From d1df83c4ec783b8836eb12cc3460b7435de4c3d9 Mon Sep 17 00:00:00 2001 From: Kernel Build Daemon Date: Apr 06 2022 05:18:03 +0000 Subject: Merge branch 'SLE12-SP5' into SLE12-SP5-AZURE --- diff --git a/blacklist.conf b/blacklist.conf index d7d4bf9..acbaf3f 100644 --- a/blacklist.conf +++ b/blacklist.conf @@ -2105,3 +2105,5 @@ ff0e50d3564f33b7f4b35cadeabd951d66cfc570 # known to cause regressions 21b5fcdccb32ff09b6b63d4a83c037150665a83f # no gadget mode in SLE12 63c4c320ccf77074ffe9019ac596603133c1b517 # no gadget mode in SLE12 123086843372bc93d26f52edfb71dbf951cd2f17 # # requires USB PD 3.0 +6c984083ec2453dfd3fcf98f392f34500c73e3f2 # not needed +cb8fac6d2727f79f211e745b16c9abbf4d8be652 # cosmetic diff --git a/patches.suse/IB-hfi1-Adjust-pkey-entry-in-index-0.patch b/patches.suse/IB-hfi1-Adjust-pkey-entry-in-index-0.patch new file mode 100644 index 0000000..691c173 --- /dev/null +++ b/patches.suse/IB-hfi1-Adjust-pkey-entry-in-index-0.patch 
@@ -0,0 +1,67 @@ +From 62004871e1fa7f9a60797595c03477af5b5ec36f Mon Sep 17 00:00:00 2001 +From: Mike Marciniszyn +Date: Thu, 15 Jul 2021 12:04:45 -0400 +Subject: [PATCH 1/1] IB/hfi1: Adjust pkey entry in index 0 +Git-commit: 62004871e1fa7f9a60797595c03477af5b5ec36f +Patch-mainline: v5.15 +References: git-fixes + +It is possible for the primary IPoIB network device associated with any +RDMA device to fail to join certain multicast groups preventing IPv6 +neighbor discovery and possibly other network ULPs from working +correctly. The IPv4 broadcast group is not affected as the IPoIB network +device handles joining that multicast group directly. + +This is because the primary IPoIB network device uses the pkey at ndex 0 +in the associated RDMA device's pkey table. Anytime the pkey value of +index 0 changes, the primary IPoIB network device automatically modifies +it's broadcast address (i.e. /sys/class/net/[ib0]/broadcast), since the +broadcast address includes the pkey value, and then bounces carrier. This +includes initial pkey assignment, such as when the pkey at index 0 +transitions from the opa default of invalid (0x0000) to some value such as +the OPA default pkey for Virtual Fabric 0: 0x8001 or when the fabric +manager is restarted with a configuration change causing the pkey at index +0 to change. Many network ULPs are not sensitive to the carrier bounce and +are not expecting the broadcast address to change including the linux IPv6 +stack. This problem does not affect IPoIB child network devices as their +pkey value is constant for all time. + +To mitigate this issue, change the default pkey in at index 0 to 0x8001 to +cover the predominant case and avoid issues as ipoib comes up and the FM +sweeps. + +At some point, ipoib multicast support should automatically fix +non-broadcast addresses as it does with the primary broadcast address. 
+ +Fixes: 7724105686e7 ("IB/hfi1: add driver files") +Link: https://lore.kernel.org/r/20210715160445.142451.47651.stgit@awfm-01.cornelisnetworks.com +Suggested-by: Josh Collier +Signed-off-by: Mike Marciniszyn +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/hfi1/init.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +diff --git a/drivers/infiniband/hw/hfi1/init.c b/drivers/infiniband/hw/hfi1/init.c +index 0986aa065418..34106e5be679 100644 +--- a/drivers/infiniband/hw/hfi1/init.c ++++ b/drivers/infiniband/hw/hfi1/init.c +@@ -650,12 +650,7 @@ void hfi1_init_pportdata(struct pci_dev *pdev, struct hfi1_pportdata *ppd, + + ppd->pkeys[default_pkey_idx] = DEFAULT_P_KEY; + ppd->part_enforce |= HFI1_PART_ENFORCE_IN; +- +- if (loopback) { +- dd_dev_err(dd, "Faking data partition 0x8001 in idx %u\n", +- !default_pkey_idx); +- ppd->pkeys[!default_pkey_idx] = 0x8001; +- } ++ ppd->pkeys[0] = 0x8001; + + INIT_WORK(&ppd->link_vc_work, handle_verify_cap); + INIT_WORK(&ppd->link_up_work, handle_link_up); +-- +2.35.0 + diff --git a/patches.suse/IB-hfi1-Correct-guard-on-eager-buffer-deallocation.patch b/patches.suse/IB-hfi1-Correct-guard-on-eager-buffer-deallocation.patch new file mode 100644 index 0000000..45c6cd7 --- /dev/null +++ b/patches.suse/IB-hfi1-Correct-guard-on-eager-buffer-deallocation.patch 
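Review bot: The new `ppd->pkeys[0] = 0x8001;` in hfi1_init_pportdata() is a bare magic number now that the loopback message which explained it has been removed. A comment such as `/* OPA default pkey for Virtual Fabric 0; set at init so the ipoib broadcast address does not change later */` would keep the reason next to the code. The store also follows `ppd->pkeys[default_pkey_idx] = DEFAULT_P_KEY;`, so if default_pkey_idx can ever be 0 the value written on the previous line is silently overwritten. The assignment of default_pkey_idx is outside the hunk, as are the start and end of the function, so that should be confirmed.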
@@ -0,0 +1,39 @@ +From 9292f8f9a2ac42eb320bced7153aa2e63d8cc13a Mon Sep 17 00:00:00 2001 +From: Mike Marciniszyn +Date: Mon, 29 Nov 2021 14:19:52 -0500 +Subject: [PATCH 1/1] IB/hfi1: Correct guard on eager buffer deallocation +Git-commit: 9292f8f9a2ac42eb320bced7153aa2e63d8cc13a +Patch-mainline: v5.16 +References: git-fixes + +The code tests the dma address which legitimately can be 0. + +The code should test the kernel logical address to avoid leaking eager +buffer allocations that happen to map to a dma address of 0. + +Fixes: 60368186fd85 ("IB/hfi1: Fix user-space buffers mapping with IOMMU enabled") +Link: https://lore.kernel.org/r/20211129191952.101968.17137.stgit@awfm-01.cornelisnetworks.com +Signed-off-by: Mike Marciniszyn +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/hfi1/init.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/hfi1/init.c b/drivers/infiniband/hw/hfi1/init.c +index dbd1c31830b9..8e1236be46e1 100644 +--- a/drivers/infiniband/hw/hfi1/init.c ++++ b/drivers/infiniband/hw/hfi1/init.c +@@ -1120,7 +1120,7 @@ void hfi1_free_ctxtdata(struct hfi1_devdata *dd, struct hfi1_ctxtdata *rcd) + rcd->egrbufs.rcvtids = NULL; + + for (e = 0; e < rcd->egrbufs.alloced; e++) { +- if (rcd->egrbufs.buffers[e].dma) ++ if (rcd->egrbufs.buffers[e].addr) + dma_free_coherent(&dd->pcidev->dev, + rcd->egrbufs.buffers[e].len, + rcd->egrbufs.buffers[e].addr, +-- +2.35.0 + diff --git a/patches.suse/IB-hfi1-Fix-leak-of-rcvhdrtail_dummy_kvaddr.patch b/patches.suse/IB-hfi1-Fix-leak-of-rcvhdrtail_dummy_kvaddr.patch new file mode 100644 index 0000000..8a36263 --- /dev/null +++ b/patches.suse/IB-hfi1-Fix-leak-of-rcvhdrtail_dummy_kvaddr.patch 
@@ -0,0 +1,116 @@ +From 60a8b5a1611b4a26de4839ab9c1fc2a9cf3e17c1 Mon Sep 17 00:00:00 2001 +From: Mike Marciniszyn +Date: Mon, 29 Nov 2021 14:20:08 -0500 +Subject: [PATCH 1/1] IB/hfi1: Fix leak of rcvhdrtail_dummy_kvaddr +Git-commit: 60a8b5a1611b4a26de4839ab9c1fc2a9cf3e17c1 +Patch-mainline: v5.16 +References: git-fixes + +This buffer is currently allocated in hfi1_init(): + + if (reinit) + ret = init_after_reset(dd); + else + ret = loadtime_init(dd); + if (ret) + goto done; + + /* allocate dummy tail memory for all receive contexts */ + dd->rcvhdrtail_dummy_kvaddr = dma_alloc_coherent(&dd->pcidev->dev, + sizeof(u64), + &dd->rcvhdrtail_dummy_dma, + GFP_KERNEL); + + if (!dd->rcvhdrtail_dummy_kvaddr) { + dd_dev_err(dd, "cannot allocate dummy tail memory\n"); + ret = -ENOMEM; + goto done; + } + +The reinit triggered path will overwrite the old allocation and leak it. + +Fix by moving the allocation to hfi1_alloc_devdata() and the deallocation +to hfi1_free_devdata(). + +Link: https://lore.kernel.org/r/20211129192008.101968.91302.stgit@awfm-01.cornelisnetworks.com +Cc: stable@vger.kernel.org +Fixes: 46b010d3eeb8 ("staging/rdma/hfi1: Workaround to prevent corruption during packet delivery") +Signed-off-by: Mike Marciniszyn +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/hfi1/init.c | 36 +++++++++++++++---------------- + 1 file changed, 17 insertions(+), 19 deletions(-) + +diff --git a/drivers/infiniband/hw/hfi1/init.c b/drivers/infiniband/hw/hfi1/init.c +index 6422dd6cae60..4436ed41547c 100644 +--- a/drivers/infiniband/hw/hfi1/init.c ++++ b/drivers/infiniband/hw/hfi1/init.c +@@ -921,18 +921,6 @@ int hfi1_init(struct hfi1_devdata *dd, int reinit) + if (ret) + goto done; + +- /* allocate dummy tail memory for all receive contexts */ +- dd->rcvhdrtail_dummy_kvaddr = dma_zalloc_coherent( +- &dd->pcidev->dev, sizeof(u64), +- &dd->rcvhdrtail_dummy_dma, +- GFP_KERNEL); +- +- if 
(!dd->rcvhdrtail_dummy_kvaddr) { +- dd_dev_err(dd, "cannot allocate dummy tail memory\n"); +- ret = -ENOMEM; +- goto done; +- } +- + /* dd->rcd can be NULL if early initialization failed */ + for (i = 0; dd->rcd && i < dd->first_dyn_alloc_ctxt; ++i) { + /* +@@ -1261,6 +1249,11 @@ static void hfi1_clean_devdata(struct hfi1_devdata *dd) + dd->tx_opstats = NULL; + kfree(dd->comp_vect); + dd->comp_vect = NULL; ++ if (dd->rcvhdrtail_dummy_kvaddr) ++ dma_free_coherent(&dd->pcidev->dev, sizeof(u64), ++ (void *)dd->rcvhdrtail_dummy_kvaddr, ++ dd->rcvhdrtail_dummy_dma); ++ dd->rcvhdrtail_dummy_kvaddr = NULL; + sdma_clean(dd, dd->num_sdma); + rvt_dealloc_device(&dd->verbs_dev.rdi); + } +@@ -1381,6 +1374,18 @@ static struct hfi1_devdata *hfi1_alloc_devdata(struct pci_dev *pdev, + goto bail; + } + ++ /* allocate dummy tail memory for all receive contexts */ ++ dd->rcvhdrtail_dummy_kvaddr = dma_zalloc_coherent( ++ &dd->pcidev->dev, sizeof(u64), ++ &dd->rcvhdrtail_dummy_dma, ++ GFP_KERNEL); ++ ++ if (!dd->rcvhdrtail_dummy_kvaddr) { ++ ret = -ENOMEM; ++ goto bail; ++ } ++ ++ + kobject_init(&dd->kobj, &hfi1_devdata_type); + return dd; + +@@ -1584,13 +1589,6 @@ static void cleanup_device_data(struct hfi1_devdata *dd) + + free_credit_return(dd); + +- if (dd->rcvhdrtail_dummy_kvaddr) { +- dma_free_coherent(&dd->pcidev->dev, sizeof(u64), +- (void *)dd->rcvhdrtail_dummy_kvaddr, +- dd->rcvhdrtail_dummy_dma); +- dd->rcvhdrtail_dummy_kvaddr = NULL; +- } +- + /* + * Free any resources still in use (usually just kernel contexts) + * at unload; we do for ctxtcnt, because that's what we allocate. +-- +2.35.0 + diff --git a/patches.suse/IB-hfi1-Fix-possible-null-pointer-dereference-in-_ex.patch b/patches.suse/IB-hfi1-Fix-possible-null-pointer-dereference-in-_ex.patch new file mode 100644 index 0000000..845cd9b --- /dev/null +++ b/patches.suse/IB-hfi1-Fix-possible-null-pointer-dereference-in-_ex.patch 
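Review bot: The allocation moved into hfi1_alloc_devdata() now fails silently, because the `dd_dev_err(dd, "cannot allocate dummy tail memory\n");` from the old hfi1_init() path was dropped. An -ENOMEM at probe time therefore gives no hint of which allocation failed, so I would keep a message before `goto bail`. The buffer is also zeroed only once and then reused across the reinit path, where every hfi1_init() call used to get a fresh zeroed buffer; if anything reads the dummy tail, that presumably needs checking. The hunk also adds two consecutive blank lines before `kobject_init()`. All the functions touched continue outside the hunks.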
@@ -0,0 +1,64 @@ +From cbe71c61992c38f72c2b625b2ef25916b9f0d060 Mon Sep 17 00:00:00 2001 +From: Tuo Li +Date: Fri, 6 Aug 2021 06:30:29 -0700 +Subject: [PATCH 1/1] IB/hfi1: Fix possible null-pointer dereference in + _extend_sdma_tx_descs() +Git-commit: cbe71c61992c38f72c2b625b2ef25916b9f0d060 +Patch-mainline: v5.14 +References: git-fixes + +kmalloc_array() is called to allocate memory for tx->descp. If it fails, +the function __sdma_txclean() is called: + __sdma_txclean(dd, tx); + +However, in the function __sdma_txclean(), tx-descp is dereferenced if +tx->num_desc is not zero: + sdma_unmap_desc(dd, &tx->descp[0]); + +To fix this possible null-pointer dereference, assign the return value of +kmalloc_array() to a local variable descp, and then assign it to tx->descp +if it is not NULL. Otherwise, go to enomem. + +Fixes: 7724105686e7 ("IB/hfi1: add driver files") +Link: https://lore.kernel.org/r/20210806133029.194964-1-islituo@gmail.com +Reported-by: TOTE Robot +Signed-off-by: Tuo Li +Tested-by: Mike Marciniszyn +Acked-by: Mike Marciniszyn +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/hfi1/sdma.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/infiniband/hw/hfi1/sdma.c b/drivers/infiniband/hw/hfi1/sdma.c +index eb15c310d63d..e83dc562629e 100644 +--- a/drivers/infiniband/hw/hfi1/sdma.c ++++ b/drivers/infiniband/hw/hfi1/sdma.c +@@ -3055,6 +3055,7 @@ static void __sdma_process_event(struct sdma_engine *sde, + static int _extend_sdma_tx_descs(struct hfi1_devdata *dd, struct sdma_txreq *tx) + { + int i; ++ struct sdma_desc *descp; + + /* Handle last descriptor */ + if (unlikely((tx->num_desc == (MAX_DESC - 1)))) { +@@ -3075,12 +3076,10 @@ static int _extend_sdma_tx_descs(struct hfi1_devdata *dd, struct sdma_txreq *tx) + if (unlikely(tx->num_desc == MAX_DESC)) + goto enomem; + +- tx->descp = kmalloc_array( +- MAX_DESC, +- sizeof(struct sdma_desc), +- GFP_ATOMIC); +- if (!tx->descp) 
++ descp = kmalloc_array(MAX_DESC, sizeof(struct sdma_desc), GFP_ATOMIC); ++ if (!descp) + goto enomem; ++ tx->descp = descp; + + /* reserve last descriptor for coalescing */ + tx->desc_limit = MAX_DESC - 1; +-- +2.35.0 + diff --git a/patches.suse/IB-hfi1-Insure-use-of-smp_processor_id-is-preempt-di.patch b/patches.suse/IB-hfi1-Insure-use-of-smp_processor_id-is-preempt-di.patch new file mode 100644 index 0000000..52e2f9b --- /dev/null +++ b/patches.suse/IB-hfi1-Insure-use-of-smp_processor_id-is-preempt-di.patch 
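Review bot: The reason for the new local `descp` in _extend_sdma_tx_descs() is not recorded in the code, so a later cleanup could fold it back into a direct assignment. A comment above the allocation such as `/* allocate into a local: the enomem path calls __sdma_txclean(), which dereferences tx->descp when num_desc != 0 */` would protect the fix. That behaviour of __sdma_txclean() is taken from the commit message; its body and the `enomem` label are outside the hunk.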
@@ -0,0 +1,67 @@ +From b6d57e24ce6cc3df8a8845e1b193e88a65d501b1 Mon Sep 17 00:00:00 2001 +From: Mike Marciniszyn +Date: Mon, 29 Nov 2021 14:19:58 -0500 +Subject: [PATCH 1/1] IB/hfi1: Insure use of smp_processor_id() is preempt + disabled +Git-commit: b6d57e24ce6cc3df8a8845e1b193e88a65d501b1 +Patch-mainline: v5.16 +References: git-fixes + +The following BUG has just surfaced with our 5.16 testing: + + BUG: using smp_processor_id() in preemptible [00000000] code: mpicheck/1581081 + caller is sdma_select_user_engine+0x72/0x210 [hfi1] + CPU: 0 PID: 1581081 Comm: mpicheck Tainted: G S 5.16.0-rc1+ #1 + Hardware name: Intel Corporation S2600WT2R/S2600WT2R, BIOS SE5C610.86B.01.01.0016.033120161139 03/31/2016 + Call Trace: + + dump_stack_lvl+0x33/0x42 + check_preemption_disabled+0xbf/0xe0 + sdma_select_user_engine+0x72/0x210 [hfi1] + ? _raw_spin_unlock_irqrestore+0x1f/0x31 + ? hfi1_mmu_rb_insert+0x6b/0x200 [hfi1] + hfi1_user_sdma_process_request+0xa02/0x1120 [hfi1] + ? hfi1_write_iter+0xb8/0x200 [hfi1] + hfi1_write_iter+0xb8/0x200 [hfi1] + do_iter_readv_writev+0x163/0x1c0 + do_iter_write+0x80/0x1c0 + vfs_writev+0x88/0x1a0 + ? recalibrate_cpu_khz+0x10/0x10 + ? ktime_get+0x3e/0xa0 + ? __fget_files+0x66/0xa0 + do_writev+0x65/0x100 + do_syscall_64+0x3a/0x80 + +Fix this long standing bug by moving the smp_processor_id() to after the +rcu_read_lock(). + +The rcu_read_lock() implicitly disables preemption. 
+ +Link: https://lore.kernel.org/r/20211129191958.101968.87329.stgit@awfm-01.cornelisnetworks.com +Cc: stable@vger.kernel.org +Fixes: 0cb2aa690c7e ("IB/hfi1: Add sysfs interface for affinity setup") +Signed-off-by: Mike Marciniszyn +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/hfi1/sdma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/hfi1/sdma.c b/drivers/infiniband/hw/hfi1/sdma.c +index 2b6c24b7b586..f07d328689d3 100644 +--- a/drivers/infiniband/hw/hfi1/sdma.c ++++ b/drivers/infiniband/hw/hfi1/sdma.c +@@ -879,8 +879,8 @@ struct sdma_engine *sdma_select_user_engine(struct hfi1_devdata *dd, + if (cpumask_weight(current_mask) != 1) + goto out; + +- cpu_id = smp_processor_id(); + rcu_read_lock(); ++ cpu_id = smp_processor_id(); + rht_node = rhashtable_lookup_fast(dd->sdma_rht, &cpu_id, + sdma_rht_params); + +-- +2.35.0 + diff --git a/patches.suse/IB-qib-Protect-from-buffer-overflow-in-struct-qib_us.patch b/patches.suse/IB-qib-Protect-from-buffer-overflow-in-struct-qib_us.patch new file mode 100644 index 0000000..f0b51d5 --- /dev/null +++ b/patches.suse/IB-qib-Protect-from-buffer-overflow-in-struct-qib_us.patch 
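Review bot: Moving `cpu_id = smp_processor_id();` below `rcu_read_lock()` in sdma_select_user_engine() only satisfies the preemption check when rcu_read_lock() actually disables preemption. That is not the case on kernels built with preemptible RCU (CONFIG_PREEMPT_RCU). If this tree can be configured that way, `cpu_id = get_cpu();` with a matching `put_cpu();` after the lookup would not depend on the RCU flavour. Otherwise a comment such as `/* relies on non-preemptible RCU: rcu_read_lock() disables preemption here */` should state the assumption. The function body starts and ends outside the hunk.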
@@ -0,0 +1,120 @@ +From d39bf40e55e666b5905fdbd46a0dced030ce87be Mon Sep 17 00:00:00 2001 +From: Mike Marciniszyn +Date: Tue, 12 Oct 2021 13:55:19 -0400 +Subject: [PATCH 1/1] IB/qib: Protect from buffer overflow in struct + qib_user_sdma_pkt fields +Git-commit: d39bf40e55e666b5905fdbd46a0dced030ce87be +Patch-mainline: v5.15 +References: git-fixes + +Overflowing either addrlimit or bytes_togo can allow userspace to trigger +a buffer overflow of kernel memory. Check for overflows in all the places +doing math on user controlled buffers. + +Fixes: f931551bafe1 ("IB/qib: Add new qib driver for QLogic PCIe InfiniBand adapters") +Link: https://lore.kernel.org/r/20211012175519.7298.77738.stgit@awfm-01.cornelisnetworks.com +Reported-by: Ilja Van Sprundel +Reviewed-by: Dennis Dalessandro +Signed-off-by: Mike Marciniszyn +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/qib/qib_user_sdma.c | 33 ++++++++++++++++------- + 1 file changed, 23 insertions(+), 10 deletions(-) + +diff --git a/drivers/infiniband/hw/qib/qib_user_sdma.c b/drivers/infiniband/hw/qib/qib_user_sdma.c +index a67599b5a550..ac11943a5ddb 100644 +--- a/drivers/infiniband/hw/qib/qib_user_sdma.c ++++ b/drivers/infiniband/hw/qib/qib_user_sdma.c +@@ -602,7 +602,7 @@ done: + /* + * How many pages in this iovec element? 
+ */ +-static int qib_user_sdma_num_pages(const struct iovec *iov) ++static size_t qib_user_sdma_num_pages(const struct iovec *iov) + { + const unsigned long addr = (unsigned long) iov->iov_base; + const unsigned long len = iov->iov_len; +@@ -658,7 +658,7 @@ static void qib_user_sdma_free_pkt_frag(struct device *dev, + static int qib_user_sdma_pin_pages(const struct qib_devdata *dd, + struct qib_user_sdma_queue *pq, + struct qib_user_sdma_pkt *pkt, +- unsigned long addr, int tlen, int npages) ++ unsigned long addr, int tlen, size_t npages) + { + struct page *pages[8]; + int i, j; +@@ -722,7 +722,7 @@ static int qib_user_sdma_pin_pkt(const struct qib_devdata *dd, + unsigned long idx; + + for (idx = 0; idx < niov; idx++) { +- const int npages = qib_user_sdma_num_pages(iov + idx); ++ const size_t npages = qib_user_sdma_num_pages(iov + idx); + const unsigned long addr = (unsigned long) iov[idx].iov_base; + + ret = qib_user_sdma_pin_pages(dd, pq, pkt, addr, +@@ -824,8 +824,8 @@ static int qib_user_sdma_queue_pkts(const struct qib_devdata *dd, + unsigned pktnw; + unsigned pktnwc; + int nfrags = 0; +- int npages = 0; +- int bytes_togo = 0; ++ size_t npages = 0; ++ size_t bytes_togo = 0; + int tiddma = 0; + int cfur; + +@@ -885,7 +885,11 @@ static int qib_user_sdma_queue_pkts(const struct qib_devdata *dd, + + npages += qib_user_sdma_num_pages(&iov[idx]); + +- bytes_togo += slen; ++ if (check_add_overflow(bytes_togo, slen, &bytes_togo) || ++ bytes_togo > type_max(typeof(pkt->bytes_togo))) { ++ ret = -EINVAL; ++ goto free_pbc; ++ } + pktnwc += slen >> 2; + idx++; + nfrags++; +@@ -904,8 +908,7 @@ static int qib_user_sdma_queue_pkts(const struct qib_devdata *dd, + } + + if (frag_size) { +- int tidsmsize, n; +- size_t pktsize; ++ size_t tidsmsize, n, pktsize, sz, addrlimit; + + n = npages*((2*PAGE_SIZE/frag_size)+1); + pktsize = struct_size(pkt, addr, n); +@@ -923,14 +926,24 @@ static int qib_user_sdma_queue_pkts(const struct qib_devdata *dd, + else + tidsmsize = 0; + +- pkt = 
kmalloc(pktsize+tidsmsize, GFP_KERNEL); ++ if (check_add_overflow(pktsize, tidsmsize, &sz)) { ++ ret = -EINVAL; ++ goto free_pbc; ++ } ++ pkt = kmalloc(sz, GFP_KERNEL); + if (!pkt) { + ret = -ENOMEM; + goto free_pbc; + } + pkt->largepkt = 1; + pkt->frag_size = frag_size; +- pkt->addrlimit = n + ARRAY_SIZE(pkt->addr); ++ if (check_add_overflow(n, ARRAY_SIZE(pkt->addr), ++ &addrlimit) || ++ addrlimit > type_max(typeof(pkt->addrlimit))) { ++ ret = -EINVAL; ++ goto free_pbc; ++ } ++ pkt->addrlimit = addrlimit; + + if (tiddma) { + char *tidsm = (char *)pkt + pktsize; +-- +2.35.0 + diff --git a/patches.suse/NFS-Return-valid-errors-from-nfs2-3_decode_dirent.patch b/patches.suse/NFS-Return-valid-errors-from-nfs2-3_decode_dirent.patch new file mode 100644 index 0000000..d7f1183 --- /dev/null +++ b/patches.suse/NFS-Return-valid-errors-from-nfs2-3_decode_dirent.patch 
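Review bot: In the last hunk of qib_user_sdma_queue_pkts(), the new addrlimit check runs after `pkt = kmalloc(sz, GFP_KERNEL)` has succeeded but bails out with `goto free_pbc`. As far as the hunk shows, the freshly allocated pkt is not freed on that path, and since the sizes come from user-supplied iovecs this is a kernel memory leak reachable from userspace. The jump should target whichever cleanup label frees pkt (the labels are outside the hunk), or the addrlimit check should move ahead of the kmalloc so nothing is allocated yet. Separately, `n = npages*((2*PAGE_SIZE/frag_size)+1);` and `npages += qib_user_sdma_num_pages(&iov[idx]);` remain unchecked arithmetic on the same user-derived values. Using `check_mul_overflow()` and `check_add_overflow()` there would match the rest of the patch.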
@@ -0,0 +1,98 @@ +From: Trond Myklebust +Date: Thu, 24 Feb 2022 10:59:37 -0500 +Subject: [PATCH] NFS: Return valid errors from nfs2/3_decode_dirent() +Git-commit: 64cfca85bacde54caa64e0ab855c48734894fa37 +Patch-mainline: v5.18 +References: git-fixes + +Valid return values for decode_dirent() callback functions are: + 0: Success + -EBADCOOKIE: End of directory + -EAGAIN: End of xdr_stream + +All errors need to map into one of those three values. + +Fixes: 573c4e1ef53a ("NFS: Simplify ->decode_dirent() calling sequence") +Signed-off-by: Trond Myklebust +Acked-by: NeilBrown + +--- + fs/nfs/nfs2xdr.c | 2 +- + fs/nfs/nfs3xdr.c | 20 ++++++-------------- + 2 files changed, 7 insertions(+), 15 deletions(-) + +--- a/fs/nfs/nfs2xdr.c ++++ b/fs/nfs/nfs2xdr.c +@@ -938,7 +938,7 @@ int nfs2_decode_dirent(struct xdr_stream + + error = decode_filename_inline(xdr, &entry->name, &entry->len); + if (unlikely(error)) +- return error; ++ return -EAGAIN; + + /* + * The type (size and byte order) of nfscookie isn't defined in +--- a/fs/nfs/nfs3xdr.c ++++ b/fs/nfs/nfs3xdr.c +@@ -1948,7 +1948,6 @@ out_status: + int nfs3_decode_dirent(struct xdr_stream *xdr, struct nfs_entry *entry, + int plus) + { +- struct nfs_entry old = *entry; + __be32 *p; + int error; + +@@ -1967,16 +1966,16 @@ int nfs3_decode_dirent(struct xdr_stream + + error = decode_fileid3(xdr, &entry->ino); + if (unlikely(error)) +- return error; ++ return -EAGAIN; + + error = decode_inline_filename3(xdr, &entry->name, &entry->len); + if (unlikely(error)) +- return error; ++ return -EAGAIN; + + entry->prev_cookie = entry->cookie; + error = decode_cookie3(xdr, &entry->cookie); + if (unlikely(error)) +- return error; ++ return -EAGAIN; + + entry->d_type = DT_UNKNOWN; + +@@ -1984,7 +1983,7 @@ int nfs3_decode_dirent(struct xdr_stream + entry->fattr->valid = 0; + error = decode_post_op_attr(xdr, entry->fattr); + if (unlikely(error)) +- return error; ++ return -EAGAIN; + if (entry->fattr->valid & NFS_ATTR_FATTR_V3) + entry->d_type = 
nfs_umode_to_dtype(entry->fattr->mode); + +@@ -1999,11 +1998,8 @@ int nfs3_decode_dirent(struct xdr_stream + goto out_overflow; + if (*p != xdr_zero) { + error = decode_nfs_fh3(xdr, entry->fh); +- if (unlikely(error)) { +- if (error == -E2BIG) +- goto out_truncated; +- return error; +- } ++ if (unlikely(error)) ++ return -EAGAIN; + } else + zero_nfs_fh3(entry->fh); + } +@@ -2013,10 +2009,6 @@ int nfs3_decode_dirent(struct xdr_stream + out_overflow: + print_overflow_msg(__func__, xdr); + return -EAGAIN; +-out_truncated: +- dprintk("NFS: directory entry contains invalid file handle\n"); +- *entry = old; +- return -EAGAIN; + } + + /* diff --git a/patches.suse/NFSv4-pNFS-Fix-another-issue-with-a-list-iterator-po.patch b/patches.suse/NFSv4-pNFS-Fix-another-issue-with-a-list-iterator-po.patch new file mode 100644 index 0000000..20d3447 --- /dev/null +++ b/patches.suse/NFSv4-pNFS-Fix-another-issue-with-a-list-iterator-po.patch 
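Review bot: With the `old` snapshot and the `out_truncated` path removed, nfs3_decode_dirent() can return -EAGAIN after it has already overwritten `entry->ino`, `entry->name`, `entry->prev_cookie` and `entry->cookie`, for example when decode_post_op_attr() or decode_nfs_fh3() fails. The removed code restored `*entry` before returning in the invalid-file-handle case. Whether callers read the entry after -EAGAIN is outside these hunks, so that should be confirmed or the restore kept. Folding every decoder error into -EAGAIN also drops the only dprintk that identified an invalid file handle from the server, so a malformed reply can no longer be told apart from a short buffer in the logs.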
@@ -0,0 +1,109 @@ +From: Trond Myklebust +Date: Mon, 28 Mar 2022 08:36:34 -0400 +Subject: [PATCH] NFSv4/pNFS: Fix another issue with a list iterator pointing + to the head +Git-commit: 7c9d845f0612e5bcd23456a2ec43be8ac43458f1 +Patch-mainline: v5.18 +References: git-fixes + +In nfs4_callback_devicenotify(), if we don't find a matching entry for +the deviceid, we're left with a pointer to 'struct nfs_server' that +actually points to the list of super blocks associated with our struct +nfs_client. +Furthermore, even if we have a valid pointer, nothing pins the super +block, and so the struct nfs_server could end up getting freed while +we're using it. + +Since all we want is a pointer to the struct pnfs_layoutdriver_type, +let's skip all the iteration over super blocks, and just use APIs to +find the layout driver directly. + +Reported-by: Xiaomeng Tong +Fixes: 1be5683b03a7 ("pnfs: CB_NOTIFY_DEVICEID") +Signed-off-by: Trond Myklebust +Acked-by: NeilBrown + +--- + fs/nfs/callback_proc.c | 27 +++++++++------------------ + fs/nfs/pnfs.c | 11 +++++++++++ + fs/nfs/pnfs.h | 2 ++ + 3 files changed, 22 insertions(+), 18 deletions(-) + +--- a/fs/nfs/callback_proc.c ++++ b/fs/nfs/callback_proc.c +@@ -351,11 +351,10 @@ __be32 nfs4_callback_devicenotify(struct + void *dummy, struct cb_process_state *cps) + { + int i; ++ const struct pnfs_layoutdriver_type *ld = NULL; + __be32 res = 0; +- struct nfs_client *clp = cps->clp; +- struct nfs_server *server = NULL; + +- if (!clp) { ++ if (!cps->clp) { + res = cpu_to_be32(NFS4ERR_OP_NOT_IN_SESSION); + goto out; + } +@@ -363,23 +362,15 @@ __be32 nfs4_callback_devicenotify(struct + for (i = 0; i < args->ndevs; i++) { + struct cb_devicenotifyitem *dev = &args->devs[i]; + +- if (!server || +- server->pnfs_curr_ld->id != dev->cbd_layout_type) { +- rcu_read_lock(); +- list_for_each_entry_rcu(server, &clp->cl_superblocks, client_link) +- if (server->pnfs_curr_ld && +- server->pnfs_curr_ld->id == dev->cbd_layout_type) { +- rcu_read_unlock(); +- 
goto found; +- } +- rcu_read_unlock(); +- continue; ++ if (!ld || ld->id != dev->cbd_layout_type) { ++ pnfs_put_layoutdriver(ld); ++ ld = pnfs_find_layoutdriver(dev->cbd_layout_type); ++ if (!ld) ++ continue; + } +- +- found: +- nfs4_delete_deviceid(server->pnfs_curr_ld, clp, &dev->cbd_dev_id); ++ nfs4_delete_deviceid(ld, cps->clp, &dev->cbd_dev_id); + } +- ++ pnfs_put_layoutdriver(ld); + out: + kfree(args->devs); + return res; +--- a/fs/nfs/pnfs.c ++++ b/fs/nfs/pnfs.c +@@ -91,6 +91,17 @@ find_pnfs_driver(u32 id) + return local; + } + ++const struct pnfs_layoutdriver_type *pnfs_find_layoutdriver(u32 id) ++{ ++ return find_pnfs_driver(id); ++} ++ ++void pnfs_put_layoutdriver(const struct pnfs_layoutdriver_type *ld) ++{ ++ if (ld) ++ module_put(ld->owner); ++} ++ + void + unset_pnfs_layoutdriver(struct nfs_server *nfss) + { +--- a/fs/nfs/pnfs.h ++++ b/fs/nfs/pnfs.h +@@ -220,6 +220,8 @@ struct pnfs_devicelist { + + extern int pnfs_register_layoutdriver(struct pnfs_layoutdriver_type *); + extern void pnfs_unregister_layoutdriver(struct pnfs_layoutdriver_type *); ++extern const struct pnfs_layoutdriver_type *pnfs_find_layoutdriver(u32 id); ++extern void pnfs_put_layoutdriver(const struct pnfs_layoutdriver_type *ld); + + /* nfs4proc.c */ + extern int nfs4_proc_getdeviceinfo(struct nfs_server *server, diff --git a/patches.suse/NFSv4.1-don-t-retry-BIND_CONN_TO_SESSION-on-session-.patch b/patches.suse/NFSv4.1-don-t-retry-BIND_CONN_TO_SESSION-on-session-.patch new file mode 100644 index 0000000..73f747b --- /dev/null +++ b/patches.suse/NFSv4.1-don-t-retry-BIND_CONN_TO_SESSION-on-session-.patch 
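Review bot: The two helpers added to fs/nfs/pnfs.c carry no comment stating the reference contract that nfs4_callback_devicenotify() now depends on. pnfs_put_layoutdriver() does `module_put(ld->owner)`, which is balanced only if find_pnfs_driver() took a module reference, and that function's body is outside the hunk. I would add a kernel-doc comment on pnfs_find_layoutdriver() saying that it returns the driver with a module reference held, or NULL, and that every non-NULL result must be released with pnfs_put_layoutdriver(). The same comment should note that pnfs_put_layoutdriver() accepts NULL, since the loop in callback_proc.c relies on that.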
@@ -0,0 +1,40 @@ +From: Olga Kornievskaia +Date: Thu, 24 Mar 2022 10:38:42 -0400 +Subject: [PATCH] NFSv4.1: don't retry BIND_CONN_TO_SESSION on session error +Git-commit: 1d15d121cc2ad4d016a7dc1493132a9696f91fc5 +Patch-mainline: v5.18 +References: git-fixes + +There is no reason to retry the operation if a session error had +occurred in such case result structure isn't filled out. + +Fixes: dff58530c4ca ("NFSv4.1: fix handling of backchannel binding in BIND_CONN_TO_SESSION") +Signed-off-by: Olga Kornievskaia +Signed-off-by: Trond Myklebust +Acked-by: NeilBrown + +--- + fs/nfs/nfs4proc.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -7368,6 +7368,9 @@ nfs4_bind_one_conn_to_session_done(struc + struct nfs41_bind_conn_to_session_args *args = task->tk_msg.rpc_argp; + struct nfs41_bind_conn_to_session_res *res = task->tk_msg.rpc_resp; + ++ if (task->tk_status == -NFS4ERR_DEADSESSION) ++ return; ++ + if (args->dir == NFS4_CDFC4_FORE_OR_BOTH && + res->dir != NFS4_CDFS4_BOTH) { + rpc_task_close_connection(task); +@@ -7377,7 +7380,7 @@ nfs4_bind_one_conn_to_session_done(struc + } + + static const struct rpc_call_ops nfs4_bind_one_conn_to_session_ops = { +- .rpc_call_done = &nfs4_bind_one_conn_to_session_done, ++ .rpc_call_done = nfs4_bind_one_conn_to_session_done, + }; + + /* diff --git a/patches.suse/RDMA-bnxt_re-Scan-the-whole-bitmap-when-checking-if-.patch b/patches.suse/RDMA-bnxt_re-Scan-the-whole-bitmap-when-checking-if-.patch new file mode 100644 index 0000000..75d57a2 --- /dev/null +++ b/patches.suse/RDMA-bnxt_re-Scan-the-whole-bitmap-when-checking-if-.patch 
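Review bot: The early return added to nfs4_bind_one_conn_to_session_done() tests only `-NFS4ERR_DEADSESSION`, while the commit message speaks of session errors in general. Any other failing `task->tk_status` still falls through to the read of `res->dir`, which the description says is not filled out on error. If no other error status can reach this callback, a short comment saying so would help. Otherwise the guard could cover every failure, e.g. `if (task->tk_status < 0) return;`, provided a retry is not wanted for those cases. The function starts outside the hunk.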
@@ -0,0 +1,72 @@ +From a917dfb66c0a1fa1caacf3d71edcafcab48e6ff0 Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Fri, 12 Nov 2021 09:59:04 +0100 +Subject: [PATCH 1/1] RDMA/bnxt_re: Scan the whole bitmap when checking if + "disabling RCFW with pending cmd-bit" +Git-commit: a917dfb66c0a1fa1caacf3d71edcafcab48e6ff0 +Patch-mainline: v5.17 +References: git-fixes + +The 'cmdq->cmdq_bitmap' bitmap is 'rcfw->cmdq_depth' bits long. The size +stored in 'cmdq->bmap_size' is the size of the bitmap in bytes. + +Remove this erroneous 'bmap_size' and use 'rcfw->cmdq_depth' directly in +'bnxt_qplib_disable_rcfw_channel()'. Otherwise some error messages may be +missing. + +Other uses of 'cmdq_bitmap' already take into account 'rcfw->cmdq_depth' +directly. + +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Link: https://lore.kernel.org/r/47ed717c3070a1d0f53e7b4c768a4fd11caf365d.1636707421.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Christophe JAILLET +Acked-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 6 ++---- + drivers/infiniband/hw/bnxt_re/qplib_rcfw.h | 1 - + 2 files changed, 2 insertions(+), 5 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c +index af74dbdadfaa..c8c8a68f0d90 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c +@@ -650,12 +650,11 @@ void bnxt_qplib_disable_rcfw_channel(struct bnxt_qplib_rcfw *rcfw) + iounmap(rcfw->cmdq_bar_reg_iomem); + iounmap(rcfw->creq_bar_reg_iomem); + +- indx = find_first_bit(rcfw->cmdq_bitmap, rcfw->bmap_size); +- if (indx != rcfw->bmap_size) ++ indx = find_first_bit(rcfw->cmdq_bitmap, rcfw->cmdq_depth); ++ if (indx != rcfw->cmdq_depth) + dev_err(&rcfw->pdev->dev, + "disabling RCFW with pending cmd-bit %lx\n", indx); + kfree(rcfw->cmdq_bitmap); +- rcfw->bmap_size = 0; + + rcfw->cmdq_bar_reg_iomem 
= NULL; + rcfw->creq_bar_reg_iomem = NULL; +@@ -709,7 +708,6 @@ int bnxt_qplib_enable_rcfw_channel(struct pci_dev *pdev, + rcfw->cmdq_bitmap = kzalloc(bmap_size, GFP_KERNEL); + if (!rcfw->cmdq_bitmap) + return -ENOMEM; +- rcfw->bmap_size = bmap_size; + + /* CMDQ */ + rcfw->cmdq_bar_reg = RCFW_COMM_PCI_BAR_REGION; +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.h b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.h +index dfeadc192e17..df5deda6c4c9 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.h ++++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.h +@@ -233,7 +233,6 @@ struct bnxt_qplib_rcfw { + struct tasklet_struct worker; + bool requested; + unsigned long *cmdq_bitmap; +- u32 bmap_size; + unsigned long flags; + #define FIRMWARE_INITIALIZED_FLAG 0 + #define FIRMWARE_FIRST_FLAG 31 +-- +2.35.0 + diff --git a/patches.suse/RDMA-cma-Ensure-rdma_addr_cancel-happens-before-issu.patch b/patches.suse/RDMA-cma-Ensure-rdma_addr_cancel-happens-before-issu.patch new file mode 100644 index 0000000..a5997ee --- /dev/null +++ b/patches.suse/RDMA-cma-Ensure-rdma_addr_cancel-happens-before-issu.patch 
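Review bot: After this change bnxt_qplib_disable_rcfw_channel() frees `rcfw->cmdq_bitmap`, and with `rcfw->bmap_size = 0;` removed the visible lines leave nothing that marks the bitmap as gone. The pointer still holds the freed address while the neighbouring iomem pointers are reset to NULL. Adding `rcfw->cmdq_bitmap = NULL;` right after the `kfree()` would make a repeated disable or a stray bitmap access fail safe instead of touching freed memory. This applies unless the pointer is already cleared further down, outside the hunk.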
@@ -0,0 +1,132 @@ +From 305d568b72f17f674155a2a8275f865f207b3808 Mon Sep 17 00:00:00 2001 +From: Jason Gunthorpe +Date: Thu, 16 Sep 2021 15:34:46 -0300 +Subject: [PATCH 1/1] RDMA/cma: Ensure rdma_addr_cancel() happens before + issuing more requests +Git-commit: 305d568b72f17f674155a2a8275f865f207b3808 +Patch-mainline: v5.15 +References: git-fixes + +The FSM can run in a circle allowing rdma_resolve_ip() to be called twice +on the same id_priv. While this cannot happen without going through the +work, it violates the invariant that the same address resolution +background request cannot be active twice. + + CPU 1 CPU 2 + +rdma_resolve_addr(): + RDMA_CM_IDLE -> RDMA_CM_ADDR_QUERY + rdma_resolve_ip(addr_handler) #1 + + process_one_req(): for #1 + addr_handler(): + RDMA_CM_ADDR_QUERY -> RDMA_CM_ADDR_BOUND + mutex_unlock(&id_priv->handler_mutex); + [.. handler still running ..] + +rdma_resolve_addr(): + RDMA_CM_ADDR_BOUND -> RDMA_CM_ADDR_QUERY + rdma_resolve_ip(addr_handler) + !! two requests are now on the req_list + +rdma_destroy_id(): + destroy_id_handler_unlock(): + _destroy_id(): + cma_cancel_operation(): + rdma_addr_cancel() + + // process_one_req() self removes it + spin_lock_bh(&lock); + cancel_delayed_work(&req->work); + if (!list_empty(&req->list)) == true + + ! rdma_addr_cancel() returns after process_on_req #1 is done + + kfree(id_priv) + + process_one_req(): for #2 + addr_handler(): + mutex_lock(&id_priv->handler_mutex); + !! Use after free on id_priv + +rdma_addr_cancel() expects there to be one req on the list and only +cancels the first one. The self-removal behavior of the work only happens +after the handler has returned. This yields a situations where the +req_list can have two reqs for the same "handle" but rdma_addr_cancel() +only cancels the first one. + +The second req remains active beyond rdma_destroy_id() and will +use-after-free id_priv once it inevitably triggers. 
+ +Fix this by remembering if the id_priv has called rdma_resolve_ip() and +always cancel before calling it again. This ensures the req_list never +gets more than one item in it and doesn't cost anything in the normal flow +that never uses this strange error path. + +Link: https://lore.kernel.org/r/0-v1-3bc675b8006d+22-syz_cancel_uaf_jgg@nvidia.com +Cc: stable@vger.kernel.org +Fixes: e51060f08a61 ("IB: IP address based RDMA connection manager") +Reported-by: syzbot+dc3dfba010d7671e05f5@syzkaller.appspotmail.com +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/core/cma.c | 23 +++++++++++++++++++++++ + drivers/infiniband/core/cma_priv.h | 1 + + 2 files changed, 24 insertions(+) + +diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c +index 8862b0e572f0..704ce595542c 100644 +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -1783,6 +1783,14 @@ static void cma_cancel_operation(struct rdma_id_private *id_priv, + { + switch (state) { + case RDMA_CM_ADDR_QUERY: ++ /* ++ * We can avoid doing the rdma_addr_cancel() based on state, ++ * only RDMA_CM_ADDR_QUERY has a work that could still execute. ++ * Notice that the addr_handler work could still be exiting ++ * outside this state, however due to the interaction with the ++ * handler_mutex the work is guaranteed not to touch id_priv ++ * during exit. ++ */ + rdma_addr_cancel(&id_priv->id.route.addr.dev_addr); + break; + case RDMA_CM_ROUTE_QUERY: +@@ -3425,6 +3433,21 @@ int rdma_resolve_addr(struct rdma_cm_id *id, struct sockaddr *src_addr, + if (dst_addr->sa_family == AF_IB) { + ret = cma_resolve_ib_addr(id_priv); + } else { ++ /* ++ * The FSM can return back to RDMA_CM_ADDR_BOUND after ++ * rdma_resolve_ip() is called, eg through the error ++ * path in addr_handler(). If this happens the existing ++ * request must be canceled before issuing a new one. 
++ * Since canceling a request is a bit slow and this ++ * oddball path is rare, keep track once a request has ++ * been issued. The track turns out to be a permanent ++ * state since this is the only cancel as it is ++ * immediately before rdma_resolve_ip(). ++ */ ++ if (id_priv->used_resolve_ip) ++ rdma_addr_cancel(&id->route.addr.dev_addr); ++ else ++ id_priv->used_resolve_ip = 1; + ret = rdma_resolve_ip(cma_src_addr(id_priv), dst_addr, + &id->route.addr.dev_addr, + timeout_ms, addr_handler, +diff --git a/drivers/infiniband/core/cma_priv.h b/drivers/infiniband/core/cma_priv.h +index 5c463da99845..f92f101ea981 100644 +--- a/drivers/infiniband/core/cma_priv.h ++++ b/drivers/infiniband/core/cma_priv.h +@@ -87,6 +87,7 @@ struct rdma_id_private { + bool tos_set; + u8 reuseaddr; + u8 afonly; ++ u8 used_resolve_ip; + enum ib_gid_type gid_type; + + /* +-- +2.35.0 + diff --git a/patches.suse/RDMA-cma-Let-cma_resolve_ib_dev-continue-search-even.patch b/patches.suse/RDMA-cma-Let-cma_resolve_ib_dev-continue-search-even.patch new file mode 100644 index 0000000..529ac2f --- /dev/null +++ b/patches.suse/RDMA-cma-Let-cma_resolve_ib_dev-continue-search-even.patch 
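Review bot: The new `used_resolve_ip` flag is tested and set in rdma_resolve_addr() with plain loads and stores, and neither hunk shows what serialises that branch. If two callers could reach it on the same id_priv at once, both might read 0 and issue rdma_resolve_ip() without a cancel, which is the double-request state the patch is meant to exclude. The state exchange earlier in the function (outside the hunk) presumably rules this out, and the comment should say so. In cma_priv.h the field also deserves a note, for example `u8 used_resolve_ip; /* set once rdma_resolve_ip() was issued, never cleared */`.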
@@ -0,0 +1,65 @@ +From 20679094a0161c94faf77e373fa3f7428a8e14bd Mon Sep 17 00:00:00 2001 +From: Avihai Horon +Date: Thu, 9 Dec 2021 15:16:07 +0200 +Subject: [PATCH 1/1] RDMA/cma: Let cma_resolve_ib_dev() continue search even + after empty entry +Git-commit: 20679094a0161c94faf77e373fa3f7428a8e14bd +Patch-mainline: v5.17 +References: git-fixes + +Currently, when cma_resolve_ib_dev() searches for a matching GID it will +stop searching after encountering the first empty GID table entry. This +behavior is wrong since neither IB nor RoCE spec enforce tightly packed +GID tables. + +For example, when the matching valid GID entry exists at index N, and if a +GID entry is empty at index N-1, cma_resolve_ib_dev() will fail to find +the matching valid entry. + +Fix it by making cma_resolve_ib_dev() continue searching even after +encountering missing entries. + +Fixes: f17df3b0dede ("RDMA/cma: Add support for AF_IB to rdma_resolve_addr()") +Link: https://lore.kernel.org/r/b7346307e3bb396c43d67d924348c6c496493991.1639055490.git.leonro@nvidia.com +Signed-off-by: Avihai Horon +Reviewed-by: Mark Zhang +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/core/cma.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c +index 8a98aa90956f..27a00ce2e101 100644 +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -813,6 +813,7 @@ static int cma_resolve_ib_dev(struct rdma_id_private *id_priv) + u16 pkey, index; + u8 p; + enum ib_port_state port_state; ++ int ret; + int i; + + cma_dev = NULL; +@@ -831,9 +832,14 @@ static int cma_resolve_ib_dev(struct rdma_id_private *id_priv) + + if (ib_get_cached_port_state(cur_dev->device, p, &port_state)) + continue; +- for (i = 0; !rdma_query_gid(cur_dev->device, +- p, i, &gid); +- i++) { ++ ++ for (i = 0; i < cur_dev->device->port_immutable[p].gid_tbl_len; ++ 
++i) { ++ ret = rdma_query_gid(cur_dev->device, p, i, ++ &gid); ++ if (ret) ++ continue; ++ + if (!memcmp(&gid, dgid, sizeof(gid))) { + cma_dev = cur_dev; + sgid = gid; +-- +2.35.0 + diff --git a/patches.suse/RDMA-core-Don-t-infoleak-GRH-fields.patch b/patches.suse/RDMA-core-Don-t-infoleak-GRH-fields.patch new file mode 100644 index 0000000..81605b5 --- /dev/null +++ b/patches.suse/RDMA-core-Don-t-infoleak-GRH-fields.patch 
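Review bot: The rewritten loop in cma_resolve_ib_dev() treats every non-zero return from rdma_query_gid() as an empty slot and moves on, so a real query failure can no longer be told apart from a hole in the table. The ib_find_gid() hunk in drivers/infiniband/core/device.c (`return ret;` replaced by `continue;`) has the same effect. If the helper can fail for reasons other than an unset entry, those errors are now silently dropped and the caller only sees "not found". A comment at the `continue` would record the intent, e.g. `/* empty entry: GID tables are not required to be packed */`. The new `ret` local is used only for this test, so `if (rdma_query_gid(cur_dev->device, p, i, &gid)) continue;` would do without it.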
@@ -0,0 +1,68 @@ +From b35a0f4dd544eaa6162b6d2f13a2557a121ae5fd Mon Sep 17 00:00:00 2001 +From: Leon Romanovsky +Date: Tue, 4 Jan 2022 14:21:52 +0200 +Subject: [PATCH 1/1] RDMA/core: Don't infoleak GRH fields +Git-commit: b35a0f4dd544eaa6162b6d2f13a2557a121ae5fd +Patch-mainline: v5.16 +References: git-fixes + +If dst->is_global field is not set, the GRH fields are not cleared +and the following infoleak is reported. + +===================================================== +BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline] +BUG: KMSAN: kernel-infoleak in _copy_to_user+0x1c9/0x270 lib/usercopy.c:33 + instrument_copy_to_user include/linux/instrumented.h:121 [inline] + _copy_to_user+0x1c9/0x270 lib/usercopy.c:33 + copy_to_user include/linux/uaccess.h:209 [inline] + ucma_init_qp_attr+0x8c7/0xb10 drivers/infiniband/core/ucma.c:1242 + ucma_write+0x637/0x6c0 drivers/infiniband/core/ucma.c:1732 + vfs_write+0x8ce/0x2030 fs/read_write.c:588 + ksys_write+0x28b/0x510 fs/read_write.c:643 + __do_sys_write fs/read_write.c:655 [inline] + __se_sys_write fs/read_write.c:652 [inline] + __ia32_sys_write+0xdb/0x120 fs/read_write.c:652 + do_syscall_32_irqs_on arch/x86/entry/common.c:114 [inline] + __do_fast_syscall_32+0x96/0xf0 arch/x86/entry/common.c:180 + do_fast_syscall_32+0x34/0x70 arch/x86/entry/common.c:205 + do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:248 + entry_SYSENTER_compat_after_hwframe+0x4d/0x5c + +Local variable resp created at: + ucma_init_qp_attr+0xa4/0xb10 drivers/infiniband/core/ucma.c:1214 + ucma_write+0x637/0x6c0 drivers/infiniband/core/ucma.c:1732 + +Bytes 40-59 of 144 are uninitialized +Memory access of size 144 starts at ffff888167523b00 +Data copied to user address 0000000020000100 + +CPU: 1 PID: 25910 Comm: syz-executor.1 Not tainted 5.16.0-rc5-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +===================================================== + +Fixes: 
4ba66093bdc6 ("IB/core: Check for global flag when using ah_attr") +Link: https://lore.kernel.org/r/0e9dd51f93410b7b2f4f5562f52befc878b71afa.1641298868.git.leonro@nvidia.com +Reported-by: syzbot+6d532fa8f9463da290bc@syzkaller.appspotmail.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/core/uverbs_marshall.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/uverbs_marshall.c b/drivers/infiniband/core/uverbs_marshall.c +index b8d715c68ca4..11a080646916 100644 +--- a/drivers/infiniband/core/uverbs_marshall.c ++++ b/drivers/infiniband/core/uverbs_marshall.c +@@ -66,7 +66,7 @@ void ib_copy_ah_attr_to_user(struct ib_device *device, + struct rdma_ah_attr *src = ah_attr; + struct rdma_ah_attr conv_ah; + +- memset(&dst->grh.reserved, 0, sizeof(dst->grh.reserved)); ++ memset(&dst->grh, 0, sizeof(dst->grh)); + + if ((ah_attr->type == RDMA_AH_ATTR_TYPE_OPA) && + (rdma_ah_get_dlid(ah_attr) > be16_to_cpu(IB_LID_PERMISSIVE)) && +-- +2.35.0 + diff --git a/patches.suse/RDMA-core-Let-ib_find_gid-continue-search-even-after.patch b/patches.suse/RDMA-core-Let-ib_find_gid-continue-search-even-after.patch new file mode 100644 index 0000000..54f4826 --- /dev/null +++ b/patches.suse/RDMA-core-Let-ib_find_gid-continue-search-even-after.patch 
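Review bot: Clearing all of `dst->grh` closes the leak KMSAN reported, but ib_copy_ah_attr_to_user() still depends on every other member of `*dst` being assigned by hand before the structure reaches copy_to_user(). A member or padding byte that is not assigned on some branch would expose kernel stack contents through the same path. Zeroing the whole destination first, `memset(dst, 0, sizeof(*dst));`, makes the function safe regardless of which branches run. The rest of the function is outside this hunk, so this assumes no caller pre-fills `dst` fields that must survive.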
@@ -0,0 +1,47 @@ +From 483d805191a23191f8294bbf9b4e94836f5d92e4 Mon Sep 17 00:00:00 2001 +From: Avihai Horon +Date: Thu, 9 Dec 2021 15:16:06 +0200 +Subject: [PATCH 1/1] RDMA/core: Let ib_find_gid() continue search even after + empty entry +Git-commit: 483d805191a23191f8294bbf9b4e94836f5d92e4 +Patch-mainline: v5.17 +References: git-fixes + +Currently, ib_find_gid() will stop searching after encountering the first +empty GID table entry. This behavior is wrong since neither IB nor RoCE +spec enforce tightly packed GID tables. + +For example, when a valid GID entry exists at index N, and if a GID entry +is empty at index N-1, ib_find_gid() will fail to find the valid entry. + +Fix it by making ib_find_gid() continue searching even after encountering +missing entries. + +Fixes: 5eb620c81ce3 ("IB/core: Add helpers for uncached GID and P_Key searches") +Link: https://lore.kernel.org/r/e55d331b96cecfc2cf19803d16e7109ea966882d.1639055490.git.leonro@nvidia.com +Signed-off-by: Avihai Horon +Reviewed-by: Mark Zhang +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/core/device.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c +index 22a4adda7981..a311df07b1bd 100644 +--- a/drivers/infiniband/core/device.c ++++ b/drivers/infiniband/core/device.c +@@ -1120,7 +1120,8 @@ int ib_find_gid(struct ib_device *device, union ib_gid *gid, + for (i = 0; i < device->port_immutable[port].gid_tbl_len; ++i) { + ret = rdma_query_gid(device, port, i, &tmp_gid); + if (ret) +- return ret; ++ continue; ++ + if (!memcmp(&tmp_gid, gid, sizeof *gid)) { + *port_num = port; + if (index) +-- +2.35.0 + diff --git a/patches.suse/RDMA-cxgb4-Set-queue-pair-state-when-being-queried.patch b/patches.suse/RDMA-cxgb4-Set-queue-pair-state-when-being-queried.patch new file mode 100644 index 0000000..d15d609 --- /dev/null 
+++ b/patches.suse/RDMA-cxgb4-Set-queue-pair-state-when-being-queried.patch
@@ -0,0 +1,36 @@
+From e375b9c92985e409c4bb95dd43d34915ea7f5e28 Mon Sep 17 00:00:00 2001
+From: Kamal Heib
+Date: Mon, 20 Dec 2021 17:25:30 +0200
+Subject: [PATCH 1/1] RDMA/cxgb4: Set queue pair state when being queried
+Git-commit: e375b9c92985e409c4bb95dd43d34915ea7f5e28
+Patch-mainline: v5.17
+References: git-fixes
+
+The API for ib_query_qp requires the driver to set cur_qp_state on return,
+add the missing set.
+
+Fixes: 67bbc05512d8 ("RDMA/cxgb4: Add query_qp support")
+Link: https://lore.kernel.org/r/20211220152530.60399-1-kamalheib1@gmail.com
+Signed-off-by: Kamal Heib
+Reviewed-by: Leon Romanovsky
+Signed-off-by: Jason Gunthorpe
+Acked-by: Nicolas Morey-Chaisemartin
+---
+ drivers/infiniband/hw/cxgb4/qp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/infiniband/hw/cxgb4/qp.c b/drivers/infiniband/hw/cxgb4/qp.c
+index d20b4ef2c853..ffbd9a89981e 100644
+--- a/drivers/infiniband/hw/cxgb4/qp.c
++++ b/drivers/infiniband/hw/cxgb4/qp.c
+@@ -2460,6 +2460,7 @@ int c4iw_ib_query_qp(struct ib_qp *ibqp, struct ib_qp_attr *attr,
+ memset(attr, 0, sizeof(*attr));
+ memset(init_attr, 0, sizeof(*init_attr));
+ attr->qp_state = to_ib_qp_state(qhp->attr.state);
++ attr->cur_qp_state = to_ib_qp_state(qhp->attr.state);
+ init_attr->cap.max_send_wr = qhp->attr.sq_num_entries;
+ init_attr->cap.max_recv_wr = qhp->attr.rq_num_entries;
+ init_attr->cap.max_send_sge = qhp->attr.sq_max_sges;
+--
+2.35.0
+
diff --git a/patches.suse/RDMA-cxgb4-check-for-ipv6-address-properly-while-des.patch b/patches.suse/RDMA-cxgb4-check-for-ipv6-address-properly-while-des.patch
new file mode 100644
index 0000000..9011bd9
--- /dev/null
+++ b/patches.suse/RDMA-cxgb4-check-for-ipv6-address-properly-while-des.patch
@@ -0,0 +1,39 @@
+From 603c4690b01aaffe3a6c3605a429f6dac39852ae Mon Sep 17 00:00:00 2001
+From: Potnuri Bharat Teja
+Date: Wed, 31 Mar 2021 19:27:15 +0530
+Subject: [PATCH 1/1] RDMA/cxgb4: check for ipv6 address properly while
+ destroying listener
+Git-commit: 603c4690b01aaffe3a6c3605a429f6dac39852ae
+Patch-mainline: v5.12
+References: git-fixes
+
+ipv6 bit is wrongly set by the below which causes fatal adapter lookup
+engine errors for ipv4 connections while destroying a listener. Fix it to
+properly check the local address for ipv6.
+
+Fixes: 3408be145a5d ("RDMA/cxgb4: Fix adapter LE hash errors while destroying ipv6 listening server")
+Link: https://lore.kernel.org/r/20210331135715.30072-1-bharat@chelsio.com
+Signed-off-by: Potnuri Bharat Teja
+Signed-off-by: Jason Gunthorpe
+Acked-by: Nicolas Morey-Chaisemartin
+---
+ drivers/infiniband/hw/cxgb4/cm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c
+index 81903749d241..e42c812e74c3 100644
+--- a/drivers/infiniband/hw/cxgb4/cm.c
++++ b/drivers/infiniband/hw/cxgb4/cm.c
+@@ -3616,7 +3616,8 @@ int c4iw_destroy_listen(struct iw_cm_id *cm_id)
+ c4iw_init_wr_wait(ep->com.wr_waitp);
+ err = cxgb4_remove_server(
+ ep->com.dev->rdev.lldi.ports[0], ep->stid,
+- ep->com.dev->rdev.lldi.rxq_ids[0], true);
++ ep->com.dev->rdev.lldi.rxq_ids[0],
++ ep->com.local_addr.ss_family == AF_INET6);
+ if (err)
+ goto done;
+ err = c4iw_wait_for_reply(&ep->com.dev->rdev, ep->com.wr_waitp,
+--
+2.35.0
+
diff --git a/patches.suse/RDMA-hns-Validate-the-pkey-index.patch b/patches.suse/RDMA-hns-Validate-the-pkey-index.patch
new file mode 100644
index 0000000..a8858c4
--- /dev/null
+++ b/patches.suse/RDMA-hns-Validate-the-pkey-index.patch
@@ -0,0 +1,36 @@
+From 2a67fcfa0db6b4075515bd23497750849b88850f Mon Sep 17 00:00:00 2001
+From: Kamal Heib
+Date: Wed, 17 Nov 2021 16:59:54 +0200
+Subject: [PATCH 1/1] RDMA/hns: Validate the pkey index
+Git-commit: 2a67fcfa0db6b4075515bd23497750849b88850f
+Patch-mainline: v5.17
+References: git-fixes
+
+Before query pkey, make sure that the queried index is valid.
+
+Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver")
+Link: https://lore.kernel.org/r/20211117145954.123893-1-kamalheib1@gmail.com
+Signed-off-by: Kamal Heib
+Signed-off-by: Jason Gunthorpe
+Acked-by: Nicolas Morey-Chaisemartin
+---
+ drivers/infiniband/hw/hns/hns_roce_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_main.c b/drivers/infiniband/hw/hns/hns_roce_main.c
+index 4194b626f3c6..8233bec053ee 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_main.c
++++ b/drivers/infiniband/hw/hns/hns_roce_main.c
+@@ -298,6 +298,9 @@ static enum rdma_link_layer hns_roce_get_link_layer(struct ib_device *device,
+ static int hns_roce_query_pkey(struct ib_device *ib_dev, u8 port, u16 index,
+ u16 *pkey)
+ {
++ if (index > 0)
++ return -EINVAL;
++
+ *pkey = PKEY_ID;
+
+ return 0;
+--
+2.35.0
+
diff --git a/patches.suse/RDMA-ib_srp-Fix-a-deadlock.patch b/patches.suse/RDMA-ib_srp-Fix-a-deadlock.patch
new file mode 100644
index 0000000..b02602b
--- /dev/null
+++ b/patches.suse/RDMA-ib_srp-Fix-a-deadlock.patch
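Review bot: The bound in `if (index > 0)` in hns_roce_query_pkey() is a bare literal with nothing explaining why only index 0 is valid. The function always answers with the single constant PKEY_ID, so the check presumably mirrors a one-entry P_Key table, and that link should be written down so the two do not drift apart. I would add `/* the P_Key table holds one entry: PKEY_ID at index 0 */` above the test. The `port` argument is still accepted without any validation in the lines shown.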
@@ -0,0 +1,44 @@
+From 081bdc9fe05bb23248f5effb6f811da3da4b8252 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche
+Date: Tue, 15 Feb 2022 13:05:11 -0800
+Subject: [PATCH 1/1] RDMA/ib_srp: Fix a deadlock
+Git-commit: 081bdc9fe05bb23248f5effb6f811da3da4b8252
+Patch-mainline: v5.17
+References: git-fixes
+
+Remove the flush_workqueue(system_long_wq) call since flushing
+system_long_wq is deadlock-prone and since that call is redundant with a
+preceding cancel_work_sync()
+
+Link: https://lore.kernel.org/r/20220215210511.28303-3-bvanassche@acm.org
+Fixes: ef6c49d87c34 ("IB/srp: Eliminate state SRP_TARGET_DEAD")
+Reported-by: syzbot+831661966588c802aae9@syzkaller.appspotmail.com
+Signed-off-by: Bart Van Assche
+Reviewed-by: Leon Romanovsky
+Signed-off-by: Jason Gunthorpe
+Acked-by: Nicolas Morey-Chaisemartin
+---
+ drivers/infiniband/ulp/srp/ib_srp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/ulp/srp/ib_srp.c b/drivers/infiniband/ulp/srp/ib_srp.c
+index e174e853f8a4..285b766e4e70 100644
+--- a/drivers/infiniband/ulp/srp/ib_srp.c
++++ b/drivers/infiniband/ulp/srp/ib_srp.c
+@@ -4047,9 +4047,11 @@ static void srp_remove_one(struct ib_device *device, void *client_data)
+ spin_unlock(&host->target_lock);
+
+ /*
+- * Wait for tl_err and target port removal tasks.
++ * srp_queue_remove_work() queues a call to
++ * srp_remove_target(). The latter function cancels
++ * target->tl_err_work so waiting for the remove works to
++ * finish is sufficient.
+ */
+- flush_workqueue(system_long_wq);
+ flush_workqueue(srp_remove_wq);
+
+ kfree(host);
+--
+2.35.0
+
diff --git a/patches.suse/RDMA-iwcm-Release-resources-if-iw_cm-module-initiali.patch b/patches.suse/RDMA-iwcm-Release-resources-if-iw_cm-module-initiali.patch
new file mode 100644
index 0000000..6c663ed
--- /dev/null
+++ b/patches.suse/RDMA-iwcm-Release-resources-if-iw_cm-module-initiali.patch
@@ -0,0 +1,72 @@ +From e677b72a0647249370f2635862bf0241c86f66ad Mon Sep 17 00:00:00 2001 +From: Leon Romanovsky +Date: Fri, 23 Jul 2021 17:08:55 +0300 +Subject: [PATCH 1/1] RDMA/iwcm: Release resources if iw_cm module + initialization fails +Git-commit: e677b72a0647249370f2635862bf0241c86f66ad +Patch-mainline: v5.15 +References: git-fixes + +The failure during iw_cm module initialization partially left the system +with unreleased memory and other resources. Rewrite the module init/exit +routines in such way that netlink commands will be opened only after +successful initialization. + +Fixes: b493d91d333e ("iwcm: common code for port mapper") +Link: https://lore.kernel.org/r/b01239f99cb1a3e6d2b0694c242d89e6410bcd93.1627048781.git.leonro@nvidia.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/core/iwcm.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +diff --git a/drivers/infiniband/core/iwcm.c b/drivers/infiniband/core/iwcm.c +index 42261152b489..2b47073c61a6 100644 +--- a/drivers/infiniband/core/iwcm.c ++++ b/drivers/infiniband/core/iwcm.c +@@ -1186,29 +1186,34 @@ static int __init iw_cm_init(void) + + ret = iwpm_init(RDMA_NL_IWCM); + if (ret) +- pr_err("iw_cm: couldn't init iwpm\n"); +- else +- rdma_nl_register(RDMA_NL_IWCM, iwcm_nl_cb_table); ++ return ret; ++ + iwcm_wq = alloc_ordered_workqueue("iw_cm_wq", 0); + if (!iwcm_wq) +- return -ENOMEM; ++ goto err_alloc; + + iwcm_ctl_table_hdr = register_net_sysctl(&init_net, "net/iw_cm", + iwcm_ctl_table); + if (!iwcm_ctl_table_hdr) { + pr_err("iw_cm: couldn't register sysctl paths\n"); +- destroy_workqueue(iwcm_wq); +- return -ENOMEM; ++ goto err_sysctl; + } + ++ rdma_nl_register(RDMA_NL_IWCM, iwcm_nl_cb_table); + return 0; ++ ++err_sysctl: ++ destroy_workqueue(iwcm_wq); ++err_alloc: ++ iwpm_exit(RDMA_NL_IWCM); ++ return -ENOMEM; + } + + static void __exit iw_cm_cleanup(void) + { ++ 
rdma_nl_unregister(RDMA_NL_IWCM); + unregister_net_sysctl_table(iwcm_ctl_table_hdr); + destroy_workqueue(iwcm_wq); +- rdma_nl_unregister(RDMA_NL_IWCM); + iwpm_exit(RDMA_NL_IWCM); + } + +-- +2.35.0 + diff --git a/patches.suse/RDMA-mlx4-Don-t-continue-event-handler-after-memory-.patch b/patches.suse/RDMA-mlx4-Don-t-continue-event-handler-after-memory-.patch new file mode 100644 index 0000000..a265a7c --- /dev/null +++ b/patches.suse/RDMA-mlx4-Don-t-continue-event-handler-after-memory-.patch 
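Review bot: iw_cm_init() now returns straight away when iwpm_init() fails and the `pr_err("iw_cm: couldn't init iwpm\n");` line is removed, so a port-mapper failure that used to be logged and tolerated now aborts the module load without a message. Both `goto` paths also end in a hard-coded `return -ENOMEM;` while `ret` goes unused after the first check, which separates the error code from its cause. I would keep the pr_err() before `return ret;`, set `ret = -ENOMEM;` ahead of each `goto`, and finish the unwind with `return ret;`.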
@@ -0,0 +1,45 @@
+From f3136c4ce7acf64bee43135971ca52a880572e32 Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky
+Date: Mon, 31 Jan 2022 11:45:26 +0200
+Subject: [PATCH 1/1] RDMA/mlx4: Don't continue event handler after memory
+ allocation failure
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Git-commit: f3136c4ce7acf64bee43135971ca52a880572e32
+Patch-mainline: v5.17
+References: git-fixes
+
+The failure to allocate memory during MLX4_DEV_EVENT_PORT_MGMT_CHANGE
+event handler will cause skip the assignment logic, but
+ib_dispatch_event() will be called anyway.
+
+Fix it by calling to return instead of break after memory allocation
+failure.
+
+Fixes: 00f5ce99dc6e ("mlx4: Use port management change event instead of smp_snoop")
+Link: https://lore.kernel.org/r/12a0e83f18cfad4b5f62654f141e240d04915e10.1643622264.git.leonro@nvidia.com
+Signed-off-by: Leon Romanovsky
+Reviewed-by: Håkon Bugge
+Signed-off-by: Jason Gunthorpe
+Acked-by: Nicolas Morey-Chaisemartin
+---
+ drivers/infiniband/hw/mlx4/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mlx4/main.c b/drivers/infiniband/hw/mlx4/main.c
+index 1c3d97229988..93b1650eacfa 100644
+--- a/drivers/infiniband/hw/mlx4/main.c
++++ b/drivers/infiniband/hw/mlx4/main.c
+@@ -3237,7 +3237,7 @@ static void mlx4_ib_event(struct mlx4_dev *dev, void *ibdev_ptr,
+ case MLX4_DEV_EVENT_PORT_MGMT_CHANGE:
+ ew = kmalloc(sizeof *ew, GFP_ATOMIC);
+ if (!ew)
+- break;
++ return;
+
+ INIT_WORK(&ew->work, handle_port_mgmt_change_event);
+ memcpy(&ew->ib_eqe, eqe, sizeof *eqe);
+--
+2.35.0
+
diff --git a/patches.suse/RDMA-mlx4-Return-missed-an-error-if-device-doesn-t-s.patch b/patches.suse/RDMA-mlx4-Return-missed-an-error-if-device-doesn-t-s.patch
new file mode 100644
index 0000000..2309a73
--- /dev/null
+++ b/patches.suse/RDMA-mlx4-Return-missed-an-error-if-device-doesn-t-s.patch
@@ -0,0 +1,42 @@
+From f4e56ec4452f48b8292dcf0e1c4bdac83506fb8b Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky
+Date: Tue, 12 Oct 2021 10:28:43 +0300
+Subject: [PATCH 1/1] RDMA/mlx4: Return missed an error if device doesn't
+ support steering
+Git-commit: f4e56ec4452f48b8292dcf0e1c4bdac83506fb8b
+Patch-mainline: v5.16
+References: git-fixes
+
+The error flow fixed in this patch is not possible because all kernel
+users of create QP interface check that device supports steering before
+set IB_QP_CREATE_NETIF_QP flag.
+
+Fixes: c1c98501121e ("IB/mlx4: Add support for steerable IB UD QPs")
+Link: https://lore.kernel.org/r/91c61f6e60eb0240f8bbc321fda7a1d2986dd03c.1634023677.git.leonro@nvidia.com
+Reported-by: Dan Carpenter
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Jason Gunthorpe
+Acked-by: Nicolas Morey-Chaisemartin
+---
+ drivers/infiniband/hw/mlx4/qp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c
+index 8662f462e2a5..3a1a4ac9dd33 100644
+--- a/drivers/infiniband/hw/mlx4/qp.c
++++ b/drivers/infiniband/hw/mlx4/qp.c
+@@ -1099,8 +1099,10 @@ static int create_qp_common(struct ib_pd *pd, struct ib_qp_init_attr *init_attr,
+ if (dev->steering_support ==
+ MLX4_STEERING_MODE_DEVICE_MANAGED)
+ qp->flags |= MLX4_IB_QP_NETIF;
+- else
++ else {
++ err = -EINVAL;
+ goto err;
++ }
+ }
+
+ err = set_kernel_sq_size(dev, &init_attr->cap, qp_type, qp);
+--
+2.35.0
+
diff --git a/patches.suse/RDMA-qedr-Fix-NULL-deref-for-query_qp-on-the-GSI-QP.patch b/patches.suse/RDMA-qedr-Fix-NULL-deref-for-query_qp-on-the-GSI-QP.patch
new file mode 100644
index 0000000..99c7a93
--- /dev/null
+++ b/patches.suse/RDMA-qedr-Fix-NULL-deref-for-query_qp-on-the-GSI-QP.patch
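Review bot: The new `else { err = -EINVAL; goto err; }` branch in create_qp_common() is braced while the `if` branch above it (`qp->flags |= MLX4_IB_QP_NETIF;`) is not. Kernel coding style asks for braces on every branch once one of them needs them, so the condition line should open with `{` and the `else` become `} else {`. The commit message says kernel callers cannot reach this path today, and a one-line comment on the `-EINVAL` would keep that reasoning next to the code. The enclosing function starts and ends outside this hunk.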
@@ -0,0 +1,95 @@ +From 4f960393a0ee9a39469ceb7c8077ae8db665cc12 Mon Sep 17 00:00:00 2001 +From: Alok Prasad +Date: Wed, 27 Oct 2021 18:43:29 +0000 +Subject: [PATCH 1/1] RDMA/qedr: Fix NULL deref for query_qp on the GSI QP +Git-commit: 4f960393a0ee9a39469ceb7c8077ae8db665cc12 +Patch-mainline: v5.16 +References: git-fixes + +This patch fixes a crash caused by querying the QP via netlink, and +corrects the state of GSI qp. GSI qp's have a NULL qed_qp. + +The call trace is generated by: + $ rdma res show + + BUG: kernel NULL pointer dereference, address: 0000000000000034 + Hardware name: Dell Inc. PowerEdge R720/0M1GCR, BIOS 1.2.6 05/10/2012 + RIP: 0010:qed_rdma_query_qp+0x33/0x1a0 [qed] + RSP: 0018:ffffba560a08f580 EFLAGS: 00010206 + RAX: 0000000200000000 RBX: ffffba560a08f5b8 RCX: 0000000000000000 + RDX: ffffba560a08f5b8 RSI: 0000000000000000 RDI: ffff9807ee458090 + RBP: ffffba560a08f5a0 R08: 0000000000000000 R09: ffff9807890e7048 + R10: ffffba560a08f658 R11: 0000000000000000 R12: 0000000000000000 + R13: ffff9807ee458090 R14: ffff9807f0afb000 R15: ffffba560a08f7ec + FS: 00007fbbf8bfe740(0000) GS:ffff980aafa00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000034 CR3: 00000001720ba001 CR4: 00000000000606f0 + Call Trace: + qedr_query_qp+0x82/0x360 [qedr] + ib_query_qp+0x34/0x40 [ib_core] + ? ib_query_qp+0x34/0x40 [ib_core] + fill_res_qp_entry_query.isra.26+0x47/0x1d0 [ib_core] + ? __nla_put+0x20/0x30 + ? nla_put+0x33/0x40 + fill_res_qp_entry+0xe3/0x120 [ib_core] + res_get_common_dumpit+0x3f8/0x5d0 [ib_core] + ? fill_res_cm_id_entry+0x1f0/0x1f0 [ib_core] + nldev_res_get_qp_dumpit+0x1a/0x20 [ib_core] + netlink_dump+0x156/0x2f0 + __netlink_dump_start+0x1ab/0x260 + rdma_nl_rcv+0x1de/0x330 [ib_core] + ? nldev_res_get_cm_id_dumpit+0x20/0x20 [ib_core] + netlink_unicast+0x1b8/0x270 + netlink_sendmsg+0x33e/0x470 + sock_sendmsg+0x63/0x70 + __sys_sendto+0x13f/0x180 + ? 
setup_sgl.isra.12+0x70/0xc0 + __x64_sys_sendto+0x28/0x30 + do_syscall_64+0x3a/0xb0 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Cc: stable@vger.kernel.org +Fixes: cecbcddf6461 ("qedr: Add support for QP verbs") +Link: https://lore.kernel.org/r/20211027184329.18454-1-palok@marvell.com +Signed-off-by: Ariel Elior +Signed-off-by: Shai Malin +Signed-off-by: Prabhakar Kushwaha +Signed-off-by: Alok Prasad +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/qedr/verbs.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/drivers/infiniband/hw/qedr/verbs.c b/drivers/infiniband/hw/qedr/verbs.c +index dcb3653db72d..3d4e4a766574 100644 +--- a/drivers/infiniband/hw/qedr/verbs.c ++++ b/drivers/infiniband/hw/qedr/verbs.c +@@ -2744,15 +2744,18 @@ int qedr_query_qp(struct ib_qp *ibqp, + int rc = 0; + + memset(¶ms, 0, sizeof(params)); +- +- rc = dev->ops->rdma_query_qp(dev->rdma_ctx, qp->qed_qp, ¶ms); +- if (rc) +- goto err; +- + memset(qp_attr, 0, sizeof(*qp_attr)); + memset(qp_init_attr, 0, sizeof(*qp_init_attr)); + +- qp_attr->qp_state = qedr_get_ibqp_state(params.state); ++ if (qp->qp_type != IB_QPT_GSI) { ++ rc = dev->ops->rdma_query_qp(dev->rdma_ctx, qp->qed_qp, ¶ms); ++ if (rc) ++ goto err; ++ qp_attr->qp_state = qedr_get_ibqp_state(params.state); ++ } else { ++ qp_attr->qp_state = qedr_get_ibqp_state(QED_ROCE_QP_STATE_RTS); ++ } ++ + qp_attr->cur_qp_state = qedr_get_ibqp_state(params.state); + qp_attr->path_mtu = ib_mtu_int_to_enum(params.mtu); + qp_attr->path_mig_state = IB_MIG_MIGRATED; +-- +2.35.0 + diff --git a/patches.suse/RDMA-rxe-Don-t-overwrite-errno-from-ib_umem_get.patch b/patches.suse/RDMA-rxe-Don-t-overwrite-errno-from-ib_umem_get.patch new file mode 100644 index 0000000..6facdce --- /dev/null +++ b/patches.suse/RDMA-rxe-Don-t-overwrite-errno-from-ib_umem_get.patch 
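Review bot: For a GSI QP the new `else` branch reports `qp_state` as RTS, but the unchanged line right after the block still sets `cur_qp_state` from `params.state`, and on that path `params` was only zero-filled by the memset. The two state fields returned by qedr_query_qp() can therefore disagree for the GSI QP. The following `path_mtu = ib_mtu_int_to_enum(params.mtu)` reads the same zeroed structure, and further `params` consumers may follow outside the hunk. I would change the shared line to `qp_attr->cur_qp_state = qp_attr->qp_state;` and check the remaining `params` reads for the GSI case.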
@@ -0,0 +1,39 @@
+From 20ec0a6d6016aa28b9b3299be18baef1a0f91cd2 Mon Sep 17 00:00:00 2001
+From: Xiao Yang
+Date: Mon, 21 Jun 2021 15:14:56 +0800
+Subject: [PATCH 1/1] RDMA/rxe: Don't overwrite errno from ib_umem_get()
+Git-commit: 20ec0a6d6016aa28b9b3299be18baef1a0f91cd2
+Patch-mainline: v5.14
+References: git-fixes
+
+rxe_mr_init_user() always returns the fixed -EINVAL when ib_umem_get()
+fails so it's hard for user to know which actual error happens in
+ib_umem_get(). For example, ib_umem_get() will return -EOPNOTSUPP when
+trying to pin pages on a DAX file.
+
+Return actual error as mlx4/mlx5 does.
+
+Link: https://lore.kernel.org/r/20210621071456.4259-1-ice_yangxiao@163.com
+Signed-off-by: Xiao Yang
+Signed-off-by: Jason Gunthorpe
+Acked-by: Nicolas Morey-Chaisemartin
+---
+ drivers/infiniband/sw/rxe/rxe_mr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_mr.c b/drivers/infiniband/sw/rxe/rxe_mr.c
+index 7f169329a8bf..6aabcb4de235 100644
+--- a/drivers/infiniband/sw/rxe/rxe_mr.c
++++ b/drivers/infiniband/sw/rxe/rxe_mr.c
+@@ -118,7 +118,7 @@ int rxe_mr_init_user(struct rxe_pd *pd, u64 start, u64 length, u64 iova,
+ if (IS_ERR(umem)) {
+ pr_warn("err %d from rxe_umem_get\n",
+ (int)PTR_ERR(umem));
+- err = -EINVAL;
++ err = PTR_ERR(umem);
+ goto err1;
+ }
+
+--
+2.35.0
+
diff --git a/patches.suse/RDMA-rxe-Fix-coding-error-in-rxe_rcv_mcast_pkt.patch b/patches.suse/RDMA-rxe-Fix-coding-error-in-rxe_rcv_mcast_pkt.patch
index d71e904..5046006 100644
--- a/patches.suse/RDMA-rxe-Fix-coding-error-in-rxe_rcv_mcast_pkt.patch
+++ b/patches.suse/RDMA-rxe-Fix-coding-error-in-rxe_rcv_mcast_pkt.patch
@@ -56,9 +56,9 @@ index 0dd163b745fe..2bbcea61b780 100644 + skb = NULL; + } - per_qp_pkt = SKB_TO_PKT(per_qp_skb); - per_qp_pkt->qp = qp; -@@ -335,9 +340,8 @@ static void rxe_rcv_mcast_pkt(struct rxe_dev *rxe, struct sk_buff *skb) + if (unlikely(!per_qp_skb)) + continue; +@@ -288,9 +293,8 @@ static void rxe_rcv_mcast_pkt(struct rxe_dev *rxe, struct sk_buff *skb) rxe_drop_ref(mcg); /* drop ref from rxe_pool_get_key. */ diff --git a/patches.suse/RDMA-rxe-Fix-extra-copy-in-prepare_ack_packet.patch b/patches.suse/RDMA-rxe-Fix-extra-copy-in-prepare_ack_packet.patch new file mode 100644 index 0000000..ccea370 --- /dev/null +++ b/patches.suse/RDMA-rxe-Fix-extra-copy-in-prepare_ack_packet.patch 
@@ -0,0 +1,49 @@ +From 3896bde92d036de4376b9b4dfa3753ea23659f30 Mon Sep 17 00:00:00 2001 +From: Bob Pearson +Date: Thu, 17 Jun 2021 23:57:42 -0500 +Subject: [PATCH 1/1] RDMA/rxe: Fix extra copy in prepare_ack_packet +Git-commit: 3896bde92d036de4376b9b4dfa3753ea23659f30 +Patch-mainline: v5.14 +References: git-fixes + +Currently prepare_ack_packet writes almost all the fields of the BTH in +the ack packet twice. Replace code with the subroutine init_bth(). + +Fixes: 8700e3e7c485 ("Soft RoCE driver") +Link: https://lore.kernel.org/r/20210618045742.204195-6-rpearsonhpe@gmail.com +Signed-off-by: Bob Pearson +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/sw/rxe/rxe_resp.c | 13 +++---------- + 1 file changed, 3 insertions(+), 10 deletions(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_resp.c b/drivers/infiniband/sw/rxe/rxe_resp.c +index 93322d20c0ab..72cdb170b67b 100644 +--- a/drivers/infiniband/sw/rxe/rxe_resp.c ++++ b/drivers/infiniband/sw/rxe/rxe_resp.c +@@ -624,18 +624,11 @@ static struct sk_buff *prepare_ack_packet(struct rxe_qp *qp, + ack->mask = rxe_opcode[opcode].mask; + ack->offset = pkt->offset; + ack->paylen = paylen; +- +- /* fill in bth using the request packet headers */ +- memcpy(ack->hdr, pkt->hdr, pkt->offset + RXE_BTH_BYTES); +- +- bth_set_opcode(ack, opcode); +- bth_set_qpn(ack, qp->attr.dest_qp_num); +- bth_set_pad(ack, pad); +- bth_set_se(ack, 0); +- bth_set_psn(ack, psn); +- bth_set_ack(ack, 0); + ack->psn = psn; + ++ bth_init(ack, opcode, 0, 0, pad, IB_DEFAULT_PKEY_FULL, ++ qp->attr.dest_qp_num, 0, psn); ++ + if (ack->mask & RXE_AETH_MASK) { + aeth_set_syn(ack, syndrome); + aeth_set_msn(ack, qp->resp.msn); +-- +2.35.0 + diff --git a/patches.suse/RDMA-rxe-Fix-failure-during-driver-load.patch b/patches.suse/RDMA-rxe-Fix-failure-during-driver-load.patch new file mode 100644 index 0000000..c834fcc --- /dev/null +++ b/patches.suse/RDMA-rxe-Fix-failure-during-driver-load.patch 
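Review bot: The ACK's P_Key is now the constant `IB_DEFAULT_PKEY_FULL` in the new `bth_init()` call, where the removed `memcpy()` carried the request's BTH over, together with any header bytes in front of it (`pkt->offset`). Nothing in the hunk shows that `bth_init()` in this tree writes every BTH byte, so the backport should confirm that no part of `ack->hdr` is left as it came from the skb allocation. The three bare `0` arguments are hard to audit; assuming the usual parameter order, a trailing comment such as `/* se=0, mig=0, ack_req=0 */` would make the call checkable against the setters it replaces. prepare_ack_packet() starts and ends outside the hunk.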
@@ -0,0 +1,57 @@ +From 32a25f2ea690dfaace19f7a3a916f5d7e1ddafe8 Mon Sep 17 00:00:00 2001 +From: Kamal Heib +Date: Thu, 3 Jun 2021 12:01:12 +0300 +Subject: [PATCH 1/1] RDMA/rxe: Fix failure during driver load +Git-commit: 32a25f2ea690dfaace19f7a3a916f5d7e1ddafe8 +Patch-mainline: v5.14 +References: git-fixes + +To avoid the following failure when trying to load the rdma_rxe module +while IPv6 is disabled, add a check for EAFNOSUPPORT and ignore the +failure, also delete the needless debug print from rxe_setup_udp_tunnel(). + +$ modprobe rdma_rxe +modprobe: ERROR: could not insert 'rdma_rxe': Operation not permitted + +Fixes: dfdd6158ca2c ("IB/rxe: Fix kernel panic in udp_setup_tunnel") +Link: https://lore.kernel.org/r/20210603090112.36341-1-kamalheib1@gmail.com +Reported-by: Yi Zhang +Signed-off-by: Kamal Heib +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/sw/rxe/rxe_net.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_net.c b/drivers/infiniband/sw/rxe/rxe_net.c +index 01662727dca0..fc1ba4904279 100644 +--- a/drivers/infiniband/sw/rxe/rxe_net.c ++++ b/drivers/infiniband/sw/rxe/rxe_net.c +@@ -207,10 +207,8 @@ static struct socket *rxe_setup_udp_tunnel(struct net *net, __be16 port, + + /* Create UDP socket */ + err = udp_sock_create(net, &udp_cfg, &sock); +- if (err < 0) { +- pr_err("failed to create udp socket. 
err = %d\n", err); ++ if (err < 0) + return ERR_PTR(err); +- } + + tnl_cfg.encap_type = 1; + tnl_cfg.encap_rcv = rxe_udp_encap_recv; +@@ -619,6 +617,12 @@ static int rxe_net_ipv6_init(void) + + recv_sockets.sk6 = rxe_setup_udp_tunnel(&init_net, + htons(ROCE_V2_UDP_DPORT), true); ++ if (PTR_ERR(recv_sockets.sk6) == -EAFNOSUPPORT) { ++ recv_sockets.sk6 = NULL; ++ pr_warn("IPv6 is not supported, can not create a UDPv6 socket\n"); ++ return 0; ++ } ++ + if (IS_ERR(recv_sockets.sk6)) { + recv_sockets.sk6 = NULL; + pr_err("Failed to create IPv6 UDP tunnel\n"); +-- +2.35.0 + diff --git a/patches.suse/RDMA-rxe-Fix-over-copying-in-get_srq_wqe.patch b/patches.suse/RDMA-rxe-Fix-over-copying-in-get_srq_wqe.patch new file mode 100644 index 0000000..3a6c644 --- /dev/null +++ b/patches.suse/RDMA-rxe-Fix-over-copying-in-get_srq_wqe.patch 
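Review bot: In rxe_net_ipv6_init() the new test `PTR_ERR(recv_sockets.sk6) == -EAFNOSUPPORT` runs before `IS_ERR()` has established that the value is an error pointer. A valid socket pointer is unlikely to compare equal, so this is a readability point, but the check is easier to audit nested inside the existing `if (IS_ERR(recv_sockets.sk6))` branch. With the `pr_err()` dropped from rxe_setup_udp_tunnel(), the remaining "Failed to create IPv6 UDP tunnel" message no longer carries the error code. Logging it before the pointer is cleared, e.g. `pr_err("Failed to create IPv6 UDP tunnel: %ld\n", PTR_ERR(recv_sockets.sk6));`, keeps load failures diagnosable. Both functions continue outside the hunks shown.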
@@ -0,0 +1,56 @@ +From ec0fa2445c18ec49a0b7ee0aaa82d1ec00968fc9 Mon Sep 17 00:00:00 2001 +From: Bob Pearson +Date: Thu, 17 Jun 2021 23:57:41 -0500 +Subject: [PATCH 1/1] RDMA/rxe: Fix over copying in get_srq_wqe +Git-commit: ec0fa2445c18ec49a0b7ee0aaa82d1ec00968fc9 +Patch-mainline: v5.14 +References: git-fixes + +Currently get_srq_wqe() in rxe_resp.c copies the maximum possible number +of bytes from the wqe into the QPs copy of the SRQ wqe. This is usually +extra work and risks reading past the end of the SRQ circular buffer if +the SRQ is configured with less than the maximum possible number of SGEs. + +Check the number of SGEs is not too large. +Compute the actual number of bytes in the WR and copy only those. + +Fixes: 8700e3e7c485 ("Soft RoCE driver") +Link: https://lore.kernel.org/r/20210618045742.204195-5-rpearsonhpe@gmail.com +Signed-off-by: Bob Pearson +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/sw/rxe/rxe_resp.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_resp.c b/drivers/infiniband/sw/rxe/rxe_resp.c +index 5718c8bb28ac..93322d20c0ab 100644 +--- a/drivers/infiniband/sw/rxe/rxe_resp.c ++++ b/drivers/infiniband/sw/rxe/rxe_resp.c +@@ -323,6 +323,7 @@ static enum resp_states get_srq_wqe(struct rxe_qp *qp) + struct rxe_queue *q = srq->rq.queue; + struct rxe_recv_wqe *wqe; + struct ib_event ev; ++ size_t size; + + if (srq->error) + return RESPST_ERR_RNR; +@@ -335,8 +336,13 @@ static enum resp_states get_srq_wqe(struct rxe_qp *qp) + return RESPST_ERR_RNR; + } + +- /* note kernel and user space recv wqes have same size */ +- memcpy(&qp->resp.srq_wqe, wqe, sizeof(qp->resp.srq_wqe)); ++ /* don't trust user space data */ ++ if (unlikely(wqe->dma.num_sge > srq->rq.max_sge)) { ++ pr_warn("%s: invalid num_sge in SRQ entry\n", __func__); ++ return RESPST_ERR_MALFORMED_WQE; ++ } ++ size = sizeof(wqe) + wqe->dma.num_sge*sizeof(struct rxe_sge); ++ 
memcpy(&qp->resp.srq_wqe, wqe, size); + + qp->resp.wqe = &qp->resp.srq_wqe.wqe; + advance_consumer(q); +-- +2.35.0 + diff --git a/patches.suse/RDMA-rxe-Fix-redundant-call-to-ip_send_check.patch b/patches.suse/RDMA-rxe-Fix-redundant-call-to-ip_send_check.patch new file mode 100644 index 0000000..4227d73 --- /dev/null +++ b/patches.suse/RDMA-rxe-Fix-redundant-call-to-ip_send_check.patch @@ -0,0 +1,41 @@ +From 230bb836ee88683052b01e3bff3885c440a785b1 Mon Sep 17 00:00:00 2001 +From: Bob Pearson +Date: Thu, 17 Jun 2021 23:57:39 -0500 +Subject: [PATCH 1/1] RDMA/rxe: Fix redundant call to ip_send_check +Git-commit: 230bb836ee88683052b01e3bff3885c440a785b1 +Patch-mainline: v5.14 +References: git-fixes + +For IPV4 packets sent on the wire the rxe driver calls ip_local_out() +which immediately calls __ip_local_out() which sets iph->tot_len and calls +ip_send_check(). This code is duplicated in prepare4(). On the loopback +path the IP header checksum and tot_len fields are not used so they do not +need to be set. + +Remove this redundant code. + +Fixes: 8700e3e7c485 ("Soft RoCE driver") +Link: https://lore.kernel.org/r/20210618045742.204195-3-rpearsonhpe@gmail.com +Signed-off-by: Bob Pearson +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/sw/rxe/rxe_net.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_net.c b/drivers/infiniband/sw/rxe/rxe_net.c +index fc1ba4904279..c4350ce3b306 100644 +--- a/drivers/infiniband/sw/rxe/rxe_net.c ++++ b/drivers/infiniband/sw/rxe/rxe_net.c +@@ -267,8 +267,6 @@ static void prepare_ipv4_hdr(struct dst_entry *dst, struct sk_buff *skb, + iph->ttl = ttl; + __ip_select_ident(dev_net(dst->dev), iph, + skb_shinfo(skb)->gso_segs ?: 1); +- iph->tot_len = htons(skb->len); +- ip_send_check(iph); + } + + static void prepare_ipv6_hdr(struct dst_entry *dst, struct sk_buff *skb, +-- +2.35.0 + 
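Review bot: In get_srq_wqe() the new length uses `sizeof(wqe)`, but `wqe` is declared `struct rxe_recv_wqe *wqe`, so that term is the size of a pointer rather than of the entry header. The `memcpy()` therefore stops short, and the tail of the SGE list in `qp->resp.srq_wqe` is left with whatever was there before. The line should read `size = sizeof(*wqe) + wqe->dma.num_sge * sizeof(struct rxe_sge);`. The added comment marks the entry as user-controlled, yet `wqe->dma.num_sge` is fetched once for the bounds check and again for the size. Reading it once into a local (`u32 num_sge = READ_ONCE(wqe->dma.num_sge);`) and using that local in both places would close the window between check and use. The function body continues outside the hunk.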
diff --git a/patches.suse/RDMA-rxe-Fix-wrong-port_cap_flags.patch b/patches.suse/RDMA-rxe-Fix-wrong-port_cap_flags.patch new file mode 100644 index 0000000..b8e1dc6 --- /dev/null +++ b/patches.suse/RDMA-rxe-Fix-wrong-port_cap_flags.patch @@ -0,0 +1,38 @@ +From dcd3f985b20ffcc375f82ca0ca9f241c7025eb5e Mon Sep 17 00:00:00 2001 +From: Junji Wei +Date: Tue, 31 Aug 2021 16:32:23 +0800 +Subject: [PATCH 1/1] RDMA/rxe: Fix wrong port_cap_flags +Git-commit: dcd3f985b20ffcc375f82ca0ca9f241c7025eb5e +Patch-mainline: v5.16 +References: git-fixes + +The port->attr.port_cap_flags should be set to enum +ib_port_capability_mask_bits in ib_mad.h, not +RDMA_CORE_CAP_PROT_ROCE_UDP_ENCAP. + +Fixes: 8700e3e7c485 ("Soft RoCE driver") +Link: https://lore.kernel.org/r/20210831083223.65797-1-weijunji@bytedance.com +Signed-off-by: Junji Wei +Reviewed-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/sw/rxe/rxe_param.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_param.h b/drivers/infiniband/sw/rxe/rxe_param.h +index 742e6ec93686..b5a70cbe94aa 100644 +--- a/drivers/infiniband/sw/rxe/rxe_param.h ++++ b/drivers/infiniband/sw/rxe/rxe_param.h +@@ -113,7 +113,7 @@ enum rxe_device_param { + /* default/initial rxe port parameters */ + enum rxe_port_param { + RXE_PORT_GID_TBL_LEN = 1024, +- RXE_PORT_PORT_CAP_FLAGS = RDMA_CORE_CAP_PROT_ROCE_UDP_ENCAP, ++ RXE_PORT_PORT_CAP_FLAGS = IB_PORT_CM_SUP, + RXE_PORT_MAX_MSG_SZ = 0x800000, + RXE_PORT_BAD_PKEY_CNTR = 0, + RXE_PORT_QKEY_VIOL_CNTR = 0, +-- +2.35.0 + diff --git a/patches.suse/RDMA-rxe-Handle-skb_clone-failure-in-rxe_recv.c.patch b/patches.suse/RDMA-rxe-Handle-skb_clone-failure-in-rxe_recv.c.patch new file mode 100644 index 0000000..5eddba2 --- /dev/null +++ b/patches.suse/RDMA-rxe-Handle-skb_clone-failure-in-rxe_recv.c.patch 
@@ -0,0 +1,42 @@ +From 71abf20b28ff87fee6951ec2218d5ce7969c4e87 Mon Sep 17 00:00:00 2001 +From: Bob Pearson +Date: Tue, 13 Oct 2020 13:42:37 -0500 +Subject: [PATCH 1/1] RDMA/rxe: Handle skb_clone() failure in rxe_recv.c +Git-commit: 71abf20b28ff87fee6951ec2218d5ce7969c4e87 +Patch-mainline: v5.10 +References: git-fixes + +If skb_clone() is unable to allocate memory for a new sk_buff this is not +detected by the current code. + +Check for a NULL return and continue. This is similar to other errors in +this loop over QPs attached to the multicast address and consistent with +the unreliable UD transport. + +Fixes: e7ec96fc7932f ("RDMA/rxe: Fix skb lifetime in rxe_rcv_mcast_pkt()") +Addresses-Coverity-ID: 1497804: Null pointer dereferences (NULL_RETURNS) +Link: https://lore.kernel.org/r/20201013184236.5231-1-rpearson@hpe.com +Signed-off-by: Bob Pearson +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/sw/rxe/rxe_recv.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/infiniband/sw/rxe/rxe_recv.c b/drivers/infiniband/sw/rxe/rxe_recv.c +index 11f3daf20768..c9984a28eecc 100644 +--- a/drivers/infiniband/sw/rxe/rxe_recv.c ++++ b/drivers/infiniband/sw/rxe/rxe_recv.c +@@ -271,6 +271,9 @@ static void rxe_rcv_mcast_pkt(struct rxe_dev *rxe, struct sk_buff *skb) + else + per_qp_skb = skb; + ++ if (unlikely(!per_qp_skb)) ++ continue; ++ + per_qp_pkt = SKB_TO_PKT(per_qp_skb); + per_qp_pkt->qp = qp; + rxe_add_ref(qp); +-- +2.35.0 + diff --git a/patches.suse/llc-fix-netdevice-reference-leaks-in-llc_ui_bind.patch b/patches.suse/llc-fix-netdevice-reference-leaks-in-llc_ui_bind.patch new file mode 100644 index 0000000..8f0577e --- /dev/null +++ b/patches.suse/llc-fix-netdevice-reference-leaks-in-llc_ui_bind.patch 
@@ -0,0 +1,57 @@ +From: Eric Dumazet +Date: Tue, 22 Mar 2022 17:41:47 -0700 +Subject: llc: fix netdevice reference leaks in llc_ui_bind() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Patch-mainline: v5.18-rc1 +Git-commit: 764f4eb6846f5475f1244767d24d25dd86528a4a +References: CVE-2022-28356 bsc#1197391 + +Whenever llc_ui_bind() and/or llc_ui_autobind() +took a reference on a netdevice but subsequently fail, +they must properly release their reference +or risk the infamous message from unregister_netdevice() +at device dismantle. + +unregister_netdevice: waiting for eth0 to become free. Usage count = 3 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: 赵子轩 +Reported-by: Stoyan Manolov +Link: https://lore.kernel.org/r/20220323004147.1990845-1-eric.dumazet@gmail.com +Signed-off-by: Jakub Kicinski +Acked-by: Michal Kubecek + +SLE/openSUSE: use dev_put() rather than dev_put_track() which was only +introduced in mainline 5.17-rc1. + +--- + net/llc/af_llc.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/net/llc/af_llc.c ++++ b/net/llc/af_llc.c +@@ -299,6 +299,10 @@ static int llc_ui_autobind(struct socket *sock, struct sockaddr_llc *addr) + sock_reset_flag(sk, SOCK_ZAPPED); + rc = 0; + out: ++ if (rc) { ++ dev_put(llc->dev); ++ llc->dev = NULL; ++ } + return rc; + } + +@@ -398,6 +402,10 @@ static int llc_ui_bind(struct socket *sock, struct sockaddr *uaddr, int addrlen) + out_put: + llc_sap_put(sap); + out: ++ if (rc) { ++ dev_put(llc->dev); ++ llc->dev = NULL; ++ } + release_sock(sk); + return rc; + } diff --git a/patches.suse/netfilter-nf_tables-initialize-registers-in-nft_do_c.patch b/patches.suse/netfilter-nf_tables-initialize-registers-in-nft_do_c.patch new file mode 100644 index 0000000..7c2847b --- /dev/null +++ b/patches.suse/netfilter-nf_tables-initialize-registers-in-nft_do_c.patch 
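Review bot: The added `if (rc) { dev_put(llc->dev); llc->dev = NULL; }` at `out:` runs for every failing exit of llc_ui_bind() and llc_ui_autobind(), not only for those that fail after this call took its own device reference. The early exits are outside the hunk, but if any of them jumps to `out:` first, two problems follow. Where `llc->dev` still holds the reference of an earlier successful bind, that reference is dropped and a refcount underflow or use-after-free becomes possible. Where `llc->dev` is still NULL, the call is only safe if `dev_put()` in this tree tolerates NULL, which the page does not show. A safer shape is to keep the looked-up device in a local variable, release that local on failure, and assign `llc->dev` only once the bind has succeeded. The exact lines depend on the function bodies, which are not visible here.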
@@ -0,0 +1,28 @@ +From: Pablo Neira Ayuso +Date: Thu, 17 Mar 2022 12:04:42 +0100 +Subject: netfilter: nf_tables: initialize registers in nft_do_chain() +Patch-mainline: v5.18-rc1 +Git-commit: 4c905f6740a365464e91467aa50916555b28213d +References: CVE-2022-1016 bsc#1197227 + +Initialize registers to avoid stack leak into userspace. + +Fixes: 96518518cc41 ("netfilter: add nftables") +Signed-off-by: Pablo Neira Ayuso +Acked-by: Michal Kubecek + +--- + net/netfilter/nf_tables_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netfilter/nf_tables_core.c ++++ b/net/netfilter/nf_tables_core.c +@@ -129,7 +129,7 @@ nft_do_chain(struct nft_pktinfo *pkt, void *priv) + struct nft_stats __percpu *pstats; + const struct nft_rule *rule; + const struct nft_expr *expr, *last; +- struct nft_regs regs; ++ struct nft_regs regs = {}; + unsigned int stackptr = 0; + struct nft_jumpstack jumpstack[NFT_JUMP_STACK_SIZE]; + struct nft_stats *stats; diff --git a/patches.suse/xhci-Fresco-FL1100-controller-should-not-have-BROKEN.patch b/patches.suse/xhci-Fresco-FL1100-controller-should-not-have-BROKEN.patch new file mode 100644 index 0000000..73326ec --- /dev/null +++ b/patches.suse/xhci-Fresco-FL1100-controller-should-not-have-BROKEN.patch 
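Review bot: The security-relevant initializer `struct nft_regs regs = {};` in nft_do_chain() has no comment explaining why it is there. On a per-packet path it looks like a removable cost, so a later cleanup could drop it and bring back the stack disclosure the commit message describes. I would add `/* zeroed so a register read before any write cannot expose stack contents to userspace */` on the line above. It is also worth confirming that the empty initializer zeroes every member of `struct nft_regs` on the compilers this tree supports, since the type's layout is not shown here. The function body continues outside the hunk.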
@@ -0,0 +1,56 @@ +From e4844092581ceec22489b66c42edc88bc6079783 Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Tue, 21 Dec 2021 13:28:25 +0200 +Subject: [PATCH] xhci: Fresco FL1100 controller should not have BROKEN_MSI + quirk set. +Git-commit: e4844092581ceec22489b66c42edc88bc6079783 +References: git-fixes +Patch-mainline: v5.16-rc8 + +The Fresco Logic FL1100 controller needs the TRUST_TX_LENGTH quirk like +other Fresco controllers, but should not have the BROKEN_MSI quirks set. + +BROKEN_MSI quirk causes issues in detecting usb drives connected to docks +with this FL1100 controller. +The BROKEN_MSI flag was apparently accidentally set together with the +TRUST_TX_LENGTH quirk + +Original patch went to stable so this should go there as well. + +Fixes: ea0f69d82119 ("xhci: Enable trust tx length quirk for Fresco FL11 USB controller") +Cc: stable@vger.kernel.org +cc: Nikolay Martynov +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20211221112825.54690-2-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Oliver Neukum +--- + drivers/usb/host/xhci-pci.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c +index 3af017883231..5c351970cdf1 100644 +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -123,7 +123,6 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci) + /* Look for vendor-specific quirks */ + if (pdev->vendor == PCI_VENDOR_ID_FRESCO_LOGIC && + (pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_PDK || +- pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_FL1100 || + pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_FL1400)) { + if (pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_PDK && + pdev->revision == 0x0) { +@@ -158,6 +157,10 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci) + pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_FL1009) + xhci->quirks |= XHCI_BROKEN_STREAMS; + ++ if (pdev->vendor 
== PCI_VENDOR_ID_FRESCO_LOGIC && ++ pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_FL1100) ++ xhci->quirks |= XHCI_TRUST_TX_LENGTH; ++ + if (pdev->vendor == PCI_VENDOR_ID_NEC) + xhci->quirks |= XHCI_NEC_HOST; + +-- +2.34.1 + diff --git a/series.conf b/series.conf index 84f52c0..646b57e 100644 --- a/series.conf +++ b/series.conf @@ -57793,6 +57793,7 @@ patches.suse/RDMA-bnxt_re-Fix-sizeof-mismatch-for-allocation-of-p.patch patches.suse/IB-rdmavt-Fix-sizeof-mismatch.patch patches.suse/RDMA-rxe-Fix-skb-lifetime-in-rxe_rcv_mcast_pkt.patch + patches.suse/RDMA-rxe-Handle-skb_clone-failure-in-rxe_recv.c.patch patches.suse/mailbox-avoid-timer-start-from-callback.patch patches.suse/smp-Add-source-and-destination-CPUs-to-__call_single.patch patches.suse/kernel-smp-Provide-CSD-lock-timeout-diagnostics.patch @@ -59161,6 +59162,7 @@ patches.suse/ASoC-wm8960-Fix-wrong-bclk-and-lrclk-with-pll-enable.patch patches.suse/ASoC-intel-atom-Stop-advertising-non-working-S24LE-s.patch patches.suse/ASoC-fsl_esai-Fix-TDM-slot-setup-for-I2S-mode.patch + patches.suse/RDMA-cxgb4-check-for-ipv6-address-properly-while-des.patch patches.suse/RDMA-addr-Be-strict-with-gid-size.patch patches.suse/cifs-On-cifs_reconnect-resolve-the-hostname-again-.patch patches.suse/nfc-fix-refcount-leak-in-llcp_sock_bind.patch 
@@ -59991,6 +59993,11 @@ patches.suse/drm-rockchip-cdn-dp-core-add-missing-clk_disable_unp.patch patches.suse/0005-drm-rockchip-cdn-dp-fix-sign-extension-on-an-int-mul.patch patches.suse/drm-qxl-ensure-surf.data-is-ininitialized.patch + patches.suse/RDMA-rxe-Fix-failure-during-driver-load.patch + patches.suse/RDMA-rxe-Don-t-overwrite-errno-from-ib_umem_get.patch + patches.suse/RDMA-rxe-Fix-redundant-call-to-ip_send_check.patch + patches.suse/RDMA-rxe-Fix-over-copying-in-get_srq_wqe.patch + patches.suse/RDMA-rxe-Fix-extra-copy-in-prepare_ack_packet.patch patches.suse/lib-decompress_unlz4.c-correctly-handle-zero-padding.patch patches.suse/lib-decompressors-remove-set-but-not-used-variabled-.patch patches.suse/mwifiex-re-fix-for-unaligned-accesses.patch @@ -60251,6 +60258,7 @@ patches.suse/net-asix-fix-uninit-value-bugs.patch patches.suse/0006-drm-mediatek-Add-AAL-output-size-configuration.patch patches.suse/RDMA-bnxt_re-Add-missing-spin-lock-initialization-17f2569d.patch + patches.suse/IB-hfi1-Fix-possible-null-pointer-dereference-in-_ex.patch patches.suse/RDMA-efa-Free-IRQ-vectors-on-error-flow.patch patches.suse/xgene-v2-Fix-a-resource-leak-in-the-error-handling-p.patch patches.suse/e1000e-Fix-the-max-snoop-no-snoop-latency-for-10M.patch @@ -60320,6 +60328,8 @@ patches.suse/clk-at91-clk-generated-Limit-the-requested-rate-to-o.patch patches.suse/clk-kirkwood-Fix-a-clocking-boot-regression.patch patches.suse/pinctrl-samsung-Fix-pinctrl-bank-pin-count.patch + patches.suse/IB-hfi1-Adjust-pkey-entry-in-index-0.patch + patches.suse/RDMA-iwcm-Release-resources-if-iw_cm-module-initiali.patch patches.suse/docs-Fix-infiniband-uverbs-minor-number.patch patches.suse/RDMA-efa-Remove-double-QP-type-assignment.patch patches.suse/scsi-qla2xxx-Remove-redundant-continue-statement-in-.patch 
@@ -60485,6 +60495,7 @@ patches.suse/scsi-lpfc-Use-correct-scnprintf-limit.patch patches.suse/scsi-lpfc-Fix-gcc-Wstringop-overread-warning-again.patch patches.suse/ocfs2-drop-acl-cache-for-directories-too.patch + patches.suse/RDMA-cma-Ensure-rdma_addr_cancel-happens-before-issu.patch patches.suse/Revert-ibmvnic-check-failover_pending-in-login-respo.patch patches.suse/scsi-qla2xxx-Fix-excessive-messages-during-device-lo.patch patches.suse/scsi-csiostor-Add-module-softdep-on-cxgb4 @@ -60534,6 +60545,7 @@ patches.suse/scsi-qla2xxx-Fix-a-memory-leak-in-an-error-path-of-qla2x00_process_els patches.suse/scsi-qla2xxx-Fix-unmap-of-already-freed-sgl.patch patches.suse/RDMA-mlx5-Set-user-priority-for-DCT.patch + patches.suse/IB-qib-Protect-from-buffer-overflow-in-struct-qib_us.patch patches.suse/IB-hfi1-Fix-abba-locking-issue-with-sc_disable.patch patches.suse/sctp-use-init_tag-from-inithdr-for-ABORT-chunk.patch patches.suse/sctp-fix-the-processing-for-INIT-chunk.patch @@ -60581,7 +60593,10 @@ patches.suse/ibmvnic-delay-complete.patch patches.suse/Revert-x86-kvm-fix-vcpu-id-indexed-array-sizes.patch patches.suse/platform-x86-thinkpad_acpi-Fix-bitwise-vs.-logical-w.patch + patches.suse/RDMA-rxe-Fix-wrong-port_cap_flags.patch patches.suse/RDMA-bnxt_re-Fix-query-SRQ-failure.patch + patches.suse/RDMA-mlx4-Return-missed-an-error-if-device-doesn-t-s.patch + patches.suse/RDMA-qedr-Fix-NULL-deref-for-query_qp-on-the-GSI-QP.patch patches.suse/usb-storage-Add-compatibility-quirk-flags-for-iODD-2.patch patches.suse/USB-chipidea-fix-interrupt-deadlock.patch patches.suse/USB-iowarrior-fix-control-message-timeouts.patch 
@@ -60724,6 +60739,9 @@ patches.suse/gve-fix-for-null-pointer-dereference.patch patches.suse/i40e-Fix-pre-set-max-number-of-queues-for-VF.patch patches.suse/ice-ignore-dropped-packets-during-init.patch + patches.suse/IB-hfi1-Correct-guard-on-eager-buffer-deallocation.patch + patches.suse/IB-hfi1-Insure-use-of-smp_processor_id-is-preempt-di.patch + patches.suse/IB-hfi1-Fix-leak-of-rcvhdrtail_dummy_kvaddr.patch patches.suse/nfsd-fix-use-after-free-due-to-delegation-race.patch patches.suse/mm-bdi-initialize-bdi_min_ratio-when-bdi-is-unregist.patch patches.suse/block-fix-ioprio_get-IOPRIO_WHO_PGRP-vs-setuid-2.patch @@ -60746,6 +60764,7 @@ patches.suse/asix-fix-wrong-return-value-in-asix_check_host_enabl.patch patches.suse/x86-pkey-fix-undefined-behaviour-with-pkru_wd_bit.patch patches.suse/recordmcount.pl-fix-typo-in-s390-mcount-regex.patch + patches.suse/xhci-Fresco-FL1100-controller-should-not-have-BROKEN.patch patches.suse/net-usb-pegasus-Do-not-drop-long-Ethernet-frames.patch patches.suse/scsi-lpfc-Terminate-string-in-lpfc_debugfs_nvmeio_trc_write patches.suse/net-ena-Fix-undefined-state-when-tx-request-id-is-ou.patch @@ -60755,6 +60774,7 @@ patches.suse/i40e-Fix-for-displaying-message-regarding-NVM-versio.patch patches.suse/iavf-Fix-limit-of-total-number-of-queues-to-active-q.patch patches.suse/tracing-Fix-check-for-trace_percpu_buffer-validity-in-get_trace_buf.patch + patches.suse/RDMA-core-Don-t-infoleak-GRH-fields.patch patches.suse/cgroup-Use-open-time-credentials-for-process-migraton-perm-checks.patch patches.suse/cgroup-Allocate-cgroup_file_ctx-for-kernfs_open_file-priv.patch patches.suse/cgroup-Use-open-time-cgroup-namespace-for-process-migration-perm-checks.patch 
@@ -60795,6 +60815,11 @@ patches.suse/0002-usb-Introduce-Xen-pvUSB-frontend-xen-hcd.patch patches.suse/usb-host-xen-hcd-add-missing-unlock-in-error-path.patch patches.suse/usb-ftdi-elan-fix-memory-leak-on-device-disconnect.patch + patches.suse/RDMA-bnxt_re-Scan-the-whole-bitmap-when-checking-if-.patch + patches.suse/RDMA-hns-Validate-the-pkey-index.patch + patches.suse/RDMA-core-Let-ib_find_gid-continue-search-even-after.patch + patches.suse/RDMA-cma-Let-cma_resolve_ib_dev-continue-search-even.patch + patches.suse/RDMA-cxgb4-Set-queue-pair-state-when-being-queried.patch patches.suse/scsi-ufs-Fix-race-conditions-related-to-driver-data patches.suse/scsi-lpfc-Fix-leaked-lpfc_dmabuf-mbox-allocations-wi.patch patches.suse/scsi-lpfc-Change-return-code-on-I-Os-received-during.patch @@ -60842,6 +60867,7 @@ patches.suse/cgroup-v1-Require-capabilities-to-set-release_agent.patch patches.suse/gve-fix-the-wrong-AdminQ-buffer-queue-index-check.patch patches.suse/IB-rdmavt-Validate-remote_addr-during-loopback-atomi.patch + patches.suse/RDMA-mlx4-Don-t-continue-event-handler-after-memory-.patch patches.suse/edac-xgene-fix-deferred-probing.patch patches.suse/ext4-fix-error-handling-in-ext4_restore_inline_data.patch patches.suse/mmc-moxart_remove-Fix-UAF.patch @@ -60871,6 +60897,7 @@ patches.suse/xhci-Prevent-futile-URB-re-submissions-due-to-incorr.patch patches.suse/USB-serial-option-add-support-for-DW5829e.patch patches.suse/USB-serial-option-add-Telit-LE910R1-compositions.patch + patches.suse/RDMA-ib_srp-Fix-a-deadlock.patch patches.suse/tracing-Dump-stacktrace-trigger-to-the-corresponding-instance.patch patches.suse/tracing-Have-traceon-and-traceoff-trigger-honor-the-instance.patch patches.suse/xfrm-fix-mtu-regression.patch 
@@ -60909,6 +60936,8 @@ patches.suse/ALSA-pcm-Fix-races-among-concurrent-prealloc-proc-wr.patch patches.suse/net-asix-add-proper-error-handling-of-usb-read-error.patch patches.suse/net-ibmvnic-Cleanup-workaround-doing-an-EOI-after-pa.patch + patches.suse/llc-fix-netdevice-reference-leaks-in-llc_ui_bind.patch + patches.suse/netfilter-nf_tables-initialize-registers-in-nft_do_c.patch patches.suse/scsi-qla2xxx-Refactor-asynchronous-command-initializ.patch patches.suse/scsi-qla2xxx-Implement-ref-count-for-SRB.patch patches.suse/scsi-qla2xxx-Fix-stuck-session-in-gpdb.patch @@ -60978,6 +61007,9 @@ patches.suse/powerpc-tm-Fix-more-userspace-r13-corruption.patch patches.suse/powerpc-pseries-Fix-use-after-free-in-remove_phb_dyn.patch patches.suse/USB-storage-ums-realtek-fix-error-code-in-rts51x_rea.patch + patches.suse/NFS-Return-valid-errors-from-nfs2-3_decode_dirent.patch + patches.suse/NFSv4.1-don-t-retry-BIND_CONN_TO_SESSION-on-session-.patch + patches.suse/NFSv4-pNFS-Fix-another-issue-with-a-list-iterator-po.patch patches.suse/can-ems_usb-ems_usb_start_xmit-fix-double-dev_kfree_.patch patches.suse/can-usb_8dev-usb_8dev_start_xmit-fix-double-dev_kfre.patch patches.suse/can-mcba_usb-mcba_usb_start_xmit-fix-double-dev_kfre.patch