* [PATCH V2][5.15.y] bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq
@ 2024-12-12 2:21 guocai.he.cn
2024-12-12 6:32 ` Greg KH
2024-12-12 17:57 ` Sasha Levin
0 siblings, 2 replies; 8+ messages in thread
From: guocai.he.cn @ 2024-12-12 2:21 UTC (permalink / raw)
To: gregkh, mschmidt; +Cc: selvin.xavier, leon, xiangyu.chen, stable
From: Michal Schmidt <mschmidt@redhat.com>
V2: Corrected the upstream commit id.
commit 78cfd17142ef70599d6409cbd709d94b3da58659 upstream.
Undefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called
with hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0.
In that case, "roundup_pow_of_two(hwq_attr->aux_stride)" gets called.
roundup_pow_of_two is documented as undefined for 0.
Fix it in the one caller that had this combination.
The undefined behavior was detected by UBSAN:
UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13
shift exponent 64 is too large for 64-bit type 'long unsigned int'
CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4
Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023
Call Trace:
<TASK>
dump_stack_lvl+0x5d/0x80
ubsan_epilogue+0x5/0x30
__ubsan_handle_shift_out_of_bounds.cold+0x61/0xec
__roundup_pow_of_two+0x25/0x35 [bnxt_re]
bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re]
bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re]
bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re]
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
? __kmalloc+0x1b6/0x4f0
? create_qp.part.0+0x128/0x1c0 [ib_core]
? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re]
create_qp.part.0+0x128/0x1c0 [ib_core]
ib_create_qp_kernel+0x50/0xd0 [ib_core]
create_mad_qp+0x8e/0xe0 [ib_core]
? __pfx_qp_event_handler+0x10/0x10 [ib_core]
ib_mad_init_device+0x2be/0x680 [ib_core]
add_client_context+0x10d/0x1a0 [ib_core]
enable_device_and_get+0xe0/0x1d0 [ib_core]
ib_register_device+0x53c/0x630 [ib_core]
? srso_alias_return_thunk+0x5/0xfbef5
bnxt_re_probe+0xbd8/0xe50 [bnxt_re]
? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re]
auxiliary_bus_probe+0x49/0x80
? driver_sysfs_add+0x57/0xc0
really_probe+0xde/0x340
? pm_runtime_barrier+0x54/0x90
? __pfx___driver_attach+0x10/0x10
__driver_probe_device+0x78/0x110
driver_probe_device+0x1f/0xa0
__driver_attach+0xba/0x1c0
bus_for_each_dev+0x8f/0xe0
bus_add_driver+0x146/0x220
driver_register+0x72/0xd0
__auxiliary_driver_register+0x6e/0xd0
? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]
bnxt_re_mod_init+0x3e/0xff0 [bnxt_re]
? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]
do_one_initcall+0x5b/0x310
do_init_module+0x90/0x250
init_module_from_file+0x86/0xc0
idempotent_init_module+0x121/0x2b0
__x64_sys_finit_module+0x5e/0xb0
do_syscall_64+0x82/0x160
? srso_alias_return_thunk+0x5/0xfbef5
? syscall_exit_to_user_mode_prepare+0x149/0x170
? srso_alias_return_thunk+0x5/0xfbef5
? syscall_exit_to_user_mode+0x75/0x230
? srso_alias_return_thunk+0x5/0xfbef5
? do_syscall_64+0x8e/0x160
? srso_alias_return_thunk+0x5/0xfbef5
? __count_memcg_events+0x69/0x100
? srso_alias_return_thunk+0x5/0xfbef5
? count_memcg_events.constprop.0+0x1a/0x30
? srso_alias_return_thunk+0x5/0xfbef5
? handle_mm_fault+0x1f0/0x300
? srso_alias_return_thunk+0x5/0xfbef5
? do_user_addr_fault+0x34e/0x640
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f4e5132821d
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48
RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d
RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b
RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0
R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d
R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60
</TASK>
---[ end trace ]---
Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation")
Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
Link: https://lore.kernel.org/r/20240507103929.30003-1-mschmidt@redhat.com
Acked-by: Selvin Xavier <selvin.xavier@broadcom.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
---
This commit is backporting 78cfd17142ef70599d6409cbd709d94b3da58659 to the branch linux-5.15.y to
solve the CVE-2024-38540. Please merge this commit to linux-5.15.y.
drivers/infiniband/hw/bnxt_re/qplib_fp.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.c b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
index dea70db9ee97..82d7381dbd6d 100644
--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c
+++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
@@ -1013,7 +1013,8 @@ int bnxt_qplib_create_qp(struct bnxt_qplib_res *res, struct bnxt_qplib_qp *qp)
hwq_attr.stride = sizeof(struct sq_sge);
hwq_attr.depth = bnxt_qplib_get_depth(sq);
hwq_attr.aux_stride = psn_sz;
- hwq_attr.aux_depth = bnxt_qplib_set_sq_size(sq, qp->wqe_mode);
+ hwq_attr.aux_depth = psn_sz ? bnxt_qplib_set_sq_size(sq, qp->wqe_mode)
+ : 0;
hwq_attr.type = HWQ_TYPE_QUEUE;
rc = bnxt_qplib_alloc_init_hwq(&sq->hwq, &hwq_attr);
if (rc)
--
2.34.1
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH V2][5.15.y] bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq
2024-12-12 2:21 guocai.he.cn
@ 2024-12-12 6:32 ` Greg KH
2024-12-12 17:57 ` Sasha Levin
1 sibling, 0 replies; 8+ messages in thread
From: Greg KH @ 2024-12-12 6:32 UTC (permalink / raw)
To: guocai.he.cn; +Cc: mschmidt, selvin.xavier, leon, xiangyu.chen, stable
On Thu, Dec 12, 2024 at 10:21:21AM +0800, guocai.he.cn@windriver.com wrote:
> From: Michal Schmidt <mschmidt@redhat.com>
>
> V2: Corrected the upstream commit id.
As documented, this goes below the --- line.
Please fix up and resend.
greg k-h
^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH V2][5.15.y] bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq
@ 2024-12-12 6:48 guocai.he.cn
2024-12-12 6:54 ` Greg KH
2024-12-12 17:57 ` Sasha Levin
0 siblings, 2 replies; 8+ messages in thread
From: guocai.he.cn @ 2024-12-12 6:48 UTC (permalink / raw)
To: gregkh, mschmidt; +Cc: selvin.xavier, leon, xiangyu.chen, stable
From: Michal Schmidt <mschmidt@redhat.com>
commit 78cfd17142ef70599d6409cbd709d94b3da58659 upstream.
Undefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called
with hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0.
In that case, "roundup_pow_of_two(hwq_attr->aux_stride)" gets called.
roundup_pow_of_two is documented as undefined for 0.
Fix it in the one caller that had this combination.
The undefined behavior was detected by UBSAN:
UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13
shift exponent 64 is too large for 64-bit type 'long unsigned int'
CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4
Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023
Call Trace:
<TASK>
dump_stack_lvl+0x5d/0x80
ubsan_epilogue+0x5/0x30
__ubsan_handle_shift_out_of_bounds.cold+0x61/0xec
__roundup_pow_of_two+0x25/0x35 [bnxt_re]
bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re]
bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re]
bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re]
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
? __kmalloc+0x1b6/0x4f0
? create_qp.part.0+0x128/0x1c0 [ib_core]
? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re]
create_qp.part.0+0x128/0x1c0 [ib_core]
ib_create_qp_kernel+0x50/0xd0 [ib_core]
create_mad_qp+0x8e/0xe0 [ib_core]
? __pfx_qp_event_handler+0x10/0x10 [ib_core]
ib_mad_init_device+0x2be/0x680 [ib_core]
add_client_context+0x10d/0x1a0 [ib_core]
enable_device_and_get+0xe0/0x1d0 [ib_core]
ib_register_device+0x53c/0x630 [ib_core]
? srso_alias_return_thunk+0x5/0xfbef5
bnxt_re_probe+0xbd8/0xe50 [bnxt_re]
? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re]
auxiliary_bus_probe+0x49/0x80
? driver_sysfs_add+0x57/0xc0
really_probe+0xde/0x340
? pm_runtime_barrier+0x54/0x90
? __pfx___driver_attach+0x10/0x10
__driver_probe_device+0x78/0x110
driver_probe_device+0x1f/0xa0
__driver_attach+0xba/0x1c0
bus_for_each_dev+0x8f/0xe0
bus_add_driver+0x146/0x220
driver_register+0x72/0xd0
__auxiliary_driver_register+0x6e/0xd0
? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]
bnxt_re_mod_init+0x3e/0xff0 [bnxt_re]
? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]
do_one_initcall+0x5b/0x310
do_init_module+0x90/0x250
init_module_from_file+0x86/0xc0
idempotent_init_module+0x121/0x2b0
__x64_sys_finit_module+0x5e/0xb0
do_syscall_64+0x82/0x160
? srso_alias_return_thunk+0x5/0xfbef5
? syscall_exit_to_user_mode_prepare+0x149/0x170
? srso_alias_return_thunk+0x5/0xfbef5
? syscall_exit_to_user_mode+0x75/0x230
? srso_alias_return_thunk+0x5/0xfbef5
? do_syscall_64+0x8e/0x160
? srso_alias_return_thunk+0x5/0xfbef5
? __count_memcg_events+0x69/0x100
? srso_alias_return_thunk+0x5/0xfbef5
? count_memcg_events.constprop.0+0x1a/0x30
? srso_alias_return_thunk+0x5/0xfbef5
? handle_mm_fault+0x1f0/0x300
? srso_alias_return_thunk+0x5/0xfbef5
? do_user_addr_fault+0x34e/0x640
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f4e5132821d
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48
RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d
RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b
RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0
R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d
R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60
</TASK>
---[ end trace ]---
Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation")
Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
Link: https://lore.kernel.org/r/20240507103929.30003-1-mschmidt@redhat.com
Acked-by: Selvin Xavier <selvin.xavier@broadcom.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
---
This commit is backporting 78cfd17142ef70599d6409cbd709d94b3da58659 to the branch linux-5.15.y to
solve the CVE-2024-38540. Please merge this commit to linux-5.15.y.
drivers/infiniband/hw/bnxt_re/qplib_fp.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.c b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
index dea70db9ee97..82d7381dbd6d 100644
--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c
+++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
@@ -1013,7 +1013,8 @@ int bnxt_qplib_create_qp(struct bnxt_qplib_res *res, struct bnxt_qplib_qp *qp)
hwq_attr.stride = sizeof(struct sq_sge);
hwq_attr.depth = bnxt_qplib_get_depth(sq);
hwq_attr.aux_stride = psn_sz;
- hwq_attr.aux_depth = bnxt_qplib_set_sq_size(sq, qp->wqe_mode);
+ hwq_attr.aux_depth = psn_sz ? bnxt_qplib_set_sq_size(sq, qp->wqe_mode)
+ : 0;
hwq_attr.type = HWQ_TYPE_QUEUE;
rc = bnxt_qplib_alloc_init_hwq(&sq->hwq, &hwq_attr);
if (rc)
--
2.34.1
V2: Corrected the upstream commit id.
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH V2][5.15.y] bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq
2024-12-12 6:48 [PATCH V2][5.15.y] bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq guocai.he.cn
@ 2024-12-12 6:54 ` Greg KH
2024-12-12 7:10 ` Harshit Mogalapalli
2024-12-12 17:57 ` Sasha Levin
1 sibling, 1 reply; 8+ messages in thread
From: Greg KH @ 2024-12-12 6:54 UTC (permalink / raw)
To: guocai.he.cn; +Cc: mschmidt, selvin.xavier, leon, xiangyu.chen, stable
On Thu, Dec 12, 2024 at 02:48:46PM +0800, guocai.he.cn@windriver.com wrote:
> From: Michal Schmidt <mschmidt@redhat.com>
>
> commit 78cfd17142ef70599d6409cbd709d94b3da58659 upstream.
>
> Undefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called
> with hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0.
> In that case, "roundup_pow_of_two(hwq_attr->aux_stride)" gets called.
> roundup_pow_of_two is documented as undefined for 0.
>
> Fix it in the one caller that had this combination.
>
> The undefined behavior was detected by UBSAN:
> UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13
> shift exponent 64 is too large for 64-bit type 'long unsigned int'
> CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4
> Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023
> Call Trace:
> <TASK>
> dump_stack_lvl+0x5d/0x80
> ubsan_epilogue+0x5/0x30
> __ubsan_handle_shift_out_of_bounds.cold+0x61/0xec
> __roundup_pow_of_two+0x25/0x35 [bnxt_re]
> bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re]
> bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re]
> bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re]
> ? srso_alias_return_thunk+0x5/0xfbef5
> ? srso_alias_return_thunk+0x5/0xfbef5
> ? __kmalloc+0x1b6/0x4f0
> ? create_qp.part.0+0x128/0x1c0 [ib_core]
> ? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re]
> create_qp.part.0+0x128/0x1c0 [ib_core]
> ib_create_qp_kernel+0x50/0xd0 [ib_core]
> create_mad_qp+0x8e/0xe0 [ib_core]
> ? __pfx_qp_event_handler+0x10/0x10 [ib_core]
> ib_mad_init_device+0x2be/0x680 [ib_core]
> add_client_context+0x10d/0x1a0 [ib_core]
> enable_device_and_get+0xe0/0x1d0 [ib_core]
> ib_register_device+0x53c/0x630 [ib_core]
> ? srso_alias_return_thunk+0x5/0xfbef5
> bnxt_re_probe+0xbd8/0xe50 [bnxt_re]
> ? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re]
> auxiliary_bus_probe+0x49/0x80
> ? driver_sysfs_add+0x57/0xc0
> really_probe+0xde/0x340
> ? pm_runtime_barrier+0x54/0x90
> ? __pfx___driver_attach+0x10/0x10
> __driver_probe_device+0x78/0x110
> driver_probe_device+0x1f/0xa0
> __driver_attach+0xba/0x1c0
> bus_for_each_dev+0x8f/0xe0
> bus_add_driver+0x146/0x220
> driver_register+0x72/0xd0
> __auxiliary_driver_register+0x6e/0xd0
> ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]
> bnxt_re_mod_init+0x3e/0xff0 [bnxt_re]
> ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]
> do_one_initcall+0x5b/0x310
> do_init_module+0x90/0x250
> init_module_from_file+0x86/0xc0
> idempotent_init_module+0x121/0x2b0
> __x64_sys_finit_module+0x5e/0xb0
> do_syscall_64+0x82/0x160
> ? srso_alias_return_thunk+0x5/0xfbef5
> ? syscall_exit_to_user_mode_prepare+0x149/0x170
> ? srso_alias_return_thunk+0x5/0xfbef5
> ? syscall_exit_to_user_mode+0x75/0x230
> ? srso_alias_return_thunk+0x5/0xfbef5
> ? do_syscall_64+0x8e/0x160
> ? srso_alias_return_thunk+0x5/0xfbef5
> ? __count_memcg_events+0x69/0x100
> ? srso_alias_return_thunk+0x5/0xfbef5
> ? count_memcg_events.constprop.0+0x1a/0x30
> ? srso_alias_return_thunk+0x5/0xfbef5
> ? handle_mm_fault+0x1f0/0x300
> ? srso_alias_return_thunk+0x5/0xfbef5
> ? do_user_addr_fault+0x34e/0x640
> ? srso_alias_return_thunk+0x5/0xfbef5
> ? srso_alias_return_thunk+0x5/0xfbef5
> entry_SYSCALL_64_after_hwframe+0x76/0x7e
> RIP: 0033:0x7f4e5132821d
> Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48
> RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
> RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d
> RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b
> RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0
> R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d
> R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60
> </TASK>
> ---[ end trace ]---
>
> Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation")
> Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
> Link: https://lore.kernel.org/r/20240507103929.30003-1-mschmidt@redhat.com
> Acked-by: Selvin Xavier <selvin.xavier@broadcom.com>
> Signed-off-by: Leon Romanovsky <leon@kernel.org>
> Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
I have not signed off on this backport, why did you add this here? You
do know what this is saying right?
Please work with your other kernel developers at your company for you
all to come up with a better workflow for doing all of these backports.
What you are doing here now just isn't working for us at all, sorry.
greg k-h
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH V2][5.15.y] bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq
2024-12-12 6:54 ` Greg KH
@ 2024-12-12 7:10 ` Harshit Mogalapalli
2024-12-12 7:47 ` Greg KH
0 siblings, 1 reply; 8+ messages in thread
From: Harshit Mogalapalli @ 2024-12-12 7:10 UTC (permalink / raw)
To: Greg KH, guocai.he.cn, Sasha Levin
Cc: mschmidt, selvin.xavier, leon, xiangyu.chen, Vegard Nossum,
stable
Hi Greg,
On 12/12/24 12:24, Greg KH wrote:
...
>>
>> Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation")
>> Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
>> Link: https://lore.kernel.org/r/20240507103929.30003-1-mschmidt@redhat.com
>> Acked-by: Selvin Xavier <selvin.xavier@broadcom.com>
>> Signed-off-by: Leon Romanovsky <leon@kernel.org>
>> Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
>> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>
> I have not signed off on this backport, why did you add this here? You
> do know what this is saying right?
>
Note: I think Guocai cherry-picked 6.1.y commit: (probable reason for
your SOB and Xiangyu Chen's SOB there)
stable-6.1 : v6.1.117 - 84d2f2915218 bnxt_re: avoid shift
undefined behavior in bnxt_qplib_alloc_init_hwq
This clean cherry-picks to 5.15.y
Question: In cases like this where we benefit from cherry-picking a
commit from another stable branch as opposed to upstream commit(if we
used original upstream for cherry-picking, we would get conflicts and
probably have to resolve in the same way as we did for 6.1.y], how do we
differentiate that in commit message ? May be with a comment before SOB
[ Harshit: Cherry-picked it from 6.1.y branch, it is a clean
cherry-pick], as per Option 3 documented in [1], the first line (commit
78cfd17142ef70599d6409cbd709d94b3da58659 upstream) should still point to
upstream commit right ?
[1] https://www.kernel.org/doc/html/v6.12/process/stable-kernel-rules.html
Thanks,
Harshit
> Please work with your other kernel developers at your company for you
> all to come up with a better workflow for doing all of these backports.
> What you are doing here now just isn't working for us at all, sorry.
>
> greg k-h
>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH V2][5.15.y] bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq
2024-12-12 7:10 ` Harshit Mogalapalli
@ 2024-12-12 7:47 ` Greg KH
0 siblings, 0 replies; 8+ messages in thread
From: Greg KH @ 2024-12-12 7:47 UTC (permalink / raw)
To: Harshit Mogalapalli
Cc: guocai.he.cn, Sasha Levin, mschmidt, selvin.xavier, leon,
xiangyu.chen, Vegard Nossum, stable
On Thu, Dec 12, 2024 at 12:40:19PM +0530, Harshit Mogalapalli wrote:
> Hi Greg,
>
> On 12/12/24 12:24, Greg KH wrote:
> ...
> > >
> > > Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation")
> > > Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
> > > Link: https://lore.kernel.org/r/20240507103929.30003-1-mschmidt@redhat.com
> > > Acked-by: Selvin Xavier <selvin.xavier@broadcom.com>
> > > Signed-off-by: Leon Romanovsky <leon@kernel.org>
> > > Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
> > > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> >
> > I have not signed off on this backport, why did you add this here? You
> > do know what this is saying right?
> >
>
> Note: I think Guocai cherry-picked 6.1.y commit: (probable reason for your
> SOB and Xiangyu Chen's SOB there)
Maybe, but how am I supposed to know that?
> stable-6.1 : v6.1.117 - 84d2f2915218 bnxt_re: avoid shift undefined
> behavior in bnxt_qplib_alloc_init_hwq
>
> This clean cherry-picks to 5.15.y
>
> Question: In cases like this where we benefit from cherry-picking a commit
> from another stable branch as opposed to upstream commit(if we used original
> upstream for cherry-picking, we would get conflicts and probably have to
> resolve in the same way as we did for 6.1.y], how do we differentiate that
> in commit message ? May be with a comment before SOB [ Harshit:
> Cherry-picked it from 6.1.y branch, it is a clean cherry-pick], as per
> Option 3 documented in [1], the first line (commit
> 78cfd17142ef70599d6409cbd709d94b3da58659 upstream) should still point to
> upstream commit right ?
>
> [1] https://www.kernel.org/doc/html/v6.12/process/stable-kernel-rules.html
What would you want to see if you get a random backport sent to you to
do something with and the signed-off-by lines do NOT match with what is
upstream?
Be reasonable here people, realize that someone is on the other side of
these emails and I have to verify that they are actually what they claim
to be (hint, that's getting harder recently with the uptick in backports
that are not correct...)
Make it simple for us please.
thanks,
greg k-h
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH V2][5.15.y] bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq
2024-12-12 6:48 [PATCH V2][5.15.y] bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq guocai.he.cn
2024-12-12 6:54 ` Greg KH
@ 2024-12-12 17:57 ` Sasha Levin
1 sibling, 0 replies; 8+ messages in thread
From: Sasha Levin @ 2024-12-12 17:57 UTC (permalink / raw)
To: stable; +Cc: guocai.he.cn, Sasha Levin
[ Sasha's backport helper bot ]
Hi,
The upstream commit SHA1 provided is correct: 78cfd17142ef70599d6409cbd709d94b3da58659
WARNING: Author mismatch between patch and upstream commit:
Backport author: guocai.he.cn@windriver.com
Commit author: Michal Schmidt <mschmidt@redhat.com>
Status in newer kernel trees:
6.12.y | Present (exact SHA1)
6.6.y | Present (different SHA1: a658f011d89d)
6.1.y | Present (different SHA1: 84d2f2915218)
5.15.y | Not found
Note: The patch differs from the upstream commit:
---
1: 78cfd17142ef7 ! 1: b6bf18a2edb26 bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq
@@ Metadata
## Commit message ##
bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq
+ commit 78cfd17142ef70599d6409cbd709d94b3da58659 upstream.
+
Undefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called
with hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0.
In that case, "roundup_pow_of_two(hwq_attr->aux_stride)" gets called.
@@ Commit message
Link: https://lore.kernel.org/r/20240507103929.30003-1-mschmidt@redhat.com
Acked-by: Selvin Xavier <selvin.xavier@broadcom.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
+ Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+ Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
## drivers/infiniband/hw/bnxt_re/qplib_fp.c ##
@@ drivers/infiniband/hw/bnxt_re/qplib_fp.c: int bnxt_qplib_create_qp(struct bnxt_qplib_res *res, struct bnxt_qplib_qp *qp)
@@ drivers/infiniband/hw/bnxt_re/qplib_fp.c: int bnxt_qplib_create_qp(struct bnxt_q
- hwq_attr.aux_depth = bnxt_qplib_set_sq_size(sq, qp->wqe_mode);
+ hwq_attr.aux_depth = psn_sz ? bnxt_qplib_set_sq_size(sq, qp->wqe_mode)
+ : 0;
- /* Update msn tbl size */
- if (BNXT_RE_HW_RETX(qp->dev_cap_flags) && psn_sz) {
- hwq_attr.aux_depth = roundup_pow_of_two(bnxt_qplib_set_sq_size(sq, qp->wqe_mode));
+ hwq_attr.type = HWQ_TYPE_QUEUE;
+ rc = bnxt_qplib_alloc_init_hwq(&sq->hwq, &hwq_attr);
+ if (rc)
---
Results of testing on various branches:
| Branch | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-5.15.y | Success | Success |
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH V2][5.15.y] bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq
2024-12-12 2:21 guocai.he.cn
2024-12-12 6:32 ` Greg KH
@ 2024-12-12 17:57 ` Sasha Levin
1 sibling, 0 replies; 8+ messages in thread
From: Sasha Levin @ 2024-12-12 17:57 UTC (permalink / raw)
To: stable; +Cc: guocai.he.cn, Sasha Levin
[ Sasha's backport helper bot ]
Hi,
The upstream commit SHA1 provided is correct: 78cfd17142ef70599d6409cbd709d94b3da58659
WARNING: Author mismatch between patch and upstream commit:
Backport author: guocai.he.cn@windriver.com
Commit author: Michal Schmidt <mschmidt@redhat.com>
Status in newer kernel trees:
6.12.y | Present (exact SHA1)
6.6.y | Present (different SHA1: a658f011d89d)
6.1.y | Present (different SHA1: 84d2f2915218)
5.15.y | Not found
Note: The patch differs from the upstream commit:
---
1: 78cfd17142ef7 ! 1: 51e93e317df96 bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq
@@ Metadata
## Commit message ##
bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq
+ V2: Corrected the upstream commit id.
+
+ commit 78cfd17142ef70599d6409cbd709d94b3da58659 upstream.
+
Undefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called
with hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0.
In that case, "roundup_pow_of_two(hwq_attr->aux_stride)" gets called.
@@ Commit message
Link: https://lore.kernel.org/r/20240507103929.30003-1-mschmidt@redhat.com
Acked-by: Selvin Xavier <selvin.xavier@broadcom.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
+ Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+ Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
## drivers/infiniband/hw/bnxt_re/qplib_fp.c ##
@@ drivers/infiniband/hw/bnxt_re/qplib_fp.c: int bnxt_qplib_create_qp(struct bnxt_qplib_res *res, struct bnxt_qplib_qp *qp)
@@ drivers/infiniband/hw/bnxt_re/qplib_fp.c: int bnxt_qplib_create_qp(struct bnxt_q
- hwq_attr.aux_depth = bnxt_qplib_set_sq_size(sq, qp->wqe_mode);
+ hwq_attr.aux_depth = psn_sz ? bnxt_qplib_set_sq_size(sq, qp->wqe_mode)
+ : 0;
- /* Update msn tbl size */
- if (BNXT_RE_HW_RETX(qp->dev_cap_flags) && psn_sz) {
- hwq_attr.aux_depth = roundup_pow_of_two(bnxt_qplib_set_sq_size(sq, qp->wqe_mode));
+ hwq_attr.type = HWQ_TYPE_QUEUE;
+ rc = bnxt_qplib_alloc_init_hwq(&sq->hwq, &hwq_attr);
+ if (rc)
---
Results of testing on various branches:
| Branch | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-5.15.y | Success | Success |
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2024-12-12 17:57 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-12-12 6:48 [PATCH V2][5.15.y] bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq guocai.he.cn
2024-12-12 6:54 ` Greg KH
2024-12-12 7:10 ` Harshit Mogalapalli
2024-12-12 7:47 ` Greg KH
2024-12-12 17:57 ` Sasha Levin
-- strict thread matches above, loose matches on Subject: below --
2024-12-12 2:21 guocai.he.cn
2024-12-12 6:32 ` Greg KH
2024-12-12 17:57 ` Sasha Levin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox