6.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 12 Aug 2023 18:04:42 +0000 (20:04 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 12 Aug 2023 18:04:42 +0000 (20:04 +0200)
added patches:
net-marvell-prestera-fix-handling-ipv4-routes-with-nhid.patch
net-tls-avoid-discarding-data-on-record-close.patch
rdma-bnxt_re-fix-error-handling-in-probe-failure-path.patch
rdma-bnxt_re-properly-order-ib_device_unalloc-to-avoid-uaf.patch
rdma-umem-set-iova-in-odp-flow.patch

queue-6.4/net-marvell-prestera-fix-handling-ipv4-routes-with-nhid.patch [new file with mode: 0644]
queue-6.4/net-tls-avoid-discarding-data-on-record-close.patch [new file with mode: 0644]
queue-6.4/rdma-bnxt_re-fix-error-handling-in-probe-failure-path.patch [new file with mode: 0644]
queue-6.4/rdma-bnxt_re-properly-order-ib_device_unalloc-to-avoid-uaf.patch [new file with mode: 0644]
queue-6.4/rdma-umem-set-iova-in-odp-flow.patch [new file with mode: 0644]
queue-6.4/series

diff --git a/queue-6.4/net-marvell-prestera-fix-handling-ipv4-routes-with-nhid.patch b/queue-6.4/net-marvell-prestera-fix-handling-ipv4-routes-with-nhid.patch
new file mode 100644 (file)
index 0000000..284ac10
--- /dev/null
@@ -0,0 +1,160 @@
+From 2aa71b4b294ee2c3041d085404cea914be9b3225 Mon Sep 17 00:00:00 2001
+From: Jonas Gorski <jonas.gorski@bisdn.de>
+Date: Fri, 4 Aug 2023 12:12:20 +0200
+Subject: net: marvell: prestera: fix handling IPv4 routes with nhid
+
+From: Jonas Gorski <jonas.gorski@bisdn.de>
+
+commit 2aa71b4b294ee2c3041d085404cea914be9b3225 upstream.
+
+Fix handling IPv4 routes referencing a nexthop via its id by replacing
+calls to fib_info_nh() with fib_info_nhc().
+
+Trying to add an IPv4 route referencing a nextop via nhid:
+
+    $ ip link set up swp5
+    $ ip a a 10.0.0.1/24 dev swp5
+    $ ip nexthop add dev swp5 id 20 via 10.0.0.2
+    $ ip route add 10.0.1.0/24 nhid 20
+
+triggers warnings when trying to handle the route:
+
+[  528.805763] ------------[ cut here ]------------
+[  528.810437] WARNING: CPU: 3 PID: 53 at include/net/nexthop.h:468 __prestera_fi_is_direct+0x2c/0x68 [prestera]
+[  528.820434] Modules linked in: prestera_pci act_gact act_police sch_ingress cls_u32 cls_flower prestera arm64_delta_tn48m_dn_led(O) arm64_delta_tn48m_dn_cpld(O) [last unloaded: prestera_pci]
+[  528.837485] CPU: 3 PID: 53 Comm: kworker/u8:3 Tainted: G           O       6.4.5 #1
+[  528.845178] Hardware name: delta,tn48m-dn (DT)
+[  528.849641] Workqueue: prestera_ordered __prestera_router_fib_event_work [prestera]
+[  528.857352] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[  528.864347] pc : __prestera_fi_is_direct+0x2c/0x68 [prestera]
+[  528.870135] lr : prestera_k_arb_fib_evt+0xb20/0xd50 [prestera]
+[  528.876007] sp : ffff80000b20bc90
+[  528.879336] x29: ffff80000b20bc90 x28: 0000000000000000 x27: ffff0001374d3a48
+[  528.886510] x26: ffff000105604000 x25: ffff000134af8a28 x24: ffff0001374d3800
+[  528.893683] x23: ffff000101c89148 x22: ffff000101c89000 x21: ffff000101c89200
+[  528.900855] x20: ffff00013641fda0 x19: ffff800009d01088 x18: 0000000000000059
+[  528.908027] x17: 0000000000000277 x16: 0000000000000000 x15: 0000000000000000
+[  528.915198] x14: 0000000000000003 x13: 00000000000fe400 x12: 0000000000000000
+[  528.922371] x11: 0000000000000002 x10: 0000000000000aa0 x9 : ffff8000013d2020
+[  528.929543] x8 : 0000000000000018 x7 : 000000007b1703f8 x6 : 000000001ca72f86
+[  528.936715] x5 : 0000000033399ea7 x4 : 0000000000000000 x3 : ffff0001374d3acc
+[  528.943886] x2 : 0000000000000000 x1 : ffff00010200de00 x0 : ffff000134ae3f80
+[  528.951058] Call trace:
+[  528.953516]  __prestera_fi_is_direct+0x2c/0x68 [prestera]
+[  528.958952]  __prestera_router_fib_event_work+0x100/0x158 [prestera]
+[  528.965348]  process_one_work+0x208/0x488
+[  528.969387]  worker_thread+0x4c/0x430
+[  528.973068]  kthread+0x120/0x138
+[  528.976313]  ret_from_fork+0x10/0x20
+[  528.979909] ---[ end trace 0000000000000000 ]---
+[  528.984998] ------------[ cut here ]------------
+[  528.989645] WARNING: CPU: 3 PID: 53 at include/net/nexthop.h:468 __prestera_fi_is_direct+0x2c/0x68 [prestera]
+[  528.999628] Modules linked in: prestera_pci act_gact act_police sch_ingress cls_u32 cls_flower prestera arm64_delta_tn48m_dn_led(O) arm64_delta_tn48m_dn_cpld(O) [last unloaded: prestera_pci]
+[  529.016676] CPU: 3 PID: 53 Comm: kworker/u8:3 Tainted: G        W  O       6.4.5 #1
+[  529.024368] Hardware name: delta,tn48m-dn (DT)
+[  529.028830] Workqueue: prestera_ordered __prestera_router_fib_event_work [prestera]
+[  529.036539] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[  529.043533] pc : __prestera_fi_is_direct+0x2c/0x68 [prestera]
+[  529.049318] lr : __prestera_k_arb_fc_apply+0x280/0x2f8 [prestera]
+[  529.055452] sp : ffff80000b20bc60
+[  529.058781] x29: ffff80000b20bc60 x28: 0000000000000000 x27: ffff0001374d3a48
+[  529.065953] x26: ffff000105604000 x25: ffff000134af8a28 x24: ffff0001374d3800
+[  529.073126] x23: ffff000101c89148 x22: ffff000101c89148 x21: ffff00013641fda0
+[  529.080299] x20: ffff000101c89000 x19: ffff000101c89020 x18: 0000000000000059
+[  529.087471] x17: 0000000000000277 x16: 0000000000000000 x15: 0000000000000000
+[  529.094642] x14: 0000000000000003 x13: 00000000000fe400 x12: 0000000000000000
+[  529.101814] x11: 0000000000000002 x10: 0000000000000aa0 x9 : ffff8000013cee80
+[  529.108985] x8 : 0000000000000018 x7 : 000000007b1703f8 x6 : 0000000000000018
+[  529.116157] x5 : 00000000d3497eb6 x4 : ffff000105604081 x3 : 000000008e979557
+[  529.123329] x2 : 0000000000000000 x1 : ffff00010200de00 x0 : ffff000134ae3f80
+[  529.130501] Call trace:
+[  529.132958]  __prestera_fi_is_direct+0x2c/0x68 [prestera]
+[  529.138394]  prestera_k_arb_fib_evt+0x6b8/0xd50 [prestera]
+[  529.143918]  __prestera_router_fib_event_work+0x100/0x158 [prestera]
+[  529.150313]  process_one_work+0x208/0x488
+[  529.154348]  worker_thread+0x4c/0x430
+[  529.158030]  kthread+0x120/0x138
+[  529.161274]  ret_from_fork+0x10/0x20
+[  529.164867] ---[ end trace 0000000000000000 ]---
+
+and results in a non offloaded route:
+
+    $ ip route
+    10.0.0.0/24 dev swp5 proto kernel scope link src 10.0.0.1 rt_trap
+    10.0.1.0/24 nhid 20 via 10.0.0.2 dev swp5 rt_trap
+
+When creating a route referencing a nexthop via its ID, the nexthop will
+be stored in a separate nh pointer instead of the array of nexthops in
+the fib_info struct. This causes issues since fib_info_nh() only handles
+the nexthops array, but not the separate nh pointer, and will loudly
+WARN about it.
+
+In contrast fib_info_nhc() handles both, but returns a fib_nh_common
+pointer instead of a fib_nh pointer. Luckily we only ever access fields
+from the fib_nh_common parts, so we can just replace all instances of
+fib_info_nh() with fib_info_nhc() and access the fields via their
+fib_nh_common names.
+
+This allows handling IPv4 routes with an external nexthop, and they now
+get offloaded as expected:
+
+    $ ip route
+    10.0.0.0/24 dev swp5 proto kernel scope link src 10.0.0.1 rt_trap
+    10.0.1.0/24 nhid 20 via 10.0.0.2 dev swp5 offload rt_offload
+
+Fixes: 396b80cb5cc8 ("net: marvell: prestera: Add neighbour cache accounting")
+Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de>
+Acked-by: Elad Nachman <enachman@marvell.com>
+Link: https://lore.kernel.org/r/20230804101220.247515-1-jonas.gorski@bisdn.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/prestera/prestera_router.c |   14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/ethernet/marvell/prestera/prestera_router.c
++++ b/drivers/net/ethernet/marvell/prestera/prestera_router.c
+@@ -166,11 +166,11 @@ prestera_util_neigh2nc_key(struct preste
+ static bool __prestera_fi_is_direct(struct fib_info *fi)
+ {
+-      struct fib_nh *fib_nh;
++      struct fib_nh_common *fib_nhc;
+       if (fib_info_num_path(fi) == 1) {
+-              fib_nh = fib_info_nh(fi, 0);
+-              if (fib_nh->fib_nh_gw_family == AF_UNSPEC)
++              fib_nhc = fib_info_nhc(fi, 0);
++              if (fib_nhc->nhc_gw_family == AF_UNSPEC)
+                       return true;
+       }
+@@ -261,7 +261,7 @@ static bool
+ __prestera_util_kern_n_is_reachable_v4(u32 tb_id, __be32 *addr,
+                                      struct net_device *dev)
+ {
+-      struct fib_nh *fib_nh;
++      struct fib_nh_common *fib_nhc;
+       struct fib_result res;
+       bool reachable;
+@@ -269,8 +269,8 @@ __prestera_util_kern_n_is_reachable_v4(u
+       if (!prestera_util_kern_get_route(&res, tb_id, addr))
+               if (prestera_fi_is_direct(res.fi)) {
+-                      fib_nh = fib_info_nh(res.fi, 0);
+-                      if (dev == fib_nh->fib_nh_dev)
++                      fib_nhc = fib_info_nhc(res.fi, 0);
++                      if (dev == fib_nhc->nhc_dev)
+                               reachable = true;
+               }
+@@ -324,7 +324,7 @@ prestera_kern_fib_info_nhc(struct fib_no
+       if (info->family == AF_INET) {
+               fen4_info = container_of(info, struct fib_entry_notifier_info,
+                                        info);
+-              return &fib_info_nh(fen4_info->fi, n)->nh_common;
++              return fib_info_nhc(fen4_info->fi, n);
+       } else if (info->family == AF_INET6) {
+               fen6_info = container_of(info, struct fib6_entry_notifier_info,
+                                        info);
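Review bot: The switch to fib_info_nhc() in __prestera_fi_is_direct() and __prestera_util_kern_n_is_reachable_v4() carries no explanation in the code, so a later cleanup could reintroduce fib_info_nh() and the WARN at include/net/nexthop.h:468 shown in the log. A comment at the first call would carry the commit message's reasoning into the source, for example `/* fib_info_nhc() also handles routes that reference a nexthop by id */`. Both callers dereference the returned pointer straight away (`fib_nhc->nhc_gw_family`, `fib_nhc->nhc_dev`); whether fib_info_nhc() can return NULL for index 0 is not visible here and should be confirmed against its definition. All three function bodies continue outside their hunks.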
diff --git a/queue-6.4/net-tls-avoid-discarding-data-on-record-close.patch b/queue-6.4/net-tls-avoid-discarding-data-on-record-close.patch
new file mode 100644 (file)
index 0000000..a6c3e22
--- /dev/null
@@ -0,0 +1,161 @@
+From 6b47808f223c70ff564f9b363446d2a5fa1e05b2 Mon Sep 17 00:00:00 2001
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Fri, 4 Aug 2023 15:59:51 -0700
+Subject: net: tls: avoid discarding data on record close
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+commit 6b47808f223c70ff564f9b363446d2a5fa1e05b2 upstream.
+
+TLS records end with a 16B tag. For TLS device offload we only
+need to make space for this tag in the stream, the device will
+generate and replace it with the actual calculated tag.
+
+Long time ago the code would just re-reference the head frag
+which mostly worked but was suboptimal because it prevented TCP
+from combining the record into a single skb frag. I'm not sure
+if it was correct as the first frag may be shorter than the tag.
+
+The commit under fixes tried to replace that with using the page
+frag and if the allocation failed rolling back the data, if record
+was long enough. It achieves better fragment coalescing but is
+also buggy.
+
+We don't roll back the iterator, so unless we're at the end of
+send we'll skip the data we designated as tag and start the
+next record as if the rollback never happened.
+There's also the possibility that the record was constructed
+with MSG_MORE and the data came from a different syscall and
+we already told the user space that we "got it".
+
+Allocate a single dummy page and use it as fallback.
+
+Found by code inspection, and proven by forcing allocation
+failures.
+
+Fixes: e7b159a48ba6 ("net/tls: remove the record tail optimization")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tls/tls_device.c |   64 ++++++++++++++++++++++++++-------------------------
+ 1 file changed, 33 insertions(+), 31 deletions(-)
+
+--- a/net/tls/tls_device.c
++++ b/net/tls/tls_device.c
+@@ -52,6 +52,8 @@ static LIST_HEAD(tls_device_list);
+ static LIST_HEAD(tls_device_down_list);
+ static DEFINE_SPINLOCK(tls_device_lock);
++static struct page *dummy_page;
++
+ static void tls_device_free_ctx(struct tls_context *ctx)
+ {
+       if (ctx->tx_conf == TLS_HW) {
+@@ -313,36 +315,33 @@ static int tls_push_record(struct sock *
+       return tls_push_sg(sk, ctx, offload_ctx->sg_tx_data, 0, flags);
+ }
+-static int tls_device_record_close(struct sock *sk,
+-                                 struct tls_context *ctx,
+-                                 struct tls_record_info *record,
+-                                 struct page_frag *pfrag,
+-                                 unsigned char record_type)
++static void tls_device_record_close(struct sock *sk,
++                                  struct tls_context *ctx,
++                                  struct tls_record_info *record,
++                                  struct page_frag *pfrag,
++                                  unsigned char record_type)
+ {
+       struct tls_prot_info *prot = &ctx->prot_info;
+-      int ret;
++      struct page_frag dummy_tag_frag;
+       /* append tag
+        * device will fill in the tag, we just need to append a placeholder
+        * use socket memory to improve coalescing (re-using a single buffer
+        * increases frag count)
+-       * if we can't allocate memory now, steal some back from data
++       * if we can't allocate memory now use the dummy page
+        */
+-      if (likely(skb_page_frag_refill(prot->tag_size, pfrag,
+-                                      sk->sk_allocation))) {
+-              ret = 0;
+-              tls_append_frag(record, pfrag, prot->tag_size);
+-      } else {
+-              ret = prot->tag_size;
+-              if (record->len <= prot->overhead_size)
+-                      return -ENOMEM;
++      if (unlikely(pfrag->size - pfrag->offset < prot->tag_size) &&
++          !skb_page_frag_refill(prot->tag_size, pfrag, sk->sk_allocation)) {
++              dummy_tag_frag.page = dummy_page;
++              dummy_tag_frag.offset = 0;
++              pfrag = &dummy_tag_frag;
+       }
++      tls_append_frag(record, pfrag, prot->tag_size);
+       /* fill prepend */
+       tls_fill_prepend(ctx, skb_frag_address(&record->frags[0]),
+                        record->len - prot->overhead_size,
+                        record_type);
+-      return ret;
+ }
+ static int tls_create_new_record(struct tls_offload_context_tx *offload_ctx,
+@@ -535,18 +534,8 @@ last_record:
+               if (done || record->len >= max_open_record_len ||
+                   (record->num_frags >= MAX_SKB_FRAGS - 1)) {
+-                      rc = tls_device_record_close(sk, tls_ctx, record,
+-                                                   pfrag, record_type);
+-                      if (rc) {
+-                              if (rc > 0) {
+-                                      size += rc;
+-                              } else {
+-                                      size = orig_size;
+-                                      destroy_record(record);
+-                                      ctx->open_record = NULL;
+-                                      break;
+-                              }
+-                      }
++                      tls_device_record_close(sk, tls_ctx, record,
++                                              pfrag, record_type);
+                       rc = tls_push_record(sk,
+                                            tls_ctx,
+@@ -1466,14 +1455,26 @@ int __init tls_device_init(void)
+ {
+       int err;
+-      destruct_wq = alloc_workqueue("ktls_device_destruct", 0, 0);
+-      if (!destruct_wq)
++      dummy_page = alloc_page(GFP_KERNEL);
++      if (!dummy_page)
+               return -ENOMEM;
++      destruct_wq = alloc_workqueue("ktls_device_destruct", 0, 0);
++      if (!destruct_wq) {
++              err = -ENOMEM;
++              goto err_free_dummy;
++      }
++
+       err = register_netdevice_notifier(&tls_dev_notifier);
+       if (err)
+-              destroy_workqueue(destruct_wq);
++              goto err_destroy_wq;
++      return 0;
++
++err_destroy_wq:
++      destroy_workqueue(destruct_wq);
++err_free_dummy:
++      put_page(dummy_page);
+       return err;
+ }
+@@ -1482,4 +1483,5 @@ void __exit tls_device_cleanup(void)
+       unregister_netdevice_notifier(&tls_dev_notifier);
+       destroy_workqueue(destruct_wq);
+       clean_acked_data_flush();
++      put_page(dummy_page);
+ }
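Review bot: In tls_device_init() the fallback page comes from `alloc_page(GFP_KERNEL)` and is never cleared, so when tls_device_record_close() falls back to it, the tag placeholder appended by `tls_append_frag(record, pfrag, prot->tag_size)` points at whatever that page held before. The commit message says the device replaces the tag, but if any path can send the placeholder unmodified (not visible in this hunk), those bytes would be stale kernel memory. Using `dummy_page = alloc_page(GFP_KERNEL | __GFP_ZERO);` settles that at no runtime cost. Separately, `dummy_tag_frag.size` is left uninitialised; setting it alongside `page` and `offset` would avoid depending on which fields tls_append_frag() reads.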
diff --git a/queue-6.4/rdma-bnxt_re-fix-error-handling-in-probe-failure-path.patch b/queue-6.4/rdma-bnxt_re-fix-error-handling-in-probe-failure-path.patch
new file mode 100644 (file)
index 0000000..a3ab7be
--- /dev/null
@@ -0,0 +1,33 @@
+From 5ac8480ae4d01f0ca5dfd561884424046df2478a Mon Sep 17 00:00:00 2001
+From: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Date: Wed, 9 Aug 2023 21:44:36 -0700
+Subject: RDMA/bnxt_re: Fix error handling in probe failure path
+
+From: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+
+commit 5ac8480ae4d01f0ca5dfd561884424046df2478a upstream.
+
+During bnxt_re_dev_init(), when bnxt_re_setup_chip_ctx() fails unregister
+with L2 first before bailing out probe.
+
+Fixes: ae8637e13185 ("RDMA/bnxt_re: Add chip context to identify 57500 series")
+Link: https://lore.kernel.org/r/1691642677-21369-3-git-send-email-selvin.xavier@broadcom.com
+Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/bnxt_re/main.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/infiniband/hw/bnxt_re/main.c
++++ b/drivers/infiniband/hw/bnxt_re/main.c
+@@ -1152,6 +1152,8 @@ static int bnxt_re_dev_init(struct bnxt_
+       rc = bnxt_re_setup_chip_ctx(rdev, wqe_mode);
+       if (rc) {
++              bnxt_unregister_dev(rdev->en_dev);
++              clear_bit(BNXT_RE_FLAG_NETDEV_REGISTERED, &rdev->flags);
+               ibdev_err(&rdev->ibdev, "Failed to get chip context\n");
+               return -EINVAL;
+       }
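Review bot: The failure branch after bnxt_re_setup_chip_ctx() still ends in `return -EINVAL;`, so whatever error code is in `rc` is discarded; `return rc;` would preserve it, provided bnxt_re_setup_chip_ctx() returns a negative errno (its body is not visible here). The two added cleanup lines are open-coded in this one branch. If later failure points in bnxt_re_dev_init() need the same unregister-and-clear-flag step, a shared error label would keep them consistent. The function continues outside the hunk, so whether such paths exist cannot be checked from here.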
diff --git a/queue-6.4/rdma-bnxt_re-properly-order-ib_device_unalloc-to-avoid-uaf.patch b/queue-6.4/rdma-bnxt_re-properly-order-ib_device_unalloc-to-avoid-uaf.patch
new file mode 100644 (file)
index 0000000..3896666
--- /dev/null
@@ -0,0 +1,33 @@
+From 5363fc488da579923edf6a2fdca3d3b651dd800b Mon Sep 17 00:00:00 2001
+From: Selvin Xavier <selvin.xavier@broadcom.com>
+Date: Wed, 9 Aug 2023 21:44:35 -0700
+Subject: RDMA/bnxt_re: Properly order ib_device_unalloc() to avoid UAF
+
+From: Selvin Xavier <selvin.xavier@broadcom.com>
+
+commit 5363fc488da579923edf6a2fdca3d3b651dd800b upstream.
+
+ib_dealloc_device() should be called only after device cleanup.  Fix the
+dealloc sequence.
+
+Fixes: 6d758147c7b8 ("RDMA/bnxt_re: Use auxiliary driver interface")
+Link: https://lore.kernel.org/r/1691642677-21369-2-git-send-email-selvin.xavier@broadcom.com
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/bnxt_re/main.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/bnxt_re/main.c
++++ b/drivers/infiniband/hw/bnxt_re/main.c
+@@ -1425,8 +1425,8 @@ static void bnxt_re_remove(struct auxili
+       }
+       bnxt_re_setup_cc(rdev, false);
+       ib_unregister_device(&rdev->ibdev);
+-      ib_dealloc_device(&rdev->ibdev);
+       bnxt_re_dev_uninit(rdev);
++      ib_dealloc_device(&rdev->ibdev);
+ skip_remove:
+       mutex_unlock(&bnxt_re_mutex);
+ }
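Review bot: Nothing at the reordered call in bnxt_re_remove() records why `ib_dealloc_device(&rdev->ibdev)` has to come after bnxt_re_dev_uninit(rdev), so a later reshuffle of the teardown could bring back the use-after-free named in the subject. Since `ibdev` is a member of `rdev`, releasing the ib device presumably releases the memory `rdev` lives in as well. I would add a comment above the call: `/* Must be last: this frees the memory that rdev lives in. */`. The start of bnxt_re_remove() is outside the hunk.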
diff --git a/queue-6.4/rdma-umem-set-iova-in-odp-flow.patch b/queue-6.4/rdma-umem-set-iova-in-odp-flow.patch
new file mode 100644 (file)
index 0000000..c56a546
--- /dev/null
@@ -0,0 +1,63 @@
+From 186b169cf1e4be85aa212a893ea783a543400979 Mon Sep 17 00:00:00 2001
+From: Michael Guralnik <michaelgur@nvidia.com>
+Date: Wed, 19 Jul 2023 12:02:41 +0300
+Subject: RDMA/umem: Set iova in ODP flow
+
+From: Michael Guralnik <michaelgur@nvidia.com>
+
+commit 186b169cf1e4be85aa212a893ea783a543400979 upstream.
+
+Fixing the ODP registration flow to set the iova correctly.
+The calculation in ib_umem_num_dma_blocks() function assumes the iova of
+the umem is set correctly.
+
+When iova is not set, the calculation in ib_umem_num_dma_blocks() is
+equivalent to length/page_size, which is true only when memory is aligned.
+For unaligned memory, iova must be set for the ALIGN() in the
+ib_umem_num_dma_blocks() to take effect and return a correct value.
+
+mlx5_ib uses ib_umem_num_dma_blocks() to decide the mkey size to use for
+the MR. Without this fix, when registering unaligned ODP MR, a wrong
+size mkey might be chosen and this might cause the UMR to fail.
+
+UMR would fail over insufficient size to update the mkey translation:
+infiniband mlx5_0: dump_cqe:273:(pid 0): dump error cqe
+00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+00000030: 00 00 00 00 0f 00 78 06 25 00 00 58 00 da ac d2
+infiniband mlx5_0: mlx5_ib_post_send_wait:806:(pid 20311): reg umr
+failed (6)
+infiniband mlx5_0: pagefault_real_mr:661:(pid 20311): Failed to update
+mkey page tables
+
+Fixes: f0093fb1a7cb ("RDMA/mlx5: Move mlx5_ib_cont_pages() to the creation of the mlx5_ib_mr")
+Fixes: a665aca89a41 ("RDMA/umem: Split ib_umem_num_pages() into ib_umem_num_dma_blocks()")
+Signed-off-by: Artemy Kovalyov <artemyko@nvidia.com>
+Signed-off-by: Michael Guralnik <michaelgur@nvidia.com>
+Link: https://lore.kernel.org/r/3d4be7ca2155bf239dd8c00a2d25974a92c26ab8.1689757344.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/umem.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/umem.c
++++ b/drivers/infiniband/core/umem.c
+@@ -85,6 +85,8 @@ unsigned long ib_umem_find_best_pgsz(str
+       dma_addr_t mask;
+       int i;
++      umem->iova = va = virt;
++
+       if (umem->is_odp) {
+               unsigned int page_size = BIT(to_ib_umem_odp(umem)->page_shift);
+@@ -100,7 +102,6 @@ unsigned long ib_umem_find_best_pgsz(str
+        */
+       pgsz_bitmap &= GENMASK(BITS_PER_LONG - 1, PAGE_SHIFT);
+-      umem->iova = va = virt;
+       /* The best result is the smallest page size that results in the minimum
+        * number of required pages. Compute the largest page size that could
+        * work based on VA address bits that don't change.
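Review bot: ib_umem_find_best_pgsz() now writes `umem->iova` ahead of the `if (umem->is_odp)` branch, but the moved line has no comment even though its position is the entire fix. A line above `umem->iova = va = virt;` such as `/* Set iova before the ODP branch; ib_umem_num_dma_blocks() depends on it. */` would keep it from being moved back next to the page-size computation. It is also worth stating in the function's header comment that this lookup helper modifies `umem`, since the name suggests a pure query. The ODP branch body is cut off by the hunk, so its early exit is inferred from the commit message rather than seen.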
index 861a3c29b1c5f4d71bfd6bec6f92a4bf40316ed4..8307624ec3307e63ea088899dc3beba0d207b6e3 100644 (file)
@@ -147,3 +147,8 @@ drm-nouveau-remove-unused-tu102_gr_load-function.patch
 drm-rockchip-don-t-spam-logs-in-atomic-check.patch
 wifi-brcm80211-handle-params_v1-allocation-failure.patch
 wifi-cfg80211-fix-sband-iftype-data-lookup-for-ap_vlan.patch
+rdma-umem-set-iova-in-odp-flow.patch
+rdma-bnxt_re-properly-order-ib_device_unalloc-to-avoid-uaf.patch
+rdma-bnxt_re-fix-error-handling-in-probe-failure-path.patch
+net-tls-avoid-discarding-data-on-record-close.patch
+net-marvell-prestera-fix-handling-ipv4-routes-with-nhid.patch