Home| summaryrefslogtreecommitdiff |
diff options
| author | Johannes Thumshirn <jthumshirn@suse.de> | 2018-07-04 09:17:31 +0200 |
|---|---|---|
| committer | Johannes Thumshirn <jthumshirn@suse.de> | 2018-07-04 09:17:31 +0200 |
| commit | b28389e19fc1d717d555f0eb46a7dbcfb479c144 (patch) | |
| tree | 18efa50593ed39c97953dd9527ce3dc4d34827e8 | |
| parent | 206fdad37b78a0fc7a9f0e95621d0ee4edf89a4f (diff) | |
| parent | d721ca913efd6abc9a3de3741e25a4c840de0e14 (diff) | |
Merge remote-tracking branch 'origin/SLE15' into SLE12-SP4rpm-4.12.14-94.28--SLE-12-SP4-Server-Beta1rpm-4.12.14-94.28--SLE-12-SP4-SAP-Beta1rpm-4.12.14-94.28--SLE-12-SP4-Desktop-Beta1rpm-4.12.14-94.28
Conflicts:
series.conf
187 files changed, 12799 insertions, 185 deletions
diff --git a/patches.arch/kvm-nvmx-enforce-cpl-0-for-vmx-instructions b/patches.arch/kvm-nvmx-enforce-cpl-0-for-vmx-instructions new file mode 100644 index 0000000000..4919d334f6 --- /dev/null +++ b/patches.arch/kvm-nvmx-enforce-cpl-0-for-vmx-instructions @@ -0,0 +1,68 @@ +From: Felix Wilhelm <fwilhelm@google.com> +Date: Mon, 11 Jun 2018 09:43:44 +0200 +Subject: kvm: nVMX: Enforce cpl=0 for VMX instructions +Git-commit: 727ba748e110b4de50d142edca9d6a9b7e6111d8 +Patch-mainline: v4.18-rc1 +References: bsc#1099183 + +VMX instructions executed inside a L1 VM will always trigger a VM exit +even when executed with cpl 3. This means we must perform the +privilege check in software. + +Fixes: 70f3aac964ae("kvm: nVMX: Remove superfluous VMX instruction fault checks") +Cc: stable@vger.kernel.org +Signed-off-by: Felix Wilhelm <fwilhelm@google.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +Acked-by: Joerg Roedel <jroedel@suse.de> +--- + arch/x86/kvm/vmx.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index 709de996f063..4bf1f9de9332 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -7905,6 +7905,12 @@ static int handle_vmon(struct kvm_vcpu *vcpu) + return 1; + } + ++ /* CPL=0 must be checked manually. */ ++ if (vmx_get_cpl(vcpu)) { ++ kvm_queue_exception(vcpu, UD_VECTOR); ++ return 1; ++ } ++ + if (vmx->nested.vmxon) { + nested_vmx_failValid(vcpu, VMXERR_VMXON_IN_VMX_ROOT_OPERATION); + return kvm_skip_emulated_instruction(vcpu); +@@ -7964,6 +7970,11 @@ static int handle_vmon(struct kvm_vcpu *vcpu) + */ + static int nested_vmx_check_permission(struct kvm_vcpu *vcpu) + { ++ if (vmx_get_cpl(vcpu)) { ++ kvm_queue_exception(vcpu, UD_VECTOR); ++ return 0; ++ } ++ + if (!to_vmx(vcpu)->nested.vmxon) { + kvm_queue_exception(vcpu, UD_VECTOR); + return 0; +@@ -8283,7 +8294,7 @@ static int handle_vmread(struct kvm_vcpu *vcpu) + if (get_vmx_mem_address(vcpu, exit_qualification, + vmx_instruction_info, true, &gva)) + return 1; +- /* _system ok, as hardware has verified cpl=0 */ ++ /* _system ok, nested_vmx_check_permission has verified cpl=0 */ + kvm_write_guest_virt_system(&vcpu->arch.emulate_ctxt, gva, + &field_value, (is_long_mode(vcpu) ? 8 : 4), NULL); + } +@@ -8448,7 +8459,7 @@ static int handle_vmptrst(struct kvm_vcpu *vcpu) + if (get_vmx_mem_address(vcpu, exit_qualification, + vmx_instruction_info, true, &vmcs_gva)) + return 1; +- /* ok to use *_system, as hardware has verified cpl=0 */ ++ /* *_system ok, nested_vmx_check_permission has verified cpl=0 */ + if (kvm_write_guest_virt_system(&vcpu->arch.emulate_ctxt, vmcs_gva, + (void *)&to_vmx(vcpu)->nested.current_vmptr, + sizeof(u64), &e)) { + diff --git a/patches.drivers/ACPI-watchdog-properly-initialize-resources b/patches.drivers/ACPI-watchdog-properly-initialize-resources new file mode 100644 index 0000000000..b6a12ba780 --- /dev/null +++ b/patches.drivers/ACPI-watchdog-properly-initialize-resources @@ -0,0 +1,50 @@ +From 6ce14f6416c84bd9c81777edf899b57ac5000c87 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann <arnd@arndb.de> +Date: Tue, 19 Sep 2017 01:49:02 +0200 +Subject: [PATCH] ACPI / watchdog: properly initialize resources +Git-commit: 6ce14f6416c84bd9c81777edf899b57ac5000c87 +Patch-mainline: v4.14-rc2 +References: bsc#1051510 + +We copy a local resource structure into a list, but only +initialize some of its members, as pointed out by gcc-4.4: + +Drivers/acpi/acpi_watchdog.c: In function 'acpi_watchdog_init': +drivers/acpi/acpi_watchdog.c:105: error: 'res.child' may be used uninitialized in this function +drivers/acpi/acpi_watchdog.c:105: error: 'res.sibling' may be used uninitialized in this function +drivers/acpi/acpi_watchdog.c:105: error: 'res.parent' may be used uninitialized in this function +drivers/acpi/acpi_watchdog.c:105: error: 'res.desc' may be used uninitialized in this function +drivers/acpi/acpi_watchdog.c:105: error: 'res.name' may be used uninitialized in this function + +Newer compilers can presumably optimize the uninitialized access +away entirely and don't warn at all, but rely on the kzalloc() +to zero the structure first. This adds an explicit initialization +to force consistent behavior. + +Fixes: 058dfc767008 (ACPI / watchdog: Add support for WDAT hardware watchdog) +Signed-off-by: Arnd Bergmann <arnd@arndb.de> +Acked-by: Guenter Roeck <linux@roeck-us.net> +Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com> +Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> +Acked-by: Takashi Iwai <tiwai@suse.de> + +--- + drivers/acpi/acpi_watchdog.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/acpi_watchdog.c b/drivers/acpi/acpi_watchdog.c +index bf22c29d2517..11b113f8e367 100644 +--- a/drivers/acpi/acpi_watchdog.c ++++ b/drivers/acpi/acpi_watchdog.c +@@ -66,7 +66,7 @@ void __init acpi_watchdog_init(void) + for (i = 0; i < wdat->entries; i++) { + const struct acpi_generic_address *gas; + struct resource_entry *rentry; +- struct resource res; ++ struct resource res = {}; + bool found; + + gas = &entries[i].register_region; +-- +2.18.0 + diff --git a/patches.drivers/ALSA-hda-ca0132-Add-PCI-region2-iomap-for-SBZ b/patches.drivers/ALSA-hda-ca0132-Add-PCI-region2-iomap-for-SBZ index fb432b21ca..731c9e6816 100644 --- a/patches.drivers/ALSA-hda-ca0132-Add-PCI-region2-iomap-for-SBZ +++ b/patches.drivers/ALSA-hda-ca0132-Add-PCI-region2-iomap-for-SBZ @@ -25,17 +25,17 @@ Signed-off-by: Takashi Iwai <tiwai@suse.de> --- a/sound/pci/hda/patch_ca0132.c +++ b/sound/pci/hda/patch_ca0132.c -@@ -27,6 +27,9 @@ - #include <linux/mutex.h> +@@ -28,6 +28,9 @@ #include <linux/module.h> #include <linux/firmware.h> + #include <linux/kernel.h> +#include <linux/types.h> +#include <linux/io.h> +#include <linux/pci.h> #include <sound/core.h> #include "hda_codec.h" #include "hda_local.h" -@@ -763,6 +766,11 @@ struct ca0132_spec { +@@ -764,6 +767,11 @@ struct ca0132_spec { #ifdef ENABLE_TUNING_CONTROLS long cur_ctl_vals[TUNING_CTLS_COUNT]; #endif @@ -47,7 +47,7 @@ Signed-off-by: Takashi Iwai <tiwai@suse.de> }; /* -@@ -4702,6 +4710,8 @@ static void ca0132_free(struct hda_codec +@@ -4700,6 +4708,8 @@ static void ca0132_free(struct hda_codec snd_hda_sequence_write(codec, spec->base_exit_verbs); ca0132_exit_chip(codec); snd_hda_power_down(codec); @@ -56,7 +56,7 @@ Signed-off-by: Takashi Iwai <tiwai@suse.de> kfree(spec->spec_init_verbs); kfree(codec->spec); } -@@ -4917,6 +4927,15 @@ static int patch_ca0132(struct hda_codec +@@ -4915,6 +4925,15 @@ static int patch_ca0132(struct hda_codec else spec->quirk = QUIRK_NONE; diff --git a/patches.drivers/ALSA-hda-ca0132-Delete-pointless-assignments-to-stru b/patches.drivers/ALSA-hda-ca0132-Delete-pointless-assignments-to-stru new file mode 100644 index 0000000000..2a5fbcdc03 --- /dev/null +++ b/patches.drivers/ALSA-hda-ca0132-Delete-pointless-assignments-to-stru @@ -0,0 +1,73 @@ +From 7919cd82b9f9be97111be386cbaac59958800ef9 Mon Sep 17 00:00:00 2001 +From: Alastair Bridgewater <alastair.bridgewater@gmail.com> +Date: Fri, 15 Jun 2018 21:56:15 -0400 +Subject: [PATCH] ALSA: hda/ca0132: Delete pointless assignments to struct auto_pin_cfg fields +Git-commit: 7919cd82b9f9be97111be386cbaac59958800ef9 +Patch-mainline: v4.18-rc3 +References: bsc#1051510 + +ca0132_config() was setting some values in the auto_pin_cfg for +the codec... but it is called prior to snd_hda_parse_pin_defcfg(), +which does a memset() to clear the entire structure as one of its +first actions, making the entire exercise pointless. + +Kill all use of struct auto_pin_cfg from ca0132_config(). + +Signed-off-by: Alastair Bridgewater <alastair.bridgewater@gmail.com> +Signed-off-by: Takashi Iwai <tiwai@suse.de> + +--- + sound/pci/hda/patch_ca0132.c | 14 -------------- + 1 file changed, 14 deletions(-) + +diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c +index 04e949aa01ad..c66834a9bac6 100644 +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -7343,7 +7343,6 @@ static const struct hda_codec_ops ca0132_patch_ops = { + static void ca0132_config(struct hda_codec *codec) + { + struct ca0132_spec *spec = codec->spec; +- struct auto_pin_cfg *cfg = &spec->autocfg; + + spec->dacs[0] = 0x2; + spec->dacs[1] = 0x3; +@@ -7405,12 +7404,7 @@ static void ca0132_config(struct hda_codec *codec) + /* SPDIF I/O */ + spec->dig_out = 0x05; + spec->multiout.dig_out_nid = spec->dig_out; +- cfg->dig_out_pins[0] = 0x0c; +- cfg->dig_outs = 1; +- cfg->dig_out_type[0] = HDA_PCM_TYPE_SPDIF; + spec->dig_in = 0x09; +- cfg->dig_in_pin = 0x0e; +- cfg->dig_in_type = HDA_PCM_TYPE_SPDIF; + break; + case QUIRK_R3DI: + codec_dbg(codec, "%s: QUIRK_R3DI applied.\n", __func__); +@@ -7438,9 +7432,6 @@ static void ca0132_config(struct hda_codec *codec) + /* SPDIF I/O */ + spec->dig_out = 0x05; + spec->multiout.dig_out_nid = spec->dig_out; +- cfg->dig_out_pins[0] = 0x0c; +- cfg->dig_outs = 1; +- cfg->dig_out_type[0] = HDA_PCM_TYPE_SPDIF; + break; + default: + spec->num_outputs = 2; +@@ -7463,12 +7454,7 @@ static void ca0132_config(struct hda_codec *codec) + /* SPDIF I/O */ + spec->dig_out = 0x05; + spec->multiout.dig_out_nid = spec->dig_out; +- cfg->dig_out_pins[0] = 0x0c; +- cfg->dig_outs = 1; +- cfg->dig_out_type[0] = HDA_PCM_TYPE_SPDIF; + spec->dig_in = 0x09; +- cfg->dig_in_pin = 0x0e; +- cfg->dig_in_type = HDA_PCM_TYPE_SPDIF; + break; + } + } +-- +2.18.0 + diff --git a/patches.drivers/ALSA-hda-ca0132-Delete-redundant-UNSOL-event-request b/patches.drivers/ALSA-hda-ca0132-Delete-redundant-UNSOL-event-request new file mode 100644 index 0000000000..ef07f5e321 --- /dev/null +++ b/patches.drivers/ALSA-hda-ca0132-Delete-redundant-UNSOL-event-request @@ -0,0 +1,84 @@ +From a3d90d6775e2066a100b9124e40880bd317d2e02 Mon Sep 17 00:00:00 2001 +From: Alastair Bridgewater <alastair.bridgewater@gmail.com> +Date: Fri, 15 Jun 2018 21:56:16 -0400 +Subject: [PATCH] ALSA: hda/ca0132: Delete redundant UNSOL event requests +Git-commit: a3d90d6775e2066a100b9124e40880bd317d2e02 +Patch-mainline: v4.18-rc3 +References: bsc#1051510 + +During ca0132_init(), ca0132_init_unsol() is run before the +spec->spec_init_verbs are written. ca0132_init_unsol() calls +snd_hda_jack_detect_enable_callback(), which requests UNSOL events +for three or four nodes, two of which were also (redundantly) +requested by spec_init_verbs. + +Kill the redundant AC_VERB_SET_UNSOLICITED_ENABLE verbs. + +Signed-off-by: Alastair Bridgewater <alastair.bridgewater@gmail.com> +Signed-off-by: Takashi Iwai <tiwai@suse.de> + +--- + sound/pci/hda/patch_ca0132.c | 32 +++++++++++--------------------- + 1 file changed, 11 insertions(+), 21 deletions(-) + +diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c +index c66834a9bac6..dba731c0bf53 100644 +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -7462,7 +7462,7 @@ static void ca0132_config(struct hda_codec *codec) + static int ca0132_prepare_verbs(struct hda_codec *codec) + { + /* Verbs + terminator (an empty element) */ +-#define NUM_SPEC_VERBS 4 ++#define NUM_SPEC_VERBS 2 + struct ca0132_spec *spec = codec->spec; + + spec->chip_init_verbs = ca0132_init_verbs0; +@@ -7474,34 +7474,24 @@ static int ca0132_prepare_verbs(struct hda_codec *codec) + if (!spec->spec_init_verbs) + return -ENOMEM; + +- /* HP jack autodetection */ +- spec->spec_init_verbs[0].nid = spec->unsol_tag_hp; +- spec->spec_init_verbs[0].param = AC_VERB_SET_UNSOLICITED_ENABLE; +- spec->spec_init_verbs[0].verb = AC_USRSP_EN | spec->unsol_tag_hp; +- +- /* MIC1 jack autodetection */ +- spec->spec_init_verbs[1].nid = spec->unsol_tag_amic1; +- spec->spec_init_verbs[1].param = AC_VERB_SET_UNSOLICITED_ENABLE; +- spec->spec_init_verbs[1].verb = AC_USRSP_EN | spec->unsol_tag_amic1; +- + /* config EAPD */ +- spec->spec_init_verbs[2].nid = 0x0b; +- spec->spec_init_verbs[2].param = 0x78D; +- spec->spec_init_verbs[2].verb = 0x00; ++ spec->spec_init_verbs[0].nid = 0x0b; ++ spec->spec_init_verbs[0].param = 0x78D; ++ spec->spec_init_verbs[0].verb = 0x00; + + /* Previously commented configuration */ + /* +- spec->spec_init_verbs[3].nid = 0x0b; +- spec->spec_init_verbs[3].param = AC_VERB_SET_EAPD_BTLENABLE; ++ spec->spec_init_verbs[2].nid = 0x0b; ++ spec->spec_init_verbs[2].param = AC_VERB_SET_EAPD_BTLENABLE; ++ spec->spec_init_verbs[2].verb = 0x02; ++ ++ spec->spec_init_verbs[3].nid = 0x10; ++ spec->spec_init_verbs[3].param = 0x78D; + spec->spec_init_verbs[3].verb = 0x02; + + spec->spec_init_verbs[4].nid = 0x10; +- spec->spec_init_verbs[4].param = 0x78D; ++ spec->spec_init_verbs[4].param = AC_VERB_SET_EAPD_BTLENABLE; + spec->spec_init_verbs[4].verb = 0x02; +- +- spec->spec_init_verbs[5].nid = 0x10; +- spec->spec_init_verbs[5].param = AC_VERB_SET_EAPD_BTLENABLE; +- spec->spec_init_verbs[5].verb = 0x02; + */ + + /* Terminator: spec->spec_init_verbs[NUM_SPEC_VERBS-1] */ +-- +2.18.0 + diff --git a/patches.drivers/ALSA-hda-ca0132-Don-t-test-for-QUIRK_NONE b/patches.drivers/ALSA-hda-ca0132-Don-t-test-for-QUIRK_NONE new file mode 100644 index 0000000000..da7df24c36 --- /dev/null +++ b/patches.drivers/ALSA-hda-ca0132-Don-t-test-for-QUIRK_NONE @@ -0,0 +1,45 @@ +From 126b75e03894f3053b723130cb9b824e6f15d8e6 Mon Sep 17 00:00:00 2001 +From: Alastair Bridgewater <alastair.bridgewater@gmail.com> +Date: Fri, 15 Jun 2018 21:56:18 -0400 +Subject: [PATCH] ALSA: hda/ca0132: Don't test for QUIRK_NONE +Git-commit: 126b75e03894f3053b723130cb9b824e6f15d8e6 +Patch-mainline: v4.18-rc3 +References: bsc#1051510 + +QUIRK_NONE is, quite explicitly, the default case. The entire +point of a quirks system is to allow "programming by difference" +from a given base case, which requires that merely defining a new +quirk for some piece of hardware should not change the behavior of +the driver for that hardware. In turn, this means that testing +for QUIRK_NONE explicitly is a violation of that implicit contract. + +Change a test for QUIRK_NONE and QUIRK_ALIENWARE to default, and +add a test for QUIRK_SBZ to disable the default behavior in that +instance. + +Signed-off-by: Alastair Bridgewater <alastair.bridgewater@gmail.com> +Signed-off-by: Takashi Iwai <tiwai@suse.de> + +--- + sound/pci/hda/patch_ca0132.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c +index 25fccce1eff1..49635d1c9c39 100644 +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -7237,8 +7237,9 @@ static int ca0132_init(struct hda_codec *codec) + case QUIRK_R3DI: + r3di_setup_defaults(codec); + break; +- case QUIRK_NONE: +- case QUIRK_ALIENWARE: ++ case QUIRK_SBZ: ++ break; ++ default: + ca0132_setup_defaults(codec); + ca0132_init_analog_mic2(codec); + ca0132_init_dmic(codec); +-- +2.18.0 + diff --git a/patches.drivers/ALSA-hda-ca0132-Fix-DMic-data-rate-for-Alienware-M17 b/patches.drivers/ALSA-hda-ca0132-Fix-DMic-data-rate-for-Alienware-M17 new file mode 100644 index 0000000000..d8dd815172 --- /dev/null +++ b/patches.drivers/ALSA-hda-ca0132-Fix-DMic-data-rate-for-Alienware-M17 @@ -0,0 +1,64 @@ +From a57a46b93244a0a916b894d8b2ca2a6cfe1904d3 Mon Sep 17 00:00:00 2001 +From: Alastair Bridgewater <alastair.bridgewater@gmail.com> +Date: Fri, 15 Jun 2018 21:56:20 -0400 +Subject: [PATCH] ALSA: hda/ca0132: Fix DMic data rate for Alienware M17x R4 +Git-commit: a57a46b93244a0a916b894d8b2ca2a6cfe1904d3 +Patch-mainline: v4.18-rc3 +References: bsc#1051510 + +The commentary says to use various parameters, and lays out what +the mapping is... The code used a 32KHz rate when the comment +says that it needs to use a 48KHz rate. And this has been the +case since day one. + +On the Alienware M17x R4, the DMic used to have exceptionally quiet +pickup and a lot of noise. Changing the data rate fixes both of +these issues. + +Searching the kernel bug tracker for ca0132-related issues shows no +mention of this being an issue for other hardware, and I have no +other hardware to test with, so a quirk is used to limit the effect +to just the M17x R4. + +Signed-off-by: Alastair Bridgewater <alastair.bridgewater@gmail.com> +Signed-off-by: Takashi Iwai <tiwai@suse.de> + +--- + sound/pci/hda/patch_ca0132.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c +index 09ff85c622bb..d62c56feaf7d 100644 +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -991,6 +991,7 @@ struct ca0132_spec { + enum { + QUIRK_NONE, + QUIRK_ALIENWARE, ++ QUIRK_ALIENWARE_M17XR4, + QUIRK_SBZ, + QUIRK_R3DI, + }; +@@ -1040,6 +1041,7 @@ static const struct hda_pintbl r3di_pincfgs[] = { + }; + + static const struct snd_pci_quirk ca0132_quirks[] = { ++ SND_PCI_QUIRK(0x1028, 0x057b, "Alienware M17x R4", QUIRK_ALIENWARE_M17XR4), + SND_PCI_QUIRK(0x1028, 0x0685, "Alienware 15 2015", QUIRK_ALIENWARE), + SND_PCI_QUIRK(0x1028, 0x0688, "Alienware 17 2015", QUIRK_ALIENWARE), + SND_PCI_QUIRK(0x1028, 0x0708, "Alienware 15 R2 2016", QUIRK_ALIENWARE), +@@ -6130,7 +6132,10 @@ static void ca0132_init_dmic(struct hda_codec *codec) + * Bit 6: set to select Data2, clear for Data1 + * Bit 7: set to enable DMic, clear for AMic + */ +- val = 0x23; ++ if (spec->quirk == QUIRK_ALIENWARE_M17XR4) ++ val = 0x33; ++ else ++ val = 0x23; + /* keep a copy of dmic ctl val for enable/disable dmic purpuse */ + spec->dmic_ctl = val; + snd_hda_codec_write(codec, spec->input_pins[0], 0, +-- +2.18.0 + diff --git a/patches.drivers/ALSA-hda-ca0132-Restore-PCM-Analog-Mic-In2 b/patches.drivers/ALSA-hda-ca0132-Restore-PCM-Analog-Mic-In2 new file mode 100644 index 0000000000..7381ff7717 --- /dev/null +++ b/patches.drivers/ALSA-hda-ca0132-Restore-PCM-Analog-Mic-In2 @@ -0,0 +1,38 @@ +From 5f8ddc6ee63a9057522923a6b2eb8c51993e1db0 Mon Sep 17 00:00:00 2001 +From: Alastair Bridgewater <alastair.bridgewater@gmail.com> +Date: Fri, 15 Jun 2018 21:56:19 -0400 +Subject: [PATCH] ALSA: hda/ca0132: Restore PCM Analog Mic-In2 +Git-commit: 5f8ddc6ee63a9057522923a6b2eb8c51993e1db0 +Patch-mainline: v4.18-rc3 +References: bsc#1051510 + +Commit 009b8f979bf8cb5f7ec6d3dd7683585122ed10f8 conditionalized +adding the "CA0132 Analog Mic-In2" PCM with a comment to the +effect that, "desktops don't use this ADC", but the test was set +up such that the ADC was only created for desktops. Invert the +test. + +Fixes: 009b8f979bf8 ("ALSA: hda/ca0132: update core functions for sbz + r3di") +Signed-off-by: Alastair Bridgewater <alastair.bridgewater@gmail.com> +Signed-off-by: Takashi Iwai <tiwai@suse.de> + +--- + sound/pci/hda/patch_ca0132.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c +index 49635d1c9c39..09ff85c622bb 100644 +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -5966,7 +5966,7 @@ static int ca0132_build_pcms(struct hda_codec *codec) + info->stream[SNDRV_PCM_STREAM_CAPTURE].nid = spec->adcs[0]; + + /* With the DSP enabled, desktops don't use this ADC. */ +- if (spec->use_alt_functions) { ++ if (!spec->use_alt_functions) { + info = snd_hda_codec_pcm_new(codec, "CA0132 Analog Mic-In2"); + if (!info) + return -ENOMEM; +-- +2.18.0 + diff --git a/patches.drivers/ALSA-hda-ca0132-Restore-behavior-of-QUIRK_ALIENWARE b/patches.drivers/ALSA-hda-ca0132-Restore-behavior-of-QUIRK_ALIENWARE new file mode 100644 index 0000000000..c15b9e6c3e --- /dev/null +++ b/patches.drivers/ALSA-hda-ca0132-Restore-behavior-of-QUIRK_ALIENWARE @@ -0,0 +1,41 @@ +From 365c7f25cd0a72b16979ba948e6c389a9a89818b Mon Sep 17 00:00:00 2001 +From: Alastair Bridgewater <alastair.bridgewater@gmail.com> +Date: Fri, 15 Jun 2018 21:56:17 -0400 +Subject: [PATCH] ALSA: hda/ca0132: Restore behavior of QUIRK_ALIENWARE +Git-commit: 365c7f25cd0a72b16979ba948e6c389a9a89818b +Patch-mainline: v4.18-rc3 +References: bsc#1051510 + +Commit e93ac30a32a6ba7ac3b4b2a4379af1dadb91e505 (ALSA: HDA/ca0132: +add extra init functions for r3di + sbz) introduced an extra +initialization function that was improperly guarded, taking effect +on systems with QUIRK_ALIENWARE, even though such systems were +supposedly not affected. + +It may be that this piece of initialization should be done for all +systems, but that's not a call that I can make. + +Fixes: e93ac30a32a6 ("ALSA: HDA/ca0132: add extra init functions for r3di + sbz") +Signed-off-by: Alastair Bridgewater <alastair.bridgewater@gmail.com> +Signed-off-by: Takashi Iwai <tiwai@suse.de> + +--- + sound/pci/hda/patch_ca0132.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c +index dba731c0bf53..25fccce1eff1 100644 +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -7223,7 +7223,7 @@ static int ca0132_init(struct hda_codec *codec) + + snd_hda_sequence_write(codec, spec->base_init_verbs); + +- if (spec->quirk != QUIRK_NONE) ++ if (spec->use_alt_functions) + ca0132_alt_init(codec); + + ca0132_download_dsp(codec); +-- +2.18.0 + diff --git a/patches.drivers/ALSA-hda-ca0132-make-array-ca0132_alt_chmaps-static b/patches.drivers/ALSA-hda-ca0132-make-array-ca0132_alt_chmaps-static new file mode 100644 index 0000000000..f8d5ab2c2f --- /dev/null +++ b/patches.drivers/ALSA-hda-ca0132-make-array-ca0132_alt_chmaps-static @@ -0,0 +1,38 @@ +From 9c4a665ed83462039461dd34282e22160fb447ca Mon Sep 17 00:00:00 2001 +From: Colin Ian King <colin.king@canonical.com> +Date: Thu, 21 Jun 2018 19:34:57 +0100 +Subject: [PATCH] ALSA: hda/ca0132: make array ca0132_alt_chmaps static +Git-commit: 9c4a665ed83462039461dd34282e22160fb447ca +Patch-mainline: v4.18-rc3 +References: bsc#1051510 + +The array ca0132_alt_chmaps is local to the source and does not +need to be in global scope, so make it static. + +Cleans up sparse warning: +Warning: symbol 'ca0132_alt_chmaps' was not declared. Should it be +static? + +Signed-off-by: Colin Ian King <colin.king@canonical.com> +Signed-off-by: Takashi Iwai <tiwai@suse.de> + +--- + sound/pci/hda/patch_ca0132.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c +index d62c56feaf7d..4ff5320378e2 100644 +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -5665,7 +5665,7 @@ static const char * const ca0132_alt_slave_pfxs[] = { + * I think this has to do with the pin for rear surround being 0x11, + * and the center/lfe being 0x10. Usually the pin order is the opposite. + */ +-const struct snd_pcm_chmap_elem ca0132_alt_chmaps[] = { ++static const struct snd_pcm_chmap_elem ca0132_alt_chmaps[] = { + { .channels = 2, + .map = { SNDRV_CHMAP_FL, SNDRV_CHMAP_FR } }, + { .channels = 4, +-- +2.18.0 + diff --git a/patches.drivers/ALSA-hda-ca0132-use-ARRAY_SIZE b/patches.drivers/ALSA-hda-ca0132-use-ARRAY_SIZE new file mode 100644 index 0000000000..7754e20e4e --- /dev/null +++ b/patches.drivers/ALSA-hda-ca0132-use-ARRAY_SIZE @@ -0,0 +1,71 @@ +From a9291f461d2e727ac0812d7021653379fea4b782 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lefaure?= <jeremy.lefaure@lse.epita.fr> +Date: Thu, 12 Oct 2017 22:36:31 -0400 +Subject: [PATCH] ALSA: hda/ca0132 - use ARRAY_SIZE +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: a9291f461d2e727ac0812d7021653379fea4b782 +Patch-mainline: v4.15-rc1 +References: bsc#1051510 + +Using the ARRAY_SIZE macro improves the readability of the code. + +Found with Coccinelle with the following semantic patch: +@r depends on (org || report)@ +type T; +T[] E; +position p; +@@ +( + (sizeof(E)@p /sizeof(*E)) +| + (sizeof(E)@p /sizeof(E[...])) +| + (sizeof(E)@p /sizeof(T)) +) + +Signed-off-by: Jérémy Lefaure <jeremy.lefaure@lse.epita.fr> +Signed-off-by: Takashi Iwai <tiwai@suse.de> + +--- + sound/pci/hda/patch_ca0132.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c +index 3e73d5c6ccfc..768ea8651993 100644 +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -27,6 +27,7 @@ + #include <linux/mutex.h> + #include <linux/module.h> + #include <linux/firmware.h> ++#include <linux/kernel.h> + #include <sound/core.h> + #include "hda_codec.h" + #include "hda_local.h" +@@ -3605,8 +3606,7 @@ static int ca0132_vnode_switch_set(struct snd_kcontrol *kcontrol, + static int ca0132_voicefx_info(struct snd_kcontrol *kcontrol, + struct snd_ctl_elem_info *uinfo) + { +- unsigned int items = sizeof(ca0132_voicefx_presets) +- / sizeof(struct ct_voicefx_preset); ++ unsigned int items = ARRAY_SIZE(ca0132_voicefx_presets); + + uinfo->type = SNDRV_CTL_ELEM_TYPE_ENUMERATED; + uinfo->count = 1; +@@ -3635,10 +3635,8 @@ static int ca0132_voicefx_put(struct snd_kcontrol *kcontrol, + struct ca0132_spec *spec = codec->spec; + int i, err = 0; + int sel = ucontrol->value.enumerated.item[0]; +- unsigned int items = sizeof(ca0132_voicefx_presets) +- / sizeof(struct ct_voicefx_preset); + +- if (sel >= items) ++ if (sel >= ARRAY_SIZE(ca0132_voicefx_presets)) + return 0; + + codec_dbg(codec, "ca0132_voicefx_put: sel=%d, preset=%s\n", +-- +2.18.0 + diff --git a/patches.drivers/ALSA-hda-realtek-Add-a-quirk-for-FSC-ESPRIMO-U9210 b/patches.drivers/ALSA-hda-realtek-Add-a-quirk-for-FSC-ESPRIMO-U9210 new file mode 100644 index 0000000000..9c5eb29ba7 --- /dev/null +++ b/patches.drivers/ALSA-hda-realtek-Add-a-quirk-for-FSC-ESPRIMO-U9210 @@ -0,0 +1,34 @@ +From 275ec0cb946cb75ac8977f662e608fce92f8b8a8 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai <tiwai@suse.de> +Date: Fri, 22 Jun 2018 12:17:45 +0200 +Subject: [PATCH] ALSA: hda/realtek - Add a quirk for FSC ESPRIMO U9210 +Git-commit: 275ec0cb946cb75ac8977f662e608fce92f8b8a8 +Patch-mainline: v4.18-rc3 +References: bsc#1051510 + +Fujitsu Seimens ESPRIMO Mobile U9210 requires the same fixup as H270 +for the correct pin configs. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=200107 +Cc: <stable@vger.kernel.org> +Signed-off-by: Takashi Iwai <tiwai@suse.de> + +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 487ceb9fd038..70bf4c30548a 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -2545,6 +2545,7 @@ static const struct snd_pci_quirk alc262_fixup_tbl[] = { + SND_PCI_QUIRK(0x10cf, 0x1397, "Fujitsu Lifebook S7110", ALC262_FIXUP_FSC_S7110), + SND_PCI_QUIRK(0x10cf, 0x142d, "Fujitsu Lifebook E8410", ALC262_FIXUP_BENQ), + SND_PCI_QUIRK(0x10f1, 0x2915, "Tyan Thunder n6650W", ALC262_FIXUP_TYAN), ++ SND_PCI_QUIRK(0x1734, 0x1141, "FSC ESPRIMO U9210", ALC262_FIXUP_FSC_H270), + SND_PCI_QUIRK(0x1734, 0x1147, "FSC Celsius H270", ALC262_FIXUP_FSC_H270), + SND_PCI_QUIRK(0x17aa, 0x384e, "Lenovo 3000", ALC262_FIXUP_LENOVO_3000), + SND_PCI_QUIRK(0x17ff, 0x0560, "Benq ED8", ALC262_FIXUP_BENQ), +-- +2.18.0 + diff --git a/patches.drivers/ALSA-hda-realtek-Fix-pop-noise-on-Lenovo-P50-co b/patches.drivers/ALSA-hda-realtek-Fix-pop-noise-on-Lenovo-P50-co new file mode 100644 index 0000000000..d80b26f968 --- /dev/null +++ b/patches.drivers/ALSA-hda-realtek-Fix-pop-noise-on-Lenovo-P50-co @@ -0,0 +1,63 @@ +From d5a6cabf02210b896a60eee7c04c670ee9ba6dca Mon Sep 17 00:00:00 2001 +From: Takashi Iwai <tiwai@suse.de> +Date: Wed, 13 Jun 2018 12:43:10 +0200 +Subject: [PATCH] ALSA: hda/realtek - Fix pop noise on Lenovo P50 & co +Git-commit: d5a6cabf02210b896a60eee7c04c670ee9ba6dca +Patch-mainline: v4.18-rc3 +References: bsc#1051510 + +Some Lenovo laptops, e.g. Lenovo P50, showed the pop noise at resume +or runtime resume. It turned out to be reduced by applying +alc_no_shutup() just like TPT440 quirk does. + +Since there are many Lenovo models showing the same behavior, put this +workaround in ALC269_FIXUP_THINKPAD_ACPI entry so that it's applied +commonly to all such Lenovo machines. + +Reported-by: Hans de Goede <hdegoede@redhat.com> +Tested-by: Benjamin Berg <bberg@redhat.com> +Cc: <stable@vger.kernel.org> +Signed-off-by: Takashi Iwai <tiwai@suse.de> + +--- + sound/pci/hda/patch_realtek.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index e9bd33ea538f..487ceb9fd038 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -4995,7 +4995,6 @@ static void alc_fixup_tpt440_dock(struct hda_codec *codec, + struct alc_spec *spec = codec->spec; + + if (action == HDA_FIXUP_ACT_PRE_PROBE) { +- spec->shutup = alc_no_shutup; /* reduce click noise */ + spec->reboot_notify = alc_d3_at_reboot; /* reduce noise */ + spec->parse_flags = HDA_PINCFG_NO_HP_FIXUP; + codec->power_save_node = 0; /* avoid click noises */ +@@ -5394,6 +5393,13 @@ static void alc274_fixup_bind_dacs(struct hda_codec *codec, + /* for hda_fixup_thinkpad_acpi() */ + #include "thinkpad_helper.c" + ++static void alc_fixup_thinkpad_acpi(struct hda_codec *codec, ++ const struct hda_fixup *fix, int action) ++{ ++ alc_fixup_no_shutup(codec, fix, action); /* reduce click noise */ ++ hda_fixup_thinkpad_acpi(codec, fix, action); ++} ++ + /* for dell wmi mic mute led */ + #include "dell_wmi_helper.c" + +@@ -5946,7 +5952,7 @@ static const struct hda_fixup alc269_fixups[] = { + }, + [ALC269_FIXUP_THINKPAD_ACPI] = { + .type = HDA_FIXUP_FUNC, +- .v.func = hda_fixup_thinkpad_acpi, ++ .v.func = alc_fixup_thinkpad_acpi, + .chained = true, + .chain_id = ALC269_FIXUP_SKU_IGNORE, + }, +-- +2.18.0 + diff --git a/patches.drivers/ALSA-hda-realtek-Fix-the-problem-of-two-front-mics-o b/patches.drivers/ALSA-hda-realtek-Fix-the-problem-of-two-front-mics-o new file mode 100644 index 0000000000..44b1c6ecdd --- /dev/null +++ b/patches.drivers/ALSA-hda-realtek-Fix-the-problem-of-two-front-mics-o @@ -0,0 +1,56 @@ +From e41fc8c5bd41b96bfae5ce4c66bee6edabc932e8 Mon Sep 17 00:00:00 2001 +From: Hui Wang <hui.wang@canonical.com> +Date: Mon, 25 Jun 2018 14:40:56 +0800 +Subject: [PATCH] ALSA: hda/realtek - Fix the problem of two front mics on more machines +Git-commit: e41fc8c5bd41b96bfae5ce4c66bee6edabc932e8 +Patch-mainline: v4.18-rc3 +References: bsc#1051510 + +We have 3 more Lenovo machines, they all have 2 front mics on them, +so they need the fixup to change the location for one of two mics. + +Among these 3 Lenovo machines, one of them has the same pin cfg as the +machine with subid 0x17aa3138, so use the pin cfg table to apply fixup +for them. The rest machines don't share the same pin cfg, so far use +the subid to apply fixup for them. + +Fixes: a3dafb2200bf ("ALSA: hda/realtek - adjust the location of one mic") +Cc: <stable@vger.kernel.org> +Signed-off-by: Hui Wang <hui.wang@canonical.com> +Signed-off-by: Takashi Iwai <tiwai@suse.de> + +--- + sound/pci/hda/patch_realtek.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 70bf4c30548a..5ad6c7e5f92e 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6610,8 +6610,9 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x17aa, 0x30bb, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY), + SND_PCI_QUIRK(0x17aa, 0x30e2, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY), + SND_PCI_QUIRK(0x17aa, 0x310c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION), ++ SND_PCI_QUIRK(0x17aa, 0x312a, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION), + SND_PCI_QUIRK(0x17aa, 0x312f, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION), +- SND_PCI_QUIRK(0x17aa, 0x3138, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION), ++ SND_PCI_QUIRK(0x17aa, 0x3136, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION), + SND_PCI_QUIRK(0x17aa, 0x313c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION), + SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI), + SND_PCI_QUIRK(0x17aa, 0x3977, "IdeaPad S210", ALC283_FIXUP_INT_MIC), +@@ -6789,6 +6790,12 @@ static const struct snd_hda_pin_quirk alc269_pin_fixup_tbl[] = { + {0x14, 0x90170110}, + {0x19, 0x02a11030}, + {0x21, 0x02211020}), ++ SND_HDA_PIN_QUIRK(0x10ec0235, 0x17aa, "Lenovo", ALC294_FIXUP_LENOVO_MIC_LOCATION, ++ {0x14, 0x90170110}, ++ {0x19, 0x02a11030}, ++ {0x1a, 0x02a11040}, ++ {0x1b, 0x01014020}, ++ {0x21, 0x0221101f}), + SND_HDA_PIN_QUIRK(0x10ec0236, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE, + {0x12, 0x90a60140}, + {0x14, 0x90170110}, +-- +2.18.0 + diff --git a/patches.drivers/HID-intel-ish-hid-use-put_device-instead-of-kfree b/patches.drivers/HID-intel-ish-hid-use-put_device-instead-of-kfree new file mode 100644 index 0000000000..00f1c3df1f --- /dev/null +++ b/patches.drivers/HID-intel-ish-hid-use-put_device-instead-of-kfree @@ -0,0 +1,36 @@ +From a4eb490a41a0da3b1275fc7427084cf9ae2c3c1c Mon Sep 17 00:00:00 2001 +From: Arvind Yadav <arvind.yadav.cs@gmail.com> +Date: Fri, 30 Mar 2018 16:56:10 +0530 +Subject: [PATCH] HID: intel-ish-hid: use put_device() instead of kfree() +Git-commit: a4eb490a41a0da3b1275fc7427084cf9ae2c3c1c +Patch-mainline: v4.17-rc5 +References: bsc#1051510 + +Never directly free @dev after calling device_register(), even +if it returned an error. Always use put_device() to give up the +reference initialized. + +Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com> +Signed-off-by: Jiri Kosina <jkosina@suse.cz> +Acked-by: Takashi Iwai <tiwai@suse.de> + +--- + drivers/hid/intel-ish-hid/ishtp/bus.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hid/intel-ish-hid/ishtp/bus.c b/drivers/hid/intel-ish-hid/ishtp/bus.c +index f272cdd9bd55..2623a567ffba 100644 +--- a/drivers/hid/intel-ish-hid/ishtp/bus.c ++++ b/drivers/hid/intel-ish-hid/ishtp/bus.c +@@ -418,7 +418,7 @@ static struct ishtp_cl_device *ishtp_bus_add_device(struct ishtp_device *dev, + list_del(&device->device_link); + spin_unlock_irqrestore(&dev->device_list_lock, flags); + dev_err(dev->devc, "Failed to register ISHTP client device\n"); +- kfree(device); ++ put_device(&device->dev); + return NULL; + } + +-- +2.17.1 + diff --git a/patches.drivers/HID-intel_ish-hid-ipc-register-more-pm-callbacks-to- b/patches.drivers/HID-intel_ish-hid-ipc-register-more-pm-callbacks-to- new file mode 100644 index 0000000000..5f9689a40a --- /dev/null +++ b/patches.drivers/HID-intel_ish-hid-ipc-register-more-pm-callbacks-to- @@ -0,0 +1,114 @@ +From ebeaa367548e9e92dd9374b9464ff6e7d157117b Mon Sep 17 00:00:00 2001 +From: Even Xu <even.xu@intel.com> +Date: Fri, 12 Feb 2016 04:11:34 +0800 +Subject: [PATCH] HID: intel_ish-hid: ipc: register more pm callbacks to support hibernation +Git-commit: ebeaa367548e9e92dd9374b9464ff6e7d157117b +Patch-mainline: v4.18-rc2 +References: bsc#1051510 + +Current ISH driver only registers suspend/resume PM callbacks which don't +support hibernation (suspend to disk). Basically after hiberation, the ISH +can't resume properly and user may not see sensor events (for example: screen + rotation may not work). + +User will not see a crash or panic or anything except the following message +in log: + + hid-sensor-hub 001F:8086:22D8.0001: timeout waiting for response from ISHTP device + +So this patch adds support for S4/hiberbation to ISH by using the +SIMPLE_DEV_PM_OPS() MACRO instead of struct dev_pm_ops directly. The suspend +and resume functions will now be used for both suspend to RAM and hibernation. + +If power management is disabled, SIMPLE_DEV_PM_OPS will do nothing, the suspend +and resume related functions won't be used, so mark them as __maybe_unused to +clarify that this is the intended behavior, and remove #ifdefs for power +management. + +Cc: stable@vger.kernel.org +Signed-off-by: Even Xu <even.xu@intel.com> +Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com> +Signed-off-by: Jiri Kosina <jkosina@suse.cz> +Acked-by: Takashi Iwai <tiwai@suse.de> + +--- + drivers/hid/intel-ish-hid/ipc/pci-ish.c | 22 +++++++--------------- + 1 file changed, 7 insertions(+), 15 deletions(-) + +diff --git a/drivers/hid/intel-ish-hid/ipc/pci-ish.c b/drivers/hid/intel-ish-hid/ipc/pci-ish.c +index 582e449be9fe..a2c53ea3b5ed 100644 +--- a/drivers/hid/intel-ish-hid/ipc/pci-ish.c ++++ b/drivers/hid/intel-ish-hid/ipc/pci-ish.c +@@ -205,8 +205,7 @@ static void ish_remove(struct pci_dev *pdev) + kfree(ishtp_dev); + } + +-#ifdef CONFIG_PM +-static struct device *ish_resume_device; ++static struct device __maybe_unused *ish_resume_device; + + /* 50ms to get resume response */ + #define WAIT_FOR_RESUME_ACK_MS 50 +@@ -220,7 +219,7 @@ static struct device *ish_resume_device; + * in that case a simple resume message is enough, others we need + * a reset sequence. + */ +-static void ish_resume_handler(struct work_struct *work) ++static void __maybe_unused ish_resume_handler(struct work_struct *work) + { + struct pci_dev *pdev = to_pci_dev(ish_resume_device); + struct ishtp_device *dev = pci_get_drvdata(pdev); +@@ -262,7 +261,7 @@ static void ish_resume_handler(struct work_struct *work) + * + * Return: 0 to the pm core + */ +-static int ish_suspend(struct device *device) ++static int __maybe_unused ish_suspend(struct device *device) + { + struct pci_dev *pdev = to_pci_dev(device); + struct ishtp_device *dev = pci_get_drvdata(pdev); +@@ -288,7 +287,7 @@ static int ish_suspend(struct device *device) + return 0; + } + +-static DECLARE_WORK(resume_work, ish_resume_handler); ++static __maybe_unused DECLARE_WORK(resume_work, ish_resume_handler); + /** + * ish_resume() - ISH resume callback + * @device: device pointer +@@ -297,7 +296,7 @@ static DECLARE_WORK(resume_work, ish_resume_handler); + * + * Return: 0 to the pm core + */ +-static int ish_resume(struct device *device) ++static int __maybe_unused ish_resume(struct device *device) + { + struct pci_dev *pdev = to_pci_dev(device); + struct ishtp_device *dev = pci_get_drvdata(pdev); +@@ -311,21 +310,14 @@ static int ish_resume(struct device *device) + return 0; + } + +-static const struct dev_pm_ops ish_pm_ops = { +- .suspend = ish_suspend, +- .resume = ish_resume, +-}; +-#define ISHTP_ISH_PM_OPS (&ish_pm_ops) +-#else +-#define ISHTP_ISH_PM_OPS NULL +-#endif /* CONFIG_PM */ ++static SIMPLE_DEV_PM_OPS(ish_pm_ops, ish_suspend, ish_resume); + + static struct pci_driver ish_driver = { + .name = KBUILD_MODNAME, + .id_table = ish_pci_tbl, + .probe = ish_probe, + .remove = ish_remove, +- .driver.pm = ISHTP_ISH_PM_OPS, ++ .driver.pm = &ish_pm_ops, + }; + + module_pci_driver(ish_driver); +-- +2.17.1 + diff --git a/patches.drivers/HID-lenovo-Add-support-for-IBM-Lenovo-Scrollpoint-mi b/patches.drivers/HID-lenovo-Add-support-for-IBM-Lenovo-Scrollpoint-mi new file mode 100644 index 0000000000..46d85cf092 --- /dev/null +++ b/patches.drivers/HID-lenovo-Add-support-for-IBM-Lenovo-Scrollpoint-mi @@ -0,0 +1,134 @@ +From a230cd52b8a2be39cd6e9a13b3e62af57f21372a Mon Sep 17 00:00:00 2001 +From: pgzh <peter.ganzhorn@gmail.com> +Date: Thu, 12 Apr 2018 19:36:47 +0200 +Subject: [PATCH] HID: lenovo: Add support for IBM/Lenovo Scrollpoint mice +Git-commit: a230cd52b8a2be39cd6e9a13b3e62af57f21372a +Patch-mainline: v4.17-rc5 +References: bsc#1051510 + +The IBM/Lenovo Scrollpoint mice feature a trackpoint-like stick instead of a +scrolling wheel capable of 2-D (vertical+horizontal) scrolling. hid-generic +does only expose 1-D (vertical) scrolling functionality for these mice. This +patch adds support for horizontal scrolling for the IBM/Lenovo Scrollpoint mice +to hid-lenovo. + +[jkosina@suse.cz: remove change versioning from git changelog] +Signed-off-by: Peter Ganzhorn <peter.ganzhorn@gmail.com> +Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> +Signed-off-by: Peter De Wachter <pdewacht@gmail.com> +Signed-off-by: Jiri Kosina <jkosina@suse.cz> +Acked-by: Takashi Iwai <tiwai@suse.de> + +--- + drivers/hid/Kconfig | 7 ++++--- + drivers/hid/hid-ids.h | 8 ++++++++ + drivers/hid/hid-lenovo.c | 36 ++++++++++++++++++++++++++++++++++++ + 3 files changed, 48 insertions(+), 3 deletions(-) + +--- a/drivers/hid/Kconfig ++++ b/drivers/hid/Kconfig +@@ -429,10 +429,11 @@ config HID_LENOVO + select NEW_LEDS + select LEDS_CLASS + ---help--- +- Support for Lenovo devices that are not fully compliant with HID standard. ++ Support for IBM/Lenovo devices that are not fully compliant with HID standard. + +- Say Y if you want support for the non-compliant features of the Lenovo +- Thinkpad standalone keyboards, e.g: ++ Say Y if you want support for horizontal scrolling of the IBM/Lenovo ++ Scrollpoint mice or the non-compliant features of the Lenovo Thinkpad ++ standalone keyboards, e.g: + - ThinkPad USB Keyboard with TrackPoint (supports extra LEDs and trackpoint + configuration) + - ThinkPad Compact Bluetooth Keyboard with TrackPoint (supports Fn keys) +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -524,6 +524,13 @@ + #define USB_VENDOR_ID_HUION 0x256c + #define USB_DEVICE_ID_HUION_TABLET 0x006e + ++#define USB_VENDOR_ID_IBM 0x04b3 ++#define USB_DEVICE_ID_IBM_SCROLLPOINT_III 0x3100 ++#define USB_DEVICE_ID_IBM_SCROLLPOINT_PRO 0x3103 ++#define USB_DEVICE_ID_IBM_SCROLLPOINT_OPTICAL 0x3105 ++#define USB_DEVICE_ID_IBM_SCROLLPOINT_800DPI_OPTICAL 0x3108 ++#define USB_DEVICE_ID_IBM_SCROLLPOINT_800DPI_OPTICAL_PRO 0x3109 ++ + #define USB_VENDOR_ID_IDEACOM 0x1cb6 + #define USB_DEVICE_ID_IDEACOM_IDC6650 0x6650 + #define USB_DEVICE_ID_IDEACOM_IDC6651 0x6651 +@@ -651,6 +658,7 @@ + #define USB_DEVICE_ID_LENOVO_TPKBD 0x6009 + #define USB_DEVICE_ID_LENOVO_CUSBKBD 0x6047 + #define USB_DEVICE_ID_LENOVO_CBTKBD 0x6048 ++#define USB_DEVICE_ID_LENOVO_SCROLLPOINT_OPTICAL 0x6049 + #define USB_DEVICE_ID_LENOVO_TPPRODOCK 0x6067 + #define USB_DEVICE_ID_LENOVO_X1_COVER 0x6085 + +--- a/drivers/hid/hid-lenovo.c ++++ b/drivers/hid/hid-lenovo.c +@@ -6,6 +6,17 @@ + * + * Copyright (c) 2012 Bernhard Seibold + * Copyright (c) 2014 Jamie Lentin <jm@lentin.co.uk> ++ * ++ * Linux IBM/Lenovo Scrollpoint mouse driver: ++ * - IBM Scrollpoint III ++ * - IBM Scrollpoint Pro ++ * - IBM Scrollpoint Optical ++ * - IBM Scrollpoint Optical 800dpi ++ * - IBM Scrollpoint Optical 800dpi Pro ++ * - Lenovo Scrollpoint Optical ++ * ++ * Copyright (c) 2012 Peter De Wachter <pdewacht@gmail.com> ++ * Copyright (c) 2018 Peter Ganzhorn <peter.ganzhorn@gmail.com> + */ + + /* +@@ -160,6 +171,17 @@ static int lenovo_input_mapping_cptkbd(s + return 0; + } + ++static int lenovo_input_mapping_scrollpoint(struct hid_device *hdev, ++ struct hid_input *hi, struct hid_field *field, ++ struct hid_usage *usage, unsigned long **bit, int *max) ++{ ++ if (usage->hid == HID_GD_Z) { ++ hid_map_usage(hi, usage, bit, max, EV_REL, REL_HWHEEL); ++ return 1; ++ } ++ return 0; ++} ++ + static int lenovo_input_mapping(struct hid_device *hdev, + struct hid_input *hi, struct hid_field *field, + struct hid_usage *usage, unsigned long **bit, int *max) +@@ -172,6 +194,14 @@ static int lenovo_input_mapping(struct h + case USB_DEVICE_ID_LENOVO_CBTKBD: + return lenovo_input_mapping_cptkbd(hdev, hi, field, + usage, bit, max); ++ case USB_DEVICE_ID_IBM_SCROLLPOINT_III: ++ case USB_DEVICE_ID_IBM_SCROLLPOINT_PRO: ++ case USB_DEVICE_ID_IBM_SCROLLPOINT_OPTICAL: ++ case USB_DEVICE_ID_IBM_SCROLLPOINT_800DPI_OPTICAL: ++ case USB_DEVICE_ID_IBM_SCROLLPOINT_800DPI_OPTICAL_PRO: ++ case USB_DEVICE_ID_LENOVO_SCROLLPOINT_OPTICAL: ++ return lenovo_input_mapping_scrollpoint(hdev, hi, field, ++ usage, bit, max); + default: + return 0; + } +@@ -883,6 +913,12 @@ static const struct hid_device_id lenovo + { HID_USB_DEVICE(USB_VENDOR_ID_LENOVO, USB_DEVICE_ID_LENOVO_CUSBKBD) }, + { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_LENOVO, USB_DEVICE_ID_LENOVO_CBTKBD) }, + { HID_USB_DEVICE(USB_VENDOR_ID_LENOVO, USB_DEVICE_ID_LENOVO_TPPRODOCK) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_IBM, USB_DEVICE_ID_IBM_SCROLLPOINT_III) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_IBM, USB_DEVICE_ID_IBM_SCROLLPOINT_PRO) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_IBM, USB_DEVICE_ID_IBM_SCROLLPOINT_OPTICAL) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_IBM, USB_DEVICE_ID_IBM_SCROLLPOINT_800DPI_OPTICAL) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_IBM, USB_DEVICE_ID_IBM_SCROLLPOINT_800DPI_OPTICAL_PRO) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_LENOVO, USB_DEVICE_ID_LENOVO_SCROLLPOINT_OPTICAL) }, + { } + }; + diff --git a/patches.drivers/HID-wacom-Correct-logical-maximum-Y-for-2nd-gen-Intu b/patches.drivers/HID-wacom-Correct-logical-maximum-Y-for-2nd-gen-Intu new file mode 100644 index 0000000000..5bd3ffbfcc --- /dev/null +++ b/patches.drivers/HID-wacom-Correct-logical-maximum-Y-for-2nd-gen-Intu @@ -0,0 +1,44 @@ +From d471b6b22d37bf9928c6d0202bdaaf76583b8b61 Mon Sep 17 00:00:00 2001 +From: Jason Gerecke <killertofu@gmail.com> +Date: Tue, 12 Jun 2018 13:42:46 -0700 +Subject: [PATCH] HID: wacom: Correct logical maximum Y for 2nd-gen Intuos Pro large +Git-commit: d471b6b22d37bf9928c6d0202bdaaf76583b8b61 +Patch-mainline: v4.18-rc2 +References: bsc#1051510 + +The HID descriptor for the 2nd-gen Intuos Pro large (PTH-860) contains +a typo which defines an incorrect logical maximum Y value. This causes +a small portion of the bottom of the tablet to become unusable (both +because the area is below the "bottom" of the tablet and because +'wacom_wac_event' ignores out-of-range values). It also results in a +skewed aspect ratio. + +To fix this, we add a quirk to 'wacom_usage_mapping' which overwrites +the data with the correct value. + +Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com> +Cc: stable@vger.kernel.org # v4.10+ +Signed-off-by: Jiri Kosina <jkosina@suse.cz> +Acked-by: Takashi Iwai <tiwai@suse.de> + +--- + drivers/hid/wacom_sys.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/hid/wacom_sys.c ++++ b/drivers/hid/wacom_sys.c +@@ -284,6 +284,14 @@ static void wacom_usage_mapping(struct h + } + } + ++ /* 2nd-generation Intuos Pro Large has incorrect Y maximum */ ++ if (hdev->vendor == USB_VENDOR_ID_WACOM && ++ hdev->product == 0x0358 && ++ WACOM_PEN_FIELD(field) && ++ wacom_equivalent_usage(usage->hid) == HID_GD_Y) { ++ field->logical_maximum = 43200; ++ } ++ + switch (usage->hid) { + case HID_GD_X: + features->x_max = field->logical_maximum; diff --git a/patches.drivers/HID-wacom-Release-device-resource-data-obtained-by-d b/patches.drivers/HID-wacom-Release-device-resource-data-obtained-by-d new file mode 100644 index 0000000000..72d7194f57 --- /dev/null +++ b/patches.drivers/HID-wacom-Release-device-resource-data-obtained-by-d @@ -0,0 +1,39 @@ +From 097b8f62dd793e08f1732fc74dbb64596c7fbff9 Mon Sep 17 00:00:00 2001 +From: Arvind Yadav <arvind.yadav.cs@gmail.com> +Date: Tue, 24 Apr 2018 13:33:03 +0530 +Subject: [PATCH] HID: wacom: Release device resource data obtained by devres_alloc() +Git-commit: 097b8f62dd793e08f1732fc74dbb64596c7fbff9 +Patch-mainline: v4.17-rc5 +References: bsc#1051510 + +Free device resource data, if __wacom_devm_sysfs_create_group +is not successful. + +Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com> +Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> +Signed-off-by: Jiri Kosina <jkosina@suse.cz> +Acked-by: Takashi Iwai <tiwai@suse.de> + +--- + drivers/hid/wacom_sys.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c +index b54ef1ffcbec..ee7a37eb159a 100644 +--- a/drivers/hid/wacom_sys.c ++++ b/drivers/hid/wacom_sys.c +@@ -1213,8 +1213,10 @@ static int __wacom_devm_sysfs_create_group(struct wacom *wacom, + devres->root = root; + + error = sysfs_create_group(devres->root, group); +- if (error) ++ if (error) { ++ devres_free(devres); + return error; ++ } + + devres_add(&wacom->hdev->dev, devres); + +-- +2.17.1 + diff --git a/patches.drivers/Input-xpad-fix-GPD-Win-2-controller-name b/patches.drivers/Input-xpad-fix-GPD-Win-2-controller-name new file mode 100644 index 0000000000..9c9bce97eb --- /dev/null +++ b/patches.drivers/Input-xpad-fix-GPD-Win-2-controller-name @@ -0,0 +1,44 @@ +From dd6bee81c942c0ea01030da9356026afb88f9d18 Mon Sep 17 00:00:00 2001 +From: Enno Boland <gottox@voidlinux.eu> +Date: Tue, 19 Jun 2018 11:55:33 -0700 +Subject: [PATCH] Input: xpad - fix GPD Win 2 controller name +Git-commit: dd6bee81c942c0ea01030da9356026afb88f9d18 +Patch-mainline: v4.18-rc3 +References: bsc#1051510 + +This fixes using the controller with SDL2. + +SDL2 has a naive algorithm to apply the correct settings to a controller. +For X-Box compatible controllers it expects that the controller name +contains a variation of a 'XBOX'-string. + +This patch changes the identifier to contain "X-Box" as substring. Tested +with Steam and C-Dogs-SDL which both detect the controller properly after +adding this patch. + +Fixes: c1ba08390a8b ("Input: xpad - add GPD Win 2 Controller USB IDs") +Cc: stable@vger.kernel.org +Signed-off-by: Enno Boland <gottox@voidlinux.eu> +Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> +Acked-by: Takashi Iwai <tiwai@suse.de> + +--- + drivers/input/joystick/xpad.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c +index 48e36acbeb49..cd620e009bad 100644 +--- a/drivers/input/joystick/xpad.c ++++ b/drivers/input/joystick/xpad.c +@@ -125,7 +125,7 @@ static const struct xpad_device { + u8 mapping; + u8 xtype; + } xpad_device[] = { +- { 0x0079, 0x18d4, "GPD Win 2 Controller", 0, XTYPE_XBOX360 }, ++ { 0x0079, 0x18d4, "GPD Win 2 X-Box Controller", 0, XTYPE_XBOX360 }, + { 0x044f, 0x0f00, "Thrustmaster Wheel", 0, XTYPE_XBOX }, + { 0x044f, 0x0f03, "Thrustmaster Wheel", 0, XTYPE_XBOX }, + { 0x044f, 0x0f07, "Thrustmaster, Inc. Controller", 0, XTYPE_XBOX }, +-- +2.18.0 + diff --git a/patches.drivers/PCI-Add-function-1-DMA-alias-quirk-for-Marvell-88SE9 b/patches.drivers/PCI-Add-function-1-DMA-alias-quirk-for-Marvell-88SE9 new file mode 100644 index 0000000000..be729d1d33 --- /dev/null +++ b/patches.drivers/PCI-Add-function-1-DMA-alias-quirk-for-Marvell-88SE9 @@ -0,0 +1,36 @@ +From 832e4e1f76b8a84991e9db56fdcef1ebce839b8b Mon Sep 17 00:00:00 2001 +From: Thomas Vincent-Cross <me@tvc.id.au> +Date: Tue, 27 Feb 2018 20:20:36 +1100 +Subject: [PATCH] PCI: Add function 1 DMA alias quirk for Marvell 88SE9220 +Git-commit: 832e4e1f76b8a84991e9db56fdcef1ebce839b8b +Patch-mainline: v4.17-rc1 +References: bsc#1051510 + +Add Marvell 88SE9220 DMA quirk as found and tested on bug 42679. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=42679 +Signed-off-by: Thomas Vincent-Cross <me@tvc.id.au> +Signed-off-by: Bjorn Helgaas <helgaas@kernel.org> +Acked-by: Takashi Iwai <tiwai@suse.de> + +--- + drivers/pci/quirks.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index 57748a3b83f0..ffdfaac116b2 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -3896,6 +3896,9 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9182, + /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c46 */ + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x91a0, + quirk_dma_func1_alias); ++/* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c127 */ ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9220, ++ quirk_dma_func1_alias); + /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c49 */ + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9230, + quirk_dma_func1_alias); +-- +2.18.0 + diff --git a/patches.drivers/PCI-Mark-Broadcom-HT1100-and-HT2000-Root-Port-Extend b/patches.drivers/PCI-Mark-Broadcom-HT1100-and-HT2000-Root-Port-Extend new file mode 100644 index 0000000000..068f6af3d3 --- /dev/null +++ b/patches.drivers/PCI-Mark-Broadcom-HT1100-and-HT2000-Root-Port-Extend @@ -0,0 +1,51 @@ +From 1b30dfd376e28e7f37eda5e2033f6823cdda222b Mon Sep 17 00:00:00 2001 +From: Sinan Kaya <okaya@codeaurora.org> +Date: Tue, 10 Apr 2018 14:44:21 -0500 +Subject: [PATCH] PCI: Mark Broadcom HT1100 and HT2000 Root Port Extended Tags as broken +Git-commit: 1b30dfd376e28e7f37eda5e2033f6823cdda222b +Patch-mainline: v4.17-rc1 +References: bsc#1051510 + +Per PCIe r3.1, sec 2.2.6.2 and 7.8.4, a Requester may not use 8-bit Tags +unless its Extended Tag Field Enable is set, but all Receivers/Completers +must handle 8-bit Tags correctly regardless of their Extended Tag Field +Enable. + +Some devices do not handle 8-bit Tags as Completers, so add a quirk for +them. If we find such a device, we disable Extended Tags for the entire +hierarchy to make peer-to-peer DMA possible. + +The Broadcom HT1100/HT2000/HT2100 seems to have issues with handling 8-bit +tags. Mark it as broken. + +This fixes Xorg hangs and unresponsive keyboards with errors like this: + + radeon 0000:06:00.0: GPU lockup (current fence id 0x000000000000000e last fence id 0x0000000000000 + [drm:r600_ring_test [radeon]] *ERROR* radeon: ring 0 test failed (scratch(0x8504)=0xCAFEDEAD) + [drm:r600_resume [radeon]] *ERROR* r600 startup failed on resume + +Fixes: 60db3a4d8cc9 ("PCI: Enable PCIe Extended Tags if supported") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=196197 +Signed-off-by: Sinan Kaya <okaya@codeaurora.org> +Signed-off-by: Bjorn Helgaas <helgaas@kernel.org> +Cc: stable@vger.kernel.org # v4.11: 62ce94a7a5a5 PCI: Mark Broadcom HT2100 Root Port Extended Tags as broken +Cc: stable@vger.kernel.org # v4.11 +Acked-by: Takashi Iwai <tiwai@suse.de> + +--- + drivers/pci/quirks.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -4853,6 +4853,10 @@ static void quirk_no_ext_tags(struct pci + + pci_walk_bus(bridge->bus, pci_configure_extended_tags, NULL); + } ++DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_SERVERWORKS, 0x0132, quirk_no_ext_tags); + DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_SERVERWORKS, 0x0140, quirk_no_ext_tags); ++DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_SERVERWORKS, 0x0141, quirk_no_ext_tags); + DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_SERVERWORKS, 0x0142, quirk_no_ext_tags); + DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_SERVERWORKS, 0x0144, quirk_no_ext_tags); ++DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_SERVERWORKS, 0x0420, quirk_no_ext_tags); ++DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_SERVERWORKS, 0x0422, quirk_no_ext_tags); diff --git a/patches.drivers/PCI-Restore-config-space-on-runtime-resume-despite-b b/patches.drivers/PCI-Restore-config-space-on-runtime-resume-despite-b new file mode 100644 index 0000000000..5238a0ea34 --- /dev/null +++ b/patches.drivers/PCI-Restore-config-space-on-runtime-resume-despite-b @@ -0,0 +1,86 @@ +From 5775b843a619b3c93f946e2b55a208d9f0f48b59 Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" <rjw@rjwysocki.net> +Date: Sat, 3 Mar 2018 10:53:24 +0100 +Subject: [PATCH] PCI: Restore config space on runtime resume despite being unbound +Git-commit: 5775b843a619b3c93f946e2b55a208d9f0f48b59 +Patch-mainline: v4.17-rc1 +References: bsc#1051510 + +We leave PCI devices not bound to a driver in D0 during runtime suspend. +But they may have a parent which is bound and can be transitioned to +D3cold at runtime. Once the parent goes to D3cold, the unbound child +may go to D3cold as well. When the child goes to D3cold, its internal +state, including configuration of BARs, MSI, ASPM, MPS, etc., is lost. + +One example are recent hybrid graphics laptops which cut power to the +discrete GPU when the root port above it goes to ACPI power state D3. +Users may provoke this by unbinding the GPU driver and allowing runtime +PM on the GPU via sysfs: The PM core will then treat the GPU as +"suspended", which in turn allows the root port to runtime suspend, +causing the power resources listed in its _PR3 object to be powered off. +The GPU's BARs will be uninitialized when a driver later probes it. + +Another example are hybrid graphics laptops where the GPU itself (rather +than the root port) is capable of runtime suspending to D3cold. If the +GPU's integrated HDA controller is not bound and the GPU's driver +decides to runtime suspend to D3cold, the HDA controller's BARs will be +uninitialized when a driver later probes it. + +Fix by saving and restoring config space over a runtime suspend cycle +even if the device is not bound. + +Acked-by: Bjorn Helgaas <bhelgaas@google.com> +Tested-by: Peter Wu <peter@lekensteyn.nl> # Nvidia Optimus +Tested-by: Lukas Wunner <lukas@wunner.de> # MacBook Pro +Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> +[lukas: add commit message, bikeshed code comments for clarity] +Signed-off-by: Lukas Wunner <lukas@wunner.de> +Link: https://patchwork.freedesktop.org/patch/msgid/92fb6e6ae2730915eb733c08e2f76c6a313e3860.1520068884.git.lukas@wunner.de +Acked-by: Takashi Iwai <tiwai@suse.de> + +--- + drivers/pci/pci-driver.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +--- a/drivers/pci/pci-driver.c ++++ b/drivers/pci/pci-driver.c +@@ -1159,11 +1159,14 @@ static int pci_pm_runtime_suspend(struct + int error; + + /* +- * If pci_dev->driver is not set (unbound), the device should +- * always remain in D0 regardless of the runtime PM status ++ * If pci_dev->driver is not set (unbound), we leave the device in D0, ++ * but it may go to D3cold when the bridge above it runtime suspends. ++ * Save its config space in case that happens. + */ +- if (!pci_dev->driver) ++ if (!pci_dev->driver) { ++ pci_save_state(pci_dev); + return 0; ++ } + + if (!pm || !pm->runtime_suspend) + return -ENOSYS; +@@ -1211,16 +1214,18 @@ static int pci_pm_runtime_resume(struct + const struct dev_pm_ops *pm = dev->driver ? dev->driver->pm : NULL; + + /* +- * If pci_dev->driver is not set (unbound), the device should +- * always remain in D0 regardless of the runtime PM status ++ * Restoring config space is necessary even if the device is not bound ++ * to a driver because although we left it in D0, it may have gone to ++ * D3cold when the bridge above it runtime suspended. + */ ++ pci_restore_standard_config(pci_dev); ++ + if (!pci_dev->driver) + return 0; + + if (!pm || !pm->runtime_resume) + return -ENOSYS; + +- pci_restore_standard_config(pci_dev); + pci_fixup_device(pci_fixup_resume_early, pci_dev); + __pci_enable_wake(pci_dev, PCI_D0, true, false); + pci_fixup_device(pci_fixup_resume, pci_dev); diff --git a/patches.drivers/can-hi311x-Acquire-SPI-lock-on-do_get_berr_counter b/patches.drivers/can-hi311x-Acquire-SPI-lock-on-do_get_berr_counter new file mode 100644 index 0000000000..054a52ca16 --- /dev/null +++ b/patches.drivers/can-hi311x-Acquire-SPI-lock-on-do_get_berr_counter @@ -0,0 +1,94 @@ +From 5cec9425b41dcf834c3d48776900d6acb7e96f38 Mon Sep 17 00:00:00 2001 +From: Lukas Wunner <lukas@wunner.de> +Date: Wed, 9 May 2018 14:38:43 +0200 +Subject: [PATCH] can: hi311x: Acquire SPI lock on ->do_get_berr_counter +Git-commit: 5cec9425b41dcf834c3d48776900d6acb7e96f38 +Patch-mainline: v4.17-rc5 +References: bsc#1051510 + +hi3110_get_berr_counter() may run concurrently to the rest of the driver +but neglects to acquire the lock protecting access to the SPI device. +As a result, it and the rest of the driver may clobber each other's tx +and rx buffers. + +We became aware of this issue because transmission of packets with +"cangen -g 0 -i -x" frequently hung. It turns out that agetty executes +->do_get_berr_counter every few seconds via the following call stack: + + CPU: 2 PID: 1605 Comm: agetty + [<7f3f7500>] (hi3110_get_berr_counter [hi311x]) + [<7f130204>] (can_fill_info [can_dev]) + [<80693bc0>] (rtnl_fill_ifinfo) + [<806949ec>] (rtnl_dump_ifinfo) + [<806b4834>] (netlink_dump) + [<806b4bc8>] (netlink_recvmsg) + [<8065f180>] (sock_recvmsg) + [<80660f90>] (___sys_recvmsg) + [<80661e7c>] (__sys_recvmsg) + [<80661ec0>] (SyS_recvmsg) + [<80108b20>] (ret_fast_syscall+0x0/0x1c) + +agetty listens to netlink messages in order to update the login prompt +when IP addresses change (if /etc/issue contains \4 or \6 escape codes): +https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/?id=e36deb6424e8 + +It's a useful feature, though it seems questionable that it causes CAN +bit error statistics to be queried. + +Be that as it may, if hi3110_get_berr_counter() is invoked while a frame +is sent by hi3110_hw_tx(), bogus SPI transfers like the following may +Occur: + + => 12 00 (hi3110_get_berr_counter() wanted to transmit + EC 00 to query the transmit error counter, + but the first byte was overwritten by + hi3110_hw_tx_frame()) + + => EA 00 3E 80 01 FB (hi3110_hw_tx_frame() wanted to transmit a + frame, but the first byte was overwritten by + hi3110_get_berr_counter() because it wanted + to query the receive error counter) + +This sequence hangs the transmission because the driver believes it has +sent a frame and waits for the interrupt signaling completion, but in +reality the chip has never sent away the frame since the commands it +received were malformed. + +Fix by acquiring the SPI lock in hi3110_get_berr_counter(). + +I've scrutinized the entire driver for further unlocked SPI accesses but +found no others. + +Cc: Mathias Duckeck <m.duckeck@kunbus.de> +Cc: Akshay Bhat <akshay.bhat@timesys.com> +Cc: Casey Fitzpatrick <casey.fitzpatrick@timesys.com> +Cc: Stef Walter <stefw@redhat.com> +Cc: Karel Zak <kzak@redhat.com> +Cc: stable@vger.kernel.org # v4.12+ +Signed-off-by: Lukas Wunner <lukas@wunner.de> +Reviewed-by: Akshay Bhat <akshay.bhat@timesys.com> +Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> +Acked-by: Takashi Iwai <tiwai@suse.de> + +--- + drivers/net/can/spi/hi311x.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/can/spi/hi311x.c b/drivers/net/can/spi/hi311x.c +index 5590c559a8ca..c2cf254e4e95 100644 +--- a/drivers/net/can/spi/hi311x.c ++++ b/drivers/net/can/spi/hi311x.c +@@ -427,8 +427,10 @@ static int hi3110_get_berr_counter(const struct net_device *net, + struct hi3110_priv *priv = netdev_priv(net); + struct spi_device *spi = priv->spi; + ++ mutex_lock(&priv->hi3110_lock); + bec->txerr = hi3110_read(spi, HI3110_READ_TEC); + bec->rxerr = hi3110_read(spi, HI3110_READ_REC); ++ mutex_unlock(&priv->hi3110_lock); + + return 0; + } +-- +2.17.1 + diff --git a/patches.drivers/can-hi311x-Work-around-TX-complete-interrupt-erratum b/patches.drivers/can-hi311x-Work-around-TX-complete-interrupt-erratum new file mode 100644 index 0000000000..a60aeb4667 --- /dev/null +++ b/patches.drivers/can-hi311x-Work-around-TX-complete-interrupt-erratum @@ -0,0 +1,73 @@ +From 32bee8f48fa048a3198109de50e51c092507ff52 Mon Sep 17 00:00:00 2001 +From: Lukas Wunner <lukas@wunner.de> +Date: Wed, 9 May 2018 14:43:43 +0200 +Subject: [PATCH] can: hi311x: Work around TX complete interrupt erratum +Git-commit: 32bee8f48fa048a3198109de50e51c092507ff52 +Patch-mainline: v4.17-rc5 +References: bsc#1051510 + +When sending packets as fast as possible using "cangen -g 0 -i -x", the +HI-3110 occasionally latches the interrupt pin high on completion of a +packet, but doesn't set the TXCPLT bit in the INTF register. The INTF +register contains 0x00 as if no interrupt has occurred. Even waiting +for a few milliseconds after the interrupt doesn't help. + +Work around this apparent erratum by instead checking the TXMTY bit in +the STATF register ("TX FIFO empty"). We know that we've queued up a +packet for transmission if priv->tx_len is nonzero. If the TX FIFO is +empty, transmission of that packet must have completed. + +Note that this is congruent with our handling of received packets, which +likewise gleans from the STATF register whether a packet is waiting in +the RX FIFO, instead of looking at the INTF register. + +Cc: Mathias Duckeck <m.duckeck@kunbus.de> +Cc: Akshay Bhat <akshay.bhat@timesys.com> +Cc: Casey Fitzpatrick <casey.fitzpatrick@timesys.com> +Cc: stable@vger.kernel.org # v4.12+ +Signed-off-by: Lukas Wunner <lukas@wunner.de> +Acked-by: Akshay Bhat <akshay.bhat@timesys.com> +Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> +Acked-by: Takashi Iwai <tiwai@suse.de> + +--- + drivers/net/can/spi/hi311x.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/can/spi/hi311x.c b/drivers/net/can/spi/hi311x.c +index c2cf254e4e95..53e320c92a8b 100644 +--- a/drivers/net/can/spi/hi311x.c ++++ b/drivers/net/can/spi/hi311x.c +@@ -91,6 +91,7 @@ + #define HI3110_STAT_BUSOFF BIT(2) + #define HI3110_STAT_ERRP BIT(3) + #define HI3110_STAT_ERRW BIT(4) ++#define HI3110_STAT_TXMTY BIT(7) + + #define HI3110_BTR0_SJW_SHIFT 6 + #define HI3110_BTR0_BRP_SHIFT 0 +@@ -737,10 +738,7 @@ static irqreturn_t hi3110_can_ist(int irq, void *dev_id) + } + } + +- if (intf == 0) +- break; +- +- if (intf & HI3110_INT_TXCPLT) { ++ if (priv->tx_len && statf & HI3110_STAT_TXMTY) { + net->stats.tx_packets++; + net->stats.tx_bytes += priv->tx_len - 1; + can_led_event(net, CAN_LED_EVENT_TX); +@@ -750,6 +748,9 @@ static irqreturn_t hi3110_can_ist(int irq, void *dev_id) + } + netif_wake_queue(net); + } ++ ++ if (intf == 0) ++ break; + } + mutex_unlock(&priv->hi3110_lock); + return IRQ_HANDLED; +-- +2.17.1 + diff --git a/patches.drivers/dell_rbu-make-firmware-payload-memory-uncachable b/patches.drivers/dell_rbu-make-firmware-payload-memory-uncachable new file mode 100644 index 0000000000..8f5cad7cdd --- /dev/null +++ b/patches.drivers/dell_rbu-make-firmware-payload-memory-uncachable @@ -0,0 +1,54 @@ +From: Stuart Hayes <stuart.w.hayes@gmail.com> +Subject: [PATCH RESENT v4] dell_rbu: make firmware payload memory uncachable +Message-Id: <20180418054634.10289-1-tiwai@suse.de> +Patch-mainline: Submitted, LKML Wed, 18 Apr 2018 07:46:34 +0200 +References: bsc#1087978 + +The dell_rbu driver takes firmware update payloads and puts them in memory so +the system BIOS can find them after a reboot. This sometimes fails (though +rarely), because the memory containing the payload is in the CPU cache but +never gets written back to main memory before the system is rebooted (CPU +cache contents are lost on reboot). + +With this patch, the payload memory will be changed to uncachable to ensure +that the payload is actually in main memory before the system is rebooted. + +Signed-off-by: Stuart Hayes <stuart.w.hayes@gmail.com> +Reviewed-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Takashi Iwai <tiwai@suse.de> + +--- + drivers/firmware/dell_rbu.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/firmware/dell_rbu.c ++++ b/drivers/firmware/dell_rbu.c +@@ -45,6 +45,7 @@ + #include <linux/moduleparam.h> + #include <linux/firmware.h> + #include <linux/dma-mapping.h> ++#include <asm/set_memory.h> + + MODULE_AUTHOR("Abhay Salunke <abhay_salunke@dell.com>"); + MODULE_DESCRIPTION("Driver for updating BIOS image on DELL systems"); +@@ -181,6 +182,11 @@ static int create_packet(void *data, siz + packet_data_temp_buf = NULL; + } + } ++ /* ++ * set to uncachable or it may never get written back before reboot ++ */ ++ set_memory_uc((unsigned long)packet_data_temp_buf, 1 << ordernum); ++ + spin_lock(&rbu_data.lock); + + newpacket->data = packet_data_temp_buf; +@@ -349,6 +355,8 @@ static void packet_empty_list(void) + * to make sure there are no stale RBU packets left in memory + */ + memset(newpacket->data, 0, rbu_data.packetsize); ++ set_memory_wb((unsigned long)newpacket->data, ++ 1 << newpacket->ordernum); + free_pages((unsigned long) newpacket->data, + newpacket->ordernum); + kfree(newpacket); diff --git a/patches.drivers/driver-core-Don-t-ignore-class_dir_create_and_add-fa b/patches.drivers/driver-core-Don-t-ignore-class_dir_create_and_add-fa new file mode 100644 index 0000000000..a719b21a35 --- /dev/null +++ b/patches.drivers/driver-core-Don-t-ignore-class_dir_create_and_add-fa @@ -0,0 +1,79 @@ +From 84d0c27d6233a9ba0578b20f5a09701eb66cee42 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> +Date: Mon, 7 May 2018 19:10:31 +0900 +Subject: [PATCH] driver core: Don't ignore class_dir_create_and_add() failure. +Git-commit: 84d0c27d6233a9ba0578b20f5a09701eb66cee42 +Patch-mainline: v4.18-rc1 +References: bsc#1051510 + +syzbot is hitting WARN() at kernfs_add_one() [1]. +This is because kernfs_create_link() is confused by previous device_add() +call which continued without setting dev->kobj.parent field when +get_device_parent() failed by memory allocation fault injection. +Fix this by propagating the error from class_dir_create_and_add() to +the calllers of get_device_parent(). + +[1] https://syzkaller.appspot.com/bug?id=fae0fb607989ea744526d1c082a5b8de6529116f + +Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> +Reported-by: syzbot <syzbot+df47f81c226b31d89fb1@syzkaller.appspotmail.com> +Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Acked-by: Takashi Iwai <tiwai@suse.de> + +--- + drivers/base/core.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/drivers/base/core.c ++++ b/drivers/base/core.c +@@ -1332,7 +1332,7 @@ class_dir_create_and_add(struct class *c + + dir = kzalloc(sizeof(*dir), GFP_KERNEL); + if (!dir) +- return NULL; ++ return ERR_PTR(-ENOMEM); + + dir->class = class; + kobject_init(&dir->kobj, &class_dir_ktype); +@@ -1342,7 +1342,7 @@ class_dir_create_and_add(struct class *c + retval = kobject_add(&dir->kobj, parent_kobj, "%s", class->name); + if (retval < 0) { + kobject_put(&dir->kobj); +- return NULL; ++ return ERR_PTR(retval); + } + return &dir->kobj; + } +@@ -1649,6 +1649,10 @@ int device_add(struct device *dev) + + parent = get_device(dev->parent); + kobj = get_device_parent(dev, parent); ++ if (IS_ERR(kobj)) { ++ error = PTR_ERR(kobj); ++ goto parent_error; ++ } + if (kobj) + dev->kobj.parent = kobj; + +@@ -1747,6 +1751,7 @@ done: + kobject_del(&dev->kobj); + Error: + cleanup_glue_dir(dev, glue_dir); ++parent_error: + put_device(parent); + name_error: + kfree(dev->p); +@@ -2566,6 +2571,11 @@ int device_move(struct device *dev, stru + device_pm_lock(); + new_parent = get_device(new_parent); + new_parent_kobj = get_device_parent(dev, new_parent); ++ if (IS_ERR(new_parent_kobj)) { ++ error = PTR_ERR(new_parent_kobj); ++ put_device(new_parent); ++ goto out; ++ } + + pr_debug("device: '%s': %s: moving to '%s'\n", dev_name(dev), + __func__, new_parent ? dev_name(new_parent) : "<NULL>"); diff --git a/patches.drivers/drm-i915-Apply-batch-location-restrictions-before-pi b/patches.drivers/drm-i915-Apply-batch-location-restrictions-before-pi new file mode 100644 index 0000000000..a709973be5 --- /dev/null +++ b/patches.drivers/drm-i915-Apply-batch-location-restrictions-before-pi @@ -0,0 +1,131 @@ +From 7ba33e1c9d1e03f442b161c701d1f811ea13c75e Mon Sep 17 00:00:00 2001 +From: Chris Wilson <chris@chris-wilson.co.uk> +Date: Sun, 10 Jun 2018 20:43:09 +0100 +Subject: [PATCH] drm/i915: Apply batch location restrictions before pinning +Git-commit: 7ba33e1c9d1e03f442b161c701d1f811ea13c75e +Patch-mainline: v4.18-rc2 +No-fix: 746c8f143afad7aaa66c484485fc39888d437a3f +References: bsc#1051510 + +We special case the position of the batch within the GTT to prevent +negative self-relocation deltas from underflowing. However, that +restriction is being applied after a trial pin of the batch in its +current position. Thus we are not rejecting an invalid location if the +batch has been used before, leading to an assertion if we happen to need +to rearrange the entire payload. In the worst case, this may cause a GPU +hang on gen7 or perhaps missing state. + +References: https://bugs.freedesktop.org/show_bug.cgi?id=105720 +Fixes: 2889caa92321 ("drm/i915: Eliminate lots of iterations over the execobjects array") +Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> +Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com> +Cc: Martin Peres <martin.peres@linux.intel.com> +Link: https://patchwork.freedesktop.org/patch/msgid/20180610194325.13467-2-chris@chris-wilson.co.uk +Reviewed-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com> +(cherry picked from commit 746c8f143afad7aaa66c484485fc39888d437a3f) + +Signed-off-by: Jani Nikula <jani.nikula@intel.com> +Acked-by: Takashi Iwai <tiwai@suse.de> + +--- + drivers/gpu/drm/i915/i915_gem_execbuffer.c | 49 ++++++++++++---------- + 1 file changed, 27 insertions(+), 22 deletions(-) + +diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c +index f627a8c47c58..22df17c8ca9b 100644 +--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c ++++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c +@@ -489,7 +489,9 @@ eb_validate_vma(struct i915_execbuffer *eb, + } + + static int +-eb_add_vma(struct i915_execbuffer *eb, unsigned int i, struct i915_vma *vma) ++eb_add_vma(struct i915_execbuffer *eb, ++ unsigned int i, unsigned batch_idx, ++ struct i915_vma *vma) + { + struct drm_i915_gem_exec_object2 *entry = &eb->exec[i]; + int err; +@@ -522,6 +524,24 @@ eb_add_vma(struct i915_execbuffer *eb, unsigned int i, struct i915_vma *vma) + eb->flags[i] = entry->flags; + vma->exec_flags = &eb->flags[i]; + ++ /* ++ * SNA is doing fancy tricks with compressing batch buffers, which leads ++ * to negative relocation deltas. Usually that works out ok since the ++ * relocate address is still positive, except when the batch is placed ++ * very low in the GTT. Ensure this doesn't happen. ++ * ++ * Note that actual hangs have only been observed on gen7, but for ++ * paranoia do it everywhere. ++ */ ++ if (i == batch_idx) { ++ if (!(eb->flags[i] & EXEC_OBJECT_PINNED)) ++ eb->flags[i] |= __EXEC_OBJECT_NEEDS_BIAS; ++ if (eb->reloc_cache.has_fence) ++ eb->flags[i] |= EXEC_OBJECT_NEEDS_FENCE; ++ ++ eb->batch = vma; ++ } ++ + err = 0; + if (eb_pin_vma(eb, entry, vma)) { + if (entry->offset != vma->node.start) { +@@ -716,7 +736,7 @@ static int eb_lookup_vmas(struct i915_execbuffer *eb) + { + struct radix_tree_root *handles_vma = &eb->ctx->handles_vma; + struct drm_i915_gem_object *obj; +- unsigned int i; ++ unsigned int i, batch; + int err; + + if (unlikely(i915_gem_context_is_closed(eb->ctx))) +@@ -728,6 +748,8 @@ static int eb_lookup_vmas(struct i915_execbuffer *eb) + INIT_LIST_HEAD(&eb->relocs); + INIT_LIST_HEAD(&eb->unbound); + ++ batch = eb_batch_index(eb); ++ + for (i = 0; i < eb->buffer_count; i++) { + u32 handle = eb->exec[i].handle; + struct i915_lut_handle *lut; +@@ -770,33 +792,16 @@ static int eb_lookup_vmas(struct i915_execbuffer *eb) + lut->handle = handle; + + add_vma: +- err = eb_add_vma(eb, i, vma); ++ err = eb_add_vma(eb, i, batch, vma); + if (unlikely(err)) + goto err_vma; + + GEM_BUG_ON(vma != eb->vma[i]); + GEM_BUG_ON(vma->exec_flags != &eb->flags[i]); ++ GEM_BUG_ON(drm_mm_node_allocated(&vma->node) && ++ eb_vma_misplaced(&eb->exec[i], vma, eb->flags[i])); + } + +- /* take note of the batch buffer before we might reorder the lists */ +- i = eb_batch_index(eb); +- eb->batch = eb->vma[i]; +- GEM_BUG_ON(eb->batch->exec_flags != &eb->flags[i]); +- +- /* +- * SNA is doing fancy tricks with compressing batch buffers, which leads +- * to negative relocation deltas. Usually that works out ok since the +- * relocate address is still positive, except when the batch is placed +- * very low in the GTT. Ensure this doesn't happen. +- * +- * Note that actual hangs have only been observed on gen7, but for +- * paranoia do it everywhere. +- */ +- if (!(eb->flags[i] & EXEC_OBJECT_PINNED)) +- eb->flags[i] |= __EXEC_OBJECT_NEEDS_BIAS; +- if (eb->reloc_cache.has_fence) +- eb->flags[i] |= EXEC_OBJECT_NEEDS_FENCE; +- + eb->args->flags |= __EXEC_VALIDATED; + return eb_reserve(eb); + +-- +2.17.1 + diff --git a/patches.drivers/drm-msm-Fix-possible-null-dereference-on-failure-of- b/patches.drivers/drm-msm-Fix-possible-null-dereference-on-failure-of- index d46fe34877..75884ff972 100644 --- a/patches.drivers/drm-msm-Fix-possible-null-dereference-on-failure-of- +++ b/patches.drivers/drm-msm-Fix-possible-null-dereference-on-failure-of- @@ -5,6 +5,7 @@ Subject: [PATCH] drm/msm: Fix possible null dereference on failure of get_pages( Git-commit: 3976626ea3d2011f8fd3f3a47070a8b792018253 Patch-mainline: v4.17-rc3 References: bsc#1051510 +No-fix: 03c94d60261c28689465a16086eb290ab3012aa3 Commit 62e3a3e342af changed get_pages() to initialise msm_gem_object::pages before trying to initialise msm_gem_object::sgt, diff --git a/patches.drivers/drm-qxl-Call-qxl_bo_unref-outside-atomic-context b/patches.drivers/drm-qxl-Call-qxl_bo_unref-outside-atomic-context new file mode 100644 index 0000000000..2289ecb392 --- /dev/null +++ b/patches.drivers/drm-qxl-Call-qxl_bo_unref-outside-atomic-context @@ -0,0 +1,64 @@ +From 889ad63d41eea20184b0483e7e585e5b20fb6cfe Mon Sep 17 00:00:00 2001 +From: Jeremy Cline <jcline@redhat.com> +Date: Fri, 1 Jun 2018 16:05:32 -0400 +Subject: [PATCH] drm/qxl: Call qxl_bo_unref outside atomic context +Git-commit: 889ad63d41eea20184b0483e7e585e5b20fb6cfe +Patch-mainline: v4.18-rc2 +References: bsc#1051510 + +"qxl_bo_unref" may sleep, but calling "qxl_release_map" causes +"preempt_disable()" to be called and "preempt_enable()" isn't called +until "qxl_release_unmap" is used. Move the call to "qxl_bo_unref" out +from in between the two to avoid sleeping from an atomic context. + +This issue can be demonstrated on a kernel with CONFIG_LOCKDEP=y by +creating a VM using QXL, using a desktop environment using Xorg, then +moving the cursor on or off a window. + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1571128 +Fixes: 9428088c90b6 ("drm/qxl: reapply cursor after resetting primary") +Cc: stable@vger.kernel.org +Signed-off-by: Jeremy Cline <jcline@redhat.com> +Link: http://patchwork.freedesktop.org/patch/msgid/20180601200532.13619-1-jcline@redhat.com +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +Acked-by: Takashi Iwai <tiwai@suse.de> + +--- + drivers/gpu/drm/qxl/qxl_display.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/qxl/qxl_display.c b/drivers/gpu/drm/qxl/qxl_display.c +index ecb35ed0eac8..61e51516fec5 100644 +--- a/drivers/gpu/drm/qxl/qxl_display.c ++++ b/drivers/gpu/drm/qxl/qxl_display.c +@@ -630,7 +630,7 @@ static void qxl_cursor_atomic_update(struct drm_plane *plane, + struct qxl_cursor_cmd *cmd; + struct qxl_cursor *cursor; + struct drm_gem_object *obj; +- struct qxl_bo *cursor_bo = NULL, *user_bo = NULL; ++ struct qxl_bo *cursor_bo = NULL, *user_bo = NULL, *old_cursor_bo = NULL; + int ret; + void *user_ptr; + int size = 64*64*4; +@@ -684,7 +684,7 @@ static void qxl_cursor_atomic_update(struct drm_plane *plane, + cursor_bo, 0); + cmd->type = QXL_CURSOR_SET; + +- qxl_bo_unref(&qcrtc->cursor_bo); ++ old_cursor_bo = qcrtc->cursor_bo; + qcrtc->cursor_bo = cursor_bo; + cursor_bo = NULL; + } else { +@@ -704,6 +704,9 @@ static void qxl_cursor_atomic_update(struct drm_plane *plane, + qxl_push_cursor_ring_release(qdev, release, QXL_CMD_CURSOR, false); + qxl_release_fence_buffer_objects(release); + ++ if (old_cursor_bo) ++ qxl_bo_unref(&old_cursor_bo); ++ + qxl_bo_unref(&cursor_bo); + + return; +-- +2.17.1 + diff --git a/patches.drivers/i2c-pmcmsp-fix-error-return-from-master_xfer b/patches.drivers/i2c-pmcmsp-fix-error-return-from-master_xfer new file mode 100644 index 0000000000..64b646ac32 --- /dev/null +++ b/patches.drivers/i2c-pmcmsp-fix-error-return-from-master_xfer @@ -0,0 +1,35 @@ +From 12d9bbc5a7f347eaa65ff2a9d34995cadc05eb1b Mon Sep 17 00:00:00 2001 +From: Peter Rosin <peda@axentia.se> +Date: Wed, 9 May 2018 21:46:30 +0200 +Subject: [PATCH] i2c: pmcmsp: fix error return from master_xfer +Git-commit: 12d9bbc5a7f347eaa65ff2a9d34995cadc05eb1b +Patch-mainline: v4.17-rc6 +References: bsc#1051510 + +Returning -1 (-EPERM) is not appropriate here, go with -EIO. + +Signed-off-by: Peter Rosin <peda@axentia.se> +Signed-off-by: Wolfram Sang <wsa@the-dreams.de> +Fixes: 1b144df1d7d6 ("i2c: New PMC MSP71xx TWI bus driver") +Acked-by: Takashi Iwai <tiwai@suse.de> + +--- + drivers/i2c/busses/i2c-pmcmsp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-pmcmsp.c b/drivers/i2c/busses/i2c-pmcmsp.c +index ec27e27e8d06..dae8ac618a52 100644 +--- a/drivers/i2c/busses/i2c-pmcmsp.c ++++ b/drivers/i2c/busses/i2c-pmcmsp.c +@@ -564,7 +564,7 @@ static int pmcmsptwi_master_xfer(struct i2c_adapter *adap, + * TODO: We could potentially loop and retry in the case + * of MSP_TWI_XFER_TIMEOUT. + */ +- return -1; ++ return -EIO; + } + + return num; +-- +2.17.1 + diff --git a/patches.drivers/i2c-pmcmsp-return-message-count-on-master_xfer-succe b/patches.drivers/i2c-pmcmsp-return-message-count-on-master_xfer-succe new file mode 100644 index 0000000000..fc3ab9e675 --- /dev/null +++ b/patches.drivers/i2c-pmcmsp-return-message-count-on-master_xfer-succe @@ -0,0 +1,35 @@ +From de9a8634f1cb4560a35696d472cc7f1383d9b866 Mon Sep 17 00:00:00 2001 +From: Peter Rosin <peda@axentia.se> +Date: Wed, 9 May 2018 21:46:29 +0200 +Subject: [PATCH] i2c: pmcmsp: return message count on master_xfer success +Git-commit: de9a8634f1cb4560a35696d472cc7f1383d9b866 +Patch-mainline: v4.17-rc6 +References: bsc#1051510 + +Returning zero is wrong in this case. + +Signed-off-by: Peter Rosin <peda@axentia.se> +Signed-off-by: Wolfram Sang <wsa@the-dreams.de> +Fixes: 1b144df1d7d6 ("i2c: New PMC MSP71xx TWI bus driver") +Acked-by: Takashi Iwai <tiwai@suse.de> + +--- + drivers/i2c/busses/i2c-pmcmsp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-pmcmsp.c b/drivers/i2c/busses/i2c-pmcmsp.c +index 2aa0e83174c5..ec27e27e8d06 100644 +--- a/drivers/i2c/busses/i2c-pmcmsp.c ++++ b/drivers/i2c/busses/i2c-pmcmsp.c +@@ -567,7 +567,7 @@ static int pmcmsptwi_master_xfer(struct i2c_adapter *adap, + return -1; + } + +- return 0; ++ return num; + } + + static u32 pmcmsptwi_i2c_func(struct i2c_adapter *adapter) +-- +2.17.1 + diff --git a/patches.drivers/i2c-viperboard-return-message-count-on-master_xfer-s b/patches.drivers/i2c-viperboard-return-message-count-on-master_xfer-s new file mode 100644 index 0000000000..959f5156ce --- /dev/null +++ b/patches.drivers/i2c-viperboard-return-message-count-on-master_xfer-s @@ -0,0 +1,35 @@ +From 35cd67a0caf767aba472452865dcb4471fcce2b1 Mon Sep 17 00:00:00 2001 +From: Peter Rosin <peda@axentia.se> +Date: Wed, 9 May 2018 21:47:48 +0200 +Subject: [PATCH] i2c: viperboard: return message count on master_xfer success +Git-commit: 35cd67a0caf767aba472452865dcb4471fcce2b1 +Patch-mainline: v4.17-rc6 +References: bsc#1051510 + +Returning zero is wrong in this case. + +Signed-off-by: Peter Rosin <peda@axentia.se> +Signed-off-by: Wolfram Sang <wsa@the-dreams.de> +Fixes: 174a13aa8669 ("i2c: Add viperboard i2c master driver") +Acked-by: Takashi Iwai <tiwai@suse.de> + +--- + drivers/i2c/busses/i2c-viperboard.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-viperboard.c b/drivers/i2c/busses/i2c-viperboard.c +index e4be86b3de9a..7235c7302bb7 100644 +--- a/drivers/i2c/busses/i2c-viperboard.c ++++ b/drivers/i2c/busses/i2c-viperboard.c +@@ -337,7 +337,7 @@ static int vprbrd_i2c_xfer(struct i2c_adapter *i2c, struct i2c_msg *msgs, + } + mutex_unlock(&vb->lock); + } +- return 0; ++ return num; + error: + mutex_unlock(&vb->lock); + return error; +-- +2.17.1 + diff --git a/patches.drivers/i40e-Close-client-on-suspend-and-restore-client-MSIx.patch b/patches.drivers/i40e-Close-client-on-suspend-and-restore-client-MSIx.patch new file mode 100644 index 0000000000..973f16d3fd --- /dev/null +++ b/patches.drivers/i40e-Close-client-on-suspend-and-restore-client-MSIx.patch @@ -0,0 +1,101 @@ +From: Shiraz Saleem <shiraz.saleem@intel.com> +Date: Mon, 19 Mar 2018 09:28:03 -0700 +Subject: i40e: Close client on suspend and restore client MSIx on resume +Patch-mainline: v4.17-rc1 +Git-commit: ddbb8d5dd9b7f58293f196eab71449d0242c028d +References: bsc#1088821 + +During suspend client MSIx vectors are freed while they are still +in use causing a crash on entering S3. + +Fix this calling client close before freeing up its MSIx vectors. +Also update the client MSIx vectors on resume before client +open is called. + +Fixes commit b980c0634fe5 ("i40e: shutdown all IRQs and disable MSI-X +when suspended") + +Reported-by: Stefan Assmann <sassmann@redhat.com> +Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com> +Tested-by: Andrew Bowers <andrewx.bowers@intel.com> +Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> +Acked-by: Thomas Bogendoerfer <tbogendoerfer@suse.de> +--- + drivers/net/ethernet/intel/i40e/i40e.h | 1 + + drivers/net/ethernet/intel/i40e/i40e_client.c | 16 +++++++++++++--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 8 ++++++++ + 3 files changed, 22 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/intel/i40e/i40e.h ++++ b/drivers/net/ethernet/intel/i40e/i40e.h +@@ -934,6 +934,7 @@ void i40e_notify_client_of_l2_param_chan + void i40e_notify_client_of_netdev_close(struct i40e_vsi *vsi, bool reset); + void i40e_notify_client_of_vf_enable(struct i40e_pf *pf, u32 num_vfs); + void i40e_notify_client_of_vf_reset(struct i40e_pf *pf, u32 vf_id); ++void i40e_client_update_msix_info(struct i40e_pf *pf); + int i40e_vf_client_capable(struct i40e_pf *pf, u32 vf_id); + /** + * i40e_irq_dynamic_enable - Enable default interrupt generation settings +--- a/drivers/net/ethernet/intel/i40e/i40e_client.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_client.c +@@ -287,6 +287,17 @@ out: + return capable; + } + ++void i40e_client_update_msix_info(struct i40e_pf *pf) ++{ ++ struct i40e_client_instance *cdev = pf->cinst; ++ ++ if (!cdev || !cdev->client) ++ return; ++ ++ cdev->lan_info.msix_count = pf->num_iwarp_msix; ++ cdev->lan_info.msix_entries = &pf->msix_entries[pf->iwarp_base_vector]; ++} ++ + /** + * i40e_client_add_instance - add a client instance struct to the instance list + * @pf: pointer to the board struct +@@ -328,9 +339,6 @@ static void i40e_client_add_instance(str + return; + } + +- cdev->lan_info.msix_count = pf->num_iwarp_msix; +- cdev->lan_info.msix_entries = &pf->msix_entries[pf->iwarp_base_vector]; +- + mac = list_first_entry(&cdev->lan_info.netdev->dev_addrs.list, + struct netdev_hw_addr, list); + if (mac) +@@ -340,6 +348,8 @@ static void i40e_client_add_instance(str + + cdev->client = registered_client; + pf->cinst = cdev; ++ ++ i40e_client_update_msix_info(pf); + } + + /** +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -10749,6 +10749,9 @@ static int i40e_add_veb(struct i40e_veb + vsi->veb_idx = veb->idx; + vsi->flags |= I40E_VSI_FLAG_VEB_OWNER; + ++ if (pf->flags & I40E_FLAG_IWARP_ENABLED) ++ i40e_client_update_msix_info(pf); ++ + return 0; + } + +@@ -12115,6 +12118,11 @@ static int i40e_suspend(struct pci_dev * + set_bit(__I40E_SUSPENDED, pf->state); + set_bit(__I40E_DOWN, pf->state); + ++ /* Client close must be called explicitly here because the timer ++ * has been stopped. ++ */ ++ i40e_notify_client_of_netdev_close(pf->vsi[pf->lan_vsi], false); ++ + if (pf->wol_en && (pf->hw_features & I40E_HW_WOL_MC_MAGIC_PKT_WAKE)) + i40e_enable_mc_magic_wake(pf); + diff --git a/patches.drivers/i40e-Do-not-allow-use-more-TC-queue-pairs-than-MSI-X.patch b/patches.drivers/i40e-Do-not-allow-use-more-TC-queue-pairs-than-MSI-X.patch new file mode 100644 index 0000000000..876a67ab47 --- /dev/null +++ b/patches.drivers/i40e-Do-not-allow-use-more-TC-queue-pairs-than-MSI-X.patch @@ -0,0 +1,38 @@ +From: =?UTF-8?q?Pawe=C5=82=20Jab=C5=82o=C5=84ski?= +Date: Fri, 29 Dec 2017 08:49:10 -0500 + <pawel.jablonski@intel.com> +Subject: i40e: Do not allow use more TC queue pairs than MSI-X vectors exist +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Patch-mainline: v4.16-rc1 +Git-commit: 1563f2d2e01242f05dd523ffd56fe104bc1afd58 +References: bsc#1094978 + +This patch suppresses the message about invalid TC mapping and wrong +selected TX queue. The root cause of this bug was setting too many +TC queue pairs on huge multiprocessor machines. When quantity of the +TC queue pairs is exceeding MSI-X vectors count then TX queue number +can be selected beyond actual TX queues amount. + +Signed-off-by: Paweł Jabłoński <pawel.jablonski@intel.com> +Tested-by: Andrew Bowers <andrewx.bowers@intel.com> +Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> +Acked-by: Thomas Bogendoerfer <tbogendoerfer@suse.de> +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -1634,6 +1634,10 @@ static void i40e_vsi_setup_queue_map(str + num_tc_qps = qcount / numtc; + num_tc_qps = min_t(int, num_tc_qps, i40e_pf_get_max_q_per_tc(pf)); + ++ /* Do not allow use more TC queue pairs than MSI-X vectors exist */ ++ if (pf->flags & I40E_FLAG_MSIX_ENABLED) ++ num_tc_qps = min_t(int, num_tc_qps, pf->num_lan_msix); ++ + /* Setup queue offset/count for all TCs for given VSI */ + for (i = 0; i < I40E_MAX_TRAFFIC_CLASS; i++) { + /* See if the given TC is enabled for the given VSI */ diff --git a/patches.drivers/i40e-Fix-the-number-of-queues-available-to-be-mapped.patch b/patches.drivers/i40e-Fix-the-number-of-queues-available-to-be-mapped.patch new file mode 100644 index 0000000000..adcc7e68a2 --- /dev/null +++ b/patches.drivers/i40e-Fix-the-number-of-queues-available-to-be-mapped.patch @@ -0,0 +1,85 @@ +From: Amritha Nambiar <amritha.nambiar@intel.com> +Date: Tue, 6 Feb 2018 13:15:20 -0800 +Subject: i40e: Fix the number of queues available to be mapped for use +Patch-mainline: v4.16-rc1 +Git-commit: bc6d33c8d93f5999920e97a8c6330b8910053d4f +References: bsc#1094978 + +Fix the number of queues per enabled TC and report available queues +to the kernel without having to limit them to the max RSS limit so +they are available to be mapped for XPS. This allows a queue per +processing thread available for handling traffic for the given +traffic class. + +Signed-off-by: Amritha Nambiar <amritha.nambiar@intel.com> +Tested-by: Andrew Bowers <andrewx.bowers@intel.com> +Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Acked-by: Thomas Bogendoerfer <tbogendoerfer@suse.de> +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 27 ++++++++++++++------------- + 1 file changed, 14 insertions(+), 13 deletions(-) + +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -1601,7 +1601,7 @@ static void i40e_vsi_setup_queue_map(str + struct i40e_pf *pf = vsi->back; + u16 sections = 0; + u8 netdev_tc = 0; +- u16 numtc = 0; ++ u16 numtc = 1; + u16 qcount; + u8 offset; + u16 qmap; +@@ -1611,9 +1611,11 @@ static void i40e_vsi_setup_queue_map(str + sections = I40E_AQ_VSI_PROP_QUEUE_MAP_VALID; + offset = 0; + ++ /* Number of queues per enabled TC */ ++ num_tc_qps = vsi->alloc_queue_pairs; + if (enabled_tc && (vsi->back->flags & I40E_FLAG_DCB_ENABLED)) { + /* Find numtc from enabled TC bitmap */ +- for (i = 0; i < I40E_MAX_TRAFFIC_CLASS; i++) { ++ for (i = 0, numtc = 0; i < I40E_MAX_TRAFFIC_CLASS; i++) { + if (enabled_tc & BIT(i)) /* TC is enabled */ + numtc++; + } +@@ -1621,18 +1623,13 @@ static void i40e_vsi_setup_queue_map(str + dev_warn(&pf->pdev->dev, "DCB is enabled but no TC enabled, forcing TC0\n"); + numtc = 1; + } +- } else { +- /* At least TC0 is enabled in case of non-DCB case */ +- numtc = 1; ++ num_tc_qps = num_tc_qps / numtc; ++ num_tc_qps = min_t(int, num_tc_qps, ++ i40e_pf_get_max_q_per_tc(pf)); + } + + vsi->tc_config.numtc = numtc; + vsi->tc_config.enabled_tc = enabled_tc ? enabled_tc : 1; +- /* Number of queues per enabled TC */ +- qcount = vsi->alloc_queue_pairs; +- +- num_tc_qps = qcount / numtc; +- num_tc_qps = min_t(int, num_tc_qps, i40e_pf_get_max_q_per_tc(pf)); + + /* Do not allow use more TC queue pairs than MSI-X vectors exist */ + if (pf->flags & I40E_FLAG_MSIX_ENABLED) +@@ -1647,9 +1644,13 @@ static void i40e_vsi_setup_queue_map(str + + switch (vsi->type) { + case I40E_VSI_MAIN: +- qcount = min_t(int, pf->alloc_rss_size, +- num_tc_qps); +- break; ++ if (!(pf->flags & (I40E_FLAG_FD_SB_ENABLED | ++ I40E_FLAG_FD_ATR_ENABLED)) || ++ vsi->tc_config.enabled_tc != 1) { ++ qcount = min_t(int, pf->alloc_rss_size, ++ num_tc_qps); ++ break; ++ } + case I40E_VSI_FDIR: + case I40E_VSI_SRIOV: + case I40E_VSI_VMDQ2: diff --git a/patches.drivers/iio-ad7793-implement-IIO_CHAN_INFO_SAMP_FREQ b/patches.drivers/iio-ad7793-implement-IIO_CHAN_INFO_SAMP_FREQ new file mode 100644 index 0000000000..fea3bc0a6a --- /dev/null +++ b/patches.drivers/iio-ad7793-implement-IIO_CHAN_INFO_SAMP_FREQ @@ -0,0 +1,152 @@ +From 490fba90a90eb7b741f57fefd2bcf2c1e11eb471 Mon Sep 17 00:00:00 2001 +From: Michael Nosthoff <committed@heine.so> +Date: Fri, 9 Mar 2018 16:13:52 +0100 +Subject: [PATCH] iio: ad7793: implement IIO_CHAN_INFO_SAMP_FREQ +Git-commit: 490fba90a90eb7b741f57fefd2bcf2c1e11eb471 +Patch-mainline: v4.17 +References: bsc#1051510 + +This commit is a follow-up to changes made to ad_sigma_delta.h +in staging: iio: ad7192: implement IIO_CHAN_INFO_SAMP_FREQ +which broke ad7793 as it was not altered to match those changes. + +This driver predates the availability of IIO_CHAN_INFO_SAMP_FREQ +attribute wherein usage has some advantages like it can be accessed by +in-kernel consumers as well as reduces the code size. + +Therefore, use IIO_CHAN_INFO_SAMP_FREQ to implement the +sampling_frequency attribute instead of using IIO_DEV_ATTR_SAMP_FREQ() +macro. + +Move code from the functions associated with IIO_DEV_ATTR_SAMP_FREQ() +into respective read and write hooks with the mask set to +IIO_CHAN_INFO_SAMP_FREQ. + +Fixes: a13e831fcaa7 ("staging: iio: ad7192: implement IIO_CHAN_INFO_SAMP_FREQ") + +Signed-off-by: Michael Nosthoff <committed@heine.so> +Cc: <Stable@vger.kernel.org> +Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> +Acked-by: Takashi Iwai <tiwai@suse.de> + +--- + drivers/iio/adc/ad7793.c | 75 +++++++++++++--------------------------- + 1 file changed, 24 insertions(+), 51 deletions(-) + +diff --git a/drivers/iio/adc/ad7793.c b/drivers/iio/adc/ad7793.c +index 801afb61310b..d4bbe5b53318 100644 +--- a/drivers/iio/adc/ad7793.c ++++ b/drivers/iio/adc/ad7793.c +@@ -348,55 +348,6 @@ static const u16 ad7793_sample_freq_avail[16] = {0, 470, 242, 123, 62, 50, 39, + static const u16 ad7797_sample_freq_avail[16] = {0, 0, 0, 123, 62, 50, 0, + 33, 0, 17, 16, 12, 10, 8, 6, 4}; + +-static ssize_t ad7793_read_frequency(struct device *dev, +- struct device_attribute *attr, +- char *buf) +-{ +- struct iio_dev *indio_dev = dev_to_iio_dev(dev); +- struct ad7793_state *st = iio_priv(indio_dev); +- +- return sprintf(buf, "%d\n", +- st->chip_info->sample_freq_avail[AD7793_MODE_RATE(st->mode)]); +-} +- +-static ssize_t ad7793_write_frequency(struct device *dev, +- struct device_attribute *attr, +- const char *buf, +- size_t len) +-{ +- struct iio_dev *indio_dev = dev_to_iio_dev(dev); +- struct ad7793_state *st = iio_priv(indio_dev); +- long lval; +- int i, ret; +- +- ret = kstrtol(buf, 10, &lval); +- if (ret) +- return ret; +- +- if (lval == 0) +- return -EINVAL; +- +- for (i = 0; i < 16; i++) +- if (lval == st->chip_info->sample_freq_avail[i]) +- break; +- if (i == 16) +- return -EINVAL; +- +- ret = iio_device_claim_direct_mode(indio_dev); +- if (ret) +- return ret; +- st->mode &= ~AD7793_MODE_RATE(-1); +- st->mode |= AD7793_MODE_RATE(i); +- ad_sd_write_reg(&st->sd, AD7793_REG_MODE, sizeof(st->mode), st->mode); +- iio_device_release_direct_mode(indio_dev); +- +- return len; +-} +- +-static IIO_DEV_ATTR_SAMP_FREQ(S_IWUSR | S_IRUGO, +- ad7793_read_frequency, +- ad7793_write_frequency); +- + static IIO_CONST_ATTR_SAMP_FREQ_AVAIL( + "470 242 123 62 50 39 33 19 17 16 12 10 8 6 4"); + +@@ -424,7 +375,6 @@ static IIO_DEVICE_ATTR_NAMED(in_m_in_scale_available, + ad7793_show_scale_available, NULL, 0); + + static struct attribute *ad7793_attributes[] = { +- &iio_dev_attr_sampling_frequency.dev_attr.attr, + &iio_const_attr_sampling_frequency_available.dev_attr.attr, + &iio_dev_attr_in_m_in_scale_available.dev_attr.attr, + NULL +@@ -435,7 +385,6 @@ static const struct attribute_group ad7793_attribute_group = { + }; + + static struct attribute *ad7797_attributes[] = { +- &iio_dev_attr_sampling_frequency.dev_attr.attr, + &iio_const_attr_sampling_frequency_available_ad7797.dev_attr.attr, + NULL + }; +@@ -505,6 +454,10 @@ static int ad7793_read_raw(struct iio_dev *indio_dev, + *val -= offset; + } + return IIO_VAL_INT; ++ case IIO_CHAN_INFO_SAMP_FREQ: ++ *val = st->chip_info ++ ->sample_freq_avail[AD7793_MODE_RATE(st->mode)]; ++ return IIO_VAL_INT; + } + return -EINVAL; + } +@@ -542,6 +495,26 @@ static int ad7793_write_raw(struct iio_dev *indio_dev, + break; + } + break; ++ case IIO_CHAN_INFO_SAMP_FREQ: ++ if (!val) { ++ ret = -EINVAL; ++ break; ++ } ++ ++ for (i = 0; i < 16; i++) ++ if (val == st->chip_info->sample_freq_avail[i]) ++ break; ++ ++ if (i == 16) { ++ ret = -EINVAL; ++ break; ++ } ++ ++ st->mode &= ~AD7793_MODE_RATE(-1); ++ st->mode |= AD7793_MODE_RATE(i); ++ ad_sd_write_reg(&st->sd, AD7793_REG_MODE, sizeof(st->mode), ++ st->mode); ++ break; + default: + ret = -EINVAL; + } +-- +2.17.1 + diff --git a/patches.drivers/iio-kfifo_buf-check-for-uint-overflow b/patches.drivers/iio-kfifo_buf-check-for-uint-overflow new file mode 100644 index 0000000000..85db3def1f --- /dev/null +++ b/patches.drivers/iio-kfifo_buf-check-for-uint-overflow @@ -0,0 +1,64 @@ +From 3d13de4b027d5f6276c0f9d3a264f518747d83f2 Mon Sep 17 00:00:00 2001 +From: Martin Kelly <mkelly@xevo.com> +Date: Mon, 26 Mar 2018 14:27:52 -0700 +Subject: [PATCH] iio:kfifo_buf: check for uint overflow +Git-commit: 3d13de4b027d5f6276c0f9d3a264f518747d83f2 +Patch-mainline: v4.17 +References: bsc#1051510 + +Currently, the following causes a kernel OOPS in memcpy: + +echo 1073741825 > buffer/length +echo 1 > buffer/enable + +Note that using 1073741824 instead of 1073741825 causes "write error: +Cannot allocate memory" but no OOPS. + +This is because 1073741824 == 2^30 and 1073741825 == 2^30+1. Since kfifo +rounds up to the nearest power of 2, it will actually call kmalloc with +roundup_pow_of_two(length) * bytes_per_datum. + +Using length == 1073741825 and bytes_per_datum == 2, we get: + +kmalloc(roundup_pow_of_two(1073741825) * 2 +or kmalloc(2147483648 * 2) +or kmalloc(4294967296) +or kmalloc(UINT_MAX + 1) + +so this overflows to 0, causing kmalloc to return ZERO_SIZE_PTR and +subsequent memcpy to fail once the device is enabled. + +Fix this by checking for overflow prior to allocating a kfifo. With this +check added, the above code returns -EINVAL when enabling the buffer, +rather than causing an OOPS. + +Signed-off-by: Martin Kelly <mkelly@xevo.com> +Cc: <Stable@vger.kernel.org> +Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> +Acked-by: Takashi Iwai <tiwai@suse.de> + +--- + drivers/iio/buffer/kfifo_buf.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/iio/buffer/kfifo_buf.c b/drivers/iio/buffer/kfifo_buf.c +index ac622edf2486..70c302a93d7f 100644 +--- a/drivers/iio/buffer/kfifo_buf.c ++++ b/drivers/iio/buffer/kfifo_buf.c +@@ -27,6 +27,13 @@ static inline int __iio_allocate_kfifo(struct iio_kfifo *buf, + if ((length == 0) || (bytes_per_datum == 0)) + return -EINVAL; + ++ /* ++ * Make sure we don't overflow an unsigned int after kfifo rounds up to ++ * the next power of 2. ++ */ ++ if (roundup_pow_of_two(length) > UINT_MAX / bytes_per_datum) ++ return -EINVAL; ++ + return __kfifo_alloc((struct __kfifo *)&buf->kf, length, + bytes_per_datum, GFP_KERNEL); + } +-- +2.17.1 + diff --git a/patches.drivers/iwlwifi-fw-harden-page-loading-code b/patches.drivers/iwlwifi-fw-harden-page-loading-code new file mode 100644 index 0000000000..0cacf0b74d --- /dev/null +++ b/patches.drivers/iwlwifi-fw-harden-page-loading-code @@ -0,0 +1,145 @@ +From 9039d985811d5b109b58b202b7594fd24e433fed Mon Sep 17 00:00:00 2001 +From: Luca Coelho <luciano.coelho@intel.com> +Date: Tue, 13 Feb 2018 11:09:40 +0200 +Subject: [PATCH] iwlwifi: fw: harden page loading code +Git-commit: 9039d985811d5b109b58b202b7594fd24e433fed +Patch-mainline: v4.18-rc1 +References: bsc#1051510 + +The page loading code trusts the data provided in the firmware images +a bit too much and may cause a buffer overflow or copy unknown data if +the block sizes don't match what we expect. + +To prevent potential problems, harden the code by checking if the +sizes we are copying are what we expect. + +Cc: stable@vger.kernel.org +Signed-off-by: Luca Coelho <luciano.coelho@intel.com> +Acked-by: Takashi Iwai <tiwai@suse.de> + +--- + .../net/wireless/intel/iwlwifi/fw/paging.c | 49 ++++++++++++++++--- + 1 file changed, 41 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/fw/paging.c b/drivers/net/wireless/intel/iwlwifi/fw/paging.c +index 1fec8e3a6b35..6afcfd1f0eec 100644 +--- a/drivers/net/wireless/intel/iwlwifi/fw/paging.c ++++ b/drivers/net/wireless/intel/iwlwifi/fw/paging.c +@@ -8,6 +8,7 @@ + * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved. + * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH + * Copyright(c) 2016 - 2017 Intel Deutschland GmbH ++ * Copyright(c) 2018 Intel Corporation + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of version 2 of the GNU General Public License as +@@ -30,6 +31,7 @@ + * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved. + * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH + * Copyright(c) 2016 - 2017 Intel Deutschland GmbH ++ * Copyright(c) 2018 Intel Corporation + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without +@@ -163,7 +165,7 @@ static int iwl_alloc_fw_paging_mem(struct iwl_fw_runtime *fwrt, + static int iwl_fill_paging_mem(struct iwl_fw_runtime *fwrt, + const struct fw_img *image) + { +- int sec_idx, idx; ++ int sec_idx, idx, ret; + u32 offset = 0; + + /* +@@ -190,17 +192,23 @@ static int iwl_fill_paging_mem(struct iwl_fw_runtime *fwrt, + */ + if (sec_idx >= image->num_sec - 1) { + IWL_ERR(fwrt, "Paging: Missing CSS and/or paging sections\n"); +- iwl_free_fw_paging(fwrt); +- return -EINVAL; ++ ret = -EINVAL; ++ goto err; + } + + /* copy the CSS block to the dram */ + IWL_DEBUG_FW(fwrt, "Paging: load paging CSS to FW, sec = %d\n", + sec_idx); + ++ if (image->sec[sec_idx].len > fwrt->fw_paging_db[0].fw_paging_size) { ++ IWL_ERR(fwrt, "CSS block is larger than paging size\n"); ++ ret = -EINVAL; ++ goto err; ++ } ++ + memcpy(page_address(fwrt->fw_paging_db[0].fw_paging_block), + image->sec[sec_idx].data, +- fwrt->fw_paging_db[0].fw_paging_size); ++ image->sec[sec_idx].len); + dma_sync_single_for_device(fwrt->trans->dev, + fwrt->fw_paging_db[0].fw_paging_phys, + fwrt->fw_paging_db[0].fw_paging_size, +@@ -221,6 +229,14 @@ static int iwl_fill_paging_mem(struct iwl_fw_runtime *fwrt, + for (idx = 1; idx < fwrt->num_of_paging_blk; idx++) { + struct iwl_fw_paging *block = &fwrt->fw_paging_db[idx]; + ++ if (block->fw_paging_size > image->sec[sec_idx].len - offset) { ++ IWL_ERR(fwrt, ++ "Paging: paging size is larger than remaining data in block %d\n", ++ idx); ++ ret = -EINVAL; ++ goto err; ++ } ++ + memcpy(page_address(block->fw_paging_block), + image->sec[sec_idx].data + offset, + block->fw_paging_size); +@@ -231,19 +247,32 @@ static int iwl_fill_paging_mem(struct iwl_fw_runtime *fwrt, + + IWL_DEBUG_FW(fwrt, + "Paging: copied %d paging bytes to block %d\n", +- fwrt->fw_paging_db[idx].fw_paging_size, +- idx); ++ block->fw_paging_size, idx); + +- offset += fwrt->fw_paging_db[idx].fw_paging_size; ++ offset += block->fw_paging_size; ++ ++ if (offset > image->sec[sec_idx].len) { ++ IWL_ERR(fwrt, ++ "Paging: offset goes over section size\n"); ++ ret = -EINVAL; ++ goto err; ++ } + } + + /* copy the last paging block */ + if (fwrt->num_of_pages_in_last_blk > 0) { + struct iwl_fw_paging *block = &fwrt->fw_paging_db[idx]; + ++ if (image->sec[sec_idx].len - offset > block->fw_paging_size) { ++ IWL_ERR(fwrt, ++ "Paging: last block is larger than paging size\n"); ++ ret = -EINVAL; ++ goto err; ++ } ++ + memcpy(page_address(block->fw_paging_block), + image->sec[sec_idx].data + offset, +- FW_PAGING_SIZE * fwrt->num_of_pages_in_last_blk); ++ image->sec[sec_idx].len - offset); + dma_sync_single_for_device(fwrt->trans->dev, + block->fw_paging_phys, + block->fw_paging_size, +@@ -255,6 +284,10 @@ static int iwl_fill_paging_mem(struct iwl_fw_runtime *fwrt, + } + + return 0; ++ ++err: ++ iwl_free_fw_paging(fwrt); ++ return ret; + } + + static int iwl_save_fw_paging(struct iwl_fw_runtime *fwrt, +-- +2.17.1 + diff --git a/patches.drivers/iwlwifi-pcie-compare-with-number-of-IRQs-requested-f b/patches.drivers/iwlwifi-pcie-compare-with-number-of-IRQs-requested-f new file mode 100644 index 0000000000..008fc30353 --- /dev/null +++ b/patches.drivers/iwlwifi-pcie-compare-with-number-of-IRQs-requested-f @@ -0,0 +1,75 @@ +From ab1068d6866e28bf6427ceaea681a381e5870a4a Mon Sep 17 00:00:00 2001 +From: Hao Wei Tee <angelsl@in04.sg> +Date: Tue, 29 May 2018 10:25:17 +0300 +Subject: [PATCH] iwlwifi: pcie: compare with number of IRQs requested for, not number of CPUs +Git-commit: ab1068d6866e28bf6427ceaea681a381e5870a4a +Patch-mainline: v4.17 +References: bsc#1051510 + +When there are 16 or more logical CPUs, we request for +`IWL_MAX_RX_HW_QUEUES` (16) IRQs only as we limit to that number of +IRQs, but later on we compare the number of IRQs returned to +nr_online_cpus+2 instead of max_irqs, the latter being what we +actually asked for. This ends up setting num_rx_queues to 17 which +causes lots of out-of-bounds array accesses later on. + +Compare to max_irqs instead, and also add an assertion in case +num_rx_queues > IWM_MAX_RX_HW_QUEUES. + +This fixes https://bugzilla.kernel.org/show_bug.cgi?id=199551 + +Fixes: 2e5d4a8f61dc ("iwlwifi: pcie: Add new configuration to enable MSIX") +Signed-off-by: Hao Wei Tee <angelsl@in04.sg> +Tested-by: Sara Sharon <sara.sharon@intel.com> +Signed-off-by: Luca Coelho <luciano.coelho@intel.com> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +Acked-by: Takashi Iwai <tiwai@suse.de> + +--- + drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c +index f8a0234d332c..5517ea4c2aa0 100644 +--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c +@@ -1590,14 +1590,13 @@ static void iwl_pcie_set_interrupt_capa(struct pci_dev *pdev, + struct iwl_trans *trans) + { + struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans); +- int max_irqs, num_irqs, i, ret, nr_online_cpus; ++ int max_irqs, num_irqs, i, ret; + u16 pci_cmd; + + if (!trans->cfg->mq_rx_supported) + goto enable_msi; + +- nr_online_cpus = num_online_cpus(); +- max_irqs = min_t(u32, nr_online_cpus + 2, IWL_MAX_RX_HW_QUEUES); ++ max_irqs = min_t(u32, num_online_cpus() + 2, IWL_MAX_RX_HW_QUEUES); + for (i = 0; i < max_irqs; i++) + trans_pcie->msix_entries[i].entry = i; + +@@ -1623,16 +1622,17 @@ static void iwl_pcie_set_interrupt_capa(struct pci_dev *pdev, + * Two interrupts less: non rx causes shared with FBQ and RSS. + * More than two interrupts: we will use fewer RSS queues. + */ +- if (num_irqs <= nr_online_cpus) { ++ if (num_irqs <= max_irqs - 2) { + trans_pcie->trans->num_rx_queues = num_irqs + 1; + trans_pcie->shared_vec_mask = IWL_SHARED_IRQ_NON_RX | + IWL_SHARED_IRQ_FIRST_RSS; +- } else if (num_irqs == nr_online_cpus + 1) { ++ } else if (num_irqs == max_irqs - 1) { + trans_pcie->trans->num_rx_queues = num_irqs; + trans_pcie->shared_vec_mask = IWL_SHARED_IRQ_NON_RX; + } else { + trans_pcie->trans->num_rx_queues = num_irqs - 1; + } ++ WARN_ON(trans_pcie->trans->num_rx_queues > IWL_MAX_RX_HW_QUEUES); + + trans_pcie->alloc_vecs = num_irqs; + trans_pcie->msix_enabled = true; +-- +2.18.0 + diff --git a/patches.drivers/media-uvcvideo-Support-realtek-s-UVC-1.5-device b/patches.drivers/media-uvcvideo-Support-realtek-s-UVC-1.5-device new file mode 100644 index 0000000000..714441a2da --- /dev/null +++ b/patches.drivers/media-uvcvideo-Support-realtek-s-UVC-1.5-device @@ -0,0 +1,94 @@ +From f620d1d7afc7db57ab59f35000752840c91f67e7 Mon Sep 17 00:00:00 2001 +From: ming_qian <ming_qian@realsil.com.cn> +Date: Tue, 8 May 2018 22:13:08 -0400 +Subject: [PATCH] media: uvcvideo: Support realtek's UVC 1.5 device +Git-commit: f620d1d7afc7db57ab59f35000752840c91f67e7 +Patch-mainline: v4.18-rc1 +References: bsc#1099109 + +Media: uvcvideo: Support UVC 1.5 video probe & commit controls + +The length of UVC 1.5 video control is 48, and it is 34 for UVC 1.1. +Change it to 48 for UVC 1.5 device, and the UVC 1.5 device can be +recognized. + +More changes to the driver are needed for full UVC 1.5 compatibility. +However, at least the UVC 1.5 Realtek RTS5847/RTS5852 cameras have been +reported to work well. + +[laurent.pinchart@ideasonboard.com: Factor out code to helper function, update size checks] + +Cc: stable@vger.kernel.org +Signed-off-by: ming_qian <ming_qian@realsil.com.cn> +Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> +Tested-by: Kai-Heng Feng <kai.heng.feng@canonical.com> +Tested-by: Ana Guerrero Lopez <ana.guerrero@collabora.com> +Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> +Acked-by: Takashi Iwai <tiwai@suse.de> + +--- + drivers/media/usb/uvc/uvc_video.c | 24 ++++++++++++++++++------ + 1 file changed, 18 insertions(+), 6 deletions(-) + +--- a/drivers/media/usb/uvc/uvc_video.c ++++ b/drivers/media/usb/uvc/uvc_video.c +@@ -163,14 +163,27 @@ static void uvc_fixup_video_ctrl(struct + } + } + ++static size_t uvc_video_ctrl_size(struct uvc_streaming *stream) ++{ ++ /* ++ * Return the size of the video probe and commit controls, which depends ++ * on the protocol version. ++ */ ++ if (stream->dev->uvc_version < 0x0110) ++ return 26; ++ else if (stream->dev->uvc_version < 0x0150) ++ return 34; ++ else ++ return 48; ++} ++ + static int uvc_get_video_ctrl(struct uvc_streaming *stream, + struct uvc_streaming_control *ctrl, int probe, __u8 query) + { + __u8 *data; +- __u16 size; ++ __u16 size = uvc_video_ctrl_size(stream); + int ret; + +- size = stream->dev->uvc_version >= 0x0110 ? 34 : 26; + if ((stream->dev->quirks & UVC_QUIRK_PROBE_DEF) && + query == UVC_GET_DEF) + return -EIO; +@@ -225,7 +238,7 @@ static int uvc_get_video_ctrl(struct uvc + ctrl->dwMaxVideoFrameSize = get_unaligned_le32(&data[18]); + ctrl->dwMaxPayloadTransferSize = get_unaligned_le32(&data[22]); + +- if (size == 34) { ++ if (size >= 34) { + ctrl->dwClockFrequency = get_unaligned_le32(&data[26]); + ctrl->bmFramingInfo = data[30]; + ctrl->bPreferedVersion = data[31]; +@@ -255,10 +268,9 @@ static int uvc_set_video_ctrl(struct uvc + struct uvc_streaming_control *ctrl, int probe) + { + __u8 *data; +- __u16 size; ++ __u16 size = uvc_video_ctrl_size(stream); + int ret; + +- size = stream->dev->uvc_version >= 0x0110 ? 34 : 26; + data = kzalloc(size, GFP_KERNEL); + if (data == NULL) + return -ENOMEM; +@@ -275,7 +287,7 @@ static int uvc_set_video_ctrl(struct uvc + put_unaligned_le32(ctrl->dwMaxVideoFrameSize, &data[18]); + put_unaligned_le32(ctrl->dwMaxPayloadTransferSize, &data[22]); + +- if (size == 34) { ++ if (size >= 34) { + put_unaligned_le32(ctrl->dwClockFrequency, &data[26]); + data[30] = ctrl->bmFramingInfo; + data[31] = ctrl->bPreferedVersion; diff --git a/patches.drivers/nvme-Set-integrity-flag-for-user-passthrough-command.patch b/patches.drivers/nvme-Set-integrity-flag-for-user-passthrough-command.patch new file mode 100644 index 0000000000..860e41d3a4 --- /dev/null +++ b/patches.drivers/nvme-Set-integrity-flag-for-user-passthrough-command.patch @@ -0,0 +1,33 @@ +From: Keith Busch <keith.busch@intel.com> +Date: Tue, 17 Apr 2018 14:42:44 -0600 +Subject: [PATCH] nvme: Set integrity flag for user passthrough commands +References: bsc#1098706 +Git-commit: f31a21103c03bb62846409fdc60cc9faf2398cfb +Patch-mainline: v4.17-rc4 + +If the command a separate metadata buffer attached, the request needs +to have the integrity flag set so the driver knows to map it. + +Signed-off-by: Keith Busch <keith.busch@intel.com> +Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com> +Signed-off-by: Jens Axboe <axboe@kernel.dk> +Signed-off-by: Hannes Reinecke <hare@suse.de> +--- + drivers/nvme/host/core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index ed8e6819cd85..1bddf6b62369 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -766,6 +766,7 @@ static int nvme_submit_user_cmd(struct request_queue *q, + ret = PTR_ERR(meta); + goto out_unmap; + } ++ req->cmd_flags |= REQ_INTEGRITY; + } + } + +-- +2.12.3 + diff --git a/patches.drivers/nvme-Skip-checking-heads-without-namespaces.patch b/patches.drivers/nvme-Skip-checking-heads-without-namespaces.patch new file mode 100644 index 0000000000..b93dfc5ef9 --- /dev/null +++ b/patches.drivers/nvme-Skip-checking-heads-without-namespaces.patch @@ -0,0 +1,41 @@ +From: Keith Busch <keith.busch@intel.com> +Date: Mon, 19 Mar 2018 10:53:50 -0600 +Subject: [PATCH] nvme: Skip checking heads without namespaces +References: bsc#1098706 +Git-commit: 2079699c10c8c60a9572540c2f77d045abf036eb +Patch-mainline: v4.17-rc1 + +If a task is holding a reference to a namespace on a removed controller, +the head will not be released. If the same controller is added again +later, its namespaces may not be successfully added. Instead, the user +will see kernel message "Duplicate IDs for nsid <X>". + +This patch fixes that by skipping heads that don't have namespaces when +considering if a new namespace is safe to add. + +Reported-by: Alex Gagniuc <Alex_Gagniuc@Dellteam.com> +Cc: stable@vger.kernel.org +Signed-off-by: Keith Busch <keith.busch@intel.com> +Reviewed-by: Max Gurtovoy <maxg@mellanox.com> +Reviewed-by: Christoph Hellwig <hch@lst.de> +Signed-off-by: Jens Axboe <axboe@kernel.dk> +Signed-off-by: Hannes Reinecke <hare@suse.de> +--- + drivers/nvme/host/core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 181668a0be0d..0bdb1433361d 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -2793,6 +2793,7 @@ static int __nvme_check_ids(struct nvme_subsystem *subsys, + + list_for_each_entry(h, &subsys->nsheads, entry) { + if (nvme_ns_ids_valid(&new->ids) && ++ !list_empty(&h->list) && + nvme_ns_ids_equal(&new->ids, &h->ids)) + return -EINVAL; + } +-- +2.12.3 + diff --git a/patches.drivers/nvme-Use-admin-command-effects-for-admin-commands.patch b/patches.drivers/nvme-Use-admin-command-effects-for-admin-commands.patch new file mode 100644 index 0000000000..80adfa42b5 --- /dev/null +++ b/patches.drivers/nvme-Use-admin-command-effects-for-admin-commands.patch @@ -0,0 +1,30 @@ +From: Keith Busch <keith.busch@intel.com> +Date: Thu, 12 Apr 2018 09:16:14 -0600 +Subject: [PATCH] nvme: Use admin command effects for admin commands +References: bsc#1098706 +Git-commit: 62843c2e4226057c83f520c74fe9c81a1891c331 +Patch-mainline: v4.17-rc1 + +Signed-off-by: Keith Busch <keith.busch@intel.com> +Signed-off-by: Jens Axboe <axboe@kernel.dk> +Signed-off-by: Hannes Reinecke <hare@suse.de> +--- + drivers/nvme/host/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 88286ad1e0fe..54c69f941dfe 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -1104,7 +1104,7 @@ static u32 nvme_passthru_start(struct nvme_ctrl *ctrl, struct nvme_ns *ns, + } + + if (ctrl->effects) +- effects = le32_to_cpu(ctrl->effects->iocs[opcode]); ++ effects = le32_to_cpu(ctrl->effects->acs[opcode]); + else + effects = nvme_known_admin_effects(opcode); + +-- +2.12.3 + diff --git a/patches.drivers/nvme-allow-duplicate-controller-if-prior-controller-.patch b/patches.drivers/nvme-allow-duplicate-controller-if-prior-controller-.patch new file mode 100644 index 0000000000..30b5d12811 --- /dev/null +++ b/patches.drivers/nvme-allow-duplicate-controller-if-prior-controller-.patch @@ -0,0 +1,41 @@ +From: James Smart <jsmart2021@gmail.com> +Date: Fri, 25 May 2018 14:02:23 -0700 +Subject: [PATCH] nvme: allow duplicate controller if prior controller being + deleted +References: bsc#1098706 +Git-commit: ab4f47a9f4a12603a1806230d44ead2e54158f85 +Patch-mainline: v4.18-rc1 + +The current checks for whether a new controller request "matches" an +existing controller ignores controller state and checks identity strings. +There are cases where an existing controller may be in its last steps of +deletion when they are "matched" by a new connection. + +Change the behavior so that the new connection ignores controllers that +are deleted. + +Signed-off-by: James Smart <james.smart@broadcom.com> +Signed-off-by: Christoph Hellwig <hch@lst.de> +Signed-off-by: Hannes Reinecke <hare@suse.de> +--- + drivers/nvme/host/fabrics.h | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/fabrics.h b/drivers/nvme/host/fabrics.h +index ef46c915b7b5..0cf0460a5c92 100644 +--- a/drivers/nvme/host/fabrics.h ++++ b/drivers/nvme/host/fabrics.h +@@ -139,7 +139,9 @@ static inline bool + nvmf_ctlr_matches_baseopts(struct nvme_ctrl *ctrl, + struct nvmf_ctrl_options *opts) + { +- if (strcmp(opts->subsysnqn, ctrl->opts->subsysnqn) || ++ if (ctrl->state == NVME_CTRL_DELETING || ++ ctrl->state == NVME_CTRL_DEAD || ++ strcmp(opts->subsysnqn, ctrl->opts->subsysnqn) || + strcmp(opts->host->nqn, ctrl->opts->host->nqn) || + memcmp(&opts->host->id, &ctrl->opts->host->id, sizeof(uuid_t))) + return false; +-- +2.12.3 + diff --git a/patches.drivers/nvme-check-return-value-of-init_srcu_struct-function.patch b/patches.drivers/nvme-check-return-value-of-init_srcu_struct-function.patch new file mode 100644 index 0000000000..e8b30ab2d0 --- /dev/null +++ b/patches.drivers/nvme-check-return-value-of-init_srcu_struct-function.patch @@ -0,0 +1,44 @@ +From: Max Gurtovoy <maxg@mellanox.com> +Date: Thu, 12 Apr 2018 09:16:12 -0600 +Subject: [PATCH] nvme: check return value of init_srcu_struct function +References: bsc#1098706 +Git-commit: fd92c77f58257ae5eb5180afe36e86094e4910f6 +Patch-mainline: v4.17-rc1 + +Also add error flow in case srcu initialization function fails. + +Signed-off-by: Max Gurtovoy <maxg@mellanox.com> +Reviewed-by: Christoph Hellwig <hch@lst.de> +Signed-off-by: Keith Busch <keith.busch@intel.com> +Signed-off-by: Jens Axboe <axboe@kernel.dk> +Signed-off-by: Hannes Reinecke <hare@suse.de> +--- + drivers/nvme/host/core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 0bdb1433361d..88286ad1e0fe 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -2815,7 +2815,9 @@ static struct nvme_ns_head *nvme_alloc_ns_head(struct nvme_ctrl *ctrl, + goto out_free_head; + head->instance = ret; + INIT_LIST_HEAD(&head->list); +- init_srcu_struct(&head->srcu); ++ ret = init_srcu_struct(&head->srcu); ++ if (ret) ++ goto out_ida_remove; + head->subsys = ctrl->subsys; + head->ns_id = nsid; + kref_init(&head->ref); +@@ -2837,6 +2839,7 @@ static struct nvme_ns_head *nvme_alloc_ns_head(struct nvme_ctrl *ctrl, + return head; + out_cleanup_srcu: + cleanup_srcu_struct(&head->srcu); ++out_ida_remove: + ida_simple_remove(&ctrl->subsys->ns_ida, head->instance); + out_free_head: + kfree(head); +-- +2.12.3 + diff --git a/patches.drivers/nvme-expand-nvmf_check_if_ready-checks.patch b/patches.drivers/nvme-expand-nvmf_check_if_ready-checks.patch new file mode 100644 index 0000000000..0b2571b21e --- /dev/null +++ b/patches.drivers/nvme-expand-nvmf_check_if_ready-checks.patch @@ -0,0 +1,341 @@ +From: James Smart <jsmart2021@gmail.com> +Date: Thu, 12 Apr 2018 09:16:15 -0600 +Subject: [PATCH] nvme: expand nvmf_check_if_ready checks +References: bsc#1098706 +Git-commit: bb06ec31452fb2da1594f88035c2ecea4e0652f4 +Patch-mainline: v4.17-rc1 + +The nvmf_check_if_ready() checks that were added are very simplistic. +As such, the routine allows a lot of cases to fail ios during windows +of reset or re-connection. In cases where there are not multi-path +options present, the error goes back to the callee - the filesystem +or application. Not good. + +The common routine was rewritten and calling syntax slightly expanded +so that per-transport is_ready routines don't need to be present. +The transports now call the routine directly. The routine is now a +fabrics routine rather than an inline function. + +The routine now looks at controller state to decide the action to +take. Some states mandate io failure. Others define the condition where +a command can be accepted. When the decision is unclear, a generic +queue-or-reject check is made to look for failfast or multipath ios and +only fails the io if it is so marked. Otherwise, the io will be queued +and wait for the controller state to resolve. + +Admin commands issued via ioctl share a live admin queue with commands +from the transport for controller init. The ioctls could be intermixed +with the initialization commands. It's possible for the ioctl cmd to +be issued prior to the controller being enabled. To block this, the +ioctl admin commands need to be distinguished from admin commands used +for controller init. Added a USERCMD nvme_req(req)->rq_flags bit to +reflect this division and set it on ioctls requests. As the +nvmf_check_if_ready() routine is called prior to nvme_setup_cmd(), +ensure that commands allocated by the ioctl path (actually anything +in core.c) preps the nvme_req(req) before starting the io. This will +preserve the USERCMD flag during execution and/or retry. + +Signed-off-by: James Smart <james.smart@broadcom.com> +Reviewed-by: Sagi Grimberg <sagi@grimberg.e> +Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de> +Signed-off-by: Keith Busch <keith.busch@intel.com> +Signed-off-by: Jens Axboe <axboe@kernel.dk> +Signed-off-by: Hannes Reinecke <hare@suse.de> +--- + drivers/nvme/host/core.c | 17 +++++++--- + drivers/nvme/host/fabrics.c | 79 +++++++++++++++++++++++++++++++++++++++++++++ + drivers/nvme/host/fabrics.h | 33 ++----------------- + drivers/nvme/host/fc.c | 12 ++----- + drivers/nvme/host/nvme.h | 1 + + drivers/nvme/host/rdma.c | 14 ++------ + drivers/nvme/target/loop.c | 11 ++----- + 7 files changed, 101 insertions(+), 66 deletions(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 54c69f941dfe..ed8e6819cd85 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -378,6 +378,15 @@ static void nvme_put_ns(struct nvme_ns *ns) + kref_put(&ns->kref, nvme_free_ns); + } + ++static inline void nvme_clear_nvme_request(struct request *req) ++{ ++ if (!(req->rq_flags & RQF_DONTPREP)) { ++ nvme_req(req)->retries = 0; ++ nvme_req(req)->flags = 0; ++ req->rq_flags |= RQF_DONTPREP; ++ } ++} ++ + struct request *nvme_alloc_request(struct request_queue *q, + struct nvme_command *cmd, unsigned int flags, int qid) + { +@@ -394,6 +403,7 @@ struct request *nvme_alloc_request(struct request_queue *q, + return req; + + req->cmd_flags |= REQ_FAILFAST_DRIVER; ++ nvme_clear_nvme_request(req); + nvme_req(req)->cmd = cmd; + + return req; +@@ -610,11 +620,7 @@ blk_status_t nvme_setup_cmd(struct nvme_ns *ns, struct request *req, + { + blk_status_t ret = BLK_STS_OK; + +- if (!(req->rq_flags & RQF_DONTPREP)) { +- nvme_req(req)->retries = 0; +- nvme_req(req)->flags = 0; +- req->rq_flags |= RQF_DONTPREP; +- } ++ nvme_clear_nvme_request(req); + + switch (req_op(req)) { + case REQ_OP_DRV_IN: +@@ -743,6 +749,7 @@ static int nvme_submit_user_cmd(struct request_queue *q, + return PTR_ERR(req); + + req->timeout = timeout ? timeout : ADMIN_TIMEOUT; ++ nvme_req(req)->flags |= NVME_REQ_USERCMD; + + if (ubuffer && bufflen) { + ret = blk_rq_map_user(q, req, NULL, ubuffer, bufflen, +diff --git a/drivers/nvme/host/fabrics.c b/drivers/nvme/host/fabrics.c +index a74b372cedc7..297668552983 100644 +--- a/drivers/nvme/host/fabrics.c ++++ b/drivers/nvme/host/fabrics.c +@@ -536,6 +536,85 @@ static struct nvmf_transport_ops *nvmf_lookup_transport( + return NULL; + } + ++blk_status_t nvmf_check_if_ready(struct nvme_ctrl *ctrl, struct request *rq, ++ bool queue_live, bool is_connected) ++{ ++ struct nvme_command *cmd = nvme_req(rq)->cmd; ++ ++ if (likely(ctrl->state == NVME_CTRL_LIVE && is_connected)) ++ return BLK_STS_OK; ++ ++ switch (ctrl->state) { ++ case NVME_CTRL_DELETING: ++ goto reject_io; ++ ++ case NVME_CTRL_NEW: ++ case NVME_CTRL_CONNECTING: ++ if (!is_connected) ++ /* ++ * This is the case of starting a new ++ * association but connectivity was lost ++ * before it was fully created. We need to ++ * error the commands used to initialize the ++ * controller so the reconnect can go into a ++ * retry attempt. The commands should all be ++ * marked REQ_FAILFAST_DRIVER, which will hit ++ * the reject path below. Anything else will ++ * be queued while the state settles. ++ */ ++ goto reject_or_queue_io; ++ ++ if ((queue_live && ++ !(nvme_req(rq)->flags & NVME_REQ_USERCMD)) || ++ (!queue_live && blk_rq_is_passthrough(rq) && ++ cmd->common.opcode == nvme_fabrics_command && ++ cmd->fabrics.fctype == nvme_fabrics_type_connect)) ++ /* ++ * If queue is live, allow only commands that ++ * are internally generated pass through. These ++ * are commands on the admin queue to initialize ++ * the controller. This will reject any ioctl ++ * admin cmds received while initializing. ++ * ++ * If the queue is not live, allow only a ++ * connect command. This will reject any ioctl ++ * admin cmd as well as initialization commands ++ * if the controller reverted the queue to non-live. ++ */ ++ return BLK_STS_OK; ++ ++ /* ++ * fall-thru to the reject_or_queue_io clause ++ */ ++ break; ++ ++ /* these cases fall-thru ++ * case NVME_CTRL_LIVE: ++ * case NVME_CTRL_RESETTING: ++ */ ++ default: ++ break; ++ } ++ ++reject_or_queue_io: ++ /* ++ * Any other new io is something we're not in a state to send ++ * to the device. Default action is to busy it and retry it ++ * after the controller state is recovered. However, anything ++ * marked for failfast or nvme multipath is immediately failed. ++ * Note: commands used to initialize the controller will be ++ * marked for failfast. ++ * Note: nvme cli/ioctl commands are marked for failfast. ++ */ ++ if (!blk_noretry_request(rq) && !(rq->cmd_flags & REQ_NVME_MPATH)) ++ return BLK_STS_RESOURCE; ++ ++reject_io: ++ nvme_req(rq)->status = NVME_SC_ABORT_REQ; ++ return BLK_STS_IOERR; ++} ++EXPORT_SYMBOL_GPL(nvmf_check_if_ready); ++ + static const match_table_t opt_tokens = { + { NVMF_OPT_TRANSPORT, "transport=%s" }, + { NVMF_OPT_TRADDR, "traddr=%s" }, +diff --git a/drivers/nvme/host/fabrics.h b/drivers/nvme/host/fabrics.h +index a3145d90c1d2..ef46c915b7b5 100644 +--- a/drivers/nvme/host/fabrics.h ++++ b/drivers/nvme/host/fabrics.h +@@ -157,36 +157,7 @@ void nvmf_unregister_transport(struct nvmf_transport_ops *ops); + void nvmf_free_options(struct nvmf_ctrl_options *opts); + int nvmf_get_address(struct nvme_ctrl *ctrl, char *buf, int size); + bool nvmf_should_reconnect(struct nvme_ctrl *ctrl); +- +-static inline blk_status_t nvmf_check_init_req(struct nvme_ctrl *ctrl, +- struct request *rq) +-{ +- struct nvme_command *cmd = nvme_req(rq)->cmd; +- +- /* +- * We cannot accept any other command until the connect command has +- * completed, so only allow connect to pass. +- */ +- if (!blk_rq_is_passthrough(rq) || +- cmd->common.opcode != nvme_fabrics_command || +- cmd->fabrics.fctype != nvme_fabrics_type_connect) { +- /* +- * Connecting state means transport disruption or initial +- * establishment, which can take a long time and even might +- * fail permanently, fail fast to give upper layers a chance +- * to failover. +- * Deleting state means that the ctrl will never accept commands +- * again, fail it permanently. +- */ +- if (ctrl->state == NVME_CTRL_CONNECTING || +- ctrl->state == NVME_CTRL_DELETING) { +- nvme_req(rq)->status = NVME_SC_ABORT_REQ; +- return BLK_STS_IOERR; +- } +- return BLK_STS_RESOURCE; /* try again later */ +- } +- +- return BLK_STS_OK; +-} ++blk_status_t nvmf_check_if_ready(struct nvme_ctrl *ctrl, ++ struct request *rq, bool queue_live, bool is_connected); + + #endif /* _NVME_FABRICS_H */ +diff --git a/drivers/nvme/host/fc.c b/drivers/nvme/host/fc.c +index c032e20e283a..3f7be5067bfd 100644 +--- a/drivers/nvme/host/fc.c ++++ b/drivers/nvme/host/fc.c +@@ -2287,14 +2287,6 @@ nvme_fc_start_fcp_op(struct nvme_fc_ctrl *ctrl, struct nvme_fc_queue *queue, + return BLK_STS_RESOURCE; + } + +-static inline blk_status_t nvme_fc_is_ready(struct nvme_fc_queue *queue, +- struct request *rq) +-{ +- if (unlikely(!test_bit(NVME_FC_Q_LIVE, &queue->flags))) +- return nvmf_check_init_req(&queue->ctrl->ctrl, rq); +- return BLK_STS_OK; +-} +- + static blk_status_t + nvme_fc_queue_rq(struct blk_mq_hw_ctx *hctx, + const struct blk_mq_queue_data *bd) +@@ -2310,7 +2302,9 @@ nvme_fc_queue_rq(struct blk_mq_hw_ctx *hctx, + u32 data_len; + blk_status_t ret; + +- ret = nvme_fc_is_ready(queue, rq); ++ ret = nvmf_check_if_ready(&queue->ctrl->ctrl, rq, ++ test_bit(NVME_FC_Q_LIVE, &queue->flags), ++ ctrl->rport->remoteport.port_state == FC_OBJSTATE_ONLINE); + if (unlikely(ret)) + return ret; + +diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h +index 6beafb84bb54..840c686b0d72 100644 +--- a/drivers/nvme/host/nvme.h ++++ b/drivers/nvme/host/nvme.h +@@ -110,6 +110,7 @@ struct nvme_request { + + enum { + NVME_REQ_CANCELLED = (1 << 0), ++ NVME_REQ_USERCMD = (1 << 1), + }; + + static inline struct nvme_request *nvme_req(struct request *req) +diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c +index 4ce578b83262..19fa25dde69a 100644 +--- a/drivers/nvme/host/rdma.c ++++ b/drivers/nvme/host/rdma.c +@@ -1594,17 +1594,6 @@ nvme_rdma_timeout(struct request *rq, bool reserved) + return BLK_EH_HANDLED; + } + +-/* +- * We cannot accept any other command until the Connect command has completed. +- */ +-static inline blk_status_t +-nvme_rdma_is_ready(struct nvme_rdma_queue *queue, struct request *rq) +-{ +- if (unlikely(!test_bit(NVME_RDMA_Q_LIVE, &queue->flags))) +- return nvmf_check_init_req(&queue->ctrl->ctrl, rq); +- return BLK_STS_OK; +-} +- + static blk_status_t nvme_rdma_queue_rq(struct blk_mq_hw_ctx *hctx, + const struct blk_mq_queue_data *bd) + { +@@ -1620,7 +1609,8 @@ static blk_status_t nvme_rdma_queue_rq(struct blk_mq_hw_ctx *hctx, + + WARN_ON_ONCE(rq->tag < 0); + +- ret = nvme_rdma_is_ready(queue, rq); ++ ret = nvmf_check_if_ready(&queue->ctrl->ctrl, rq, ++ test_bit(NVME_RDMA_Q_LIVE, &queue->flags), true); + if (unlikely(ret)) + return ret; + +diff --git a/drivers/nvme/target/loop.c b/drivers/nvme/target/loop.c +index 861d1509b22b..e10987f87603 100644 +--- a/drivers/nvme/target/loop.c ++++ b/drivers/nvme/target/loop.c +@@ -149,14 +149,6 @@ nvme_loop_timeout(struct request *rq, bool reserved) + return BLK_EH_HANDLED; + } + +-static inline blk_status_t nvme_loop_is_ready(struct nvme_loop_queue *queue, +- struct request *rq) +-{ +- if (unlikely(!test_bit(NVME_LOOP_Q_LIVE, &queue->flags))) +- return nvmf_check_init_req(&queue->ctrl->ctrl, rq); +- return BLK_STS_OK; +-} +- + static blk_status_t nvme_loop_queue_rq(struct blk_mq_hw_ctx *hctx, + const struct blk_mq_queue_data *bd) + { +@@ -166,7 +158,8 @@ static blk_status_t nvme_loop_queue_rq(struct blk_mq_hw_ctx *hctx, + struct nvme_loop_iod *iod = blk_mq_rq_to_pdu(req); + blk_status_t ret; + +- ret = nvme_loop_is_ready(queue, req); ++ ret = nvmf_check_if_ready(&queue->ctrl->ctrl, req, ++ test_bit(NVME_LOOP_Q_LIVE, &queue->flags), true); + if (unlikely(ret)) + return ret; + +-- +2.12.3 + diff --git a/patches.drivers/nvme-fabrics-allow-duplicate-connections-to-the-disc.patch b/patches.drivers/nvme-fabrics-allow-duplicate-connections-to-the-disc.patch new file mode 100644 index 0000000000..0aefd402fc --- /dev/null +++ b/patches.drivers/nvme-fabrics-allow-duplicate-connections-to-the-disc.patch @@ -0,0 +1,50 @@ +From: Hannes Reinecke <hare@suse.de> +Date: Thu, 24 May 2018 16:18:17 +0200 +Subject: [PATCH] nvme-fabrics: allow duplicate connections to the discovery + controller +References: bsc#1098706 +Git-commit: 181303d03525ea52d2d002fb8ee04e769aaa4ce4 +Patch-mainline: v4.18-rc1 + +The whole point of the discovery controller is that it can accept +multiple connections. Additionally the cmic field is not even defined for +the discovery controller identify page. + +Signed-off-by: Hannes Reinecke <hare@suse.com> +Reviewed-by: James Smart <james.smart@broadcom.com> +Signed-off-by: Christoph Hellwig <hch@lst.de> +Signed-off-by: Hannes Reinecke <hare@suse.de> +--- + drivers/nvme/host/core.c | 3 ++- + drivers/nvme/host/fabrics.c | 1 + + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 2d32cec747d2..235a0a2e66e0 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -2180,7 +2180,8 @@ static int nvme_init_subsystem(struct nvme_ctrl *ctrl, struct nvme_id_ctrl *id) + * Verify that the subsystem actually supports multiple + * controllers, else bail out. + */ +- if (nvme_active_ctrls(found) && !(id->cmic & (1 << 1))) { ++ if (!ctrl->opts->discovery_nqn && ++ nvme_active_ctrls(found) && !(id->cmic & (1 << 1))) { + dev_err(ctrl->device, + "ignoring ctrl due to duplicate subnqn (%s).\n", + found->subnqn); +diff --git a/drivers/nvme/host/fabrics.c b/drivers/nvme/host/fabrics.c +index a49fa430a935..afdd546ca3e9 100644 +--- a/drivers/nvme/host/fabrics.c ++++ b/drivers/nvme/host/fabrics.c +@@ -845,6 +845,7 @@ static int nvmf_parse_options(struct nvmf_ctrl_options *opts, + if (opts->discovery_nqn) { + opts->kato = 0; + opts->nr_io_queues = 0; ++ opts->duplicate_connect = true; + } + if (ctrl_loss_tmo < 0) + opts->max_reconnects = -1; +-- +2.12.3 + diff --git a/patches.drivers/nvme-fabrics-allow-internal-passthrough-command-on-d.patch b/patches.drivers/nvme-fabrics-allow-internal-passthrough-command-on-d.patch new file mode 100644 index 0000000000..16ad7c2afc --- /dev/null +++ b/patches.drivers/nvme-fabrics-allow-internal-passthrough-command-on-d.patch @@ -0,0 +1,133 @@ +From: Christoph Hellwig <hch@lst.de> +Date: Fri, 25 May 2018 15:41:54 +0200 +Subject: [PATCH] nvme-fabrics: allow internal passthrough command on deleting + controllers +References: bsc#1098706 +Git-commit: cc456b65b739e17e8b1e6b61cc2f014f225ba466 +Patch-mainline: v4.18-rc1 + +Without this we can't cleanly shut down. + +Based on analysis an an earlier patch from Hannes Reinecke. + +Fixes: bb06ec31452f ("nvme: expand nvmf_check_if_ready checks") +Reported-by: Hannes Reinecke <hare@suse.de> +Tested-by: Hannes Reinecke <hare@suse.com> +Signed-off-by: Christoph Hellwig <hch@lst.de> +Reviewed-by: Sagi Grimberg <sagi@grimberg.me> +Reviewed-by: James Smart <james.smart@broadcom.com> +Signed-off-by: Hannes Reinecke <hare@suse.de> +--- + drivers/nvme/host/fabrics.c | 79 ++++++++++++++++++--------------------------- + 1 file changed, 31 insertions(+), 48 deletions(-) + +diff --git a/drivers/nvme/host/fabrics.c b/drivers/nvme/host/fabrics.c +index afdd546ca3e9..595040a6ce77 100644 +--- a/drivers/nvme/host/fabrics.c ++++ b/drivers/nvme/host/fabrics.c +@@ -545,71 +545,54 @@ blk_status_t nvmf_check_if_ready(struct nvme_ctrl *ctrl, struct request *rq, + return BLK_STS_OK; + + switch (ctrl->state) { +- case NVME_CTRL_DELETING: +- goto reject_io; +- + case NVME_CTRL_NEW: + case NVME_CTRL_CONNECTING: ++ case NVME_CTRL_DELETING: ++ /* ++ * This is the case of starting a new or deleting an association ++ * but connectivity was lost before it was fully created or torn ++ * down. We need to error the commands used to initialize the ++ * controller so the reconnect can go into a retry attempt. The ++ * commands should all be marked REQ_FAILFAST_DRIVER, which will ++ * hit the reject path below. Anything else will be queued while ++ * the state settles. ++ */ + if (!is_connected) +- /* +- * This is the case of starting a new +- * association but connectivity was lost +- * before it was fully created. We need to +- * error the commands used to initialize the +- * controller so the reconnect can go into a +- * retry attempt. The commands should all be +- * marked REQ_FAILFAST_DRIVER, which will hit +- * the reject path below. Anything else will +- * be queued while the state settles. +- */ +- goto reject_or_queue_io; +- +- if ((queue_live && +- !(nvme_req(rq)->flags & NVME_REQ_USERCMD)) || +- (!queue_live && blk_rq_is_passthrough(rq) && +- cmd->common.opcode == nvme_fabrics_command && +- cmd->fabrics.fctype == nvme_fabrics_type_connect)) +- /* +- * If queue is live, allow only commands that +- * are internally generated pass through. These +- * are commands on the admin queue to initialize +- * the controller. This will reject any ioctl +- * admin cmds received while initializing. +- * +- * If the queue is not live, allow only a +- * connect command. This will reject any ioctl +- * admin cmd as well as initialization commands +- * if the controller reverted the queue to non-live. +- */ ++ break; ++ ++ /* ++ * If queue is live, allow only commands that are internally ++ * generated pass through. These are commands on the admin ++ * queue to initialize the controller. This will reject any ++ * ioctl admin cmds received while initializing. ++ */ ++ if (queue_live && !(nvme_req(rq)->flags & NVME_REQ_USERCMD)) + return BLK_STS_OK; + + /* +- * fall-thru to the reject_or_queue_io clause ++ * If the queue is not live, allow only a connect command. This ++ * will reject any ioctl admin cmd as well as initialization ++ * commands if the controller reverted the queue to non-live. + */ ++ if (!queue_live && blk_rq_is_passthrough(rq) && ++ cmd->common.opcode == nvme_fabrics_command && ++ cmd->fabrics.fctype == nvme_fabrics_type_connect) ++ return BLK_STS_OK; + break; +- +- /* these cases fall-thru +- * case NVME_CTRL_LIVE: +- * case NVME_CTRL_RESETTING: +- */ + default: + break; + } + +-reject_or_queue_io: + /* +- * Any other new io is something we're not in a state to send +- * to the device. Default action is to busy it and retry it +- * after the controller state is recovered. However, anything +- * marked for failfast or nvme multipath is immediately failed. +- * Note: commands used to initialize the controller will be +- * marked for failfast. ++ * Any other new io is something we're not in a state to send to the ++ * device. Default action is to busy it and retry it after the ++ * controller state is recovered. However, anything marked for failfast ++ * or nvme multipath is immediately failed. Note: commands used to ++ * initialize the controller will be marked for failfast. + * Note: nvme cli/ioctl commands are marked for failfast. + */ + if (!blk_noretry_request(rq) && !(rq->cmd_flags & REQ_NVME_MPATH)) + return BLK_STS_RESOURCE; +- +-reject_io: + nvme_req(rq)->status = NVME_SC_ABORT_REQ; + return BLK_STS_IOERR; + } +-- +2.12.3 + diff --git a/patches.drivers/nvme-fabrics-centralize-discovery-controller-default.patch b/patches.drivers/nvme-fabrics-centralize-discovery-controller-default.patch new file mode 100644 index 0000000000..539f0077bb --- /dev/null +++ b/patches.drivers/nvme-fabrics-centralize-discovery-controller-default.patch @@ -0,0 +1,48 @@ +From: Hannes Reinecke <hare@suse.de> +Date: Thu, 24 May 2018 16:18:15 +0200 +Subject: [PATCH] nvme-fabrics: centralize discovery controller defaults +References: bsc#1098706 +Git-commit: 461fbc8f0ed1ac18ce6b7bf7ab0b7444f7c7ff57 +Patch-mainline: v4.18-rc1 + +When connecting to the discovery controller we have certain defaults +to observe, so centralize them to avoid inconsistencies due to argument +ordering. + +Signed-off-by: Hannes Reinecke <hare@suse.com> +Reviewed-by: James Smart <james.smart@broadcom.com> +Signed-off-by: Christoph Hellwig <hch@lst.de> +Signed-off-by: Hannes Reinecke <hare@suse.de> +--- + drivers/nvme/host/fabrics.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/nvme/host/fabrics.c b/drivers/nvme/host/fabrics.c +index 77de29a22e27..a49fa430a935 100644 +--- a/drivers/nvme/host/fabrics.c ++++ b/drivers/nvme/host/fabrics.c +@@ -689,10 +689,6 @@ static int nvmf_parse_options(struct nvmf_ctrl_options *opts, + opts->discovery_nqn = + !(strcmp(opts->subsysnqn, + NVME_DISC_SUBSYS_NAME)); +- if (opts->discovery_nqn) { +- opts->kato = 0; +- opts->nr_io_queues = 0; +- } + break; + case NVMF_OPT_TRADDR: + p = match_strdup(args); +@@ -846,6 +842,10 @@ static int nvmf_parse_options(struct nvmf_ctrl_options *opts, + } + } + ++ if (opts->discovery_nqn) { ++ opts->kato = 0; ++ opts->nr_io_queues = 0; ++ } + if (ctrl_loss_tmo < 0) + opts->max_reconnects = -1; + else +-- +2.12.3 + diff --git a/patches.drivers/nvme-fabrics-fix-and-refine-state-checks-in-__nvmf_c.patch b/patches.drivers/nvme-fabrics-fix-and-refine-state-checks-in-__nvmf_c.patch new file mode 100644 index 0000000000..7778946182 --- /dev/null +++ b/patches.drivers/nvme-fabrics-fix-and-refine-state-checks-in-__nvmf_c.patch @@ -0,0 +1,88 @@ +From: Christoph Hellwig <hch@lst.de> +Date: Mon, 11 Jun 2018 17:41:11 +0200 +Subject: [PATCH] nvme-fabrics: fix and refine state checks in + __nvmf_check_ready +References: bsc#1098706 +Git-commit: 35897b920c8ab5e23331ad429e0aa235528c63ba +Patch-mainline: v4.18-rc1 + + - make sure we only allow internally generates commands in any non-live + state + - only allow connect commands on non-live queues when actually in the + new or connecting states + - treat all other non-live, non-dead states the same as a default + cach-all + +This fixes a regression where we could not shutdown a controller +orderly as we didn't allow the internal generated Property Set +command, and also ensures we don't accidentally let a Connect command +through in the wrong state. + +Signed-off-by: Christoph Hellwig <hch@lst.de> +Reviewed-by: James Smart <james.smart@broadcom.com> +Signed-off-by: Hannes Reinecke <hare@suse.de> +--- + drivers/nvme/host/fabrics.c | 39 +++++++++++++++++++-------------------- + 1 file changed, 19 insertions(+), 20 deletions(-) + +diff --git a/drivers/nvme/host/fabrics.c b/drivers/nvme/host/fabrics.c +index bc4bb162773c..fa8f153d1d7e 100644 +--- a/drivers/nvme/host/fabrics.c ++++ b/drivers/nvme/host/fabrics.c +@@ -556,34 +556,33 @@ EXPORT_SYMBOL_GPL(nvmf_fail_nonready_command); + bool __nvmf_check_ready(struct nvme_ctrl *ctrl, struct request *rq, + bool queue_live) + { +- struct nvme_command *cmd = nvme_req(rq)->cmd; ++ struct nvme_request *req = nvme_req(rq); + ++ /* ++ * If we are in some state of setup or teardown only allow ++ * internally generated commands. ++ */ ++ if (!blk_rq_is_passthrough(rq) || (req->flags & NVME_REQ_USERCMD)) ++ return false; ++ ++ /* ++ * Only allow commands on a live queue, except for the connect command, ++ * which is require to set the queue live in the appropinquate states. ++ */ + switch (ctrl->state) { + case NVME_CTRL_NEW: + case NVME_CTRL_CONNECTING: +- case NVME_CTRL_DELETING: +- /* +- * If queue is live, allow only commands that are internally +- * generated pass through. These are commands on the admin +- * queue to initialize the controller. This will reject any +- * ioctl admin cmds received while initializing. +- */ +- if (queue_live && !(nvme_req(rq)->flags & NVME_REQ_USERCMD)) ++ if (req->cmd->common.opcode == nvme_fabrics_command && ++ req->cmd->fabrics.fctype == nvme_fabrics_type_connect) + return true; +- +- /* +- * If the queue is not live, allow only a connect command. This +- * will reject any ioctl admin cmd as well as initialization +- * commands if the controller reverted the queue to non-live. +- */ +- if (!queue_live && blk_rq_is_passthrough(rq) && +- cmd->common.opcode == nvme_fabrics_command && +- cmd->fabrics.fctype == nvme_fabrics_type_connect) +- return true; +- return false; ++ break; + default: ++ break; ++ case NVME_CTRL_DEAD: + return false; + } ++ ++ return queue_live; + } + EXPORT_SYMBOL_GPL(__nvmf_check_ready); + +-- +2.12.3 + diff --git a/patches.drivers/nvme-fabrics-handle-the-admin-only-case-properly-in-.patch b/patches.drivers/nvme-fabrics-handle-the-admin-only-case-properly-in-.patch new file mode 100644 index 0000000000..48b6f7f5ad --- /dev/null +++ b/patches.drivers/nvme-fabrics-handle-the-admin-only-case-properly-in-.patch @@ -0,0 +1,39 @@ +From: Christoph Hellwig <hch@lst.de> +Date: Mon, 11 Jun 2018 17:37:23 +0200 +Subject: [PATCH] nvme-fabrics: handle the admin-only case properly in + nvmf_check_ready +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bsc#1098706 +Git-commit: 278ab3799a2588f97423180947f09ec5b576e79e +Patch-mainline: v4.18-rc1 + +In the ADMIN_ONLY state we don't have any I/O queues, but we should accept +all admin commands without further checks. + +Signed-off-by: Christoph Hellwig <hch@lst.de> +Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de> +Reviewed-by: James Smart <james.smart@broadcom.com> +Signed-off-by: Hannes Reinecke <hare@suse.de> +--- + drivers/nvme/host/fabrics.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/fabrics.h b/drivers/nvme/host/fabrics.h +index 970ed54efc1c..b2a8f6a6c056 100644 +--- a/drivers/nvme/host/fabrics.h ++++ b/drivers/nvme/host/fabrics.h +@@ -166,7 +166,8 @@ bool __nvmf_check_ready(struct nvme_ctrl *ctrl, struct request *rq, + static inline bool nvmf_check_ready(struct nvme_ctrl *ctrl, struct request *rq, + bool queue_live) + { +- if (likely(ctrl->state == NVME_CTRL_LIVE)) ++ if (likely(ctrl->state == NVME_CTRL_LIVE || ++ ctrl->state == NVME_CTRL_ADMIN_ONLY)) + return true; + return __nvmf_check_ready(ctrl, rq, queue_live); + } +-- +2.12.3 + diff --git a/patches.drivers/nvme-fabrics-refactor-queue-ready-check.patch b/patches.drivers/nvme-fabrics-refactor-queue-ready-check.patch new file mode 100644 index 0000000000..ba8a80be10 --- /dev/null +++ b/patches.drivers/nvme-fabrics-refactor-queue-ready-check.patch @@ -0,0 +1,212 @@ +From: Christoph Hellwig <hch@lst.de> +Date: Mon, 11 Jun 2018 17:34:06 +0200 +Subject: [PATCH] nvme-fabrics: refactor queue ready check +References: bsc#1098706 +Git-commit: 3bc32bb1186ccaf3177cbf29caa6cc14dc510b7b +Patch-mainline: v4.18-rc1 + +Move the is_connected check to the fibre channel transport, as it has no +meaning for other transports. To facilitate this split out a new +nvmf_fail_nonready_command helper that is called by the transport when +it is asked to handle a command on a queue that is not ready. + +Also avoid a function call for the queue live fast path by inlining +the check. + +Signed-off-by: Christoph Hellwig <hch@lst.de> +Reviewed-by: James Smart <james.smart@broadcom.com> +Signed-off-by: Hannes Reinecke <hare@suse.de> +--- + drivers/nvme/host/fabrics.c | 59 ++++++++++++++++++--------------------------- + drivers/nvme/host/fabrics.h | 13 ++++++++-- + drivers/nvme/host/fc.c | 9 +++---- + drivers/nvme/host/rdma.c | 7 +++--- + drivers/nvme/target/loop.c | 7 +++--- + 5 files changed, 45 insertions(+), 50 deletions(-) + +diff --git a/drivers/nvme/host/fabrics.c b/drivers/nvme/host/fabrics.c +index 595040a6ce77..bc4bb162773c 100644 +--- a/drivers/nvme/host/fabrics.c ++++ b/drivers/nvme/host/fabrics.c +@@ -536,38 +536,40 @@ static struct nvmf_transport_ops *nvmf_lookup_transport( + return NULL; + } + +-blk_status_t nvmf_check_if_ready(struct nvme_ctrl *ctrl, struct request *rq, +- bool queue_live, bool is_connected) ++/* ++ * For something we're not in a state to send to the device the default action ++ * is to busy it and retry it after the controller state is recovered. However, ++ * anything marked for failfast or nvme multipath is immediately failed. ++ * ++ * Note: commands used to initialize the controller will be marked for failfast. ++ * Note: nvme cli/ioctl commands are marked for failfast. ++ */ ++blk_status_t nvmf_fail_nonready_command(struct request *rq) + { +- struct nvme_command *cmd = nvme_req(rq)->cmd; ++ if (!blk_noretry_request(rq) && !(rq->cmd_flags & REQ_NVME_MPATH)) ++ return BLK_STS_RESOURCE; ++ nvme_req(rq)->status = NVME_SC_ABORT_REQ; ++ return BLK_STS_IOERR; ++} ++EXPORT_SYMBOL_GPL(nvmf_fail_nonready_command); + +- if (likely(ctrl->state == NVME_CTRL_LIVE && is_connected)) +- return BLK_STS_OK; ++bool __nvmf_check_ready(struct nvme_ctrl *ctrl, struct request *rq, ++ bool queue_live) ++{ ++ struct nvme_command *cmd = nvme_req(rq)->cmd; + + switch (ctrl->state) { + case NVME_CTRL_NEW: + case NVME_CTRL_CONNECTING: + case NVME_CTRL_DELETING: + /* +- * This is the case of starting a new or deleting an association +- * but connectivity was lost before it was fully created or torn +- * down. We need to error the commands used to initialize the +- * controller so the reconnect can go into a retry attempt. The +- * commands should all be marked REQ_FAILFAST_DRIVER, which will +- * hit the reject path below. Anything else will be queued while +- * the state settles. +- */ +- if (!is_connected) +- break; +- +- /* + * If queue is live, allow only commands that are internally + * generated pass through. These are commands on the admin + * queue to initialize the controller. This will reject any + * ioctl admin cmds received while initializing. + */ + if (queue_live && !(nvme_req(rq)->flags & NVME_REQ_USERCMD)) +- return BLK_STS_OK; ++ return true; + + /* + * If the queue is not live, allow only a connect command. This +@@ -577,26 +579,13 @@ blk_status_t nvmf_check_if_ready(struct nvme_ctrl *ctrl, struct request *rq, + if (!queue_live && blk_rq_is_passthrough(rq) && + cmd->common.opcode == nvme_fabrics_command && + cmd->fabrics.fctype == nvme_fabrics_type_connect) +- return BLK_STS_OK; +- break; ++ return true; ++ return false; + default: +- break; ++ return false; + } +- +- /* +- * Any other new io is something we're not in a state to send to the +- * device. Default action is to busy it and retry it after the +- * controller state is recovered. However, anything marked for failfast +- * or nvme multipath is immediately failed. Note: commands used to +- * initialize the controller will be marked for failfast. +- * Note: nvme cli/ioctl commands are marked for failfast. +- */ +- if (!blk_noretry_request(rq) && !(rq->cmd_flags & REQ_NVME_MPATH)) +- return BLK_STS_RESOURCE; +- nvme_req(rq)->status = NVME_SC_ABORT_REQ; +- return BLK_STS_IOERR; + } +-EXPORT_SYMBOL_GPL(nvmf_check_if_ready); ++EXPORT_SYMBOL_GPL(__nvmf_check_ready); + + static const match_table_t opt_tokens = { + { NVMF_OPT_TRANSPORT, "transport=%s" }, +diff --git a/drivers/nvme/host/fabrics.h b/drivers/nvme/host/fabrics.h +index 0cf0460a5c92..970ed54efc1c 100644 +--- a/drivers/nvme/host/fabrics.h ++++ b/drivers/nvme/host/fabrics.h +@@ -159,7 +159,16 @@ void nvmf_unregister_transport(struct nvmf_transport_ops *ops); + void nvmf_free_options(struct nvmf_ctrl_options *opts); + int nvmf_get_address(struct nvme_ctrl *ctrl, char *buf, int size); + bool nvmf_should_reconnect(struct nvme_ctrl *ctrl); +-blk_status_t nvmf_check_if_ready(struct nvme_ctrl *ctrl, +- struct request *rq, bool queue_live, bool is_connected); ++blk_status_t nvmf_fail_nonready_command(struct request *rq); ++bool __nvmf_check_ready(struct nvme_ctrl *ctrl, struct request *rq, ++ bool queue_live); ++ ++static inline bool nvmf_check_ready(struct nvme_ctrl *ctrl, struct request *rq, ++ bool queue_live) ++{ ++ if (likely(ctrl->state == NVME_CTRL_LIVE)) ++ return true; ++ return __nvmf_check_ready(ctrl, rq, queue_live); ++} + + #endif /* _NVME_FABRICS_H */ +diff --git a/drivers/nvme/host/fc.c b/drivers/nvme/host/fc.c +index 0cd920784b47..6d4e62025d92 100644 +--- a/drivers/nvme/host/fc.c ++++ b/drivers/nvme/host/fc.c +@@ -2276,14 +2276,13 @@ nvme_fc_queue_rq(struct blk_mq_hw_ctx *hctx, + struct nvme_fc_cmd_iu *cmdiu = &op->cmd_iu; + struct nvme_command *sqe = &cmdiu->sqe; + enum nvmefc_fcp_datadir io_dir; ++ bool queue_ready = test_bit(NVME_FC_Q_LIVE, &queue->flags); + u32 data_len; + blk_status_t ret; + +- ret = nvmf_check_if_ready(&queue->ctrl->ctrl, rq, +- test_bit(NVME_FC_Q_LIVE, &queue->flags), +- ctrl->rport->remoteport.port_state == FC_OBJSTATE_ONLINE); +- if (unlikely(ret)) +- return ret; ++ if (ctrl->rport->remoteport.port_state != FC_OBJSTATE_ONLINE || ++ !nvmf_check_ready(&queue->ctrl->ctrl, rq, queue_ready)) ++ return nvmf_fail_nonready_command(rq); + + ret = nvme_setup_cmd(ns, rq, sqe); + if (ret) +diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c +index 19fa25dde69a..90b57cff72fe 100644 +--- a/drivers/nvme/host/rdma.c ++++ b/drivers/nvme/host/rdma.c +@@ -1604,15 +1604,14 @@ static blk_status_t nvme_rdma_queue_rq(struct blk_mq_hw_ctx *hctx, + struct nvme_rdma_qe *sqe = &req->sqe; + struct nvme_command *c = sqe->data; + struct ib_device *dev; ++ bool queue_ready = test_bit(NVME_RDMA_Q_LIVE, &queue->flags); + blk_status_t ret; + int err; + + WARN_ON_ONCE(rq->tag < 0); + +- ret = nvmf_check_if_ready(&queue->ctrl->ctrl, rq, +- test_bit(NVME_RDMA_Q_LIVE, &queue->flags), true); +- if (unlikely(ret)) +- return ret; ++ if (!nvmf_check_ready(&queue->ctrl->ctrl, rq, queue_ready)) ++ return nvmf_fail_nonready_command(rq); + + dev = queue->device->dev; + ib_dma_sync_single_for_cpu(dev, sqe->dma, +diff --git a/drivers/nvme/target/loop.c b/drivers/nvme/target/loop.c +index e10987f87603..d58aa5251165 100644 +--- a/drivers/nvme/target/loop.c ++++ b/drivers/nvme/target/loop.c +@@ -156,12 +156,11 @@ static blk_status_t nvme_loop_queue_rq(struct blk_mq_hw_ctx *hctx, + struct nvme_loop_queue *queue = hctx->driver_data; + struct request *req = bd->rq; + struct nvme_loop_iod *iod = blk_mq_rq_to_pdu(req); ++ bool queue_ready = test_bit(NVME_LOOP_Q_LIVE, &queue->flags); + blk_status_t ret; + +- ret = nvmf_check_if_ready(&queue->ctrl->ctrl, req, +- test_bit(NVME_LOOP_Q_LIVE, &queue->flags), true); +- if (unlikely(ret)) +- return ret; ++ if (!nvmf_check_ready(&queue->ctrl->ctrl, req, queue_ready)) ++ return nvmf_fail_nonready_command(req); + + ret = nvme_setup_cmd(ns, req, &iod->cmd); + if (ret) +-- +2.12.3 + diff --git a/patches.drivers/nvme-fabrics-remove-unnecessary-controller-subnqn-va.patch b/patches.drivers/nvme-fabrics-remove-unnecessary-controller-subnqn-va.patch new file mode 100644 index 0000000000..9f91aeb83a --- /dev/null +++ b/patches.drivers/nvme-fabrics-remove-unnecessary-controller-subnqn-va.patch @@ -0,0 +1,52 @@ +From: James Smart <jsmart2021@gmail.com> +Date: Fri, 11 May 2018 17:50:22 -0700 +Subject: [PATCH] nvme-fabrics: remove unnecessary controller subnqn validation +References: bsc#1098706 +Git-commit: ffecb0b452d5cbdd2ac3614bdf6cd39ba47b0cb8 +Patch-mainline: v4.18-rc1 + +After creating the nvme controller, nvmf_create_ctrl() validates +the newly created subsysnqn vs the one specified by the options. + +In general, this is an unnecessary check as the Connect message +should implicitly ensure this value matches. + +With the change to the FC transport to do an asynchronous connect +for the first association create, the transport will return to +nvmf_create_ctrl() before that first association has been established, +thus the subnqn will not yet be set. + +Remove the unnecessary validation. + +Signed-off-by: James Smart <james.smart@broadcom.com> +Reviewed-by: Hannes Reinecke <hare@suse.com> +Signed-off-by: Christoph Hellwig <hch@lst.de> +Signed-off-by: Hannes Reinecke <hare@suse.de> +--- + drivers/nvme/host/fabrics.c | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/drivers/nvme/host/fabrics.c b/drivers/nvme/host/fabrics.c +index baec1b185f12..77de29a22e27 100644 +--- a/drivers/nvme/host/fabrics.c ++++ b/drivers/nvme/host/fabrics.c +@@ -978,16 +978,6 @@ nvmf_create_ctrl(struct device *dev, const char *buf, size_t count) + goto out_module_put; + } + +- if (strcmp(ctrl->subsys->subnqn, opts->subsysnqn)) { +- dev_warn(ctrl->device, +- "controller returned incorrect NQN: \"%s\".\n", +- ctrl->subsys->subnqn); +- module_put(ops->module); +- up_read(&nvmf_transports_rwsem); +- nvme_delete_ctrl_sync(ctrl); +- return ERR_PTR(-EINVAL); +- } +- + module_put(ops->module); + up_read(&nvmf_transports_rwsem); + return ctrl; +-- +2.12.3 + diff --git a/patches.drivers/nvme-fc-change-controllers-first-connect-to-use-reco.patch b/patches.drivers/nvme-fc-change-controllers-first-connect-to-use-reco.patch new file mode 100644 index 0000000000..1963180ab7 --- /dev/null +++ b/patches.drivers/nvme-fc-change-controllers-first-connect-to-use-reco.patch @@ -0,0 +1,262 @@ +From: James Smart <jsmart2021@gmail.com> +Date: Wed, 13 Jun 2018 14:07:37 -0700 +Subject: [PATCH] nvme-fc: change controllers first connect to use reconnect + path +References: bsc#1098706 +Git-commit: 4c984154efa13175bbb1e2aeb1de9fb2960ca28c +Patch-mainline: v4.18-rc1 + +Current code follows the framework that has been in the transports +from the beginning where initial link-side controller connect occurs +as part of "creating the controller". Thus that first connect fully +talks to the controller and obtains values that can then be used in +for blk-mq setup, etc. It also means that everything about the +controller is fully know before the "create controller" call returns. + +This has several weaknesses: +- The initial create_ctrl call made by the cli will block for a long + time as wire transactions are performed synchronously. This delay + becomes longer if errors occur or connectivity is lost and retries + need to be performed. +- Code wise, it means there is a separate connect path for initial + controller connect vs the (same) steps used in the reconnect path. +- And as there's separate paths, it means there's separate error + handling and retry logic. It also plays havoc with the NEW state + (should transition out of it after successful initial connect) vs + the RESETTING and CONNECTING (reconnect) states that want to be + transitioned to on error. +- As there's separate paths, to recover from errors and disruptions, + it requires separate recovery/retry paths as well and can severely + convolute the controller state. + +This patch reworks the fc transport to use the same connect paths +for the initial connection as it uses for reconnect. This makes a +single path for error recovery and handling. + +This patch: +- Removes the driving of the initial connect and replaces it with + a state transition to CONNECTING and initiating the reconnect + thread. A dummy state transition of RESETTING had to be traversed + as a direct transtion of NEW->CONNECTING is not allowed. Given + that the controller is "new", the RESETTING transition is a simple + no-op. Once in the reconnecting thread, the normal behaviors of + ctrl_loss_tmo (max_retries * connect_delay) and dev_loss_tmo will + apply before the controller is torn down. +- Only if the state transitions couldn't be traversed and the + reconnect thread not scheduled, will the controller be torn down + while in create_ctrl. +- The prior code used the controller state of NEW to indicate + whether request queues had been initialized or not. For the admin + queue, the request queue is always created, so there's no need to + check a state. For IO queues, change to tracking whether a successful + io request queue create has occurred (e.g. 1st successful connect). +- The initial controller id is initialized to the dynamic controller + id used in the initial connect message. It will be overwritten by + the real controller id once the controller is connected on the wire. + +Signed-off-by: James Smart <james.smart@broadcom.com> +Signed-off-by: Christoph Hellwig <hch@lst.de> +Signed-off-by: Hannes Reinecke <hare@suse.de> +--- + drivers/nvme/host/fc.c | 104 ++++++++++++++++++++++--------------------------- + 1 file changed, 47 insertions(+), 57 deletions(-) + +diff --git a/drivers/nvme/host/fc.c b/drivers/nvme/host/fc.c +index 46bf6b332167..0794f2707a9a 100644 +--- a/drivers/nvme/host/fc.c ++++ b/drivers/nvme/host/fc.c +@@ -144,6 +144,7 @@ struct nvme_fc_ctrl { + struct nvme_fc_rport *rport; + u32 cnum; + ++ bool ioq_live; + bool assoc_active; + u64 association_id; + +@@ -2473,6 +2474,8 @@ nvme_fc_create_io_queues(struct nvme_fc_ctrl *ctrl) + if (ret) + goto out_delete_hw_queues; + ++ ctrl->ioq_live = true; ++ + return 0; + + out_delete_hw_queues: +@@ -2625,8 +2628,7 @@ nvme_fc_create_association(struct nvme_fc_ctrl *ctrl) + if (ret) + goto out_delete_hw_queue; + +- if (ctrl->ctrl.state != NVME_CTRL_NEW) +- blk_mq_unquiesce_queue(ctrl->ctrl.admin_q); ++ blk_mq_unquiesce_queue(ctrl->ctrl.admin_q); + + ret = nvmf_connect_admin_queue(&ctrl->ctrl); + if (ret) +@@ -2699,7 +2701,7 @@ nvme_fc_create_association(struct nvme_fc_ctrl *ctrl) + */ + + if (ctrl->ctrl.queue_count > 1) { +- if (ctrl->ctrl.state == NVME_CTRL_NEW) ++ if (!ctrl->ioq_live) + ret = nvme_fc_create_io_queues(ctrl); + else + ret = nvme_fc_reinit_io_queues(ctrl); +@@ -2786,8 +2788,7 @@ nvme_fc_delete_association(struct nvme_fc_ctrl *ctrl) + * use blk_mq_tagset_busy_itr() and the transport routine to + * terminate the exchanges. + */ +- if (ctrl->ctrl.state != NVME_CTRL_NEW) +- blk_mq_quiesce_queue(ctrl->ctrl.admin_q); ++ blk_mq_quiesce_queue(ctrl->ctrl.admin_q); + blk_mq_tagset_busy_iter(&ctrl->admin_tag_set, + nvme_fc_terminate_exchange, &ctrl->ctrl); + +@@ -2945,7 +2946,7 @@ nvme_fc_connect_ctrl_work(struct work_struct *work) + nvme_fc_reconnect_or_delete(ctrl, ret); + else + dev_info(ctrl->ctrl.device, +- "NVME-FC{%d}: controller reconnect complete\n", ++ "NVME-FC{%d}: controller connect complete\n", + ctrl->cnum); + } + +@@ -2993,7 +2994,7 @@ nvme_fc_init_ctrl(struct device *dev, struct nvmf_ctrl_options *opts, + { + struct nvme_fc_ctrl *ctrl; + unsigned long flags; +- int ret, idx, retry; ++ int ret, idx; + + if (!(rport->remoteport.port_role & + (FC_PORT_ROLE_NVME_DISCOVERY | FC_PORT_ROLE_NVME_TARGET))) { +@@ -3020,11 +3021,13 @@ nvme_fc_init_ctrl(struct device *dev, struct nvmf_ctrl_options *opts, + } + + ctrl->ctrl.opts = opts; ++ ctrl->ctrl.nr_reconnects = 0; + INIT_LIST_HEAD(&ctrl->ctrl_list); + ctrl->lport = lport; + ctrl->rport = rport; + ctrl->dev = lport->dev; + ctrl->cnum = idx; ++ ctrl->ioq_live = false; + ctrl->assoc_active = false; + init_waitqueue_head(&ctrl->ioabort_wait); + +@@ -3043,6 +3046,7 @@ nvme_fc_init_ctrl(struct device *dev, struct nvmf_ctrl_options *opts, + + ctrl->ctrl.sqsize = opts->queue_size - 1; + ctrl->ctrl.kato = opts->kato; ++ ctrl->ctrl.cntlid = 0xffff; + + ret = -ENOMEM; + ctrl->queues = kcalloc(ctrl->ctrl.queue_count, +@@ -3092,62 +3096,24 @@ nvme_fc_init_ctrl(struct device *dev, struct nvmf_ctrl_options *opts, + list_add_tail(&ctrl->ctrl_list, &rport->ctrl_list); + spin_unlock_irqrestore(&rport->lock, flags); + +- /* +- * It's possible that transactions used to create the association +- * may fail. Examples: CreateAssociation LS or CreateIOConnection +- * LS gets dropped/corrupted/fails; or a frame gets dropped or a +- * command times out for one of the actions to init the controller +- * (Connect, Get/Set_Property, Set_Features, etc). Many of these +- * transport errors (frame drop, LS failure) inherently must kill +- * the association. The transport is coded so that any command used +- * to create the association (prior to a LIVE state transition +- * while NEW or CONNECTING) will fail if it completes in error or +- * times out. +- * +- * As such: as the connect request was mostly likely due to a +- * udev event that discovered the remote port, meaning there is +- * not an admin or script there to restart if the connect +- * request fails, retry the initial connection creation up to +- * three times before giving up and declaring failure. +- */ +- for (retry = 0; retry < 3; retry++) { +- ret = nvme_fc_create_association(ctrl); +- if (!ret) +- break; +- } +- +- if (ret) { +- nvme_change_ctrl_state(&ctrl->ctrl, NVME_CTRL_DELETING); +- cancel_work_sync(&ctrl->ctrl.reset_work); +- cancel_delayed_work_sync(&ctrl->connect_work); +- +- /* couldn't schedule retry - fail out */ ++ if (!nvme_change_ctrl_state(&ctrl->ctrl, NVME_CTRL_RESETTING) || ++ !nvme_change_ctrl_state(&ctrl->ctrl, NVME_CTRL_CONNECTING)) { + dev_err(ctrl->ctrl.device, +- "NVME-FC{%d}: Connect retry failed\n", ctrl->cnum); +- +- ctrl->ctrl.opts = NULL; ++ "NVME-FC{%d}: failed to init ctrl state\n", ctrl->cnum); ++ goto fail_ctrl; ++ } + +- /* initiate nvme ctrl ref counting teardown */ +- nvme_uninit_ctrl(&ctrl->ctrl); ++ nvme_get_ctrl(&ctrl->ctrl); + +- /* Remove core ctrl ref. */ ++ if (!queue_delayed_work(nvme_wq, &ctrl->connect_work, 0)) { + nvme_put_ctrl(&ctrl->ctrl); +- +- /* as we're past the point where we transition to the ref +- * counting teardown path, if we return a bad pointer here, +- * the calling routine, thinking it's prior to the +- * transition, will do an rport put. Since the teardown +- * path also does a rport put, we do an extra get here to +- * so proper order/teardown happens. +- */ +- nvme_fc_rport_get(rport); +- +- if (ret > 0) +- ret = -EIO; +- return ERR_PTR(ret); ++ dev_err(ctrl->ctrl.device, ++ "NVME-FC{%d}: failed to schedule initial connect\n", ++ ctrl->cnum); ++ goto fail_ctrl; + } + +- nvme_get_ctrl(&ctrl->ctrl); ++ flush_delayed_work(&ctrl->connect_work); + + dev_info(ctrl->ctrl.device, + "NVME-FC{%d}: new ctrl: NQN \"%s\"\n", +@@ -3155,6 +3121,30 @@ nvme_fc_init_ctrl(struct device *dev, struct nvmf_ctrl_options *opts, + + return &ctrl->ctrl; + ++fail_ctrl: ++ nvme_change_ctrl_state(&ctrl->ctrl, NVME_CTRL_DELETING); ++ cancel_work_sync(&ctrl->ctrl.reset_work); ++ cancel_delayed_work_sync(&ctrl->connect_work); ++ ++ ctrl->ctrl.opts = NULL; ++ ++ /* initiate nvme ctrl ref counting teardown */ ++ nvme_uninit_ctrl(&ctrl->ctrl); ++ ++ /* Remove core ctrl ref. */ ++ nvme_put_ctrl(&ctrl->ctrl); ++ ++ /* as we're past the point where we transition to the ref ++ * counting teardown path, if we return a bad pointer here, ++ * the calling routine, thinking it's prior to the ++ * transition, will do an rport put. Since the teardown ++ * path also does a rport put, we do an extra get here to ++ * so proper order/teardown happens. ++ */ ++ nvme_fc_rport_get(rport); ++ ++ return ERR_PTR(-EIO); ++ + out_cleanup_admin_q: + blk_cleanup_queue(ctrl->ctrl.admin_q); + out_free_admin_tag_set: +-- +2.12.3 + diff --git a/patches.drivers/nvme-fc-fix-nulling-of-queue-data-on-reconnect.patch b/patches.drivers/nvme-fc-fix-nulling-of-queue-data-on-reconnect.patch new file mode 100644 index 0000000000..1a383c96a7 --- /dev/null +++ b/patches.drivers/nvme-fc-fix-nulling-of-queue-data-on-reconnect.patch @@ -0,0 +1,83 @@ +From: James Smart <jsmart2021@gmail.com> +Date: Wed, 13 Jun 2018 14:07:38 -0700 +Subject: [PATCH] nvme-fc: fix nulling of queue data on reconnect +References: bsc#1098706 +Git-commit: 3e493c00cedb457c0731399a835f7ba1c6df172b +Patch-mainline: v4.18-rc1 + +The reconnect path is calling the init routines to clear a queue +structure. But the queue structure has state that perhaps needs +to persist as long as the controller is live. + +Remove the nvme_fc_init_queue() calls on reconnect. +The nvme_fc_free_queue() calls will clear state bits and reset +any relevant queue state for a new connection. + +Signed-off-by: James Smart <james.smart@broadcom.com> +Reviewed-by: Hannes Reinecke <hare@suse.com> +Signed-off-by: Christoph Hellwig <hch@lst.de> +Signed-off-by: Hannes Reinecke <hare@suse.de> +--- + drivers/nvme/host/fc.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/drivers/nvme/host/fc.c b/drivers/nvme/host/fc.c +index 921011676b0f..0cd920784b47 100644 +--- a/drivers/nvme/host/fc.c ++++ b/drivers/nvme/host/fc.c +@@ -1883,6 +1883,7 @@ nvme_fc_free_queue(struct nvme_fc_queue *queue) + */ + + queue->connection_id = 0; ++ atomic_set(&queue->csn, 1); + } + + static void +@@ -2478,7 +2479,7 @@ nvme_fc_create_io_queues(struct nvme_fc_ctrl *ctrl) + } + + static int +-nvme_fc_reinit_io_queues(struct nvme_fc_ctrl *ctrl) ++nvme_fc_recreate_io_queues(struct nvme_fc_ctrl *ctrl) + { + struct nvmf_ctrl_options *opts = ctrl->ctrl.opts; + unsigned int nr_io_queues; +@@ -2498,8 +2499,6 @@ nvme_fc_reinit_io_queues(struct nvme_fc_ctrl *ctrl) + if (ctrl->ctrl.queue_count == 1) + return 0; + +- nvme_fc_init_io_queues(ctrl); +- + ret = nvme_fc_create_hw_io_queues(ctrl, ctrl->ctrl.sqsize + 1); + if (ret) + goto out_free_io_queues; +@@ -2597,8 +2596,6 @@ nvme_fc_create_association(struct nvme_fc_ctrl *ctrl) + * Create the admin queue + */ + +- nvme_fc_init_queue(ctrl, 0); +- + ret = __nvme_fc_create_hw_queue(ctrl, &ctrl->queues[0], 0, + NVME_AQ_DEPTH); + if (ret) +@@ -2685,7 +2682,7 @@ nvme_fc_create_association(struct nvme_fc_ctrl *ctrl) + if (!ctrl->ioq_live) + ret = nvme_fc_create_io_queues(ctrl); + else +- ret = nvme_fc_reinit_io_queues(ctrl); ++ ret = nvme_fc_recreate_io_queues(ctrl); + if (ret) + goto out_term_aen_ops; + } +@@ -3034,6 +3031,8 @@ nvme_fc_init_ctrl(struct device *dev, struct nvmf_ctrl_options *opts, + if (!ctrl->queues) + goto out_free_ida; + ++ nvme_fc_init_queue(ctrl, 0); ++ + memset(&ctrl->admin_tag_set, 0, sizeof(ctrl->admin_tag_set)); + ctrl->admin_tag_set.ops = &nvme_fc_admin_mq_ops; + ctrl->admin_tag_set.queue_depth = NVME_AQ_MQ_TAG_DEPTH; +-- +2.12.3 + diff --git a/patches.drivers/nvme-fc-remove-reinit_request-routine.patch b/patches.drivers/nvme-fc-remove-reinit_request-routine.patch new file mode 100644 index 0000000000..36a46f905e --- /dev/null +++ b/patches.drivers/nvme-fc-remove-reinit_request-routine.patch @@ -0,0 +1,69 @@ +From: James Smart <jsmart2021@gmail.com> +Date: Wed, 13 Jun 2018 14:07:36 -0700 +Subject: [PATCH] nvme-fc: remove reinit_request routine +References: bsc#1098706 +Git-commit: 587331f71e2748371526597cafc72e5732c67e88 +Patch-mainline: v4.18-rc1 + +The reinit_request routine is not necessary. Remove support for the +op callback. + +As all that nvme_reinit_tagset() does is itterate and call the +reinit routine, it too has no purpose. Remove the call. + +Signed-off-by: James Smart <james.smart@broadcom.com> +Reviewed-by: Hannes Reinecke <hare@suse.com> +Signed-off-by: Christoph Hellwig <hch@lst.de> +Signed-off-by: Hannes Reinecke <hare@suse.de> +--- + drivers/nvme/host/fc.c | 20 -------------------- + 1 file changed, 20 deletions(-) + +diff --git a/drivers/nvme/host/fc.c b/drivers/nvme/host/fc.c +index 0794f2707a9a..921011676b0f 100644 +--- a/drivers/nvme/host/fc.c ++++ b/drivers/nvme/host/fc.c +@@ -1475,21 +1475,6 @@ nvme_fc_xmt_disconnect_assoc(struct nvme_fc_ctrl *ctrl) + + static void nvme_fc_error_recovery(struct nvme_fc_ctrl *ctrl, char *errmsg); + +-static int +-nvme_fc_reinit_request(void *data, struct request *rq) +-{ +- struct nvme_fc_fcp_op *op = blk_mq_rq_to_pdu(rq); +- struct nvme_fc_cmd_iu *cmdiu = &op->cmd_iu; +- +- memset(cmdiu, 0, sizeof(*cmdiu)); +- cmdiu->scsi_id = NVME_CMD_SCSI_ID; +- cmdiu->fc_id = NVME_CMD_FC_ID; +- cmdiu->iu_len = cpu_to_be16(sizeof(*cmdiu) / sizeof(u32)); +- memset(&op->rsp_iu, 0, sizeof(op->rsp_iu)); +- +- return 0; +-} +- + static void + __nvme_fc_exit_request(struct nvme_fc_ctrl *ctrl, + struct nvme_fc_fcp_op *op) +@@ -2515,10 +2500,6 @@ nvme_fc_reinit_io_queues(struct nvme_fc_ctrl *ctrl) + + nvme_fc_init_io_queues(ctrl); + +- ret = nvme_reinit_tagset(&ctrl->ctrl, ctrl->ctrl.tagset); +- if (ret) +- goto out_free_io_queues; +- + ret = nvme_fc_create_hw_io_queues(ctrl, ctrl->ctrl.sqsize + 1); + if (ret) + goto out_free_io_queues; +@@ -2929,7 +2910,6 @@ static const struct nvme_ctrl_ops nvme_fc_ctrl_ops = { + .submit_async_event = nvme_fc_submit_async_event, + .delete_ctrl = nvme_fc_delete_ctrl, + .get_address = nvmf_get_address, +- .reinit_request = nvme_fc_reinit_request, + }; + + static void +-- +2.12.3 + diff --git a/patches.drivers/nvme-fc-remove-setting-DNR-on-exception-conditions.patch b/patches.drivers/nvme-fc-remove-setting-DNR-on-exception-conditions.patch new file mode 100644 index 0000000000..6664886066 --- /dev/null +++ b/patches.drivers/nvme-fc-remove-setting-DNR-on-exception-conditions.patch @@ -0,0 +1,44 @@ +From: James Smart <jsmart2021@gmail.com> +Date: Fri, 11 May 2018 17:50:24 -0700 +Subject: [PATCH] nvme-fc: remove setting DNR on exception conditions +References: bsc#1098706 +Git-commit: 90fcaf5d54c57037e9f879f17b58497db7156c3e +Patch-mainline: v4.18-rc1 + +Current code will set DNR if the controller is deleting or there is +an error during controller init. None of this is necessary. + +Remove the code that sets DNR + +Signed-off-by: James Smart <james.smart@broadcom.com> +Reviewed-by: Hannes Reinecke <hare@suse.com> +Signed-off-by: Christoph Hellwig <hch@lst.de> +Signed-off-by: Hannes Reinecke <hare@suse.de> +--- + drivers/nvme/host/fc.c | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/drivers/nvme/host/fc.c b/drivers/nvme/host/fc.c +index 3f7be5067bfd..f57b9871b802 100644 +--- a/drivers/nvme/host/fc.c ++++ b/drivers/nvme/host/fc.c +@@ -1690,16 +1690,6 @@ nvme_fc_fcpio_done(struct nvmefc_fcp_req *req) + goto check_error; + } + +- /* +- * Force failures of commands if we're killing the controller +- * or have an error on a command used to create an new association +- */ +- if (status && +- (blk_queue_dying(rq->q) || +- ctrl->ctrl.state == NVME_CTRL_NEW || +- ctrl->ctrl.state == NVME_CTRL_CONNECTING)) +- status |= cpu_to_le16(NVME_SC_DNR << 1); +- + __nvme_fc_fcpop_chk_teardowns(ctrl, op, opstate); + nvme_end_request(rq, status, result); + +-- +2.12.3 + diff --git a/patches.drivers/nvme-fix-NULL-pointer-dereference-in-nvme_init_subsy.patch b/patches.drivers/nvme-fix-NULL-pointer-dereference-in-nvme_init_subsy.patch new file mode 100644 index 0000000000..d50b79a1de --- /dev/null +++ b/patches.drivers/nvme-fix-NULL-pointer-dereference-in-nvme_init_subsy.patch @@ -0,0 +1,35 @@ +From: Israel Rukshin <israelr@mellanox.com> +Date: Sun, 10 Jun 2018 10:31:10 +0000 +Subject: [PATCH] nvme: fix NULL pointer dereference in nvme_init_subsystem +References: bsc#1098706 +Git-commit: 16001c10725e11b73b8518f42e414506bf73c291 +Patch-mainline: v4.18-rc1 + +When using nvme-pci driver the nvmf_ctrl_options is NULL. +There is no need to check for discovery_nqn flag at non-fabrics controller. + +Fixes: 181303d0 ("nvme-fabrics: allow duplicate connections to the discovery controller") +Signed-off-by: Israel Rukshin <israelr@mellanox.com> +Reviewed-by: Max Gurtovoy <maxg@mellanox.com> +Signed-off-by: Christoph Hellwig <hch@lst.de> +Signed-off-by: Hannes Reinecke <hare@suse.de> +--- + drivers/nvme/host/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 77d1855f3703..75bdbcdcce88 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -2174,7 +2174,7 @@ static int nvme_init_subsystem(struct nvme_ctrl *ctrl, struct nvme_id_ctrl *id) + * Verify that the subsystem actually supports multiple + * controllers, else bail out. + */ +- if (!ctrl->opts->discovery_nqn && ++ if (!(ctrl->opts && ctrl->opts->discovery_nqn) && + nvme_active_ctrls(found) && !(id->cmic & (1 << 1))) { + dev_err(ctrl->device, + "ignoring ctrl due to duplicate subnqn (%s).\n", +-- +2.12.3 + diff --git a/patches.drivers/nvme-fix-potential-memory-leak-in-option-parsing.patch b/patches.drivers/nvme-fix-potential-memory-leak-in-option-parsing.patch new file mode 100644 index 0000000000..37d355ae08 --- /dev/null +++ b/patches.drivers/nvme-fix-potential-memory-leak-in-option-parsing.patch @@ -0,0 +1,76 @@ +From: Chengguang Xu <cgxu519@gmx.com> +Date: Sat, 14 Apr 2018 20:06:19 +0800 +Subject: [PATCH] nvme: fix potential memory leak in option parsing +References: bsc#1098706 +Git-commit: 59a2f3f00fd744dbad22593f47552037d3154ca6 +Patch-mainline: v4.17-rc4 + +When specifying same string type option several times, +current option parsing may cause memory leak. Hence, +call kfree for previous one in this case. + +Signed-off-by: Chengguang Xu <cgxu519@gmx.com> +Reviewed-by: Christoph Hellwig <hch@lst.de> +Reviewed-by: Sagi Grimberg <sagi@grimberg.me> +Signed-off-by: Keith Busch <keith.busch@intel.com> +Signed-off-by: Jens Axboe <axboe@kernel.dk> +Signed-off-by: Hannes Reinecke <hare@suse.de> +--- + drivers/nvme/host/fabrics.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/nvme/host/fabrics.c b/drivers/nvme/host/fabrics.c +index 297668552983..baec1b185f12 100644 +--- a/drivers/nvme/host/fabrics.c ++++ b/drivers/nvme/host/fabrics.c +@@ -668,6 +668,7 @@ static int nvmf_parse_options(struct nvmf_ctrl_options *opts, + ret = -ENOMEM; + goto out; + } ++ kfree(opts->transport); + opts->transport = p; + break; + case NVMF_OPT_NQN: +@@ -676,6 +677,7 @@ static int nvmf_parse_options(struct nvmf_ctrl_options *opts, + ret = -ENOMEM; + goto out; + } ++ kfree(opts->subsysnqn); + opts->subsysnqn = p; + nqnlen = strlen(opts->subsysnqn); + if (nqnlen >= NVMF_NQN_SIZE) { +@@ -698,6 +700,7 @@ static int nvmf_parse_options(struct nvmf_ctrl_options *opts, + ret = -ENOMEM; + goto out; + } ++ kfree(opts->traddr); + opts->traddr = p; + break; + case NVMF_OPT_TRSVCID: +@@ -706,6 +709,7 @@ static int nvmf_parse_options(struct nvmf_ctrl_options *opts, + ret = -ENOMEM; + goto out; + } ++ kfree(opts->trsvcid); + opts->trsvcid = p; + break; + case NVMF_OPT_QUEUE_SIZE: +@@ -787,6 +791,7 @@ static int nvmf_parse_options(struct nvmf_ctrl_options *opts, + ret = -EINVAL; + goto out; + } ++ nvmf_host_put(opts->host); + opts->host = nvmf_host_add(p); + kfree(p); + if (!opts->host) { +@@ -812,6 +817,7 @@ static int nvmf_parse_options(struct nvmf_ctrl_options *opts, + ret = -ENOMEM; + goto out; + } ++ kfree(opts->host_traddr); + opts->host_traddr = p; + break; + case NVMF_OPT_HOST_ID: +-- +2.12.3 + diff --git a/patches.drivers/nvme-multipath-Fix-multipath-disabled-naming-collisi.patch b/patches.drivers/nvme-multipath-Fix-multipath-disabled-naming-collisi.patch new file mode 100644 index 0000000000..c410ef91aa --- /dev/null +++ b/patches.drivers/nvme-multipath-Fix-multipath-disabled-naming-collisi.patch @@ -0,0 +1,128 @@ +From: Keith Busch <keith.busch@intel.com> +Date: Thu, 26 Apr 2018 14:22:41 -0600 +Subject: [PATCH] nvme/multipath: Fix multipath disabled naming collisions +References: bsc#1098706 +Git-commit: a785dbccd95c37606c720580714f5a7a8b3255f1 +Patch-mainline: v4.17-rc4 + +When CONFIG_NVME_MULTIPATH is set, but we're not using nvme to multipath, +namespaces with multiple paths were not creating unique names due to +reusing the same instance number from the namespace's head. + +This patch fixes this by falling back to the non-multipath naming method +when the parameter disabled using multipath. + +Reported-by: Mike Snitzer <snitzer@redhat.com> +Signed-off-by: Keith Busch <keith.busch@intel.com> +Reviewed-by: Christoph Hellwig <hch@lst.de> +Signed-off-by: Jens Axboe <axboe@kernel.dk> +Signed-off-by: Hannes Reinecke <hare@suse.de> +--- + drivers/nvme/host/core.c | 26 +------------------------- + drivers/nvme/host/multipath.c | 22 ++++++++++++++++++++++ + drivers/nvme/host/nvme.h | 12 ++++++++++++ + 3 files changed, 35 insertions(+), 25 deletions(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 1bddf6b62369..2d32cec747d2 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -2986,31 +2986,7 @@ static void nvme_alloc_ns(struct nvme_ctrl *ctrl, unsigned nsid) + if (nvme_init_ns_head(ns, nsid, id, &new)) + goto out_free_id; + nvme_setup_streams_ns(ctrl, ns); +- +-#ifdef CONFIG_NVME_MULTIPATH +- /* +- * If multipathing is enabled we need to always use the subsystem +- * instance number for numbering our devices to avoid conflicts +- * between subsystems that have multiple controllers and thus use +- * the multipath-aware subsystem node and those that have a single +- * controller and use the controller node directly. +- */ +- if (ns->head->disk) { +- sprintf(disk_name, "nvme%dc%dn%d", ctrl->subsys->instance, +- ctrl->cntlid, ns->head->instance); +- flags = GENHD_FL_HIDDEN; +- } else { +- sprintf(disk_name, "nvme%dn%d", ctrl->subsys->instance, +- ns->head->instance); +- } +-#else +- /* +- * But without the multipath code enabled, multiple controller per +- * subsystems are visible as devices and thus we cannot use the +- * subsystem instance. +- */ +- sprintf(disk_name, "nvme%dn%d", ctrl->instance, ns->head->instance); +-#endif ++ nvme_set_disk_name(disk_name, ns, ctrl, &flags); + + if ((ctrl->quirks & NVME_QUIRK_LIGHTNVM) && id->vs[0] == 0x1) { + if (nvme_nvm_register(ns, disk_name, node)) { +diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c +index 0fb560bbadd7..43821caf226e 100644 +--- a/drivers/nvme/host/multipath.c ++++ b/drivers/nvme/host/multipath.c +@@ -19,6 +19,28 @@ module_param(multipath, bool, 0644); + MODULE_PARM_DESC(multipath, + "turn on native support for multiple controllers per subsystem"); + ++/* ++ * If multipathing is enabled we need to always use the subsystem instance ++ * number for numbering our devices to avoid conflicts between subsystems that ++ * have multiple controllers and thus use the multipath-aware subsystem node ++ * and those that have a single controller and use the controller node ++ * directly. ++ */ ++void nvme_set_disk_name(char *disk_name, struct nvme_ns *ns, ++ struct nvme_ctrl *ctrl, int *flags) ++{ ++ if (!multipath) { ++ sprintf(disk_name, "nvme%dn%d", ctrl->instance, ns->head->instance); ++ } else if (ns->head->disk) { ++ sprintf(disk_name, "nvme%dc%dn%d", ctrl->subsys->instance, ++ ctrl->cntlid, ns->head->instance); ++ *flags = GENHD_FL_HIDDEN; ++ } else { ++ sprintf(disk_name, "nvme%dn%d", ctrl->subsys->instance, ++ ns->head->instance); ++ } ++} ++ + void nvme_failover_req(struct request *req) + { + struct nvme_ns *ns = req->q->queuedata; +diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h +index 840c686b0d72..40695e589646 100644 +--- a/drivers/nvme/host/nvme.h ++++ b/drivers/nvme/host/nvme.h +@@ -411,6 +411,8 @@ extern const struct attribute_group nvme_ns_id_attr_group; + extern const struct block_device_operations nvme_ns_head_ops; + + #ifdef CONFIG_NVME_MULTIPATH ++void nvme_set_disk_name(char *disk_name, struct nvme_ns *ns, ++ struct nvme_ctrl *ctrl, int *flags); + void nvme_failover_req(struct request *req); + bool nvme_req_needs_failover(struct request *req, blk_status_t error); + void nvme_kick_requeue_lists(struct nvme_ctrl *ctrl); +@@ -436,6 +438,16 @@ static inline void nvme_mpath_check_last_path(struct nvme_ns *ns) + } + + #else ++/* ++ * Without the multipath code enabled, multiple controller per subsystems are ++ * visible as devices and thus we cannot use the subsystem instance. ++ */ ++static inline void nvme_set_disk_name(char *disk_name, struct nvme_ns *ns, ++ struct nvme_ctrl *ctrl, int *flags) ++{ ++ sprintf(disk_name, "nvme%dn%d", ctrl->instance, ns->head->instance); ++} ++ + static inline void nvme_failover_req(struct request *req) + { + } +-- +2.12.3 + diff --git a/patches.drivers/nvmet-fc-increase-LS-buffer-count-per-fc-port.patch b/patches.drivers/nvmet-fc-increase-LS-buffer-count-per-fc-port.patch new file mode 100644 index 0000000000..c477160177 --- /dev/null +++ b/patches.drivers/nvmet-fc-increase-LS-buffer-count-per-fc-port.patch @@ -0,0 +1,36 @@ +From: James Smart <jsmart2021@gmail.com> +Date: Mon, 21 May 2018 16:27:42 -0700 +Subject: [PATCH] nvmet-fc: increase LS buffer count per fc port +References: bsc#1098706 +Git-commit: 17d78252ee568ecf94df6829c81578c0602991eb +Patch-mainline: v4.18-rc1 + +Todays limit on concurrent LS's is very small - 4 buffers. With large +subsystem counts or large numbers of initiators connecting, the limit +may be exceeded. + +Raise the LS buffer count to 256. + +Signed-off-by: James Smart <james.smart@broadcom.com> +Signed-off-by: Christoph Hellwig <hch@lst.de> +Signed-off-by: Hannes Reinecke <hare@suse.de> +--- + drivers/nvme/target/fc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/target/fc.c b/drivers/nvme/target/fc.c +index 98a8bb3a00de..b4f99fac2ee1 100644 +--- a/drivers/nvme/target/fc.c ++++ b/drivers/nvme/target/fc.c +@@ -31,7 +31,7 @@ + /* *************************** Data Structures/Defines ****************** */ + + +-#define NVMET_LS_CTX_COUNT 4 ++#define NVMET_LS_CTX_COUNT 256 + + /* for this implementation, assume small single frame rqst/rsp */ + #define NVME_FC_MAX_LS_BUFFER_SIZE 2048 +-- +2.12.3 + diff --git a/patches.drivers/nvmet-switch-loopback-target-state-to-connecting-whe.patch b/patches.drivers/nvmet-switch-loopback-target-state-to-connecting-whe.patch new file mode 100644 index 0000000000..e35e5749bd --- /dev/null +++ b/patches.drivers/nvmet-switch-loopback-target-state-to-connecting-whe.patch @@ -0,0 +1,47 @@ +From: Johannes Thumshirn <jthumshirn@suse.de> +Date: Thu, 3 May 2018 17:00:35 +0200 +Subject: [PATCH] nvmet: switch loopback target state to connecting when + resetting +References: bsc#1098706 +Git-commit: 8bfc3b4c6f9de815de4ab73784b9419348266a65 +Patch-mainline: v4.17-rc4 + +After commit bb06ec31452f ("nvme: expand nvmf_check_if_ready checks") +resetting of the loopback nvme target failed as we forgot to switch +it's state to NVME_CTRL_CONNECTING before we reconnect the admin +queues. Therefore the checks in nvmf_check_if_ready() choose to go to +the reject_io case and thus we couldn't sent out an identify +controller command to reconnect. + +Change the controller state to NVME_CTRL_CONNECTING after tearing down +the old connection and before re-establishing the connection. + +Fixes: bb06ec31452f ("nvme: expand nvmf_check_if_ready checks") +Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de> +Signed-off-by: Keith Busch <keith.busch@intel.com> +Signed-off-by: Jens Axboe <axboe@kernel.dk> +Signed-off-by: Hannes Reinecke <hare@suse.de> +--- + drivers/nvme/target/loop.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/nvme/target/loop.c b/drivers/nvme/target/loop.c +index d58aa5251165..04141fd94fa9 100644 +--- a/drivers/nvme/target/loop.c ++++ b/drivers/nvme/target/loop.c +@@ -473,6 +473,12 @@ static void nvme_loop_reset_ctrl_work(struct work_struct *work) + nvme_stop_ctrl(&ctrl->ctrl); + nvme_loop_shutdown_ctrl(ctrl); + ++ if (!nvme_change_ctrl_state(&ctrl->ctrl, NVME_CTRL_CONNECTING)) { ++ /* state change failure should never happen */ ++ WARN_ON_ONCE(1); ++ return; ++ } ++ + ret = nvme_loop_configure_admin_queue(ctrl); + if (ret) + goto out_disable; +-- +2.12.3 + diff --git a/patches.drivers/platform-x86-ideapad-laptop-Add-MIIX-720-12IKB-to-no b/patches.drivers/platform-x86-ideapad-laptop-Add-MIIX-720-12IKB-to-no index 55f109052e..47cbe4d432 100644 --- a/patches.drivers/platform-x86-ideapad-laptop-Add-MIIX-720-12IKB-to-no +++ b/patches.drivers/platform-x86-ideapad-laptop-Add-MIIX-720-12IKB-to-no @@ -1,8 +1,9 @@ +From 7caf0c1efd62a755441faa03daa7dd88f0c2150d Mon Sep 17 00:00:00 2001 From: Takashi Iwai <tiwai@suse.de> -Subject: [PATCH] platform/x86: ideapad-laptop: Add MIIX 720-12IKB to no_hw_rfkill Date: Mon, 14 May 2018 15:31:28 +0200 -Message-id: <20180514133128.31578-1-tiwai@suse.de> -Patch-mainline: Submitted, platform-driver-x86 ML +Subject: [PATCH] platform/x86: ideapad-laptop: Add MIIX 720-12IKB to no_hw_rfkill +Git-commit: 7caf0c1efd62a755441faa03daa7dd88f0c2150d +Patch-mainline: v4.18-rc1 References: bsc#1093035 Yet another Lenovo model to be added to the no_hw_rfkill blacklist: @@ -11,6 +12,7 @@ ideapad MIIX 720-12IKB. Otherwise it's always hard-blocked. Reported-by: Robin Roevens <robin.roevens1@pandora.be> Bugzilla: https://bugzilla.opensuse.org/show_bug.cgi?id=1093035 Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> --- drivers/platform/x86/ideapad-laptop.c | 7 +++++++ diff --git a/patches.drivers/platform-x86-ideapad-laptop-Apply-no_hw_rfkill-to-Y2 b/patches.drivers/platform-x86-ideapad-laptop-Apply-no_hw_rfkill-to-Y2 new file mode 100644 index 0000000000..912487611e --- /dev/null +++ b/patches.drivers/platform-x86-ideapad-laptop-Apply-no_hw_rfkill-to-Y2 @@ -0,0 +1,38 @@ +From: Takashi Iwai <tiwai@suse.de> +Date: Fri, 22 Jun 2018 10:59:17 +0200 +Subject: [PATCH] platform/x86: ideapad-laptop: Apply no_hw_rfkill to Y20-15IKBM, too +Message-Id: <20180622085917.22969-1-tiwai@suse.de> +Patch-mainline: Submitted, platform-driver-x86 ML +References: bsc#1098626 + +The commit 5d9f40b56630 ("platform/x86: ideapad-laptop: Add +Y520-15IKBN to no_hw_rfkill") added the entry for Y20-15IKBN, and it +turned out that another variant, Y20-15IKBM, also requires the +no_hw_rfkill. + +Trim the last letter from the string so that it matches to both +Y20-15IKBN and Y20-15IKBM models. + +Bugzilla: https://bugzilla.opensuse.org/show_bug.cgi?id=1098626 +Cc: <stable@vger.kernel.org> +Signed-off-by: Takashi Iwai <tiwai@suse.de> + +--- + drivers/platform/x86/ideapad-laptop.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/platform/x86/ideapad-laptop.c ++++ b/drivers/platform/x86/ideapad-laptop.c +@@ -1002,10 +1002,10 @@ static const struct dmi_system_id no_hw_ + }, + }, + { +- .ident = "Lenovo Legion Y520-15IKBN", ++ .ident = "Lenovo Legion Y520-15IKB", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Y520-15IKBN"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Y520-15IKB"), + }, + }, + { diff --git a/patches.drivers/serial-8250-omap-Fix-idling-of-clocks-for-unused-uar b/patches.drivers/serial-8250-omap-Fix-idling-of-clocks-for-unused-uar new file mode 100644 index 0000000000..d6a562db30 --- /dev/null +++ b/patches.drivers/serial-8250-omap-Fix-idling-of-clocks-for-unused-uar @@ -0,0 +1,97 @@ +From 13dc04d0e5fdc25c8f713ad23fdce51cf2bf96ba Mon Sep 17 00:00:00 2001 +From: Tony Lindgren <tony@atomide.com> +Date: Fri, 4 May 2018 10:44:09 -0700 +Subject: [PATCH] serial: 8250: omap: Fix idling of clocks for unused uarts +Git-commit: 13dc04d0e5fdc25c8f713ad23fdce51cf2bf96ba +Patch-mainline: v4.18-rc1 +References: bsc#1051510 + +I noticed that unused UARTs won't necessarily idle properly always +unless at least one byte tx transfer is done first. + +After some debugging I narrowed down the problem to the scr register +dma configuration bits that need to be set before softreset for the +clocks to idle. Unless we do this, the module clkctrl idlest bits +may be set to 1 instead of 3 meaning the clock will never idle and +is blocking deeper idle states for the whole domain. + +This might be related to the configuration done by the bootloader +or kexec booting where certain configurations cause the 8250 or +the clkctrl clock to jam in a way where setting of the scr bits +and reset is needed to clear it. I've tried diffing the 8250 +registers for the various modes, but did not see anything specific. +So far I've only seen this on omap4 but I'm suspecting this might +also happen on the other clkctrl using SoCs considering they +already have a quirk enabled for UART_ERRATA_CLOCK_DISABLE. + +Let's fix the issue by configuring scr before reset for basic dma +even if we don't use it. The scr register will be reset when we do +softreset few lines after, and we restore scr on resume. We should +do this for all the SoCs with UART_ERRATA_CLOCK_DISABLE quirk flag +set since the ones with UART_ERRATA_CLOCK_DISABLE are all based +using clkctrl similar to omap4. + +Looks like both OMAP_UART_SCR_DMAMODE_1 | OMAP_UART_SCR_DMAMODE_CTL +bits are needed for the clkctrl to idle after a softreset. + +And we need to add omap4 to also use the UART_ERRATA_CLOCK_DISABLE +for the related workaround to be enabled. This same compatible +value will also be used for omap5. + +Fixes: cdb929e4452a ("serial: 8250_omap: workaround errata around idling UART after using DMA") +Cc: Keerthy <j-keerthy@ti.com> +Cc: Matthijs van Duin <matthijsvanduin@gmail.com> +Cc: Sekhar Nori <nsekhar@ti.com> +Cc: Tero Kristo <t-kristo@ti.com> +Signed-off-by: Tony Lindgren <tony@atomide.com> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Acked-by: Takashi Iwai <tiwai@suse.de> + +--- + drivers/tty/serial/8250/8250_omap.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/8250/8250_omap.c b/drivers/tty/serial/8250/8250_omap.c +index 6aaa84355fd1..1b337fee07ed 100644 +--- a/drivers/tty/serial/8250/8250_omap.c ++++ b/drivers/tty/serial/8250/8250_omap.c +@@ -1110,13 +1110,14 @@ static int omap8250_no_handle_irq(struct uart_port *port) + return 0; + } + ++static const u8 omap4_habit = UART_ERRATA_CLOCK_DISABLE; + static const u8 am3352_habit = OMAP_DMA_TX_KICK | UART_ERRATA_CLOCK_DISABLE; + static const u8 dra742_habit = UART_ERRATA_CLOCK_DISABLE; + + static const struct of_device_id omap8250_dt_ids[] = { + { .compatible = "ti,omap2-uart" }, + { .compatible = "ti,omap3-uart" }, +- { .compatible = "ti,omap4-uart" }, ++ { .compatible = "ti,omap4-uart", .data = &omap4_habit, }, + { .compatible = "ti,am3352-uart", .data = &am3352_habit, }, + { .compatible = "ti,am4372-uart", .data = &am3352_habit, }, + { .compatible = "ti,dra742-uart", .data = &dra742_habit, }, +@@ -1362,6 +1363,19 @@ static int omap8250_soft_reset(struct device *dev) + int sysc; + int syss; + ++ /* ++ * At least on omap4, unused uarts may not idle after reset without ++ * a basic scr dma configuration even with no dma in use. The ++ * module clkctrl status bits will be 1 instead of 3 blocking idle ++ * for the whole clockdomain. The softreset below will clear scr, ++ * and we restore it on resume so this is safe to do on all SoCs ++ * needing omap8250_soft_reset() quirk. Do it in two writes as ++ * recommended in the comment for omap8250_update_scr(). ++ */ ++ serial_out(up, UART_OMAP_SCR, OMAP_UART_SCR_DMAMODE_1); ++ serial_out(up, UART_OMAP_SCR, ++ OMAP_UART_SCR_DMAMODE_1 | OMAP_UART_SCR_DMAMODE_CTL); ++ + sysc = serial_in(up, UART_OMAP_SYSC); + + /* softreset the UART */ +-- +2.17.1 + diff --git a/patches.drivers/serial-altera-ensure-port-regshift-is-honored-consis b/patches.drivers/serial-altera-ensure-port-regshift-is-honored-consis new file mode 100644 index 0000000000..41407ccd96 --- /dev/null +++ b/patches.drivers/serial-altera-ensure-port-regshift-is-honored-consis @@ -0,0 +1,78 @@ +From 0e254963b6ba4d63ac911e79537fea38dd03dc50 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <u.kleine-koenig@pengutronix.de> +Date: Thu, 25 Jan 2018 14:30:43 +0100 +Subject: [PATCH] serial: altera: ensure port->regshift is honored consistently +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 0e254963b6ba4d63ac911e79537fea38dd03dc50 +Patch-mainline: v4.17-rc1 +References: bsc#1051510 + +Most register accesses in the altera driver honor port->regshift by +using altera_uart_writel(). There are a few accesses however that were +missed when the driver was converted to use port->regshift and some +others were added later in commit 4d9d7d896d77 ("serial: altera_uart: +add earlycon support"). + +Fixes: 2780ad42f5fe ("tty: serial: altera_uart: Use port->regshift to store bus shift") +Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de> +Acked-by: Tobias Klauser <tklauser@distanz.ch> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Acked-by: Takashi Iwai <tiwai@suse.de> + +--- + drivers/tty/serial/altera_uart.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/tty/serial/altera_uart.c b/drivers/tty/serial/altera_uart.c +index b88b05f8e81e..ae30398fcf56 100644 +--- a/drivers/tty/serial/altera_uart.c ++++ b/drivers/tty/serial/altera_uart.c +@@ -327,7 +327,7 @@ static int altera_uart_startup(struct uart_port *port) + + /* Enable RX interrupts now */ + pp->imr = ALTERA_UART_CONTROL_RRDY_MSK; +- writel(pp->imr, port->membase + ALTERA_UART_CONTROL_REG); ++ altera_uart_writel(port, pp->imr, ALTERA_UART_CONTROL_REG); + + spin_unlock_irqrestore(&port->lock, flags); + +@@ -343,7 +343,7 @@ static void altera_uart_shutdown(struct uart_port *port) + + /* Disable all interrupts now */ + pp->imr = 0; +- writel(pp->imr, port->membase + ALTERA_UART_CONTROL_REG); ++ altera_uart_writel(port, pp->imr, ALTERA_UART_CONTROL_REG); + + spin_unlock_irqrestore(&port->lock, flags); + +@@ -432,7 +432,7 @@ static void altera_uart_console_putc(struct uart_port *port, int c) + ALTERA_UART_STATUS_TRDY_MSK)) + cpu_relax(); + +- writel(c, port->membase + ALTERA_UART_TXDATA_REG); ++ altera_uart_writel(port, c, ALTERA_UART_TXDATA_REG); + } + + static void altera_uart_console_write(struct console *co, const char *s, +@@ -502,13 +502,13 @@ static int __init altera_uart_earlycon_setup(struct earlycon_device *dev, + return -ENODEV; + + /* Enable RX interrupts now */ +- writel(ALTERA_UART_CONTROL_RRDY_MSK, +- port->membase + ALTERA_UART_CONTROL_REG); ++ altera_uart_writel(port, ALTERA_UART_CONTROL_RRDY_MSK, ++ ALTERA_UART_CONTROL_REG); + + if (dev->baud) { + unsigned int baudclk = port->uartclk / dev->baud; + +- writel(baudclk, port->membase + ALTERA_UART_DIVISOR_REG); ++ altera_uart_writel(port, baudclk, ALTERA_UART_DIVISOR_REG); + } + + dev->con->write = altera_uart_earlycon_write; +-- +2.17.1 + diff --git a/patches.drivers/serial-arc_uart-Fix-out-of-bounds-access-through-DT- b/patches.drivers/serial-arc_uart-Fix-out-of-bounds-access-through-DT- new file mode 100644 index 0000000000..201fa5aaba --- /dev/null +++ b/patches.drivers/serial-arc_uart-Fix-out-of-bounds-access-through-DT- @@ -0,0 +1,45 @@ +From f9f5786987e81d166c60833edcb7d1836aa16944 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven <geert+renesas@glider.be> +Date: Fri, 23 Feb 2018 14:38:29 +0100 +Subject: [PATCH] serial: arc_uart: Fix out-of-bounds access through DT alias +Git-commit: f9f5786987e81d166c60833edcb7d1836aa16944 +Patch-mainline: v4.17-rc1 +References: bsc#1051510 + +The arc_uart_ports[] array is indexed using a value derived from the +"serialN" alias in DT, which may lead to an out-of-bounds access. + +Fix this by adding a range check. + +Note that the array size is defined by a Kconfig symbol +(CONFIG_SERIAL_ARC_NR_PORTS), so this can even be triggered using a +legitimate DTB. + +Fixes: ea28fd56fcde69af ("serial/arc-uart: switch to devicetree based probing") +Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Acked-by: Takashi Iwai <tiwai@suse.de> + +--- + drivers/tty/serial/arc_uart.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/tty/serial/arc_uart.c b/drivers/tty/serial/arc_uart.c +index 2599f9ecccfe..d904a3a345e7 100644 +--- a/drivers/tty/serial/arc_uart.c ++++ b/drivers/tty/serial/arc_uart.c +@@ -593,6 +593,11 @@ static int arc_serial_probe(struct platform_device *pdev) + if (dev_id < 0) + dev_id = 0; + ++ if (dev_id >= ARRAY_SIZE(arc_uart_ports)) { ++ dev_err(&pdev->dev, "serial%d out of range\n", dev_id); ++ return -EINVAL; ++ } ++ + uart = &arc_uart_ports[dev_id]; + port = &uart->port; + +-- +2.17.1 + diff --git a/patches.drivers/serial-fsl_lpuart-Fix-out-of-bounds-access-through-D b/patches.drivers/serial-fsl_lpuart-Fix-out-of-bounds-access-through-D new file mode 100644 index 0000000000..d756c21f8c --- /dev/null +++ b/patches.drivers/serial-fsl_lpuart-Fix-out-of-bounds-access-through-D @@ -0,0 +1,35 @@ +From ffab87fdecc655cc676f8be8dd1a2c5e22bd6d47 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven <geert+renesas@glider.be> +Date: Fri, 23 Feb 2018 14:38:30 +0100 +Subject: [PATCH] serial: fsl_lpuart: Fix out-of-bounds access through DT alias +Git-commit: ffab87fdecc655cc676f8be8dd1a2c5e22bd6d47 +Patch-mainline: v4.17-rc1 +References: bsc#1051510 + +The lpuart_ports[] array is indexed using a value derived from the +"serialN" alias in DT, which may lead to an out-of-bounds access. + +Fix this by adding a range check. + +Fixes: c9e2e946fb0ba5d2 ("tty: serial: add Freescale lpuart driver support") +Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Acked-by: Takashi Iwai <tiwai@suse.de> + +--- + drivers/tty/serial/fsl_lpuart.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/tty/serial/fsl_lpuart.c ++++ b/drivers/tty/serial/fsl_lpuart.c +@@ -1987,6 +1987,10 @@ static int lpuart_probe(struct platform_ + dev_err(&pdev->dev, "failed to get alias id, errno %d\n", ret); + return ret; + } ++ if (ret >= ARRAY_SIZE(lpuart_ports)) { ++ dev_err(&pdev->dev, "serial%d out of range\n", ret); ++ return -EINVAL; ++ } + sport->port.line = ret; + sport->lpuart32 = of_device_is_compatible(np, "fsl,ls1021a-lpuart"); + diff --git a/patches.drivers/serial-imx-Fix-out-of-bounds-access-through-serial-p b/patches.drivers/serial-imx-Fix-out-of-bounds-access-through-serial-p new file mode 100644 index 0000000000..8da62cf148 --- /dev/null +++ b/patches.drivers/serial-imx-Fix-out-of-bounds-access-through-serial-p @@ -0,0 +1,47 @@ +From 5673444821406dda5fc25e4b52aca419f8065a19 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven <geert+renesas@glider.be> +Date: Fri, 23 Feb 2018 14:38:31 +0100 +Subject: [PATCH] serial: imx: Fix out-of-bounds access through serial port index +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 5673444821406dda5fc25e4b52aca419f8065a19 +Patch-mainline: v4.17-rc1 +References: bsc#1051510 + +The imx_ports[] array is indexed using a value derived from the +"serialN" alias in DT, or from platform data, which may lead to an +out-of-bounds access. + +Fix this by adding a range check. + +Fixes: ff05967a07225ab6 ("serial/imx: add of_alias_get_id() reference back") +Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be> +Reviewed-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Acked-by: Takashi Iwai <tiwai@suse.de> + +--- + drivers/tty/serial/imx.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/tty/serial/imx.c b/drivers/tty/serial/imx.c +index 689a117943a0..78bacd020221 100644 +--- a/drivers/tty/serial/imx.c ++++ b/drivers/tty/serial/imx.c +@@ -2069,6 +2069,12 @@ static int serial_imx_probe(struct platform_device *pdev) + else if (ret < 0) + return ret; + ++ if (sport->port.line >= ARRAY_SIZE(imx_ports)) { ++ dev_err(&pdev->dev, "serial%d out of range\n", ++ sport->port.line); ++ return -EINVAL; ++ } ++ + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + base = devm_ioremap_resource(&pdev->dev, res); + if (IS_ERR(base)) +-- +2.17.1 + diff --git a/patches.drivers/serial-mxs-auart-Fix-out-of-bounds-access-through-se b/patches.drivers/serial-mxs-auart-Fix-out-of-bounds-access-through-se new file mode 100644 index 0000000000..e4b6244421 --- /dev/null +++ b/patches.drivers/serial-mxs-auart-Fix-out-of-bounds-access-through-se @@ -0,0 +1,41 @@ +From dd345a31bfdec350d2593e6de5964e55c7f19c76 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven <geert+renesas@glider.be> +Date: Fri, 23 Feb 2018 14:38:32 +0100 +Subject: [PATCH] serial: mxs-auart: Fix out-of-bounds access through serial port index +Git-commit: dd345a31bfdec350d2593e6de5964e55c7f19c76 +Patch-mainline: v4.17-rc1 +References: bsc#1051510 + +The auart_port[] array is indexed using a value derived from the +"serialN" alias in DT, or from platform data, which may lead to an +out-of-bounds access. + +Fix this by adding a range check. + +Fixes: 1ea6607d4cdc9179 ("serial: mxs-auart: Allow device tree probing") +Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Acked-by: Takashi Iwai <tiwai@suse.de> + +--- + drivers/tty/serial/mxs-auart.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/tty/serial/mxs-auart.c b/drivers/tty/serial/mxs-auart.c +index 079dc47aa142..caa8a41b6e71 100644 +--- a/drivers/tty/serial/mxs-auart.c ++++ b/drivers/tty/serial/mxs-auart.c +@@ -1663,6 +1663,10 @@ static int mxs_auart_probe(struct platform_device *pdev) + s->port.line = pdev->id < 0 ? 0 : pdev->id; + else if (ret < 0) + return ret; ++ if (s->port.line >= ARRAY_SIZE(auart_port)) { ++ dev_err(&pdev->dev, "serial%d out of range\n", s->port.line); ++ return -EINVAL; ++ } + + if (of_id) { + pdev->id_entry = of_id->data; +-- +2.17.1 + diff --git a/patches.drivers/serial-samsung-Fix-out-of-bounds-access-through-seri b/patches.drivers/serial-samsung-Fix-out-of-bounds-access-through-seri new file mode 100644 index 0000000000..95d661b5fd --- /dev/null +++ b/patches.drivers/serial-samsung-Fix-out-of-bounds-access-through-seri @@ -0,0 +1,45 @@ +From 49ee23b71877831ac087d6083f6f397dc19c9664 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven <geert+renesas@glider.be> +Date: Fri, 23 Feb 2018 14:38:34 +0100 +Subject: [PATCH] serial: samsung: Fix out-of-bounds access through serial port index +Git-commit: 49ee23b71877831ac087d6083f6f397dc19c9664 +Patch-mainline: v4.17-rc1 +References: bsc#1051510 + +The s3c24xx_serial_ports[] array is indexed using a value derived from +the "serialN" alias in DT, or from an incrementing probe index, which +may lead to an out-of-bounds access. + +Fix this by adding a range check. + +Note that the array size is defined by a Kconfig symbol +(CONFIG_SERIAL_SAMSUNG_UARTS), so this can even be triggered using +a legitimate DTB or legitimate board code. + +Fixes: 13a9f6c64fdc55eb ("serial: samsung: Consider DT alias when probing ports") +Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Acked-by: Takashi Iwai <tiwai@suse.de> + +--- + drivers/tty/serial/samsung.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c +index f9fecc5ed0ce..3f2f8c118ce0 100644 +--- a/drivers/tty/serial/samsung.c ++++ b/drivers/tty/serial/samsung.c +@@ -1818,6 +1818,10 @@ static int s3c24xx_serial_probe(struct platform_device *pdev) + + dbg("s3c24xx_serial_probe(%p) %d\n", pdev, index); + ++ if (index >= ARRAY_SIZE(s3c24xx_serial_ports)) { ++ dev_err(&pdev->dev, "serial%d out of range\n", index); ++ return -EINVAL; ++ } + ourport = &s3c24xx_serial_ports[index]; + + ourport->drv_data = s3c24xx_get_driver_data(pdev); +-- +2.17.1 + diff --git a/patches.drivers/serial-samsung-fix-maxburst-parameter-for-DMA-transa b/patches.drivers/serial-samsung-fix-maxburst-parameter-for-DMA-transa new file mode 100644 index 0000000000..1ab940a057 --- /dev/null +++ b/patches.drivers/serial-samsung-fix-maxburst-parameter-for-DMA-transa @@ -0,0 +1,48 @@ +From aa2f80e752c75e593b3820f42c416ed9458fa73e Mon Sep 17 00:00:00 2001 +From: Marek Szyprowski <m.szyprowski@samsung.com> +Date: Thu, 10 May 2018 08:41:13 +0200 +Subject: [PATCH] serial: samsung: fix maxburst parameter for DMA transactions +Git-commit: aa2f80e752c75e593b3820f42c416ed9458fa73e +Patch-mainline: v4.18-rc1 +References: bsc#1051510 + +The best granularity of residue that DMA engine can report is in the BURST +units, so the serial driver must use MAXBURST = 1 and DMA_SLAVE_BUSWIDTH_1_BYTE +if it relies on exact number of bytes transferred by DMA engine. + +Fixes: 62c37eedb74c ("serial: samsung: add dma reqest/release functions") +Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> +Acked-by: Krzysztof Kozlowski <krzk@kernel.org> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Acked-by: Takashi Iwai <tiwai@suse.de> + +--- + drivers/tty/serial/samsung.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c +index 3f2f8c118ce0..64e96926f1ad 100644 +--- a/drivers/tty/serial/samsung.c ++++ b/drivers/tty/serial/samsung.c +@@ -862,15 +862,12 @@ static int s3c24xx_serial_request_dma(struct s3c24xx_uart_port *p) + dma->rx_conf.direction = DMA_DEV_TO_MEM; + dma->rx_conf.src_addr_width = DMA_SLAVE_BUSWIDTH_1_BYTE; + dma->rx_conf.src_addr = p->port.mapbase + S3C2410_URXH; +- dma->rx_conf.src_maxburst = 16; ++ dma->rx_conf.src_maxburst = 1; + + dma->tx_conf.direction = DMA_MEM_TO_DEV; + dma->tx_conf.dst_addr_width = DMA_SLAVE_BUSWIDTH_1_BYTE; + dma->tx_conf.dst_addr = p->port.mapbase + S3C2410_UTXH; +- if (dma_get_cache_alignment() >= 16) +- dma->tx_conf.dst_maxburst = 16; +- else +- dma->tx_conf.dst_maxburst = 1; ++ dma->tx_conf.dst_maxburst = 1; + + dma->rx_chan = dma_request_chan(p->port.dev, "rx"); + +-- +2.17.1 + diff --git a/patches.drivers/serial-sh-sci-Fix-out-of-bounds-access-through-DT-al b/patches.drivers/serial-sh-sci-Fix-out-of-bounds-access-through-DT-al new file mode 100644 index 0000000000..7a3109988e --- /dev/null +++ b/patches.drivers/serial-sh-sci-Fix-out-of-bounds-access-through-DT-al @@ -0,0 +1,44 @@ +From 090fa4b0dccfa3d04e1c5ab0fe4eba16e6713895 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven <geert+renesas@glider.be> +Date: Fri, 23 Feb 2018 14:38:35 +0100 +Subject: [PATCH] serial: sh-sci: Fix out-of-bounds access through DT alias +Git-commit: 090fa4b0dccfa3d04e1c5ab0fe4eba16e6713895 +Patch-mainline: v4.17-rc1 +References: bsc#1051510 + +The sci_ports[] array is indexed using a value derived from the +"serialN" alias in DT, which may lead to an out-of-bounds access. + +Fix this by adding a range check. + +Note that the array size is defined by a Kconfig symbol +(CONFIG_SERIAL_SH_SCI_NR_UARTS), so this can even be triggered using a +legitimate DTB. + +Fixes: 97ed9790c514066b ("serial: sh-sci: Remove unused platform data capabilities field") +Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Acked-by: Takashi Iwai <tiwai@suse.de> + +--- + drivers/tty/serial/sh-sci.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c +index af1c3246cee1..0ec2d938011d 100644 +--- a/drivers/tty/serial/sh-sci.c ++++ b/drivers/tty/serial/sh-sci.c +@@ -3109,6 +3109,10 @@ static struct plat_sci_port *sci_parse_dt(struct platform_device *pdev, + dev_err(&pdev->dev, "failed to get alias id (%d)\n", id); + return NULL; + } ++ if (id >= ARRAY_SIZE(sci_ports)) { ++ dev_err(&pdev->dev, "serial%d out of range\n", id); ++ return NULL; ++ } + + sp = &sci_ports[id]; + *dev_id = id; +-- +2.17.1 + diff --git a/patches.drivers/serial-sh-sci-Stop-using-printk-format-pCr b/patches.drivers/serial-sh-sci-Stop-using-printk-format-pCr new file mode 100644 index 0000000000..af7df668cd --- /dev/null +++ b/patches.drivers/serial-sh-sci-Stop-using-printk-format-pCr @@ -0,0 +1,63 @@ +From d63c16f8e1ab761775275adcf54f4bef7c330295 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven <geert+renesas@glider.be> +Date: Fri, 1 Jun 2018 11:28:21 +0200 +Subject: [PATCH] serial: sh-sci: Stop using printk format %pCr +Git-commit: d63c16f8e1ab761775275adcf54f4bef7c330295 +Patch-mainline: v4.18-rc1 +References: bsc#1051510 + +Printk format "%pCr" will be removed soon, as clk_get_rate() must not be +called in atomic context. + +Replace it by open-coding the operation. This is safe here, as the code +runs in task context. + +Link: http://lkml.kernel.org/r/1527845302-12159-4-git-send-email-geert+renesas@glider.be +To: Jia-Ju Bai <baijiaju1990@gmail.com> +To: Jonathan Corbet <corbet@lwn.net> +To: Michael Turquette <mturquette@baylibre.com> +To: Stephen Boyd <sboyd@kernel.org> +To: Zhang Rui <rui.zhang@intel.com> +To: Eduardo Valentin <edubezval@gmail.com> +To: Eric Anholt <eric@anholt.net> +To: Stefan Wahren <stefan.wahren@i2se.com> +To: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Cc: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com> +Cc: Petr Mladek <pmladek@suse.com> +Cc: Linus Torvalds <torvalds@linux-foundation.org> +Cc: Steven Rostedt <rostedt@goodmis.org> +Cc: linux-doc@vger.kernel.org +Cc: linux-clk@vger.kernel.org +Cc: linux-pm@vger.kernel.org +Cc: linux-serial@vger.kernel.org +Cc: linux-arm-kernel@lists.infradead.org +Cc: linux-renesas-soc@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Cc: Geert Uytterhoeven <geert+renesas@glider.be> +Cc: stable@vger.kernel.org # 4.5+ +Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be> +Signed-off-by: Petr Mladek <pmladek@suse.com> +Acked-by: Takashi Iwai <tiwai@suse.de> + +--- + drivers/tty/serial/sh-sci.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c +index fdbbff547106..a4f82ec665fe 100644 +--- a/drivers/tty/serial/sh-sci.c ++++ b/drivers/tty/serial/sh-sci.c +@@ -2704,8 +2704,8 @@ static int sci_init_clocks(struct sci_port *sci_port, struct device *dev) + dev_dbg(dev, "failed to get %s (%ld)\n", clk_names[i], + PTR_ERR(clk)); + else +- dev_dbg(dev, "clk %s is %pC rate %pCr\n", clk_names[i], +- clk, clk); ++ dev_dbg(dev, "clk %s is %pC rate %lu\n", clk_names[i], ++ clk, clk_get_rate(clk)); + sci_port->clks[i] = IS_ERR(clk) ? NULL : clk; + } + return 0; +-- +2.17.1 + diff --git a/patches.drivers/serial-xuartps-Fix-out-of-bounds-access-through-DT-a b/patches.drivers/serial-xuartps-Fix-out-of-bounds-access-through-DT-a new file mode 100644 index 0000000000..4569a275f5 --- /dev/null +++ b/patches.drivers/serial-xuartps-Fix-out-of-bounds-access-through-DT-a @@ -0,0 +1,39 @@ +From e7d75e18d0fc3f7193b65282b651f980c778d935 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven <geert+renesas@glider.be> +Date: Fri, 23 Feb 2018 14:38:37 +0100 +Subject: [PATCH] serial: xuartps: Fix out-of-bounds access through DT alias +Git-commit: e7d75e18d0fc3f7193b65282b651f980c778d935 +Patch-mainline: v4.17-rc1 +References: bsc#1051510 + +The cdns_uart_port[] array is indexed using a value derived from the +"serialN" alias in DT, which may lead to an out-of-bounds access. + +Fix this by adding a range check. + +Fixes: 928e9263492069ee ("tty: xuartps: Initialize ports according to aliases") +Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be> +Reviewed-by: Michal Simek <michal.simek@xilinx.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Acked-by: Takashi Iwai <tiwai@suse.de> + +--- + drivers/tty/serial/xilinx_uartps.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/xilinx_uartps.c b/drivers/tty/serial/xilinx_uartps.c +index b9b2bc76bcac..abcb4d09a2d8 100644 +--- a/drivers/tty/serial/xilinx_uartps.c ++++ b/drivers/tty/serial/xilinx_uartps.c +@@ -1110,7 +1110,7 @@ static struct uart_port *cdns_uart_get_port(int id) + struct uart_port *port; + + /* Try the given port id if failed use default method */ +- if (cdns_uart_port[id].mapbase != 0) { ++ if (id < CDNS_UART_NR_PORTS && cdns_uart_port[id].mapbase != 0) { + /* Find the next unused port */ + for (id = 0; id < CDNS_UART_NR_PORTS; id++) + if (cdns_uart_port[id].mapbase == 0) +-- +2.17.1 + diff --git a/patches.drivers/w1-mxc_w1-Enable-clock-before-calling-clk_get_rate-o b/patches.drivers/w1-mxc_w1-Enable-clock-before-calling-clk_get_rate-o new file mode 100644 index 0000000000..2a30e759d4 --- /dev/null +++ b/patches.drivers/w1-mxc_w1-Enable-clock-before-calling-clk_get_rate-o @@ -0,0 +1,73 @@ +From 955bc61328dc0a297fb3baccd84e9d3aee501ed8 Mon Sep 17 00:00:00 2001 +From: Stefan Potyra <Stefan.Potyra@elektrobit.com> +Date: Wed, 2 May 2018 10:55:31 +0200 +Subject: [PATCH] w1: mxc_w1: Enable clock before calling clk_get_rate() on it +Git-commit: 955bc61328dc0a297fb3baccd84e9d3aee501ed8 +Patch-mainline: v4.18-rc1 +References: bsc#1051510 + +According to the API, you may only call clk_get_rate() after actually +enabling it. + +Found by Linux Driver Verification project (linuxtesting.org). + +Fixes: a5fd9139f74c ("w1: add 1-wire master driver for i.MX27 / i.MX31") +Signed-off-by: Stefan Potyra <Stefan.Potyra@elektrobit.com> +Acked-by: Evgeniy Polyakov <zbr@ioremap.net> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Acked-by: Takashi Iwai <tiwai@suse.de> + +--- + drivers/w1/masters/mxc_w1.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +diff --git a/drivers/w1/masters/mxc_w1.c b/drivers/w1/masters/mxc_w1.c +index 74f2e6e6202a..8851d441e5fd 100644 +--- a/drivers/w1/masters/mxc_w1.c ++++ b/drivers/w1/masters/mxc_w1.c +@@ -112,6 +112,10 @@ static int mxc_w1_probe(struct platform_device *pdev) + if (IS_ERR(mdev->clk)) + return PTR_ERR(mdev->clk); + ++ err = clk_prepare_enable(mdev->clk); ++ if (err) ++ return err; ++ + clkrate = clk_get_rate(mdev->clk); + if (clkrate < 10000000) + dev_warn(&pdev->dev, +@@ -125,12 +129,10 @@ static int mxc_w1_probe(struct platform_device *pdev) + + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + mdev->regs = devm_ioremap_resource(&pdev->dev, res); +- if (IS_ERR(mdev->regs)) +- return PTR_ERR(mdev->regs); +- +- err = clk_prepare_enable(mdev->clk); +- if (err) +- return err; ++ if (IS_ERR(mdev->regs)) { ++ err = PTR_ERR(mdev->regs); ++ goto out_disable_clk; ++ } + + /* Software reset 1-Wire module */ + writeb(MXC_W1_RESET_RST, mdev->regs + MXC_W1_RESET); +@@ -146,8 +148,12 @@ static int mxc_w1_probe(struct platform_device *pdev) + + err = w1_add_master_device(&mdev->bus_master); + if (err) +- clk_disable_unprepare(mdev->clk); ++ goto out_disable_clk; + ++ return 0; ++ ++out_disable_clk: ++ clk_disable_unprepare(mdev->clk); + return err; + } + +-- +2.17.1 + diff --git a/patches.fixes/0001-NFS-Revert-NFS-Move-the-flock-open-mode-check-into-n.patch b/patches.fixes/0001-NFS-Revert-NFS-Move-the-flock-open-mode-check-into-n.patch new file mode 100644 index 0000000000..2a808f25f1 --- /dev/null +++ b/patches.fixes/0001-NFS-Revert-NFS-Move-the-flock-open-mode-check-into-n.patch @@ -0,0 +1,73 @@ +From: Benjamin Coddington <bcodding@redhat.com> +Date: Fri, 10 Nov 2017 06:27:49 -0500 +Subject: [PATCH] NFS: Revert "NFS: Move the flock open mode check into + nfs_flock()" +Git-commit: fcfa447062b2061e11f68b846d61cbfe60d0d604 +Patch-mainline: v4.15 +References: bsc#1098983 + +Commit e12937279c8b "NFS: Move the flock open mode check into nfs_flock()" +changed NFSv3 behavior for flock() such that the open mode must match the +lock type, however that requirement shouldn't be enforced for flock(). + +Signed-off-by: Benjamin Coddington <bcodding@redhat.com> +Cc: stable@vger.kernel.org # v4.12 +Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com> +Acked-by: NeilBrown <neilb@suse.com> + +--- + fs/nfs/file.c | 18 ++---------------- + fs/nfs/nfs4proc.c | 14 ++++++++++++++ + 2 files changed, 16 insertions(+), 16 deletions(-) + +--- a/fs/nfs/file.c ++++ b/fs/nfs/file.c +@@ -831,23 +831,9 @@ int nfs_flock(struct file *filp, int cmd + if (NFS_SERVER(inode)->flags & NFS_MOUNT_LOCAL_FLOCK) + is_local = 1; + +- /* +- * VFS doesn't require the open mode to match a flock() lock's type. +- * NFS, however, may simulate flock() locking with posix locking which +- * requires the open mode to match the lock type. +- */ +- switch (fl->fl_type) { +- case F_UNLCK: ++ /* We're simulating flock() locks using posix locks on the server */ ++ if (fl->fl_type == F_UNLCK) + return do_unlk(filp, cmd, fl, is_local); +- case F_RDLCK: +- if (!(filp->f_mode & FMODE_READ)) +- return -EBADF; +- break; +- case F_WRLCK: +- if (!(filp->f_mode & FMODE_WRITE)) +- return -EBADF; +- } +- + return do_setlk(filp, cmd, fl, is_local); + } + EXPORT_SYMBOL_GPL(nfs_flock); +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -6491,6 +6491,20 @@ nfs4_proc_lock(struct file *filp, int cm + !test_bit(NFS_STATE_POSIX_LOCKS, &state->flags)) + return -ENOLCK; + ++ /* ++ * Don't rely on the VFS having checked the file open mode, ++ * since it won't do this for flock() locks. ++ */ ++ switch (request->fl_type) { ++ case F_RDLCK: ++ if (!(filp->f_mode & FMODE_READ)) ++ return -EBADF; ++ break; ++ case F_WRLCK: ++ if (!(filp->f_mode & FMODE_WRITE)) ++ return -EBADF; ++ } ++ + status = nfs4_set_lock_state(state, request); + if (status != 0) + return status; diff --git a/patches.fixes/0001-cifs-Check-for-timeout-on-Negotiate-stage.patch b/patches.fixes/0001-cifs-Check-for-timeout-on-Negotiate-stage.patch new file mode 100644 index 0000000000..b867d56cc8 --- /dev/null +++ b/patches.fixes/0001-cifs-Check-for-timeout-on-Negotiate-stage.patch @@ -0,0 +1,116 @@ +From 3e750143a57a2c724c5e7f91964c034e432753f3 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero <scabrero@suse.de> +Date: Tue, 11 Jul 2017 12:44:39 +0200 +Subject: [PATCH] cifs: Check for timeout on Negotiate stage +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 76e752701a8af4404bbd9c45723f7cbd6e4a251e +Patch-mainline: v4.14 +References: bsc#1091171 + +Some servers seem to accept connections while booting but never send +the SMBNegotiate response neither close the connection, causing all +processes accessing the share hang on uninterruptible sleep state. + +This happens when the cifs_demultiplex_thread detects the server is +unresponsive so releases the socket and start trying to reconnect. +At some point, the faulty server will accept the socket and the TCP +status will be set to NeedNegotiate. The first issued command accessing +the share will start the negotiation (pid 5828 below), but the response +will never arrive so other commands will be blocked waiting on the mutex +(pid 55352). + +This patch checks for unresponsive servers also on the negotiate stage +releasing the socket and reconnecting if the response is not received +and checking again the tcp state when the mutex is acquired. + +Pid: 55352 TASK: ffff880fd6cc02c0 CPU: 0 COMMAND: "ls" + #0 [ffff880fd9add9f0] schedule at ffffffff81467eb9 + #1 [ffff880fd9addb38] __mutex_lock_slowpath at ffffffff81468fe0 + #2 [ffff880fd9addba8] mutex_lock at ffffffff81468b1a + #3 [ffff880fd9addbc0] cifs_reconnect_tcon at ffffffffa042f905 [cifs] + #4 [ffff880fd9addc60] smb_init at ffffffffa042faeb [cifs] + #5 [ffff880fd9addca0] CIFSSMBQPathInfo at ffffffffa04360b5 [cifs] + .... + +Which is waiting a mutex owned by: + +Pid: 5828 TASK: ffff880fcc55e400 CPU: 0 COMMAND: "xxxx" + #0 [ffff880fbfdc19b8] schedule at ffffffff81467eb9 + #1 [ffff880fbfdc1b00] wait_for_response at ffffffffa044f96d [cifs] + #2 [ffff880fbfdc1b60] SendReceive at ffffffffa04505ce [cifs] + #3 [ffff880fbfdc1bb0] CIFSSMBNegotiate at ffffffffa0438d79 [cifs] + #4 [ffff880fbfdc1c50] cifs_negotiate_protocol at ffffffffa043b383 [cifs] + #5 [ffff880fbfdc1c80] cifs_reconnect_tcon at ffffffffa042f911 [cifs] + #6 [ffff880fbfdc1d20] smb_init at ffffffffa042faeb [cifs] + #7 [ffff880fbfdc1d60] CIFSSMBQFSInfo at ffffffffa0434eb0 [cifs] + .... + +Signed-off-by: Samuel Cabrero <scabrero@suse.de> +Reviewed-by: Aurélien Aptel <aaptel@suse.de> +Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com> +Signed-off-by: Steve French <smfrench@gmail.com> +Signed-off-by: Aurelien Aptel <aaptel@suse.com> +Acked-by: Aurelien Aptel <aaptel@suse.com> + +--- + fs/cifs/cifssmb.c | 12 ++++++++++++ + fs/cifs/connect.c | 3 ++- + fs/cifs/smb2pdu.c | 12 ++++++++++++ + 3 files changed, 26 insertions(+), 1 deletion(-) + +--- a/fs/cifs/cifssmb.c ++++ b/fs/cifs/cifssmb.c +@@ -178,6 +178,18 @@ cifs_reconnect_tcon(struct cifs_tcon *tc + * reconnect the same SMB session + */ + mutex_lock(&ses->session_mutex); ++ ++ /* ++ * Recheck after acquire mutex. If another thread is negotiating ++ * and the server never sends an answer the socket will be closed ++ * and tcpStatus set to reconnect. ++ */ ++ if (server->tcpStatus == CifsNeedReconnect) { ++ rc = -EHOSTDOWN; ++ mutex_unlock(&ses->session_mutex); ++ goto out; ++ } ++ + rc = cifs_negotiate_protocol(0, ses); + if (rc == 0 && ses->need_reconnect) + rc = cifs_setup_session(0, ses, nls_codepage); +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -513,7 +513,8 @@ server_unresponsive(struct TCP_Server_In + * 65s kernel_recvmsg times out, and we see that we haven't gotten + * a response in >60s. + */ +- if (server->tcpStatus == CifsGood && ++ if ((server->tcpStatus == CifsGood || ++ server->tcpStatus == CifsNeedNegotiate) && + time_after(jiffies, server->lstrp + 2 * server->echo_interval)) { + cifs_dbg(VFS, "Server %s has not responded in %lu seconds. Reconnecting...\n", + server->hostname, (2 * server->echo_interval) / HZ); +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -238,6 +238,18 @@ smb2_reconnect(__le16 smb2_command, stru + * the same SMB session + */ + mutex_lock(&tcon->ses->session_mutex); ++ ++ /* ++ * Recheck after acquire mutex. If another thread is negotiating ++ * and the server never sends an answer the socket will be closed ++ * and tcpStatus set to reconnect. ++ */ ++ if (server->tcpStatus == CifsNeedReconnect) { ++ rc = -EHOSTDOWN; ++ mutex_unlock(&tcon->ses->session_mutex); ++ goto out; ++ } ++ + rc = cifs_negotiate_protocol(0, tcon->ses); + if (!rc && tcon->ses->need_reconnect) + rc = cifs_setup_session(0, tcon->ses, nls_codepage); diff --git a/patches.fixes/NFSv4-Revert-commit-5f83d86cf531d-NFSv4.x-Fix-wrapar.patch b/patches.fixes/NFSv4-Revert-commit-5f83d86cf531d-NFSv4.x-Fix-wrapar.patch new file mode 100644 index 0000000000..9976c15faa --- /dev/null +++ b/patches.fixes/NFSv4-Revert-commit-5f83d86cf531d-NFSv4.x-Fix-wrapar.patch @@ -0,0 +1,37 @@ +From: Trond Myklebust <trond.myklebust@hammerspace.com> +Date: Sat, 9 Jun 2018 12:43:06 -0400 +Subject: [PATCH] NFSv4: Revert commit 5f83d86cf531d ("NFSv4.x: Fix wraparound + issues..") +Git-commit: fc40724fc6731d90cc7fb6d62d66135f85a33dd2 +Patch-mainline: v4.18 +References: git-fixes + +The correct behaviour for NFSv4 sequence IDs is to wrap around +to the value 0 after 0xffffffff. +See https://tools.ietf.org/html/rfc5661#section-2.10.6.1 + +Fixes: 5f83d86cf531d ("NFSv4.x: Fix wraparound issues when validing...") +Cc: stable@vger.kernel.org # 4.6+ +Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com> +Acked-by: NeilBrown <neilb@suse.com> + +--- + fs/nfs/callback_proc.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- a/fs/nfs/callback_proc.c ++++ b/fs/nfs/callback_proc.c +@@ -415,11 +415,8 @@ validate_seqid(const struct nfs4_slot_ta + return htonl(NFS4ERR_SEQ_FALSE_RETRY); + } + +- /* Wraparound */ +- if (unlikely(slot->seq_nr == 0xFFFFFFFFU)) { +- if (args->csa_sequenceid == 1) +- return htonl(NFS4_OK); +- } else if (likely(args->csa_sequenceid == slot->seq_nr + 1)) ++ /* Note: wraparound relies on seq_nr being of type u32 */ ++ if (likely(args->csa_sequenceid == slot->seq_nr + 1)) + return htonl(NFS4_OK); + + /* Misordered request */ diff --git a/patches.fixes/ceph-fix-dentry-leak-in-splice_dentry.patch b/patches.fixes/ceph-fix-dentry-leak-in-splice_dentry.patch new file mode 100644 index 0000000000..c23021c67f --- /dev/null +++ b/patches.fixes/ceph-fix-dentry-leak-in-splice_dentry.patch @@ -0,0 +1,28 @@ +From: "Yan, Zheng" <zyan@redhat.com> +Date: Tue, 19 Jun 2018 18:20:34 +0800 +Subject: ceph: fix dentry leak in splice_dentry() +Git-commit: 8b8f53af1ed9df88a4c0fbfdf3db58f62060edf3 +Patch-mainline: v4.18-rc3 +References: bsc#1098236 + +In any case, d_splice_alias() does not drop reference of original +dentry. + +Signed-off-by: "Yan, Zheng" <zyan@redhat.com> +Reviewed-by: Jeff Layton <jlayton@redhat.com> +Signed-off-by: Ilya Dryomov <idryomov@gmail.com> +Acked-by: Luis Henriques <lhenriques@suse.com> +--- + fs/ceph/inode.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/ceph/inode.c ++++ b/fs/ceph/inode.c +@@ -1123,6 +1123,7 @@ static struct dentry *splice_dentry(stru + if (IS_ERR(realdn)) { + pr_err("splice_dentry error %ld %p inode %p ino %llx.%llx\n", + PTR_ERR(realdn), dn, in, ceph_vinop(in)); ++ dput(dn); + dn = realdn; /* note realdn contains the error */ + goto out; + } else if (realdn) { diff --git a/patches.fixes/e1000e-Ignore-TSYNCRXCTL-when-getting-I219-clock-att.patch b/patches.fixes/e1000e-Ignore-TSYNCRXCTL-when-getting-I219-clock-att.patch new file mode 100644 index 0000000000..0caf4fddbd --- /dev/null +++ b/patches.fixes/e1000e-Ignore-TSYNCRXCTL-when-getting-I219-clock-att.patch @@ -0,0 +1,71 @@ +From: Benjamin Poirier <bpoirier@suse.com> +Date: Thu, 10 May 2018 16:28:35 +0900 +Subject: e1000e: Ignore TSYNCRXCTL when getting I219 clock attributes +Patch-mainline: v4.18-rc1 +Git-commit: fff200caf6f9179dd9a7fc67acd659e614c3f72f +References: bsc#1075876 + +There have been multiple reports of crashes that look like +kernel: RIP: 0010:[<ffffffff8110303f>] timecounter_read+0xf/0x50 +[...] +kernel: Call Trace: +kernel: [<ffffffffa0806b0f>] e1000e_phc_gettime+0x2f/0x60 [e1000e] +kernel: [<ffffffffa0806c5d>] e1000e_systim_overflow_work+0x1d/0x80 [e1000e] +kernel: [<ffffffff810992c5>] process_one_work+0x155/0x440 +kernel: [<ffffffff81099e16>] worker_thread+0x116/0x4b0 +kernel: [<ffffffff8109f422>] kthread+0xd2/0xf0 +kernel: [<ffffffff8163184f>] ret_from_fork+0x3f/0x70 + +These can be traced back to the fact that e1000e_systim_reset() skips the +timecounter_init() call if e1000e_get_base_timinca() returns -EINVAL, which +leads to a null deref in timecounter_read(). + +Commit 83129b37ef35 ("e1000e: fix systim issues", v4.2-rc1) reworked +e1000e_get_base_timinca() in such a way that it can return -EINVAL for +e1000_pch_spt if the SYSCFI bit is not set in TSYNCRXCTL. + +Some experimentation has shown that on I219 (e1000_pch_spt, "MAC: 12") +adapters, the E1000_TSYNCRXCTL_SYSCFI flag is unstable; TSYNCRXCTL reads +sometimes don't have the SYSCFI bit set. Retrying the read shortly after +finds the bit to be set. This was observed at boot (probe) but also link up +and link down. + +Moreover, the phc (PTP Hardware Clock) seems to operate normally even after +reads where SYSCFI=0. Therefore, remove this register read and +unconditionally set the clock parameters. + +Reported-by: Achim Mildenberger <admin@fph.physik.uni-karlsruhe.de> +Message-Id: <20180425065243.g5mqewg5irkwgwgv@f2> +Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1075876 +Fixes: 83129b37ef35 ("e1000e: fix systim issues") +Signed-off-by: Benjamin Poirier <bpoirier@suse.com> +Tested-by: Aaron Brown <aaron.f.brown@intel.com> +Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> +--- + drivers/net/ethernet/intel/e1000e/netdev.c | 15 ++++++--------- + 1 file changed, 6 insertions(+), 9 deletions(-) + +--- a/drivers/net/ethernet/intel/e1000e/netdev.c ++++ b/drivers/net/ethernet/intel/e1000e/netdev.c +@@ -3545,15 +3545,12 @@ s32 e1000e_get_base_timinca(struct e1000 + } + break; + case e1000_pch_spt: +- if (er32(TSYNCRXCTL) & E1000_TSYNCRXCTL_SYSCFI) { +- /* Stable 24MHz frequency */ +- incperiod = INCPERIOD_24MHZ; +- incvalue = INCVALUE_24MHZ; +- shift = INCVALUE_SHIFT_24MHZ; +- adapter->cc.shift = shift; +- break; +- } +- return -EINVAL; ++ /* Stable 24MHz frequency */ ++ incperiod = INCPERIOD_24MHZ; ++ incvalue = INCVALUE_24MHZ; ++ shift = INCVALUE_SHIFT_24MHZ; ++ adapter->cc.shift = shift; ++ break; + case e1000_pch_cnp: + if (er32(TSYNCRXCTL) & E1000_TSYNCRXCTL_SYSCFI) { + /* Stable 24MHz frequency */ diff --git a/patches.fixes/fs-binfmt_misc-c-do-not-allow-offset-overflow.patch b/patches.fixes/fs-binfmt_misc-c-do-not-allow-offset-overflow.patch new file mode 100644 index 0000000000..7d654cc8cf --- /dev/null +++ b/patches.fixes/fs-binfmt_misc-c-do-not-allow-offset-overflow.patch @@ -0,0 +1,81 @@ +From 2f8fbf4df80beafa163b398f085957ac1ba1a4b7 Mon Sep 17 00:00:00 2001 +From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> +Date: Thu, 7 Jun 2018 17:11:01 -0700 +Subject: fs/binfmt_misc.c: do not allow offset overflow +Git-commit: 5cc41e099504b77014358b58567c5ea6293dd220 +Patch-mainline: v4.18-rc1 +References: bsc#1099142 + +WHen registering a new binfmt_misc handler, it is possible to overflow +the offset to get a negative value, which might crash the system, or +possibly leak kernel data. + +Here is a crash log when 2500000000 was used as an offset: + + BUG: unable to handle kernel paging request at ffff989cfd6edca0 + IP: load_misc_binary+0x22b/0x470 [binfmt_misc] + PGD 1ef3e067 P4D 1ef3e067 PUD 0 + Oops: 0000 [#1] SMP NOPTI + Modules linked in: binfmt_misc kvm_intel ppdev kvm irqbypass joydev input_leds serio_raw mac_hid parport_pc qemu_fw_cfg parpy + CPU: 0 PID: 2499 Comm: bash Not tainted 4.15.0-22-generic #24-Ubuntu + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.1-1 04/01/2014 + RIP: 0010:load_misc_binary+0x22b/0x470 [binfmt_misc] + Call Trace: + search_binary_handler+0x97/0x1d0 + do_execveat_common.isra.34+0x667/0x810 + SyS_execve+0x31/0x40 + do_syscall_64+0x73/0x130 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 + +Use kstrtoint instead of simple_strtoul. It will work as the code +already set the delimiter byte to '\0' and we only do it when the field +is not empty. + +Tested with offsets -1, 2500000000, UINT_MAX and INT_MAX. Also tested +with examples documented at Documentation/admin-guide/binfmt-misc.rst +and other registrations from packages on Ubuntu. + +Link: http://lkml.kernel.org/r/20180529135648.14254-1-cascardo@canonical.com +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> +Reviewed-by: Andrew Morton <akpm@linux-foundation.org> +Cc: Alexander Viro <viro@zeniv.linux.org.uk> +Cc: <stable@vger.kernel.org> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Acked-by: Luis Henriques <lhenriques@suse.com> +--- + fs/binfmt_misc.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c +index f4718098ac31..1bf786a3a4d5 100644 +--- a/fs/binfmt_misc.c ++++ b/fs/binfmt_misc.c +@@ -384,8 +384,13 @@ static Node *create_entry(const char __user *buffer, size_t count) + s = strchr(p, del); + if (!s) + goto einval; +- *s++ = '\0'; +- e->offset = simple_strtoul(p, &p, 10); ++ *s = '\0'; ++ if (p != s) { ++ int r = kstrtoint(p, 10, &e->offset); ++ if (r != 0 || e->offset < 0) ++ goto einval; ++ } ++ p = s; + if (*p++) + goto einval; + pr_debug("register: offset: %#x\n", e->offset); +@@ -425,7 +430,8 @@ static Node *create_entry(const char __user *buffer, size_t count) + if (e->mask && + string_unescape_inplace(e->mask, UNESCAPE_HEX) != e->size) + goto einval; +- if (e->size + e->offset > BINPRM_BUF_SIZE) ++ if (e->size > BINPRM_BUF_SIZE || ++ BINPRM_BUF_SIZE - e->size < e->offset) + goto einval; + pr_debug("register: magic/mask length: %i\n", e->size); + if (USE_DEBUG) { + diff --git a/patches.fixes/ip6mr-only-set-ip6mr_table-from-setsockopt-when-ip6m.patch b/patches.fixes/ip6mr-only-set-ip6mr_table-from-setsockopt-when-ip6m.patch new file mode 100644 index 0000000000..9e2619a559 --- /dev/null +++ b/patches.fixes/ip6mr-only-set-ip6mr_table-from-setsockopt-when-ip6m.patch @@ -0,0 +1,37 @@ +From: Sabrina Dubroca <sd@queasysnail.net> +Date: Tue, 5 Jun 2018 15:01:59 +0200 +Subject: [PATCH] ip6mr: only set ip6mr_table from setsockopt when + ip6mr_new_table succeeds +Git-commit: 848235edb5c93ed086700584c8ff64f6d7fc778d +Patch-mainline: v4.18 +References: git-fixes + +Currently, raw6_sk(sk)->ip6mr_table is set unconditionally during +ip6_mroute_setsockopt(MRT6_TABLE). A subsequent attempt at the same +setsockopt will fail with -ENOENT, since we haven't actually created +that table. + +A similar fix for ipv4 was included in commit 5e1859fbcc3c ("ipv4: ipmr: +various fixes and cleanups"). + +Fixes: d1db275dd3f6 ("ipv6: ip6mr: support multiple tables") +Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> +Signed-off-by: David S. Miller <davem@davemloft.net> +Acked-by: NeilBrown <neilb@suse.com> + +--- + net/ipv6/ip6mr.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/ipv6/ip6mr.c ++++ b/net/ipv6/ip6mr.c +@@ -1792,7 +1792,8 @@ int ip6_mroute_setsockopt(struct sock *s + ret = 0; + if (!ip6mr_new_table(net, v)) + ret = -ENOMEM; +- raw6_sk(sk)->ip6mr_table = v; ++ else ++ raw6_sk(sk)->ip6mr_table = v; + rtnl_unlock(); + return ret; + } diff --git a/patches.fixes/kconfig-Avoid-format-overflow-warning-from-GCC-8.1 b/patches.fixes/kconfig-Avoid-format-overflow-warning-from-GCC-8.1 new file mode 100644 index 0000000000..b75ccf3eb0 --- /dev/null +++ b/patches.fixes/kconfig-Avoid-format-overflow-warning-from-GCC-8.1 @@ -0,0 +1,56 @@ +From 2ae89c7a82ea9d81a19b4fc2df23bef4b112f24e Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor <natechancellor@gmail.com> +Date: Sat, 2 Jun 2018 09:02:09 -0700 +Subject: [PATCH] kconfig: Avoid format overflow warning from GCC 8.1 +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 2ae89c7a82ea9d81a19b4fc2df23bef4b112f24e +Patch-mainline: v4.18-rc1 +References: bsc#1051510 + +In file included from scripts/kconfig/zconf.tab.c:2485: +Scripts/kconfig/confdata.c: In function ‘conf_write’: +scripts/kconfig/confdata.c:773:22: warning: ‘%s’ directive writing likely 7 or more bytes into a region of size between 1 and 4097 [-Wformat-overflow=] + sprintf(newname, "%s%s", dirname, basename); + ^~ +scripts/kconfig/confdata.c:773:19: note: assuming directive output of 7 bytes + sprintf(newname, "%s%s", dirname, basename); + ^~~~~~ +scripts/kconfig/confdata.c:773:2: note: ‘sprintf’ output 1 or more bytes (assuming 4104) into a destination of size 4097 + sprintf(newname, "%s%s", dirname, basename); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +scripts/kconfig/confdata.c:776:23: warning: ‘.tmpconfig.’ directive writing 11 bytes into a region of size between 1 and 4097 [-Wformat-overflow=] + sprintf(tmpname, "%s.tmpconfig.%d", dirname, (int)getpid()); + ^~~~~~~~~~~ +scripts/kconfig/confdata.c:776:3: note: ‘sprintf’ output between 13 and 4119 bytes into a destination of size 4097 + sprintf(tmpname, "%s.tmpconfig.%d", dirname, (int)getpid()); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Increase the size of tmpname and newname to make GCC happy. + +Cc: stable@vger.kernel.org +Signed-off-by: Nathan Chancellor <natechancellor@gmail.com> +Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com> +Acked-by: Takashi Iwai <tiwai@suse.de> + +--- + scripts/kconfig/confdata.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/kconfig/confdata.c b/scripts/kconfig/confdata.c +index 5f87ad561b08..39e20974f4a3 100644 +--- a/scripts/kconfig/confdata.c ++++ b/scripts/kconfig/confdata.c +@@ -720,7 +720,7 @@ int conf_write(const char *name) + struct menu *menu; + const char *basename; + const char *str; +- char dirname[PATH_MAX+1], tmpname[PATH_MAX+1], newname[PATH_MAX+1]; ++ char dirname[PATH_MAX+1], tmpname[PATH_MAX+22], newname[PATH_MAX+8]; + char *env; + + dirname[0] = 0; +-- +2.17.1 + diff --git a/patches.fixes/kconfig-Don-t-leak-main-menus-during-parsing b/patches.fixes/kconfig-Don-t-leak-main-menus-during-parsing new file mode 100644 index 0000000000..19a9fd0992 --- /dev/null +++ b/patches.fixes/kconfig-Don-t-leak-main-menus-during-parsing @@ -0,0 +1,119 @@ +From 0724a7c32a54e3e50d28e19e30c59014f61d4e2c Mon Sep 17 00:00:00 2001 +From: Ulf Magnusson <ulfalizer@gmail.com> +Date: Sun, 8 Oct 2017 19:11:21 +0200 +Subject: [PATCH] kconfig: Don't leak main menus during parsing +Git-commit: 0724a7c32a54e3e50d28e19e30c59014f61d4e2c +Patch-mainline: v4.16-rc1 +References: bsc#1051510 + +If a 'mainmenu' entry appeared in the Kconfig files, two things would +Leak: + + - The 'struct property' allocated for the default "Linux Kernel + Configuration" prompt. + + - The string for the T_WORD/T_WORD_QUOTE prompt after the + T_MAINMENU token, allocated on the heap in zconf.l. + +To fix it, introduce a new 'no_mainmenu_stmt' nonterminal that matches +if there's no 'mainmenu' and adds the default prompt. That means the +prompt only gets allocated once regardless of whether there's a +'mainmenu' statement or not, and managing it becomes simple. + +Summary from Valgrind on 'menuconfig' (ARCH=x86) before the fix: + + LEAK SUMMARY: + definitely lost: 344,568 bytes in 14,352 blocks + ... + +Summary after the fix: + + LEAK SUMMARY: + definitely lost: 344,440 bytes in 14,350 blocks + ... + +Signed-off-by: Ulf Magnusson <ulfalizer@gmail.com> +Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com> +Acked-by: Takashi Iwai <tiwai@suse.de> + +--- + scripts/kconfig/zconf.y | 33 ++++++++++++++++++++++++--------- + 1 file changed, 24 insertions(+), 9 deletions(-) + +diff --git a/scripts/kconfig/zconf.y b/scripts/kconfig/zconf.y +index df9cb12111e4..c1e4e82f56b5 100644 +--- a/scripts/kconfig/zconf.y ++++ b/scripts/kconfig/zconf.y +@@ -109,7 +109,27 @@ static struct menu *current_menu, *current_entry; + %% + input: nl start | start; + +-start: mainmenu_stmt stmt_list | stmt_list; ++start: mainmenu_stmt stmt_list | no_mainmenu_stmt stmt_list; ++ ++/* mainmenu entry */ ++ ++mainmenu_stmt: T_MAINMENU prompt nl ++{ ++ menu_add_prompt(P_MENU, $2, NULL); ++}; ++ ++/* Default main menu, if there's no mainmenu entry */ ++ ++no_mainmenu_stmt: /* empty */ ++{ ++ /* ++ * Hack: Keep the main menu title on the heap so we can safely free it ++ * later regardless of whether it comes from the 'prompt' in ++ * mainmenu_stmt or here ++ */ ++ menu_add_prompt(P_MENU, strdup("Linux Kernel Configuration"), NULL); ++}; ++ + + stmt_list: + /* empty */ +@@ -352,13 +372,6 @@ if_block: + | if_block choice_stmt + ; + +-/* mainmenu entry */ +- +-mainmenu_stmt: T_MAINMENU prompt nl +-{ +- menu_add_prompt(P_MENU, $2, NULL); +-}; +- + /* menu entry */ + + menu: T_MENU prompt T_EOL +@@ -507,6 +520,7 @@ word_opt: /* empty */ { $$ = NULL; } + + void conf_parse(const char *name) + { ++ const char *tmp; + struct symbol *sym; + int i; + +@@ -514,7 +528,6 @@ void conf_parse(const char *name) + + sym_init(); + _menu_init(); +- rootmenu.prompt = menu_add_prompt(P_MENU, "Linux Kernel Configuration", NULL); + + if (getenv("ZCONF_DEBUG")) + zconfdebug = 1; +@@ -524,8 +537,10 @@ void conf_parse(const char *name) + if (!modules_sym) + modules_sym = sym_find( "n" ); + ++ tmp = rootmenu.prompt->text; + rootmenu.prompt->text = _(rootmenu.prompt->text); + rootmenu.prompt->text = sym_expand_string_value(rootmenu.prompt->text); ++ free((char*)tmp); + + menu_finalize(&rootmenu); + for_all_symbols(i, sym) { +-- +2.17.1 + diff --git a/patches.fixes/kconfig-Fix-automatic-menu-creation-mem-leak b/patches.fixes/kconfig-Fix-automatic-menu-creation-mem-leak new file mode 100644 index 0000000000..cc0722c8f0 --- /dev/null +++ b/patches.fixes/kconfig-Fix-automatic-menu-creation-mem-leak @@ -0,0 +1,62 @@ +From ae7440ef0c8013d68c00dad6900e7cce5311bb1c Mon Sep 17 00:00:00 2001 +From: Ulf Magnusson <ulfalizer@gmail.com> +Date: Sun, 8 Oct 2017 19:35:44 +0200 +Subject: [PATCH] kconfig: Fix automatic menu creation mem leak +Git-commit: ae7440ef0c8013d68c00dad6900e7cce5311bb1c +Patch-mainline: v4.16-rc1 +References: bsc#1051510 + +expr_trans_compare() always allocates and returns a new expression, +giving the following leak outline: + + ... + *Allocate* + basedep = expr_trans_compare(basedep, E_UNEQUAL, &symbol_no); + ... + for (menu = parent->next; menu; menu = menu->next) { + ... + *Copy* + dep2 = expr_copy(basedep); + ... + *Free copy* + expr_free(dep2); + } + *basedep lost!* + +Fix by freeing 'basedep' after the loop. + +Summary from Valgrind on 'menuconfig' (ARCH=x86) before the fix: + + LEAK SUMMARY: + definitely lost: 344,376 bytes in 14,349 blocks + ... + +Summary after the fix: + + LEAK SUMMARY: + definitely lost: 44,448 bytes in 1,852 blocks + ... + +Signed-off-by: Ulf Magnusson <ulfalizer@gmail.com> +Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com> +Acked-by: Takashi Iwai <tiwai@suse.de> + +--- + scripts/kconfig/menu.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/scripts/kconfig/menu.c b/scripts/kconfig/menu.c +index 2baebe346de9..5b2415991c3e 100644 +--- a/scripts/kconfig/menu.c ++++ b/scripts/kconfig/menu.c +@@ -440,6 +440,7 @@ void menu_finalize(struct menu *parent) + menu->parent = parent; + last_menu = menu; + } ++ expr_free(basedep); + if (last_menu) { + parent->list = parent->next; + parent->next = last_menu->next; +-- +2.17.1 + diff --git a/patches.fixes/kconfig-Fix-expr_free-E_NOT-leak b/patches.fixes/kconfig-Fix-expr_free-E_NOT-leak new file mode 100644 index 0000000000..9f5098fe5a --- /dev/null +++ b/patches.fixes/kconfig-Fix-expr_free-E_NOT-leak @@ -0,0 +1,59 @@ +From 5b1374b3b3c2fc4f63a398adfa446fb8eff791a4 Mon Sep 17 00:00:00 2001 +From: Ulf Magnusson <ulfalizer@gmail.com> +Date: Sun, 8 Oct 2017 19:35:45 +0200 +Subject: [PATCH] kconfig: Fix expr_free() E_NOT leak +Git-commit: 5b1374b3b3c2fc4f63a398adfa446fb8eff791a4 +Patch-mainline: v4.16-rc1 +References: bsc#1051510 + +Only the E_NOT operand and not the E_NOT node itself was freed, due to +accidentally returning too early in expr_free(). Outline of leak: + + switch (e->type) { + ... + case E_NOT: + expr_free(e->left.expr); + return; + ... + } + *Never reached, 'e' leaked* + free(e); + +Fix by changing the 'return' to a 'break'. + +Summary from Valgrind on 'menuconfig' (ARCH=x86) before the fix: + + LEAK SUMMARY: + definitely lost: 44,448 bytes in 1,852 blocks + ... + +Summary after the fix: + + LEAK SUMMARY: + definitely lost: 1,608 bytes in 67 blocks + ... + +Signed-off-by: Ulf Magnusson <ulfalizer@gmail.com> +Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com> +Acked-by: Takashi Iwai <tiwai@suse.de> + +--- + scripts/kconfig/expr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/kconfig/expr.c b/scripts/kconfig/expr.c +index cbf4996dd9c1..ed29bad1f03a 100644 +--- a/scripts/kconfig/expr.c ++++ b/scripts/kconfig/expr.c +@@ -113,7 +113,7 @@ void expr_free(struct expr *e) + break; + case E_NOT: + expr_free(e->left.expr); +- return; ++ break; + case E_EQUAL: + case E_GEQ: + case E_GTH: +-- +2.17.1 + diff --git a/patches.fixes/kobject-don-t-use-WARN-for-registration-failures b/patches.fixes/kobject-don-t-use-WARN-for-registration-failures new file mode 100644 index 0000000000..a73f98cbf8 --- /dev/null +++ b/patches.fixes/kobject-don-t-use-WARN-for-registration-failures @@ -0,0 +1,51 @@ +From 3e14c6abbfb5c94506edda9d8e2c145d79375798 Mon Sep 17 00:00:00 2001 +From: Dmitry Vyukov <dvyukov@google.com> +Date: Wed, 11 Apr 2018 17:22:43 +0200 +Subject: [PATCH] kobject: don't use WARN for registration failures +Git-commit: 3e14c6abbfb5c94506edda9d8e2c145d79375798 +Patch-mainline: v4.17-rc3 +References: bsc#1051510 + +This WARNING proved to be noisy. The function still returns an error +and callers should handle it. That's how most of kernel code works. +Downgrade the WARNING to pr_err() and leave WARNINGs for kernel bugs. + +Signed-off-by: Dmitry Vyukov <dvyukov@google.com> +Reported-by: syzbot+209c0f67f99fec8eb14b@syzkaller.appspotmail.com +Reported-by: syzbot+7fb6d9525a4528104e05@syzkaller.appspotmail.com +Reported-by: syzbot+2e63711063e2d8f9ea27@syzkaller.appspotmail.com +Reported-by: syzbot+de73361ee4971b6e6f75@syzkaller.appspotmail.com +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Acked-by: Takashi Iwai <tiwai@suse.de> + +--- + lib/kobject.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/lib/kobject.c b/lib/kobject.c +index e1d1f290bf35..18989b5b3b56 100644 +--- a/lib/kobject.c ++++ b/lib/kobject.c +@@ -233,13 +233,12 @@ static int kobject_add_internal(struct kobject *kobj) + + /* be noisy on error issues */ + if (error == -EEXIST) +- WARN(1, +- "%s failed for %s with -EEXIST, don't try to register things with the same name in the same directory.\n", +- __func__, kobject_name(kobj)); ++ pr_err("%s failed for %s with -EEXIST, don't try to register things with the same name in the same directory.\n", ++ __func__, kobject_name(kobj)); + else +- WARN(1, "%s failed for %s (error: %d parent: %s)\n", +- __func__, kobject_name(kobj), error, +- parent ? kobject_name(parent) : "'none'"); ++ pr_err("%s failed for %s (error: %d parent: %s)\n", ++ __func__, kobject_name(kobj), error, ++ parent ? kobject_name(parent) : "'none'"); + } else + kobj->state_in_sysfs = 1; + +-- +2.17.1 + diff --git a/patches.fixes/lib-kobject-Join-string-literals-back b/patches.fixes/lib-kobject-Join-string-literals-back new file mode 100644 index 0000000000..1d5e2f831f --- /dev/null +++ b/patches.fixes/lib-kobject-Join-string-literals-back @@ -0,0 +1,140 @@ +From 82d1f1178a8578599fb52e697ee8ce8b68f1efd0 Mon Sep 17 00:00:00 2001 +From: Andy Shevchenko <andriy.shevchenko@linux.intel.com> +Date: Thu, 15 Mar 2018 15:23:43 +0200 +Subject: [PATCH] lib/kobject: Join string literals back +Git-commit: 82d1f1178a8578599fb52e697ee8ce8b68f1efd0 +Patch-mainline: v4.17-rc1 +References: bsc#1051510 + +There is no need to split string literals. Moreover, it would be simpler +to grep for an actual code line, when debugging, by using almost any +part of the string literal in question. + +While here, replace printk(LEVEL) by pr_lvl() macros. + +No functional change intended. + +Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Acked-by: Takashi Iwai <tiwai@suse.de> + +--- + lib/kobject.c | 39 ++++++++++++++++++--------------------- + 1 file changed, 18 insertions(+), 21 deletions(-) + +diff --git a/lib/kobject.c b/lib/kobject.c +index afd5a3fc6123..e1d1f290bf35 100644 +--- a/lib/kobject.c ++++ b/lib/kobject.c +@@ -204,8 +204,9 @@ static int kobject_add_internal(struct kobject *kobj) + return -ENOENT; + + if (!kobj->name || !kobj->name[0]) { +- WARN(1, "kobject: (%p): attempted to be registered with empty " +- "name!\n", kobj); ++ WARN(1, ++ "kobject: (%p): attempted to be registered with empty name!\n", ++ kobj); + return -EINVAL; + } + +@@ -232,9 +233,8 @@ static int kobject_add_internal(struct kobject *kobj) + + /* be noisy on error issues */ + if (error == -EEXIST) +- WARN(1, "%s failed for %s with " +- "-EEXIST, don't try to register things with " +- "the same name in the same directory.\n", ++ WARN(1, ++ "%s failed for %s with -EEXIST, don't try to register things with the same name in the same directory.\n", + __func__, kobject_name(kobj)); + else + WARN(1, "%s failed for %s (error: %d parent: %s)\n", +@@ -334,8 +334,8 @@ void kobject_init(struct kobject *kobj, struct kobj_type *ktype) + } + if (kobj->state_initialized) { + /* do not error out as sometimes we can recover */ +- printk(KERN_ERR "kobject (%p): tried to init an initialized " +- "object, something is seriously wrong.\n", kobj); ++ pr_err("kobject (%p): tried to init an initialized object, something is seriously wrong.\n", ++ kobj); + dump_stack(); + } + +@@ -344,7 +344,7 @@ void kobject_init(struct kobject *kobj, struct kobj_type *ktype) + return; + + error: +- printk(KERN_ERR "kobject (%p): %s\n", kobj, err_str); ++ pr_err("kobject (%p): %s\n", kobj, err_str); + dump_stack(); + } + EXPORT_SYMBOL(kobject_init); +@@ -357,7 +357,7 @@ static __printf(3, 0) int kobject_add_varg(struct kobject *kobj, + + retval = kobject_set_name_vargs(kobj, fmt, vargs); + if (retval) { +- printk(KERN_ERR "kobject: can not set name properly!\n"); ++ pr_err("kobject: can not set name properly!\n"); + return retval; + } + kobj->parent = parent; +@@ -399,8 +399,7 @@ int kobject_add(struct kobject *kobj, struct kobject *parent, + return -EINVAL; + + if (!kobj->state_initialized) { +- printk(KERN_ERR "kobject '%s' (%p): tried to add an " +- "uninitialized object, something is seriously wrong.\n", ++ pr_err("kobject '%s' (%p): tried to add an uninitialized object, something is seriously wrong.\n", + kobject_name(kobj), kobj); + dump_stack(); + return -EINVAL; +@@ -590,9 +589,9 @@ struct kobject *kobject_get(struct kobject *kobj) + { + if (kobj) { + if (!kobj->state_initialized) +- WARN(1, KERN_WARNING "kobject: '%s' (%p): is not " +- "initialized, yet kobject_get() is being " +- "called.\n", kobject_name(kobj), kobj); ++ WARN(1, KERN_WARNING ++ "kobject: '%s' (%p): is not initialized, yet kobject_get() is being called.\n", ++ kobject_name(kobj), kobj); + kref_get(&kobj->kref); + } + return kobj; +@@ -622,8 +621,7 @@ static void kobject_cleanup(struct kobject *kobj) + kobject_name(kobj), kobj, __func__, kobj->parent); + + if (t && !t->release) +- pr_debug("kobject: '%s' (%p): does not have a release() " +- "function, it is broken and must be fixed.\n", ++ pr_debug("kobject: '%s' (%p): does not have a release() function, it is broken and must be fixed.\n", + kobject_name(kobj), kobj); + + /* send "remove" if the caller did not do it but sent "add" */ +@@ -686,9 +684,9 @@ void kobject_put(struct kobject *kobj) + { + if (kobj) { + if (!kobj->state_initialized) +- WARN(1, KERN_WARNING "kobject: '%s' (%p): is not " +- "initialized, yet kobject_put() is being " +- "called.\n", kobject_name(kobj), kobj); ++ WARN(1, KERN_WARNING ++ "kobject: '%s' (%p): is not initialized, yet kobject_put() is being called.\n", ++ kobject_name(kobj), kobj); + kref_put(&kobj->kref, kobject_release); + } + } +@@ -752,8 +750,7 @@ struct kobject *kobject_create_and_add(const char *name, struct kobject *parent) + + retval = kobject_add(kobj, parent, "%s", name); + if (retval) { +- printk(KERN_WARNING "%s: kobject_add error: %d\n", +- __func__, retval); ++ pr_warn("%s: kobject_add error: %d\n", __func__, retval); + kobject_put(kobj); + kobj = NULL; + } +-- +2.17.1 + diff --git a/patches.fixes/regulator-don-t-return-or-expect-errno-from-of_map_mode.patch b/patches.fixes/regulator-don-t-return-or-expect-errno-from-of_map_mode.patch new file mode 100644 index 0000000000..8d41b9516a --- /dev/null +++ b/patches.fixes/regulator-don-t-return-or-expect-errno-from-of_map_mode.patch @@ -0,0 +1,97 @@ +From: Douglas Anderson <dianders@chromium.org> +Date: Wed, 18 Apr 2018 08:54:18 -0700 +Subject: regulator: Don't return or expect -errno from of_map_mode() +Git-commit: 02f3703934a42417021405ef336fe45add13c3d1 +Patch-mainline: v4.18-rc1 +References: bsc#1099029 + +In of_get_regulation_constraints() we were taking the result of +of_map_mode() (an unsigned int) and assigning it to an int. We were +then checking whether this value was -EINVAL. Some implementers of +of_map_mode() were returning -EINVAL (even though the return type of +their function needed to be unsigned int) because they needed to +signal an error back to of_get_regulation_constraints(). + +In general in the regulator framework the mode is always referred to +as an unsigned int. While we could fix this to be a signed int (the +highest value we store in there right now is 0x8), it's actually +pretty clean to just define the regulator mode 0x0 (the lack of any +bits set) as an invalid mode. Let's do that. + +Fixes: 5e5e3a42c653 ("regulator: of: Add support for parsing initial and suspend modes") +Suggested-by: Javier Martinez Canillas <javierm@redhat.com> +Signed-off-by: Douglas Anderson <dianders@chromium.org> +Reviewed-by: Javier Martinez Canillas <javierm@redhat.com> +Signed-off-by: Mark Brown <broonie@kernel.org> +[luis: dropped changes to cpcap-regulator.c as we don't have + 74ff8e065101 ("regulator: cpcap: Add OF mode mapping") ] +Acked-by: Luis Henriques <lhenriques@suse.com> +--- + drivers/regulator/of_regulator.c | 13 +++++++------ + drivers/regulator/twl-regulator.c | 2 +- + include/linux/regulator/consumer.h | 1 + + 3 files changed, 9 insertions(+), 7 deletions(-) + +--- a/drivers/regulator/of_regulator.c ++++ b/drivers/regulator/of_regulator.c +@@ -31,6 +31,7 @@ static void of_get_regulation_constraint + struct regulation_constraints *constraints = &(*init_data)->constraints; + struct regulator_state *suspend_state; + struct device_node *suspend_np; ++ unsigned int mode; + int ret, i; + u32 pval; + +@@ -105,11 +106,11 @@ static void of_get_regulation_constraint + + if (!of_property_read_u32(np, "regulator-initial-mode", &pval)) { + if (desc && desc->of_map_mode) { +- ret = desc->of_map_mode(pval); +- if (ret == -EINVAL) ++ mode = desc->of_map_mode(pval); ++ if (mode == REGULATOR_MODE_INVALID) + pr_err("%s: invalid mode %u\n", np->name, pval); + else +- constraints->initial_mode = ret; ++ constraints->initial_mode = mode; + } else { + pr_warn("%s: mapping for mode %d not defined\n", + np->name, pval); +@@ -144,12 +145,12 @@ static void of_get_regulation_constraint + if (!of_property_read_u32(suspend_np, "regulator-mode", + &pval)) { + if (desc && desc->of_map_mode) { +- ret = desc->of_map_mode(pval); +- if (ret == -EINVAL) ++ mode = desc->of_map_mode(pval); ++ if (mode == REGULATOR_MODE_INVALID) + pr_err("%s: invalid mode %u\n", + np->name, pval); + else +- suspend_state->mode = ret; ++ suspend_state->mode = mode; + } else { + pr_warn("%s: mapping for mode %d not defined\n", + np->name, pval); +--- a/drivers/regulator/twl-regulator.c ++++ b/drivers/regulator/twl-regulator.c +@@ -274,7 +274,7 @@ static inline unsigned int twl4030reg_ma + case RES_STATE_SLEEP: + return REGULATOR_MODE_STANDBY; + default: +- return -EINVAL; ++ return REGULATOR_MODE_INVALID; + } + } + +--- a/include/linux/regulator/consumer.h ++++ b/include/linux/regulator/consumer.h +@@ -80,6 +80,7 @@ struct regmap; + * These modes can be OR'ed together to make up a mask of valid register modes. + */ + ++#define REGULATOR_MODE_INVALID 0x0 + #define REGULATOR_MODE_FAST 0x1 + #define REGULATOR_MODE_NORMAL 0x2 + #define REGULATOR_MODE_IDLE 0x4 + diff --git a/patches.fixes/vhost-fix-info-leak-due-to-uninitialized-memory.patch b/patches.fixes/vhost-fix-info-leak-due-to-uninitialized-memory.patch new file mode 100644 index 0000000000..e8b9418bd0 --- /dev/null +++ b/patches.fixes/vhost-fix-info-leak-due-to-uninitialized-memory.patch @@ -0,0 +1,41 @@ +From: "Michael S. Tsirkin" <mst@redhat.com> +Date: Sat, 12 May 2018 00:33:10 +0300 +Subject: vhost: fix info leak due to uninitialized memory +Git-commit: 670ae9caaca467ea1bfd325cb2a5c98ba87f94ad +Patch-mainline: v4.18-rc1 +References: bsc#1092472 CVE-2018-1118 + +struct vhost_msg within struct vhost_msg_node is copied to userspace. +Unfortunately it turns out on 64 bit systems vhost_msg has padding after +type which gcc doesn't initialize, leaking 4 uninitialized bytes to +userspace. + +This padding also unfortunately means 32 bit users of this interface are +broken on a 64 bit kernel which will need to be fixed separately. + +Fixes: CVE-2018-1118 +Cc: stable@vger.kernel.org +Reported-by: Kevin Easton <kevin@guarana.org> +Signed-off-by: Michael S. Tsirkin <mst@redhat.com> +Reported-by: syzbot+87cfa083e727a224754b@syzkaller.appspotmail.com +Signed-off-by: Michael S. Tsirkin <mst@redhat.com> +Acked-by: Borislav Petkov <bp@suse.de> +--- + drivers/vhost/vhost.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c +index f0be5f35ab28..9beefa6ed1ce 100644 +--- a/drivers/vhost/vhost.c ++++ b/drivers/vhost/vhost.c +@@ -2345,6 +2345,9 @@ struct vhost_msg_node *vhost_new_msg(struct vhost_virtqueue *vq, int type) + struct vhost_msg_node *node = kmalloc(sizeof *node, GFP_KERNEL); + if (!node) + return NULL; ++ ++ /* Make sure all padding within the structure is initialized. */ ++ memset(&node->msg, 0, sizeof node->msg); + node->vq = vq; + node->msg.type = type; + return node; + diff --git a/patches.fixes/xprtrdma-Fix-list-corruption-DMAR-errors-during-MR-r.patch b/patches.fixes/xprtrdma-Fix-list-corruption-DMAR-errors-during-MR-r.patch new file mode 100644 index 0000000000..551cf1b5f1 --- /dev/null +++ b/patches.fixes/xprtrdma-Fix-list-corruption-DMAR-errors-during-MR-r.patch @@ -0,0 +1,125 @@ +From: Chuck Lever <chuck.lever@oracle.com> +Date: Tue, 1 May 2018 11:37:14 -0400 +Subject: [PATCH] xprtrdma: Fix list corruption / DMAR errors during MR + recovery +Git-commit: 054f155721d7af1f343ed52bea246626d8450ca8 +Patch-mainline: v4.17 +References: git-fixes + +The ro_release_mr methods check whether mr->mr_list is empty. +Therefore, be sure to always use list_del_init when removing an MR +linked into a list using that field. Otherwise, when recovering from +transport failures or device removal, list corruption can result, or +MRs can get mapped or unmapped an odd number of times, resulting in +IOMMU-related failures. + +In general this fix is appropriate back to v4.8. However, code +changes since then make it impossible to apply this patch directly +to stable kernels. The fix would have to be applied by hand or +reworked for kernels earlier than v4.16. + +Backport guidance -- there are several cases: +- When creating an MR, initialize mr_list so that using list_empty + on an as-yet-unused MR is safe. +- When an MR is being handled by the remote invalidation path, + ensure that mr_list is reinitialized when it is removed from + rl_registered. +- When an MR is being handled by rpcrdma_destroy_mrs, it is removed + from mr_all, but it may still be on an rl_registered list. In + that case, the MR needs to be removed from that list before being + released. +- Other cases are covered by using list_del_init in rpcrdma_mr_pop. + +Fixes: 9d6b04097882 ('xprtrdma: Place registered MWs on a ... ') +Signed-off-by: Chuck Lever <chuck.lever@oracle.com> +Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com> +Acked-by: NeilBrown <neilb@suse.com> + +--- + net/sunrpc/xprtrdma/fmr_ops.c | 5 +---- + net/sunrpc/xprtrdma/frwr_ops.c | 9 +++------ + net/sunrpc/xprtrdma/verbs.c | 5 +++++ + net/sunrpc/xprtrdma/xprt_rdma.h | 2 +- + 4 files changed, 10 insertions(+), 11 deletions(-) + +--- a/net/sunrpc/xprtrdma/fmr_ops.c ++++ b/net/sunrpc/xprtrdma/fmr_ops.c +@@ -71,6 +71,7 @@ fmr_op_init_mr(struct rpcrdma_ia *ia, st + if (IS_ERR(mw->fmr.fm_mr)) + goto out_fmr_err; + ++ INIT_LIST_HEAD(&mw->mw_list); + return 0; + + out_fmr_err: +@@ -101,10 +102,6 @@ fmr_op_release_mr(struct rpcrdma_mw *r) + LIST_HEAD(unmap_list); + int rc; + +- /* Ensure MW is not on any rl_registered list */ +- if (!list_empty(&r->mw_list)) +- list_del(&r->mw_list); +- + kfree(r->fmr.fm_physaddrs); + kfree(r->mw_sg); + +--- a/net/sunrpc/xprtrdma/frwr_ops.c ++++ b/net/sunrpc/xprtrdma/frwr_ops.c +@@ -109,6 +109,7 @@ frwr_op_init_mr(struct rpcrdma_ia *ia, s + if (!r->mw_sg) + goto out_list_err; + ++ INIT_LIST_HEAD(&r->mw_list); + sg_init_table(r->mw_sg, depth); + init_completion(&f->fr_linv_done); + return 0; +@@ -132,10 +133,6 @@ frwr_op_release_mr(struct rpcrdma_mw *r) + { + int rc; + +- /* Ensure MW is not on any rl_registered list */ +- if (!list_empty(&r->mw_list)) +- list_del(&r->mw_list); +- + rc = ib_dereg_mr(r->frmr.fr_mr); + if (rc) + pr_err("rpcrdma: final ib_dereg_mr for %p returned %i\n", +@@ -192,11 +189,11 @@ frwr_op_recover_mr(struct rpcrdma_mw *mw + return; + + out_release: +- pr_err("rpcrdma: FRMR reset failed %d, %p release\n", rc, mw); ++ pr_err("rpcrdma: FRMR reset failed %d, %p released\n", rc, mw); + r_xprt->rx_stats.mrs_orphaned++; + + spin_lock(&r_xprt->rx_buf.rb_mwlock); +- list_del(&mw->mw_all); ++ list_del_init(&mw->mw_all); + spin_unlock(&r_xprt->rx_buf.rb_mwlock); + + frwr_op_release_mr(mw); +--- a/net/sunrpc/xprtrdma/verbs.c ++++ b/net/sunrpc/xprtrdma/verbs.c +@@ -1143,6 +1143,11 @@ rpcrdma_destroy_mrs(struct rpcrdma_buffe + list_del(&mw->mw_all); + + spin_unlock(&buf->rb_mwlock); ++ ++ /* Ensure MW is not on any rl_registered list */ ++ if (!list_empty(&mw->mw_list)) ++ list_del(&mw->mw_list); ++ + ia->ri_ops->ro_release_mr(mw); + count++; + spin_lock(&buf->rb_mwlock); +--- a/net/sunrpc/xprtrdma/xprt_rdma.h ++++ b/net/sunrpc/xprtrdma/xprt_rdma.h +@@ -384,7 +384,7 @@ rpcrdma_pop_mw(struct list_head *list) + struct rpcrdma_mw *mw; + + mw = list_first_entry(list, struct rpcrdma_mw, mw_list); +- list_del(&mw->mw_list); ++ list_del_init(&mw->mw_list); + return mw; + } + diff --git a/patches.fixes/xprtrdma-Return-ENOBUFS-when-no-pages-are-available.patch b/patches.fixes/xprtrdma-Return-ENOBUFS-when-no-pages-are-available.patch new file mode 100644 index 0000000000..b9997893ff --- /dev/null +++ b/patches.fixes/xprtrdma-Return-ENOBUFS-when-no-pages-are-available.patch @@ -0,0 +1,33 @@ +From: Chuck Lever <chuck.lever@oracle.com> +Date: Fri, 4 May 2018 15:35:46 -0400 +Subject: [PATCH] xprtrdma: Return -ENOBUFS when no pages are available +Git-commit: a8f688ec437dc2045cc8f0c89fe877d5803850da +Patch-mainline: v4.18 +References: git-fixes + +The use of -EAGAIN in rpcrdma_convert_iovs() is a latent bug: the +transport never calls xprt_write_space() when more pages become +available. -ENOBUFS will trigger the correct "delay briefly and call +again" logic. + +Fixes: 7a89f9c626e3 ("xprtrdma: Honor ->send_request API contract") +Signed-off-by: Chuck Lever <chuck.lever@oracle.com> +Cc: stable@vger.kernel.org # 4.8+ +Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com> +Acked-by: NeilBrown <neilb@suse.com> + +--- + net/sunrpc/xprtrdma/rpc_rdma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sunrpc/xprtrdma/rpc_rdma.c ++++ b/net/sunrpc/xprtrdma/rpc_rdma.c +@@ -229,7 +229,7 @@ rpcrdma_convert_iovs(struct rpcrdma_xprt + /* alloc the pagelist for receiving buffer */ + ppages[p] = alloc_page(GFP_ATOMIC); + if (!ppages[p]) +- return -EAGAIN; ++ return -ENOBUFS; + } + seg[n].mr_page = ppages[p]; + seg[n].mr_offset = (void *)(unsigned long) page_base; diff --git a/patches.suse/0001-locking-Remove-smp_read_barrier_depends-from-queued_.patch b/patches.suse/0001-locking-Remove-smp_read_barrier_depends-from-queued_.patch new file mode 100644 index 0000000000..98004f722b --- /dev/null +++ b/patches.suse/0001-locking-Remove-smp_read_barrier_depends-from-queued_.patch @@ -0,0 +1,57 @@ +From 548095dea63ffc016d39c35b32c628d033638aca Mon Sep 17 00:00:00 2001 +From: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com> +Date: Mon, 9 Oct 2017 11:22:50 -0700 +Subject: [PATCH] locking: Remove smp_read_barrier_depends() from queued_spin_lock_slowpath() +Git-commit: 548095dea63ffc016d39c35b32c628d033638aca +Patch-mainline: v4.16-rc1 +References: bsc#1050549 + +Queued spinlocks are not used by DEC Alpha, and furthermore operations +such as READ_ONCE() and release/relaxed RMW atomics are being changed +to imply smp_read_barrier_depends(). This commit therefore removes the +now-redundant smp_read_barrier_depends() from queued_spin_lock_slowpath(), +and adjusts the comments accordingly. + +Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com> +Cc: Peter Zijlstra <peterz@infradead.org> +Cc: Ingo Molnar <mingo@redhat.com> +Signed-off-by: Davidlohr Bueso <dbueso@suse.de> + +--- + kernel/locking/qspinlock.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/kernel/locking/qspinlock.c b/kernel/locking/qspinlock.c +index 294294c71ba4..38ece035039e 100644 +--- a/kernel/locking/qspinlock.c ++++ b/kernel/locking/qspinlock.c +@@ -170,7 +170,7 @@ static __always_inline void clear_pending_set_locked(struct qspinlock *lock) + * @tail : The new queue tail code word + * Return: The previous queue tail code word + * +- * xchg(lock, tail) ++ * xchg(lock, tail), which heads an address dependency + * + * p,*,* -> n,*,* ; prev = xchg(lock, node) + */ +@@ -409,13 +409,11 @@ void queued_spin_lock_slowpath(struct qspinlock *lock, u32 val) + if (old & _Q_TAIL_MASK) { + prev = decode_tail(old); + /* +- * The above xchg_tail() is also a load of @lock which generates, +- * through decode_tail(), a pointer. +- * +- * The address dependency matches the RELEASE of xchg_tail() +- * such that the access to @prev must happen after. ++ * The above xchg_tail() is also a load of @lock which ++ * generates, through decode_tail(), a pointer. The address ++ * dependency matches the RELEASE of xchg_tail() such that ++ * the subsequent access to @prev happens after. + */ +- smp_read_barrier_depends(); + + WRITE_ONCE(prev->next, node); + +-- +2.16.4 + diff --git a/patches.suse/0001-locking-qspinlock-Ensure-node-is-initialised-before-.patch b/patches.suse/0001-locking-qspinlock-Ensure-node-is-initialised-before-.patch new file mode 100644 index 0000000000..df8be8a3da --- /dev/null +++ b/patches.suse/0001-locking-qspinlock-Ensure-node-is-initialised-before-.patch @@ -0,0 +1,87 @@ +From 95bcade33a8af38755c9b0636e36a36ad3789fe6 Mon Sep 17 00:00:00 2001 +From: Will Deacon <will.deacon@arm.com> +Date: Tue, 13 Feb 2018 13:22:56 +0000 +Subject: [PATCH 1/2] locking/qspinlock: Ensure node is initialised before updating prev->next +Git-commit: 95bcade33a8af38755c9b0636e36a36ad3789fe6 +Patch-mainline: v4.16-rc2 +References: bsc#1050549 + +When a locker ends up queuing on the qspinlock locking slowpath, we +initialise the relevant mcs node and publish it indirectly by updating +the tail portion of the lock word using xchg_tail. If we find that there +was a pre-existing locker in the queue, we subsequently update their +->next field to point at our node so that we are notified when it's our +turn to take the lock. + +This can be roughly illustrated as follows: + + /* Initialise the fields in node and encode a pointer to node in tail */ + tail = initialise_node(node); + + /* + * Exchange tail into the lockword using an atomic read-modify-write + * operation with release semantics + */ + old = xchg_tail(lock, tail); + + /* If there was a pre-existing waiter ... */ + if (old & _Q_TAIL_MASK) { + prev = decode_tail(old); + smp_read_barrier_depends(); + + /* ... then update their ->next field to point to node. + WRITE_ONCE(prev->next, node); + } + +The conditional update of prev->next therefore relies on the address +dependency from the result of xchg_tail ensuring order against the +prior initialisation of node. However, since the release semantics of +the xchg_tail operation apply only to the write portion of the RmW, +then this ordering is not guaranteed and it is possible for the CPU +to return old before the writes to node have been published, consequently +allowing us to point prev->next to an uninitialised node. + +This patch fixes the problem by making the update of prev->next a RELEASE +operation, which also removes the reliance on dependency ordering. + +Signed-off-by: Will Deacon <will.deacon@arm.com> +Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org> +Cc: Linus Torvalds <torvalds@linux-foundation.org> +Cc: Thomas Gleixner <tglx@linutronix.de> +Link: http://lkml.kernel.org/r/1518528177-19169-2-git-send-email-will.deacon@arm.com +Signed-off-by: Ingo Molnar <mingo@kernel.org> +Signed-off-by: Davidlohr Bueso <dbueso@suse.de> + +--- + kernel/locking/qspinlock.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/kernel/locking/qspinlock.c b/kernel/locking/qspinlock.c +index 38ece035039e..348c8cec1042 100644 +--- a/kernel/locking/qspinlock.c ++++ b/kernel/locking/qspinlock.c +@@ -408,14 +408,15 @@ void queued_spin_lock_slowpath(struct qspinlock *lock, u32 val) + */ + if (old & _Q_TAIL_MASK) { + prev = decode_tail(old); ++ + /* +- * The above xchg_tail() is also a load of @lock which +- * generates, through decode_tail(), a pointer. The address +- * dependency matches the RELEASE of xchg_tail() such that +- * the subsequent access to @prev happens after. ++ * We must ensure that the stores to @node are observed before ++ * the write to prev->next. The address dependency from ++ * xchg_tail is not sufficient to ensure this because the read ++ * component of xchg_tail is unordered with respect to the ++ * initialisation of @node. + */ +- +- WRITE_ONCE(prev->next, node); ++ smp_store_release(&prev->next, node); + + pv_wait_node(node, prev); + arch_mcs_spin_lock_contended(&node->locked); +-- +2.16.4 + diff --git a/patches.suse/0001-x86-stacktrace-do-now-unwind-after-user-regs.patch b/patches.suse/0001-x86-stacktrace-Do-not-unwind-after-user-regs.patch index f932fa8093..9e01fe0424 100644 --- a/patches.suse/0001-x86-stacktrace-do-now-unwind-after-user-regs.patch +++ b/patches.suse/0001-x86-stacktrace-Do-not-unwind-after-user-regs.patch @@ -1,18 +1,26 @@ From: Jiri Slaby <jslaby@suse.cz> -Date: Fri, 1 Dec 2017 08:20:00 +0100 -Subject: x86/stacktrace: do now unwind after user regs -Patch-mainline: submitted on 2017/12/5 +Date: Fri, 18 May 2018 08:47:08 +0200 +Subject: x86/stacktrace: Do not unwind after user regs +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git#x86/asm +Git-commit: 0797a8d0d79769574550caa5ca5d89c237723250 +Patch-mainline: Queued in subsystem maintainer repository References: bnc#1058115 Josh pointed out, that there is no way a frame can be after user regs. So remove the last unwind and the check. Signed-off-by: Jiri Slaby <jslaby@suse.cz> +Acked-by: Josh Poimboeuf <jpoimboe@redhat.com> +Cc: Andy Lutomirski <luto@kernel.org> +Cc: Borislav Petkov <bp@alien8.de> +Cc: Brian Gerst <brgerst@gmail.com> +Cc: Denys Vlasenko <dvlasenk@redhat.com> +Cc: H. Peter Anvin <hpa@zytor.com> +Cc: Linus Torvalds <torvalds@linux-foundation.org> +Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> -Cc: Ingo Molnar <mingo@redhat.com> -Cc: "H. Peter Anvin" <hpa@zytor.com> -Cc: x86@kernel.org -Cc: Josh Poimboeuf <jpoimboe@redhat.com> +Link: https://lkml.kernel.org/lkml/20180518064713.26440-1-jslaby@suse.cz +Signed-off-by: Ingo Molnar <mingo@kernel.org> --- arch/x86/kernel/stacktrace.c | 9 --------- 1 file changed, 9 deletions(-) diff --git a/patches.suse/0002-locking-qspinlock-Ensure-node-count-is-updated-befor.patch b/patches.suse/0002-locking-qspinlock-Ensure-node-count-is-updated-befor.patch new file mode 100644 index 0000000000..e6c4dc195c --- /dev/null +++ b/patches.suse/0002-locking-qspinlock-Ensure-node-count-is-updated-befor.patch @@ -0,0 +1,56 @@ +From 11dc13224c975efcec96647a4768a6f1bb7a19a8 Mon Sep 17 00:00:00 2001 +From: Will Deacon <will.deacon@arm.com> +Date: Tue, 13 Feb 2018 13:22:57 +0000 +Subject: [PATCH 2/2] locking/qspinlock: Ensure node->count is updated before initialising node +Git-commit: 11dc13224c975efcec96647a4768a6f1bb7a19a8 +Patch-mainline: v4.16-rc2 +References: bsc#1050549 + +When queuing on the qspinlock, the count field for the current CPU's head +node is incremented. This needn't be atomic because locking in e.g. IRQ +context is balanced and so an IRQ will return with node->count as it +found it. + +However, the compiler could in theory reorder the initialisation of +node[idx] before the increment of the head node->count, causing an +IRQ to overwrite the initialised node and potentially corrupt the lock +state. + +Avoid the potential for this harmful compiler reordering by placing a +barrier() between the increment of the head node->count and the subsequent +node initialisation. + +Signed-off-by: Will Deacon <will.deacon@arm.com> +Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org> +Cc: Linus Torvalds <torvalds@linux-foundation.org> +Cc: Thomas Gleixner <tglx@linutronix.de> +Link: http://lkml.kernel.org/r/1518528177-19169-3-git-send-email-will.deacon@arm.com +Signed-off-by: Ingo Molnar <mingo@kernel.org> +Signed-off-by: Davidlohr Bueso <dbueso@suse.de> + +--- + kernel/locking/qspinlock.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/kernel/locking/qspinlock.c b/kernel/locking/qspinlock.c +index 348c8cec1042..d880296245c5 100644 +--- a/kernel/locking/qspinlock.c ++++ b/kernel/locking/qspinlock.c +@@ -379,6 +379,14 @@ void queued_spin_lock_slowpath(struct qspinlock *lock, u32 val) + tail = encode_tail(smp_processor_id(), idx); + + node += idx; ++ ++ /* ++ * Ensure that we increment the head node->count before initialising ++ * the actual node. If the compiler is kind enough to reorder these ++ * stores, then an IRQ could overwrite our assignments. ++ */ ++ barrier(); ++ + node->locked = 0; + node->next = NULL; + pv_init_node(node); +-- +2.16.4 + diff --git a/patches.suse/0002-x86-stacktrace-Remove-STACKTRACE_DUMP_ONCE.patch b/patches.suse/0002-x86-stacktrace-Remove-STACKTRACE_DUMP_ONCE.patch new file mode 100644 index 0000000000..c42d885671 --- /dev/null +++ b/patches.suse/0002-x86-stacktrace-Remove-STACKTRACE_DUMP_ONCE.patch @@ -0,0 +1,74 @@ +From: Jiri Slaby <jslaby@suse.cz> +Date: Fri, 18 May 2018 08:47:09 +0200 +Subject: x86/stacktrace: Remove STACKTRACE_DUMP_ONCE +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git#x86/asm +Git-commit: 17426923b03f098da83b8c1e044934a34959f69b +Patch-mainline: Queued in subsystem maintainer repository +References: bnc#1058115 + +The stack unwinding can sometimes fail yet. Especially with the +generated debug info. So do not yell at users -- live patching (the only +user of this interface) will inform the user about the failure +gracefully. + +And given this was the only user of the macro, remove the macro proper +too. + +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +Acked-by: Josh Poimboeuf <jpoimboe@redhat.com> +Cc: Andy Lutomirski <luto@kernel.org> +Cc: Borislav Petkov <bp@alien8.de> +Cc: Brian Gerst <brgerst@gmail.com> +Cc: Denys Vlasenko <dvlasenk@redhat.com> +Cc: H. Peter Anvin <hpa@zytor.com> +Cc: Linus Torvalds <torvalds@linux-foundation.org> +Cc: Peter Zijlstra <peterz@infradead.org> +Cc: Thomas Gleixner <tglx@linutronix.de> +Link: https://lkml.kernel.org/lkml/20180518064713.26440-2-jslaby@suse.cz +Signed-off-by: Ingo Molnar <mingo@kernel.org> +--- + arch/x86/kernel/stacktrace.c | 18 ++---------------- + 1 file changed, 2 insertions(+), 16 deletions(-) + +--- a/arch/x86/kernel/stacktrace.c ++++ b/arch/x86/kernel/stacktrace.c +@@ -81,16 +81,6 @@ EXPORT_SYMBOL_GPL(save_stack_trace_tsk); + + #ifdef CONFIG_HAVE_RELIABLE_STACKTRACE + +-#define STACKTRACE_DUMP_ONCE(task) ({ \ +- static bool __section(.data.unlikely) __dumped; \ +- \ +- if (!__dumped) { \ +- __dumped = true; \ +- WARN_ON(1); \ +- show_stack(task, NULL); \ +- } \ +-}) +- + static int __always_inline + __save_stack_trace_reliable(struct stack_trace *trace, + struct task_struct *task) +@@ -123,20 +113,16 @@ __save_stack_trace_reliable(struct stack + * generated code which __kernel_text_address() doesn't know + * about. + */ +- if (!addr) { +- STACKTRACE_DUMP_ONCE(task); ++ if (!addr) + return -EINVAL; +- } + + if (save_stack_address(trace, addr, false)) + return -EINVAL; + } + + /* Check for stack corruption */ +- if (unwind_error(&state)) { +- STACKTRACE_DUMP_ONCE(task); ++ if (unwind_error(&state)) + return -EINVAL; +- } + + if (trace->nr_entries < trace->max_entries) + trace->entries[trace->nr_entries++] = ULONG_MAX; diff --git a/patches.suse/0002-x86-stacktrace-make-clear-the-success-paths.patch b/patches.suse/0002-x86-stacktrace-make-clear-the-success-paths.patch deleted file mode 100644 index d7591b8607..0000000000 --- a/patches.suse/0002-x86-stacktrace-make-clear-the-success-paths.patch +++ /dev/null @@ -1,56 +0,0 @@ -From: Jiri Slaby <jslaby@suse.cz> -Date: Thu, 14 Dec 2017 22:54:20 +0100 -Subject: x86/stacktrace: make clear the success paths -Patch-mainline: submitted on 2017/12/5 -References: bnc#1058115 - -Make clear which path is for user tasks and for kthreads and idle -tasks. This will allow easier plug-in of ORC unwinder in the next -patches. - -Signed-off-by: Jiri Slaby <jslaby@suse.cz> -Cc: Thomas Gleixner <tglx@linutronix.de> -Cc: Ingo Molnar <mingo@redhat.com> -Cc: "H. Peter Anvin" <hpa@zytor.com> -Cc: x86@kernel.org -Cc: Josh Poimboeuf <jpoimboe@redhat.com> ---- - arch/x86/kernel/stacktrace.c | 13 ++++++++++--- - 1 file changed, 10 insertions(+), 3 deletions(-) - ---- a/arch/x86/kernel/stacktrace.c -+++ b/arch/x86/kernel/stacktrace.c -@@ -104,16 +104,18 @@ __save_stack_trace_reliable(struct stack - - regs = unwind_get_entry_regs(&state, NULL); - if (regs) { -+ /* Success path for user tasks */ -+ if (user_mode(regs)) -+ goto success; -+ - /* - * Kernel mode registers on the stack indicate an - * in-kernel interrupt or exception (e.g., preemption - * or a page fault), which can make frame pointers - * unreliable. - */ -- if (!user_mode(regs)) -- return -EINVAL; - -- break; -+ return -EINVAL; - } - - addr = unwind_get_return_address(&state); -@@ -138,6 +140,11 @@ __save_stack_trace_reliable(struct stack - return -EINVAL; - } - -+ /* Success path for non-user tasks, i.e. kthreads and idle tasks */ -+ if (!(task->flags & (PF_KTHREAD | PF_IDLE))) -+ return -EINVAL; -+ -+success: - if (trace->nr_entries < trace->max_entries) - trace->entries[trace->nr_entries++] = ULONG_MAX; - diff --git a/patches.suse/0003-x86-stacktrace-Clarify-the-reliable-success-paths.patch b/patches.suse/0003-x86-stacktrace-Clarify-the-reliable-success-paths.patch new file mode 100644 index 0000000000..e94774049d --- /dev/null +++ b/patches.suse/0003-x86-stacktrace-Clarify-the-reliable-success-paths.patch @@ -0,0 +1,75 @@ +From: Jiri Slaby <jslaby@suse.cz> +Date: Fri, 18 May 2018 08:47:10 +0200 +Subject: x86/stacktrace: Clarify the reliable success paths +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git#x86/asm +Git-commit: 441ccc3580f45340715fd8f5c4db795b06326404 +Patch-mainline: Queued in subsystem maintainer repository +References: bnc#1058115 + +Make clear which path is for user tasks and for kthreads and idle +tasks. This will allow easier plug-in of the ORC unwinder in the next +patches. + +Note that we added a check for unwind error to the top of the loop, so +that an error is returned also for user tasks (the 'goto success' would +skip the check after the loop otherwise). + +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +Acked-by: Josh Poimboeuf <jpoimboe@redhat.com> +Cc: Andy Lutomirski <luto@kernel.org> +Cc: Borislav Petkov <bp@alien8.de> +Cc: Brian Gerst <brgerst@gmail.com> +Cc: Denys Vlasenko <dvlasenk@redhat.com> +Cc: H. Peter Anvin <hpa@zytor.com> +Cc: Linus Torvalds <torvalds@linux-foundation.org> +Cc: Peter Zijlstra <peterz@infradead.org> +Cc: Thomas Gleixner <tglx@linutronix.de> +Link: https://lkml.kernel.org/lkml/20180518064713.26440-3-jslaby@suse.cz +Signed-off-by: Ingo Molnar <mingo@kernel.org> +--- + arch/x86/kernel/stacktrace.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/arch/x86/kernel/stacktrace.c ++++ b/arch/x86/kernel/stacktrace.c +@@ -89,21 +89,24 @@ __save_stack_trace_reliable(struct stack + struct pt_regs *regs; + unsigned long addr; + +- for (unwind_start(&state, task, NULL, NULL); !unwind_done(&state); ++ for (unwind_start(&state, task, NULL, NULL); ++ !unwind_done(&state) && !unwind_error(&state); + unwind_next_frame(&state)) { + + regs = unwind_get_entry_regs(&state, NULL); + if (regs) { ++ /* Success path for user tasks */ ++ if (user_mode(regs)) ++ goto success; ++ + /* + * Kernel mode registers on the stack indicate an + * in-kernel interrupt or exception (e.g., preemption + * or a page fault), which can make frame pointers + * unreliable. + */ +- if (!user_mode(regs)) +- return -EINVAL; + +- break; ++ return -EINVAL; + } + + addr = unwind_get_return_address(&state); +@@ -124,6 +127,11 @@ __save_stack_trace_reliable(struct stack + if (unwind_error(&state)) + return -EINVAL; + ++ /* Success path for non-user tasks, i.e. kthreads and idle tasks */ ++ if (!(task->flags & (PF_KTHREAD | PF_IDLE))) ++ return -EINVAL; ++ ++success: + if (trace->nr_entries < trace->max_entries) + trace->entries[trace->nr_entries++] = ULONG_MAX; + diff --git a/patches.suse/0003-x86-stacktrace-remove-STACKTRACE_DUMP_ONCE-from-__sa.patch b/patches.suse/0003-x86-stacktrace-remove-STACKTRACE_DUMP_ONCE-from-__sa.patch deleted file mode 100644 index a8f9a0068f..0000000000 --- a/patches.suse/0003-x86-stacktrace-remove-STACKTRACE_DUMP_ONCE-from-__sa.patch +++ /dev/null @@ -1,47 +0,0 @@ -From: Jiri Slaby <jslaby@suse.cz> -Date: Fri, 1 Dec 2017 08:28:36 +0100 -Subject: x86/stacktrace: remove STACKTRACE_DUMP_ONCE from - __save_stack_trace_reliable -Patch-mainline: submitted on 2017/12/5 -References: bnc#1058115 - -The stack unwinding can sometimes fail yet. Especially with the -generated debug info. So do not yell at users -- live patching (the only -user of this interface) will inform the user about the failure -gracefully. - -Signed-off-by: Jiri Slaby <jslaby@suse.cz> -Cc: Thomas Gleixner <tglx@linutronix.de> -Cc: Ingo Molnar <mingo@redhat.com> -Cc: "H. Peter Anvin" <hpa@zytor.com> -Cc: x86@kernel.org -Cc: Josh Poimboeuf <jpoimboe@redhat.com> ---- - arch/x86/kernel/stacktrace.c | 8 ++------ - 1 file changed, 2 insertions(+), 6 deletions(-) - ---- a/arch/x86/kernel/stacktrace.c -+++ b/arch/x86/kernel/stacktrace.c -@@ -125,20 +125,16 @@ __save_stack_trace_reliable(struct stack - * generated code which __kernel_text_address() doesn't know - * about. - */ -- if (!addr) { -- STACKTRACE_DUMP_ONCE(task); -+ if (!addr) - return -EINVAL; -- } - - if (save_stack_address(trace, addr, false)) - return -EINVAL; - } - - /* Check for stack corruption */ -- if (unwind_error(&state)) { -- STACKTRACE_DUMP_ONCE(task); -+ if (unwind_error(&state)) - return -EINVAL; -- } - - /* Success path for non-user tasks, i.e. kthreads and idle tasks */ - if (!(task->flags & (PF_KTHREAD | PF_IDLE))) diff --git a/patches.suse/0004-x86-stacktrace-Do-not-fail-for-ORC-with-regs-on-stac.patch b/patches.suse/0004-x86-stacktrace-Do-not-fail-for-ORC-with-regs-on-stac.patch new file mode 100644 index 0000000000..6c3a28f13f --- /dev/null +++ b/patches.suse/0004-x86-stacktrace-Do-not-fail-for-ORC-with-regs-on-stac.patch @@ -0,0 +1,49 @@ +From: Jiri Slaby <jslaby@suse.cz> +Date: Fri, 18 May 2018 08:47:11 +0200 +Subject: x86/stacktrace: Do not fail for ORC with regs on stack +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git#x86/asm +Git-commit: 0c414367c04eeb00c3ebfee0b74c9e7f3b95fd62 +Patch-mainline: Queued in subsystem maintainer repository +References: bnc#1058115 + +save_stack_trace_reliable now returns "non reliable" when there are +kernel pt_regs on stack. This means an interrupt or exception happened +somewhere down the route. It is a problem for the frame pointer +unwinder, because the frame might not have been set up yet when the irq +happened, so the unwinder might fail to unwind from the interrupted +function. + +With ORC, this is not a problem, as ORC has out-of-band data. We can +find ORC data even for the IP in the interrupted function and always +unwind one level up reliably. + +So lift the check to apply only when CONFIG_FRAME_POINTER=y is enabled. + +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +Acked-by: Josh Poimboeuf <jpoimboe@redhat.com> +Cc: Andy Lutomirski <luto@kernel.org> +Cc: Borislav Petkov <bp@alien8.de> +Cc: Brian Gerst <brgerst@gmail.com> +Cc: Denys Vlasenko <dvlasenk@redhat.com> +Cc: H. Peter Anvin <hpa@zytor.com> +Cc: Linus Torvalds <torvalds@linux-foundation.org> +Cc: Peter Zijlstra <peterz@infradead.org> +Cc: Thomas Gleixner <tglx@linutronix.de> +Link: https://lkml.kernel.org/lkml/20180518064713.26440-4-jslaby@suse.cz +Signed-off-by: Ingo Molnar <mingo@kernel.org> +--- + arch/x86/kernel/stacktrace.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/x86/kernel/stacktrace.c ++++ b/arch/x86/kernel/stacktrace.c +@@ -106,7 +106,8 @@ __save_stack_trace_reliable(struct stack + * unreliable. + */ + +- return -EINVAL; ++ if (IS_ENABLED(CONFIG_FRAME_POINTER)) ++ return -EINVAL; + } + + addr = unwind_get_return_address(&state); diff --git a/patches.suse/0004-x86-stacktrace-do-not-fail-for-ORC-with-regs-on-stac.patch b/patches.suse/0004-x86-stacktrace-do-not-fail-for-ORC-with-regs-on-stac.patch deleted file mode 100644 index f59d12eb1c..0000000000 --- a/patches.suse/0004-x86-stacktrace-do-not-fail-for-ORC-with-regs-on-stac.patch +++ /dev/null @@ -1,43 +0,0 @@ -From: Jiri Slaby <jslaby@suse.cz> -Date: Wed, 29 Nov 2017 15:43:35 +0100 -Subject: x86/stacktrace: do not fail for ORC with regs on stack -Patch-mainline: submitted on 2017/12/5 -References: bnc#1058115 - -save_stack_trace_reliable now returns "non reliable" when there are -kernel pt_regs on stack. This means an interrupt or exception happened -somewhere down the route. It is a problem for frame pointer unwinder, -because the frame might not have been set up yet when the irq happened, -so the unwinder might fail to unwind from the interrupted function. - -With ORC, this is not a problem, as ORC has out-of-band data. We can -find ORC data even for the IP in the interrupted function and always -unwind one level up reliably. - -So lift the check to apply only when CONFIG_FRAME_POINTER is enabled. - -[v2] -- rewrite the code in favor of Josh's suggestions - -Signed-off-by: Jiri Slaby <jslaby@suse.cz> -Cc: Thomas Gleixner <tglx@linutronix.de> -Cc: Ingo Molnar <mingo@redhat.com> -Cc: "H. Peter Anvin" <hpa@zytor.com> -Cc: x86@kernel.org -Cc: Josh Poimboeuf <jpoimboe@redhat.com> ---- - arch/x86/kernel/stacktrace.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/arch/x86/kernel/stacktrace.c -+++ b/arch/x86/kernel/stacktrace.c -@@ -115,7 +115,8 @@ __save_stack_trace_reliable(struct stack - * unreliable. - */ - -- return -EINVAL; -+ if (IS_ENABLED(CONFIG_FRAME_POINTER)) -+ return -EINVAL; - } - - addr = unwind_get_return_address(&state); diff --git a/patches.suse/0005-x86-unwind-orc-Detect-the-end-of-the-stack.patch b/patches.suse/0005-x86-unwind-orc-Detect-the-end-of-the-stack.patch new file mode 100644 index 0000000000..8ccfb15bfa --- /dev/null +++ b/patches.suse/0005-x86-unwind-orc-Detect-the-end-of-the-stack.patch @@ -0,0 +1,358 @@ +From: Josh Poimboeuf <jpoimboe@redhat.com> +Date: Fri, 18 May 2018 08:47:12 +0200 +Subject: x86/unwind/orc: Detect the end of the stack +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git#x86/asm +Git-commit: d31a580266eeb1f355df90fde8a71f480e30ad70 +Patch-mainline: Queued in subsystem maintainer repository +References: bnc#1058115 + +The existing UNWIND_HINT_EMPTY annotations happen to be good indicators +of where entry code calls into C code for the first time. So also use +them to mark the end of the stack for the ORC unwinder. + +Use that information to set unwind->error if the ORC unwinder doesn't +unwind all the way to the end. This will be needed for enabling +HAVE_RELIABLE_STACKTRACE for the ORC unwinder so we can use it with the +livepatch consistency model. + +Thanks to Jiri Slaby for teaching the ORCs about the unwind hints. + +Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +Acked-by: Josh Poimboeuf <jpoimboe@redhat.com> +Cc: Andy Lutomirski <luto@kernel.org> +Cc: Borislav Petkov <bp@alien8.de> +Cc: Brian Gerst <brgerst@gmail.com> +Cc: Denys Vlasenko <dvlasenk@redhat.com> +Cc: H. Peter Anvin <hpa@zytor.com> +Cc: Linus Torvalds <torvalds@linux-foundation.org> +Cc: Peter Zijlstra <peterz@infradead.org> +Cc: Thomas Gleixner <tglx@linutronix.de> +Link: https://lkml.kernel.org/lkml/20180518064713.26440-5-jslaby@suse.cz +Signed-off-by: Ingo Molnar <mingo@kernel.org> +--- + arch/x86/entry/entry_64.S | 1 + arch/x86/include/asm/orc_types.h | 2 + arch/x86/include/asm/unwind_hints.h | 16 ++++--- + arch/x86/kernel/unwind_orc.c | 52 ++++++++++++++----------- + tools/objtool/arch/x86/include/asm/orc_types.h | 2 + tools/objtool/check.c | 1 + tools/objtool/check.h | 2 + tools/objtool/orc_dump.c | 3 - + tools/objtool/orc_gen.c | 2 + 9 files changed, 52 insertions(+), 29 deletions(-) + +--- a/arch/x86/entry/entry_64.S ++++ b/arch/x86/entry/entry_64.S +@@ -414,6 +414,7 @@ ENTRY(ret_from_fork) + + 1: + /* kernel thread */ ++ UNWIND_HINT_EMPTY + movq %r12, %rdi + CALL_NOSPEC %rbx + /* +--- a/arch/x86/include/asm/orc_types.h ++++ b/arch/x86/include/asm/orc_types.h +@@ -88,6 +88,7 @@ struct orc_entry { + unsigned sp_reg:4; + unsigned bp_reg:4; + unsigned type:2; ++ unsigned end:1; + } __packed; + + /* +@@ -101,6 +102,7 @@ struct unwind_hint { + s16 sp_offset; + u8 sp_reg; + u8 type; ++ u8 end; + }; + #endif /* __ASSEMBLY__ */ + +--- a/arch/x86/include/asm/unwind_hints.h ++++ b/arch/x86/include/asm/unwind_hints.h +@@ -26,7 +26,7 @@ + * the debuginfo as necessary. It will also warn if it sees any + * inconsistencies. + */ +-.macro UNWIND_HINT sp_reg=ORC_REG_SP sp_offset=0 type=ORC_TYPE_CALL ++.macro UNWIND_HINT sp_reg=ORC_REG_SP sp_offset=0 type=ORC_TYPE_CALL end=0 + #ifdef CONFIG_STACK_VALIDATION + .Lunwind_hint_ip_\@: + .pushsection .discard.unwind_hints +@@ -35,12 +35,14 @@ + .short \sp_offset + .byte \sp_reg + .byte \type ++ .byte \end ++ .balign 4 + .popsection + #endif + .endm + + .macro UNWIND_HINT_EMPTY +- UNWIND_HINT sp_reg=ORC_REG_UNDEFINED ++ UNWIND_HINT sp_reg=ORC_REG_UNDEFINED end=1 + .endm + + .macro UNWIND_HINT_REGS base=%rsp offset=0 indirect=0 extra=1 iret=0 +@@ -86,19 +88,21 @@ + + #else /* !__ASSEMBLY__ */ + +-#define UNWIND_HINT(sp_reg, sp_offset, type) \ ++#define UNWIND_HINT(sp_reg, sp_offset, type, end) \ + "987: \n\t" \ + ".pushsection .discard.unwind_hints\n\t" \ + /* struct unwind_hint */ \ + ".long 987b - .\n\t" \ +- ".short " __stringify(sp_offset) "\n\t" \ ++ ".short " __stringify(sp_offset) "\n\t" \ + ".byte " __stringify(sp_reg) "\n\t" \ + ".byte " __stringify(type) "\n\t" \ ++ ".byte " __stringify(end) "\n\t" \ ++ ".balign 4 \n\t" \ + ".popsection\n\t" + +-#define UNWIND_HINT_SAVE UNWIND_HINT(0, 0, UNWIND_HINT_TYPE_SAVE) ++#define UNWIND_HINT_SAVE UNWIND_HINT(0, 0, UNWIND_HINT_TYPE_SAVE, 0) + +-#define UNWIND_HINT_RESTORE UNWIND_HINT(0, 0, UNWIND_HINT_TYPE_RESTORE) ++#define UNWIND_HINT_RESTORE UNWIND_HINT(0, 0, UNWIND_HINT_TYPE_RESTORE, 0) + + #endif /* __ASSEMBLY__ */ + +--- a/arch/x86/kernel/unwind_orc.c ++++ b/arch/x86/kernel/unwind_orc.c +@@ -198,7 +198,7 @@ static int orc_sort_cmp(const void *_a, + * whitelisted .o files which didn't get objtool generation. + */ + orc_a = cur_orc_table + (a - cur_orc_ip_table); +- return orc_a->sp_reg == ORC_REG_UNDEFINED ? -1 : 1; ++ return orc_a->sp_reg == ORC_REG_UNDEFINED && !orc_a->end ? -1 : 1; + } + + #ifdef CONFIG_MODULES +@@ -352,7 +352,7 @@ static bool deref_stack_iret_regs(struct + + bool unwind_next_frame(struct unwind_state *state) + { +- unsigned long ip_p, sp, orig_ip, prev_sp = state->sp; ++ unsigned long ip_p, sp, orig_ip = state->ip, prev_sp = state->sp; + enum stack_type prev_type = state->stack_info.type; + struct orc_entry *orc; + bool indirect = false; +@@ -363,9 +363,9 @@ bool unwind_next_frame(struct unwind_sta + /* Don't let modules unload while we're reading their ORC data. */ + preempt_disable(); + +- /* Have we reached the end? */ ++ /* End-of-stack check for user tasks: */ + if (state->regs && user_mode(state->regs)) +- goto done; ++ goto the_end; + + /* + * Find the orc_entry associated with the text address. +@@ -374,9 +374,16 @@ bool unwind_next_frame(struct unwind_sta + * calls and calls to noreturn functions. + */ + orc = orc_find(state->signal ? state->ip : state->ip - 1); +- if (!orc || orc->sp_reg == ORC_REG_UNDEFINED) +- goto done; +- orig_ip = state->ip; ++ if (!orc) ++ goto err; ++ ++ /* End-of-stack check for kernel threads: */ ++ if (orc->sp_reg == ORC_REG_UNDEFINED) { ++ if (!orc->end) ++ goto err; ++ ++ goto the_end; ++ } + + /* Find the previous frame's stack: */ + switch (orc->sp_reg) { +@@ -402,7 +409,7 @@ bool unwind_next_frame(struct unwind_sta + if (!state->regs || !state->full_regs) { + orc_warn("missing regs for base reg R10 at ip %pB\n", + (void *)state->ip); +- goto done; ++ goto err; + } + sp = state->regs->r10; + break; +@@ -411,7 +418,7 @@ bool unwind_next_frame(struct unwind_sta + if (!state->regs || !state->full_regs) { + orc_warn("missing regs for base reg R13 at ip %pB\n", + (void *)state->ip); +- goto done; ++ goto err; + } + sp = state->regs->r13; + break; +@@ -420,7 +427,7 @@ bool unwind_next_frame(struct unwind_sta + if (!state->regs || !state->full_regs) { + orc_warn("missing regs for base reg DI at ip %pB\n", + (void *)state->ip); +- goto done; ++ goto err; + } + sp = state->regs->di; + break; +@@ -429,7 +436,7 @@ bool unwind_next_frame(struct unwind_sta + if (!state->regs || !state->full_regs) { + orc_warn("missing regs for base reg DX at ip %pB\n", + (void *)state->ip); +- goto done; ++ goto err; + } + sp = state->regs->dx; + break; +@@ -437,12 +444,12 @@ bool unwind_next_frame(struct unwind_sta + default: + orc_warn("unknown SP base reg %d for ip %pB\n", + orc->sp_reg, (void *)state->ip); +- goto done; ++ goto err; + } + + if (indirect) { + if (!deref_stack_reg(state, sp, &sp)) +- goto done; ++ goto err; + } + + /* Find IP, SP and possibly regs: */ +@@ -451,7 +458,7 @@ bool unwind_next_frame(struct unwind_sta + ip_p = sp - sizeof(long); + + if (!deref_stack_reg(state, ip_p, &state->ip)) +- goto done; ++ goto err; + + state->ip = ftrace_graph_ret_addr(state->task, &state->graph_idx, + state->ip, (void *)ip_p); +@@ -465,7 +472,7 @@ bool unwind_next_frame(struct unwind_sta + if (!deref_stack_regs(state, sp, &state->ip, &state->sp)) { + orc_warn("can't dereference registers at %p for ip %pB\n", + (void *)sp, (void *)orig_ip); +- goto done; ++ goto err; + } + + state->regs = (struct pt_regs *)sp; +@@ -477,7 +484,7 @@ bool unwind_next_frame(struct unwind_sta + if (!deref_stack_iret_regs(state, sp, &state->ip, &state->sp)) { + orc_warn("can't dereference iret registers at %p for ip %pB\n", + (void *)sp, (void *)orig_ip); +- goto done; ++ goto err; + } + + state->regs = (void *)sp - IRET_FRAME_OFFSET; +@@ -500,18 +507,18 @@ bool unwind_next_frame(struct unwind_sta + + case ORC_REG_PREV_SP: + if (!deref_stack_reg(state, sp + orc->bp_offset, &state->bp)) +- goto done; ++ goto err; + break; + + case ORC_REG_BP: + if (!deref_stack_reg(state, state->bp + orc->bp_offset, &state->bp)) +- goto done; ++ goto err; + break; + + default: + orc_warn("unknown BP base reg %d for ip %pB\n", + orc->bp_reg, (void *)orig_ip); +- goto done; ++ goto err; + } + + /* Prevent a recursive loop due to bad ORC data: */ +@@ -520,13 +527,16 @@ bool unwind_next_frame(struct unwind_sta + state->sp <= prev_sp) { + orc_warn("stack going in the wrong direction? ip=%pB\n", + (void *)orig_ip); +- goto done; ++ goto err; + } + + preempt_enable(); + return true; + +-done: ++err: ++ state->error = true; ++ ++the_end: + preempt_enable(); + state->stack_info.type = STACK_TYPE_UNKNOWN; + return false; +--- a/tools/objtool/arch/x86/include/asm/orc_types.h ++++ b/tools/objtool/arch/x86/include/asm/orc_types.h +@@ -88,6 +88,7 @@ struct orc_entry { + unsigned sp_reg:4; + unsigned bp_reg:4; + unsigned type:2; ++ unsigned end:1; + } __packed; + + /* +@@ -101,6 +102,7 @@ struct unwind_hint { + s16 sp_offset; + u8 sp_reg; + u8 type; ++ u8 end; + }; + #endif /* __ASSEMBLY__ */ + +--- a/tools/objtool/check.c ++++ b/tools/objtool/check.c +@@ -1134,6 +1134,7 @@ static int read_unwind_hints(struct objt + + cfa->offset = hint->sp_offset; + insn->state.type = hint->type; ++ insn->state.end = hint->end; + } + + return 0; +--- a/tools/objtool/check.h ++++ b/tools/objtool/check.h +@@ -31,7 +31,7 @@ struct insn_state { + int stack_size; + unsigned char type; + bool bp_scratch; +- bool drap; ++ bool drap, end; + int drap_reg, drap_offset; + struct cfi_reg vals[CFI_NUM_REGS]; + }; +--- a/tools/objtool/orc_dump.c ++++ b/tools/objtool/orc_dump.c +@@ -203,7 +203,8 @@ int orc_dump(const char *_objname) + + print_reg(orc[i].bp_reg, orc[i].bp_offset); + +- printf(" type:%s\n", orc_type_name(orc[i].type)); ++ printf(" type:%s end:%d\n", ++ orc_type_name(orc[i].type), orc[i].end); + } + + elf_end(elf); +--- a/tools/objtool/orc_gen.c ++++ b/tools/objtool/orc_gen.c +@@ -31,6 +31,8 @@ int create_orc(struct objtool_file *file + struct cfi_reg *cfa = &insn->state.cfa; + struct cfi_reg *bp = &insn->state.regs[CFI_BP]; + ++ orc->end = insn->state.end; ++ + if (cfa->base == CFI_UNDEFINED) { + orc->sp_reg = ORC_REG_UNDEFINED; + continue; diff --git a/patches.suse/0005-x86-stacktrace-orc-mark-it-as-reliable.patch b/patches.suse/0006-x86-stacktrace-Enable-HAVE_RELIABLE_STACKTRACE-for-t.patch index 0be2d42e6e..0563d038f9 100644 --- a/patches.suse/0005-x86-stacktrace-orc-mark-it-as-reliable.patch +++ b/patches.suse/0006-x86-stacktrace-Enable-HAVE_RELIABLE_STACKTRACE-for-t.patch @@ -1,7 +1,9 @@ From: Jiri Slaby <jslaby@suse.cz> -Date: Wed, 4 Oct 2017 11:14:26 +0200 -Subject: x86/stacktrace: orc, mark it as reliable -Patch-mainline: submitted on 2017/12/5 +Date: Fri, 18 May 2018 08:47:13 +0200 +Subject: x86/stacktrace: Enable HAVE_RELIABLE_STACKTRACE for the ORC unwinder +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git#x86/asm +Git-commit: 6415b38bae2641ab6e173ffa4ff6a453b60ba99b +Patch-mainline: Queued in subsystem maintainer repository References: bnc#1058115 In SUSE, we need a reliable stack unwinder for kernel live patching, but @@ -10,18 +12,24 @@ after the previous patches to make the ORC reliable, mark ORC as a reliable stack unwinder on x86. Signed-off-by: Jiri Slaby <jslaby@suse.cz> -Cc: Josh Poimboeuf <jpoimboe@redhat.com> +Acked-by: Josh Poimboeuf <jpoimboe@redhat.com> +Cc: Andy Lutomirski <luto@kernel.org> +Cc: Borislav Petkov <bp@alien8.de> +Cc: Brian Gerst <brgerst@gmail.com> +Cc: Denys Vlasenko <dvlasenk@redhat.com> +Cc: H. Peter Anvin <hpa@zytor.com> +Cc: Linus Torvalds <torvalds@linux-foundation.org> +Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> -Cc: Ingo Molnar <mingo@redhat.com> -Cc: "H. Peter Anvin" <hpa@zytor.com> -Cc: x86@kernel.org +Link: https://lkml.kernel.org/lkml/20180518064713.26440-6-jslaby@suse.cz +Signed-off-by: Ingo Molnar <mingo@kernel.org> --- arch/x86/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig -@@ -161,7 +161,7 @@ config X86 +@@ -162,7 +162,7 @@ config X86 select HAVE_PERF_REGS select HAVE_PERF_USER_STACK_DUMP select HAVE_REGS_AND_STACK_ACCESS_API diff --git a/patches.suse/amd-xgbe-Restore-PCI-interrupt-enablement-setting-on.patch b/patches.suse/amd-xgbe-Restore-PCI-interrupt-enablement-setting-on.patch new file mode 100644 index 0000000000..b9413a50b2 --- /dev/null +++ b/patches.suse/amd-xgbe-Restore-PCI-interrupt-enablement-setting-on.patch @@ -0,0 +1,28 @@ +From: Tom Lendacky <thomas.lendacky@amd.com> +Date: Tue, 20 Feb 2018 15:22:05 -0600 +Subject: amd-xgbe: Restore PCI interrupt enablement setting on resume +Git-commit: cfd092f2db8b4b6727e1c03ef68a7842e1023573 +Patch-mainline: v4.16-rc3 +References: networking-stable-18_03_07 + +After resuming from suspend, the PCI device support must re-enable the +interrupt setting so that interrupts are actually delivered. + +Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/ethernet/amd/xgbe/xgbe-pci.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/amd/xgbe/xgbe-pci.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-pci.c +@@ -420,6 +420,8 @@ static int xgbe_pci_resume(struct pci_de + struct net_device *netdev = pdata->netdev; + int ret = 0; + ++ XP_IOWRITE(pdata, XP_INT_EN, 0x1fffff); ++ + pdata->lpm_ctrl &= ~MDIO_CTRL1_LPOWER; + XMDIO_WRITE(pdata, MDIO_MMD_PCS, MDIO_CTRL1, pdata->lpm_ctrl); + diff --git a/patches.suse/cpufreq-intel_pstate-Add-HWP-boost-utility-and-sched.patch b/patches.suse/cpufreq-intel_pstate-Add-HWP-boost-utility-and-sched.patch new file mode 100644 index 0000000000..c040817ceb --- /dev/null +++ b/patches.suse/cpufreq-intel_pstate-Add-HWP-boost-utility-and-sched.patch @@ -0,0 +1,229 @@ +From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com> +Date: Tue, 5 Jun 2018 14:42:39 -0700 +Subject: cpufreq: intel_pstate: Add HWP boost utility and sched util hooks +Patch-mainline: v4.18-rc1 +Git-commit: e0efd5be63e821066b5e6325cf237eb41367552f +References: bsc#1066110 + +Added two utility functions to HWP boost up gradually and boost down to +the default cached HWP request values. + +Boost up: +Boost up updates HWP request minimum value in steps. This minimum value +can reach upto at HWP request maximum values depends on how frequently, +this boost up function is called. At max, boost up will take three steps +to reach the maximum, depending on the current HWP request levels and HWP +capabilities. For example, if the current settings are: +If P0 (Turbo max) = P1 (Guaranteed max) = min + No boost at all. +If P0 (Turbo max) > P1 (Guaranteed max) = min + Should result in one level boost only for P0. +If P0 (Turbo max) = P1 (Guaranteed max) > min + Should result in two level boost: + (min + p1)/2 and P1. +If P0 (Turbo max) > P1 (Guaranteed max) > min + Should result in three level boost: + (min + p1)/2, P1 and P0. +We don't set any level between P0 and P1 as there is no guarantee that +they will be honored. + +Boost down: +After the system is idle for hold time of 3ms, the HWP request is reset +to the default value from HWP init or user modified one via sysfs. + +Caching of HWP Request and Capabilities +Store the HWP request value last set using MSR_HWP_REQUEST and read +MSR_HWP_CAPABILITIES. This avoid reading of MSRs in the boost utility +functions. + +These boost utility functions calculated limits are based on the latest +HWP request value, which can be modified by setpolicy() callback. So if +user space modifies the minimum perf value, that will be accounted for +every time the boost up is called. There will be case when there can be +contention with the user modified minimum perf, in that case user value +will gain precedence. For example just before HWP_REQUEST MSR is updated +from setpolicy() callback, the boost up function is called via scheduler +tick callback. Here the cached MSR value is already the latest and limits +are updated based on the latest user limits, but on return the MSR write +callback called from setpolicy() callback will update the HWP_REQUEST +value. This will be used till next time the boost up function is called. + +In addition add a variable to control HWP dynamic boosting. When HWP +dynamic boost is active then set the HWP specific update util hook. The +contents in the utility hooks will be filled in the subsequent patches. + +Reported-by: Mel Gorman <mgorman@techsingularity.net> +Tested-by: Giovanni Gherdovich <ggherdovich@suse.cz> +Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com> +Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> +Acked-by: Giovanni Gherdovich <ggherdovich@suse.cz> +--- + drivers/cpufreq/intel_pstate.c | 100 +++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 97 insertions(+), 3 deletions(-) + +--- a/drivers/cpufreq/intel_pstate.c ++++ b/drivers/cpufreq/intel_pstate.c +@@ -249,6 +249,9 @@ struct global_params { + * preference/bias + * @epp_saved: Saved EPP/EPB during system suspend or CPU offline + * operation ++ * @hwp_req_cached: Cached value of the last HWP Request MSR ++ * @hwp_cap_cached: Cached value of the last HWP Capabilities MSR ++ * @hwp_boost_min: Last HWP boosted min performance + * + * This structure stores per CPU instance data for all CPUs. + */ +@@ -283,6 +286,9 @@ struct cpudata { + s16 epp_policy; + s16 epp_default; + s16 epp_saved; ++ u64 hwp_req_cached; ++ u64 hwp_cap_cached; ++ u32 hwp_boost_min; + }; + + static struct cpudata **all_cpu_data; +@@ -349,6 +355,7 @@ static struct pstate_adjust_policy pid_p + + static int hwp_active __read_mostly; + static bool per_cpu_limits __read_mostly; ++static bool hwp_boost __read_mostly; + + static struct cpufreq_driver *intel_pstate_driver __read_mostly; + +@@ -803,6 +810,7 @@ static void intel_pstate_get_hwp_max(uns + u64 cap; + + rdmsrl_on_cpu(cpu, MSR_HWP_CAPABILITIES, &cap); ++ WRITE_ONCE(all_cpu_data[cpu]->hwp_cap_cached, cap); + if (global.no_turbo) + *current_max = HWP_GUARANTEED_PERF(cap); + else +@@ -877,6 +885,7 @@ update_epp: + intel_pstate_set_epb(cpu, epp); + } + skip_epp: ++ WRITE_ONCE(cpu_data->hwp_req_cached, value); + wrmsrl_on_cpu(cpu, MSR_HWP_REQUEST, value); + } + +@@ -1566,6 +1575,81 @@ static void intel_pstate_get_cpu_pstates + intel_pstate_set_min_pstate(cpu); + } + ++/* ++ * Long hold time will keep high perf limits for long time, ++ * which negatively impacts perf/watt for some workloads, ++ * like specpower. 3ms is based on experiements on some ++ * workoads. ++ */ ++static int hwp_boost_hold_time_ns = 3 * NSEC_PER_MSEC; ++ ++static inline void intel_pstate_hwp_boost_up(struct cpudata *cpu) ++{ ++ u64 hwp_req = READ_ONCE(cpu->hwp_req_cached); ++ u32 max_limit = (hwp_req & 0xff00) >> 8; ++ u32 min_limit = (hwp_req & 0xff); ++ u32 boost_level1; ++ ++ /* ++ * Cases to consider (User changes via sysfs or boot time): ++ * If, P0 (Turbo max) = P1 (Guaranteed max) = min: ++ * No boost, return. ++ * If, P0 (Turbo max) > P1 (Guaranteed max) = min: ++ * Should result in one level boost only for P0. ++ * If, P0 (Turbo max) = P1 (Guaranteed max) > min: ++ * Should result in two level boost: ++ * (min + p1)/2 and P1. ++ * If, P0 (Turbo max) > P1 (Guaranteed max) > min: ++ * Should result in three level boost: ++ * (min + p1)/2, P1 and P0. ++ */ ++ ++ /* If max and min are equal or already at max, nothing to boost */ ++ if (max_limit == min_limit || cpu->hwp_boost_min >= max_limit) ++ return; ++ ++ if (!cpu->hwp_boost_min) ++ cpu->hwp_boost_min = min_limit; ++ ++ /* level at half way mark between min and guranteed */ ++ boost_level1 = (HWP_GUARANTEED_PERF(cpu->hwp_cap_cached) + min_limit) >> 1; ++ ++ if (cpu->hwp_boost_min < boost_level1) ++ cpu->hwp_boost_min = boost_level1; ++ else if (cpu->hwp_boost_min < HWP_GUARANTEED_PERF(cpu->hwp_cap_cached)) ++ cpu->hwp_boost_min = HWP_GUARANTEED_PERF(cpu->hwp_cap_cached); ++ else if (cpu->hwp_boost_min == HWP_GUARANTEED_PERF(cpu->hwp_cap_cached) && ++ max_limit != HWP_GUARANTEED_PERF(cpu->hwp_cap_cached)) ++ cpu->hwp_boost_min = max_limit; ++ else ++ return; ++ ++ hwp_req = (hwp_req & ~GENMASK_ULL(7, 0)) | cpu->hwp_boost_min; ++ wrmsrl(MSR_HWP_REQUEST, hwp_req); ++ cpu->last_update = cpu->sample.time; ++} ++ ++static inline void intel_pstate_hwp_boost_down(struct cpudata *cpu) ++{ ++ if (cpu->hwp_boost_min) { ++ bool expired; ++ ++ /* Check if we are idle for hold time to boost down */ ++ expired = time_after64(cpu->sample.time, cpu->last_update + ++ hwp_boost_hold_time_ns); ++ if (expired) { ++ wrmsrl(MSR_HWP_REQUEST, cpu->hwp_req_cached); ++ cpu->hwp_boost_min = 0; ++ } ++ } ++ cpu->last_update = cpu->sample.time; ++} ++ ++static inline void intel_pstate_update_util_hwp(struct update_util_data *data, ++ u64 time, unsigned int flags) ++{ ++} ++ + static inline void intel_pstate_calc_avg_perf(struct cpudata *cpu) + { + struct sample *sample = &cpu->sample; +@@ -1958,7 +2042,7 @@ static void intel_pstate_set_update_util + { + struct cpudata *cpu = all_cpu_data[cpu_num]; + +- if (hwp_active) ++ if (hwp_active && !hwp_boost) + return; + + if (cpu->update_util_set) +@@ -1967,7 +2051,9 @@ static void intel_pstate_set_update_util + /* Prevent intel_pstate_update_util() from using stale data. */ + cpu->sample.time = 0; + cpufreq_add_update_util_hook(cpu_num, &cpu->update_util, +- pstate_funcs.update_util); ++ (hwp_active ? ++ intel_pstate_update_util_hwp : ++ intel_pstate_update_util)); + cpu->update_util_set = true; + } + +@@ -2079,8 +2165,16 @@ static int intel_pstate_set_policy(struc + intel_pstate_set_update_util_hook(policy->cpu); + } + +- if (hwp_active) ++ if (hwp_active) { ++ /* ++ * When hwp_boost was active before and dynamically it ++ * was turned off, in that case we need to clear the ++ * update util hook. ++ */ ++ if (!hwp_boost) ++ intel_pstate_clear_update_util_hook(policy->cpu); + intel_pstate_hwp_set(policy->cpu); ++ } + + mutex_unlock(&intel_pstate_limits_lock); + diff --git a/patches.suse/cpufreq-intel_pstate-HWP-boost-performance-on-IO-wak.patch b/patches.suse/cpufreq-intel_pstate-HWP-boost-performance-on-IO-wak.patch new file mode 100644 index 0000000000..f953236afe --- /dev/null +++ b/patches.suse/cpufreq-intel_pstate-HWP-boost-performance-on-IO-wak.patch @@ -0,0 +1,89 @@ +From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com> +Date: Tue, 5 Jun 2018 14:42:40 -0700 +Subject: cpufreq: intel_pstate: HWP boost performance on IO wakeup +Patch-mainline: v4.18-rc1 +Git-commit: 52ccc4314293272397b117f3cc6f0f368c81431c +References: bsc#1066110 + +This change uses SCHED_CPUFREQ_IOWAIT flag to boost HWP performance. +Since SCHED_CPUFREQ_IOWAIT flag is set frequently, we don't start +boosting steps unless we see two consecutive flags in two ticks. This +avoids boosting due to IO because of regular system activities. + +To avoid synchronization issues, the actual processing of the flag is +done on the local CPU callback. + +Reported-by: Mel Gorman <mgorman@techsingularity.net> +Tested-by: Giovanni Gherdovich <ggherdovich@suse.cz> +Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com> +Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> +Acked-by: Giovanni Gherdovich <ggherdovich@suse.cz> +--- + drivers/cpufreq/intel_pstate.c | 39 +++++++++++++++++++++++++++++++++++++++ + 1 file changed, 39 insertions(+) + +--- a/drivers/cpufreq/intel_pstate.c ++++ b/drivers/cpufreq/intel_pstate.c +@@ -251,6 +251,8 @@ struct global_params { + * operation + * @hwp_req_cached: Cached value of the last HWP Request MSR + * @hwp_cap_cached: Cached value of the last HWP Capabilities MSR ++ * @last_io_update: Last time when IO wake flag was set ++ * @sched_flags: Store scheduler flags for possible cross CPU update + * @hwp_boost_min: Last HWP boosted min performance + * + * This structure stores per CPU instance data for all CPUs. +@@ -288,6 +290,8 @@ struct cpudata { + s16 epp_saved; + u64 hwp_req_cached; + u64 hwp_cap_cached; ++ u64 last_io_update; ++ unsigned int sched_flags; + u32 hwp_boost_min; + }; + +@@ -1645,9 +1649,44 @@ static inline void intel_pstate_hwp_boos + cpu->last_update = cpu->sample.time; + } + ++static inline void intel_pstate_update_util_hwp_local(struct cpudata *cpu, ++ u64 time) ++{ ++ cpu->sample.time = time; ++ ++ if (cpu->sched_flags & SCHED_CPUFREQ_IOWAIT) { ++ bool do_io = false; ++ ++ cpu->sched_flags = 0; ++ /* ++ * Set iowait_boost flag and update time. Since IO WAIT flag ++ * is set all the time, we can't just conclude that there is ++ * some IO bound activity is scheduled on this CPU with just ++ * one occurrence. If we receive at least two in two ++ * consecutive ticks, then we treat as boost candidate. ++ */ ++ if (time_before64(time, cpu->last_io_update + 2 * TICK_NSEC)) ++ do_io = true; ++ ++ cpu->last_io_update = time; ++ ++ if (do_io) ++ intel_pstate_hwp_boost_up(cpu); ++ ++ } else { ++ intel_pstate_hwp_boost_down(cpu); ++ } ++} ++ + static inline void intel_pstate_update_util_hwp(struct update_util_data *data, + u64 time, unsigned int flags) + { ++ struct cpudata *cpu = container_of(data, struct cpudata, update_util); ++ ++ cpu->sched_flags |= flags; ++ ++ if (smp_processor_id() == cpu->cpu) ++ intel_pstate_update_util_hwp_local(cpu, time); + } + + static inline void intel_pstate_calc_avg_perf(struct cpudata *cpu) diff --git a/patches.suse/cpufreq-intel_pstate-New-sysfs-entry-to-control-HWP-.patch b/patches.suse/cpufreq-intel_pstate-New-sysfs-entry-to-control-HWP-.patch new file mode 100644 index 0000000000..02891dd471 --- /dev/null +++ b/patches.suse/cpufreq-intel_pstate-New-sysfs-entry-to-control-HWP-.patch @@ -0,0 +1,72 @@ +From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com> +Date: Tue, 5 Jun 2018 14:42:41 -0700 +Subject: cpufreq: intel_pstate: New sysfs entry to control HWP boost +Patch-mainline: v4.18-rc1 +Git-commit: aaaece3de9d7709d79004dd5d5aa7c9b366f0675 +References: bsc#1066110 + +A new attribute is added to intel_pstate sysfs to enable/disable +HWP dynamic performance boost. + +Reported-by: Mel Gorman <mgorman@techsingularity.net> +Tested-by: Giovanni Gherdovich <ggherdovich@suse.cz> +Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com> +Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> +Acked-by: Giovanni Gherdovich <ggherdovich@suse.cz> +--- + drivers/cpufreq/intel_pstate.c | 30 ++++++++++++++++++++++++++++++ + 1 file changed, 30 insertions(+) + +--- a/drivers/cpufreq/intel_pstate.c ++++ b/drivers/cpufreq/intel_pstate.c +@@ -1218,6 +1218,30 @@ static ssize_t store_min_perf_pct(struct + return count; + } + ++static ssize_t show_hwp_dynamic_boost(struct kobject *kobj, ++ struct attribute *attr, char *buf) ++{ ++ return sprintf(buf, "%u\n", hwp_boost); ++} ++ ++static ssize_t store_hwp_dynamic_boost(struct kobject *a, struct attribute *b, ++ const char *buf, size_t count) ++{ ++ unsigned int input; ++ int ret; ++ ++ ret = kstrtouint(buf, 10, &input); ++ if (ret) ++ return ret; ++ ++ mutex_lock(&intel_pstate_driver_lock); ++ hwp_boost = !!input; ++ intel_pstate_update_policies(); ++ mutex_unlock(&intel_pstate_driver_lock); ++ ++ return count; ++} ++ + show_one(max_perf_pct, max_perf_pct); + show_one(min_perf_pct, min_perf_pct); + +@@ -1227,6 +1251,7 @@ define_one_global_rw(max_perf_pct); + define_one_global_rw(min_perf_pct); + define_one_global_ro(turbo_pct); + define_one_global_ro(num_pstates); ++define_one_global_rw(hwp_dynamic_boost); + + static struct attribute *intel_pstate_attributes[] = { + &status.attr, +@@ -1267,6 +1292,11 @@ static void __init intel_pstate_sysfs_ex + rc = sysfs_create_file(intel_pstate_kobject, &min_perf_pct.attr); + WARN_ON(rc); + ++ if (hwp_active) { ++ rc = sysfs_create_file(intel_pstate_kobject, ++ &hwp_dynamic_boost.attr); ++ WARN_ON(rc); ++ } + } + /************************** sysfs end ************************/ + diff --git a/patches.suse/cpufreq-intel_pstate-enable-boost-for-Skylake-Xeon.patch b/patches.suse/cpufreq-intel_pstate-enable-boost-for-Skylake-Xeon.patch new file mode 100644 index 0000000000..62f390b9b5 --- /dev/null +++ b/patches.suse/cpufreq-intel_pstate-enable-boost-for-Skylake-Xeon.patch @@ -0,0 +1,44 @@ +From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com> +Date: Tue, 5 Jun 2018 14:42:42 -0700 +Subject: cpufreq: intel_pstate: enable boost for Skylake Xeon +Patch-mainline: v4.18-rc1 +Git-commit: 41ab43c9c89e06ff08a4750d1b09e227ea97894f +References: bsc#1066110 + +Enable HWP boost on Skylake server and workstations. + +Reported-by: Mel Gorman <mgorman@techsingularity.net> +Tested-by: Giovanni Gherdovich <ggherdovich@suse.cz> +Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com> +Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> +Acked-by: Giovanni Gherdovich <ggherdovich@suse.cz> +--- + drivers/cpufreq/intel_pstate.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/cpufreq/intel_pstate.c ++++ b/drivers/cpufreq/intel_pstate.c +@@ -2066,6 +2066,12 @@ static const struct x86_cpu_id intel_pst + + static bool pid_in_use(void); + ++static const struct x86_cpu_id intel_pstate_hwp_boost_ids[] = { ++ ICPU(INTEL_FAM6_SKYLAKE_X, core_funcs), ++ ICPU(INTEL_FAM6_SKYLAKE_DESKTOP, core_funcs), ++ {} ++}; ++ + static int intel_pstate_init_cpu(unsigned int cpunum) + { + struct cpudata *cpu; +@@ -2096,6 +2102,10 @@ static int intel_pstate_init_cpu(unsigne + intel_pstate_disable_ee(cpunum); + + intel_pstate_hwp_enable(cpu); ++ ++ id = x86_match_cpu(intel_pstate_hwp_boost_ids); ++ if (id) ++ hwp_boost = true; + } else if (pid_in_use()) { + intel_pstate_pid_reset(cpu); + } diff --git a/patches.suse/dccp-don-t-restart-ccid2_hc_tx_rto_expire-if-sk-in-c.patch b/patches.suse/dccp-don-t-restart-ccid2_hc_tx_rto_expire-if-sk-in-c.patch new file mode 100644 index 0000000000..0cc833bb72 --- /dev/null +++ b/patches.suse/dccp-don-t-restart-ccid2_hc_tx_rto_expire-if-sk-in-c.patch @@ -0,0 +1,41 @@ +From: Alexey Kodanev <alexey.kodanev@oracle.com> +Date: Fri, 26 Jan 2018 15:14:16 +0300 +Subject: dccp: don't restart ccid2_hc_tx_rto_expire() if sk in closed state +Git-commit: dd5684ecae3bd8e44b644f50e2c12c7e57fdfef5 +Patch-mainline: v4.15 +References: networking-stable-18_01_28 + +ccid2_hc_tx_rto_expire() timer callback always restarts the timer +again and can run indefinitely (unless it is stopped outside), and after +commit 120e9dabaf55 ("dccp: defer ccid_hc_tx_delete() at dismantle time"), +which moved ccid_hc_tx_delete() (also includes sk_stop_timer()) from +dccp_destroy_sock() to sk_destruct(), this started to happen quite often. +The timer prevents releasing the socket, as a result, sk_destruct() won't +be called. + +Found with LTP/dccp_ipsec tests running on the bonding device, +which later couldn't be unloaded after the tests were completed: + + unregister_netdevice: waiting for bond0 to become free. Usage count = 148 + +Fixes: 2a91aa396739 ("[DCCP] CCID2: Initial CCID2 (TCP-Like) implementation") +Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com> +Reviewed-by: Eric Dumazet <edumazet@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/dccp/ccids/ccid2.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/dccp/ccids/ccid2.c ++++ b/net/dccp/ccids/ccid2.c +@@ -140,6 +140,9 @@ static void ccid2_hc_tx_rto_expire(unsig + + ccid2_pr_debug("RTO_EXPIRE\n"); + ++ if (sk->sk_state == DCCP_CLOSED) ++ goto out; ++ + /* back-off timer */ + hc->tx_rto <<= 1; + if (hc->tx_rto > DCCP_RTO_MAX) diff --git a/patches.suse/devlink-Remove-redundant-free-on-error-path.patch b/patches.suse/devlink-Remove-redundant-free-on-error-path.patch new file mode 100644 index 0000000000..5073ef9a78 --- /dev/null +++ b/patches.suse/devlink-Remove-redundant-free-on-error-path.patch @@ -0,0 +1,82 @@ +From: Arkadi Sharshevsky <arkadis@mellanox.com> +Date: Sun, 18 Mar 2018 17:37:22 +0200 +Subject: devlink: Remove redundant free on error path +Git-commit: 7fe4d6dcbcb43fe0282d4213fc52be178bb30e91 +Patch-mainline: v4.16-rc7 +References: networking-stable-18_03_28 + +The current code performs unneeded free. Remove the redundant skb freeing +during the error path. + +Fixes: 1555d204e743 ("devlink: Support for pipeline debug (dpipe)") +Signed-off-by: Arkadi Sharshevsky <arkadis@mellanox.com> +Acked-by: Jiri Pirko <jiri@mellanox.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/core/devlink.c | 16 ++++------------ + 1 file changed, 4 insertions(+), 12 deletions(-) + +--- a/net/core/devlink.c ++++ b/net/core/devlink.c +@@ -1723,7 +1723,7 @@ send_done: + if (!nlh) { + err = devlink_dpipe_send_and_alloc_skb(&skb, info); + if (err) +- goto err_skb_send_alloc; ++ return err; + goto send_done; + } + +@@ -1732,7 +1732,6 @@ send_done: + nla_put_failure: + err = -EMSGSIZE; + err_table_put: +-err_skb_send_alloc: + genlmsg_cancel(skb, hdr); + nlmsg_free(skb); + return err; +@@ -1976,7 +1975,7 @@ static int devlink_dpipe_entries_fill(st + table->counters_enabled, + &dump_ctx); + if (err) +- goto err_entries_dump; ++ return err; + + send_done: + nlh = nlmsg_put(dump_ctx.skb, info->snd_portid, info->snd_seq, +@@ -1984,16 +1983,10 @@ send_done: + if (!nlh) { + err = devlink_dpipe_send_and_alloc_skb(&dump_ctx.skb, info); + if (err) +- goto err_skb_send_alloc; ++ return err; + goto send_done; + } + return genlmsg_reply(dump_ctx.skb, info); +- +-err_entries_dump: +-err_skb_send_alloc: +- genlmsg_cancel(dump_ctx.skb, dump_ctx.hdr); +- nlmsg_free(dump_ctx.skb); +- return err; + } + + static int devlink_nl_cmd_dpipe_entries_get(struct sk_buff *skb, +@@ -2132,7 +2125,7 @@ send_done: + if (!nlh) { + err = devlink_dpipe_send_and_alloc_skb(&skb, info); + if (err) +- goto err_skb_send_alloc; ++ return err; + goto send_done; + } + return genlmsg_reply(skb, info); +@@ -2140,7 +2133,6 @@ send_done: + nla_put_failure: + err = -EMSGSIZE; + err_table_put: +-err_skb_send_alloc: + genlmsg_cancel(skb, hdr); + nlmsg_free(skb); + return err; diff --git a/patches.suse/dpaa_eth-increment-the-RX-dropped-counter-when-neede.patch b/patches.suse/dpaa_eth-increment-the-RX-dropped-counter-when-neede.patch new file mode 100644 index 0000000000..cb272ab735 --- /dev/null +++ b/patches.suse/dpaa_eth-increment-the-RX-dropped-counter-when-neede.patch @@ -0,0 +1,28 @@ +From: Camelia Groza <camelia.groza@nxp.com> +Date: Wed, 14 Mar 2018 08:37:31 -0500 +Subject: dpaa_eth: increment the RX dropped counter when needed +Git-commit: e4d1b37c17d000a3da9368a3e260fb9ea4927c25 +Patch-mainline: v4.16-rc7 +References: networking-stable-18_03_28 + +Signed-off-by: Camelia Groza <camelia.groza@nxp.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c ++++ b/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c +@@ -2274,8 +2274,10 @@ static enum qman_cb_dqrr_result rx_defau + + skb_len = skb->len; + +- if (unlikely(netif_receive_skb(skb) == NET_RX_DROP)) ++ if (unlikely(netif_receive_skb(skb) == NET_RX_DROP)) { ++ percpu_stats->rx_dropped++; + return qman_cb_dqrr_consume; ++ } + + percpu_stats->rx_packets++; + percpu_stats->rx_bytes += skb_len; diff --git a/patches.suse/dpaa_eth-remove-duplicate-increment-of-the-tx_errors.patch b/patches.suse/dpaa_eth-remove-duplicate-increment-of-the-tx_errors.patch new file mode 100644 index 0000000000..7c450d3033 --- /dev/null +++ b/patches.suse/dpaa_eth-remove-duplicate-increment-of-the-tx_errors.patch @@ -0,0 +1,27 @@ +From: Camelia Groza <camelia.groza@nxp.com> +Date: Wed, 14 Mar 2018 08:37:32 -0500 +Subject: dpaa_eth: remove duplicate increment of the tx_errors counter +Git-commit: 82d141cd19d088ee41feafde4a6f86eeb40d93c5 +Patch-mainline: v4.16-rc7 +References: networking-stable-18_03_28 + +The tx_errors counter is incremented by the dpaa_xmit caller. + +Signed-off-by: Camelia Groza <camelia.groza@nxp.com> +Signed-off-by: Madalin Bucur <madalin.bucur@nxp.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c ++++ b/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c +@@ -1986,7 +1986,6 @@ static inline int dpaa_xmit(struct dpaa_ + } + + if (unlikely(err < 0)) { +- percpu_stats->tx_errors++; + percpu_stats->tx_fifo_errors++; + return err; + } diff --git a/patches.suse/dpaa_eth-remove-duplicate-initialization.patch b/patches.suse/dpaa_eth-remove-duplicate-initialization.patch new file mode 100644 index 0000000000..acd8e65d42 --- /dev/null +++ b/patches.suse/dpaa_eth-remove-duplicate-initialization.patch @@ -0,0 +1,26 @@ +From: Camelia Groza <camelia.groza@nxp.com> +Date: Wed, 14 Mar 2018 08:37:30 -0500 +Subject: dpaa_eth: remove duplicate initialization +Git-commit: 565186362b73226a288830abe595f05f0cec0bbc +Patch-mainline: v4.16-rc7 +References: networking-stable-18_03_28 + +The fd_format has already been initialized at this point. + +Signed-off-by: Camelia Groza <camelia.groza@nxp.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c ++++ b/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c +@@ -2254,7 +2254,6 @@ static enum qman_cb_dqrr_result rx_defau + /* prefetch the first 64 bytes of the frame or the SGT start */ + prefetch(phys_to_virt(addr) + qm_fd_get_offset(fd)); + +- fd_format = qm_fd_get_format(fd); + /* The only FD types that we may receive are contig and S/G */ + WARN_ON((fd_format != qm_fd_contig) && (fd_format != qm_fd_sg)); + diff --git a/patches.suse/fib_semantics-Don-t-match-route-with-mismatching-tcl.patch b/patches.suse/fib_semantics-Don-t-match-route-with-mismatching-tcl.patch new file mode 100644 index 0000000000..71dda70421 --- /dev/null +++ b/patches.suse/fib_semantics-Don-t-match-route-with-mismatching-tcl.patch @@ -0,0 +1,63 @@ +From: Stefano Brivio <sbrivio@redhat.com> +Date: Thu, 15 Feb 2018 09:46:03 +0100 +Subject: fib_semantics: Don't match route with mismatching tclassid +Git-commit: a8c6db1dfd1b1d18359241372bb204054f2c3174 +Patch-mainline: v4.16-rc3 +References: networking-stable-18_03_07 + +In fib_nh_match(), if output interface or gateway are passed in +the FIB configuration, we don't have to check next hops of +multipath routes to conclude whether we have a match or not. + +However, we might still have routes with different realms +matching the same output interface and gateway configuration, +and this needs to cause the match to fail. Otherwise the first +route inserted in the FIB will match, regardless of the realms: + + # ip route add 1.1.1.1 dev eth0 table 1234 realms 1/2 + # ip route append 1.1.1.1 dev eth0 table 1234 realms 3/4 + # ip route list table 1234 + 1.1.1.1 dev eth0 scope link realms 1/2 + 1.1.1.1 dev eth0 scope link realms 3/4 + # ip route del 1.1.1.1 dev ens3 table 1234 realms 3/4 + # ip route list table 1234 + 1.1.1.1 dev ens3 scope link realms 3/4 + +whereas route with realms 3/4 should have been deleted instead. + +Explicitly check for fc_flow passed in the FIB configuration +(this comes from RTA_FLOW extracted by rtm_to_fib_config()) and +fail matching if it differs from nh_tclassid. + +The handling of RTA_FLOW for multipath routes later in +fib_nh_match() is still needed, as we can have multiple RTA_FLOW +attributes that need to be matched against the tclassid of each +next hop. + +v2: Check that fc_flow is set before discarding the match, so + that the user can still select the first matching rule by + not specifying any realm, as suggested by David Ahern. + +Reported-by: Jianlin Shi <jishi@redhat.com> +Signed-off-by: Stefano Brivio <sbrivio@redhat.com> +Acked-by: David Ahern <dsahern@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/ipv4/fib_semantics.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/net/ipv4/fib_semantics.c ++++ b/net/ipv4/fib_semantics.c +@@ -632,6 +632,11 @@ int fib_nh_match(struct fib_config *cfg, + cfg->fc_encap, fi->fib_nh, cfg)) + return 1; + } ++#ifdef CONFIG_IP_ROUTE_CLASSID ++ if (cfg->fc_flow && ++ cfg->fc_flow != fi->fib_nh->nh_tclassid) ++ return 1; ++#endif + if ((!cfg->fc_oif || cfg->fc_oif == fi->fib_nh->nh_oif) && + (!cfg->fc_gw || cfg->fc_gw == fi->fib_nh->nh_gw)) + return 0; diff --git a/patches.suse/flow_dissector-properly-cap-thoff-field.patch b/patches.suse/flow_dissector-properly-cap-thoff-field.patch new file mode 100644 index 0000000000..41ea4111fa --- /dev/null +++ b/patches.suse/flow_dissector-properly-cap-thoff-field.patch @@ -0,0 +1,92 @@ +From: Eric Dumazet <edumazet@google.com> +Date: Wed, 17 Jan 2018 14:21:13 -0800 +Subject: flow_dissector: properly cap thoff field +Git-commit: d0c081b49137cd3200f2023c0875723be66e7ce5 +Patch-mainline: v4.15-rc9 +References: networking-stable-18_01_28 + +syzbot reported yet another crash [1] that is caused by +insufficient validation of DODGY packets. + +Two bugs are happening here to trigger the crash. + +1) Flow dissection leaves with incorrect thoff field. + +2) skb_probe_transport_header() sets transport header to this invalid +thoff, even if pointing after skb valid data. + +3) qdisc_pkt_len_init() reads out-of-bound data because it +trusts tcp_hdrlen(skb) + +Possible fixes : + +- Full flow dissector validation before injecting bad DODGY packets in +the stack. + This approach was attempted here : https://patchwork.ozlabs.org/patch/ +861874/ + +- Have more robust functions in the core. + This might be needed anyway for stable versions. + +This patch fixes the flow dissection issue. + +[1] +CPU: 1 PID: 3144 Comm: syzkaller271204 Not tainted 4.15.0-rc4-mm1+ #49 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:17 [inline] + dump_stack+0x194/0x257 lib/dump_stack.c:53 + print_address_description+0x73/0x250 mm/kasan/report.c:256 + kasan_report_error mm/kasan/report.c:355 [inline] + kasan_report+0x23b/0x360 mm/kasan/report.c:413 + __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:432 + __tcp_hdrlen include/linux/tcp.h:35 [inline] + tcp_hdrlen include/linux/tcp.h:40 [inline] + qdisc_pkt_len_init net/core/dev.c:3160 [inline] + __dev_queue_xmit+0x20d3/0x2200 net/core/dev.c:3465 + dev_queue_xmit+0x17/0x20 net/core/dev.c:3554 + packet_snd net/packet/af_packet.c:2943 [inline] + packet_sendmsg+0x3ad5/0x60a0 net/packet/af_packet.c:2968 + sock_sendmsg_nosec net/socket.c:628 [inline] + sock_sendmsg+0xca/0x110 net/socket.c:638 + sock_write_iter+0x31a/0x5d0 net/socket.c:907 + call_write_iter include/linux/fs.h:1776 [inline] + new_sync_write fs/read_write.c:469 [inline] + __vfs_write+0x684/0x970 fs/read_write.c:482 + vfs_write+0x189/0x510 fs/read_write.c:544 + SYSC_write fs/read_write.c:589 [inline] + SyS_write+0xef/0x220 fs/read_write.c:581 + entry_SYSCALL_64_fastpath+0x1f/0x96 + +Fixes: 34fad54c2537 ("net: __skb_flow_dissect() must cap its return value") +Fixes: a6e544b0a88b ("flow_dissector: Jump to exit code in __skb_flow_dissect") +Signed-off-by: Eric Dumazet <edumazet@google.com> +Cc: Willem de Bruijn <willemb@google.com> +Reported-by: syzbot <syzkaller@googlegroups.com> +Acked-by: Jason Wang <jasowang@redhat.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/core/flow_dissector.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/net/core/flow_dissector.c ++++ b/net/core/flow_dissector.c +@@ -776,8 +776,8 @@ ip_proto_again: + out_good: + ret = true; + +- key_control->thoff = (u16)nhoff; + out: ++ key_control->thoff = min_t(u16, nhoff, skb ? skb->len : hlen); + key_basic->n_proto = proto; + key_basic->ip_proto = ip_proto; + +@@ -785,7 +785,6 @@ out: + + out_bad: + ret = false; +- key_control->thoff = min_t(u16, nhoff, skb ? skb->len : hlen); + goto out; + } + EXPORT_SYMBOL(__skb_flow_dissect); diff --git a/patches.suse/hdlc_ppp-carrier-detect-ok-don-t-turn-off-negotiatio.patch b/patches.suse/hdlc_ppp-carrier-detect-ok-don-t-turn-off-negotiatio.patch new file mode 100644 index 0000000000..235fa3f3fb --- /dev/null +++ b/patches.suse/hdlc_ppp-carrier-detect-ok-don-t-turn-off-negotiatio.patch @@ -0,0 +1,34 @@ +From: Denis Du <dudenis2000@yahoo.ca> +Date: Sat, 24 Feb 2018 16:51:42 -0500 +Subject: hdlc_ppp: carrier detect ok, don't turn off negotiation +Git-commit: b6c3bad1ba83af1062a7ff6986d9edc4f3d7fc8e +Patch-mainline: v4.16-rc5 +References: networking-stable-18_03_07 + +Sometimes when physical lines have a just good noise to make the protocol +handshaking fail, but the carrier detect still good. Then after remove of +the noise, nobody will trigger this protocol to be start again to cause +the link to never come back. The fix is when the carrier is still on, not +terminate the protocol handshaking. + +Signed-off-by: Denis Du <dudenis2000@yahoo.ca> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/wan/hdlc_ppp.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/net/wan/hdlc_ppp.c ++++ b/drivers/net/wan/hdlc_ppp.c +@@ -574,7 +574,10 @@ static void ppp_timer(unsigned long arg) + ppp_cp_event(proto->dev, proto->pid, TO_GOOD, 0, 0, + 0, NULL); + proto->restart_counter--; +- } else ++ } else if (netif_carrier_ok(proto->dev)) ++ ppp_cp_event(proto->dev, proto->pid, TO_GOOD, 0, 0, ++ 0, NULL); ++ else + ppp_cp_event(proto->dev, proto->pid, TO_BAD, 0, 0, + 0, NULL); + break; diff --git a/patches.suse/ieee802154-6lowpan-fix-possible-NULL-deref-in-lowpan.patch b/patches.suse/ieee802154-6lowpan-fix-possible-NULL-deref-in-lowpan.patch new file mode 100644 index 0000000000..23c0f8d7bb --- /dev/null +++ b/patches.suse/ieee802154-6lowpan-fix-possible-NULL-deref-in-lowpan.patch @@ -0,0 +1,54 @@ +From: Eric Dumazet <edumazet@google.com> +Date: Mon, 5 Mar 2018 08:51:03 -0800 +Subject: ieee802154: 6lowpan: fix possible NULL deref in lowpan_device_event() +Git-commit: ca0edb131bdf1e6beaeb2b8289fd6b374b74147d +Patch-mainline: v4.16-rc7 +References: networking-stable-18_03_28 + +A tun device type can trivially be set to arbitrary value using +TUNSETLINK ioctl(). + +Therefore, lowpan_device_event() must really check that ieee802154_ptr +is not NULL. + +Fixes: 2c88b5283f60d ("ieee802154: 6lowpan: remove check on null") +Signed-off-by: Eric Dumazet <edumazet@google.com> +Cc: Alexander Aring <alex.aring@gmail.com> +Cc: Stefan Schmidt <stefan@osg.samsung.com> +Reported-by: syzbot <syzkaller@googlegroups.com> +Acked-by: Stefan Schmidt <stefan@osg.samsung.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/ieee802154/6lowpan/core.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/net/ieee802154/6lowpan/core.c ++++ b/net/ieee802154/6lowpan/core.c +@@ -205,9 +205,13 @@ static inline void lowpan_netlink_fini(v + static int lowpan_device_event(struct notifier_block *unused, + unsigned long event, void *ptr) + { +- struct net_device *wdev = netdev_notifier_info_to_dev(ptr); ++ struct net_device *ndev = netdev_notifier_info_to_dev(ptr); ++ struct wpan_dev *wpan_dev; + +- if (wdev->type != ARPHRD_IEEE802154) ++ if (ndev->type != ARPHRD_IEEE802154) ++ return NOTIFY_DONE; ++ wpan_dev = ndev->ieee802154_ptr; ++ if (!wpan_dev) + return NOTIFY_DONE; + + switch (event) { +@@ -216,8 +220,8 @@ static int lowpan_device_event(struct no + * also delete possible lowpan interfaces which belongs + * to the wpan interface. + */ +- if (wdev->ieee802154_ptr->lowpan_dev) +- lowpan_dellink(wdev->ieee802154_ptr->lowpan_dev, NULL); ++ if (wpan_dev->lowpan_dev) ++ lowpan_dellink(wpan_dev->lowpan_dev, NULL); + break; + default: + return NOTIFY_DONE; diff --git a/patches.suse/ip6_gre-init-dev-mtu-and-dev-hard_header_len-correct.patch b/patches.suse/ip6_gre-init-dev-mtu-and-dev-hard_header_len-correct.patch new file mode 100644 index 0000000000..b2eeba7ed9 --- /dev/null +++ b/patches.suse/ip6_gre-init-dev-mtu-and-dev-hard_header_len-correct.patch @@ -0,0 +1,91 @@ +From: Alexey Kodanev <alexey.kodanev@oracle.com> +Date: Thu, 18 Jan 2018 20:51:12 +0300 +Subject: ip6_gre: init dev->mtu and dev->hard_header_len correctly +Git-commit: 128bb975dc3c25d00de04e503e2fe0a780d04459 +Patch-mainline: v4.15-rc9 +References: networking-stable-18_01_28 + +Commit b05229f44228 ("gre6: Cleanup GREv6 transmit path, +call common GRE functions") moved dev->mtu initialization +from ip6gre_tunnel_setup() to ip6gre_tunnel_init(), as a +result, the previously set values, before ndo_init(), are +reset in the following cases: + +* rtnl_create_link() can update dev->mtu from IFLA_MTU + parameter. + +* ip6gre_tnl_link_config() is invoked before ndo_init() in + netlink and ioctl setup, so ndo_init() can reset MTU + adjustments with the lower device MTU as well, dev->mtu + and dev->hard_header_len. + + Not applicable for ip6gretap because it has one more call + to ip6gre_tnl_link_config(tunnel, 1) in ip6gre_tap_init(). + +Fix the first case by updating dev->mtu with 'tb[IFLA_MTU]' +parameter if a user sets it manually on a device creation, +and fix the second one by moving ip6gre_tnl_link_config() +call after register_netdevice(). + +Fixes: b05229f44228 ("gre6: Cleanup GREv6 transmit path, call common GRE functions") +Fixes: db2ec95d1ba4 ("ip6_gre: Fix MTU setting") +Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/ipv6/ip6_gre.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -337,11 +337,12 @@ static struct ip6_tnl *ip6gre_tunnel_loc + + nt->dev = dev; + nt->net = dev_net(dev); +- ip6gre_tnl_link_config(nt, 1); + + if (register_netdevice(dev) < 0) + goto failed_free; + ++ ip6gre_tnl_link_config(nt, 1); ++ + /* Can use a lockless transmit, unless we generate output sequences */ + if (!(nt->parms.o_flags & TUNNEL_SEQ)) + dev->features |= NETIF_F_LLTX; +@@ -1305,7 +1306,6 @@ static void ip6gre_netlink_parms(struct + + static int ip6gre_tap_init(struct net_device *dev) + { +- struct ip6_tnl *tunnel; + int ret; + + ret = ip6gre_tunnel_init_common(dev); +@@ -1314,10 +1314,6 @@ static int ip6gre_tap_init(struct net_de + + dev->priv_flags |= IFF_LIVE_ADDR_CHANGE; + +- tunnel = netdev_priv(dev); +- +- ip6gre_tnl_link_config(tunnel, 1); +- + return 0; + } + +@@ -1410,12 +1406,16 @@ static int ip6gre_newlink(struct net *sr + + nt->dev = dev; + nt->net = dev_net(dev); +- ip6gre_tnl_link_config(nt, !tb[IFLA_MTU]); + + err = register_netdevice(dev); + if (err) + goto out; + ++ ip6gre_tnl_link_config(nt, !tb[IFLA_MTU]); ++ ++ if (tb[IFLA_MTU]) ++ ip6_tnl_change_mtu(dev, nla_get_u32(tb[IFLA_MTU])); ++ + dev_hold(dev); + ip6gre_tunnel_link(ign, nt); + diff --git a/patches.suse/ip6mr-fix-stale-iterator.patch b/patches.suse/ip6mr-fix-stale-iterator.patch new file mode 100644 index 0000000000..4fb4dbfd11 --- /dev/null +++ b/patches.suse/ip6mr-fix-stale-iterator.patch @@ -0,0 +1,111 @@ +From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com> +Date: Wed, 31 Jan 2018 16:29:30 +0200 +Subject: ip6mr: fix stale iterator +Git-commit: 4adfa79fc254efb7b0eb3cd58f62c2c3f805f1ba +Patch-mainline: v4.16-rc1 +References: networking-stable-18_02_06 + +When we dump the ip6mr mfc entries via proc, we initialize an iterator +with the table to dump but we don't clear the cache pointer which might +be initialized from a prior read on the same descriptor that ended. This +can result in lock imbalance (an unnecessary unlock) leading to other +crashes and hangs. Clear the cache pointer like ipmr does to fix the issue. +Thanks for the reliable reproducer. + +Here's syzbot's trace: + WARNING: bad unlock balance detected! + 4.15.0-rc3+ #128 Not tainted + syzkaller971460/3195 is trying to release lock (mrt_lock) at: + [<000000006898068d>] ipmr_mfc_seq_stop+0xe1/0x130 net/ipv6/ip6mr.c:553 + but there are no more locks to release! + + other info that might help us debug this: + 1 lock held by syzkaller971460/3195: + #0: (&p->lock){+.+.}, at: [<00000000744a6565>] seq_read+0xd5/0x13d0 + fs/seq_file.c:165 + + stack backtrace: + CPU: 1 PID: 3195 Comm: syzkaller971460 Not tainted 4.15.0-rc3+ #128 + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS + Google 01/01/2011 + Call Trace: + __dump_stack lib/dump_stack.c:17 [inline] + dump_stack+0x194/0x257 lib/dump_stack.c:53 + print_unlock_imbalance_bug+0x12f/0x140 kernel/locking/lockdep.c:3561 + __lock_release kernel/locking/lockdep.c:3775 [inline] + lock_release+0x5f9/0xda0 kernel/locking/lockdep.c:4023 + __raw_read_unlock include/linux/rwlock_api_smp.h:225 [inline] + _raw_read_unlock+0x1a/0x30 kernel/locking/spinlock.c:255 + ipmr_mfc_seq_stop+0xe1/0x130 net/ipv6/ip6mr.c:553 + traverse+0x3bc/0xa00 fs/seq_file.c:135 + seq_read+0x96a/0x13d0 fs/seq_file.c:189 + proc_reg_read+0xef/0x170 fs/proc/inode.c:217 + do_loop_readv_writev fs/read_write.c:673 [inline] + do_iter_read+0x3db/0x5b0 fs/read_write.c:897 + compat_readv+0x1bf/0x270 fs/read_write.c:1140 + do_compat_preadv64+0xdc/0x100 fs/read_write.c:1189 + C_SYSC_preadv fs/read_write.c:1209 [inline] + compat_SyS_preadv+0x3b/0x50 fs/read_write.c:1203 + do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline] + do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389 + entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:125 + RIP: 0023:0xf7f73c79 + RSP: 002b:00000000e574a15c EFLAGS: 00000292 ORIG_RAX: 000000000000014d + RAX: ffffffffffffffda RBX: 000000000000000f RCX: 0000000020a3afb0 + RDX: 0000000000000001 RSI: 0000000000000067 RDI: 0000000000000000 + RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 + R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 + R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + BUG: sleeping function called from invalid context at lib/usercopy.c:25 + in_atomic(): 1, irqs_disabled(): 0, pid: 3195, name: syzkaller971460 + INFO: lockdep is turned off. + CPU: 1 PID: 3195 Comm: syzkaller971460 Not tainted 4.15.0-rc3+ #128 + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS + Google 01/01/2011 + Call Trace: + __dump_stack lib/dump_stack.c:17 [inline] + dump_stack+0x194/0x257 lib/dump_stack.c:53 + ___might_sleep+0x2b2/0x470 kernel/sched/core.c:6060 + __might_sleep+0x95/0x190 kernel/sched/core.c:6013 + __might_fault+0xab/0x1d0 mm/memory.c:4525 + _copy_to_user+0x2c/0xc0 lib/usercopy.c:25 + copy_to_user include/linux/uaccess.h:155 [inline] + seq_read+0xcb4/0x13d0 fs/seq_file.c:279 + proc_reg_read+0xef/0x170 fs/proc/inode.c:217 + do_loop_readv_writev fs/read_write.c:673 [inline] + do_iter_read+0x3db/0x5b0 fs/read_write.c:897 + compat_readv+0x1bf/0x270 fs/read_write.c:1140 + do_compat_preadv64+0xdc/0x100 fs/read_write.c:1189 + C_SYSC_preadv fs/read_write.c:1209 [inline] + compat_SyS_preadv+0x3b/0x50 fs/read_write.c:1203 + do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline] + do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389 + entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:125 + RIP: 0023:0xf7f73c79 + RSP: 002b:00000000e574a15c EFLAGS: 00000292 ORIG_RAX: 000000000000014d + RAX: ffffffffffffffda RBX: 000000000000000f RCX: 0000000020a3afb0 + RDX: 0000000000000001 RSI: 0000000000000067 RDI: 0000000000000000 + RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 + R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 + R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + WARNING: CPU: 1 PID: 3195 at lib/usercopy.c:26 _copy_to_user+0xb5/0xc0 + lib/usercopy.c:26 + +Reported-by: syzbot <bot+eceb3204562c41a438fa1f2335e0fe4f6886d669@syzkaller.appspotmail.com> +Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/ipv6/ip6mr.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/ipv6/ip6mr.c ++++ b/net/ipv6/ip6mr.c +@@ -495,6 +495,7 @@ static void *ipmr_mfc_seq_start(struct s + return ERR_PTR(-ENOENT); + + it->mrt = mrt; ++ it->cache = NULL; + return *pos ? ipmr_mfc_seq_idx(net, seq->private, *pos - 1) + : SEQ_START_TOKEN; + } diff --git a/patches.suse/ipv4-Make-neigh-lookup-keys-for-loopback-point-to-po.patch b/patches.suse/ipv4-Make-neigh-lookup-keys-for-loopback-point-to-po.patch new file mode 100644 index 0000000000..1a55c54bac --- /dev/null +++ b/patches.suse/ipv4-Make-neigh-lookup-keys-for-loopback-point-to-po.patch @@ -0,0 +1,56 @@ +From: Jim Westfall <jwestfall@surrealistic.net> +Date: Sun, 14 Jan 2018 04:18:51 -0800 +Subject: ipv4: Make neigh lookup keys for loopback/point-to-point devices be + INADDR_ANY +Git-commit: cd9ff4de0107c65d69d02253bb25d6db93c3dbc1 +Patch-mainline: v4.15-rc9 +References: networking-stable-18_01_28 + +Map all lookup neigh keys to INADDR_ANY for loopback/point-to-point devices +to avoid making an entry for every remote ip the device needs to talk to. + +This used the be the old behavior but became broken in a263b3093641f +(ipv4: Make neigh lookups directly in output packet path) and later removed +in 0bb4087cbec0 (ipv4: Fix neigh lookup keying over loopback/point-to-point +devices) because it was broken. + +Signed-off-by: Jim Westfall <jwestfall@surrealistic.net> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + include/net/arp.h | 3 +++ + net/ipv4/arp.c | 7 ++++++- + 2 files changed, 9 insertions(+), 1 deletion(-) + +--- a/include/net/arp.h ++++ b/include/net/arp.h +@@ -19,6 +19,9 @@ static inline u32 arp_hashfn(const void + + static inline struct neighbour *__ipv4_neigh_lookup_noref(struct net_device *dev, u32 key) + { ++ if (dev->flags & (IFF_LOOPBACK | IFF_POINTOPOINT)) ++ key = INADDR_ANY; ++ + return ___neigh_lookup_noref(&arp_tbl, neigh_key_eq32, arp_hashfn, &key, dev); + } + +--- a/net/ipv4/arp.c ++++ b/net/ipv4/arp.c +@@ -223,11 +223,16 @@ static bool arp_key_eq(const struct neig + + static int arp_constructor(struct neighbour *neigh) + { +- __be32 addr = *(__be32 *)neigh->primary_key; ++ __be32 addr; + struct net_device *dev = neigh->dev; + struct in_device *in_dev; + struct neigh_parms *parms; ++ u32 inaddr_any = INADDR_ANY; + ++ if (dev->flags & (IFF_LOOPBACK | IFF_POINTOPOINT)) ++ memcpy(neigh->primary_key, &inaddr_any, arp_tbl.key_len); ++ ++ addr = *(__be32 *)neigh->primary_key; + rcu_read_lock(); + in_dev = __in_dev_get_rcu(dev); + if (!in_dev) { diff --git a/patches.suse/ipv6-fix-access-to-non-linear-packet-in-ndisc_fill_r.patch b/patches.suse/ipv6-fix-access-to-non-linear-packet-in-ndisc_fill_r.patch new file mode 100644 index 0000000000..465fec8521 --- /dev/null +++ b/patches.suse/ipv6-fix-access-to-non-linear-packet-in-ndisc_fill_r.patch @@ -0,0 +1,119 @@ +From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com> +Date: Thu, 8 Mar 2018 17:00:02 +0100 +Subject: ipv6: fix access to non-linear packet in + ndisc_fill_redirect_hdr_option() +Git-commit: 9f62c15f28b0d1d746734666d88a79f08ba1e43e +Patch-mainline: v4.16-rc7 +References: networking-stable-18_03_28 + +Fix the following slab-out-of-bounds kasan report in +ndisc_fill_redirect_hdr_option when the incoming ipv6 packet is not +linear and the accessed data are not in the linear data region of orig_skb. + +[ 1503.122508] ================================================================== +[ 1503.122832] BUG: KASAN: slab-out-of-bounds in ndisc_send_redirect+0x94e/0x990 +[ 1503.123036] Read of size 1184 at addr ffff8800298ab6b0 by task netperf/1932 + +[ 1503.123220] CPU: 0 PID: 1932 Comm: netperf Not tainted 4.16.0-rc2+ #124 +[ 1503.123347] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.10.2-2.fc27 04/01/2014 +[ 1503.123527] Call Trace: +[ 1503.123579] <IRQ> +[ 1503.123638] print_address_description+0x6e/0x280 +[ 1503.123849] kasan_report+0x233/0x350 +[ 1503.123946] memcpy+0x1f/0x50 +[ 1503.124037] ndisc_send_redirect+0x94e/0x990 +[ 1503.125150] ip6_forward+0x1242/0x13b0 +[...] +[ 1503.153890] Allocated by task 1932: +[ 1503.153982] kasan_kmalloc+0x9f/0xd0 +[ 1503.154074] __kmalloc_track_caller+0xb5/0x160 +[ 1503.154198] __kmalloc_reserve.isra.41+0x24/0x70 +[ 1503.154324] __alloc_skb+0x130/0x3e0 +[ 1503.154415] sctp_packet_transmit+0x21a/0x1810 +[ 1503.154533] sctp_outq_flush+0xc14/0x1db0 +[ 1503.154624] sctp_do_sm+0x34e/0x2740 +[ 1503.154715] sctp_primitive_SEND+0x57/0x70 +[ 1503.154807] sctp_sendmsg+0xaa6/0x1b10 +[ 1503.154897] sock_sendmsg+0x68/0x80 +[ 1503.154987] ___sys_sendmsg+0x431/0x4b0 +[ 1503.155078] __sys_sendmsg+0xa4/0x130 +[ 1503.155168] do_syscall_64+0x171/0x3f0 +[ 1503.155259] entry_SYSCALL_64_after_hwframe+0x42/0xb7 + +[ 1503.155436] Freed by task 1932: +[ 1503.155527] __kasan_slab_free+0x134/0x180 +[ 1503.155618] kfree+0xbc/0x180 +[ 1503.155709] skb_release_data+0x27f/0x2c0 +[ 1503.155800] consume_skb+0x94/0xe0 +[ 1503.155889] sctp_chunk_put+0x1aa/0x1f0 +[ 1503.155979] sctp_inq_pop+0x2f8/0x6e0 +[ 1503.156070] sctp_assoc_bh_rcv+0x6a/0x230 +[ 1503.156164] sctp_inq_push+0x117/0x150 +[ 1503.156255] sctp_backlog_rcv+0xdf/0x4a0 +[ 1503.156346] __release_sock+0x142/0x250 +[ 1503.156436] release_sock+0x80/0x180 +[ 1503.156526] sctp_sendmsg+0xbb0/0x1b10 +[ 1503.156617] sock_sendmsg+0x68/0x80 +[ 1503.156708] ___sys_sendmsg+0x431/0x4b0 +[ 1503.156799] __sys_sendmsg+0xa4/0x130 +[ 1503.156889] do_syscall_64+0x171/0x3f0 +[ 1503.156980] entry_SYSCALL_64_after_hwframe+0x42/0xb7 + +[ 1503.157158] The buggy address belongs to the object at ffff8800298ab600 + which belongs to the cache kmalloc-1024 of size 1024 +[ 1503.157444] The buggy address is located 176 bytes inside of + 1024-byte region [ffff8800298ab600, ffff8800298aba00) +[ 1503.157702] The buggy address belongs to the page: +[ 1503.157820] page:ffffea0000a62a00 count:1 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0 +[ 1503.158053] flags: 0x4000000000008100(slab|head) +[ 1503.158171] raw: 4000000000008100 0000000000000000 0000000000000000 00000001800e000e +[ 1503.158350] raw: dead000000000100 dead000000000200 ffff880036002600 0000000000000000 +[ 1503.158523] page dumped because: kasan: bad access detected + +[ 1503.158698] Memory state around the buggy address: +[ 1503.158816] ffff8800298ab900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 1503.158988] ffff8800298ab980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 1503.159165] >ffff8800298aba00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 1503.159338] ^ +[ 1503.159436] ffff8800298aba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 1503.159610] ffff8800298abb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 1503.159785] ================================================================== +[ 1503.159964] Disabling lock debugging due to kernel taint + +The test scenario to trigger the issue consists of 4 devices: +- H0: data sender, connected to LAN0 +- H1: data receiver, connected to LAN1 +- GW0 and GW1: routers between LAN0 and LAN1. Both of them have an + ethernet connection on LAN0 and LAN1 +On H{0,1} set GW0 as default gateway while on GW0 set GW1 as next hop for +data from LAN0 to LAN1. +Moreover create an ip6ip6 tunnel between H0 and H1 and send 3 concurrent +data streams (TCP/UDP/SCTP) from H0 to H1 through ip6ip6 tunnel (send +buffer size is set to 16K). While data streams are active flush the route +cache on HA multiple times. +I have not been able to identify a given commit that introduced the issue +since, using the reproducer described above, the kasan report has been +triggered from 4.14 and I have not gone back further. + +Reported-by: Jianlin Shi <jishi@redhat.com> +Reviewed-by: Stefano Brivio <sbrivio@redhat.com> +Reviewed-by: Eric Dumazet <edumazet@google.com> +Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/ipv6/ndisc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/ipv6/ndisc.c ++++ b/net/ipv6/ndisc.c +@@ -1546,7 +1546,8 @@ static void ndisc_fill_redirect_hdr_opti + *(opt++) = (rd_len >> 3); + opt += 6; + +- memcpy(opt, ipv6_hdr(orig_skb), rd_len - 8); ++ skb_copy_bits(orig_skb, skb_network_offset(orig_skb), opt, ++ rd_len - 8); + } + + void ndisc_send_redirect(struct sk_buff *skb, const struct in6_addr *target) diff --git a/patches.suse/ipv6-fix-udpv6-sendmsg-crash-caused-by-too-small-MTU.patch b/patches.suse/ipv6-fix-udpv6-sendmsg-crash-caused-by-too-small-MTU.patch new file mode 100644 index 0000000000..9349ebf5b2 --- /dev/null +++ b/patches.suse/ipv6-fix-udpv6-sendmsg-crash-caused-by-too-small-MTU.patch @@ -0,0 +1,91 @@ +From: Mike Maloney <maloney@google.com> +Date: Wed, 10 Jan 2018 12:45:10 -0500 +Subject: ipv6: fix udpv6 sendmsg crash caused by too small MTU +Git-commit: 749439bfac6e1a2932c582e2699f91d329658196 +Patch-mainline: v4.15-rc9 +References: networking-stable-18_01_28 + +The logic in __ip6_append_data() assumes that the MTU is at least large +enough for the headers. A device's MTU may be adjusted after being +added while sendmsg() is processing data, resulting in +__ip6_append_data() seeing any MTU. For an mtu smaller than the size of +the fragmentation header, the math results in a negative 'maxfraglen', +which causes problems when refragmenting any previous skb in the +skb_write_queue, leaving it possibly malformed. + +Instead sendmsg returns EINVAL when the mtu is calculated to be less +than IPV6_MIN_MTU. + +Found by syzkaller: +kernel BUG at ./include/linux/skbuff.h:2064! +invalid opcode: 0000 [#1] SMP KASAN +Dumping ftrace buffer: + (ftrace buffer empty) +Modules linked in: +CPU: 1 PID: 14216 Comm: syz-executor5 Not tainted 4.13.0-rc4+ #2 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +task: ffff8801d0b68580 task.stack: ffff8801ac6b8000 +RIP: 0010:__skb_pull include/linux/skbuff.h:2064 [inline] +RIP: 0010:__ip6_make_skb+0x18cf/0x1f70 net/ipv6/ip6_output.c:1617 +RSP: 0018:ffff8801ac6bf570 EFLAGS: 00010216 +RAX: 0000000000010000 RBX: 0000000000000028 RCX: ffffc90003cce000 +RDX: 00000000000001b8 RSI: ffffffff839df06f RDI: ffff8801d9478ca0 +RBP: ffff8801ac6bf780 R08: ffff8801cc3f1dbc R09: 0000000000000000 +R10: ffff8801ac6bf7a0 R11: 43cb4b7b1948a9e7 R12: ffff8801cc3f1dc8 +R13: ffff8801cc3f1d40 R14: 0000000000001036 R15: dffffc0000000000 +FS: 00007f43d740c700(0000) GS:ffff8801dc100000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f7834984000 CR3: 00000001d79b9000 CR4: 00000000001406e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + ip6_finish_skb include/net/ipv6.h:911 [inline] + udp_v6_push_pending_frames+0x255/0x390 net/ipv6/udp.c:1093 + udpv6_sendmsg+0x280d/0x31a0 net/ipv6/udp.c:1363 + inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:762 + sock_sendmsg_nosec net/socket.c:633 [inline] + sock_sendmsg+0xca/0x110 net/socket.c:643 + SYSC_sendto+0x352/0x5a0 net/socket.c:1750 + SyS_sendto+0x40/0x50 net/socket.c:1718 + entry_SYSCALL_64_fastpath+0x1f/0xbe +RIP: 0033:0x4512e9 +RSP: 002b:00007f43d740bc08 EFLAGS: 00000216 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 00000000007180a8 RCX: 00000000004512e9 +RDX: 000000000000002e RSI: 0000000020d08000 RDI: 0000000000000005 +RBP: 0000000000000086 R08: 00000000209c1000 R09: 000000000000001c +R10: 0000000000040800 R11: 0000000000000216 R12: 00000000004b9c69 +R13: 00000000ffffffff R14: 0000000000000005 R15: 00000000202c2000 +Code: 9e 01 fe e9 c5 e8 ff ff e8 7f 9e 01 fe e9 4a ea ff ff 48 89 f7 e8 52 9e 01 fe e9 aa eb ff ff e8 a8 b6 cf fd 0f 0b e8 a1 b6 cf fd <0f> 0b 49 8d 45 78 4d 8d 45 7c 48 89 85 78 fe ff ff 49 8d 85 ba +RIP: __skb_pull include/linux/skbuff.h:2064 [inline] RSP: ffff8801ac6bf570 +RIP: __ip6_make_skb+0x18cf/0x1f70 net/ipv6/ip6_output.c:1617 RSP: ffff8801ac6bf570 + +Reported-by: syzbot <syzkaller@googlegroups.com> +Signed-off-by: Mike Maloney <maloney@google.com> +Reviewed-by: Eric Dumazet <edumazet@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/ipv6/ip6_output.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -1207,14 +1207,16 @@ static int ip6_setup_cork(struct sock *s + v6_cork->tclass = ipc6->tclass; + if (rt->dst.flags & DST_XFRM_TUNNEL) + mtu = np->pmtudisc >= IPV6_PMTUDISC_PROBE ? +- rt->dst.dev->mtu : dst_mtu(&rt->dst); ++ READ_ONCE(rt->dst.dev->mtu) : dst_mtu(&rt->dst); + else + mtu = np->pmtudisc >= IPV6_PMTUDISC_PROBE ? +- rt->dst.dev->mtu : dst_mtu(rt->dst.path); ++ READ_ONCE(rt->dst.dev->mtu) : dst_mtu(rt->dst.path); + if (np->frag_size < mtu) { + if (np->frag_size) + mtu = np->frag_size; + } ++ if (mtu < IPV6_MIN_MTU) ++ return -EINVAL; + cork->base.fragsize = mtu; + if (dst_allfrag(rt->dst.path)) + cork->base.flags |= IPCORK_ALLFRAG; diff --git a/patches.suse/ipv6-old_dport-should-be-a-__be16-in-__ip6_datagram_.patch b/patches.suse/ipv6-old_dport-should-be-a-__be16-in-__ip6_datagram_.patch new file mode 100644 index 0000000000..c3a2c128aa --- /dev/null +++ b/patches.suse/ipv6-old_dport-should-be-a-__be16-in-__ip6_datagram_.patch @@ -0,0 +1,28 @@ +From: Stefano Brivio <sbrivio@redhat.com> +Date: Mon, 19 Mar 2018 11:24:58 +0100 +Subject: ipv6: old_dport should be a __be16 in __ip6_datagram_connect() +Git-commit: 5f2fb802eee1df0810b47ea251942fe3fd36589a +Patch-mainline: v4.16-rc7 +References: networking-stable-18_03_28 + +Fixes: 2f987a76a977 ("net: ipv6: keep sk status consistent after datagram connect failure") +Signed-off-by: Stefano Brivio <sbrivio@redhat.com> +Acked-by: Paolo Abeni <pabeni@redhat.com> +Acked-by: Guillaume Nault <g.nault@alphalink.fr> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/ipv6/datagram.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv6/datagram.c ++++ b/net/ipv6/datagram.c +@@ -149,7 +149,7 @@ int __ip6_datagram_connect(struct sock * + struct in6_addr *daddr, old_daddr; + __be32 fl6_flowlabel = 0; + __be32 old_fl6_flowlabel; +- __be32 old_dport; ++ __be16 old_dport; + int addr_type; + int err; + diff --git a/patches.suse/ipv6-sit-work-around-bogus-gcc-8-Wrestrict-warning.patch b/patches.suse/ipv6-sit-work-around-bogus-gcc-8-Wrestrict-warning.patch new file mode 100644 index 0000000000..dd7f1cf238 --- /dev/null +++ b/patches.suse/ipv6-sit-work-around-bogus-gcc-8-Wrestrict-warning.patch @@ -0,0 +1,46 @@ +From: Arnd Bergmann <arnd@arndb.de> +Date: Thu, 22 Feb 2018 16:55:34 +0100 +Subject: ipv6 sit: work around bogus gcc-8 -Wrestrict warning +Git-commit: ca79bec237f5809a7c3c59bd41cd0880aa889966 +Patch-mainline: v4.16-rc3 +References: networking-stable-18_03_07 + +gcc-8 has a new warning that detects overlapping input and output arguments +in memcpy(). It triggers for sit_init_net() calling ipip6_tunnel_clone_6rd(), +which is actually correct: + +net/ipv6/sit.c: In function 'sit_init_net': +net/ipv6/sit.c:192:3: error: 'memcpy' source argument is the same as destination [-Werror=restrict] + +The problem here is that the logic detecting the memcpy() arguments finds them +to be the same, but the conditional that tests for the input and output of +ipip6_tunnel_clone_6rd() to be identical is not a compile-time constant. + +We know that netdev_priv(t->dev) is the same as t for a tunnel device, +and comparing "dev" directly here lets the compiler figure out as well +that 'dev == sitn->fb_tunnel_dev' when called from sit_init_net(), so +it no longer warns. + +This code is old, so Cc stable to make sure that we don't get the warning +for older kernels built with new gcc. + +Cc: Martin Sebor <msebor@gmail.com> +Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83456 +Signed-off-by: Arnd Bergmann <arnd@arndb.de> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/ipv6/sit.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv6/sit.c ++++ b/net/ipv6/sit.c +@@ -176,7 +176,7 @@ static void ipip6_tunnel_clone_6rd(struc + #ifdef CONFIG_IPV6_SIT_6RD + struct ip_tunnel *t = netdev_priv(dev); + +- if (t->dev == sitn->fb_tunnel_dev) { ++ if (dev == sitn->fb_tunnel_dev) { + ipv6_addr_set(&t->ip6rd.prefix, htonl(0x20020000), 0, 0, 0); + t->ip6rd.relay_prefix = 0; + t->ip6rd.prefixlen = 16; diff --git a/patches.suse/ipv6-sr-fix-NULL-pointer-dereference-in-seg6_do_srh_.patch b/patches.suse/ipv6-sr-fix-NULL-pointer-dereference-in-seg6_do_srh_.patch new file mode 100644 index 0000000000..9d70c4a7d9 --- /dev/null +++ b/patches.suse/ipv6-sr-fix-NULL-pointer-dereference-in-seg6_do_srh_.patch @@ -0,0 +1,93 @@ +From: Ahmed Abdelsalam <amsalam20@gmail.com> +Date: Fri, 20 Apr 2018 15:58:05 +0200 +Subject: ipv6: sr: fix NULL pointer dereference in seg6_do_srh_encap()- v4 + pkts +Git-commit: a957fa190aa9d9168b33d460a5241a6d088c6265 +Patch-mainline: v4.17-rc3 +References: git-fixes + +In case of seg6 in encap mode, seg6_do_srh_encap() calls set_tun_src() +in order to set the src addr of outer IPv6 header. + +The net_device is required for set_tun_src(). However calling ip6_dst_idev() +on dst_entry in case of IPv4 traffic results on the following bug. + +Using just dst->dev should fix this BUG. + +[ 196.242461] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 +[ 196.242975] PGD 800000010f076067 P4D 800000010f076067 PUD 10f060067 PMD 0 +[ 196.243329] Oops: 0000 [#1] SMP PTI +[ 196.243468] Modules linked in: nfsd auth_rpcgss nfs_acl nfs lockd grace fscache sunrpc crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd cryptd input_leds glue_helper led_class pcspkr serio_raw mac_hid video autofs4 hid_generic usbhid hid e1000 i2c_piix4 ahci pata_acpi libahci +[ 196.244362] CPU: 2 PID: 1089 Comm: ping Not tainted 4.16.0+ #1 +[ 196.244606] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 +[ 196.244968] RIP: 0010:seg6_do_srh_encap+0x1ac/0x300 +[ 196.245236] RSP: 0018:ffffb2ce00b23a60 EFLAGS: 00010202 +[ 196.245464] RAX: 0000000000000000 RBX: ffff8c7f53eea300 RCX: 0000000000000000 +[ 196.245742] RDX: 0000f10000000000 RSI: ffff8c7f52085a6c RDI: ffff8c7f41166850 +[ 196.246018] RBP: ffffb2ce00b23aa8 R08: 00000000000261e0 R09: ffff8c7f41166800 +[ 196.246294] R10: ffffdce5040ac780 R11: ffff8c7f41166828 R12: ffff8c7f41166808 +[ 196.246570] R13: ffff8c7f52085a44 R14: ffffffffb73211c0 R15: ffff8c7e69e44200 +[ 196.246846] FS: 00007fc448789700(0000) GS:ffff8c7f59d00000(0000) knlGS:0000000000000000 +[ 196.247286] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 196.247526] CR2: 0000000000000000 CR3: 000000010f05a000 CR4: 00000000000406e0 +[ 196.247804] Call Trace: +[ 196.247972] seg6_do_srh+0x15b/0x1c0 +[ 196.248156] seg6_output+0x3c/0x220 +[ 196.248341] ? prandom_u32+0x14/0x20 +[ 196.248526] ? ip_idents_reserve+0x6c/0x80 +[ 196.248723] ? __ip_select_ident+0x90/0x100 +[ 196.248923] ? ip_append_data.part.50+0x6c/0xd0 +[ 196.249133] lwtunnel_output+0x44/0x70 +[ 196.249328] ip_send_skb+0x15/0x40 +[ 196.249515] raw_sendmsg+0x8c3/0xac0 +[ 196.249701] ? _copy_from_user+0x2e/0x60 +[ 196.249897] ? rw_copy_check_uvector+0x53/0x110 +[ 196.250106] ? _copy_from_user+0x2e/0x60 +[ 196.250299] ? copy_msghdr_from_user+0xce/0x140 +[ 196.250508] sock_sendmsg+0x36/0x40 +[ 196.250690] ___sys_sendmsg+0x292/0x2a0 +[ 196.250881] ? _cond_resched+0x15/0x30 +[ 196.251074] ? copy_termios+0x1e/0x70 +[ 196.251261] ? _copy_to_user+0x22/0x30 +[ 196.251575] ? tty_mode_ioctl+0x1c3/0x4e0 +[ 196.251782] ? _cond_resched+0x15/0x30 +[ 196.251972] ? mutex_lock+0xe/0x30 +[ 196.252152] ? vvar_fault+0xd2/0x110 +[ 196.252337] ? __do_fault+0x1f/0xc0 +[ 196.252521] ? __handle_mm_fault+0xc1f/0x12d0 +[ 196.252727] ? __sys_sendmsg+0x63/0xa0 +[ 196.252919] __sys_sendmsg+0x63/0xa0 +[ 196.253107] do_syscall_64+0x72/0x200 +[ 196.253305] entry_SYSCALL_64_after_hwframe+0x3d/0xa2 +[ 196.253530] RIP: 0033:0x7fc4480b0690 +[ 196.253715] RSP: 002b:00007ffde9f252f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +[ 196.254053] RAX: ffffffffffffffda RBX: 0000000000000040 RCX: 00007fc4480b0690 +[ 196.254331] RDX: 0000000000000000 RSI: 000000000060a360 RDI: 0000000000000003 +[ 196.254608] RBP: 00007ffde9f253f0 R08: 00000000002d1e81 R09: 0000000000000002 +[ 196.254884] R10: 00007ffde9f250c0 R11: 0000000000000246 R12: 0000000000b22070 +[ 196.255205] R13: 20c49ba5e353f7cf R14: 431bde82d7b634db R15: 00007ffde9f278fe +[ 196.255484] Code: a5 0f b6 45 c0 41 88 41 28 41 0f b6 41 2c 48 c1 e0 04 49 8b 54 01 38 49 8b 44 01 30 49 89 51 20 49 89 41 18 48 8b 83 b0 00 00 00 <48> 8b 30 49 8b 86 08 0b 00 00 48 8b 40 20 48 8b 50 08 48 0b 10 +[ 196.256190] RIP: seg6_do_srh_encap+0x1ac/0x300 RSP: ffffb2ce00b23a60 +[ 196.256445] CR2: 0000000000000000 +[ 196.256676] ---[ end trace 71af7d093603885c ]--- + +Fixes: 8936ef7604c11 ("ipv6: sr: fix NULL pointer dereference when setting encap source address") +Signed-off-by: Ahmed Abdelsalam <amsalam20@gmail.com> +Acked-by: David Lebrun <dlebrun@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/ipv6/seg6_iptunnel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv6/seg6_iptunnel.c ++++ b/net/ipv6/seg6_iptunnel.c +@@ -128,7 +128,7 @@ static int seg6_do_srh_encap(struct sk_b + isrh->nexthdr = NEXTHDR_IPV6; + + hdr->daddr = isrh->segments[isrh->first_segment]; +- set_tun_src(net, ip6_dst_idev(dst)->dev, &hdr->daddr, &hdr->saddr); ++ set_tun_src(net, dst->dev, &hdr->daddr, &hdr->saddr); + + #ifdef CONFIG_IPV6_SEG6_HMAC + if (sr_has_hmac(isrh)) { diff --git a/patches.suse/ipv6-sr-fix-NULL-pointer-dereference-when-setting-en.patch b/patches.suse/ipv6-sr-fix-NULL-pointer-dereference-when-setting-en.patch new file mode 100644 index 0000000000..a9ee9dc245 --- /dev/null +++ b/patches.suse/ipv6-sr-fix-NULL-pointer-dereference-when-setting-en.patch @@ -0,0 +1,88 @@ +From: David Lebrun <dlebrun@google.com> +Date: Tue, 20 Mar 2018 14:44:56 +0000 +Subject: ipv6: sr: fix NULL pointer dereference when setting encap source + address +Git-commit: 8936ef7604c11b5d701580d779e0f5684abc7b68 +Patch-mainline: v4.16-rc7 +References: networking-stable-18_03_28 + +When using seg6 in encap mode, we call ipv6_dev_get_saddr() to set the +source address of the outer IPv6 header, in case none was specified. +Using skb->dev can lead to BUG() when it is in an inconsistent state. +This patch uses the net_device attached to the skb's dst instead. + +[940807.667429] BUG: unable to handle kernel NULL pointer dereference at 000000000000047c +[940807.762427] IP: ipv6_dev_get_saddr+0x8b/0x1d0 +[940807.815725] PGD 0 P4D 0 +[940807.847173] Oops: 0000 [#1] SMP PTI +[940807.890073] Modules linked in: +[940807.927765] CPU: 6 PID: 0 Comm: swapper/6 Tainted: G W 4.16.0-rc1-seg6bpf+ #2 +[940808.028988] Hardware name: HP ProLiant DL120 G6/ProLiant DL120 G6, BIOS O26 09/06/2010 +[940808.128128] RIP: 0010:ipv6_dev_get_saddr+0x8b/0x1d0 +[940808.187667] RSP: 0018:ffff88043fd836b0 EFLAGS: 00010206 +[940808.251366] RAX: 0000000000000005 RBX: ffff88042cb1c860 RCX: 00000000000000fe +[940808.338025] RDX: 00000000000002c0 RSI: ffff88042cb1c860 RDI: 0000000000004500 +[940808.424683] RBP: ffff88043fd83740 R08: 0000000000000000 R09: ffffffffffffffff +[940808.511342] R10: 0000000000000040 R11: 0000000000000000 R12: ffff88042cb1c850 +[940808.598012] R13: ffffffff8208e380 R14: ffff88042ac8da00 R15: 0000000000000002 +[940808.684675] FS: 0000000000000000(0000) GS:ffff88043fd80000(0000) knlGS:0000000000000000 +[940808.783036] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[940808.852975] CR2: 000000000000047c CR3: 00000004255fe000 CR4: 00000000000006e0 +[940808.939634] Call Trace: +[940808.970041] <IRQ> +[940808.995250] ? ip6t_do_table+0x265/0x640 +[940809.043341] seg6_do_srh_encap+0x28f/0x300 +[940809.093516] ? seg6_do_srh+0x1a0/0x210 +[940809.139528] seg6_do_srh+0x1a0/0x210 +[940809.183462] seg6_output+0x28/0x1e0 +[940809.226358] lwtunnel_output+0x3f/0x70 +[940809.272370] ip6_xmit+0x2b8/0x530 +[940809.313185] ? ac6_proc_exit+0x20/0x20 +[940809.359197] inet6_csk_xmit+0x7d/0xc0 +[940809.404173] tcp_transmit_skb+0x548/0x9a0 +[940809.453304] __tcp_retransmit_skb+0x1a8/0x7a0 +[940809.506603] ? ip6_default_advmss+0x40/0x40 +[940809.557824] ? tcp_current_mss+0x24/0x90 +[940809.605925] tcp_retransmit_skb+0xd/0x80 +[940809.654016] tcp_xmit_retransmit_queue.part.17+0xf9/0x210 +[940809.719797] tcp_ack+0xa47/0x1110 +[940809.760612] tcp_rcv_established+0x13c/0x570 +[940809.812865] tcp_v6_do_rcv+0x151/0x3d0 +[940809.858879] tcp_v6_rcv+0xa5c/0xb10 +[940809.901770] ? seg6_output+0xdd/0x1e0 +[940809.946745] ip6_input_finish+0xbb/0x460 +[940809.994837] ip6_input+0x74/0x80 +[940810.034612] ? ip6_rcv_finish+0xb0/0xb0 +[940810.081663] ipv6_rcv+0x31c/0x4c0 +... + +Fixes: 6c8702c60b886 ("ipv6: sr: add support for SRH encapsulation and injection with lwtunnels") +Reported-by: Tom Herbert <tom@quantonium.net> +Signed-off-by: David Lebrun <dlebrun@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/ipv6/seg6_iptunnel.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/ipv6/seg6_iptunnel.c ++++ b/net/ipv6/seg6_iptunnel.c +@@ -93,7 +93,8 @@ static void set_tun_src(struct net *net, + /* encapsulate an IPv6 packet within an outer IPv6 header with a given SRH */ + static int seg6_do_srh_encap(struct sk_buff *skb, struct ipv6_sr_hdr *osrh) + { +- struct net *net = dev_net(skb_dst(skb)->dev); ++ struct dst_entry *dst = skb_dst(skb); ++ struct net *net = dev_net(dst->dev); + struct ipv6hdr *hdr, *inner_hdr; + struct ipv6_sr_hdr *isrh; + int hdrlen, tot_len, err; +@@ -127,7 +128,7 @@ static int seg6_do_srh_encap(struct sk_b + isrh->nexthdr = NEXTHDR_IPV6; + + hdr->daddr = isrh->segments[isrh->first_segment]; +- set_tun_src(net, skb->dev, &hdr->daddr, &hdr->saddr); ++ set_tun_src(net, ip6_dst_idev(dst)->dev, &hdr->daddr, &hdr->saddr); + + #ifdef CONFIG_IPV6_SEG6_HMAC + if (sr_has_hmac(isrh)) { diff --git a/patches.suse/ipv6-sr-fix-scheduling-in-RCU-when-creating-seg6-lwt.patch b/patches.suse/ipv6-sr-fix-scheduling-in-RCU-when-creating-seg6-lwt.patch new file mode 100644 index 0000000000..6acbafd9ac --- /dev/null +++ b/patches.suse/ipv6-sr-fix-scheduling-in-RCU-when-creating-seg6-lwt.patch @@ -0,0 +1,68 @@ +From: David Lebrun <dlebrun@google.com> +Date: Tue, 20 Mar 2018 14:44:55 +0000 +Subject: ipv6: sr: fix scheduling in RCU when creating seg6 lwtunnel state +Git-commit: 191f86ca8ef27f7a492fd1c03620498c6e94f0ac +Patch-mainline: v4.16-rc7 +References: networking-stable-18_03_28 + +The seg6_build_state() function is called with RCU read lock held, +so we cannot use GFP_KERNEL. This patch uses GFP_ATOMIC instead. + +[ 92.770271] ============================= +[ 92.770628] WARNING: suspicious RCU usage +[ 92.770921] 4.16.0-rc4+ #12 Not tainted +[ 92.771277] ----------------------------- +[ 92.771585] ./include/linux/rcupdate.h:302 Illegal context switch in RCU read-side critical section! +[ 92.772279] +[ 92.772279] other info that might help us debug this: +[ 92.772279] +[ 92.773067] +[ 92.773067] rcu_scheduler_active = 2, debug_locks = 1 +[ 92.773514] 2 locks held by ip/2413: +[ 92.773765] #0: (rtnl_mutex){+.+.}, at: [<00000000e5461720>] rtnetlink_rcv_msg+0x441/0x4d0 +[ 92.774377] #1: (rcu_read_lock){....}, at: [<00000000df4f161e>] lwtunnel_build_state+0x59/0x210 +[ 92.775065] +[ 92.775065] stack backtrace: +[ 92.775371] CPU: 0 PID: 2413 Comm: ip Not tainted 4.16.0-rc4+ #12 +[ 92.775791] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1.fc27 04/01/2014 +[ 92.776608] Call Trace: +[ 92.776852] dump_stack+0x7d/0xbc +[ 92.777130] __schedule+0x133/0xf00 +[ 92.777393] ? unwind_get_return_address_ptr+0x50/0x50 +[ 92.777783] ? __sched_text_start+0x8/0x8 +[ 92.778073] ? rcu_is_watching+0x19/0x30 +[ 92.778383] ? kernel_text_address+0x49/0x60 +[ 92.778800] ? __kernel_text_address+0x9/0x30 +[ 92.779241] ? unwind_get_return_address+0x29/0x40 +[ 92.779727] ? pcpu_alloc+0x102/0x8f0 +[ 92.780101] _cond_resched+0x23/0x50 +[ 92.780459] __mutex_lock+0xbd/0xad0 +[ 92.780818] ? pcpu_alloc+0x102/0x8f0 +[ 92.781194] ? seg6_build_state+0x11d/0x240 +[ 92.781611] ? save_stack+0x9b/0xb0 +[ 92.781965] ? __ww_mutex_wakeup_for_backoff+0xf0/0xf0 +[ 92.782480] ? seg6_build_state+0x11d/0x240 +[ 92.782925] ? lwtunnel_build_state+0x1bd/0x210 +[ 92.783393] ? ip6_route_info_create+0x687/0x1640 +[ 92.783846] ? ip6_route_add+0x74/0x110 +[ 92.784236] ? inet6_rtm_newroute+0x8a/0xd0 + +Fixes: 6c8702c60b886 ("ipv6: sr: add support for SRH encapsulation and injection with lwtunnels") +Signed-off-by: David Lebrun <dlebrun@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/ipv6/seg6_iptunnel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv6/seg6_iptunnel.c ++++ b/net/ipv6/seg6_iptunnel.c +@@ -376,7 +376,7 @@ static int seg6_build_state(struct nlatt + + slwt = seg6_lwt_lwtunnel(newts); + +- err = dst_cache_init(&slwt->cache, GFP_KERNEL); ++ err = dst_cache_init(&slwt->cache, GFP_ATOMIC); + if (err) { + kfree(newts); + return err; diff --git a/patches.suse/kcm-lock-lower-socket-in-kcm_attach.patch b/patches.suse/kcm-lock-lower-socket-in-kcm_attach.patch new file mode 100644 index 0000000000..259d219594 --- /dev/null +++ b/patches.suse/kcm-lock-lower-socket-in-kcm_attach.patch @@ -0,0 +1,83 @@ +From: Tom Herbert <tom@quantonium.net> +Date: Tue, 13 Mar 2018 12:01:43 -0700 +Subject: kcm: lock lower socket in kcm_attach +Git-commit: 2cc683e88c0c993ac3721d9b702cb0630abe2879 +Patch-mainline: v4.16-rc7 +References: networking-stable-18_03_28 + +Need to lock lower socket in order to provide mutual exclusion +with kcm_unattach. + +v2: Add Reported-by for syzbot + +Fixes: ab7ac4eb9832e32a09f4e804 ("kcm: Kernel Connection Multiplexor module") +Reported-by: syzbot+ea75c0ffcd353d32515f064aaebefc5279e6161e@syzkaller.appspotmail.com +Signed-off-by: Tom Herbert <tom@quantonium.net> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/kcm/kcmsock.c | 24 +++++++++++++++++------- + 1 file changed, 17 insertions(+), 7 deletions(-) + +--- a/net/kcm/kcmsock.c ++++ b/net/kcm/kcmsock.c +@@ -1377,19 +1377,25 @@ static int kcm_attach(struct socket *soc + struct list_head *head; + int index = 0; + struct strp_callbacks cb; +- int err; ++ int err = 0; + + csk = csock->sk; + if (!csk) + return -EINVAL; + ++ lock_sock(csk); ++ + /* We must prevent loops or risk deadlock ! */ +- if (csk->sk_family == PF_KCM) +- return -EOPNOTSUPP; ++ if (csk->sk_family == PF_KCM) { ++ err = -EOPNOTSUPP; ++ goto out; ++ } + + psock = kmem_cache_zalloc(kcm_psockp, GFP_KERNEL); +- if (!psock) +- return -ENOMEM; ++ if (!psock) { ++ err = -ENOMEM; ++ goto out; ++ } + + psock->mux = mux; + psock->sk = csk; +@@ -1403,7 +1409,7 @@ static int kcm_attach(struct socket *soc + err = strp_init(&psock->strp, csk, &cb); + if (err) { + kmem_cache_free(kcm_psockp, psock); +- return err; ++ goto out; + } + + sock_hold(csk); +@@ -1439,7 +1445,10 @@ static int kcm_attach(struct socket *soc + /* Schedule RX work in case there are already bytes queued */ + strp_check_rcv(&psock->strp); + +- return 0; ++out: ++ release_sock(csk); ++ ++ return err; + } + + static int kcm_attach_ioctl(struct socket *sock, struct kcm_attach *info) +@@ -1491,6 +1500,7 @@ static void kcm_unattach(struct kcm_psoc + + if (WARN_ON(psock->rx_kcm)) { + write_unlock_bh(&csk->sk_callback_lock); ++ release_sock(csk); + return; + } + diff --git a/patches.suse/macvlan-filter-out-unsupported-feature-flags.patch b/patches.suse/macvlan-filter-out-unsupported-feature-flags.patch new file mode 100644 index 0000000000..d39cf3d511 --- /dev/null +++ b/patches.suse/macvlan-filter-out-unsupported-feature-flags.patch @@ -0,0 +1,50 @@ +From: Shannon Nelson <shannon.nelson@oracle.com> +Date: Thu, 8 Mar 2018 16:17:23 -0800 +Subject: macvlan: filter out unsupported feature flags +Git-commit: 13fbcc8dc573482dd3f27568257fd7087f8935f4 +Patch-mainline: v4.16-rc7 +References: networking-stable-18_03_28 + +Adding a macvlan device on top of a lowerdev that supports +the xfrm offloads fails with a new regression: + # ip link add link ens1f0 mv0 type macvlan + RTNETLINK answers: Operation not permitted + +Tracing down the failure shows that the macvlan device inherits +the NETIF_F_HW_ESP and NETIF_F_HW_ESP_TX_CSUM feature flags +from the lowerdev, but with no dev->xfrmdev_ops API filled +in, it doesn't actually support xfrm. When the request is +made to add the new macvlan device, the XFRM listener for +NETDEV_REGISTER calls xfrm_api_check() which fails the new +registration because dev->xfrmdev_ops is NULL. + +The macvlan creation succeeds when we filter out the ESP +feature flags in macvlan_fix_features(), so let's filter them +out like we're already filtering out ~NETIF_F_NETNS_LOCAL. +When XFRM support is added in the future, we can add the flags +into MACVLAN_FEATURES. + +This same problem could crop up in the future with any other +new feature flags, so let's filter out any flags that aren't +defined as supported in macvlan. + +Fixes: d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API") +Reported-by: Alexey Kodanev <alexey.kodanev@oracle.com> +Signed-off-by: Shannon Nelson <shannon.nelson@oracle.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/macvlan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c +@@ -1037,7 +1037,7 @@ static netdev_features_t macvlan_fix_fea + lowerdev_features &= (features | ~NETIF_F_LRO); + features = netdev_increment_features(lowerdev_features, features, mask); + features |= ALWAYS_ON_FEATURES; +- features &= ~NETIF_F_NETNS_LOCAL; ++ features &= (ALWAYS_ON_FEATURES | MACVLAN_FEATURES); + + return features; + } diff --git a/patches.suse/mlxsw-spectrum_buffers-Set-a-minimum-quota-for-CPU-p.patch b/patches.suse/mlxsw-spectrum_buffers-Set-a-minimum-quota-for-CPU-p.patch new file mode 100644 index 0000000000..4224ff8bf4 --- /dev/null +++ b/patches.suse/mlxsw-spectrum_buffers-Set-a-minimum-quota-for-CPU-p.patch @@ -0,0 +1,55 @@ +From: Ido Schimmel <idosch@mellanox.com> +Date: Thu, 15 Mar 2018 14:49:56 +0200 +Subject: mlxsw: spectrum_buffers: Set a minimum quota for CPU port traffic +Git-commit: bcdd5de80a2275f7879dc278bfc747f1caf94442 +Patch-mainline: v4.16-rc7 +References: networking-stable-18_03_28 + +In commit 9ffcc3725f09 ("mlxsw: spectrum: Allow packets to be trapped +from any PG") I fixed a problem where packets could not be trapped to +the CPU due to exceeded shared buffer quotas. The mentioned commit +explains the problem in detail. + +The problem was fixed by assigning a minimum quota for the CPU port and +the traffic class used for scheduling traffic to the CPU. + +However, commit 117b0dad2d54 ("mlxsw: Create a different trap group list +for each device") assigned different traffic classes to different +packet types and rendered the fix useless. + +Fix the problem by assigning a minimum quota for the CPU port and all +the traffic classes that are currently in use. + +Fixes: 117b0dad2d54 ("mlxsw: Create a different trap group list for each device") +Signed-off-by: Ido Schimmel <idosch@mellanox.com> +Reported-by: Eddie Shklaer <eddies@mellanox.com> +Tested-by: Eddie Shklaer <eddies@mellanox.com> +Acked-by: Jiri Pirko <jiri@mellanox.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum_buffers.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_buffers.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_buffers.c +@@ -337,13 +337,13 @@ static const struct mlxsw_sp_sb_cm mlxsw + + static const struct mlxsw_sp_sb_cm mlxsw_sp_cpu_port_sb_cms[] = { + MLXSW_SP_CPU_PORT_SB_CM, ++ MLXSW_SP_SB_CM(MLXSW_PORT_MAX_MTU, 0, 0), ++ MLXSW_SP_SB_CM(MLXSW_PORT_MAX_MTU, 0, 0), ++ MLXSW_SP_SB_CM(MLXSW_PORT_MAX_MTU, 0, 0), ++ MLXSW_SP_SB_CM(MLXSW_PORT_MAX_MTU, 0, 0), ++ MLXSW_SP_SB_CM(MLXSW_PORT_MAX_MTU, 0, 0), + MLXSW_SP_CPU_PORT_SB_CM, +- MLXSW_SP_CPU_PORT_SB_CM, +- MLXSW_SP_CPU_PORT_SB_CM, +- MLXSW_SP_CPU_PORT_SB_CM, +- MLXSW_SP_CPU_PORT_SB_CM, +- MLXSW_SP_CPU_PORT_SB_CM, +- MLXSW_SP_SB_CM(10000, 0, 0), ++ MLXSW_SP_SB_CM(MLXSW_PORT_MAX_MTU, 0, 0), + MLXSW_SP_CPU_PORT_SB_CM, + MLXSW_SP_CPU_PORT_SB_CM, + MLXSW_SP_CPU_PORT_SB_CM, diff --git a/patches.suse/mlxsw-spectrum_router-Don-t-log-an-error-on-missing-.patch b/patches.suse/mlxsw-spectrum_router-Don-t-log-an-error-on-missing-.patch new file mode 100644 index 0000000000..c92db2782e --- /dev/null +++ b/patches.suse/mlxsw-spectrum_router-Don-t-log-an-error-on-missing-.patch @@ -0,0 +1,44 @@ +From: Yuval Mintz <yuvalm@mellanox.com> +Date: Wed, 24 Jan 2018 10:02:09 +0100 +Subject: mlxsw: spectrum_router: Don't log an error on missing neighbor +Git-commit: 1ecdaea02ca6bfacf2ecda500dc1af51e9780c42 +Patch-mainline: v4.15 +References: networking-stable-18_01_28 + +Driver periodically samples all neighbors configured in device +in order to update the kernel regarding their state. When finding +an entry configured in HW that doesn't show in neigh_lookup() +driver logs an error message. +This introduces a race when removing multiple neighbors - +it's possible that a given entry would still be configured in HW +as its removal is still being processed but is already removed +from the kernel's neighbor tables. + +Simply remove the error message and gracefully accept such events. + +Fixes: c723c735fa6b ("mlxsw: spectrum_router: Periodically update the kernel's neigh table") +Fixes: 60f040ca11b9 ("mlxsw: spectrum_router: Periodically dump active IPv6 neighbours") +Signed-off-by: Yuval Mintz <yuvalm@mellanox.com> +Reviewed-by: Ido Schimmel <idosch@mellanox.com> +Signed-off-by: Jiri Pirko <jiri@mellanox.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c +@@ -847,11 +847,8 @@ static void mlxsw_sp_router_neigh_ent_ip + dipn = htonl(dip); + dev = mlxsw_sp->rifs[rif]->dev; + n = neigh_lookup(&arp_tbl, &dipn, dev); +- if (!n) { +- netdev_err(dev, "Failed to find matching neighbour for IP=%pI4h\n", +- &dip); ++ if (!n) + return; +- } + + netdev_dbg(dev, "Updating neighbour with IP=%pI4h\n", &dip); + neigh_event_send(n, NULL); diff --git a/patches.suse/mlxsw-spectrum_router-Fix-error-path-in-mlxsw_sp_vr_.patch b/patches.suse/mlxsw-spectrum_router-Fix-error-path-in-mlxsw_sp_vr_.patch new file mode 100644 index 0000000000..3eddc1eb5d --- /dev/null +++ b/patches.suse/mlxsw-spectrum_router-Fix-error-path-in-mlxsw_sp_vr_.patch @@ -0,0 +1,54 @@ +From: Jiri Pirko <jiri@mellanox.com> +Date: Tue, 13 Feb 2018 11:22:42 +0100 +Subject: mlxsw: spectrum_router: Fix error path in mlxsw_sp_vr_create +Git-commit: 0f2d2b2736b08dafa3bde31d048750fbc8df3a31 +Patch-mainline: v4.16-rc3 +References: networking-stable-18_03_07 + +Since mlxsw_sp_fib_create() and mlxsw_sp_mr_table_create() +use ERR_PTR macro to propagate int err through return of a pointer, +the return value is not NULL in case of failure. So if one +of the calls fails, one of vr->fib4, vr->fib6 or vr->mr4_table +is not NULL and mlxsw_sp_vr_is_used wrongly assumes +that vr is in use which leads to crash like following one: + +[ 1293.949291] BUG: unable to handle kernel NULL pointer dereference at 00000000000006c9 +[ 1293.952729] IP: mlxsw_sp_mr_table_flush+0x15/0x70 [mlxsw_spectrum] + +Fix this by using local variables to hold the pointers and set vr->* +only in case everything went fine. + +Fixes: 76610ebbde18 ("mlxsw: spectrum_router: Refactor virtual router handling") +Fixes: a3d9bc506d64 ("mlxsw: spectrum_router: Extend virtual routers with IPv6 support") +Fixes: d42b0965b1d4 ("mlxsw: spectrum_router: Add multicast routes notification handling functionality") +Signed-off-by: Jiri Pirko <jiri@mellanox.com> +Reviewed-by: Ido Schimmel <idosch@mellanox.com> +Signed-off-by: Jiri Pirko <jiri@mellanox.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c +@@ -595,14 +595,16 @@ static struct mlxsw_sp_fib *mlxsw_sp_vr_ + static struct mlxsw_sp_vr *mlxsw_sp_vr_create(struct mlxsw_sp *mlxsw_sp, + u32 tb_id) + { ++ struct mlxsw_sp_fib *fib4; + struct mlxsw_sp_vr *vr; + + vr = mlxsw_sp_vr_find_unused(mlxsw_sp); + if (!vr) + return ERR_PTR(-EBUSY); +- vr->fib4 = mlxsw_sp_fib_create(vr, MLXSW_SP_L3_PROTO_IPV4); +- if (IS_ERR(vr->fib4)) +- return ERR_CAST(vr->fib4); ++ fib4 = mlxsw_sp_fib_create(vr, MLXSW_SP_L3_PROTO_IPV4); ++ if (IS_ERR(fib4)) ++ return ERR_CAST(fib4); ++ vr->fib4 = fib4; + vr->tb_id = tb_id; + return vr; + } diff --git a/patches.suse/mlxsw-spectrum_switchdev-Check-success-of-FDB-add-op.patch b/patches.suse/mlxsw-spectrum_switchdev-Check-success-of-FDB-add-op.patch new file mode 100644 index 0000000000..a4885ff875 --- /dev/null +++ b/patches.suse/mlxsw-spectrum_switchdev-Check-success-of-FDB-add-op.patch @@ -0,0 +1,101 @@ +From: Shalom Toledo <shalomt@mellanox.com> +Date: Thu, 1 Mar 2018 11:37:05 +0100 +Subject: mlxsw: spectrum_switchdev: Check success of FDB add operation +Git-commit: 0a8a1bf17e3af34f1f8d2368916a6327f8b3bfd5 +Patch-mainline: v4.16-rc5 +References: networking-stable-18_03_07 + +Until now, we assumed that in case of error when adding FDB entries, the +write operation will fail, but this is not the case. Instead, we need to +check that the number of entries reported in the response is equal to +the number of entries specified in the request. + +Fixes: 56ade8fe3fe1 ("mlxsw: spectrum: Add initial support for Spectrum ASIC") +Reported-by: Ido Schimmel <idosch@mellanox.com> +Signed-off-by: Shalom Toledo <shalomt@mellanox.com> +Reviewed-by: Ido Schimmel <idosch@mellanox.com> +Signed-off-by: Jiri Pirko <jiri@mellanox.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c | 29 +++++++++++++-- + 1 file changed, 27 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c +@@ -882,6 +882,7 @@ static int __mlxsw_sp_port_fdb_uc_op(str + bool dynamic) + { + char *sfd_pl; ++ u8 num_rec; + int err; + + sfd_pl = kmalloc(MLXSW_REG_SFD_LEN, GFP_KERNEL); +@@ -891,9 +892,16 @@ static int __mlxsw_sp_port_fdb_uc_op(str + mlxsw_reg_sfd_pack(sfd_pl, mlxsw_sp_sfd_op(adding), 0); + mlxsw_reg_sfd_uc_pack(sfd_pl, 0, mlxsw_sp_sfd_rec_policy(dynamic), + mac, fid, action, local_port); ++ num_rec = mlxsw_reg_sfd_num_rec_get(sfd_pl); + err = mlxsw_reg_write(mlxsw_sp->core, MLXSW_REG(sfd), sfd_pl); +- kfree(sfd_pl); ++ if (err) ++ goto out; ++ ++ if (num_rec != mlxsw_reg_sfd_num_rec_get(sfd_pl)) ++ err = -EBUSY; + ++out: ++ kfree(sfd_pl); + return err; + } + +@@ -918,6 +926,7 @@ static int mlxsw_sp_port_fdb_uc_lag_op(s + bool adding, bool dynamic) + { + char *sfd_pl; ++ u8 num_rec; + int err; + + sfd_pl = kmalloc(MLXSW_REG_SFD_LEN, GFP_KERNEL); +@@ -928,9 +937,16 @@ static int mlxsw_sp_port_fdb_uc_lag_op(s + mlxsw_reg_sfd_uc_lag_pack(sfd_pl, 0, mlxsw_sp_sfd_rec_policy(dynamic), + mac, fid, MLXSW_REG_SFD_REC_ACTION_NOP, + lag_vid, lag_id); ++ num_rec = mlxsw_reg_sfd_num_rec_get(sfd_pl); + err = mlxsw_reg_write(mlxsw_sp->core, MLXSW_REG(sfd), sfd_pl); +- kfree(sfd_pl); ++ if (err) ++ goto out; + ++ if (num_rec != mlxsw_reg_sfd_num_rec_get(sfd_pl)) ++ err = -EBUSY; ++ ++out: ++ kfree(sfd_pl); + return err; + } + +@@ -964,6 +980,7 @@ static int mlxsw_sp_port_mdb_op(struct m + u16 fid, u16 mid, bool adding) + { + char *sfd_pl; ++ u8 num_rec; + int err; + + sfd_pl = kmalloc(MLXSW_REG_SFD_LEN, GFP_KERNEL); +@@ -973,7 +990,15 @@ static int mlxsw_sp_port_mdb_op(struct m + mlxsw_reg_sfd_pack(sfd_pl, mlxsw_sp_sfd_op(adding), 0); + mlxsw_reg_sfd_mc_pack(sfd_pl, 0, addr, fid, + MLXSW_REG_SFD_REC_ACTION_NOP, mid); ++ num_rec = mlxsw_reg_sfd_num_rec_get(sfd_pl); + err = mlxsw_reg_write(mlxsw_sp->core, MLXSW_REG(sfd), sfd_pl); ++ if (err) ++ goto out; ++ ++ if (num_rec != mlxsw_reg_sfd_num_rec_get(sfd_pl)) ++ err = -EBUSY; ++ ++out: + kfree(sfd_pl); + return err; + } diff --git a/patches.suse/mmc-version-check-printk-downgrade b/patches.suse/mmc-version-check-printk-downgrade new file mode 100644 index 0000000000..93a656db18 --- /dev/null +++ b/patches.suse/mmc-version-check-printk-downgrade @@ -0,0 +1,28 @@ +From: Takashi Iwai <tiwai@suse.de> +Subject: Downgrade printk level for MMC SDHCI host version error +Patch-mainline: Never, SLE15 only +References: bsc#1097941 + +MMC SDHCI drivers spew an error when the controller returns the +version number greater than 2. This is annoying on the machines with +O2 micro chip like many Dell models, where the chip gives 3. +Since it's the only known error case so far, downgrade the print level +so that it won't appear during boot with quiet option. + +Signed-off-by: Takashi Iwai <tiwai@suse.de> + +--- + drivers/mmc/host/sdhci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mmc/host/sdhci.c ++++ b/drivers/mmc/host/sdhci.c +@@ -3242,7 +3242,7 @@ int sdhci_setup_host(struct sdhci_host * + override_timeout_clk = host->timeout_clk; + + if (host->version > SDHCI_SPEC_300) { +- pr_err("%s: Unknown controller version (%d). You may experience problems.\n", ++ pr_info("%s: Unknown controller version (%d). You may experience problems.\n", + mmc_hostname(mmc), host->version); + } + diff --git a/patches.suse/suse-hv-netvsc-ifup.patch b/patches.suse/msft-hv-1657-hv_netvsc-Fix-a-network-regression-after-ifdown-ifup.patch index 02203b54d7..3d867f3518 100644 --- a/patches.suse/suse-hv-netvsc-ifup.patch +++ b/patches.suse/msft-hv-1657-hv_netvsc-Fix-a-network-regression-after-ifdown-ifup.patch @@ -1,8 +1,9 @@ From: Dexuan Cui <decui@microsoft.com> Date: Wed, 6 Jun 2018 21:32:51 +0000 -Patch-mainline: submitted (lkml - https://lkml.org/lkml/2018/6/6/766) -Subject: [PATCH v2] hv_netvsc: Fix a network regression after ifdown/ifup +Patch-mainline: v4.18-rc1 +Subject: hv_netvsc: Fix a network regression after ifdown/ifup References: bsc#1094420 +Git-commit: 52acf73b6e9a6962045feb2ba5a8921da2201915 Recently people reported the NIC stops working after "ifdown eth0; ifup eth0". It turns out in this case the TX queues are not @@ -15,21 +16,16 @@ are enabled. The patch fixes the regression. Fixes: 7b2ee50c0cd5 ("hv_netvsc: common detach logic") Signed-off-by: Dexuan Cui <decui@microsoft.com> -Cc: stable@vger.kernel.org Cc: Stephen Hemminger <sthemmin@microsoft.com> Cc: K. Y. Srinivasan <kys@microsoft.com> Cc: Haiyang Zhang <haiyangz@microsoft.com> +Signed-off-by: David S. Miller <davem@davemloft.net> Acked-by: Olaf Hering <ohering@suse.de> --- - -Changes since v1: -Removed the check and the comment from the code [Stephen Hemminger] - drivers/net/hyperv/netvsc_drv.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c -index da07ccd..eb8dccd 100644 --- a/drivers/net/hyperv/netvsc_drv.c +++ b/drivers/net/hyperv/netvsc_drv.c @@ -126,8 +126,10 @@ static int netvsc_open(struct net_device *net) diff --git a/patches.suse/net-Allow-neigh-contructor-functions-ability-to-modi.patch b/patches.suse/net-Allow-neigh-contructor-functions-ability-to-modi.patch new file mode 100644 index 0000000000..0f96322409 --- /dev/null +++ b/patches.suse/net-Allow-neigh-contructor-functions-ability-to-modi.patch @@ -0,0 +1,38 @@ +From: Jim Westfall <jwestfall@surrealistic.net> +Date: Sun, 14 Jan 2018 04:18:50 -0800 +Subject: net: Allow neigh contructor functions ability to modify the + primary_key +Git-commit: 096b9854c04df86f03b38a97d40b6506e5730919 +Patch-mainline: v4.15-rc9 +References: networking-stable-18_01_28 + +Use n->primary_key instead of pkey to account for the possibility that a neigh +constructor function may have modified the primary_key value. + +Signed-off-by: Jim Westfall <jwestfall@surrealistic.net> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/core/neighbour.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -533,7 +533,7 @@ struct neighbour *__neigh_create(struct + if (atomic_read(&tbl->entries) > (1 << nht->hash_shift)) + nht = neigh_hash_grow(tbl, nht->hash_shift + 1); + +- hash_val = tbl->hash(pkey, dev, nht->hash_rnd) >> (32 - nht->hash_shift); ++ hash_val = tbl->hash(n->primary_key, dev, nht->hash_rnd) >> (32 - nht->hash_shift); + + if (n->parms->dead) { + rc = ERR_PTR(-EINVAL); +@@ -545,7 +545,7 @@ struct neighbour *__neigh_create(struct + n1 != NULL; + n1 = rcu_dereference_protected(n1->next, + lockdep_is_held(&tbl->lock))) { +- if (dev == n1->dev && !memcmp(n1->primary_key, pkey, key_len)) { ++ if (dev == n1->dev && !memcmp(n1->primary_key, n->primary_key, key_len)) { + if (want_ref) + neigh_hold(n1); + rc = n1; diff --git a/patches.suse/net-Fix-hlist-corruptions-in-inet_evict_bucket.patch b/patches.suse/net-Fix-hlist-corruptions-in-inet_evict_bucket.patch new file mode 100644 index 0000000000..dc048b6407 --- /dev/null +++ b/patches.suse/net-Fix-hlist-corruptions-in-inet_evict_bucket.patch @@ -0,0 +1,45 @@ +From: Kirill Tkhai <ktkhai@virtuozzo.com> +Date: Tue, 6 Mar 2018 18:46:39 +0300 +Subject: net: Fix hlist corruptions in inet_evict_bucket() +Git-commit: a560002437d3646dafccecb1bf32d1685112ddda +Patch-mainline: v4.16-rc7 +References: networking-stable-18_03_28 + +inet_evict_bucket() iterates global list, and +several tasks may call it in parallel. All of +them hash the same fq->list_evictor to different +lists, which leads to list corruption. + +This patch makes fq be hashed to expired list +only if this has not been made yet by another +task. Since inet_frag_alloc() allocates fq +using kmem_cache_zalloc(), we may rely on +list_evictor is initially unhashed. + +The problem seems to exist before async +pernet_operations, as there was possible to have +exit method to be executed in parallel with +inet_frags::frags_work, so I add two Fixes tags. +This also may go to stable. + +Fixes: d1fe19444d82 "inet: frag: don't re-use chainlist for evictor" +Fixes: f84c6821aa54 "net: Convert pernet_subsys, registered from inet_init()" +Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/ipv4/inet_fragment.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/ipv4/inet_fragment.c ++++ b/net/ipv4/inet_fragment.c +@@ -119,6 +119,9 @@ out: + + static bool inet_fragq_should_evict(const struct inet_frag_queue *q) + { ++ if (!hlist_unhashed(&q->list_evictor)) ++ return false; ++ + return q->net->low_thresh == 0 || + frag_mem_limit(q->net) >= q->net->low_thresh; + } diff --git a/patches.suse/net-Only-honor-ifindex-in-IP_PKTINFO-if-non-0.patch b/patches.suse/net-Only-honor-ifindex-in-IP_PKTINFO-if-non-0.patch new file mode 100644 index 0000000000..fe9d5a5fa2 --- /dev/null +++ b/patches.suse/net-Only-honor-ifindex-in-IP_PKTINFO-if-non-0.patch @@ -0,0 +1,39 @@ +From: David Ahern <dsahern@gmail.com> +Date: Fri, 16 Feb 2018 11:03:03 -0800 +Subject: net: Only honor ifindex in IP_PKTINFO if non-0 +Git-commit: 2cbb4ea7de167b02ffa63e9cdfdb07a7e7094615 +Patch-mainline: v4.16-rc7 +References: networking-stable-18_03_28 + +Only allow ifindex from IP_PKTINFO to override SO_BINDTODEVICE settings +if the index is actually set in the message. + +Signed-off-by: David Ahern <dsahern@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/ipv4/ip_sockglue.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/ipv4/ip_sockglue.c ++++ b/net/ipv4/ip_sockglue.c +@@ -257,7 +257,8 @@ int ip_cmsg_send(struct sock *sk, struct + src_info = (struct in6_pktinfo *)CMSG_DATA(cmsg); + if (!ipv6_addr_v4mapped(&src_info->ipi6_addr)) + return -EINVAL; +- ipc->oif = src_info->ipi6_ifindex; ++ if (src_info->ipi6_ifindex) ++ ipc->oif = src_info->ipi6_ifindex; + ipc->addr = src_info->ipi6_addr.s6_addr32[3]; + continue; + } +@@ -287,7 +288,8 @@ int ip_cmsg_send(struct sock *sk, struct + if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct in_pktinfo))) + return -EINVAL; + info = (struct in_pktinfo *)CMSG_DATA(cmsg); +- ipc->oif = info->ipi_ifindex; ++ if (info->ipi_ifindex) ++ ipc->oif = info->ipi_ifindex; + ipc->addr = info->ipi_spec_dst.s_addr; + break; + } diff --git a/patches.suse/net-ethernet-arc-Fix-a-potential-memory-leak-if-an-o.patch b/patches.suse/net-ethernet-arc-Fix-a-potential-memory-leak-if-an-o.patch new file mode 100644 index 0000000000..0ca22819d0 --- /dev/null +++ b/patches.suse/net-ethernet-arc-Fix-a-potential-memory-leak-if-an-o.patch @@ -0,0 +1,34 @@ +From: Christophe JAILLET <christophe.jaillet@wanadoo.fr> +Date: Sun, 18 Mar 2018 23:59:36 +0100 +Subject: net: ethernet: arc: Fix a potential memory leak if an optional + regulator is deferred +Git-commit: 00777fac28ba3e126b9e63e789a613e8bd2cab25 +Patch-mainline: v4.16-rc7 +References: networking-stable-18_03_28 + +If the optional regulator is deferred, we must release some resources. +They will be re-allocated when the probe function will be called again. + +Fixes: 6eacf31139bf ("ethernet: arc: Add support for Rockchip SoC layer device tree bindings") +Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/ethernet/arc/emac_rockchip.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/arc/emac_rockchip.c ++++ b/drivers/net/ethernet/arc/emac_rockchip.c +@@ -169,8 +169,10 @@ static int emac_rockchip_probe(struct pl + /* Optional regulator for PHY */ + priv->regulator = devm_regulator_get_optional(dev, "phy"); + if (IS_ERR(priv->regulator)) { +- if (PTR_ERR(priv->regulator) == -EPROBE_DEFER) +- return -EPROBE_DEFER; ++ if (PTR_ERR(priv->regulator) == -EPROBE_DEFER) { ++ err = -EPROBE_DEFER; ++ goto out_clk_disable; ++ } + dev_err(dev, "no regulator found\n"); + priv->regulator = NULL; + } diff --git a/patches.suse/net-ethernet-ti-cpsw-add-check-for-in-band-mode-sett.patch b/patches.suse/net-ethernet-ti-cpsw-add-check-for-in-band-mode-sett.patch new file mode 100644 index 0000000000..d9416504e4 --- /dev/null +++ b/patches.suse/net-ethernet-ti-cpsw-add-check-for-in-band-mode-sett.patch @@ -0,0 +1,49 @@ +From: =?UTF-8?q?SZ=20Lin=20=28=E6=9E=97=E4=B8=8A=E6=99=BA=29?= + <sz.lin@moxa.com> +Date: Fri, 16 Mar 2018 00:56:01 +0800 +Subject: net: ethernet: ti: cpsw: add check for in-band mode setting with + RGMII PHY interface +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Git-commit: f9db50691db4a7d860fce985f080bb3fc23a7ede +Patch-mainline: v4.16-rc7 +References: networking-stable-18_03_28 + +According to AM335x TRM[1] 14.3.6.2, AM437x TRM[2] 15.3.6.2 and +DRA7 TRM[3] 24.11.4.8.7.3.3, in-band mode in EXT_EN(bit18) register is only +available when PHY is configured in RGMII mode with 10Mbps speed. It will +cause some networking issues without RGMII mode, such as carrier sense +errors and low throughput. TI also mentioned this issue in their forum[4]. + +This patch adds the check mechanism for PHY interface with RGMII interface +type, the in-band mode can only be set in RGMII mode with 10Mbps speed. + +!References: +[1]: https://www.ti.com/lit/ug/spruh73p/spruh73p.pdf +[2]: http://www.ti.com/lit/ug/spruhl7h/spruhl7h.pdf +[3]: http://www.ti.com/lit/ug/spruic2b/spruic2b.pdf +[4]: https://e2e.ti.com/support/arm/sitara_arm/f/791/p/640765/2392155 + +Suggested-by: Holsety Chen (陳憲輝) <Holsety.Chen@moxa.com> +Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com> +Signed-off-by: Schuyler Patton <spatton@ti.com> +Reviewed-by: Grygorii Strashko <grygorii.strashko@ti.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/ethernet/ti/cpsw.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/ti/cpsw.c ++++ b/drivers/net/ethernet/ti/cpsw.c +@@ -996,7 +996,8 @@ static void _cpsw_adjust_link(struct cps + /* set speed_in input in case RMII mode is used in 100Mbps */ + if (phy->speed == 100) + mac_control |= BIT(15); +- else if (phy->speed == 10) ++ /* in band mode only works in 10Mbps RGMII mode */ ++ else if ((phy->speed == 10) && phy_interface_is_rgmii(phy)) + mac_control |= BIT(18); /* In Band mode */ + + if (priv->rx_pause) diff --git a/patches.suse/net-ethernet-ti-cpsw-fix-net-watchdog-timeout.patch b/patches.suse/net-ethernet-ti-cpsw-fix-net-watchdog-timeout.patch new file mode 100644 index 0000000000..299a08a0d1 --- /dev/null +++ b/patches.suse/net-ethernet-ti-cpsw-fix-net-watchdog-timeout.patch @@ -0,0 +1,81 @@ +From: Grygorii Strashko <grygorii.strashko@ti.com> +Date: Tue, 6 Feb 2018 19:17:06 -0600 +Subject: net: ethernet: ti: cpsw: fix net watchdog timeout +Git-commit: 62f94c2101f35cd45775df00ba09bde77580e26a +Patch-mainline: v4.16-rc1 +References: networking-stable-18_03_07 + +It was discovered that simple program which indefinitely sends 200b UDP +packets and runs on TI AM574x SoC (SMP) under RT Kernel triggers network +watchdog timeout in TI CPSW driver (<6 hours run). The network watchdog +timeout is triggered due to race between cpsw_ndo_start_xmit() and +cpsw_tx_handler() [NAPI] + +cpsw_ndo_start_xmit() + if (unlikely(!cpdma_check_free_tx_desc(txch))) { + txq = netdev_get_tx_queue(ndev, q_idx); + netif_tx_stop_queue(txq); + +^^ as per [1] barier has to be used after set_bit() otherwise new value +might not be visible to other cpus + } + +cpsw_tx_handler() + if (unlikely(netif_tx_queue_stopped(txq))) + netif_tx_wake_queue(txq); + +and when it happens ndev TX queue became disabled forever while driver's HW +TX queue is empty. + +Fix this, by adding smp_mb__after_atomic() after netif_tx_stop_queue() +calls and double check for free TX descriptors after stopping ndev TX queue +- if there are free TX descriptors wake up ndev TX queue. + +[1] https://www.kernel.org/doc/html/latest/core-api/atomic_ops.html +Signed-off-by: Grygorii Strashko <grygorii.strashko@ti.com> +Reviewed-by: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/ethernet/ti/cpsw.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/ti/cpsw.c ++++ b/drivers/net/ethernet/ti/cpsw.c +@@ -1618,6 +1618,7 @@ static netdev_tx_t cpsw_ndo_start_xmit(s + q_idx = q_idx % cpsw->tx_ch_num; + + txch = cpsw->txv[q_idx].ch; ++ txq = netdev_get_tx_queue(ndev, q_idx); + ret = cpsw_tx_packet_submit(priv, skb, txch); + if (unlikely(ret != 0)) { + cpsw_err(priv, tx_err, "desc submit failed\n"); +@@ -1628,15 +1629,26 @@ static netdev_tx_t cpsw_ndo_start_xmit(s + * tell the kernel to stop sending us tx frames. + */ + if (unlikely(!cpdma_check_free_tx_desc(txch))) { +- txq = netdev_get_tx_queue(ndev, q_idx); + netif_tx_stop_queue(txq); ++ ++ /* Barrier, so that stop_queue visible to other cpus */ ++ smp_mb__after_atomic(); ++ ++ if (cpdma_check_free_tx_desc(txch)) ++ netif_tx_wake_queue(txq); + } + + return NETDEV_TX_OK; + fail: + ndev->stats.tx_dropped++; +- txq = netdev_get_tx_queue(ndev, skb_get_queue_mapping(skb)); + netif_tx_stop_queue(txq); ++ ++ /* Barrier, so that stop_queue visible to other cpus */ ++ smp_mb__after_atomic(); ++ ++ if (cpdma_check_free_tx_desc(txch)) ++ netif_tx_wake_queue(txq); ++ + return NETDEV_TX_BUSY; + } + diff --git a/patches.suse/net-fec-Fix-unbalanced-PM-runtime-calls.patch b/patches.suse/net-fec-Fix-unbalanced-PM-runtime-calls.patch new file mode 100644 index 0000000000..c4a613c0a0 --- /dev/null +++ b/patches.suse/net-fec-Fix-unbalanced-PM-runtime-calls.patch @@ -0,0 +1,35 @@ +From: Florian Fainelli <f.fainelli@gmail.com> +Date: Sun, 18 Mar 2018 12:49:51 -0700 +Subject: net: fec: Fix unbalanced PM runtime calls +Git-commit: a069215cf5985f3aa1bba550264907d6bd05c5f7 +Patch-mainline: v4.16-rc7 +References: networking-stable-18_03_28 + +When unbinding/removing the driver, we will run into the following warnings: + +[ 259.655198] fec 400d1000.ethernet: 400d1000.ethernet supply phy not found, using dummy regulator +[ 259.665065] fec 400d1000.ethernet: Unbalanced pm_runtime_enable! +[ 259.672770] fec 400d1000.ethernet (unnamed net_device) (uninitialized): Invalid MAC address: 00:00:00:00:00:00 +[ 259.683062] fec 400d1000.ethernet (unnamed net_device) (uninitialized): Using random MAC address: f2:3e:93:b7:29:c1 +[ 259.696239] libphy: fec_enet_mii_bus: probed + +Avoid these warnings by balancing the runtime PM calls during fec_drv_remove(). + +Signed-off-by: Florian Fainelli <f.fainelli@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/ethernet/freescale/fec_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -3539,6 +3539,8 @@ fec_drv_remove(struct platform_device *p + fec_enet_mii_remove(fep); + if (fep->reg_phy) + regulator_disable(fep->reg_phy); ++ pm_runtime_put(&pdev->dev); ++ pm_runtime_disable(&pdev->dev); + if (of_phy_is_fixed_link(np)) + of_phy_deregister_fixed_link(np); + of_node_put(fep->phy_node); diff --git a/patches.suse/net-ipv4-avoid-unused-variable-warning-for-sysctl.patch b/patches.suse/net-ipv4-avoid-unused-variable-warning-for-sysctl.patch new file mode 100644 index 0000000000..741813e73b --- /dev/null +++ b/patches.suse/net-ipv4-avoid-unused-variable-warning-for-sysctl.patch @@ -0,0 +1,43 @@ +From: Arnd Bergmann <arnd@arndb.de> +Date: Wed, 28 Feb 2018 14:32:48 +0100 +Subject: net: ipv4: avoid unused variable warning for sysctl +Git-commit: 773daa3caf5d3f87fdb1ab43e9c1b367a38fa394 +Patch-mainline: v4.16-rc5 +References: git-fixes + +The newly introudced ip_min_valid_pmtu variable is only used when +CONFIG_SYSCTL is set: + +net/ipv4/route.c:135:12: error: 'ip_min_valid_pmtu' defined but not used [-Werror=unused-variable] + +This moves it to the other variables like it, to avoid the harmless +warning. + +Fixes: c7272c2f1229 ("net: ipv4: don't allow setting net.ipv4.route.min_pmtu below 68") +Signed-off-by: Arnd Bergmann <arnd@arndb.de> +Acked-by: Sabrina Dubroca <sd@queasysnail.net> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/ipv4/route.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -131,8 +131,6 @@ static int ip_rt_min_advmss __read_mostl + + static int ip_rt_gc_timeout __read_mostly = RT_GC_TIMEOUT; + +-static int ip_min_valid_pmtu __read_mostly = IPV4_MIN_MTU; +- + /* + * Interface to generic destination cache. + */ +@@ -2778,6 +2776,7 @@ void ip_rt_multicast_event(struct in_dev + static int ip_rt_gc_interval __read_mostly = 60 * HZ; + static int ip_rt_gc_min_interval __read_mostly = HZ / 2; + static int ip_rt_gc_elasticity __read_mostly = 8; ++static int ip_min_valid_pmtu __read_mostly = IPV4_MIN_MTU; + + static int ipv4_sysctl_rtcache_flush(struct ctl_table *__ctl, int write, + void __user *buffer, diff --git a/patches.suse/net-ipv4-don-t-allow-setting-net.ipv4.route.min_pmtu.patch b/patches.suse/net-ipv4-don-t-allow-setting-net.ipv4.route.min_pmtu.patch new file mode 100644 index 0000000000..fcafe674f6 --- /dev/null +++ b/patches.suse/net-ipv4-don-t-allow-setting-net.ipv4.route.min_pmtu.patch @@ -0,0 +1,61 @@ +From: Sabrina Dubroca <sd@queasysnail.net> +Date: Mon, 26 Feb 2018 16:13:43 +0100 +Subject: net: ipv4: don't allow setting net.ipv4.route.min_pmtu below 68 +Git-commit: c7272c2f1229125f74f22dcdd59de9bbd804f1c8 +Patch-mainline: v4.16-rc5 +References: networking-stable-18_03_07 + +According to RFC 1191 sections 3 and 4, ICMP frag-needed messages +indicating an MTU below 68 should be rejected: + + A host MUST never reduce its estimate of the Path MTU below 68 + octets. + +and (talking about ICMP frag-needed's Next-Hop MTU field): + + This field will never contain a value less than 68, since every + router "must be able to forward a datagram of 68 octets without + fragmentation". + +Furthermore, by letting net.ipv4.route.min_pmtu be set to negative +values, we can end up with a very large PMTU when (-1) is cast into u32. + +Let's also make ip_rt_min_pmtu a u32, since it's only ever compared to +unsigned ints. + +Reported-by: Jianlin Shi <jishi@redhat.com> +Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> +Reviewed-by: Stefano Brivio <sbrivio@redhat.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/ipv4/route.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -126,10 +126,13 @@ static int ip_rt_redirect_silence __read + static int ip_rt_error_cost __read_mostly = HZ; + static int ip_rt_error_burst __read_mostly = 5 * HZ; + static int ip_rt_mtu_expires __read_mostly = 10 * 60 * HZ; +-static int ip_rt_min_pmtu __read_mostly = 512 + 20 + 20; ++static u32 ip_rt_min_pmtu __read_mostly = 512 + 20 + 20; + static int ip_rt_min_advmss __read_mostly = 256; + + static int ip_rt_gc_timeout __read_mostly = RT_GC_TIMEOUT; ++ ++static int ip_min_valid_pmtu __read_mostly = IPV4_MIN_MTU; ++ + /* + * Interface to generic destination cache. + */ +@@ -2890,7 +2893,8 @@ static struct ctl_table ipv4_route_table + .data = &ip_rt_min_pmtu, + .maxlen = sizeof(int), + .mode = 0644, +- .proc_handler = proc_dointvec, ++ .proc_handler = proc_dointvec_minmax, ++ .extra1 = &ip_min_valid_pmtu, + }, + { + .procname = "min_adv_mss", diff --git a/patches.suse/net-ipv6-keep-sk-status-consistent-after-datagram-co.patch b/patches.suse/net-ipv6-keep-sk-status-consistent-after-datagram-co.patch new file mode 100644 index 0000000000..a4f3295989 --- /dev/null +++ b/patches.suse/net-ipv6-keep-sk-status-consistent-after-datagram-co.patch @@ -0,0 +1,78 @@ +From: Paolo Abeni <pabeni@redhat.com> +Date: Mon, 12 Mar 2018 14:54:23 +0100 +Subject: net: ipv6: keep sk status consistent after datagram connect failure +Git-commit: 2f987a76a97773beafbc615b9c4d8fe79129a7f4 +Patch-mainline: v4.16-rc7 +References: networking-stable-18_03_28 + +On unsuccesful ip6_datagram_connect(), if the failure is caused by +ip6_datagram_dst_update(), the sk peer information are cleared, but +the sk->sk_state is preserved. + +If the socket was already in an established status, the overall sk +status is inconsistent and fouls later checks in datagram code. + +Fix this saving the old peer information and restoring them in +case of failure. This also aligns ipv6 datagram connect() behavior +with ipv4. + +v1 -> v2: + - added missing Fixes tag + +Fixes: 85cb73ff9b74 ("net: ipv6: reset daddr and dport in sk if connect() fails") +Signed-off-by: Paolo Abeni <pabeni@redhat.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/ipv6/datagram.c | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +--- a/net/ipv6/datagram.c ++++ b/net/ipv6/datagram.c +@@ -146,10 +146,12 @@ int __ip6_datagram_connect(struct sock * + struct sockaddr_in6 *usin = (struct sockaddr_in6 *) uaddr; + struct inet_sock *inet = inet_sk(sk); + struct ipv6_pinfo *np = inet6_sk(sk); +- struct in6_addr *daddr; ++ struct in6_addr *daddr, old_daddr; ++ __be32 fl6_flowlabel = 0; ++ __be32 old_fl6_flowlabel; ++ __be32 old_dport; + int addr_type; + int err; +- __be32 fl6_flowlabel = 0; + + if (usin->sin6_family == AF_INET) { + if (__ipv6_only_sock(sk)) +@@ -239,9 +241,13 @@ ipv4_connected: + } + } + ++ /* save the current peer information before updating it */ ++ old_daddr = sk->sk_v6_daddr; ++ old_fl6_flowlabel = np->flow_label; ++ old_dport = inet->inet_dport; ++ + sk->sk_v6_daddr = *daddr; + np->flow_label = fl6_flowlabel; +- + inet->inet_dport = usin->sin6_port; + + /* +@@ -251,11 +257,12 @@ ipv4_connected: + + err = ip6_datagram_dst_update(sk, true); + if (err) { +- /* Reset daddr and dport so that udp_v6_early_demux() +- * fails to find this socket ++ /* Restore the socket peer info, to keep it consistent with ++ * the old socket state + */ +- memset(&sk->sk_v6_daddr, 0, sizeof(sk->sk_v6_daddr)); +- inet->inet_dport = 0; ++ sk->sk_v6_daddr = old_daddr; ++ np->flow_label = old_fl6_flowlabel; ++ inet->inet_dport = old_dport; + goto out; + } + diff --git a/patches.suse/net-iucv-Free-memory-obtained-by-kzalloc.patch b/patches.suse/net-iucv-Free-memory-obtained-by-kzalloc.patch new file mode 100644 index 0000000000..5f2278382a --- /dev/null +++ b/patches.suse/net-iucv-Free-memory-obtained-by-kzalloc.patch @@ -0,0 +1,35 @@ +From: Arvind Yadav <arvind.yadav.cs@gmail.com> +Date: Tue, 13 Mar 2018 16:50:06 +0100 +Subject: net/iucv: Free memory obtained by kzalloc +Git-commit: fa6a91e9b907231d2e38ea5ed89c537b3525df3d +Patch-mainline: v4.16-rc7 +References: networking-stable-18_03_28 + +Free memory by calling put_device(), if afiucv_iucv_init is not +successful. + +Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com> +Reviewed-by: Cornelia Huck <cohuck@redhat.com> +Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com> +Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/iucv/af_iucv.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/iucv/af_iucv.c ++++ b/net/iucv/af_iucv.c +@@ -2435,9 +2435,11 @@ static int afiucv_iucv_init(void) + af_iucv_dev->driver = &af_iucv_driver; + err = device_register(af_iucv_dev); + if (err) +- goto out_driver; ++ goto out_iucv_dev; + return 0; + ++out_iucv_dev: ++ put_device(af_iucv_dev); + out_driver: + driver_unregister(&af_iucv_driver); + out_iucv: diff --git a/patches.suse/net-phy-Tell-caller-result-of-phy_change.patch b/patches.suse/net-phy-Tell-caller-result-of-phy_change.patch new file mode 100644 index 0000000000..48ba781234 --- /dev/null +++ b/patches.suse/net-phy-Tell-caller-result-of-phy_change.patch @@ -0,0 +1,240 @@ +From: Brad Mouring <brad.mouring@ni.com> +Date: Thu, 8 Mar 2018 16:23:03 -0600 +Subject: net: phy: Tell caller result of phy_change() +Git-commit: a2c054a896b8ac794ddcfc7c92e2dc7ec4ed4ed5 +Patch-mainline: v4.16-rc7 +References: networking-stable-18_03_28 + +In 664fcf123a30e (net: phy: Threaded interrupts allow some simplification) +the phy_interrupt system was changed to use a traditional threaded +interrupt scheme instead of a workqueue approach. + +With this change, the phy status check moved into phy_change, which +did not report back to the caller whether or not the interrupt was +handled. This means that, in the case of a shared phy interrupt, +only the first phydev's interrupt registers are checked (since +phy_interrupt() would always return IRQ_HANDLED). This leads to +interrupt storms when it is a secondary device that's actually the +interrupt source. + +Signed-off-by: Brad Mouring <brad.mouring@ni.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/phy/phy.c | 173 ++++++++++++++++++++++++-------------------------- + include/linux/phy.h | 1 + 2 files changed, 86 insertions(+), 88 deletions(-) + +--- a/drivers/net/phy/phy.c ++++ b/drivers/net/phy/phy.c +@@ -769,6 +769,91 @@ static void phy_error(struct phy_device + } + + /** ++ * phy_disable_interrupts - Disable the PHY interrupts from the PHY side ++ * @phydev: target phy_device struct ++ */ ++static int phy_disable_interrupts(struct phy_device *phydev) ++{ ++ int err; ++ ++ /* Disable PHY interrupts */ ++ err = phy_config_interrupt(phydev, PHY_INTERRUPT_DISABLED); ++ if (err) ++ goto phy_err; ++ ++ /* Clear the interrupt */ ++ err = phy_clear_interrupt(phydev); ++ if (err) ++ goto phy_err; ++ ++ return 0; ++ ++phy_err: ++ phy_error(phydev); ++ ++ return err; ++} ++ ++/** ++ * phy_change - Called by the phy_interrupt to handle PHY changes ++ * @phydev: phy_device struct that interrupted ++ */ ++static irqreturn_t phy_change(struct phy_device *phydev) ++{ ++ if (phy_interrupt_is_valid(phydev)) { ++ if (phydev->drv->did_interrupt && ++ !phydev->drv->did_interrupt(phydev)) ++ goto ignore; ++ ++ if (phy_disable_interrupts(phydev)) ++ goto phy_err; ++ } ++ ++ mutex_lock(&phydev->lock); ++ if ((PHY_RUNNING == phydev->state) || (PHY_NOLINK == phydev->state)) ++ phydev->state = PHY_CHANGELINK; ++ mutex_unlock(&phydev->lock); ++ ++ if (phy_interrupt_is_valid(phydev)) { ++ atomic_dec(&phydev->irq_disable); ++ enable_irq(phydev->irq); ++ ++ /* Reenable interrupts */ ++ if (PHY_HALTED != phydev->state && ++ phy_config_interrupt(phydev, PHY_INTERRUPT_ENABLED)) ++ goto irq_enable_err; ++ } ++ ++ /* reschedule state queue work to run as soon as possible */ ++ phy_trigger_machine(phydev, true); ++ return IRQ_HANDLED; ++ ++ignore: ++ atomic_dec(&phydev->irq_disable); ++ enable_irq(phydev->irq); ++ return IRQ_NONE; ++ ++irq_enable_err: ++ disable_irq(phydev->irq); ++ atomic_inc(&phydev->irq_disable); ++phy_err: ++ phy_error(phydev); ++ return IRQ_NONE; ++} ++ ++/** ++ * phy_change_work - Scheduled by the phy_mac_interrupt to handle PHY changes ++ * @work: work_struct that describes the work to be done ++ */ ++void phy_change_work(struct work_struct *work) ++{ ++ struct phy_device *phydev = ++ container_of(work, struct phy_device, phy_queue); ++ ++ phy_change(phydev); ++} ++ ++/** + * phy_interrupt - PHY interrupt handler + * @irq: interrupt line + * @phy_dat: phy_device pointer +@@ -786,9 +871,7 @@ static irqreturn_t phy_interrupt(int irq + disable_irq_nosync(irq); + atomic_inc(&phydev->irq_disable); + +- phy_change(phydev); +- +- return IRQ_HANDLED; ++ return phy_change(phydev); + } + + /** +@@ -806,32 +889,6 @@ static int phy_enable_interrupts(struct + } + + /** +- * phy_disable_interrupts - Disable the PHY interrupts from the PHY side +- * @phydev: target phy_device struct +- */ +-static int phy_disable_interrupts(struct phy_device *phydev) +-{ +- int err; +- +- /* Disable PHY interrupts */ +- err = phy_config_interrupt(phydev, PHY_INTERRUPT_DISABLED); +- if (err) +- goto phy_err; +- +- /* Clear the interrupt */ +- err = phy_clear_interrupt(phydev); +- if (err) +- goto phy_err; +- +- return 0; +- +-phy_err: +- phy_error(phydev); +- +- return err; +-} +- +-/** + * phy_start_interrupts - request and enable interrupts for a PHY device + * @phydev: target phy_device struct + * +@@ -882,64 +939,6 @@ int phy_stop_interrupts(struct phy_devic + EXPORT_SYMBOL(phy_stop_interrupts); + + /** +- * phy_change - Called by the phy_interrupt to handle PHY changes +- * @phydev: phy_device struct that interrupted +- */ +-void phy_change(struct phy_device *phydev) +-{ +- if (phy_interrupt_is_valid(phydev)) { +- if (phydev->drv->did_interrupt && +- !phydev->drv->did_interrupt(phydev)) +- goto ignore; +- +- if (phy_disable_interrupts(phydev)) +- goto phy_err; +- } +- +- mutex_lock(&phydev->lock); +- if ((PHY_RUNNING == phydev->state) || (PHY_NOLINK == phydev->state)) +- phydev->state = PHY_CHANGELINK; +- mutex_unlock(&phydev->lock); +- +- if (phy_interrupt_is_valid(phydev)) { +- atomic_dec(&phydev->irq_disable); +- enable_irq(phydev->irq); +- +- /* Reenable interrupts */ +- if (PHY_HALTED != phydev->state && +- phy_config_interrupt(phydev, PHY_INTERRUPT_ENABLED)) +- goto irq_enable_err; +- } +- +- /* reschedule state queue work to run as soon as possible */ +- phy_trigger_machine(phydev, true); +- return; +- +-ignore: +- atomic_dec(&phydev->irq_disable); +- enable_irq(phydev->irq); +- return; +- +-irq_enable_err: +- disable_irq(phydev->irq); +- atomic_inc(&phydev->irq_disable); +-phy_err: +- phy_error(phydev); +-} +- +-/** +- * phy_change_work - Scheduled by the phy_mac_interrupt to handle PHY changes +- * @work: work_struct that describes the work to be done +- */ +-void phy_change_work(struct work_struct *work) +-{ +- struct phy_device *phydev = +- container_of(work, struct phy_device, phy_queue); +- +- phy_change(phydev); +-} +- +-/** + * phy_stop - Bring down the PHY link, and stop checking the status + * @phydev: target phy_device struct + */ +--- a/include/linux/phy.h ++++ b/include/linux/phy.h +@@ -851,7 +851,6 @@ int phy_driver_register(struct phy_drive + int phy_drivers_register(struct phy_driver *new_driver, int n, + struct module *owner); + void phy_state_machine(struct work_struct *work); +-void phy_change(struct phy_device *phydev); + void phy_change_work(struct work_struct *work); + void phy_mac_interrupt(struct phy_device *phydev, int new_link); + void phy_start_machine(struct phy_device *phydev); diff --git a/patches.suse/net-phy-fix-phy_start-to-consider-PHY_IGNORE_INTERRU.patch b/patches.suse/net-phy-fix-phy_start-to-consider-PHY_IGNORE_INTERRU.patch new file mode 100644 index 0000000000..50fe732218 --- /dev/null +++ b/patches.suse/net-phy-fix-phy_start-to-consider-PHY_IGNORE_INTERRU.patch @@ -0,0 +1,31 @@ +From: Heiner Kallweit <hkallweit1@gmail.com> +Date: Thu, 8 Feb 2018 21:01:48 +0100 +Subject: net: phy: fix phy_start to consider PHY_IGNORE_INTERRUPT +Git-commit: 08f5138512180a479ce6b9d23b825c9f4cd3be77 +Patch-mainline: v4.16-rc1 +References: networking-stable-18_03_07 + +This condition wasn't adjusted when PHY_IGNORE_INTERRUPT (-2) was added +long ago. In case of PHY_IGNORE_INTERRUPT the MAC interrupt indicates +also PHY state changes and we should do what the symbol says. + +Fixes: 84a527a41f38 ("net: phylib: fix interrupts re-enablement in phy_start") +Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com> +Reviewed-by: Florian Fainelli <f.fainelli@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/phy/phy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/phy/phy.c ++++ b/drivers/net/phy/phy.c +@@ -996,7 +996,7 @@ void phy_start(struct phy_device *phydev + break; + case PHY_HALTED: + /* make sure interrupts are re-enabled for the PHY */ +- if (phydev->irq != PHY_POLL) { ++ if (phy_interrupt_is_valid(phydev)) { + err = phy_enable_interrupts(phydev); + if (err < 0) + break; diff --git a/patches.suse/net-qdisc_pkt_len_init-should-be-more-robust.patch b/patches.suse/net-qdisc_pkt_len_init-should-be-more-robust.patch new file mode 100644 index 0000000000..6f76514dca --- /dev/null +++ b/patches.suse/net-qdisc_pkt_len_init-should-be-more-robust.patch @@ -0,0 +1,58 @@ +From: Eric Dumazet <edumazet@google.com> +Date: Thu, 18 Jan 2018 19:59:19 -0800 +Subject: net: qdisc_pkt_len_init() should be more robust +Git-commit: 7c68d1a6b4db9012790af7ac0f0fdc0d2083422a +Patch-mainline: v4.15 +References: networking-stable-18_01_28 + +Without proper validation of DODGY packets, we might very well +feed qdisc_pkt_len_init() with invalid GSO packets. + +tcp_hdrlen() might access out-of-bound data, so let's use +skb_header_pointer() and proper checks. + +Whole story is described in commit d0c081b49137 ("flow_dissector: +properly cap thoff field") + +We have the goal of validating DODGY packets earlier in the stack, +so we might very well revert this fix in the future. + +Signed-off-by: Eric Dumazet <edumazet@google.com> +Cc: Willem de Bruijn <willemb@google.com> +Cc: Jason Wang <jasowang@redhat.com> +Reported-by: syzbot+9da69ebac7dddd804552@syzkaller.appspotmail.com +Acked-by: Jason Wang <jasowang@redhat.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/core/dev.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -3131,10 +3131,21 @@ static void qdisc_pkt_len_init(struct sk + hdr_len = skb_transport_header(skb) - skb_mac_header(skb); + + /* + transport layer */ +- if (likely(shinfo->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6))) +- hdr_len += tcp_hdrlen(skb); +- else +- hdr_len += sizeof(struct udphdr); ++ if (likely(shinfo->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6))) { ++ const struct tcphdr *th; ++ struct tcphdr _tcphdr; ++ ++ th = skb_header_pointer(skb, skb_transport_offset(skb), ++ sizeof(_tcphdr), &_tcphdr); ++ if (likely(th)) ++ hdr_len += __tcp_hdrlen(th); ++ } else { ++ struct udphdr _udphdr; ++ ++ if (skb_header_pointer(skb, skb_transport_offset(skb), ++ sizeof(_udphdr), &_udphdr)) ++ hdr_len += sizeof(struct udphdr); ++ } + + if (shinfo->gso_type & SKB_GSO_DODGY) + gso_segs = DIV_ROUND_UP(skb->len - hdr_len, diff --git a/patches.suse/net-sched-cls_u32-fix-cls_u32-on-filter-replace.patch b/patches.suse/net-sched-cls_u32-fix-cls_u32-on-filter-replace.patch new file mode 100644 index 0000000000..8076e0f35f --- /dev/null +++ b/patches.suse/net-sched-cls_u32-fix-cls_u32-on-filter-replace.patch @@ -0,0 +1,47 @@ +From: Ivan Vecera <ivecera@redhat.com> +Date: Thu, 8 Feb 2018 16:10:39 +0100 +Subject: net/sched: cls_u32: fix cls_u32 on filter replace +Git-commit: eb53f7af6f15285e2f6ada97285395343ce9f433 +Patch-mainline: v4.16-rc1 +References: networking-stable-18_03_07 + +The following sequence is currently broken: + + # tc qdisc add dev foo ingress + # tc filter replace dev foo protocol all ingress \ + u32 match u8 0 0 action mirred egress mirror dev bar1 + # tc filter replace dev foo protocol all ingress \ + handle 800::800 pref 49152 \ + u32 match u8 0 0 action mirred egress mirror dev bar2 + Error: cls_u32: Key node flags do not match passed flags. + We have an error talking to the kernel, -1 + +The error comes from u32_change() when comparing new and +existing flags. The existing ones always contains one of +TCA_CLS_FLAGS_{,NOT}_IN_HW flag depending on offloading state. +These flags cannot be passed from userspace so the condition +(n->flags != flags) in u32_change() always fails. + +Fix the condition so the flags TCA_CLS_FLAGS_NOT_IN_HW and +TCA_CLS_FLAGS_IN_HW are not taken into account. + +Fixes: 24d3dc6d27ea ("net/sched: cls_u32: Reflect HW offload status") +Signed-off-by: Ivan Vecera <ivecera@redhat.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/sched/cls_u32.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/sched/cls_u32.c ++++ b/net/sched/cls_u32.c +@@ -875,7 +875,8 @@ static int u32_change(struct net *net, s + if (TC_U32_KEY(n->handle) == 0) + return -EINVAL; + +- if (n->flags != flags) ++ if ((n->flags ^ flags) & ++ ~(TCA_CLS_FLAGS_IN_HW | TCA_CLS_FLAGS_NOT_IN_HW)) + return -EINVAL; + + new = u32_init_knode(tp, n); diff --git a/patches.suse/net-sched-report-if-filter-is-too-large-to-dump.patch b/patches.suse/net-sched-report-if-filter-is-too-large-to-dump.patch new file mode 100644 index 0000000000..0b84595ad0 --- /dev/null +++ b/patches.suse/net-sched-report-if-filter-is-too-large-to-dump.patch @@ -0,0 +1,53 @@ +From: Roman Kapl <code@rkapl.cz> +Date: Mon, 19 Feb 2018 21:32:51 +0100 +Subject: net: sched: report if filter is too large to dump +Git-commit: 5ae437ad5a2ed573b1ebb04e0afa70b8869f88dd +Patch-mainline: v4.16-rc3 +References: networking-stable-18_03_07 + +So far, if the filter was too large to fit in the allocated skb, the +kernel did not return any error and stopped dumping. Modify the dumper +so that it returns -EMSGSIZE when a filter fails to dump and it is the +first filter in the skb. If we are not first, we will get a next chance +with more room. + +I understand this is pretty near to being an API change, but the +original design (silent truncation) can be considered a bug. + +Note: The error case can happen pretty easily if you create a filter +with 32 actions and have 4kb pages. Also recent versions of iproute try +to be clever with their buffer allocation size, which in turn leads to + +Signed-off-by: Roman Kapl <code@rkapl.cz> +Acked-by: Jiri Pirko <jiri@mellanox.com> +Acked-by: Cong Wang <xiyou.wangcong@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/sched/cls_api.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/net/sched/cls_api.c ++++ b/net/sched/cls_api.c +@@ -830,8 +830,10 @@ static int tc_dump_tfilter(struct sk_buf + if (tca[TCA_CHAIN] && + nla_get_u32(tca[TCA_CHAIN]) != chain->index) + continue; +- if (!tcf_chain_dump(chain, skb, cb, index_start, &index)) ++ if (!tcf_chain_dump(chain, skb, cb, index_start, &index)) { ++ err = -EMSGSIZE; + break; ++ } + } + + cb->args[0] = index; +@@ -840,6 +842,9 @@ errout: + if (cl) + cops->put(q, cl); + out: ++ /* If we did no progress, the error (EMSGSIZE) is real */ ++ if (skb->len == 0 && err) ++ return err; + return skb->len; + } + diff --git a/patches.suse/net-systemport-Rewrite-__bcm_sysport_tx_reclaim.patch b/patches.suse/net-systemport-Rewrite-__bcm_sysport_tx_reclaim.patch new file mode 100644 index 0000000000..26fa2210e0 --- /dev/null +++ b/patches.suse/net-systemport-Rewrite-__bcm_sysport_tx_reclaim.patch @@ -0,0 +1,119 @@ +From: Florian Fainelli <f.fainelli@gmail.com> +Date: Tue, 13 Mar 2018 14:45:07 -0700 +Subject: net: systemport: Rewrite __bcm_sysport_tx_reclaim() +Git-commit: 484d802d0f2f29c335563fcac2a8facf174a1bbc +Patch-mainline: v4.16-rc7 +References: networking-stable-18_03_28 + +There is no need for complex checking between the last consumed index +and current consumed index, a simple subtraction will do. + +This also eliminates the possibility of a permanent transmit queue stall +under the following conditions: + +- one CPU bursts ring->size worth of traffic (up to 256 buffers), to the + point where we run out of free descriptors, so we stop the transmit + queue at the end of bcm_sysport_xmit() + +- because of our locking, we have the transmit process disable + interrupts which means we can be blocking the TX reclamation process + +- when TX reclamation finally runs, we will be computing the difference + between ring->c_index (last consumed index by SW) and what the HW + reports through its register + +- this register is masked with (ring->size - 1) = 0xff, which will lead + to stripping the upper bits of the index (register is 16-bits wide) + +- we will be computing last_tx_cn as 0, which means there is no work to + be done, and we never wake-up the transmit queue, leaving it + permanently disabled + +A practical example is e.g: ring->c_index aka last_c_index = 12, we +pushed 256 entries, HW consumer index = 268, we mask it with 0xff = 12, +so last_tx_cn == 0, nothing happens. + +Fixes: 80105befdb4b ("net: systemport: add Broadcom SYSTEMPORT Ethernet MAC driver") +Signed-off-by: Florian Fainelli <f.fainelli@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/ethernet/broadcom/bcmsysport.c | 33 +++++++++++++---------------- + drivers/net/ethernet/broadcom/bcmsysport.h | 2 - + 2 files changed, 16 insertions(+), 19 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bcmsysport.c ++++ b/drivers/net/ethernet/broadcom/bcmsysport.c +@@ -809,9 +809,11 @@ static unsigned int __bcm_sysport_tx_rec + struct bcm_sysport_tx_ring *ring) + { + struct net_device *ndev = priv->netdev; +- unsigned int c_index, last_c_index, last_tx_cn, num_tx_cbs; + unsigned int pkts_compl = 0, bytes_compl = 0; ++ unsigned int txbds_processed = 0; + struct bcm_sysport_cb *cb; ++ unsigned int txbds_ready; ++ unsigned int c_index; + u32 hw_ind; + + /* Clear status before servicing to reduce spurious interrupts */ +@@ -824,29 +826,23 @@ static unsigned int __bcm_sysport_tx_rec + /* Compute how many descriptors have been processed since last call */ + hw_ind = tdma_readl(priv, TDMA_DESC_RING_PROD_CONS_INDEX(ring->index)); + c_index = (hw_ind >> RING_CONS_INDEX_SHIFT) & RING_CONS_INDEX_MASK; +- ring->p_index = (hw_ind & RING_PROD_INDEX_MASK); +- +- last_c_index = ring->c_index; +- num_tx_cbs = ring->size; +- +- c_index &= (num_tx_cbs - 1); +- +- if (c_index >= last_c_index) +- last_tx_cn = c_index - last_c_index; +- else +- last_tx_cn = num_tx_cbs - last_c_index + c_index; ++ txbds_ready = (c_index - ring->c_index) & RING_CONS_INDEX_MASK; + + netif_dbg(priv, tx_done, ndev, +- "ring=%d c_index=%d last_tx_cn=%d last_c_index=%d\n", +- ring->index, c_index, last_tx_cn, last_c_index); ++ "ring=%d old_c_index=%u c_index=%u txbds_ready=%u\n", ++ ring->index, ring->c_index, c_index, txbds_ready); + +- while (last_tx_cn-- > 0) { +- cb = ring->cbs + last_c_index; ++ while (txbds_processed < txbds_ready) { ++ cb = &ring->cbs[ring->clean_index]; + bcm_sysport_tx_reclaim_one(ring, cb, &bytes_compl, &pkts_compl); + + ring->desc_count++; +- last_c_index++; +- last_c_index &= (num_tx_cbs - 1); ++ txbds_processed++; ++ ++ if (likely(ring->clean_index < ring->size - 1)) ++ ring->clean_index++; ++ else ++ ring->clean_index = 0; + } + + ring->c_index = c_index; +@@ -1354,6 +1350,7 @@ static int bcm_sysport_init_tx_ring(stru + netif_tx_napi_add(priv->netdev, &ring->napi, bcm_sysport_tx_poll, 64); + ring->index = index; + ring->size = size; ++ ring->clean_index = 0; + ring->alloc_size = ring->size; + ring->desc_cpu = p; + ring->desc_count = ring->size; +--- a/drivers/net/ethernet/broadcom/bcmsysport.h ++++ b/drivers/net/ethernet/broadcom/bcmsysport.h +@@ -689,7 +689,7 @@ struct bcm_sysport_tx_ring { + unsigned int desc_count; /* Number of descriptors */ + unsigned int curr_desc; /* Current descriptor */ + unsigned int c_index; /* Last consumer index */ +- unsigned int p_index; /* Current producer index */ ++ unsigned int clean_index; /* Current clean index */ + struct bcm_sysport_cb *cbs; /* Transmit control blocks */ + struct dma_desc *desc_cpu; /* CPU view of the descriptor */ + struct bcm_sysport_priv *priv; /* private context backpointer */ diff --git a/patches.suse/net-tcp-close-sock-if-net-namespace-is-exiting.patch b/patches.suse/net-tcp-close-sock-if-net-namespace-is-exiting.patch new file mode 100644 index 0000000000..899c204c04 --- /dev/null +++ b/patches.suse/net-tcp-close-sock-if-net-namespace-is-exiting.patch @@ -0,0 +1,117 @@ +From: Dan Streetman <ddstreet@ieee.org> +Date: Thu, 18 Jan 2018 16:14:26 -0500 +Subject: net: tcp: close sock if net namespace is exiting +Git-commit: 4ee806d51176ba7b8ff1efd81f271d7252e03a1d +Patch-mainline: v4.15 +References: networking-stable-18_01_28 + +When a tcp socket is closed, if it detects that its net namespace is +exiting, close immediately and do not wait for FIN sequence. + +For normal sockets, a reference is taken to their net namespace, so it will +never exit while the socket is open. However, kernel sockets do not take a +reference to their net namespace, so it may begin exiting while the kernel +socket is still open. In this case if the kernel socket is a tcp socket, +it will stay open trying to complete its close sequence. The sock's dst(s) +hold a reference to their interface, which are all transferred to the +namespace's loopback interface when the real interfaces are taken down. +When the namespace tries to take down its loopback interface, it hangs +waiting for all references to the loopback interface to release, which +results in messages like: + +unregister_netdevice: waiting for lo to become free. Usage count = 1 + +These messages continue until the socket finally times out and closes. +Since the net namespace cleanup holds the net_mutex while calling its +registered pernet callbacks, any new net namespace initialization is +blocked until the current net namespace finishes exiting. + +After this change, the tcp socket notices the exiting net namespace, and +closes immediately, releasing its dst(s) and their reference to the +loopback interface, which lets the net namespace continue exiting. + +Link: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1711407 +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=97811 +Signed-off-by: Dan Streetman <ddstreet@canonical.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + include/net/net_namespace.h | 10 ++++++++++ + net/ipv4/tcp.c | 3 +++ + net/ipv4/tcp_timer.c | 15 +++++++++++++++ + 3 files changed, 28 insertions(+) + +--- a/include/net/net_namespace.h ++++ b/include/net/net_namespace.h +@@ -217,6 +217,11 @@ int net_eq(const struct net *net1, const + return net1 == net2; + } + ++static inline int check_net(const struct net *net) ++{ ++ return atomic_read(&net->count) != 0; ++} ++ + void net_drop_ns(void *); + + #else +@@ -240,6 +245,11 @@ int net_eq(const struct net *net1, const + { + return 1; + } ++ ++static inline int check_net(const struct net *net) ++{ ++ return 1; ++} + + #define net_drop_ns NULL + #endif +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -2133,6 +2133,9 @@ adjudge_to_death: + tcp_send_active_reset(sk, GFP_ATOMIC); + __NET_INC_STATS(sock_net(sk), + LINUX_MIB_TCPABORTONMEMORY); ++ } else if (!check_net(sock_net(sk))) { ++ /* Not possible to send reset; just close */ ++ tcp_set_state(sk, TCP_CLOSE); + } + } + +--- a/net/ipv4/tcp_timer.c ++++ b/net/ipv4/tcp_timer.c +@@ -50,11 +50,19 @@ static void tcp_write_err(struct sock *s + * to prevent DoS attacks. It is called when a retransmission timeout + * or zero probe timeout occurs on orphaned socket. + * ++ * Also close if our net namespace is exiting; in that case there is no ++ * hope of ever communicating again since all netns interfaces are already ++ * down (or about to be down), and we need to release our dst references, ++ * which have been moved to the netns loopback interface, so the namespace ++ * can finish exiting. This condition is only possible if we are a kernel ++ * socket, as those do not hold references to the namespace. ++ * + * Criteria is still not confirmed experimentally and may change. + * We kill the socket, if: + * 1. If number of orphaned sockets exceeds an administratively configured + * limit. + * 2. If we have strong memory pressure. ++ * 3. If our net namespace is exiting. + */ + static int tcp_out_of_resources(struct sock *sk, bool do_reset) + { +@@ -83,6 +91,13 @@ static int tcp_out_of_resources(struct s + __NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPABORTONMEMORY); + return 1; + } ++ ++ if (!check_net(sock_net(sk))) { ++ /* Not possible to send reset; just close */ ++ tcp_done(sk); ++ return 1; ++ } ++ + return 0; + } + diff --git a/patches.suse/net-use-skb_to_full_sk-in-skb_update_prio.patch b/patches.suse/net-use-skb_to_full_sk-in-skb_update_prio.patch new file mode 100644 index 0000000000..baaf615872 --- /dev/null +++ b/patches.suse/net-use-skb_to_full_sk-in-skb_update_prio.patch @@ -0,0 +1,79 @@ +From: Eric Dumazet <edumazet@google.com> +Date: Wed, 14 Mar 2018 09:04:16 -0700 +Subject: net: use skb_to_full_sk() in skb_update_prio() +Git-commit: 4dcb31d4649df36297296b819437709f5407059c +Patch-mainline: v4.16-rc7 +References: networking-stable-18_03_28 + +Andrei Vagin reported a KASAN: slab-out-of-bounds error in +skb_update_prio() + +Since SYNACK might be attached to a request socket, we need to +get back to the listener socket. +Since this listener is manipulated without locks, add const +qualifiers to sock_cgroup_prioidx() so that the const can also +be used in skb_update_prio() + +Also add the const qualifier to sock_cgroup_classid() for consistency. + +Fixes: ca6fb0651883 ("tcp: attach SYNACK messages to request sockets instead of listener") +Signed-off-by: Eric Dumazet <edumazet@google.com> +Reported-by: Andrei Vagin <avagin@virtuozzo.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + include/linux/cgroup-defs.h | 4 ++-- + net/core/dev.c | 22 +++++++++++++++------- + 2 files changed, 17 insertions(+), 9 deletions(-) + +--- a/include/linux/cgroup-defs.h ++++ b/include/linux/cgroup-defs.h +@@ -623,13 +623,13 @@ struct sock_cgroup_data { + * updaters and return part of the previous pointer as the prioidx or + * classid. Such races are short-lived and the result isn't critical. + */ +-static inline u16 sock_cgroup_prioidx(struct sock_cgroup_data *skcd) ++static inline u16 sock_cgroup_prioidx(const struct sock_cgroup_data *skcd) + { + /* fallback to 1 which is always the ID of the root cgroup */ + return (skcd->is_data & 1) ? skcd->prioidx : 1; + } + +-static inline u32 sock_cgroup_classid(struct sock_cgroup_data *skcd) ++static inline u32 sock_cgroup_classid(const struct sock_cgroup_data *skcd) + { + /* fallback to 0 which is the unconfigured default classid */ + return (skcd->is_data & 1) ? skcd->classid : 0; +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -3244,15 +3244,23 @@ static inline int __dev_xmit_skb(struct + #if IS_ENABLED(CONFIG_CGROUP_NET_PRIO) + static void skb_update_prio(struct sk_buff *skb) + { +- struct netprio_map *map = rcu_dereference_bh(skb->dev->priomap); ++ const struct netprio_map *map; ++ const struct sock *sk; ++ unsigned int prioidx; + +- if (!skb->priority && skb->sk && map) { +- unsigned int prioidx = +- sock_cgroup_prioidx(&skb->sk->sk_cgrp_data); ++ if (skb->priority) ++ return; ++ map = rcu_dereference_bh(skb->dev->priomap); ++ if (!map) ++ return; ++ sk = skb_to_full_sk(skb); ++ if (!sk) ++ return; + +- if (prioidx < map->priomap_len) +- skb->priority = map->priomap[prioidx]; +- } ++ prioidx = sock_cgroup_prioidx(&sk->sk_cgrp_data); ++ ++ if (prioidx < map->priomap_len) ++ skb->priority = map->priomap[prioidx]; + } + #else + #define skb_update_prio(skb) diff --git a/patches.suse/net-vrf-Add-support-for-sends-to-local-broadcast-add.patch b/patches.suse/net-vrf-Add-support-for-sends-to-local-broadcast-add.patch new file mode 100644 index 0000000000..b0bdda8967 --- /dev/null +++ b/patches.suse/net-vrf-Add-support-for-sends-to-local-broadcast-add.patch @@ -0,0 +1,40 @@ +From: David Ahern <dsahern@gmail.com> +Date: Wed, 24 Jan 2018 19:37:37 -0800 +Subject: net: vrf: Add support for sends to local broadcast address +Git-commit: 1e19c4d689dc1e95bafd23ef68fbc0c6b9e05180 +Patch-mainline: v4.15 +References: networking-stable-18_01_28 + +Sukumar reported that sends to the local broadcast address +(255.255.255.255) are broken. Check for the address in vrf driver +and do not redirect to the VRF device - similar to multicast +packets. + +With this change sockets can use SO_BINDTODEVICE to specify an +egress interface and receive responses. Note: the egress interface +can not be a VRF device but needs to be the enslaved device. + +https://bugzilla.kernel.org/show_bug.cgi?id=198521 + +Reported-by: Sukumar Gopalakrishnan <sukumarg1973@gmail.com> +Signed-off-by: David Ahern <dsahern@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/vrf.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/net/vrf.c ++++ b/drivers/net/vrf.c +@@ -758,8 +758,9 @@ static struct sk_buff *vrf_ip_out(struct + struct sock *sk, + struct sk_buff *skb) + { +- /* don't divert multicast */ +- if (ipv4_is_multicast(ip_hdr(skb)->daddr)) ++ /* don't divert multicast or local broadcast */ ++ if (ipv4_is_multicast(ip_hdr(skb)->daddr) || ++ ipv4_is_lbcast(ip_hdr(skb)->daddr)) + return skb; + + if (qdisc_tx_is_default(vrf_dev)) diff --git a/patches.suse/netlink-avoid-a-double-skb-free-in-genlmsg_mcast.patch b/patches.suse/netlink-avoid-a-double-skb-free-in-genlmsg_mcast.patch new file mode 100644 index 0000000000..0344578a94 --- /dev/null +++ b/patches.suse/netlink-avoid-a-double-skb-free-in-genlmsg_mcast.patch @@ -0,0 +1,30 @@ +From: Nicolas Dichtel <nicolas.dichtel@6wind.com> +Date: Wed, 14 Mar 2018 21:10:23 +0100 +Subject: netlink: avoid a double skb free in genlmsg_mcast() +Git-commit: 02a2385f37a7c6594c9d89b64c4a1451276f08eb +Patch-mainline: v4.16-rc7 +References: git-fixes + +nlmsg_multicast() consumes always the skb, thus the original skb must be +freed only when this function is called with a clone. + +Fixes: cb9f7a9a5c96 ("netlink: ensure to loop over all netns in genlmsg_multicast_allns()") +Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk> +Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/netlink/genetlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netlink/genetlink.c ++++ b/net/netlink/genetlink.c +@@ -1105,7 +1105,7 @@ static int genlmsg_mcast(struct sk_buff + if (!err) + delivered = true; + else if (err != -ESRCH) +- goto error; ++ return err; + return delivered ? 0 : -ESRCH; + error: + kfree_skb(skb); diff --git a/patches.suse/netlink-ensure-to-loop-over-all-netns-in-genlmsg_mul.patch b/patches.suse/netlink-ensure-to-loop-over-all-netns-in-genlmsg_mul.patch new file mode 100644 index 0000000000..99a6ced530 --- /dev/null +++ b/patches.suse/netlink-ensure-to-loop-over-all-netns-in-genlmsg_mul.patch @@ -0,0 +1,59 @@ +From: Nicolas Dichtel <nicolas.dichtel@6wind.com> +Date: Tue, 6 Feb 2018 14:48:32 +0100 +Subject: netlink: ensure to loop over all netns in genlmsg_multicast_allns() +Git-commit: cb9f7a9a5c96a773bbc9c70660dc600cfff82f82 +Patch-mainline: v4.16-rc1 +References: networking-stable-18_03_07 + +Nowadays, nlmsg_multicast() returns only 0 or -ESRCH but this was not the +case when commit 134e63756d5f was pushed. +However, there was no reason to stop the loop if a netns does not have +listeners. +Returns -ESRCH only if there was no listeners in all netns. + +To avoid having the same problem in the future, I didn't take the +assumption that nlmsg_multicast() returns only 0 or -ESRCH. + +Fixes: 134e63756d5f ("genetlink: make netns aware") +CC: Johannes Berg <johannes.berg@intel.com> +Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/netlink/genetlink.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/net/netlink/genetlink.c ++++ b/net/netlink/genetlink.c +@@ -1080,6 +1080,7 @@ static int genlmsg_mcast(struct sk_buff + { + struct sk_buff *tmp; + struct net *net, *prev = NULL; ++ bool delivered = false; + int err; + + for_each_net_rcu(net) { +@@ -1091,14 +1092,21 @@ static int genlmsg_mcast(struct sk_buff + } + err = nlmsg_multicast(prev->genl_sock, tmp, + portid, group, flags); +- if (err) ++ if (!err) ++ delivered = true; ++ else if (err != -ESRCH) + goto error; + } + + prev = net; + } + +- return nlmsg_multicast(prev->genl_sock, skb, portid, group, flags); ++ err = nlmsg_multicast(prev->genl_sock, skb, portid, group, flags); ++ if (!err) ++ delivered = true; ++ else if (err != -ESRCH) ++ goto error; ++ return delivered ? 0 : -ESRCH; + error: + kfree_skb(skb); + return err; diff --git a/patches.suse/netlink-extack-needs-to-be-reset-each-time-through-l.patch b/patches.suse/netlink-extack-needs-to-be-reset-each-time-through-l.patch new file mode 100644 index 0000000000..a2f37ed63c --- /dev/null +++ b/patches.suse/netlink-extack-needs-to-be-reset-each-time-through-l.patch @@ -0,0 +1,40 @@ +From: David Ahern <dsahern@gmail.com> +Date: Wed, 10 Jan 2018 13:00:39 -0800 +Subject: netlink: extack needs to be reset each time through loop +Git-commit: cbbdf8433a5f117b1a2119ea30fc651b61ef7570 +Patch-mainline: v4.15-rc9 +References: networking-stable-18_01_28 + +syzbot triggered the WARN_ON in netlink_ack testing the bad_attr value. +The problem is that netlink_rcv_skb loops over the skb repeatedly invoking +the callback and without resetting the extack leaving potentially stale +data. Initializing each time through avoids the WARN_ON. + +Fixes: 2d4bc93368f5a ("netlink: extended ACK reporting") +Reported-by: syzbot+315fa6766d0f7c359327@syzkaller.appspotmail.com +Signed-off-by: David Ahern <dsahern@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/netlink/af_netlink.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -2385,7 +2385,7 @@ int netlink_rcv_skb(struct sk_buff *skb, + struct nlmsghdr *, + struct netlink_ext_ack *)) + { +- struct netlink_ext_ack extack = {}; ++ struct netlink_ext_ack extack; + struct nlmsghdr *nlh; + int err; + +@@ -2406,6 +2406,7 @@ int netlink_rcv_skb(struct sk_buff *skb, + if (nlh->nlmsg_type < NLMSG_MIN_TYPE) + goto ack; + ++ memset(&extack, 0, sizeof(extack)); + err = cb(skb, nlh, &extack); + if (err == -EINTR) + goto skip; diff --git a/patches.suse/netlink-reset-extack-earlier-in-netlink_rcv_skb.patch b/patches.suse/netlink-reset-extack-earlier-in-netlink_rcv_skb.patch new file mode 100644 index 0000000000..63a5a6ac52 --- /dev/null +++ b/patches.suse/netlink-reset-extack-earlier-in-netlink_rcv_skb.patch @@ -0,0 +1,39 @@ +From: Xin Long <lucien.xin@gmail.com> +Date: Thu, 18 Jan 2018 14:48:03 +0800 +Subject: netlink: reset extack earlier in netlink_rcv_skb +Git-commit: cd443f1e91ca600a092e780e8250cd6a2954b763 +Patch-mainline: v4.15-rc9 +References: networking-stable-18_01_28 + +Move up the extack reset/initialization in netlink_rcv_skb, so that +those 'goto ack' will not skip it. Otherwise, later on netlink_ack +may use the uninitialized extack and cause kernel crash. + +Fixes: cbbdf8433a5f ("netlink: extack needs to be reset each time through loop") +Reported-by: syzbot+03bee3680a37466775e7@syzkaller.appspotmail.com +Signed-off-by: Xin Long <lucien.xin@gmail.com> +Acked-by: David Ahern <dsahern@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/netlink/af_netlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -2392,6 +2392,7 @@ int netlink_rcv_skb(struct sk_buff *skb, + while (skb->len >= nlmsg_total_size(0)) { + int msglen; + ++ memset(&extack, 0, sizeof(extack)); + nlh = nlmsg_hdr(skb); + err = 0; + +@@ -2406,7 +2407,6 @@ int netlink_rcv_skb(struct sk_buff *skb, + if (nlh->nlmsg_type < NLMSG_MIN_TYPE) + goto ack; + +- memset(&extack, 0, sizeof(extack)); + err = cb(skb, nlh, &extack); + if (err == -EINTR) + goto skip; diff --git a/patches.suse/ppp-avoid-loop-in-xmit-recursion-detection-code.patch b/patches.suse/ppp-avoid-loop-in-xmit-recursion-detection-code.patch new file mode 100644 index 0000000000..83ff910f71 --- /dev/null +++ b/patches.suse/ppp-avoid-loop-in-xmit-recursion-detection-code.patch @@ -0,0 +1,141 @@ +From: Guillaume Nault <g.nault@alphalink.fr> +Date: Tue, 20 Mar 2018 16:49:26 +0100 +Subject: ppp: avoid loop in xmit recursion detection code +Git-commit: 6d066734e9f09cdea4a3b9cb76136db3f29cfb02 +Patch-mainline: v4.16-rc7 +References: networking-stable-18_03_28 + +We already detect situations where a PPP channel sends packets back to +its upper PPP device. While this is enough to avoid deadlocking on xmit +locks, this doesn't prevent packets from looping between the channel +and the unit. + +The problem is that ppp_start_xmit() enqueues packets in ppp->file.xq +before checking for xmit recursion. Therefore, __ppp_xmit_process() +might dequeue a packet from ppp->file.xq and send it on the channel +which, in turn, loops it back on the unit. Then ppp_start_xmit() +queues the packet back to ppp->file.xq and __ppp_xmit_process() picks +it up and sends it again through the channel. Therefore, the packet +will loop between __ppp_xmit_process() and ppp_start_xmit() until some +other part of the xmit path drops it. + +For L2TP, we rapidly fill the skb's headroom and pppol2tp_xmit() drops +the packet after a few iterations. But PPTP reallocates the headroom +if necessary, letting the loop run and exhaust the machine resources +(as reported in https://bugzilla.kernel.org/show_bug.cgi?id=199109). + +Fix this by letting __ppp_xmit_process() enqueue the skb to +ppp->file.xq, so that we can check for recursion before adding it to +the queue. Now ppp_xmit_process() can drop the packet when recursion is +detected. + +__ppp_channel_push() is a bit special. It calls __ppp_xmit_process() +without having any actual packet to send. This is used by +ppp_output_wakeup() to re-enable transmission on the parent unit (for +implementations like ppp_async.c, where the .start_xmit() function +might not consume the skb, leaving it in ppp->xmit_pending and +disabling transmission). +Therefore, __ppp_xmit_process() needs to handle the case where skb is +NULL, dequeuing as many packets as possible from ppp->file.xq. + +Reported-by: xu heng <xuheng333@zoho.com> +Fixes: 55454a565836 ("ppp: avoid dealock on recursive xmit") +Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/ppp/ppp_generic.c | 26 ++++++++++++++------------ + 1 file changed, 14 insertions(+), 12 deletions(-) + +--- a/drivers/net/ppp/ppp_generic.c ++++ b/drivers/net/ppp/ppp_generic.c +@@ -256,7 +256,7 @@ struct ppp_net { + /* Prototypes. */ + static int ppp_unattached_ioctl(struct net *net, struct ppp_file *pf, + struct file *file, unsigned int cmd, unsigned long arg); +-static void ppp_xmit_process(struct ppp *ppp); ++static void ppp_xmit_process(struct ppp *ppp, struct sk_buff *skb); + static void ppp_send_frame(struct ppp *ppp, struct sk_buff *skb); + static void ppp_push(struct ppp *ppp); + static void ppp_channel_push(struct channel *pch); +@@ -512,13 +512,12 @@ static ssize_t ppp_write(struct file *fi + goto out; + } + +- skb_queue_tail(&pf->xq, skb); +- + switch (pf->kind) { + case INTERFACE: +- ppp_xmit_process(PF_TO_PPP(pf)); ++ ppp_xmit_process(PF_TO_PPP(pf), skb); + break; + case CHANNEL: ++ skb_queue_tail(&pf->xq, skb); + ppp_channel_push(PF_TO_CHANNEL(pf)); + break; + } +@@ -1262,8 +1261,8 @@ ppp_start_xmit(struct sk_buff *skb, stru + put_unaligned_be16(proto, pp); + + skb_scrub_packet(skb, !net_eq(ppp->ppp_net, dev_net(dev))); +- skb_queue_tail(&ppp->file.xq, skb); +- ppp_xmit_process(ppp); ++ ppp_xmit_process(ppp, skb); ++ + return NETDEV_TX_OK; + + outf: +@@ -1415,13 +1414,14 @@ static void ppp_setup(struct net_device + */ + + /* Called to do any work queued up on the transmit side that can now be done */ +-static void __ppp_xmit_process(struct ppp *ppp) ++static void __ppp_xmit_process(struct ppp *ppp, struct sk_buff *skb) + { +- struct sk_buff *skb; +- + ppp_xmit_lock(ppp); + if (!ppp->closing) { + ppp_push(ppp); ++ ++ if (skb) ++ skb_queue_tail(&ppp->file.xq, skb); + while (!ppp->xmit_pending && + (skb = skb_dequeue(&ppp->file.xq))) + ppp_send_frame(ppp, skb); +@@ -1435,7 +1435,7 @@ static void __ppp_xmit_process(struct pp + ppp_xmit_unlock(ppp); + } + +-static void ppp_xmit_process(struct ppp *ppp) ++static void ppp_xmit_process(struct ppp *ppp, struct sk_buff *skb) + { + local_bh_disable(); + +@@ -1443,7 +1443,7 @@ static void ppp_xmit_process(struct ppp + goto err; + + (*this_cpu_ptr(ppp->xmit_recursion))++; +- __ppp_xmit_process(ppp); ++ __ppp_xmit_process(ppp, skb); + (*this_cpu_ptr(ppp->xmit_recursion))--; + + local_bh_enable(); +@@ -1453,6 +1453,8 @@ static void ppp_xmit_process(struct ppp + err: + local_bh_enable(); + ++ kfree_skb(skb); ++ + if (net_ratelimit()) + netdev_err(ppp->dev, "recursion detected\n"); + } +@@ -1937,7 +1939,7 @@ static void __ppp_channel_push(struct ch + if (skb_queue_empty(&pch->file.xq)) { + ppp = pch->ppp; + if (ppp) +- __ppp_xmit_process(ppp); ++ __ppp_xmit_process(ppp, NULL); + } + } + diff --git a/patches.suse/ppp-prevent-unregistered-channels-from-connecting-to.patch b/patches.suse/ppp-prevent-unregistered-channels-from-connecting-to.patch new file mode 100644 index 0000000000..a77f465824 --- /dev/null +++ b/patches.suse/ppp-prevent-unregistered-channels-from-connecting-to.patch @@ -0,0 +1,57 @@ +From: Guillaume Nault <g.nault@alphalink.fr> +Date: Fri, 2 Mar 2018 18:41:16 +0100 +Subject: ppp: prevent unregistered channels from connecting to PPP units +Git-commit: 77f840e3e5f09c6d7d727e85e6e08276dd813d11 +Patch-mainline: v4.16-rc5 +References: networking-stable-18_03_07 + +PPP units don't hold any reference on the channels connected to it. +It is the channel's responsibility to ensure that it disconnects from +its unit before being destroyed. +In practice, this is ensured by ppp_unregister_channel() disconnecting +the channel from the unit before dropping a reference on the channel. + +However, it is possible for an unregistered channel to connect to a PPP +unit: register a channel with ppp_register_net_channel(), attach a +/dev/ppp file to it with ioctl(PPPIOCATTCHAN), unregister the channel +with ppp_unregister_channel() and finally connect the /dev/ppp file to +a PPP unit with ioctl(PPPIOCCONNECT). + +Once in this situation, the channel is only held by the /dev/ppp file, +which can be released at anytime and free the channel without letting +the parent PPP unit know. Then the ppp structure ends up with dangling +pointers in its ->channels list. + +Prevent this scenario by forbidding unregistered channels from +connecting to PPP units. This maintains the code logic by keeping +ppp_unregister_channel() responsible from disconnecting the channel if +necessary and avoids modification on the reference counting mechanism. + +This issue seems to predate git history (successfully reproduced on +Linux 2.6.26 and earlier PPP commits are unrelated). + +Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/ppp/ppp_generic.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/net/ppp/ppp_generic.c ++++ b/drivers/net/ppp/ppp_generic.c +@@ -3156,6 +3156,15 @@ ppp_connect_channel(struct channel *pch, + goto outl; + + ppp_lock(ppp); ++ spin_lock_bh(&pch->downl); ++ if (!pch->chan) { ++ /* Don't connect unregistered channels */ ++ spin_unlock_bh(&pch->downl); ++ ppp_unlock(ppp); ++ ret = -ENOTCONN; ++ goto outl; ++ } ++ spin_unlock_bh(&pch->downl); + if (pch->file.hdrlen > ppp->file.hdrlen) + ppp->file.hdrlen = pch->file.hdrlen; + hdrlen = pch->file.hdrlen + 2; /* for protocol bytes */ diff --git a/patches.suse/ppp-unlock-all_ppp_mutex-before-registering-device.patch b/patches.suse/ppp-unlock-all_ppp_mutex-before-registering-device.patch new file mode 100644 index 0000000000..72193d7cde --- /dev/null +++ b/patches.suse/ppp-unlock-all_ppp_mutex-before-registering-device.patch @@ -0,0 +1,55 @@ +From: Guillaume Nault <g.nault@alphalink.fr> +Date: Wed, 10 Jan 2018 16:24:45 +0100 +Subject: ppp: unlock all_ppp_mutex before registering device +Git-commit: 0171c41835591e9aa2e384b703ef9a6ae367c610 +Patch-mainline: v4.15-rc9 +References: networking-stable-18_01_28 + +ppp_dev_uninit(), which is the .ndo_uninit() handler of PPP devices, +needs to lock pn->all_ppp_mutex. Therefore we mustn't call +register_netdevice() with pn->all_ppp_mutex already locked, or we'd +deadlock in case register_netdevice() fails and calls .ndo_uninit(). + +Fortunately, we can unlock pn->all_ppp_mutex before calling +register_netdevice(). This lock protects pn->units_idr, which isn't +used in the device registration process. + +However, keeping pn->all_ppp_mutex locked during device registration +did ensure that no device in transient state would be published in +pn->units_idr. In practice, unlocking it before calling +register_netdevice() doesn't change this property: ppp_unit_register() +is called with 'ppp_mutex' locked and all searches done in +pn->units_idr hold this lock too. + +Fixes: 8cb775bc0a34 ("ppp: fix device unregistration upon netns deletion") +Reported-and-tested-by: syzbot+367889b9c9e279219175@syzkaller.appspotmail.com +Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/ppp/ppp_generic.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/net/ppp/ppp_generic.c ++++ b/drivers/net/ppp/ppp_generic.c +@@ -1002,17 +1002,18 @@ static int ppp_unit_register(struct ppp + if (!ifname_is_set) + snprintf(ppp->dev->name, IFNAMSIZ, "ppp%i", ppp->file.index); + ++ mutex_unlock(&pn->all_ppp_mutex); ++ + ret = register_netdevice(ppp->dev); + if (ret < 0) + goto err_unit; + + atomic_inc(&ppp_unit_count); + +- mutex_unlock(&pn->all_ppp_mutex); +- + return 0; + + err_unit: ++ mutex_lock(&pn->all_ppp_mutex); + unit_put(&pn->units_idr, ppp->file.index); + err: + mutex_unlock(&pn->all_ppp_mutex); diff --git a/patches.suse/pppoe-take-needed_headroom-of-lower-device-into-acco.patch b/patches.suse/pppoe-take-needed_headroom-of-lower-device-into-acco.patch new file mode 100644 index 0000000000..34096468a3 --- /dev/null +++ b/patches.suse/pppoe-take-needed_headroom-of-lower-device-into-acco.patch @@ -0,0 +1,123 @@ +From: Guillaume Nault <g.nault@alphalink.fr> +Date: Mon, 22 Jan 2018 18:06:37 +0100 +Subject: pppoe: take ->needed_headroom of lower device into account on xmit +Git-commit: 02612bb05e51df8489db5e94d0cf8d1c81f87b0c +Patch-mainline: v4.15 +References: networking-stable-18_01_28 + +In pppoe_sendmsg(), reserving dev->hard_header_len bytes of headroom +was probably fine before the introduction of ->needed_headroom in +commit f5184d267c1a ("net: Allow netdevices to specify needed head/tailroom"). + +But now, virtual devices typically advertise the size of their overhead +in dev->needed_headroom, so we must also take it into account in +skb_reserve(). +Allocation size of skb is also updated to take dev->needed_tailroom +into account and replace the arbitrary 32 bytes with the real size of +a PPPoE header. + +This issue was discovered by syzbot, who connected a pppoe socket to a +gre device which had dev->header_ops->create == ipgre_header and +dev->hard_header_len == 0. Therefore, PPPoE didn't reserve any +headroom, and dev_hard_header() crashed when ipgre_header() tried to +prepend its header to skb->data. + +skbuff: skb_under_panic: text:000000001d390b3a len:31 put:24 +head:00000000d8ed776f data:000000008150e823 tail:0x7 end:0xc0 dev:gre0 +------------[ cut here ]------------ +kernel BUG at net/core/skbuff.c:104! +invalid opcode: 0000 [#1] SMP KASAN +Dumping ftrace buffer: + (ftrace buffer empty) +Modules linked in: +CPU: 1 PID: 3670 Comm: syzkaller801466 Not tainted +4.15.0-rc7-next-20180115+ #97 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS +Google 01/01/2011 +RIP: 0010:skb_panic+0x162/0x1f0 net/core/skbuff.c:100 +RSP: 0018:ffff8801d9bd7840 EFLAGS: 00010282 +RAX: 0000000000000083 RBX: ffff8801d4f083c0 RCX: 0000000000000000 +RDX: 0000000000000083 RSI: 1ffff1003b37ae92 RDI: ffffed003b37aefc +RBP: ffff8801d9bd78a8 R08: 1ffff1003b37ae8a R09: 0000000000000000 +R10: 0000000000000001 R11: 0000000000000000 R12: ffffffff86200de0 +R13: ffffffff84a981ad R14: 0000000000000018 R15: ffff8801d2d34180 +FS: 00000000019c4880(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00000000208bc000 CR3: 00000001d9111001 CR4: 00000000001606e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + skb_under_panic net/core/skbuff.c:114 [inline] + skb_push+0xce/0xf0 net/core/skbuff.c:1714 + ipgre_header+0x6d/0x4e0 net/ipv4/ip_gre.c:879 + dev_hard_header include/linux/netdevice.h:2723 [inline] + pppoe_sendmsg+0x58e/0x8b0 drivers/net/ppp/pppoe.c:890 + sock_sendmsg_nosec net/socket.c:630 [inline] + sock_sendmsg+0xca/0x110 net/socket.c:640 + sock_write_iter+0x31a/0x5d0 net/socket.c:909 + call_write_iter include/linux/fs.h:1775 [inline] + do_iter_readv_writev+0x525/0x7f0 fs/read_write.c:653 + do_iter_write+0x154/0x540 fs/read_write.c:932 + vfs_writev+0x18a/0x340 fs/read_write.c:977 + do_writev+0xfc/0x2a0 fs/read_write.c:1012 + SYSC_writev fs/read_write.c:1085 [inline] + SyS_writev+0x27/0x30 fs/read_write.c:1082 + entry_SYSCALL_64_fastpath+0x29/0xa0 + +Admittedly PPPoE shouldn't be allowed to run on non Ethernet-like +interfaces, but reserving space for ->needed_headroom is a more +fundamental issue that needs to be addressed first. + +Same problem exists for __pppoe_xmit(), which also needs to take +dev->needed_headroom into account in skb_cow_head(). + +Fixes: f5184d267c1a ("net: Allow netdevices to specify needed head/tailroom") +Reported-by: syzbot+ed0838d0fa4c4f2b528e20286e6dc63effc7c14d@syzkaller.appspotmail.com +Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> +Reviewed-by: Xin Long <lucien.xin@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/ppp/pppoe.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/drivers/net/ppp/pppoe.c ++++ b/drivers/net/ppp/pppoe.c +@@ -842,6 +842,7 @@ static int pppoe_sendmsg(struct socket * + struct pppoe_hdr *ph; + struct net_device *dev; + char *start; ++ int hlen; + + lock_sock(sk); + if (sock_flag(sk, SOCK_DEAD) || !(sk->sk_state & PPPOX_CONNECTED)) { +@@ -860,16 +861,16 @@ static int pppoe_sendmsg(struct socket * + if (total_len > (dev->mtu + dev->hard_header_len)) + goto end; + +- +- skb = sock_wmalloc(sk, total_len + dev->hard_header_len + 32, +- 0, GFP_KERNEL); ++ hlen = LL_RESERVED_SPACE(dev); ++ skb = sock_wmalloc(sk, hlen + sizeof(*ph) + total_len + ++ dev->needed_tailroom, 0, GFP_KERNEL); + if (!skb) { + error = -ENOMEM; + goto end; + } + + /* Reserve space for headers. */ +- skb_reserve(skb, dev->hard_header_len); ++ skb_reserve(skb, hlen); + skb_reset_network_header(skb); + + skb->dev = dev; +@@ -930,7 +931,7 @@ static int __pppoe_xmit(struct sock *sk, + /* Copy the data if there is no space for the header or if it's + * read-only. + */ +- if (skb_cow_head(skb, sizeof(*ph) + dev->hard_header_len)) ++ if (skb_cow_head(skb, LL_RESERVED_SPACE(dev) + sizeof(*ph))) + goto abort; + + __skb_push(skb, sizeof(*ph)); diff --git a/patches.suse/procfs-add-tunable-for-fd-fdinfo-dentry-retention.patch b/patches.suse/procfs-add-tunable-for-fd-fdinfo-dentry-retention.patch new file mode 100644 index 0000000000..4b20e85b7d --- /dev/null +++ b/patches.suse/procfs-add-tunable-for-fd-fdinfo-dentry-retention.patch @@ -0,0 +1,148 @@ +From 723f449add198ece9539cd1693e36a99fc9ec527 Mon Sep 17 00:00:00 2001 +From: Jeff Mahoney <jeffm@suse.com> +Date: Tue, 26 Jun 2018 13:51:20 -0500 +Subject: [PATCH] procfs: add tunable for fd/fdinfo dentry retention +Patch-mainline: Never, should be https://lkml.org/lkml/2018/4/23/1148 +References: bsc#1086652 + + +With a test workload of 4096 threads and 16384 files opened, a simple +find /proc can create about 268 million dentry/inode pairs just to +handle the "fd" and "fdinfo" files. This is due to every thread +in the /proc/tgid/task directory having its own copy of fd and fdinfo. + +On smaller systems, we never have 268M dentry/inode pairs in memory +since memory pressure forces most of them to be dropped. That same +pressure will force writeback and real file system dentries and inodes +to be dropped as well. On large memory systems with many CPU cores, +the full 268M dentry/inode pairs can fit into memory at once and +when a large multithreaded task exits, we can hit soft lockups or +the system can become otherwise unresponsive for minutes at a time. + +The right fix for this is to eliminate all the duplicate entries but +that is a change that needs discussion. For now, we can provide a +workaround that limits the exposure to the largest contingent of +proc files: fd and fdinfo. + +Usually, we'll only drop procfs dentries immediately when the task +has exited. This patch adds a sysctl, procfs-drop-fd-dentries, that +deletes the dentries for fd and fdinfo directories immediately, which +also releases the inodes. The result is that the count never climbs +above a few hundred thousand procfs files and large multithreaded +tasks can exit without causing undue load on the system. + +Signed-off-by: Jeff Mahoney <jeffm@suse.com> +--- + Documentation/sysctl/fs.txt | 36 ++++++++++++++++++++++++++++++++++++ + fs/proc/fd.c | 13 ++++++++++++- + include/linux/proc_fs.h | 2 ++ + kernel/sysctl.c | 9 +++++++++ + 4 files changed, 59 insertions(+), 1 deletion(-) + +diff --git a/Documentation/sysctl/fs.txt b/Documentation/sysctl/fs.txt +index 35e17f748ca7..01274048df7f 100644 +--- a/Documentation/sysctl/fs.txt ++++ b/Documentation/sysctl/fs.txt +@@ -272,6 +272,42 @@ in a mount namespace. + + ============================================================== + ++procfs-drop-fd-dentries: ++ ++* SUSE-specific; This option may be removed in a future release. ++ ++This option controls when the proc files representing a task's ++opene files are removed. It applies to the following directories: ++- /proc/pid/fd ++- /proc/pid/fdinfo ++- /proc/pid/task/*/fd ++- /proc/pid/task/*/fdinfo ++ ++By default, dentries belonging to tasks that are still running ++will be retained and those belonging to exited tasks will be ++dropped immediately. ++ ++This policy ensures that memory is not wasted, but can run into ++scalability issues on very large systems when a task with thousands ++of threads and many open files exits. When many tasks exit ++simultaneously, substantial contention on the global inode spinlock ++may result in suboptimal performance of the system until the inodes ++are released. ++ ++When set to "0" (default), the policy is to retain dentries for running ++tasks and delete dentries from tasks which have exited immediately. Once ++the dentry is released, the inode will be freed immediately. ++ ++When set to "1", the policy is to delete the dentries immediately after ++the last reference is dropped. Once the dentry is released, the inode ++will be freed immediately. This ensures that the thread which created ++the inodes will also clean them up, eliminating much of the lock ++contention. The tradeoff is that frequent use of fd/fdinfo will be ++slower as these files will need to be recreated each time they ++are accessed. ++ ++============================================================== ++ + + 2. /proc/sys/fs/binfmt_misc + ---------------------------------------------------------- +diff --git a/fs/proc/fd.c b/fs/proc/fd.c +index c330495c3115..ffc8bdd63a11 100644 +--- a/fs/proc/fd.c ++++ b/fs/proc/fd.c +@@ -130,9 +130,20 @@ static int tid_fd_revalidate(struct dentry *dentry, unsigned int flags) + return 0; + } + ++int procfs_drop_fd_dentries = 0; ++ ++static int tid_fd_delete_dentry(const struct dentry *dentry) ++{ ++ /* Always delete immediately */ ++ if (procfs_drop_fd_dentries) ++ return 1; ++ ++ return pid_delete_dentry(dentry); ++} ++ + static const struct dentry_operations tid_fd_dentry_operations = { + .d_revalidate = tid_fd_revalidate, +- .d_delete = pid_delete_dentry, ++ .d_delete = tid_fd_delete_dentry, + }; + + static int proc_fd_link(struct dentry *dentry, struct path *path) +diff --git a/include/linux/proc_fs.h b/include/linux/proc_fs.h +index 2d2bf592d9db..44c3687fff5a 100644 +--- a/include/linux/proc_fs.h ++++ b/include/linux/proc_fs.h +@@ -88,4 +88,6 @@ struct ns_common; + int open_related_ns(struct ns_common *ns, + struct ns_common *(*get_ns)(struct ns_common *ns)); + ++extern int procfs_drop_fd_dentries; ++ + #endif /* _LINUX_PROC_FS_H */ +diff --git a/kernel/sysctl.c b/kernel/sysctl.c +index 1cd2d943b9b5..98caf74882ac 100644 +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -1864,6 +1864,15 @@ static struct ctl_table fs_table[] = { + .proc_handler = proc_dointvec_minmax, + .extra1 = &one, + }, ++ { ++ .procname = "procfs-drop-fd-dentries", ++ .data = &procfs_drop_fd_dentries, ++ .maxlen = sizeof(int), ++ .mode = 0644, ++ .proc_handler = proc_dointvec_minmax, ++ .extra1 = &zero, ++ .extra2 = &one, ++ }, + { } + }; + +-- +2.16.4 + diff --git a/patches.suse/qmi_wwan-Add-support-for-Quectel-EP06.patch b/patches.suse/qmi_wwan-Add-support-for-Quectel-EP06.patch new file mode 100644 index 0000000000..e947ec2896 --- /dev/null +++ b/patches.suse/qmi_wwan-Add-support-for-Quectel-EP06.patch @@ -0,0 +1,31 @@ +From: Kristian Evensen <kristian.evensen@gmail.com> +Date: Tue, 30 Jan 2018 14:12:55 +0100 +Subject: qmi_wwan: Add support for Quectel EP06 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Git-commit: c0b91a56a2e57a5a370655b25d677ae0ebf8a2d0 +Patch-mainline: v4.16-rc1 +References: networking-stable-18_02_06 + +The Quectel EP06 is a Cat. 6 LTE modem. It uses the same interface as +the EC20/EC25 for QMI, and requires the same "set DTR"-quirk to work. + +Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com> +Acked-by: Bjørn Mork <bjorn@mork.no> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -1245,6 +1245,7 @@ static const struct usb_device_id produc + {QMI_QUIRK_SET_DTR(0x2c7c, 0x0125, 4)}, /* Quectel EC25, EC20 R2.0 Mini PCIe */ + {QMI_QUIRK_SET_DTR(0x2c7c, 0x0121, 4)}, /* Quectel EC21 Mini PCIe */ + {QMI_FIXED_INTF(0x2c7c, 0x0296, 4)}, /* Quectel BG96 */ ++ {QMI_QUIRK_SET_DTR(0x2c7c, 0x0306, 4)}, /* Quectel EP06 Mini PCIe */ + + /* 4. Gobi 1000 devices */ + {QMI_GOBI1K_DEVICE(0x05c6, 0x9212)}, /* Acer Gobi Modem Device */ diff --git a/patches.suse/rocker-fix-possible-null-pointer-dereference-in-rock.patch b/patches.suse/rocker-fix-possible-null-pointer-dereference-in-rock.patch new file mode 100644 index 0000000000..e3336d7f9c --- /dev/null +++ b/patches.suse/rocker-fix-possible-null-pointer-dereference-in-rock.patch @@ -0,0 +1,74 @@ +From: Jiri Pirko <jiri@mellanox.com> +Date: Thu, 1 Feb 2018 12:21:15 +0100 +Subject: rocker: fix possible null pointer dereference in + rocker_router_fib_event_work +Git-commit: a83165f00f16c0e0ef5b7cec3cbd0d4788699265 +Patch-mainline: v4.16-rc1 +References: networking-stable-18_02_06 + +Currently, rocker user may experience following null pointer +derefence bug: + +[ 3.062141] BUG: unable to handle kernel NULL pointer dereference at 00000000000000d0 +[ 3.065163] IP: rocker_router_fib_event_work+0x36/0x110 [rocker] + +The problem is uninitialized rocker->wops pointer that is initialized +only with the first initialized port. So move the port initialization +before registering the fib events. + +Fixes: 936bd486564a ("rocker: use FIB notifications instead of switchdev calls") +Signed-off-by: Jiri Pirko <jiri@mellanox.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/ethernet/rocker/rocker_main.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- a/drivers/net/ethernet/rocker/rocker_main.c ++++ b/drivers/net/ethernet/rocker/rocker_main.c +@@ -2826,6 +2826,12 @@ static int rocker_probe(struct pci_dev * + goto err_alloc_ordered_workqueue; + } + ++ err = rocker_probe_ports(rocker); ++ if (err) { ++ dev_err(&pdev->dev, "failed to probe ports\n"); ++ goto err_probe_ports; ++ } ++ + /* Only FIBs pointing to our own netdevs are programmed into + * the device, so no need to pass a callback. + */ +@@ -2836,20 +2842,14 @@ static int rocker_probe(struct pci_dev * + + rocker->hw.id = rocker_read64(rocker, SWITCH_ID); + +- err = rocker_probe_ports(rocker); +- if (err) { +- dev_err(&pdev->dev, "failed to probe ports\n"); +- goto err_probe_ports; +- } +- + dev_info(&pdev->dev, "Rocker switch with id %*phN\n", + (int)sizeof(rocker->hw.id), &rocker->hw.id); + + return 0; + +-err_probe_ports: +- unregister_fib_notifier(&rocker->fib_nb); + err_register_fib_notifier: ++ rocker_remove_ports(rocker); ++err_probe_ports: + destroy_workqueue(rocker->rocker_owq); + err_alloc_ordered_workqueue: + free_irq(rocker_msix_vector(rocker, ROCKER_MSIX_VEC_EVENT), rocker); +@@ -2877,8 +2877,8 @@ static void rocker_remove(struct pci_dev + { + struct rocker *rocker = pci_get_drvdata(pdev); + +- rocker_remove_ports(rocker); + unregister_fib_notifier(&rocker->fib_nb); ++ rocker_remove_ports(rocker); + rocker_write32(rocker, CONTROL, ROCKER_CONTROL_RESET); + destroy_workqueue(rocker->rocker_owq); + free_irq(rocker_msix_vector(rocker, ROCKER_MSIX_VEC_EVENT), rocker); diff --git a/patches.suse/rxrpc-Fix-send-in-rxrpc_send_data_packet.patch b/patches.suse/rxrpc-Fix-send-in-rxrpc_send_data_packet.patch new file mode 100644 index 0000000000..c88ea22bd6 --- /dev/null +++ b/patches.suse/rxrpc-Fix-send-in-rxrpc_send_data_packet.patch @@ -0,0 +1,34 @@ +From: David Howells <dhowells@redhat.com> +Date: Thu, 22 Feb 2018 14:38:14 +0000 +Subject: rxrpc: Fix send in rxrpc_send_data_packet() +Git-commit: 93c62c45ed5fad1b87e3a45835b251cd68de9c46 +Patch-mainline: v4.16-rc3 +References: networking-stable-18_03_07 + +All the kernel_sendmsg() calls in rxrpc_send_data_packet() need to send +both parts of the iov[] buffer, but one of them does not. Fix it so that +it does. + +Without this, short IPv6 rxrpc DATA packets may be seen that have the rxrpc +header included, but no payload. + +Fixes: 5a924b8951f8 ("rxrpc: Don't store the rxrpc header in the Tx queue sk_buffs") +Reported-by: Marc Dionne <marc.dionne@auristor.com> +Signed-off-by: David Howells <dhowells@redhat.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/rxrpc/output.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/rxrpc/output.c ++++ b/net/rxrpc/output.c +@@ -391,7 +391,7 @@ send_fragmentable: + (char *)&opt, sizeof(opt)); + if (ret == 0) { + ret = kernel_sendmsg(conn->params.local->socket, &msg, +- iov, 1, iov[0].iov_len); ++ iov, 2, len); + + opt = IPV6_PMTUDISC_DO; + kernel_setsockopt(conn->params.local->socket, diff --git a/patches.suse/s390-qeth-fix-IPA-command-submission-race.patch b/patches.suse/s390-qeth-fix-IPA-command-submission-race.patch new file mode 100644 index 0000000000..030fc354f6 --- /dev/null +++ b/patches.suse/s390-qeth-fix-IPA-command-submission-race.patch @@ -0,0 +1,81 @@ +From: Julian Wiedmann <jwi@linux.vnet.ibm.com> +Date: Tue, 27 Feb 2018 18:58:17 +0100 +Subject: s390/qeth: fix IPA command submission race +Git-commit: d22ffb5a712f9211ffd104c38fc17cbfb1b5e2b0 +Patch-mainline: v4.16-rc5 +References: networking-stable-18_03_07 + +If multiple IPA commands are build & sent out concurrently, +fill_ipacmd_header() may assign a seqno value to a command that's +different from what send_control_data() later assigns to this command's +reply. +This is due to other commands passing through send_control_data(), +and incrementing card->seqno.ipa along the way. + +So one IPA command has no reply that's waiting for its seqno, while some +other IPA command has multiple reply objects waiting for it. +Only one of those waiting replies wins, and the other(s) times out and +triggers a recovery via send_ipa_cmd(). + +Fix this by making sure that the same seqno value is assigned to +a command and its reply object. +Do so immediately before submitting the command & while holding the +irq_pending "lock", to produce nicely ascending seqnos. + +As a side effect, *all* IPA commands now use a reply object that's +waiting for its actual seqno. Previously, early IPA commands that were +submitted while the card was still DOWN used the "catch-all" IDX seqno. + +Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/s390/net/qeth_core_main.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +--- a/drivers/s390/net/qeth_core_main.c ++++ b/drivers/s390/net/qeth_core_main.c +@@ -2087,25 +2087,26 @@ int qeth_send_control_data(struct qeth_c + } + reply->callback = reply_cb; + reply->param = reply_param; +- if (card->state == CARD_STATE_DOWN) +- reply->seqno = QETH_IDX_COMMAND_SEQNO; +- else +- reply->seqno = card->seqno.ipa++; ++ + init_waitqueue_head(&reply->wait_q); +- spin_lock_irqsave(&card->lock, flags); +- list_add_tail(&reply->list, &card->cmd_waiter_list); +- spin_unlock_irqrestore(&card->lock, flags); + QETH_DBF_HEX(CTRL, 2, iob->data, QETH_DBF_CTRL_LEN); + + while (atomic_cmpxchg(&card->write.irq_pending, 0, 1)) ; +- qeth_prepare_control_data(card, len, iob); + + if (IS_IPA(iob->data)) { + cmd = __ipa_cmd(iob); ++ cmd->hdr.seqno = card->seqno.ipa++; ++ reply->seqno = cmd->hdr.seqno; + event_timeout = QETH_IPA_TIMEOUT; + } else { ++ reply->seqno = QETH_IDX_COMMAND_SEQNO; + event_timeout = QETH_TIMEOUT; + } ++ qeth_prepare_control_data(card, len, iob); ++ ++ spin_lock_irqsave(&card->lock, flags); ++ list_add_tail(&reply->list, &card->cmd_waiter_list); ++ spin_unlock_irqrestore(&card->lock, flags); + + timeout = jiffies + event_timeout; + +@@ -2896,7 +2897,7 @@ static void qeth_fill_ipacmd_header(stru + memset(cmd, 0, sizeof(struct qeth_ipa_cmd)); + cmd->hdr.command = command; + cmd->hdr.initiator = IPA_CMD_INITIATOR_HOST; +- cmd->hdr.seqno = card->seqno.ipa; ++ /* cmd->hdr.seqno is set by qeth_send_control_data() */ + cmd->hdr.adapter_type = qeth_get_ipa_adp_type(card->info.link_type); + cmd->hdr.rel_adapter_no = (__u8) card->info.portno; + if (card->options.layer2) diff --git a/patches.suse/s390-qeth-fix-overestimated-count-of-buffer-elements.patch b/patches.suse/s390-qeth-fix-overestimated-count-of-buffer-elements.patch new file mode 100644 index 0000000000..2d2a805463 --- /dev/null +++ b/patches.suse/s390-qeth-fix-overestimated-count-of-buffer-elements.patch @@ -0,0 +1,71 @@ +From: Julian Wiedmann <jwi@linux.vnet.ibm.com> +Date: Tue, 27 Feb 2018 18:58:12 +0100 +Subject: s390/qeth: fix overestimated count of buffer elements +Git-commit: 12472af89632beb1ed8dea29d4efe208ca05b06a +Patch-mainline: v4.16-rc5 +References: networking-stable-18_03_07 + +qeth_get_elements_for_range() doesn't know how to handle a 0-length +range (ie. start == end), and returns 1 when it should return 0. +Such ranges occur on TSO skbs, where the L2/L3/L4 headers (and thus all +of the skb's linear data) are skipped when mapping the skb into regular +buffer elements. + +This overestimation may cause several performance-related issues: +1. sub-optimal IO buffer selection, where the next buffer gets selected + even though the skb would actually still fit into the current buffer. +2. forced linearization, if the element count for a non-linear skb + exceeds QETH_MAX_BUFFER_ELEMENTS. + +Rather than modifying qeth_get_elements_for_range() and adding overhead +to every caller, fix up those callers that are in risk of passing a +0-length range. + +Fixes: 2863c61334aa ("qeth: refactor calculation of SBALE count") +Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/s390/net/qeth_core_main.c | 10 ++++++---- + drivers/s390/net/qeth_l3_main.c | 11 ++++++----- + 2 files changed, 12 insertions(+), 9 deletions(-) + +--- a/drivers/s390/net/qeth_core_main.c ++++ b/drivers/s390/net/qeth_core_main.c +@@ -3861,10 +3861,12 @@ EXPORT_SYMBOL_GPL(qeth_get_elements_for_ + int qeth_get_elements_no(struct qeth_card *card, + struct sk_buff *skb, int extra_elems, int data_offset) + { +- int elements = qeth_get_elements_for_range( +- (addr_t)skb->data + data_offset, +- (addr_t)skb->data + skb_headlen(skb)) + +- qeth_get_elements_for_frags(skb); ++ addr_t end = (addr_t)skb->data + skb_headlen(skb); ++ int elements = qeth_get_elements_for_frags(skb); ++ addr_t start = (addr_t)skb->data + data_offset; ++ ++ if (start != end) ++ elements += qeth_get_elements_for_range(start, end); + + if ((elements + extra_elems) > QETH_MAX_BUFFER_ELEMENTS(card)) { + QETH_DBF_MESSAGE(2, "Invalid size of IP packet " +--- a/drivers/s390/net/qeth_l3_main.c ++++ b/drivers/s390/net/qeth_l3_main.c +@@ -2641,11 +2641,12 @@ static void qeth_tso_fill_header(struct + static int qeth_l3_get_elements_no_tso(struct qeth_card *card, + struct sk_buff *skb, int extra_elems) + { +- addr_t tcpdptr = (addr_t)tcp_hdr(skb) + tcp_hdrlen(skb); +- int elements = qeth_get_elements_for_range( +- tcpdptr, +- (addr_t)skb->data + skb_headlen(skb)) + +- qeth_get_elements_for_frags(skb); ++ addr_t start = (addr_t)tcp_hdr(skb) + tcp_hdrlen(skb); ++ addr_t end = (addr_t)skb->data + skb_headlen(skb); ++ int elements = qeth_get_elements_for_frags(skb); ++ ++ if (start != end) ++ elements += qeth_get_elements_for_range(start, end); + + if ((elements + extra_elems) > QETH_MAX_BUFFER_ELEMENTS(card)) { + QETH_DBF_MESSAGE(2, diff --git a/patches.suse/s390-qeth-free-netdevice-when-removing-a-card.patch b/patches.suse/s390-qeth-free-netdevice-when-removing-a-card.patch new file mode 100644 index 0000000000..4e6b7d446d --- /dev/null +++ b/patches.suse/s390-qeth-free-netdevice-when-removing-a-card.patch @@ -0,0 +1,70 @@ +From: Julian Wiedmann <jwi@linux.vnet.ibm.com> +Date: Tue, 20 Mar 2018 07:59:12 +0100 +Subject: s390/qeth: free netdevice when removing a card +Git-commit: 6be687395b3124f002a653c1a50b3260222b3cd7 +Patch-mainline: v4.16-rc7 +References: networking-stable-18_03_28 + +On removal, a qeth card's netdevice is currently not properly freed +because the call chain looks as follows: + +qeth_core_remove_device(card) + lx_remove_device(card) + unregister_netdev(card->dev) + card->dev = NULL !!! + qeth_core_free_card(card) + if (card->dev) !!! + free_netdev(card->dev) + +Fix it by free'ing the netdev straight after unregistering. This also +fixes the sysfs-driven layer switch case (qeth_dev_layer2_store()), +where the need to free the current netdevice was not considered at all. + +Note that free_netdev() takes care of the netif_napi_del() for us too. + +Fixes: 4a71df50047f ("qeth: new qeth device driver") +Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com> +Reviewed-by: Ursula Braun <ubraun@linux.vnet.ibm.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/s390/net/qeth_core_main.c | 2 -- + drivers/s390/net/qeth_l2_main.c | 2 +- + drivers/s390/net/qeth_l3_main.c | 2 +- + 3 files changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/s390/net/qeth_core_main.c ++++ b/drivers/s390/net/qeth_core_main.c +@@ -5061,8 +5061,6 @@ static void qeth_core_free_card(struct q + QETH_DBF_HEX(SETUP, 2, &card, sizeof(void *)); + qeth_clean_channel(&card->read); + qeth_clean_channel(&card->write); +- if (card->dev) +- free_netdev(card->dev); + qeth_free_qdio_buffers(card); + unregister_service_level(&card->qeth_service_level); + kfree(card); +--- a/drivers/s390/net/qeth_l2_main.c ++++ b/drivers/s390/net/qeth_l2_main.c +@@ -963,8 +963,8 @@ static void qeth_l2_remove_device(struct + qeth_l2_set_offline(cgdev); + + if (card->dev) { +- netif_napi_del(&card->napi); + unregister_netdev(card->dev); ++ free_netdev(card->dev); + card->dev = NULL; + } + return; +--- a/drivers/s390/net/qeth_l3_main.c ++++ b/drivers/s390/net/qeth_l3_main.c +@@ -3056,8 +3056,8 @@ static void qeth_l3_remove_device(struct + qeth_l3_set_offline(cgdev); + + if (card->dev) { +- netif_napi_del(&card->napi); + unregister_netdev(card->dev); ++ free_netdev(card->dev); + card->dev = NULL; + } + diff --git a/patches.suse/s390-qeth-lock-read-device-while-queueing-next-buffe.patch b/patches.suse/s390-qeth-lock-read-device-while-queueing-next-buffe.patch new file mode 100644 index 0000000000..b2757e06ee --- /dev/null +++ b/patches.suse/s390-qeth-lock-read-device-while-queueing-next-buffe.patch @@ -0,0 +1,59 @@ +From: Julian Wiedmann <jwi@linux.vnet.ibm.com> +Date: Tue, 20 Mar 2018 07:59:14 +0100 +Subject: s390/qeth: lock read device while queueing next buffer +Git-commit: 17bf8c9b3d499d5168537c98b61eb7a1fcbca6c2 +Patch-mainline: v4.16-rc7 +References: networking-stable-18_03_28 + +For calling ccw_device_start(), issue_next_read() needs to hold the +device's ccwlock. +This is satisfied for the IRQ handler path (where qeth_irq() gets called +under the ccwlock), but we need explicit locking for the initial call by +the MPC initialization. + +Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/s390/net/qeth_core_main.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +--- a/drivers/s390/net/qeth_core_main.c ++++ b/drivers/s390/net/qeth_core_main.c +@@ -526,8 +526,7 @@ static inline int qeth_is_cq(struct qeth + queue == card->qdio.no_in_queues - 1; + } + +- +-static int qeth_issue_next_read(struct qeth_card *card) ++static int __qeth_issue_next_read(struct qeth_card *card) + { + int rc; + struct qeth_cmd_buffer *iob; +@@ -558,6 +557,17 @@ static int qeth_issue_next_read(struct q + return rc; + } + ++static int qeth_issue_next_read(struct qeth_card *card) ++{ ++ int ret; ++ ++ spin_lock_irq(get_ccwdev_lock(CARD_RDEV(card))); ++ ret = __qeth_issue_next_read(card); ++ spin_unlock_irq(get_ccwdev_lock(CARD_RDEV(card))); ++ ++ return ret; ++} ++ + static struct qeth_reply *qeth_alloc_reply(struct qeth_card *card) + { + struct qeth_reply *reply; +@@ -1183,7 +1193,7 @@ static void qeth_irq(struct ccw_device * + return; + if (channel == &card->read && + channel->state == CH_STATE_UP) +- qeth_issue_next_read(card); ++ __qeth_issue_next_read(card); + + iob = channel->iob; + index = channel->buf_no; diff --git a/patches.suse/s390-qeth-when-thread-completes-wake-up-all-waiters.patch b/patches.suse/s390-qeth-when-thread-completes-wake-up-all-waiters.patch new file mode 100644 index 0000000000..e3b1e6adf3 --- /dev/null +++ b/patches.suse/s390-qeth-when-thread-completes-wake-up-all-waiters.patch @@ -0,0 +1,30 @@ +From: Julian Wiedmann <jwi@linux.vnet.ibm.com> +Date: Tue, 20 Mar 2018 07:59:13 +0100 +Subject: s390/qeth: when thread completes, wake up all waiters +Git-commit: 1063e432bb45be209427ed3f1ca3908e4aa3c7d7 +Patch-mainline: v4.16-rc7 +References: networking-stable-18_03_28 + +qeth_wait_for_threads() is potentially called by multiple users, make +sure to notify all of them after qeth_clear_thread_running_bit() +adjusted the thread_running_mask. With no timeout, callers would +otherwise stall. + +Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/s390/net/qeth_core_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/s390/net/qeth_core_main.c ++++ b/drivers/s390/net/qeth_core_main.c +@@ -961,7 +961,7 @@ void qeth_clear_thread_running_bit(struc + spin_lock_irqsave(&card->thread_mask_lock, flags); + card->thread_running_mask &= ~thread; + spin_unlock_irqrestore(&card->thread_mask_lock, flags); +- wake_up(&card->wait_q); ++ wake_up_all(&card->wait_q); + } + EXPORT_SYMBOL_GPL(qeth_clear_thread_running_bit); + diff --git a/patches.suse/sch_netem-fix-skb-leak-in-netem_enqueue.patch b/patches.suse/sch_netem-fix-skb-leak-in-netem_enqueue.patch new file mode 100644 index 0000000000..c4cb565ef1 --- /dev/null +++ b/patches.suse/sch_netem-fix-skb-leak-in-netem_enqueue.patch @@ -0,0 +1,95 @@ +From: Alexey Kodanev <alexey.kodanev@oracle.com> +Date: Mon, 5 Mar 2018 20:52:54 +0300 +Subject: sch_netem: fix skb leak in netem_enqueue() +Git-commit: 35d889d10b649fda66121891ec05eca88150059d +Patch-mainline: v4.16-rc7 +References: networking-stable-18_03_28 + +When we exceed current packets limit and we have more than one +segment in the list returned by skb_gso_segment(), netem drops +only the first one, skipping the rest, hence kmemleak reports: + +unreferenced object 0xffff880b5d23b600 (size 1024): + comm "softirq", pid 0, jiffies 4384527763 (age 2770.629s) + hex dump (first 32 bytes): + 00 80 23 5d 0b 88 ff ff 00 00 00 00 00 00 00 00 ..#]............ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<00000000d8a19b9d>] __alloc_skb+0xc9/0x520 + [<000000001709b32f>] skb_segment+0x8c8/0x3710 + [<00000000c7b9bb88>] tcp_gso_segment+0x331/0x1830 + [<00000000c921cba1>] inet_gso_segment+0x476/0x1370 + [<000000008b762dd4>] skb_mac_gso_segment+0x1f9/0x510 + [<000000002182660a>] __skb_gso_segment+0x1dd/0x620 + [<00000000412651b9>] netem_enqueue+0x1536/0x2590 [sch_netem] + [<0000000005d3b2a9>] __dev_queue_xmit+0x1167/0x2120 + [<00000000fc5f7327>] ip_finish_output2+0x998/0xf00 + [<00000000d309e9d3>] ip_output+0x1aa/0x2c0 + [<000000007ecbd3a4>] tcp_transmit_skb+0x18db/0x3670 + [<0000000042d2a45f>] tcp_write_xmit+0x4d4/0x58c0 + [<0000000056a44199>] tcp_tasklet_func+0x3d9/0x540 + [<0000000013d06d02>] tasklet_action+0x1ca/0x250 + [<00000000fcde0b8b>] __do_softirq+0x1b4/0x5a3 + [<00000000e7ed027c>] irq_exit+0x1e2/0x210 + +Fix it by adding the rest of the segments, if any, to skb 'to_free' +list. Add new __qdisc_drop_all() and qdisc_drop_all() functions +because they can be useful in the future if we need to drop segmented +GSO packets in other places. + +Fixes: 6071bd1aa13e ("netem: Segment GSO packets on enqueue") +Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com> +Acked-by: Neil Horman <nhorman@tuxdriver.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + include/net/sch_generic.h | 19 +++++++++++++++++++ + net/sched/sch_netem.c | 2 +- + 2 files changed, 20 insertions(+), 1 deletion(-) + +--- a/include/net/sch_generic.h ++++ b/include/net/sch_generic.h +@@ -712,6 +712,16 @@ static inline void __qdisc_drop(struct s + *to_free = skb; + } + ++static inline void __qdisc_drop_all(struct sk_buff *skb, ++ struct sk_buff **to_free) ++{ ++ if (skb->prev) ++ skb->prev->next = *to_free; ++ else ++ skb->next = *to_free; ++ *to_free = skb; ++} ++ + static inline unsigned int __qdisc_queue_drop_head(struct Qdisc *sch, + struct qdisc_skb_head *qh, + struct sk_buff **to_free) +@@ -830,6 +840,15 @@ static inline int qdisc_drop(struct sk_b + qdisc_qstats_drop(sch); + + return NET_XMIT_DROP; ++} ++ ++static inline int qdisc_drop_all(struct sk_buff *skb, struct Qdisc *sch, ++ struct sk_buff **to_free) ++{ ++ __qdisc_drop_all(skb, to_free); ++ qdisc_qstats_drop(sch); ++ ++ return NET_XMIT_DROP; + } + + /* Length to Time (L2T) lookup in a qdisc_rate_table, to determine how +--- a/net/sched/sch_netem.c ++++ b/net/sched/sch_netem.c +@@ -513,7 +513,7 @@ static int netem_enqueue(struct sk_buff + } + + if (unlikely(sch->q.qlen >= sch->limit)) +- return qdisc_drop(skb, sch, to_free); ++ return qdisc_drop_all(skb, sch, to_free); + + qdisc_qstats_backlog_inc(sch, skb); + diff --git a/patches.suse/sctp-fix-dst-refcnt-leak-in-sctp_v6_get_dst.patch b/patches.suse/sctp-fix-dst-refcnt-leak-in-sctp_v6_get_dst.patch new file mode 100644 index 0000000000..12ae9611b8 --- /dev/null +++ b/patches.suse/sctp-fix-dst-refcnt-leak-in-sctp_v6_get_dst.patch @@ -0,0 +1,54 @@ +From: Alexey Kodanev <alexey.kodanev@oracle.com> +Date: Mon, 5 Feb 2018 15:10:35 +0300 +Subject: sctp: fix dst refcnt leak in sctp_v6_get_dst() +Git-commit: 957d761cf91cdbb175ad7d8f5472336a4d54dbf2 +Patch-mainline: v4.16-rc1 +References: networking-stable-18_03_07 + +When going through the bind address list in sctp_v6_get_dst() and +the previously found address is better ('matchlen > bmatchlen'), +the code continues to the next iteration without releasing currently +held destination. + +Fix it by releasing 'bdst' before continue to the next iteration, and +instead of introducing one more '!IS_ERR(bdst)' check for dst_release(), +move the already existed one right after ip6_dst_lookup_flow(), i.e. we +shouldn't proceed further if we get an error for the route lookup. + +Fixes: dbc2b5e9a09e ("sctp: fix src address selection if using secondary addresses for ipv6") +Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com> +Acked-by: Neil Horman <nhorman@tuxdriver.com> +Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/sctp/ipv6.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/net/sctp/ipv6.c ++++ b/net/sctp/ipv6.c +@@ -324,8 +324,10 @@ static void sctp_v6_get_dst(struct sctp_ + final_p = fl6_update_dst(fl6, rcu_dereference(np->opt), &final); + bdst = ip6_dst_lookup_flow(sk, fl6, final_p); + +- if (!IS_ERR(bdst) && +- ipv6_chk_addr(dev_net(bdst->dev), ++ if (IS_ERR(bdst)) ++ continue; ++ ++ if (ipv6_chk_addr(dev_net(bdst->dev), + &laddr->a.v6.sin6_addr, bdst->dev, 1)) { + if (!IS_ERR_OR_NULL(dst)) + dst_release(dst); +@@ -334,8 +336,10 @@ static void sctp_v6_get_dst(struct sctp_ + } + + bmatchlen = sctp_v6_addr_match_len(daddr, &laddr->a); +- if (matchlen > bmatchlen) ++ if (matchlen > bmatchlen) { ++ dst_release(bdst); + continue; ++ } + + if (!IS_ERR_OR_NULL(dst)) + dst_release(dst); diff --git a/patches.suse/skbuff-Fix-not-waking-applications-when-errors-are-e.patch b/patches.suse/skbuff-Fix-not-waking-applications-when-errors-are-e.patch new file mode 100644 index 0000000000..90709899ad --- /dev/null +++ b/patches.suse/skbuff-Fix-not-waking-applications-when-errors-are-e.patch @@ -0,0 +1,34 @@ +From: Vinicius Costa Gomes <vinicius.gomes@intel.com> +Date: Wed, 14 Mar 2018 13:32:09 -0700 +Subject: skbuff: Fix not waking applications when errors are enqueued +Git-commit: 6e5d58fdc9bedd0255a8781b258f10bbdc63e975 +Patch-mainline: v4.16-rc7 +References: networking-stable-18_03_28 + +When errors are enqueued to the error queue via sock_queue_err_skb() +function, it is possible that the waiting application is not notified. + +Calling 'sk->sk_data_ready()' would not notify applications that +selected only POLLERR events in poll() (for example). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Randy E. Witt <randy.e.witt@intel.com> +Reviewed-by: Eric Dumazet <edumazet@google.com> +Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/core/skbuff.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -3754,7 +3754,7 @@ int sock_queue_err_skb(struct sock *sk, + + skb_queue_tail(&sk->sk_error_queue, skb); + if (!sock_flag(sk, SOCK_DEAD)) +- sk->sk_data_ready(sk); ++ sk->sk_error_report(sk); + return 0; + } + EXPORT_SYMBOL(sock_queue_err_skb); diff --git a/patches.suse/soc-fsl-qbman-fix-issue-in-qman_delete_cgr_safe.patch b/patches.suse/soc-fsl-qbman-fix-issue-in-qman_delete_cgr_safe.patch new file mode 100644 index 0000000000..0ca50302a0 --- /dev/null +++ b/patches.suse/soc-fsl-qbman-fix-issue-in-qman_delete_cgr_safe.patch @@ -0,0 +1,66 @@ +From: Madalin Bucur <madalin.bucur@nxp.com> +Date: Wed, 14 Mar 2018 08:37:28 -0500 +Subject: soc/fsl/qbman: fix issue in qman_delete_cgr_safe() +Git-commit: 96f413f47677366e0ae03797409bfcc4151dbf9e +Patch-mainline: v4.16-rc7 +References: networking-stable-18_03_28 + +The wait_for_completion() call in qman_delete_cgr_safe() +was triggering a scheduling while atomic bug, replacing the +kthread with a smp_call_function_single() call to fix it. + +Signed-off-by: Madalin Bucur <madalin.bucur@nxp.com> +Signed-off-by: Roy Pledge <roy.pledge@nxp.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/soc/fsl/qbman/qman.c | 28 +++++----------------------- + 1 file changed, 5 insertions(+), 23 deletions(-) + +--- a/drivers/soc/fsl/qbman/qman.c ++++ b/drivers/soc/fsl/qbman/qman.c +@@ -2414,39 +2414,21 @@ struct cgr_comp { + struct completion completion; + }; + +-static int qman_delete_cgr_thread(void *p) ++static void qman_delete_cgr_smp_call(void *p) + { +- struct cgr_comp *cgr_comp = (struct cgr_comp *)p; +- int ret; +- +- ret = qman_delete_cgr(cgr_comp->cgr); +- complete(&cgr_comp->completion); +- +- return ret; ++ qman_delete_cgr((struct qman_cgr *)p); + } + + void qman_delete_cgr_safe(struct qman_cgr *cgr) + { +- struct task_struct *thread; +- struct cgr_comp cgr_comp; +- + preempt_disable(); + if (qman_cgr_cpus[cgr->cgrid] != smp_processor_id()) { +- init_completion(&cgr_comp.completion); +- cgr_comp.cgr = cgr; +- thread = kthread_create(qman_delete_cgr_thread, &cgr_comp, +- "cgr_del"); +- +- if (IS_ERR(thread)) +- goto out; +- +- kthread_bind(thread, qman_cgr_cpus[cgr->cgrid]); +- wake_up_process(thread); +- wait_for_completion(&cgr_comp.completion); ++ smp_call_function_single(qman_cgr_cpus[cgr->cgrid], ++ qman_delete_cgr_smp_call, cgr, true); + preempt_enable(); + return; + } +-out: ++ + qman_delete_cgr(cgr); + preempt_enable(); + } diff --git a/patches.suse/soreuseport-fix-mem-leak-in-reuseport_add_sock.patch b/patches.suse/soreuseport-fix-mem-leak-in-reuseport_add_sock.patch new file mode 100644 index 0000000000..82342d31f7 --- /dev/null +++ b/patches.suse/soreuseport-fix-mem-leak-in-reuseport_add_sock.patch @@ -0,0 +1,121 @@ +From: Eric Dumazet <edumazet@google.com> +Date: Fri, 2 Feb 2018 10:27:27 -0800 +Subject: soreuseport: fix mem leak in reuseport_add_sock() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Git-commit: 4db428a7c9ab07e08783e0fcdc4ca0f555da0567 +Patch-mainline: v4.16-rc1 +References: networking-stable-18_02_06 + +reuseport_add_sock() needs to deal with attaching a socket having +its own sk_reuseport_cb, after a prior +setsockopt(SO_ATTACH_REUSEPORT_?BPF) + +Without this fix, not only a WARN_ONCE() was issued, but we were also +leaking memory. + +Thanks to sysbot and Eric Biggers for providing us nice C repros. + +------------[ cut here ]------------ +socket already in reuseport group +WARNING: CPU: 0 PID: 3496 at net/core/sock_reuseport.c:119 +reuseport_add_sock+0x742/0x9b0 net/core/sock_reuseport.c:117 +Kernel panic - not syncing: panic_on_warn set ... + +CPU: 0 PID: 3496 Comm: syzkaller869503 Not tainted 4.15.0-rc6+ #245 +Hardware name: Google Google Compute Engine/Google Compute Engine, +BIOS +Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:17 [inline] + dump_stack+0x194/0x257 lib/dump_stack.c:53 + panic+0x1e4/0x41c kernel/panic.c:183 + __warn+0x1dc/0x200 kernel/panic.c:547 + report_bug+0x211/0x2d0 lib/bug.c:184 + fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178 + fixup_bug arch/x86/kernel/traps.c:247 [inline] + do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296 + do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315 + invalid_op+0x22/0x40 arch/x86/entry/entry_64.S:1079 + +Fixes: ef456144da8e ("soreuseport: define reuseport groups") +Signed-off-by: Eric Dumazet <edumazet@google.com> +Reported-by: syzbot+c0ea2226f77a42936bf7@syzkaller.appspotmail.com +Acked-by: Craig Gallek <kraig@google.com> + +Signed-off-by: David S. Miller <davem@davemloft.net> + +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/core/sock_reuseport.c | 35 ++++++++++++++++++++--------------- + 1 file changed, 20 insertions(+), 15 deletions(-) + +--- a/net/core/sock_reuseport.c ++++ b/net/core/sock_reuseport.c +@@ -93,6 +93,16 @@ static struct sock_reuseport *reuseport_ + return more_reuse; + } + ++static void reuseport_free_rcu(struct rcu_head *head) ++{ ++ struct sock_reuseport *reuse; ++ ++ reuse = container_of(head, struct sock_reuseport, rcu); ++ if (reuse->prog) ++ bpf_prog_destroy(reuse->prog); ++ kfree(reuse); ++} ++ + /** + * reuseport_add_sock - Add a socket to the reuseport group of another. + * @sk: New socket to add to the group. +@@ -101,7 +111,7 @@ static struct sock_reuseport *reuseport_ + */ + int reuseport_add_sock(struct sock *sk, struct sock *sk2) + { +- struct sock_reuseport *reuse; ++ struct sock_reuseport *old_reuse, *reuse; + + if (!rcu_access_pointer(sk2->sk_reuseport_cb)) { + int err = reuseport_alloc(sk2); +@@ -112,10 +122,13 @@ int reuseport_add_sock(struct sock *sk, + + spin_lock_bh(&reuseport_lock); + reuse = rcu_dereference_protected(sk2->sk_reuseport_cb, +- lockdep_is_held(&reuseport_lock)), +- WARN_ONCE(rcu_dereference_protected(sk->sk_reuseport_cb, +- lockdep_is_held(&reuseport_lock)), +- "socket already in reuseport group"); ++ lockdep_is_held(&reuseport_lock)); ++ old_reuse = rcu_dereference_protected(sk->sk_reuseport_cb, ++ lockdep_is_held(&reuseport_lock)); ++ if (old_reuse && old_reuse->num_socks != 1) { ++ spin_unlock_bh(&reuseport_lock); ++ return -EBUSY; ++ } + + if (reuse->num_socks == reuse->max_socks) { + reuse = reuseport_grow(reuse); +@@ -133,19 +146,11 @@ int reuseport_add_sock(struct sock *sk, + + spin_unlock_bh(&reuseport_lock); + ++ if (old_reuse) ++ call_rcu(&old_reuse->rcu, reuseport_free_rcu); + return 0; + } + +-static void reuseport_free_rcu(struct rcu_head *head) +-{ +- struct sock_reuseport *reuse; +- +- reuse = container_of(head, struct sock_reuseport, rcu); +- if (reuse->prog) +- bpf_prog_destroy(reuse->prog); +- kfree(reuse); +-} +- + void reuseport_detach_sock(struct sock *sk) + { + struct sock_reuseport *reuse; diff --git a/patches.suse/tcp-release-sk_frag.page-in-tcp_disconnect.patch b/patches.suse/tcp-release-sk_frag.page-in-tcp_disconnect.patch new file mode 100644 index 0000000000..23cf6fc34b --- /dev/null +++ b/patches.suse/tcp-release-sk_frag.page-in-tcp_disconnect.patch @@ -0,0 +1,35 @@ +From: Li RongQing <lirongqing@baidu.com> +Date: Fri, 26 Jan 2018 16:40:41 +0800 +Subject: tcp: release sk_frag.page in tcp_disconnect +Git-commit: 9b42d55a66d388e4dd5550107df051a9637564fc +Patch-mainline: v4.16-rc1 +References: networking-stable-18_02_06 + +socket can be disconnected and gets transformed back to a listening +socket, if sk_frag.page is not released, which will be cloned into +a new socket by sk_clone_lock, but the reference count of this page +is increased, lead to a use after free or double free issue + +Signed-off-by: Li RongQing <lirongqing@baidu.com> +Cc: Eric Dumazet <edumazet@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/ipv4/tcp.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -2239,6 +2239,12 @@ int tcp_disconnect(struct sock *sk, int + + WARN_ON(inet->inet_num && !icsk->icsk_bind_hash); + ++ if (sk->sk_frag.page) { ++ put_page(sk->sk_frag.page); ++ sk->sk_frag.page = NULL; ++ sk->sk_frag.offset = 0; ++ } ++ + sk->sk_error_report(sk); + return err; + } diff --git a/patches.suse/tcp-revert-F-RTO-extension-to-detect-more-spurious-t.patch b/patches.suse/tcp-revert-F-RTO-extension-to-detect-more-spurious-t.patch new file mode 100644 index 0000000000..dd95705423 --- /dev/null +++ b/patches.suse/tcp-revert-F-RTO-extension-to-detect-more-spurious-t.patch @@ -0,0 +1,81 @@ +From: Yuchung Cheng <ycheng@google.com> +Date: Tue, 27 Feb 2018 14:15:02 -0800 +Subject: tcp: revert F-RTO extension to detect more spurious timeouts +Git-commit: fc68e171d376c322e6777a3d7ac2f0278b68b17f +Patch-mainline: v4.16-rc5 +References: networking-stable-18_03_07 + +This reverts commit 89fe18e44f7ee5ab1c90d0dff5835acee7751427. + +While the patch could detect more spurious timeouts, it could cause +poor TCP performance on broken middle-boxes that modifies TCP packets +(e.g. receive window, SACK options). Since the performance gain is +much smaller compared to the potential loss. The best solution is +to fully revert the change. + +Fixes: 89fe18e44f7e ("tcp: extend F-RTO to catch more spurious timeouts") +Reported-by: Teodor Milkov <tm@del.bg> +Signed-off-by: Yuchung Cheng <ycheng@google.com> +Signed-off-by: Neal Cardwell <ncardwell@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/ipv4/tcp_input.c | 30 ++++++++++++------------------ + 1 file changed, 12 insertions(+), 18 deletions(-) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -1946,6 +1946,7 @@ void tcp_enter_loss(struct sock *sk) + struct tcp_sock *tp = tcp_sk(sk); + struct net *net = sock_net(sk); + struct sk_buff *skb; ++ bool new_recovery = icsk->icsk_ca_state < TCP_CA_Recovery; + bool is_reneg; /* is receiver reneging on SACKs? */ + bool mark_lost; + +@@ -2007,15 +2008,12 @@ void tcp_enter_loss(struct sock *sk) + tp->high_seq = tp->snd_nxt; + tcp_ecn_queue_cwr(tp); + +- /* F-RTO RFC5682 sec 3.1 step 1 mandates to disable F-RTO +- * if a previous recovery is underway, otherwise it may incorrectly +- * call a timeout spurious if some previously retransmitted packets +- * are s/acked (sec 3.2). We do not apply that retriction since +- * retransmitted skbs are permanently tagged with TCPCB_EVER_RETRANS +- * so FLAG_ORIG_SACK_ACKED is always correct. But we do disable F-RTO +- * on PTMU discovery to avoid sending new data. ++ /* F-RTO RFC5682 sec 3.1 step 1: retransmit SND.UNA if no previous ++ * loss recovery is underway except recurring timeout(s) on ++ * the same SND.UNA (sec 3.2). Disable F-RTO on path MTU probing + */ + tp->frto = sysctl_tcp_frto && ++ (new_recovery || icsk->icsk_retransmits) && + !inet_csk(sk)->icsk_mtup.probe_size; + } + +@@ -2694,18 +2692,14 @@ static void tcp_process_loss(struct sock + tcp_try_undo_loss(sk, false)) + return; + +- /* The ACK (s)acks some never-retransmitted data meaning not all +- * the data packets before the timeout were lost. Therefore we +- * undo the congestion window and state. This is essentially +- * the operation in F-RTO (RFC5682 section 3.1 step 3.b). Since +- * a retransmitted skb is permantly marked, we can apply such an +- * operation even if F-RTO was not used. +- */ +- if ((flag & FLAG_ORIG_SACK_ACKED) && +- tcp_try_undo_loss(sk, tp->undo_marker)) +- return; +- + if (tp->frto) { /* F-RTO RFC5682 sec 3.1 (sack enhanced version). */ ++ /* Step 3.b. A timeout is spurious if not all data are ++ * lost, i.e., never-retransmitted data are (s)acked. ++ */ ++ if ((flag & FLAG_ORIG_SACK_ACKED) && ++ tcp_try_undo_loss(sk, true)) ++ return; ++ + if (after(tp->snd_nxt, tp->high_seq)) { + if (flag & FLAG_DATA_SACKED || is_dupack) + tp->frto = 0; /* Step 3.a. loss was real */ diff --git a/patches.suse/team-Fix-double-free-in-error-path.patch b/patches.suse/team-Fix-double-free-in-error-path.patch new file mode 100644 index 0000000000..5678af59c9 --- /dev/null +++ b/patches.suse/team-Fix-double-free-in-error-path.patch @@ -0,0 +1,44 @@ +From: Arkadi Sharshevsky <arkadis@mellanox.com> +Date: Thu, 8 Mar 2018 12:42:10 +0200 +Subject: team: Fix double free in error path +Git-commit: cbcc607e18422555db569b593608aec26111cb0b +Patch-mainline: v4.16-rc7 +References: networking-stable-18_03_28 + +The __send_and_alloc_skb() receives a skb ptr as a parameter but in +case it fails the skb is not valid: +- Send failed and released the skb internally. +- Allocation failed. + +The current code tries to release the skb in case of failure which +causes redundant freeing. + +Fixes: 9b00cf2d1024 ("team: implement multipart netlink messages for options transfers") +Signed-off-by: Arkadi Sharshevsky <arkadis@mellanox.com> +Acked-by: Jiri Pirko <jiri@mellanox.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/team/team.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -2399,7 +2399,7 @@ send_done: + if (!nlh) { + err = __send_and_alloc_skb(&skb, team, portid, send_func); + if (err) +- goto errout; ++ return err; + goto send_done; + } + +@@ -2685,7 +2685,7 @@ send_done: + if (!nlh) { + err = __send_and_alloc_skb(&skb, team, portid, send_func); + if (err) +- goto errout; ++ return err; + goto send_done; + } + diff --git a/patches.suse/tipc-fix-a-memory-leak-in-tipc_nl_node_get_link.patch b/patches.suse/tipc-fix-a-memory-leak-in-tipc_nl_node_get_link.patch new file mode 100644 index 0000000000..b6ded270e7 --- /dev/null +++ b/patches.suse/tipc-fix-a-memory-leak-in-tipc_nl_node_get_link.patch @@ -0,0 +1,78 @@ +From: Cong Wang <xiyou.wangcong@gmail.com> +Date: Wed, 10 Jan 2018 12:50:25 -0800 +Subject: tipc: fix a memory leak in tipc_nl_node_get_link() +Git-commit: 59b36613e85fb16ebf9feaf914570879cd5c2a21 +Patch-mainline: v4.15-rc9 +References: networking-stable-18_01_28 + +When tipc_node_find_by_name() fails, the nlmsg is not +freed. + +While on it, switch to a goto label to properly +free it. + +Fixes: be9c086715c ("tipc: narrow down exposure of struct tipc_node") +Reported-by: Dmitry Vyukov <dvyukov@google.com> +Cc: Jon Maloy <jon.maloy@ericsson.com> +Cc: Ying Xue <ying.xue@windriver.com> +Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> +Acked-by: Ying Xue <ying.xue@windriver.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/tipc/node.c | 26 ++++++++++++++------------ + 1 file changed, 14 insertions(+), 12 deletions(-) + +--- a/net/tipc/node.c ++++ b/net/tipc/node.c +@@ -1854,36 +1854,38 @@ int tipc_nl_node_get_link(struct sk_buff + + if (strcmp(name, tipc_bclink_name) == 0) { + err = tipc_nl_add_bc_link(net, &msg); +- if (err) { +- nlmsg_free(msg.skb); +- return err; +- } ++ if (err) ++ goto err_free; + } else { + int bearer_id; + struct tipc_node *node; + struct tipc_link *link; + + node = tipc_node_find_by_name(net, name, &bearer_id); +- if (!node) +- return -EINVAL; ++ if (!node) { ++ err = -EINVAL; ++ goto err_free; ++ } + + tipc_node_read_lock(node); + link = node->links[bearer_id].link; + if (!link) { + tipc_node_read_unlock(node); +- nlmsg_free(msg.skb); +- return -EINVAL; ++ err = -EINVAL; ++ goto err_free; + } + + err = __tipc_nl_add_link(net, &msg, link, 0); + tipc_node_read_unlock(node); +- if (err) { +- nlmsg_free(msg.skb); +- return err; +- } ++ if (err) ++ goto err_free; + } + + return genlmsg_reply(msg.skb, info); ++ ++err_free: ++ nlmsg_free(msg.skb); ++ return err; + } + + int tipc_nl_node_reset_link_stats(struct sk_buff *skb, struct genl_info *info) diff --git a/patches.suse/vhost_net-stop-device-during-reset-owner.patch b/patches.suse/vhost_net-stop-device-during-reset-owner.patch new file mode 100644 index 0000000000..310e877b99 --- /dev/null +++ b/patches.suse/vhost_net-stop-device-during-reset-owner.patch @@ -0,0 +1,31 @@ +From: Jason Wang <jasowang@redhat.com> +Date: Thu, 25 Jan 2018 22:03:52 +0800 +Subject: vhost_net: stop device during reset owner +Git-commit: 4cd879515d686849eec5f718aeac62a70b067d82 +Patch-mainline: v4.16-rc1 +References: networking-stable-18_02_06 + +We don't stop device before reset owner, this means we could try to +serve any virtqueue kick before reset dev->worker. This will result a +warn since the work was pending at llist during owner resetting. Fix +this by stopping device during owner reset. + +Reported-by: syzbot+eb17c6162478cc50632c@syzkaller.appspotmail.com +Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio server") +Signed-off-by: Jason Wang <jasowang@redhat.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/vhost/net.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/vhost/net.c ++++ b/drivers/vhost/net.c +@@ -1095,6 +1095,7 @@ static long vhost_net_reset_owner(struct + } + vhost_net_stop(n, &tx_sock, &rx_sock); + vhost_net_flush(n); ++ vhost_dev_stop(&n->dev); + vhost_dev_reset_owner(&n->dev, umem); + vhost_net_vq_reset(n); + done: diff --git a/patches.suse/x86-spectre_v1-Disable-compiler-optimizations-over-a.patch b/patches.suse/x86-spectre_v1-Disable-compiler-optimizations-over-a.patch new file mode 100644 index 0000000000..a973393e0f --- /dev/null +++ b/patches.suse/x86-spectre_v1-Disable-compiler-optimizations-over-a.patch @@ -0,0 +1,79 @@ +From: Dan Williams <dan.j.williams@intel.com> +Date: Thu, 7 Jun 2018 09:13:48 -0700 +Subject: x86/spectre_v1: Disable compiler optimizations over + array_index_mask_nospec() +Git-commit: eab6870fee877258122a042bfd99ee7908c40280 +Patch-mainline: v4.18-rc2 +References: bsc#1068032 CVE-2017-5753 + +Mark Rutland noticed that GCC optimization passes have the potential to elide +necessary invocations of the array_index_mask_nospec() instruction sequence, +so mark the asm() volatile. + +Mark explains: + +"The volatile will inhibit *some* cases where the compiler could lift the + array_index_nospec() call out of a branch, e.g. where there are multiple + invocations of array_index_nospec() with the same arguments: + + if (idx < foo) { + idx1 = array_idx_nospec(idx, foo) + do_something(idx1); + } + + < some other code > + + if (idx < foo) { + idx2 = array_idx_nospec(idx, foo); + do_something_else(idx2); + } + + ... since the compiler can determine that the two invocations yield the same + result, and reuse the first result (likely the same register as idx was in + originally) for the second branch, effectively re-writing the above as: + + if (idx < foo) { + idx = array_idx_nospec(idx, foo); + do_something(idx); + } + + < some other code > + + if (idx < foo) { + do_something_else(idx); + } + + ... if we don't take the first branch, then speculatively take the second, we + lose the nospec protection. + + There's more info on volatile asm in the GCC docs: + + https://gcc.gnu.org/onlinedocs/gcc/Extended-Asm.html#Volatile + " + +Reported-by: Mark Rutland <mark.rutland@arm.com> +Signed-off-by: Dan Williams <dan.j.williams@intel.com> +Acked-by: Mark Rutland <mark.rutland@arm.com> +Acked-by: Thomas Gleixner <tglx@linutronix.de> +Acked-by: Linus Torvalds <torvalds@linux-foundation.org> +Cc: <stable@vger.kernel.org> +Cc: Peter Zijlstra <peterz@infradead.org> +Fixes: babdde2698d4 ("x86: Implement array_index_mask_nospec") +Link: https://lkml.kernel.org/lkml/152838798950.14521.4893346294059739135.stgit@dwillia2-desk3.amr.corp.intel.com +Signed-off-by: Ingo Molnar <mingo@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/x86/include/asm/barrier.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/include/asm/barrier.h ++++ b/arch/x86/include/asm/barrier.h +@@ -37,7 +37,7 @@ static inline unsigned long array_index_ + { + unsigned long mask; + +- asm ("cmp %1,%2; sbb %0,%0;" ++ asm volatile ("cmp %1,%2; sbb %0,%0;" + :"=r" (mask) + :"g"(size),"r" (index) + :"cc"); diff --git a/series.conf b/series.conf index 1fc289b799..3d5ae4c4b5 100644 --- a/series.conf +++ b/series.conf @@ -5948,6 +5948,7 @@ patches.drivers/drm-i915-Re-enable-GTT-following-a-device-reset patches.drivers/drm-i915-gvt-Remove-one-duplicated-MMIO patches.fixes/fs-aio-fix-the-increment-of-aio-nr-and-counting-agai.patch + patches.fixes/0001-cifs-Check-for-timeout-on-Negotiate-stage.patch patches.suse/audit-Reduce-overhead-using-a-coarse-clock.patch patches.fixes/printk-console-Always-disable-boot-consoles-that-use.patch patches.fixes/printk-console-Enhance-the-check-for-consoles-using-.patch @@ -6579,6 +6580,7 @@ patches.drivers/Input-uinput-avoid-crash-when-sending-FF-request-to- patches.drivers/PM-core-Fix-device_pm_check_callbacks patches.drivers/PM-docs-Drop-an-excess-character-from-devices.rst + patches.drivers/ACPI-watchdog-properly-initialize-resources patches.apparmor/0001-apparmor-Fix-shadowed-local-variable-in-unpack_trans.patch patches.apparmor/0002-apparmor-Fix-logical-error-in-verify_header.patch patches.apparmor/0003-apparmor-Fix-an-error-code-in-aafs_create.patch @@ -7989,6 +7991,7 @@ patches.drivers/ALSA-hiface-Add-sanity-checks-for-invalid-EPs patches.drivers/ALSA-caiaq-Add-yet-more-sanity-checks-for-invalid-EP patches.drivers/ALSA-line6-Add-yet-more-sanity-checks-for-invalid-EP + patches.drivers/ALSA-hda-ca0132-use-ARRAY_SIZE patches.drivers/ALSA-hda-silence-uninitialized-variable-warning-in-a patches.drivers/ALSA-hda-Add-model-string-for-Intel-reference-board- patches.drivers/ALSA-hda-Avoid-racy-recreation-of-widget-kobjects @@ -9149,6 +9152,7 @@ patches.fixes/0002-NFS-revalidate-.-etc-correctly-on-open.patch patches.fixes/0002-xprtrdma-Throw-away-reply-when-version-is-unrecogniz.patch patches.fixes/0002-nfs-Fix-ugly-referral-attributes.patch + patches.fixes/0001-NFS-Revert-NFS-Move-the-flock-open-mode-check-into-n.patch patches.arch/s390-sles15-02-01-s390-disassembler-increase-show_code-buffer-size.patch patches.drivers/thermal-enable-broadcom-menu-for-arm64-bcm2835.patch patches.drivers/thermal-drivers-step_wise-Fix-temperature-regulation @@ -10165,7 +10169,13 @@ patches.fixes/bpf-arsh-is-not-supported-in-32-bit-alu-thus-reject-.patch patches.suse/bpf-array-fix-overflow-in-max_entries-and-undefined-.patch patches.fixes/9p-add-missing-module-license-for-xen-transport.patch + patches.suse/ppp-unlock-all_ppp_mutex-before-registering-device.patch + patches.suse/ipv6-fix-udpv6-sendmsg-crash-caused-by-too-small-MTU.patch + patches.suse/tipc-fix-a-memory-leak-in-tipc_nl_node_get_link.patch + patches.suse/netlink-extack-needs-to-be-reset-each-time-through-l.patch patches.fixes/ipv6-ip6_make_skb-needs-to-clear-cork.base.dst.patch + patches.suse/net-Allow-neigh-contructor-functions-ability-to-modi.patch + patches.suse/ipv4-Make-neigh-lookup-keys-for-loopback-point-to-po.patch patches.drivers/ibmvnic-Fix-pending-MAC-address-changes.patch patches.fixes/sctp-reinit-stream-if-stream-outcnt-has-been-change-.patch patches.fixes/sctp-do-not-allow-the-v4-socket-to-bind-a-v4mapped-v.patch @@ -10204,7 +10214,10 @@ patches.fixes/bpf-arm64-fix-stack_depth-tracking-in-combination-wi.patch patches.fixes/bpf-reject-stores-into-ctx-via-st-and-xadd.patch patches.fixes/bpf-mark-dst-unknown-on-inconsistent-s-u-bounds-adju.patch + patches.suse/netlink-reset-extack-earlier-in-netlink_rcv_skb.patch patches.drivers/cfg80211-fix-station-info-handling-bugs + patches.suse/flow_dissector-properly-cap-thoff-field.patch + patches.suse/ip6_gre-init-dev-mtu-and-dev-hard_header_len-correct.patch patches.drivers/can-af_can-can_rcv-replace-WARN_ONCE-by-pr_warn_once patches.drivers/can-af_can-canfd_rcv-replace-WARN_ONCE-by-pr_warn_on patches.drivers/ibmvnic-Fix-IP-offload-control-buffer.patch @@ -10250,22 +10263,28 @@ patches.drivers/ibmvnic-Modify-buffer-size-and-number-of-queues-on-f.patch patches.drivers/ibmvnic-Revert-to-previous-mtu-when-unsupported-valu.patch patches.drivers/ibmvnic-Allocate-and-request-vpd-in-init_resources.patch + patches.suse/net-qdisc_pkt_len_init-should-be-more-robust.patch patches.fixes/gso-validate-gso_type-in-GSO-handlers.patch patches.suse/net-igmp-fix-source-address-check-for-IGMPv3-reports.patch patches.drivers/be2net-restore-properly-promisc-mode-after-queues-re.patch patches.suse/x86-ftrace-Fix-ORC-unwinding-from-ftrace-handlers.patch patches.suse/0001-ftrace-orc-x86-Handle-ftrace-dynamically-allocated-t.patch patches.suse/0002-tracing-Update-stack-trace-skipping-for-ORC-unwinder.patch + patches.suse/pppoe-take-needed_headroom-of-lower-device-into-acco.patch patches.suse/ipv6-Fix-getsockopt-for-sockets-with-default-IPV6_AU.patch patches.drivers/vmxnet3-repair-memory-leak patches.fixes/xfrm-Add-SA-to-hardware-at-the-end-of-xfrm_state_con.patch + patches.suse/mlxsw-spectrum_router-Don-t-log-an-error-on-missing-.patch patches.suse/btrfs-fix-stale-entries-in-readdir.patch patches.drivers/KVM-s390-add-proper-locking-for-CMMA-migration-bitma.patch patches.drivers/Input-xpad-add-support-for-PDP-Xbox-One-controllers patches.drivers/Input-trackpoint-force-3-buttons-if-0-button-is-repo patches.drivers/drm-vc4-Flush-the-caches-before-the-bin-jobs-as-well patches.drivers/drm-vc4-Fix-NULL-pointer-dereference-in-vc4_save_han + patches.suse/net-tcp-close-sock-if-net-namespace-is-exiting.patch patches.drivers/r8169-fix-memory-corruption-on-retrieval-of-hardware.patch + patches.suse/net-vrf-Add-support-for-sends-to-local-broadcast-add.patch + patches.suse/dccp-don-t-restart-ccid2_hc_tx_rto_expire-if-sk-in-c.patch patches.fixes/0002-futex-Fix-OWNER_DEAD-fixup.patch patches.suse/hrtimer-Reset-hrtimer-cpu-base-proper-on-CPU-hotplug.patch patches.arch/perf-x86-amd-power-do-not-load-amd-power-module-on-amd-platforms.patch @@ -10437,6 +10456,7 @@ patches.arch/x86-cpufeatures-clean-up-spectre-v2-related-cpuid-flags.patch patches.fixes/sched-Stop-resched_cpu-from-sending-IPIs-to-offline-CPUs.patch patches.fixes/sched-Stop-switched_to_rt-from-sending-IPIs-to-offline-CPUs.patch + patches.suse/0001-locking-Remove-smp_read_barrier_depends-from-queued_.patch patches.suse/sched-Only-immediately-migrate-tasks-due-to-interrupts-if-prev-and-target-CPUs-share-cache.patch patches.suse/msft-hv-1553-x86-hyperv-Stop-suppressing-X86_FEATURE_PCID.patch patches.arch/0004-arm64-mm-Use-non-global-mappings-for-kernel-space.patch @@ -10910,14 +10930,19 @@ patches.fixes/selftests-bpf-make-dubious-pointer-arithmetic-test-u.patch patches.drivers/i40e-program-fragmented-IPv4-filter-input-set.patch patches.drivers/i40e-fix-reported-mask-for-ntuple-filters.patch + patches.drivers/i40e-Do-not-allow-use-more-TC-queue-pairs-than-MSI-X.patch patches.fixes/ipv6-Fix-SO_REUSEPORT-UDP-socket-with-implicit-sk_ip.patch patches.fixes/tap-fix-use-after-free.patch patches.suse/0001-net-ethernet-cavium-Correct-Cavium-Thunderx-NIC-driv.patch + patches.suse/vhost_net-stop-device-during-reset-owner.patch patches.fixes/net-ipv6-send-unsolicited-NA-after-DAD.patch patches.drivers/net_sched-gen_estimator-fix-lockdep-splat.patch + patches.suse/tcp-release-sk_frag.page-in-tcp_disconnect.patch patches.drivers/qlcnic-fix-deadlock-bug.patch patches.drivers/ibmvnic-Wait-for-device-response-when-changing-MAC.patch + patches.suse/qmi_wwan-Add-support-for-Quectel-EP06.patch patches.drivers/r8169-fix-RTL8168EP-take-too-long-to-complete-driver.patch + patches.suse/ip6mr-fix-stale-iterator.patch patches.fixes/fs-dax.c-release-PMD-lock-even-when-there-is-no-PMD-.patch patches.fixes/ocfs2-return-EROFS-to-mount.ocfs2-if-inode-block-is-.patch patches.fixes/ocfs2-try-a-blocking-lock-before-return-AOP_TRUNCATE.patch @@ -10969,6 +10994,9 @@ patches.drivers/Input-synaptics-reset-the-ABS_X-Y-fuzz-after-initial patches.drivers/Input-synaptics-rmi4-do-not-delete-interrupt-memory- patches.fixes/Input-synaptics-rmi4-unmask-F03-interrupts-when-port + patches.fixes/kconfig-Don-t-leak-main-menus-during-parsing + patches.fixes/kconfig-Fix-automatic-menu-creation-mem-leak + patches.fixes/kconfig-Fix-expr_free-E_NOT-leak patches.fixes/printk-Add-console-owner-and-waiter-logic-to-load-ba.patch patches.fixes/printk-Hide-console-waiter-logic-into-helpers.patch patches.fixes/printk-Never-set-console_may_schedule-in-console_try.patch @@ -11475,11 +11503,13 @@ patches.drivers/net-create-skb_gso_validate_mac_len.patch patches.drivers/bnx2x-disable-GSO-where-gso_size-is-too-big-for-hard.patch patches.fixes/tcp_bbr-fix-pacing_gain-to-always-be-unity-when-usin.patch + patches.suse/rocker-fix-possible-null-pointer-dereference-in-rock.patch patches.fixes/netfilter-x_tables-fix-pointer-leaks-to-userspace.patch patches.fixes/netfilter-ipt_CLUSTERIP-fix-out-of-bounds-accesses-i.patch patches.fixes/netfilter-on-sockopt-acquire-sock-lock-only-in-the-r.patch patches.drivers/ibmvnic-fix-firmware-version-when-no-firmware-level-.patch patches.suse/net-igmp-add-a-missing-rcu-locking-section.patch + patches.suse/soreuseport-fix-mem-leak-in-reuseport_add_sock.patch patches.fixes/Revert-defer-call-to-mem_cgroup_sk_alloc.patch patches.drivers/firmware-dmi_scan-Fix-handling-of-empty-DMI-strings patches.fixes/mbcache-initialize-entry-e_referenced-in-mb_cache_en.patch @@ -11587,6 +11617,7 @@ patches.drivers/Revert-apple-gmux-lock-iGP-IO-to-protect-from-vgaarb patches.drivers/platform-x86-mlx-platform-fix-module-aliases patches.fixes/doc-Change-the-min-default-value-of-tcp_wmem-tcp_rme.patch + patches.suse/sctp-fix-dst-refcnt-leak-in-sctp_v6_get_dst.patch patches.fixes/sctp-fix-dst-refcnt-leak-in-sctp_v4_get_dst.patch patches.drivers/ibmvnic-fix-empty-firmware-version-and-errors-cleanu.patch patches.drivers/be2net-Fix-HW-stall-issue-in-Lancer.patch @@ -11711,10 +11742,15 @@ patches.fixes/0013-xprtrdma-Fix-BUG-after-a-device-removal.patch patches.fixes/netfilter-xt_cgroup-initialize-info-priv-in-cgroup_m.patch patches.fixes/netfilter-xt_RATEEST-acquire-xt_rateest_mutex-for-ha.patch + patches.drivers/i40e-Fix-the-number-of-queues-available-to-be-mapped.patch patches.drivers/ibmvnic-Fix-rx-queue-cleanup-for-non-fatal-resets.patch patches.drivers/ibmvnic-Ensure-that-buffers-are-NULL-after-free.patch + patches.suse/net-ethernet-ti-cpsw-fix-net-watchdog-timeout.patch + patches.suse/netlink-ensure-to-loop-over-all-netns-in-genlmsg_mul.patch patches.drivers/ibmvnic-queue-reset-when-CRQ-gets-closed-during-rese.patch + patches.suse/net-sched-cls_u32-fix-cls_u32-on-filter-replace.patch patches.fixes/rtlwifi-rtl8821ae-Fix-connection-lost-problem-correc + patches.suse/net-phy-fix-phy_start-to-consider-PHY_IGNORE_INTERRU.patch patches.fixes/bpf-fix-selftests-bpf-test_kmod.sh-failure-when-CONF.patch patches.drivers/ibmvnic-Reset-long-term-map-ID-counter.patch patches.drivers/s390-qeth-fix-underestimated-count-of-buffer-element.patch @@ -11827,6 +11863,8 @@ patches.arch/x86-smpboot-fix-uncore_pci_remove-indexing-bug-when-hot-removing-a-physical-cpu.patch patches.arch/x86-platform-uv-fix-gam-range-table-entries-less-than-1gb patches.fixes/x86-mm-mm-hwpoison-don-t-unconditionally-unmap-kernel-1-1-pages.patch + patches.suse/0001-locking-qspinlock-Ensure-node-is-initialised-before-.patch + patches.suse/0002-locking-qspinlock-Ensure-node-count-is-updated-befor.patch patches.fixes/9p-trans_virtio-discard-zero-length-reply.patch patches.drivers/PM-wakeirq-Fix-unbalanced-IRQ-enable-for-wakeirq patches.drivers/PM-runtime-Update-links_count-also-if-CONFIG_SRCU @@ -11881,12 +11919,14 @@ patches.fixes/bridge-check-brport-attr-show-in-brport_show.patch patches.fixes/sctp-do-not-pr_err-for-the-duplicated-node-in-transp.patch patches.fixes/tcp-Honor-the-eor-bit-in-tcp_mtu_probe.patch + patches.suse/mlxsw-spectrum_router-Fix-error-path-in-mlxsw_sp_vr_.patch patches.drivers/net-fix-race-on-decreasing-number-of-TX-queues.patch patches.drivers/ibmvnic-Wait-until-reset-is-complete-to-set-carrier-.patch patches.drivers/ibmvnic-Fix-login-buffer-memory-leaks.patch patches.drivers/ibmvnic-Fix-NAPI-structures-memory-leak.patch patches.drivers/ibmvnic-Free-RX-socket-buffer-in-case-of-adapter-err.patch patches.drivers/ibmvnic-Clean-RX-pool-buffers-during-device-close.patch + patches.suse/fib_semantics-Don-t-match-route-with-mismatching-tcl.patch patches.drivers/cxgb4-fix-trailing-zero-in-CIM-LA-dump.patch patches.drivers/PCI-cxgb4-Extend-T3-PCI-quirk-to-T4-devices.patch patches.fixes/dn_getsockoptdecnet-move-nf_-get-set-sockopt-outside.patch @@ -11957,6 +11997,7 @@ patches.drivers/X.509-fix-NULL-dereference-when-restricting-key-with patches.drivers/KEYS-Use-individual-pages-in-big_key-for-crypto-buff patches.drivers/ibmvnic-Check-for-NULL-skb-s-in-NAPI-poll-routine.patch + patches.suse/net-sched-report-if-filter-is-too-large-to-dump.patch patches.fixes/netfilter-ipt_CLUSTERIP-fix-a-race-condition-of-proc.patch patches.fixes/netfilter-drop-outermost-socket-lock-in-getsockopt.patch patches.fixes/netfilter-add-back-stackpointer-size-checks.patch @@ -11973,6 +12014,7 @@ patches.drivers/net-mlx5-Add-header-re-write-to-the-checks-for-confl.patch patches.fixes/bpf-fix-memory-leak-in-lpm_trie-map_free-callback-fu.patch patches.fixes/bpf-fix-mlock-precharge-on-arraymaps.patch + patches.suse/amd-xgbe-Restore-PCI-interrupt-enablement-setting-on.patch patches.suse/netlink-put-module-reference-if-dump-start-fails.patch patches.fixes/tcp_bbr-better-deal-with-suboptimal-GSO.patch patches.fixes/net-ipv4-Set-addr_type-in-hash_keys-for-forwarded-ca.patch @@ -11986,6 +12028,8 @@ patches.drivers/mac80211-Do-not-disconnect-on-invalid-operating-clas patches.drivers/mac80211-Fix-sending-ADDBA-response-for-an-ongoing-s patches.fixes/regulatory-add-NUL-to-request-alpha2.patch + patches.suse/rxrpc-Fix-send-in-rxrpc_send_data_packet.patch + patches.suse/ipv6-sit-work-around-bogus-gcc-8-Wrestrict-warning.patch patches.fixes/bpf-add-schedule-points-in-percpu-arrays-management.patch patches.fixes/bpf-fix-rcu-lockdep-warning-for-lpm_trie-map_free-ca.patch patches.fixes/bpf-x64-implement-retpoline-for-tail-call.patch @@ -12088,12 +12132,18 @@ patches.fixes/l2tp-fix-race-in-pppol2tp_release-with-session-objec.patch patches.fixes/l2tp-fix-tunnel-lookup-use-after-free-race.patch patches.drivers/ixgbe-fix-crash-in-build_skb-Rx-code-path.patch + patches.suse/hdlc_ppp-carrier-detect-ok-don-t-turn-off-negotiatio.patch patches.drivers/Bluetooth-btusb-Use-DMI-matching-for-QCA-reset_resum + patches.suse/net-ipv4-don-t-allow-setting-net.ipv4.route.min_pmtu.patch patches.fixes/ip_gre-fix-IFLA_MTU-ignored-on-NEWLINK.patch + patches.suse/s390-qeth-fix-overestimated-count-of-buffer-elements.patch patches.arch/s390-qeth-fix-ip-removal-on-offline-cards.patch patches.arch/s390-qeth-fix-double-free-on-ip-add-remove-race.patch patches.arch/s390-qeth-fix-ip-address-lookup-for-l3-devices.patch + patches.suse/s390-qeth-fix-IPA-command-submission-race.patch patches.fixes/tcp-revert-F-RTO-middle-box-workaround.patch + patches.suse/tcp-revert-F-RTO-extension-to-detect-more-spurious-t.patch + patches.suse/net-ipv4-avoid-unused-variable-warning-for-sysctl.patch patches.drivers/net-ethtool-don-t-ignore-return-from-driver-get_fecp.patch patches.fixes/bpf-allow-xadd-only-on-aligned-memory.patch patches.fixes/bpf-ppc64-fix-out-of-bounds-access-in-tail-call.patch @@ -12101,6 +12151,8 @@ patches.drivers/mac80211-drop-frames-with-unexpected-DS-bits-from-fa patches.fixes/netfilter-ebtables-CONFIG_COMPAT-don-t-trust-userlan.patch patches.fixes/netfilter-use-skb_to_full_sk-in-ip6_route_me_harder.patch + patches.suse/mlxsw-spectrum_switchdev-Check-success-of-FDB-add-op.patch + patches.suse/ppp-prevent-unregistered-channels-from-connecting-to.patch patches.suse/msft-hv-1565-hv_netvsc-avoid-retry-on-send-during-shutdown.patch patches.suse/msft-hv-1566-hv_netvsc-only-wake-transmit-queue-if-link-is-up.patch patches.suse/msft-hv-1567-hv_netvsc-fix-error-unwind-handling-if-vmbus_open-fa.patch @@ -12253,10 +12305,12 @@ patches.drivers/mmc-block-fix-updating-ext_csd-caches-on-ioctl-call patches.drivers/mmc-core-Disable-HPI-for-certain-Micron-Numonyx-eMMC patches.drivers/mmc-dw_mmc-fix-falling-from-idmac-to-PIO-mode-when-d + patches.suse/net-Only-honor-ifindex-in-IP_PKTINFO-if-non-0.patch patches.drivers/rhashtable-Fix-rhlist-duplicates-insertion patches.drivers/Bluetooth-btusb-Remove-Yoga-920-from-the-btusb_needs patches.drivers/Bluetooth-btusb-Add-Dell-OptiPlex-3060-to-btusb_need patches.drivers/Bluetooth-Fix-missing-encryption-refresh-on-Security + patches.suse/sch_netem-fix-skb-leak-in-netem_enqueue.patch patches.drivers/e1000e-Remove-Other-from-EIAC.patch patches.drivers/Partial-revert-e1000e-Avoid-receiver-overrun-interru.patch patches.drivers/e1000e-Fix-queue-interrupt-re-raising-in-Other-inter.patch @@ -12264,10 +12318,12 @@ patches.drivers/e1000e-Fix-check_for_link-return-value-with-autoneg-.patch patches.drivers/e1000e-allocate-ring-descriptors-with-dma_zalloc_coh.patch patches.drivers/qed-Free-RoCE-ILT-Memory-on-rmmod-qedr.patch + patches.suse/net-Fix-hlist-corruptions-in-inet_evict_bucket.patch patches.fixes/l2tp-do-not-accept-arbitrary-sockets.patch patches.fixes/dccp-check-sk-for-closed-state-in-dccp_sendmsg.patch patches.fixes/bpf-fix-bpf_skb_adjust_net-bpf_skb_proto_xlat-to-dea.patch patches.fixes/bpf-x64-increase-number-of-passes.patch + patches.suse/team-Fix-double-free-in-error-path.patch patches.drivers/iwlwifi-mvm-fix-security-bug-in-PN-checking patches.drivers/iwlwifi-mvm-fix-IBSS-for-devices-that-support-statio patches.drivers/iwlwifi-mvm-always-init-rs-with-20mhz-bandwidth-rate @@ -12284,6 +12340,10 @@ patches.suse/msft-hv-1576-hv_netvsc-avoid-repeated-updates-of-packet-filter.patch patches.suse/msft-hv-1577-hv_netvsc-fix-locking-for-rx_mode.patch patches.suse/msft-hv-1578-hv_netvsc-fix-locking-during-VF-setup.patch + patches.suse/ipv6-fix-access-to-non-linear-packet-in-ndisc_fill_r.patch + patches.suse/ieee802154-6lowpan-fix-possible-NULL-deref-in-lowpan.patch + patches.suse/macvlan-filter-out-unsupported-feature-flags.patch + patches.suse/net-phy-Tell-caller-result-of-phy_change.patch patches.drivers/bnxt_en-Remove-unwanted-ovs-offload-messages-in-some.patch patches.drivers/bnxt_en-Return-standard-Linux-error-codes-for-hwrm-f.patch patches.drivers/bnxt_en-Check-valid-VNIC-ID-in-bnxt_hwrm_vnic_set_tp.patch @@ -12292,23 +12352,46 @@ patches.drivers/can-peak-pcie_fd-fix-echo_skb-is-occupied-bug patches.drivers/can-peak-pcie_fd-remove-useless-code-when-interface- patches.fixes/netfilter-ebtables-fix-erroneous-reject-of-last-rule.patch + patches.suse/net-ipv6-keep-sk-status-consistent-after-datagram-co.patch patches.drivers/Revert-e1000e-Separate-signaling-for-link-check-link.patch patches.drivers/e1000e-Fix-link-check-race-condition.patch patches.drivers/qed-Use-after-free-in-qed_rdma_free.patch + patches.suse/net-use-skb_to_full_sk-in-skb_update_prio.patch + patches.suse/soc-fsl-qbman-fix-issue-in-qman_delete_cgr_safe.patch + patches.suse/dpaa_eth-remove-duplicate-initialization.patch + patches.suse/dpaa_eth-increment-the-RX-dropped-counter-when-neede.patch + patches.suse/dpaa_eth-remove-duplicate-increment-of-the-tx_errors.patch patches.drivers/can-cc770-Fix-stalls-on-rt-linux-remove-redundant-IR patches.drivers/can-cc770-Fix-queue-stall-dropped-RTR-reply patches.drivers/net-sched-actions-return-explicit-error-when-tunnel_.patch + patches.suse/kcm-lock-lower-socket-in-kcm_attach.patch + patches.suse/net-systemport-Rewrite-__bcm_sysport_tx_reclaim.patch + patches.suse/net-iucv-Free-memory-obtained-by-kzalloc.patch patches.drivers/qed-Fix-MPA-unalign-flow-in-case-header-is-split-acr.patch patches.drivers/qed-Fix-non-TCP-packets-should-be-dropped-on-iWARP-l.patch patches.drivers/qede-Fix-qedr-link-update.patch + patches.suse/netlink-avoid-a-double-skb-free-in-genlmsg_mcast.patch + patches.suse/skbuff-Fix-not-waking-applications-when-errors-are-e.patch + patches.suse/mlxsw-spectrum_buffers-Set-a-minimum-quota-for-CPU-p.patch patches.drivers/net-hns-Fix-ethtool-private-flags.patch + patches.suse/net-ethernet-ti-cpsw-add-check-for-in-band-mode-sett.patch patches.drivers/net-sched-fix-NULL-dereference-in-the-error-path-of-.patch patches.drivers/net-sched-fix-NULL-dereference-on-the-error-path-of-.patch + patches.suse/net-fec-Fix-unbalanced-PM-runtime-calls.patch patches.drivers/Bluetooth-btusb-Fix-quirk-for-Atheros-1525-QCA6174 + patches.suse/devlink-Remove-redundant-free-on-error-path.patch + patches.suse/net-ethernet-arc-Fix-a-potential-memory-leak-if-an-o.patch patches.drivers/can-cc770-Fix-use-after-free-in-cc770_tx_interrupt + patches.suse/ipv6-old_dport-should-be-a-__be16-in-__ip6_datagram_.patch patches.fixes/test_bpf-Fix-testing-with-CONFIG_BPF_JIT_ALWAYS_ON-y.patch patches.fixes/bpf-skip-unnecessary-capability-check.patch + patches.suse/s390-qeth-free-netdevice-when-removing-a-card.patch + patches.suse/s390-qeth-when-thread-completes-wake-up-all-waiters.patch + patches.suse/s390-qeth-lock-read-device-while-queueing-next-buffe.patch patches.drivers/s390-qeth-on-channel-error-reject-further-cmd-requests.patch + patches.suse/ipv6-sr-fix-scheduling-in-RCU-when-creating-seg6-lwt.patch + patches.suse/ipv6-sr-fix-NULL-pointer-dereference-when-setting-en.patch + patches.suse/ppp-avoid-loop-in-xmit-recursion-detection-code.patch patches.suse/msft-hv-1579-hv_netvsc-disable-NAPI-before-channel-close.patch patches.suse/msft-hv-1580-hv_netvsc-use-RCU-to-fix-concurrent-rx-and-queue-cha.patch patches.suse/msft-hv-1581-hv_netvsc-change-GPAD-teardown-order-on-older-versio.patch @@ -12421,6 +12504,7 @@ patches.drivers/drm-panel-simple-Fix-the-bus-format-for-the-Ontat-pa patches.drivers/drm-meson-Fix-an-un-handled-error-path-in-meson_drv_ patches.drivers/drm-meson-Fix-some-error-handling-paths-in-meson_drv + patches.drivers/PCI-Restore-config-space-on-runtime-resume-despite-b patches.drivers/drm-rockchip-Clear-all-interrupts-before-requesting- patches.drivers/drm-rcar-du-lvds-Fix-LVDS-startup-on-R-Car-Gen2 patches.drivers/drm-rcar-du-lvds-Fix-LVDS-startup-on-R-Car-Gen3 @@ -12499,6 +12583,7 @@ patches.drivers/ibmvnic-Improve-TX-buffer-accounting.patch patches.drivers/ibmvnic-Update-TX-pool-cleaning-routine.patch patches.drivers/ibmvnic-Remove-unused-TSO-resources-in-TX-pool-struc.patch + patches.drivers/i40e-Close-client-on-suspend-and-restore-client-MSIx.patch patches.drivers/ibmvnic-Potential-NULL-dereference-in-clean_one_tx_p.patch patches.drivers/rtlwifi-rtl8192cu-Remove-variable-self-assignment-in patches.drivers/rtl8187-Fix-NULL-pointer-dereference-in-priv-conf_mu @@ -12574,10 +12659,19 @@ patches.drivers/nfp-use-full-40-bits-of-the-NSP-buffer-address.patch patches.fixes/0001-xhci-zero-usb-device-slot_id-member-when-disabling-a.patch patches.fixes/0001-USB-fix-USB3-devices-behind-USB3-hubs-not-resuming-a.patch + patches.drivers/serial-altera-ensure-port-regshift-is-honored-consis + patches.drivers/serial-arc_uart-Fix-out-of-bounds-access-through-DT- + patches.drivers/serial-fsl_lpuart-Fix-out-of-bounds-access-through-D + patches.drivers/serial-imx-Fix-out-of-bounds-access-through-serial-p + patches.drivers/serial-mxs-auart-Fix-out-of-bounds-access-through-se + patches.drivers/serial-samsung-Fix-out-of-bounds-access-through-seri + patches.drivers/serial-sh-sci-Fix-out-of-bounds-access-through-DT-al + patches.drivers/serial-xuartps-Fix-out-of-bounds-access-through-DT-a patches.drivers/vt-change-SGR-21-to-follow-the-standards patches.drivers/staging-rtl8192u-return-ENOMEM-on-failed-allocation- patches.drivers/staging-comedi-ni_mio_common-ack-ai-fifo-error-inter patches.drivers/staging-bcm2835-audio-Release-resources-on-module_ex + patches.fixes/lib-kobject-Join-string-literals-back patches.drivers/firmware-fix-checking-for-return-values-for-fw_add_d patches.suse/suse-hv-hv_balloon-fix-printk-loglevel.patch patches.suse/suse-hv-hv_balloon-simplify-hv_online_page-hv_page_online_on.patch @@ -12645,6 +12739,7 @@ patches.drivers/nvmet_fc-prevent-new-io-rqsts-in-possible-isr-comple.patch patches.drivers/nvmet-rdma-Don-t-flush-system_wq-by-default-during-r.patch patches.drivers/nvme-rdma-Don-t-flush-delete_wq-by-default-during-re.patch + patches.drivers/nvme-Skip-checking-heads-without-namespaces.patch patches.drivers/scsi-lpfc-Fix-frequency-of-Release-WQE-CQEs.patch patches.drivers/scsi-lpfc-Increase-CQ-and-WQ-sizes-for-SCSI.patch patches.drivers/scsi-lpfc-move-placement-of-target-destroy-on-driver.patch @@ -12745,6 +12840,7 @@ patches.drivers/iw_cxgb4-print-mapped-ports-correctly.patch patches.drivers/ACPI-hotplug-PCI-Check-presence-of-slot-itself-in-ge patches.drivers/pci-dpc-do-not-enable-dpc-if-aer-control-is-not-allowed-by-the-bios + patches.drivers/PCI-Add-function-1-DMA-alias-quirk-for-Marvell-88SE9 patches.suse/suse-hv-PCI-hv-Serialize-the-present-and-eject-work-items.patch patches.suse/suse-hv-PCI-hv-Fix-2-hang-issues-in-hv_compose_msi_msg.patch patches.suse/suse-hv-PCI-hv-Fix-a-comment-typo-in-_hv_pcifront_read_confi.patch @@ -12893,6 +12989,7 @@ patches.drivers/bnxt_en-Ignore-src-port-field-in-decap-filter-nodes.patch patches.fixes/0002-xprtrdma-Fix-corner-cases-when-handling-device-remov.patch patches.fixes/xfs-fix-intent-use-after-free-on-abort.patch + patches.drivers/PCI-Mark-Broadcom-HT1100-and-HT2000-Root-Port-Extend patches.drivers/PCI-Remove-messages-about-reassigning-resources patches.drivers/drm-amdgpu-sdma-fix-mask-in-emit_pipeline_sync patches.drivers/drm-amdgpu-si-implement-get-set-pcie_lanes-asic-call @@ -12906,7 +13003,10 @@ patches.fixes/block-loop-fix-deadlock-after-loop_set_status.patch patches.drivers/nvme-don-t-send-keep-alives-to-the-discovery-controller.patch patches.drivers/nvme-target-fix-buffer-overflow.patch + patches.drivers/nvme-check-return-value-of-init_srcu_struct-function.patch patches.drivers/nvmet-fix-space-padding-in-serial-number.patch + patches.drivers/nvme-Use-admin-command-effects-for-admin-commands.patch + patches.drivers/nvme-expand-nvmf_check_if_ready-checks.patch patches.apparmor/apparmor-fix-display-of-.ns_name-for-containers.patch patches.apparmor/apparmor-fix-resource-audit-messages-when-auditing-peer.patch patches.apparmor/apparmor-fix-dangling-symlinks-to-policy-rawdata-aft.patch @@ -12967,6 +13067,7 @@ patches.drivers/drm-i915-Call-i915_perf_fini-on-init_hw-error-unwind patches.drivers/drm-i915-audio-Fix-audio-detection-issue-on-GLK patches.arch/s390-qeth-fix-MAC-address-update-sequence.patch + patches.suse/ipv6-sr-fix-NULL-pointer-dereference-in-seg6_do_srh_.patch patches.drivers/ibmvnic-Clean-actual-number-of-RX-or-TX-pools.patch patches.drivers/net-ethtool-Add-missing-kernel-doc-for-FEC-parameter.patch patches.fixes/loop-handle-short-DIO-reads.patch @@ -13014,6 +13115,7 @@ patches.fixes/0001-usb-core-Add-quirk-for-HP-v222w-16GB-Mini.patch patches.fixes/0001-usb-typec-ucsi-Increase-command-completion-timeout-v.patch patches.drivers/0001-xhci-Fix-Kernel-oops-in-xhci-dbgtty.patch + patches.fixes/kobject-don-t-use-WARN-for-registration-failures patches.fixes/ceph-check-if-mds-create-snaprealm-when-setting-quota.patch patches.fixes/libceph-un-backoff-on-tick-when-we-have-a-authenticated-session.patch patches.fixes/libceph-reschedule-a-tick-in-finish_hunting.patch @@ -13047,6 +13149,10 @@ patches.suse/0225-bcache-set-dc-io_disable-to-true-in-conditional_stop.patch patches.suse/0226-bcache-use-pr_info-to-inform-duplicated-CACHE_SET_IO.patch patches.fixes/bdi-wake-up-concurrent-wb_shutdown-callers.patch + patches.drivers/nvme-fix-potential-memory-leak-in-option-parsing.patch + patches.drivers/nvme-Set-integrity-flag-for-user-passthrough-command.patch + patches.drivers/nvme-multipath-Fix-multipath-disabled-naming-collisi.patch + patches.drivers/nvmet-switch-loopback-target-state-to-connecting-whe.patch patches.fixes/bdi-Fix-oops-in-wb_workfn.patch patches.drivers/RDMA-ucma-Allow-resolving-address-w-o-specifying-sou.patch patches.drivers/IB-mlx5-Use-unlimited-rate-when-static-rate-is-not-s.patch @@ -13063,6 +13169,9 @@ patches.drivers/gpio-fix-aspeed_gpio-unmask-irq patches.drivers/gpioib-do-not-free-unrequested-descriptors patches.drivers/gpio-fix-error-path-in-lineevent_create + patches.drivers/HID-lenovo-Add-support-for-IBM-Lenovo-Scrollpoint-mi + patches.drivers/HID-wacom-Release-device-resource-data-obtained-by-d + patches.drivers/HID-intel-ish-hid-use-put_device-instead-of-kfree patches.suse/0228-dm-bufio-fix-buffer-alignment.patch patches.drivers/drm-i915-Adjust-eDP-s-logical-vco-in-a-reliable-plac patches.drivers/drm-i915-Fix-drm-intel_enable_lvds-ERROR-message-in- @@ -13076,6 +13185,7 @@ patches.drivers/drm-nouveau-Fix-deadlock-in-nv50_mstm_register_conne patches.fixes/cpufreq-schedutil-Avoid-using-invalid-next_freq.patch patches.fixes/ceph-fix-rsize-wsize-capping-in-ceph_direct_read_write.patch + patches.fixes/xprtrdma-Fix-list-corruption-DMAR-errors-during-MR-r.patch patches.drivers/Revert-Bluetooth-btusb-Fix-quirk-for-Atheros-1525-QC patches.drivers/Bluetooth-btusb-Only-check-needs_reset_resume-DMI-ta patches.drivers/Bluetooth-btusb-Add-Dell-XPS-13-9360-to-btusb_needs_ @@ -13089,6 +13199,8 @@ patches.drivers/rfkill-gpio-fix-memory-leak-in-probe-error-path patches.drivers/mac80211-Adjust-SAE-authentication-timeout patches.drivers/mac80211-use-timeout-from-the-AddBA-response-instead + patches.drivers/can-hi311x-Acquire-SPI-lock-on-do_get_berr_counter + patches.drivers/can-hi311x-Work-around-TX-complete-interrupt-erratum patches.fixes/0001-mm-oom-fix-concurrent-munlock-and-oom-reaper-unmap-v.patch patches.drivers/nvme-add-quirk-to-force-medium-priority-for-sq-creation.patch patches.drivers/drm-set-FMODE_UNSIGNED_OFFSET-for-drm-files @@ -13111,6 +13223,9 @@ patches.fixes/0001-usbip-usbip_host-fix-NULL-ptr-deref-and-use-after-fr.patch patches.fixes/0001-usbip-usbip_host-fix-bad-unlock-balance-during-stub_.patch patches.drivers/i2c-designware-fix-poll-after-enable-regression + patches.drivers/i2c-pmcmsp-return-message-count-on-master_xfer-succe + patches.drivers/i2c-pmcmsp-fix-error-return-from-master_xfer + patches.drivers/i2c-viperboard-return-message-count-on-master_xfer-s patches.drivers/radix-tree-test-suite-fix-mapshift-build-target.patch patches.drivers/radix-tree-test-suite-fix-compilation-issue.patch patches.drivers/radix-tree-test-suite-add-item_delete_rcu.patch @@ -13147,13 +13262,23 @@ patches.drivers/nvme-fix-extended-data-LBA-supported-setting.patch patches.fixes/mm-huge_memory-c-_split_huge_page-use-atomic-clearpagedirty.patch patches.suse/mm-fix-the-NULL-mapping-case-in-__isolate_lru_page.patch + patches.drivers/iio-ad7793-implement-IIO_CHAN_INFO_SAMP_FREQ + patches.drivers/iio-kfifo_buf-check-for-uint-overflow patches.drivers/intel_th-Use-correct-device-when-freeing-buffers patches.drivers/drm-i915-Disable-LVDS-on-Radiant-P845 patches.drivers/drm-i915-lvds-Move-acpi-lid-notification-registratio patches.drivers/drm-psr-Fix-missed-entry-in-PSR-setup-time-table patches.drivers/be2net-Fix-error-detection-logic-for-BE3.patch patches.drivers/Revert-rt2800-use-TXOP_BACKOFF-for-probe-frames + patches.drivers/iwlwifi-pcie-compare-with-number-of-IRQs-requested-f patches.drivers/nvme-fix-lockdep-warning-in-nvme_mpath_clear_current_path.patch + patches.drivers/nvme-fc-remove-setting-DNR-on-exception-conditions.patch + patches.drivers/nvme-fabrics-remove-unnecessary-controller-subnqn-va.patch + patches.drivers/nvme-fabrics-centralize-discovery-controller-default.patch + patches.drivers/nvme-fabrics-allow-duplicate-connections-to-the-disc.patch + patches.drivers/nvmet-fc-increase-LS-buffer-count-per-fc-port.patch + patches.drivers/nvme-allow-duplicate-controller-if-prior-controller-.patch + patches.drivers/nvme-fabrics-allow-internal-passthrough-command-on-d.patch patches.suse/btrfs-return-error-value-if-create_io_em-failed-in-cow_file_range.patch patches.fixes/0001-dlm-fix-a-clerical-error-when-set-SCTP_NODELAY.patch patches.fixes/0002-dlm-make-sctp_connect_to_sock-return-in-specified-ti.patch @@ -13175,6 +13300,10 @@ patches.drivers/0001-xhci-set-hcd-pointers-for-xhci-usb2-and-usb3-roothub.patch patches.drivers/0001-xhci-Add-helper-to-get-xhci-roothub-from-hcd.patch patches.drivers/0001-xhci-debugfs-add-usb-ports-to-xhci-debugfs.patch + patches.drivers/w1-mxc_w1-Enable-clock-before-calling-clk_get_rate-o + patches.drivers/driver-core-Don-t-ignore-class_dir_create_and_add-fa + patches.drivers/serial-samsung-fix-maxburst-parameter-for-DMA-transa + patches.drivers/serial-8250-omap-Fix-idling-of-clocks-for-unused-uar patches.drivers/drm-i915-Restore-planes-after-load-detection patches.drivers/drm-exynos-Allow-DRM_EXYNOS-on-s5pv210 patches.drivers/drm-i915-Don-t-request-a-bug-report-for-unsafe-modul @@ -13221,9 +13350,12 @@ patches.drivers/ALSA-hda-realtek-Enable-mic-mute-hotkey-for-several- patches.drivers/ALSA-hda-Handle-kzalloc-failure-in-snd_hda_attach_pc patches.drivers/ASoC-omap-Remove-OMAP_MUX-dependency-from-Nokia-N810 + patches.fixes/kconfig-Avoid-format-overflow-warning-from-GCC-8.1 + patches.drivers/serial-sh-sci-Stop-using-printk-format-pCr patches.drivers/mwifiex-pcie-tighten-a-check-in-mwifiex_pcie_process patches.drivers/ath10k-correct-target-assert-problem-due-to-CE5-stuc patches.drivers/ath10k-search-all-IEs-for-variant-before-falling-bac + patches.drivers/iwlwifi-fw-harden-page-loading-code patches.drivers/ibmvnic-Mark-NAPI-flag-as-disabled-when-released.patch patches.drivers/ibmvnic-Introduce-active-CRQ-state.patch patches.drivers/ibmvnic-Check-CRQ-command-return-codes.patch @@ -13239,6 +13371,8 @@ patches.drivers/iwlwifi-fix-non_shared_ant-for-9000-devices patches.fixes/ipv6-omit-traffic-class-when-calculating-flow-hash.patch patches.drivers/Bluetooth-btusb-Apply-QCA-Rome-patches-for-some-ATH3 + patches.fixes/e1000e-Ignore-TSYNCRXCTL-when-getting-I219-clock-att.patch + patches.fixes/ip6mr-only-set-ip6mr_table-from-setsockopt-when-ip6m.patch patches.arch/powerpc64-ftrace-Add-a-field-in-paca-to-disable-ftra.patch patches.arch/powerpc64-ftrace-Rearrange-ifdef-sections-in-ftrace..patch patches.arch/powerpc64-ftrace-Add-helpers-to-hard-disable-ftrace.patch @@ -13263,13 +13397,25 @@ patches.arch/powerpc-Use-barrier_nospec-in-copy_from_user.patch patches.arch/powerpc-64-Use-barrier_nospec-in-syscall-entry.patch patches.suse/powerpc-64s-Enhance-the-information-in-cpu_show_spec.patch + patches.drivers/media-uvcvideo-Support-realtek-s-UVC-1.5-device patches.fixes/mm-page_alloc-do-not-break-_gfp_thisnode-by-zonelist-reset.patch + patches.fixes/fs-binfmt_misc-c-do-not-allow-offset-overflow.patch + patches.fixes/regulator-don-t-return-or-expect-errno-from-of_map_mode.patch patches.drivers/0001-raid10-check-bio-in-r10buf_pool_free-to-void-NULL-po.patch patches.drivers/0001-md-fix-two-problems-with-setting-the-re-add-device-s.patch patches.drivers/scsi-lpfc-fix-wq-cq-creation-for-older-asic-s.patch patches.drivers/scsi-qla2xxx-Delete-session-for-nport-id-change.patch patches.drivers/ubi-fastmap-Cancel-work-upon-detach + patches.suse/msft-hv-1657-hv_netvsc-Fix-a-network-regression-after-ifdown-ifup.patch patches.drivers/drm-i915-Remove-stale-asserts-from-i915_gem_find_act + patches.fixes/xprtrdma-Return-ENOBUFS-when-no-pages-are-available.patch + patches.fixes/NFSv4-Revert-commit-5f83d86cf531d-NFSv4.x-Fix-wrapar.patch + patches.arch/kvm-nvmx-enforce-cpl-0-for-vmx-instructions + patches.suse/cpufreq-intel_pstate-Add-HWP-boost-utility-and-sched.patch + patches.suse/cpufreq-intel_pstate-HWP-boost-performance-on-IO-wak.patch + patches.suse/cpufreq-intel_pstate-New-sysfs-entry-to-control-HWP-.patch + patches.suse/cpufreq-intel_pstate-enable-boost-for-Skylake-Xeon.patch + patches.drivers/platform-x86-ideapad-laptop-Add-MIIX-720-12IKB-to-no patches.drivers/0001-qla2xxx-Mask-off-Scope-bits-in-retry-delay.patch patches.fixes/ceph-support-file-lock-on-directory.patch patches.fixes/ceph-fix-st_nlink-stat-for-directories.patch @@ -13285,8 +13431,33 @@ patches.drivers/ALSA-usb-audio-Add-native-DSD-support-for-Mytek-DACs patches.drivers/ALSA-usb-audio-Generic-DSD-detection-for-XMOS-based- patches.drivers/ALSA-usb-audio-Remove-explicitly-listed-Mytek-device + patches.fixes/vhost-fix-info-leak-due-to-uninitialized-memory.patch patches.fixes/xen-netfront-raise-max-number-of-slots-in-xennet_get_responses.patch + patches.drivers/nvme-fix-NULL-pointer-dereference-in-nvme_init_subsy.patch + patches.drivers/nvme-fc-change-controllers-first-connect-to-use-reco.patch + patches.drivers/nvme-fc-remove-reinit_request-routine.patch + patches.drivers/nvme-fc-fix-nulling-of-queue-data-on-reconnect.patch + patches.drivers/nvme-fabrics-refactor-queue-ready-check.patch + patches.drivers/nvme-fabrics-handle-the-admin-only-case-properly-in-.patch + patches.drivers/nvme-fabrics-fix-and-refine-state-checks-in-__nvmf_c.patch patches.fixes/jfs-fix-inconsistency-between-memory-allocation-and-ea_buf-max_size.patch + patches.drivers/HID-intel_ish-hid-ipc-register-more-pm-callbacks-to- + patches.drivers/HID-wacom-Correct-logical-maximum-Y-for-2nd-gen-Intu + patches.drivers/drm-qxl-Call-qxl_bo_unref-outside-atomic-context + patches.drivers/drm-i915-Apply-batch-location-restrictions-before-pi + patches.suse/x86-spectre_v1-Disable-compiler-optimizations-over-a.patch + patches.drivers/Input-xpad-fix-GPD-Win-2-controller-name + patches.drivers/ALSA-hda-realtek-Fix-pop-noise-on-Lenovo-P50-co + patches.drivers/ALSA-hda-ca0132-Delete-pointless-assignments-to-stru + patches.drivers/ALSA-hda-ca0132-Delete-redundant-UNSOL-event-request + patches.drivers/ALSA-hda-ca0132-Restore-behavior-of-QUIRK_ALIENWARE + patches.drivers/ALSA-hda-ca0132-Don-t-test-for-QUIRK_NONE + patches.drivers/ALSA-hda-ca0132-Restore-PCM-Analog-Mic-In2 + patches.drivers/ALSA-hda-ca0132-Fix-DMic-data-rate-for-Alienware-M17 + patches.drivers/ALSA-hda-ca0132-make-array-ca0132_alt_chmaps-static + patches.drivers/ALSA-hda-realtek-Add-a-quirk-for-FSC-ESPRIMO-U9210 + patches.drivers/ALSA-hda-realtek-Fix-the-problem-of-two-front-mics-o + patches.fixes/ceph-fix-dentry-leak-in-splice_dentry.patch # dhowells/linux-fs keys-uefi patches.suse/0001-KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch @@ -13506,7 +13677,6 @@ patches.suse/suse-hv-guest-os-id.patch patches.suse/suse-hv-kvp_on_msg.dbg.patch patches.suse/suse-hv-hv_compose_msi_msg.patch - patches.suse/suse-hv-netvsc-ifup.patch # bsc#1056592 patches.suse/ras-cec-disable-cec.patch @@ -13582,7 +13752,12 @@ patches.arch/0012-arm64-ssbd-Add-prctl-interface-for-per-thread-mitiga.patch ######################################################## - # xfs/ext4/btrfs + # Filesystem + ######################################################## + patches.suse/procfs-add-tunable-for-fd-fdinfo-dentry-retention.patch + + ######################################################## + # xfs/ext4/btrfs/reiserfs ######################################################## patches.fixes/xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch patches.drivers/pstore_disable_efi_backend_by_default.patch @@ -13733,8 +13908,10 @@ # Other driver fixes ######################################################## patches.suse/tpm-Downgrade-error-level - patches.drivers/platform-x86-ideapad-laptop-Add-MIIX-720-12IKB-to-no patches.suse/Input-synaptics-Add-intertouch-blacklist-for-Thinkpa.patch + patches.suse/mmc-version-check-printk-downgrade + patches.drivers/platform-x86-ideapad-laptop-Apply-no_hw_rfkill-to-Y2 + patches.drivers/dell_rbu-make-firmware-payload-memory-uncachable ######################################################## # Other drivers we have added to the tree @@ -13869,11 +14046,12 @@ ######################################################## patches.suse/crasher.patch - patches.suse/0001-x86-stacktrace-do-now-unwind-after-user-regs.patch - patches.suse/0002-x86-stacktrace-make-clear-the-success-paths.patch - patches.suse/0003-x86-stacktrace-remove-STACKTRACE_DUMP_ONCE-from-__sa.patch - patches.suse/0004-x86-stacktrace-do-not-fail-for-ORC-with-regs-on-stac.patch - patches.suse/0005-x86-stacktrace-orc-mark-it-as-reliable.patch + patches.suse/0001-x86-stacktrace-Do-not-unwind-after-user-regs.patch + patches.suse/0002-x86-stacktrace-Remove-STACKTRACE_DUMP_ONCE.patch + patches.suse/0003-x86-stacktrace-Clarify-the-reliable-success-paths.patch + patches.suse/0004-x86-stacktrace-Do-not-fail-for-ORC-with-regs-on-stac.patch ++kabi patches.suse/0005-x86-unwind-orc-Detect-the-end-of-the-stack.patch + patches.suse/0006-x86-stacktrace-Enable-HAVE_RELIABLE_STACKTRACE-for-t.patch patches.suse/x86-cpu_entry_area-Map-also-trace_idt_table.patch |