From fb112ae6e975af2bf50ac81eb85d3acc800a6d33 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 6 Sep 2020 22:55:58 -0400 Subject: [PATCH] Fixes for 4.4 Signed-off-by: Sasha Levin --- ...-uninitialized-chaddr-when-handling-.patch | 52 +++++++++ ...se-netif_rx_ni-when-not-in-interrupt.patch | 42 +++++++ ...-check-for-zero-dir-entries-in-nvram.patch | 39 +++++++ ...ac-check-return-value-of-of_find_dev.patch | 39 +++++++ ...-fix-of_dma_router_xlate-s-of_dma_xl.patch | 47 ++++++++ ...fix-burst-length-if-burst-size-is-sm.patch | 48 ++++++++ ...n-epoll-keep-a-reference-on-files-ad.patch | 42 +++++++ ...g2.h-add-missing-around-n-in-roundup.patch | 37 ++++++ ...lize-iommu-gcmd-register-modificatio.patch | 62 ++++++++++ ...les-fix-destination-register-zeroing.patch | 82 +++++++++++++ ...les-incorrect-enum-nft_list_attribut.patch | 35 ++++++ queue-4.4/series | 13 +++ ...oft-lockup-when-tg3_reset_task-fails.patch | 80 +++++++++++++ ...hermal-fix-bogus-thermal-shutdowns-f.patch | 110 ++++++++++++++++++ 14 files changed, 728 insertions(+) create mode 100644 queue-4.4/batman-adv-avoid-uninitialized-chaddr-when-handling-.patch create mode 100644 queue-4.4/batman-adv-bla-use-netif_rx_ni-when-not-in-interrupt.patch create mode 100644 queue-4.4/bnxt_en-check-for-zero-dir-entries-in-nvram.patch create mode 100644 queue-4.4/dmaengine-at_hdmac-check-return-value-of-of_find_dev.patch create mode 100644 queue-4.4/dmaengine-of-dma-fix-of_dma_router_xlate-s-of_dma_xl.patch create mode 100644 queue-4.4/dmaengine-pl330-fix-burst-length-if-burst-size-is-sm.patch create mode 100644 queue-4.4/fix-regression-in-epoll-keep-a-reference-on-files-ad.patch create mode 100644 queue-4.4/include-linux-log2.h-add-missing-around-n-in-roundup.patch create mode 100644 queue-4.4/iommu-vt-d-serialize-iommu-gcmd-register-modificatio.patch create mode 100644 queue-4.4/netfilter-nf_tables-fix-destination-register-zeroing.patch create mode 100644 queue-4.4/netfilter-nf_tables-incorrect-enum-nft_list_attribut.patch create mode 100644 queue-4.4/tg3-fix-soft-lockup-when-tg3_reset_task-fails.patch create mode 100644 queue-4.4/thermal-ti-soc-thermal-fix-bogus-thermal-shutdowns-f.patch diff --git a/queue-4.4/batman-adv-avoid-uninitialized-chaddr-when-handling-.patch b/queue-4.4/batman-adv-avoid-uninitialized-chaddr-when-handling-.patch new file mode 100644 index 00000000000..ee026d71a79 --- /dev/null +++ b/queue-4.4/batman-adv-avoid-uninitialized-chaddr-when-handling-.patch @@ -0,0 +1,52 @@ +From 5c201a348772a34d8be6edc144427eecab94d84f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Jul 2020 20:36:43 +0200 +Subject: batman-adv: Avoid uninitialized chaddr when handling DHCP + +From: Sven Eckelmann + +[ Upstream commit 303216e76dcab6049c9d42390b1032f0649a8206 ] + +The gateway client code can try to optimize the delivery of DHCP packets to +avoid broadcasting them through the whole mesh. But also transmissions to +the client can be optimized by looking up the destination via the chaddr of +the DHCP packet. + +But the chaddr is currently only done when chaddr is fully inside the +non-paged area of the skbuff. Otherwise it will not be initialized and the +unoptimized path should have been taken. + +But the implementation didn't handle this correctly. It didn't retrieve the +correct chaddr but still tried to perform the TT lookup with this +uninitialized memory. + +Reported-by: syzbot+ab16e463b903f5a37036@syzkaller.appspotmail.com +Fixes: 6c413b1c22a2 ("batman-adv: send every DHCP packet as bat-unicast") +Signed-off-by: Sven Eckelmann +Acked-by: Antonio Quartulli +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/gateway_client.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/batman-adv/gateway_client.c b/net/batman-adv/gateway_client.c +index a88b529b7ca08..5fdb88f72b68f 100644 +--- a/net/batman-adv/gateway_client.c ++++ b/net/batman-adv/gateway_client.c +@@ -757,8 +757,10 @@ batadv_gw_dhcp_recipient_get(struct sk_buff *skb, unsigned int *header_len, + + chaddr_offset = *header_len + BATADV_DHCP_CHADDR_OFFSET; + /* store the client address if the message is going to a client */ +- if (ret == BATADV_DHCP_TO_CLIENT && +- pskb_may_pull(skb, chaddr_offset + ETH_ALEN)) { ++ if (ret == BATADV_DHCP_TO_CLIENT) { ++ if (!pskb_may_pull(skb, chaddr_offset + ETH_ALEN)) ++ return BATADV_DHCP_NO; ++ + /* check if the DHCP packet carries an Ethernet DHCP */ + p = skb->data + *header_len + BATADV_DHCP_HTYPE_OFFSET; + if (*p != BATADV_DHCP_HTYPE_ETHERNET) +-- +2.25.1 + diff --git a/queue-4.4/batman-adv-bla-use-netif_rx_ni-when-not-in-interrupt.patch b/queue-4.4/batman-adv-bla-use-netif_rx_ni-when-not-in-interrupt.patch new file mode 100644 index 00000000000..8fa874100c9 --- /dev/null +++ b/queue-4.4/batman-adv-bla-use-netif_rx_ni-when-not-in-interrupt.patch @@ -0,0 +1,42 @@ +From eb4b7387e966fac96d26414eb76b474a381ed143 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Aug 2020 17:46:10 +0300 +Subject: batman-adv: bla: use netif_rx_ni when not in interrupt context + +From: Jussi Kivilinna + +[ Upstream commit 279e89b2281af3b1a9f04906e157992c19c9f163 ] + +batadv_bla_send_claim() gets called from worker thread context through +batadv_bla_periodic_work(), thus netif_rx_ni needs to be used in that +case. This fixes "NOHZ: local_softirq_pending 08" log messages seen +when batman-adv is enabled. + +Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code") +Signed-off-by: Jussi Kivilinna +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/bridge_loop_avoidance.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c +index cea7fdeac5aa2..9aa5daa551273 100644 +--- a/net/batman-adv/bridge_loop_avoidance.c ++++ b/net/batman-adv/bridge_loop_avoidance.c +@@ -380,7 +380,10 @@ static void batadv_bla_send_claim(struct batadv_priv *bat_priv, u8 *mac, + skb->len + ETH_HLEN); + soft_iface->last_rx = jiffies; + +- netif_rx(skb); ++ if (in_interrupt()) ++ netif_rx(skb); ++ else ++ netif_rx_ni(skb); + out: + if (primary_if) + batadv_hardif_free_ref(primary_if); +-- +2.25.1 + diff --git a/queue-4.4/bnxt_en-check-for-zero-dir-entries-in-nvram.patch b/queue-4.4/bnxt_en-check-for-zero-dir-entries-in-nvram.patch new file mode 100644 index 00000000000..674d9432183 --- /dev/null +++ b/queue-4.4/bnxt_en-check-for-zero-dir-entries-in-nvram.patch @@ -0,0 +1,39 @@ +From 619db0ceed2c09551e152a48c8f360baed47e743 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Aug 2020 01:08:33 -0400 +Subject: bnxt_en: Check for zero dir entries in NVRAM. + +From: Vasundhara Volam + +[ Upstream commit dbbfa96ad920c50d58bcaefa57f5f33ceef9d00e ] + +If firmware goes into unstable state, HWRM_NVM_GET_DIR_INFO firmware +command may return zero dir entries. Return error in such case to +avoid zero length dma buffer request. + +Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.") +Signed-off-by: Vasundhara Volam +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c +index 45bd628eaf3aa..416fb16686a61 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c +@@ -991,6 +991,9 @@ static int bnxt_get_nvram_directory(struct net_device *dev, u32 len, u8 *data) + if (rc != 0) + return rc; + ++ if (!dir_entries || !entry_length) ++ return -EIO; ++ + /* Insert 2 bytes of directory info (count and size of entries) */ + if (len < 2) + return -EINVAL; +-- +2.25.1 + diff --git a/queue-4.4/dmaengine-at_hdmac-check-return-value-of-of_find_dev.patch b/queue-4.4/dmaengine-at_hdmac-check-return-value-of-of_find_dev.patch new file mode 100644 index 00000000000..2ac93a375f6 --- /dev/null +++ b/queue-4.4/dmaengine-at_hdmac-check-return-value-of-of_find_dev.patch @@ -0,0 +1,39 @@ +From 0716a63afba8914097d36f5e804b8ddaaf9a55da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Aug 2020 19:57:26 +0800 +Subject: dmaengine: at_hdmac: check return value of of_find_device_by_node() + in at_dma_xlate() + +From: Yu Kuai + +[ Upstream commit 0cef8e2c5a07d482ec907249dbd6687e8697677f ] + +The reurn value of of_find_device_by_node() is not checked, thus null +pointer dereference will be triggered if of_find_device_by_node() +failed. + +Fixes: bbe89c8e3d59 ("at_hdmac: move to generic DMA binding") +Signed-off-by: Yu Kuai +Link: https://lore.kernel.org/r/20200817115728.1706719-2-yukuai3@huawei.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/at_hdmac.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/dma/at_hdmac.c b/drivers/dma/at_hdmac.c +index 941ace0521306..5276074d0e364 100644 +--- a/drivers/dma/at_hdmac.c ++++ b/drivers/dma/at_hdmac.c +@@ -1817,6 +1817,8 @@ static struct dma_chan *at_dma_xlate(struct of_phandle_args *dma_spec, + return NULL; + + dmac_pdev = of_find_device_by_node(dma_spec->np); ++ if (!dmac_pdev) ++ return NULL; + + dma_cap_zero(mask); + dma_cap_set(DMA_SLAVE, mask); +-- +2.25.1 + diff --git a/queue-4.4/dmaengine-of-dma-fix-of_dma_router_xlate-s-of_dma_xl.patch b/queue-4.4/dmaengine-of-dma-fix-of_dma_router_xlate-s-of_dma_xl.patch new file mode 100644 index 00000000000..f2222c664f0 --- /dev/null +++ b/queue-4.4/dmaengine-of-dma-fix-of_dma_router_xlate-s-of_dma_xl.patch @@ -0,0 +1,47 @@ +From 268c69bf7e929b1fd0c211b44e136b5efd641728 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Aug 2020 13:49:28 +0300 +Subject: dmaengine: of-dma: Fix of_dma_router_xlate's of_dma_xlate handling + +From: Peter Ujfalusi + +[ Upstream commit 5b2aa9f918f6837ae943557f8cec02c34fcf80e7 ] + +of_dma_xlate callback can return ERR_PTR as well NULL in case of failure. + +If error code is returned (not NULL) then the route should be released and +the router should not be registered for the channel. + +Fixes: 56f13c0d9524c ("dmaengine: of_dma: Support for DMA routers") +Signed-off-by: Peter Ujfalusi +Link: https://lore.kernel.org/r/20200806104928.25975-1-peter.ujfalusi@ti.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/of-dma.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/dma/of-dma.c b/drivers/dma/of-dma.c +index 1e1f2986eba8f..86c591481dfe9 100644 +--- a/drivers/dma/of-dma.c ++++ b/drivers/dma/of-dma.c +@@ -72,12 +72,12 @@ static struct dma_chan *of_dma_router_xlate(struct of_phandle_args *dma_spec, + return NULL; + + chan = ofdma_target->of_dma_xlate(&dma_spec_target, ofdma_target); +- if (chan) { +- chan->router = ofdma->dma_router; +- chan->route_data = route_data; +- } else { ++ if (IS_ERR_OR_NULL(chan)) { + ofdma->dma_router->route_free(ofdma->dma_router->dev, + route_data); ++ } else { ++ chan->router = ofdma->dma_router; ++ chan->route_data = route_data; + } + + /* +-- +2.25.1 + diff --git a/queue-4.4/dmaengine-pl330-fix-burst-length-if-burst-size-is-sm.patch b/queue-4.4/dmaengine-pl330-fix-burst-length-if-burst-size-is-sm.patch new file mode 100644 index 00000000000..08fee9b76a5 --- /dev/null +++ b/queue-4.4/dmaengine-pl330-fix-burst-length-if-burst-size-is-sm.patch @@ -0,0 +1,48 @@ +From 918386ff53713a42ceb67adf17972196f4897d85 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Aug 2020 08:46:17 +0200 +Subject: dmaengine: pl330: Fix burst length if burst size is smaller than bus + width + +From: Marek Szyprowski + +[ Upstream commit 0661cef675d37e2c4b66a996389ebeae8568e49e ] + +Move the burst len fixup after setting the generic value for it. This +finally enables the fixup introduced by commit 137bd11090d8 ("dmaengine: +pl330: Align DMA memcpy operations to MFIFO width"), which otherwise was +overwritten by the generic value. + +Reported-by: kernel test robot +Fixes: 137bd11090d8 ("dmaengine: pl330: Align DMA memcpy operations to MFIFO width") +Signed-off-by: Marek Szyprowski +Link: https://lore.kernel.org/r/20200825064617.16193-1-m.szyprowski@samsung.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/pl330.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/dma/pl330.c b/drivers/dma/pl330.c +index 799c182c3eacc..9aa57b37381a9 100644 +--- a/drivers/dma/pl330.c ++++ b/drivers/dma/pl330.c +@@ -2629,6 +2629,7 @@ pl330_prep_dma_memcpy(struct dma_chan *chan, dma_addr_t dst, + while (burst != (1 << desc->rqcfg.brst_size)) + desc->rqcfg.brst_size++; + ++ desc->rqcfg.brst_len = get_burst_len(desc, len); + /* + * If burst size is smaller than bus width then make sure we only + * transfer one at a time to avoid a burst stradling an MFIFO entry. +@@ -2636,7 +2637,6 @@ pl330_prep_dma_memcpy(struct dma_chan *chan, dma_addr_t dst, + if (desc->rqcfg.brst_size * 8 < pl330->pcfg.data_bus_width) + desc->rqcfg.brst_len = 1; + +- desc->rqcfg.brst_len = get_burst_len(desc, len); + desc->bytes_requested = len; + + desc->txd.flags = flags; +-- +2.25.1 + diff --git a/queue-4.4/fix-regression-in-epoll-keep-a-reference-on-files-ad.patch b/queue-4.4/fix-regression-in-epoll-keep-a-reference-on-files-ad.patch new file mode 100644 index 00000000000..04727561aa4 --- /dev/null +++ b/queue-4.4/fix-regression-in-epoll-keep-a-reference-on-files-ad.patch @@ -0,0 +1,42 @@ +From 786397accd670411987150465243b79054399e3c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 11:30:48 -0400 +Subject: fix regression in "epoll: Keep a reference on files added to the + check list" + +From: Al Viro + +[ Upstream commit 77f4689de17c0887775bb77896f4cc11a39bf848 ] + +epoll_loop_check_proc() can run into a file already committed to destruction; +we can't grab a reference on those and don't need to add them to the set for +reverse path check anyway. + +Tested-by: Marc Zyngier +Fixes: a9ed4a6560b8 ("epoll: Keep a reference on files added to the check list") +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + fs/eventpoll.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/fs/eventpoll.c b/fs/eventpoll.c +index b8959d0d4c723..e5324642023d6 100644 +--- a/fs/eventpoll.c ++++ b/fs/eventpoll.c +@@ -1720,9 +1720,9 @@ static int ep_loop_check_proc(void *priv, void *cookie, int call_nests) + * during ep_insert(). + */ + if (list_empty(&epi->ffd.file->f_tfile_llink)) { +- get_file(epi->ffd.file); +- list_add(&epi->ffd.file->f_tfile_llink, +- &tfile_check_list); ++ if (get_file_rcu(epi->ffd.file)) ++ list_add(&epi->ffd.file->f_tfile_llink, ++ &tfile_check_list); + } + } + } +-- +2.25.1 + diff --git a/queue-4.4/include-linux-log2.h-add-missing-around-n-in-roundup.patch b/queue-4.4/include-linux-log2.h-add-missing-around-n-in-roundup.patch new file mode 100644 index 00000000000..1fcd529b10e --- /dev/null +++ b/queue-4.4/include-linux-log2.h-add-missing-around-n-in-roundup.patch @@ -0,0 +1,37 @@ +From 489ba29d6079a8066909c8ae7d72c12ffcf80967 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Sep 2020 16:36:19 -0700 +Subject: include/linux/log2.h: add missing () around n in roundup_pow_of_two() + +From: Jason Gunthorpe + +[ Upstream commit 428fc0aff4e59399ec719ffcc1f7a5d29a4ee476 ] + +Otherwise gcc generates warnings if the expression is complicated. + +Fixes: 312a0c170945 ("[PATCH] LOG2: Alter roundup_pow_of_two() so that it can use a ilog2() on a constant") +Signed-off-by: Jason Gunthorpe +Signed-off-by: Andrew Morton +Link: https://lkml.kernel.org/r/0-v1-8a2697e3c003+41165-log_brackets_jgg@nvidia.com +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/log2.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/log2.h b/include/linux/log2.h +index c373295f359fa..cca606609e1bc 100644 +--- a/include/linux/log2.h ++++ b/include/linux/log2.h +@@ -159,7 +159,7 @@ unsigned long __rounddown_pow_of_two(unsigned long n) + #define roundup_pow_of_two(n) \ + ( \ + __builtin_constant_p(n) ? ( \ +- (n == 1) ? 1 : \ ++ ((n) == 1) ? 1 : \ + (1UL << (ilog2((n) - 1) + 1)) \ + ) : \ + __roundup_pow_of_two(n) \ +-- +2.25.1 + diff --git a/queue-4.4/iommu-vt-d-serialize-iommu-gcmd-register-modificatio.patch b/queue-4.4/iommu-vt-d-serialize-iommu-gcmd-register-modificatio.patch new file mode 100644 index 00000000000..66c7324cfdc --- /dev/null +++ b/queue-4.4/iommu-vt-d-serialize-iommu-gcmd-register-modificatio.patch @@ -0,0 +1,62 @@ +From 1e208ecaab0ccc451d67382b69b891578a0a0530 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Aug 2020 08:06:15 +0800 +Subject: iommu/vt-d: Serialize IOMMU GCMD register modifications + +From: Lu Baolu + +[ Upstream commit 6e4e9ec65078093165463c13d4eb92b3e8d7b2e8 ] + +The VT-d spec requires (10.4.4 Global Command Register, GCMD_REG General +Description) that: + +If multiple control fields in this register need to be modified, software +must serialize the modifications through multiple writes to this register. + +However, in irq_remapping.c, modifications of IRE and CFI are done in one +write. We need to do two separate writes with STS checking after each. It +also checks the status register before writing command register to avoid +unnecessary register write. + +Fixes: af8d102f999a4 ("x86/intel/irq_remapping: Clean up x2apic opt-out security warning mess") +Signed-off-by: Lu Baolu +Reviewed-by: Kevin Tian +Cc: Andy Lutomirski +Cc: Jacob Pan +Cc: Kevin Tian +Cc: Ashok Raj +Link: https://lore.kernel.org/r/20200828000615.8281-1-baolu.lu@linux.intel.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/intel_irq_remapping.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/iommu/intel_irq_remapping.c b/drivers/iommu/intel_irq_remapping.c +index ac596928f6b40..ce125ec23d2a5 100644 +--- a/drivers/iommu/intel_irq_remapping.c ++++ b/drivers/iommu/intel_irq_remapping.c +@@ -486,12 +486,18 @@ static void iommu_enable_irq_remapping(struct intel_iommu *iommu) + + /* Enable interrupt-remapping */ + iommu->gcmd |= DMA_GCMD_IRE; +- iommu->gcmd &= ~DMA_GCMD_CFI; /* Block compatibility-format MSIs */ + writel(iommu->gcmd, iommu->reg + DMAR_GCMD_REG); +- + IOMMU_WAIT_OP(iommu, DMAR_GSTS_REG, + readl, (sts & DMA_GSTS_IRES), sts); + ++ /* Block compatibility-format MSIs */ ++ if (sts & DMA_GSTS_CFIS) { ++ iommu->gcmd &= ~DMA_GCMD_CFI; ++ writel(iommu->gcmd, iommu->reg + DMAR_GCMD_REG); ++ IOMMU_WAIT_OP(iommu, DMAR_GSTS_REG, ++ readl, !(sts & DMA_GSTS_CFIS), sts); ++ } ++ + /* + * With CFI clear in the Global Command register, we should be + * protected from dangerous (i.e. compatibility) interrupts +-- +2.25.1 + diff --git a/queue-4.4/netfilter-nf_tables-fix-destination-register-zeroing.patch b/queue-4.4/netfilter-nf_tables-fix-destination-register-zeroing.patch new file mode 100644 index 00000000000..5e40f4a9c94 --- /dev/null +++ b/queue-4.4/netfilter-nf_tables-fix-destination-register-zeroing.patch @@ -0,0 +1,82 @@ +From 62b63ca194e5538b289c75eda79e8c81757994a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Aug 2020 21:05:50 +0200 +Subject: netfilter: nf_tables: fix destination register zeroing + +From: Florian Westphal + +[ Upstream commit 1e105e6afa6c3d32bfb52c00ffa393894a525c27 ] + +Following bug was reported via irc: +nft list ruleset + set knock_candidates_ipv4 { + type ipv4_addr . inet_service + size 65535 + elements = { 127.0.0.1 . 123, + 127.0.0.1 . 123 } + } + .. + udp dport 123 add @knock_candidates_ipv4 { ip saddr . 123 } + udp dport 123 add @knock_candidates_ipv4 { ip saddr . udp dport } + +It should not have been possible to add a duplicate set entry. + +After some debugging it turned out that the problem is the immediate +value (123) in the second-to-last rule. + +Concatenations use 32bit registers, i.e. the elements are 8 bytes each, +not 6 and it turns out the kernel inserted + +inet firewall @knock_candidates_ipv4 + element 0100007f ffff7b00 : 0 [end] + element 0100007f 00007b00 : 0 [end] + +Note the non-zero upper bits of the first element. It turns out that +nft_immediate doesn't zero the destination register, but this is needed +when the length isn't a multiple of 4. + +Furthermore, the zeroing in nft_payload is broken. We can't use +[len / 4] = 0 -- if len is a multiple of 4, index is off by one. + +Skip zeroing in this case and use a conditional instead of (len -1) / 4. + +Fixes: 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_tables.h | 2 ++ + net/netfilter/nft_payload.c | 4 +++- + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h +index b96df7499600f..bee9031a40066 100644 +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -74,6 +74,8 @@ struct nft_regs { + static inline void nft_data_copy(u32 *dst, const struct nft_data *src, + unsigned int len) + { ++ if (len % NFT_REG32_SIZE) ++ dst[len / NFT_REG32_SIZE] = 0; + memcpy(dst, src, len); + } + +diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c +index 09b4b07eb6764..ab3e7b14de09b 100644 +--- a/net/netfilter/nft_payload.c ++++ b/net/netfilter/nft_payload.c +@@ -74,7 +74,9 @@ static void nft_payload_eval(const struct nft_expr *expr, + u32 *dest = ®s->data[priv->dreg]; + int offset; + +- dest[priv->len / NFT_REG32_SIZE] = 0; ++ if (priv->len % NFT_REG32_SIZE) ++ dest[priv->len / NFT_REG32_SIZE] = 0; ++ + switch (priv->base) { + case NFT_PAYLOAD_LL_HEADER: + if (!skb_mac_header_was_set(skb)) +-- +2.25.1 + diff --git a/queue-4.4/netfilter-nf_tables-incorrect-enum-nft_list_attribut.patch b/queue-4.4/netfilter-nf_tables-incorrect-enum-nft_list_attribut.patch new file mode 100644 index 00000000000..34401e6ac98 --- /dev/null +++ b/queue-4.4/netfilter-nf_tables-incorrect-enum-nft_list_attribut.patch @@ -0,0 +1,35 @@ +From 6dd02cf54aba2cf72ef5c76d1783792795bbd95b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Aug 2020 14:12:55 +0200 +Subject: netfilter: nf_tables: incorrect enum nft_list_attributes definition + +From: Pablo Neira Ayuso + +[ Upstream commit da9125df854ea48a6240c66e8a67be06e2c12c03 ] + +This should be NFTA_LIST_UNSPEC instead of NFTA_LIST_UNPEC, all other +similar attribute definitions are postfixed with _UNSPEC. + +Fixes: 96518518cc41 ("netfilter: add nftables") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/uapi/linux/netfilter/nf_tables.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h +index d8c8a7c9d88a7..b0a1c33d4a153 100644 +--- a/include/uapi/linux/netfilter/nf_tables.h ++++ b/include/uapi/linux/netfilter/nf_tables.h +@@ -111,7 +111,7 @@ enum nf_tables_msg_types { + * @NFTA_LIST_ELEM: list element (NLA_NESTED) + */ + enum nft_list_attributes { +- NFTA_LIST_UNPEC, ++ NFTA_LIST_UNSPEC, + NFTA_LIST_ELEM, + __NFTA_LIST_MAX + }; +-- +2.25.1 + diff --git a/queue-4.4/series b/queue-4.4/series index 886f9ce51ab..30b091988e6 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -6,3 +6,16 @@ hwmon-applesmc-check-status-earlier.patch ceph-don-t-allow-setlease-on-cephfs.patch s390-don-t-trace-preemption-in-percpu-macros.patch xen-xenbus-fix-granting-of-vmalloc-d-memory.patch +dmaengine-of-dma-fix-of_dma_router_xlate-s-of_dma_xl.patch +batman-adv-avoid-uninitialized-chaddr-when-handling-.patch +batman-adv-bla-use-netif_rx_ni-when-not-in-interrupt.patch +dmaengine-at_hdmac-check-return-value-of-of_find_dev.patch +netfilter-nf_tables-incorrect-enum-nft_list_attribut.patch +netfilter-nf_tables-fix-destination-register-zeroing.patch +dmaengine-pl330-fix-burst-length-if-burst-size-is-sm.patch +bnxt_en-check-for-zero-dir-entries-in-nvram.patch +fix-regression-in-epoll-keep-a-reference-on-files-ad.patch +tg3-fix-soft-lockup-when-tg3_reset_task-fails.patch +iommu-vt-d-serialize-iommu-gcmd-register-modificatio.patch +thermal-ti-soc-thermal-fix-bogus-thermal-shutdowns-f.patch +include-linux-log2.h-add-missing-around-n-in-roundup.patch diff --git a/queue-4.4/tg3-fix-soft-lockup-when-tg3_reset_task-fails.patch b/queue-4.4/tg3-fix-soft-lockup-when-tg3_reset_task-fails.patch new file mode 100644 index 00000000000..314068dc6fd --- /dev/null +++ b/queue-4.4/tg3-fix-soft-lockup-when-tg3_reset_task-fails.patch @@ -0,0 +1,80 @@ +From 06b4efb0d82dd48edbf33a4ad899f53940e8986f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Sep 2020 14:28:54 -0400 +Subject: tg3: Fix soft lockup when tg3_reset_task() fails. + +From: Michael Chan + +[ Upstream commit 556699341efa98243e08e34401b3f601da91f5a3 ] + +If tg3_reset_task() fails, the device state is left in an inconsistent +state with IFF_RUNNING still set but NAPI state not enabled. A +subsequent operation, such as ifdown or AER error can cause it to +soft lock up when it tries to disable NAPI state. + +Fix it by bringing down the device to !IFF_RUNNING state when +tg3_reset_task() fails. tg3_reset_task() running from workqueue +will now call tg3_close() when the reset fails. We need to +modify tg3_reset_task_cancel() slightly to avoid tg3_close() +calling cancel_work_sync() to cancel tg3_reset_task(). Otherwise +cancel_work_sync() will wait forever for tg3_reset_task() to +finish. + +Reported-by: David Christensen +Reported-by: Baptiste Covolato +Fixes: db2199737990 ("tg3: Schedule at most one tg3_reset_task run") +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/tg3.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c +index e198427d0f292..2ee2b6e858283 100644 +--- a/drivers/net/ethernet/broadcom/tg3.c ++++ b/drivers/net/ethernet/broadcom/tg3.c +@@ -7203,8 +7203,8 @@ static inline void tg3_reset_task_schedule(struct tg3 *tp) + + static inline void tg3_reset_task_cancel(struct tg3 *tp) + { +- cancel_work_sync(&tp->reset_task); +- tg3_flag_clear(tp, RESET_TASK_PENDING); ++ if (test_and_clear_bit(TG3_FLAG_RESET_TASK_PENDING, tp->tg3_flags)) ++ cancel_work_sync(&tp->reset_task); + tg3_flag_clear(tp, TX_RECOVERY_PENDING); + } + +@@ -11176,18 +11176,27 @@ static void tg3_reset_task(struct work_struct *work) + + tg3_halt(tp, RESET_KIND_SHUTDOWN, 0); + err = tg3_init_hw(tp, true); +- if (err) ++ if (err) { ++ tg3_full_unlock(tp); ++ tp->irq_sync = 0; ++ tg3_napi_enable(tp); ++ /* Clear this flag so that tg3_reset_task_cancel() will not ++ * call cancel_work_sync() and wait forever. ++ */ ++ tg3_flag_clear(tp, RESET_TASK_PENDING); ++ dev_close(tp->dev); + goto out; ++ } + + tg3_netif_start(tp); + +-out: + tg3_full_unlock(tp); + + if (!err) + tg3_phy_start(tp); + + tg3_flag_clear(tp, RESET_TASK_PENDING); ++out: + rtnl_unlock(); + } + +-- +2.25.1 + diff --git a/queue-4.4/thermal-ti-soc-thermal-fix-bogus-thermal-shutdowns-f.patch b/queue-4.4/thermal-ti-soc-thermal-fix-bogus-thermal-shutdowns-f.patch new file mode 100644 index 00000000000..b3c27a07078 --- /dev/null +++ b/queue-4.4/thermal-ti-soc-thermal-fix-bogus-thermal-shutdowns-f.patch @@ -0,0 +1,110 @@ +From cfbed5f8757f65030acfde029a6bb339e6dc743d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jul 2020 11:33:38 -0700 +Subject: thermal: ti-soc-thermal: Fix bogus thermal shutdowns for omap4430 + +From: Tony Lindgren + +[ Upstream commit 30d24faba0532d6972df79a1bf060601994b5873 ] + +We can sometimes get bogus thermal shutdowns on omap4430 at least with +droid4 running idle with a battery charger connected: + +thermal thermal_zone0: critical temperature reached (143 C), shutting down + +Dumping out the register values shows we can occasionally get a 0x7f value +that is outside the TRM listed values in the ADC conversion table. And then +we get a normal value when reading again after that. Reading the register +multiple times does not seem help avoiding the bogus values as they stay +until the next sample is ready. + +Looking at the TRM chapter "18.4.10.2.3 ADC Codes Versus Temperature", we +should have values from 13 to 107 listed with a total of 95 values. But +looking at the omap4430_adc_to_temp array, the values are off, and the +end values are missing. And it seems that the 4430 ADC table is similar +to omap3630 rather than omap4460. + +Let's fix the issue by using values based on the omap3630 table and just +ignoring invalid values. Compared to the 4430 TRM, the omap3630 table has +the missing values added while the TRM table only shows every second +value. + +Note that sometimes the ADC register values within the valid table can +also be way off for about 1 out of 10 values. But it seems that those +just show about 25 C too low values rather than too high values. So those +do not cause a bogus thermal shutdown. + +Fixes: 1a31270e54d7 ("staging: omap-thermal: add OMAP4 data structures") +Cc: Merlijn Wajer +Cc: Pavel Machek +Cc: Sebastian Reichel +Signed-off-by: Tony Lindgren +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20200706183338.25622-1-tony@atomide.com +Signed-off-by: Sasha Levin +--- + .../ti-soc-thermal/omap4-thermal-data.c | 23 ++++++++++--------- + .../thermal/ti-soc-thermal/omap4xxx-bandgap.h | 10 +++++--- + 2 files changed, 19 insertions(+), 14 deletions(-) + +diff --git a/drivers/thermal/ti-soc-thermal/omap4-thermal-data.c b/drivers/thermal/ti-soc-thermal/omap4-thermal-data.c +index d255d33da9eb3..02e71d461d5c5 100644 +--- a/drivers/thermal/ti-soc-thermal/omap4-thermal-data.c ++++ b/drivers/thermal/ti-soc-thermal/omap4-thermal-data.c +@@ -49,20 +49,21 @@ static struct temp_sensor_data omap4430_mpu_temp_sensor_data = { + + /* + * Temperature values in milli degree celsius +- * ADC code values from 530 to 923 ++ * ADC code values from 13 to 107, see TRM ++ * "18.4.10.2.3 ADC Codes Versus Temperature". + */ + static const int + omap4430_adc_to_temp[OMAP4430_ADC_END_VALUE - OMAP4430_ADC_START_VALUE + 1] = { +- -38000, -35000, -34000, -32000, -30000, -28000, -26000, -24000, -22000, +- -20000, -18000, -17000, -15000, -13000, -12000, -10000, -8000, -6000, +- -5000, -3000, -1000, 0, 2000, 3000, 5000, 6000, 8000, 10000, 12000, +- 13000, 15000, 17000, 19000, 21000, 23000, 25000, 27000, 28000, 30000, +- 32000, 33000, 35000, 37000, 38000, 40000, 42000, 43000, 45000, 47000, +- 48000, 50000, 52000, 53000, 55000, 57000, 58000, 60000, 62000, 64000, +- 66000, 68000, 70000, 71000, 73000, 75000, 77000, 78000, 80000, 82000, +- 83000, 85000, 87000, 88000, 90000, 92000, 93000, 95000, 97000, 98000, +- 100000, 102000, 103000, 105000, 107000, 109000, 111000, 113000, 115000, +- 117000, 118000, 120000, 122000, 123000, ++ -40000, -38000, -35000, -34000, -32000, -30000, -28000, -26000, -24000, ++ -22000, -20000, -18500, -17000, -15000, -13500, -12000, -10000, -8000, ++ -6500, -5000, -3500, -1500, 0, 2000, 3500, 5000, 6500, 8500, 10000, ++ 12000, 13500, 15000, 17000, 19000, 21000, 23000, 25000, 27000, 28500, ++ 30000, 32000, 33500, 35000, 37000, 38500, 40000, 42000, 43500, 45000, ++ 47000, 48500, 50000, 52000, 53500, 55000, 57000, 58500, 60000, 62000, ++ 64000, 66000, 68000, 70000, 71500, 73500, 75000, 77000, 78500, 80000, ++ 82000, 83500, 85000, 87000, 88500, 90000, 92000, 93500, 95000, 97000, ++ 98500, 100000, 102000, 103500, 105000, 107000, 109000, 111000, 113000, ++ 115000, 117000, 118500, 120000, 122000, 123500, 125000, + }; + + /* OMAP4430 data */ +diff --git a/drivers/thermal/ti-soc-thermal/omap4xxx-bandgap.h b/drivers/thermal/ti-soc-thermal/omap4xxx-bandgap.h +index 6f2de3a3356d4..86850082b24b9 100644 +--- a/drivers/thermal/ti-soc-thermal/omap4xxx-bandgap.h ++++ b/drivers/thermal/ti-soc-thermal/omap4xxx-bandgap.h +@@ -67,9 +67,13 @@ + * and thresholds for OMAP4430. + */ + +-/* ADC conversion table limits */ +-#define OMAP4430_ADC_START_VALUE 0 +-#define OMAP4430_ADC_END_VALUE 127 ++/* ++ * ADC conversion table limits. Ignore values outside the TRM listed ++ * range to avoid bogus thermal shutdowns. See omap4430 TRM chapter ++ * "18.4.10.2.3 ADC Codes Versus Temperature". ++ */ ++#define OMAP4430_ADC_START_VALUE 13 ++#define OMAP4430_ADC_END_VALUE 107 + /* bandgap clock limits (no control on 4430) */ + #define OMAP4430_MAX_FREQ 32768 + #define OMAP4430_MIN_FREQ 32768 +-- +2.25.1 + -- 2.47.2