Fixing CVE-2024-38597
Jakub Kicinski (1): eth: sungem: remove .ndo_poll_controller to avoid deadlocks
Wei Fang (1): net: fec: remove .ndo_poll_controller to avoid deadlocks
drivers/net/ethernet/freescale/fec_main.c | 3 --- drivers/net/ethernet/sun/sungem.c | 14 -------------- 2 files changed, 17 deletions(-)
From: Wei Fang wei.fang@nxp.com
mainline inclusion from mainline-v6.10-rc1 commit c2e0c58b25a0a0c37ec643255558c5af4450c9f5 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6S6S CVE: CVE-2024-38597
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
There is a deadlock issue found in sungem driver, please refer to the commit ac0a230f719b ("eth: sungem: remove .ndo_poll_controller to avoid deadlocks"). The root cause of the issue is that netpoll is in atomic context and disable_irq() is called by .ndo_poll_controller interface of sungem driver, however, disable_irq() might sleep. After analyzing the implementation of fec_poll_controller(), the fec driver should have the same issue. Due to the fec driver uses NAPI for TX completions, the .ndo_poll_controller is unnecessary to be implemented in the fec driver, so fec_poll_controller() can be safely removed.
Fixes: 7f5c6addcdc0 ("net/fec: add poll controller function for fec nic") Signed-off-by: Wei Fang wei.fang@nxp.com Link: https://lore.kernel.org/r/20240511062009.652918-1-wei.fang@nxp.com Signed-off-by: Jakub Kicinski kuba@kernel.org
Conflicts: drivers/net/ethernet/freescale/fec_main.c [Adjust context conflicts] Signed-off-by: Liu Chuang liuchuang40@huawei.com --- drivers/net/ethernet/freescale/fec_main.c | 3 --- 1 file changed, 3 deletions(-)
diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c index 3e402c9b3598..e2441345593e 100644 --- a/drivers/net/ethernet/freescale/fec_main.c +++ b/drivers/net/ethernet/freescale/fec_main.c @@ -3101,9 +3101,6 @@ static const struct net_device_ops fec_netdev_ops = { .ndo_tx_timeout = fec_timeout, .ndo_set_mac_address = fec_set_mac_address, .ndo_do_ioctl = fec_enet_ioctl, -#ifdef CONFIG_NET_POLL_CONTROLLER - .ndo_poll_controller = fec_poll_controller, -#endif .ndo_set_features = fec_set_features, };
From: Jakub Kicinski kuba@kernel.org
mainline inclusion from mainline-v6.10-rc1 commit ac0a230f719b02432d8c7eba7615ebd691da86f4 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6S6S CVE: CVE-2024-38597
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
Erhard reports netpoll warnings from sungem:
netpoll_send_skb_on_dev(): eth0 enabled interrupts in poll (gem_start_xmit+0x0/0x398) WARNING: CPU: 1 PID: 1 at net/core/netpoll.c:370 netpoll_send_skb+0x1fc/0x20c
gem_poll_controller() disables interrupts, which may sleep. We can't sleep in netpoll, it has interrupts disabled completely. Strangely, gem_poll_controller() doesn't even poll the completions, and instead acts as if an interrupt has fired so it just schedules NAPI and exits. None of this has been necessary for years, since netpoll invokes NAPI directly.
Fixes: fe09bb619096 ("sungem: Spring cleaning and GRO support") Reported-and-tested-by: Erhard Furtner erhard_f@mailbox.org Link: https://lore.kernel.org/all/20240428125306.2c3080ef@legion Reviewed-by: Eric Dumazet edumazet@google.com Link: https://lore.kernel.org/r/20240508134504.3560956-1-kuba@kernel.org Signed-off-by: Jakub Kicinski kuba@kernel.org
Conflicts: drivers/net/ethernet/sun/sungem.c Signed-off-by: Liu Chuang liuchuang40@huawei.com --- drivers/net/ethernet/sun/sungem.c | 14 -------------- 1 file changed, 14 deletions(-)
diff --git a/drivers/net/ethernet/sun/sungem.c b/drivers/net/ethernet/sun/sungem.c index b9221fc1674d..de8ce1651989 100644 --- a/drivers/net/ethernet/sun/sungem.c +++ b/drivers/net/ethernet/sun/sungem.c @@ -959,17 +959,6 @@ static irqreturn_t gem_interrupt(int irq, void *dev_id) return IRQ_HANDLED; }
-#ifdef CONFIG_NET_POLL_CONTROLLER -static void gem_poll_controller(struct net_device *dev) -{ - struct gem *gp = netdev_priv(dev); - - disable_irq(gp->pdev->irq); - gem_interrupt(gp->pdev->irq, dev); - enable_irq(gp->pdev->irq); -} -#endif - static void gem_tx_timeout(struct net_device *dev) { struct gem *gp = netdev_priv(dev); @@ -2835,9 +2824,6 @@ static const struct net_device_ops gem_netdev_ops = { .ndo_change_mtu = gem_change_mtu, .ndo_validate_addr = eth_validate_addr, .ndo_set_mac_address = gem_set_mac_address, -#ifdef CONFIG_NET_POLL_CONTROLLER - .ndo_poll_controller = gem_poll_controller, -#endif };
static int gem_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://gitee.com/openeuler/kernel/pulls/9592 邮件列表地址:https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/6...
FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/9592 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/6...
-
Liu Chuang -
patchwork bot