From: Sasha Levin Date: Wed, 18 Mar 2020 19:27:17 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v4.4.217~36 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=eccf2a1faf1b361314db16f21adbb6c2553d9361;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/drm-amdgpu-fix-tlb-invalidation-request-when-using-s.patch b/queue-5.4/drm-amdgpu-fix-tlb-invalidation-request-when-using-s.patch new file mode 100644 index 00000000000..1016b8cfad2 --- /dev/null +++ b/queue-5.4/drm-amdgpu-fix-tlb-invalidation-request-when-using-s.patch @@ -0,0 +1,91 @@ +From 4669d2cb70c9e5b6876b3e4206174e33d4a4b02d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Jan 2020 19:54:45 -0500 +Subject: drm/amdgpu: Fix TLB invalidation request when using semaphore +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Felix Kuehling + +[ Upstream commit 37c58ddf57364d1a636850bb8ba6acbe1e16195e ] + +Use a more meaningful variable name for the invalidation request +that is distinct from the tmp variable that gets overwritten when +acquiring the invalidation semaphore. + +Fixes: 4ed8a03740d0 ("drm/amdgpu: invalidate mmhub semaphore workaround in gmc9/gmc10") +Signed-off-by: Felix Kuehling +Reviewed-by: Christian König +Reviewed-by: Yong Zhao +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/gmc_v10_0.c | 5 +++-- + drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c | 8 ++++---- + 2 files changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/gmc_v10_0.c b/drivers/gpu/drm/amd/amdgpu/gmc_v10_0.c +index a7ba4c6cf7a1c..f642e066e67a2 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gmc_v10_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v10_0.c +@@ -230,7 +230,8 @@ static void gmc_v10_0_flush_vm_hub(struct amdgpu_device *adev, uint32_t vmid, + unsigned int vmhub, uint32_t flush_type) + { + struct amdgpu_vmhub *hub = &adev->vmhub[vmhub]; +- u32 tmp = gmc_v10_0_get_invalidate_req(vmid, flush_type); ++ u32 inv_req = gmc_v10_0_get_invalidate_req(vmid, flush_type); ++ u32 tmp; + /* Use register 17 for GART */ + const unsigned eng = 17; + unsigned int i; +@@ -258,7 +259,7 @@ static void gmc_v10_0_flush_vm_hub(struct amdgpu_device *adev, uint32_t vmid, + DRM_ERROR("Timeout waiting for sem acquire in VM flush!\n"); + } + +- WREG32_NO_KIQ(hub->vm_inv_eng0_req + eng, tmp); ++ WREG32_NO_KIQ(hub->vm_inv_eng0_req + eng, inv_req); + + /* + * Issue a dummy read to wait for the ACK register to be cleared +diff --git a/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c b/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c +index da53a55bf955b..688111ef814de 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c +@@ -487,13 +487,13 @@ static void gmc_v9_0_flush_gpu_tlb(struct amdgpu_device *adev, uint32_t vmid, + { + bool use_semaphore = gmc_v9_0_use_invalidate_semaphore(adev, vmhub); + const unsigned eng = 17; +- u32 j, tmp; ++ u32 j, inv_req, tmp; + struct amdgpu_vmhub *hub; + + BUG_ON(vmhub >= adev->num_vmhubs); + + hub = &adev->vmhub[vmhub]; +- tmp = gmc_v9_0_get_invalidate_req(vmid, flush_type); ++ inv_req = gmc_v9_0_get_invalidate_req(vmid, flush_type); + + /* This is necessary for a HW workaround under SRIOV as well + * as GFXOFF under bare metal +@@ -504,7 +504,7 @@ static void gmc_v9_0_flush_gpu_tlb(struct amdgpu_device *adev, uint32_t vmid, + uint32_t req = hub->vm_inv_eng0_req + eng; + uint32_t ack = hub->vm_inv_eng0_ack + eng; + +- amdgpu_virt_kiq_reg_write_reg_wait(adev, req, ack, tmp, ++ amdgpu_virt_kiq_reg_write_reg_wait(adev, req, ack, inv_req, + 1 << vmid); + return; + } +@@ -532,7 +532,7 @@ static void gmc_v9_0_flush_gpu_tlb(struct amdgpu_device *adev, uint32_t vmid, + DRM_ERROR("Timeout waiting for sem acquire in VM flush!\n"); + } + +- WREG32_NO_KIQ(hub->vm_inv_eng0_req + eng, tmp); ++ WREG32_NO_KIQ(hub->vm_inv_eng0_req + eng, inv_req); + + /* + * Issue a dummy read to wait for the ACK register to be cleared +-- +2.20.1 + diff --git a/queue-5.4/mmc-core-allow-host-controllers-to-require-r1b-for-c.patch b/queue-5.4/mmc-core-allow-host-controllers-to-require-r1b-for-c.patch new file mode 100644 index 00000000000..22125be9089 --- /dev/null +++ b/queue-5.4/mmc-core-allow-host-controllers-to-require-r1b-for-c.patch @@ -0,0 +1,63 @@ +From a1f5bc9fb86ffafa865dcb1ff31b126b7095bcd2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2020 12:49:43 +0100 +Subject: mmc: core: Allow host controllers to require R1B for CMD6 + +From: Ulf Hansson + +[ Upstream commit 1292e3efb149ee21d8d33d725eeed4e6b1ade963 ] + +It has turned out that some host controllers can't use R1B for CMD6 and +other commands that have R1B associated with them. Therefore invent a new +host cap, MMC_CAP_NEED_RSP_BUSY to let them specify this. + +In __mmc_switch(), let's check the flag and use it to prevent R1B responses +from being converted into R1. Note that, this also means that the host are +on its own, when it comes to manage the busy timeout. + +Suggested-by: Sowjanya Komatineni +Cc: +Tested-by: Anders Roxell +Tested-by: Sowjanya Komatineni +Tested-by: Faiz Abbas +Tested-By: Peter Geis +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/core/mmc_ops.c | 6 ++++-- + include/linux/mmc/host.h | 1 + + 2 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/mmc/core/mmc_ops.c b/drivers/mmc/core/mmc_ops.c +index cfb2ce979baf1..5a4eddef8067b 100644 +--- a/drivers/mmc/core/mmc_ops.c ++++ b/drivers/mmc/core/mmc_ops.c +@@ -540,9 +540,11 @@ int __mmc_switch(struct mmc_card *card, u8 set, u8 index, u8 value, + * If the max_busy_timeout of the host is specified, make sure it's + * enough to fit the used timeout_ms. In case it's not, let's instruct + * the host to avoid HW busy detection, by converting to a R1 response +- * instead of a R1B. ++ * instead of a R1B. Note, some hosts requires R1B, which also means ++ * they are on their own when it comes to deal with the busy timeout. + */ +- if (host->max_busy_timeout && (timeout_ms > host->max_busy_timeout)) ++ if (!(host->caps & MMC_CAP_NEED_RSP_BUSY) && host->max_busy_timeout && ++ (timeout_ms > host->max_busy_timeout)) + use_r1b_resp = false; + + cmd.opcode = MMC_SWITCH; +diff --git a/include/linux/mmc/host.h b/include/linux/mmc/host.h +index ba703384bea0c..4c5eb3aa8e723 100644 +--- a/include/linux/mmc/host.h ++++ b/include/linux/mmc/host.h +@@ -333,6 +333,7 @@ struct mmc_host { + MMC_CAP_UHS_SDR50 | MMC_CAP_UHS_SDR104 | \ + MMC_CAP_UHS_DDR50) + #define MMC_CAP_SYNC_RUNTIME_PM (1 << 21) /* Synced runtime PM suspends. */ ++#define MMC_CAP_NEED_RSP_BUSY (1 << 22) /* Commands with R1B can't use R1. */ + #define MMC_CAP_DRIVER_TYPE_A (1 << 23) /* Host supports Driver Type A */ + #define MMC_CAP_DRIVER_TYPE_C (1 << 24) /* Host supports Driver Type C */ + #define MMC_CAP_DRIVER_TYPE_D (1 << 25) /* Host supports Driver Type D */ +-- +2.20.1 + diff --git a/queue-5.4/mmc-core-default-to-generic_cmd6_time-as-timeout-in-.patch b/queue-5.4/mmc-core-default-to-generic_cmd6_time-as-timeout-in-.patch new file mode 100644 index 00000000000..6b5a59a9b6f --- /dev/null +++ b/queue-5.4/mmc-core-default-to-generic_cmd6_time-as-timeout-in-.patch @@ -0,0 +1,79 @@ +From 8473832a4e3714072a5e9f0e77b0a9ef6f3d6320 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Jan 2020 15:27:47 +0100 +Subject: mmc: core: Default to generic_cmd6_time as timeout in __mmc_switch() + +From: Ulf Hansson + +[ Upstream commit 533a6cfe08f96a7b5c65e06d20916d552c11b256 ] + +All callers of __mmc_switch() should now be specifying a valid timeout for +the CMD6 command. However, just to be sure, let's print a warning and +default to use the generic_cmd6_time in case the provided timeout_ms +argument is zero. + +In this context, let's also simplify some of the corresponding code and +clarify some related comments. + +Signed-off-by: Ulf Hansson +Link: https://lore.kernel.org/r/20200122142747.5690-4-ulf.hansson@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/mmc/core/mmc_ops.c | 25 +++++++++++-------------- + 1 file changed, 11 insertions(+), 14 deletions(-) + +diff --git a/drivers/mmc/core/mmc_ops.c b/drivers/mmc/core/mmc_ops.c +index 09113b9ad6790..cfb2ce979baf1 100644 +--- a/drivers/mmc/core/mmc_ops.c ++++ b/drivers/mmc/core/mmc_ops.c +@@ -458,10 +458,6 @@ static int mmc_poll_for_busy(struct mmc_card *card, unsigned int timeout_ms, + bool expired = false; + bool busy = false; + +- /* We have an unspecified cmd timeout, use the fallback value. */ +- if (!timeout_ms) +- timeout_ms = MMC_OPS_TIMEOUT_MS; +- + /* + * In cases when not allowed to poll by using CMD13 or because we aren't + * capable of polling by using ->card_busy(), then rely on waiting the +@@ -534,14 +530,19 @@ int __mmc_switch(struct mmc_card *card, u8 set, u8 index, u8 value, + + mmc_retune_hold(host); + ++ if (!timeout_ms) { ++ pr_warn("%s: unspecified timeout for CMD6 - use generic\n", ++ mmc_hostname(host)); ++ timeout_ms = card->ext_csd.generic_cmd6_time; ++ } ++ + /* +- * If the cmd timeout and the max_busy_timeout of the host are both +- * specified, let's validate them. A failure means we need to prevent +- * the host from doing hw busy detection, which is done by converting +- * to a R1 response instead of a R1B. ++ * If the max_busy_timeout of the host is specified, make sure it's ++ * enough to fit the used timeout_ms. In case it's not, let's instruct ++ * the host to avoid HW busy detection, by converting to a R1 response ++ * instead of a R1B. + */ +- if (timeout_ms && host->max_busy_timeout && +- (timeout_ms > host->max_busy_timeout)) ++ if (host->max_busy_timeout && (timeout_ms > host->max_busy_timeout)) + use_r1b_resp = false; + + cmd.opcode = MMC_SWITCH; +@@ -552,10 +553,6 @@ int __mmc_switch(struct mmc_card *card, u8 set, u8 index, u8 value, + cmd.flags = MMC_CMD_AC; + if (use_r1b_resp) { + cmd.flags |= MMC_RSP_SPI_R1B | MMC_RSP_R1B; +- /* +- * A busy_timeout of zero means the host can decide to use +- * whatever value it finds suitable. +- */ + cmd.busy_timeout = timeout_ms; + } else { + cmd.flags |= MMC_RSP_SPI_R1 | MMC_RSP_R1; +-- +2.20.1 + diff --git a/queue-5.4/mmc-core-respect-mmc_cap_need_rsp_busy-for-emmc-slee.patch b/queue-5.4/mmc-core-respect-mmc_cap_need_rsp_busy-for-emmc-slee.patch new file mode 100644 index 00000000000..0350cbd168f --- /dev/null +++ b/queue-5.4/mmc-core-respect-mmc_cap_need_rsp_busy-for-emmc-slee.patch @@ -0,0 +1,50 @@ +From f75bf6fc10f5519e68968df317b6f82fd0e731b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2020 10:20:36 +0100 +Subject: mmc: core: Respect MMC_CAP_NEED_RSP_BUSY for eMMC sleep command + +From: Ulf Hansson + +[ Upstream commit 18d200460cd73636d4f20674085c39e32b4e0097 ] + +The busy timeout for the CMD5 to put the eMMC into sleep state, is specific +to the card. Potentially the timeout may exceed the host->max_busy_timeout. +If that becomes the case, mmc_sleep() converts from using an R1B response +to an R1 response, as to prevent the host from doing HW busy detection. + +However, it has turned out that some hosts requires an R1B response no +matter what, so let's respect that via checking MMC_CAP_NEED_RSP_BUSY. Note +that, if the R1B gets enforced, the host becomes fully responsible of +managing the needed busy timeout, in one way or the other. + +Suggested-by: Sowjanya Komatineni +Cc: +Link: https://lore.kernel.org/r/20200311092036.16084-1-ulf.hansson@linaro.org +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/core/mmc.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/mmc/core/mmc.c b/drivers/mmc/core/mmc.c +index c8804895595f4..b7159e243323b 100644 +--- a/drivers/mmc/core/mmc.c ++++ b/drivers/mmc/core/mmc.c +@@ -1911,9 +1911,12 @@ static int mmc_sleep(struct mmc_host *host) + * If the max_busy_timeout of the host is specified, validate it against + * the sleep cmd timeout. A failure means we need to prevent the host + * from doing hw busy detection, which is done by converting to a R1 +- * response instead of a R1B. ++ * response instead of a R1B. Note, some hosts requires R1B, which also ++ * means they are on their own when it comes to deal with the busy ++ * timeout. + */ +- if (host->max_busy_timeout && (timeout_ms > host->max_busy_timeout)) { ++ if (!(host->caps & MMC_CAP_NEED_RSP_BUSY) && host->max_busy_timeout && ++ (timeout_ms > host->max_busy_timeout)) { + cmd.flags = MMC_RSP_R1 | MMC_CMD_AC; + } else { + cmd.flags = MMC_RSP_R1B | MMC_CMD_AC; +-- +2.20.1 + diff --git a/queue-5.4/mmc-core-respect-mmc_cap_need_rsp_busy-for-erase-tri.patch b/queue-5.4/mmc-core-respect-mmc_cap_need_rsp_busy-for-erase-tri.patch new file mode 100644 index 00000000000..cc3b81298f0 --- /dev/null +++ b/queue-5.4/mmc-core-respect-mmc_cap_need_rsp_busy-for-erase-tri.patch @@ -0,0 +1,51 @@ +From 6962ee503cebdcaf7ec8194714723e4fa5fcc1e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2020 14:43:00 +0100 +Subject: mmc: core: Respect MMC_CAP_NEED_RSP_BUSY for erase/trim/discard + +From: Ulf Hansson + +[ Upstream commit 43cc64e5221cc6741252b64bc4531dd1eefb733d ] + +The busy timeout that is computed for each erase/trim/discard operation, +can become quite long and may thus exceed the host->max_busy_timeout. If +that becomes the case, mmc_do_erase() converts from using an R1B response +to an R1 response, as to prevent the host from doing HW busy detection. + +However, it has turned out that some hosts requires an R1B response no +matter what, so let's respect that via checking MMC_CAP_NEED_RSP_BUSY. Note +that, if the R1B gets enforced, the host becomes fully responsible of +managing the needed busy timeout, in one way or the other. + +Suggested-by: Sowjanya Komatineni +Cc: +Tested-by: Anders Roxell +Tested-by: Sowjanya Komatineni +Tested-by: Faiz Abbas +Tested-By: Peter Geis +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/core/core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/core/core.c b/drivers/mmc/core/core.c +index abf8f5eb0a1c8..26644b7ec13e3 100644 +--- a/drivers/mmc/core/core.c ++++ b/drivers/mmc/core/core.c +@@ -1732,8 +1732,11 @@ static int mmc_do_erase(struct mmc_card *card, unsigned int from, + * the erase operation does not exceed the max_busy_timeout, we should + * use R1B response. Or we need to prevent the host from doing hw busy + * detection, which is done by converting to a R1 response instead. ++ * Note, some hosts requires R1B, which also means they are on their own ++ * when it comes to deal with the busy timeout. + */ +- if (card->host->max_busy_timeout && ++ if (!(card->host->caps & MMC_CAP_NEED_RSP_BUSY) && ++ card->host->max_busy_timeout && + busy_timeout > card->host->max_busy_timeout) { + cmd.flags = MMC_RSP_SPI_R1 | MMC_RSP_R1 | MMC_CMD_AC; + } else { +-- +2.20.1 + diff --git a/queue-5.4/mmc-sdhci-omap-fix-busy-detection-by-enabling-mmc_ca.patch b/queue-5.4/mmc-sdhci-omap-fix-busy-detection-by-enabling-mmc_ca.patch new file mode 100644 index 00000000000..ed4d9fd6891 --- /dev/null +++ b/queue-5.4/mmc-sdhci-omap-fix-busy-detection-by-enabling-mmc_ca.patch @@ -0,0 +1,46 @@ +From cd89d80d29c76ad1d6557efc891c1ce5067b37b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2020 15:05:02 +0100 +Subject: mmc: sdhci-omap: Fix busy detection by enabling MMC_CAP_NEED_RSP_BUSY + +From: Ulf Hansson + +[ Upstream commit 055e04830d4544c57f2a5192a26c9e25915c29c0 ] + +It has turned out that the sdhci-omap controller requires the R1B response, +for commands that has this response associated with them. So, converting +from an R1B to an R1 response for a CMD6 for example, leads to problems +with the HW busy detection support. + +Fix this by informing the mmc core about the requirement, via setting the +host cap, MMC_CAP_NEED_RSP_BUSY. + +Reported-by: Naresh Kamboju +Reported-by: Anders Roxell +Reported-by: Faiz Abbas +Cc: +Tested-by: Anders Roxell +Tested-by: Faiz Abbas +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/sdhci-omap.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/mmc/host/sdhci-omap.c b/drivers/mmc/host/sdhci-omap.c +index 083e7e053c954..d3135249b2e40 100644 +--- a/drivers/mmc/host/sdhci-omap.c ++++ b/drivers/mmc/host/sdhci-omap.c +@@ -1134,6 +1134,9 @@ static int sdhci_omap_probe(struct platform_device *pdev) + host->mmc_host_ops.execute_tuning = sdhci_omap_execute_tuning; + host->mmc_host_ops.enable_sdio_irq = sdhci_omap_enable_sdio_irq; + ++ /* R1B responses is required to properly manage HW busy detection. */ ++ mmc->caps |= MMC_CAP_NEED_RSP_BUSY; ++ + ret = sdhci_setup_host(host); + if (ret) + goto err_put_sync; +-- +2.20.1 + diff --git a/queue-5.4/mmc-sdhci-tegra-fix-busy-detection-by-enabling-mmc_c.patch b/queue-5.4/mmc-sdhci-tegra-fix-busy-detection-by-enabling-mmc_c.patch new file mode 100644 index 00000000000..cf6614455aa --- /dev/null +++ b/queue-5.4/mmc-sdhci-tegra-fix-busy-detection-by-enabling-mmc_c.patch @@ -0,0 +1,47 @@ +From e27134843b8c72a6d253c68077a5638d15136b8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2020 15:50:11 +0100 +Subject: mmc: sdhci-tegra: Fix busy detection by enabling + MMC_CAP_NEED_RSP_BUSY + +From: Ulf Hansson + +[ Upstream commit d2f8bfa4bff5028bc40ed56b4497c32e05b0178f ] + +It has turned out that the sdhci-tegra controller requires the R1B response, +for commands that has this response associated with them. So, converting +from an R1B to an R1 response for a CMD6 for example, leads to problems +with the HW busy detection support. + +Fix this by informing the mmc core about the requirement, via setting the +host cap, MMC_CAP_NEED_RSP_BUSY. + +Reported-by: Bitan Biswas +Reported-by: Peter Geis +Suggested-by: Sowjanya Komatineni +Cc: +Tested-by: Sowjanya Komatineni +Tested-By: Peter Geis +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/sdhci-tegra.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/mmc/host/sdhci-tegra.c b/drivers/mmc/host/sdhci-tegra.c +index 403ac44a73782..a25c3a4d3f6cb 100644 +--- a/drivers/mmc/host/sdhci-tegra.c ++++ b/drivers/mmc/host/sdhci-tegra.c +@@ -1552,6 +1552,9 @@ static int sdhci_tegra_probe(struct platform_device *pdev) + if (tegra_host->soc_data->nvquirks & NVQUIRK_ENABLE_DDR50) + host->mmc->caps |= MMC_CAP_1_8V_DDR; + ++ /* R1B responses is required to properly manage HW busy detection. */ ++ host->mmc->caps |= MMC_CAP_NEED_RSP_BUSY; ++ + tegra_sdhci_parse_dt(host); + + tegra_host->power_gpio = devm_gpiod_get_optional(&pdev->dev, "power", +-- +2.20.1 + diff --git a/queue-5.4/netfilter-hashlimit-do-not-use-indirect-calls-during.patch b/queue-5.4/netfilter-hashlimit-do-not-use-indirect-calls-during.patch new file mode 100644 index 00000000000..2f09a3705b4 --- /dev/null +++ b/queue-5.4/netfilter-hashlimit-do-not-use-indirect-calls-during.patch @@ -0,0 +1,76 @@ +From 394812cb71b05b5f488a2c62eb770e5a91264062 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jan 2020 12:25:10 +0100 +Subject: netfilter: hashlimit: do not use indirect calls during gc + +From: Florian Westphal + +[ Upstream commit 28b3a4270c0fc064557e409111f2a678e64b6fa7 ] + +no need, just use a simple boolean to indicate we want to reap all +entries. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_hashlimit.c | 22 ++++------------------ + 1 file changed, 4 insertions(+), 18 deletions(-) + +diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c +index 1b68a131083c2..7a2c4b8408c49 100644 +--- a/net/netfilter/xt_hashlimit.c ++++ b/net/netfilter/xt_hashlimit.c +@@ -358,21 +358,7 @@ static int htable_create(struct net *net, struct hashlimit_cfg3 *cfg, + return 0; + } + +-static bool select_all(const struct xt_hashlimit_htable *ht, +- const struct dsthash_ent *he) +-{ +- return true; +-} +- +-static bool select_gc(const struct xt_hashlimit_htable *ht, +- const struct dsthash_ent *he) +-{ +- return time_after_eq(jiffies, he->expires); +-} +- +-static void htable_selective_cleanup(struct xt_hashlimit_htable *ht, +- bool (*select)(const struct xt_hashlimit_htable *ht, +- const struct dsthash_ent *he)) ++static void htable_selective_cleanup(struct xt_hashlimit_htable *ht, bool select_all) + { + unsigned int i; + +@@ -382,7 +368,7 @@ static void htable_selective_cleanup(struct xt_hashlimit_htable *ht, + + spin_lock_bh(&ht->lock); + hlist_for_each_entry_safe(dh, n, &ht->hash[i], node) { +- if ((*select)(ht, dh)) ++ if (time_after_eq(jiffies, dh->expires) || select_all) + dsthash_free(ht, dh); + } + spin_unlock_bh(&ht->lock); +@@ -396,7 +382,7 @@ static void htable_gc(struct work_struct *work) + + ht = container_of(work, struct xt_hashlimit_htable, gc_work.work); + +- htable_selective_cleanup(ht, select_gc); ++ htable_selective_cleanup(ht, false); + + queue_delayed_work(system_power_efficient_wq, + &ht->gc_work, msecs_to_jiffies(ht->cfg.gc_interval)); +@@ -420,7 +406,7 @@ static void htable_destroy(struct xt_hashlimit_htable *hinfo) + { + cancel_delayed_work_sync(&hinfo->gc_work); + htable_remove_proc_entry(hinfo); +- htable_selective_cleanup(hinfo, select_all); ++ htable_selective_cleanup(hinfo, true); + kfree(hinfo->name); + vfree(hinfo); + } +-- +2.20.1 + diff --git a/queue-5.4/netfilter-xt_hashlimit-unregister-proc-file-before-r.patch b/queue-5.4/netfilter-xt_hashlimit-unregister-proc-file-before-r.patch new file mode 100644 index 00000000000..d657e31eb35 --- /dev/null +++ b/queue-5.4/netfilter-xt_hashlimit-unregister-proc-file-before-r.patch @@ -0,0 +1,66 @@ +From 960a432768c23a88af49268c3263306fe212d824 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Feb 2020 22:53:52 -0800 +Subject: netfilter: xt_hashlimit: unregister proc file before releasing mutex + +From: Cong Wang + +[ Upstream commit 99b79c3900d4627672c85d9f344b5b0f06bc2a4d ] + +Before releasing the global mutex, we only unlink the hashtable +from the hash list, its proc file is still not unregistered at +this point. So syzbot could trigger a race condition where a +parallel htable_create() could register the same file immediately +after the mutex is released. + +Move htable_remove_proc_entry() back to mutex protection to +fix this. And, fold htable_destroy() into htable_put() to make +the code slightly easier to understand. + +Reported-and-tested-by: syzbot+d195fd3b9a364ddd6731@syzkaller.appspotmail.com +Fixes: c4a3922d2d20 ("netfilter: xt_hashlimit: reduce hashlimit_mutex scope for htable_put()") +Signed-off-by: Cong Wang +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_hashlimit.c | 16 ++++++---------- + 1 file changed, 6 insertions(+), 10 deletions(-) + +diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c +index 7a2c4b8408c49..8c835ad637290 100644 +--- a/net/netfilter/xt_hashlimit.c ++++ b/net/netfilter/xt_hashlimit.c +@@ -402,15 +402,6 @@ static void htable_remove_proc_entry(struct xt_hashlimit_htable *hinfo) + remove_proc_entry(hinfo->name, parent); + } + +-static void htable_destroy(struct xt_hashlimit_htable *hinfo) +-{ +- cancel_delayed_work_sync(&hinfo->gc_work); +- htable_remove_proc_entry(hinfo); +- htable_selective_cleanup(hinfo, true); +- kfree(hinfo->name); +- vfree(hinfo); +-} +- + static struct xt_hashlimit_htable *htable_find_get(struct net *net, + const char *name, + u_int8_t family) +@@ -432,8 +423,13 @@ static void htable_put(struct xt_hashlimit_htable *hinfo) + { + if (refcount_dec_and_mutex_lock(&hinfo->use, &hashlimit_mutex)) { + hlist_del(&hinfo->node); ++ htable_remove_proc_entry(hinfo); + mutex_unlock(&hashlimit_mutex); +- htable_destroy(hinfo); ++ ++ cancel_delayed_work_sync(&hinfo->gc_work); ++ htable_selective_cleanup(hinfo, true); ++ kfree(hinfo->name); ++ vfree(hinfo); + } + } + +-- +2.20.1 + diff --git a/queue-5.4/series b/queue-5.4/series new file mode 100644 index 00000000000..57e937a5219 --- /dev/null +++ b/queue-5.4/series @@ -0,0 +1,9 @@ +netfilter-hashlimit-do-not-use-indirect-calls-during.patch +netfilter-xt_hashlimit-unregister-proc-file-before-r.patch +drm-amdgpu-fix-tlb-invalidation-request-when-using-s.patch +mmc-core-default-to-generic_cmd6_time-as-timeout-in-.patch +mmc-core-allow-host-controllers-to-require-r1b-for-c.patch +mmc-sdhci-tegra-fix-busy-detection-by-enabling-mmc_c.patch +mmc-sdhci-omap-fix-busy-detection-by-enabling-mmc_ca.patch +mmc-core-respect-mmc_cap_need_rsp_busy-for-emmc-slee.patch +mmc-core-respect-mmc_cap_need_rsp_busy-for-erase-tri.patch