--- /dev/null
+From fdfa083549de5d50ebf7f6811f33757781e838c0 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Sun, 4 Feb 2024 16:42:07 -0800
+Subject: RDMA/srpt: Support specifying the srpt_service_guid parameter
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+commit fdfa083549de5d50ebf7f6811f33757781e838c0 upstream.
+
+Make loading ib_srpt with this parameter set work. The current behavior is
+that setting that parameter while loading the ib_srpt kernel module
+triggers the following kernel crash:
+
+BUG: kernel NULL pointer dereference, address: 0000000000000000
+Call Trace:
+ <TASK>
+ parse_one+0x18c/0x1d0
+ parse_args+0xe1/0x230
+ load_module+0x8de/0xa60
+ init_module_from_file+0x8b/0xd0
+ idempotent_init_module+0x181/0x240
+ __x64_sys_finit_module+0x5a/0xb0
+ do_syscall_64+0x5f/0xe0
+ entry_SYSCALL_64_after_hwframe+0x6e/0x76
+
+Cc: LiHonggang <honggangli@163.com>
+Reported-by: LiHonggang <honggangli@163.com>
+Fixes: a42d985bd5b2 ("ib_srpt: Initial SRP Target merge for v3.3-rc1")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://lore.kernel.org/r/20240205004207.17031-1-bvanassche@acm.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+[ Alok: Backport to 5.4.y since the commit has already been backported to
+ 5.15y, 5.10.y, and 4.19.y ]
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/ulp/srpt/ib_srpt.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
+@@ -79,12 +79,16 @@ module_param(srpt_srq_size, int, 0444);
+ MODULE_PARM_DESC(srpt_srq_size,
+ "Shared receive queue (SRQ) size.");
+
++static int srpt_set_u64_x(const char *buffer, const struct kernel_param *kp)
++{
++ return kstrtou64(buffer, 16, (u64 *)kp->arg);
++}
+ static int srpt_get_u64_x(char *buffer, const struct kernel_param *kp)
+ {
+ return sprintf(buffer, "0x%016llx", *(u64 *)kp->arg);
+ }
+-module_param_call(srpt_service_guid, NULL, srpt_get_u64_x, &srpt_service_guid,
+- 0444);
++module_param_call(srpt_service_guid, srpt_set_u64_x, srpt_get_u64_x,
++ &srpt_service_guid, 0444);
+ MODULE_PARM_DESC(srpt_service_guid,
+ "Using this value for ioc_guid, id_ext, and cm_listen_id instead of using the node_guid of the first HCA.");
+
mmc-cqhci-fix-checking-of-cqhci_halt-state.patch
net-openvswitch-fix-race-on-port-output.patch
openvswitch-fix-lockup-on-tx-to-unregistering-netdev-with-carrier.patch
+rdma-srpt-support-specifying-the-srpt_service_guid-parameter.patch
+virtio-net-add-validation-for-used-length.patch
--- /dev/null
+From ad993a95c508417acdeb15244109e009e50d8758 Mon Sep 17 00:00:00 2001
+From: Xie Yongji <xieyongji@bytedance.com>
+Date: Mon, 31 May 2021 21:58:52 +0800
+Subject: virtio-net: Add validation for used length
+
+From: Xie Yongji <xieyongji@bytedance.com>
+
+commit ad993a95c508417acdeb15244109e009e50d8758 upstream.
+
+This adds validation for used length (might come
+from an untrusted device) to avoid data corruption
+or loss.
+
+Signed-off-by: Xie Yongji <xieyongji@bytedance.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Link: https://lore.kernel.org/r/20210531135852.113-1-xieyongji@bytedance.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ Larry: backport to 5.4.y. Minor conflict resolved due to missing commit 9ce6146ec7b50
+ virtio_net: Add XDP frame size in two code paths ]
+Signed-off-by: Larry Bassel <larry.bassel@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/virtio_net.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -717,6 +717,12 @@ static struct sk_buff *receive_small(str
+ len -= vi->hdr_len;
+ stats->bytes += len;
+
++ if (unlikely(len > GOOD_PACKET_LEN)) {
++ pr_debug("%s: rx error: len %u exceeds max size %d\n",
++ dev->name, len, GOOD_PACKET_LEN);
++ dev->stats.rx_length_errors++;
++ goto err_len;
++ }
+ rcu_read_lock();
+ xdp_prog = rcu_dereference(rq->xdp_prog);
+ if (xdp_prog) {
+@@ -819,6 +825,7 @@ err:
+ err_xdp:
+ rcu_read_unlock();
+ stats->xdp_drops++;
++err_len:
+ stats->drops++;
+ put_page(page);
+ xdp_xmit:
+@@ -871,6 +878,13 @@ static struct sk_buff *receive_mergeable
+ head_skb = NULL;
+ stats->bytes += len - vi->hdr_len;
+
++ truesize = mergeable_ctx_to_truesize(ctx);
++ if (unlikely(len > truesize)) {
++ pr_debug("%s: rx error: len %u exceeds truesize %lu\n",
++ dev->name, len, (unsigned long)ctx);
++ dev->stats.rx_length_errors++;
++ goto err_skb;
++ }
+ rcu_read_lock();
+ xdp_prog = rcu_dereference(rq->xdp_prog);
+ if (xdp_prog) {
+@@ -990,14 +1004,6 @@ static struct sk_buff *receive_mergeable
+ }
+ rcu_read_unlock();
+
+- truesize = mergeable_ctx_to_truesize(ctx);
+- if (unlikely(len > truesize)) {
+- pr_debug("%s: rx error: len %u exceeds truesize %lu\n",
+- dev->name, len, (unsigned long)ctx);
+- dev->stats.rx_length_errors++;
+- goto err_skb;
+- }
+-
+ head_skb = page_to_skb(vi, rq, page, offset, len, truesize, !xdp_prog,
+ metasize);
+ curr_skb = head_skb;
projects / thirdparty / kernel / stable-queue.git / commitdiff
