From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 25 Feb 2024 10:50:35 +0000 (+0100)
Subject: 5.10-stable patches
X-Git-Tag: v4.19.308~71
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5fc821be181ea5adabb7aa9d9a1ad2e8d5ec0a23;p=thirdparty%2Fkernel%2Fstable-queue.git

5.10-stable patches

added patches:
	ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-error.patch
---

diff --git a/queue-5.10/ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-error.patch b/queue-5.10/ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-error.patch
new file mode 100644
index 00000000000..8eeb0b50323
--- /dev/null
+++ b/queue-5.10/ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-error.patch
@@ -0,0 +1,100 @@
+From e6f57c6881916df39db7d95981a8ad2b9c3458d6 Mon Sep 17 00:00:00 2001
+From: Daniel Vacek <neelx@redhat.com>
+Date: Thu, 1 Feb 2024 09:10:08 +0100
+Subject: IB/hfi1: Fix sdma.h tx->num_descs off-by-one error
+
+From: Daniel Vacek <neelx@redhat.com>
+
+commit e6f57c6881916df39db7d95981a8ad2b9c3458d6 upstream.
+
+Unfortunately the commit `fd8958efe877` introduced another error
+causing the `descs` array to overflow. This reults in further crashes
+easily reproducible by `sendmsg` system call.
+
+[ 1080.836473] general protection fault, probably for non-canonical address 0x400300015528b00a: 0000 [#1] PREEMPT SMP PTI
+[ 1080.869326] RIP: 0010:hfi1_ipoib_build_ib_tx_headers.constprop.0+0xe1/0x2b0 [hfi1]
+--
+[ 1080.974535] Call Trace:
+[ 1080.976990]  <TASK>
+[ 1081.021929]  hfi1_ipoib_send_dma_common+0x7a/0x2e0 [hfi1]
+[ 1081.027364]  hfi1_ipoib_send_dma_list+0x62/0x270 [hfi1]
+[ 1081.032633]  hfi1_ipoib_send+0x112/0x300 [hfi1]
+[ 1081.042001]  ipoib_start_xmit+0x2a9/0x2d0 [ib_ipoib]
+[ 1081.046978]  dev_hard_start_xmit+0xc4/0x210
+--
+[ 1081.148347]  __sys_sendmsg+0x59/0xa0
+
+crash> ipoib_txreq 0xffff9cfeba229f00
+struct ipoib_txreq {
+  txreq = {
+    list = {
+      next = 0xffff9cfeba229f00,
+      prev = 0xffff9cfeba229f00
+    },
+    descp = 0xffff9cfeba229f40,
+    coalesce_buf = 0x0,
+    wait = 0xffff9cfea4e69a48,
+    complete = 0xffffffffc0fe0760 <hfi1_ipoib_sdma_complete>,
+    packet_len = 0x46d,
+    tlen = 0x0,
+    num_desc = 0x0,
+    desc_limit = 0x6,
+    next_descq_idx = 0x45c,
+    coalesce_idx = 0x0,
+    flags = 0x0,
+    descs = {{
+        qw = {0x8024000120dffb00, 0x4}  # SDMA_DESC0_FIRST_DESC_FLAG (bit 63)
+      }, {
+        qw = {  0x3800014231b108, 0x4}
+      }, {
+        qw = { 0x310000e4ee0fcf0, 0x8}
+      }, {
+        qw = {  0x3000012e9f8000, 0x8}
+      }, {
+        qw = {  0x59000dfb9d0000, 0x8}
+      }, {
+        qw = {  0x78000e02e40000, 0x8}
+      }}
+  },
+  sdma_hdr =  0x400300015528b000,  <<< invalid pointer in the tx request structure
+  sdma_status = 0x0,                   SDMA_DESC0_LAST_DESC_FLAG (bit 62)
+  complete = 0x0,
+  priv = 0x0,
+  txq = 0xffff9cfea4e69880,
+  skb = 0xffff9d099809f400
+}
+
+If an SDMA send consists of exactly 6 descriptors and requires dword
+padding (in the 7th descriptor), the sdma_txreq descriptor array is not
+properly expanded and the packet will overflow into the container
+structure. This results in a panic when the send completion runs. The
+exact panic varies depending on what elements of the container structure
+get corrupted. The fix is to use the correct expression in
+_pad_sdma_tx_descs() to test the need to expand the descriptor array.
+
+With this patch the crashes are no longer reproducible and the machine is
+stable.
+
+Fixes: fd8958efe877 ("IB/hfi1: Fix sdma.h tx->num_descs off-by-one errors")
+Cc: stable@vger.kernel.org
+Reported-by: Mats Kronberg <kronberg@nsc.liu.se>
+Tested-by: Mats Kronberg <kronberg@nsc.liu.se>
+Signed-off-by: Daniel Vacek <neelx@redhat.com>
+Link: https://lore.kernel.org/r/20240201081009.1109442-1-neelx@redhat.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/hfi1/sdma.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/hfi1/sdma.c
++++ b/drivers/infiniband/hw/hfi1/sdma.c
+@@ -3200,7 +3200,7 @@ int _pad_sdma_tx_descs(struct hfi1_devda
+ {
+ 	int rval = 0;
+ 
+-	if ((unlikely(tx->num_desc + 1 == tx->desc_limit))) {
++	if ((unlikely(tx->num_desc == tx->desc_limit))) {
+ 		rval = _extend_sdma_tx_descs(dd, tx);
+ 		if (rval) {
+ 			__sdma_txclean(dd, tx);
diff --git a/queue-5.10/series b/queue-5.10/series
index 8ae5037c435..61a72548dd2 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -71,3 +71,4 @@ jbd2-recheck-chechpointing-non-dirty-buffer.patch
 jbd2-fix-wrongly-judgement-for-buffer-head-removing-.patch
 x86-drop-bogus-cc-clobber-from-__try_cmpxchg_user_asm.patch
 erofs-fix-lz4-inplace-decompression.patch
+ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-error.patch