From 47af2e2efcd0202daacf7df5a82b9039cfed57c4 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 4 Feb 2021 16:16:57 +0100 Subject: [PATCH] 4.14-stable patches added patches: acpi-thermal-do-not-call-acpi_thermal_check-directly.patch ibmvnic-ensure-that-crq-entry-read-are-correctly-ordered.patch net-dsa-bcm_sf2-put-device-node-before-return.patch net_sched-reject-silly-cell_log-in-qdisc_get_rtab.patch --- ...not-call-acpi_thermal_check-directly.patch | 176 ++++++++++++++++++ ...crq-entry-read-are-correctly-ordered.patch | 38 ++++ ...cm_sf2-put-device-node-before-return.patch | 44 +++++ ...ect-silly-cell_log-in-qdisc_get_rtab.patch | 65 +++++++ 4 files changed, 323 insertions(+) create mode 100644 queue-4.14/acpi-thermal-do-not-call-acpi_thermal_check-directly.patch create mode 100644 queue-4.14/ibmvnic-ensure-that-crq-entry-read-are-correctly-ordered.patch create mode 100644 queue-4.14/net-dsa-bcm_sf2-put-device-node-before-return.patch create mode 100644 queue-4.14/net_sched-reject-silly-cell_log-in-qdisc_get_rtab.patch diff --git a/queue-4.14/acpi-thermal-do-not-call-acpi_thermal_check-directly.patch b/queue-4.14/acpi-thermal-do-not-call-acpi_thermal_check-directly.patch new file mode 100644 index 00000000000..ea9695b248d --- /dev/null +++ b/queue-4.14/acpi-thermal-do-not-call-acpi_thermal_check-directly.patch @@ -0,0 +1,176 @@ +From 81b704d3e4674e09781d331df73d76675d5ad8cb Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Thu, 14 Jan 2021 19:34:22 +0100 +Subject: ACPI: thermal: Do not call acpi_thermal_check() directly + +From: Rafael J. Wysocki + +commit 81b704d3e4674e09781d331df73d76675d5ad8cb upstream. + +Calling acpi_thermal_check() from acpi_thermal_notify() directly +is problematic if _TMP triggers Notify () on the thermal zone for +which it has been evaluated (which happens on some systems), because +it causes a new acpi_thermal_notify() invocation to be queued up +every time and if that takes place too often, an indefinite number of +pending work items may accumulate in kacpi_notify_wq over time. + +Besides, it is not really useful to queue up a new invocation of +acpi_thermal_check() if one of them is pending already. + +For these reasons, rework acpi_thermal_notify() to queue up a thermal +check instead of calling acpi_thermal_check() directly and only allow +one thermal check to be pending at a time. Moreover, only allow one +acpi_thermal_check_fn() instance at a time to run +thermal_zone_device_update() for one thermal zone and make it return +early if it sees other instances running for the same thermal zone. + +While at it, fold acpi_thermal_check() into acpi_thermal_check_fn(), +as it is only called from there after the other changes made here. + +[This issue appears to have been exposed by commit 6d25be5782e4 + ("sched/core, workqueues: Distangle worker accounting from rq + lock"), but it is unclear why it was not visible earlier.] + +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=208877 +Reported-by: Stephen Berman +Diagnosed-by: Sebastian Andrzej Siewior +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Sebastian Andrzej Siewior +Tested-by: Stephen Berman +Cc: All applicable +[bigeasy: Backported to v5.4.y] +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/thermal.c | 55 +++++++++++++++++++++++++++++++++---------------- + 1 file changed, 38 insertions(+), 17 deletions(-) + +--- a/drivers/acpi/thermal.c ++++ b/drivers/acpi/thermal.c +@@ -188,6 +188,8 @@ struct acpi_thermal { + int tz_enabled; + int kelvin_offset; + struct work_struct thermal_check_work; ++ struct mutex thermal_check_lock; ++ refcount_t thermal_check_count; + }; + + /* -------------------------------------------------------------------------- +@@ -513,17 +515,6 @@ static int acpi_thermal_get_trip_points( + return 0; + } + +-static void acpi_thermal_check(void *data) +-{ +- struct acpi_thermal *tz = data; +- +- if (!tz->tz_enabled) +- return; +- +- thermal_zone_device_update(tz->thermal_zone, +- THERMAL_EVENT_UNSPECIFIED); +-} +- + /* sys I/F for generic thermal sysfs support */ + + static int thermal_get_temp(struct thermal_zone_device *thermal, int *temp) +@@ -557,6 +548,8 @@ static int thermal_get_mode(struct therm + return 0; + } + ++static void acpi_thermal_check_fn(struct work_struct *work); ++ + static int thermal_set_mode(struct thermal_zone_device *thermal, + enum thermal_device_mode mode) + { +@@ -582,7 +575,7 @@ static int thermal_set_mode(struct therm + ACPI_DEBUG_PRINT((ACPI_DB_INFO, + "%s kernel ACPI thermal control\n", + tz->tz_enabled ? "Enable" : "Disable")); +- acpi_thermal_check(tz); ++ acpi_thermal_check_fn(&tz->thermal_check_work); + } + return 0; + } +@@ -951,6 +944,12 @@ static void acpi_thermal_unregister_ther + Driver Interface + -------------------------------------------------------------------------- */ + ++static void acpi_queue_thermal_check(struct acpi_thermal *tz) ++{ ++ if (!work_pending(&tz->thermal_check_work)) ++ queue_work(acpi_thermal_pm_queue, &tz->thermal_check_work); ++} ++ + static void acpi_thermal_notify(struct acpi_device *device, u32 event) + { + struct acpi_thermal *tz = acpi_driver_data(device); +@@ -961,17 +960,17 @@ static void acpi_thermal_notify(struct a + + switch (event) { + case ACPI_THERMAL_NOTIFY_TEMPERATURE: +- acpi_thermal_check(tz); ++ acpi_queue_thermal_check(tz); + break; + case ACPI_THERMAL_NOTIFY_THRESHOLDS: + acpi_thermal_trips_update(tz, ACPI_TRIPS_REFRESH_THRESHOLDS); +- acpi_thermal_check(tz); ++ acpi_queue_thermal_check(tz); + acpi_bus_generate_netlink_event(device->pnp.device_class, + dev_name(&device->dev), event, 0); + break; + case ACPI_THERMAL_NOTIFY_DEVICES: + acpi_thermal_trips_update(tz, ACPI_TRIPS_REFRESH_DEVICES); +- acpi_thermal_check(tz); ++ acpi_queue_thermal_check(tz); + acpi_bus_generate_netlink_event(device->pnp.device_class, + dev_name(&device->dev), event, 0); + break; +@@ -1071,7 +1070,27 @@ static void acpi_thermal_check_fn(struct + { + struct acpi_thermal *tz = container_of(work, struct acpi_thermal, + thermal_check_work); +- acpi_thermal_check(tz); ++ ++ if (!tz->tz_enabled) ++ return; ++ /* ++ * In general, it is not sufficient to check the pending bit, because ++ * subsequent instances of this function may be queued after one of them ++ * has started running (e.g. if _TMP sleeps). Avoid bailing out if just ++ * one of them is running, though, because it may have done the actual ++ * check some time ago, so allow at least one of them to block on the ++ * mutex while another one is running the update. ++ */ ++ if (!refcount_dec_not_one(&tz->thermal_check_count)) ++ return; ++ ++ mutex_lock(&tz->thermal_check_lock); ++ ++ thermal_zone_device_update(tz->thermal_zone, THERMAL_EVENT_UNSPECIFIED); ++ ++ refcount_inc(&tz->thermal_check_count); ++ ++ mutex_unlock(&tz->thermal_check_lock); + } + + static int acpi_thermal_add(struct acpi_device *device) +@@ -1103,6 +1122,8 @@ static int acpi_thermal_add(struct acpi_ + if (result) + goto free_memory; + ++ refcount_set(&tz->thermal_check_count, 3); ++ mutex_init(&tz->thermal_check_lock); + INIT_WORK(&tz->thermal_check_work, acpi_thermal_check_fn); + + pr_info(PREFIX "%s [%s] (%ld C)\n", acpi_device_name(device), +@@ -1168,7 +1189,7 @@ static int acpi_thermal_resume(struct de + tz->state.active |= tz->trips.active[i].flags.enabled; + } + +- queue_work(acpi_thermal_pm_queue, &tz->thermal_check_work); ++ acpi_queue_thermal_check(tz); + + return AE_OK; + } diff --git a/queue-4.14/ibmvnic-ensure-that-crq-entry-read-are-correctly-ordered.patch b/queue-4.14/ibmvnic-ensure-that-crq-entry-read-are-correctly-ordered.patch new file mode 100644 index 00000000000..d75fa045181 --- /dev/null +++ b/queue-4.14/ibmvnic-ensure-that-crq-entry-read-are-correctly-ordered.patch @@ -0,0 +1,38 @@ +From e41aec79e62fa50f940cf222d1e9577f14e149dc Mon Sep 17 00:00:00 2001 +From: Lijun Pan +Date: Wed, 27 Jan 2021 19:34:42 -0600 +Subject: ibmvnic: Ensure that CRQ entry read are correctly ordered + +From: Lijun Pan + +commit e41aec79e62fa50f940cf222d1e9577f14e149dc upstream. + +Ensure that received Command-Response Queue (CRQ) entries are +properly read in order by the driver. dma_rmb barrier has +been added before accessing the CRQ descriptor to ensure +the entire descriptor is read before processing. + +Fixes: 032c5e82847a ("Driver for IBM System i/p VNIC protocol") +Signed-off-by: Lijun Pan +Link: https://lore.kernel.org/r/20210128013442.88319-1-ljp@linux.ibm.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ibm/ibmvnic.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -3682,6 +3682,12 @@ static void ibmvnic_tasklet(void *data) + while (!done) { + /* Pull all the valid messages off the CRQ */ + while ((crq = ibmvnic_next_crq(adapter)) != NULL) { ++ /* This barrier makes sure ibmvnic_next_crq()'s ++ * crq->generic.first & IBMVNIC_CRQ_CMD_RSP is loaded ++ * before ibmvnic_handle_crq()'s ++ * switch(gen_crq->first) and switch(gen_crq->cmd). ++ */ ++ dma_rmb(); + ibmvnic_handle_crq(crq, adapter); + crq->generic.first = 0; + } diff --git a/queue-4.14/net-dsa-bcm_sf2-put-device-node-before-return.patch b/queue-4.14/net-dsa-bcm_sf2-put-device-node-before-return.patch new file mode 100644 index 00000000000..4ac5f86cc16 --- /dev/null +++ b/queue-4.14/net-dsa-bcm_sf2-put-device-node-before-return.patch @@ -0,0 +1,44 @@ +From cf3c46631e1637582f517a574c77cd6c05793817 Mon Sep 17 00:00:00 2001 +From: Pan Bian +Date: Thu, 21 Jan 2021 04:33:43 -0800 +Subject: net: dsa: bcm_sf2: put device node before return + +From: Pan Bian + +commit cf3c46631e1637582f517a574c77cd6c05793817 upstream. + +Put the device node dn before return error code on failure path. + +Fixes: 461cd1b03e32 ("net: dsa: bcm_sf2: Register our slave MDIO bus") +Signed-off-by: Pan Bian +Link: https://lore.kernel.org/r/20210121123343.26330-1-bianpan2016@163.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/bcm_sf2.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/net/dsa/bcm_sf2.c ++++ b/drivers/net/dsa/bcm_sf2.c +@@ -540,15 +540,19 @@ static int bcm_sf2_mdio_register(struct + /* Find our integrated MDIO bus node */ + dn = of_find_compatible_node(NULL, NULL, "brcm,unimac-mdio"); + priv->master_mii_bus = of_mdio_find_bus(dn); +- if (!priv->master_mii_bus) ++ if (!priv->master_mii_bus) { ++ of_node_put(dn); + return -EPROBE_DEFER; ++ } + + get_device(&priv->master_mii_bus->dev); + priv->master_mii_dn = dn; + + priv->slave_mii_bus = devm_mdiobus_alloc(ds->dev); +- if (!priv->slave_mii_bus) ++ if (!priv->slave_mii_bus) { ++ of_node_put(dn); + return -ENOMEM; ++ } + + priv->slave_mii_bus->priv = priv; + priv->slave_mii_bus->name = "sf2 slave mii"; diff --git a/queue-4.14/net_sched-reject-silly-cell_log-in-qdisc_get_rtab.patch b/queue-4.14/net_sched-reject-silly-cell_log-in-qdisc_get_rtab.patch new file mode 100644 index 00000000000..a86c4e99f25 --- /dev/null +++ b/queue-4.14/net_sched-reject-silly-cell_log-in-qdisc_get_rtab.patch @@ -0,0 +1,65 @@ +From foo@baz Thu Feb 4 04:10:00 PM CET 2021 +From: Eric Dumazet +Date: Thu, 14 Jan 2021 08:06:37 -0800 +Subject: net_sched: reject silly cell_log in qdisc_get_rtab() + +From: Eric Dumazet + +commit e4bedf48aaa5552bc1f49703abd17606e7e6e82a upstream + +iproute2 probably never goes beyond 8 for the cell exponent, +but stick to the max shift exponent for signed 32bit. + +UBSAN reported: +UBSAN: shift-out-of-bounds in net/sched/sch_api.c:389:22 +shift exponent 130 is too large for 32-bit type 'int' +CPU: 1 PID: 8450 Comm: syz-executor586 Not tainted 5.11.0-rc3-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:79 [inline] + dump_stack+0x183/0x22e lib/dump_stack.c:120 + ubsan_epilogue lib/ubsan.c:148 [inline] + __ubsan_handle_shift_out_of_bounds+0x432/0x4d0 lib/ubsan.c:395 + __detect_linklayer+0x2a9/0x330 net/sched/sch_api.c:389 + qdisc_get_rtab+0x2b5/0x410 net/sched/sch_api.c:435 + cbq_init+0x28f/0x12c0 net/sched/sch_cbq.c:1180 + qdisc_create+0x801/0x1470 net/sched/sch_api.c:1246 + tc_modify_qdisc+0x9e3/0x1fc0 net/sched/sch_api.c:1662 + rtnetlink_rcv_msg+0xb1d/0xe60 net/core/rtnetlink.c:5564 + netlink_rcv_skb+0x1f0/0x460 net/netlink/af_netlink.c:2494 + netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] + netlink_unicast+0x7de/0x9b0 net/netlink/af_netlink.c:1330 + netlink_sendmsg+0xaa6/0xe90 net/netlink/af_netlink.c:1919 + sock_sendmsg_nosec net/socket.c:652 [inline] + sock_sendmsg net/socket.c:672 [inline] + ____sys_sendmsg+0x5a2/0x900 net/socket.c:2345 + ___sys_sendmsg net/socket.c:2399 [inline] + __sys_sendmsg+0x319/0x400 net/socket.c:2432 + do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Acked-by: Cong Wang +Link: https://lore.kernel.org/r/20210114160637.1660597-1-eric.dumazet@gmail.com +Signed-off-by: Jakub Kicinski +[sudip: adjust context] +Signed-off-by: Sudip Mukherjee +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_api.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/sched/sch_api.c ++++ b/net/sched/sch_api.c +@@ -397,7 +397,8 @@ struct qdisc_rate_table *qdisc_get_rtab( + { + struct qdisc_rate_table *rtab; + +- if (tab == NULL || r->rate == 0 || r->cell_log == 0 || ++ if (tab == NULL || r->rate == 0 || ++ r->cell_log == 0 || r->cell_log >= 32 || + nla_len(tab) != TC_RTAB_SIZE) + return NULL; + -- 2.47.3