From fd66879363e8b3ec663fdc3c9aaf628930bced9c Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 30 Apr 2024 10:20:11 +0200
Subject: [PATCH] 6.1-stable patches
added patches:
bounds-use-the-right-number-of-bits-for-power-of-two-config_nr_cpus.patch
macsec-detect-if-rx-skb-is-macsec-related-for-offloading-devices-that-update-md_dst.patch
macsec-enable-devices-to-advertise-whether-they-update-sk_buff-md_dst-during-offloads.patch
net-mlx5e-advertise-mlx5-ethernet-driver-updates-sk_buff-md_dst-for-macsec.patch
---
...bits-for-power-of-two-config_nr_cpus.patch | 44 +++++++
...ffloading-devices-that-update-md_dst.patch | 110 ++++++++++++++++++
...pdate-sk_buff-md_dst-during-offloads.patch | 45 +++++++
...er-updates-sk_buff-md_dst-for-macsec.patch | 40 +++++++
queue-6.1/series | 4 +
5 files changed, 243 insertions(+)
create mode 100644 queue-6.1/bounds-use-the-right-number-of-bits-for-power-of-two-config_nr_cpus.patch
create mode 100644 queue-6.1/macsec-detect-if-rx-skb-is-macsec-related-for-offloading-devices-that-update-md_dst.patch
create mode 100644 queue-6.1/macsec-enable-devices-to-advertise-whether-they-update-sk_buff-md_dst-during-offloads.patch
create mode 100644 queue-6.1/net-mlx5e-advertise-mlx5-ethernet-driver-updates-sk_buff-md_dst-for-macsec.patch
diff --git a/queue-6.1/bounds-use-the-right-number-of-bits-for-power-of-two-config_nr_cpus.patch b/queue-6.1/bounds-use-the-right-number-of-bits-for-power-of-two-config_nr_cpus.patch
new file mode 100644
index 00000000000..62b5b57775e
--- /dev/null
+++ b/queue-6.1/bounds-use-the-right-number-of-bits-for-power-of-two-config_nr_cpus.patch
@@ -0,0 +1,44 @@
+From 5af385f5f4cddf908f663974847a4083b2ff2c79 Mon Sep 17 00:00:00 2001
+From: "Matthew Wilcox (Oracle)"
+Date: Mon, 29 Apr 2024 15:47:51 +0100
+Subject: bounds: Use the right number of bits for power-of-two CONFIG_NR_CPUS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matthew Wilcox (Oracle)
+
+commit 5af385f5f4cddf908f663974847a4083b2ff2c79 upstream.
+
+bits_per() rounds up to the next power of two when passed a power of
+two. This causes crashes on some machines and configurations.
+
+Reported-by: Михаил Новоселов
+Tested-by: Ильфат Гаптрахманов
+Link: https://gitlab.freedesktop.org/drm/amd/-/issues/3347
+Link: https://lore.kernel.org/all/1c978cf1-2934-4e66-e4b3-e81b04cb3571@rosalinux.ru/
+Fixes: f2d5dcb48f7b (bounds: support non-power-of-two CONFIG_NR_CPUS)
+Cc:
+Signed-off-by: Matthew Wilcox (Oracle)
+Cc: Rik van Riel
+Cc: Mel Gorman
+Cc: Peter Zijlstra
+Cc: Ingo Molnar
+Cc: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/bounds.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/bounds.c
++++ b/kernel/bounds.c
+@@ -19,7 +19,7 @@ int main(void)
+ DEFINE(NR_PAGEFLAGS, __NR_PAGEFLAGS);
+ DEFINE(MAX_NR_ZONES, __MAX_NR_ZONES);
+ #ifdef CONFIG_SMP
+- DEFINE(NR_CPUS_BITS, bits_per(CONFIG_NR_CPUS));
++ DEFINE(NR_CPUS_BITS, order_base_2(CONFIG_NR_CPUS));
+ #endif
+ DEFINE(SPINLOCK_SIZE, sizeof(spinlock_t));
+ #ifdef CONFIG_LRU_GEN
diff --git a/queue-6.1/macsec-detect-if-rx-skb-is-macsec-related-for-offloading-devices-that-update-md_dst.patch b/queue-6.1/macsec-detect-if-rx-skb-is-macsec-related-for-offloading-devices-that-update-md_dst.patch
new file mode 100644
index 00000000000..c14d2c08c6b
--- /dev/null
+++ b/queue-6.1/macsec-detect-if-rx-skb-is-macsec-related-for-offloading-devices-that-update-md_dst.patch
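Review bot: The changed `DEFINE(NR_CPUS_BITS, ...)` line in kernel/bounds.c has no comment saying why `order_base_2()` is the right helper, and the Fixes tag shows this expression has already been changed once before. Assuming NR_CPUS_BITS is meant to hold a CPU index, a one-line comment above it such as `/* bits to index CPUs 0..CONFIG_NR_CPUS-1; bits_per() sizes for the value CONFIG_NR_CPUS itself, one bit too many for powers of two */` would keep a later edit from reintroducing the crash described in the commit message. main() starts and ends outside the inner hunk.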
@@ -0,0 +1,110 @@
+From stable+bounces-41782-greg=kroah.com@vger.kernel.org Tue Apr 30 02:45:07 2024
+From: Rahul Rameshbabu
+Date: Mon, 29 Apr 2024 17:44:23 -0700
+Subject: macsec: Detect if Rx skb is macsec-related for offloading devices that update md_dst
+To: stable@vger.kernel.org
+Cc: gregkh@linuxfoundation.org, bpoirier@nvidia.com, cratiu@nvidia.com, kuba@kernel.org, sd@queasysnail.net, Rahul Rameshbabu
+Message-ID: <20240430004439.299386-3-rrameshbabu@nvidia.com>
+
+From: Rahul Rameshbabu
+
+commit 642c984dd0e37dbaec9f87bd1211e5fac1f142bf upstream.
+
+Can now correctly identify where the packets should be delivered by using
+md_dst or its absence on devices that provide it.
+
+This detection is not possible without device drivers that update md_dst. A
+fallback pattern should be used for supporting such device drivers. This
+fallback mode causes multicast messages to be cloned to both the non-macsec
+and macsec ports, independent of whether the multicast message received was
+encrypted over MACsec or not. Other non-macsec traffic may also fail to be
+handled correctly for devices in promiscuous mode.
+
+Link: https://lore.kernel.org/netdev/ZULRxX9eIbFiVi7v@hog/
+Cc: Sabrina Dubroca
+Cc: stable@vger.kernel.org
+Fixes: 860ead89b851 ("net/macsec: Add MACsec skb_metadata_dst Rx Data path support")
+Signed-off-by: Rahul Rameshbabu
+Reviewed-by: Benjamin Poirier
+Reviewed-by: Cosmin Ratiu
+Reviewed-by: Sabrina Dubroca
+Link: https://lore.kernel.org/r/20240423181319.115860-4-rrameshbabu@nvidia.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/macsec.c | 44 +++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 37 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -1007,10 +1007,12 @@ static enum rx_handler_result handle_not
+ struct metadata_dst *md_dst;
+ struct macsec_rxh_data *rxd;
+ struct macsec_dev *macsec;
++ bool is_macsec_md_dst;
+
+ rcu_read_lock();
+ rxd = macsec_data_rcu(skb->dev);
+ md_dst = skb_metadata_dst(skb);
++ is_macsec_md_dst = md_dst && md_dst->type == METADATA_MACSEC;
+
+ list_for_each_entry_rcu(macsec, &rxd->secys, secys) {
+ struct sk_buff *nskb;
+@@ -1021,10 +1023,42 @@ static enum rx_handler_result handle_not
+ * the SecTAG, so we have to deduce which port to deliver to.
+ */
+ if (macsec_is_offloaded(macsec) && netif_running(ndev)) {
+- if (md_dst && md_dst->type == METADATA_MACSEC &&
+- (!find_rx_sc(&macsec->secy, md_dst->u.macsec_info.sci)))
++ const struct macsec_ops *ops;
++
++ ops = macsec_get_ops(macsec, NULL);
++
++ if (ops->rx_uses_md_dst && !is_macsec_md_dst)
+ continue;
+
++ if (is_macsec_md_dst) {
++ struct macsec_rx_sc *rx_sc;
++
++ /* All drivers that implement MACsec offload
++ * support using skb metadata destinations must
++ * indicate that they do so.
++ */
++ DEBUG_NET_WARN_ON_ONCE(!ops->rx_uses_md_dst);
++ rx_sc = find_rx_sc(&macsec->secy,
++ md_dst->u.macsec_info.sci);
++ if (!rx_sc)
++ continue;
++ /* device indicated macsec offload occurred */
++ skb->dev = ndev;
++ skb->pkt_type = PACKET_HOST;
++ eth_skb_pkt_type(skb, ndev);
++ ret = RX_HANDLER_ANOTHER;
++ goto out;
++ }
++
++ /* This datapath is insecure because it is unable to
++ * enforce isolation of broadcast/multicast traffic and
++ * unicast traffic with promiscuous mode on the macsec
++ * netdev. Since the core stack has no mechanism to
++ * check that the hardware did indeed receive MACsec
++ * traffic, it is possible that the response handling
++ * done by the MACsec port was to a plaintext packet.
++ * This violates the MACsec protocol standard.
++ */
+ if (ether_addr_equal_64bits(hdr->h_dest,
+ ndev->dev_addr)) {
+ /* exact match, divert skb to this port */
+@@ -1040,11 +1074,7 @@ static enum rx_handler_result handle_not
+ break;
+
+ nskb->dev = ndev;
+- if (ether_addr_equal_64bits(hdr->h_dest,
+- ndev->broadcast))
+- nskb->pkt_type = PACKET_BROADCAST;
+- else
+- nskb->pkt_type = PACKET_MULTICAST;
++ eth_skb_pkt_type(nskb, ndev);
+
+ __netif_rx(nskb);
+ }
diff --git a/queue-6.1/macsec-enable-devices-to-advertise-whether-they-update-sk_buff-md_dst-during-offloads.patch b/queue-6.1/macsec-enable-devices-to-advertise-whether-they-update-sk_buff-md_dst-during-offloads.patch
new file mode 100644
index 00000000000..88c63325f75
--- /dev/null
+++ b/queue-6.1/macsec-enable-devices-to-advertise-whether-they-update-sk_buff-md_dst-during-offloads.patch
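Review bot: In the second inner hunk of handle_not_macsec(), `ops = macsec_get_ops(macsec, NULL);` is followed directly by `ops->rx_uses_md_dst` with no NULL check, on a path that runs for every frame received on an offloaded SecY. macsec_get_ops() is not shown on this page, so whether it can return NULL while `macsec_is_offloaded(macsec)` holds needs confirming; if it can, `if (!ops) continue;` before the first dereference would fail closed instead of faulting in the Rx handler. Separately, `DEBUG_NET_WARN_ON_ONCE(!ops->rx_uses_md_dst)` is presumably compiled out on non-debug builds, so a driver that attaches md_dst but does not advertise the flag keeps using the fallback that the new comment calls insecure, with nothing visible in production. A rate-limited notice or a counter on that fallback path would give operators a way to detect it. The function body starts and ends outside these hunks.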
@@ -0,0 +1,45 @@
+From stable+bounces-41779-greg=kroah.com@vger.kernel.org Tue Apr 30 02:45:02 2024
+From: Rahul Rameshbabu
+Date: Mon, 29 Apr 2024 17:44:21 -0700
+Subject: macsec: Enable devices to advertise whether they update sk_buff md_dst during offloads
+To: stable@vger.kernel.org
+Cc: gregkh@linuxfoundation.org, bpoirier@nvidia.com, cratiu@nvidia.com, kuba@kernel.org, sd@queasysnail.net, Rahul Rameshbabu
+Message-ID: <20240430004439.299386-1-rrameshbabu@nvidia.com>
+
+From: Rahul Rameshbabu
+
+commit 475747a19316b08e856c666a20503e73d7ed67ed upstream.
+
+Omit rx_use_md_dst comment in upstream commit since macsec_ops is not
+documented.
+
+Cannot know whether a Rx skb missing md_dst is intended for MACsec or not
+without knowing whether the device is able to update this field during an
+offload. Assume that an offload to a MACsec device cannot support updating
+md_dst by default. Capable devices can advertise that they do indicate that
+an skb is related to a MACsec offloaded packet using the md_dst.
+
+Cc: Sabrina Dubroca
+Cc: stable@vger.kernel.org
+Fixes: 860ead89b851 ("net/macsec: Add MACsec skb_metadata_dst Rx Data path support")
+Signed-off-by: Rahul Rameshbabu
+Reviewed-by: Benjamin Poirier
+Reviewed-by: Cosmin Ratiu
+Reviewed-by: Sabrina Dubroca
+Link: https://lore.kernel.org/r/20240423181319.115860-2-rrameshbabu@nvidia.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/macsec.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/net/macsec.h
++++ b/include/net/macsec.h
+@@ -302,6 +302,7 @@ struct macsec_ops {
+ int (*mdo_get_tx_sa_stats)(struct macsec_context *ctx);
+ int (*mdo_get_rx_sc_stats)(struct macsec_context *ctx);
+ int (*mdo_get_rx_sa_stats)(struct macsec_context *ctx);
++ bool rx_uses_md_dst;
+ };
+
+ void macsec_pn_wrapped(struct macsec_secy *secy, struct macsec_tx_sa *tx_sa);
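Review bot: The new `bool rx_uses_md_dst;` member of struct macsec_ops has no comment, and the commit message says the upstream one was dropped on purpose, yet this flag decides whether the Rx path can identify MACsec frames or uses the address-matching fallback that the macsec.c patch in this series labels insecure. A short comment on the field, such as `/* driver sets skb md_dst to METADATA_MACSEC on offloaded Rx; leave false if it cannot, the core then falls back to address-based delivery */`, would state that contract for driver authors even though the rest of the struct is undocumented in this tree. The struct definition starts outside the hunk.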
diff --git a/queue-6.1/net-mlx5e-advertise-mlx5-ethernet-driver-updates-sk_buff-md_dst-for-macsec.patch b/queue-6.1/net-mlx5e-advertise-mlx5-ethernet-driver-updates-sk_buff-md_dst-for-macsec.patch
new file mode 100644
index 00000000000..00818da4896
--- /dev/null
+++ b/queue-6.1/net-mlx5e-advertise-mlx5-ethernet-driver-updates-sk_buff-md_dst-for-macsec.patch
@@ -0,0 +1,40 @@
+From stable+bounces-41780-greg=kroah.com@vger.kernel.org Tue Apr 30 02:45:06 2024
+From: Rahul Rameshbabu
+Date: Mon, 29 Apr 2024 17:44:24 -0700
+Subject: net/mlx5e: Advertise mlx5 ethernet driver updates sk_buff md_dst for MACsec
+To: stable@vger.kernel.org
+Cc: gregkh@linuxfoundation.org, bpoirier@nvidia.com, cratiu@nvidia.com, kuba@kernel.org, sd@queasysnail.net, Rahul Rameshbabu
+Message-ID: <20240430004439.299386-4-rrameshbabu@nvidia.com>
+
+From: Rahul Rameshbabu
+
+commit 39d26a8f2efcb8b5665fe7d54a7dba306a8f1dff upstream.
+
+mlx5 Rx flow steering and CQE handling enable the driver to be able to
+update an skb's md_dst attribute as MACsec when MACsec traffic arrives when
+a device is configured for offloading. Advertise this to the core stack to
+take advantage of this capability.
+
+Cc: stable@vger.kernel.org
+Fixes: b7c9400cbc48 ("net/mlx5e: Implement MACsec Rx data path using MACsec skb_metadata_dst")
+Signed-off-by: Rahul Rameshbabu
+Reviewed-by: Benjamin Poirier
+Reviewed-by: Cosmin Ratiu
+Reviewed-by: Sabrina Dubroca
+Link: https://lore.kernel.org/r/20240423181319.115860-5-rrameshbabu@nvidia.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c
+@@ -1703,6 +1703,7 @@ static const struct macsec_ops macsec_of
+ .mdo_add_secy = mlx5e_macsec_add_secy,
+ .mdo_upd_secy = mlx5e_macsec_upd_secy,
+ .mdo_del_secy = mlx5e_macsec_del_secy,
++ .rx_uses_md_dst = true,
+ };
+
+ bool mlx5e_macsec_handle_tx_skb(struct mlx5e_macsec *macsec, struct sk_buff *skb)
diff --git a/queue-6.1/series b/queue-6.1/series
index 762910d9c93..fe7fdd6dac1 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
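Review bot: Setting `.rx_uses_md_dst = true` in the mlx5 ops table is unconditional, and with the core change in this same series an offloaded SecY then skips any Rx skb that arrives without a MACsec md_dst (`if (ops->rx_uses_md_dst && !is_macsec_md_dst) continue;`). Delivery to the MACsec port therefore depends on the driver tagging every offloaded frame; the Rx tagging code is not visible here, so it is worth confirming there is no path that hands up a MACsec frame untagged. If that holds, a comment next to the initializer such as `/* Rx CQE handling attaches METADATA_MACSEC md_dst to every offloaded frame */` would record the assumption. The initializer starts outside the hunk.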
@@ -104,3 +104,7 @@ riscv-fix-vmalloc_start-definition.patch
 riscv-fix-task_size-on-64-bit-nommu.patch
 phy-ti-tusb1210-resolve-charger-det-crash-if-charger.patch
 i2c-smbus-fix-null-function-pointer-dereference.patch
+bounds-use-the-right-number-of-bits-for-power-of-two-config_nr_cpus.patch
+macsec-enable-devices-to-advertise-whether-they-update-sk_buff-md_dst-during-offloads.patch
+macsec-detect-if-rx-skb-is-macsec-related-for-offloading-devices-that-update-md_dst.patch
+net-mlx5e-advertise-mlx5-ethernet-driver-updates-sk_buff-md_dst-for-macsec.patch
--
2.47.2