From 0cae942356a6d66460fe1950890f467844755e6d Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sat, 12 Aug 2023 20:49:08 +0200 Subject: [PATCH] 5.4-stable patches added patches: dmaengine-mcf-edma-fix-a-potential-un-allocated-memory-access.patch ibmvnic-handle-dma-unmapping-of-login-buffs-in-release-functions.patch net-mlx5-allow-0-for-total-host-vfs.patch --- ...potential-un-allocated-memory-access.patch | 61 ++++++++++++++++ ...-of-login-buffs-in-release-functions.patch | 73 +++++++++++++++++++ .../net-mlx5-allow-0-for-total-host-vfs.patch | 33 +++++++++ queue-5.4/series | 3 + 4 files changed, 170 insertions(+) create mode 100644 queue-5.4/dmaengine-mcf-edma-fix-a-potential-un-allocated-memory-access.patch create mode 100644 queue-5.4/ibmvnic-handle-dma-unmapping-of-login-buffs-in-release-functions.patch create mode 100644 queue-5.4/net-mlx5-allow-0-for-total-host-vfs.patch diff --git a/queue-5.4/dmaengine-mcf-edma-fix-a-potential-un-allocated-memory-access.patch b/queue-5.4/dmaengine-mcf-edma-fix-a-potential-un-allocated-memory-access.patch new file mode 100644 index 00000000000..1e6d9606058 --- /dev/null +++ b/queue-5.4/dmaengine-mcf-edma-fix-a-potential-un-allocated-memory-access.patch @@ -0,0 +1,61 @@ +From 0a46781c89dece85386885a407244ca26e5c1c44 Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Wed, 12 Jul 2023 18:26:45 +0530 +Subject: dmaengine: mcf-edma: Fix a potential un-allocated memory access + +From: Christophe JAILLET + +commit 0a46781c89dece85386885a407244ca26e5c1c44 upstream. + +When 'mcf_edma' is allocated, some space is allocated for a +flexible array at the end of the struct. 'chans' item are allocated, that is +to say 'pdata->dma_channels'. + +Then, this number of item is stored in 'mcf_edma->n_chans'. + +A few lines later, if 'mcf_edma->n_chans' is 0, then a default value of 64 +is set. + +This ends to no space allocated by devm_kzalloc() because chans was 0, but +64 items are read and/or written in some not allocated memory. + +Change the logic to define a default value before allocating the memory. + +Fixes: e7a3ff92eaf1 ("dmaengine: fsl-edma: add ColdFire mcf5441x edma support") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/f55d914407c900828f6fad3ea5fa791a5f17b9a4.1685172449.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/mcf-edma.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/drivers/dma/mcf-edma.c ++++ b/drivers/dma/mcf-edma.c +@@ -191,7 +191,13 @@ static int mcf_edma_probe(struct platfor + return -EINVAL; + } + +- chans = pdata->dma_channels; ++ if (!pdata->dma_channels) { ++ dev_info(&pdev->dev, "setting default channel number to 64"); ++ chans = 64; ++ } else { ++ chans = pdata->dma_channels; ++ } ++ + len = sizeof(*mcf_edma) + sizeof(*mcf_chan) * chans; + mcf_edma = devm_kzalloc(&pdev->dev, len, GFP_KERNEL); + if (!mcf_edma) +@@ -203,11 +209,6 @@ static int mcf_edma_probe(struct platfor + mcf_edma->drvdata = &mcf_data; + mcf_edma->big_endian = 1; + +- if (!mcf_edma->n_chans) { +- dev_info(&pdev->dev, "setting default channel number to 64"); +- mcf_edma->n_chans = 64; +- } +- + mutex_init(&mcf_edma->fsl_edma_mutex); + + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); diff --git a/queue-5.4/ibmvnic-handle-dma-unmapping-of-login-buffs-in-release-functions.patch b/queue-5.4/ibmvnic-handle-dma-unmapping-of-login-buffs-in-release-functions.patch new file mode 100644 index 00000000000..241a52a4a76 --- /dev/null +++ b/queue-5.4/ibmvnic-handle-dma-unmapping-of-login-buffs-in-release-functions.patch @@ -0,0 +1,73 @@ +From d78a671eb8996af19d6311ecdee9790d2fa479f0 Mon Sep 17 00:00:00 2001 +From: Nick Child +Date: Wed, 9 Aug 2023 17:10:36 -0500 +Subject: ibmvnic: Handle DMA unmapping of login buffs in release functions + +From: Nick Child + +commit d78a671eb8996af19d6311ecdee9790d2fa479f0 upstream. + +Rather than leaving the DMA unmapping of the login buffers to the +login response handler, move this work into the login release functions. +Previously, these functions were only used for freeing the allocated +buffers. This could lead to issues if there are more than one +outstanding login buffer requests, which is possible if a login request +times out. + +If a login request times out, then there is another call to send login. +The send login function makes a call to the login buffer release +function. In the past, this freed the buffers but did not DMA unmap. +Therefore, the VIOS could still write to the old login (now freed) +buffer. It is for this reason that it is a good idea to leave the DMA +unmap call to the login buffers release function. + +Since the login buffer release functions now handle DMA unmapping, +remove the duplicate DMA unmapping in handle_login_rsp(). + +Fixes: dff515a3e71d ("ibmvnic: Harden device login requests") +Signed-off-by: Nick Child +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230809221038.51296-3-nnac123@linux.ibm.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ibm/ibmvnic.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -873,12 +873,22 @@ static int ibmvnic_login(struct net_devi + + static void release_login_buffer(struct ibmvnic_adapter *adapter) + { ++ if (!adapter->login_buf) ++ return; ++ ++ dma_unmap_single(&adapter->vdev->dev, adapter->login_buf_token, ++ adapter->login_buf_sz, DMA_TO_DEVICE); + kfree(adapter->login_buf); + adapter->login_buf = NULL; + } + + static void release_login_rsp_buffer(struct ibmvnic_adapter *adapter) + { ++ if (!adapter->login_rsp_buf) ++ return; ++ ++ dma_unmap_single(&adapter->vdev->dev, adapter->login_rsp_buf_token, ++ adapter->login_rsp_buf_sz, DMA_FROM_DEVICE); + kfree(adapter->login_rsp_buf); + adapter->login_rsp_buf = NULL; + } +@@ -4298,11 +4308,6 @@ static int handle_login_rsp(union ibmvni + struct ibmvnic_login_buffer *login = adapter->login_buf; + int i; + +- dma_unmap_single(dev, adapter->login_buf_token, adapter->login_buf_sz, +- DMA_TO_DEVICE); +- dma_unmap_single(dev, adapter->login_rsp_buf_token, +- adapter->login_rsp_buf_sz, DMA_FROM_DEVICE); +- + /* If the number of queues requested can't be allocated by the + * server, the login response will return with code 1. We will need + * to resend the login buffer with fewer queues requested. diff --git a/queue-5.4/net-mlx5-allow-0-for-total-host-vfs.patch b/queue-5.4/net-mlx5-allow-0-for-total-host-vfs.patch new file mode 100644 index 00000000000..e3a387b65be --- /dev/null +++ b/queue-5.4/net-mlx5-allow-0-for-total-host-vfs.patch @@ -0,0 +1,33 @@ +From 2dc2b3922d3c0f52d3a792d15dcacfbc4cc76b8f Mon Sep 17 00:00:00 2001 +From: Daniel Jurgens +Date: Tue, 11 Jul 2023 00:28:10 +0300 +Subject: net/mlx5: Allow 0 for total host VFs + +From: Daniel Jurgens + +commit 2dc2b3922d3c0f52d3a792d15dcacfbc4cc76b8f upstream. + +When querying eswitch functions 0 is a valid number of host VFs. After +introducing ARM SRIOV falling through to getting the max value from PCI +results in using the total VFs allowed on the ARM for the host. + +Fixes: 86eec50beaf3 ("net/mlx5: Support querying max VFs from device"); +Signed-off-by: Daniel Jurgens +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/sriov.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/sriov.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/sriov.c +@@ -211,8 +211,7 @@ static u16 mlx5_get_max_vfs(struct mlx5_ + host_total_vfs = MLX5_GET(query_esw_functions_out, out, + host_params_context.host_total_vfs); + kvfree(out); +- if (host_total_vfs) +- return host_total_vfs; ++ return host_total_vfs; + } + + done: diff --git a/queue-5.4/series b/queue-5.4/series index 2af939c3032..6b1261dfb6f 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -23,3 +23,6 @@ dccp-fix-data-race-around-dp-dccps_mss_cache.patch drivers-net-prevent-tun_build_skb-to-exceed-the-packet-size-limit.patch ib-hfi1-fix-possible-panic-during-hotplug-remove.patch wifi-cfg80211-fix-sband-iftype-data-lookup-for-ap_vlan.patch +dmaengine-mcf-edma-fix-a-potential-un-allocated-memory-access.patch +net-mlx5-allow-0-for-total-host-vfs.patch +ibmvnic-handle-dma-unmapping-of-login-buffs-in-release-functions.patch -- 2.47.3