +--- + arch/arm64/include/asm/cputype.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h +index 16768f5517254..7137f217959c5 100644 +--- a/arch/arm64/include/asm/cputype.h ++++ b/arch/arm64/include/asm/cputype.h +@@ -89,6 +89,7 @@ + #define ARM_CPU_PART_CORTEX_A55 0xD05 + #define ARM_CPU_PART_CORTEX_A76 0xD0B + #define ARM_CPU_PART_NEOVERSE_N1 0xD0C ++#define ARM_CPU_PART_CORTEX_A77 0xD0D + + #define APM_CPU_PART_POTENZA 0x000 + +@@ -116,6 +117,7 @@ + #define MIDR_CORTEX_A55 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A55) + #define MIDR_CORTEX_A76 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76) + #define MIDR_NEOVERSE_N1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N1) ++#define MIDR_CORTEX_A77 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A77) + #define MIDR_THUNDERX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX) + #define MIDR_THUNDERX_81XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_81XX) + #define MIDR_THUNDERX_83XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_83XX) +-- +2.34.1 + 
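Review bot: The `References:` tag in this patch header lists `CVE-2022-000`, which is not a well-formed CVE identifier and looks truncated; the same string appears in the headers of patches 0016 through 0020. Tooling that maps fixes to advisories by CVE id may fail to associate these patches with the intended entry, so the tag should carry the full identifier recorded in bsc#1191580. The code change itself only adds `ARM_CPU_PART_CORTEX_A77` and `MIDR_CORTEX_A77` and raises nothing further.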
diff --git a/patches.suse/0016-arm64-Add-Neoverse-N2-Cortex-A710-CPU-part-definitio.patch b/patches.suse/0016-arm64-Add-Neoverse-N2-Cortex-A710-CPU-part-definitio.patch
new file mode 100644
index 0000000..57f42ec
--- /dev/null
+++ b/patches.suse/0016-arm64-Add-Neoverse-N2-Cortex-A710-CPU-part-definitio.patch
@@ -0,0 +1,52 @@ +From b32d60019a6edf7c414ac00b142ebf87adda5c50 Mon Sep 17 00:00:00 2001 +From: Suzuki K Poulose +Date: Tue, 19 Oct 2021 18:31:00 +0200 +Subject: [PATCH 16/22] arm64: Add Neoverse-N2, Cortex-A710 CPU part definition + +Git-commit: 2d0d656700d67239a57afaf617439143d8dac9be +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: Queued in a subsystem tree +References: bsc#1191580 CVE-2022-0001 CVE-2022-000 CVE-2022-23960 + + +Add the CPU Partnumbers for the new Arm designs. + +Cc: Catalin Marinas +Cc: Mark Rutland +Cc: Will Deacon +Acked-by: Catalin Marinas +Reviewed-by: Anshuman Khandual +Signed-off-by: Suzuki K Poulose +Link: https://lore.kernel.org/r/20211019163153.3692640-2-suzuki.poulose@arm.com +Signed-off-by: Will Deacon +Signed-off-by: James Morse +Signed-off-by: Matthias Brugger +--- + arch/arm64/include/asm/cputype.h | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h +index 7137f217959c5..4138ed3e5234a 100644 +--- a/arch/arm64/include/asm/cputype.h ++++ b/arch/arm64/include/asm/cputype.h +@@ -90,6 +90,8 @@ + #define ARM_CPU_PART_CORTEX_A76 0xD0B + #define ARM_CPU_PART_NEOVERSE_N1 0xD0C + #define ARM_CPU_PART_CORTEX_A77 0xD0D ++#define ARM_CPU_PART_CORTEX_A710 0xD47 ++#define ARM_CPU_PART_NEOVERSE_N2 0xD49 + + #define APM_CPU_PART_POTENZA 0x000 + +@@ -118,6 +120,8 @@ + #define MIDR_CORTEX_A76 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76) + #define MIDR_NEOVERSE_N1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N1) + #define MIDR_CORTEX_A77 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A77) ++#define MIDR_CORTEX_A710 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A710) ++#define MIDR_NEOVERSE_N2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N2) + #define MIDR_THUNDERX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX) + #define MIDR_THUNDERX_81XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, 
CAVIUM_CPU_PART_THUNDERX_81XX) + #define MIDR_THUNDERX_83XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_83XX) +-- +2.34.1 + diff --git a/patches.suse/0017-arm64-Add-Cortex-X2-CPU-part-definition.patch b/patches.suse/0017-arm64-Add-Cortex-X2-CPU-part-definition.patch new file mode 100644 index 0000000..7336e46 --- /dev/null +++ b/patches.suse/0017-arm64-Add-Cortex-X2-CPU-part-definition.patch 
@@ -0,0 +1,50 @@ +From 273a7a1d721597f9674d273a83ab28e89734927f Mon Sep 17 00:00:00 2001 +From: Anshuman Khandual +Date: Mon, 24 Jan 2022 04:15:00 +0100 +Subject: [PATCH 17/22] arm64: Add Cortex-X2 CPU part definition + +Git-commit: 72bb9dcb6c33cfac80282713c2b4f2b254cd24d1 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: Queued in a subsystem tree +References: bsc#1191580 CVE-2022-0001 CVE-2022-000 CVE-2022-23960 + + +Add the CPU Partnumbers for the new Arm designs. + +Cc: Will Deacon +Cc: Suzuki Poulose +Cc: linux-arm-kernel@lists.infradead.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Anshuman Khandual +Reviewed-by: Suzuki K Poulose +Link: https://lore.kernel.org/r/1642994138-25887-2-git-send-email-anshuman.khandual@arm.com +Signed-off-by: Catalin Marinas +Signed-off-by: James Morse +Signed-off-by: Matthias Brugger +--- + arch/arm64/include/asm/cputype.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h +index 4138ed3e5234a..2eaec505a8d64 100644 +--- a/arch/arm64/include/asm/cputype.h ++++ b/arch/arm64/include/asm/cputype.h +@@ -91,6 +91,7 @@ + #define ARM_CPU_PART_NEOVERSE_N1 0xD0C + #define ARM_CPU_PART_CORTEX_A77 0xD0D + #define ARM_CPU_PART_CORTEX_A710 0xD47 ++#define ARM_CPU_PART_CORTEX_X2 0xD48 + #define ARM_CPU_PART_NEOVERSE_N2 0xD49 + + #define APM_CPU_PART_POTENZA 0x000 +@@ -121,6 +122,7 @@ + #define MIDR_NEOVERSE_N1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N1) + #define MIDR_CORTEX_A77 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A77) + #define MIDR_CORTEX_A710 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A710) ++#define MIDR_CORTEX_X2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X2) + #define MIDR_NEOVERSE_N2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N2) + #define MIDR_THUNDERX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX) + #define MIDR_THUNDERX_81XX 
MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_81XX) +-- +2.34.1 + diff --git a/patches.suse/0018-KVM-arm64-Add-templates-for-BHB-mitigation-sequences.patch b/patches.suse/0018-KVM-arm64-Add-templates-for-BHB-mitigation-sequences.patch new file mode 100644 index 0000000..24b1f1d --- /dev/null +++ b/patches.suse/0018-KVM-arm64-Add-templates-for-BHB-mitigation-sequences.patch 
@@ -0,0 +1,237 @@ +From b9f951828c41365ad2c927ad13d4885a72e4d6d0 Mon Sep 17 00:00:00 2001 +From: James Morse +Date: Mon, 28 Feb 2022 17:46:00 +0100 +Subject: [PATCH 18/22] KVM: arm64: Add templates for BHB mitigation sequences + +Patch-mainline: Not yet, commit ID was missing in provided bundle +References: bsc#1191580 CVE-2022-0001 CVE-2022-000 CVE-2022-23960 + +KVM writes the Spectre-v2 mitigation template at the beginning of each +vector when a CPU requires a specific sequence to run. + +Because the template is copied, it can not be modified by the alternatives +at runtime. As the KVM template code is intertwined with the bp-hardening +callbacks, all templates must have a bp-hardening callback. + +Add templates for calling ARCH_WORKAROUND_3 and one for each value of K +in the brancy-loop. Identify these sequences by a new parameter +template_start, and add a copy of install_bp_hardening_cb() that is able to +install them. + +Signed-off-by: James Morse +Signed-off-by: Matthias Brugger +--- + arch/arm64/include/asm/cpucaps.h | 1 + + arch/arm64/include/asm/kvm_mmu.h | 2 +- + arch/arm64/include/asm/mmu.h | 6 +++ + arch/arm64/kernel/bpi.S | 50 ++++++++++++++++++++++ + arch/arm64/kernel/cpu_errata.c | 71 +++++++++++++++++++++++++++++++- + 5 files changed, 127 insertions(+), 3 deletions(-) + +diff --git a/arch/arm64/include/asm/cpucaps.h b/arch/arm64/include/asm/cpucaps.h +index 69c2957d1bf36..eb504c57f324d 100644 +--- a/arch/arm64/include/asm/cpucaps.h ++++ b/arch/arm64/include/asm/cpucaps.h +@@ -54,6 +54,7 @@ + #define ARM64_HAS_CACHE_DIC 33 + #define ARM64_MISMATCHED_CACHE_TYPE 34 + #define ARM64_WORKAROUND_1542419 35 ++#define ARM64_SPECTRE_BHB 28 + + /* kabi: reserve 36 - 40 for future cpu capabilities */ + #define ARM64_NCAPS 40 +diff --git a/arch/arm64/include/asm/kvm_mmu.h b/arch/arm64/include/asm/kvm_mmu.h +index 77015f4cf2bfd..f30d18dbac48e 100644 +--- a/arch/arm64/include/asm/kvm_mmu.h ++++ b/arch/arm64/include/asm/kvm_mmu.h +@@ -434,7 +434,7 @@ static 
inline void *kvm_get_hyp_vector(void) + struct bp_hardening_data *data = arm64_get_bp_hardening_data(); + void *vect = kvm_ksym_ref(__kvm_hyp_vector); + +- if (data->fn) { ++ if (data->template_start) { + vect = __bp_harden_hyp_vecs_start + + data->hyp_vectors_slot * SZ_2K; + +diff --git a/arch/arm64/include/asm/mmu.h b/arch/arm64/include/asm/mmu.h +index d31bab89efa42..9c53141993481 100644 +--- a/arch/arm64/include/asm/mmu.h ++++ b/arch/arm64/include/asm/mmu.h +@@ -90,6 +90,12 @@ typedef void (*bp_hardening_cb_t)(void); + struct bp_hardening_data { + int hyp_vectors_slot; + bp_hardening_cb_t fn; ++ ++ /* ++ * template_start is only used by the BHB mitigation to identify the ++ * hyp_vectors_slot sequence. ++ */ ++ const char *template_start; + }; + + #ifdef CONFIG_HARDEN_BRANCH_PREDICTOR +diff --git a/arch/arm64/kernel/bpi.S b/arch/arm64/kernel/bpi.S +index 5a64ff2740906..cdcf2197b72be 100644 +--- a/arch/arm64/kernel/bpi.S ++++ b/arch/arm64/kernel/bpi.S +@@ -65,3 +65,53 @@ ENTRY(__smccc_workaround_1_smc_start) + ldp x0, x1, [sp, #(8 * 2)] + add sp, sp, #(8 * 4) + ENTRY(__smccc_workaround_1_smc_end) ++ ++ENTRY(__smccc_workaround_3_smc_start) ++ sub sp, sp, #(8 * 4) ++ stp x2, x3, [sp, #(8 * 0)] ++ stp x0, x1, [sp, #(8 * 2)] ++ mov w0, #ARM_SMCCC_ARCH_WORKAROUND_3 ++ smc #0 ++ ldp x2, x3, [sp, #(8 * 0)] ++ ldp x0, x1, [sp, #(8 * 2)] ++ add sp, sp, #(8 * 4) ++ENTRY(__smccc_workaround_3_smc_end) ++ ++ENTRY(__spectre_bhb_loop_k8_start) ++ sub sp, sp, #(8 * 2) ++ stp x0, x1, [sp, #(8 * 0)] ++ mov x0, #8 ++2: b . + 4 ++ subs x0, x0, #1 ++ b.ne 2b ++ dsb nsh ++ isb ++ ldp x0, x1, [sp, #(8 * 0)] ++ add sp, sp, #(8 * 2) ++ENTRY(__spectre_bhb_loop_k8_end) ++ ++ENTRY(__spectre_bhb_loop_k24_start) ++ sub sp, sp, #(8 * 2) ++ stp x0, x1, [sp, #(8 * 0)] ++ mov x0, #8 ++2: b . 
+ 4 ++ subs x0, x0, #1 ++ b.ne 2b ++ dsb nsh ++ isb ++ ldp x0, x1, [sp, #(8 * 0)] ++ add sp, sp, #(8 * 2) ++ENTRY(__spectre_bhb_loop_k24_end) ++ ++ENTRY(__spectre_bhb_loop_k32_start) ++ sub sp, sp, #(8 * 2) ++ stp x0, x1, [sp, #(8 * 0)] ++ mov x0, #8 ++2: b . + 4 ++ subs x0, x0, #1 ++ b.ne 2b ++ dsb nsh ++ isb ++ ldp x0, x1, [sp, #(8 * 0)] ++ add sp, sp, #(8 * 2) ++ENTRY(__spectre_bhb_loop_k32_end) +diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c +index 64fc527f19654..bce8e9b25f9d6 100644 +--- a/arch/arm64/kernel/cpu_errata.c ++++ b/arch/arm64/kernel/cpu_errata.c +@@ -110,6 +110,14 @@ DEFINE_PER_CPU_READ_MOSTLY(struct bp_hardening_data, bp_hardening_data); + #ifdef CONFIG_KVM + extern char __smccc_workaround_1_smc_start[]; + extern char __smccc_workaround_1_smc_end[]; ++extern char __smccc_workaround_3_smc_start[]; ++extern char __smccc_workaround_3_smc_end[]; ++extern char __spectre_bhb_loop_k8_start[]; ++extern char __spectre_bhb_loop_k8_end[]; ++extern char __spectre_bhb_loop_k24_start[]; ++extern char __spectre_bhb_loop_k24_end[]; ++extern char __spectre_bhb_loop_k32_start[]; ++extern char __spectre_bhb_loop_k32_end[]; + + static void __copy_hyp_vect_bpi(int slot, const char *hyp_vecs_start, + const char *hyp_vecs_end) +@@ -123,12 +131,14 @@ static void __copy_hyp_vect_bpi(int slot, const char *hyp_vecs_start, + flush_icache_range((uintptr_t)dst, (uintptr_t)dst + SZ_2K); + } + ++static DEFINE_SPINLOCK(bp_lock); ++static int last_slot = -1; ++ + static void install_bp_hardening_cb(bp_hardening_cb_t fn, + const char *hyp_vecs_start, + const char *hyp_vecs_end) + { +- static int last_slot = -1; +- static DEFINE_SPINLOCK(bp_lock); ++ + int cpu, slot = -1; + + /* +@@ -158,6 +168,7 @@ static void install_bp_hardening_cb(bp_hardening_cb_t fn, + + __this_cpu_write(bp_hardening_data.hyp_vectors_slot, slot); + __this_cpu_write(bp_hardening_data.fn, fn); ++ __this_cpu_write(bp_hardening_data.template_start, hyp_vecs_start); + 
spin_unlock(&bp_lock); + } + #else +@@ -903,3 +914,59 @@ enum mitigation_state arm64_get_spectre_bhb_state(void) + { + return spectre_bhb_state; + } ++ ++#ifdef CONFIG_KVM ++static const char *kvm_bhb_get_vecs_end(const char *start) ++{ ++ if (start == __smccc_workaround_3_smc_start) ++ return __smccc_workaround_3_smc_end; ++ else if (start == __spectre_bhb_loop_k8_start) ++ return __spectre_bhb_loop_k8_end; ++ else if (start == __spectre_bhb_loop_k24_start) ++ return __spectre_bhb_loop_k24_end; ++ else if (start == __spectre_bhb_loop_k32_start) ++ return __spectre_bhb_loop_k32_end; ++ ++ return NULL; ++} ++ ++void kvm_setup_bhb_slot(const char *hyp_vecs_start) ++{ ++ int cpu, slot = -1; ++ const char *hyp_vecs_end; ++ ++ if (!IS_ENABLED(CONFIG_KVM) || !is_hyp_mode_available()) ++ return; ++ ++ hyp_vecs_end = kvm_bhb_get_vecs_end(hyp_vecs_start); ++ if (WARN_ON_ONCE(!hyp_vecs_start || !hyp_vecs_end)) ++ return; ++ ++ spin_lock(&bp_lock); ++ for_each_possible_cpu(cpu) { ++ if (per_cpu(bp_hardening_data.template_start, cpu) == hyp_vecs_start) { ++ slot = per_cpu(bp_hardening_data.hyp_vectors_slot, cpu); ++ break; ++ } ++ } ++ ++ if (slot == -1) { ++ last_slot++; ++ BUG_ON(((__bp_harden_hyp_vecs_end - __bp_harden_hyp_vecs_start) ++ / SZ_2K) <= last_slot); ++ slot = last_slot; ++ __copy_hyp_vect_bpi(slot, hyp_vecs_start, hyp_vecs_end); ++ } ++ ++ __this_cpu_write(bp_hardening_data.hyp_vectors_slot, slot); ++ __this_cpu_write(bp_hardening_data.template_start, hyp_vecs_start); ++ spin_unlock(&bp_lock); ++} ++#else ++#define __smccc_workaround_3_smc_start NULL ++#define __spectre_bhb_loop_k8_start NULL ++#define __spectre_bhb_loop_k24_start NULL ++#define __spectre_bhb_loop_k32_start NULL ++ ++void kvm_setup_bhb_slot(const char *hyp_vecs_start) { }; ++#endif +-- +2.34.1 + 
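Review bot: In the bpi.S section, the `__spectre_bhb_loop_k24_start` and `__spectre_bhb_loop_k32_start` templates both load `mov x0, #8`, exactly as the k8 template does, so hyp vectors built from them run only 8 loop iterations on CPUs that are meant to get 24 or 32. They should read `mov x0, #24` and `mov x0, #32` respectively. Because the mitigation state is tracked separately from the template contents, a host selecting the k24 or k32 template could still be reported as mitigated while running the shorter sequence. Separately, `ARM64_SPECTRE_BHB` is given the value 28 next to neighbours numbered 33 to 35; the definitions below 33 are outside the hunk, so it is worth confirming that 28 is not already assigned in this tree.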
diff --git a/patches.suse/0019-arm64-Mitigate-spectre-style-branch-history-side-cha.patch b/patches.suse/0019-arm64-Mitigate-spectre-style-branch-history-side-cha.patch
new file mode 100644
index 0000000..473aeed
--- /dev/null
+++ b/patches.suse/0019-arm64-Mitigate-spectre-style-branch-history-side-cha.patch
@@ -0,0 +1,522 @@ +From b8f737adce6c3043120f61b338361ae7535e5f51 Mon Sep 17 00:00:00 2001 +From: James Morse +Date: Mon, 28 Feb 2022 17:58:00 +0100 +Subject: [PATCH 19/22] arm64: Mitigate spectre style branch history side + channels + +Git-commit: 558c303c9734af5a813739cd284879227f7297d2 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: Queued in a subsystem tree +References: bsc#1191580 CVE-2022-0001 CVE-2022-000 CVE-2022-23960 + + +Speculation attacks against some high-performance processors can +make use of branch history to influence future speculation. +When taking an exception from user-space, a sequence of branches +or a firmware call overwrites or invalidates the branch history. + +The sequence of branches is added to the vectors, and should appear +before the first indirect branch. For systems using KPTI the sequence +is added to the kpti trampoline where it has a free register as the exit +from the trampoline is via a 'ret'. For systems not using KPTI, the same +register tricks are used to free up a register in the vectors. + +For the firmware call, arch-workaround-3 clobbers 4 registers, so +there is no choice but to save them to the EL1 stack. This only happens +for entry from EL0, so if we take an exception due to the stack access, +it will not become re-entrant. + +For KVM, the existing branch-predictor-hardening vectors are used. +When a spectre version of these vectors is in use, the firmware call +is sufficient to mitigate against Spectre-BHB. For the non-spectre +versions, the sequence of branches is added to the indirect vector. 
+ +Reviewed-by: Catalin Marinas +Cc: # # # +Signed-off-by: Matthias Brugger +--- + arch/arm64/Kconfig | 10 ++ + arch/arm64/include/asm/assembler.h | 4 +- + arch/arm64/include/asm/cpufeature.h | 18 ++ + arch/arm64/include/asm/cputype.h | 8 + + arch/arm64/include/asm/sysreg.h | 1 + + arch/arm64/include/asm/vectors.h | 6 + + arch/arm64/kernel/cpu_errata.c | 268 +++++++++++++++++++++++++++- + arch/arm64/kvm/hyp/hyp-entry.S | 4 + + 8 files changed, 316 insertions(+), 3 deletions(-) + +diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig +index 3dd2cc31f0ff3..e3a29133eb69b 100644 +--- a/arch/arm64/Kconfig ++++ b/arch/arm64/Kconfig +@@ -942,6 +942,16 @@ config ARM64_SSBD + + If unsure, say Y. + ++config MITIGATE_SPECTRE_BRANCH_HISTORY ++ bool "Mitigate Spectre style attacks against branch history" if EXPERT ++ default y ++ depends on HARDEN_BRANCH_PREDICTOR || !KVM ++ help ++ Speculation attacks against some high-performance processors can ++ make use of branch history to influence future speculation. ++ When taking an exception from user-space, a sequence of branches ++ or a firmware call overwrites the branch history. ++ + menuconfig ARMV8_DEPRECATED + bool "Emulate deprecated/obsolete ARMv8 instructions" + depends on COMPAT +diff --git a/arch/arm64/include/asm/assembler.h b/arch/arm64/include/asm/assembler.h +index 5c50a5df8f6e9..73fc138067855 100644 +--- a/arch/arm64/include/asm/assembler.h ++++ b/arch/arm64/include/asm/assembler.h +@@ -576,7 +576,9 @@ USER(\label, ic ivau, \tmp2) // invalidate I line PoU + + .macro __mitigate_spectre_bhb_loop tmp + #ifdef CONFIG_MITIGATE_SPECTRE_BRANCH_HISTORY +- mov \tmp, #32 ++alternative_cb spectre_bhb_patch_loop_iter ++ mov \tmp, #32 // Patched to correct the immediate ++alternative_cb_end + .Lspectre_bhb_loop\@: + b . 
+ 4 + subs \tmp, \tmp, #1 +diff --git a/arch/arm64/include/asm/cpufeature.h b/arch/arm64/include/asm/cpufeature.h +index 695cea1349f4b..43ee1b3183710 100644 +--- a/arch/arm64/include/asm/cpufeature.h ++++ b/arch/arm64/include/asm/cpufeature.h +@@ -483,6 +483,21 @@ static inline bool cpu_supports_mixed_endian_el0(void) + return id_aa64mmfr0_mixed_endian_el0(read_cpuid(ID_AA64MMFR0_EL1)); + } + ++static inline bool supports_csv2p3(int scope) ++{ ++ u64 pfr0; ++ u8 csv2_val; ++ ++ if (scope == SCOPE_LOCAL_CPU) ++ pfr0 = read_sysreg_s(SYS_ID_AA64PFR0_EL1); ++ else ++ pfr0 = read_sanitised_ftr_reg(SYS_ID_AA64PFR0_EL1); ++ ++ csv2_val = cpuid_feature_extract_unsigned_field(pfr0, ++ ID_AA64PFR0_CSV2_SHIFT); ++ return csv2_val == 3; ++} ++ + static inline bool system_supports_32bit_el0(void) + { + return cpus_have_const_cap(ARM64_HAS_32BIT_EL0); +@@ -569,6 +584,9 @@ enum mitigation_state { + }; + + enum mitigation_state arm64_get_spectre_bhb_state(void); ++bool is_spectre_bhb_affected(const struct arm64_cpu_capabilities *entry, int scope); ++u8 spectre_bhb_loop_affected(int scope); ++void spectre_bhb_enable_mitigation(const struct arm64_cpu_capabilities *__unused); + #endif /* __ASSEMBLY__ */ + + #endif +diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h +index 2eaec505a8d64..e8c012f6dbf1b 100644 +--- a/arch/arm64/include/asm/cputype.h ++++ b/arch/arm64/include/asm/cputype.h +@@ -90,9 +90,13 @@ + #define ARM_CPU_PART_CORTEX_A76 0xD0B + #define ARM_CPU_PART_NEOVERSE_N1 0xD0C + #define ARM_CPU_PART_CORTEX_A77 0xD0D ++#define ARM_CPU_PART_NEOVERSE_V1 0xD40 ++#define ARM_CPU_PART_CORTEX_A78 0xD41 ++#define ARM_CPU_PART_CORTEX_X1 0xD44 + #define ARM_CPU_PART_CORTEX_A710 0xD47 + #define ARM_CPU_PART_CORTEX_X2 0xD48 + #define ARM_CPU_PART_NEOVERSE_N2 0xD49 ++#define ARM_CPU_PART_CORTEX_A78C 0xD4B + + #define APM_CPU_PART_POTENZA 0x000 + +@@ -121,9 +125,13 @@ + #define MIDR_CORTEX_A76 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76) + #define 
MIDR_NEOVERSE_N1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N1) + #define MIDR_CORTEX_A77 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A77) ++#define MIDR_NEOVERSE_V1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V1) ++#define MIDR_CORTEX_A78 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78) ++#define MIDR_CORTEX_X1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X1) + #define MIDR_CORTEX_A710 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A710) + #define MIDR_CORTEX_X2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X2) + #define MIDR_NEOVERSE_N2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N2) ++#define MIDR_CORTEX_A78C MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78C) + #define MIDR_THUNDERX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX) + #define MIDR_THUNDERX_81XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_81XX) + #define MIDR_THUNDERX_83XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_83XX) +diff --git a/arch/arm64/include/asm/sysreg.h b/arch/arm64/include/asm/sysreg.h +index cf6db298116ca..118d6ffcaba7d 100644 +--- a/arch/arm64/include/asm/sysreg.h ++++ b/arch/arm64/include/asm/sysreg.h +@@ -578,6 +578,7 @@ + #endif + + /* id_aa64mmfr1 */ ++#define ID_AA64MMFR1_ECBHB_SHIFT 60 + #define ID_AA64MMFR1_PAN_SHIFT 20 + #define ID_AA64MMFR1_LOR_SHIFT 16 + #define ID_AA64MMFR1_HPD_SHIFT 12 +diff --git a/arch/arm64/include/asm/vectors.h b/arch/arm64/include/asm/vectors.h +index 3f76dfd9e0744..f222d8e033b32 100644 +--- a/arch/arm64/include/asm/vectors.h ++++ b/arch/arm64/include/asm/vectors.h +@@ -9,6 +9,7 @@ + #include + + #include ++#include + + extern char vectors[]; + extern char tramp_vectors[]; +@@ -40,6 +41,11 @@ enum arm64_bp_harden_el1_vectors { + EL1_VECTOR_KPTI, + }; + ++#ifndef CONFIG_MITIGATE_SPECTRE_BRANCH_HISTORY ++#define EL1_VECTOR_BHB_LOOP -1 ++#define EL1_VECTOR_BHB_FW -1 ++#endif /* !CONFIG_MITIGATE_SPECTRE_BRANCH_HISTORY */ ++ + /* The 
vectors to use on return from EL0. e.g. to remap the kernel */ + DECLARE_PER_CPU_READ_MOSTLY(const char *, this_cpu_vector); + +diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c +index bce8e9b25f9d6..058b5ea86b0af 100644 +--- a/arch/arm64/kernel/cpu_errata.c ++++ b/arch/arm64/kernel/cpu_errata.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + + static bool __maybe_unused + is_affected_midr_range(const struct arm64_cpu_capabilities *entry, int scope) +@@ -820,6 +821,13 @@ const struct arm64_cpu_capabilities arm64_errata[] = { + .matches = check_branch_predictor, + .cpu_enable = cpu_enable_branch_predictor_hardening, + }, ++ { ++ .desc = "Spectre-BHB", ++ .capability = ARM64_SPECTRE_BHB, ++ .type = ARM64_CPUCAP_LOCAL_CPU_ERRATUM, ++ .matches = is_spectre_bhb_affected, ++ .cpu_enable = spectre_bhb_enable_mitigation, ++ }, + { + .desc = "Speculative Store Bypass Disable", + .capability = ARM64_SSBD, +@@ -908,6 +916,33 @@ ssize_t cpu_show_spec_store_bypass(struct device *dev, + return sprintf(buf, "Vulnerable\n"); + } + ++/* ++ * We try to ensure that the mitigation state can never change as the result of ++ * onlining a late CPU. ++ */ ++static void update_mitigation_state(enum mitigation_state *oldp, ++ enum mitigation_state new) ++{ ++ enum mitigation_state state; ++ ++ do { ++ state = READ_ONCE(*oldp); ++ if (new <= state) ++ break; ++ } while (cmpxchg_relaxed(oldp, state, new) != state); ++} ++ ++/* ++ * Spectre BHB. ++ * ++ * A CPU is either: ++ * - Mitigated by a branchy loop a CPU specific number of times, and listed ++ * in our "loop mitigated list". ++ * - Mitigated in software by the firmware Spectre v2 call. ++ * - Has the 'Exception Clears Branch History Buffer' (ECBHB) feature, so no ++ * software mitigation in the vectors is needed. ++ * - Has CSV2.3, so is unaffected. 
++ */ + static enum mitigation_state spectre_bhb_state; + + enum mitigation_state arm64_get_spectre_bhb_state(void) +@@ -915,6 +950,163 @@ enum mitigation_state arm64_get_spectre_bhb_state(void) + return spectre_bhb_state; + } + ++/* ++ * This must be called with SCOPE_LOCAL_CPU for each type of CPU, before any ++ * SCOPE_SYSTEM call will give the right answer. ++ */ ++u8 spectre_bhb_loop_affected(int scope) ++{ ++ u8 k = 0; ++ static u8 max_bhb_k; ++ ++ if (scope == SCOPE_LOCAL_CPU) { ++ static const struct midr_range spectre_bhb_k32_list[] = { ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_X1), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A710), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_X2), ++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2), ++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1), ++ {}, ++ }; ++ static const struct midr_range spectre_bhb_k24_list[] = { ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A77), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A76), ++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1), ++ {}, ++ }; ++ static const struct midr_range spectre_bhb_k8_list[] = { ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A72), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A57), ++ {}, ++ }; ++ ++ if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k32_list)) ++ k = 32; ++ else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k24_list)) ++ k = 24; ++ else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k8_list)) ++ k = 8; ++ ++ max_bhb_k = max(max_bhb_k, k); ++ } else { ++ k = max_bhb_k; ++ } ++ ++ return k; ++} ++ ++static enum mitigation_state spectre_bhb_get_cpu_fw_mitigation_state(void) ++{ ++ int ret; ++ struct arm_smccc_res res; ++ ++ if (psci_ops.smccc_version == SMCCC_VERSION_1_0) ++ return SPECTRE_VULNERABLE; ++ ++ switch (psci_ops.conduit) { ++ case PSCI_CONDUIT_HVC: ++ arm_smccc_1_1_hvc(ARM_SMCCC_ARCH_FEATURES_FUNC_ID, ++ ARM_SMCCC_ARCH_WORKAROUND_3, &res); ++ break; ++ ++ case PSCI_CONDUIT_SMC: ++ arm_smccc_1_1_smc(ARM_SMCCC_ARCH_FEATURES_FUNC_ID, ++ 
ARM_SMCCC_ARCH_WORKAROUND_3, &res); ++ break; ++ ++ default: ++ return SPECTRE_VULNERABLE; ++ } ++ ++ ret = res.a0; ++ switch (ret) { ++ case SMCCC_RET_SUCCESS: ++ return SPECTRE_MITIGATED; ++ case SMCCC_ARCH_WORKAROUND_RET_UNAFFECTED: ++ return SPECTRE_UNAFFECTED; ++ default: ++ case SMCCC_RET_NOT_SUPPORTED: ++ return SPECTRE_VULNERABLE; ++ } ++} ++ ++static bool is_spectre_bhb_fw_affected(int scope) ++{ ++ static bool system_affected; ++ enum mitigation_state fw_state; ++ bool has_smccc = (psci_ops.smccc_version >= SMCCC_VERSION_1_1); ++ static const struct midr_range spectre_bhb_firmware_mitigated_list[] = { ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A73), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A75), ++ {}, ++ }; ++ bool cpu_in_list = is_midr_in_range_list(read_cpuid_id(), ++ spectre_bhb_firmware_mitigated_list); ++ ++ if (scope != SCOPE_LOCAL_CPU) ++ return system_affected; ++ ++ fw_state = spectre_bhb_get_cpu_fw_mitigation_state(); ++ if (cpu_in_list || (has_smccc && fw_state == SPECTRE_MITIGATED)) { ++ system_affected = true; ++ return true; ++ } ++ ++ return false; ++} ++ ++static bool supports_ecbhb(int scope) ++{ ++ u64 mmfr1; ++ ++ if (scope == SCOPE_LOCAL_CPU) ++ mmfr1 = read_sysreg_s(SYS_ID_AA64MMFR1_EL1); ++ else ++ mmfr1 = read_sanitised_ftr_reg(SYS_ID_AA64MMFR1_EL1); ++ ++ return cpuid_feature_extract_unsigned_field(mmfr1, ++ ID_AA64MMFR1_ECBHB_SHIFT); ++} ++ ++bool is_spectre_bhb_affected(const struct arm64_cpu_capabilities *entry, ++ int scope) ++{ ++ WARN_ON(scope != SCOPE_LOCAL_CPU || preemptible()); ++ ++ if (supports_csv2p3(scope)) ++ return false; ++ ++ if (spectre_bhb_loop_affected(scope)) ++ return true; ++ ++ if (is_spectre_bhb_fw_affected(scope)) ++ return true; ++ ++ return false; ++} ++ ++static void this_cpu_set_vectors(enum arm64_bp_harden_el1_vectors slot) ++{ ++ const char *v = arm64_get_bp_hardening_vector(slot); ++ ++ if (slot < 0) ++ return; ++ ++ __this_cpu_write(this_cpu_vector, v); ++ ++ /* ++ * When KPTI is in use, the vectors are switched 
when exiting to ++ * user-space. ++ */ ++ if (arm64_kernel_unmapped_at_el0()) ++ return; ++ ++ write_sysreg(v, vbar_el1); ++ isb(); ++} ++ + #ifdef CONFIG_KVM + static const char *kvm_bhb_get_vecs_end(const char *start) + { +@@ -930,7 +1122,7 @@ static const char *kvm_bhb_get_vecs_end(const char *start) + return NULL; + } + +-void kvm_setup_bhb_slot(const char *hyp_vecs_start) ++static void kvm_setup_bhb_slot(const char *hyp_vecs_start) + { + int cpu, slot = -1; + const char *hyp_vecs_end; +@@ -968,5 +1160,77 @@ void kvm_setup_bhb_slot(const char *hyp_vecs_start) + #define __spectre_bhb_loop_k24_start NULL + #define __spectre_bhb_loop_k32_start NULL + +-void kvm_setup_bhb_slot(const char *hyp_vecs_start) { }; ++static void kvm_setup_bhb_slot(const char *hyp_vecs_start) { }; + #endif ++ ++void spectre_bhb_enable_mitigation(const struct arm64_cpu_capabilities *entry) ++{ ++ enum mitigation_state fw_state, state = SPECTRE_VULNERABLE; ++ ++ if (!is_spectre_bhb_affected(entry, SCOPE_LOCAL_CPU)) ++ return; ++ ++ if (!__spectrev2_safe && !__hardenbp_enab) { ++ /* No point mitigating Spectre-BHB alone. 
*/ ++ } else if (!IS_ENABLED(CONFIG_MITIGATE_SPECTRE_BRANCH_HISTORY)) { ++ pr_info_once("spectre-bhb mitigation disabled by compile time option\n"); ++ } else if (cpu_mitigations_off()) { ++ pr_info_once("spectre-bhb mitigation disabled by command line option\n"); ++ } else if (supports_ecbhb(SCOPE_LOCAL_CPU)) { ++ state = SPECTRE_MITIGATED; ++ } else if (spectre_bhb_loop_affected(SCOPE_LOCAL_CPU)) { ++ switch (spectre_bhb_loop_affected(SCOPE_SYSTEM)) { ++ case 8: ++ kvm_setup_bhb_slot(__spectre_bhb_loop_k8_start); ++ break; ++ case 24: ++ kvm_setup_bhb_slot(__spectre_bhb_loop_k24_start); ++ break; ++ case 32: ++ kvm_setup_bhb_slot(__spectre_bhb_loop_k32_start); ++ break; ++ default: ++ WARN_ON_ONCE(1); ++ } ++ this_cpu_set_vectors(EL1_VECTOR_BHB_LOOP); ++ ++ state = SPECTRE_MITIGATED; ++ } else if (is_spectre_bhb_fw_affected(SCOPE_LOCAL_CPU)) { ++ fw_state = spectre_bhb_get_cpu_fw_mitigation_state(); ++ if (fw_state == SPECTRE_MITIGATED) { ++ kvm_setup_bhb_slot(__smccc_workaround_3_smc_start); ++ this_cpu_set_vectors(EL1_VECTOR_BHB_FW); ++ ++ /* ++ * With WA3 in the vectors, the WA1 calls can be ++ * removed. 
++ */ ++ __this_cpu_write(bp_hardening_data.fn, NULL); ++ ++ state = SPECTRE_MITIGATED; ++ } ++ } ++ ++ update_mitigation_state(&spectre_bhb_state, state); ++} ++ ++/* Patched to correct the immediate */ ++void __init spectre_bhb_patch_loop_iter(struct alt_instr *alt, ++ __le32 *origptr, __le32 *updptr, int nr_inst) ++{ ++ u8 rd; ++ u32 insn; ++ u16 loop_count = spectre_bhb_loop_affected(SCOPE_SYSTEM); ++ ++ BUG_ON(nr_inst != 1); /* MOV -> MOV */ ++ ++ if (!IS_ENABLED(CONFIG_MITIGATE_SPECTRE_BRANCH_HISTORY)) ++ return; ++ ++ insn = le32_to_cpu(*origptr); ++ rd = aarch64_insn_decode_register(AARCH64_INSN_REGTYPE_RD, insn); ++ insn = aarch64_insn_gen_movewide(rd, loop_count, 0, ++ AARCH64_INSN_VARIANT_64BIT, ++ AARCH64_INSN_MOVEWIDE_ZERO); ++ *updptr++ = cpu_to_le32(insn); ++} +diff --git a/arch/arm64/kvm/hyp/hyp-entry.S b/arch/arm64/kvm/hyp/hyp-entry.S +index 3c283fd8c8f5a..94007edacae3a 100644 +--- a/arch/arm64/kvm/hyp/hyp-entry.S ++++ b/arch/arm64/kvm/hyp/hyp-entry.S +@@ -111,6 +111,10 @@ el1_hvc_guest: + /* ARM_SMCCC_ARCH_WORKAROUND_2 handling */ + eor w1, w1, #(ARM_SMCCC_ARCH_WORKAROUND_1 ^ \ + ARM_SMCCC_ARCH_WORKAROUND_2) ++ cbz w1, wa_epilogue ++ ++ eor w1, w1, #(ARM_SMCCC_ARCH_WORKAROUND_2 ^ \ ++ ARM_SMCCC_ARCH_WORKAROUND_3) + cbnz w1, el1_trap + + #ifdef CONFIG_ARM64_SSBD +-- +2.34.1 + diff --git a/patches.suse/0020-KVM-arm64-Allow-SMCCC_ARCH_WORKAROUND_3-to-be-discov.patch b/patches.suse/0020-KVM-arm64-Allow-SMCCC_ARCH_WORKAROUND_3-to-be-discov.patch new file mode 100644 index 0000000..b9f03f1 --- /dev/null +++ b/patches.suse/0020-KVM-arm64-Allow-SMCCC_ARCH_WORKAROUND_3-to-be-discov.patch 
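Review bot: `this_cpu_set_vectors()` calls `arm64_get_bp_hardening_vector(slot)` in the initializer of `v` before its `if (slot < 0) return;` guard, and this same patch defines `EL1_VECTOR_BHB_LOOP` and `EL1_VECTOR_BHB_FW` as -1 when `CONFIG_MITIGATE_SPECTRE_BRANCH_HISTORY` is off. The helper is defined outside the hunk, so whether a negative slot is harmless there cannot be seen from here. Doing the lookup after the guard removes the question: declare `const char *v;`, keep the guard, then assign `v = arm64_get_bp_hardening_vector(slot);`. A one-line comment on the guard saying that negative slots stand for compiled-out vectors would also help the next reader.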
@@ -0,0 +1,110 @@ +From 0d6285b1bacbbaa940b0489b21c2143af37fb7c5 Mon Sep 17 00:00:00 2001 +From: James Morse +Date: Tue, 12 Oct 2021 12:16:00 +0200 +Subject: [PATCH 20/22] KVM: arm64: Allow SMCCC_ARCH_WORKAROUND_3 to be + discovered and migrated + +Git-commit: a5905d6af492ee6a4a2205f0d550b3f931b03d03 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: Queued in a subsystem tree +References: bsc#1191580 CVE-2022-0001 CVE-2022-000 CVE-2022-23960 + +KVM allows the guest to discover whether the ARCH_WORKAROUND SMCCC are +implemented, and to preserve that state during migration through its +firmware register interface. + +Add the necessary boiler plate for SMCCC_ARCH_WORKAROUND_3. + +Reviewed-by: Russell King (Oracle) +Reviewed-by: Catalin Marinas +[ kvm code moved to virt/kvm/arm, removed fw regs ABI. Added 32bit stub ] +Signed-off-by: James Morse +Signed-off-by: Matthias Brugger +--- + arch/arm/include/asm/kvm_host.h | 6 ++++++ + arch/arm/include/asm/spectre.h | 12 ++++++++++++ + arch/arm64/include/asm/kvm_host.h | 5 +++++ + virt/kvm/arm/psci.c | 12 ++++++++++++ + 4 files changed, 35 insertions(+) + create mode 100644 arch/arm/include/asm/spectre.h + +diff --git a/arch/arm/include/asm/kvm_host.h b/arch/arm/include/asm/kvm_host.h +index bafceaaa4cc33..ae17d957c1b6b 100644 +--- a/arch/arm/include/asm/kvm_host.h ++++ b/arch/arm/include/asm/kvm_host.h +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + #include + + #define __KVM_HAVE_ARCH_INTC_INITIALIZED +@@ -350,4 +351,9 @@ static inline void kvm_vcpu_put_sysregs(struct kvm_vcpu *vcpu) {} + struct kvm *kvm_arch_alloc_vm(void); + void kvm_arch_free_vm(struct kvm *kvm); + ++static inline int kvm_arm_get_spectre_bhb_state(void) ++{ ++ /* 32bit guests don't need firmware for this */ ++ return SPECTRE_VULNERABLE; /* aka SMCCC_RET_NOT_SUPPORTED */ ++} + #endif /* __ARM_KVM_HOST_H__ */ +diff --git a/arch/arm/include/asm/spectre.h b/arch/arm/include/asm/spectre.h +new file mode 
100644 +index 0000000000000..c672caa13fa24 +--- /dev/null ++++ b/arch/arm/include/asm/spectre.h +@@ -0,0 +1,12 @@ ++/* SPDX-License-Identifier: GPL-2.0-only */ ++ ++#ifndef __ASM_SPECTRE_H ++#define __ASM_SPECTRE_H ++ ++enum { ++ SPECTRE_UNAFFECTED, ++ SPECTRE_MITIGATED, ++ SPECTRE_VULNERABLE, ++}; ++ ++#endif +diff --git a/arch/arm64/include/asm/kvm_host.h b/arch/arm64/include/asm/kvm_host.h +index 6dc9c67aebd4e..f4e810f5f4037 100644 +--- a/arch/arm64/include/asm/kvm_host.h ++++ b/arch/arm64/include/asm/kvm_host.h +@@ -502,4 +502,9 @@ void kvm_vcpu_put_sysregs(struct kvm_vcpu *vcpu); + struct kvm *kvm_arch_alloc_vm(void); + void kvm_arch_free_vm(struct kvm *kvm); + ++static inline enum mitigation_state kvm_arm_get_spectre_bhb_state(void) ++{ ++ return arm64_get_spectre_bhb_state(); ++} ++ + #endif /* __ARM64_KVM_HOST_H__ */ +diff --git a/virt/kvm/arm/psci.c b/virt/kvm/arm/psci.c +index c95ab4c5a4751..129b755824e12 100644 +--- a/virt/kvm/arm/psci.c ++++ b/virt/kvm/arm/psci.c +@@ -433,6 +433,18 @@ int kvm_hvc_call_handler(struct kvm_vcpu *vcpu) + break; + } + break; ++ case ARM_SMCCC_ARCH_WORKAROUND_3: ++ switch (kvm_arm_get_spectre_bhb_state()) { ++ case SPECTRE_VULNERABLE: ++ break; ++ case SPECTRE_MITIGATED: ++ val = SMCCC_RET_SUCCESS; ++ break; ++ case SPECTRE_UNAFFECTED: ++ val = SMCCC_ARCH_WORKAROUND_RET_UNAFFECTED; ++ break; ++ } ++ break; + } + break; + default: +-- +2.34.1 + diff --git a/patches.suse/0021-arm64-add-ID_AA64ISAR2_EL1-sys-register.patch b/patches.suse/0021-arm64-add-ID_AA64ISAR2_EL1-sys-register.patch new file mode 100644 index 0000000..a578f83 --- /dev/null +++ b/patches.suse/0021-arm64-add-ID_AA64ISAR2_EL1-sys-register.patch 
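Review bot: The `References:` trailer in this patch header lists `CVE-2022-000`, which is not a complete CVE identifier, and the same truncated token appears in the headers of the 0021 (ID_AA64ISAR2_EL1) and 0022 (clearbhb) patches added later in this diff. Tooling that maps backports to advisories through the References field will not associate these patches with the intended CVE. The trailer should carry the full identifier recorded for bsc#1191580, in the form `References: bsc#1191580 CVE-2022-0001 <FULL-CVE-ID-FROM-BUG> CVE-2022-23960`. Separately, the bracketed backport note says the firmware-register ABI was removed, so the "migrated" half of the subject may not apply to this tree; a sentence in the description saying so would avoid a wrong assumption about mitigation state surviving migration.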
@@ -0,0 +1,119 @@ +From c7f1e9a45652cf3286e1fb9362e6d454cd46e2ac Mon Sep 17 00:00:00 2001 +From: James Morse +Date: Mon, 28 Feb 2022 18:40:00 +0100 +Subject: [PATCH 21/22] arm64: add ID_AA64ISAR2_EL1 sys register + +Git-commit: 9e45365f1469ef2b934f9d035975dbc9ad352116 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: Queued in a subsystem tree +References: bsc#1191580 CVE-2022-0001 CVE-2022-000 CVE-2022-23960 + + +This is a new ID register, introduced in 8.7. + +Signed-off-by: Joey Gouly +Cc: Will Deacon +Cc: Marc Zyngier +Cc: James Morse +Cc: Alexandru Elisei +Cc: Suzuki K Poulose +Cc: Reiji Watanabe +Acked-by: Marc Zyngier +Link: https://lore.kernel.org/r/20211210165432.8106-3-joey.gouly@arm.com +Signed-off-by: Catalin Marinas +Signed-off-by: James Morse +Signed-off-by: Matthias Brugger +--- + arch/arm64/include/asm/cpu.h | 1 + + arch/arm64/include/asm/sysreg.h | 1 + + arch/arm64/kernel/cpufeature.c | 9 +++++++++ + arch/arm64/kernel/cpuinfo.c | 1 + + 4 files changed, 12 insertions(+) + +diff --git a/arch/arm64/include/asm/cpu.h b/arch/arm64/include/asm/cpu.h +index 88392272250e8..3a9908a012190 100644 +--- a/arch/arm64/include/asm/cpu.h ++++ b/arch/arm64/include/asm/cpu.h +@@ -36,6 +36,7 @@ struct cpuinfo_arm64 { + u64 reg_id_aa64dfr1; + u64 reg_id_aa64isar0; + u64 reg_id_aa64isar1; ++ u64 reg_id_aa64isar2; + u64 reg_id_aa64mmfr0; + u64 reg_id_aa64mmfr1; + u64 reg_id_aa64mmfr2; +diff --git a/arch/arm64/include/asm/sysreg.h b/arch/arm64/include/asm/sysreg.h +index 118d6ffcaba7d..2ea85c600ae10 100644 +--- a/arch/arm64/include/asm/sysreg.h ++++ b/arch/arm64/include/asm/sysreg.h +@@ -159,6 +159,7 @@ + + #define SYS_ID_AA64ISAR0_EL1 sys_reg(3, 0, 0, 6, 0) + #define SYS_ID_AA64ISAR1_EL1 sys_reg(3, 0, 0, 6, 1) ++#define SYS_ID_AA64ISAR2_EL1 sys_reg(3, 0, 0, 6, 2) + + #define SYS_ID_AA64MMFR0_EL1 sys_reg(3, 0, 0, 7, 0) + #define SYS_ID_AA64MMFR1_EL1 sys_reg(3, 0, 0, 7, 1) +diff --git a/arch/arm64/kernel/cpufeature.c 
b/arch/arm64/kernel/cpufeature.c +index 0dfe9278656ff..9bba8c0b75e87 100644 +--- a/arch/arm64/kernel/cpufeature.c ++++ b/arch/arm64/kernel/cpufeature.c +@@ -154,6 +154,10 @@ static const struct arm64_ftr_bits ftr_id_aa64isar1[] = { + ARM64_FTR_END, + }; + ++static const struct arm64_ftr_bits ftr_id_aa64isar2[] = { ++ ARM64_FTR_END, ++}; ++ + static const struct arm64_ftr_bits ftr_id_aa64pfr0[] = { + ARM64_FTR_BITS(FTR_HIDDEN, FTR_NONSTRICT, FTR_LOWER_SAFE, ID_AA64PFR0_CSV3_SHIFT, 4, 0), + ARM64_FTR_BITS(FTR_HIDDEN, FTR_NONSTRICT, FTR_LOWER_SAFE, ID_AA64PFR0_CSV2_SHIFT, 4, 0), +@@ -393,6 +397,7 @@ static const struct __ftr_reg_entry { + /* Op1 = 0, CRn = 0, CRm = 6 */ + ARM64_FTR_REG(SYS_ID_AA64ISAR0_EL1, ftr_id_aa64isar0), + ARM64_FTR_REG(SYS_ID_AA64ISAR1_EL1, ftr_id_aa64isar1), ++ ARM64_FTR_REG(SYS_ID_AA64ISAR2_EL1, ftr_id_aa64isar2), + + /* Op1 = 0, CRn = 0, CRm = 7 */ + ARM64_FTR_REG(SYS_ID_AA64MMFR0_EL1, ftr_id_aa64mmfr0), +@@ -537,6 +542,7 @@ void __init init_cpu_features(struct cpuinfo_arm64 *info) + init_cpu_ftr_reg(SYS_ID_AA64DFR1_EL1, info->reg_id_aa64dfr1); + init_cpu_ftr_reg(SYS_ID_AA64ISAR0_EL1, info->reg_id_aa64isar0); + init_cpu_ftr_reg(SYS_ID_AA64ISAR1_EL1, info->reg_id_aa64isar1); ++ init_cpu_ftr_reg(SYS_ID_AA64ISAR2_EL1, info->reg_id_aa64isar2); + init_cpu_ftr_reg(SYS_ID_AA64MMFR0_EL1, info->reg_id_aa64mmfr0); + init_cpu_ftr_reg(SYS_ID_AA64MMFR1_EL1, info->reg_id_aa64mmfr1); + init_cpu_ftr_reg(SYS_ID_AA64MMFR2_EL1, info->reg_id_aa64mmfr2); +@@ -654,6 +660,8 @@ void update_cpu_features(int cpu, + info->reg_id_aa64isar0, boot->reg_id_aa64isar0); + taint |= check_update_ftr_reg(SYS_ID_AA64ISAR1_EL1, cpu, + info->reg_id_aa64isar1, boot->reg_id_aa64isar1); ++ taint |= check_update_ftr_reg(SYS_ID_AA64ISAR2_EL1, cpu, ++ info->reg_id_aa64isar2, boot->reg_id_aa64isar2); + + /* + * Differing PARange support is fine as long as all peripherals and +@@ -790,6 +798,7 @@ static u64 __read_sysreg_by_encoding(u32 sys_id) + read_sysreg_case(SYS_ID_AA64MMFR2_EL1); + 
read_sysreg_case(SYS_ID_AA64ISAR0_EL1); + read_sysreg_case(SYS_ID_AA64ISAR1_EL1); ++ read_sysreg_case(SYS_ID_AA64ISAR2_EL1); + + read_sysreg_case(SYS_CNTFRQ_EL0); + read_sysreg_case(SYS_CTR_EL0); +diff --git a/arch/arm64/kernel/cpuinfo.c b/arch/arm64/kernel/cpuinfo.c +index 984274f7e317b..875f9a82a9c40 100644 +--- a/arch/arm64/kernel/cpuinfo.c ++++ b/arch/arm64/kernel/cpuinfo.c +@@ -342,6 +342,7 @@ static void __cpuinfo_store_cpu(struct cpuinfo_arm64 *info) + info->reg_id_aa64dfr1 = read_cpuid(ID_AA64DFR1_EL1); + info->reg_id_aa64isar0 = read_cpuid(ID_AA64ISAR0_EL1); + info->reg_id_aa64isar1 = read_cpuid(ID_AA64ISAR1_EL1); ++ info->reg_id_aa64isar2 = read_cpuid(ID_AA64ISAR2_EL1); + info->reg_id_aa64mmfr0 = read_cpuid(ID_AA64MMFR0_EL1); + info->reg_id_aa64mmfr1 = read_cpuid(ID_AA64MMFR1_EL1); + info->reg_id_aa64mmfr2 = read_cpuid(ID_AA64MMFR2_EL1); +-- +2.34.1 + diff --git a/patches.suse/0022-arm64-Use-the-clearbhb-instruction-in-mitigations.patch b/patches.suse/0022-arm64-Use-the-clearbhb-instruction-in-mitigations.patch new file mode 100644 index 0000000..65185b0 --- /dev/null +++ b/patches.suse/0022-arm64-Use-the-clearbhb-instruction-in-mitigations.patch 
@@ -0,0 +1,244 @@ +From 955dd30fd47b0ff094532f11d6b83a7ddba0b582 Mon Sep 17 00:00:00 2001 +From: James Morse +Date: Mon, 28 Feb 2022 18:42:00 +0100 +Subject: [PATCH 22/22] arm64: Use the clearbhb instruction in mitigations + +Git-commit: 228a26b912287934789023b4132ba76065d9491c +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: Queued in a subsystem tree +References: bsc#1191580 CVE-2022-0001 CVE-2022-000 CVE-2022-23960 + + +Future CPUs may implement a clearbhb instruction that is sufficient +to mitigate SpectreBHB. CPUs that implement this instruction, but +not CSV2.3 must be affected by Spectre-BHB. + +Add support to use this instruction as the BHB mitigation on CPUs +that support it. The instruction is in the hint space, so it will +be treated by a NOP as older CPUs. + +Reviewed-by: Russell King (Oracle) +Reviewed-by: Catalin Marinas +[ modified for stable: Use a KVM vector template instead of alternatives ] +Signed-off-by: James Morse +Signed-off-by: Matthias Brugger +--- + arch/arm64/include/asm/assembler.h | 7 +++++++ + arch/arm64/include/asm/cpufeature.h | 13 +++++++++++++ + arch/arm64/include/asm/sysreg.h | 3 +++ + arch/arm64/include/asm/vectors.h | 7 +++++++ + arch/arm64/kernel/bpi.S | 5 +++++ + arch/arm64/kernel/cpu_errata.c | 14 ++++++++++++++ + arch/arm64/kernel/cpufeature.c | 1 + + arch/arm64/kernel/entry.S | 8 ++++++++ + 8 files changed, 58 insertions(+) + +diff --git a/arch/arm64/include/asm/assembler.h b/arch/arm64/include/asm/assembler.h +index 73fc138067855..7f4e835ab05a3 100644 +--- a/arch/arm64/include/asm/assembler.h ++++ b/arch/arm64/include/asm/assembler.h +@@ -121,6 +121,13 @@ + hint #20 + .endm + ++/* ++ * Clear Branch History instruction ++ */ ++ .macro clearbhb ++ hint #22 ++ .endm ++ + /* + * Sanitise a 64-bit bounded index wrt speculation, returning zero if out + * of bounds. 
+diff --git a/arch/arm64/include/asm/cpufeature.h b/arch/arm64/include/asm/cpufeature.h +index 43ee1b3183710..2f04f1243fa71 100644 +--- a/arch/arm64/include/asm/cpufeature.h ++++ b/arch/arm64/include/asm/cpufeature.h +@@ -498,6 +498,19 @@ static inline bool supports_csv2p3(int scope) + return csv2_val == 3; + } + ++static inline bool supports_clearbhb(int scope) ++{ ++ u64 isar2; ++ ++ if (scope == SCOPE_LOCAL_CPU) ++ isar2 = read_sysreg_s(SYS_ID_AA64ISAR2_EL1); ++ else ++ isar2 = read_sanitised_ftr_reg(SYS_ID_AA64ISAR2_EL1); ++ ++ return cpuid_feature_extract_unsigned_field(isar2, ++ ID_AA64ISAR2_CLEARBHB_SHIFT); ++} ++ + static inline bool system_supports_32bit_el0(void) + { + return cpus_have_const_cap(ARM64_HAS_32BIT_EL0); +diff --git a/arch/arm64/include/asm/sysreg.h b/arch/arm64/include/asm/sysreg.h +index 2ea85c600ae10..e037171677730 100644 +--- a/arch/arm64/include/asm/sysreg.h ++++ b/arch/arm64/include/asm/sysreg.h +@@ -522,6 +522,9 @@ + #define ID_AA64ISAR1_FCMA_SHIFT 16 + #define ID_AA64ISAR1_JSCVT_SHIFT 12 + ++/* id_aa64isar2 */ ++#define ID_AA64ISAR2_CLEARBHB_SHIFT 28 ++ + /* id_aa64pfr0 */ + #define ID_AA64PFR0_CSV3_SHIFT 60 + #define ID_AA64PFR0_CSV2_SHIFT 56 +diff --git a/arch/arm64/include/asm/vectors.h b/arch/arm64/include/asm/vectors.h +index f222d8e033b32..695583b9a145b 100644 +--- a/arch/arm64/include/asm/vectors.h ++++ b/arch/arm64/include/asm/vectors.h +@@ -33,6 +33,12 @@ enum arm64_bp_harden_el1_vectors { + * canonical vectors. + */ + EL1_VECTOR_BHB_FW, ++ ++ /* ++ * Use the ClearBHB instruction, before branching to the canonical ++ * vectors. ++ */ ++ EL1_VECTOR_BHB_CLEAR_INSN, + #endif /* CONFIG_MITIGATE_SPECTRE_BRANCH_HISTORY */ + + /* +@@ -44,6 +50,7 @@ enum arm64_bp_harden_el1_vectors { + #ifndef CONFIG_MITIGATE_SPECTRE_BRANCH_HISTORY + #define EL1_VECTOR_BHB_LOOP -1 + #define EL1_VECTOR_BHB_FW -1 ++#define EL1_VECTOR_BHB_CLEAR_INSN -1 + #endif /* !CONFIG_MITIGATE_SPECTRE_BRANCH_HISTORY */ + + /* The vectors to use on return from EL0. 
e.g. to remap the kernel */ +diff --git a/arch/arm64/kernel/bpi.S b/arch/arm64/kernel/bpi.S +index cdcf2197b72be..7060ee8e411ad 100644 +--- a/arch/arm64/kernel/bpi.S ++++ b/arch/arm64/kernel/bpi.S +@@ -115,3 +115,8 @@ ENTRY(__spectre_bhb_loop_k32_start) + ldp x0, x1, [sp, #(8 * 0)] + add sp, sp, #(8 * 2) + ENTRY(__spectre_bhb_loop_k32_end) ++ ++ENTRY(__spectre_bhb_clearbhb_start) ++ hint #22 /* aka clearbhb */ ++ isb ++ENTRY(__spectre_bhb_clearbhb_end) +diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c +index 058b5ea86b0af..6305c10a877ee 100644 +--- a/arch/arm64/kernel/cpu_errata.c ++++ b/arch/arm64/kernel/cpu_errata.c +@@ -119,6 +119,8 @@ extern char __spectre_bhb_loop_k24_start[]; + extern char __spectre_bhb_loop_k24_end[]; + extern char __spectre_bhb_loop_k32_start[]; + extern char __spectre_bhb_loop_k32_end[]; ++extern char __spectre_bhb_clearbhb_start[]; ++extern char __spectre_bhb_clearbhb_end[]; + + static void __copy_hyp_vect_bpi(int slot, const char *hyp_vecs_start, + const char *hyp_vecs_end) +@@ -939,6 +941,7 @@ static void update_mitigation_state(enum mitigation_state *oldp, + * - Mitigated by a branchy loop a CPU specific number of times, and listed + * in our "loop mitigated list". + * - Mitigated in software by the firmware Spectre v2 call. ++ * - Has the ClearBHB instruction to perform the mitigation. + * - Has the 'Exception Clears Branch History Buffer' (ECBHB) feature, so no + * software mitigation in the vectors is needed. + * - Has CSV2.3, so is unaffected. 
+@@ -1078,6 +1081,9 @@ bool is_spectre_bhb_affected(const struct arm64_cpu_capabilities *entry, + if (supports_csv2p3(scope)) + return false; + ++ if (supports_clearbhb(scope)) ++ return true; ++ + if (spectre_bhb_loop_affected(scope)) + return true; + +@@ -1118,6 +1124,8 @@ static const char *kvm_bhb_get_vecs_end(const char *start) + return __spectre_bhb_loop_k24_end; + else if (start == __spectre_bhb_loop_k32_start) + return __spectre_bhb_loop_k32_end; ++ else if (start == __spectre_bhb_clearbhb_start) ++ return __spectre_bhb_clearbhb_end; + + return NULL; + } +@@ -1159,6 +1167,7 @@ static void kvm_setup_bhb_slot(const char *hyp_vecs_start) + #define __spectre_bhb_loop_k8_start NULL + #define __spectre_bhb_loop_k24_start NULL + #define __spectre_bhb_loop_k32_start NULL ++#define __spectre_bhb_clearbhb_start NULL + + static void kvm_setup_bhb_slot(const char *hyp_vecs_start) { }; + #endif +@@ -1177,6 +1186,11 @@ void spectre_bhb_enable_mitigation(const struct arm64_cpu_capabilities *entry) + } else if (cpu_mitigations_off()) { + pr_info_once("spectre-bhb mitigation disabled by command line option\n"); + } else if (supports_ecbhb(SCOPE_LOCAL_CPU)) { ++ state = SPECTRE_MITIGATED; ++ } else if (supports_clearbhb(SCOPE_LOCAL_CPU)) { ++ kvm_setup_bhb_slot(__spectre_bhb_clearbhb_start); ++ this_cpu_set_vectors(EL1_VECTOR_BHB_CLEAR_INSN); ++ + state = SPECTRE_MITIGATED; + } else if (spectre_bhb_loop_affected(SCOPE_LOCAL_CPU)) { + switch (spectre_bhb_loop_affected(SCOPE_SYSTEM)) { +diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c +index 9bba8c0b75e87..fa442d23120d1 100644 +--- a/arch/arm64/kernel/cpufeature.c ++++ b/arch/arm64/kernel/cpufeature.c +@@ -155,6 +155,7 @@ static const struct arm64_ftr_bits ftr_id_aa64isar1[] = { + }; + + static const struct arm64_ftr_bits ftr_id_aa64isar2[] = { ++ ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_HIGHER_SAFE, ID_AA64ISAR2_CLEARBHB_SHIFT, 4, 0), + ARM64_FTR_END, + }; + +diff --git 
a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S +index 705134e7dddef..8de59778e79f8 100644 +--- a/arch/arm64/kernel/entry.S ++++ b/arch/arm64/kernel/entry.S +@@ -1108,6 +1108,7 @@ alternative_else_nop_endif + #define BHB_MITIGATION_NONE 0 + #define BHB_MITIGATION_LOOP 1 + #define BHB_MITIGATION_FW 2 ++#define BHB_MITIGATION_INSN 3 + + .macro tramp_ventry, vector_start, regsize, kpti, bhb + .align 7 +@@ -1124,6 +1125,11 @@ alternative_else_nop_endif + __mitigate_spectre_bhb_loop x30 + .endif // \bhb == BHB_MITIGATION_LOOP + ++ .if \bhb == BHB_MITIGATION_INSN ++ clearbhb ++ isb ++ .endif // \bhb == BHB_MITIGATION_INSN ++ + .if \kpti == 1 + /* + * Defend against branch aliasing attacks by pushing a dummy +@@ -1200,6 +1206,7 @@ ENTRY(tramp_vectors) + #ifdef CONFIG_MITIGATE_SPECTRE_BRANCH_HISTORY + generate_tramp_vector kpti=1, bhb=BHB_MITIGATION_LOOP + generate_tramp_vector kpti=1, bhb=BHB_MITIGATION_FW ++ generate_tramp_vector kpti=1, bhb=BHB_MITIGATION_INSN + #endif /* CONFIG_MITIGATE_SPECTRE_BRANCH_HISTORY */ + generate_tramp_vector kpti=1, bhb=BHB_MITIGATION_NONE + END(tramp_vectors) +@@ -1262,6 +1269,7 @@ ENTRY(__bp_harden_el1_vectors) + #ifdef CONFIG_MITIGATE_SPECTRE_BRANCH_HISTORY + generate_el1_vector bhb=BHB_MITIGATION_LOOP + generate_el1_vector bhb=BHB_MITIGATION_FW ++ generate_el1_vector bhb=BHB_MITIGATION_INSN + #endif /* CONFIG_MITIGATE_SPECTRE_BRANCH_HISTORY */ + END(__bp_harden_el1_vectors) + .popsection +-- +2.34.1 + diff --git a/patches.suse/01-tcp-fix-race-condition-when-creating-child-sockets-from-syncookies.patch b/patches.suse/01-tcp-fix-race-condition-when-creating-child-sockets-from-syncookies.patch new file mode 100644 index 0000000..6dc1d9d --- /dev/null +++ b/patches.suse/01-tcp-fix-race-condition-when-creating-child-sockets-from-syncookies.patch 
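Review bot: The new `if (supports_clearbhb(scope)) return true;` in `is_spectre_bhb_affected()` has no comment, so it is not obvious why having the mitigation instruction makes a CPU count as affected. The commit message gives the reason, and it belongs next to the check, for example `/* clearbhb without CSV2.3 implies the CPU is affected */`. `supports_clearbhb()` also returns the extracted 4-bit field through an implicit conversion to `bool`; ending the return expression with `!= 0` would make explicit that any non-zero field value is treated as support. `is_spectre_bhb_affected()` and `spectre_bhb_enable_mitigation()` both continue outside the hunks shown.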
@@ -0,0 +1,295 @@ +From 01770a166165738a6e05c3d911fb4609cc4eb416 Mon Sep 17 00:00:00 2001 +From: Ricardo Dias +Date: Fri, 20 Nov 2020 11:11:33 +0000 +Subject: [PATCH] tcp: fix race condition when creating child sockets from + syncookies +Patch-mainline: v5.10-rc6 +Git-commit: 01770a166165738a6e05c3d911fb4609cc4eb416 +References: bsc#1197075 + +When the TCP stack is in SYN flood mode, the server child socket is +created from the SYN cookie received in a TCP packet with the ACK flag +set. + +The child socket is created when the server receives the first TCP +packet with a valid SYN cookie from the client. Usually, this packet +corresponds to the final step of the TCP 3-way handshake, the ACK +packet. But is also possible to receive a valid SYN cookie from the +first TCP data packet sent by the client, and thus create a child socket +from that SYN cookie. + +Since a client socket is ready to send data as soon as it receives the +SYN+ACK packet from the server, the client can send the ACK packet (sent +by the TCP stack code), and the first data packet (sent by the userspace +program) almost at the same time, and thus the server will equally +receive the two TCP packets with valid SYN cookies almost at the same +instant. + +When such event happens, the TCP stack code has a race condition that +occurs between the momement a lookup is done to the established +connections hashtable to check for the existence of a connection for the +same client, and the moment that the child socket is added to the +established connections hashtable. As a consequence, this race condition +can lead to a situation where we add two child sockets to the +established connections hashtable and deliver two sockets to the +userspace program to the same client. + +This patch fixes the race condition by checking if an existing child +socket exists for the same client when we are adding the second child +socket to the established connections socket. 
If an existing child +socket exists, we drop the packet and discard the second child socket +to the same client. + +Signed-off-by: Ricardo Dias +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20201120111133.GA67501@rdias-suse-pc.lan +Signed-off-by: Jakub Kicinski +Acked-by: João Silva +--- + include/net/inet_hashtables.h | 5 +- + net/dccp/ipv4.c | 2 - + net/dccp/ipv6.c | 2 - + net/ipv4/inet_connection_sock.c | 2 - + net/ipv4/inet_hashtables.c | 67 +++++++++++++++++++++++++++++++++++----- + net/ipv4/tcp_ipv4.c | 15 +++++++- + net/ipv6/tcp_ipv6.c | 13 +++++++ + 7 files changed, 90 insertions(+), 16 deletions(-) + +--- a/include/net/inet_hashtables.h ++++ b/include/net/inet_hashtables.h +@@ -209,8 +209,9 @@ void inet_put_port(struct sock *sk); + + void inet_hashinfo_init(struct inet_hashinfo *h); + +-bool inet_ehash_insert(struct sock *sk, struct sock *osk); +-bool inet_ehash_nolisten(struct sock *sk, struct sock *osk); ++bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk); ++bool inet_ehash_nolisten(struct sock *sk, struct sock *osk, ++ bool *found_dup_sk); + int __inet_hash(struct sock *sk, struct sock *osk); + int inet_hash(struct sock *sk); + void inet_unhash(struct sock *sk); +--- a/net/dccp/ipv4.c ++++ b/net/dccp/ipv4.c +@@ -428,7 +428,7 @@ struct sock *dccp_v4_request_recv_sock(c + + if (__inet_inherit_port(sk, newsk) < 0) + goto put_and_exit; +- *own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash)); ++ *own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash), NULL); + if (*own_req) + ireq->ireq_opt = NULL; + else +--- a/net/dccp/ipv6.c ++++ b/net/dccp/ipv6.c +@@ -530,7 +530,7 @@ static struct sock *dccp_v6_request_recv + dccp_done(newsk); + goto out; + } +- *own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash)); ++ *own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash), NULL); + /* Clone pktoptions received with SYN, if we own the req */ + if (*own_req && ireq->pktopts) { + newnp->pktoptions = 
skb_clone(ireq->pktopts, GFP_ATOMIC); +--- a/net/ipv4/inet_connection_sock.c ++++ b/net/ipv4/inet_connection_sock.c +@@ -788,7 +788,7 @@ static void reqsk_queue_hash_req(struct + (unsigned long)req); + mod_timer(&req->rsk_timer, jiffies + timeout); + +- inet_ehash_insert(req_to_sk(req), NULL); ++ inet_ehash_insert(req_to_sk(req), NULL, NULL); + /* before letting lookups find us, make sure all req fields + * are committed to memory and refcnt initialized. + */ +--- a/net/ipv4/inet_hashtables.c ++++ b/net/ipv4/inet_hashtables.c +@@ -23,6 +23,9 @@ + #include + #include + #include ++#if IS_ENABLED(CONFIG_IPV6) ++#include ++#endif + #include + #include + #include +@@ -398,10 +401,51 @@ static u32 inet_sk_port_offset(const str + inet->inet_dport); + } + +-/* insert a socket into ehash, and eventually remove another one +- * (The another one can be a SYN_RECV or TIMEWAIT ++/* Searches for an exsiting socket in the ehash bucket list. ++ * Returns true if found, false otherwise. + */ +-bool inet_ehash_insert(struct sock *sk, struct sock *osk) ++static bool inet_ehash_lookup_by_sk(struct sock *sk, ++ struct hlist_nulls_head *list) ++{ ++ const __portpair ports = INET_COMBINED_PORTS(sk->sk_dport, sk->sk_num); ++ const int dif = sk->sk_bound_dev_if; ++ const struct hlist_nulls_node *node; ++ struct net *net = sock_net(sk); ++ struct sock *esk; ++ ++ INET_ADDR_COOKIE(acookie, sk->sk_daddr, sk->sk_rcv_saddr); ++ ++ sk_nulls_for_each_rcu(esk, node, list) { ++ if (esk->sk_hash != sk->sk_hash) ++ continue; ++ if (sk->sk_family == AF_INET) { ++ if (unlikely(INET_MATCH(esk, net, acookie, ++ sk->sk_daddr, ++ sk->sk_rcv_saddr, ++ ports, dif))) { ++ return true; ++ } ++ } ++#if IS_ENABLED(CONFIG_IPV6) ++ else if (sk->sk_family == AF_INET6) { ++ if (unlikely(INET6_MATCH(esk, net, ++ &sk->sk_v6_daddr, ++ &sk->sk_v6_rcv_saddr, ++ ports, dif))) { ++ return true; ++ } ++ } ++#endif ++ } ++ return false; ++} ++ ++/* Insert a socket into ehash, and eventually remove another one ++ * (The 
another one can be a SYN_RECV or TIMEWAIT) ++ * If an existing socket already exists, socket sk is not inserted, ++ * and sets found_dup_sk parameter to true. ++ */ ++bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk) + { + struct inet_hashinfo *hashinfo = sk->sk_prot->h.hashinfo; + struct hlist_nulls_head *list; +@@ -420,16 +464,23 @@ bool inet_ehash_insert(struct sock *sk, + if (osk) { + WARN_ON_ONCE(sk->sk_hash != osk->sk_hash); + ret = sk_nulls_del_node_init_rcu(osk); ++ } else if (found_dup_sk) { ++ *found_dup_sk = inet_ehash_lookup_by_sk(sk, list); ++ if (*found_dup_sk) ++ ret = false; + } ++ + if (ret) + __sk_nulls_add_node_rcu(sk, list); ++ + spin_unlock(lock); ++ + return ret; + } + +-bool inet_ehash_nolisten(struct sock *sk, struct sock *osk) ++bool inet_ehash_nolisten(struct sock *sk, struct sock *osk, bool *found_dup_sk) + { +- bool ok = inet_ehash_insert(sk, osk); ++ bool ok = inet_ehash_insert(sk, osk, found_dup_sk); + + if (ok) { + sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1); +@@ -471,7 +522,7 @@ int __inet_hash(struct sock *sk, struct + int err = 0; + + if (sk->sk_state != TCP_LISTEN) { +- inet_ehash_nolisten(sk, osk); ++ inet_ehash_nolisten(sk, osk, NULL); + return 0; + } + WARN_ON(!sk_unhashed(sk)); +@@ -561,7 +612,7 @@ int __inet_hash_connect(struct inet_time + tb = inet_csk(sk)->icsk_bind_hash; + spin_lock_bh(&head->lock); + if (sk_head(&tb->owners) == sk && !sk->sk_bind_node.next) { +- inet_ehash_nolisten(sk, NULL); ++ inet_ehash_nolisten(sk, NULL, NULL); + spin_unlock_bh(&head->lock); + return 0; + } +@@ -637,7 +688,7 @@ ok: + inet_bind_hash(sk, tb, port); + if (sk_unhashed(sk)) { + inet_sk(sk)->inet_sport = htons(port); +- inet_ehash_nolisten(sk, (struct sock *)tw); ++ inet_ehash_nolisten(sk, (struct sock *)tw, NULL); + } + if (tw) + inet_twsk_bind_unhash(tw, hinfo); +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -1305,6 +1305,7 @@ struct sock *tcp_v4_syn_recv_sock(const + bool *own_req) + { + 
struct inet_request_sock *ireq; ++ bool found_dup_sk = false; + struct inet_sock *newinet; + struct tcp_sock *newtp; + struct sock *newsk; +@@ -1375,12 +1376,22 @@ struct sock *tcp_v4_syn_recv_sock(const + + if (__inet_inherit_port(sk, newsk) < 0) + goto put_and_exit; +- *own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash)); ++ *own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash), ++ &found_dup_sk); + if (likely(*own_req)) { + tcp_move_syn(newtp, req); + ireq->ireq_opt = NULL; + } else { +- newinet->inet_opt = NULL; ++ if (!req_unhash && found_dup_sk) { ++ /* This code path should only be executed in the ++ * syncookie case only ++ */ ++ bh_unlock_sock(newsk); ++ sock_put(newsk); ++ newsk = NULL; ++ } else { ++ newinet->inet_opt = NULL; ++ } + } + return newsk; + +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -1042,6 +1042,7 @@ static struct sock *tcp_v6_syn_recv_sock + struct ipv6_txoptions *opt; + struct tcp6_sock *newtcp6sk; + struct inet_sock *newinet; ++ bool found_dup_sk = false; + struct tcp_sock *newtp; + struct sock *newsk; + #ifdef CONFIG_TCP_MD5SIG +@@ -1210,7 +1211,8 @@ static struct sock *tcp_v6_syn_recv_sock + tcp_done(newsk); + goto out; + } +- *own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash)); ++ *own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash), ++ &found_dup_sk); + if (*own_req) { + tcp_move_syn(newtp, req); + +@@ -1225,6 +1227,15 @@ static struct sock *tcp_v6_syn_recv_sock + skb_set_owner_r(newnp->pktoptions, newsk); + } + } ++ } else { ++ if (!req_unhash && found_dup_sk) { ++ /* This code path should only be executed in the ++ * syncookie case only ++ */ ++ bh_unlock_sock(newsk); ++ sock_put(newsk); ++ newsk = NULL; ++ } + } + + return newsk; diff --git a/patches.suse/02-tcp-fix-potential-use-after-free-due-to-double-kfree.patch b/patches.suse/02-tcp-fix-potential-use-after-free-due-to-double-kfree.patch new file mode 100644 index 0000000..d8cc350 --- /dev/null 
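Review bot: The new comment above `inet_ehash_insert()` says the function "sets found_dup_sk parameter to true", but the code writes `*found_dup_sk` only on the `else if (found_dup_sk)` branch, that is, only when `osk` is NULL; with a non-NULL `osk` the caller's variable is left untouched. Both TCP callers in this patch initialise `bool found_dup_sk = false;` before the call, so they read a defined value, but the contract should be stated for later callers, e.g. `* *found_dup_sk is written only when osk is NULL; callers must initialise it to false.` The comment on `inet_ehash_lookup_by_sk()` also misspells "existing" as `exsiting`. The body of `inet_ehash_insert()` starts outside the hunk.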
+++ b/patches.suse/02-tcp-fix-potential-use-after-free-due-to-double-kfree.patch 
@@ -0,0 +1,75 @@
+From c89dffc70b340780e5b933832d8c3e045ef3791e Mon Sep 17 00:00:00 2001
+From: Kuniyuki Iwashima
+Date: Mon, 18 Jan 2021 14:59:20 +0900
+Subject: [PATCH] tcp: Fix potential use-after-free due to double kfree()
+Patch-mainline: v5.11-rc5
+Git-commit: c89dffc70b340780e5b933832d8c3e045ef3791e
+References: bsc#1197075
+
+Receiving ACK with a valid SYN cookie, cookie_v4_check() allocates struct
+request_sock and then can allocate inet_rsk(req)->ireq_opt. After that,
+tcp_v4_syn_recv_sock() allocates struct sock and copies ireq_opt to
+inet_sk(sk)->inet_opt. Normally, tcp_v4_syn_recv_sock() inserts the full
+socket into ehash and sets NULL to ireq_opt. Otherwise,
+tcp_v4_syn_recv_sock() has to reset inet_opt by NULL and free the full
+socket.
+
+The commit 01770a1661657 ("tcp: fix race condition when creating child
+sockets from syncookies") added a new path, in which more than one cores
+create full sockets for the same SYN cookie. Currently, the core which
+loses the race frees the full socket without resetting inet_opt, resulting
+in that both sock_put() and reqsk_put() call kfree() for the same memory:
+
+ sock_put
+ sk_free
+ __sk_free
+ sk_destruct
+ __sk_destruct
+ sk->sk_destruct/inet_sock_destruct
+ kfree(rcu_dereference_protected(inet->inet_opt, 1));
+
+ reqsk_put
+ reqsk_free
+ __reqsk_free
+ req->rsk_ops->destructor/tcp_v4_reqsk_destructor
+ kfree(rcu_dereference_protected(inet_rsk(req)->ireq_opt, 1));
+
+Calling kmalloc() between the double kfree() can lead to use-after-free, so
+this patch fixes it by setting NULL to inet_opt before sock_put().
+
+As a side note, this kind of issue does not happen for IPv6. This is
+because tcp_v6_syn_recv_sock() clones both ipv6_opt and pktopts which
+correspond to ireq_opt in IPv4.
+
+Fixes: 01770a166165 ("tcp: fix race condition when creating child sockets from syncookies")
+CC: Ricardo Dias
+Signed-off-by: Kuniyuki Iwashima
+Reviewed-by: Benjamin Herrenschmidt
+Reviewed-by: Eric Dumazet
+Link: https://lore.kernel.org/r/20210118055920.82516-1-kuniyu@amazon.co.jp
+Signed-off-by: Jakub Kicinski
+Acked-by: João Silva
+---
+ net/ipv4/tcp_ipv4.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -1382,6 +1382,8 @@ struct sock *tcp_v4_syn_recv_sock(const
+ tcp_move_syn(newtp, req);
+ ireq->ireq_opt = NULL;
+ } else {
++ newinet->inet_opt = NULL;
++
+ if (!req_unhash && found_dup_sk) {
+ /* This code path should only be executed in the
+ * syncookie case only
+@@ -1389,8 +1391,6 @@ struct sock *tcp_v4_syn_recv_sock(const
+ bh_unlock_sock(newsk);
+ sock_put(newsk);
+ newsk = NULL;
+- } else {
+- newinet->inet_opt = NULL;
+ }
+ }
+ return newsk;
diff --git a/patches.suse/NFSD-prevent-underflow-in-nfssvc_decode_writeargs.patch b/patches.suse/NFSD-prevent-underflow-in-nfssvc_decode_writeargs.patch
new file mode 100644
index 0000000..748522c
--- /dev/null
+++ b/patches.suse/NFSD-prevent-underflow-in-nfssvc_decode_writeargs.patch
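Review bot: The relocated `newinet->inet_opt = NULL;` at the top of the `else` branch in `tcp_v4_syn_recv_sock()` has no comment, so the reason it must run before `sock_put(newsk)` is recorded only in the commit message. A short why-comment would keep a later cleanup from moving the assignment back under the inner `else`, e.g. `/* req still owns ireq_opt; clear inet_opt so sock_put() does not kfree() it a second time */`. The function body starts and ends outside the two hunks.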
@@ -0,0 +1,46 @@
+From: Dan Carpenter
+Date: Tue, 15 Mar 2022 13:30:09 +0300
+Subject: [PATCH] NFSD: prevent underflow in nfssvc_decode_writeargs()
+Git-commit: 184416d4b98509fb4c3d8fc3d6dc1437896cc159
+Patch-mainline: v5.18
+References: git-fixes
+
+Smatch complains:
+
+ fs/nfsd/nfsxdr.c:341 nfssvc_decode_writeargs()
+ warn: no lower bound on 'args->len'
+
+Change the type to unsigned to prevent this issue.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Dan Carpenter
+Signed-off-by: Chuck Lever
+Acked-by: NeilBrown
+
+---
+ fs/nfsd/nfsproc.c | 2 +-
+ fs/nfsd/xdr.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/nfsd/nfsproc.c
++++ b/fs/nfsd/nfsproc.c
+@@ -221,7 +221,7 @@ nfsd_proc_write(struct svc_rqst *rqstp,
+ unsigned long cnt = argp->len;
+ unsigned int nvecs;
+
+- dprintk("nfsd: WRITE %s %d bytes at %d\n",
++ dprintk("nfsd: WRITE %s %u bytes at %d\n",
+ SVCFH_fmt(&argp->fh),
+ argp->len, argp->offset);
+
+--- a/fs/nfsd/xdr.h
++++ b/fs/nfsd/xdr.h
+@@ -32,7 +32,7 @@ struct nfsd_readargs {
+ struct nfsd_writeargs {
+ svc_fh fh;
+ __u32 offset;
+- int len;
++ __u32 len;
+ struct kvec first;
+ };
+
diff --git a/patches.suse/NFSv4-Don-t-try-to-CLOSE-if-the-stateid-other-field-.patch b/patches.suse/NFSv4-Don-t-try-to-CLOSE-if-the-stateid-other-field-.patch
new file mode 100644
index 0000000..7138255
--- /dev/null
+++ b/patches.suse/NFSv4-Don-t-try-to-CLOSE-if-the-stateid-other-field-.patch
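Review bot: The updated format string in `nfsd_proc_write()` still prints `argp->offset` with `%d`, although the `struct nfsd_writeargs` context in the xdr.h hunk declares it as `__u32 offset`. Now that `len` is printed with `%u`, the offset should match: `dprintk("nfsd: WRITE %s %u bytes at %u\n",`. The patch only changes the struct field, and the decoder named in the Smatch warning (`nfssvc_decode_writeargs()` in fs/nfsd/nfsxdr.c) is not part of this diff, so any signed comparison against `args->len` there is worth rechecking against the new unsigned type. `nfsd_proc_write()` continues outside the hunk.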
@@ -0,0 +1,106 @@ +From: Trond Myklebust +Date: Mon, 6 Nov 2017 15:28:06 -0500 +Subject: [PATCH] NFSv4: Don't try to CLOSE if the stateid 'other' field has + changed +Git-commit: c82bac6f4b2af18dcb392b10e80c809ee17b2b1b +Patch-mainline: v4.15 +References: bsc#1196247 + +If the stateid is no longer recognised on the server, either due to a +restart, or due to a competing CLOSE call, then we do not have to +retry. Any open contexts that triggered a reopen of the file, will +also act as triggers for any CLOSE for the updated stateids. + +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Acked-by: NeilBrown + +--- + fs/nfs/nfs4_fs.h | 2 ++ + fs/nfs/nfs4proc.c | 14 ++++---------- + fs/nfs/nfs4state.c | 9 +++++++-- + 3 files changed, 13 insertions(+), 12 deletions(-) + +--- a/fs/nfs/nfs4_fs.h ++++ b/fs/nfs/nfs4_fs.h +@@ -459,6 +459,8 @@ extern int nfs4_select_rw_stateid(struct + struct rpc_cred **); + extern bool nfs4_refresh_open_stateid(nfs4_stateid *dst, + struct nfs4_state *state); ++extern bool nfs4_copy_open_stateid(nfs4_stateid *dst, ++ struct nfs4_state *state); + + extern struct nfs_seqid *nfs_alloc_seqid(struct nfs_seqid_counter *counter, gfp_t gfp_mask); + extern int nfs_wait_on_sequence(struct nfs_seqid *seqid, struct rpc_task *task); +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -3227,14 +3227,7 @@ static void nfs4_close_done(struct rpc_t + task->tk_msg.rpc_cred); + /* Fallthrough */ + case -NFS4ERR_BAD_STATEID: +- if (!nfs4_stateid_match(&calldata->arg.stateid, +- &state->open_stateid)) { +- rpc_restart_call_prepare(task); +- goto out_release; +- } +- if (calldata->arg.fmode == 0) +- break; +- /* Fallthrough */ ++ break; + default: + if (nfs4_async_handle_error(task, server, state, NULL) == -EAGAIN) { + rpc_restart_call_prepare(task); +@@ -3266,7 +3259,6 @@ static void nfs4_close_prepare(struct rp + is_rdwr = test_bit(NFS_O_RDWR_STATE, &state->flags); + is_rdonly = test_bit(NFS_O_RDONLY_STATE, &state->flags); + is_wronly = 
test_bit(NFS_O_WRONLY_STATE, &state->flags); +- nfs4_stateid_copy(&calldata->arg.stateid, &state->open_stateid); + /* Calculate the change in open mode */ + calldata->arg.fmode = 0; + if (state->n_rdwr == 0) { +@@ -3284,7 +3276,7 @@ static void nfs4_close_prepare(struct rp + calldata->arg.fmode |= FMODE_READ|FMODE_WRITE; + + if (!nfs4_valid_open_stateid(state) || +- test_bit(NFS_OPEN_STATE, &state->flags) == 0) ++ !nfs4_refresh_open_stateid(&calldata->arg.stateid, state)) + call_close = 0; + spin_unlock(&state->owner->so_lock); + +@@ -3378,6 +3370,8 @@ int nfs4_do_close(struct nfs4_state *sta + calldata->inode = state->inode; + calldata->state = state; + calldata->arg.fh = NFS_FH(state->inode); ++ if (!nfs4_copy_open_stateid(&calldata->arg.stateid, state)) ++ goto out_free_calldata; + /* Serialization for the sequence id */ + alloc_seqid = server->nfs_client->cl_mvops->alloc_seqid; + calldata->arg.seqid = alloc_seqid(&state->owner->so_seqid, gfp_mask); +--- a/fs/nfs/nfs4state.c ++++ b/fs/nfs/nfs4state.c +@@ -1020,18 +1020,23 @@ bool nfs4_refresh_open_stateid(nfs4_stat + return ret; + } + +-static void nfs4_copy_open_stateid(nfs4_stateid *dst, struct nfs4_state *state) ++bool nfs4_copy_open_stateid(nfs4_stateid *dst, struct nfs4_state *state) + { ++ bool ret; + const nfs4_stateid *src; + int seq; + + do { ++ ret = false; + src = &zero_stateid; + seq = read_seqbegin(&state->seqlock); +- if (test_bit(NFS_OPEN_STATE, &state->flags)) ++ if (test_bit(NFS_OPEN_STATE, &state->flags)) { + src = &state->open_stateid; ++ ret = true; ++ } + nfs4_stateid_copy(dst, src); + } while (read_seqretry(&state->seqlock, seq)); ++ return ret; + } + + /* diff --git a/patches.suse/NFSv4-Fix-a-regression-in-nfs_set_open_stateid_locke.patch b/patches.suse/NFSv4-Fix-a-regression-in-nfs_set_open_stateid_locke.patch new file mode 100644 index 0000000..ede319f --- /dev/null +++ b/patches.suse/NFSv4-Fix-a-regression-in-nfs_set_open_stateid_locke.patch 
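Review bot: `nfs4_copy_open_stateid()` becomes a non-static, bool-returning function in nfs4state.c but gains no comment describing its new contract. On the false path it has still written `zero_stateid` into `dst`, which a caller that ignores the result would go on to use; a comment above the definition such as `/* Returns true if NFS_OPEN_STATE was set and dst holds the open stateid; otherwise dst is set to zero_stateid */` would make that explicit. In `nfs4_do_close()` the new `goto out_free_calldata` leaves with whatever status is current at that point; that value is set outside the hunk, so confirm the caller does not see this case reported as an allocation failure.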
@@ -0,0 +1,49 @@ +From: Trond Myklebust +Date: Tue, 26 Oct 2021 21:56:40 -0400 +Subject: [PATCH] NFSv4: Fix a regression in nfs_set_open_stateid_locked() +Git-commit: 01d29f87fcfef38d51ce2b473981a5c1e861ac0a +Patch-mainline: v5.16 +References: bsc#1196247 + +If we already hold open state on the client, yet the server gives us a +completely different stateid to the one we already hold, then we +currently treat it as if it were an out-of-sequence update, and wait for +5 seconds for other updates to come in. +This commit fixes the behaviour so that we immediately start processing +of the new stateid, and then leave it to the call to +nfs4_test_and_free_stateid() to decide what to do with the old stateid. + +Fixes: b4868b44c562 ("NFSv4: Wait for stateid updates after CLOSE/OPEN_DOWNGRADE") +Signed-off-by: Trond Myklebust +Acked-by: NeilBrown + +--- + fs/nfs/nfs4proc.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -1429,15 +1429,16 @@ static bool nfs_stateid_is_sequential(st + { + if (test_bit(NFS_OPEN_STATE, &state->flags)) { + /* The common case - we're updating to a new sequence number */ +- if (nfs4_stateid_match_other(stateid, &state->open_stateid) && +- nfs4_stateid_is_next(&state->open_stateid, stateid)) { +- return true; ++ if (nfs4_stateid_match_other(stateid, &state->open_stateid)) { ++ if (nfs4_stateid_is_next(&state->open_stateid, stateid)) ++ return true; ++ return false; + } +- } else { +- /* This is the first OPEN in this generation */ +- if (stateid->seqid == cpu_to_be32(1)) +- return true; ++ /* The server returned a new stateid */ + } ++ /* This is the first OPEN in this generation */ ++ if (stateid->seqid == cpu_to_be32(1)) ++ return true; + return false; + } + diff --git a/patches.suse/NFSv4-Handle-NFS4ERR_OLD_STATEID-in-CLOSE-OPEN_DOWNG.patch b/patches.suse/NFSv4-Handle-NFS4ERR_OLD_STATEID-in-CLOSE-OPEN_DOWNG.patch new file mode 100644 index 0000000..ae3cf6b 
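Review bot: After this change the comment `/* This is the first OPEN in this generation */` in `nfs_stateid_is_sequential()` sits on a check that is also reached when NFS_OPEN_STATE is set and the server returned a stateid whose 'other' field differs, so it no longer describes every path into it. I would reword it to something like `/* New stateid (first OPEN, or the server replaced it): seqid must start at 1 */`. The inner `if (nfs4_stateid_is_next(...)) return true; return false;` can also be written as `return nfs4_stateid_is_next(&state->open_stateid, stateid);`.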
--- /dev/null +++ b/patches.suse/NFSv4-Handle-NFS4ERR_OLD_STATEID-in-CLOSE-OPEN_DOWNG.patch 
@@ -0,0 +1,155 @@ +From: Trond Myklebust +Date: Fri, 20 Sep 2019 07:23:47 -0400 +Subject: [PATCH] NFSv4: Handle NFS4ERR_OLD_STATEID in CLOSE/OPEN_DOWNGRADE +Git-commit: 0e0cb35b417f505447694463694aff75fca32889 +Patch-mainline: v5.4 +References: bsc#1196247 + +If a CLOSE or OPEN_DOWNGRADE operation receives a NFS4ERR_OLD_STATEID +then bump the seqid before resending. Ensure we only bump the seqid +by 1. + +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Acked-by: NeilBrown + +--- + fs/nfs/nfs4_fs.h | 2 - + fs/nfs/nfs4proc.c | 75 ++++++++++++++++++++++++++++++++++++++++++++++++++--- + fs/nfs/nfs4state.c | 16 ----------- + 3 files changed, 72 insertions(+), 21 deletions(-) + +--- a/fs/nfs/nfs4_fs.h ++++ b/fs/nfs/nfs4_fs.h +@@ -457,8 +457,6 @@ extern int nfs4_set_lock_state(struct nf + extern int nfs4_select_rw_stateid(struct nfs4_state *, fmode_t, + const struct nfs_lock_context *, nfs4_stateid *, + struct rpc_cred **); +-extern bool nfs4_refresh_open_stateid(nfs4_stateid *dst, +- struct nfs4_state *state); + extern bool nfs4_copy_open_stateid(nfs4_stateid *dst, + struct nfs4_state *state); + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -3124,6 +3124,75 @@ nfs4_wait_on_layoutreturn(struct inode * + return pnfs_wait_on_layoutreturn(inode, task); + } + ++/* ++ * Update the seqid of an open stateid ++ */ ++static void nfs4_sync_open_stateid(nfs4_stateid *dst, ++ struct nfs4_state *state) ++{ ++ __be32 seqid_open; ++ u32 dst_seqid; ++ int seq; ++ ++ for (;;) { ++ if (!nfs4_valid_open_stateid(state)) ++ break; ++ seq = read_seqbegin(&state->seqlock); ++ if (!nfs4_state_match_open_stateid_other(state, dst)) { ++ nfs4_stateid_copy(dst, &state->open_stateid); ++ if (read_seqretry(&state->seqlock, seq)) ++ continue; ++ break; ++ } ++ seqid_open = state->open_stateid.seqid; ++ if (read_seqretry(&state->seqlock, seq)) ++ continue; ++ ++ dst_seqid = be32_to_cpu(dst->seqid); ++ if ((s32)(dst_seqid - be32_to_cpu(seqid_open)) < 0) ++ dst->seqid = seqid_open; 
++ break; ++ } ++} ++ ++/* ++ * Update the seqid of an open stateid after receiving ++ * NFS4ERR_OLD_STATEID ++ */ ++static bool nfs4_refresh_open_old_stateid(nfs4_stateid *dst, ++ struct nfs4_state *state) ++{ ++ __be32 seqid_open; ++ u32 dst_seqid; ++ bool ret; ++ int seq; ++ ++ for (;;) { ++ ret = false; ++ if (!nfs4_valid_open_stateid(state)) ++ break; ++ seq = read_seqbegin(&state->seqlock); ++ if (!nfs4_state_match_open_stateid_other(state, dst)) { ++ if (read_seqretry(&state->seqlock, seq)) ++ continue; ++ break; ++ } ++ seqid_open = state->open_stateid.seqid; ++ if (read_seqretry(&state->seqlock, seq)) ++ continue; ++ ++ dst_seqid = be32_to_cpu(dst->seqid); ++ if ((s32)(dst_seqid - be32_to_cpu(seqid_open)) >= 0) ++ dst->seqid = cpu_to_be32(dst_seqid + 1); ++ else ++ dst->seqid = seqid_open; ++ ret = true; ++ break; ++ } ++ ++ return ret; ++} ++ + struct nfs4_closedata { + struct inode *inode; + struct nfs4_state *state; +@@ -3213,7 +3282,7 @@ static void nfs4_close_done(struct rpc_t + break; + case -NFS4ERR_OLD_STATEID: + /* Did we race with OPEN? 
*/ +- if (nfs4_refresh_open_stateid(&calldata->arg.stateid, ++ if (nfs4_refresh_open_old_stateid(&calldata->arg.stateid, + state)) { + task->tk_status = 0; + rpc_restart_call_prepare(task); +@@ -3275,8 +3344,8 @@ static void nfs4_close_prepare(struct rp + } else if (is_rdwr) + calldata->arg.fmode |= FMODE_READ|FMODE_WRITE; + +- if (!nfs4_valid_open_stateid(state) || +- !nfs4_refresh_open_stateid(&calldata->arg.stateid, state)) ++ nfs4_sync_open_stateid(&calldata->arg.stateid, state); ++ if (!nfs4_valid_open_stateid(state)) + call_close = 0; + spin_unlock(&state->owner->so_lock); + +--- a/fs/nfs/nfs4state.c ++++ b/fs/nfs/nfs4state.c +@@ -1004,22 +1004,6 @@ out: + return ret; + } + +-bool nfs4_refresh_open_stateid(nfs4_stateid *dst, struct nfs4_state *state) +-{ +- bool ret; +- int seq; +- +- do { +- ret = false; +- seq = read_seqbegin(&state->seqlock); +- if (nfs4_state_match_open_stateid_other(state, dst)) { +- dst->seqid = state->open_stateid.seqid; +- ret = true; +- } +- } while (read_seqretry(&state->seqlock, seq)); +- return ret; +-} +- + bool nfs4_copy_open_stateid(nfs4_stateid *dst, struct nfs4_state *state) + { + bool ret; diff --git a/patches.suse/NFSv4-Wait-for-stateid-updates-after-CLOSE-OPEN_DOWN.patch b/patches.suse/NFSv4-Wait-for-stateid-updates-after-CLOSE-OPEN_DOWN.patch new file mode 100644 index 0000000..ec5a1ee --- /dev/null +++ b/patches.suse/NFSv4-Wait-for-stateid-updates-after-CLOSE-OPEN_DOWN.patch 
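Review bot: `dst->seqid = cpu_to_be32(dst_seqid + 1);` in `nfs4_refresh_open_old_stateid()` wraps from 0xffffffff to 0, whereas the `nfs4_stateid_is_next()` helper added by the Wait-for-stateid-updates patch later in this diff treats 1 as the successor of 0xffffffff. That later patch keeps the same expression in its timeout path, so the point applies there too. If 0 is never a valid successor, as that helper implies, the bump should skip it, e.g. `if (++dst_seqid == 0) ++dst_seqid;` followed by `dst->seqid = cpu_to_be32(dst_seqid);`. The one-line header comments on the two new functions are identical in substance; they should say that one resynchronises before sending and the other bumps after NFS4ERR_OLD_STATEID.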
@@ -0,0 +1,229 @@ +From: Benjamin Coddington +Date: Fri, 25 Sep 2020 15:48:39 -0400 +Subject: [PATCH] NFSv4: Wait for stateid updates after CLOSE/OPEN_DOWNGRADE +Git-commit: b4868b44c5628995fdd8ef2e24dda73cef963a75 +Patch-mainline: v5.10 +References: bsc#1196247 + +Since commit 0e0cb35b417f ("NFSv4: Handle NFS4ERR_OLD_STATEID in +CLOSE/OPEN_DOWNGRADE") the following livelock may occur if a CLOSE races +with the update of the nfs_state: + +Process 1 Process 2 Server +========= ========= ======== + OPEN file + OPEN file + Reply OPEN (1) + Reply OPEN (2) + Update state (1) + CLOSE file (1) + Reply OLD_STATEID (1) + CLOSE file (2) + Reply CLOSE (-1) + Update state (2) + wait for state change + OPEN file + wake + CLOSE file + OPEN file + wake + CLOSE file + ... + ... + +We can avoid this situation by not issuing an immediate retry with a bumped +seqid when CLOSE/OPEN_DOWNGRADE receives NFS4ERR_OLD_STATEID. Instead, +take the same approach used by OPEN and wait at least 5 seconds for +outstanding stateid updates to complete if we can detect that we're out of +sequence. + +Note that after this change it is still possible (though unlikely) that +CLOSE waits a full 5 seconds, bumps the seqid, and retries -- and that +attempt races with another OPEN at the same time. In order to avoid this +race (which would result in the livelock), update +nfs_need_update_open_stateid() to handle the case where: + - the state is NFS_OPEN_STATE, and + - the stateid doesn't match the current open stateid + +Finally, nfs_need_update_open_stateid() is modified to be idempotent and +renamed to better suit the purpose of signaling that the stateid passed +is the next stateid in sequence. 
+ +Fixes: 0e0cb35b417f ("NFSv4: Handle NFS4ERR_OLD_STATEID in CLOSE/OPEN_DOWNGRADE") +Cc: stable@vger.kernel.org # v5.4+ +Signed-off-by: Benjamin Coddington +Signed-off-by: Anna Schumaker +Acked-by: NeilBrown + +--- + fs/nfs/nfs4_fs.h | 8 +++++ + fs/nfs/nfs4proc.c | 81 ++++++++++++++++++++++++++++++----------------------- + fs/nfs/nfs4trace.h | 1 + 3 files changed, 56 insertions(+), 34 deletions(-) + +--- a/fs/nfs/nfs4_fs.h ++++ b/fs/nfs/nfs4_fs.h +@@ -540,6 +540,14 @@ static inline bool nfs4_stateid_is_newer + return (s32)(be32_to_cpu(s1->seqid) - be32_to_cpu(s2->seqid)) > 0; + } + ++static inline bool nfs4_stateid_is_next(const nfs4_stateid *s1, const nfs4_stateid *s2) ++{ ++ u32 seq1 = be32_to_cpu(s1->seqid); ++ u32 seq2 = be32_to_cpu(s2->seqid); ++ ++ return seq2 == seq1 + 1U || (seq2 == 1U && seq1 == 0xffffffffU); ++} ++ + static inline bool nfs4_valid_open_stateid(const struct nfs4_state *state) + { + return test_bit(NFS_STATE_RECOVERY_FAILED, &state->flags) == 0; +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -1399,19 +1399,6 @@ static void nfs_state_log_update_open_st + wake_up_all(&state->waitq); + } + +-static void nfs_state_log_out_of_order_open_stateid(struct nfs4_state *state, +- const nfs4_stateid *stateid) +-{ +- u32 state_seqid = be32_to_cpu(state->open_stateid.seqid); +- u32 stateid_seqid = be32_to_cpu(stateid->seqid); +- +- if (stateid_seqid == state_seqid + 1U || +- (stateid_seqid == 1U && state_seqid == 0xffffffffU)) +- nfs_state_log_update_open_stateid(state); +- else +- set_bit(NFS_STATE_CHANGE_WAIT, &state->flags); +-} +- + static void nfs_test_and_clear_all_open_stateid(struct nfs4_state *state) + { + struct nfs_client *clp = state->owner->so_server->nfs_client; +@@ -1437,21 +1424,19 @@ static void nfs_test_and_clear_all_open_ + * i.e. The stateid seqids have to be initialised to 1, and + * are then incremented on every state transition. 
+ */ +-static bool nfs_need_update_open_stateid(struct nfs4_state *state, ++static bool nfs_stateid_is_sequential(struct nfs4_state *state, + const nfs4_stateid *stateid) + { +- if (test_bit(NFS_OPEN_STATE, &state->flags) == 0 || +- !nfs4_stateid_match_other(stateid, &state->open_stateid)) { ++ if (test_bit(NFS_OPEN_STATE, &state->flags)) { ++ /* The common case - we're updating to a new sequence number */ ++ if (nfs4_stateid_match_other(stateid, &state->open_stateid) && ++ nfs4_stateid_is_next(&state->open_stateid, stateid)) { ++ return true; ++ } ++ } else { ++ /* This is the first OPEN in this generation */ + if (stateid->seqid == cpu_to_be32(1)) +- nfs_state_log_update_open_stateid(state); +- else +- set_bit(NFS_STATE_CHANGE_WAIT, &state->flags); +- return true; +- } +- +- if (nfs4_stateid_is_newer(stateid, &state->open_stateid)) { +- nfs_state_log_out_of_order_open_stateid(state, stateid); +- return true; ++ return true; + } + return false; + } +@@ -1520,16 +1505,16 @@ static void nfs_set_open_stateid_locked( + int status = 0; + for (;;) { + +- if (!nfs_need_update_open_stateid(state, stateid)) +- return; +- if (!test_bit(NFS_STATE_CHANGE_WAIT, &state->flags)) ++ if (nfs_stateid_is_sequential(state, stateid)) + break; ++ + if (status) + break; + /* Rely on seqids for serialisation with NFSv4.0 */ + if (!nfs4_has_session(NFS_SERVER(state->inode)->nfs_client)) + break; + ++ set_bit(NFS_STATE_CHANGE_WAIT, &state->flags); + prepare_to_wait(&state->waitq, &wait, TASK_KILLABLE); + /* + * Ensure we process the state changes in the same order +@@ -1539,6 +1524,7 @@ static void nfs_set_open_stateid_locked( + write_sequnlock(&state->seqlock); + spin_unlock(&state->owner->so_lock); + rcu_read_unlock(); ++ + if (!signal_pending(current)) { + if (schedule_timeout(5*HZ) == 0) + status = -EAGAIN; +@@ -3163,7 +3149,8 @@ static bool nfs4_refresh_open_old_statei + __be32 seqid_open; + u32 dst_seqid; + bool ret; +- int seq; ++ int seq, status = -EAGAIN; ++ DEFINE_WAIT(wait); + + 
for (;;) { + ret = false; +@@ -3175,15 +3162,41 @@ static bool nfs4_refresh_open_old_statei + continue; + break; + } ++ ++ write_seqlock(&state->seqlock); + seqid_open = state->open_stateid.seqid; +- if (read_seqretry(&state->seqlock, seq)) +- continue; + + dst_seqid = be32_to_cpu(dst->seqid); +- if ((s32)(dst_seqid - be32_to_cpu(seqid_open)) >= 0) +- dst->seqid = cpu_to_be32(dst_seqid + 1); +- else ++ ++ /* Did another OPEN bump the state's seqid? try again: */ ++ if ((s32)(be32_to_cpu(seqid_open) - dst_seqid) > 0) { + dst->seqid = seqid_open; ++ write_sequnlock(&state->seqlock); ++ ret = true; ++ break; ++ } ++ ++ /* server says we're behind but we haven't seen the update yet */ ++ set_bit(NFS_STATE_CHANGE_WAIT, &state->flags); ++ prepare_to_wait(&state->waitq, &wait, TASK_KILLABLE); ++ write_sequnlock(&state->seqlock); ++ trace_nfs4_close_stateid_update_wait(state->inode, dst, 0); ++ ++ if (signal_pending(current)) ++ status = -EINTR; ++ else ++ if (schedule_timeout(5*HZ) != 0) ++ status = 0; ++ ++ finish_wait(&state->waitq, &wait); ++ ++ if (!status) ++ continue; ++ if (status == -EINTR) ++ break; ++ ++ /* we slept the whole 5 seconds, we must have lost a seqid */ ++ dst->seqid = cpu_to_be32(dst_seqid + 1); + ret = true; + break; + } +--- a/fs/nfs/nfs4trace.h ++++ b/fs/nfs/nfs4trace.h +@@ -1032,6 +1032,7 @@ DECLARE_EVENT_CLASS(nfs4_inode_stateid_e + + DEFINE_NFS4_INODE_STATEID_EVENT(nfs4_setattr); + DEFINE_NFS4_INODE_STATEID_EVENT(nfs4_delegreturn); ++DEFINE_NFS4_INODE_STATEID_EVENT(nfs4_close_stateid_update_wait); + + DECLARE_EVENT_CLASS(nfs4_getattr_event, + TP_PROTO( diff --git a/patches.suse/NFSv4-fix-open-failure-with-O_ACCMODE-flag.patch b/patches.suse/NFSv4-fix-open-failure-with-O_ACCMODE-flag.patch new file mode 100644 index 0000000..84cee8f --- /dev/null +++ b/patches.suse/NFSv4-fix-open-failure-with-O_ACCMODE-flag.patch 
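Review bot: `status` in `nfs4_refresh_open_old_stateid()` is initialised to `-EAGAIN` once, in the declaration outside the `for (;;)` loop, and is never reset, so after one wakeup has set it to 0 a later wait that sleeps the full 5 seconds still sees `!status` and loops again instead of reaching the "we must have lost a seqid" fallback. Resetting it at the top of each iteration, `status = -EAGAIN;` next to `ret = false;`, would make every wait behave like the first. The function can now sleep for up to `5*HZ` per pass; its caller is outside this patch's hunks, so whether that context may block for that long should be confirmed.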
@@ -0,0 +1,99 @@ +From: ChenXiaoSong +Date: Tue, 29 Mar 2022 19:32:08 +0800 +Subject: [PATCH] NFSv4: fix open failure with O_ACCMODE flag +Git-commit: b243874f6f9568b2daf1a00e9222cacdc15e159c +Patch-mainline: v5.18 +References: git-fixes + +open() with O_ACCMODE|O_DIRECT flags secondly will fail. + +Reproducer: 1. mount -t nfs -o vers=4.2 $server_ip:/ /mnt/ + 2. fd = open("/mnt/file", O_ACCMODE|O_DIRECT|O_CREAT) + 3. close(fd) + 4. fd = open("/mnt/file", O_ACCMODE|O_DIRECT) + +Server nfsd4_decode_share_access() will fail with error nfserr_bad_xdr when +client use incorrect share access mode of 0. + +Fix this by using NFS4_SHARE_ACCESS_BOTH share access mode in client, +just like firstly opening. + +Fixes: ce4ef7c0a8a05 ("NFS: Split out NFS v4 file operations") +Signed-off-by: ChenXiaoSong +Signed-off-by: Trond Myklebust +Acked-by: NeilBrown + +--- + fs/nfs/dir.c | 10 ---------- + fs/nfs/internal.h | 10 ++++++++++ + fs/nfs/nfs4file.c | 6 ++++-- + 3 files changed, 14 insertions(+), 12 deletions(-) + +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -1501,16 +1501,6 @@ const struct dentry_operations nfs4_dent + }; + EXPORT_SYMBOL_GPL(nfs4_dentry_operations); + +-static fmode_t flags_to_mode(int flags) +-{ +- fmode_t res = (__force fmode_t)flags & FMODE_EXEC; +- if ((flags & O_ACCMODE) != O_WRONLY) +- res |= FMODE_READ; +- if ((flags & O_ACCMODE) != O_RDONLY) +- res |= FMODE_WRITE; +- return res; +-} +- + static struct nfs_open_context *create_nfs_open_context(struct dentry *dentry, int open_flags, struct file *filp) + { + return alloc_nfs_open_context(dentry, flags_to_mode(open_flags), filp); +--- a/fs/nfs/internal.h ++++ b/fs/nfs/internal.h +@@ -48,6 +48,16 @@ struct nfs_clone_mount { + rpc_authflavor_t authflavor; + }; + ++static inline fmode_t flags_to_mode(int flags) ++{ ++ fmode_t res = (__force fmode_t)flags & FMODE_EXEC; ++ if ((flags & O_ACCMODE) != O_WRONLY) ++ res |= FMODE_READ; ++ if ((flags & O_ACCMODE) != O_RDONLY) ++ res |= FMODE_WRITE; ++ return res; ++} ++ + 
/* + * Note: RFC 1813 doesn't limit the number of auth flavors that + * a server can return, so make something up. +--- a/fs/nfs/nfs4file.c ++++ b/fs/nfs/nfs4file.c +@@ -30,6 +30,7 @@ nfs4_file_open(struct inode *inode, stru + struct dentry *parent = NULL; + struct inode *dir; + unsigned openflags = filp->f_flags; ++ fmode_t f_mode; + struct iattr attr; + int err; + +@@ -48,8 +49,9 @@ nfs4_file_open(struct inode *inode, stru + if (err) + return err; + ++ f_mode = filp->f_mode; + if ((openflags & O_ACCMODE) == 3) +- openflags--; ++ f_mode |= flags_to_mode(openflags); + + /* We can't create new files here */ + openflags &= ~(O_CREAT|O_EXCL); +@@ -57,7 +59,7 @@ nfs4_file_open(struct inode *inode, stru + parent = dget_parent(dentry); + dir = d_inode(parent); + +- ctx = alloc_nfs_open_context(file_dentry(filp), filp->f_mode, filp); ++ ctx = alloc_nfs_open_context(file_dentry(filp), f_mode, filp); + err = PTR_ERR(ctx); + if (IS_ERR(ctx)) + goto out; diff --git a/patches.suse/NFSv4.x-recover-from-pre-mature-loss-of-openstateid.patch b/patches.suse/NFSv4.x-recover-from-pre-mature-loss-of-openstateid.patch new file mode 100644 index 0000000..660e7cb --- /dev/null +++ b/patches.suse/NFSv4.x-recover-from-pre-mature-loss-of-openstateid.patch 
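Review bot: The bare `3` in `if ((openflags & O_ACCMODE) == 3)` in `nfs4_file_open()` is left unexplained, and the branch now widens `f_mode` instead of adjusting `openflags`. A comment on that line such as `/* access mode 3: flags_to_mode() yields FMODE_READ|FMODE_WRITE */` would record why the mode is widened, which follows from the two `!=` tests in `flags_to_mode()`. `openflags` now keeps access mode 3 where it used to be decremented; the later uses of `openflags` are outside the hunk, so confirm none of them relied on the old value.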
@@ -0,0 +1,114 @@ +From: Olga Kornievskaia +Date: Wed, 18 Dec 2019 16:50:42 -0500 +Subject: [PATCH] NFSv4.x recover from pre-mature loss of openstateid +Git-commit: d826e5b827641ae1bebb33d23a774f4e9bb8e94f +Patch-mainline: v5.6 +References: bsc#1196247 + +Ever since the commit 0e0cb35b417f, it's possible to lose an open stateid +while retrying a CLOSE due to ERR_OLD_STATEID. Once that happens, +operations that require openstateid fail with EAGAIN which is propagated +to the application then tests like generic/446 and generic/168 fail with +"Resource temporarily unavailable". + +Instead of returning this error, initiate state recovery when possible to +recover the open stateid and then try calling nfs4_select_rw_stateid() +again. + +Fixes: 0e0cb35b417f ("NFSv4: Handle NFS4ERR_OLD_STATEID in CLOSE/OPEN_DOWNGRADE") +Signed-off-by: Olga Kornievskaia +Signed-off-by: Anna Schumaker +Acked-by: NeilBrown + +--- + fs/nfs/nfs42proc.c | 31 ++++++++++++++++++++++++------- + fs/nfs/nfs4proc.c | 2 ++ + 2 files changed, 26 insertions(+), 7 deletions(-) + +--- a/fs/nfs/nfs42proc.c ++++ b/fs/nfs/nfs42proc.c +@@ -38,8 +38,11 @@ static int _nfs42_proc_fallocate(struct + + status = nfs4_set_rw_stateid(&args.falloc_stateid, lock->open_context, + lock, FMODE_WRITE); +- if (status) ++ if (status) { ++ if (status == -EAGAIN) ++ status = -NFS4ERR_BAD_STATEID; + return status; ++ } + + res.falloc_fattr = nfs_alloc_fattr(); + if (!res.falloc_fattr) +@@ -178,8 +181,11 @@ static ssize_t _nfs42_proc_copy(struct f + + status = nfs4_set_rw_stateid(&args->src_stateid, src_lock->open_context, + src_lock, FMODE_READ); +- if (status) ++ if (status) { ++ if (status == -EAGAIN) ++ status = -NFS4ERR_BAD_STATEID; + return status; ++ } + + status = nfs_filemap_write_and_wait_range(file_inode(src)->i_mapping, + pos_src, pos_src + (loff_t)count - 1); +@@ -188,8 +194,11 @@ static ssize_t _nfs42_proc_copy(struct f + + status = nfs4_set_rw_stateid(&args->dst_stateid, dst_lock->open_context, + dst_lock, 
FMODE_WRITE); +- if (status) ++ if (status) { ++ if (status == -EAGAIN) ++ status = -NFS4ERR_BAD_STATEID; + return status; ++ } + + status = nfs_sync_inode(dst_inode); + if (status) +@@ -318,8 +327,11 @@ static loff_t _nfs42_proc_llseek(struct + + status = nfs4_set_rw_stateid(&args.sa_stateid, lock->open_context, + lock, FMODE_READ); +- if (status) ++ if (status) { ++ if (status == -EAGAIN) ++ status = -NFS4ERR_BAD_STATEID; + return status; ++ } + + status = nfs_filemap_write_and_wait_range(inode->i_mapping, + offset, LLONG_MAX); +@@ -529,13 +541,18 @@ static int _nfs42_proc_clone(struct rpc_ + + status = nfs4_set_rw_stateid(&args.src_stateid, src_lock->open_context, + src_lock, FMODE_READ); +- if (status) ++ if (status) { ++ if (status == -EAGAIN) ++ status = -NFS4ERR_BAD_STATEID; + return status; +- ++ } + status = nfs4_set_rw_stateid(&args.dst_stateid, dst_lock->open_context, + dst_lock, FMODE_WRITE); +- if (status) ++ if (status) { ++ if (status == -EAGAIN) ++ status = -NFS4ERR_BAD_STATEID; + return status; ++ } + + res.dst_fattr = nfs_alloc_fattr(); + if (!res.dst_fattr) +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -3045,6 +3045,8 @@ static int _nfs4_do_setattr(struct inode + nfs_put_lock_context(l_ctx); + if (status == -EIO) + return -EBADF; ++ else if (status == -EAGAIN) ++ goto zero_stateid; + } else { + zero_stateid: + nfs4_stateid_copy(&arg->stateid, &zero_stateid); diff --git a/patches.suse/PCI-Add-device-even-if-driver-attach-failed.patch b/patches.suse/PCI-Add-device-even-if-driver-attach-failed.patch new file mode 100644 index 0000000..7196cab --- /dev/null +++ b/patches.suse/PCI-Add-device-even-if-driver-attach-failed.patch 
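Review bot: The four-line `-EAGAIN` to `-NFS4ERR_BAD_STATEID` translation is pasted after six `nfs4_set_rw_stateid()` calls in nfs42proc.c with no comment saying why a local error is turned into a protocol error. A single new wrapper (called `nfs42_set_rw_stateid` below, a name I made up) would keep the mapping in one place and give the explanation a home; the commit message says the intent is to start state recovery rather than hand EAGAIN to the application. In `_nfs4_do_setattr()` the new `goto zero_stateid` makes the SETATTR go out with the zero stateid on `-EAGAIN`; the rest of that function is outside the hunk, so a comment stating that this fallback is intended would help the next reader.

```c
/* A missing open stateid (-EAGAIN) is reported as BAD_STATEID so that the
 * caller's error handling can recover state instead of failing the call. */
static int nfs42_set_rw_stateid(nfs4_stateid *dst,
				const struct nfs_lock_context *lock,
				fmode_t fmode)
{
	int status = nfs4_set_rw_stateid(dst, lock->open_context, lock, fmode);

	return status == -EAGAIN ? -NFS4ERR_BAD_STATEID : status;
}

/* at each call site, e.g. in _nfs42_proc_fallocate(): */
	status = nfs42_set_rw_stateid(&args.falloc_stateid, lock, FMODE_WRITE);
	if (status)
		return status;
/* … unchanged: the rest of each caller … */
```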
@@ -0,0 +1,43 @@ +From: Rajat Jain +Date: Mon, 6 Jul 2020 16:32:40 -0700 +Subject: PCI: Add device even if driver attach failed +Git-commit: 2194bc7c39610be7cabe7456c5f63a570604f015 +Patch-mainline: 5.9-rc1 +References: git-fixes + +device_attach() returning failure indicates a driver error while trying to +probe the device. In such a scenario, the PCI device should still be added +in the system and be visible to the user. + +When device_attach() fails, merely warn about it and keep the PCI device in +the system. + +This partially reverts ab1a187bba5c ("PCI: Check device_attach() return +value always"). + +Link: https://lore.kernel.org/r/20200706233240.3245512-1-rajatja@google.com +Signed-off-by: Rajat Jain +Signed-off-by: Bjorn Helgaas +Reviewed-by: Greg Kroah-Hartman +Cc: stable@vger.kernel.org # v4.6+ +Signed-off-by: Jiri Slaby +--- + drivers/pci/bus.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/drivers/pci/bus.c ++++ b/drivers/pci/bus.c +@@ -324,12 +324,8 @@ void pci_bus_add_device(struct pci_dev * + + dev->match_driver = true; + retval = device_attach(&dev->dev); +- if (retval < 0 && retval != -EPROBE_DEFER) { ++ if (retval < 0 && retval != -EPROBE_DEFER) + pci_warn(dev, "device attach failed (%d)\n", retval); +- pci_proc_detach_device(dev); +- pci_remove_sysfs_dev_files(dev); +- return; +- } + + pci_dev_assign_added(dev, true); + } diff --git a/patches.suse/PCI-Fix-overflow-in-command-line-resource-alignment-.patch b/patches.suse/PCI-Fix-overflow-in-command-line-resource-alignment-.patch new file mode 100644 index 0000000..1769044 --- /dev/null +++ b/patches.suse/PCI-Fix-overflow-in-command-line-resource-alignment-.patch 
@@ -0,0 +1,44 @@ +From: Colin Ian King +Date: Sat, 14 Nov 2020 15:48:04 -0600 +Subject: PCI: Fix overflow in command-line resource alignment requests +Git-commit: cc73eb321d246776e5a9f7723d15708809aa3699 +Patch-mainline: 5.11-rc1 +References: git-fixes + +The shift of 1 by align_order is evaluated using 32 bit arithmetic and the +result is assigned to a resource_size_t type variable that is a 64 bit +unsigned integer on 64 bit platforms. Fix an overflow before widening issue +by making the 1 a ULL. + +[js] it's on two places in 4.12 + +Addresses-Coverity: ("Unintentional integer overflow") +Fixes: 32a9a682bef2 ("PCI: allow assignment of memory resources with a specified alignment") +Signed-off-by: Colin Ian King +Signed-off-by: Bjorn Helgaas +Reviewed-by: Logan Gunthorpe +Signed-off-by: Jiri Slaby +--- + drivers/pci/pci.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -5661,7 +5661,7 @@ static resource_size_t pci_specified_res + if (align_order == -1) + align = PAGE_SIZE; + else +- align = 1 << align_order; ++ align = 1ULL << align_order; + /* Found */ + break; + } +@@ -5687,7 +5687,7 @@ static resource_size_t pci_specified_res + if (align_order == -1) + align = PAGE_SIZE; + else +- align = 1 << align_order; ++ align = 1ULL << align_order; + /* Found */ + break; + } diff --git a/patches.suse/PCI-iproc-Fix-out-of-bound-array-accesses.patch b/patches.suse/PCI-iproc-Fix-out-of-bound-array-accesses.patch new file mode 100644 index 0000000..4a32476 --- /dev/null +++ b/patches.suse/PCI-iproc-Fix-out-of-bound-array-accesses.patch 
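Review bot: `1ULL << align_order` fixes the 32-bit evaluation, but the shift is still undefined when `align_order` is 64 or more, and per the patch title the value originates from the command line. The parsing is outside both hunks in pci.c, so if it does not already cap the order, a guard is needed at both sites, e.g. `if (align_order < 0 || align_order > 63) align = PAGE_SIZE; else align = 1ULL << align_order;`. On builds where `resource_size_t` is 32 bits wide the assignment would also truncate orders of 32 and above.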
@@ -0,0 +1,67 @@ +From: Bharat Gooty +Date: Thu, 1 Oct 2020 11:30:52 +0530 +Subject: PCI: iproc: Fix out-of-bound array accesses +Git-commit: a3ff529f5d368a17ff35ada8009e101162ebeaf9 +Patch-mainline: 5.11-rc1 +References: git-fixes + +Declare the full size array for all revisions of PAX register sets +to avoid potentially out of bound access of the register array +when they are being initialized in iproc_pcie_rev_init(). + +Link: https://lore.kernel.org/r/20201001060054.6616-2-srinath.mannam@broadcom.com +Fixes: 06324ede76cdf ("PCI: iproc: Improve core register population") +Signed-off-by: Bharat Gooty +Signed-off-by: Lorenzo Pieralisi +Signed-off-by: Jiri Slaby +--- + drivers/pci/host/pcie-iproc.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/pci/host/pcie-iproc.c ++++ b/drivers/pci/host/pcie-iproc.c +@@ -303,7 +303,7 @@ enum iproc_pcie_reg { + }; + + /* iProc PCIe PAXB BCMA registers */ +-static const u16 iproc_pcie_reg_paxb_bcma[] = { ++static const u16 iproc_pcie_reg_paxb_bcma[IPROC_PCIE_MAX_NUM_REG] = { + [IPROC_PCIE_CLK_CTRL] = 0x000, + [IPROC_PCIE_CFG_IND_ADDR] = 0x120, + [IPROC_PCIE_CFG_IND_DATA] = 0x124, +@@ -314,7 +314,7 @@ static const u16 iproc_pcie_reg_paxb_bcm + }; + + /* iProc PCIe PAXB registers */ +-static const u16 iproc_pcie_reg_paxb[] = { ++static const u16 iproc_pcie_reg_paxb[IPROC_PCIE_MAX_NUM_REG] = { + [IPROC_PCIE_CLK_CTRL] = 0x000, + [IPROC_PCIE_CFG_IND_ADDR] = 0x120, + [IPROC_PCIE_CFG_IND_DATA] = 0x124, +@@ -330,7 +330,7 @@ static const u16 iproc_pcie_reg_paxb[] = + }; + + /* iProc PCIe PAXB v2 registers */ +-static const u16 iproc_pcie_reg_paxb_v2[] = { ++static const u16 iproc_pcie_reg_paxb_v2[IPROC_PCIE_MAX_NUM_REG] = { + [IPROC_PCIE_CLK_CTRL] = 0x000, + [IPROC_PCIE_CFG_IND_ADDR] = 0x120, + [IPROC_PCIE_CFG_IND_DATA] = 0x124, +@@ -358,7 +358,7 @@ static const u16 iproc_pcie_reg_paxb_v2[ + }; + + /* iProc PCIe PAXC v1 registers */ +-static const u16 iproc_pcie_reg_paxc[] = { ++static const u16 
iproc_pcie_reg_paxc[IPROC_PCIE_MAX_NUM_REG] = { + [IPROC_PCIE_CLK_CTRL] = 0x000, + [IPROC_PCIE_CFG_IND_ADDR] = 0x1f0, + [IPROC_PCIE_CFG_IND_DATA] = 0x1f4, +@@ -367,7 +367,7 @@ static const u16 iproc_pcie_reg_paxc[] = + }; + + /* iProc PCIe PAXC v2 registers */ +-static const u16 iproc_pcie_reg_paxc_v2[] = { ++static const u16 iproc_pcie_reg_paxc_v2[IPROC_PCIE_MAX_NUM_REG] = { + [IPROC_PCIE_MSI_GIC_MODE] = 0x050, + [IPROC_PCIE_MSI_BASE_ADDR] = 0x074, + [IPROC_PCIE_MSI_WINDOW_SIZE] = 0x078, diff --git a/patches.suse/PCI-iproc-Set-affinity-mask-on-MSI-interrupts.patch b/patches.suse/PCI-iproc-Set-affinity-mask-on-MSI-interrupts.patch new file mode 100644 index 0000000..d4ebd67 --- /dev/null +++ b/patches.suse/PCI-iproc-Set-affinity-mask-on-MSI-interrupts.patch 
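Review bot: Sizing the tables to `IPROC_PCIE_MAX_NUM_REG` means every register that is not listed is now a zero-initialised `u16`, and zero is also the listed offset of `IPROC_PCIE_CLK_CTRL` in four of the tables shown. Nothing in the hunks records how `iproc_pcie_rev_init()` tells an absent register from offset 0x000. A comment above the first table, for example `/* unlisted entries are 0; iproc_pcie_rev_init() must treat them as not present */`, would document the reliance, after checking that the init code (outside the hunks) really does this.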
@@ -0,0 +1,48 @@
+From: Mark Tomlinson
+Date: Mon, 3 Aug 2020 15:52:40 +1200
+Subject: PCI: iproc: Set affinity mask on MSI interrupts
+Git-commit: eb7eacaa5b9e4f665bd08d416c8f88e63d2f123c
+Patch-mainline: 5.10-rc1
+References: git-fixes
+
+The core interrupt code expects the irq_set_affinity call to update the
+effective affinity for the interrupt. This was not being done, so update
+iproc_msi_irq_set_affinity() to do so.
+
+Link: https://lore.kernel.org/r/20200803035241.7737-1-mark.tomlinson@alliedtelesis.co.nz
+Fixes: 3bc2b2348835 ("PCI: iproc: Add iProc PCIe MSI support")
+Signed-off-by: Mark Tomlinson
+Signed-off-by: Lorenzo Pieralisi
+Reviewed-by: Ray Jui
+Signed-off-by: Jiri Slaby
+---
+ drivers/pci/host/pcie-iproc-msi.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/drivers/pci/host/pcie-iproc-msi.c
++++ b/drivers/pci/host/pcie-iproc-msi.c
+@@ -217,15 +217,20 @@ static int iproc_msi_irq_set_affinity(st
+ struct iproc_msi *msi = irq_data_get_irq_chip_data(data);
+ int target_cpu = cpumask_first(mask);
+ int curr_cpu;
++ int ret;
+
+ curr_cpu = hwirq_to_cpu(msi, data->hwirq);
+ if (curr_cpu == target_cpu)
+- return IRQ_SET_MASK_OK_DONE;
++ ret = IRQ_SET_MASK_OK_DONE;
++ else {
++ /* steer MSI to the target CPU */
++ data->hwirq = hwirq_to_canonical_hwirq(msi, data->hwirq) + target_cpu;
++ ret = IRQ_SET_MASK_OK;
++ }
+
+- /* steer MSI to the target CPU */
+- data->hwirq = hwirq_to_canonical_hwirq(msi, data->hwirq) + target_cpu;
++ irq_data_update_effective_affinity(data, cpumask_of(target_cpu));
+
+- return IRQ_SET_MASK_OK;
++ return ret;
+ }
+
+ static void iproc_msi_irq_compose_msi_msg(struct irq_data *data,
diff --git a/patches.suse/PCI-qcom-Add-missing-reset-for-ipq806x.patch b/patches.suse/PCI-qcom-Add-missing-reset-for-ipq806x.patch
index 5591a3f..4838787 100644
--- a/patches.suse/PCI-qcom-Add-missing-reset-for-ipq806x.patch
+++ b/patches.suse/PCI-qcom-Add-missing-reset-for-ipq806x.patch
@@ -42,15 +42,15 @@
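Review bot: `target_cpu` comes from `cpumask_first(mask)` and is now passed to `cpumask_of(target_cpu)` on every call without a range check; for an empty mask cpumask_first() returns a value that is not below nr_cpu_ids, which would index past the per-CPU mask table. The IRQ core may already guarantee a usable mask here, but that is not visible in this hunk (the function starts above it), so a guard such as `if (target_cpu >= nr_cpu_ids) return -EINVAL;` ahead of the comparison would make the assumption explicit. As a style point, the new `if` leaves its first branch unbraced while the `else` is braced; kernel style braces both.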
Signed-off-by: Jiri Slaby res->phy_reset = devm_reset_control_get_exclusive(dev, "phy"); return PTR_ERR_OR_ZERO(res->phy_reset); } -@@ -288,6 +293,7 @@ static void qcom_pcie_deinit_2_1_0(struc +@@ -289,6 +294,7 @@ static void qcom_pcie_deinit_2_1_0(struc reset_control_assert(res->axi_reset); reset_control_assert(res->ahb_reset); reset_control_assert(res->por_reset); + reset_control_assert(res->ext_reset); - reset_control_assert(res->pci_reset); + reset_control_assert(res->phy_reset); clk_disable_unprepare(res->iface_clk); clk_disable_unprepare(res->core_clk); -@@ -353,6 +359,12 @@ static int qcom_pcie_init_2_1_0(struct q +@@ -347,6 +353,12 @@ static int qcom_pcie_init_2_1_0(struct q goto err_deassert_ahb; } diff --git a/patches.suse/PCI-qcom-Change-duplicate-PCI-reset-to-phy-reset.patch b/patches.suse/PCI-qcom-Change-duplicate-PCI-reset-to-phy-reset.patch new file mode 100644 index 0000000..17c35f0 --- /dev/null +++ b/patches.suse/PCI-qcom-Change-duplicate-PCI-reset-to-phy-reset.patch 
@@ -0,0 +1,75 @@ +From: Abhishek Sahu +Date: Mon, 15 Jun 2020 23:05:59 +0200 +Subject: PCI: qcom: Change duplicate PCI reset to phy reset +Git-commit: dd58318c019f10bc94db36df66af6c55d4c0cbba +Patch-mainline: 5.9-rc1 +References: git-fixes + +The deinit issues reset_control_assert for PCI twice and does not contain +phy reset. + +Link: https://lore.kernel.org/r/20200615210608.21469-4-ansuelsmth@gmail.com +Signed-off-by: Abhishek Sahu +Signed-off-by: Ansuel Smith +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Rob Herring +Acked-by: Stanimir Varbanov +Signed-off-by: Jiri Slaby +--- + drivers/pci/dwc/pcie-qcom.c | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +--- a/drivers/pci/dwc/pcie-qcom.c ++++ b/drivers/pci/dwc/pcie-qcom.c +@@ -284,14 +284,14 @@ static void qcom_pcie_deinit_2_1_0(struc + { + struct qcom_pcie_resources_2_1_0 *res = &pcie->res.v2_1_0; + ++ clk_disable_unprepare(res->phy_clk); + reset_control_assert(res->pci_reset); + reset_control_assert(res->axi_reset); + reset_control_assert(res->ahb_reset); + reset_control_assert(res->por_reset); +- reset_control_assert(res->pci_reset); ++ reset_control_assert(res->phy_reset); + clk_disable_unprepare(res->iface_clk); + clk_disable_unprepare(res->core_clk); +- clk_disable_unprepare(res->phy_clk); + clk_disable_unprepare(res->aux_clk); + clk_disable_unprepare(res->ref_clk); + regulator_bulk_disable(ARRAY_SIZE(res->supplies), res->supplies); +@@ -329,12 +329,6 @@ static int qcom_pcie_init_2_1_0(struct q + goto err_clk_core; + } + +- ret = clk_prepare_enable(res->phy_clk); +- if (ret) { +- dev_err(dev, "cannot prepare/enable phy clock\n"); +- goto err_clk_phy; +- } +- + ret = clk_prepare_enable(res->aux_clk); + if (ret) { + dev_err(dev, "cannot prepare/enable aux clock\n"); +@@ -387,6 +381,12 @@ static int qcom_pcie_init_2_1_0(struct q + return ret; + } + ++ ret = clk_prepare_enable(res->phy_clk); ++ if (ret) { ++ dev_err(dev, "cannot prepare/enable phy clock\n"); ++ goto 
err_deassert_ahb; ++ } ++ + /* wait for clock acquisition */ + usleep_range(1000, 1500); + +@@ -404,8 +404,6 @@ err_deassert_ahb: + err_clk_ref: + clk_disable_unprepare(res->aux_clk); + err_clk_aux: +- clk_disable_unprepare(res->phy_clk); +-err_clk_phy: + clk_disable_unprepare(res->core_clk); + err_clk_core: + clk_disable_unprepare(res->iface_clk); diff --git a/patches.suse/PCI-qcom-Make-sure-PCIe-is-reset-before-init-for-rev.patch b/patches.suse/PCI-qcom-Make-sure-PCIe-is-reset-before-init-for-rev.patch new file mode 100644 index 0000000..84233d4 --- /dev/null +++ b/patches.suse/PCI-qcom-Make-sure-PCIe-is-reset-before-init-for-rev.patch 
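Review bot: The description only mentions replacing the duplicate `pci_reset` assert with `phy_reset`, but the diff also moves `clk_prepare_enable(res->phy_clk)` to a later point in qcom_pcie_init_2_1_0() and makes deinit disable that clock first. That reordering deserves its own sentence in the description or a backport note, because the failure path for the phy clock now jumps to `err_deassert_ahb` and the `err_clk_phy` label is removed. What `err_deassert_ahb` undoes lies outside the visible hunks, so it is worth confirming that every reset released before the phy clock is enabled is asserted again on that path.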
@@ -0,0 +1,52 @@
+From: Ansuel Smith
+Date: Tue, 1 Sep 2020 14:49:54 +0200
+Subject: PCI: qcom: Make sure PCIe is reset before init for rev 2.1.0
+Git-commit: d3d4d028afb785e52c55024d779089654f8302e7
+Patch-mainline: 5.10-rc1
+References: git-fixes
+
+Qsdk U-Boot can incorrectly leave the PCIe interface in an undefined
+state if bootm command is used instead of bootipq. This is caused by the
+not deinit of PCIe when bootm is called. Reset the PCIe before init
+anyway to fix this U-Boot bug.
+
+Link: https://lore.kernel.org/r/20200901124955.137-1-ansuelsmth@gmail.com
+Fixes: 82a823833f4e ("PCI: qcom: Add Qualcomm PCIe controller driver")
+Signed-off-by: Ansuel Smith
+Signed-off-by: Lorenzo Pieralisi
+Reviewed-by: Bjorn Andersson
+Cc: stable@vger.kernel.org # v4.19+
+Signed-off-by: Jiri Slaby
+---
+ drivers/pci/dwc/pcie-qcom.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/drivers/pci/dwc/pcie-qcom.c
++++ b/drivers/pci/dwc/pcie-qcom.c
+@@ -318,6 +318,9 @@ static void qcom_pcie_deinit_2_1_0(struc
+ clk_disable_unprepare(res->core_clk);
+ clk_disable_unprepare(res->aux_clk);
+ clk_disable_unprepare(res->ref_clk);
++
++ writel(1, pcie->parf + PCIE20_PARF_PHY_CTRL);
++
+ regulator_bulk_disable(ARRAY_SIZE(res->supplies), res->supplies);
+ }
+
+@@ -330,6 +333,16 @@ static int qcom_pcie_init_2_1_0(struct q
+ u32 val;
+ int ret;
+
++ /* reset the PCIe interface as uboot can leave it undefined state */
++ reset_control_assert(res->pci_reset);
++ reset_control_assert(res->axi_reset);
++ reset_control_assert(res->ahb_reset);
++ reset_control_assert(res->por_reset);
++ reset_control_assert(res->ext_reset);
++ reset_control_assert(res->phy_reset);
++
++ writel(1, pcie->parf + PCIE20_PARF_PHY_CTRL);
++
+ ret = regulator_bulk_enable(ARRAY_SIZE(res->supplies), res->supplies);
+ if (ret < 0) {
+ dev_err(dev, "cannot enable regulators\n");
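Review bot: `writel(1, pcie->parf + PCIE20_PARF_PHY_CTRL);` is added in both deinit and init with a bare constant, and it overwrites the whole register instead of changing one field. I would name the value or put a comment at both sites, for example `/* bit 0 presumably powers the PHY down; every other PHY_CTRL bit is cleared as well - confirm */`. The six `reset_control_assert()` calls added at the top of qcom_pcie_init_2_1_0() also discard their return values, so a failed assert goes unnoticed in a function that otherwise reports each failure through `dev_err`; if that is deliberate best effort, the comment above them should say so.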
diff --git a/patches.suse/PCI-switchtec-Read-all-64-bits-of-part_event_bitmap.patch b/patches.suse/PCI-switchtec-Read-all-64-bits-of-part_event_bitmap.patch new file mode 100644 index 0000000..afddf7f --- /dev/null +++ b/patches.suse/PCI-switchtec-Read-all-64-bits-of-part_event_bitmap.patch @@ -0,0 +1,43 @@ +From: Logan Gunthorpe +Date: Tue, 10 Sep 2019 13:58:33 -0600 +Subject: PCI/switchtec: Read all 64 bits of part_event_bitmap +Git-commit: 6acdf7e19b37cb3a9258603d0eab315079c19c5e +Patch-mainline: 5.5-rc1 +References: git-fixes + +The part_event_bitmap register is 64 bits wide, so read it with ioread64() +instead of the 32-bit ioread32(). + +[js] include also linux/io-64-nonatomic-lo-hi.h, it was added later + +Fixes: 52eabba5bcdb ("switchtec: Add IOCTLs to the Switchtec driver") +Link: https://lore.kernel.org/r/20190910195833.3891-1-logang@deltatee.com +Reported-by: Doug Meyer +Signed-off-by: Logan Gunthorpe +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org # v4.12+ +Cc: Kelvin Cao +Signed-off-by: Jiri Slaby +--- + drivers/pci/switch/switchtec.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/pci/switch/switchtec.c ++++ b/drivers/pci/switch/switchtec.c +@@ -24,6 +24,7 @@ + #include + #include + ++#include + #include + + MODULE_DESCRIPTION("Microsemi Switchtec(tm) PCIe Management Driver"); +@@ -876,7 +877,7 @@ static int ioctl_event_summary(struct sw + u32 reg; + + s.global = ioread32(&stdev->mmio_sw_event->global_summary); +- s.part_bitmap = ioread32(&stdev->mmio_sw_event->part_event_bitmap); ++ s.part_bitmap = ioread64(&stdev->mmio_sw_event->part_event_bitmap); + s.local_part = ioread32(&stdev->mmio_part_cfg->part_event_summary); + + for (i = 0; i < stdev->partition_count; i++) { diff --git a/patches.suse/Revert-NFSv4-Handle-the-special-Linux-file-open-acce.patch b/patches.suse/Revert-NFSv4-Handle-the-special-Linux-file-open-acce.patch new file mode 100644 index 0000000..6ffc0ef --- /dev/null 
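Review bot: The new `ioread64()` call relies on the `[js]` addition of linux/io-64-nonatomic-lo-hi.h, which on builds without a native 64-bit accessor performs two 32-bit reads, low half first. The two halves of `part_event_bitmap` can then come from different moments, so `s.part_bitmap` may mix old and new state if the device updates the register in between. A short comment at the call, for example `/* may be read as two 32-bit halves (lo-hi), not atomic */`, would record that limitation. ioctl_event_summary() continues past the end of the hunk.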
+++ b/patches.suse/Revert-NFSv4-Handle-the-special-Linux-file-open-acce.patch
@@ -0,0 +1,50 @@
+From: ChenXiaoSong
+Date: Tue, 29 Mar 2022 19:32:07 +0800
+Subject: [PATCH] Revert "NFSv4: Handle the special Linux file open access
+ mode"
+Git-commit: ab0fc21bc7105b54bafd85bd8b82742f9e68898a
+Patch-mainline: v5.18
+References: git-fixes
+
+This reverts commit 44942b4e457beda00981f616402a1a791e8c616e.
+
+After secondly opening a file with O_ACCMODE|O_DIRECT flags,
+nfs4_valid_open_stateid() will dereference NULL nfs4_state when lseek().
+
+Reproducer: 1. mount -t nfs -o vers=4.2 $server_ip:/ /mnt/
+ 2. fd = open("/mnt/file", O_ACCMODE|O_DIRECT|O_CREAT)
+ 3. close(fd)
+ 4. fd = open("/mnt/file", O_ACCMODE|O_DIRECT)
+ 5. lseek(fd)
+
+Reported-by: Lyu Tao
+Signed-off-by: ChenXiaoSong
+Signed-off-by: Trond Myklebust
+Acked-by: NeilBrown
+
+---
+ fs/nfs/inode.c | 1 -
+ fs/nfs/nfs4file.c | 2 +-
+ 2 files changed, 1 insertion(+), 2 deletions(-)
+
+--- a/fs/nfs/inode.c
++++ b/fs/nfs/inode.c
+@@ -1002,7 +1002,6 @@ int nfs_open(struct inode *inode, struct
+ nfs_fscache_open_file(inode, filp);
+ return 0;
+ }
+-EXPORT_SYMBOL_GPL(nfs_open);
+
+ /*
+ * This function is called whenever some part of NFS notices that
+--- a/fs/nfs/nfs4file.c
++++ b/fs/nfs/nfs4file.c
+@@ -49,7 +49,7 @@ nfs4_file_open(struct inode *inode, stru
+ return err;
+
+ if ((openflags & O_ACCMODE) == 3)
+- return nfs_open(inode, filp);
++ openflags--;
+
+ /* We can't create new files here */
+ openflags &= ~(O_CREAT|O_EXCL);
diff --git a/patches.suse/Revert-USB-serial-ch341-add-new-Product-ID-for-CH341.patch b/patches.suse/Revert-USB-serial-ch341-add-new-Product-ID-for-CH341.patch
new file mode 100644
index 0000000..a838b63
--- /dev/null
+++ b/patches.suse/Revert-USB-serial-ch341-add-new-Product-ID-for-CH341.patch
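Review bot: Removing `EXPORT_SYMBOL_GPL(nfs_open);` in fs/nfs/inode.c drops an exported symbol, which in a tree that tracks kABI is an interface change and not only a revert of behaviour. If the reverted commit already shipped in a released kernel of this branch, the export probably has to stay even though nfs4_file_open() no longer calls nfs_open(); that cannot be decided from this hunk. Separately, the restored `openflags--;` is opaque and would benefit from a comment such as `/* access mode 3 is the special Linux open mode; map it to 2 */`.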
@@ -0,0 +1,36 @@ +From 198a7ebd5fa17b4d0be8cb70240ee1be885175c0 Mon Sep 17 00:00:00 2001 +From: Dmytro Bagrii +Date: Thu, 10 Feb 2022 18:41:37 +0200 +Subject: [PATCH] Revert "USB: serial: ch341: add new Product ID for CH341A" +Git-commit: 198a7ebd5fa17b4d0be8cb70240ee1be885175c0 +References: git-fixes +Patch-mainline: v5.17-rc6 + +This reverts commit 46ee4abb10a07bd8f8ce910ee6b4ae6a947d7f63. + +CH341 has Product ID 0x5512 in EPP/MEM mode which is used for +I2C/SPI/GPIO interfaces. In asynchronous serial interface mode +CH341 has PID 0x5523 which is already in the table. + +Mode is selected by corresponding jumper setting. + +Signed-off-by: Dmytro Bagrii +Link: https://lore.kernel.org/r/20220210164137.4376-1-dimich.dmb@gmail.com +Link: https://lore.kernel.org/r/YJ0OCS/sh+1ifD/q@hovoldconsulting.com +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Oliver Neukum +--- + drivers/usb/serial/ch341.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/usb/serial/ch341.c ++++ b/drivers/usb/serial/ch341.c +@@ -83,7 +83,6 @@ + #define CH341_LCR_CS5 0x00 + + static const struct usb_device_id id_table[] = { +- { USB_DEVICE(0x1a86, 0x5512) }, + { USB_DEVICE(0x1a86, 0x5523) }, + { USB_DEVICE(0x1a86, 0x7522) }, + { USB_DEVICE(0x1a86, 0x7523) }, diff --git a/patches.suse/Revert-ibmvnic-Add-ethtool-private-flag-for-driver-d.patch b/patches.suse/Revert-ibmvnic-Add-ethtool-private-flag-for-driver-d.patch new file mode 100644 index 0000000..47b94cf --- /dev/null +++ b/patches.suse/Revert-ibmvnic-Add-ethtool-private-flag-for-driver-d.patch 
@@ -0,0 +1,258 @@ +From ea94e7b11702e12d44ba6b0525aee4a55e52c825 Mon Sep 17 00:00:00 2001 +From: Dany Madden +Date: Wed, 27 Apr 2022 18:51:46 -0500 +Subject: [PATCH] Revert "ibmvnic: Add ethtool private flag for driver-defined + queue limits" + +References: bsc#1121726 ltc#174633 git-fixes +Patch-mainline: v5.18-rc5 +Git-commit: aeaf59b78712c7a1827c76f086acff4f586e072f + +This reverts commit 723ad916134784b317b72f3f6cf0f7ba774e5dae + +When client requests channel or ring size larger than what the server +can support the server will cap the request to the supported max. So, +the client would not be able to successfully request resources that +exceed the server limit. + +Fixes: 723ad9161347 ("ibmvnic: Add ethtool private flag for driver-defined queue limits") +Signed-off-by: Dany Madden +Link: https://lore.kernel.org/r/20220427235146.23189-1-drt@linux.ibm.com +Signed-off-by: Jakub Kicinski +Acked-by: Michal Suchanek +--- + drivers/net/ethernet/ibm/ibmvnic.c | 129 ++++++++--------------------- + drivers/net/ethernet/ibm/ibmvnic.h | 6 -- + 2 files changed, 35 insertions(+), 100 deletions(-) + +diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c +index a84d459f204f..13acff619cf4 100644 +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -2918,13 +2918,8 @@ static void ibmvnic_get_ringparam(struct net_device *netdev, + { + struct ibmvnic_adapter *adapter = netdev_priv(netdev); + +- if (adapter->priv_flags & IBMVNIC_USE_SERVER_MAXES) { +- ring->rx_max_pending = adapter->max_rx_add_entries_per_subcrq; +- ring->tx_max_pending = adapter->max_tx_entries_per_subcrq; +- } else { +- ring->rx_max_pending = IBMVNIC_MAX_QUEUE_SZ; +- ring->tx_max_pending = IBMVNIC_MAX_QUEUE_SZ; +- } ++ ring->rx_max_pending = adapter->max_rx_add_entries_per_subcrq; ++ ring->tx_max_pending = adapter->max_tx_entries_per_subcrq; + ring->rx_mini_max_pending = 0; + ring->rx_jumbo_max_pending = 0; + ring->rx_pending = 
adapter->req_rx_add_entries_per_subcrq; +@@ -2937,23 +2932,21 @@ static int ibmvnic_set_ringparam(struct net_device *netdev, + struct ethtool_ringparam *ring) + { + struct ibmvnic_adapter *adapter = netdev_priv(netdev); +- int ret; + +- ret = 0; ++ if (ring->rx_pending > adapter->max_rx_add_entries_per_subcrq || ++ ring->tx_pending > adapter->max_tx_entries_per_subcrq) { ++ netdev_err(netdev, "Invalid request.\n"); ++ netdev_err(netdev, "Max tx buffers = %llu\n", ++ adapter->max_rx_add_entries_per_subcrq); ++ netdev_err(netdev, "Max rx buffers = %llu\n", ++ adapter->max_tx_entries_per_subcrq); ++ return -EINVAL; ++ } ++ + adapter->desired.rx_entries = ring->rx_pending; + adapter->desired.tx_entries = ring->tx_pending; + +- ret = wait_for_reset(adapter); +- +- if (!ret && +- (adapter->req_rx_add_entries_per_subcrq != ring->rx_pending || +- adapter->req_tx_entries_per_subcrq != ring->tx_pending)) +- netdev_info(netdev, +- "Could not match full ringsize request. Requested: RX %d, TX %d; Allowed: RX %llu, TX %llu\n", +- ring->rx_pending, ring->tx_pending, +- adapter->req_rx_add_entries_per_subcrq, +- adapter->req_tx_entries_per_subcrq); +- return ret; ++ return wait_for_reset(adapter); + } + + static void ibmvnic_get_channels(struct net_device *netdev, +@@ -2961,14 +2954,8 @@ static void ibmvnic_get_channels(struct net_device *netdev, + { + struct ibmvnic_adapter *adapter = netdev_priv(netdev); + +- if (adapter->priv_flags & IBMVNIC_USE_SERVER_MAXES) { +- channels->max_rx = adapter->max_rx_queues; +- channels->max_tx = adapter->max_tx_queues; +- } else { +- channels->max_rx = IBMVNIC_MAX_QUEUES; +- channels->max_tx = IBMVNIC_MAX_QUEUES; +- } +- ++ channels->max_rx = adapter->max_rx_queues; ++ channels->max_tx = adapter->max_tx_queues; + channels->max_other = 0; + channels->max_combined = 0; + channels->rx_count = adapter->req_rx_queues; +@@ -2981,22 +2968,11 @@ static int ibmvnic_set_channels(struct net_device *netdev, + struct ethtool_channels *channels) + { + struct 
ibmvnic_adapter *adapter = netdev_priv(netdev); +- int ret; + +- ret = 0; + adapter->desired.rx_queues = channels->rx_count; + adapter->desired.tx_queues = channels->tx_count; + +- ret = wait_for_reset(adapter); +- +- if (!ret && +- (adapter->req_rx_queues != channels->rx_count || +- adapter->req_tx_queues != channels->tx_count)) +- netdev_info(netdev, +- "Could not match full channels request. Requested: RX %d, TX %d; Allowed: RX %llu, TX %llu\n", +- channels->rx_count, channels->tx_count, +- adapter->req_rx_queues, adapter->req_tx_queues); +- return ret; ++ return wait_for_reset(adapter); + } + + static void ibmvnic_get_strings(struct net_device *dev, u32 stringset, u8 *data) +@@ -3004,43 +2980,32 @@ static void ibmvnic_get_strings(struct net_device *dev, u32 stringset, u8 *data) + struct ibmvnic_adapter *adapter = netdev_priv(dev); + int i; + +- switch (stringset) { +- case ETH_SS_STATS: +- for (i = 0; i < ARRAY_SIZE(ibmvnic_stats); +- i++, data += ETH_GSTRING_LEN) +- memcpy(data, ibmvnic_stats[i].name, ETH_GSTRING_LEN); ++ if (stringset != ETH_SS_STATS) ++ return; + +- for (i = 0; i < adapter->req_tx_queues; i++) { +- snprintf(data, ETH_GSTRING_LEN, "tx%d_packets", i); +- data += ETH_GSTRING_LEN; ++ for (i = 0; i < ARRAY_SIZE(ibmvnic_stats); i++, data += ETH_GSTRING_LEN) ++ memcpy(data, ibmvnic_stats[i].name, ETH_GSTRING_LEN); + +- snprintf(data, ETH_GSTRING_LEN, "tx%d_bytes", i); +- data += ETH_GSTRING_LEN; ++ for (i = 0; i < adapter->req_tx_queues; i++) { ++ snprintf(data, ETH_GSTRING_LEN, "tx%d_packets", i); ++ data += ETH_GSTRING_LEN; + +- snprintf(data, ETH_GSTRING_LEN, +- "tx%d_dropped_packets", i); +- data += ETH_GSTRING_LEN; +- } ++ snprintf(data, ETH_GSTRING_LEN, "tx%d_bytes", i); ++ data += ETH_GSTRING_LEN; + +- for (i = 0; i < adapter->req_rx_queues; i++) { +- snprintf(data, ETH_GSTRING_LEN, "rx%d_packets", i); +- data += ETH_GSTRING_LEN; ++ snprintf(data, ETH_GSTRING_LEN, "tx%d_dropped_packets", i); ++ data += ETH_GSTRING_LEN; ++ } + +- 
snprintf(data, ETH_GSTRING_LEN, "rx%d_bytes", i); +- data += ETH_GSTRING_LEN; ++ for (i = 0; i < adapter->req_rx_queues; i++) { ++ snprintf(data, ETH_GSTRING_LEN, "rx%d_packets", i); ++ data += ETH_GSTRING_LEN; + +- snprintf(data, ETH_GSTRING_LEN, "rx%d_interrupts", i); +- data += ETH_GSTRING_LEN; +- } +- break; ++ snprintf(data, ETH_GSTRING_LEN, "rx%d_bytes", i); ++ data += ETH_GSTRING_LEN; + +- case ETH_SS_PRIV_FLAGS: +- for (i = 0; i < ARRAY_SIZE(ibmvnic_priv_flags); i++) +- strcpy(data + i * ETH_GSTRING_LEN, +- ibmvnic_priv_flags[i]); +- break; +- default: +- return; ++ snprintf(data, ETH_GSTRING_LEN, "rx%d_interrupts", i); ++ data += ETH_GSTRING_LEN; + } + } + +@@ -3053,8 +3018,6 @@ static int ibmvnic_get_sset_count(struct net_device *dev, int sset) + return ARRAY_SIZE(ibmvnic_stats) + + adapter->req_tx_queues * NUM_TX_STATS + + adapter->req_rx_queues * NUM_RX_STATS; +- case ETH_SS_PRIV_FLAGS: +- return ARRAY_SIZE(ibmvnic_priv_flags); + default: + return -EOPNOTSUPP; + } +@@ -3107,26 +3070,6 @@ static void ibmvnic_get_ethtool_stats(struct net_device *dev, + } + } + +-static u32 ibmvnic_get_priv_flags(struct net_device *netdev) +-{ +- struct ibmvnic_adapter *adapter = netdev_priv(netdev); +- +- return adapter->priv_flags; +-} +- +-static int ibmvnic_set_priv_flags(struct net_device *netdev, u32 flags) +-{ +- struct ibmvnic_adapter *adapter = netdev_priv(netdev); +- bool which_maxes = !!(flags & IBMVNIC_USE_SERVER_MAXES); +- +- if (which_maxes) +- adapter->priv_flags |= IBMVNIC_USE_SERVER_MAXES; +- else +- adapter->priv_flags &= ~IBMVNIC_USE_SERVER_MAXES; +- +- return 0; +-} +- + static const struct ethtool_ops ibmvnic_ethtool_ops = { + .get_drvinfo = ibmvnic_get_drvinfo, + .get_msglevel = ibmvnic_get_msglevel, +@@ -3140,8 +3083,6 @@ static const struct ethtool_ops ibmvnic_ethtool_ops = { + .get_sset_count = ibmvnic_get_sset_count, + .get_ethtool_stats = ibmvnic_get_ethtool_stats, + .get_link_ksettings = ibmvnic_get_link_ksettings, +- .get_priv_flags = 
ibmvnic_get_priv_flags, +- .set_priv_flags = ibmvnic_set_priv_flags, + }; + + /* Routines for managing CRQs/sCRQs */ +diff --git a/drivers/net/ethernet/ibm/ibmvnic.h b/drivers/net/ethernet/ibm/ibmvnic.h +index 9fc4d3068018..d87f88d1552d 100644 +--- a/drivers/net/ethernet/ibm/ibmvnic.h ++++ b/drivers/net/ethernet/ibm/ibmvnic.h +@@ -52,11 +52,6 @@ + + #define IBMVNIC_RESET_DELAY 100 + +-static const char ibmvnic_priv_flags[][ETH_GSTRING_LEN] = { +-#define IBMVNIC_USE_SERVER_MAXES 0x1 +- "use-server-maxes" +-}; +- + struct ibmvnic_login_buffer { + __be32 len; + __be32 version; +@@ -895,7 +890,6 @@ struct ibmvnic_adapter { + struct ibmvnic_control_ip_offload_buffer ip_offload_ctrl; + dma_addr_t ip_offload_ctrl_tok; + u32 msg_enable; +- u32 priv_flags; + + /* Vital Product Data (VPD) */ + struct ibmvnic_vpd *vpd; +-- +2.34.1 + diff --git a/patches.suse/SUNRPC-Handle-low-memory-situations-in-call_status.patch b/patches.suse/SUNRPC-Handle-low-memory-situations-in-call_status.patch new file mode 100644 index 0000000..52bf37f --- /dev/null +++ b/patches.suse/SUNRPC-Handle-low-memory-situations-in-call_status.patch 
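Review bot: In the restored ibmvnic_set_ringparam() the two limit messages are crossed: `"Max tx buffers = %llu\n"` prints `adapter->max_rx_add_entries_per_subcrq` and `"Max rx buffers = %llu\n"` prints `adapter->max_tx_entries_per_subcrq`. Someone reading the log after the -EINVAL gets the wrong ceiling for each direction; swapping the two arguments fixes it. ibmvnic_set_channels() in the same patch has no matching range check before `wait_for_reset(adapter)`; the description says the server caps the request, so a one-line comment there explaining why the two setters differ would help.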
@@ -0,0 +1,35 @@
+From: Trond Myklebust
+Date: Thu, 7 Apr 2022 09:50:19 -0400
+Subject: [PATCH] SUNRPC: Handle low memory situations in call_status()
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: 9d82819d5b065348ce623f196bf601028e22ed00
+Patch-mainline: v5.18
+References: git-fixes
+
+We need to handle ENFILE, ENOBUFS, and ENOMEM, because
+xprt_wake_pending_tasks() can be called with any one of these due to
+socket creation failures.
+
+Fixes: b61d59fffd3e ("SUNRPC: xs_tcp_connect_worker{4,6}: merge common code")
+Signed-off-by: Trond Myklebust
+Acked-by: NeilBrown
+
+---
+ net/sunrpc/clnt.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/sunrpc/clnt.c
++++ b/net/sunrpc/clnt.c
+@@ -2245,7 +2245,10 @@ call_status(struct rpc_task *task)
+ task->tk_action = call_bind;
+ break;
+ case -ENOBUFS:
++ case -ENFILE:
++ case -ENOMEM:
+ rpc_delay(task, HZ>>2);
++ break;
+ case -EAGAIN:
+ task->tk_action = call_transmit;
+ break;
diff --git a/patches.suse/SUNRPC-avoid-race-between-mod_timer-and-del_timer_sy.patch b/patches.suse/SUNRPC-avoid-race-between-mod_timer-and-del_timer_sy.patch
index 818cc11..28cd3e4 100644
--- a/patches.suse/SUNRPC-avoid-race-between-mod_timer-and-del_timer_sy.patch
+++ b/patches.suse/SUNRPC-avoid-race-between-mod_timer-and-del_timer_sy.patch
@@ -1,7 +1,8 @@
 From: NeilBrown
 Date: Tue, 8 Mar 2022 13:20:57 +1100
 Subject: [PATCH] SUNRPC: avoid race between mod_timer() and del_timer_sync()
-Patch-mainline: Submitted, 08mar2022 - linux-nfs@vger.kernel.org
+Patch-mainline: v5.18
+Git-commit: 3848e96edf4788f772d83990022fa7023a233d83
 References: bnc#1195403
 
 xprt_destory() claims XPRT_LOCKED and then calls del_timer_sync().
diff --git a/patches.suse/USB-Fix-slab-out-of-bounds-Write-bug-in-usb_hcd_poll.patch b/patches.suse/USB-Fix-slab-out-of-bounds-Write-bug-in-usb_hcd_poll.patch
new file mode 100644
index 0000000..d33d15f
--- /dev/null
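Review bot: The added `break;` after `rpc_delay(task, HZ>>2);` changes the existing -ENOBUFS path as well: in the context lines that case fell through into `case -EAGAIN:` and set `task->tk_action = call_transmit`, and now -ENOBUFS, -ENFILE and -ENOMEM leave `tk_action` as it was on entry to the switch. The description only talks about handling two more error codes, so it is worth checking against the rest of call_status() in this tree (outside the hunk) that the task is still retransmitted after the delay. If the fall-through is what this tree needs, drop the `break;` and mark the spot with `/* fall through */`.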
+++ b/patches.suse/USB-Fix-slab-out-of-bounds-Write-bug-in-usb_hcd_poll.patch 
@@ -0,0 +1,71 @@ +From 1d7d4c07932e04355d6e6528d44a2f2c9e354346 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Fri, 31 Dec 2021 21:07:12 -0500 +Subject: [PATCH] USB: Fix "slab-out-of-bounds Write" bug in + usb_hcd_poll_rh_status +Git-commit: 1d7d4c07932e04355d6e6528d44a2f2c9e354346 +References: git-fixes +Patch-mainline: v5.17-rc1 + +When the USB core code for getting root-hub status reports was +originally written, it was assumed that the hub driver would be its +only caller. But this isn't true now; user programs can use usbfs to +communicate with root hubs and get status reports. When they do this, +they may use a transfer_buffer that is smaller than the data returned +by the HCD, which will lead to a buffer overflow error when +usb_hcd_poll_rh_status() tries to store the status data. This was +discovered by syzbot: + +BUG: KASAN: slab-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline] +BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x5f4/0x780 drivers/usb/core/hcd.c:776 +Write of size 2 at addr ffff88801da403c0 by task syz-executor133/4062 + +This patch fixes the bug by reducing the amount of status data if it +won't fit in the transfer_buffer. If some data gets discarded then +the URB's completion status is set to -EOVERFLOW rather than 0, to let +the user know what happened. 
+ +Reported-and-tested-by: syzbot+3ae6a2b06f131ab9849f@syzkaller.appspotmail.com +Signed-off-by: Alan Stern +Cc: +Link: https://lore.kernel.org/r/Yc+3UIQJ2STbxNua@rowland.harvard.edu +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Oliver Neukum +--- + drivers/usb/core/hcd.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c +index 9ffc63ae65ac..3e01dd6e509b 100644 +--- a/drivers/usb/core/hcd.c ++++ b/drivers/usb/core/hcd.c +@@ -753,6 +753,7 @@ void usb_hcd_poll_rh_status(struct usb_hcd *hcd) + { + struct urb *urb; + int length; ++ int status; + unsigned long flags; + char buffer[6]; /* Any root hubs with > 31 ports? */ + +@@ -770,11 +771,17 @@ void usb_hcd_poll_rh_status(struct usb_hcd *hcd) + if (urb) { + clear_bit(HCD_FLAG_POLL_PENDING, &hcd->flags); + hcd->status_urb = NULL; ++ if (urb->transfer_buffer_length >= length) { ++ status = 0; ++ } else { ++ status = -EOVERFLOW; ++ length = urb->transfer_buffer_length; ++ } + urb->actual_length = length; + memcpy(urb->transfer_buffer, buffer, length); + + usb_hcd_unlink_urb_from_ep(hcd, urb); +- usb_hcd_giveback_urb(hcd, urb, 0); ++ usb_hcd_giveback_urb(hcd, urb, status); + } else { + length = 0; + set_bit(HCD_FLAG_POLL_PENDING, &hcd->flags); +-- +2.34.1 + diff --git a/patches.suse/USB-Fix-xhci-event-ring-dequeue-pointer-ERDP-update-.patch b/patches.suse/USB-Fix-xhci-event-ring-dequeue-pointer-ERDP-update-.patch new file mode 100644 index 0000000..b2ee44f --- /dev/null +++ b/patches.suse/USB-Fix-xhci-event-ring-dequeue-pointer-ERDP-update-.patch 
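Review bot: The new clamp bounds the copy by the destination only; `memcpy(urb->transfer_buffer, buffer, length)` still reads `length` bytes from the 6-byte stack array `buffer`, and where `length` is produced lies outside this hunk. If nothing there guarantees the bound, a guard such as `if (length > (int)sizeof(buffer)) length = sizeof(buffer);` before the copy would cover the source side too. Also note that `urb->transfer_buffer_length >= length` compares an unsigned field with an `int`, which is only safe as long as this branch is reached with a positive `length`.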
@@ -0,0 +1,58 @@ +From e91ac20889d1a26d077cc511365cd7ff4346a6f3 Mon Sep 17 00:00:00 2001 +From: Weitao Wang +Date: Fri, 8 Apr 2022 16:48:21 +0300 +Subject: [PATCH] USB: Fix xhci event ring dequeue pointer ERDP update issue +Git-commit: e91ac20889d1a26d077cc511365cd7ff4346a6f3 +References: git-fixes +Patch-mainline: v5.18-rc5 + +In some situations software handles TRB events slower than adding TRBs. +If the number of TRB events to be processed in a given interrupt is exactly +the same as the event ring size 256, then the local variable +"event_ring_deq" that holds the initial dequeue position is equal to +software_dequeue after handling all 256 interrupts. + +It will cause driver to not update ERDP to hardware, + +Software dequeue pointer is out of sync with ERDP on interrupt exit. +On the next interrupt, the event ring may full but driver will not +update ERDP as software_dequeue is equal to ERDP. + +[ 536.377115] xhci_hcd 0000:00:12.0: ERROR unknown event type 37 +[ 566.933173] sd 8:0:0:0: [sdb] tag#27 uas_eh_abort_handler 0 uas-tag 7 inflight: CMD OUT +[ 566.933181] sd 8:0:0:0: [sdb] tag#27 CDB: Write(10) 2a 00 17 71 e6 78 00 00 08 00 +[ 572.041186] xhci_hcd On some situataions,the0000:00:12.0: xHCI host not responding to stop endpoint command. +[ 572.057193] xhci_hcd 0000:00:12.0: Host halt failed, -110 +[ 572.057196] xhci_hcd 0000:00:12.0: xHCI host controller not responding, assume dead +[ 572.057236] sd 8:0:0:0: [sdb] tag#26 uas_eh_abort_handler 0 uas-tag 6 inflight: CMD +[ 572.057240] sd 8:0:0:0: [sdb] tag#26 CDB: Write(10) 2a 00 38 eb cc d8 00 00 08 00 +[ 572.057244] sd 8:0:0:0: [sdb] tag#25 uas_eh_abort_handler 0 uas-tag 5 inflight: CMD + +Hardware ERDP is updated mid event handling if there are more than 128 +events in an interrupt (half of ring size). +Fix this by updating the software local variable at the same time as +hardware ERDP. 
+ +[commit message rewording -Mathias] + +Fixes: dc0ffbea5729 ("usb: host: xhci: update event ring dequeue pointer on purpose") +Reviewed-by: Peter Chen +Signed-off-by: Weitao Wang +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20220408134823.2527272-2-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Oliver Neukum +--- + drivers/usb/host/xhci-ring.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -2874,6 +2874,7 @@ irqreturn_t xhci_irq(struct usb_hcd *hcd + } + + xhci_update_erst_dequeue(xhci, event_ring_deq); ++ event_ring_deq = xhci->event_ring->dequeue; + ret = IRQ_HANDLED; + + out: diff --git a/patches.suse/USB-core-Fix-bug-in-resuming-hub-s-handling-of-wakeu.patch b/patches.suse/USB-core-Fix-bug-in-resuming-hub-s-handling-of-wakeu.patch new file mode 100644 index 0000000..9e27ed6 --- /dev/null +++ b/patches.suse/USB-core-Fix-bug-in-resuming-hub-s-handling-of-wakeu.patch 
@@ -0,0 +1,75 @@ +From 0f663729bb4afc92a9986b66131ebd5b8a9254d1 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Sat, 1 Jan 2022 14:52:14 -0500 +Subject: [PATCH] USB: core: Fix bug in resuming hub's handling of wakeup + requests +Git-commit: 0f663729bb4afc92a9986b66131ebd5b8a9254d1 +References: git-fixes +Patch-mainline: v5.17-rc1 + +Bugzilla #213839 reports a 7-port hub that doesn't work properly when +devices are plugged into some of the ports; the kernel goes into an +unending disconnect/reinitialize loop as shown in the bug report. + +This "7-port hub" comprises two four-port hubs with one plugged into +the other; the failures occur when a device is plugged into one of the +downstream hub's ports. (These hubs have other problems too. For +example, they bill themselves as USB-2.0 compliant but they only run +at full speed.) + +It turns out that the failures are caused by bugs in both the kernel +and the hub. The hub's bug is that it reports a different +bmAttributes value in its configuration descriptor following a remote +wakeup (0xe0 before, 0xc0 after -- the wakeup-support bit has +changed). + +The kernel's bug is inside the hub driver's resume handler. When +hub_activate() sees that one of the hub's downstream ports got a +wakeup request from a child device, it notes this fact by setting the +corresponding bit in the hub->change_bits variable. But this variable +is meant for connection changes, not wakeup events; setting it causes +the driver to believe the downstream port has been disconnected and +then connected again (in addition to having received a wakeup +request). + +Because of this, the hub driver then tries to check whether the device +currently plugged into the downstream port is the same as the device +that had been attached there before. Normally this check succeeds and +wakeup handling continues with no harm done (which is why the bug +remained undetected until now). 
But with these dodgy hubs, the check +fails because the config descriptor has changed. This causes the hub +driver to reinitialize the child device, leading to the +disconnect/reinitialize loop described in the bug report. + +The proper way to note reception of a downstream wakeup request is +to set a bit in the hub->event_bits variable instead of +hub->change_bits. That way the hub driver will realize that something +has happened to the port but will not think the port and child device +have been disconnected. This patch makes that change. + +Cc: +Tested-by: Jonathan McDowell +Signed-off-by: Alan Stern +Link: https://lore.kernel.org/r/YdCw7nSfWYPKWQoD@rowland.harvard.edu +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Oliver Neukum +--- + drivers/usb/core/hub.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index 721794f0f494..47a1c8bddf86 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -1228,7 +1228,7 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type) + */ + if (portchange || (hub_is_superspeed(hub->hdev) && + port_resumed)) +- set_bit(port1, hub->change_bits); ++ set_bit(port1, hub->event_bits); + + } else if (udev->persist_enabled) { + #ifdef CONFIG_PM +-- +2.34.1 + diff --git a/patches.suse/USB-serial-cp210x-add-NCR-Retail-IO-box-id.patch b/patches.suse/USB-serial-cp210x-add-NCR-Retail-IO-box-id.patch new file mode 100644 index 0000000..a8feac9 --- /dev/null +++ b/patches.suse/USB-serial-cp210x-add-NCR-Retail-IO-box-id.patch 
@@ -0,0 +1,32 @@ +From b50f8f09c622297d3cf46e332e17ba8adedec9af Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 1 Feb 2022 11:42:52 +0100 +Subject: [PATCH] USB: serial: cp210x: add NCR Retail IO box id +Git-commit: b50f8f09c622297d3cf46e332e17ba8adedec9af +References: git-fixes +Patch-mainline: v5.17-rc4 + +Add the device id for NCR's Retail IO box (CP2105) used in NCR FastLane +SelfServ Checkout - R6C: + + https://www.ncr.com/product-catalog/ncr-fastlane-selfserv-checkout-r6c + +Reported-by: Scott Russell +Cc: stable@vger.kernel.org +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Oliver Neukum +--- + drivers/usb/serial/cp210x.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -55,6 +55,7 @@ static int cp210x_port_remove(struct usb + static void cp210x_dtr_rts(struct usb_serial_port *p, int on); + + static const struct usb_device_id id_table[] = { ++ { USB_DEVICE(0x0404, 0x034C) }, /* NCR Retail IO Box */ + { USB_DEVICE(0x045B, 0x0053) }, /* Renesas RX610 RX-Stick */ + { USB_DEVICE(0x0471, 0x066A) }, /* AKTAKOM ACE-1001 cable */ + { USB_DEVICE(0x0489, 0xE000) }, /* Pirelli Broadband S.p.A, DP-L10 SIP/GSM Mobile */ diff --git a/patches.suse/USB-serial-pl2303-add-IBM-device-IDs.patch b/patches.suse/USB-serial-pl2303-add-IBM-device-IDs.patch new file mode 100644 index 0000000..2beb270 --- /dev/null +++ b/patches.suse/USB-serial-pl2303-add-IBM-device-IDs.patch 
@@ -0,0 +1,53 @@ +From e1d15646565b284e9ef2433234d6cfdaf66695f1 Mon Sep 17 00:00:00 2001 +From: Eddie James +Date: Tue, 1 Mar 2022 16:44:46 -0600 +Subject: [PATCH] USB: serial: pl2303: add IBM device IDs +Git-commit: e1d15646565b284e9ef2433234d6cfdaf66695f1 +References: git-fixes +Patch-mainline: v5.18-rc1 + +IBM manufactures a PL2303 device for UPS communications. Add the vendor +and product IDs so that the PL2303 driver binds to the device. + +Signed-off-by: Eddie James +Signed-off-by: Joel Stanley +Signed-off-by: Eddie James +Link: https://lore.kernel.org/r/20220301224446.21236-1-eajames@linux.ibm.com +Cc: stable@vger.kernel.org +[ johan: amend the SoB chain ] +Signed-off-by: Johan Hovold +Signed-off-by: Oliver Neukum +--- + drivers/usb/serial/pl2303.c | 1 + + drivers/usb/serial/pl2303.h | 3 +++ + 2 files changed, 4 insertions(+) + +diff --git a/drivers/usb/serial/pl2303.c b/drivers/usb/serial/pl2303.c +index a70fd86f735c..e2ef761ed39c 100644 +--- a/drivers/usb/serial/pl2303.c ++++ b/drivers/usb/serial/pl2303.c +@@ -116,6 +116,7 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE(ADLINK_VENDOR_ID, ADLINK_ND6530GC_PRODUCT_ID) }, + { USB_DEVICE(SMART_VENDOR_ID, SMART_PRODUCT_ID) }, + { USB_DEVICE(AT_VENDOR_ID, AT_VTKIT3_PRODUCT_ID) }, ++ { USB_DEVICE(IBM_VENDOR_ID, IBM_PRODUCT_ID) }, + { } /* Terminating entry */ + }; + +diff --git a/drivers/usb/serial/pl2303.h b/drivers/usb/serial/pl2303.h +index 6097ee8fccb2..c5406452b774 100644 +--- a/drivers/usb/serial/pl2303.h ++++ b/drivers/usb/serial/pl2303.h +@@ -35,6 +35,9 @@ + #define ATEN_PRODUCT_UC232B 0x2022 + #define ATEN_PRODUCT_ID2 0x2118 + ++#define IBM_VENDOR_ID 0x04b3 ++#define IBM_PRODUCT_ID 0x4016 ++ + #define IODATA_VENDOR_ID 0x04bb + #define IODATA_PRODUCT_ID 0x0a03 + #define IODATA_PRODUCT_ID_RSAQ5 0x0a0e +-- +2.34.1 + 
diff --git a/patches.suse/USB-serial-simple-add-Nokia-phone-driver.patch b/patches.suse/USB-serial-simple-add-Nokia-phone-driver.patch
new file mode 100644
index 0000000..ab6a624
--- /dev/null
+++ b/patches.suse/USB-serial-simple-add-Nokia-phone-driver.patch
@@ -0,0 +1,156 @@ +From c4b9c570965f75d0d55e639747f1e5ccdad2fae0 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 28 Feb 2022 09:49:19 +0100 +Subject: [PATCH] USB: serial: simple: add Nokia phone driver +Git-commit: c4b9c570965f75d0d55e639747f1e5ccdad2fae0 +References: git-fixes +Patch-mainline: v5.18-rc1 + +Add a new "simple" driver for certain Nokia phones, including Nokia 130 +(RM-1035) which exposes two serial ports in "charging only" mode: + +Bus 001 Device 009: ID 0421:069a Nokia Mobile Phones 130 [RM-1035] (Charging only) +Device Descriptor: + bLength 18 + bDescriptorType 1 + bcdUSB 2.00 + bDeviceClass 0 + bDeviceSubClass 0 + bDeviceProtocol 0 + bMaxPacketSize0 8 + idVendor 0x0421 Nokia Mobile Phones + idProduct 0x069a 130 [RM-1035] (Charging only) + bcdDevice 1.00 + iManufacturer 1 Nokia + iProduct 2 Nokia 130 (RM-1035) + iSerial 0 + bNumConfigurations 1 + Configuration Descriptor: + bLength 9 + bDescriptorType 2 + wTotalLength 0x0037 + bNumInterfaces 2 + bConfigurationValue 1 + iConfiguration 0 + bmAttributes 0x80 + (Bus Powered) + MaxPower 500mA + Interface Descriptor: + bLength 9 + bDescriptorType 4 + bInterfaceNumber 0 + bAlternateSetting 0 + bNumEndpoints 2 + bInterfaceClass 255 Vendor Specific Class + bInterfaceSubClass 255 Vendor Specific Subclass + bInterfaceProtocol 255 Vendor Specific Protocol + iInterface 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x81 EP 1 IN + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0040 1x 64 bytes + bInterval 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x01 EP 1 OUT + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0040 1x 64 bytes + bInterval 0 + Interface Descriptor: + bLength 9 + bDescriptorType 4 + bInterfaceNumber 1 + bAlternateSetting 0 + bNumEndpoints 2 + bInterfaceClass 255 Vendor Specific Class + bInterfaceSubClass 255 Vendor Specific Subclass + 
bInterfaceProtocol 255 Vendor Specific Protocol + iInterface 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x82 EP 2 IN + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0040 1x 64 bytes + bInterval 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x02 EP 2 OUT + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0040 1x 64 bytes + bInterval 0 +Device Status: 0x0000 + (Bus Powered) + +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20220228084919.10656-1-johan@kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Oliver Neukum +--- + drivers/usb/serial/Kconfig | 1 + + drivers/usb/serial/usb-serial-simple.c | 7 +++++++ + 2 files changed, 8 insertions(+) + +diff --git a/drivers/usb/serial/Kconfig b/drivers/usb/serial/Kconfig +index de5c01257060..ef8d1c73c754 100644 +--- a/drivers/usb/serial/Kconfig ++++ b/drivers/usb/serial/Kconfig +@@ -66,6 +66,7 @@ config USB_SERIAL_SIMPLE + - Libtransistor USB console + - a number of Motorola phones + - Motorola Tetra devices ++ - Nokia mobile phones + - Novatel Wireless GPS receivers + - Siemens USB/MPI adapter. + - ViVOtech ViVOpay USB device. 
+diff --git a/drivers/usb/serial/usb-serial-simple.c b/drivers/usb/serial/usb-serial-simple.c +index bd23a7cb1be2..4c6747889a19 100644 +--- a/drivers/usb/serial/usb-serial-simple.c ++++ b/drivers/usb/serial/usb-serial-simple.c +@@ -91,6 +91,11 @@ DEVICE(moto_modem, MOTO_IDS); + { USB_DEVICE(0x0cad, 0x9016) } /* TPG2200 */ + DEVICE(motorola_tetra, MOTOROLA_TETRA_IDS); + ++/* Nokia mobile phone driver */ ++#define NOKIA_IDS() \ ++ { USB_DEVICE(0x0421, 0x069a) } /* Nokia 130 (RM-1035) */ ++DEVICE(nokia, NOKIA_IDS); ++ + /* Novatel Wireless GPS driver */ + #define NOVATEL_IDS() \ + { USB_DEVICE(0x09d7, 0x0100) } /* NovAtel FlexPack GPS */ +@@ -123,6 +128,7 @@ static struct usb_serial_driver * const serial_drivers[] = { + &vivopay_device, + &moto_modem_device, + &motorola_tetra_device, ++ &nokia_device, + &novatel_gps_device, + &hp4x_device, + &suunto_device, +@@ -140,6 +146,7 @@ static const struct usb_device_id id_table[] = { + VIVOPAY_IDS(), + MOTO_IDS(), + MOTOROLA_TETRA_IDS(), ++ NOKIA_IDS(), + NOVATEL_IDS(), + HP4X_IDS(), + SUUNTO_IDS(), +-- +2.34.1 + diff --git a/patches.suse/USB-usb-storage-Fix-use-of-bitfields-for-hardware-da.patch b/patches.suse/USB-usb-storage-Fix-use-of-bitfields-for-hardware-da.patch new file mode 100644 index 0000000..2e9e6a2 --- /dev/null +++ b/patches.suse/USB-usb-storage-Fix-use-of-bitfields-for-hardware-da.patch 
@@ -0,0 +1,353 @@ +From 1892bf90677abcad7f06e897e308f5c3e3618dd4 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Thu, 17 Mar 2022 16:39:10 -0400 +Subject: [PATCH] USB: usb-storage: Fix use of bitfields for hardware data in + ene_ub6250.c +Git-commit: 1892bf90677abcad7f06e897e308f5c3e3618dd4 +References: git-fixes +Patch-mainline: v5.18-rc1 + +The kernel test robot found a problem with the ene_ub6250 subdriver in +usb-storage: It uses structures containing bitfields to represent +hardware bits in its SD_STATUS, MS_STATUS, and SM_STATUS bytes. This +is not safe; it presumes a particular bit ordering and it assumes the +compiler will not insert padding, neither of which is guaranteed. + +This patch fixes the problem by changing the structures to simple u8 +values, with the bitfields replaced by bitmask constants. + +CC: +Signed-off-by: Alan Stern +Link: https://lore.kernel.org/r/YjOcbuU106UpJ/V8@rowland.harvard.edu +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Oliver Neukum +--- + drivers/usb/storage/ene_ub6250.c | 153 +++++++++++++++++++-------------------- + 1 file changed, 75 insertions(+), 78 deletions(-) + +--- a/drivers/usb/storage/ene_ub6250.c ++++ b/drivers/usb/storage/ene_ub6250.c +@@ -251,36 +251,33 @@ static struct us_unusual_dev ene_ub6250_ + #define memstick_logaddr(logadr1, logadr0) ((((u16)(logadr1)) << 8) | (logadr0)) + + +-struct SD_STATUS { +- u8 Insert:1; +- u8 Ready:1; +- u8 MediaChange:1; +- u8 IsMMC:1; +- u8 HiCapacity:1; +- u8 HiSpeed:1; +- u8 WtP:1; +- u8 Reserved:1; +-}; +- +-struct MS_STATUS { +- u8 Insert:1; +- u8 Ready:1; +- u8 MediaChange:1; +- u8 IsMSPro:1; +- u8 IsMSPHG:1; +- u8 Reserved1:1; +- u8 WtP:1; +- u8 Reserved2:1; +-}; +- +-struct SM_STATUS { +- u8 Insert:1; +- u8 Ready:1; +- u8 MediaChange:1; +- u8 Reserved:3; +- u8 WtP:1; +- u8 IsMS:1; +-}; ++/* SD_STATUS bits */ ++#define SD_Insert BIT(0) ++#define SD_Ready BIT(1) ++#define SD_MediaChange BIT(2) ++#define SD_IsMMC BIT(3) ++#define SD_HiCapacity BIT(4) ++#define 
SD_HiSpeed BIT(5) ++#define SD_WtP BIT(6) ++ /* Bit 7 reserved */ ++ ++/* MS_STATUS bits */ ++#define MS_Insert BIT(0) ++#define MS_Ready BIT(1) ++#define MS_MediaChange BIT(2) ++#define MS_IsMSPro BIT(3) ++#define MS_IsMSPHG BIT(4) ++ /* Bit 5 reserved */ ++#define MS_WtP BIT(6) ++ /* Bit 7 reserved */ ++ ++/* SM_STATUS bits */ ++#define SM_Insert BIT(0) ++#define SM_Ready BIT(1) ++#define SM_MediaChange BIT(2) ++ /* Bits 3-5 reserved */ ++#define SM_WtP BIT(6) ++#define SM_IsMS BIT(7) + + struct ms_bootblock_cis { + u8 bCistplDEVICE[6]; /* 0 */ +@@ -451,9 +448,9 @@ struct ene_ub6250_info { + u8 *bbuf; + + /* for 6250 code */ +- struct SD_STATUS SD_Status; +- struct MS_STATUS MS_Status; +- struct SM_STATUS SM_Status; ++ u8 SD_Status; ++ u8 MS_Status; ++ u8 SM_Status; + + /* ----- SD Control Data ---------------- */ + /*SD_REGISTER SD_Regs; */ +@@ -588,7 +585,7 @@ static int sd_scsi_test_unit_ready(struc + { + struct ene_ub6250_info *info = (struct ene_ub6250_info *) us->extra; + +- if (info->SD_Status.Insert && info->SD_Status.Ready) ++ if ((info->SD_Status & SD_Insert) && (info->SD_Status & SD_Ready)) + return USB_STOR_TRANSPORT_GOOD; + else { + ene_sd_init(us); +@@ -620,7 +617,7 @@ static int sd_scsi_mode_sense(struct us_ + 0x0b, 0x00, 0x80, 0x08, 0x00, 0x00, + 0x71, 0xc0, 0x00, 0x00, 0x02, 0x00 }; + +- if (info->SD_Status.WtP) ++ if (info->SD_Status & SD_WtP) + usb_stor_set_xfer_buf(mediaWP, 12, srb); + else + usb_stor_set_xfer_buf(mediaNoWP, 12, srb); +@@ -639,9 +636,9 @@ static int sd_scsi_read_capacity(struct + struct ene_ub6250_info *info = (struct ene_ub6250_info *) us->extra; + + usb_stor_dbg(us, "sd_scsi_read_capacity\n"); +- if (info->SD_Status.HiCapacity) { ++ if (info->SD_Status & SD_HiCapacity) { + bl_len = 0x200; +- if (info->SD_Status.IsMMC) ++ if (info->SD_Status & SD_IsMMC) + bl_num = info->HC_C_SIZE-1; + else + bl_num = (info->HC_C_SIZE + 1) * 1024 - 1; +@@ -691,7 +688,7 @@ static int sd_scsi_read(struct us_data * + return 
USB_STOR_TRANSPORT_ERROR; + } + +- if (info->SD_Status.HiCapacity) ++ if (info->SD_Status & SD_HiCapacity) + bnByte = bn; + + /* set up the command wrapper */ +@@ -731,7 +728,7 @@ static int sd_scsi_write(struct us_data + return USB_STOR_TRANSPORT_ERROR; + } + +- if (info->SD_Status.HiCapacity) ++ if (info->SD_Status & SD_HiCapacity) + bnByte = bn; + + /* set up the command wrapper */ +@@ -1445,7 +1442,7 @@ static int ms_scsi_test_unit_ready(struc + struct ene_ub6250_info *info = (struct ene_ub6250_info *)(us->extra); + + /* pr_info("MS_SCSI_Test_Unit_Ready\n"); */ +- if (info->MS_Status.Insert && info->MS_Status.Ready) { ++ if ((info->MS_Status & MS_Insert) && (info->MS_Status & MS_Ready)) { + return USB_STOR_TRANSPORT_GOOD; + } else { + ene_ms_init(us); +@@ -1478,7 +1475,7 @@ static int ms_scsi_mode_sense(struct us_ + 0x0b, 0x00, 0x80, 0x08, 0x00, 0x00, + 0x71, 0xc0, 0x00, 0x00, 0x02, 0x00 }; + +- if (info->MS_Status.WtP) ++ if (info->MS_Status & MS_WtP) + usb_stor_set_xfer_buf(mediaWP, 12, srb); + else + usb_stor_set_xfer_buf(mediaNoWP, 12, srb); +@@ -1497,7 +1494,7 @@ static int ms_scsi_read_capacity(struct + + usb_stor_dbg(us, "ms_scsi_read_capacity\n"); + bl_len = 0x200; +- if (info->MS_Status.IsMSPro) ++ if (info->MS_Status & MS_IsMSPro) + bl_num = info->MSP_TotalBlock - 1; + else + bl_num = info->MS_Lib.NumberOfLogBlock * info->MS_Lib.blockSize * 2 - 1; +@@ -1652,7 +1649,7 @@ static int ms_scsi_read(struct us_data * + if (bn > info->bl_num) + return USB_STOR_TRANSPORT_ERROR; + +- if (info->MS_Status.IsMSPro) { ++ if (info->MS_Status & MS_IsMSPro) { + result = ene_load_bincode(us, MSP_RW_PATTERN); + if (result != USB_STOR_XFER_GOOD) { + usb_stor_dbg(us, "Load MPS RW pattern Fail !!\n"); +@@ -1753,7 +1750,7 @@ static int ms_scsi_write(struct us_data + if (bn > info->bl_num) + return USB_STOR_TRANSPORT_ERROR; + +- if (info->MS_Status.IsMSPro) { ++ if (info->MS_Status & MS_IsMSPro) { + result = ene_load_bincode(us, MSP_RW_PATTERN); + if (result != 
USB_STOR_XFER_GOOD) { + pr_info("Load MSP RW pattern Fail !!\n"); +@@ -1861,12 +1858,12 @@ static int ene_get_card_status(struct us + + tmpreg = (u16) reg4b; + reg4b = *(u32 *)(&buf[0x14]); +- if (info->SD_Status.HiCapacity && !info->SD_Status.IsMMC) ++ if ((info->SD_Status & SD_HiCapacity) && !(info->SD_Status & SD_IsMMC)) + info->HC_C_SIZE = (reg4b >> 8) & 0x3fffff; + + info->SD_C_SIZE = ((tmpreg & 0x03) << 10) | (u16)(reg4b >> 22); + info->SD_C_SIZE_MULT = (u8)(reg4b >> 7) & 0x07; +- if (info->SD_Status.HiCapacity && info->SD_Status.IsMMC) ++ if ((info->SD_Status & SD_HiCapacity) && (info->SD_Status & SD_IsMMC)) + info->HC_C_SIZE = *(u32 *)(&buf[0x100]); + + if (info->SD_READ_BL_LEN > SD_BLOCK_LEN) { +@@ -2076,6 +2073,7 @@ static int ene_ms_init(struct us_data *u + u16 MSP_BlockSize, MSP_UserAreaBlocks; + struct ene_ub6250_info *info = (struct ene_ub6250_info *) us->extra; + u8 *bbuf = info->bbuf; ++ unsigned int s; + + printk(KERN_INFO "transport --- ENE_MSInit\n"); + +@@ -2100,15 +2098,16 @@ static int ene_ms_init(struct us_data *u + return USB_STOR_TRANSPORT_ERROR; + } + /* the same part to test ENE */ +- info->MS_Status = *(struct MS_STATUS *) bbuf; ++ info->MS_Status = bbuf[0]; + +- if (info->MS_Status.Insert && info->MS_Status.Ready) { +- printk(KERN_INFO "Insert = %x\n", info->MS_Status.Insert); +- printk(KERN_INFO "Ready = %x\n", info->MS_Status.Ready); +- printk(KERN_INFO "IsMSPro = %x\n", info->MS_Status.IsMSPro); +- printk(KERN_INFO "IsMSPHG = %x\n", info->MS_Status.IsMSPHG); +- printk(KERN_INFO "WtP= %x\n", info->MS_Status.WtP); +- if (info->MS_Status.IsMSPro) { ++ s = info->MS_Status; ++ if ((s & MS_Insert) && (s & MS_Ready)) { ++ printk(KERN_INFO "Insert = %x\n", !!(s & MS_Insert)); ++ printk(KERN_INFO "Ready = %x\n", !!(s & MS_Ready)); ++ printk(KERN_INFO "IsMSPro = %x\n", !!(s & MS_IsMSPro)); ++ printk(KERN_INFO "IsMSPHG = %x\n", !!(s & MS_IsMSPHG)); ++ printk(KERN_INFO "WtP= %x\n", !!(s & MS_WtP)); ++ if (s & MS_IsMSPro) { + MSP_BlockSize = 
(bbuf[6] << 8) | bbuf[7]; + MSP_UserAreaBlocks = (bbuf[10] << 8) | bbuf[11]; + info->MSP_TotalBlock = MSP_BlockSize * MSP_UserAreaBlocks; +@@ -2169,17 +2168,17 @@ static int ene_sd_init(struct us_data *u + return USB_STOR_TRANSPORT_ERROR; + } + +- info->SD_Status = *(struct SD_STATUS *) bbuf; +- if (info->SD_Status.Insert && info->SD_Status.Ready) { +- struct SD_STATUS *s = &info->SD_Status; ++ info->SD_Status = bbuf[0]; ++ if ((info->SD_Status & SD_Insert) && (info->SD_Status & SD_Ready)) { ++ unsigned int s = info->SD_Status; + + ene_get_card_status(us, bbuf); +- usb_stor_dbg(us, "Insert = %x\n", s->Insert); +- usb_stor_dbg(us, "Ready = %x\n", s->Ready); +- usb_stor_dbg(us, "IsMMC = %x\n", s->IsMMC); +- usb_stor_dbg(us, "HiCapacity = %x\n", s->HiCapacity); +- usb_stor_dbg(us, "HiSpeed = %x\n", s->HiSpeed); +- usb_stor_dbg(us, "WtP = %x\n", s->WtP); ++ usb_stor_dbg(us, "Insert = %x\n", !!(s & SD_Insert)); ++ usb_stor_dbg(us, "Ready = %x\n", !!(s & SD_Ready)); ++ usb_stor_dbg(us, "IsMMC = %x\n", !!(s & SD_IsMMC)); ++ usb_stor_dbg(us, "HiCapacity = %x\n", !!(s & SD_HiCapacity)); ++ usb_stor_dbg(us, "HiSpeed = %x\n", !!(s & SD_HiSpeed)); ++ usb_stor_dbg(us, "WtP = %x\n", !!(s & SD_WtP)); + } else { + usb_stor_dbg(us, "SD Card Not Ready --- %x\n", bbuf[0]); + return USB_STOR_TRANSPORT_ERROR; +@@ -2201,14 +2200,14 @@ static int ene_init(struct us_data *us) + + misc_reg03 = bbuf[0]; + if (misc_reg03 & 0x01) { +- if (!info->SD_Status.Ready) { ++ if (!(info->SD_Status & SD_Ready)) { + result = ene_sd_init(us); + if (result != USB_STOR_XFER_GOOD) + return USB_STOR_TRANSPORT_ERROR; + } + } + if (misc_reg03 & 0x02) { +- if (!info->MS_Status.Ready) { ++ if (!(info->MS_Status & MS_Ready)) { + result = ene_ms_init(us); + if (result != USB_STOR_XFER_GOOD) + return USB_STOR_TRANSPORT_ERROR; +@@ -2298,13 +2297,13 @@ static int ene_transport(struct scsi_cmn + + /*US_DEBUG(usb_stor_show_command(us, srb)); */ + scsi_set_resid(srb, 0); +- if (unlikely(!(info->SD_Status.Ready || 
info->MS_Status.Ready))) { ++ if (unlikely(!(info->SD_Status & SD_Ready) || (info->MS_Status & MS_Ready))) { + result = ene_init(us); + } else { +- if (info->SD_Status.Ready) ++ if (info->SD_Status & SD_Ready) + result = sd_scsi_irp(us, srb); + +- if (info->MS_Status.Ready) ++ if (info->MS_Status & MS_Ready) + result = ms_scsi_irp(us, srb); + } + return 0; +@@ -2368,7 +2367,6 @@ static int ene_ub6250_probe(struct usb_i + + static int ene_ub6250_resume(struct usb_interface *iface) + { +- u8 tmp = 0; + struct us_data *us = usb_get_intfdata(iface); + struct ene_ub6250_info *info = (struct ene_ub6250_info *)(us->extra); + +@@ -2380,17 +2378,16 @@ static int ene_ub6250_resume(struct usb_ + mutex_unlock(&us->dev_mutex); + + info->Power_IsResum = true; +- /*info->SD_Status.Ready = 0; */ +- info->SD_Status = *(struct SD_STATUS *)&tmp; +- info->MS_Status = *(struct MS_STATUS *)&tmp; +- info->SM_Status = *(struct SM_STATUS *)&tmp; ++ /* info->SD_Status &= ~SD_Ready; */ ++ info->SD_Status = 0; ++ info->MS_Status = 0; ++ info->SM_Status = 0; + + return 0; + } + + static int ene_ub6250_reset_resume(struct usb_interface *iface) + { +- u8 tmp = 0; + struct us_data *us = usb_get_intfdata(iface); + struct ene_ub6250_info *info = (struct ene_ub6250_info *)(us->extra); + +@@ -2402,10 +2399,10 @@ static int ene_ub6250_reset_resume(struc + * the device + */ + info->Power_IsResum = true; +- /*info->SD_Status.Ready = 0; */ +- info->SD_Status = *(struct SD_STATUS *)&tmp; +- info->MS_Status = *(struct MS_STATUS *)&tmp; +- info->SM_Status = *(struct SM_STATUS *)&tmp; ++ /* info->SD_Status &= ~SD_Ready; */ ++ info->SD_Status = 0; ++ info->MS_Status = 0; ++ info->SM_Status = 0; + + return 0; + } diff --git a/patches.suse/af_key-add-__GFP_ZERO-flag-for-compose_sadb_supporte.patch b/patches.suse/af_key-add-__GFP_ZERO-flag-for-compose_sadb_supporte.patch new file mode 100644 index 0000000..9f5b5c0 --- /dev/null +++ b/patches.suse/af_key-add-__GFP_ZERO-flag-for-compose_sadb_supporte.patch 
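Review bot: In ene_transport() the rewritten readiness test `if (unlikely(!(info->SD_Status & SD_Ready) || (info->MS_Status & MS_Ready)))` does not match the removed `!(info->SD_Status.Ready || info->MS_Status.Ready)`: the negation now covers only the SD term, so the branch is taken whenever SD_Ready is clear or MS_Ready is set. With a ready Memory Stick the driver would call ene_init() for each command instead of dispatching to ms_scsi_irp(). The condition should read `if (unlikely(!(info->SD_Status & SD_Ready) && !(info->MS_Status & MS_Ready)))`. ene_transport's body starts outside the hunk.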
@@ -0,0 +1,42 @@ +From 4f47e6df9d16e20800ca69824c68b3cab663e44f Mon Sep 17 00:00:00 2001 +From: Haimin Zhang +Date: Tue, 8 Mar 2022 11:20:28 +0800 +Subject: [PATCH] af_key: add __GFP_ZERO flag for compose_sadb_supported in + function pfkey_register +Git-commit: 9a564bccb78a76740ea9d75a259942df8143d02c +Patch-mainline: v5.17 +References: CVE-2022-1353 bsc#1198516 + +Add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register +to initialize the buffer of supp_skb to fix a kernel-info-leak issue. +1) Function pfkey_register calls compose_sadb_supported to request +a sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate +a sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then +compose_sadb_supported treats the memory as a struct sadb_supported and +begins to initialize. But it just initializes the field sadb_supported_len +and field sadb_supported_exttype without field sadb_supported_reserved. + +Reported-by: TCS Robot +Signed-off-by: Haimin Zhang +Signed-off-by: Steffen Klassert +Signed-off-by: Denis Kirjanov +--- + net/key/af_key.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/key/af_key.c b/net/key/af_key.c +index 72f8e44838d9..06376c06169d 100644 +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -1709,7 +1709,7 @@ static int pfkey_register(struct sock *sk, struct sk_buff *skb, const struct sad + + xfrm_probe_algs(); + +- supp_skb = compose_sadb_supported(hdr, GFP_KERNEL); ++ supp_skb = compose_sadb_supported(hdr, GFP_KERNEL | __GFP_ZERO); + if (!supp_skb) { + if (hdr->sadb_msg_satype != SADB_SATYPE_UNSPEC) + pfk->registered &= ~(1<sadb_msg_satype); +-- +2.16.4 + diff --git a/patches.suse/ath10k-fix-max-antenna-gain-unit.patch b/patches.suse/ath10k-fix-max-antenna-gain-unit.patch new file mode 100644 index 0000000..6ced2e4 --- /dev/null +++ b/patches.suse/ath10k-fix-max-antenna-gain-unit.patch 
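Review bot: The `GFP_KERNEL | __GFP_ZERO` argument in pfkey_register() closes the leak only indirectly: it relies on compose_sadb_supported() forwarding the flags to the allocation that backs the message data, and that code is not visible in this hunk. The description names sadb_supported_reserved as the field left unset, so a more local fix would clear it where the header is filled in. Failing that, the call site should carry a comment such as `/* __GFP_ZERO: sadb_supported_reserved is never written, do not drop */` so the flag is not later removed as redundant. The patch header also lists `From 4f47e6df9d16…` but `Git-commit: 9a564bccb78a…`; it is worth confirming which upstream id is intended, since this backport is tracked against a CVE. pfkey_register's body continues outside the hunk.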
@@ -0,0 +1,78 @@ +From 0a491167fe0cf9f26062462de2a8688b96125d48 Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Tue, 11 Jun 2019 19:21:31 +0200 +Subject: [PATCH] ath10k: fix max antenna gain unit +Git-commit: 0a491167fe0cf9f26062462de2a8688b96125d48 +References: git-fixes +Patch-mainline: v5.16-rc1 + +Most of the txpower for the ath10k firmware is stored as twicepower (0.5 dB +steps). This isn't the case for max_antenna_gain - which is still expected +by the firmware as dB. + +The firmware is converting it from dB to the internal (twicepower) +representation when it calculates the limits of a channel. This can be seen +in tpc_stats when configuring "12" as max_antenna_gain. Instead of the +expected 12 (6 dB), the tpc_stats shows 24 (12 dB). + +Tested on QCA9888 and IPQ4019 with firmware 10.4-3.5.3-00057. + +Fixes: 02256930d9b8 ("ath10k: use proper tx power unit") +Signed-off-by: Sven Eckelmann +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20190611172131.6064-1-sven@narfation.org +Signed-off-by: Oliver Neukum +--- + drivers/net/wireless/ath/ath10k/mac.c | 6 +++--- + drivers/net/wireless/ath/ath10k/wmi.h | 3 +++ + 2 files changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/ath/ath10k/mac.c ++++ b/drivers/net/wireless/ath/ath10k/mac.c +@@ -1003,7 +1003,7 @@ static int ath10k_monitor_vdev_start(str + arg.channel.min_power = 0; + arg.channel.max_power = channel->max_power * 2; + arg.channel.max_reg_power = channel->max_reg_power * 2; +- arg.channel.max_antenna_gain = channel->max_antenna_gain * 2; ++ arg.channel.max_antenna_gain = channel->max_antenna_gain; + + reinit_completion(&ar->vdev_setup_done); + +@@ -1445,7 +1445,7 @@ static int ath10k_vdev_start_restart(str + arg.channel.min_power = 0; + arg.channel.max_power = chandef->chan->max_power * 2; + arg.channel.max_reg_power = chandef->chan->max_reg_power * 2; +- arg.channel.max_antenna_gain = chandef->chan->max_antenna_gain * 2; ++ arg.channel.max_antenna_gain = 
chandef->chan->max_antenna_gain; + + if (arvif->vdev_type == WMI_VDEV_TYPE_AP) { + arg.ssid = arvif->u.ap.ssid; +@@ -3104,7 +3104,7 @@ static int ath10k_update_channel_list(st + ch->min_power = 0; + ch->max_power = channel->max_power * 2; + ch->max_reg_power = channel->max_reg_power * 2; +- ch->max_antenna_gain = channel->max_antenna_gain * 2; ++ ch->max_antenna_gain = channel->max_antenna_gain; + ch->reg_class_id = 0; /* FIXME */ + + /* FIXME: why use only legacy modes, why not any +--- a/drivers/net/wireless/ath/ath10k/wmi.h ++++ b/drivers/net/wireless/ath/ath10k/wmi.h +@@ -1988,7 +1988,9 @@ struct wmi_channel { + union { + __le32 reginfo1; + struct { ++ /* note: power unit is 1 dBm */ + u8 antenna_max; ++ /* note: power unit is 0.5 dBm */ + u8 max_tx_power; + } __packed; + } __packed; +@@ -2008,6 +2010,7 @@ struct wmi_channel_arg { + u32 min_power; + u32 max_power; + u32 max_reg_power; ++ /* note: power unit is 1 dBm */ + u32 max_antenna_gain; + u32 reg_class_id; + enum wmi_phy_mode mode; diff --git a/patches.suse/ath6kl-fix-control-message-timeout.patch b/patches.suse/ath6kl-fix-control-message-timeout.patch new file mode 100644 index 0000000..988ca02 --- /dev/null +++ b/patches.suse/ath6kl-fix-control-message-timeout.patch 
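Review bot: The comments added in wmi.h, `/* note: power unit is 1 dBm */` on antenna_max and on max_antenna_gain, name the wrong unit: antenna gain is a relative figure, and the description itself says the firmware expects it in dB. `/* note: unit is 1 dB */` would match the commit message and leave dBm to max_tx_power. Both struct definitions continue outside their hunks.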
@@ -0,0 +1,37 @@ +From a066d28a7e729f808a3e6eff22e70c003091544e Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 25 Oct 2021 14:05:20 +0200 +Subject: [PATCH] ath6kl: fix control-message timeout +Git-commit: a066d28a7e729f808a3e6eff22e70c003091544e +References: git-fixes +Patch-mainline: v5.16-rc1 + +USB control-message timeouts are specified in milliseconds and should +specifically not vary with CONFIG_HZ. + +Fixes: 241b128b6b69 ("ath6kl: add back beginnings of USB support") +Cc: stable@vger.kernel.org # 3.4 +Signed-off-by: Johan Hovold +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211025120522.6045-3-johan@kernel.org +Signed-off-by: Oliver Neukum +--- + drivers/net/wireless/ath/ath6kl/usb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath6kl/usb.c b/drivers/net/wireless/ath/ath6kl/usb.c +index 5372e948e761..bd367b79a4d3 100644 +--- a/drivers/net/wireless/ath/ath6kl/usb.c ++++ b/drivers/net/wireless/ath/ath6kl/usb.c +@@ -907,7 +907,7 @@ static int ath6kl_usb_submit_ctrl_in(struct ath6kl_usb *ar_usb, + req, + USB_DIR_IN | USB_TYPE_VENDOR | + USB_RECIP_DEVICE, value, index, buf, +- size, 2 * HZ); ++ size, 2000); + + if (ret < 0) { + ath6kl_warn("Failed to read usb control message: %d\n", ret); +-- +2.34.1 + diff --git a/patches.suse/ath6kl-fix-division-by-zero-in-send-path.patch b/patches.suse/ath6kl-fix-division-by-zero-in-send-path.patch new file mode 100644 index 0000000..5573261 --- /dev/null +++ b/patches.suse/ath6kl-fix-division-by-zero-in-send-path.patch 
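Review bot: The bare `2000` now passed as the timeout in ath6kl_usb_submit_ctrl_in() carries no unit, and the defect being fixed was a unit mix-up. A short comment on the argument, `size, 2000); /* timeout in ms, independent of CONFIG_HZ */`, or a named constant for the value, would make the intent visible and harder to regress. The enclosing function starts and ends outside the hunk.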
@@ -0,0 +1,46 @@ +From c1b9ca365deae667192be9fe24db244919971234 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 27 Oct 2021 10:08:18 +0200 +Subject: [PATCH] ath6kl: fix division by zero in send path +Git-commit: c1b9ca365deae667192be9fe24db244919971234 +References: git-fixes +Patch-mainline: v5.16-rc1 + +Add the missing endpoint max-packet sanity check to probe() to avoid +division by zero in ath10k_usb_hif_tx_sg() in case a malicious device +has broken descriptors (or when doing descriptor fuzz testing). + +Note that USB core will reject URBs submitted for endpoints with zero +wMaxPacketSize but that drivers doing packet-size calculations still +need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip +endpoint descriptors with maxpacket=0")). + +Fixes: 9cbee358687e ("ath6kl: add full USB support") +Cc: stable@vger.kernel.org # 3.5 +Signed-off-by: Johan Hovold +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211027080819.6675-3-johan@kernel.org +Signed-off-by: Oliver Neukum +--- + drivers/net/wireless/ath/ath6kl/usb.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath6kl/usb.c b/drivers/net/wireless/ath/ath6kl/usb.c +index bd367b79a4d3..aba70f35e574 100644 +--- a/drivers/net/wireless/ath/ath6kl/usb.c ++++ b/drivers/net/wireless/ath/ath6kl/usb.c +@@ -340,6 +340,11 @@ static int ath6kl_usb_setup_pipe_resources(struct ath6kl_usb *ar_usb) + le16_to_cpu(endpoint->wMaxPacketSize), + endpoint->bInterval); + } ++ ++ /* Ignore broken descriptors. */ ++ if (usb_endpoint_maxp(endpoint) == 0) ++ continue; ++ + urbcount = 0; + + pipe_num = +-- +2.34.1 + diff --git a/patches.suse/ath9k-Fix-potential-interrupt-storm-on-queue-reset.patch b/patches.suse/ath9k-Fix-potential-interrupt-storm-on-queue-reset.patch new file mode 100644 index 0000000..79bdd92 --- /dev/null +++ b/patches.suse/ath9k-Fix-potential-interrupt-storm-on-queue-reset.patch 
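Review bot: The new `continue` in ath6kl_usb_setup_pipe_resources() drops an endpoint with a zero wMaxPacketSize without leaving any trace, so a device presenting broken descriptors cannot be told apart in the log from one that simply lacks the endpoint. A message before the skip, e.g. `ath6kl_warn("ignoring endpoint with zero wMaxPacketSize\n");`, would give operators something to detect and triage. Whether the probe path fails cleanly when a required pipe ends up unconfigured is not visible here and should be confirmed. The function body extends outside the hunk.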
@@ -0,0 +1,98 @@ +From 4925642d541278575ad1948c5924d71ffd57ef14 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Linus=20L=C3=BCssing?= +Date: Tue, 5 Oct 2021 16:55:53 +0300 +Subject: [PATCH] ath9k: Fix potential interrupt storm on queue reset +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Git-commit: 4925642d541278575ad1948c5924d71ffd57ef14 +References: git-fixes +Patch-mainline: v5.16-rc1 + +In tests with two Lima boards from 8devices (QCA4531 based) on OpenWrt +19.07 we could force a silent restart of a device with no serial +output when we were sending a high amount of UDP traffic (iperf3 at 80 +MBit/s in both directions from external hosts, saturating the wifi and +causing a load of about 4.5 to 6) and were then triggering an +ath9k_queue_reset(). + +Further debugging showed that the restart was caused by the ath79 +watchdog. With disabled watchdog we could observe that the device was +constantly going into ath_isr() interrupt handler and was returning +early after the ATH_OP_HW_RESET flag test, without clearing any +interrupts. Even though ath9k_queue_reset() calls +ath9k_hw_kill_interrupts(). + +With JTAG we could observe the following race condition: + +1) ath9k_queue_reset() + ... + -> ath9k_hw_kill_interrupts() + -> set_bit(ATH_OP_HW_RESET, &common->op_flags); + ... + <- returns + + 2) ath9k_tasklet() + ... + -> ath9k_hw_resume_interrupts() + ... + <- returns + + 3) loops around: + ... + handle_int() + -> ath_isr() + ... + -> if (test_bit(ATH_OP_HW_RESET, + &common->op_flags)) + return IRQ_HANDLED; + + x) ath_reset_internal(): + => never reached <= + +And in ath_isr() we would typically see the following interrupts / +interrupt causes: + +* status: 0x00111030 or 0x00110030 +* async_cause: 2 (AR_INTR_MAC_IPQ) +* sync_cause: 0 + +So the ath9k_tasklet() reenables the ath9k interrupts +through ath9k_hw_resume_interrupts() which ath9k_queue_reset() had just +disabled. 
And ath_isr() then keeps firing because it returns IRQ_HANDLED +without actually clearing the interrupt. + +To fix this IRQ storm also clear/disable the interrupts again when we +are in reset state. + +Cc: Sven Eckelmann +Cc: Simon Wunderlich +Cc: Linus Lüssing +Fixes: 872b5d814f99 ("ath9k: do not access hardware on IRQs during reset") +Signed-off-by: Linus Lüssing +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210914192515.9273-3-linus.luessing@c0d3.blue +Signed-off-by: Oliver Neukum +--- + drivers/net/wireless/ath/ath9k/main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c +index 139831539da3..98090e40e1cf 100644 +--- a/drivers/net/wireless/ath/ath9k/main.c ++++ b/drivers/net/wireless/ath/ath9k/main.c +@@ -533,8 +533,10 @@ irqreturn_t ath_isr(int irq, void *dev) + ath9k_debug_sync_cause(sc, sync_cause); + status &= ah->imask; /* discard unasked-for bits */ + +- if (test_bit(ATH_OP_HW_RESET, &common->op_flags)) ++ if (test_bit(ATH_OP_HW_RESET, &common->op_flags)) { ++ ath9k_hw_kill_interrupts(sc->sc_ah); + return IRQ_HANDLED; ++ } + + /* + * If there are no status bits set, then this interrupt was not +-- +2.34.1 + diff --git a/patches.suse/b43-fix-a-lower-bounds-test.patch b/patches.suse/b43-fix-a-lower-bounds-test.patch new file mode 100644 index 0000000..b85a5fe --- /dev/null +++ b/patches.suse/b43-fix-a-lower-bounds-test.patch 
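Review bot: The added call passes `sc->sc_ah` although the line just above uses the local `ah` (`status &= ah->imask`). If `ah` is the same handle, which its use suggests but its assignment is outside the hunk, `ath9k_hw_kill_interrupts(ah);` would be consistent with the surrounding code. The branch also needs a why-comment, because masking interrupts in an early-return path looks redundant without the race from the description: `/* tasklet may have re-enabled interrupts during reset; mask them again */`. ath_isr's body starts and ends outside the hunk.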
@@ -0,0 +1,46 @@
+From 9b793db5fca44d01f72d3564a168171acf7c4076 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Wed, 6 Oct 2021 10:36:22 +0300
+Subject: [PATCH] b43: fix a lower bounds test
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Git-commit: 9b793db5fca44d01f72d3564a168171acf7c4076
+References: git-fixes
+Patch-mainline: v5.16-rc1
+
+The problem is that "channel" is an unsigned int, when it's less 5 the
+value of "channel - 5" is not a negative number as one would expect but
+is very high positive value instead.
+
+This means that "start" becomes a very high positive value. The result
+of that is that we never enter the "for (i = start; i <= end; i++) {"
+loop. Instead of storing the result from b43legacy_radio_aci_detect()
+it just uses zero.
+
+Fixes: ef1a628d83fc ("b43: Implement dynamic PHY API")
+Signed-off-by: Dan Carpenter
+Acked-by: Michael Büsch
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20211006073621.GE8404@kili
+Signed-off-by: Oliver Neukum
+---
+ drivers/net/wireless/broadcom/b43/phy_g.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/broadcom/b43/phy_g.c b/drivers/net/wireless/broadcom/b43/phy_g.c
+index d5a1a5c58236..ac72ca39e409 100644
+--- a/drivers/net/wireless/broadcom/b43/phy_g.c
++++ b/drivers/net/wireless/broadcom/b43/phy_g.c
+@@ -2297,7 +2297,7 @@ static u8 b43_gphy_aci_scan(struct b43_wldev *dev)
+ b43_phy_mask(dev, B43_PHY_G_CRS, 0x7FFF);
+ b43_set_all_gains(dev, 3, 8, 1);
+
+- start = (channel - 5 > 0) ? channel - 5 : 1;
++ start = (channel > 5) ? channel - 5 : 1;
+ end = (channel + 5 < 14) ? channel + 5 : 13;
+
+ for (i = start; i <= end; i++) {
+--
+2.34.1
+
diff --git a/patches.suse/b43legacy-fix-a-lower-bounds-test.patch b/patches.suse/b43legacy-fix-a-lower-bounds-test.patch
new file mode 100644
index 0000000..eeae08a
--- /dev/null
+++ b/patches.suse/b43legacy-fix-a-lower-bounds-test.patch
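Review bot: The corrected lower bound `start = (channel > 5) ? channel - 5 : 1;` is only right because `channel` is unsigned, which the commit message states but the line itself does not show, so a one-line comment would keep a later cleanup from turning it back into a subtraction test: `/* channel is unsigned: compare before subtracting, channel - 5 would wrap */`. The same comment applies to the identical line in b43legacy_radio_aci_scan() in the b43legacy patch that follows. The declaration of `channel` and the rest of b43_gphy_aci_scan() are outside the hunk.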
@@ -0,0 +1,46 @@
+From c1c8380b0320ab757e60ed90efc8b1992a943256 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Wed, 6 Oct 2021 10:35:42 +0300
+Subject: [PATCH] b43legacy: fix a lower bounds test
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Git-commit: c1c8380b0320ab757e60ed90efc8b1992a943256
+References: git-fixes
+Patch-mainline: v5.16-rc1
+
+The problem is that "channel" is an unsigned int, when it's less 5 the
+value of "channel - 5" is not a negative number as one would expect but
+is very high positive value instead.
+
+This means that "start" becomes a very high positive value. The result
+of that is that we never enter the "for (i = start; i <= end; i++) {"
+loop. Instead of storing the result from b43legacy_radio_aci_detect()
+it just uses zero.
+
+Fixes: 75388acd0cd8 ("[B43LEGACY]: add mac80211-based driver for legacy BCM43xx devices")
+Signed-off-by: Dan Carpenter
+Acked-by: Michael Büsch
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20211006073542.GD8404@kili
+Signed-off-by: Oliver Neukum
+---
+ drivers/net/wireless/broadcom/b43legacy/radio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/broadcom/b43legacy/radio.c b/drivers/net/wireless/broadcom/b43legacy/radio.c
+index 06891b4f837b..fdf78c10a05c 100644
+--- a/drivers/net/wireless/broadcom/b43legacy/radio.c
++++ b/drivers/net/wireless/broadcom/b43legacy/radio.c
+@@ -283,7 +283,7 @@ u8 b43legacy_radio_aci_scan(struct b43legacy_wldev *dev)
+ & 0x7FFF);
+ b43legacy_set_all_gains(dev, 3, 8, 1);
+
+- start = (channel - 5 > 0) ? channel - 5 : 1;
++ start = (channel > 5) ? channel - 5 : 1;
+ end = (channel + 5 < 14) ? channel + 5 : 13;
+
+ for (i = start; i <= end; i++) {
+--
+2.34.1
+
diff --git a/patches.suse/bnx2x-fix-napi-API-usage-sequence.patch b/patches.suse/bnx2x-fix-napi-API-usage-sequence.patch
new file mode 100644
index 0000000..5425000
--- /dev/null
+++ b/patches.suse/bnx2x-fix-napi-API-usage-sequence.patch 
@@ -0,0 +1,145 @@ +From: Manish Chopra +Date: Tue, 26 Apr 2022 08:39:13 -0700 +Subject: bnx2x: fix napi API usage sequence +Patch-mainline: v5.18-rc5 +Git-commit: af68656d66eda219b7f55ce8313a1da0312c79e1 +References: bsc#1198217 + +While handling PCI errors (AER flow) driver tries to +disable NAPI [napi_disable()] after NAPI is deleted +[__netif_napi_del()] which causes unexpected system +hang/crash. + +System message log shows the following: +======================================= +[ 3222.537510] EEH: Detected PCI bus error on PHB#384-PE#800000 [ 3222.537511] EEH: This PCI device has failed 2 times in the last hour and will be permanently disabled after 5 failures. +[ 3222.537512] EEH: Notify device drivers to shutdown [ 3222.537513] EEH: Beginning: 'error_detected(IO frozen)' +[ 3222.537514] EEH: PE#800000 (PCI 0384:80:00.0): Invoking +bnx2x->error_detected(IO frozen) +[ 3222.537516] bnx2x: [bnx2x_io_error_detected:14236(eth14)]IO error detected [ 3222.537650] EEH: PE#800000 (PCI 0384:80:00.0): bnx2x driver reports: +'need reset' +[ 3222.537651] EEH: PE#800000 (PCI 0384:80:00.1): Invoking +bnx2x->error_detected(IO frozen) +[ 3222.537651] bnx2x: [bnx2x_io_error_detected:14236(eth13)]IO error detected [ 3222.537729] EEH: PE#800000 (PCI 0384:80:00.1): bnx2x driver reports: +'need reset' +[ 3222.537729] EEH: Finished:'error_detected(IO frozen)' with aggregate recovery state:'need reset' +[ 3222.537890] EEH: Collect temporary log [ 3222.583481] EEH: of node=0384:80:00.0 [ 3222.583519] EEH: PCI device/vendor: 168e14e4 [ 3222.583557] EEH: PCI cmd/status register: 00100140 [ 3222.583557] EEH: PCI-E capabilities and status follow: +[ 3222.583744] EEH: PCI-E 00: 00020010 012c8da2 00095d5e 00455c82 [ 3222.583892] EEH: PCI-E 10: 10820000 00000000 00000000 00000000 [ 3222.583893] EEH: PCI-E 20: 00000000 [ 3222.583893] EEH: PCI-E AER capability register set follows: +[ 3222.584079] EEH: PCI-E AER 00: 13c10001 00000000 00000000 00062030 [ 3222.584230] EEH: PCI-E AER 10: 
00002000 000031c0 000001e0 00000000 [ 3222.584378] EEH: PCI-E AER 20: 00000000 00000000 00000000 00000000 [ 3222.584416] EEH: PCI-E AER 30: 00000000 00000000 [ 3222.584416] EEH: of node=0384:80:00.1 [ 3222.584454] EEH: PCI device/vendor: 168e14e4 [ 3222.584491] EEH: PCI cmd/status register: 00100140 [ 3222.584492] EEH: PCI-E capabilities and status follow: +[ 3222.584677] EEH: PCI-E 00: 00020010 012c8da2 00095d5e 00455c82 [ 3222.584825] EEH: PCI-E 10: 10820000 00000000 00000000 00000000 [ 3222.584826] EEH: PCI-E 20: 00000000 [ 3222.584826] EEH: PCI-E AER capability register set follows: +[ 3222.585011] EEH: PCI-E AER 00: 13c10001 00000000 00000000 00062030 [ 3222.585160] EEH: PCI-E AER 10: 00002000 000031c0 000001e0 00000000 [ 3222.585309] EEH: PCI-E AER 20: 00000000 00000000 00000000 00000000 [ 3222.585347] EEH: PCI-E AER 30: 00000000 00000000 [ 3222.586872] RTAS: event: 5, Type: Platform Error (224), Severity: 2 [ 3222.586873] EEH: Reset without hotplug activity [ 3224.762767] EEH: Beginning: 'slot_reset' +[ 3224.762770] EEH: PE#800000 (PCI 0384:80:00.0): Invoking +bnx2x->slot_reset() +[ 3224.762771] bnx2x: [bnx2x_io_slot_reset:14271(eth14)]IO slot reset initializing... 
+[ 3224.762887] bnx2x 0384:80:00.0: enabling device (0140 -> 0142) [ 3224.768157] bnx2x: [bnx2x_io_slot_reset:14287(eth14)]IO slot reset +--> driver unload + +Uninterruptible tasks +===================== +crash> ps | grep UN + 213 2 11 c000000004c89e00 UN 0.0 0 0 [eehd] + 215 2 0 c000000004c80000 UN 0.0 0 0 +[kworker/0:2] + 2196 1 28 c000000004504f00 UN 0.1 15936 11136 wickedd + 4287 1 9 c00000020d076800 UN 0.0 4032 3008 agetty + 4289 1 20 c00000020d056680 UN 0.0 7232 3840 agetty + 32423 2 26 c00000020038c580 UN 0.0 0 0 +[kworker/26:3] + 32871 4241 27 c0000002609ddd00 UN 0.1 18624 11648 sshd + 32920 10130 16 c00000027284a100 UN 0.1 48512 12608 sendmail + 33092 32987 0 c000000205218b00 UN 0.1 48512 12608 sendmail + 33154 4567 16 c000000260e51780 UN 0.1 48832 12864 pickup + 33209 4241 36 c000000270cb6500 UN 0.1 18624 11712 sshd + 33473 33283 0 c000000205211480 UN 0.1 48512 12672 sendmail + 33531 4241 37 c00000023c902780 UN 0.1 18624 11648 sshd + +EEH handler hung while bnx2x sleeping and holding RTNL lock +=========================================================== +crash> bt 213 +PID: 213 TASK: c000000004c89e00 CPU: 11 COMMAND: "eehd" + #0 [c000000004d477e0] __schedule at c000000000c70808 + #1 [c000000004d478b0] schedule at c000000000c70ee0 + #2 [c000000004d478e0] schedule_timeout at c000000000c76dec + #3 [c000000004d479c0] msleep at c0000000002120cc + #4 [c000000004d479f0] napi_disable at c000000000a06448 + ^^^^^^^^^^^^^^^^ + #5 [c000000004d47a30] bnx2x_netif_stop at c0080000018dba94 [bnx2x] + #6 [c000000004d47a60] bnx2x_io_slot_reset at c0080000018a551c [bnx2x] + #7 [c000000004d47b20] eeh_report_reset at c00000000004c9bc + #8 [c000000004d47b90] eeh_pe_report at c00000000004d1a8 + #9 [c000000004d47c40] eeh_handle_normal_event at c00000000004da64 + +And the sleeping source code +============================ +crash> dis -ls c000000000a06448 +FILE: ../net/core/dev.c +LINE: 6702 + + 6697 { + 6698 might_sleep(); + 6699 set_bit(NAPI_STATE_DISABLE, &n->state); + 6700 + 
6701 while (test_and_set_bit(NAPI_STATE_SCHED, &n->state)) +* 6702 msleep(1); + 6703 while (test_and_set_bit(NAPI_STATE_NPSVC, &n->state)) + 6704 msleep(1); + 6705 + 6706 hrtimer_cancel(&n->timer); + 6707 + 6708 clear_bit(NAPI_STATE_DISABLE, &n->state); + 6709 } + +EEH calls into bnx2x twice based on the system log above, first through +bnx2x_io_error_detected() and then bnx2x_io_slot_reset(), and executes +the following call chains: + +bnx2x_io_error_detected() + +-> bnx2x_eeh_nic_unload() + +-> bnx2x_del_all_napi() + +-> __netif_napi_del() + +bnx2x_io_slot_reset() + +-> bnx2x_netif_stop() + +-> bnx2x_napi_disable() + +->napi_disable() + +Fix this by correcting the sequence of NAPI APIs usage, +that is delete the NAPI after disabling it. + +Fixes: 7fa6f34081f1 ("bnx2x: AER revised") +Reported-by: David Christensen +Tested-by: David Christensen +Signed-off-by: Manish Chopra +Signed-off-by: Ariel Elior +Link: https://lore.kernel.org/r/20220426153913.6966-1-manishc@marvell.com +Signed-off-by: Jakub Kicinski +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c +@@ -14286,10 +14286,6 @@ static int bnx2x_eeh_nic_unload(struct b + + /* Stop Tx */ + bnx2x_tx_disable(bp); +- /* Delete all NAPI objects */ +- bnx2x_del_all_napi(bp); +- if (CNIC_LOADED(bp)) +- bnx2x_del_all_napi_cnic(bp); + netdev_reset_tc(bp->dev); + + del_timer_sync(&bp->timer); +@@ -14394,6 +14390,11 @@ static pci_ers_result_t bnx2x_io_slot_re + bnx2x_drain_tx_queues(bp); + bnx2x_send_unload_req(bp, UNLOAD_RECOVERY); + bnx2x_netif_stop(bp, 1); ++ bnx2x_del_all_napi(bp); ++ ++ if (CNIC_LOADED(bp)) ++ bnx2x_del_all_napi_cnic(bp); ++ + bnx2x_free_irq(bp); + + /* Report UNLOAD_DONE to MCP */ 
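Review bot: With the bnx2x_del_all_napi() calls removed from bnx2x_eeh_nic_unload(), NAPI objects are now deleted only when bnx2x_io_slot_reset() reaches the moved lines; if recovery ends after error_detected without a slot reset, they appear to stay registered, so it is worth confirming that the remove path still deletes them. The ordering requirement itself is not recorded in the code, and a comment above the moved calls would help: `/* NAPI must be disabled by bnx2x_netif_stop() before it is deleted */`. Both functions start and end outside the hunks.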
diff --git a/patches.suse/can-gs_usb-fix-use-of-uninitialized-variable-detach-.patch b/patches.suse/can-gs_usb-fix-use-of-uninitialized-variable-detach-.patch
new file mode 100644
index 0000000..9475a58
--- /dev/null
+++ b/patches.suse/can-gs_usb-fix-use-of-uninitialized-variable-detach-.patch
@@ -0,0 +1,56 @@
+From 87f4d14780b1ac426274050c519bfbc0e74872c7 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde
+Date: Fri, 10 Dec 2021 10:03:09 +0100
+Subject: [PATCH 4/6] can: gs_usb: fix use of uninitialized variable, detach
+ device on reception of invalid USB data
+References: git-fixes
+Patch-mainline: v5.17-rc1
+Git-commit: 4a8737ff068724f509d583fef404d349adba80d6
+
+The received data contains the channel the received data is associated
+with. If the channel number is bigger than the actual number of
+channels assume broken or malicious USB device and shut it down.
+
+This fixes the error found by clang:
+
+| drivers/net/can/usb/gs_usb.c:386:6: error: variable 'dev' is used
+| uninitialized whenever 'if' condition is true
+| if (hf->channel >= GS_MAX_INTF)
+| ^~~~~~~~~~~~~~~~~~~~~~~~~~
+| drivers/net/can/usb/gs_usb.c:474:10: note: uninitialized use occurs here
+| hf, dev->gs_hf_size, gs_usb_receive_bulk_callback,
+| ^~~
+
+Link: https://lore.kernel.org/all/20211210091158.408326-1-mkl@pengutronix.de
+Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices")
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Denis Kirjanov
+---
+ drivers/net/can/usb/gs_usb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c
+index 99c42f297afd..7fbb757af8e9 100644
+--- a/drivers/net/can/usb/gs_usb.c
++++ b/drivers/net/can/usb/gs_usb.c
+@@ -328,7 +328,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
+
+ /* device reports out of range channel id */
+ if (hf->channel >= GS_MAX_INTF)
+- goto resubmit_urb;
++ goto device_detach;
+
+ dev = usbcan->canch[hf->channel];
+
+@@ -413,6 +413,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
+
+ /* USB failure take down all interfaces */
+ if (rc == -ENODEV) {
++ device_detach:
+ for (rc = 0; rc < GS_MAX_INTF; rc++) {
+ if (usbcan->canch[rc])
+ netif_device_detach(usbcan->canch[rc]->netdev);
+--
+2.16.4
+
diff --git a/patches.suse/char-mwave-Adjust-io-port-register-size.patch b/patches.suse/char-mwave-Adjust-io-port-register-size.patch
new file mode 100644
index 0000000..eb9d9fb
--- /dev/null
+++ b/patches.suse/char-mwave-Adjust-io-port-register-size.patch
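Review bot: The range check compares `hf->channel` with the constant GS_MAX_INTF rather than with the number of channels this device actually registered, so `dev = usbcan->canch[hf->channel];` can still select an empty slot. The detach loop in the second hunk tests `if (usbcan->canch[rc])`, which suggests slots may be NULL; if `dev` is dereferenced right after the assignment (that code is outside the hunk), a device reporting an unused channel id would still cause a NULL dereference. I would add `if (!dev) goto device_detach;` after the assignment. Separately, `device_detach:` jumps into the body of `if (rc == -ENODEV)`, which is legal but easy to misread, so a short comment at the label saying it is also reached for an invalid channel id would help.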
@@ -0,0 +1,44 @@
+From: Kees Cook
+Date: Fri, 3 Dec 2021 00:42:06 -0800
+Subject: char/mwave: Adjust io port register size
+Git-commit: f5912cc19acd7c24b2dbf65a6340bf194244f085
+Patch-mainline: 5.17-rc1
+References: git-fixes
+
+Using MKWORD() on a byte-sized variable results in OOB read. Expand the
+size of the reserved area so both MKWORD and MKBYTE continue to work
+without overflow. Silences this warning on a -Warray-bounds build:
+
+drivers/char/mwave/3780i.h:346:22: error: array subscript 'short unsigned int[0]' is partly outside array bounds of 'DSP_ISA_SLAVE_CONTROL[1]' [-Werror=array-bounds]
+ 346 | #define MKWORD(var) (*((unsigned short *)(&var)))
+ | ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~
+drivers/char/mwave/3780i.h:356:40: note: in definition of macro 'OutWordDsp'
+ 356 | #define OutWordDsp(index,value) outw(value,usDspBaseIO+index)
+ | ^~~~~
+drivers/char/mwave/3780i.c:373:41: note: in expansion of macro 'MKWORD'
+ 373 | OutWordDsp(DSP_IsaSlaveControl, MKWORD(rSlaveControl));
+ | ^~~~~~
+drivers/char/mwave/3780i.c:358:31: note: while referencing 'rSlaveControl'
+ 358 | DSP_ISA_SLAVE_CONTROL rSlaveControl;
+ | ^~~~~~~~~~~~~
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kees Cook
+Link: https://lore.kernel.org/r/20211203084206.3104326-1-keescook@chromium.org
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Jiri Slaby
+---
+ drivers/char/mwave/3780i.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/mwave/3780i.h
++++ b/drivers/char/mwave/3780i.h
+@@ -68,7 +68,7 @@ typedef struct {
+ unsigned char ClockControl:1; /* RW: Clock control: 0=normal, 1=stop 3780i clocks */
+ unsigned char SoftReset:1; /* RW: Soft reset 0=normal, 1=soft reset active */
+ unsigned char ConfigMode:1; /* RW: Configuration mode, 0=normal, 1=config mode */
+- unsigned char Reserved:5; /* 0: Reserved */
++ unsigned short Reserved:13; /* 0: Reserved */
+ } DSP_ISA_SLAVE_CONTROL;
+
+
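Review bot: Widening the field to `unsigned short Reserved:13` makes the struct 16 bits only if the compiler packs the `unsigned char` and `unsigned short` bit-fields into one storage unit, which is implementation-defined, and MKWORD() then reads the object through an `unsigned short *` cast. A compile-time check would pin that assumption, for example `BUILD_BUG_ON(sizeof(DSP_ISA_SLAVE_CONTROL) != sizeof(unsigned short));` in a function that uses the type. The field comment could also record why it is 13 bits: `/* 0: Reserved, pads the register to a 16-bit word for MKWORD() */`. The struct definition starts outside the hunk.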
diff --git a/patches.suse/drm-add-a-locked-version-of-drm_is_current_master.patch b/patches.suse/drm-add-a-locked-version-of-drm_is_current_master.patch
new file mode 100644
index 0000000..e44c5e3
--- /dev/null
+++ b/patches.suse/drm-add-a-locked-version-of-drm_is_current_master.patch
@@ -0,0 +1,120 @@
+From 1f7ef07cfa14fb8557d1f1b7a14c76926142a4fb Mon Sep 17 00:00:00 2001
+From: Desmond Cheong Zhi Xi
+Date: Mon, 12 Jul 2021 12:35:06 +0800
+Subject: [PATCH] drm: add a locked version of drm_is_current_master
+Git-commit: 1f7ef07cfa14fb8557d1f1b7a14c76926142a4fb
+Patch-mainline: v5.15-rc1
+References: CVE-2022-1280 bsc#1197914
+
+While checking the master status of the DRM file in
+drm_is_current_master(), the device's master mutex should be
+held. Without the mutex, the pointer fpriv->master may be freed
+concurrently by another process calling drm_setmaster_ioctl(). This
+could lead to use-after-free errors when the pointer is subsequently
+dereferenced in drm_lease_owner().
+
+The callers of drm_is_current_master() from drm_auth.c hold the
+device's master mutex, but external callers do not. Hence, we implement
+drm_is_current_master_locked() to be used within drm_auth.c, and
+modify drm_is_current_master() to grab the device's master mutex
+before checking the master status.
+
+Reported-by: Daniel Vetter
+Signed-off-by: Desmond Cheong Zhi Xi
+Reviewed-by: Emil Velikov
+Signed-off-by: Daniel Vetter
+Link: https://patchwork.freedesktop.org/patch/msgid/20210712043508.11584-4-desmondcheongzx@gmail.com
+Acked-by: Takashi Iwai
+
+---
+ drivers/gpu/drm/drm_auth.c | 51 ++++++++++++++++++++++++++++-----------------
+ 1 file changed, 32 insertions(+), 19 deletions(-)
+
+--- a/drivers/gpu/drm/drm_auth.c
++++ b/drivers/gpu/drm/drm_auth.c
+@@ -55,6 +55,35 @@
+ * trusted clients.
+ */
+
++static bool drm_is_current_master_locked(struct drm_file *fpriv)
++{
++ lockdep_assert_held_once(&fpriv->minor->dev->master_mutex);
++
++ return fpriv->is_master && drm_lease_owner(fpriv->master) == fpriv->minor->dev->master;
++}
++
++/**
++ * drm_is_current_master - checks whether @priv is the current master
++ * @fpriv: DRM file private
++ *
++ * Checks whether @fpriv is current master on its device. This decides whether a
++ * client is allowed to run DRM_MASTER IOCTLs.
++ *
++ * Most of the modern IOCTL which require DRM_MASTER are for kernel modesetting
++ * - the current master is assumed to own the non-shareable display hardware.
++ */
++bool drm_is_current_master(struct drm_file *fpriv)
++{
++ bool ret;
++
++ mutex_lock(&fpriv->minor->dev->master_mutex);
++ ret = drm_is_current_master_locked(fpriv);
++ mutex_unlock(&fpriv->minor->dev->master_mutex);
++
++ return ret;
++}
++EXPORT_SYMBOL(drm_is_current_master);
++
+ int drm_getmagic(struct drm_device *dev, void *data, struct drm_file *file_priv)
+ {
+ struct drm_auth *auth = data;
+@@ -182,7 +211,7 @@ int drm_setmaster_ioctl(struct drm_devic
+ int ret = 0;
+
+ mutex_lock(&dev->master_mutex);
+- if (drm_is_current_master(file_priv))
++ if (drm_is_current_master_locked(file_priv))
+ goto out_unlock;
+
+ if (dev->master) {
+@@ -226,7 +255,7 @@ int drm_dropmaster_ioctl(struct drm_devi
+ int ret = -EINVAL;
+
+ mutex_lock(&dev->master_mutex);
+- if (!drm_is_current_master(file_priv))
++ if (!drm_is_current_master_locked(file_priv))
+ goto out_unlock;
+
+ if (!dev->master)
+@@ -272,7 +301,7 @@ void drm_master_release(struct drm_file
+ if (file_priv->magic)
+ idr_remove(&file_priv->master->magic_map, file_priv->magic);
+
+- if (!drm_is_current_master(file_priv))
++ if (!drm_is_current_master_locked(file_priv))
+ goto out;
+
+ if (drm_core_check_feature(dev, DRIVER_LEGACY)) {
+@@ -308,22 +337,6 @@ out:
+ }
+
+ /**
+- * drm_is_current_master - checks whether @priv is the current master
+- * @fpriv: DRM file private
+- *
+- * Checks whether @fpriv is current master on its device. This decides whether a
+- * client is allowed to run DRM_MASTER IOCTLs.
+- *
+- * Most of the modern IOCTL which require DRM_MASTER are for kernel modesetting
+- * - the current master is assumed to own the non-shareable display hardware.
+- */
+-bool drm_is_current_master(struct drm_file *fpriv)
+-{
+- return fpriv->is_master && drm_lease_owner(fpriv->master) == fpriv->minor->dev->master;
+-}
+-EXPORT_SYMBOL(drm_is_current_master);
+-
+-/**
+ * drm_master_get - reference a master pointer
+ * @master: &struct drm_master
+ *
diff --git a/patches.suse/drm-protect-drm_master-pointers-in-drm_lease.c.patch b/patches.suse/drm-protect-drm_master-pointers-in-drm_lease.c.patch
new file mode 100644
index 0000000..e273e77
--- /dev/null
+++ b/patches.suse/drm-protect-drm_master-pointers-in-drm_lease.c.patch
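Review bot: drm_is_current_master() now takes `master_mutex`, but its kernel-doc was moved unchanged and does not say so; a caller that already holds the mutex would deadlock and one in atomic context would sleep. I would add a line to the comment such as ` * Takes &drm_device.master_mutex, so it must not be called with that mutex held or from atomic context.` The moved kernel-doc also still says `@priv` in its first line while the parameter is `@fpriv`. The three converted callers are shown only in part, so that each holds the mutex at the call rests on the commit message and the lockdep assertion in the new helper, not on the hunks themselves.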
@@ -0,0 +1,335 @@ +From 56f0729a510f92151682ff6c89f69724d5595d6e Mon Sep 17 00:00:00 2001 +From: Desmond Cheong Zhi Xi +Date: Mon, 12 Jul 2021 12:35:08 +0800 +Subject: [PATCH] drm: protect drm_master pointers in drm_lease.c +Git-commit: 56f0729a510f92151682ff6c89f69724d5595d6e +Patch-mainline: v5.15-rc1 +References: CVE-2022-1280 bsc#1197914 + +drm_file->master pointers should be protected by +drm_device.master_mutex or drm_file.master_lookup_lock when being +dereferenced. + +However, in drm_lease.c, there are multiple instances where +drm_file->master is accessed and dereferenced while neither lock is +held. This makes drm_lease.c vulnerable to use-after-free bugs. + +We address this issue in 2 ways: + +1. Add a new drm_file_get_master() function that calls drm_master_get +on drm_file->master while holding on to +drm_file.master_lookup_lock. Since drm_master_get increments the +reference count of master, this prevents master from being freed until +we unreference it with drm_master_put. + +2. In each case where drm_file->master is directly accessed and +eventually dereferenced in drm_lease.c, we wrap the access in a call +to the new drm_file_get_master function, then unreference the master +pointer once we are done using it. 
+ +Reported-by: Daniel Vetter +Signed-off-by: Desmond Cheong Zhi Xi +Reviewed-by: Emil Velikov +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20210712043508.11584-6-desmondcheongzx@gmail.com +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/drm_auth.c | 25 +++++++++++++ + drivers/gpu/drm/drm_lease.c | 79 +++++++++++++++++++++++++++++++++----------- + include/drm/drm_auth.h | 1 + include/drm/drm_file.h | 6 +++ + 4 files changed, 93 insertions(+), 18 deletions(-) + +--- a/drivers/gpu/drm/drm_auth.c ++++ b/drivers/gpu/drm/drm_auth.c +@@ -354,6 +354,31 @@ struct drm_master *drm_master_get(struct + } + EXPORT_SYMBOL(drm_master_get); + ++/** ++ * drm_file_get_master - reference &drm_file.master of @file_priv ++ * @file_priv: DRM file private ++ * ++ * Increments the reference count of @file_priv's &drm_file.master and returns ++ * the &drm_file.master. If @file_priv has no &drm_file.master, returns NULL. ++ * ++ * Master pointers returned from this function should be unreferenced using ++ * drm_master_put(). 
++ */ ++struct drm_master *drm_file_get_master(struct drm_file *file_priv) ++{ ++ struct drm_master *master = NULL; ++ ++ spin_lock(&file_priv->master_lookup_lock); ++ if (!file_priv->master) ++ goto unlock; ++ master = drm_master_get(file_priv->master); ++ ++unlock: ++ spin_unlock(&file_priv->master_lookup_lock); ++ return master; ++} ++EXPORT_SYMBOL(drm_file_get_master); ++ + static void drm_master_destroy(struct kref *kref) + { + struct drm_master *master = container_of(kref, struct drm_master, refcount); +--- a/drivers/gpu/drm/drm_lease.c ++++ b/drivers/gpu/drm/drm_lease.c +@@ -112,10 +112,19 @@ static bool _drm_has_leased(struct drm_m + */ + bool _drm_lease_held(struct drm_file *file_priv, int id) + { +- if (file_priv == NULL || file_priv->master == NULL) ++ bool ret; ++ struct drm_master *master; ++ ++ if (!file_priv) + return true; + +- return _drm_lease_held_master(file_priv->master, id); ++ master = drm_file_get_master(file_priv); ++ if (!master) ++ return true; ++ ret = _drm_lease_held_master(master, id); ++ drm_master_put(&master); ++ ++ return ret; + } + EXPORT_SYMBOL(_drm_lease_held); + +@@ -135,13 +144,22 @@ bool drm_lease_held(struct drm_file *fil + struct drm_master *master; + bool ret; + +- if (file_priv == NULL || file_priv->master == NULL) ++ if (!file_priv) + return true; + +- master = file_priv->master; ++ master = drm_file_get_master(file_priv); ++ if (!master) ++ return true; ++ if (!master->lessor) { ++ ret = true; ++ goto out; ++ } + mutex_lock(&master->dev->mode_config.idr_mutex); + ret = _drm_lease_held_master(master, id); + mutex_unlock(&master->dev->mode_config.idr_mutex); ++ ++out: ++ drm_master_put(&master); + return ret; + } + EXPORT_SYMBOL(drm_lease_held); +@@ -162,10 +180,16 @@ uint32_t drm_lease_filter_crtcs(struct d + int count_in, count_out; + uint32_t crtcs_out = 0; + +- if (file_priv == NULL || file_priv->master == NULL) ++ if (!file_priv) + return crtcs_in; + +- master = file_priv->master; ++ master = 
drm_file_get_master(file_priv); ++ if (!master) ++ return crtcs_in; ++ if (!master->lessor) { ++ crtcs_out = crtcs_in; ++ goto out; ++ } + dev = master->dev; + + count_in = count_out = 0; +@@ -182,6 +206,9 @@ uint32_t drm_lease_filter_crtcs(struct d + count_in++; + } + mutex_unlock(&master->dev->mode_config.idr_mutex); ++ ++out: ++ drm_master_put(&master); + return crtcs_out; + } + EXPORT_SYMBOL(drm_lease_filter_crtcs); +@@ -496,7 +523,7 @@ int drm_mode_create_lease_ioctl(struct d + size_t object_count; + int ret = 0; + struct idr leases; +- struct drm_master *lessor = lessor_priv->master; ++ struct drm_master *lessor; + struct drm_master *lessee = NULL; + struct file *lessee_file = NULL; + struct file *lessor_file = lessor_priv->filp; +@@ -508,10 +535,6 @@ int drm_mode_create_lease_ioctl(struct d + if (!drm_core_check_feature(dev, DRIVER_MODESET)) + return -EINVAL; + +- /* Do not allow sub-leases */ +- if (lessor->lessor) +- return -EINVAL; +- + /* need some objects */ + if (cl->object_count == 0) + return -EINVAL; +@@ -519,12 +542,22 @@ int drm_mode_create_lease_ioctl(struct d + if (cl->flags && (cl->flags & ~(O_CLOEXEC | O_NONBLOCK))) + return -EINVAL; + ++ lessor = drm_file_get_master(lessor_priv); ++ /* Do not allow sub-leases */ ++ if (lessor->lessor) { ++ DRM_DEBUG_LEASE("recursive leasing not allowed\n"); ++ ret = -EINVAL; ++ goto out_lessor; ++ } ++ + object_count = cl->object_count; + + object_ids = memdup_user(u64_to_user_ptr(cl->object_ids), + array_size(object_count, sizeof(__u32))); +- if (IS_ERR(object_ids)) +- return PTR_ERR(object_ids); ++ if (IS_ERR(object_ids)) { ++ ret = PTR_ERR(object_ids); ++ goto out_lessor; ++ } + + idr_init(&leases); + +@@ -534,14 +567,15 @@ int drm_mode_create_lease_ioctl(struct d + kfree(object_ids); + if (ret) { + idr_destroy(&leases); +- return ret; ++ goto out_lessor; + } + + /* Allocate a file descriptor for the lease */ + fd = get_unused_fd_flags(cl->flags & (O_CLOEXEC | O_NONBLOCK)); + if (fd < 0) { + 
idr_destroy(&leases); +- return fd; ++ ret = fd; ++ goto out_lessor; + } + + DRM_DEBUG_LEASE("Creating lease\n"); +@@ -577,6 +611,7 @@ int drm_mode_create_lease_ioctl(struct d + /* Hook up the fd */ + fd_install(fd, lessee_file); + ++ drm_master_put(&lessor); + DRM_DEBUG_LEASE("drm_mode_create_lease_ioctl succeeded\n"); + return 0; + +@@ -586,6 +621,8 @@ out_lessee: + out_leases: + put_unused_fd(fd); + ++out_lessor: ++ drm_master_put(&lessor); + DRM_DEBUG_LEASE("drm_mode_create_lease_ioctl failed: %d\n", ret); + return ret; + } +@@ -608,7 +645,7 @@ int drm_mode_list_lessees_ioctl(struct d + struct drm_mode_list_lessees *arg = data; + __u32 __user *lessee_ids = (__u32 __user *) (uintptr_t) (arg->lessees_ptr); + __u32 count_lessees = arg->count_lessees; +- struct drm_master *lessor = lessor_priv->master, *lessee; ++ struct drm_master *lessor, *lessee; + int count; + int ret = 0; + +@@ -619,6 +656,7 @@ int drm_mode_list_lessees_ioctl(struct d + if (!drm_core_check_feature(dev, DRIVER_MODESET)) + return -EINVAL; + ++ lessor = drm_file_get_master(lessor_priv); + DRM_DEBUG_LEASE("List lessees for %d\n", lessor->lessee_id); + + mutex_lock(&dev->mode_config.idr_mutex); +@@ -642,6 +680,7 @@ int drm_mode_list_lessees_ioctl(struct d + arg->count_lessees = count; + + mutex_unlock(&dev->mode_config.idr_mutex); ++ drm_master_put(&lessor); + + return ret; + } +@@ -661,7 +700,7 @@ int drm_mode_get_lease_ioctl(struct drm_ + struct drm_mode_get_lease *arg = data; + __u32 __user *object_ids = (__u32 __user *) (uintptr_t) (arg->objects_ptr); + __u32 count_objects = arg->count_objects; +- struct drm_master *lessee = lessee_priv->master; ++ struct drm_master *lessee; + struct idr *object_idr; + int count; + void *entry; +@@ -675,6 +714,7 @@ int drm_mode_get_lease_ioctl(struct drm_ + if (!drm_core_check_feature(dev, DRIVER_MODESET)) + return -EINVAL; + ++ lessee = drm_file_get_master(lessee_priv); + DRM_DEBUG_LEASE("get lease for %d\n", lessee->lessee_id); + + 
mutex_lock(&dev->mode_config.idr_mutex); +@@ -702,6 +742,7 @@ int drm_mode_get_lease_ioctl(struct drm_ + arg->count_objects = count; + + mutex_unlock(&dev->mode_config.idr_mutex); ++ drm_master_put(&lessee); + + return ret; + } +@@ -720,7 +761,7 @@ int drm_mode_revoke_lease_ioctl(struct d + void *data, struct drm_file *lessor_priv) + { + struct drm_mode_revoke_lease *arg = data; +- struct drm_master *lessor = lessor_priv->master; ++ struct drm_master *lessor; + struct drm_master *lessee; + int ret = 0; + +@@ -730,6 +771,7 @@ int drm_mode_revoke_lease_ioctl(struct d + if (!drm_core_check_feature(dev, DRIVER_MODESET)) + return -EINVAL; + ++ lessor = drm_file_get_master(lessor_priv); + mutex_lock(&dev->mode_config.idr_mutex); + + lessee = _drm_find_lessee(lessor, arg->lessee_id); +@@ -750,6 +792,7 @@ int drm_mode_revoke_lease_ioctl(struct d + + fail: + mutex_unlock(&dev->mode_config.idr_mutex); ++ drm_master_put(&lessor); + + return ret; + } +--- a/include/drm/drm_auth.h ++++ b/include/drm/drm_auth.h +@@ -98,6 +98,7 @@ struct drm_master { + }; + + struct drm_master *drm_master_get(struct drm_master *master); ++struct drm_master *drm_file_get_master(struct drm_file *file_priv); + void drm_master_put(struct drm_master **master); + bool drm_is_current_master(struct drm_file *fpriv); + +--- a/include/drm/drm_file.h ++++ b/include/drm/drm_file.h +@@ -220,6 +220,12 @@ struct drm_file { + * this only matches &drm_device.master if the master is the currently + * active one. + * ++ * When dereferencing this pointer, either hold struct ++ * &drm_device.master_mutex for the duration of the pointer's use, or ++ * use drm_file_get_master() if struct &drm_device.master_mutex is not ++ * currently held and there is no other need to hold it. This prevents ++ * @master from being freed during use. ++ * + * See also @authentication and @is_master and the :ref:`section on + * primary nodes and authentication `. + */ 
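Review bot: In drm_mode_create_lease_ioctl(), drm_mode_list_lessees_ioctl(), drm_mode_get_lease_ioctl() and drm_mode_revoke_lease_ioctl() the result of drm_file_get_master() is dereferenced without a NULL check (`lessor->lessor`, `lessor->lessee_id`, `lessee->lessee_id`), although the new helper's kernel-doc says it returns NULL when the file has no master and _drm_lease_held() in the same patch does check for it. Each ioctl should bail out right after the call, e.g. `if (!lessor) return -EINVAL;` (the error code is a suggestion; use what the ioctl contract expects). Whether a file without a master can reach these ioctls is not visible here, so treat this as a missing defensive check unless the ioctl table rules it out. The ioctl bodies extend outside the hunks.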
diff --git a/patches.suse/drm-serialize-drm_file.master-with-a-new-spinlock.patch b/patches.suse/drm-serialize-drm_file.master-with-a-new-spinlock.patch
new file mode 100644
index 0000000..5987a39
--- /dev/null
+++ b/patches.suse/drm-serialize-drm_file.master-with-a-new-spinlock.patch
@@ -0,0 +1,129 @@ +From 0b0860a3cf5eccf183760b1177a1dcdb821b0b66 Mon Sep 17 00:00:00 2001 +From: Desmond Cheong Zhi Xi +Date: Mon, 12 Jul 2021 12:35:07 +0800 +Subject: [PATCH] drm: serialize drm_file.master with a new spinlock +Git-commit: 0b0860a3cf5eccf183760b1177a1dcdb821b0b66 +Patch-mainline: v5.15-rc1 +References: CVE-2022-1280 bsc#1197914 + +Currently, drm_file.master pointers should be protected by +drm_device.master_mutex when being dereferenced. This is because +drm_file.master is not invariant for the lifetime of drm_file. If +drm_file is not the creator of master, then drm_file.is_master is +false, and a call to drm_setmaster_ioctl will invoke +drm_new_set_master, which then allocates a new master for drm_file and +puts the old master. + +Thus, without holding drm_device.master_mutex, the old value of +drm_file.master could be freed while it is being used by another +concurrent process. + +However, it is not always possible to lock drm_device.master_mutex to +dereference drm_file.master. Through the fbdev emulation code, this +might occur in a deep nest of other locks. But drm_device.master_mutex +is also the outermost lock in the nesting hierarchy, so this leads to +potential deadlocks. + +To address this, we introduce a new spin lock at the bottom of the +lock hierarchy that only serializes drm_file.master. With this change, +the value of drm_file.master changes only when both +drm_device.master_mutex and drm_file.master_lookup_lock are +held. Hence, any process holding either of those locks can ensure that +the value of drm_file.master will not change concurrently. + +Since no lock depends on the new drm_file.master_lookup_lock, when +drm_file.master is dereferenced, but drm_device.master_mutex cannot be +held, we can safely protect the master pointer with +drm_file.master_lookup_lock. 
+ +Reported-by: Daniel Vetter +Signed-off-by: Desmond Cheong Zhi Xi +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20210712043508.11584-5-desmondcheongzx@gmail.com +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/drm_auth.c | 17 +++++++++++------ + drivers/gpu/drm/drm_file.c | 1 + + include/drm/drm_file.h | 12 +++++++++--- + 3 files changed, 21 insertions(+), 9 deletions(-) + +--- a/drivers/gpu/drm/drm_auth.c ++++ b/drivers/gpu/drm/drm_auth.c +@@ -167,17 +167,19 @@ static int drm_set_master(struct drm_dev + static int drm_new_set_master(struct drm_device *dev, struct drm_file *fpriv) + { + struct drm_master *old_master; ++ struct drm_master *new_master; + int ret; + + lockdep_assert_held_once(&dev->master_mutex); + + WARN_ON(fpriv->is_master); + old_master = fpriv->master; +- fpriv->master = drm_master_create(dev); +- if (!fpriv->master) { +- fpriv->master = old_master; ++ new_master = drm_master_create(dev); ++ if (!new_master) + return -ENOMEM; +- } ++ spin_lock(&fpriv->master_lookup_lock); ++ fpriv->master = new_master; ++ spin_unlock(&fpriv->master_lookup_lock); + + if (dev->driver->master_create) { + ret = dev->driver->master_create(dev, fpriv->master); +@@ -282,10 +284,13 @@ int drm_master_open(struct drm_file *fil + /* if there is no current master make this fd it, but do not create + * any master object for render clients */ + mutex_lock(&dev->master_mutex); +- if (!dev->master) ++ if (!dev->master) { + ret = drm_new_set_master(dev, file_priv); +- else ++ } else { ++ spin_lock(&file_priv->master_lookup_lock); + file_priv->master = drm_master_get(dev->master); ++ spin_unlock(&file_priv->master_lookup_lock); ++ } + mutex_unlock(&dev->master_mutex); + + return ret; +--- a/drivers/gpu/drm/drm_file.c ++++ b/drivers/gpu/drm/drm_file.c +@@ -139,6 +139,7 @@ struct drm_file *drm_file_alloc(struct d + init_waitqueue_head(&file->event_wait); + file->event_space = 4096; /* set aside 4k for event buffer */ + ++ 
spin_lock_init(&file->master_lookup_lock); + mutex_init(&file->event_read_lock); + + if (drm_core_check_feature(dev, DRIVER_GEM)) +--- a/include/drm/drm_file.h ++++ b/include/drm/drm_file.h +@@ -213,15 +213,21 @@ struct drm_file { + /** + * @master: + * +- * Master this node is currently associated with. Only relevant if +- * drm_is_primary_client() returns true. Note that this only +- * matches &drm_device.master if the master is the currently active one. ++ * Master this node is currently associated with. Protected by struct ++ * &drm_device.master_mutex, and serialized by @master_lookup_lock. ++ * ++ * Only relevant if drm_is_primary_client() returns true. Note that ++ * this only matches &drm_device.master if the master is the currently ++ * active one. + * + * See also @authentication and @is_master and the :ref:`section on + * primary nodes and authentication `. + */ + struct drm_master *master; + ++ /** @master_lock: Serializes @master. */ ++ spinlock_t master_lookup_lock; ++ + /** @pid: Process that opened this file. */ + struct pid *pid; + diff --git a/patches.suse/drm-ttm-nouveau-don-t-call-tt-destroy-callback-on-al.patch b/patches.suse/drm-ttm-nouveau-don-t-call-tt-destroy-callback-on-al.patch index 4eb8967..c7fc2c9 100644 --- a/patches.suse/drm-ttm-nouveau-don-t-call-tt-destroy-callback-on-al.patch +++ b/patches.suse/drm-ttm-nouveau-don-t-call-tt-destroy-callback-on-al.patch @@ -7,7 +7,7 @@ Content-type: text/plain; charset=UTF-8 Content-transfer-encoding: 8bit Git-commit: 5de5b6ecf97a021f29403aa272cb4e03318ef586 Patch-mainline: v5.9-rc1 -References: bsc#1175232 +References: bsc#1175232 bsc#1183723 CVE-2021-20292 This is confusing, and from my reading of all the drivers only nouveau got this right. diff --git a/patches.suse/drm-use-the-lookup-lock-in-drm_is_current_master.patch b/patches.suse/drm-use-the-lookup-lock-in-drm_is_current_master.patch new file mode 100644 index 0000000..3895fca --- /dev/null 
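Review bot: The kernel-doc tag on the new field in the include/drm/drm_file.h hunk names `@master_lock`, but the member it documents is `master_lookup_lock`, so the description will not attach to the field and kernel-doc is likely to report the member as undocumented. The comment should read `/** @master_lookup_lock: Serializes @master. */`. It would also help to state there what the commit message says: @master is written only with both &drm_device.master_mutex and this spinlock held, which is why a reader may take either one.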
+++ b/patches.suse/drm-use-the-lookup-lock-in-drm_is_current_master.patch
@@ -0,0 +1,51 @@
+From 28be2405fb753927e18bc1a891617a430b2a0684 Mon Sep 17 00:00:00 2001
+From: Desmond Cheong Zhi Xi
+Date: Sat, 24 Jul 2021 19:18:22 +0800
+Subject: [PATCH] drm: use the lookup lock in drm_is_current_master
+Git-commit: 28be2405fb753927e18bc1a891617a430b2a0684
+Patch-mainline: v5.15-rc1
+References: CVE-2022-1280 bsc#1197914
+
+Inside drm_is_current_master, using the outer drm_device.master_mutex
+to protect reads of drm_file.master makes the function prone to creating
+lock hierarchy inversions. Instead, we can use the
+drm_file.master_lookup_lock that sits at the bottom of the lock
+hierarchy.
+
+Reported-by: Daniel Vetter
+Signed-off-by: Desmond Cheong Zhi Xi
+Reviewed-by: Daniel Vetter
+Signed-off-by: Daniel Vetter
+Link: https://patchwork.freedesktop.org/patch/msgid/20210724111824.59266-2-desmondcheongzx@gmail.com
+Acked-by: Takashi Iwai
+
+---
+ drivers/gpu/drm/drm_auth.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/drm_auth.c
++++ b/drivers/gpu/drm/drm_auth.c
+@@ -57,8 +57,9 @@
+
+ static bool drm_is_current_master_locked(struct drm_file *fpriv)
+ {
+- lockdep_assert_held_once(&fpriv->minor->dev->master_mutex);
+-
++ /* Either drm_device.master_mutex or drm_file.master_lookup_lock
++ * should be held here.
++ */
+ return fpriv->is_master && drm_lease_owner(fpriv->master) == fpriv->minor->dev->master;
+ }
+
+@@ -76,9 +77,9 @@ bool drm_is_current_master(struct drm_fi
+ {
+ bool ret;
+
+- mutex_lock(&fpriv->minor->dev->master_mutex);
++ spin_lock(&fpriv->master_lookup_lock);
+ ret = drm_is_current_master_locked(fpriv);
+- mutex_unlock(&fpriv->minor->dev->master_mutex);
++ spin_unlock(&fpriv->master_lookup_lock);
+
+ return ret;
+ }
diff --git a/patches.suse/floppy-Do-not-copy-a-kernel-pointer-to-user-memory-i.patch b/patches.suse/floppy-Do-not-copy-a-kernel-pointer-to-user-memory-i.patch
index d855435..eff50f2 100644
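Review bot: drm_is_current_master_locked() loses its only machine-checked locking invariant here: `lockdep_assert_held_once(&fpriv->minor->dev->master_mutex)` is removed and replaced by a comment saying that either lock should be held. A caller that holds neither lock would now go unnoticed, and that is exactly the unserialized read of `fpriv->master` this series is meant to rule out. If the lockdep helpers in this tree allow it, an assertion that accepts either `master_mutex` or `master_lookup_lock` would keep the check; if not, the comment should say why no assertion is possible, so the next reader does not take it for an oversight.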
--- a/patches.suse/floppy-Do-not-copy-a-kernel-pointer-to-user-memory-i.patch +++ b/patches.suse/floppy-Do-not-copy-a-kernel-pointer-to-user-memory-i.patch @@ -4,7 +4,7 @@ Date: Thu, 20 Sep 2018 09:09:48 -0600 Subject: [PATCH] floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl Git-commit: 65eea8edc315589d6c993cf12dbb5d0e9ef1fe4e Patch-mainline: v4.19-rc5 -References: bsc#1051510 +References: bsc#1051510 bsc#1084513 CVE-2018-7755 The final field of a floppy_struct is the field "name", which is a pointer to a string in kernel memory. The kernel pointer should not be copied to @@ -28,6 +28,7 @@ Broke up long line. Signed-off-by: Jens Axboe Acked-by: Takashi Iwai +Acked-by: Vasant Karasulli --- drivers/block/floppy.c | 3 +++ @@ -47,6 +48,6 @@ index 48f622728ce6..f2b6f4da1034 100644 break; case FDMSGON: UDP->flags |= FTD_MSG; --- +-- 2.18.0 diff --git a/patches.suse/fs-nfs-Use-fatal_signal_pending-instead-of-signal_pe.patch b/patches.suse/fs-nfs-Use-fatal_signal_pending-instead-of-signal_pe.patch new file mode 100644 index 0000000..38d96f1 --- /dev/null +++ b/patches.suse/fs-nfs-Use-fatal_signal_pending-instead-of-signal_pe.patch 
@@ -0,0 +1,40 @@
+From: zhouchuangao
+Date: Sun, 9 May 2021 19:34:37 -0700
+Subject: [PATCH] fs/nfs: Use fatal_signal_pending instead of signal_pending
+Git-commit: bb002388901151fe35b6697ab116f6ed0721a9ed
+Patch-mainline: v5.13
+References: git-fixes
+
+We set the state of the current process to TASK_KILLABLE via
+prepare_to_wait(). Should we use fatal_signal_pending() to detect
+the signal here?
+
+Fixes: b4868b44c562 ("NFSv4: Wait for stateid updates after CLOSE/OPEN_DOWNGRADE")
+Signed-off-by: zhouchuangao
+Signed-off-by: Trond Myklebust
+Acked-by: NeilBrown
+
+---
+ fs/nfs/nfs4proc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -1525,7 +1525,7 @@ static void nfs_set_open_stateid_locked(
+ spin_unlock(&state->owner->so_lock);
+ rcu_read_unlock();
+
+- if (!signal_pending(current)) {
++ if (!fatal_signal_pending(current)) {
+ if (schedule_timeout(5*HZ) == 0)
+ status = -EAGAIN;
+ else
+@@ -3182,7 +3182,7 @@ static bool nfs4_refresh_open_old_statei
+ write_sequnlock(&state->seqlock);
+ trace_nfs4_close_stateid_update_wait(state->inode, dst, 0);
+
+- if (signal_pending(current))
++ if (fatal_signal_pending(current))
+ status = -EINTR;
+ else
+ if (schedule_timeout(5*HZ) != 0)
diff --git a/patches.suse/fsl-fman-Check-for-null-pointer-after-calling-devm_i.patch b/patches.suse/fsl-fman-Check-for-null-pointer-after-calling-devm_i.patch
new file mode 100644
index 0000000..f0d653d
--- /dev/null
+++ b/patches.suse/fsl-fman-Check-for-null-pointer-after-calling-devm_i.patch
@@ -0,0 +1,96 @@ +From 930d4e08f3fe403361c3eca2281d45a50073c439 Mon Sep 17 00:00:00 2001 +From: Jiasheng Jiang +Date: Thu, 6 Jan 2022 18:04:10 +0800 +Subject: [PATCH 6/6] fsl/fman: Check for null pointer after calling + devm_ioremap +References: git-fixes +Patch-mainline: v5.17-rc1 +Git-commit: d5a73ec96cc57cf67e51b12820fc2354e7ca46f8 + +As the possible failure of the allocation, the devm_ioremap() may return +NULL pointer. +Take tgec_initialization() as an example. +If allocation fails, the params->base_addr will be NULL pointer and will +be assigned to tgec->regs in tgec_config(). +Then it will cause the dereference of NULL pointer in set_mac_address(), +which is called by tgec_init(). +Therefore, it should be better to add the sanity check after the calling +of the devm_ioremap(). + +Fixes: 3933961682a3 ("fsl/fman: Add FMan MAC driver") +Signed-off-by: Jiasheng Jiang +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/freescale/fman/mac.c | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/fman/mac.c b/drivers/net/ethernet/freescale/fman/mac.c +index 2f668abae8cc..3198ab317b44 100644 +--- a/drivers/net/ethernet/freescale/fman/mac.c ++++ b/drivers/net/ethernet/freescale/fman/mac.c +@@ -94,14 +94,17 @@ static void mac_exception(void *handle, enum fman_mac_exceptions ex) + __func__, ex); + } + +-static void set_fman_mac_params(struct mac_device *mac_dev, +- struct fman_mac_params *params) ++static int set_fman_mac_params(struct mac_device *mac_dev, ++ struct fman_mac_params *params) + { + struct mac_priv_s *priv = mac_dev->priv; + + params->base_addr = (typeof(params->base_addr)) + devm_ioremap(priv->dev, mac_dev->res->start, + resource_size(mac_dev->res)); ++ if (!params->base_addr) ++ return -ENOMEM; ++ + memcpy(¶ms->addr, mac_dev->addr, sizeof(mac_dev->addr)); + params->max_speed = priv->max_speed; + params->phy_if = mac_dev->phy_if; +@@ -112,6 +115,8 
@@ static void set_fman_mac_params(struct mac_device *mac_dev, + params->event_cb = mac_exception; + params->dev_id = mac_dev; + params->internal_phy_node = priv->internal_phy_node; ++ ++ return 0; + } + + static int tgec_initialization(struct mac_device *mac_dev) +@@ -123,7 +128,9 @@ static int tgec_initialization(struct mac_device *mac_dev) + + priv = mac_dev->priv; + +- set_fman_mac_params(mac_dev, ¶ms); ++ err = set_fman_mac_params(mac_dev, ¶ms); ++ if (err) ++ goto _return; + + mac_dev->fman_mac = tgec_config(¶ms); + if (!mac_dev->fman_mac) { +@@ -169,7 +176,9 @@ static int dtsec_initialization(struct mac_device *mac_dev) + + priv = mac_dev->priv; + +- set_fman_mac_params(mac_dev, ¶ms); ++ err = set_fman_mac_params(mac_dev, ¶ms); ++ if (err) ++ goto _return; + + mac_dev->fman_mac = dtsec_config(¶ms); + if (!mac_dev->fman_mac) { +@@ -218,7 +227,9 @@ static int memac_initialization(struct mac_device *mac_dev) + + priv = mac_dev->priv; + +- set_fman_mac_params(mac_dev, ¶ms); ++ err = set_fman_mac_params(mac_dev, ¶ms); ++ if (err) ++ goto _return; + + if (priv->max_speed == SPEED_10000) + params.phy_if = PHY_INTERFACE_MODE_XGMII; +-- +2.16.4 + diff --git a/patches.suse/fuse-fix-pipe-buffer-lifetime-for-direct_io.patch b/patches.suse/fuse-fix-pipe-buffer-lifetime-for-direct_io.patch new file mode 100644 index 0000000..e89b0f5 --- /dev/null +++ b/patches.suse/fuse-fix-pipe-buffer-lifetime-for-direct_io.patch 
@@ -0,0 +1,88 @@ +From 36c296eb1c781d00f25c05b91375ccdaa367bb9f Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Wed, 30 Mar 2022 08:45:04 -0700 +Subject: [PATCH] fuse: fix pipe buffer lifetime for direct_io +Git-commit: 0c4bcfdecb1ac0967619ee7ff44871d93c08c909 +Patch-mainline: v5.17-rc8 +References: bsc#1197343 CVE-2022-1011 + +commit 0c4bcfdecb1ac0967619ee7ff44871d93c08c909 upstream. + +In FOPEN_DIRECT_IO mode, fuse_file_write_iter() calls +fuse_direct_write_iter(), which normally calls fuse_direct_io(), which then +imports the write buffer with fuse_get_user_pages(), which uses +iov_iter_get_pages() to grab references to userspace pages instead of +actually copying memory. + +On the filesystem device side, these pages can then either be read to +userspace (via fuse_dev_read()), or splice()d over into a pipe using +fuse_dev_splice_read() as pipe buffers with &nosteal_pipe_buf_ops. + +This is wrong because after fuse_dev_do_read() unlocks the FUSE request, +the userspace filesystem can mark the request as completed, causing write() +to return. At that point, the userspace filesystem should no longer have +access to the pipe buffer. + +Fix by copying pages coming from the user address space to new pipe +buffers. + +Reported-by: Jann Horn +Fixes: c3021629a0d8 ("fuse: support splice() reading from fuse device") +Cc: +Signed-off-by: Miklos Szeredi +Signed-off-by: Zach O'Keefe +Acked-by: Luís Henriques +--- + fs/fuse/dev.c | 12 +++++++++++- + fs/fuse/file.c | 1 + + fs/fuse/fuse_i.h | 2 ++ + 3 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c +index b6f2a10663a0..26d40fecf296 100644 +--- a/fs/fuse/dev.c ++++ b/fs/fuse/dev.c +@@ -985,7 +985,17 @@ static int fuse_copy_page(struct fuse_copy_state *cs, struct page **pagep, + + while (count) { + if (cs->write && cs->pipebufs && page) { +- return fuse_ref_page(cs, page, offset, count); ++ /* ++ * Can't control lifetime of pipe buffers, so always ++ * copy user pages. 
++ */ ++ if (cs->req->user_pages) { ++ err = fuse_copy_fill(cs); ++ if (err) ++ return err; ++ } else { ++ return fuse_ref_page(cs, page, offset, count); ++ } + } else if (!cs->len) { + if (cs->move_pages && page && + offset == 0 && count == PAGE_SIZE) { +diff --git a/fs/fuse/file.c b/fs/fuse/file.c +index 4238939af2fe..c01a180b571f 100644 +--- a/fs/fuse/file.c ++++ b/fs/fuse/file.c +@@ -1316,6 +1316,7 @@ static int fuse_get_user_pages(struct fuse_req *req, struct iov_iter *ii, + (PAGE_SIZE - ret) & (PAGE_SIZE - 1); + } + ++ req->user_pages = true; + if (write) + req->in.argpages = 1; + else +diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h +index 338aa5e266d6..cfe57b70bb29 100644 +--- a/fs/fuse/fuse_i.h ++++ b/fs/fuse/fuse_i.h +@@ -310,6 +310,8 @@ struct fuse_req { + /** refcount */ + refcount_t count; + ++ bool user_pages; ++ + /** Unique ID for the interrupt request */ + u64 intr_unique; + diff --git a/patches.suse/hwrng-atmel-disable-trng-on-failure-path.patch b/patches.suse/hwrng-atmel-disable-trng-on-failure-path.patch new file mode 100644 index 0000000..fc89398 --- /dev/null +++ b/patches.suse/hwrng-atmel-disable-trng-on-failure-path.patch @@ -0,0 +1,27 @@ +From: Claudiu Beznea +Date: Mon, 21 Feb 2022 09:59:23 +0200 +Subject: hwrng: atmel - disable trng on failure path +Git-commit: a223ea9f89ab960eb254ba78429efd42eaf845eb +Patch-mainline: 5.18-rc1 +References: git-fixes + +Call atmel_trng_disable() on failure path of probe. + +Fixes: a1fa98d8116f ("hwrng: atmel - disable TRNG during suspend") +Signed-off-by: Claudiu Beznea +Signed-off-by: Herbert Xu +Signed-off-by: Jiri Slaby +--- + drivers/char/hw_random/atmel-rng.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/char/hw_random/atmel-rng.c ++++ b/drivers/char/hw_random/atmel-rng.c +@@ -95,6 +95,7 @@ static int atmel_trng_probe(struct platf + + err_register: + clk_disable_unprepare(trng->clk); ++ atmel_trng_disable(trng); + return ret; + } + 
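Review bot: The new `bool user_pages;` in struct fuse_req (fs/fuse/fuse_i.h hunk) carries no comment, although the fields around it are documented and the whole pipe-buffer lifetime fix hinges on this flag. I would add `/** Pages were pinned from user memory by fuse_get_user_pages(); copy them, never reference them, when filling pipe buffers */` above it. In fuse_copy_page() the new branch dereferences `cs->req` whenever `cs->write && cs->pipebufs && page` holds; the code that assigns `cs->req` is outside the hunk, so it is worth confirming it is always non-NULL on that path in this tree. The visible code only ever sets the flag to true, so also check that a fuse_req starts out with it cleared.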
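Review bot: On the `err_register` path the added `atmel_trng_disable(trng)` runs after `clk_disable_unprepare(trng->clk)`. atmel_trng_disable() is not shown on this page, but if it writes a device register, as its name suggests, that write is issued with the peripheral clock already gated and may not reach the hardware, leaving the TRNG enabled after a failed probe. Unless the order is intentional, I would swap the two calls: `atmel_trng_disable(trng);` followed by `clk_disable_unprepare(trng->clk);`. The rest of atmel_trng_probe() lies outside the hunk.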
diff --git a/patches.suse/hwrng-cavium-HW_RANDOM_CAVIUM-should-depend-on-ARCH_.patch b/patches.suse/hwrng-cavium-HW_RANDOM_CAVIUM-should-depend-on-ARCH_.patch
new file mode 100644
index 0000000..0af49b5
--- /dev/null
+++ b/patches.suse/hwrng-cavium-HW_RANDOM_CAVIUM-should-depend-on-ARCH_.patch
@@ -0,0 +1,31 @@
+From: Geert Uytterhoeven
+Date: Wed, 12 Jan 2022 15:05:03 +0100
+Subject: hwrng: cavium - HW_RANDOM_CAVIUM should depend on ARCH_THUNDER
+Git-commit: ab7d88549e2f7ae116afd303f32e1950cb790a1d
+Patch-mainline: 5.18-rc1
+References: git-fixes
+
+The Cavium ThunderX Random Number Generator is only present on Cavium
+ThunderX SoCs, and not available as an independent PCIe endpoint. Hence
+add a dependency on ARCH_THUNDER, to prevent asking the user about this
+driver when configuring a kernel without Cavium Thunder SoC support.
+
+Fixes: cc2f1908c6b8f625 ("hwrng: cavium - Add Cavium HWRNG driver for ThunderX SoC.")
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Herbert Xu
+Signed-off-by: Jiri Slaby
+---
+ drivers/char/hw_random/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/hw_random/Kconfig
++++ b/drivers/char/hw_random/Kconfig
+@@ -385,7 +385,7 @@ config HW_RANDOM_MESON
+
+ config HW_RANDOM_CAVIUM
+ tristate "Cavium ThunderX Random Number Generator support"
+- depends on HW_RANDOM && PCI && (ARM64 || (COMPILE_TEST && 64BIT))
++ depends on HW_RANDOM && PCI && (ARCH_THUNDER || (COMPILE_TEST && 64BIT))
+ default HW_RANDOM
+ ---help---
+ This driver provides kernel-side support for the Random Number
diff --git a/patches.suse/i40e-Fix-incorrect-netdev-s-real-number-of-RX-TX-que.patch b/patches.suse/i40e-Fix-incorrect-netdev-s-real-number-of-RX-TX-que.patch
new file mode 100644
index 0000000..d74f8b1
--- /dev/null
+++ b/patches.suse/i40e-Fix-incorrect-netdev-s-real-number-of-RX-TX-que.patch
@@ -0,0 +1,90 @@ +From 0d9d241c68a703479815cc561b634be8da5f4aff Mon Sep 17 00:00:00 2001 +From: Jedrzej Jagielski +Date: Fri, 17 Dec 2021 14:29:05 +0000 +Subject: [PATCH 1/6] i40e: Fix incorrect netdev's real number of RX/TX queues +References: git-fixes +Patch-mainline: v5.16 +Git-commit: e738451d78b2f8a9635d66c6a87f304b4d965f7a + +There was a wrong queues representation in sysfs during +driver's reinitialization in case of online cpus number is +less than combined queues. It was caused by stopped +NetworkManager, which is responsible for calling vsi_open +function during driver's initialization. +In specific situation (ex. 12 cpus online) there were 16 queues +in /sys/class/net//queues. In case of modifying queues with +value higher, than number of online cpus, then it caused write +errors and other errors. +Add updating of sysfs's queues representation during driver +initialization. + +Fixes: 41c445ff0f48 ("i40e: main driver core") +Signed-off-by: Lukasz Cieplicki +Signed-off-by: Jedrzej Jagielski +Tested-by: Gurucharan G +Signed-off-by: Tony Nguyen +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 32 ++++++++++++++++++++++------- + 1 file changed, 25 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index df13d37c0e95..6847f3c382a8 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -7869,6 +7869,27 @@ int i40e_open(struct net_device *netdev) + return 0; + } + ++/** ++ * i40e_netif_set_realnum_tx_rx_queues - Update number of tx/rx queues ++ * @vsi: vsi structure ++ * ++ * This updates netdev's number of tx/rx queues ++ * ++ * Returns status of setting tx/rx queues ++ **/ ++static int i40e_netif_set_realnum_tx_rx_queues(struct i40e_vsi *vsi) ++{ ++ int ret; ++ ++ ret = netif_set_real_num_rx_queues(vsi->netdev, ++ vsi->num_queue_pairs); ++ if (ret) ++ return ret; ++ ++ return 
netif_set_real_num_tx_queues(vsi->netdev, ++ vsi->num_queue_pairs); ++} ++ + /** + * i40e_vsi_open - + * @vsi: the VSI to open +@@ -7905,13 +7926,7 @@ int i40e_vsi_open(struct i40e_vsi *vsi) + goto err_setup_rx; + + /* Notify the stack of the actual queue counts. */ +- err = netif_set_real_num_tx_queues(vsi->netdev, +- vsi->num_queue_pairs); +- if (err) +- goto err_set_queues; +- +- err = netif_set_real_num_rx_queues(vsi->netdev, +- vsi->num_queue_pairs); ++ err = i40e_netif_set_realnum_tx_rx_queues(vsi); + if (err) + goto err_set_queues; + +@@ -13300,6 +13315,9 @@ struct i40e_vsi *i40e_vsi_setup(struct i40e_pf *pf, u8 type, + case I40E_VSI_MAIN: + case I40E_VSI_VMDQ2: + ret = i40e_config_netdev(vsi); ++ if (ret) ++ goto err_netdev; ++ ret = i40e_netif_set_realnum_tx_rx_queues(vsi); + if (ret) + goto err_netdev; + ret = register_netdev(vsi->netdev); +-- +2.16.4 + diff --git a/patches.suse/ibmvnic-Allow-queueing-resets-during-probe.patch b/patches.suse/ibmvnic-Allow-queueing-resets-during-probe.patch index 54cd1ca..fe6aba6 100644 --- a/patches.suse/ibmvnic-Allow-queueing-resets-during-probe.patch +++ b/patches.suse/ibmvnic-Allow-queueing-resets-during-probe.patch @@ -4,7 +4,7 @@ Date: Thu, 24 Feb 2022 22:23:58 -0800 Subject: [PATCH] ibmvnic: Allow queueing resets during probe References: bsc#1196516 ltc#196391 -Patch-mainline: v5.17 or v5.17-rc7 (next release) +Patch-mainline: v5.17-rc7 Git-commit: fd98693cb0721317f27341951593712c580c36a1 We currently don't allow queuing resets when adapter is in VNIC_PROBING diff --git a/patches.suse/ibmvnic-clear-fop-when-retrying-probe.patch b/patches.suse/ibmvnic-clear-fop-when-retrying-probe.patch index e521ecf..7497c8b 100644 --- a/patches.suse/ibmvnic-clear-fop-when-retrying-probe.patch +++ b/patches.suse/ibmvnic-clear-fop-when-retrying-probe.patch 
@@ -4,7 +4,7 @@ Date: Thu, 24 Feb 2022 22:23:57 -0800 Subject: [PATCH] ibmvnic: clear fop when retrying probe References: bsc#1196516 ltc#196391 -Patch-mainline: v5.17 or v5.17-rc7 (next release) +Patch-mainline: v5.17-rc7 Git-commit: f628ad531b4f34fdba0984255b4a2850dd369513 Clear ->failover_pending flag that may have been set in the previous diff --git a/patches.suse/ibmvnic-complete-init_done-on-transport-events.patch b/patches.suse/ibmvnic-complete-init_done-on-transport-events.patch index 07beb3f..797ccee 100644 --- a/patches.suse/ibmvnic-complete-init_done-on-transport-events.patch +++ b/patches.suse/ibmvnic-complete-init_done-on-transport-events.patch @@ -4,7 +4,7 @@ Date: Thu, 24 Feb 2022 22:23:54 -0800 Subject: [PATCH] ibmvnic: complete init_done on transport events References: bsc#1196516 ltc#196391 -Patch-mainline: v5.17 or v5.17-rc7 (next release) +Patch-mainline: v5.17-rc7 Git-commit: 36491f2df9ad2501e5a4ec25d3d95d72bafd2781 If we get a transport event, set the error and mark the init as diff --git a/patches.suse/ibmvnic-define-flush_reset_queue-helper.patch b/patches.suse/ibmvnic-define-flush_reset_queue-helper.patch index 77a036e..df3cfaa 100644 --- a/patches.suse/ibmvnic-define-flush_reset_queue-helper.patch +++ b/patches.suse/ibmvnic-define-flush_reset_queue-helper.patch @@ -4,7 +4,7 @@ Date: Thu, 24 Feb 2022 22:23:53 -0800 Subject: [PATCH] ibmvnic: define flush_reset_queue helper References: bsc#1196516 ltc#196391 -Patch-mainline: v5.17 or v5.17-rc7 (next release) +Patch-mainline: v5.17-rc7 Git-commit: 83da53f7e4bd86dca4b2edc1e2bb324fb3c033a1 Define and use a helper to flush the reset queue. diff --git a/patches.suse/ibmvnic-free-reset-work-item-when-flushing.patch b/patches.suse/ibmvnic-free-reset-work-item-when-flushing.patch index 8cee543..09ac784 100644 --- a/patches.suse/ibmvnic-free-reset-work-item-when-flushing.patch +++ b/patches.suse/ibmvnic-free-reset-work-item-when-flushing.patch 
@@ -4,7 +4,7 @@ Date: Thu, 24 Feb 2022 22:23:51 -0800 Subject: [PATCH] ibmvnic: free reset-work-item when flushing References: bsc#1196516 ltc#196391 -Patch-mainline: v5.17 or v5.17-rc7 (next release) +Patch-mainline: v5.17-rc7 Git-commit: 8d0657f39f487d904fca713e0bc39c2707382553 Fix a tiny memory leak when flushing the reset work queue. diff --git a/patches.suse/ibmvnic-init-init_done_rc-earlier.patch b/patches.suse/ibmvnic-init-init_done_rc-earlier.patch index feca4bc..84fb65e 100644 --- a/patches.suse/ibmvnic-init-init_done_rc-earlier.patch +++ b/patches.suse/ibmvnic-init-init_done_rc-earlier.patch @@ -4,7 +4,7 @@ Date: Thu, 24 Feb 2022 22:23:56 -0800 Subject: [PATCH] ibmvnic: init init_done_rc earlier References: bsc#1196516 ltc#196391 -Patch-mainline: v5.17 or v5.17-rc7 (next release) +Patch-mainline: v5.17-rc7 Git-commit: ae16bf15374d8b055e040ac6f3f1147ab1c9bb7d We currently initialize the ->init_done completion/return code fields diff --git a/patches.suse/ibmvnic-initialize-rc-before-completing-wait.patch b/patches.suse/ibmvnic-initialize-rc-before-completing-wait.patch index 3eefad2..ef90e4b 100644 --- a/patches.suse/ibmvnic-initialize-rc-before-completing-wait.patch +++ b/patches.suse/ibmvnic-initialize-rc-before-completing-wait.patch @@ -4,7 +4,7 @@ Date: Thu, 24 Feb 2022 22:23:52 -0800 Subject: [PATCH] ibmvnic: initialize rc before completing wait References: bsc#1196516 ltc#196391 -Patch-mainline: v5.17 or v5.17-rc7 (next release) +Patch-mainline: v5.17-rc7 Git-commit: 765559b10ce514eb1576595834f23cdc92125fee We should initialize ->init_done_rc before calling complete(). Otherwise diff --git a/patches.suse/ibmvnic-register-netdev-after-init-of-adapter.patch b/patches.suse/ibmvnic-register-netdev-after-init-of-adapter.patch index 3a54386..22f2815 100644 --- a/patches.suse/ibmvnic-register-netdev-after-init-of-adapter.patch +++ b/patches.suse/ibmvnic-register-netdev-after-init-of-adapter.patch 
@@ -4,7 +4,7 @@ Date: Thu, 24 Feb 2022 22:23:55 -0800 Subject: [PATCH] ibmvnic: register netdev after init of adapter References: bsc#1196516 ltc#196391 -Patch-mainline: v5.17 or v5.17-rc7 (next release) +Patch-mainline: v5.17-rc7 Git-commit: 570425f8c7c18b14fa8a2a58a0adb431968ad118 Finish initializing the adapter before registering netdev so state diff --git a/patches.suse/ieee802154-atusb-fix-uninit-value-in-atusb_set_exten.patch b/patches.suse/ieee802154-atusb-fix-uninit-value-in-atusb_set_exten.patch new file mode 100644 index 0000000..1418c3c --- /dev/null +++ b/patches.suse/ieee802154-atusb-fix-uninit-value-in-atusb_set_exten.patch 
@@ -0,0 +1,70 @@ +From 1c9aa0e43dbfdae35b72e84c3374b18a54927e3e Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Tue, 4 Jan 2022 21:28:06 +0300 +Subject: [PATCH 2/6] ieee802154: atusb: fix uninit value in + atusb_set_extended_addr +References: git-fixes +Patch-mainline: v5.16 +Git-commit: 754e4382354f7908923a1949d8dc8d05f82f09cb + +Alexander reported a use of uninitialized value in +atusb_set_extended_addr(), that is caused by reading 0 bytes via +usb_control_msg(). + +Fix it by validating if the number of bytes transferred is actually +correct, since usb_control_msg() may read less bytes, than was requested +by caller. + +Fail log: + +BUG: KASAN: uninit-cmp in ieee802154_is_valid_extended_unicast_addr include/linux/ieee802154.h:310 [inline] +BUG: KASAN: uninit-cmp in atusb_set_extended_addr drivers/net/ieee802154/atusb.c:1000 [inline] +BUG: KASAN: uninit-cmp in atusb_probe.cold+0x29f/0x14db drivers/net/ieee802154/atusb.c:1056 +Uninit value used in comparison: 311daa649a2003bd stack handle: 000000009a2003bd + ieee802154_is_valid_extended_unicast_addr include/linux/ieee802154.h:310 [inline] + atusb_set_extended_addr drivers/net/ieee802154/atusb.c:1000 [inline] + atusb_probe.cold+0x29f/0x14db drivers/net/ieee802154/atusb.c:1056 + usb_probe_interface+0x314/0x7f0 drivers/usb/core/driver.c:396 + +Fixes: 7490b008d123 ("ieee802154: add support for atusb transceiver") +Reported-by: Alexander Potapenko +Acked-by: Alexander Aring +Signed-off-by: Pavel Skripkin +Link: https://lore.kernel.org/r/20220104182806.7188-1-paskripkin@gmail.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Denis Kirjanov +--- + drivers/net/ieee802154/atusb.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ieee802154/atusb.c b/drivers/net/ieee802154/atusb.c +index 2c4274453c15..95510638ebd7 100644 +--- a/drivers/net/ieee802154/atusb.c ++++ b/drivers/net/ieee802154/atusb.c +@@ -84,7 +84,9 @@ static int atusb_control_msg(struct atusb *atusb, unsigned 
int pipe, + + ret = usb_control_msg(usb_dev, pipe, request, requesttype, + value, index, data, size, timeout); +- if (ret < 0) { ++ if (ret < size) { ++ ret = ret < 0 ? ret : -ENODATA; ++ + atusb->err = ret; + dev_err(&usb_dev->dev, + "atusb_control_msg: req 0x%02x val 0x%x idx 0x%x, error %d\n", +@@ -656,9 +658,9 @@ static int atusb_get_and_show_build(struct atusb *atusb) + if (!build) + return -ENOMEM; + +- ret = atusb_control_msg(atusb, usb_rcvctrlpipe(usb_dev, 0), +- ATUSB_BUILD, ATUSB_REQ_FROM_DEV, 0, 0, +- build, ATUSB_BUILD_SIZE, 1000); ++ /* We cannot call atusb_control_msg() here, since this request may read various length data */ ++ ret = usb_control_msg(atusb->usb_dev, usb_rcvctrlpipe(usb_dev, 0), ATUSB_BUILD, ++ ATUSB_REQ_FROM_DEV, 0, 0, build, ATUSB_BUILD_SIZE, 1000); + if (ret >= 0) { + build[ret] = 0; + dev_info(&usb_dev->dev, "Firmware: build %s\n", build); +-- +2.16.4 + diff --git a/patches.suse/io-64-nonatomic-add-io-read-write-64-be-_lo_hi-_hi_l.patch b/patches.suse/io-64-nonatomic-add-io-read-write-64-be-_lo_hi-_hi_l.patch new file mode 100644 index 0000000..83d1c08 --- /dev/null +++ b/patches.suse/io-64-nonatomic-add-io-read-write-64-be-_lo_hi-_hi_l.patch 
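Review bot: atusb_get_and_show_build() now calls usb_control_msg() directly and then executes `build[ret] = 0;`, where `ret` can be as large as ATUSB_BUILD_SIZE because the length comes from the device. The allocation of `build` is outside the hunk, so confirm it is at least ATUSB_BUILD_SIZE + 1 bytes; otherwise a full-length reply puts the terminator one byte past the buffer. The direct call also skips the wrapper's `atusb->err = ret` bookkeeping and its error log, and it mixes `atusb->usb_dev` with the local `usb_dev` in a single call, where `usb_dev` for both would read better. In atusb_control_msg() the new `ret < size` test is only correct if `size` promotes to a signed type; its declaration is cut off in the hunk header, so that deserves a check as well.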
@@ -0,0 +1,174 @@ +From: Logan Gunthorpe +Date: Wed, 16 Jan 2019 11:25:21 -0700 +Subject: io-64-nonatomic: add io{read|write}64[be]{_lo_hi|_hi_lo} macros +Git-commit: c81d64d3dc1f2decf8f3a9354416b7496b5c389b +Patch-mainline: 5.1-rc1 +References: git-fixes + +This patch adds generic io{read|write}64[be]{_lo_hi|_hi_lo} macros if +they are not already defined by the architecture. (As they are provided +by the generic iomap library). + +The patch also points io{read|write}64[be] to the variant specified by the +header name. + +This is because new drivers are encouraged to use ioreadXX, et al instead +of readX[1], et al -- and mixing ioreadXX with readq is pretty ugly. + +[1] LDD3: section 9.4.2 + +Signed-off-by: Logan Gunthorpe +Reviewed-by: Andy Shevchenko +Cc: Christoph Hellwig +Cc: Arnd Bergmann +Cc: Alan Cox +Cc: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + include/linux/io-64-nonatomic-hi-lo.h | 64 ++++++++++++++++++++++++++++++++++ + include/linux/io-64-nonatomic-lo-hi.h | 64 ++++++++++++++++++++++++++++++++++ + 2 files changed, 128 insertions(+) + +--- a/include/linux/io-64-nonatomic-hi-lo.h ++++ b/include/linux/io-64-nonatomic-hi-lo.h +@@ -54,4 +54,68 @@ static inline void hi_lo_writeq_relaxed( + #define writeq_relaxed hi_lo_writeq_relaxed + #endif + ++#ifndef ioread64_hi_lo ++#define ioread64_hi_lo ioread64_hi_lo ++static inline u64 ioread64_hi_lo(void __iomem *addr) ++{ ++ u32 low, high; ++ ++ high = ioread32(addr + sizeof(u32)); ++ low = ioread32(addr); ++ ++ return low + ((u64)high << 32); ++} ++#endif ++ ++#ifndef iowrite64_hi_lo ++#define iowrite64_hi_lo iowrite64_hi_lo ++static inline void iowrite64_hi_lo(u64 val, void __iomem *addr) ++{ ++ iowrite32(val >> 32, addr + sizeof(u32)); ++ iowrite32(val, addr); ++} ++#endif ++ ++#ifndef ioread64be_hi_lo ++#define ioread64be_hi_lo ioread64be_hi_lo ++static inline u64 ioread64be_hi_lo(void __iomem *addr) ++{ ++ u32 low, high; ++ ++ high = ioread32be(addr); ++ low = 
ioread32be(addr + sizeof(u32)); ++ ++ return low + ((u64)high << 32); ++} ++#endif ++ ++#ifndef iowrite64be_hi_lo ++#define iowrite64be_hi_lo iowrite64be_hi_lo ++static inline void iowrite64be_hi_lo(u64 val, void __iomem *addr) ++{ ++ iowrite32be(val >> 32, addr); ++ iowrite32be(val, addr + sizeof(u32)); ++} ++#endif ++ ++#ifndef ioread64 ++#define ioread64_is_nonatomic ++#define ioread64 ioread64_hi_lo ++#endif ++ ++#ifndef iowrite64 ++#define iowrite64_is_nonatomic ++#define iowrite64 iowrite64_hi_lo ++#endif ++ ++#ifndef ioread64be ++#define ioread64be_is_nonatomic ++#define ioread64be ioread64be_hi_lo ++#endif ++ ++#ifndef iowrite64be ++#define iowrite64be_is_nonatomic ++#define iowrite64be iowrite64be_hi_lo ++#endif ++ + #endif /* _LINUX_IO_64_NONATOMIC_HI_LO_H_ */ +--- a/include/linux/io-64-nonatomic-lo-hi.h ++++ b/include/linux/io-64-nonatomic-lo-hi.h +@@ -54,4 +54,68 @@ static inline void lo_hi_writeq_relaxed( + #define writeq_relaxed lo_hi_writeq_relaxed + #endif + ++#ifndef ioread64_lo_hi ++#define ioread64_lo_hi ioread64_lo_hi ++static inline u64 ioread64_lo_hi(void __iomem *addr) ++{ ++ u32 low, high; ++ ++ low = ioread32(addr); ++ high = ioread32(addr + sizeof(u32)); ++ ++ return low + ((u64)high << 32); ++} ++#endif ++ ++#ifndef iowrite64_lo_hi ++#define iowrite64_lo_hi iowrite64_lo_hi ++static inline void iowrite64_lo_hi(u64 val, void __iomem *addr) ++{ ++ iowrite32(val, addr); ++ iowrite32(val >> 32, addr + sizeof(u32)); ++} ++#endif ++ ++#ifndef ioread64be_lo_hi ++#define ioread64be_lo_hi ioread64be_lo_hi ++static inline u64 ioread64be_lo_hi(void __iomem *addr) ++{ ++ u32 low, high; ++ ++ low = ioread32be(addr + sizeof(u32)); ++ high = ioread32be(addr); ++ ++ return low + ((u64)high << 32); ++} ++#endif ++ ++#ifndef iowrite64be_lo_hi ++#define iowrite64be_lo_hi iowrite64be_lo_hi ++static inline void iowrite64be_lo_hi(u64 val, void __iomem *addr) ++{ ++ iowrite32be(val, addr + sizeof(u32)); ++ iowrite32be(val >> 32, addr); ++} ++#endif ++ ++#ifndef 
ioread64 ++#define ioread64_is_nonatomic ++#define ioread64 ioread64_lo_hi ++#endif ++ ++#ifndef iowrite64 ++#define iowrite64_is_nonatomic ++#define iowrite64 iowrite64_lo_hi ++#endif ++ ++#ifndef ioread64be ++#define ioread64be_is_nonatomic ++#define ioread64be ioread64be_lo_hi ++#endif ++ ++#ifndef iowrite64be ++#define iowrite64be_is_nonatomic ++#define iowrite64be iowrite64be_lo_hi ++#endif ++ + #endif /* _LINUX_IO_64_NONATOMIC_LO_HI_H_ */ diff --git a/patches.suse/isdn-cpai-check-ctr-cnr-to-avoid-array-index-out-of-bound.patch b/patches.suse/isdn-cpai-check-ctr-cnr-to-avoid-array-index-out-of-bound.patch new file mode 100644 index 0000000..b86e54e --- /dev/null +++ b/patches.suse/isdn-cpai-check-ctr-cnr-to-avoid-array-index-out-of-bound.patch 
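Review bot: The new ioread64*/iowrite64* helpers in both headers have no comment saying that each one is two separate 32-bit accesses, so a register that changes between the halves can be read torn, and a device can observe a half-written value. One block comment above each group would make the `*_is_nonatomic` markers self-explanatory, for example `/* Two 32-bit accesses, high word first; not atomic with respect to the device. */` in the hi-lo header and the low-word-first equivalent in the lo-hi header. The comment should also state that the `be` variants keep the high word at the lower address, since that is easy to misread in `ioread64be_lo_hi()`.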
@@ -0,0 +1,65 @@ +From: Xiaolong Huang +Date: Fri, 8 Oct 2021 14:58:30 +0800 +Subject: isdn: cpai: check ctr->cnr to avoid array index out of bound +Git-commit: 1f3e2e97c003f80c4b087092b225c8787ff91e4d +Patch-mainline: v5.15-rc6 +References: bsc#1191958 CVE-2021-43389 + +The cmtp_add_connection() would add a cmtp session to a controller +and run a kernel thread to process cmtp. + + __module_get(THIS_MODULE); + session->task = kthread_run(cmtp_session, session, "kcmtpd_ctr_%d", + session->num); + +During this process, the kernel thread would call detach_capi_ctr() +to detach a register controller. if the controller +was not attached yet, detach_capi_ctr() would +trigger an array-index-out-bounds bug. + +[ 46.866069][ T6479] UBSAN: array-index-out-of-bounds in +drivers/isdn/capi/kcapi.c:483:21 +[ 46.867196][ T6479] index -1 is out of range for type 'capi_ctr *[32]' +[ 46.867982][ T6479] CPU: 1 PID: 6479 Comm: kcmtpd_ctr_0 Not tainted +5.15.0-rc2+ #8 +[ 46.869002][ T6479] Hardware name: QEMU Standard PC (i440FX + PIIX, +1996), BIOS 1.14.0-2 04/01/2014 +[ 46.870107][ T6479] Call Trace: +[ 46.870473][ T6479] dump_stack_lvl+0x57/0x7d +[ 46.870974][ T6479] ubsan_epilogue+0x5/0x40 +[ 46.871458][ T6479] __ubsan_handle_out_of_bounds.cold+0x43/0x48 +[ 46.872135][ T6479] detach_capi_ctr+0x64/0xc0 +[ 46.872639][ T6479] cmtp_session+0x5c8/0x5d0 +[ 46.873131][ T6479] ? __init_waitqueue_head+0x60/0x60 +[ 46.873712][ T6479] ? cmtp_add_msgpart+0x120/0x120 +[ 46.874256][ T6479] kthread+0x147/0x170 +[ 46.874709][ T6479] ? 
set_kthread_struct+0x40/0x40 +[ 46.875248][ T6479] ret_from_fork+0x1f/0x30 +[ 46.875773][ T6479] + +Signed-off-by: Xiaolong Huang +Acked-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20211008065830.305057-1-butterflyhuangxx@gmail.com +Signed-off-by: Jakub Kicinski +Acked-by: Borislav Petkov +--- + drivers/isdn/capi/kcapi.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/isdn/capi/kcapi.c b/drivers/isdn/capi/kcapi.c +index cb0afe897162..7313454e403a 100644 +--- a/drivers/isdn/capi/kcapi.c ++++ b/drivers/isdn/capi/kcapi.c +@@ -480,6 +480,11 @@ int detach_capi_ctr(struct capi_ctr *ctr) + + ctr_down(ctr, CAPI_CTR_DETACHED); + ++ if (ctr->cnr < 1 || ctr->cnr - 1 >= CAPI_MAXCONTR) { ++ err = -EINVAL; ++ goto unlock_out; ++ } ++ + if (capi_controller[ctr->cnr - 1] != ctr) { + err = -EINVAL; + goto unlock_out; + diff --git a/patches.suse/libertas-Fix-possible-memory-leak-in-probe-and-disco.patch b/patches.suse/libertas-Fix-possible-memory-leak-in-probe-and-disco.patch new file mode 100644 index 0000000..815a511 --- /dev/null +++ b/patches.suse/libertas-Fix-possible-memory-leak-in-probe-and-disco.patch 
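Review bot: The new range check on `ctr->cnr` runs after `ctr_down(ctr, CAPI_CTR_DETACHED)` has already been called, so a controller that was never attached still goes through ctr_down() before it is rejected. Whether ctr_down() is harmless for such a controller is not visible in the hunk; if it is not, the check belongs directly before the ctr_down() call. A comment on the check, such as `/* cnr is only valid once the controller is attached; kcmtpd may detach earlier */`, would record why it exists. detach_capi_ctr() begins and ends outside the hunk.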
@@ -0,0 +1,71 @@ +From 9692151e2fe7a326bafe99836fd1f20a2cc3a049 Mon Sep 17 00:00:00 2001 +From: Wang Hai +Date: Wed, 20 Oct 2021 20:03:45 +0800 +Subject: [PATCH] libertas: Fix possible memory leak in probe and disconnect +Git-commit: 9692151e2fe7a326bafe99836fd1f20a2cc3a049 +References: git-fixes +Patch-mainline: v5.16-rc1 + +I got memory leak as follows when doing fault injection test: + +unreferenced object 0xffff88812c7d7400 (size 512): + comm "kworker/6:1", pid 176, jiffies 4295003332 (age 822.830s) + hex dump (first 32 bytes): + 00 68 1e 04 81 88 ff ff 01 00 00 00 00 00 00 00 .h.............. + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] slab_post_alloc_hook+0x9c/0x490 + [] kmem_cache_alloc_trace+0x1f7/0x470 + [] if_usb_probe+0x63/0x446 [usb8xxx] + [] usb_probe_interface+0x1aa/0x3c0 [usbcore] + [] really_probe+0x190/0x480 + [] __driver_probe_device+0xf9/0x180 + [] driver_probe_device+0x53/0x130 + [] __device_attach_driver+0x105/0x130 + [] bus_for_each_drv+0x129/0x190 + [] __device_attach+0x1c9/0x270 + [] device_initial_probe+0x20/0x30 + [] bus_probe_device+0x142/0x160 + [] device_add+0x829/0x1300 + [] usb_set_configuration+0xb01/0xcc0 [usbcore] + [] usb_generic_driver_probe+0x6e/0x90 [usbcore] + [] usb_probe_device+0x6f/0x130 [usbcore] + +cardp is missing being freed in the error handling path of the probe +and the path of the disconnect, which will cause memory leak. + +This patch adds the missing kfree(). 
+ +Fixes: 876c9d3aeb98 ("[PATCH] Marvell Libertas 8388 802.11b/g USB driver") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211020120345.2016045-3-wanghai38@huawei.com +Signed-off-by: Oliver Neukum +--- + drivers/net/wireless/marvell/libertas/if_usb.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/marvell/libertas/if_usb.c b/drivers/net/wireless/marvell/libertas/if_usb.c +index 20436a289d5c..5d6dc1dd050d 100644 +--- a/drivers/net/wireless/marvell/libertas/if_usb.c ++++ b/drivers/net/wireless/marvell/libertas/if_usb.c +@@ -292,6 +292,7 @@ static int if_usb_probe(struct usb_interface *intf, + if_usb_reset_device(cardp); + dealloc: + if_usb_free(cardp); ++ kfree(cardp); + + error: + return r; +@@ -316,6 +317,7 @@ static void if_usb_disconnect(struct usb_interface *intf) + + /* Unlink and free urb */ + if_usb_free(cardp); ++ kfree(cardp); + + usb_set_intfdata(intf, NULL); + usb_put_dev(interface_to_usbdev(intf)); +-- +2.34.1 + diff --git a/patches.suse/libertas_tf-Fix-possible-memory-leak-in-probe-and-di.patch b/patches.suse/libertas_tf-Fix-possible-memory-leak-in-probe-and-di.patch new file mode 100644 index 0000000..fcc1856 --- /dev/null +++ b/patches.suse/libertas_tf-Fix-possible-memory-leak-in-probe-and-di.patch 
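Review bot: In if_usb_disconnect() the added `kfree(cardp)` runs before `usb_set_intfdata(intf, NULL)`, so the interface data still points at freed memory for the statements in between; the libertas_tf patch that follows uses the same order. Clearing the pointer first, `usb_set_intfdata(intf, NULL);` followed by `if_usb_free(cardp); kfree(cardp);`, removes that window. The free is safe only if nothing asynchronous (URB completion, firmware loading) can still reach cardp at this point, which depends on code above the hunk. Both functions begin and end outside the hunks.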
@@ -0,0 +1,71 @@ +From d549107305b4634c81223a853701c06bcf657bc3 Mon Sep 17 00:00:00 2001 +From: Wang Hai +Date: Wed, 20 Oct 2021 20:03:44 +0800 +Subject: [PATCH] libertas_tf: Fix possible memory leak in probe and disconnect +Git-commit: d549107305b4634c81223a853701c06bcf657bc3 +References: git-fixes +Patch-mainline: v5.16-rc1 + +I got memory leak as follows when doing fault injection test: + +unreferenced object 0xffff88810a2ddc00 (size 512): + comm "kworker/6:1", pid 176, jiffies 4295009893 (age 757.220s) + hex dump (first 32 bytes): + 00 50 05 18 81 88 ff ff 00 00 00 00 00 00 00 00 .P.............. + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] slab_post_alloc_hook+0x9c/0x490 + [] kmem_cache_alloc_trace+0x1f7/0x470 + [] if_usb_probe+0x60/0x37c [libertas_tf_usb] + [] usb_probe_interface+0x1aa/0x3c0 [usbcore] + [] really_probe+0x190/0x480 + [] __driver_probe_device+0xf9/0x180 + [] driver_probe_device+0x53/0x130 + [] __device_attach_driver+0x105/0x130 + [] bus_for_each_drv+0x129/0x190 + [] __device_attach+0x1c9/0x270 + [] device_initial_probe+0x20/0x30 + [] bus_probe_device+0x142/0x160 + [] device_add+0x829/0x1300 + [] usb_set_configuration+0xb01/0xcc0 [usbcore] + [] usb_generic_driver_probe+0x6e/0x90 [usbcore] + [] usb_probe_device+0x6f/0x130 [usbcore] + +cardp is missing being freed in the error handling path of the probe +and the path of the disconnect, which will cause memory leak. + +This patch adds the missing kfree(). 
+ +Fixes: c305a19a0d0a ("libertas_tf: usb specific functions") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211020120345.2016045-2-wanghai38@huawei.com +Signed-off-by: Oliver Neukum +--- + drivers/net/wireless/marvell/libertas_tf/if_usb.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/marvell/libertas_tf/if_usb.c b/drivers/net/wireless/marvell/libertas_tf/if_usb.c +index fe0a69e804d8..75b5319d033f 100644 +--- a/drivers/net/wireless/marvell/libertas_tf/if_usb.c ++++ b/drivers/net/wireless/marvell/libertas_tf/if_usb.c +@@ -230,6 +230,7 @@ static int if_usb_probe(struct usb_interface *intf, + + dealloc: + if_usb_free(cardp); ++ kfree(cardp); + error: + lbtf_deb_leave(LBTF_DEB_MAIN); + return -ENOMEM; +@@ -254,6 +255,7 @@ static void if_usb_disconnect(struct usb_interface *intf) + + /* Unlink and free urb */ + if_usb_free(cardp); ++ kfree(cardp); + + usb_set_intfdata(intf, NULL); + usb_put_dev(interface_to_usbdev(intf)); +-- +2.34.1 + diff --git a/patches.suse/mac80211-mesh-fix-potentially-unaligned-access.patch b/patches.suse/mac80211-mesh-fix-potentially-unaligned-access.patch new file mode 100644 index 0000000..4159548 --- /dev/null +++ b/patches.suse/mac80211-mesh-fix-potentially-unaligned-access.patch 
@@ -0,0 +1,31 @@
+From b9731062ce8afd35cf723bf3a8ad55d208f915a5 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Mon, 20 Sep 2021 15:40:05 +0200
+Subject: [PATCH] mac80211: mesh: fix potentially unaligned access
+Git-commit: b9731062ce8afd35cf723bf3a8ad55d208f915a5
+References: git-fixes
+Patch-mainline: v5.15-rc4
+
+The pointer here points directly into the frame, so the
+access is potentially unaligned. Use get_unaligned_le16
+to avoid that.
+
+Fixes: 3f52b7e328c5 ("mac80211: mesh power save basics")
+Link: https://lore.kernel.org/r/20210920154009.3110ff75be0c.Ib6a2ff9e9cc9bc6fca50fce631ec1ce725cc926b@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Oliver Neukum
+---
+ net/mac80211/mesh_ps.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/mesh_ps.c
++++ b/net/mac80211/mesh_ps.c
+@@ -587,7 +587,7 @@ void ieee80211_mps_frame_release(struct
+
+ /* only transmit to PS STA with announced, non-zero awake window */
+ if (test_sta_flag(sta, WLAN_STA_PS_STA) &&
+- (!elems->awake_window || !le16_to_cpu(*elems->awake_window)))
++ (!elems->awake_window || !get_unaligned_le16(elems->awake_window)))
+ return;
+
+ if (!test_sta_flag(sta, WLAN_STA_MPSP_OWNER))
diff --git a/patches.suse/media-dvb-usb-fix-uninit-value-in-dvb_usb_adapter_dv.patch b/patches.suse/media-dvb-usb-fix-uninit-value-in-dvb_usb_adapter_dv.patch
new file mode 100644
index 0000000..9be133c
--- /dev/null
+++ b/patches.suse/media-dvb-usb-fix-uninit-value-in-dvb_usb_adapter_dv.patch
@@ -0,0 +1,51 @@ +From c5453769f77ce19a5b03f1f49946fd3f8a374009 Mon Sep 17 00:00:00 2001 +From: Dongliang Mu +Date: Fri, 25 Jun 2021 07:33:27 +0200 +Subject: [PATCH] media: dvb-usb: fix uninit-value in dvb_usb_adapter_dvb_init +Git-commit: c5453769f77ce19a5b03f1f49946fd3f8a374009 +References: git-fixes +Patch-mainline: v5.15-rc1 + +If dibusb_read_eeprom_byte fails, the mac address is not initialized. +And nova_t_read_mac_address does not handle this failure, which leads to +the uninit-value in dvb_usb_adapter_dvb_init. + +Fix this by handling the failure of dibusb_read_eeprom_byte. + +Reported-by: syzbot+e27b4fd589762b0b9329@syzkaller.appspotmail.com +Fixes: 786baecfe78f ("[media] dvb-usb: move it to drivers/media/usb/dvb-usb") +Signed-off-by: Dongliang Mu +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Oliver Neukum +--- + drivers/media/usb/dvb-usb/nova-t-usb2.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/usb/dvb-usb/nova-t-usb2.c b/drivers/media/usb/dvb-usb/nova-t-usb2.c +index e7b290552b66..9c0eb0d40822 100644 +--- a/drivers/media/usb/dvb-usb/nova-t-usb2.c ++++ b/drivers/media/usb/dvb-usb/nova-t-usb2.c +@@ -130,7 +130,7 @@ static int nova_t_rc_query(struct dvb_usb_device *d, u32 *event, int *state) + + static int nova_t_read_mac_address (struct dvb_usb_device *d, u8 mac[6]) + { +- int i; ++ int i, ret; + u8 b; + + mac[0] = 0x00; +@@ -139,7 +139,9 @@ static int nova_t_read_mac_address (struct dvb_usb_device *d, u8 mac[6]) + + /* this is a complete guess, but works for my box */ + for (i = 136; i < 139; i++) { +- dibusb_read_eeprom_byte(d,i, &b); ++ ret = dibusb_read_eeprom_byte(d, i, &b); ++ if (ret) ++ return ret; + + mac[5 - (i - 136)] = b; + } +-- +2.34.1 + diff --git a/patches.suse/media-dvb-usb-fix-uninit-value-in-vp702x_read_mac_ad.patch b/patches.suse/media-dvb-usb-fix-uninit-value-in-vp702x_read_mac_ad.patch new file mode 100644 index 0000000..d8958e1 --- /dev/null 
+++ b/patches.suse/media-dvb-usb-fix-uninit-value-in-vp702x_read_mac_ad.patch
@@ -0,0 +1,56 @@
+From 797c061ad715a9a1480eb73f44b6939fbe3209ed Mon Sep 17 00:00:00 2001
+From: Dongliang Mu
+Date: Fri, 25 Jun 2021 07:59:04 +0200
+Subject: [PATCH] media: dvb-usb: fix uninit-value in vp702x_read_mac_addr
+Git-commit: 797c061ad715a9a1480eb73f44b6939fbe3209ed
+References: git-fixes
+Patch-mainline: v5.15-rc1
+
+If vp702x_usb_in_op fails, the mac address is not initialized.
+And vp702x_read_mac_addr does not handle this failure, which leads to
+the uninit-value in dvb_usb_adapter_dvb_init.
+
+Fix this by handling the failure of vp702x_usb_in_op.
+
+Fixes: 786baecfe78f ("[media] dvb-usb: move it to drivers/media/usb/dvb-usb")
+Signed-off-by: Dongliang Mu
+Signed-off-by: Sean Young
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Oliver Neukum
+---
+ drivers/media/usb/dvb-usb/vp702x.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/usb/dvb-usb/vp702x.c b/drivers/media/usb/dvb-usb/vp702x.c
+index bf54747e2e01..a1d9e4801a2b 100644
+--- a/drivers/media/usb/dvb-usb/vp702x.c
++++ b/drivers/media/usb/dvb-usb/vp702x.c
+@@ -291,16 +291,22 @@ static int vp702x_rc_query(struct dvb_usb_device *d, u32 *event, int *state)
+ static int vp702x_read_mac_addr(struct dvb_usb_device *d,u8 mac[6])
+ {
+ u8 i, *buf;
++ int ret;
+ struct vp702x_device_state *st = d->priv;
+
+ mutex_lock(&st->buf_mutex);
+ buf = st->buf;
+- for (i = 6; i < 12; i++)
+- vp702x_usb_in_op(d, READ_EEPROM_REQ, i, 1, &buf[i - 6], 1);
++ for (i = 6; i < 12; i++) {
++ ret = vp702x_usb_in_op(d, READ_EEPROM_REQ, i, 1,
++ &buf[i - 6], 1);
++ if (ret < 0)
++ goto err;
++ }
+
+ memcpy(mac, buf, 6);
++err:
+ mutex_unlock(&st->buf_mutex);
+- return 0;
++ return ret;
+ }
+
+ static int vp702x_frontend_attach(struct dvb_usb_adapter *adap)
+--
+2.34.1
+
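Review bot: vp702x_read_mac_addr() now ends with `return ret;`, so on success it returns whatever the last vp702x_usb_in_op() call returned instead of the literal 0 it returned before. If that helper can return a positive value (its body is not in the hunk), callers that treat non-zero as failure would reject a good MAC address; adding `ret = 0;` before the `memcpy(mac, buf, 6);` line keeps the old contract. The sibling fix in nova-t-usb2.c tests `if (ret)` while this one tests `if (ret < 0)`, so the return conventions of the two helpers should be confirmed against the target tree.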
diff --git a/patches.suse/media-dvb-usb-fix-ununit-value-in-az6027_rc_query.patch b/patches.suse/media-dvb-usb-fix-ununit-value-in-az6027_rc_query.patch
new file mode 100644
index 0000000..0f5e93e
--- /dev/null
+++ b/patches.suse/media-dvb-usb-fix-ununit-value-in-az6027_rc_query.patch
@@ -0,0 +1,38 @@
+From afae4ef7d5ad913cab1316137854a36bea6268a5 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin
+Date: Fri, 13 Aug 2021 16:34:20 +0200
+Subject: [PATCH] media: dvb-usb: fix ununit-value in az6027_rc_query
+Git-commit: afae4ef7d5ad913cab1316137854a36bea6268a5
+References: git-fixes
+Patch-mainline: v5.16-rc1
+
+Syzbot reported ununit-value bug in az6027_rc_query(). The problem was
+in missing state pointer initialization. Since this function does nothing
+we can simply initialize state to REMOTE_NO_KEY_PRESSED.
+
+Reported-and-tested-by: syzbot+2cd8c5db4a85f0a04142@syzkaller.appspotmail.com
+
+Fixes: 76f9a820c867 ("V4L/DVB: AZ6027: Initial import of the driver")
+Signed-off-by: Pavel Skripkin
+Signed-off-by: Sean Young
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Oliver Neukum
+---
+ drivers/media/usb/dvb-usb/az6027.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/usb/dvb-usb/az6027.c b/drivers/media/usb/dvb-usb/az6027.c
+index 1c39b61cde29..86788771175b 100644
+--- a/drivers/media/usb/dvb-usb/az6027.c
++++ b/drivers/media/usb/dvb-usb/az6027.c
+@@ -391,6 +391,7 @@ static struct rc_map_table rc_map_az6027_table[] = {
+ /* remote control stuff (does not work with my box) */
+ static int az6027_rc_query(struct dvb_usb_device *d, u32 *event, int *state)
+ {
++ *state = REMOTE_NO_KEY_PRESSED;
+ return 0;
+ }
+
+--
+2.34.1
+
diff --git a/patches.suse/media-em28xx-fix-memory-leak-in-em28xx_init_dev.patch b/patches.suse/media-em28xx-fix-memory-leak-in-em28xx_init_dev.patch
new file mode 100644
index 0000000..6f1e402
--- /dev/null
+++ b/patches.suse/media-em28xx-fix-memory-leak-in-em28xx_init_dev.patch
@@ -0,0 +1,75 @@ +From 22be5a10d0b24eec9e45decd15d7e6112b25f080 Mon Sep 17 00:00:00 2001 +From: Dongliang Mu +Date: Mon, 1 Nov 2021 09:55:39 +0000 +Subject: [PATCH] media: em28xx: fix memory leak in em28xx_init_dev +Git-commit: 22be5a10d0b24eec9e45decd15d7e6112b25f080 +References: git-fixes +Patch-mainline: v5.17-rc1 + +In the em28xx_init_rev, if em28xx_audio_setup fails, this function fails +to deallocate the media_dev allocated in the em28xx_media_device_init. + +Fix this by adding em28xx_unregister_media_device to free media_dev. + +BTW, this patch is tested in my local syzkaller instance, and it can +prevent the memory leak from occurring again. + +CC: Pavel Skripkin +Fixes: 37ecc7b1278f ("[media] em28xx: add media controller support") +Signed-off-by: Dongliang Mu +Reported-by: syzkaller +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Oliver Neukum +--- + drivers/media/usb/em28xx/em28xx-cards.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +--- a/drivers/media/usb/em28xx/em28xx-cards.c ++++ b/drivers/media/usb/em28xx/em28xx-cards.c +@@ -3399,8 +3399,10 @@ static int em28xx_init_dev(struct em28xx + + if (dev->is_audio_only) { + retval = em28xx_audio_setup(dev); +- if (retval) +- return -ENODEV; ++ if (retval) { ++ retval = -ENODEV; ++ goto err_deinit_media; ++ } + em28xx_init_extension(dev); + + return 0; +@@ -3430,7 +3432,7 @@ static int em28xx_init_dev(struct em28xx + dev_err(&dev->intf->dev, + "%s: em28xx_i2c_register bus 0 - error [%d]!\n", + __func__, retval); +- return retval; ++ goto err_deinit_media; + } + + /* register i2c bus 1 */ +@@ -3446,9 +3448,7 @@ static int em28xx_init_dev(struct em28xx + "%s: em28xx_i2c_register bus 1 - error [%d]!\n", + __func__, retval); + +- em28xx_i2c_unregister(dev, 0); +- +- return retval; ++ goto err_unreg_i2c; + } + } + +@@ -3456,6 +3456,12 @@ static int em28xx_init_dev(struct em28xx + em28xx_card_setup(dev); + + return 0; ++ ++err_unreg_i2c: ++ 
em28xx_i2c_unregister(dev, 0); ++err_deinit_media: ++ em28xx_unregister_media_device(dev); ++ return retval; + } + + /* high bandwidth multiplier, as encoded in highspeed endpoint descriptors */ diff --git a/patches.suse/media-lmedm04-Fix-misuse-of-comma.patch b/patches.suse/media-lmedm04-Fix-misuse-of-comma.patch new file mode 100644 index 0000000..a4b20de --- /dev/null +++ b/patches.suse/media-lmedm04-Fix-misuse-of-comma.patch @@ -0,0 +1,34 @@ +From 59a3e78f8cc33901fe39035c1ab681374bba95ad Mon Sep 17 00:00:00 2001 +From: Joe Perches +Date: Sun, 23 Aug 2020 20:13:31 +0200 +Subject: [PATCH] media: lmedm04: Fix misuse of comma +Git-commit: 59a3e78f8cc33901fe39035c1ab681374bba95ad +References: git-fixes +Patch-mainline: v5.12-rc1 + +There's a comma used instead of a semicolon that causes multiple +statements to be executed after an if instead of just the intended +single statement. + +Replace the comma with a semicolon. + +Fixes: 15e1ce33182d ("[media] lmedm04: Fix usb_submit_urb BOGUS urb xfer, pipe 1 != type 3 in interrupt urb") +Signed-off-by: Joe Perches +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Oliver Neukum +--- + drivers/media/usb/dvb-usb-v2/lmedm04.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/usb/dvb-usb-v2/lmedm04.c ++++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c +@@ -438,7 +438,7 @@ static int lme2510_int_read(struct dvb_u + ep = usb_pipe_endpoint(d->udev, lme_int->lme_urb->pipe); + + if (usb_endpoint_type(&ep->desc) == USB_ENDPOINT_XFER_BULK) +- lme_int->lme_urb->pipe = usb_rcvbulkpipe(d->udev, 0xa), ++ lme_int->lme_urb->pipe = usb_rcvbulkpipe(d->udev, 0xa); + + lme_int->lme_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP; + diff --git a/patches.suse/media-rc-loopback-return-number-of-emitters-rather-t.patch b/patches.suse/media-rc-loopback-return-number-of-emitters-rather-t.patch new file mode 100644 index 0000000..06501de --- /dev/null 
+++ b/patches.suse/media-rc-loopback-return-number-of-emitters-rather-t.patch
@@ -0,0 +1,36 @@
+From 6b7f554be8c92319d7e6df92fd247ebb9beb4a45 Mon Sep 17 00:00:00 2001
+From: Sean Young
+Date: Sat, 3 Jul 2021 15:37:17 +0200
+Subject: [PATCH] media: rc-loopback: return number of emitters rather than
+ error
+Git-commit: 6b7f554be8c92319d7e6df92fd247ebb9beb4a45
+References: git-fixes
+Patch-mainline: v5.15-rc1
+
+The LIRC_SET_TRANSMITTER_MASK ioctl should return the number of emitters
+if an invalid list was set.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Young
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Oliver Neukum
+---
+ drivers/media/rc/rc-loopback.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/rc/rc-loopback.c b/drivers/media/rc/rc-loopback.c
+index 1ba3f96ffa7d..40ab66c850f2 100644
+--- a/drivers/media/rc/rc-loopback.c
++++ b/drivers/media/rc/rc-loopback.c
+@@ -42,7 +42,7 @@ static int loop_set_tx_mask(struct rc_dev *dev, u32 mask)
+
+ if ((mask & (RXMASK_REGULAR | RXMASK_LEARNING)) != mask) {
+ dprintk("invalid tx mask: %u\n", mask);
+- return -EINVAL;
++ return 2;
+ }
+
+ dprintk("setting tx mask: %u\n", mask);
+--
+2.34.1
+
diff --git a/patches.suse/media-stkwebcam-fix-memory-leak-in-stk_camera_probe.patch b/patches.suse/media-stkwebcam-fix-memory-leak-in-stk_camera_probe.patch
new file mode 100644
index 0000000..f4d4488
--- /dev/null
+++ b/patches.suse/media-stkwebcam-fix-memory-leak-in-stk_camera_probe.patch
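Review bot: `return 2;` in loop_set_tx_mask() is a bare number whose meaning is explained only in the commit message. A comment on the line, e.g. `/* invalid mask: report the number of emitters */`, or a named constant beside RXMASK_REGULAR and RXMASK_LEARNING would keep the value tied to the two mask bits it counts. Because this path now returns a positive value where it returned -EINVAL before, it is worth confirming that the ioctl path in the backport target passes a positive result through to user space rather than treating any non-zero return as an error; the callers are outside the hunk.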
@@ -0,0 +1,48 @@ +From 514e97674400462cc09c459a1ddfb9bf39017223 Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Wed, 7 Jul 2021 19:54:30 +0200 +Subject: [PATCH] media: stkwebcam: fix memory leak in stk_camera_probe +Git-commit: 514e97674400462cc09c459a1ddfb9bf39017223 +References: git-fixes +Patch-mainline: v5.15-rc1 + +My local syzbot instance hit memory leak in usb_set_configuration(). +The problem was in unputted usb interface. In case of errors after +usb_get_intf() the reference should be putted to correclty free memory +allocated for this interface. + +Fixes: ec16dae5453e ("V4L/DVB (7019): V4L: add support for Syntek DC1125 webcams") +Cc: stable@vger.kernel.org +Signed-off-by: Pavel Skripkin +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Oliver Neukum +--- + drivers/media/usb/stkwebcam/stk-webcam.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/media/usb/stkwebcam/stk-webcam.c ++++ b/drivers/media/usb/stkwebcam/stk-webcam.c +@@ -1357,7 +1357,7 @@ static int stk_camera_probe(struct usb_i + if (!dev->isoc_ep) { + STK_ERROR("Could not find isoc-in endpoint"); + err = -ENODEV; +- goto error; ++ goto error_put; + } + dev->vsettings.palette = V4L2_PIX_FMT_RGB565; + dev->vsettings.mode = MODE_VGA; +@@ -1370,10 +1370,12 @@ static int stk_camera_probe(struct usb_i + + err = stk_register_video_device(dev); + if (err) +- goto error; ++ goto error_put; + + return 0; + ++error_put: ++ usb_put_intf(interface); + error: + v4l2_ctrl_handler_free(hdl); + v4l2_device_unregister(&dev->v4l2_dev); diff --git a/patches.suse/media-uvc-don-t-do-DMA-on-stack.patch b/patches.suse/media-uvc-don-t-do-DMA-on-stack.patch new file mode 100644 index 0000000..2cc76c5 --- /dev/null +++ b/patches.suse/media-uvc-don-t-do-DMA-on-stack.patch 
@@ -0,0 +1,100 @@ +From 1a10d7fdb6d0e235e9d230916244cc2769d3f170 Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Thu, 17 Jun 2021 14:33:29 +0200 +Subject: [PATCH] media: uvc: don't do DMA on stack +Git-commit: 1a10d7fdb6d0e235e9d230916244cc2769d3f170 +References: git-fixes +Patch-mainline: v5.15-rc1 + +As warned by smatch: + drivers/media/usb/uvc/uvc_v4l2.c:911 uvc_ioctl_g_input() error: doing dma on the stack (&i) + drivers/media/usb/uvc/uvc_v4l2.c:943 uvc_ioctl_s_input() error: doing dma on the stack (&i) + +those two functions call uvc_query_ctrl passing a pointer to +a data at the DMA stack. those are used to send URBs via +usb_control_msg(). Using DMA stack is not supported and should +not work anymore on modern Linux versions. + +So, use a kmalloc'ed buffer. + +Cc: stable@vger.kernel.org # Kernel 4.9 and upper +Reviewed-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Oliver Neukum +--- + drivers/media/usb/uvc/uvc_v4l2.c | 34 +++++++++++++++++++++----------- + 1 file changed, 23 insertions(+), 11 deletions(-) + +diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c +index 252136cc885c..6acb8013de08 100644 +--- a/drivers/media/usb/uvc/uvc_v4l2.c ++++ b/drivers/media/usb/uvc/uvc_v4l2.c +@@ -899,8 +899,8 @@ static int uvc_ioctl_g_input(struct file *file, void *fh, unsigned int *input) + { + struct uvc_fh *handle = fh; + struct uvc_video_chain *chain = handle->chain; ++ u8 *buf; + int ret; +- u8 i; + + if (chain->selector == NULL || + (chain->dev->quirks & UVC_QUIRK_IGNORE_SELECTOR_UNIT)) { +@@ -908,22 +908,27 @@ static int uvc_ioctl_g_input(struct file *file, void *fh, unsigned int *input) + return 0; + } + ++ buf = kmalloc(1, GFP_KERNEL); ++ if (!buf) ++ return -ENOMEM; ++ + ret = uvc_query_ctrl(chain->dev, UVC_GET_CUR, chain->selector->id, + chain->dev->intfnum, UVC_SU_INPUT_SELECT_CONTROL, +- &i, 1); +- if (ret < 0) +- return ret; ++ buf, 1); ++ if (!ret) ++ *input = *buf - 1; + +- *input = i - 
1; +- return 0; ++ kfree(buf); ++ ++ return ret; + } + + static int uvc_ioctl_s_input(struct file *file, void *fh, unsigned int input) + { + struct uvc_fh *handle = fh; + struct uvc_video_chain *chain = handle->chain; ++ u8 *buf; + int ret; +- u32 i; + + ret = uvc_acquire_privileges(handle); + if (ret < 0) +@@ -939,10 +944,17 @@ static int uvc_ioctl_s_input(struct file *file, void *fh, unsigned int input) + if (input >= chain->selector->bNrInPins) + return -EINVAL; + +- i = input + 1; +- return uvc_query_ctrl(chain->dev, UVC_SET_CUR, chain->selector->id, +- chain->dev->intfnum, UVC_SU_INPUT_SELECT_CONTROL, +- &i, 1); ++ buf = kmalloc(1, GFP_KERNEL); ++ if (!buf) ++ return -ENOMEM; ++ ++ *buf = input + 1; ++ ret = uvc_query_ctrl(chain->dev, UVC_SET_CUR, chain->selector->id, ++ chain->dev->intfnum, UVC_SU_INPUT_SELECT_CONTROL, ++ buf, 1); ++ kfree(buf); ++ ++ return ret; + } + + static int uvc_ioctl_queryctrl(struct file *file, void *fh, +-- +2.34.1 + diff --git a/patches.suse/media-v4l2-ioctl-S_CTRL-output-the-right-value.patch b/patches.suse/media-v4l2-ioctl-S_CTRL-output-the-right-value.patch new file mode 100644 index 0000000..ac7accb --- /dev/null +++ b/patches.suse/media-v4l2-ioctl-S_CTRL-output-the-right-value.patch 
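Review bot: In uvc_ioctl_g_input() the byte read back from the device is used unchecked in `*input = *buf - 1;`, so a device that answers 0 makes `*input` wrap to UINT_MAX, and any value above the selector's pin count is passed on to user space as well. The set path already bounds its argument with `input >= chain->selector->bNrInPins`; the get path could reject out-of-range replies the same way, for example `if (!ret && (*buf < 1 || *buf > chain->selector->bNrInPins)) ret = -EIO;` placed before the assignment. The unchecked use predates the patch (`*input = i - 1`), but the rewrite is the natural place to add the check. `return ret;` also relies on uvc_query_ctrl() never returning a positive value, which is not visible in the hunk.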
@@ -0,0 +1,55 @@
+From c87ed93574e3cd8346c05bd934c617596c12541b Mon Sep 17 00:00:00 2001
+From: Ricardo Ribalda
+Date: Fri, 18 Jun 2021 14:29:06 +0200
+Subject: [PATCH] media: v4l2-ioctl: S_CTRL output the right value
+Git-commit: c87ed93574e3cd8346c05bd934c617596c12541b
+References: git-fixes
+Patch-mainline: v5.16-rc1
+
+If the driver does not implement s_ctrl, but it does implement
+s_ext_ctrls, we convert the call.
+
+When that happens we have also to convert back the response from
+s_ext_ctrls.
+
+Fixes v4l2_compliance:
+Control ioctls (Input 0):
+ fail: v4l2-test-controls.cpp(411): returned control value out of range
+ fail: v4l2-test-controls.cpp(507): invalid control 00980900
+ test VIDIOC_G/S_CTRL: FAIL
+
+Fixes: 35ea11ff8471 ("V4L/DVB (8430): videodev: move some functions from v4l2-dev.h to v4l2-common.h or v4l2-ioctl.h")
+Reviewed-by: Hans Verkuil
+Signed-off-by: Ricardo Ribalda
+Signed-off-by: Laurent Pinchart
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Oliver Neukum
+---
+ drivers/media/v4l2-core/v4l2-ioctl.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/v4l2-core/v4l2-ioctl.c
++++ b/drivers/media/v4l2-core/v4l2-ioctl.c
+@@ -2052,6 +2052,7 @@ static int v4l_s_ctrl(const struct v4l2_
+ test_bit(V4L2_FL_USES_V4L2_FH, &vfd->flags) ? fh : NULL;
+ struct v4l2_ext_controls ctrls;
+ struct v4l2_ext_control ctrl;
++ int ret;
+
+ if (vfh && vfh->ctrl_handler)
+ return v4l2_s_ctrl(vfh, vfh->ctrl_handler, p);
+@@ -2067,9 +2068,11 @@ static int v4l_s_ctrl(const struct v4l2_
+ ctrls.controls = &ctrl;
+ ctrl.id = p->id;
+ ctrl.value = p->value;
+- if (check_ext_ctrls(&ctrls, 1))
+- return ops->vidioc_s_ext_ctrls(file, fh, &ctrls);
+- return -EINVAL;
++ if (!check_ext_ctrls(&ctrls, VIDIOC_S_CTRL))
++ return -EINVAL;
++ ret = ops->vidioc_s_ext_ctrls(file, fh, &ctrls);
++ p->value = ctrl.value;
++ return ret;
+ }
+
+ static int v4l_g_ext_ctrls(const struct v4l2_ioctl_ops *ops,
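Review bot: The second argument to check_ext_ctrls() changes from `1` on the removed line to `VIDIOC_S_CTRL` on the added one, which looks like an upstream signature leaking into the backport. If check_ext_ctrls() in this tree still takes a boolean-style flag (its prototype is outside the hunk, so this needs confirming), the ioctl number only works because it is non-zero; keeping `if (!check_ext_ctrls(&ctrls, 1))` would match the call this hunk replaces. Also, `p->value = ctrl.value;` runs even when vidioc_s_ext_ctrls() fails; if the caller should only see the driver's value on success, guard it with `if (!ret)`.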
diff --git a/patches.suse/media-videobuf2-core-dequeue-if-start_streaming-fail.patch b/patches.suse/media-videobuf2-core-dequeue-if-start_streaming-fail.patch
new file mode 100644
index 0000000..7370834
--- /dev/null
+++ b/patches.suse/media-videobuf2-core-dequeue-if-start_streaming-fail.patch
@@ -0,0 +1,65 @@
+From c592b46907adbeb81243f7eb7a468c36692658b8 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil
+Date: Wed, 30 Jun 2021 09:58:23 +0200
+Subject: [PATCH] media: videobuf2-core: dequeue if start_streaming fails
+Git-commit: c592b46907adbeb81243f7eb7a468c36692658b8
+References: git-fixes
+Patch-mainline: v5.14-rc5
+
+If a vb2_queue sets q->min_buffers_needed then when the number of
+queued buffers reaches q->min_buffers_needed, vb2_core_qbuf() will call
+the start_streaming() callback. If start_streaming() returns an error,
+then that error was just returned by vb2_core_qbuf(), but the buffer
+was still queued. However, userspace expects that if VIDIOC_QBUF fails,
+the buffer is returned dequeued.
+
+So if start_streaming() fails, then remove the buffer from the queue,
+thus avoiding this unwanted side-effect.
+
+Signed-off-by: Hans Verkuil
+Reviewed-by: Laurent Pinchart
+Tested-by: Kieran Bingham
+Fixes: b3379c6201bb ("[media] vb2: only call start_streaming if sufficient buffers are queued")
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Oliver Neukum
+---
+ drivers/media/v4l2-core/videobuf2-core.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/v4l2-core/videobuf2-core.c
++++ b/drivers/media/v4l2-core/videobuf2-core.c
+@@ -1373,6 +1373,7 @@ static int vb2_start_streaming(struct vb
+ int vb2_core_qbuf(struct vb2_queue *q, unsigned int index, void *pb)
+ {
+ struct vb2_buffer *vb;
++ enum vb2_buffer_state orig_state;
+ int ret;
+
+ if (q->error) {
+@@ -1402,6 +1403,7 @@ int vb2_core_qbuf(struct vb2_queue *q, u
+ * Add to the queued buffers list, a buffer will stay on it until
+ * dequeued in dqbuf.
+ */
++ orig_state = vb->state;
+ list_add_tail(&vb->queued_entry, &q->queued_list);
+ q->queued_count++;
+ q->waiting_for_buffers = false;
+@@ -1432,8 +1434,17 @@ int vb2_core_qbuf(struct vb2_queue *q, u
+ if (q->streaming && !q->start_streaming_called &&
+ q->queued_count >= q->min_buffers_needed) {
+ ret = vb2_start_streaming(q);
+- if (ret)
++ if (ret) {
++ /*
++ * Since vb2_core_qbuf will return with an error,
++ * we should return it to state DEQUEUED since
++ * the error indicates that the buffer wasn't queued.
++ */
++ list_del(&vb->queued_entry);
++ q->queued_count--;
++ vb->state = orig_state;
+ return ret;
++ }
+ }
+
+ dprintk(1, "qbuf of buffer %d succeeded\n", vb->index);
diff --git a/patches.suse/mwifiex-Read-a-PCI-register-after-writing-the-TX-rin.patch b/patches.suse/mwifiex-Read-a-PCI-register-after-writing-the-TX-rin.patch
new file mode 100644
index 0000000..005b41e
--- /dev/null
+++ b/patches.suse/mwifiex-Read-a-PCI-register-after-writing-the-TX-rin.patch
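Review bot: The new comment says the buffer is returned to state DEQUEUED, but the code restores `orig_state`, which is whatever `vb->state` held before list_add_tail() and is not necessarily DEQUEUED (the earlier part of vb2_core_qbuf is outside the hunks). I would reword it to describe what the code does, e.g. `/* start_streaming() failed: unlink the buffer and restore its pre-qbuf state so userspace sees it as not queued */`. It is also worth confirming that vb2_start_streaming()'s own error path cannot already have taken this buffer off `q->queued_list`, since `list_del()` on an entry that is no longer linked would corrupt the list.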
@@ -0,0 +1,59 @@
+From e5f4eb8223aa740237cd463246a7debcddf4eda1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jonas=20Dre=C3=9Fler?=
+Date: Mon, 11 Oct 2021 15:32:23 +0200
+Subject: [PATCH] mwifiex: Read a PCI register after writing the TX ring write
+ pointer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Git-commit: e5f4eb8223aa740237cd463246a7debcddf4eda1
+References: git-fixes
+Patch-mainline: v5.16-rc1
+
+On the 88W8897 PCIe+USB card the firmware randomly crashes after setting
+the TX ring write pointer. The issue is present in the latest firmware
+version 15.68.19.p21 of the PCIe+USB card.
+
+Those firmware crashes can be worked around by reading any PCI register
+of the card after setting that register, so read the PCI_VENDOR_ID
+register here. The reason this works is probably because we keep the bus
+from entering an ASPM state for a bit longer, because that's what causes
+the cards firmware to crash.
+
+This fixes a bug where during RX/TX traffic and with ASPM L1 substates
+enabled (the specific substates where the issue happens appear to be
+platform dependent), the firmware crashes and eventually a command
+timeout appears in the logs.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=109681
+Cc: stable@vger.kernel.org
+Signed-off-by: Jonas Dreßler
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20211011133224.15561-2-verdre@v0yd.nl
+Signed-off-by: Oliver Neukum
+---
+ drivers/net/wireless/marvell/mwifiex/pcie.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/pcie.c b/drivers/net/wireless/marvell/mwifiex/pcie.c
+index c6ccce426b49..641fa539de1f 100644
+--- a/drivers/net/wireless/marvell/mwifiex/pcie.c
++++ b/drivers/net/wireless/marvell/mwifiex/pcie.c
+@@ -1490,6 +1490,14 @@ mwifiex_pcie_send_data(struct mwifiex_adapter *adapter, struct sk_buff *skb,
+ ret = -1;
+ goto done_unmap;
+ }
++
++ /* The firmware (latest version 15.68.19.p21) of the 88W8897 PCIe+USB card
++ * seems to crash randomly after setting the TX ring write pointer when
++ * ASPM powersaving is enabled. A workaround seems to be keeping the bus
++ * busy by reading a random register afterwards.
++ */
++ mwifiex_read_reg(adapter, PCI_VENDOR_ID, &rx_val);
++
+ if ((mwifiex_pcie_txbd_not_full(card)) &&
+ tx_param->next_pkt_len) {
+ /* have more packets and TxBD still can hold more */
+--
+2.34.1
+
diff --git a/patches.suse/mwifiex-Send-DELBA-requests-according-to-spec.patch b/patches.suse/mwifiex-Send-DELBA-requests-according-to-spec.patch
new file mode 100644
index 0000000..697b184
--- /dev/null
+++ b/patches.suse/mwifiex-Send-DELBA-requests-according-to-spec.patch
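Review bot: The dummy read stores into `rx_val`, a variable declared outside this hunk, and its return value is dropped without comment. If `rx_val` is read again further down in mwifiex_pcie_send_data(), the workaround would silently change that value, so I would state in the comment that the result is intentionally ignored and that `rx_val` is only a scratch destination here. The comment also says "a random register" while the code always reads `PCI_VENDOR_ID`; "reading any register" would describe it more accurately.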
@@ -0,0 +1,55 @@
+From cc8a8bc37466f79b24d972555237f3d591150602 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jonas=20Dre=C3=9Fler?=
+Date: Sat, 16 Oct 2021 17:32:43 +0200
+Subject: [PATCH] mwifiex: Send DELBA requests according to spec
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Git-commit: cc8a8bc37466f79b24d972555237f3d591150602
+References: git-fixes
+Patch-mainline: v5.16-rc1
+
+While looking at on-air packets using Wireshark, I noticed we're never
+setting the initiator bit when sending DELBA requests to the AP: While
+we set the bit on our del_ba_param_set bitmask, we forget to actually
+copy that bitmask over to the command struct, which means we never
+actually set the initiator bit.
+
+Fix that and copy the bitmask over to the host_cmd_ds_11n_delba command
+struct.
+
+Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
+Signed-off-by: Jonas Dreßler
+Acked-by: Pali Rohár
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20211016153244.24353-5-verdre@v0yd.nl
+Signed-off-by: Oliver Neukum
+---
+ drivers/net/wireless/marvell/mwifiex/11n.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/11n.c b/drivers/net/wireless/marvell/mwifiex/11n.c
+index b0695432b26a..9ff2058bcd7e 100644
+--- a/drivers/net/wireless/marvell/mwifiex/11n.c
++++ b/drivers/net/wireless/marvell/mwifiex/11n.c
+@@ -657,14 +657,15 @@ int mwifiex_send_delba(struct mwifiex_private *priv, int tid, u8 *peer_mac,
+ uint16_t del_ba_param_set;
+
+ memset(&delba, 0, sizeof(delba));
+- delba.del_ba_param_set = cpu_to_le16(tid << DELBA_TID_POS);
+
+- del_ba_param_set = le16_to_cpu(delba.del_ba_param_set);
++ del_ba_param_set = tid << DELBA_TID_POS;
++
+ if (initiator)
+ del_ba_param_set |= IEEE80211_DELBA_PARAM_INITIATOR_MASK;
+ else
+ del_ba_param_set &= ~IEEE80211_DELBA_PARAM_INITIATOR_MASK;
+
++ delba.del_ba_param_set = cpu_to_le16(del_ba_param_set);
+ memcpy(&delba.peer_mac_addr, peer_mac, ETH_ALEN);
+
+ /* We don't wait for the response of this command */
+--
+2.34.1
+
diff --git a/patches.suse/mxser-fix-xmit_buf-leak-in-activate-when-LSR-0xff.patch b/patches.suse/mxser-fix-xmit_buf-leak-in-activate-when-LSR-0xff.patch
new file mode 100644
index 0000000..703b259
--- /dev/null
+++ b/patches.suse/mxser-fix-xmit_buf-leak-in-activate-when-LSR-0xff.patch
@@ -0,0 +1,68 @@
+From: Jiri Slaby
+Date: Mon, 24 Jan 2022 08:14:24 +0100
+Subject: mxser: fix xmit_buf leak in activate when LSR == 0xff
+Git-commit: cd3a4907ee334b40d7aa880c7ab310b154fd5cd4
+Patch-mainline: 5.18-rc1
+References: git-fixes
+
+When LSR is 0xff in ->activate() (rather unlike), we return an error.
+Provided ->shutdown() is not called when ->activate() fails, nothing
+actually frees the buffer in this case.
+
+Fix this by properly freeing the buffer in a designated label. We jump
+there also from the "!info->type" if now too.
+
+Fixes: 6769140d3047 ("tty: mxser: use the tty_port_open method")
+Signed-off-by: Jiri Slaby
+Link: https://lore.kernel.org/r/20220124071430.14907-6-jslaby@suse.cz
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/mxser.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/drivers/tty/mxser.c
++++ b/drivers/tty/mxser.c
+@@ -860,6 +860,7 @@ static int mxser_activate(struct tty_por
+ struct mxser_port *info = container_of(port, struct mxser_port, port);
+ unsigned long page;
+ unsigned long flags;
++ int ret;
+
+ page = __get_free_page(GFP_KERNEL);
+ if (!page)
+@@ -869,9 +870,9 @@ static int mxser_activate(struct tty_por
+
+ if (!info->ioaddr || !info->type) {
+ set_bit(TTY_IO_ERROR, &tty->flags);
+- free_page(page);
+ spin_unlock_irqrestore(&info->slock, flags);
+- return 0;
++ ret = 0;
++ goto err_free_xmit;
+ }
+ info->port.xmit_buf = (unsigned char *) page;
+
+@@ -897,8 +898,10 @@ static int mxser_activate(struct tty_por
+ if (capable(CAP_SYS_ADMIN)) {
+ set_bit(TTY_IO_ERROR, &tty->flags);
+ return 0;
+- } else
+- return -ENODEV;
++ }
++
++ ret = -ENODEV;
++ goto err_free_xmit;
+ }
+
+ /*
+@@ -943,6 +946,10 @@ static int mxser_activate(struct tty_por
+ spin_unlock_irqrestore(&info->slock, flags);
+
+ return 0;
++err_free_xmit:
++ free_page(page);
++ info->port.xmit_buf = NULL;
++ return ret;
+ }
+
+ /*
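Review bot: At `err_free_xmit` the page is freed before the published pointer is cleared, and neither statement is visibly under `info->slock`. On the `-ENODEV` path `info->port.xmit_buf` already points at the page (the assignment is context in the second inner hunk), so for a short window the port carries a pointer to freed memory; whether anything can read it at that point depends on code outside the hunks. Swapping the two statements, `info->port.xmit_buf = NULL;` then `free_page(page);`, closes that window at no cost. The `capable(CAP_SYS_ADMIN)` branch still returns 0 with the buffer allocated, which presumably relies on ->shutdown() freeing it later.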
diff --git a/patches.suse/net-ethernet-mtk_eth_soc-fix-return-values-and-refac.patch b/patches.suse/net-ethernet-mtk_eth_soc-fix-return-values-and-refac.patch
new file mode 100644
index 0000000..0a86c1b
--- /dev/null
+++ b/patches.suse/net-ethernet-mtk_eth_soc-fix-return-values-and-refac.patch
@@ -0,0 +1,137 @@
+From b048aa8154b180f3da08f58813c59d65f83f1d3e Mon Sep 17 00:00:00 2001
+From: Daniel Golle
+Date: Tue, 4 Jan 2022 12:06:22 +0000
+Subject: [PATCH 3/6] net: ethernet: mtk_eth_soc: fix return values and
+ refactor MDIO ops
+References: git-fixes
+Patch-mainline: v5.17-rc1
+Git-commit: eda80b249df7bbc7b3dd13907343a3e59bfc57fd
+
+Instead of returning -1 (-EPERM) when MDIO bus is stuck busy
+while writing or 0xffff if it happens while reading, return the
+appropriate -ETIMEDOUT. Also fix return type to int instead of u32.
+Refactor functions to use bitfield helpers instead of having various
+masking and shifting constants in the code, which also results in the
+register definitions in the header file being more obviously related
+to what is stated in the MediaTek's Reference Manual.
+
+Fixes: 656e705243fd0 ("net-next: mediatek: add support for MT7623 ethernet")
+Signed-off-by: Daniel Golle
+Signed-off-by: David S. Miller
+Signed-off-by: Denis Kirjanov
+---
+ drivers/net/ethernet/mediatek/mtk_eth_soc.c | 53 ++++++++++++++++-------------
+ drivers/net/ethernet/mediatek/mtk_eth_soc.h | 16 ++++++---
+ 2 files changed, 41 insertions(+), 28 deletions(-)
+
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+index 962975d192d1..5f15eb86ff00 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+@@ -78,46 +78,53 @@ static int mtk_mdio_busy_wait(struct mtk_eth *eth)
+ }
+
+ dev_err(eth->dev, "mdio: MDIO timeout\n");
+- return -1;
++ return -ETIMEDOUT;
+ }
+
+-static u32 _mtk_mdio_write(struct mtk_eth *eth, u32 phy_addr,
+- u32 phy_register, u32 write_data)
++static int _mtk_mdio_write(struct mtk_eth *eth, u32 phy_addr, u32 phy_reg,
++ u32 write_data)
+ {
+- if (mtk_mdio_busy_wait(eth))
+- return -1;
++ int ret;
+
+- write_data &= 0xffff;
++ ret = mtk_mdio_busy_wait(eth);
++ if (ret < 0)
++ return ret;
+
+- mtk_w32(eth, PHY_IAC_ACCESS | PHY_IAC_START | PHY_IAC_WRITE |
+- (phy_register << PHY_IAC_REG_SHIFT) |
+- (phy_addr << PHY_IAC_ADDR_SHIFT) | write_data,
++ mtk_w32(eth, PHY_IAC_ACCESS |
++ PHY_IAC_START_C22 |
++ PHY_IAC_CMD_WRITE |
++ PHY_IAC_REG(phy_reg) |
++ PHY_IAC_ADDR(phy_addr) |
++ PHY_IAC_DATA(write_data),
+ MTK_PHY_IAC);
+
+- if (mtk_mdio_busy_wait(eth))
+- return -1;
++ ret = mtk_mdio_busy_wait(eth);
++ if (ret < 0)
++ return ret;
+
+ return 0;
+ }
+
+-static u32 _mtk_mdio_read(struct mtk_eth *eth, int phy_addr, int phy_reg)
++static int _mtk_mdio_read(struct mtk_eth *eth, u32 phy_addr, u32 phy_reg)
+ {
+- u32 d;
++ int ret;
+
+- if (mtk_mdio_busy_wait(eth))
+- return 0xffff;
++ ret = mtk_mdio_busy_wait(eth);
++ if (ret < 0)
++ return ret;
+
+- mtk_w32(eth, PHY_IAC_ACCESS | PHY_IAC_START | PHY_IAC_READ |
+- (phy_reg << PHY_IAC_REG_SHIFT) |
+- (phy_addr << PHY_IAC_ADDR_SHIFT),
++ mtk_w32(eth, PHY_IAC_ACCESS |
++ PHY_IAC_START_C22 |
++ PHY_IAC_CMD_C22_READ |
++ PHY_IAC_REG(phy_reg) |
++ PHY_IAC_ADDR(phy_addr),
+ MTK_PHY_IAC);
+
+- if (mtk_mdio_busy_wait(eth))
+- return 0xffff;
+-
+- d = mtk_r32(eth, MTK_PHY_IAC) & 0xffff;
++ ret = mtk_mdio_busy_wait(eth);
++ if (ret < 0)
++ return ret;
+
+- return d;
++ return mtk_r32(eth, MTK_PHY_IAC) & PHY_IAC_DATA_MASK;
+ }
+
+ static int mtk_mdio_write(struct mii_bus *bus, int phy_addr,
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.h b/drivers/net/ethernet/mediatek/mtk_eth_soc.h
+index 3c46a3b613b9..d656a459e77b 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.h
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.h
+@@ -288,11 +288,17 @@
+ /* PHY Indirect Access Control registers */
+ #define MTK_PHY_IAC 0x10004
+ #define PHY_IAC_ACCESS BIT(31)
+-#define PHY_IAC_READ BIT(19)
+-#define PHY_IAC_WRITE BIT(18)
+-#define PHY_IAC_START BIT(16)
+-#define PHY_IAC_ADDR_SHIFT 20
+-#define PHY_IAC_REG_SHIFT 25
++#define PHY_IAC_REG_MASK GENMASK(29, 25)
++#define PHY_IAC_REG(x) FIELD_PREP(PHY_IAC_REG_MASK, (x))
++#define PHY_IAC_ADDR_MASK GENMASK(24, 20)
++#define PHY_IAC_ADDR(x) FIELD_PREP(PHY_IAC_ADDR_MASK, (x))
++#define PHY_IAC_CMD_MASK GENMASK(19, 18)
++#define PHY_IAC_CMD_WRITE FIELD_PREP(PHY_IAC_CMD_MASK, 1)
++#define PHY_IAC_CMD_C22_READ FIELD_PREP(PHY_IAC_CMD_MASK, 2)
++#define PHY_IAC_START_MASK GENMASK(17, 16)
++#define PHY_IAC_START_C22 FIELD_PREP(PHY_IAC_START_MASK, 1)
++#define PHY_IAC_DATA_MASK GENMASK(15, 0)
++#define PHY_IAC_DATA(x) FIELD_PREP(PHY_IAC_DATA_MASK, (x))
+ #define PHY_IAC_TIMEOUT HZ
+
+ /* Mac control registers */
+--
+2.16.4
+
diff --git a/patches.suse/net-sysfs-call-dev_hold-if-kobject_init_and_add-succ.patch b/patches.suse/net-sysfs-call-dev_hold-if-kobject_init_and_add-succ.patch
new file mode 100644
index 0000000..68d1f84
--- /dev/null
+++ b/patches.suse/net-sysfs-call-dev_hold-if-kobject_init_and_add-succ.patch
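Review bot: _mtk_mdio_read() used to return `0xffff` on a busy timeout and now returns a negative errno, so every caller has to test for `< 0` before treating the result as register data. Only the first line of mtk_mdio_write() is visible as context, so the callers in this tree (which may differ from upstream) need auditing; one that stores the result in a `u32` or masks it would turn -ETIMEDOUT into a bogus PHY value. The header hunk also introduces `FIELD_PREP()` and `GENMASK()` without adding an include, so confirm that `linux/bitfield.h` is already pulled in for mtk_eth_soc.h in this kernel.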
@@ -0,0 +1,61 @@
+From: YueHaibing
+Date: Tue, 19 Mar 2019 10:16:53 +0800
+Subject: net-sysfs: call dev_hold if kobject_init_and_add success
+Patch-mainline: v5.1-rc3
+Git-commit: a3e23f719f5c4a38ffb3d30c8d7632a4ed8ccd9e
+References: CVE-2019-20811 bsc#1172456
+
+In netdev_queue_add_kobject and rx_queue_add_kobject,
+if sysfs_create_group failed, kobject_put will call
+netdev_queue_release to decrease dev refcont, however
+dev_hold has not be called. So we will see this while
+unregistering dev:
+
+unregister_netdevice: waiting for bcsh0 to become free. Usage count = -1
+
+Reported-by: Hulk Robot
+Fixes: d0d668371679 ("net: don't decrement kobj reference count on init failure")
+Signed-off-by: YueHaibing
+Signed-off-by: David S. Miller
+Acked-by: Michal Kubecek
+
+---
+ net/core/net-sysfs.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/core/net-sysfs.c
++++ b/net/core/net-sysfs.c
+@@ -919,6 +919,8 @@ static int rx_queue_add_kobject(struct net_device *dev, int index)
+ if (error)
+ return error;
+
++ dev_hold(queue->dev);
++
+ if (dev->sysfs_rx_queue_group) {
+ error = sysfs_create_group(kobj, dev->sysfs_rx_queue_group);
+ if (error) {
+@@ -928,7 +930,6 @@ static int rx_queue_add_kobject(struct net_device *dev, int index)
+ }
+
+ kobject_uevent(kobj, KOBJ_ADD);
+- dev_hold(queue->dev);
+
+ return error;
+ }
+@@ -1340,6 +1341,8 @@ static int netdev_queue_add_kobject(struct net_device *dev, int index)
+ if (error)
+ return error;
+
++ dev_hold(queue->dev);
++
+ #ifdef CONFIG_BQL
+ error = sysfs_create_group(kobj, &dql_group);
+ if (error) {
+@@ -1349,7 +1352,6 @@ static int netdev_queue_add_kobject(struct net_device *dev, int index)
+ #endif
+
+ kobject_uevent(kobj, KOBJ_ADD);
+- dev_hold(queue->dev);
+
+ return 0;
+ }
diff --git a/patches.suse/net-usb-ax88179_178a-Fix-out-of-bounds-accesses-in-R.patch b/patches.suse/net-usb-ax88179_178a-Fix-out-of-bounds-accesses-in-R.patch
index 70322c5..07c5992 100644
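Review bot: Both functions still `return error;` straight after the init call, shown as context at the top of the first and third inner hunks, without a kobject_put(). The subject line names that call as kobject_init_and_add(), whose documented contract is that the kobject must be released with kobject_put() even when it fails; doing that here would run the release handler and drop a device reference that has not been taken yet, because `dev_hold(queue->dev);` only runs after the early return. Taking the reference before kobject_init_and_add() and calling `kobject_put(kobj);` on that failure path would keep the count balanced on every exit. The call itself is outside the hunks, so this needs checking against the full functions.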
--- a/patches.suse/net-usb-ax88179_178a-Fix-out-of-bounds-accesses-in-R.patch
+++ b/patches.suse/net-usb-ax88179_178a-Fix-out-of-bounds-accesses-in-R.patch
@@ -4,7 +4,7 @@ Date: Wed, 26 Jan 2022 14:14:52 +0100 Subject: [PATCH] net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup Git-commit: 57bc3d3ae8c14df3ceb4e17d26ddf9eeab304581 -References: bsc#1196018 +References: bsc#1196018 CVE-2022-28748 Patch-mainline: v5.17-rc4 ax88179_rx_fixup() contains several out-of-bounds accesses that can be
diff --git a/patches.suse/net-x25-Fix-null-ptr-deref-caused-by-x25_disconnect.patch b/patches.suse/net-x25-Fix-null-ptr-deref-caused-by-x25_disconnect.patch
new file mode 100644
index 0000000..b86e806
--- /dev/null
+++ b/patches.suse/net-x25-Fix-null-ptr-deref-caused-by-x25_disconnect.patch
@@ -0,0 +1,64 @@
+From d6f4bdc3bca4ddcdc60c0544d85ecf7670ee1c53 Mon Sep 17 00:00:00 2001
+From: Duoming Zhou
+Date: Sat, 26 Mar 2022 18:43:46 +0800
+Subject: [PATCH] net/x25: Fix null-ptr-deref caused by x25_disconnect
+Git-commit: 7781607938c8371d4c2b243527430241c62e39c2
+Patch-mainline: v5.18-rc1
+References: CVE-2022-1516 bsc#1199012
+
+When the link layer is terminating, x25->neighbour will be set to NULL
+in x25_disconnect(). As a result, it could cause null-ptr-deref bugs in
+x25_sendmsg(),x25_recvmsg() and x25_connect(). One of the bugs is
+shown below.
+
+ (Thread 1) | (Thread 2)
+x25_link_terminated() | x25_recvmsg()
+ x25_kill_by_neigh() | ...
+ x25_disconnect() | lock_sock(sk)
+ ... | ...
+ x25->neighbour = NULL //(1) |
+ ... | x25->neighbour->extended //(2)
+
+The code sets NULL to x25->neighbour in position (1) and dereferences
+x25->neighbour in position (2), which could cause null-ptr-deref bug.
+
+This patch adds lock_sock() in x25_kill_by_neigh() in order to synchronize
+with x25_sendmsg(), x25_recvmsg() and x25_connect(). What`s more, the
+sock held by lock_sock() is not NULL, because it is extracted from x25_list
+and uses x25_list_lock to synchronize.
+
+Fixes: 4becb7ee5b3d ("net/x25: Fix x25_neigh refcnt leak when x25 disconnect")
+Signed-off-by: Duoming Zhou
+Reviewed-by: Lin Ma
+Signed-off-by: David S. Miller
+Signed-off-by: Denis Kirjanov
+---
+ net/x25/af_x25.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
+index b7e91af375a9..bdf6e80c8597 100644
+--- a/net/x25/af_x25.c
++++ b/net/x25/af_x25.c
+@@ -1789,10 +1789,15 @@ void x25_kill_by_neigh(struct x25_neigh *nb)
+
+ write_lock_bh(&x25_list_lock);
+
+- sk_for_each(s, &x25_list)
+- if (x25_sk(s)->neighbour == nb)
++ sk_for_each(s, &x25_list) {
++ if (x25_sk(s)->neighbour == nb) {
++ write_unlock_bh(&x25_list_lock);
++ lock_sock(s);
+ x25_disconnect(s, ENETUNREACH, 0, 0);
+-
++ release_sock(s);
++ write_lock_bh(&x25_list_lock);
++ }
++ }
+ write_unlock_bh(&x25_list_lock);
+
+ /* Remove any related forwards */
+--
+2.16.4
+
diff --git a/patches.suse/nfc-fix-NULL-ptr-dereference-in-llcp_sock_getname-af.patch b/patches.suse/nfc-fix-NULL-ptr-dereference-in-llcp_sock_getname-af.patch
index 1684585..c4c137b 100644
--- a/patches.suse/nfc-fix-NULL-ptr-dereference-in-llcp_sock_getname-af.patch
+++ b/patches.suse/nfc-fix-NULL-ptr-dereference-in-llcp_sock_getname-af.patch
@@ -4,7 +4,7 @@ Date: Mon, 31 May 2021 09:21:38 +0200 Subject: [PATCH] nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect Git-commit: 4ac06a1e013cf5fdd963317ffd3b968560f33bba Patch-mainline: v5.13-rc5 -References: git-fixes +References: CVE-2021-38208 bsc#1187055 It's possible to trigger NULL pointer dereference by local unprivileged user, when calling getsockname() after failed bind() (e.g. the bind
@@ -60,5 +60,5 @@ index 53dbe733f998..6cfd30fc0798 100644 goto put_dev; } -- -2.26.2 +2.31.1
diff --git a/patches.suse/ovl-fix-missing-negative-dentry-check-in-ovl_rename.patch b/patches.suse/ovl-fix-missing-negative-dentry-check-in-ovl_rename.patch
new file mode 100644
index 0000000..96b9cd1
--- /dev/null
+++ b/patches.suse/ovl-fix-missing-negative-dentry-check-in-ovl_rename.patch
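Review bot: Inside the `sk_for_each()` walk in x25_kill_by_neigh() the new code drops `x25_list_lock`, sleeps in `lock_sock(s)`, and then resumes the iteration from `s` after re-taking the lock. No reference on `s` is taken before the unlock, so if another context unlinks or frees the socket in that window, `lock_sock(s)` and the next-pointer read both touch stale memory; the commit message argues only that `s` is not NULL. I would pin the socket with sock_hold()/sock_put() around the unlocked region and restart the walk after re-locking instead of continuing from `s`. The restart terminates because, per the commit message, x25_disconnect() sets `x25->neighbour` to NULL so the same socket no longer matches; that should be confirmed for every socket state. The rest of the function is outside the hunk.

```c
	/* … unchanged: write_lock_bh(&x25_list_lock); … */
restart:
	sk_for_each(s, &x25_list) {
		if (x25_sk(s)->neighbour == nb) {
			sock_hold(s);	/* keep s alive while the list lock is dropped */
			write_unlock_bh(&x25_list_lock);
			lock_sock(s);
			x25_disconnect(s, ENETUNREACH, 0, 0);
			release_sock(s);
			sock_put(s);
			write_lock_bh(&x25_list_lock);
			goto restart;	/* list may have changed; do not continue from s */
		}
	}
	/* … unchanged: write_unlock_bh(&x25_list_lock); … */
```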
@@ -0,0 +1,66 @@
+From 7c34058c01ed674e6d80f654153d80c01eaa6be9 Mon Sep 17 00:00:00 2001
+From: Zheng Liang
+Date: Fri, 24 Sep 2021 09:16:27 +0800
+Subject: [PATCH] ovl: fix missing negative dentry check in ovl_rename()
+Git-commit: a295aef603e109a47af355477326bd41151765b6
+Patch-mainline: v5.15-rc5
+References: CVE-2021-20321 bsc#1191647
+
+The following reproducer
+
+ mkdir lower upper work merge
+ touch lower/old
+ touch lower/new
+ mount -t overlay overlay -olowerdir=lower,upperdir=upper,workdir=work merge
+ rm merge/new
+ mv merge/old merge/new & unlink upper/new
+
+may result in this race:
+
+PROCESS A:
+ rename("merge/old", "merge/new");
+ overwrite=true,ovl_lower_positive(old)=true,
+ ovl_dentry_is_whiteout(new)=true -> flags |= RENAME_EXCHANGE
+
+PROCESS B:
+ unlink("upper/new");
+
+PROCESS A:
+ lookup newdentry in new_upperdir
+ call vfs_rename() with negative newdentry and RENAME_EXCHANGE
+
+Fix by adding the missing check for negative newdentry.
+
+Signed-off-by: Zheng Liang
+Fixes: e9be9d5e76e3 ("overlay filesystem")
+Cc: # v3.18
+Signed-off-by: Miklos Szeredi
+Acked-by: David Disseldorp
+---
+ fs/overlayfs/dir.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c
+index 3bd1462cea4e..7886426a0389 100644
+--- a/fs/overlayfs/dir.c
++++ b/fs/overlayfs/dir.c
+@@ -1025,9 +1025,13 @@ static int ovl_rename(struct inode *olddir, struct dentry *old,
+ goto out_dput;
+ }
+ } else {
+- if (!d_is_negative(newdentry) &&
+- (!new_opaque || !ovl_is_whiteout(newdentry)))
+- goto out_dput;
++ if (!d_is_negative(newdentry)) {
++ if (!new_opaque || !ovl_is_whiteout(newdentry))
++ goto out_dput;
++ } else {
++ if (flags & RENAME_EXCHANGE)
++ goto out_dput;
++ }
+ }
+
+ if (olddentry == trap)
+--
+2.34.1
+
diff --git a/patches.suse/powerpc-perf-Fix-power9-event-alternatives.patch b/patches.suse/powerpc-perf-Fix-power9-event-alternatives.patch
new file mode 100644
index 0000000..a14b684
--- /dev/null
+++ b/patches.suse/powerpc-perf-Fix-power9-event-alternatives.patch 
@@ -0,0 +1,90 @@
+From 0dcad700bb2776e3886fe0a645a4bf13b1e747cd Mon Sep 17 00:00:00 2001
+From: Athira Rajeev
+Date: Tue, 19 Apr 2022 17:18:27 +0530
+Subject: [PATCH] powerpc/perf: Fix power9 event alternatives
+
+References: bsc#1137728, LTC#178106, git-fixes
+Patch-mainline: v5.18-rc4
+Git-commit: 0dcad700bb2776e3886fe0a645a4bf13b1e747cd
+
+When scheduling a group of events, there are constraint checks done to
+make sure all events can go in a group. Example, one of the criteria is
+that events in a group cannot use the same PMC. But platform specific
+PMU supports alternative event for some of the event codes. During
+perf_event_open(), if any event group doesn't match constraint check
+criteria, further lookup is done to find alternative event.
+
+By current design, the array of alternatives events in PMU code is
+expected to be sorted by column 0. This is because in
+find_alternative() the return criteria is based on event code
+comparison. ie. "event < ev_alt[i][0])". This optimisation is there
+since find_alternative() can be called multiple times. In power9 PMU
+code, the alternative event array is not sorted properly and hence there
+is breakage in finding alternative events.
+
+To work with existing logic, fix the alternative event array to be
+sorted by column 0 for power9-pmu.c
+
+Results:
+
+With alternative events, multiplexing can be avoided. That is, for
+example, in power9 PM_LD_MISS_L1 (0x3e054) has alternative event,
+PM_LD_MISS_L1_ALT (0x400f0). This is an identical event which can be
+programmed in a different PMC.
+
+Before:
+
+ # perf stat -e r3e054,r300fc
+
+ Performance counter stats for 'system wide':
+
+ 1057860 r3e054 (50.21%)
+ 379 r300fc (49.79%)
+
+ 0.944329741 seconds time elapsed
+
+Since both the events are using PMC3 in this case, they are
+multiplexed here.
+
+After:
+
+ # perf stat -e r3e054,r300fc
+
+ Performance counter stats for 'system wide':
+
+ 1006948 r3e054
+ 182 r300fc
+
+Fixes: 91e0bd1e6251 ("powerpc/perf: Add PM_LD_MISS_L1 and PM_BR_2PATH to power9 event list")
+Signed-off-by: Athira Rajeev
+Reviewed-by: Madhavan Srinivasan
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20220419114828.89843-1-atrajeev@linux.vnet.ibm.com
+Acked-by: Michal Suchanek
+---
+ arch/powerpc/perf/power9-pmu.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/powerpc/perf/power9-pmu.c b/arch/powerpc/perf/power9-pmu.c
+index c9eb5232e68b..c393e837648e 100644
+--- a/arch/powerpc/perf/power9-pmu.c
++++ b/arch/powerpc/perf/power9-pmu.c
+@@ -133,11 +133,11 @@ int p9_dd22_bl_ev[] = {
+
+ /* Table of alternatives, sorted by column 0 */
+ static const unsigned int power9_event_alternatives[][MAX_ALT] = {
+- { PM_INST_DISP, PM_INST_DISP_ALT },
+- { PM_RUN_CYC_ALT, PM_RUN_CYC },
+- { PM_RUN_INST_CMPL_ALT, PM_RUN_INST_CMPL },
+- { PM_LD_MISS_L1, PM_LD_MISS_L1_ALT },
+ { PM_BR_2PATH, PM_BR_2PATH_ALT },
++ { PM_INST_DISP, PM_INST_DISP_ALT },
++ { PM_RUN_CYC_ALT, PM_RUN_CYC },
++ { PM_LD_MISS_L1, PM_LD_MISS_L1_ALT },
++ { PM_RUN_INST_CMPL_ALT, PM_RUN_INST_CMPL },
+ };
+
+ static int power9_get_alternatives(u64 event, unsigned int flags, u64 alt[])
+--
+2.34.1
+
diff --git a/patches.suse/powerpc-pseries-Fix-use-after-free-in-remove_phb_dyn.patch b/patches.suse/powerpc-pseries-Fix-use-after-free-in-remove_phb_dyn.patch
index 0dad764..5cb709a 100644
--- a/patches.suse/powerpc-pseries-Fix-use-after-free-in-remove_phb_dyn.patch
+++ b/patches.suse/powerpc-pseries-Fix-use-after-free-in-remove_phb_dyn.patch
@@ -3,7 +3,7 @@
From: Michael Ellerman Date: Fri, 18 Mar 2022 14:42:19 +1100 Subject: [PATCH] powerpc/pseries: Fix use after free in remove_phb_dynamic() -References: bsc#1065729 +References: bsc#1065729 bsc#1198660 ltc#197803 Patch-mainline: v5.18-rc1 Git-commit: fe2640bd7a62f1f7c3f55fbda31084085075bc30
diff --git a/patches.suse/ppp-ensure-minimum-packet-size-in-ppp_write.patch b/patches.suse/ppp-ensure-minimum-packet-size-in-ppp_write.patch
new file mode 100644
index 0000000..114ffd7
--- /dev/null
+++ b/patches.suse/ppp-ensure-minimum-packet-size-in-ppp_write.patch
@@ -0,0 +1,103 @@
+From c43dcac4c08208102d1309c0db8cc34a9c2605b9 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Wed, 5 Jan 2022 03:48:42 -0800
+Subject: [PATCH 5/6] ppp: ensure minimum packet size in ppp_write()
+References: git-fixes
+Patch-mainline: v5.17-rc1
+Git-commit: 44073187990d5629804ce0627525f6ea5cfef171
+
+It seems pretty clear ppp layer assumed user space
+would always be kind to provide enough data
+in their write() to a ppp device.
+
+This patch makes sure user provides at least
+2 bytes.
+
+It adds PPP_PROTO_LEN macro that could replace
+in net-next many occurrences of hard-coded 2 value.
+
+I replaced only one occurrence to ease backports
+to stable kernels.
+
+The bug manifests in the following report:
+
+BUG: KMSAN: uninit-value in ppp_send_frame+0x28d/0x27c0 drivers/net/ppp/ppp_generic.c:1740
+ ppp_send_frame+0x28d/0x27c0 drivers/net/ppp/ppp_generic.c:1740
+ __ppp_xmit_process+0x23e/0x4b0 drivers/net/ppp/ppp_generic.c:1640
+ ppp_xmit_process+0x1fe/0x480 drivers/net/ppp/ppp_generic.c:1661
+ ppp_write+0x5cb/0x5e0 drivers/net/ppp/ppp_generic.c:513
+ do_iter_write+0xb0c/0x1500 fs/read_write.c:853
+ vfs_writev fs/read_write.c:924 [inline]
+ do_writev+0x645/0xe00 fs/read_write.c:967
+ __do_sys_writev fs/read_write.c:1040 [inline]
+ __se_sys_writev fs/read_write.c:1037 [inline]
+ __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Uninit was created at:
+ slab_post_alloc_hook mm/slab.h:524 [inline]
+ slab_alloc_node mm/slub.c:3251 [inline]
+ __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974
+ kmalloc_reserve net/core/skbuff.c:354 [inline]
+ __alloc_skb+0x545/0xf90 net/core/skbuff.c:426
+ alloc_skb include/linux/skbuff.h:1126 [inline]
+ ppp_write+0x11d/0x5e0 drivers/net/ppp/ppp_generic.c:501
+ do_iter_write+0xb0c/0x1500 fs/read_write.c:853
+ vfs_writev fs/read_write.c:924 [inline]
+ do_writev+0x645/0xe00 fs/read_write.c:967
+ __do_sys_writev fs/read_write.c:1040 [inline]
+ __se_sys_writev fs/read_write.c:1037 [inline]
+ __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet
+Cc: Paul Mackerras
+Cc: linux-ppp@vger.kernel.org
+Reported-by: syzbot
+Acked-by: Guillaume Nault
+Signed-off-by: David S. Miller
+Signed-off-by: Denis Kirjanov
+---
+ drivers/net/ppp/ppp_generic.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
+index d4dd44d0f002..352e751125fb 100644
+--- a/drivers/net/ppp/ppp_generic.c
++++ b/drivers/net/ppp/ppp_generic.c
+@@ -72,6 +72,8 @@
+ #define MPHDRLEN 6 /* multilink protocol header length */
+ #define MPHDRLEN_SSN 4 /* ditto with short sequence numbers */
+
++#define PPP_PROTO_LEN 2
++
+ /*
+ * An instance of /dev/ppp can be associated with either a ppp
+ * interface unit or a ppp channel. In both cases, file->private_data
+@@ -501,6 +503,9 @@ static ssize_t ppp_write(struct file *file, const char __user *buf,
+
+ if (!pf)
+ return -ENXIO;
++ /* All PPP packets should start with the 2-byte protocol */
++ if (count < PPP_PROTO_LEN)
++ return -EINVAL;
+ ret = -ENOMEM;
+ skb = alloc_skb(count + pf->hdrlen, GFP_KERNEL);
+ if (!skb)
+@@ -1536,7 +1541,7 @@ ppp_send_frame(struct ppp *ppp, struct sk_buff *skb)
+ }
+
+ ++ppp->stats64.tx_packets;
+- ppp->stats64.tx_bytes += skb->len - 2;
++ ppp->stats64.tx_bytes += skb->len - PPP_PROTO_LEN;
+
+ switch (proto) {
+ case PPP_IP:
+--
+2.16.4
+
diff --git a/patches.suse/ptrace-Check-PTRACE_O_SUSPEND_SECCOMP-permission-on-PTRACE_SEIZE.patch b/patches.suse/ptrace-Check-PTRACE_O_SUSPEND_SECCOMP-permission-on-PTRACE_SEIZE.patch
new file mode 100644
index 0000000..ad8f139
--- /dev/null
+++ b/patches.suse/ptrace-Check-PTRACE_O_SUSPEND_SECCOMP-permission-on-PTRACE_SEIZE.patch 
@@ -0,0 +1,106 @@ +From: Jann Horn +Date: Sat, 19 Mar 2022 02:08:37 +0100 +Subject: ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on PTRACE_SEIZE +Git-commit: ee1fee900537b5d9560e9f937402de5ddc8412f3 +Patch-mainline: v5.18-rc1 +References: bsc#1198413 + +Setting PTRACE_O_SUSPEND_SECCOMP is supposed to be a highly privileged +operation because it allows the tracee to completely bypass all seccomp +filters on kernels with CONFIG_CHECKPOINT_RESTORE=y. It is only supposed to +be settable by a process with global CAP_SYS_ADMIN, and only if that +process is not subject to any seccomp filters at all. + +However, while these permission checks were done on the PTRACE_SETOPTIONS +path, they were missing on the PTRACE_SEIZE path, which also sets +user-specified ptrace flags. + +Move the permissions checks out into a helper function and let both +ptrace_attach() and ptrace_setoptions() call it. + +Cc: stable@kernel.org +Fixes: 13c4a90119d2 ("seccomp: add ptrace options for suspend/resume") +Signed-off-by: Jann Horn +Link: https://lkml.kernel.org/r/20220319010838.1386861-1-jannh@google.com +Signed-off-by: Eric W. 
Biederman +Acked-by: Michal Koutný +--- + kernel/ptrace.c | 47 ++++++++++++++++++++++++++++++++--------------- + 1 file changed, 32 insertions(+), 15 deletions(-) + +diff --git a/kernel/ptrace.c b/kernel/ptrace.c +index eea265082e97..ccc4b465775b 100644 +--- a/kernel/ptrace.c ++++ b/kernel/ptrace.c +@@ -371,6 +371,26 @@ bool ptrace_may_access(struct task_struct *task, unsigned int mode) + return !err; + } + ++static int check_ptrace_options(unsigned long data) ++{ ++ if (data & ~(unsigned long)PTRACE_O_MASK) ++ return -EINVAL; ++ ++ if (unlikely(data & PTRACE_O_SUSPEND_SECCOMP)) { ++ if (!IS_ENABLED(CONFIG_CHECKPOINT_RESTORE) || ++ !IS_ENABLED(CONFIG_SECCOMP)) ++ return -EINVAL; ++ ++ if (!capable(CAP_SYS_ADMIN)) ++ return -EPERM; ++ ++ if (seccomp_mode(¤t->seccomp) != SECCOMP_MODE_DISABLED || ++ current->ptrace & PT_SUSPEND_SECCOMP) ++ return -EPERM; ++ } ++ return 0; ++} ++ + static int ptrace_attach(struct task_struct *task, long request, + unsigned long addr, + unsigned long flags) +@@ -382,8 +402,16 @@ static int ptrace_attach(struct task_struct *task, long request, + if (seize) { + if (addr != 0) + goto out; ++ /* ++ * This duplicates the check in check_ptrace_options() because ++ * ptrace_attach() and ptrace_setoptions() have historically ++ * used different error codes for unknown ptrace options. 
++ */ + if (flags & ~(unsigned long)PTRACE_O_MASK) + goto out; ++ retval = check_ptrace_options(flags); ++ if (retval) ++ return retval; + flags = PT_PTRACED | PT_SEIZED | (flags << PT_OPT_FLAG_SHIFT); + } else { + flags = PT_PTRACED; +@@ -654,22 +682,11 @@ int ptrace_writedata(struct task_struct *tsk, char __user *src, unsigned long ds + static int ptrace_setoptions(struct task_struct *child, unsigned long data) + { + unsigned flags; ++ int ret; + +- if (data & ~(unsigned long)PTRACE_O_MASK) +- return -EINVAL; +- +- if (unlikely(data & PTRACE_O_SUSPEND_SECCOMP)) { +- if (!IS_ENABLED(CONFIG_CHECKPOINT_RESTORE) || +- !IS_ENABLED(CONFIG_SECCOMP)) +- return -EINVAL; +- +- if (!capable(CAP_SYS_ADMIN)) +- return -EPERM; +- +- if (seccomp_mode(¤t->seccomp) != SECCOMP_MODE_DISABLED || +- current->ptrace & PT_SUSPEND_SECCOMP) +- return -EPERM; +- } ++ ret = check_ptrace_options(data); ++ if (ret) ++ return ret; + + /* Avoid intermediate state when all opts are cleared */ + flags = child->ptrace; + diff --git a/patches.suse/random-check-for-signal_pending-outside-of-need_resc.patch b/patches.suse/random-check-for-signal_pending-outside-of-need_resc.patch new file mode 100644 index 0000000..67a5fc7 --- /dev/null +++ b/patches.suse/random-check-for-signal_pending-outside-of-need_resc.patch 
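Review bot: `check_ptrace_options()` has no comment saying that its `capable(CAP_SYS_ADMIN)` and `seccomp_mode()` tests are evaluated against `current`, so the helper is only correct when called from the tracer's own syscall context, as both call sites in this patch do. A one-line header such as `/* Validate tracer-supplied PTRACE_O_* bits; the permission checks apply to current (the tracer). */` would keep a later caller from using it on behalf of another task. In `ptrace_attach()` the new call does `return retval;` where the neighbouring checks use `goto out;`; the `out:` label is outside the hunk, so confirm that nothing there is skipped on this path. The `¤t->seccomp` argument on this page appears to be a rendering artifact of `&current->seccomp`, not part of the patch.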
@@ -0,0 +1,44 @@
+From: Jann Horn
+Date: Tue, 5 Apr 2022 18:39:31 +0200
+Subject: random: check for signal_pending() outside of need_resched() check
+Git-commit: 1448769c9cdb69ad65287f4f7ab58bc5f2f5d7ba
+Patch-mainline: 5.18-rc2
+References: git-fixes
+
+signal_pending() checks TIF_NOTIFY_SIGNAL and TIF_SIGPENDING, which
+signal that the task should bail out of the syscall when possible. This
+is a separate concept from need_resched(), which checks
+TIF_NEED_RESCHED, signaling that the task should preempt.
+
+In particular, with the current code, the signal_pending() bailout
+probably won't work reliably.
+
+Change this to look like other functions that read lots of data, such as
+read_zero().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jann Horn
+Signed-off-by: Jason A. Donenfeld
+Signed-off-by: Jiri Slaby
+---
+ drivers/char/random.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1035,13 +1035,13 @@ static ssize_t extract_crng_user(void __
+ int large_request = (nbytes > 256);
+
+ while (nbytes) {
+- if (large_request && need_resched()) {
++ if (large_request) {
+ if (signal_pending(current)) {
+ if (ret == 0)
+ ret = -ERESTARTSYS;
+ break;
+ }
+- schedule();
++ cond_resched();
+ }
+
+ extract_crng(tmp);
diff --git a/patches.suse/random-fix-data-race-on-crng_node_pool.patch b/patches.suse/random-fix-data-race-on-crng_node_pool.patch
new file mode 100644
index 0000000..ef23052
--- /dev/null
+++ b/patches.suse/random-fix-data-race-on-crng_node_pool.patch
@@ -0,0 +1,104 @@ +From: Eric Biggers +Date: Mon, 20 Dec 2021 16:41:56 -0600 +Subject: random: fix data race on crng_node_pool +Git-commit: 5d73d1e320c3fd94ea15ba5f79301da9a8bcc7de +Patch-mainline: 5.17-rc1 +References: git-fixes + +extract_crng() and crng_backtrack_protect() load crng_node_pool with a +plain load, which causes undefined behavior if do_numa_crng_init() +modifies it concurrently. + +Fix this by using READ_ONCE(). Note: as per the previous discussion +https://lore.kernel.org/lkml/20211219025139.31085-1-ebiggers@kernel.org/T/#u, +READ_ONCE() is believed to be sufficient here, and it was requested that +it be used here instead of smp_load_acquire(). + +Also change do_numa_crng_init() to set crng_node_pool using +cmpxchg_release() instead of mb() + cmpxchg(), as the former is +sufficient here but is more lightweight. + +Fixes: 1e7f583af67b ("random: make /dev/urandom scalable for silly userspace programs") +Cc: stable@vger.kernel.org +Signed-off-by: Eric Biggers +Acked-by: Paul E. McKenney +Signed-off-by: Jason A. 
Donenfeld +Signed-off-by: Jiri Slaby +--- + drivers/char/random.c | 42 ++++++++++++++++++++++-------------------- + 1 file changed, 22 insertions(+), 20 deletions(-) + +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -814,8 +814,8 @@ static void do_numa_crng_init(struct wor + crng_initialize(crng); + pool[i] = crng; + } +- mb(); +- if (cmpxchg(&crng_node_pool, NULL, pool)) { ++ /* pairs with READ_ONCE() in select_crng() */ ++ if (cmpxchg_release(&crng_node_pool, NULL, pool) != NULL) { + for_each_node(i) + kfree(pool[i]); + kfree(pool); +@@ -828,8 +828,26 @@ static void numa_crng_init(void) + { + schedule_work(&numa_crng_init_work); + } ++ ++static struct crng_state *select_crng(void) ++{ ++ struct crng_state **pool; ++ int nid = numa_node_id(); ++ ++ /* pairs with cmpxchg_release() in do_numa_crng_init() */ ++ pool = READ_ONCE(crng_node_pool); ++ if (pool && pool[nid]) ++ return pool[nid]; ++ ++ return &primary_crng; ++} + #else + static void numa_crng_init(void) {} ++ ++static struct crng_state *select_crng(void) ++{ ++ return &primary_crng; ++} + #endif + + /* +@@ -978,15 +996,7 @@ static void _extract_crng(struct crng_st + + static void extract_crng(__u8 out[CHACHA20_BLOCK_SIZE]) + { +- struct crng_state *crng = NULL; +- +-#ifdef CONFIG_NUMA +- if (crng_node_pool) +- crng = crng_node_pool[numa_node_id()]; +- if (crng == NULL) +-#endif +- crng = &primary_crng; +- _extract_crng(crng, out); ++ _extract_crng(select_crng(), out); + } + + /* +@@ -1015,15 +1025,7 @@ static void _crng_backtrack_protect(stru + + static void crng_backtrack_protect(__u8 tmp[CHACHA20_BLOCK_SIZE], int used) + { +- struct crng_state *crng = NULL; +- +-#ifdef CONFIG_NUMA +- if (crng_node_pool) +- crng = crng_node_pool[numa_node_id()]; +- if (crng == NULL) +-#endif +- crng = &primary_crng; +- _crng_backtrack_protect(crng, tmp, used); ++ _crng_backtrack_protect(select_crng(), tmp, used); + } + + static ssize_t extract_crng_user(void __user *buf, size_t nbytes) 
diff --git a/patches.suse/rtl8187-fix-control-message-timeouts.patch b/patches.suse/rtl8187-fix-control-message-timeouts.patch new file mode 100644 index 0000000..519d89b --- /dev/null +++ b/patches.suse/rtl8187-fix-control-message-timeouts.patch 
@@ -0,0 +1,91 @@ +From 2e9be536a213e838daed6ba42024dd68954ac061 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 25 Oct 2021 14:05:21 +0200 +Subject: [PATCH] rtl8187: fix control-message timeouts +Git-commit: 2e9be536a213e838daed6ba42024dd68954ac061 +References: git-fixes +Patch-mainline: v5.16-rc1 + +USB control-message timeouts are specified in milliseconds and should +specifically not vary with CONFIG_HZ. + +Fixes: 605bebe23bf6 ("[PATCH] Add rtl8187 wireless driver") +Cc: stable@vger.kernel.org # 2.6.23 +Signed-off-by: Johan Hovold +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211025120522.6045-4-johan@kernel.org +Signed-off-by: Oliver Neukum +--- + .../net/wireless/realtek/rtl818x/rtl8187/rtl8225.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtl818x/rtl8187/rtl8225.c b/drivers/net/wireless/realtek/rtl818x/rtl8187/rtl8225.c +index 585784258c66..4efab907a3ac 100644 +--- a/drivers/net/wireless/realtek/rtl818x/rtl8187/rtl8225.c ++++ b/drivers/net/wireless/realtek/rtl818x/rtl8187/rtl8225.c +@@ -28,7 +28,7 @@ u8 rtl818x_ioread8_idx(struct rtl8187_priv *priv, + usb_control_msg(priv->udev, usb_rcvctrlpipe(priv->udev, 0), + RTL8187_REQ_GET_REG, RTL8187_REQT_READ, + (unsigned long)addr, idx & 0x03, +- &priv->io_dmabuf->bits8, sizeof(val), HZ / 2); ++ &priv->io_dmabuf->bits8, sizeof(val), 500); + + val = priv->io_dmabuf->bits8; + mutex_unlock(&priv->io_mutex); +@@ -45,7 +45,7 @@ u16 rtl818x_ioread16_idx(struct rtl8187_priv *priv, + usb_control_msg(priv->udev, usb_rcvctrlpipe(priv->udev, 0), + RTL8187_REQ_GET_REG, RTL8187_REQT_READ, + (unsigned long)addr, idx & 0x03, +- &priv->io_dmabuf->bits16, sizeof(val), HZ / 2); ++ &priv->io_dmabuf->bits16, sizeof(val), 500); + + val = priv->io_dmabuf->bits16; + mutex_unlock(&priv->io_mutex); +@@ -62,7 +62,7 @@ u32 rtl818x_ioread32_idx(struct rtl8187_priv *priv, + usb_control_msg(priv->udev, usb_rcvctrlpipe(priv->udev, 0), + 
RTL8187_REQ_GET_REG, RTL8187_REQT_READ, + (unsigned long)addr, idx & 0x03, +- &priv->io_dmabuf->bits32, sizeof(val), HZ / 2); ++ &priv->io_dmabuf->bits32, sizeof(val), 500); + + val = priv->io_dmabuf->bits32; + mutex_unlock(&priv->io_mutex); +@@ -79,7 +79,7 @@ void rtl818x_iowrite8_idx(struct rtl8187_priv *priv, + usb_control_msg(priv->udev, usb_sndctrlpipe(priv->udev, 0), + RTL8187_REQ_SET_REG, RTL8187_REQT_WRITE, + (unsigned long)addr, idx & 0x03, +- &priv->io_dmabuf->bits8, sizeof(val), HZ / 2); ++ &priv->io_dmabuf->bits8, sizeof(val), 500); + + mutex_unlock(&priv->io_mutex); + } +@@ -93,7 +93,7 @@ void rtl818x_iowrite16_idx(struct rtl8187_priv *priv, + usb_control_msg(priv->udev, usb_sndctrlpipe(priv->udev, 0), + RTL8187_REQ_SET_REG, RTL8187_REQT_WRITE, + (unsigned long)addr, idx & 0x03, +- &priv->io_dmabuf->bits16, sizeof(val), HZ / 2); ++ &priv->io_dmabuf->bits16, sizeof(val), 500); + + mutex_unlock(&priv->io_mutex); + } +@@ -107,7 +107,7 @@ void rtl818x_iowrite32_idx(struct rtl8187_priv *priv, + usb_control_msg(priv->udev, usb_sndctrlpipe(priv->udev, 0), + RTL8187_REQ_SET_REG, RTL8187_REQT_WRITE, + (unsigned long)addr, idx & 0x03, +- &priv->io_dmabuf->bits32, sizeof(val), HZ / 2); ++ &priv->io_dmabuf->bits32, sizeof(val), 500); + + mutex_unlock(&priv->io_mutex); + } +@@ -183,7 +183,7 @@ static void rtl8225_write_8051(struct ieee80211_hw *dev, u8 addr, __le16 data) + usb_control_msg(priv->udev, usb_sndctrlpipe(priv->udev, 0), + RTL8187_REQ_SET_REG, RTL8187_REQT_WRITE, + addr, 0x8225, &priv->io_dmabuf->bits16, sizeof(data), +- HZ / 2); ++ 500); + + mutex_unlock(&priv->io_mutex); + +-- +2.34.1 + diff --git a/patches.suse/scsi-scsi_dh_alua-Avoid-crash-during-alua_bus_detach.patch b/patches.suse/scsi-scsi_dh_alua-Avoid-crash-during-alua_bus_detach.patch new file mode 100644 index 0000000..b5db661 --- /dev/null +++ b/patches.suse/scsi-scsi_dh_alua-Avoid-crash-during-alua_bus_detach.patch 
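Review bot: The three read helpers (`rtl818x_ioread8_idx`, `rtl818x_ioread16_idx`, `rtl818x_ioread32_idx`) still discard the return value of `usb_control_msg()` and then copy `priv->io_dmabuf->bitsN` into `val`, so a transfer that fails or hits the new 500 ms timeout returns whatever the shared DMA buffer held from an earlier request. The patch corrects only the timeout unit; a follow-up should capture the result (`ret = usb_control_msg(...);`) and return a defined value when `ret` is negative or shorter than `sizeof(val)`. The literal `500` is also repeated in all seven calls and would read better as one named millisecond constant. Every function touched here starts or ends outside its hunk.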
@@ -0,0 +1,72 @@ +From 5faf50e9e9fdc2117c61ff7e20da49cd6a29e0ca Mon Sep 17 00:00:00 2001 +From: Hannes Reinecke +Date: Thu, 24 Sep 2020 12:45:59 +0200 +Subject: [PATCH] scsi: scsi_dh_alua: Avoid crash during alua_bus_detach() +References: bsc#1028340 bsc#1198825 +Git-commit: 5faf50e9e9fdc2117c61ff7e20da49cd6a29e0ca +Patch-mainline: v5.10-rc3 + +alua_bus_detach() might be running concurrently with alua_rtpg_work(), so +we might trip over h->sdev == NULL and call BUG_ON(). The correct way of +handling it is to not set h->sdev to NULL in alua_bus_detach(), and call +rcu_synchronize() before the final delete to ensure that all concurrent +threads have left the critical section. Then we can get rid of the +BUG_ON() and replace it with a simple if condition. + +Link: https://lore.kernel.org/r/1600167537-12509-1-git-send-email-jitendra.khasdev@oracle.com +Link: https://lore.kernel.org/r/20200924104559.26753-1-hare@suse.de +Cc: Brian Bunker +Acked-by: Brian Bunker +Tested-by: Jitendra Khasdev +Reviewed-by: Jitendra Khasdev +Signed-off-by: Hannes Reinecke +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Thomas Abraham +--- + drivers/scsi/device_handler/scsi_dh_alua.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/scsi/device_handler/scsi_dh_alua.c b/drivers/scsi/device_handler/scsi_dh_alua.c +index f32da0ca529e..308bda2e9c00 100644 +--- a/drivers/scsi/device_handler/scsi_dh_alua.c ++++ b/drivers/scsi/device_handler/scsi_dh_alua.c +@@ -658,8 +658,8 @@ static int alua_rtpg(struct scsi_device *sdev, struct alua_port_group *pg) + rcu_read_lock(); + list_for_each_entry_rcu(h, + &tmp_pg->dh_list, node) { +- /* h->sdev should always be valid */ +- BUG_ON(!h->sdev); ++ if (!h->sdev) ++ continue; + h->sdev->access_state = desc[0]; + } + rcu_read_unlock(); +@@ -705,7 +705,8 @@ static int alua_rtpg(struct scsi_device *sdev, struct alua_port_group *pg) + pg->expiry = 0; + rcu_read_lock(); + list_for_each_entry_rcu(h, &pg->dh_list, node) { +- BUG_ON(!h->sdev); ++ if (!h->sdev) ++ continue; + h->sdev->access_state = + (pg->state & SCSI_ACCESS_STATE_MASK); + if (pg->pref) +@@ -1147,7 +1148,6 @@ static void alua_bus_detach(struct scsi_device *sdev) + spin_lock(&h->pg_lock); + pg = rcu_dereference_protected(h->pg, lockdep_is_held(&h->pg_lock)); + rcu_assign_pointer(h->pg, NULL); +- h->sdev = NULL; + spin_unlock(&h->pg_lock); + if (pg) { + spin_lock_irq(&pg->lock); +@@ -1156,6 +1156,7 @@ static void alua_bus_detach(struct scsi_device *sdev) + kref_put(&pg->kref, release_port_group); + } + sdev->handler_data = NULL; ++ synchronize_rcu(); + kfree(h); + } + +-- +2.34.1 + diff --git a/patches.suse/usb-hub-Fix-usb-enumeration-issue-due-to-address0-ra.patch b/patches.suse/usb-hub-Fix-usb-enumeration-issue-due-to-address0-ra.patch new file mode 100644 index 0000000..04f13bf --- /dev/null +++ b/patches.suse/usb-hub-Fix-usb-enumeration-issue-due-to-address0-ra.patch 
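Review bot: The added `synchronize_rcu()` in `alua_bus_detach()` carries no comment naming the readers it waits for, and the commit text refers to it as `rcu_synchronize()`. A line such as `/* wait for alua_rtpg() RCU walkers of dh_list before freeing h */` above the call would record why it must precede `kfree(h)`. With `h->sdev = NULL` removed, nothing visible in these hunks clears `h->sdev` any more, so the new `if (!h->sdev) continue;` tests look purely defensive, and a reader still inside the grace period now writes `h->sdev->access_state` on a device that is being detached. That is safe only if the `scsi_device` outlives the detach, which these hunks do not show; `alua_rtpg()` and `alua_bus_detach()` both extend beyond them.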
@@ -0,0 +1,108 @@ +From 6ae6dc22d2d1ce6aa77a6da8a761e61aca216f8b Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Tue, 16 Nov 2021 00:16:30 +0200 +Subject: [PATCH] usb: hub: Fix usb enumeration issue due to address0 race +Git-commit: 6ae6dc22d2d1ce6aa77a6da8a761e61aca216f8b +References: git-fixes +Patch-mainline: v5.16-rc3 + +xHC hardware can only have one slot in default state with address 0 +waiting for a unique address at a time, otherwise "undefined behavior +may occur" according to xhci spec 5.4.3.4 + +The address0_mutex exists to prevent this across both xhci roothubs. + +If hub_port_init() fails, it may unlock the mutex and exit with a xhci +slot in default state. If the other xhci roothub calls hub_port_init() +at this point we end up with two slots in default state. + +Make sure the address0_mutex protects the slot default state across +hub_port_init() retries, until slot is addressed or disabled. + +Note, one known minor case is not fixed by this patch. +If device needs to be reset during resume, but fails all hub_port_init() +retries in usb_reset_and_verify_device(), then it's possible the slot is +still left in default state when address0_mutex is unlocked. + +Cc: +Fixes: 638139eb95d2 ("usb: hub: allow to process more usb hub events in parallel") +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20211115221630.871204-1-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Oliver Neukum +--- + drivers/usb/core/hub.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -4462,8 +4462,6 @@ hub_port_init(struct usb_hub *hub, struc + if (oldspeed == USB_SPEED_LOW) + delay = HUB_LONG_RESET_TIME; + +- mutex_lock(hcd->address0_mutex); +- + /* Reset the device; full speed may morph to high speed */ + /* FIXME a USB 2.0 device may morph into SuperSpeed on reset. 
*/ + retval = hub_port_reset(hub, port1, udev, delay, false); +@@ -4750,7 +4748,6 @@ fail: + hub_port_disable(hub, port1, 0); + update_devnum(udev, devnum); /* for disconnect processing */ + } +- mutex_unlock(hcd->address0_mutex); + return retval; + } + +@@ -4895,6 +4892,9 @@ static void hub_port_connect(struct usb_ + unit_load = 100; + + status = 0; ++ ++ mutex_lock(hcd->address0_mutex); ++ + for (i = 0; i < SET_CONFIG_TRIES; i++) { + + /* reallocate for each attempt, since references +@@ -4931,6 +4931,8 @@ static void hub_port_connect(struct usb_ + if (status < 0) + goto loop; + ++ mutex_unlock(hcd->address0_mutex); ++ + if (udev->quirks & USB_QUIRK_DELAY_INIT) + msleep(2000); + +@@ -5019,6 +5021,7 @@ static void hub_port_connect(struct usb_ + + loop_disable: + hub_port_disable(hub, port1, 1); ++ mutex_lock(hcd->address0_mutex); + loop: + usb_ep0_reinit(udev); + release_devnum(udev); +@@ -5045,6 +5048,8 @@ loop: + } + + done: ++ mutex_unlock(hcd->address0_mutex); ++ + hub_port_disable(hub, port1, 1); + if (hcd->driver->relinquish_port && !hub->hdev->parent) { + if (status != -ENOTCONN && status != -ENODEV) +@@ -5574,6 +5579,8 @@ static int usb_reset_and_verify_device(s + bos = udev->bos; + udev->bos = NULL; + ++ mutex_lock(hcd->address0_mutex); ++ + for (i = 0; i < SET_CONFIG_TRIES; ++i) { + + /* ep0 maxpacket size may change; let the HCD know about it. +@@ -5583,6 +5590,7 @@ static int usb_reset_and_verify_device(s + if (ret >= 0 || ret == -ENOTCONN || ret == -ENODEV) + break; + } ++ mutex_unlock(hcd->address0_mutex); + + if (ret < 0) + goto re_enumerate; diff --git a/patches.suse/usb-typec-tcpm-Wait-in-SNK_DEBOUNCED-until-disconnec.patch b/patches.suse/usb-typec-tcpm-Wait-in-SNK_DEBOUNCED-until-disconnec.patch new file mode 100644 index 0000000..168ba3d --- /dev/null +++ b/patches.suse/usb-typec-tcpm-Wait-in-SNK_DEBOUNCED-until-disconnec.patch 
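Review bot: `hub_port_init()` now relies on its caller holding `hcd->address0_mutex`, but nothing in the function states or enforces that; adding `lockdep_assert_held(hcd->address0_mutex);` at its top would catch a caller that forgets. In `hub_port_connect()` the mutex is dropped after a successful `hub_port_init()`, re-taken only at `loop_disable:`, and released unconditionally at `done:`, so any jump to `loop:` or `done:` taken after the success-path unlock that does not pass through `loop_disable:` would release a mutex the task no longer holds. Those jumps lie outside the hunks and should be audited before the backport is accepted. Holding the mutex across all `SET_CONFIG_TRIES` retries also lengthens the time the other roothub is blocked, which is worth a comment at the `mutex_lock()` site.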
@@ -0,0 +1,87 @@ +From fbcd13df1e78eb2ba83a3c160eefe2d6f574beaf Mon Sep 17 00:00:00 2001 +From: Badhri Jagan Sridharan +Date: Mon, 29 Nov 2021 16:18:25 -0800 +Subject: [PATCH] usb: typec: tcpm: Wait in SNK_DEBOUNCED until disconnect +Git-commit: fbcd13df1e78eb2ba83a3c160eefe2d6f574beaf +References: git-fixes +Patch-mainline: v5.16-rc4 + +Stub from the spec: +"4.5.2.2.4.2 Exiting from AttachWait.SNK State +A Sink shall transition to Unattached.SNK when the state of both +the CC1 and CC2 pins is SNK.Open for at least tPDDebounce. +A DRP shall transition to Unattached.SRC when the state of both +the CC1 and CC2 pins is SNK.Open for at least tPDDebounce." + +This change makes TCPM to wait in SNK_DEBOUNCED state until +CC1 and CC2 pins is SNK.Open for at least tPDDebounce. Previously, +TCPM resets the port if vbus is not present in PD_T_PS_SOURCE_ON. +This causes TCPM to loop continuously when connected to a +faulty power source that does not present vbus. Waiting in +SNK_DEBOUNCED also ensures that TCPM is adherant to +"4.5.2.2.4.2 Exiting from AttachWait.SNK State" requirements. 
+ +[ 6169.280751] CC1: 0 -> 0, CC2: 0 -> 5 [state TOGGLING, polarity 0, connected] +[ 6169.280759] state change TOGGLING -> SNK_ATTACH_WAIT [rev2 NONE_AMS] +[ 6169.280771] pending state change SNK_ATTACH_WAIT -> SNK_DEBOUNCED @ 170 ms [rev2 NONE_AMS] +[ 6169.282427] CC1: 0 -> 0, CC2: 5 -> 5 [state SNK_ATTACH_WAIT, polarity 0, connected] +[ 6169.450825] state change SNK_ATTACH_WAIT -> SNK_DEBOUNCED [delayed 170 ms] +[ 6169.450834] pending state change SNK_DEBOUNCED -> PORT_RESET @ 480 ms [rev2 NONE_AMS] +[ 6169.930892] state change SNK_DEBOUNCED -> PORT_RESET [delayed 480 ms] +[ 6169.931296] disable vbus discharge ret:0 +[ 6169.931301] Setting usb_comm capable false +[ 6169.932783] Setting voltage/current limit 0 mV 0 mA +[ 6169.932802] polarity 0 +[ 6169.933706] Requesting mux state 0, usb-role 0, orientation 0 +[ 6169.936689] cc:=0 +[ 6169.936812] pending state change PORT_RESET -> PORT_RESET_WAIT_OFF @ 100 ms [rev2 NONE_AMS] +[ 6169.937157] CC1: 0 -> 0, CC2: 5 -> 0 [state PORT_RESET, polarity 0, disconnected] +[ 6170.036880] state change PORT_RESET -> PORT_RESET_WAIT_OFF [delayed 100 ms] +[ 6170.036890] state change PORT_RESET_WAIT_OFF -> SNK_UNATTACHED [rev2 NONE_AMS] +[ 6170.036896] Start toggling +[ 6170.041412] CC1: 0 -> 0, CC2: 0 -> 0 [state TOGGLING, polarity 0, disconnected] +[ 6170.042973] CC1: 0 -> 0, CC2: 0 -> 5 [state TOGGLING, polarity 0, connected] +[ 6170.042976] state change TOGGLING -> SNK_ATTACH_WAIT [rev2 NONE_AMS] +[ 6170.042981] pending state change SNK_ATTACH_WAIT -> SNK_DEBOUNCED @ 170 ms [rev2 NONE_AMS] +[ 6170.213014] state change SNK_ATTACH_WAIT -> SNK_DEBOUNCED [delayed 170 ms] +[ 6170.213019] pending state change SNK_DEBOUNCED -> PORT_RESET @ 480 ms [rev2 NONE_AMS] +[ 6170.693068] state change SNK_DEBOUNCED -> PORT_RESET [delayed 480 ms] +[ 6170.693304] disable vbus discharge ret:0 +[ 6170.693308] Setting usb_comm capable false +[ 6170.695193] Setting voltage/current limit 0 mV 0 mA +[ 6170.695210] polarity 0 +[ 6170.695990] Requesting 
mux state 0, usb-role 0, orientation 0 +[ 6170.701896] cc:=0 +[ 6170.702181] pending state change PORT_RESET -> PORT_RESET_WAIT_OFF @ 100 ms [rev2 NONE_AMS] +[ 6170.703343] CC1: 0 -> 0, CC2: 5 -> 0 [state PORT_RESET, polarity 0, disconnected] + +Fixes: f0690a25a140b8 ("staging: typec: USB Type-C Port Manager (tcpm)") +Cc: stable@vger.kernel.org +Acked-by: Heikki Krogerus +Signed-off-by: Badhri Jagan Sridharan +Link: https://lore.kernel.org/r/20211130001825.3142830-1-badhri@google.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Oliver Neukum +--- + drivers/usb/typec/tcpm/tcpm.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c +index 7f2f3ff1b391..6010b9901126 100644 +--- a/drivers/usb/typec/tcpm/tcpm.c ++++ b/drivers/usb/typec/tcpm/tcpm.c +@@ -4110,11 +4110,7 @@ static void run_state_machine(struct tcpm_port *port) + tcpm_try_src(port) ? SRC_TRY + : SNK_ATTACHED, + 0); +- else +- /* Wait for VBUS, but not forever */ +- tcpm_set_state(port, PORT_RESET, PD_T_PS_SOURCE_ON); + break; +- + case SRC_TRY: + port->try_src_count++; + tcpm_set_cc(port, tcpm_rp_cc(port)); +-- +2.34.1 + diff --git a/patches.suse/usb-ulpi-Call-of_node_put-correctly.patch b/patches.suse/usb-ulpi-Call-of_node_put-correctly.patch new file mode 100644 index 0000000..cc0a263 --- /dev/null +++ b/patches.suse/usb-ulpi-Call-of_node_put-correctly.patch 
@@ -0,0 +1,51 @@
+From 0a907ee9d95e3ac35eb023d71f29eae0aaa52d1b Mon Sep 17 00:00:00 2001
+From: Sean Anderson
+Date: Thu, 27 Jan 2022 14:00:03 -0500
+Subject: [PATCH] usb: ulpi: Call of_node_put correctly
+Git-commit: 0a907ee9d95e3ac35eb023d71f29eae0aaa52d1b
+References: git-fixes
+Patch-mainline: v5.17-rc4
+
+of_node_put should always be called on device nodes gotten from
+of_get_*. Additionally, it should only be called after there are no
+remaining users. To address the first issue, call of_node_put if later
+steps in ulpi_register fail. To address the latter, call put_device if
+device_register fails, which will call ulpi_dev_release if necessary.
+
+Fixes: ef6a7bcfb01c ("usb: ulpi: Support device discovery via DT")
+Cc: stable
+Reviewed-by: Heikki Krogerus
+Signed-off-by: Sean Anderson
+Link: https://lore.kernel.org/r/20220127190004.1446909-3-sean.anderson@seco.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Oliver Neukum
+---
+ drivers/usb/common/ulpi.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/common/ulpi.c b/drivers/usb/common/ulpi.c
+index 09ad569a1a35..5509d3847af4 100644
+--- a/drivers/usb/common/ulpi.c
++++ b/drivers/usb/common/ulpi.c
+@@ -248,12 +248,16 @@ static int ulpi_register(struct device *dev, struct ulpi *ulpi)
+ return ret;
+
+ ret = ulpi_read_id(ulpi);
+- if (ret)
++ if (ret) {
++ of_node_put(ulpi->dev.of_node);
+ return ret;
++ }
+
+ ret = device_register(&ulpi->dev);
+- if (ret)
++ if (ret) {
++ put_device(&ulpi->dev);
+ return ret;
++ }
+
+ dev_dbg(&ulpi->dev, "registered ULPI PHY: vendor %04x, product %04x\n",
+ ulpi->id.vendor, ulpi->id.product);
+--
+2.34.1
+
diff --git a/patches.suse/usb-ulpi-Move-of_node_put-to-ulpi_dev_release.patch b/patches.suse/usb-ulpi-Move-of_node_put-to-ulpi_dev_release.patch
new file mode 100644
index 0000000..aebd0f1
--- /dev/null
+++ b/patches.suse/usb-ulpi-Move-of_node_put-to-ulpi_dev_release.patch
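Review bot: On `device_register()` failure the new `put_device(&ulpi->dev)` can drop the last reference, and `ulpi_dev_release()` (shown in the companion patch as `of_node_put(dev->of_node); kfree(to_ulpi_dev(dev));`) then frees the `ulpi` structure itself. The caller of `ulpi_register()` is outside this hunk; if it also frees `ulpi` when an error is returned, this path becomes a double free. The `ulpi_read_id()` failure path just above does not free the structure, so the two error returns leave ownership in different states. The caller should be checked and, if it does free on error, the free made conditional or moved so that exactly one side owns `ulpi` after each failure.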
@@ -0,0 +1,46 @@
+From 092f45b13e51666fe8ecbf2d6cd247aa7e6c1f74 Mon Sep 17 00:00:00 2001
+From: Sean Anderson
+Date: Thu, 27 Jan 2022 14:00:02 -0500
+Subject: [PATCH] usb: ulpi: Move of_node_put to ulpi_dev_release
+Git-commit: 092f45b13e51666fe8ecbf2d6cd247aa7e6c1f74
+References: git-fixes
+Patch-mainline: v5.17-rc4
+
+Drivers are not unbound from the device when ulpi_unregister_interface
+is called. Move of_node-freeing code to ulpi_dev_release which is called
+only after all users are gone.
+
+Fixes: ef6a7bcfb01c ("usb: ulpi: Support device discovery via DT")
+Cc: stable
+Reviewed-by: Heikki Krogerus
+Signed-off-by: Sean Anderson
+Link: https://lore.kernel.org/r/20220127190004.1446909-2-sean.anderson@seco.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Oliver Neukum
+---
+ drivers/usb/common/ulpi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/common/ulpi.c b/drivers/usb/common/ulpi.c
+index 8f8405b0d608..09ad569a1a35 100644
+--- a/drivers/usb/common/ulpi.c
++++ b/drivers/usb/common/ulpi.c
+@@ -130,6 +130,7 @@ static const struct attribute_group *ulpi_dev_attr_groups[] = {
+
+ static void ulpi_dev_release(struct device *dev)
+ {
++ of_node_put(dev->of_node);
+ kfree(to_ulpi_dev(dev));
+ }
+
+@@ -299,7 +300,6 @@ EXPORT_SYMBOL_GPL(ulpi_register_interface);
+ */
+ void ulpi_unregister_interface(struct ulpi *ulpi)
+ {
+- of_node_put(ulpi->dev.of_node);
+ device_unregister(&ulpi->dev);
+ }
+ EXPORT_SYMBOL_GPL(ulpi_unregister_interface);
+--
+2.34.1
+
diff --git a/patches.suse/wcn36xx-Fix-HT40-capability-for-2Ghz-band.patch b/patches.suse/wcn36xx-Fix-HT40-capability-for-2Ghz-band.patch
new file mode 100644
index 0000000..a45991f
--- /dev/null
+++ b/patches.suse/wcn36xx-Fix-HT40-capability-for-2Ghz-band.patch
@@ -0,0 +1,41 @@
+From 960ae77f25631bbe4e3aafefe209b52e044baf31 Mon Sep 17 00:00:00 2001
+From: Loic Poulain
+Date: Wed, 20 Oct 2021 15:38:53 +0200
+Subject: [PATCH] wcn36xx: Fix HT40 capability for 2Ghz band
+Git-commit: 960ae77f25631bbe4e3aafefe209b52e044baf31
+References: git-fixes
+Patch-mainline: v5.16-rc1
+
+All wcn36xx controllers are supposed to support HT40 (and SGI40),
+This doubles the maximum bitrate/throughput with compatible APs.
+
+Tested with wcn3620 & wcn3680B.
+
+Cc: stable@vger.kernel.org
+Fixes: 8e84c2582169 ("wcn36xx: mac80211 driver for Qualcomm WCN3660/WCN3680 hardware")
+Signed-off-by: Loic Poulain
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/1634737133-22336-1-git-send-email-loic.poulain@linaro.org
+Signed-off-by: Oliver Neukum
+---
+ drivers/net/wireless/ath/wcn36xx/main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/wcn36xx/main.c b/drivers/net/wireless/ath/wcn36xx/main.c
+index 644b8523df68..1cddb78aa00e 100644
+--- a/drivers/net/wireless/ath/wcn36xx/main.c
++++ b/drivers/net/wireless/ath/wcn36xx/main.c
+@@ -135,7 +135,9 @@ static struct ieee80211_supported_band wcn_band_2ghz = {
+ .cap = IEEE80211_HT_CAP_GRN_FLD |
+ IEEE80211_HT_CAP_SGI_20 |
+ IEEE80211_HT_CAP_DSSSCCK40 |
+- IEEE80211_HT_CAP_LSIG_TXOP_PROT,
++ IEEE80211_HT_CAP_LSIG_TXOP_PROT |
++ IEEE80211_HT_CAP_SGI_40 |
++ IEEE80211_HT_CAP_SUP_WIDTH_20_40,
+ .ht_supported = true,
+ .ampdu_factor = IEEE80211_HT_MAX_AMPDU_64K,
+ .ampdu_density = IEEE80211_HT_MPDU_DENSITY_16,
+--
+2.34.1
+
diff --git a/patches.suse/wcn36xx-add-proper-DMA-memory-barriers-in-rx-path.patch b/patches.suse/wcn36xx-add-proper-DMA-memory-barriers-in-rx-path.patch
new file mode 100644
index 0000000..c9624ca
--- /dev/null
+++ b/patches.suse/wcn36xx-add-proper-DMA-memory-barriers-in-rx-path.patch
@@ -0,0 +1,65 @@ +From 9bfe38e064af5decba2ffce66a2958ab8b10eaa4 Mon Sep 17 00:00:00 2001 +From: Benjamin Li +Date: Fri, 22 Oct 2021 17:15:28 -0700 +Subject: [PATCH] wcn36xx: add proper DMA memory barriers in rx path +Git-commit: 9bfe38e064af5decba2ffce66a2958ab8b10eaa4 +References: git-fixes +Patch-mainline: v5.16-rc1 + +This is essentially exactly following the dma_wmb()/dma_rmb() usage +instructions in Documentation/memory-barriers.txt. + +The theoretical races here are: + +1. DXE (the DMA Transfer Engine in the Wi-Fi subsystem) seeing the +dxe->ctrl & WCN36xx_DXE_CTRL_VLD write before the dxe->dst_addr_l +write, thus performing DMA into the wrong address. + +2. CPU reading dxe->dst_addr_l before DXE unsets dxe->ctrl & +WCN36xx_DXE_CTRL_VLD. This should generally be harmless since DXE +doesn't write dxe->dst_addr_l (no risk of freeing the wrong skb). + +Fixes: 8e84c2582169 ("wcn36xx: mac80211 driver for Qualcomm WCN3660/WCN3680 hardware") +Signed-off-by: Benjamin Li +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211023001528.3077822-1-benl@squareup.com +Signed-off-by: Oliver Neukum +--- + drivers/net/wireless/ath/wcn36xx/dxe.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/wcn36xx/dxe.c b/drivers/net/wireless/ath/wcn36xx/dxe.c +index 0e0bbcd11300..aff04ef66266 100644 +--- a/drivers/net/wireless/ath/wcn36xx/dxe.c ++++ b/drivers/net/wireless/ath/wcn36xx/dxe.c +@@ -606,6 +606,10 @@ static int wcn36xx_rx_handle_packets(struct wcn36xx *wcn, + dxe = ctl->desc; + + while (!(READ_ONCE(dxe->ctrl) & WCN36xx_DXE_CTRL_VLD)) { ++ /* do not read until we own DMA descriptor */ ++ dma_rmb(); ++ ++ /* read/modify DMA descriptor */ + skb = ctl->skb; + dma_addr = dxe->dst_addr_l; + ret = wcn36xx_dxe_fill_skb(wcn->dev, ctl, GFP_ATOMIC); +@@ -616,9 +620,15 @@ static int wcn36xx_rx_handle_packets(struct wcn36xx *wcn, + dma_unmap_single(wcn->dev, dma_addr, WCN36XX_PKT_SIZE, + DMA_FROM_DEVICE); + 
wcn36xx_rx_skb(wcn, skb); +- } /* else keep old skb not submitted and use it for rx DMA */ ++ } ++ /* else keep old skb not submitted and reuse it for rx DMA ++ * (dropping the packet that it contained) ++ */ + ++ /* flush descriptor changes before re-marking as valid */ ++ dma_wmb(); + dxe->ctrl = ctrl; ++ + ctl = ctl->next; + dxe = ctl->desc; + } +-- +2.34.1 + diff --git a/patches.suse/x86-pm-save-the-msr-validity-status-at-context-setup.patch b/patches.suse/x86-pm-save-the-msr-validity-status-at-context-setup.patch new file mode 100644 index 0000000..12bf486 --- /dev/null +++ b/patches.suse/x86-pm-save-the-msr-validity-status-at-context-setup.patch 
@@ -0,0 +1,55 @@ +From: Pawan Gupta +Date: Mon, 4 Apr 2022 17:34:19 -0700 +Subject: x86/pm: Save the MSR validity status at context setup +Git-commit: 73924ec4d560257004d5b5116b22a3647661e364 +Patch-mainline: v5.18 or v5.18-rc2 (next release) +References: bsc#1198400 + +The mechanism to save/restore MSRs during S3 suspend/resume checks for +the MSR validity during suspend, and only restores the MSR if its a +valid MSR. This is not optimal, as an invalid MSR will unnecessarily +throw an exception for every suspend cycle. The more invalid MSRs, +higher the impact will be. + +Check and save the MSR validity at setup. This ensures that only valid +MSRs that are guaranteed to not throw an exception will be attempted +during suspend. + +Fixes: 7a9c2dd08ead ("x86/pm: Introduce quirk framework to save/restore extra MSR registers around suspend/resume") +Suggested-by: Dave Hansen +Signed-off-by: Pawan Gupta +Reviewed-by: Dave Hansen +Acked-by: Borislav Petkov +Cc: stable@vger.kernel.org +Signed-off-by: Linus Torvalds +--- + arch/x86/power/cpu.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/power/cpu.c b/arch/x86/power/cpu.c +index 9f2b251e83c5..eaec0cb3fe04 100644 +--- a/arch/x86/power/cpu.c ++++ b/arch/x86/power/cpu.c +@@ -40,7 +40,8 @@ static void msr_save_context(struct saved_context *ctxt) + struct saved_msr *end = msr + ctxt->saved_msrs.num; + + while (msr < end) { +- msr->valid = !rdmsrl_safe(msr->info.msr_no, &msr->info.reg.q); ++ if (msr->valid) ++ rdmsrl(msr->info.msr_no, msr->info.reg.q); + msr++; + } + } +@@ -424,8 +425,10 @@ static int msr_build_context(const u32 *msr_id, const int num) + } + + for (i = saved_msrs->num, j = 0; i < total_num; i++, j++) { ++ u64 dummy; ++ + msr_array[i].info.msr_no = msr_id[j]; +- msr_array[i].valid = false; ++ msr_array[i].valid = !rdmsrl_safe(msr_id[j], &dummy); + msr_array[i].info.reg.q = 0; + } + saved_msrs->num = total_num; + 
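Review bot: msr_save_context() now calls the unchecked `rdmsrl()` on every entry whose `valid` flag was set once in msr_build_context(), so the suspend path trusts a probe made at setup time. That assumption deserves a comment where the flag is set, for example `/* probed once here; msr_save_context() reads valid MSRs with unchecked rdmsrl() */`, because a later reader of the save loop cannot see why the `_safe` variant was dropped. Both functions start outside their hunks, so whether the restore path relies on the same flag is not visible here.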
diff --git a/patches.suse/x86-speculation-add-special-register-buffer-data-sampling-srbds-mitigation.patch b/patches.suse/x86-speculation-add-special-register-buffer-data-sampling-srbds-mitigation.patch index 3fa9556..3e49efe 100644 --- a/patches.suse/x86-speculation-add-special-register-buffer-data-sampling-srbds-mitigation.patch +++ b/patches.suse/x86-speculation-add-special-register-buffer-data-sampling-srbds-mitigation.patch @@ -73,9 +73,9 @@ Tested-by: Neelima Krishnan #endif /* _ASM_X86_CPUFEATURES_H */ --- a/arch/x86/include/asm/msr-index.h +++ b/arch/x86/include/asm/msr-index.h -@@ -118,6 +118,10 @@ - #define TSX_CTRL_RTM_DISABLE BIT(0) /* Disable RTM feature */ - #define TSX_CTRL_CPUID_CLEAR BIT(1) /* Disable TSX enumeration */ +@@ -120,6 +120,10 @@ + + #define MSR_IA32_MCU_OPT_CTRL 0x00000123 +/* SRBDS support */ +#define MSR_IA32_MCU_OPT_CTRL 0x00000123 diff --git a/patches.suse/x86-speculation-restore-speculation-related-msrs-during-s3-resume.patch b/patches.suse/x86-speculation-restore-speculation-related-msrs-during-s3-resume.patch new file mode 100644 index 0000000..6400847 --- /dev/null +++ b/patches.suse/x86-speculation-restore-speculation-related-msrs-during-s3-resume.patch 
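Review bot: The refreshed context of the msr-index.h hunk now carries `#define MSR_IA32_MCU_OPT_CTRL 0x00000123` as an unchanged line, and the patch still adds the same `#define` just below it, so the header ends up with the macro defined twice. An identical redefinition compiles, but the backporting note in x86-speculation-restore-speculation-related-msrs-during-s3-resume.patch on this page suggests resolving the overlap by removing the definition from that patch. Dropping the `+#define MSR_IA32_MCU_OPT_CTRL 0x00000123` line from one of the two patches would leave a single definition. Only the start of the inner hunk is visible, so the remaining SRBDS lines are assumed unchanged.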
@@ -0,0 +1,75 @@ +From: Pawan Gupta +Date: Mon, 4 Apr 2022 17:35:45 -0700 +Subject: x86/speculation: Restore speculation related MSRs during S3 resume +Git-commit: e2a1256b17b16f9b9adf1b6fea56819e7b68e463 +Patch-mainline: v5.18 or v5.18-rc2 (next release) +References: bsc#1198400 + +After resuming from suspend-to-RAM, the MSRs that control CPU's +speculative execution behavior are not being restored on the boot CPU. + +These MSRs are used to mitigate speculative execution vulnerabilities. +Not restoring them correctly may leave the CPU vulnerable. Secondary +CPU's MSRs are correctly being restored at S3 resume by +identify_secondary_cpu(). + +During S3 resume, restore these MSRs for boot CPU when restoring its +processor state. + +Fixes: 772439717dbf ("x86/bugs/intel: Set proper CPU features and setup RDS") +Reported-by: Neelima Krishnan +Signed-off-by: Pawan Gupta +Tested-by: Neelima Krishnan +Acked-by: Borislav Petkov +Reviewed-by: Dave Hansen +Cc: stable@vger.kernel.org +Signed-off-by: Linus Torvalds + + [ bp: Backporting note: I've added the MSR_IA32_MCU_OPT_CTRL definition so + that it builds. The branches merging this one will potentially already have + it due to additional backports so it will conflict but resolving should be + simple: simply remove the definition of that MSR here. Thx. 
] + +--- + arch/x86/include/asm/msr-index.h | 2 ++ + arch/x86/power/cpu.c | 14 ++++++++++++++ + 2 files changed, 16 insertions(+) + +--- a/arch/x86/include/asm/msr-index.h ++++ b/arch/x86/include/asm/msr-index.h +@@ -109,6 +109,8 @@ + #define TSX_CTRL_RTM_DISABLE BIT(0) /* Disable RTM feature */ + #define TSX_CTRL_CPUID_CLEAR BIT(1) /* Disable TSX enumeration */ + ++#define MSR_IA32_MCU_OPT_CTRL 0x00000123 ++ + #define MSR_IA32_SYSENTER_CS 0x00000174 + #define MSR_IA32_SYSENTER_ESP 0x00000175 + #define MSR_IA32_SYSENTER_EIP 0x00000176 +--- a/arch/x86/power/cpu.c ++++ b/arch/x86/power/cpu.c +@@ -503,10 +503,24 @@ static int pm_cpu_check(const struct x86 + return ret; + } + ++static void pm_save_spec_msr(void) ++{ ++ u32 spec_msr_id[] = { ++ MSR_IA32_SPEC_CTRL, ++ MSR_IA32_TSX_CTRL, ++ MSR_TSX_FORCE_ABORT, ++ MSR_IA32_MCU_OPT_CTRL, ++ MSR_AMD64_LS_CFG, ++ }; ++ ++ msr_build_context(spec_msr_id, ARRAY_SIZE(spec_msr_id)); ++} ++ + static int pm_check_save_msr(void) + { + dmi_check_system(msr_save_dmi_table); + pm_cpu_check(msr_save_cpu_table); ++ pm_save_spec_msr(); + + return 0; + } diff --git a/patches.suse/xfrm-fix-mtu-regression.patch b/patches.suse/xfrm-fix-mtu-regression.patch index 0b62db6..dbb25c5 100644 --- a/patches.suse/xfrm-fix-mtu-regression.patch +++ b/patches.suse/xfrm-fix-mtu-regression.patch @@ -1,7 +1,7 @@ From: Jiri Bohac Subject: xfrm: fix MTU regression Git-commit: 6596a0229541270fb8d38d989f91b78838e5e9da -Patch-mainline: v5.17 or v5.17-rc7 (next release) +Patch-mainline: v5.17-rc7 References: bsc#1185377, bsc#1194048 Commit 749439bfac6e1a2932c582e2699f91d329658196 ("ipv6: fix udpv6 diff --git a/scripts/bs-upload-kernel b/scripts/bs-upload-kernel index b592cc8..c97c25a 100755 --- a/scripts/bs-upload-kernel +++ b/scripts/bs-upload-kernel 
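Review bot: pm_save_spec_msr() discards the result of `msr_build_context()`, which returns `int` according to the hunk header in the companion x86/pm patch on this page. If that call can fail (its body is not shown), the speculation-control MSRs would not be saved and the boot CPU would resume without them restored, with nothing in the log. Checking the result, e.g. `if (msr_build_context(spec_msr_id, ARRAY_SIZE(spec_msr_id))) pr_warn("x86/pm: speculation MSRs not saved for S3\n");`, makes that state detectable. The table is never modified, so `static const u32 spec_msr_id[]` would also match the `const u32 *` parameter.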
@@ -103,6 +103,9 @@ my @macros = ("%is_kotd 1"); if ($ignore_kabi) { push(@macros, "%ignore_kabi_badness 1"); } +if (-e "$dir/klp-symbols") { + push(@macros, "%klp_symbols 1"); +} my @remove_packages = qw(kernel-dummy); if (!$enable_checks) { push(@remove_packages, "post-build-checks", "rpmlint-Factory", diff --git a/scripts/git_sort/lib.py b/scripts/git_sort/lib.py index 9442b37..c656116 100644 --- a/scripts/git_sort/lib.py +++ b/scripts/git_sort/lib.py @@ -280,6 +280,11 @@ class InputEntry(object): if not commit_tags: self.dest_head = git_sort.oot mainline = mainline_tags[0] + if re.match("^(v[1-9]|Queued)", mainline, re.IGNORECASE): + raise exc.KSError( + "There is a problem with patch \"%s\". " + "The Patch-mainline tag \"%s\" requires Git-commit." % ( + name, mainline,)) if not re.match("^(Submitted|Not yet)", mainline, re.IGNORECASE): raise exc.KSError( "There is a problem with patch \"%s\". " diff --git a/scripts/git_sort/tests/test_series_sort.py b/scripts/git_sort/tests/test_series_sort.py index 96f54e8..f0ffe5b 100755 --- a/scripts/git_sort/tests/test_series_sort.py +++ b/scripts/git_sort/tests/test_series_sort.py 
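Review bot: The new guard in InputEntry raises for any Patch-mainline value matching `^(v[1-9]|Queued)` when no Git-commit tag was found, but nothing at that spot says why those two forms are singled out. A one-line comment above the `re.match`, such as `# a release version or "Queued ..." implies an upstream commit, so Git-commit must be present`, would keep the rule from being read as a duplicate of the `Submitted|Not yet` check below it. The enclosing method starts and ends outside the hunk.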
@@ -955,6 +955,18 @@ class TestFromPatch(unittest.TestCase): "Error: There is a problem with patch \"%s\". The Git-repo tag is incorrect or the patch is in the wrong section of series.conf and (the Git-commit tag is incorrect or the relevant remote is outdated or not available locally) or an entry for this repository is missing from \"remotes\". In the last case, please edit \"remotes\" in \"scripts/git_sort/git_sort.py\" and commit the result. Manual intervention is required.\n" % (name,)) + def test_malformed(self): + """ + Generate a series and destroy the Git-commit tag on one of the patches + This should report a specific error so that this situation is not conflated with wrong Patch-mainline tag in out-of-tree section + """ + + name, series2 = self.prepare_found_indexed_upstream_good() + subprocess.call(['sed', '-i', '-e', 's/commit/comit/', name]) + self.check_failure( +'Error: There is a problem with patch "%s". The Patch-mainline tag "Queued in subsystem maintainer repository" requires Git-commit.\n' % (name)) + + if __name__ == '__main__': # Run a single testcase suite = unittest.TestLoader().loadTestsFromTestCase(TestFromPatch) diff --git a/scripts/gitlog2changes b/scripts/gitlog2changes index 7f59a5d..15435c5 100755 --- a/scripts/gitlog2changes +++ b/scripts/gitlog2changes @@ -63,11 +63,22 @@ sub parse_gitlog { my $cur = { message => [] }; my @states = qw(commit tree parent author committer blank message); my $st = 0; + my $gpgsig = 0; while (my $line = <$fh>) { next if $line =~ /^#/; chomp($line); my $expect = $states[$st]; if ($expect eq "blank") { + if ($gpgsig > 0) { + if ($line =~ /-----END PGP SIGNATURE-----/) { + $gpgsig = 0; + } + next; + } + if ($line =~ /^gpgsig/) { + $gpgsig = 1; + next; + } if ($line ne "") { die "Malformed git rev-parse output ($cur->{commit}): expected blank line, got \"$line\"\n"; } diff --git a/scripts/python/check-patchhdr b/scripts/python/check-patchhdr index 0f8f89e..165eae2 100755 --- a/scripts/python/check-patchhdr 
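Review bot: test_malformed ignores the exit status of `subprocess.call(['sed', ...])`, so if sed is missing or fails, the patch is left intact and the test fails later with a misleading message. `subprocess.check_call(['sed', '-i', '-e', 's/commit/comit/', name])` would stop at the real cause. The expression also rewrites the first `commit` on every line of the patch rather than only the tag; `s/^Git-commit/Git-comit/` would limit the change to the header the test is about. `series2` is assigned but not used in the visible lines.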
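Review bot: The skip state added to parse_gitlog ends only on a line containing `-----END PGP SIGNATURE-----`. A `gpgsig` header that ends with any other marker leaves `$gpgsig` set, and every following line of the log, including later commits, is then dropped by `next` without an error. Git can also produce SSH and X.509 signatures, whose trailers differ. Assuming the input is raw-format log output, where continuation lines of a multi-line header start with a space, ending the skip on the first line that does not start with a space is independent of the signature format: `if ($gpgsig) { next if $line =~ /^ /; $gpgsig = 0; }`. The loop body continues outside the hunk.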
+++ b/scripts/python/check-patchhdr @@ -1,9 +1,5 @@ -#!/usr/bin/python3 -# -*- coding: utf-8 -*-, - -from __future__ import absolute_import -from __future__ import print_function -from __future__ import division +#!/usr/bin/env python3 +# vim: sw=4 ts=4 et si: import sys from optparse import OptionParser diff --git a/scripts/python/suse_git/header.py b/scripts/python/suse_git/header.py index 423a756..7540558 100755 --- a/scripts/python/suse_git/header.py +++ b/scripts/python/suse_git/header.py @@ -1,5 +1,5 @@ -#!/usr/bin/python -# -*- coding: utf-8 -*-, +#!/usr/bin/env python3 +# vim: sw=4 ts=4 et si: import sys import re @@ -330,7 +330,7 @@ class HeaderChecker(patch.PatchChecker): target[tag].append(new_req) def do_patch(self): - for line in self.stream: + for line in self.stream.readlines(): if diffstart.match(line): break diff --git a/scripts/python/suse_git/patch.py b/scripts/python/suse_git/patch.py index 13ff659..2116d15 100644 --- a/scripts/python/suse_git/patch.py +++ b/scripts/python/suse_git/patch.py @@ -1,5 +1,5 @@ -#!/usr/bin/python -# -*- coding: utf-8 -*-, +#!/usr/bin/env python3 +# vim: sw=4 ts=4 et si: import sys diff --git a/scripts/python/test-all.sh b/scripts/python/test-all.sh old mode 100644 new mode 100755 index 77cb2eb..8308965 --- a/scripts/python/test-all.sh +++ b/scripts/python/test-all.sh @@ -1 +1,2 @@ -python3 -m unittest discover +#! /bin/sh +python3 -m unittest discover "$@" diff --git a/scripts/python/tests/test_header.py b/scripts/python/tests/test_header.py index b0b8360..98f0ad4 100755 --- a/scripts/python/tests/test_header.py +++ b/scripts/python/tests/test_header.py @@ -1,10 +1,10 @@ -#!/usr/bin/python3 +#!/usr/bin/env python3 # -*- coding: utf-8 -*-, +# vim:set shiftwidth=4 softtabstop=4 expandtab textwidth=79: import sys import os.path import unittest -from io import StringIO from suse_git import header diff --git a/series.conf b/series.conf index fde1a1f..99eec03 100644 --- a/series.conf +++ b/series.conf 
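Review bot: In HeaderChecker.do_patch the loop now iterates `self.stream.readlines()`, which reads the whole patch into memory before the first line is examined, although the loop still stops at the first `diffstart` match. The hunk does not say why the switch was made. If it is needed (for instance because the stream object cannot be iterated directly), a comment on that line such as `# readlines(): <reason>` would stop it from being reverted as a pessimisation. do_patch continues past the end of the hunk.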
@@ -16625,6 +16625,7 @@
 patches.suse/NFSv4-Fix-OPEN-CLOSE-race.patch
 patches.suse/NFS-Fix-a-typo-in-nfs_rename.patch
 patches.suse/NFSv4-Retry-CLOSE-and-DELEGRETURN-on-NFS4ERR_OLD_STA.patch
+ patches.suse/NFSv4-Don-t-try-to-CLOSE-if-the-stateid-other-field-.patch
 patches.suse/NFSv4-Replace-closed-stateids-with-the-invalid-speci.patch
 patches.suse/0002-nfs-Fix-ugly-referral-attributes.patch
 patches.suse/NFS-Fix-typo-in-nomigration-mount-option.patch
@@ -47328,6 +47329,7 @@
 patches.suse/ALSA-usb-audio-Add-quirk-for-MOTU-MicroBook-II.patch
 patches.suse/hpet-Fix-missing-character-in-the-__setup-code-of-hp.patch
 patches.suse/applicom-Fix-potential-Spectre-v1-vulnerabilities.patch
+ patches.suse/io-64-nonatomic-add-io-read-write-64-be-_lo_hi-_hi_l.patch
 patches.suse/nvmem-allow-to-select-i.MX-nvmem-driver-for-i.MX-7D.patch
 patches.suse/parport_pc-fix-find_superio-io-compare-code-should-u.patch
 patches.suse/intel_th-Don-t-reference-unassigned-outputs.patch
@@ -48221,6 +48223,7 @@
 patches.suse/0001-s390-qeth-be-drop-monitor-friendly.patch
 patches.suse/mlxsw-core-mlxsw-core-avoid-Wint-in-bool-context-war.patch
 patches.suse/net-stmmac-fix-memory-corruption-with-large-MTUs.patch
+ patches.suse/net-sysfs-call-dev_hold-if-kobject_init_and_add-succ.patch
 patches.suse/tcp-do-not-use-ipv6-header-for-ipv4-flow.patch
 patches.suse/dccp-do-not-use-ipv6-header-for-ipv4-flow.patch
 patches.suse/net-packet-Set-__GFP_NOWARN-upon-allocation-in-alloc.patch
@@ -52582,6 +52585,7 @@
 patches.suse/s390-cio-exclude-subchannels-with-no-parent-from-pseudo-check
 patches.suse/binfmt_elf-Do-not-move-brk-for-INTERP-less-ET_EXEC.patch
 patches.suse/pNFS-Ensure-we-do-clear-the-return-on-close-layout-s.patch
+ patches.suse/NFSv4-Handle-NFS4ERR_OLD_STATEID-in-CLOSE-OPEN_DOWNG.patch
 patches.suse/0001-drm-atomic-Take-the-atomic-toys-away-from-X.patch
 patches.suse/drm-radeon-Bail-earlier-when-radeon.cik_-si_support-.patch
 patches.suse/drm-amdgpu-Check-for-valid-number-of-registers-to-re.patch
@@ -53796,6 +53800,7 @@
 patches.suse/PCI-PTM-Remove-spurious-d-from-granularity-message.patch
 patches.suse/PCI-MSI-Fix-incorrect-MSI-X-masking-on-resume.patch
 patches.suse/PCI-PM-Clear-PCIe-PME-Status-even-for-legacy-power-m.patch
+ patches.suse/PCI-switchtec-Read-all-64-bits-of-part_event_bitmap.patch
 patches.suse/PCI-Fix-Intel-ACS-quirk-UPDCR-register-address.patch
 patches.suse/PCI-Add-DMA-alias-quirk-for-Intel-VCA-NTB.patch
 patches.suse/PCI-Apply-Cavium-ACS-quirk-to-ThunderX2-and-ThunderX.patch
@@ -54656,6 +54661,7 @@
 patches.suse/NFS-Revalidate-the-file-size-on-a-fatal-write-error.patch
 patches.suse/NFS-Revalidate-the-file-mapping-on-all-fatal-writeba.patch
 patches.suse/NFS-pnfs-Fix-pnfs_generic_prepare_to_resend_writes.patch
+ patches.suse/NFSv4.x-recover-from-pre-mature-loss-of-openstateid.patch
 patches.suse/NFS-Fix-memory-leaks-and-corruption-in-readdir.patch
 patches.suse/NFS-Directory-page-cache-pages-need-to-be-locked-whe.patch
 patches.suse/NFSv4-try-lease-recovery-on-NFS4ERR_EXPIRED.patch
@@ -54700,6 +54706,7 @@
 patches.suse/kconfig-fix-broken-dependency-in-randconfig-generate.patch
 patches.suse/arm64-ssbs-Fix-context-switch-when-SSBS-is-present-o.patch
 patches.suse/drm-msm-Set-dma-maximum-segment-size-for-mdss.patch
+ patches.suse/0001-drm-vgem-Close-use-after-free-race-in-vgem_gem_creat.patch
 patches.suse/ALSA-usb-audio-Apply-48kHz-fixed-rate-playback-for-J.patch
 patches.suse/ALSA-usb-audio-Fix-UAC2-3-effect-unit-parsing.patch
 patches.suse/0001-ALSA-usb-audio-Apply-sample-rate-quirk-for-Audioengi.patch
@@ -57030,11 +57037,13 @@
 patches.suse/tracing-use-trace_sched_process_free-instead-of-exit-for-pid-tracing.patch
 patches.suse/PCI-ASPM-Add-missing-newline-in-sysfs-policy.patch
 patches.suse/PCI-Fix-pci_cfg_wait-queue-locking-problem.patch
+ patches.suse/PCI-Add-device-even-if-driver-attach-failed.patch
 patches.suse/PCI-Fix-pci_create_slot-reference-count-leak.patch
 patches.suse/PCI-Release-IVRS-table-in-AMD-ACS-quirk.patch
 patches.suse/PCI-switchtec-Add-missing-__iomem-and-__user-tags-to.patch
 patches.suse/PCI-switchtec-Add-missing-__iomem-tag-to-fix-sparse-.patch
 patches.suse/PCI-qcom-Add-missing-ipq806x-clocks-in-PCIe-driver.patch
+ patches.suse/PCI-qcom-Change-duplicate-PCI-reset-to-phy-reset.patch
 patches.suse/PCI-qcom-Add-missing-reset-for-ipq806x.patch
 patches.suse/PCI-qcom-Define-some-PARF-params-needed-for-ipq8064-.patch
 patches.suse/PCI-qcom-Add-support-for-tx-term-offset-for-rev-2.1..patch
@@ -57827,6 +57836,7 @@
 patches.suse/0012-xen-events-block-rogue-events-for-some-time.patch
 patches.suse/iommu-vt-d-don-t-dereference-iommu_device-if-iommu_api-is-not-built
 patches.suse/power-supply-test_power-add-missing-newlines-when-pr.patch
+ patches.suse/NFSv4-Wait-for-stateid-updates-after-CLOSE-OPEN_DOWN.patch
 patches.suse/NFS-fix-nfs_path-in-case-of-a-rename-retry.patch
 patches.suse/NFSv4.2-support-EXCHGID4_FLAG_SUPP_FENCE_OPS-4.2-EXC.patch
 patches.suse/ceph-promote-to-unsigned-long-long-before-shifting.patch
@@ -57841,6 +57851,8 @@
 patches.suse/ext4-limit-entries-returned-when-counting-fsmap-reco.patch
 patches.suse/ext4-fix-invalid-inode-checksum.patch
 patches.suse/x86-PCI-Fix-intel_mid_pci.c-build-error-when-ACPI-is.patch
+ patches.suse/PCI-iproc-Set-affinity-mask-on-MSI-interrupts.patch
+ patches.suse/PCI-qcom-Make-sure-PCIe-is-reset-before-init-for-rev.patch
 patches.suse/clk-ti-clockdomain-fix-static-checker-warning.patch
 patches.suse/clk-at91-remove-the-checking-of-parent_name.patch
 patches.suse/clk-at91-clk-main-update-key-before-writing-AT91_CKG.patch
@@ -58001,6 +58013,7 @@
 patches.suse/ALSA-usb-audio-add-usb-vendor-id-as-DSD-capable-for-.patch
 patches.suse/ALSA-usb-audio-Add-implicit-feedback-quirk-for-MODX.patch
 patches.suse/ALSA-usb-audio-Add-implicit-feedback-quirk-for-Qu-16.patch
+ patches.suse/scsi-scsi_dh_alua-Avoid-crash-during-alua_bus_detach.patch
 patches.suse/ceph-check-session-state-after-bumping-session-s_seq.patch
 patches.suse/nvme-introduce-nvme_sync_io_queues.patch
 patches.suse/nvme-rdma-avoid-race-between-time-out-and-tear-down.patch
@@ -58134,6 +58147,7 @@
 patches.suse/ibmvnic-skip-tx-timeout-reset-while-in-resetting.patch
 patches.suse/iwlwifi-pcie-limit-memory-read-spin-time.patch
 patches.suse/iwlwifi-mvm-fix-kernel-panic-in-case-of-assert-durin.patch
+ patches.suse/01-tcp-fix-race-condition-when-creating-child-sockets-from-syncookies.patch
 patches.suse/i40e-Fix-removing-driver-while-bare-metal-VFs-pass-t.patch
 patches.suse/nfc-s3fwrn5-use-signed-integer-for-parsing-GPIO-numb.patch
 patches.suse/net-ena-handle-bad-request-id-in-ena_netdev.patch
@@ -58381,7 +58395,9 @@
 patches.suse/cpufreq-scpi-Add-missing-MODULE_ALIAS.patch
 patches.suse/Revert-ACPI-resources-Use-AE_CTRL_TERMINATE-to-termi.patch
 patches.suse/PCI-Fix-pci_slot_release-NULL-pointer-dereference.patch
+ patches.suse/PCI-Fix-overflow-in-command-line-resource-alignment-.patch
 patches.suse/PCI-Add-function-1-DMA-alias-quirk-for-Marvell-9215-.patch
+ patches.suse/PCI-iproc-Fix-out-of-bound-array-accesses.patch
 patches.suse/btrfs-remove-err-variable-from-do_relocation.patch
 patches.suse/jfs-Fix-array-index-bounds-check-in-dbAdjTree.patch
 patches.suse/nfsd-Fix-message-level-for-normal-termination.patch
@@ -58685,6 +58701,7 @@
 patches.suse/powerpc-Fix-alignment-bug-within-the-init-sections.patch
 patches.suse/spi-cadence-cache-reference-clock-rate-during-probe.patch
 patches.suse/nfsd4-readdirplus-shouldn-t-return-parent-of-export.patch
+ patches.suse/02-tcp-fix-potential-use-after-free-due-to-double-kfree.patch
 patches.suse/can-dev-can_restart-fix-use-after-free-bug.patch
 patches.suse/can-vxcan-vxcan_xmit-fix-use-after-free-bug.patch
 patches.suse/btrfs-send-fix-invalid-clone-operations-when-cloning-from-the-same-file-and-root.patch
@@ -58863,6 +58880,7 @@
 patches.suse/media-media-pci-Fix-memleak-in-empress_init.patch
 patches.suse/media-tm6000-Fix-memleak-in-tm6000_start_stream.patch
 patches.suse/media-pwc-Use-correct-device-for-DMA.patch
+ patches.suse/media-lmedm04-Fix-misuse-of-comma.patch
 patches.suse/media-qm1d1c0042-fix-error-return-code-in-qm1d1c0042.patch
 patches.suse/media-cx25821-Fix-a-bug-when-reallocating-some-dma-m.patch
 patches.suse/media-pxa_camera-declare-variable-when-DEBUG-is-defi.patch
@@ -59731,6 +59749,7 @@
 patches.suse/ASoC-cs42l42-Regmap-must-use_single_read-write.patch
 patches.suse/ASoC-sti-sas-add-missing-MODULE_DEVICE_TABLE.patch
 patches.suse/ASoC-cs35l33-fix-an-error-code-in-probe.patch
+ patches.suse/fs-nfs-Use-fatal_signal_pending-instead-of-signal_pe.patch
 patches.suse/NFS-fix-an-incorrect-limit-in-filelayout_decode_layo.patch
 patches.suse/SUNRPC-in-case-of-backlog-hand-free-slots-directly-t.patch
 patches.suse/NFSv4-Fix-a-NULL-pointer-dereference-in-pnfs_mark_ma.patch
@@ -60238,6 +60257,7 @@
 patches.suse/smb3-rc-uninitialized-in-one-fallocate-path.patch
 patches.suse/clk-stm32f4-fix-post-divisor-setup-for-I2S-SAI-PLLs.patch
 patches.suse/media-rtl28xxu-fix-zero-length-control-request.patch
+ patches.suse/media-videobuf2-core-dequeue-if-start_streaming-fail.patch
 patches.suse/pcmcia-i82092-fix-a-null-pointer-dereference-bug.patch
 patches.suse/Bluetooth-defer-cleanup-of-resources-in-hci_unregist.patch
 patches.suse/nfp-update-ethtool-reporting-of-pauseframe-control.patch
@@ -60341,8 +60361,17 @@
 patches.suse/tty-hvc-replace-BUG_ON-with-negative-return-value.patch
 patches.suse/tty-serial-fsl_lpuart-fix-the-wrong-mapbase-value.patch
 patches.suse/usb-host-xhci-rcar-Don-t-reload-firmware-after-the-c.patch
+ patches.suse/media-uvc-don-t-do-DMA-on-stack.patch
+ patches.suse/media-rc-loopback-return-number-of-emitters-rather-t.patch
+ patches.suse/media-dvb-usb-fix-uninit-value-in-dvb_usb_adapter_dv.patch
+ patches.suse/media-dvb-usb-fix-uninit-value-in-vp702x_read_mac_ad.patch
 patches.suse/media-go7007-fix-memory-leak-in-go7007_usb_probe.patch
+ patches.suse/media-stkwebcam-fix-memory-leak-in-stk_camera_probe.patch
 patches.suse/0007-drm-gma500-Fix-end-of-loop-tests-for-list_for_each_e.patch
+ patches.suse/drm-add-a-locked-version-of-drm_is_current_master.patch
+ patches.suse/drm-serialize-drm_file.master-with-a-new-spinlock.patch
+ patches.suse/drm-protect-drm_master-pointers-in-drm_lease.c.patch
+ patches.suse/drm-use-the-lookup-lock-in-drm_is_current_master.patch
 patches.suse/0009-drm-msm-dsi-Fix-some-reference-counted-resource-leak.patch
 patches.suse/soc-aspeed-lpc-ctrl-Fix-boundary-check-for-mmap.patch
 patches.suse/ext4-fix-race-writing-to-an-inline_data-file-while-i.patch
@@ -60470,6 +60499,7 @@
 patches.suse/powerpc-perf-Fix-the-check-for-SIAR-value.patch
 patches.suse/SUNRPC-Simplify-socket-shutdown-when-not-reusing-TCP.patch
 patches.suse/fuse-truncate-pagecache-on-atomic_o_trunc.patch
+ patches.suse/0002-backlight-pwm_bl-Improve-bootloader-kernel-device-ha.patch
 patches.suse/KVM-s390-index-kvm-arch.idle_mask-by-vcpu_idx
 patches.suse/net-hso-add-failure-handler-for-add_net_device.patch
 patches.suse/qlcnic-Remove-redundant-unlock-in-qlcnic_pinit_from_.patch
@@ -60478,6 +60508,7 @@
 patches.suse/SUNRPC-improve-error-response-to-over-size-gss-crede.patch
 patches.suse/mm-hugetlb-initialize-hugetlb_usage-in-mm_init.patch
 patches.suse/s390-unwind-use-current_frame_address-to-unwind-current-task.patch
+ patches.suse/0003-fbmem-don-t-allow-too-huge-resolutions.patch
 patches.suse/cifs-properly-invalidate-cached-root-handle-when-closing-it.patch
 patches.suse/time-Handle-negative-seconds-correctly-in-timespec64.patch
 patches.suse/drivers-base-cacheinfo-Get-rid-of-DEFINE_SMP_CALL_CA.patch
@@ -60523,10 +60554,12 @@
 patches.suse/ocfs2-drop-acl-cache-for-directories-too.patch
 patches.suse/RDMA-cma-Ensure-rdma_addr_cancel-happens-before-issu.patch
 patches.suse/Revert-ibmvnic-check-failover_pending-in-login-respo.patch
+ patches.suse/mac80211-mesh-fix-potentially-unaligned-access.patch
 patches.suse/scsi-qla2xxx-Fix-excessive-messages-during-device-lo.patch
 patches.suse/scsi-csiostor-Add-module-softdep-on-cxgb4
 patches.suse/ext4-fix-reserved-space-counter-leakage.patch
 patches.suse/ext4-fix-potential-infinite-loop-in-ext4_dx_readdir.patch
+ patches.suse/ovl-fix-missing-negative-dentry-check-in-ovl_rename.patch
 patches.suse/gve-Correct-available-tx-qpl-check.patch
 patches.suse/gve-Avoid-freeing-NULL-pointer.patch
 patches.suse/gve-Properly-handle-errors-in-gve_assign_qpl.patch
@@ -60550,6 +60583,7 @@
 patches.suse/platform-mellanox-mlxreg-io-Fix-argument-base-in-kst.patch
 patches.suse/nfc-nci-fix-the-UAF-of-rf_conn_info-object.patch
 patches.suse/mqprio-Correct-stats-in-mqprio_dump_class_stats.patch
+ patches.suse/isdn-cpai-check-ctr-cnr-to-avoid-array-index-out-of-bound.patch
 patches.suse/msft-hv-2444-net-mana-Fix-error-handling-in-mana_create_rxq.patch
 patches.suse/sctp-account-stream-padding-length-for-reconf-chunk.patch
 patches.suse/USB-xhci-dbc-fix-tty-registration-race.patch
@@ -60590,6 +60624,8 @@
 patches.suse/x86-bugs-unconditionally-allow-spectre_v2-retpoline-amd.patch
 patches.suse/edac-amd64-handle-three-rank-interleaving-mode.patch
 patches.suse/edac-sb_edac-fix-top-of-high-memory-value-for-broadwell-haswell.patch
+ patches.suse/media-dvb-usb-fix-ununit-value-in-az6027_rc_query.patch
+ patches.suse/media-v4l2-ioctl-S_CTRL-output-the-right-value.patch
 patches.suse/tracing-use-ps-format-string-to-print-symbols.patch
 patches.suse/crypto-qat-detect-PFVF-collision-after-ACK.patch
 patches.suse/crypto-qat-disregard-spurious-PFVF-interrupts.patch
@@ -60605,10 +60641,23 @@
 patches.suse/gve-Add-netif_set_xps_queue-call.patch
 patches.suse/gve-Allow-pageflips-on-larger-pages.patch
 patches.suse/gve-Track-RX-buffer-allocation-failures.patch
+ patches.suse/b43legacy-fix-a-lower-bounds-test.patch
+ patches.suse/b43-fix-a-lower-bounds-test.patch
+ patches.suse/mwifiex-Read-a-PCI-register-after-writing-the-TX-rin.patch
+ patches.suse/mwifiex-Send-DELBA-requests-according-to-spec.patch
+ patches.suse/ath9k-Fix-potential-interrupt-storm-on-queue-reset.patch
+ patches.suse/ath10k-fix-max-antenna-gain-unit.patch
 patches.suse/gve-Add-RX-context.patch
 patches.suse/gve-Implement-packet-continuation-for-RX.patch
 patches.suse/gve-Add-a-jumbo-frame-device-option.patch
 patches.suse/msft-hv-2459-net-mana-Allow-setting-the-number-of-queues-while-th.patch
+ patches.suse/libertas_tf-Fix-possible-memory-leak-in-probe-and-di.patch
+ patches.suse/libertas-Fix-possible-memory-leak-in-probe-and-disco.patch
+ patches.suse/wcn36xx-Fix-HT40-capability-for-2Ghz-band.patch
+ patches.suse/wcn36xx-add-proper-DMA-memory-barriers-in-rx-path.patch
+ patches.suse/ath6kl-fix-control-message-timeout.patch
+ patches.suse/ath6kl-fix-division-by-zero-in-send-path.patch
+ patches.suse/rtl8187-fix-control-message-timeouts.patch
 patches.suse/msft-hv-2473-net-mana-Fix-the-netdev_err-s-vPort-argument-in-mana.patch
 patches.suse/msft-hv-2475-net-mana-Improve-the-HWC-error-handling.patch
 patches.suse/msft-hv-2476-net-mana-Support-hibernation-and-kexec.patch
@@ -60627,6 +60676,7 @@
 patches.suse/USB-chipidea-fix-interrupt-deadlock.patch
 patches.suse/USB-iowarrior-fix-control-message-timeouts.patch
 patches.suse/USB-serial-keyspan-fix-memleak-on-probe-errors.patch
+ patches.suse/0004-video-fbdev-chipsfb-use-memset_io-instead-of-memset.patch
 patches.suse/powerpc-pseries-cpuhp-cache-node-corrections.patch
 patches.suse/powerpc-pseries-cpuhp-delete-add-remove_by_count-cod.patch
 patches.suse/powerpc-pseries-mobility-ignore-ibm-platform-facilit.patch
@@ -60682,6 +60732,7 @@
 patches.suse/soc-fsl-dpio-replace-smp_processor_id-with-raw_smp_p.patch
 patches.suse/arm64-pgtable-make-__pte_to_phys-__phys_to_pte_val-i.patch
 patches.suse/pnfs-flexfiles-Fix-misplaced-barrier-in-nfs4_ff_layo.patch
+ patches.suse/NFSv4-Fix-a-regression-in-nfs_set_open_stateid_locke.patch
 patches.suse/nfsd-don-t-alloc-under-spinlock-in-rpc_parse_scope_i.patch
 patches.suse/ext4-fix-lazy-initialization-next-schedule-time-comp.patch
 patches.suse/ext4-check-for-out-of-order-index-extents-in-ext4_va.patch
@@ -60723,6 +60774,7 @@
 patches.suse/cifs-fix-memory-leak-of-smb3_fs_context_dup-server_hostname.patch
 patches.suse/cifs-fix-potential-use-after-free-bugs.patch
 patches.suse/printk-Remove-printk.h-inclusion-in-percpu.h.patch
+ patches.suse/0005-parisc-sticon-fix-reverse-colors.patch
 patches.suse/btrfs-fix-memory-ordering-between-normal-and-ordered-work-functions.patch
 patches.suse/atlantic-Fix-OOB-read-and-write-in-hw_atl_utils_fw_r.patch
 patches.suse/iavf-prevent-accidental-free-of-filter-structure.patch
@@ -60744,6 +60796,7 @@
 patches.suse/xen-don-t-continue-xenstore-initialization-in-case-o.patch
 patches.suse/xen-detect-uninitialized-xenbus-in-xenbus_init.patch
 patches.suse/usb-dwc2-hcd_queue-Fix-use-of-floating-point-literal.patch
+ patches.suse/usb-hub-Fix-usb-enumeration-issue-due-to-address0-ra.patch
 patches.suse/USB-serial-option-add-Telit-LE910S1-0x9200-compositi.patch
 patches.suse/USB-serial-option-add-Fibocom-FM101-GL-variants.patch
 patches.suse/fuse-release-pipe-buf-after-last-use.patch
@@ -60762,6 +60815,7 @@
 patches.suse/scsi-lpfc-Fix-non-recovery-of-remote-ports-following.patch
 patches.suse/cifs-fix-missed-refcounting-of-ipc-tcon.patch
 patches.suse/x86-xen-add-xenpv_restore_regs_and_return_to_usermode.patch
+ patches.suse/usb-typec-tcpm-Wait-in-SNK_DEBOUNCED-until-disconnec.patch
 patches.suse/x86-sme-explicitly-map-new-efi-memmap-table-as-encrypted.patch
 patches.suse/net-cdc_ncm-Allow-for-dwNtbOutMaxSize-to-be-unset-or.patch
 patches.suse/gve-fix-for-null-pointer-dereference.patch
@@ -60801,12 +60855,16 @@
 patches.suse/net-ena-Fix-error-handling-when-calculating-max-IO-q.patch
 patches.suse/rndis_host-support-Hytera-digital-radios.patch
 patches.suse/i40e-Fix-for-displaying-message-regarding-NVM-versio.patch
+ patches.suse/i40e-Fix-incorrect-netdev-s-real-number-of-RX-TX-que.patch
 patches.suse/iavf-Fix-limit-of-total-number-of-queues-to-active-q.patch
+ patches.suse/ieee802154-atusb-fix-uninit-value-in-atusb_set_exten.patch
 patches.suse/tracing-Fix-check-for-trace_percpu_buffer-validity-in-get_trace_buf.patch
 patches.suse/RDMA-core-Don-t-infoleak-GRH-fields.patch
 patches.suse/cgroup-Use-open-time-credentials-for-process-migraton-perm-checks.patch
 patches.suse/cgroup-Allocate-cgroup_file_ctx-for-kernfs_open_file-priv.patch
 patches.suse/cgroup-Use-open-time-cgroup-namespace-for-process-migration-perm-checks.patch
+ patches.suse/random-fix-data-race-on-crng_node_pool.patch
+ patches.suse/media-em28xx-fix-memory-leak-in-em28xx_init_dev.patch
 patches.suse/Bluetooth-bfusb-fix-division-by-zero-in-send-path.patch
 patches.suse/msft-hv-2486-net-mana-Add-XDP-support.patch
 patches.suse/ibmvnic-Update-driver-return-codes.patch
@@ -60818,6 +60876,7 @@
 patches.suse/gve-Implement-suspend-resume-shutdown.patch
 patches.suse/gve-Add-consumed-counts-to-ethtool-stats.patch
 patches.suse/msft-hv-2498-net-mana-Add-RX-fencing.patch
+ patches.suse/net-ethernet-mtk_eth_soc-fix-return-values-and-refac.patch
 patches.suse/net-ena-Change-return-value-of-ena_calc_io_queue_siz.patch
 patches.suse/net-ena-Add-capabilities-field-with-support-for-ENI-.patch
 patches.suse/net-ena-Change-ENI-stats-support-check-to-use-capabi.patch
@@ -60827,6 +60886,9 @@
 patches.suse/net-ena-Add-debug-prints-for-invalid-req_id-resets.patch
 patches.suse/net-ena-Change-the-name-of-bad_csum-variable.patch
 patches.suse/net-ena-Extract-recurring-driver-reset-code-into-a-f.patch
+ patches.suse/can-gs_usb-fix-use-of-uninitialized-variable-detach-.patch
+ patches.suse/ppp-ensure-minimum-packet-size-in-ppp_write.patch
+ patches.suse/fsl-fman-Check-for-null-pointer-after-calling-devm_i.patch
 patches.suse/net-mlx5e-Fix-page-DMA-map-unmap-attributes.patch
 patches.suse/net-mcs7830-handle-usb-read-errors-properly.patch
 patches.suse/select-Fix-indefinitely-sleeping-task-in-poll_schedu.patch
@@ -60844,6 +60906,8 @@
 patches.suse/0002-usb-Introduce-Xen-pvUSB-frontend-xen-hcd.patch
 patches.suse/usb-host-xen-hcd-add-missing-unlock-in-error-path.patch
 patches.suse/usb-ftdi-elan-fix-memory-leak-on-device-disconnect.patch
+ patches.suse/USB-Fix-slab-out-of-bounds-Write-bug-in-usb_hcd_poll.patch
+ patches.suse/USB-core-Fix-bug-in-resuming-hub-s-handling-of-wakeu.patch
 patches.suse/RDMA-bnxt_re-Scan-the-whole-bitmap-when-checking-if-.patch
 patches.suse/RDMA-hns-Validate-the-pkey-index.patch
 patches.suse/RDMA-core-Let-ib_find_gid-continue-search-even-after.patch
@@ -60861,6 +60925,7 @@
 patches.suse/scsi-lpfc-Update-lpfc-version-to-14.0.0.4.patch
 patches.suse/qla2xxx-synchronize-rport-dev_loss_tmo-setting.patch
 patches.suse/powerpc-prom_init-Fix-improper-check-of-prom_getprop.patch
+ patches.suse/char-mwave-Adjust-io-port-register-size.patch
 patches.suse/PCI-Add-function-1-DMA-alias-quirk-for-Marvell-88SE9.patch
 patches.suse/livepatch-Avoid-CPU-hogging-with-cond_resched.patch
 patches.suse/tracing-kprobes-nmissed-not-showed-correctly-for-kretprobe.patch
@@ -60908,10 +60973,13 @@
 patches.suse/tipc-improve-size-validations-for-received-domain-re.patch
 patches.suse/ixgbevf-Require-large-buffers-for-build_skb-on-82599.patch
 patches.suse/gve-Recording-rx-queue-before-sending-to-napi.patch
+ patches.suse/usb-ulpi-Move-of_node_put-to-ulpi_dev_release.patch
+ patches.suse/usb-ulpi-Call-of_node_put-correctly.patch
 patches.suse/net-usb-ax88179_178a-Fix-out-of-bounds-accesses-in-R.patch
 patches.suse/USB-serial-ch341-add-support-for-GW-Instek-USB2.0-Se.patch
 patches.suse/USB-serial-option-add-ZTE-MF286D-modem.patch
 patches.suse/USB-serial-ftdi_sio-add-support-for-Brainboxes-US-15.patch
+ patches.suse/USB-serial-cp210x-add-NCR-Retail-IO-box-id.patch
 patches.suse/USB-serial-cp210x-add-CPI-Bulk-Coin-Recycler-id.patch
 patches.suse/scsi-lpfc-Remove-NVMe-support-if-kernel-has-NVME_FC-.patch
 patches.suse/scsi-lpfc-Reduce-log-messages-seen-after-firmware-do.patch
@@ -60925,6 +60993,7 @@
 patches.suse/ibmvnic-schedule-failover-only-if-vioctl-fails.patch
 patches.suse/xhci-re-initialize-the-HC-during-resume-if-HCE-was-s.patch
 patches.suse/xhci-Prevent-futile-URB-re-submissions-due-to-incorr.patch
+ patches.suse/Revert-USB-serial-ch341-add-new-Product-ID-for-CH341.patch
 patches.suse/USB-serial-option-add-support-for-DW5829e.patch
 patches.suse/USB-serial-option-add-Telit-LE910R1-compositions.patch
 patches.suse/RDMA-ib_srp-Fix-a-deadlock.patch
@@ -60947,6 +61016,7 @@
 patches.suse/x86-speculation-use-generic-retpoline-by-default-on-amd.patch
 patches.suse/x86-speculation-warn-about-spectre-v2-lfence-mitigation.patch
 patches.suse/x86-speculation-warn-about-eibrs-lfence-unprivileged-ebpf-smt.patch
+ patches.suse/fuse-fix-pipe-buffer-lifetime-for-direct_io.patch
 patches.suse/xen-xenbus-don-t-let-xenbus_grant_ring-remove-grants.patch
 patches.suse/xen-grant-table-add-gnttab_try_end_foreign_access.patch
 patches.suse/xen-blkfront-don-t-use-gnttab_query_foreign_access-f.patch
@@ -60958,8 +61028,18 @@
 patches.suse/xen-gnttab-fix-gnttab_end_foreign_access-without-pag.patch
 patches.suse/xen-netfront-react-properly-to-failing-gnttab_end_fo.patch
 patches.suse/esp-Fix-possible-buffer-overflow-in-ESP-transformati.patch
+ patches.suse/af_key-add-__GFP_ZERO-flag-for-compose_sadb_supporte.patch
+ patches.suse/hwrng-cavium-HW_RANDOM_CAVIUM-should-depend-on-ARCH_.patch
+ patches.suse/hwrng-atmel-disable-trng-on-failure-path.patch
+ patches.suse/NFSD-prevent-underflow-in-nfssvc_decode_writeargs.patch
 patches.suse/printk-Add-panic_in_progress-helper.patch
 patches.suse/printk-disable-optimistic-spin-during-panic.patch
+ patches.suse/0008-video-fbdev-smscufx-Fix-null-ptr-deref-in-ufx_usb_pr.patch
+ patches.suse/0009-video-fbdev-atmel_lcdfb-fix-an-error-code-in-atmel_l.patch
+ patches.suse/0010-video-fbdev-fbcvt.c-fix-printing-in-fb_cvt_print_nam.patch
+ patches.suse/0011-video-fbdev-atari-Atari-2-bpp-STe-palette-bugfix.patch
+ patches.suse/0012-video-fbdev-sm712fb-Fix-crash-in-smtcfb_read.patch
+ patches.suse/0013-video-fbdev-omapfb-Add-missing-of_node_put-in-dvic_p.patch
 patches.suse/ALSA-pcm-Fix-races-among-concurrent-hw_params-and-hw.patch
 patches.suse/ALSA-pcm-Fix-races-among-concurrent-read-write-and-b.patch
 patches.suse/ALSA-pcm-Fix-races-among-concurrent-prepare-and-hw_p.patch
@@ -61037,10 +61117,17 @@
 patches.suse/powerpc-xive-fix-return-value-of-__setup-handler.patch
 patches.suse/powerpc-tm-Fix-more-userspace-r13-corruption.patch
 patches.suse/powerpc-pseries-Fix-use-after-free-in-remove_phb_dyn.patch
+ patches.suse/USB-serial-simple-add-Nokia-phone-driver.patch
+ patches.suse/USB-serial-pl2303-add-IBM-device-IDs.patch
 patches.suse/USB-storage-ums-realtek-fix-error-code-in-rts51x_rea.patch
+ patches.suse/USB-usb-storage-Fix-use-of-bitfields-for-hardware-da.patch
+ patches.suse/mxser-fix-xmit_buf-leak-in-activate-when-LSR-0xff.patch
 patches.suse/xen-fix-is_xen_pmu.patch
 patches.suse/livepatch-Don-t-block-removal-of-patches-that-are-safe-to-unload.patch
+ patches.suse/net-x25-Fix-null-ptr-deref-caused-by-x25_disconnect.patch
+ patches.suse/ptrace-Check-PTRACE_O_SUSPEND_SECCOMP-permission-on-PTRACE_SEIZE.patch
 patches.suse/NFS-Return-valid-errors-from-nfs2-3_decode_dirent.patch
+ patches.suse/SUNRPC-avoid-race-between-mod_timer-and-del_timer_sy.patch
 patches.suse/NFSv4.1-don-t-retry-BIND_CONN_TO_SESSION-on-session-.patch
 patches.suse/NFSv4-pNFS-Fix-another-issue-with-a-list-iterator-po.patch
 patches.suse/can-ems_usb-ems_usb_start_xmit-fix-double-dev_kfree_.patch
@@ -61049,6 +61136,17 @@ patches.suse/cifs-do-not-skip-link-targets-when-an-I-O-fails.patch patches.suse/xen-blkfront-fix-comment-for-need_copy.patch patches.suse/x86-sev-unroll-string-mmio-with-cc_attr_guest_unroll_string_io + patches.suse/x86-pm-save-the-msr-validity-status-at-context-setup.patch + patches.suse/x86-speculation-restore-speculation-related-msrs-during-s3-resume.patch + patches.suse/random-check-for-signal_pending-outside-of-need_resc.patch + patches.suse/Revert-NFSv4-Handle-the-special-Linux-file-open-acce.patch + patches.suse/NFSv4-fix-open-failure-with-O_ACCMODE-flag.patch + patches.suse/SUNRPC-Handle-low-memory-situations-in-call_status.patch + patches.suse/powerpc-perf-Fix-power9-event-alternatives.patch + patches.suse/0014-video-fbdev-udlfb-properly-check-endpoint-type.patch + patches.suse/bnx2x-fix-napi-API-usage-sequence.patch + patches.suse/Revert-ibmvnic-Add-ethtool-private-flag-for-driver-d.patch + patches.suse/USB-Fix-xhci-event-ring-dequeue-pointer-ERDP-update-.patch # dhowells/linux-fs keys-uefi patches.suse/0001-KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch @@ -61490,7 +61588,6 @@ patches.suse/SUNRPC-prevent-port-reuse-on-transports-which-don-t-.patch patches.suse/sunrpc-gss-timeout.patch patches.suse/SUNRPC-change-locking-for-xs_swap_enable-disable.patch - patches.suse/SUNRPC-avoid-race-between-mod_timer-and-del_timer_sy.patch ######################################################## # Overlayfs @@ -61583,6 +61680,7 @@ patches.suse/0001-drm-qxl-Return-error-if-fbdev-is-not-32-bpp.patch patches.kabi/drm_connector-registration_state-kABI-workaround.patch patches.suse/drm-fix-spectre-issue-in-vmw_execbuf_ioctl.patch + patches.kabi/drm-drm_file-kabi-workaround.patch ######################################################## # Out-of-tree networking 
@@ -61938,6 +62036,30 @@ patches.kabi/scsi-fc-kABI-fixes-for-new-ELS_FPIN-definition.patch + # bsc#1191580 + patches.suse/0001-arm64-entry.S-Add-ventry-overflow-sanity-checks.patch + patches.suse/0002-arm64-entry-Make-the-trampoline-cleanup-optional.patch + patches.suse/0003-arm64-entry-Free-up-another-register-on-kpti-s-tramp.patch + patches.suse/0004-arm64-entry-Move-the-trampoline-data-page-before-the.patch + patches.suse/0005-arm64-entry-Allow-tramp_alias-to-access-symbols-afte.patch + patches.suse/0006-arm64-entry-Don-t-assume-tramp_vectors-is-the-start-.patch + patches.suse/0007-arm64-entry-Move-trampoline-macros-out-of-ifdef-d-se.patch + patches.suse/0008-arm64-entry-Make-the-kpti-trampoline-s-kpti-sequence.patch + patches.suse/0009-arm64-entry-Allow-the-trampoline-text-to-occupy-mult.patch + patches.suse/0010-arm64-entry-Add-non-kpti-__bp_harden_el1_vectors-for.patch + patches.suse/0011-arm64-entry-Add-vectors-that-have-the-bhb-mitigation.patch + patches.suse/0012-arm64-entry-Add-macro-for-reading-symbol-addresses-f.patch + patches.suse/0013-arm64-Add-percpu-vectors-for-EL1.patch + patches.suse/0014-arm64-proton-pack-Report-Spectre-BHB-vulnerabilities.patch + patches.suse/0015-arm64-Add-part-number-for-Arm-Cortex-A77.patch + patches.suse/0016-arm64-Add-Neoverse-N2-Cortex-A710-CPU-part-definitio.patch + patches.suse/0017-arm64-Add-Cortex-X2-CPU-part-definition.patch + patches.suse/0018-KVM-arm64-Add-templates-for-BHB-mitigation-sequences.patch + patches.suse/0019-arm64-Mitigate-spectre-style-branch-history-side-cha.patch + patches.suse/0020-KVM-arm64-Allow-SMCCC_ARCH_WORKAROUND_3-to-be-discov.patch + patches.suse/0021-arm64-add-ID_AA64ISAR2_EL1-sys-register.patch + patches.suse/0022-arm64-Use-the-clearbhb-instruction-in-mitigations.patch + # IFU kABI Fix patches.kabi/kABI-Fix-for-IFU-patches.patch 
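Review bot: The block added here is introduced only by `# bsc#1191580`, which does not say what the 22 arm64 entries are for or that they have to stay together. Judging by the patch names (`0014-arm64-proton-pack-Report-Spectre-BHB-vulnerabilities`, `0019-arm64-Mitigate-spectre-style-branch-history-side-cha`), this looks like the arm64 Spectre-BHB mitigation backport, so I would make the header `# bsc#1191580 arm64 Spectre-BHB mitigation series, keep 0001-0022 together and in order`. The later entries appear to build on the entry/trampoline rework in the earlier ones, so dropping or reordering a single entry during a future conflict resolution would likely leave the mitigation incomplete. That dependency is inferred from the file names and is not visible in this hunk.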
@@ -62032,6 +62154,11 @@ patches.kabi/kabi-revert-drop-of-Qdisc-atomic_qlen.patch patches.kabi/kabi-mask-new-member-empty-of-struct-Qdisc.patch patches.kabi/s390-AP-support-new-dynamic-AP-bus-size-limit + patches.kabi/tcp-fix-race-condition-when-creating-child-sockets-from-syncookies-kABI-fix.patch + + patches.kabi/NFSv4-Wait-for-stateid-updates-after-CLOSE-OPEN_DOWN_kabi.patch + patches.kabi/fuse-handle-kabi-change-in-struct-fuse_req.patch + patches.kabi/Revert-NFSv4-Handle-the-special-Linux-file-open-acce.kabi ######################################################## # You'd better have a good reason for adding a patch