From: Greg Kroah-Hartman Date: Fri, 2 Mar 2018 08:34:19 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v3.18.98~1 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e72146c447d42fdd4d1215f81f3ecce740349de7;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: arm64-dts-marvell-add-comphy-nodes-on-cp110-master-and-slave.patch arm64-dts-marvell-mcbin-add-comphy-references-to-ethernet-ports.patch net-sched-crash-on-blocks-with-goto-chain-action.patch net-sched-fix-crash-when-deleting-secondary-chains.patch net-sched-fix-use-after-free-in-tcf_block_put_ext.patch net_sched-get-rid-of-rcu_barrier-in-tcf_block_put_ext.patch
---
diff --git a/queue-4.14/arm64-dts-marvell-add-comphy-nodes-on-cp110-master-and-slave.patch b/queue-4.14/arm64-dts-marvell-add-comphy-nodes-on-cp110-master-and-slave.patch
new file mode 100644
index 00000000000..188aaba9dfc
--- /dev/null
+++ b/queue-4.14/arm64-dts-marvell-add-comphy-nodes-on-cp110-master-and-slave.patch
@@ -0,0 +1,117 @@
+From 910d1bf2c68fa1d7dcde0316cb91f62758407e8d Mon Sep 17 00:00:00 2001
+From: Antoine Tenart
+Date: Mon, 18 Sep 2017 09:58:09 +0200
+Subject: arm64: dts: marvell: add comphy nodes on cp110 master and slave
+
+From: Antoine Tenart
+
+commit 910d1bf2c68fa1d7dcde0316cb91f62758407e8d upstream.
+
+This patch describes the comphy available in the cp110 master and slave.
+This comphy provides serdes lanes used by various controllers such as
+the network one.
+
+Signed-off-by: Antoine Tenart
+Signed-off-by: Gregory CLEMENT
+Cc: Mikulas Patocka
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/boot/dts/marvell/armada-cp110-master.dtsi | 38 +++++++++++++++++++
+ arch/arm64/boot/dts/marvell/armada-cp110-slave.dtsi | 38 +++++++++++++++++++
+ 2 files changed, 76 insertions(+)
+
+--- a/arch/arm64/boot/dts/marvell/armada-cp110-master.dtsi
++++ b/arch/arm64/boot/dts/marvell/armada-cp110-master.dtsi
+@@ -111,6 +111,44 @@
+ };
+ };
+
++ cpm_comphy: phy@120000 {
++ compatible = "marvell,comphy-cp110";
++ reg = <0x120000 0x6000>;
++ marvell,system-controller = <&cpm_syscon0>;
++ #address-cells = <1>;
++ #size-cells = <0>;
++
++ cpm_comphy0: phy@0 {
++ reg = <0>;
++ #phy-cells = <1>;
++ };
++
++ cpm_comphy1: phy@1 {
++ reg = <1>;
++ #phy-cells = <1>;
++ };
++
++ cpm_comphy2: phy@2 {
++ reg = <2>;
++ #phy-cells = <1>;
++ };
++
++ cpm_comphy3: phy@3 {
++ reg = <3>;
++ #phy-cells = <1>;
++ };
++
++ cpm_comphy4: phy@4 {
++ reg = <4>;
++ #phy-cells = <1>;
++ };
++
++ cpm_comphy5: phy@5 {
++ reg = <5>;
++ #phy-cells = <1>;
++ };
++ };
++
+ cpm_mdio: mdio@12a200 {
+ #address-cells = <1>;
+ #size-cells = <0>;
+--- a/arch/arm64/boot/dts/marvell/armada-cp110-slave.dtsi
++++ b/arch/arm64/boot/dts/marvell/armada-cp110-slave.dtsi
+@@ -111,6 +111,44 @@
+ };
+ };
+
++ cps_comphy: phy@120000 {
++ compatible = "marvell,comphy-cp110";
++ reg = <0x120000 0x6000>;
++ marvell,system-controller = <&cps_syscon0>;
++ #address-cells = <1>;
++ #size-cells = <0>;
++
++ cps_comphy0: phy@0 {
++ reg = <0>;
++ #phy-cells = <1>;
++ };
++
++ cps_comphy1: phy@1 {
++ reg = <1>;
++ #phy-cells = <1>;
++ };
++
++ cps_comphy2: phy@2 {
++ reg = <2>;
++ #phy-cells = <1>;
++ };
++
++ cps_comphy3: phy@3 {
++ reg = <3>;
++ #phy-cells = <1>;
++ };
++
++ cps_comphy4: phy@4 {
++ reg = <4>;
++ #phy-cells = <1>;
++ };
++
++ cps_comphy5: phy@5 {
++ reg = <5>;
++ #phy-cells = <1>;
++ };
++ };
++
+ cps_mdio: mdio@12a200 {
+ #address-cells = <1>;
+ #size-cells = <0>;
diff --git a/queue-4.14/arm64-dts-marvell-mcbin-add-comphy-references-to-ethernet-ports.patch b/queue-4.14/arm64-dts-marvell-mcbin-add-comphy-references-to-ethernet-ports.patch
new file mode 100644
index 00000000000..542e2eab857
--- /dev/null
+++ b/queue-4.14/arm64-dts-marvell-mcbin-add-comphy-references-to-ethernet-ports.patch
@@ -0,0 +1,59 @@
+From 760b3843fcd88f2a46e66eec08e2e6023a425809 Mon Sep 17 00:00:00 2001
+From: Antoine Tenart
+Date: Thu, 21 Sep 2017 09:54:07 +0200
+Subject: arm64: dts: marvell: mcbin: add comphy references to Ethernet ports
+
+From: Antoine Tenart
+
+commit 760b3843fcd88f2a46e66eec08e2e6023a425809 upstream.
+
+This patch adds comphy phandles to the Ethernet ports in the mcbin
+device tree. The comphy is used to configure the serdes PHYs used by
+these ports.
+
+Signed-off-by: Antoine Tenart
+Reviewed-by: Andrew Lunn
+Signed-off-by: Gregory CLEMENT
+Cc: Mikulas Patocka
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/boot/dts/marvell/armada-8040-mcbin.dts | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/arch/arm64/boot/dts/marvell/armada-8040-mcbin.dts
++++ b/arch/arm64/boot/dts/marvell/armada-8040-mcbin.dts
+@@ -228,8 +228,11 @@
+
+ &cpm_eth0 {
+ status = "okay";
++ /* Network PHY */
+ phy = <&phy0>;
+ phy-mode = "10gbase-kr";
++ /* Generic PHY, providing serdes lanes */
++ phys = <&cpm_comphy4 0>;
+ };
+
+ &cpm_sata0 {
+@@ -263,15 +266,21 @@
+
+ &cps_eth0 {
+ status = "okay";
++ /* Network PHY */
+ phy = <&phy8>;
+ phy-mode = "10gbase-kr";
++ /* Generic PHY, providing serdes lanes */
++ phys = <&cps_comphy4 0>;
+ };
+
+ &cps_eth1 {
+ /* CPS Lane 0 - J5 (Gigabit RJ45) */
+ status = "okay";
++ /* Network PHY */
+ phy = <&ge_phy>;
+ phy-mode = "sgmii";
++ /* Generic PHY, providing serdes lanes */
++ phys = <&cps_comphy0 1>;
+ };
+
+ &cps_pinctrl {
diff --git a/queue-4.14/net-sched-crash-on-blocks-with-goto-chain-action.patch b/queue-4.14/net-sched-crash-on-blocks-with-goto-chain-action.patch
new file mode 100644
index 00000000000..e3e5da4f3ce
--- /dev/null
+++ b/queue-4.14/net-sched-crash-on-blocks-with-goto-chain-action.patch
@@ -0,0 +1,73 @@
+From a60b3f515d30d0fe8537c64671926879a3548103 Mon Sep 17 00:00:00 2001
+From: Roman Kapl
+Date: Fri, 24 Nov 2017 12:27:58 +0100
+Subject: net: sched: crash on blocks with goto chain action
+
+From: Roman Kapl
+
+commit a60b3f515d30d0fe8537c64671926879a3548103 upstream.
+
+tcf_block_put_ext has assumed that all filters (and thus their goto
+actions) are destroyed in RCU callback and thus can not race with our
+list iteration. However, that is not true during netns cleanup (see
+tcf_exts_get_net comment).
+
+Prevent the user after free by holding all chains (except 0, that one is
+already held). foreach_safe is not enough in this case.
+
+To reproduce, run the following in a netns and then delete the ns:
+ ip link add dtest type dummy
+ tc qdisc add dev dtest ingress
+ tc filter add dev dtest chain 1 parent ffff: handle 1 prio 1 flower action goto chain 2
+
+Fixes: 822e86d997 ("net_sched: remove tcf_block_put_deferred()")
+Signed-off-by: Roman Kapl
+Acked-by: Jiri Pirko
+Signed-off-by: David S. Miller
+Cc: Cong Wang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/sched/cls_api.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/net/sched/cls_api.c
++++ b/net/sched/cls_api.c
+@@ -282,7 +282,8 @@ static void tcf_block_put_final(struct w
+ struct tcf_chain *chain, *tmp;
+
+ rtnl_lock();
+- /* Only chain 0 should be still here. */
++
++ /* At this point, all the chains should have refcnt == 1. */
+ list_for_each_entry_safe(chain, tmp, &block->chain_list, list)
+ tcf_chain_put(chain);
+ rtnl_unlock();
+@@ -290,17 +291,23 @@ static void tcf_block_put_final(struct w
+ }
+
+ /* XXX: Standalone actions are not allowed to jump to any chain, and bound
+- * actions should be all removed after flushing. However, filters are now
+- * destroyed in tc filter workqueue with RTNL lock, they can not race here.
++ * actions should be all removed after flushing.
+ */
+ void tcf_block_put(struct tcf_block *block)
+ {
+- struct tcf_chain *chain, *tmp;
++ struct tcf_chain *chain;
+
+ if (!block)
+ return;
+
+- list_for_each_entry_safe(chain, tmp, &block->chain_list, list)
++ /* Hold a refcnt for all chains, except 0, so that they don't disappear
++ * while we are iterating.
++ */
++ list_for_each_entry(chain, &block->chain_list, list)
++ if (chain->index)
++ tcf_chain_hold(chain);
++
++ list_for_each_entry(chain, &block->chain_list, list)
+ tcf_chain_flush(chain);
+
+ INIT_WORK(&block->work, tcf_block_put_final);
diff --git a/queue-4.14/net-sched-fix-crash-when-deleting-secondary-chains.patch b/queue-4.14/net-sched-fix-crash-when-deleting-secondary-chains.patch
new file mode 100644
index 00000000000..d98124e7d1b
--- /dev/null
+++ b/queue-4.14/net-sched-fix-crash-when-deleting-secondary-chains.patch
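Review bot: The patch description names `tcf_block_put_ext`, but the code changed in this tree is `tcf_block_put()` and `tcf_block_put_final()` (see the two `@@` headers for net/sched/cls_api.c), and nothing in the patch records that it was adapted. Someone auditing a 4.14 kernel for this use-after-free fix by searching for the upstream function name would not find it. A short backport note under the "upstream" line would cover it, for example `[4.14: applies to tcf_block_put(); tcf_block_put_ext() is not touched by this backport]`, with the wording checked against the tree since only these hunks are visible here. The same applies to the two later patches in this commit whose subjects name tcf_block_put_ext.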
@@ -0,0 +1,56 @@
+From d7aa04a5e82b4f254d306926c81eae8df69e5200 Mon Sep 17 00:00:00 2001
+From: Roman Kapl
+Date: Mon, 20 Nov 2017 22:21:13 +0100
+Subject: net: sched: fix crash when deleting secondary chains
+
+From: Roman Kapl
+
+commit d7aa04a5e82b4f254d306926c81eae8df69e5200 upstream.
+
+If you flush (delete) a filter chain other than chain 0 (such as when
+deleting the device), the kernel may run into a use-after-free. The
+chain refcount must not be decremented unless we are sure we are done
+with the chain.
+
+To reproduce the bug, run:
+ ip link add dtest type dummy
+ tc qdisc add dev dtest ingress
+ tc filter add dev dtest chain 1 parent ffff: flower
+ ip link del dtest
+
+Introduced in: commit f93e1cdcf42c ("net/sched: fix filter flushing"),
+but unless you have KAsan or luck, you won't notice it until
+commit 0dadc117ac8b ("cls_flower: use tcf_exts_get_net() before call_rcu()")
+
+Fixes: f93e1cdcf42c ("net/sched: fix filter flushing")
+Acked-by: Jiri Pirko
+Signed-off-by: Roman Kapl
+Signed-off-by: David S. Miller
+Cc: Cong Wang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/sched/cls_api.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/net/sched/cls_api.c
++++ b/net/sched/cls_api.c
+@@ -197,14 +197,15 @@ static struct tcf_chain *tcf_chain_creat
+
+ static void tcf_chain_flush(struct tcf_chain *chain)
+ {
+- struct tcf_proto *tp;
++ struct tcf_proto *tp = rtnl_dereference(chain->filter_chain);
+
+ if (chain->p_filter_chain)
+ RCU_INIT_POINTER(*chain->p_filter_chain, NULL);
+- while ((tp = rtnl_dereference(chain->filter_chain)) != NULL) {
++ while (tp) {
+ RCU_INIT_POINTER(chain->filter_chain, tp->next);
+- tcf_chain_put(chain);
+ tcf_proto_destroy(tp);
++ tp = rtnl_dereference(chain->filter_chain);
++ tcf_chain_put(chain);
+ }
+ }
+
diff --git a/queue-4.14/net-sched-fix-use-after-free-in-tcf_block_put_ext.patch b/queue-4.14/net-sched-fix-use-after-free-in-tcf_block_put_ext.patch
new file mode 100644
index 00000000000..730ef01d3a7
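Review bot: The reordered loop in tcf_chain_flush() has no comment saying why `tp` is reloaded before `tcf_chain_put(chain)`, and that ordering is the whole fix. Going by the commit message, the put may be the one that ends the chain's life, after which `chain->filter_chain` must not be read. Without a comment the two statements look freely swappable, and swapping them would bring the use-after-free back. I would add `/* Reload tp first: the put below may free chain. */` above `tp = rtnl_dereference(chain->filter_chain);`.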
--- /dev/null
+++ b/queue-4.14/net-sched-fix-use-after-free-in-tcf_block_put_ext.patch
@@ -0,0 +1,84 @@
+From df45bf84e4f5a48f23d4b1a07d21d566e8b587b2 Mon Sep 17 00:00:00 2001
+From: Jiri Pirko
+Date: Fri, 8 Dec 2017 19:27:27 +0100
+Subject: net: sched: fix use-after-free in tcf_block_put_ext
+
+From: Jiri Pirko
+
+commit df45bf84e4f5a48f23d4b1a07d21d566e8b587b2 upstream.
+
+Since the block is freed with last chain being put, once we reach the
+end of iteration of list_for_each_entry_safe, the block may be
+already freed. I'm hitting this only by creating and deleting clsact:
+
+[ 202.171952] ==================================================================
+[ 202.180182] BUG: KASAN: use-after-free in tcf_block_put_ext+0x240/0x390
+[ 202.187590] Read of size 8 at addr ffff880225539a80 by task tc/796
+[ 202.194508]
+[ 202.196185] CPU: 0 PID: 796 Comm: tc Not tainted 4.15.0-rc2jiri+ #5
+[ 202.203200] Hardware name: Mellanox Technologies Ltd. "MSN2100-CB2F"/"SA001017", BIOS 5.6.5 06/07/2016
+[ 202.213613] Call Trace:
+[ 202.216369] dump_stack+0xda/0x169
+[ 202.220192] ? dma_virt_map_sg+0x147/0x147
+[ 202.224790] ? show_regs_print_info+0x54/0x54
+[ 202.229691] ? tcf_chain_destroy+0x1dc/0x250
+[ 202.234494] print_address_description+0x83/0x3d0
+[ 202.239781] ? tcf_block_put_ext+0x240/0x390
+[ 202.244575] kasan_report+0x1ba/0x460
+[ 202.248707] ? tcf_block_put_ext+0x240/0x390
+[ 202.253518] tcf_block_put_ext+0x240/0x390
+[ 202.258117] ? tcf_chain_flush+0x290/0x290
+[ 202.262708] ? qdisc_hash_del+0x82/0x1a0
+[ 202.267111] ? qdisc_hash_add+0x50/0x50
+[ 202.271411] ? __lock_is_held+0x5f/0x1a0
+[ 202.275843] clsact_destroy+0x3d/0x80 [sch_ingress]
+[ 202.281323] qdisc_destroy+0xcb/0x240
+[ 202.285445] qdisc_graft+0x216/0x7b0
+[ 202.289497] tc_get_qdisc+0x260/0x560
+
+Fix this by holding the block also by chain 0 and put chain 0
+explicitly, out of the list_for_each_entry_safe loop at the very
+end of tcf_block_put_ext.
+
+Fixes: efbf78973978 ("net_sched: get rid of rcu_barrier() in tcf_block_put_ext()")
+Signed-off-by: Jiri Pirko
+Signed-off-by: David S. Miller
+Cc: Cong Wang
+Signed-off-by: Greg Kroah-Hartman
+
+
+---
+ net/sched/cls_api.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/net/sched/cls_api.c
++++ b/net/sched/cls_api.c
+@@ -290,21 +290,22 @@ void tcf_block_put(struct tcf_block *blo
+ if (!block)
+ return;
+
+- /* Hold a refcnt for all chains, except 0, so that they don't disappear
++ /* Hold a refcnt for all chains, so that they don't disappear
+ * while we are iterating.
+ */
+ list_for_each_entry(chain, &block->chain_list, list)
+- if (chain->index)
+- tcf_chain_hold(chain);
++ tcf_chain_hold(chain);
+
+ list_for_each_entry(chain, &block->chain_list, list)
+ tcf_chain_flush(chain);
+
+- /* At this point, all the chains should have refcnt >= 1. Block will be
+- * freed after all chains are gone.
+- */
++ /* At this point, all the chains should have refcnt >= 1. */
+ list_for_each_entry_safe(chain, tmp, &block->chain_list, list)
+ tcf_chain_put(chain);
++
++ /* Finally, put chain 0 and allow block to be freed. */
++ chain = list_first_entry(&block->chain_list, struct tcf_chain, list);
++ tcf_chain_put(chain);
+ }
+ EXPORT_SYMBOL(tcf_block_put);
+
diff --git a/queue-4.14/net_sched-get-rid-of-rcu_barrier-in-tcf_block_put_ext.patch b/queue-4.14/net_sched-get-rid-of-rcu_barrier-in-tcf_block_put_ext.patch
new file mode 100644
index 00000000000..255a9ec6703
--- /dev/null
+++ b/queue-4.14/net_sched-get-rid-of-rcu_barrier-in-tcf_block_put_ext.patch
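Review bot: The closing `chain = list_first_entry(&block->chain_list, struct tcf_chain, list);` relies on two things the code does not state: that `chain_list` is still non-empty after the put loop, and that its first entry is chain 0. If chain 0 had already been destroyed in the loop, this line would either pick a different chain or, with the list empty, read a block that tcf_chain_destroy() has already freed, so a runtime `list_empty()` check at this point would not help and the invariant belongs in the comment. I would extend it to `/* Chain 0 still holds its original reference, so block is alive and chain 0 is the first entry; put it last to let the block be freed. */`. That chain 0 is first on the list and keeps a reference from block setup is inferred from the earlier patch's description ("except 0, that one is already held"); it is not visible here, and tcf_block_put() starts above the hunk.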
@@ -0,0 +1,125 @@
+From efbf78973978b0d25af59bc26c8013a942af6e64 Mon Sep 17 00:00:00 2001
+From: Cong Wang
+Date: Mon, 4 Dec 2017 10:48:18 -0800
+Subject: net_sched: get rid of rcu_barrier() in tcf_block_put_ext()
+
+From: Cong Wang
+
+commit efbf78973978b0d25af59bc26c8013a942af6e64 upstream.
+
+Both Eric and Paolo noticed the rcu_barrier() we use in
+tcf_block_put_ext() could be a performance bottleneck when
+we have a lot of tc classes.
+
+Paolo provided the following to demonstrate the issue:
+
+tc qdisc add dev lo root htb
+for I in `seq 1 1000`; do
+ tc class add dev lo parent 1: classid 1:$I htb rate 100kbit
+ tc qdisc add dev lo parent 1:$I handle $((I + 1)): htb
+ for J in `seq 1 10`; do
+ tc filter add dev lo parent $((I + 1)): u32 match ip src 1.1.1.$J
+ done
+done
+time tc qdisc del dev root
+
+real 0m54.764s
+user 0m0.023s
+sys 0m0.000s
+
+The rcu_barrier() there is to ensure we free the block after all chains
+are gone, that is, to queue tcf_block_put_final() at the tail of workqueue.
+We can achieve this ordering requirement by refcnt'ing tcf block instead,
+that is, the tcf block is freed only when the last chain in this block is
+gone. This also simplifies the code.
+
+Paolo reported after this patch we get:
+
+real 0m0.017s
+user 0m0.000s
+sys 0m0.017s
+
+Tested-by: Paolo Abeni
+Cc: Eric Dumazet
+Cc: Jiri Pirko
+Cc: Jamal Hadi Salim
+Signed-off-by: Cong Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+
+---
+ include/net/sch_generic.h | 1 -
+ net/sched/cls_api.c | 29 +++++++++--------------------
+ 2 files changed, 9 insertions(+), 21 deletions(-)
+
+--- a/include/net/sch_generic.h
++++ b/include/net/sch_generic.h
+@@ -273,7 +273,6 @@ struct tcf_chain {
+
+ struct tcf_block {
+ struct list_head chain_list;
+- struct work_struct work;
+ };
+
+ static inline void qdisc_cb_private_validate(const struct sk_buff *skb, int sz)
+--- a/net/sched/cls_api.c
++++ b/net/sched/cls_api.c
+@@ -211,8 +211,12 @@ static void tcf_chain_flush(struct tcf_c
+
+ static void tcf_chain_destroy(struct tcf_chain *chain)
+ {
++ struct tcf_block *block = chain->block;
++
+ list_del(&chain->list);
+ kfree(chain);
++ if (list_empty(&block->chain_list))
++ kfree(block);
+ }
+
+ static void tcf_chain_hold(struct tcf_chain *chain)
+@@ -276,26 +280,12 @@ err_chain_create:
+ }
+ EXPORT_SYMBOL(tcf_block_get);
+
+-static void tcf_block_put_final(struct work_struct *work)
+-{
+- struct tcf_block *block = container_of(work, struct tcf_block, work);
+- struct tcf_chain *chain, *tmp;
+-
+- rtnl_lock();
+-
+- /* At this point, all the chains should have refcnt == 1. */
+- list_for_each_entry_safe(chain, tmp, &block->chain_list, list)
+- tcf_chain_put(chain);
+- rtnl_unlock();
+- kfree(block);
+-}
+-
+ /* XXX: Standalone actions are not allowed to jump to any chain, and bound
+ * actions should be all removed after flushing.
+ */
+ void tcf_block_put(struct tcf_block *block)
+ {
+- struct tcf_chain *chain;
++ struct tcf_chain *chain, *tmp;
+
+ if (!block)
+ return;
+@@ -310,12 +300,11 @@ void tcf_block_put(struct tcf_block *blo
+ list_for_each_entry(chain, &block->chain_list, list)
+ tcf_chain_flush(chain);
+
+- INIT_WORK(&block->work, tcf_block_put_final);
+- /* Wait for RCU callbacks to release the reference count and make
+- * sure their works have been queued before this.
++ /* At this point, all the chains should have refcnt >= 1. Block will be
++ * freed after all chains are gone.
+ */
+- rcu_barrier();
+- tcf_queue_work(&block->work);
++ list_for_each_entry_safe(chain, tmp, &block->chain_list, list)
++ tcf_chain_put(chain);
+ }
+ EXPORT_SYMBOL(tcf_block_put);
+
diff --git a/queue-4.14/series b/queue-4.14/series
index dbb517d2281..4c0e95fb9b9 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -107,3 +107,9 @@ nfp-always-unmask-aux-interrupts-at-init.patch
 mlxsw-pci-wait-after-reset-before-accessing-hw.patch
 mips-implement-__multi3-for-gcc7-mips64r6-builds.patch
 powerpc-pseries-enable-ras-hotplug-events-later.patch
+arm64-dts-marvell-add-comphy-nodes-on-cp110-master-and-slave.patch
+arm64-dts-marvell-mcbin-add-comphy-references-to-ethernet-ports.patch
+net-sched-fix-crash-when-deleting-secondary-chains.patch
+net-sched-crash-on-blocks-with-goto-chain-action.patch
+net_sched-get-rid-of-rcu_barrier-in-tcf_block_put_ext.patch
+net-sched-fix-use-after-free-in-tcf_block_put_ext.patch
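Review bot: In the rcu_barrier patch, tcf_chain_destroy() now frees `chain->block` as a side effect once `chain_list` becomes empty, and the function carries no comment saying so. The new `list_for_each_entry_safe()` loop at the end of tcf_block_put() in the same patch still evaluates `&block->chain_list` after its last put, which is the read that net-sched-fix-use-after-free-in-tcf_block_put_ext.patch corrects, so the two patches should stay adjacent in the series and in any cherry-pick. I would add above tcf_chain_destroy() `/* Frees chain->block when the last chain is unlinked; callers must not touch the block after the final put. */`. tcf_block_put() starts above the last hunk.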