From: Greg Kroah-Hartman Date: Tue, 19 Nov 2024 13:17:07 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v6.12.1~21 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e9f4f9f6590dd1e867616ef7790b6b19e15d57bd;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: ipvs-properly-dereference-pe-in-ip_vs_add_service.patch net-fec-remove-.ndo_poll_controller-to-avoid-deadlocks.patch net-sched-taprio-extend-minimum-interval-restriction-to-entire-cycle-too.patch --- diff --git a/queue-6.1/ipvs-properly-dereference-pe-in-ip_vs_add_service.patch b/queue-6.1/ipvs-properly-dereference-pe-in-ip_vs_add_service.patch new file mode 100644 index 00000000000..d42d093e863 --- /dev/null +++ b/queue-6.1/ipvs-properly-dereference-pe-in-ip_vs_add_service.patch @@ -0,0 +1,53 @@ +From stable+bounces-93947-greg=kroah.com@vger.kernel.org Tue Nov 19 11:25:26 2024 +From: Bin Lan +Date: Tue, 19 Nov 2024 18:20:10 +0800 +Subject: ipvs: properly dereference pe in ip_vs_add_service +To: , +Message-ID: <20241119102010.2572322-1-bin.lan.cn@windriver.com> + +From: Chen Hanxiao + +[ Upstream commit cbd070a4ae62f119058973f6d2c984e325bce6e7 ] + +Use pe directly to resolve sparse warning: + + net/netfilter/ipvs/ip_vs_ctl.c:1471:27: warning: dereference of noderef expression + +Fixes: 39b972231536 ("ipvs: handle connections started by real-servers") +Signed-off-by: Chen Hanxiao +Acked-by: Julian Anastasov +Acked-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +[ Resolve minor conflicts to fix CVE-2024-42322 ] +Signed-off-by: Bin Lan +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/ipvs/ip_vs_ctl.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/net/netfilter/ipvs/ip_vs_ctl.c ++++ b/net/netfilter/ipvs/ip_vs_ctl.c +@@ -1382,18 +1382,18 @@ ip_vs_add_service(struct netns_ipvs *ipv + sched = NULL; + } + +- /* Bind the ct retriever */ +- RCU_INIT_POINTER(svc->pe, pe); +- pe = NULL; +- + /* Update the virtual service counters */ + if (svc->port == FTPPORT) + atomic_inc(&ipvs->ftpsvc_counter); + else if (svc->port == 0) + atomic_inc(&ipvs->nullsvc_counter); +- if (svc->pe && svc->pe->conn_out) ++ if (pe && pe->conn_out) + atomic_inc(&ipvs->conn_out_counter); + ++ /* Bind the ct retriever */ ++ RCU_INIT_POINTER(svc->pe, pe); ++ pe = NULL; ++ + ip_vs_start_estimator(ipvs, &svc->stats); + + /* Count only IPv4 services for old get/setsockopt interface */ diff --git a/queue-6.1/net-fec-remove-.ndo_poll_controller-to-avoid-deadlocks.patch b/queue-6.1/net-fec-remove-.ndo_poll_controller-to-avoid-deadlocks.patch new file mode 100644 index 00000000000..4c8654c2f5a --- /dev/null +++ b/queue-6.1/net-fec-remove-.ndo_poll_controller-to-avoid-deadlocks.patch @@ -0,0 +1,75 @@ +From prvs=1053b6616b=xiangyu.chen@windriver.com Tue Nov 19 08:41:51 2024 +From: Xiangyu Chen +Date: Tue, 19 Nov 2024 15:41:35 +0800 +Subject: net: fec: remove .ndo_poll_controller to avoid deadlocks +To: wei.fang@nxp.com, gregkh@linuxfoundation.org +Cc: stable@vger.kernel.org, xiangyu.chen@aol.com +Message-ID: <20241119074135.4005807-1-xiangyu.chen@eng.windriver.com> + +From: Wei Fang + +[ Upstream commit c2e0c58b25a0a0c37ec643255558c5af4450c9f5 ] + +There is a deadlock issue found in sungem driver, please refer to the +commit ac0a230f719b ("eth: sungem: remove .ndo_poll_controller to avoid +deadlocks"). The root cause of the issue is that netpoll is in atomic +context and disable_irq() is called by .ndo_poll_controller interface +of sungem driver, however, disable_irq() might sleep. After analyzing +the implementation of fec_poll_controller(), the fec driver should have +the same issue. Due to the fec driver uses NAPI for TX completions, the +.ndo_poll_controller is unnecessary to be implemented in the fec driver, +so fec_poll_controller() can be safely removed. + +Fixes: 7f5c6addcdc0 ("net/fec: add poll controller function for fec nic") +Signed-off-by: Wei Fang +Link: https://lore.kernel.org/r/20240511062009.652918-1-wei.fang@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +Signed-off-by: Xiangyu Chen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/fec_main.c | 26 -------------------------- + 1 file changed, 26 deletions(-) + +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -3508,29 +3508,6 @@ fec_set_mac_address(struct net_device *n + return 0; + } + +-#ifdef CONFIG_NET_POLL_CONTROLLER +-/** +- * fec_poll_controller - FEC Poll controller function +- * @dev: The FEC network adapter +- * +- * Polled functionality used by netconsole and others in non interrupt mode +- * +- */ +-static void fec_poll_controller(struct net_device *dev) +-{ +- int i; +- struct fec_enet_private *fep = netdev_priv(dev); +- +- for (i = 0; i < FEC_IRQ_NUM; i++) { +- if (fep->irq[i] > 0) { +- disable_irq(fep->irq[i]); +- fec_enet_interrupt(fep->irq[i], dev); +- enable_irq(fep->irq[i]); +- } +- } +-} +-#endif +- + static inline void fec_enet_set_netdev_features(struct net_device *netdev, + netdev_features_t features) + { +@@ -3604,9 +3581,6 @@ static const struct net_device_ops fec_n + .ndo_tx_timeout = fec_timeout, + .ndo_set_mac_address = fec_set_mac_address, + .ndo_eth_ioctl = fec_enet_ioctl, +-#ifdef CONFIG_NET_POLL_CONTROLLER +- .ndo_poll_controller = fec_poll_controller, +-#endif + .ndo_set_features = fec_set_features, + }; + diff --git a/queue-6.1/net-sched-taprio-extend-minimum-interval-restriction-to-entire-cycle-too.patch b/queue-6.1/net-sched-taprio-extend-minimum-interval-restriction-to-entire-cycle-too.patch new file mode 100644 index 00000000000..bfa97651684 --- /dev/null +++ b/queue-6.1/net-sched-taprio-extend-minimum-interval-restriction-to-entire-cycle-too.patch @@ -0,0 +1,97 @@ +From stable+bounces-93930-greg=kroah.com@vger.kernel.org Tue Nov 19 09:06:43 2024 +From: Xiangyu Chen +Date: Tue, 19 Nov 2024 16:06:18 +0800 +Subject: net/sched: taprio: extend minimum interval restriction to entire cycle too +To: vladimir.oltean@nxp.com, gregkh@linuxfoundation.org +Cc: stable@vger.kernel.org, xiangyu.chen@aol.com +Message-ID: <20241119080618.4010517-1-xiangyu.chen@eng.windriver.com> + +From: Vladimir Oltean + +[ Upstream commit fb66df20a7201e60f2b13d7f95d031b31a8831d3 ] + +It is possible for syzbot to side-step the restriction imposed by the +blamed commit in the Fixes: tag, because the taprio UAPI permits a +cycle-time different from (and potentially shorter than) the sum of +entry intervals. + +We need one more restriction, which is that the cycle time itself must +be larger than N * ETH_ZLEN bit times, where N is the number of schedule +entries. This restriction needs to apply regardless of whether the cycle +time came from the user or was the implicit, auto-calculated value, so +we move the existing "cycle == 0" check outside the "if "(!new->cycle_time)" +branch. This way covers both conditions and scenarios. + +Add a selftest which illustrates the issue triggered by syzbot. + +Fixes: b5b73b26b3ca ("taprio: Fix allowing too small intervals") +Reported-by: syzbot+a7d2b1d5d1af83035567@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/0000000000007d66bc06196e7c66@google.com/ +Signed-off-by: Vladimir Oltean +Link: https://lore.kernel.org/r/20240527153955.553333-2-vladimir.oltean@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +Signed-off-by: Xiangyu Chen +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_taprio.c | 10 ++-- + tools/testing/selftests/tc-testing/tc-tests/qdiscs/taprio.json | 22 ++++++++++ + 2 files changed, 27 insertions(+), 5 deletions(-) + +--- a/net/sched/sch_taprio.c ++++ b/net/sched/sch_taprio.c +@@ -915,11 +915,6 @@ static int parse_taprio_schedule(struct + list_for_each_entry(entry, &new->entries, list) + cycle = ktime_add_ns(cycle, entry->interval); + +- if (!cycle) { +- NL_SET_ERR_MSG(extack, "'cycle_time' can never be 0"); +- return -EINVAL; +- } +- + if (cycle < 0 || cycle > INT_MAX) { + NL_SET_ERR_MSG(extack, "'cycle_time' is too big"); + return -EINVAL; +@@ -928,6 +923,11 @@ static int parse_taprio_schedule(struct + new->cycle_time = cycle; + } + ++ if (new->cycle_time < new->num_entries * length_to_duration(q, ETH_ZLEN)) { ++ NL_SET_ERR_MSG(extack, "'cycle_time' is too small"); ++ return -EINVAL; ++ } ++ + return 0; + } + +--- a/tools/testing/selftests/tc-testing/tc-tests/qdiscs/taprio.json ++++ b/tools/testing/selftests/tc-testing/tc-tests/qdiscs/taprio.json +@@ -133,6 +133,28 @@ + ] + }, + { ++ "id": "831f", ++ "name": "Add taprio Qdisc with too short cycle-time", ++ "category": [ ++ "qdisc", ++ "taprio" ++ ], ++ "plugins": { ++ "requires": "nsPlugin" ++ }, ++ "setup": [ ++ "echo \"1 1 8\" > /sys/bus/netdevsim/new_device" ++ ], ++ "cmdUnderTest": "$TC qdisc add dev $ETH root handle 1: taprio num_tc 2 queues 1@0 1@1 sched-entry S 01 200000 sched-entry S 02 200000 cycle-time 100 clockid CLOCK_TAI", ++ "expExitCode": "2", ++ "verifyCmd": "$TC qdisc show dev $ETH", ++ "matchPattern": "qdisc taprio 1: root refcnt", ++ "matchCount": "0", ++ "teardown": [ ++ "echo \"1\" > /sys/bus/netdevsim/del_device" ++ ] ++ }, ++ { + "id": "3e1e", + "name": "Add taprio Qdisc with an invalid cycle-time", + "category": [ diff --git a/queue-6.1/series b/queue-6.1/series index 978438ba32b..6253bd1282d 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -55,3 +55,6 @@ ksmbd-fix-potencial-out-of-bounds-when-buffer-offset-is-invalid.patch net-add-copy_safe_from_sockptr-helper.patch nfc-llcp-fix-nfc_llcp_setsockopt-unsafe-copies.patch fs-9p-fix-uninitialized-values-during-inode-evict.patch +ipvs-properly-dereference-pe-in-ip_vs_add_service.patch +net-sched-taprio-extend-minimum-interval-restriction-to-entire-cycle-too.patch +net-fec-remove-.ndo_poll_controller-to-avoid-deadlocks.patch