* [PATCH AUTOSEL 6.16-6.12] RDMA/bnxt_re: Fix size of uverbs_copy_to() in BNXT_RE_METHOD_GET_TOGGLE_MEM
From: Sasha Levin @ 2025-08-05 13:09 UTC
To: patches, stable
Cc: Kalesh AP, Saravanan Vajravel, Shravya KN, Leon Romanovsky,
Sasha Levin, selvin.xavier, linux-rdma
From: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
[ Upstream commit 09d231ab569ca97478445ccc1ad44ab026de39b1 ]
Since both "length" and "offset" are of type u32, there is
no functional issue here.
Reviewed-by: Saravanan Vajravel <saravanan.vajravel@broadcom.com>
Signed-off-by: Shravya KN <shravya.k-n@broadcom.com>
Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
Link: https://patch.msgid.link/20250704043857.19158-2-kalesh-anakkur.purayil@broadcom.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
LLM Generated explanations, may be completely bogus:
**Backport Status: YES**
This commit should be backported to stable kernel trees for the
following reasons:
1. **Clear Bug Fix**: The commit fixes a genuine copy-paste error where
`sizeof(length)` was incorrectly used instead of `sizeof(offset)`
when copying the offset value to userspace in line 4749. This bug has
been present since the code was introduced in commit 9b0a7a2cb87d9
(December 2023).
2. **Potential Functional Impact**: While the commit message states "no
functional issue" because both `length` and `offset` are u32 types
(and thus have the same size), this is still a correctness issue that
should be fixed. The bug could become problematic if:
- The types are changed in the future
- Compiler optimizations or static analysis tools get confused
- It sets a bad precedent for similar code patterns
3. **Small and Contained Fix**: This is a one-line change that simply
corrects the sizeof() argument from `sizeof(length)` to
`sizeof(offset)`. The change is minimal, easy to verify, and has zero
risk of introducing regressions.
4. **Affects User-Kernel Interface**: The buggy code is in the
`uverbs_copy_to()` function which copies data to userspace through
the RDMA uverbs interface. This is part of the user-kernel ABI for
the Broadcom NetXtreme-E RoCE driver, making correctness particularly
important.
5. **Recently Introduced Bug**: The bug was introduced relatively
recently (December 2023), meaning it could affect stable kernels from
6.8 onwards. Backporting ensures all affected stable versions get the
fix.
6. **No Architecture Changes**: This is purely a bug fix with no feature
additions or architectural changes. It simply corrects an obvious
typo in the sizeof() operator usage.
The commit meets all the stable tree criteria: it fixes a real bug (even
if currently benign), is minimal in scope, has no side effects, and
carries essentially zero risk of regression.
drivers/infiniband/hw/bnxt_re/ib_verbs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
index 063801384b2b..3a627acb82ce 100644
--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
@@ -4738,7 +4738,7 @@ static int UVERBS_HANDLER(BNXT_RE_METHOD_GET_TOGGLE_MEM)(struct uverbs_attr_bund
return err;
err = uverbs_copy_to(attrs, BNXT_RE_TOGGLE_MEM_MMAP_OFFSET,
- &offset, sizeof(length));
+ &offset, sizeof(offset));
if (err)
return err;
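Review bot: The commit message body says only that there is no functional issue because "length" and "offset" are both u32; it never states what was wrong, so the subject line carries the whole description. Suggest adding a sentence that the size passed to `uverbs_copy_to()` for `BNXT_RE_TOGGLE_MEM_MMAP_OFFSET` should be `sizeof(offset)`, the object actually being copied, and a Fixes: tag naming the commit that introduced the call, so the backport range can be determined from the commit itself.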
--
2.39.5
* [PATCH AUTOSEL 6.16-5.4] RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask()
From: Sasha Levin @ 2025-08-05 13:09 UTC
To: patches, stable
Cc: Yury Norov [NVIDIA], Leon Romanovsky, Sasha Levin,
dennis.dalessandro, linux-rdma
From: "Yury Norov [NVIDIA]" <yury.norov@gmail.com>
[ Upstream commit 59f7d2138591ef8f0e4e4ab5f1ab674e8181ad3a ]
The function divides number of online CPUs by num_core_siblings, and
later checks the divider by zero. This implies a possibility to get
a divide-by-zero runtime error. Fix it by moving the check prior to
division. This also helps to save one indentation level.
Signed-off-by: Yury Norov [NVIDIA] <yury.norov@gmail.com>
Link: https://patch.msgid.link/20250604193947.11834-3-yury.norov@gmail.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
LLM Generated explanations, may be completely bogus:
**Backport Status: YES**
This commit should be backported to stable kernel trees. Here's my
extensive analysis:
## Bug Fix Analysis
The commit fixes a **genuine divide-by-zero bug** in the
`find_hw_thread_mask()` function. The code changes show:
1. **Original bug**: The division `num_cores_per_socket =
node_affinity.num_online_cpus / affinity->num_core_siblings /
node_affinity.num_online_nodes` occurs at lines 967-969 BEFORE
checking if `num_core_siblings > 0` at line 972.
2. **The fix**: Moves the check `if (affinity->num_core_siblings == 0)
return;` to line 973-974 (in the new code) BEFORE the division
operation, preventing the divide-by-zero.
## When the Bug Can Trigger
The `num_core_siblings` value is initialized as:
```c
cpumask_weight(topology_sibling_cpumask(cpumask_first(&node_affinity.proc.mask)))
```
This can be 0 in several real-world scenarios:
- Single-core systems without SMT/hyperthreading
- Systems where SMT is disabled at runtime
- Virtualized environments with unusual CPU topology
- Certain ARM or other architectures where topology_sibling_cpumask()
returns empty
## Stable Kernel Criteria Met
1. **Fixes a real bug**: ✓ - Prevents kernel divide-by-zero crash
2. **Small and contained**: ✓ - Only 20 lines changed in one function
3. **No side effects**: ✓ - Early return preserves existing behavior
when num_core_siblings==0
4. **No architectural changes**: ✓ - Simple defensive programming fix
5. **Clear bug fix**: ✓ - Not a feature or optimization
6. **Low regression risk**: ✓ - Only adds safety check, doesn't change
logic
## Impact Assessment
- **Severity**: Medium-High - Can cause kernel panic on affected systems
- **Affected systems**: HFI1 InfiniBand hardware on systems with
specific CPU configurations
- **User impact**: System crash when loading HFI1 driver on vulnerable
configurations
The commit message clearly states "fix possible divide-by-zero" and the
code change unambiguously moves a zero-check before a division operation
that uses that value as divisor. This is a textbook example of a bug fix
that should be backported to stable kernels to prevent crashes on
systems with certain CPU topologies.
drivers/infiniband/hw/hfi1/affinity.c | 44 +++++++++++++++------------
1 file changed, 24 insertions(+), 20 deletions(-)
diff --git a/drivers/infiniband/hw/hfi1/affinity.c b/drivers/infiniband/hw/hfi1/affinity.c
index 7ead8746b79b..f2c530ab85a5 100644
--- a/drivers/infiniband/hw/hfi1/affinity.c
+++ b/drivers/infiniband/hw/hfi1/affinity.c
@@ -964,31 +964,35 @@ static void find_hw_thread_mask(uint hw_thread_no, cpumask_var_t hw_thread_mask,
struct hfi1_affinity_node_list *affinity)
{
int possible, curr_cpu, i;
- uint num_cores_per_socket = node_affinity.num_online_cpus /
+ uint num_cores_per_socket;
+
+ cpumask_copy(hw_thread_mask, &affinity->proc.mask);
+
+ if (affinity->num_core_siblings == 0)
+ return;
+
+ num_cores_per_socket = node_affinity.num_online_cpus /
affinity->num_core_siblings /
node_affinity.num_online_nodes;
- cpumask_copy(hw_thread_mask, &affinity->proc.mask);
- if (affinity->num_core_siblings > 0) {
- /* Removing other siblings not needed for now */
- possible = cpumask_weight(hw_thread_mask);
- curr_cpu = cpumask_first(hw_thread_mask);
- for (i = 0;
- i < num_cores_per_socket * node_affinity.num_online_nodes;
- i++)
- curr_cpu = cpumask_next(curr_cpu, hw_thread_mask);
-
- for (; i < possible; i++) {
- cpumask_clear_cpu(curr_cpu, hw_thread_mask);
- curr_cpu = cpumask_next(curr_cpu, hw_thread_mask);
- }
+ /* Removing other siblings not needed for now */
+ possible = cpumask_weight(hw_thread_mask);
+ curr_cpu = cpumask_first(hw_thread_mask);
+ for (i = 0;
+ i < num_cores_per_socket * node_affinity.num_online_nodes;
+ i++)
+ curr_cpu = cpumask_next(curr_cpu, hw_thread_mask);
- /* Identifying correct HW threads within physical cores */
- cpumask_shift_left(hw_thread_mask, hw_thread_mask,
- num_cores_per_socket *
- node_affinity.num_online_nodes *
- hw_thread_no);
+ for (; i < possible; i++) {
+ cpumask_clear_cpu(curr_cpu, hw_thread_mask);
+ curr_cpu = cpumask_next(curr_cpu, hw_thread_mask);
}
+
+ /* Identifying correct HW threads within physical cores */
+ cpumask_shift_left(hw_thread_mask, hw_thread_mask,
+ num_cores_per_socket *
+ node_affinity.num_online_nodes *
+ hw_thread_no);
}
int hfi1_get_proc_affinity(int node)
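Review bot: The new guard in `find_hw_thread_mask()` covers only `affinity->num_core_siblings`; the same expression still divides by `node_affinity.num_online_nodes`, and nothing in this hunk shows that value is non-zero. If that is guaranteed elsewhere, a short comment above the division saying so would help; otherwise extend the check, for example `if (!affinity->num_core_siblings || !node_affinity.num_online_nodes) return;`. Placing the early return after `cpumask_copy()` keeps the old result for the zero case (the caller still gets the unfiltered `proc.mask`), so that ordering should stay.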
--
2.39.5