--- /dev/null
+From stable+bounces-93947-greg=kroah.com@vger.kernel.org Tue Nov 19 11:25:26 2024
+From: Bin Lan <bin.lan.cn@windriver.com>
+Date: Tue, 19 Nov 2024 18:20:10 +0800
+Subject: ipvs: properly dereference pe in ip_vs_add_service
+To: <chenhx.fnst@fujitsu.com>, <stable@vger.kernel.org>
+Message-ID: <20241119102010.2572322-1-bin.lan.cn@windriver.com>
+
+From: Chen Hanxiao <chenhx.fnst@fujitsu.com>
+
+[ Upstream commit cbd070a4ae62f119058973f6d2c984e325bce6e7 ]
+
+Use pe directly to resolve sparse warning:
+
+ net/netfilter/ipvs/ip_vs_ctl.c:1471:27: warning: dereference of noderef expression
+
+Fixes: 39b972231536 ("ipvs: handle connections started by real-servers")
+Signed-off-by: Chen Hanxiao <chenhx.fnst@fujitsu.com>
+Acked-by: Julian Anastasov <ja@ssi.bg>
+Acked-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+[ Resolve minor conflicts to fix CVE-2024-42322 ]
+Signed-off-by: Bin Lan <bin.lan.cn@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -1382,18 +1382,18 @@ ip_vs_add_service(struct netns_ipvs *ipv
+ sched = NULL;
+ }
+
+- /* Bind the ct retriever */
+- RCU_INIT_POINTER(svc->pe, pe);
+- pe = NULL;
+-
+ /* Update the virtual service counters */
+ if (svc->port == FTPPORT)
+ atomic_inc(&ipvs->ftpsvc_counter);
+ else if (svc->port == 0)
+ atomic_inc(&ipvs->nullsvc_counter);
+- if (svc->pe && svc->pe->conn_out)
++ if (pe && pe->conn_out)
+ atomic_inc(&ipvs->conn_out_counter);
+
++ /* Bind the ct retriever */
++ RCU_INIT_POINTER(svc->pe, pe);
++ pe = NULL;
++
+ ip_vs_start_estimator(ipvs, &svc->stats);
+
+ /* Count only IPv4 services for old get/setsockopt interface */
--- /dev/null
+From prvs=1053b6616b=xiangyu.chen@windriver.com Tue Nov 19 08:41:51 2024
+From: Xiangyu Chen <xiangyu.chen@eng.windriver.com>
+Date: Tue, 19 Nov 2024 15:41:35 +0800
+Subject: net: fec: remove .ndo_poll_controller to avoid deadlocks
+To: wei.fang@nxp.com, gregkh@linuxfoundation.org
+Cc: stable@vger.kernel.org, xiangyu.chen@aol.com
+Message-ID: <20241119074135.4005807-1-xiangyu.chen@eng.windriver.com>
+
+From: Wei Fang <wei.fang@nxp.com>
+
+[ Upstream commit c2e0c58b25a0a0c37ec643255558c5af4450c9f5 ]
+
+There is a deadlock issue found in sungem driver, please refer to the
+commit ac0a230f719b ("eth: sungem: remove .ndo_poll_controller to avoid
+deadlocks"). The root cause of the issue is that netpoll is in atomic
+context and disable_irq() is called by .ndo_poll_controller interface
+of sungem driver, however, disable_irq() might sleep. After analyzing
+the implementation of fec_poll_controller(), the fec driver should have
+the same issue. Due to the fec driver uses NAPI for TX completions, the
+.ndo_poll_controller is unnecessary to be implemented in the fec driver,
+so fec_poll_controller() can be safely removed.
+
+Fixes: 7f5c6addcdc0 ("net/fec: add poll controller function for fec nic")
+Signed-off-by: Wei Fang <wei.fang@nxp.com>
+Link: https://lore.kernel.org/r/20240511062009.652918-1-wei.fang@nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/fec_main.c | 26 --------------------------
+ 1 file changed, 26 deletions(-)
+
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -3508,29 +3508,6 @@ fec_set_mac_address(struct net_device *n
+ return 0;
+ }
+
+-#ifdef CONFIG_NET_POLL_CONTROLLER
+-/**
+- * fec_poll_controller - FEC Poll controller function
+- * @dev: The FEC network adapter
+- *
+- * Polled functionality used by netconsole and others in non interrupt mode
+- *
+- */
+-static void fec_poll_controller(struct net_device *dev)
+-{
+- int i;
+- struct fec_enet_private *fep = netdev_priv(dev);
+-
+- for (i = 0; i < FEC_IRQ_NUM; i++) {
+- if (fep->irq[i] > 0) {
+- disable_irq(fep->irq[i]);
+- fec_enet_interrupt(fep->irq[i], dev);
+- enable_irq(fep->irq[i]);
+- }
+- }
+-}
+-#endif
+-
+ static inline void fec_enet_set_netdev_features(struct net_device *netdev,
+ netdev_features_t features)
+ {
+@@ -3604,9 +3581,6 @@ static const struct net_device_ops fec_n
+ .ndo_tx_timeout = fec_timeout,
+ .ndo_set_mac_address = fec_set_mac_address,
+ .ndo_eth_ioctl = fec_enet_ioctl,
+-#ifdef CONFIG_NET_POLL_CONTROLLER
+- .ndo_poll_controller = fec_poll_controller,
+-#endif
+ .ndo_set_features = fec_set_features,
+ };
+
--- /dev/null
+From stable+bounces-93930-greg=kroah.com@vger.kernel.org Tue Nov 19 09:06:43 2024
+From: Xiangyu Chen <xiangyu.chen@eng.windriver.com>
+Date: Tue, 19 Nov 2024 16:06:18 +0800
+Subject: net/sched: taprio: extend minimum interval restriction to entire cycle too
+To: vladimir.oltean@nxp.com, gregkh@linuxfoundation.org
+Cc: stable@vger.kernel.org, xiangyu.chen@aol.com
+Message-ID: <20241119080618.4010517-1-xiangyu.chen@eng.windriver.com>
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit fb66df20a7201e60f2b13d7f95d031b31a8831d3 ]
+
+It is possible for syzbot to side-step the restriction imposed by the
+blamed commit in the Fixes: tag, because the taprio UAPI permits a
+cycle-time different from (and potentially shorter than) the sum of
+entry intervals.
+
+We need one more restriction, which is that the cycle time itself must
+be larger than N * ETH_ZLEN bit times, where N is the number of schedule
+entries. This restriction needs to apply regardless of whether the cycle
+time came from the user or was the implicit, auto-calculated value, so
+we move the existing "cycle == 0" check outside the "if "(!new->cycle_time)"
+branch. This way covers both conditions and scenarios.
+
+Add a selftest which illustrates the issue triggered by syzbot.
+
+Fixes: b5b73b26b3ca ("taprio: Fix allowing too small intervals")
+Reported-by: syzbot+a7d2b1d5d1af83035567@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/0000000000007d66bc06196e7c66@google.com/
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Link: https://lore.kernel.org/r/20240527153955.553333-2-vladimir.oltean@nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_taprio.c | 10 ++--
+ tools/testing/selftests/tc-testing/tc-tests/qdiscs/taprio.json | 22 ++++++++++
+ 2 files changed, 27 insertions(+), 5 deletions(-)
+
+--- a/net/sched/sch_taprio.c
++++ b/net/sched/sch_taprio.c
+@@ -915,11 +915,6 @@ static int parse_taprio_schedule(struct
+ list_for_each_entry(entry, &new->entries, list)
+ cycle = ktime_add_ns(cycle, entry->interval);
+
+- if (!cycle) {
+- NL_SET_ERR_MSG(extack, "'cycle_time' can never be 0");
+- return -EINVAL;
+- }
+-
+ if (cycle < 0 || cycle > INT_MAX) {
+ NL_SET_ERR_MSG(extack, "'cycle_time' is too big");
+ return -EINVAL;
+@@ -928,6 +923,11 @@ static int parse_taprio_schedule(struct
+ new->cycle_time = cycle;
+ }
+
++ if (new->cycle_time < new->num_entries * length_to_duration(q, ETH_ZLEN)) {
++ NL_SET_ERR_MSG(extack, "'cycle_time' is too small");
++ return -EINVAL;
++ }
++
+ return 0;
+ }
+
+--- a/tools/testing/selftests/tc-testing/tc-tests/qdiscs/taprio.json
++++ b/tools/testing/selftests/tc-testing/tc-tests/qdiscs/taprio.json
+@@ -133,6 +133,28 @@
+ ]
+ },
+ {
++ "id": "831f",
++ "name": "Add taprio Qdisc with too short cycle-time",
++ "category": [
++ "qdisc",
++ "taprio"
++ ],
++ "plugins": {
++ "requires": "nsPlugin"
++ },
++ "setup": [
++ "echo \"1 1 8\" > /sys/bus/netdevsim/new_device"
++ ],
++ "cmdUnderTest": "$TC qdisc add dev $ETH root handle 1: taprio num_tc 2 queues 1@0 1@1 sched-entry S 01 200000 sched-entry S 02 200000 cycle-time 100 clockid CLOCK_TAI",
++ "expExitCode": "2",
++ "verifyCmd": "$TC qdisc show dev $ETH",
++ "matchPattern": "qdisc taprio 1: root refcnt",
++ "matchCount": "0",
++ "teardown": [
++ "echo \"1\" > /sys/bus/netdevsim/del_device"
++ ]
++ },
++ {
+ "id": "3e1e",
+ "name": "Add taprio Qdisc with an invalid cycle-time",
+ "category": [
net-add-copy_safe_from_sockptr-helper.patch
nfc-llcp-fix-nfc_llcp_setsockopt-unsafe-copies.patch
fs-9p-fix-uninitialized-values-during-inode-evict.patch
+ipvs-properly-dereference-pe-in-ip_vs_add_service.patch
+net-sched-taprio-extend-minimum-interval-restriction-to-entire-cycle-too.patch
+net-fec-remove-.ndo_poll_controller-to-avoid-deadlocks.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
