- Kernel - mailweb.openeuler.org

[PATCH openEuler-22.03-LTS-SP1] fs/ntfs3: Validate ff offset
by Wang Zhaolong 31 Jul '24

31 Jul '24

From: lei lu <llfamsec(a)gmail.com> mainline inclusion from mainline-v6.10-rc1 commit 50c47879650b4c97836a0086632b3a2e300b0f06 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAG8RW CVE: CVE-2024-41019 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- This adds sanity checks for ff offset. There is a check on rt->first_free at first, but walking through by ff without any check. If the second ff is a large offset. We may encounter an out-of-bound read. Signed-off-by: lei lu <llfamsec(a)gmail.com> Signed-off-by: Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> Signed-off-by: Wang Zhaolong <wangzhaolong1(a)huawei.com> --- fs/ntfs3/fslog.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/fs/ntfs3/fslog.c b/fs/ntfs3/fslog.c index 6489953d4617..301cfbda5cd4 100644 --- a/fs/ntfs3/fslog.c +++ b/fs/ntfs3/fslog.c @@ -722,7 +722,8 @@ static bool check_rstbl(const struct RESTART_TABLE *rt, size_t bytes) if (!rsize || rsize > bytes || rsize + sizeof(struct RESTART_TABLE) > bytes || bytes < ts || - le16_to_cpu(rt->total) > ne || ff > ts || lf > ts || + le16_to_cpu(rt->total) > ne || + ff > ts - sizeof(__le32) || lf > ts - sizeof(__le32) || (ff && ff < sizeof(struct RESTART_TABLE)) || (lf && lf < sizeof(struct RESTART_TABLE))) { return false; @@ -752,6 +753,9 @@ static bool check_rstbl(const struct RESTART_TABLE *rt, size_t bytes) return false; off = le32_to_cpu(*(__le32 *)Add2Ptr(rt, off)); + + if (off > ts - sizeof(__le32)) + return false; } return true; -- 2.34.3

2 1

[PATCH OLK-5.10] fs/ntfs3: Validate ff offset
by Wang Zhaolong 31 Jul '24

31 Jul '24

From: lei lu <llfamsec(a)gmail.com> mainline inclusion from mainline-v6.10-rc1 commit 50c47879650b4c97836a0086632b3a2e300b0f06 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAG8RW CVE: CVE-2024-41019 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- This adds sanity checks for ff offset. There is a check on rt->first_free at first, but walking through by ff without any check. If the second ff is a large offset. We may encounter an out-of-bound read. Signed-off-by: lei lu <llfamsec(a)gmail.com> Signed-off-by: Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> Signed-off-by: Wang Zhaolong <wangzhaolong1(a)huawei.com> --- fs/ntfs3/fslog.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/fs/ntfs3/fslog.c b/fs/ntfs3/fslog.c index 6489953d4617..301cfbda5cd4 100644 --- a/fs/ntfs3/fslog.c +++ b/fs/ntfs3/fslog.c @@ -722,7 +722,8 @@ static bool check_rstbl(const struct RESTART_TABLE *rt, size_t bytes) if (!rsize || rsize > bytes || rsize + sizeof(struct RESTART_TABLE) > bytes || bytes < ts || - le16_to_cpu(rt->total) > ne || ff > ts || lf > ts || + le16_to_cpu(rt->total) > ne || + ff > ts - sizeof(__le32) || lf > ts - sizeof(__le32) || (ff && ff < sizeof(struct RESTART_TABLE)) || (lf && lf < sizeof(struct RESTART_TABLE))) { return false; @@ -752,6 +753,9 @@ static bool check_rstbl(const struct RESTART_TABLE *rt, size_t bytes) return false; off = le32_to_cpu(*(__le32 *)Add2Ptr(rt, off)); + + if (off > ts - sizeof(__le32)) + return false; } return true; -- 2.34.3

2 1

[PATCH OLK-5.10 v2] ipv6: sr: fix missing sk_buff release in seg6_input_core
by Dong Chenchen 31 Jul '24

31 Jul '24

From: Andrea Mayer <andrea.mayer(a)uniroma2.it> mainline inclusion from mainline-v6.10-rc1 commit 5447f9708d9e4c17a647b16a9cb29e9e02820bd9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAC3N2 CVE: CVE-2024-39490 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The seg6_input() function is responsible for adding the SRH into a packet, delegating the operation to the seg6_input_core(). This function uses the skb_cow_head() to ensure that there is sufficient headroom in the sk_buff for accommodating the link-layer header. In the event that the skb_cow_header() function fails, the seg6_input_core() catches the error but it does not release the sk_buff, which will result in a memory leak. This issue was introduced in commit af3b5158b89d ("ipv6: sr: fix BUG due to headroom too small after SRH push") and persists even after commit 7a3f5b0de364 ("netfilter: add netfilter hooks to SRv6 data plane"), where the entire seg6_input() code was refactored to deal with netfilter hooks. The proposed patch addresses the identified memory leak by requiring the seg6_input_core() function to release the sk_buff in the event that skb_cow_head() fails. Fixes: af3b5158b89d ("ipv6: sr: fix BUG due to headroom too small after SRH push") Signed-off-by: Andrea Mayer <andrea.mayer(a)uniroma2.it> Reviewed-by: Simon Horman <horms(a)kernel.org> Reviewed-by: David Ahern <dsahern(a)kernel.org> Signed-off-by: David S. Miller <davem(a)davemloft.net> Conflicts: net/ipv6/seg6_iptunnel.c [commit 7a3f5b0de364 add seg6_input_core() to seg6_input() for netfilter hooks of SRv6, which lead to context conflicts] Signed-off-by: Dong Chenchen <dongchenchen2(a)huawei.com> --- net/ipv6/seg6_iptunnel.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/net/ipv6/seg6_iptunnel.c b/net/ipv6/seg6_iptunnel.c index 40ac23242c37..ab2a606fdb65 100644 --- a/net/ipv6/seg6_iptunnel.c +++ b/net/ipv6/seg6_iptunnel.c @@ -318,10 +318,8 @@ static int seg6_input(struct sk_buff *skb) int err; err = seg6_do_srh(skb); - if (unlikely(err)) { - kfree_skb(skb); - return err; - } + if (unlikely(err)) + goto drop; slwt = seg6_lwt_lwtunnel(orig_dst->lwtstate); @@ -346,9 +344,12 @@ static int seg6_input(struct sk_buff *skb) err = skb_cow_head(skb, LL_RESERVED_SPACE(dst->dev)); if (unlikely(err)) - return err; + goto drop; return dst_input(skb); +drop: + kfree_skb(skb); + return err; } static int seg6_output(struct net *net, struct sock *sk, struct sk_buff *skb) -- 2.25.1

2 2

[PATCH openEuler-22.03-LTS-SP1 v2] ipv6: sr: fix missing sk_buff release in seg6_input_core
by Dong Chenchen 31 Jul '24

31 Jul '24

From: Andrea Mayer <andrea.mayer(a)uniroma2.it> mainline inclusion from mainline-v6.10-rc1 commit 5447f9708d9e4c17a647b16a9cb29e9e02820bd9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAC3N2 CVE: CVE-2024-39490 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The seg6_input() function is responsible for adding the SRH into a packet, delegating the operation to the seg6_input_core(). This function uses the skb_cow_head() to ensure that there is sufficient headroom in the sk_buff for accommodating the link-layer header. In the event that the skb_cow_header() function fails, the seg6_input_core() catches the error but it does not release the sk_buff, which will result in a memory leak. This issue was introduced in commit af3b5158b89d ("ipv6: sr: fix BUG due to headroom too small after SRH push") and persists even after commit 7a3f5b0de364 ("netfilter: add netfilter hooks to SRv6 data plane"), where the entire seg6_input() code was refactored to deal with netfilter hooks. The proposed patch addresses the identified memory leak by requiring the seg6_input_core() function to release the sk_buff in the event that skb_cow_head() fails. Fixes: af3b5158b89d ("ipv6: sr: fix BUG due to headroom too small after SRH push") Signed-off-by: Andrea Mayer <andrea.mayer(a)uniroma2.it> Reviewed-by: Simon Horman <horms(a)kernel.org> Reviewed-by: David Ahern <dsahern(a)kernel.org> Signed-off-by: David S. Miller <davem(a)davemloft.net> Conflicts: net/ipv6/seg6_iptunnel.c [commit 7a3f5b0de364 add seg6_input_core() to seg6_input() for netfilter hooks of SRv6, which lead to context conflicts] Signed-off-by: Dong Chenchen <dongchenchen2(a)huawei.com> --- net/ipv6/seg6_iptunnel.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/net/ipv6/seg6_iptunnel.c b/net/ipv6/seg6_iptunnel.c index 40ac23242c37..ab2a606fdb65 100644 --- a/net/ipv6/seg6_iptunnel.c +++ b/net/ipv6/seg6_iptunnel.c @@ -318,10 +318,8 @@ static int seg6_input(struct sk_buff *skb) int err; err = seg6_do_srh(skb); - if (unlikely(err)) { - kfree_skb(skb); - return err; - } + if (unlikely(err)) + goto drop; slwt = seg6_lwt_lwtunnel(orig_dst->lwtstate); @@ -346,9 +344,12 @@ static int seg6_input(struct sk_buff *skb) err = skb_cow_head(skb, LL_RESERVED_SPACE(dst->dev)); if (unlikely(err)) - return err; + goto drop; return dst_input(skb); +drop: + kfree_skb(skb); + return err; } static int seg6_output(struct net *net, struct sock *sk, struct sk_buff *skb) -- 2.25.1

2 1

[PATCH OLK-6.6 v2] [Backport] ipv6: sr: fix missing sk_buff release in seg6_input_core
by Dong Chenchen 31 Jul '24

31 Jul '24

From: Andrea Mayer <andrea.mayer(a)uniroma2.it> mainline inclusion from mainline-v6.10-rc1 commit 5447f9708d9e4c17a647b16a9cb29e9e02820bd9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAC3N2 CVE: CVE-2024-39490 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The seg6_input() function is responsible for adding the SRH into a packet, delegating the operation to the seg6_input_core(). This function uses the skb_cow_head() to ensure that there is sufficient headroom in the sk_buff for accommodating the link-layer header. In the event that the skb_cow_header() function fails, the seg6_input_core() catches the error but it does not release the sk_buff, which will result in a memory leak. This issue was introduced in commit af3b5158b89d ("ipv6: sr: fix BUG due to headroom too small after SRH push") and persists even after commit 7a3f5b0de364 ("netfilter: add netfilter hooks to SRv6 data plane"), where the entire seg6_input() code was refactored to deal with netfilter hooks. The proposed patch addresses the identified memory leak by requiring the seg6_input_core() function to release the sk_buff in the event that skb_cow_head() fails. Fixes: af3b5158b89d ("ipv6: sr: fix BUG due to headroom too small after SRH push") Signed-off-by: Andrea Mayer <andrea.mayer(a)uniroma2.it> Reviewed-by: Simon Horman <horms(a)kernel.org> Reviewed-by: David Ahern <dsahern(a)kernel.org> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Dong Chenchen <dongchenchen2(a)huawei.com> --- net/ipv6/seg6_iptunnel.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/net/ipv6/seg6_iptunnel.c b/net/ipv6/seg6_iptunnel.c index 03b877ff4558..a75df2ec8db0 100644 --- a/net/ipv6/seg6_iptunnel.c +++ b/net/ipv6/seg6_iptunnel.c @@ -459,10 +459,8 @@ static int seg6_input_core(struct net *net, struct sock *sk, int err; err = seg6_do_srh(skb); - if (unlikely(err)) { - kfree_skb(skb); - return err; - } + if (unlikely(err)) + goto drop; slwt = seg6_lwt_lwtunnel(orig_dst->lwtstate); @@ -486,7 +484,7 @@ static int seg6_input_core(struct net *net, struct sock *sk, err = skb_cow_head(skb, LL_RESERVED_SPACE(dst->dev)); if (unlikely(err)) - return err; + goto drop; if (static_branch_unlikely(&nf_hooks_lwtunnel_enabled)) return NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, @@ -494,6 +492,9 @@ static int seg6_input_core(struct net *net, struct sock *sk, skb_dst(skb)->dev, seg6_input_finish); return seg6_input_finish(dev_net(skb->dev), NULL, skb); +drop: + kfree_skb(skb); + return err; } static int seg6_input_nf(struct sk_buff *skb) -- 2.25.1

1 0

[PATCH OLK-6.6] fs/ntfs3: Validate ff offset
by Wang Zhaolong 31 Jul '24

31 Jul '24

From: lei lu <llfamsec(a)gmail.com> mainline inclusion from mainline-v6.10-rc1 commit 50c47879650b4c97836a0086632b3a2e300b0f06 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAG8RW CVE: CVE-2024-41019 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- This adds sanity checks for ff offset. There is a check on rt->first_free at first, but walking through by ff without any check. If the second ff is a large offset. We may encounter an out-of-bound read. Signed-off-by: lei lu <llfamsec(a)gmail.com> Signed-off-by: Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> Signed-off-by: Wang Zhaolong <wangzhaolong1(a)huawei.com> --- fs/ntfs3/fslog.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/fs/ntfs3/fslog.c b/fs/ntfs3/fslog.c index 4085fe30bf48..f9e96de95f94 100644 --- a/fs/ntfs3/fslog.c +++ b/fs/ntfs3/fslog.c @@ -724,7 +724,8 @@ static bool check_rstbl(const struct RESTART_TABLE *rt, size_t bytes) if (!rsize || rsize > bytes || rsize + sizeof(struct RESTART_TABLE) > bytes || bytes < ts || - le16_to_cpu(rt->total) > ne || ff > ts || lf > ts || + le16_to_cpu(rt->total) > ne || + ff > ts - sizeof(__le32) || lf > ts - sizeof(__le32) || (ff && ff < sizeof(struct RESTART_TABLE)) || (lf && lf < sizeof(struct RESTART_TABLE))) { return false; @@ -754,6 +755,9 @@ static bool check_rstbl(const struct RESTART_TABLE *rt, size_t bytes) return false; off = le32_to_cpu(*(__le32 *)Add2Ptr(rt, off)); + + if (off > ts - sizeof(__le32)) + return false; } return true; -- 2.34.3

2 1

[PATCH OLK-5.10] net: ena: Add validation for completion descriptors consistency
by Dong Chenchen 31 Jul '24

31 Jul '24

From: David Arinzon <darinzon(a)amazon.com> mainline inclusion from mainline-v6.10-rc1 commit b37b98a3a0c1198bafe8c2d9ce0bc845b4e7a9a7 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IACS9I CVE: CVE-2024-40999 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Validate that `first` flag is set only for the first descriptor in multi-buffer packets. In case of an invalid descriptor, a reset will occur. A new reset reason for RX data corruption has been added. Signed-off-by: Shahar Itzko <itzko(a)amazon.com> Signed-off-by: David Arinzon <darinzon(a)amazon.com> Reviewed-by: Simon Horman <horms(a)kernel.org> Link: https://lore.kernel.org/r/20240512134637.25299-4-darinzon@amazon.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Conflicts: drivers/net/ethernet/amazon/ena/ena_eth_com.c drivers/net/ethernet/amazon/ena/ena_netdev.c drivers/net/ethernet/amazon/ena/ena_regs_defs.h [commit 071271f39ce8 add ENA_REGS_RESET_SUSPECTED_POLL_STARVATION. commit 09323b3bca95 and 9fe890cc5bb8 add ena_reset_device() and ena_increase_stat() to refactor code, which lead to conflicts for not merged.commit da580ca8de2c add device distinct log prefix to files, which not merged. We can use pr_err().] Signed-off-by: Dong Chenchen <dongchenchen2(a)huawei.com> --- drivers/net/ethernet/amazon/ena/ena_eth_com.c | 35 +++++++++++++------ drivers/net/ethernet/amazon/ena/ena_netdev.c | 3 +- .../net/ethernet/amazon/ena/ena_regs_defs.h | 1 + 3 files changed, 27 insertions(+), 12 deletions(-) diff --git a/drivers/net/ethernet/amazon/ena/ena_eth_com.c b/drivers/net/ethernet/amazon/ena/ena_eth_com.c index 3af9dbf245f2..ee6250283f07 100644 --- a/drivers/net/ethernet/amazon/ena/ena_eth_com.c +++ b/drivers/net/ethernet/amazon/ena/ena_eth_com.c @@ -222,42 +222,51 @@ static struct ena_eth_io_rx_cdesc_base * idx * io_cq->cdesc_entry_size_in_bytes); } -static u16 ena_com_cdesc_rx_pkt_get(struct ena_com_io_cq *io_cq, - u16 *first_cdesc_idx) +static int ena_com_cdesc_rx_pkt_get(struct ena_com_io_cq *io_cq, + u16 *first_cdesc_idx, + u16 *num_descs) { + u16 count = io_cq->cur_rx_pkt_cdesc_count, head_masked; struct ena_eth_io_rx_cdesc_base *cdesc; - u16 count = 0, head_masked; u32 last = 0; do { + u32 status; + cdesc = ena_com_get_next_rx_cdesc(io_cq); if (!cdesc) break; + status = READ_ONCE(cdesc->status); ena_com_cq_inc_head(io_cq); + if (unlikely((status & ENA_ETH_IO_RX_CDESC_BASE_FIRST_MASK) >> + ENA_ETH_IO_RX_CDESC_BASE_FIRST_SHIFT && count != 0)) { + pr_err("First bit is on in descriptor #%d on q_id: %d, req_id: %u\n", + count, io_cq->qid, cdesc->req_id); + return -EFAULT; + } count++; - last = (READ_ONCE(cdesc->status) & - ENA_ETH_IO_RX_CDESC_BASE_LAST_MASK) >> - ENA_ETH_IO_RX_CDESC_BASE_LAST_SHIFT; + last = (status & ENA_ETH_IO_RX_CDESC_BASE_LAST_MASK) >> + ENA_ETH_IO_RX_CDESC_BASE_LAST_SHIFT; } while (!last); if (last) { *first_cdesc_idx = io_cq->cur_rx_pkt_cdesc_start_idx; - count += io_cq->cur_rx_pkt_cdesc_count; head_masked = io_cq->head & (io_cq->q_depth - 1); + *num_descs = count; io_cq->cur_rx_pkt_cdesc_count = 0; io_cq->cur_rx_pkt_cdesc_start_idx = head_masked; pr_debug("ENA q_id: %d packets were completed. first desc idx %u descs# %d\n", io_cq->qid, *first_cdesc_idx, count); } else { - io_cq->cur_rx_pkt_cdesc_count += count; - count = 0; + io_cq->cur_rx_pkt_cdesc_count = count; + *num_descs = 0; } - return count; + return 0; } static int ena_com_create_meta(struct ena_com_io_sq *io_sq, @@ -517,10 +526,14 @@ int ena_com_rx_pkt(struct ena_com_io_cq *io_cq, u16 cdesc_idx = 0; u16 nb_hw_desc; u16 i = 0; + int rc; WARN(io_cq->direction != ENA_COM_IO_QUEUE_DIRECTION_RX, "wrong Q type"); - nb_hw_desc = ena_com_cdesc_rx_pkt_get(io_cq, &cdesc_idx); + rc = ena_com_cdesc_rx_pkt_get(io_cq, &cdesc_idx, &nb_hw_desc); + if (unlikely(rc != 0)) + return -EFAULT; + if (nb_hw_desc == 0) { ena_rx_ctx->descs = nb_hw_desc; return 0; diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.c b/drivers/net/ethernet/amazon/ena/ena_netdev.c index fc81db75b19d..e086ae0b6473 100644 --- a/drivers/net/ethernet/amazon/ena/ena_netdev.c +++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c @@ -1687,6 +1687,8 @@ static int ena_clean_rx_irq(struct ena_ring *rx_ring, struct napi_struct *napi, rx_ring->rx_stats.bad_desc_num++; u64_stats_update_end(&rx_ring->syncp); adapter->reset_reason = ENA_REGS_RESET_TOO_MANY_RX_DESCS; + } else if (rc == -EFAULT) { + adapter->reset_reason = ENA_REGS_RESET_RX_DESCRIPTOR_MALFORMED; } else { u64_stats_update_begin(&rx_ring->syncp); rx_ring->rx_stats.bad_req_id++; @@ -4055,7 +4057,6 @@ static void ena_release_bars(struct ena_com_dev *ena_dev, struct pci_dev *pdev) pci_release_selected_regions(pdev, release_bars); } - static int ena_calc_io_queue_size(struct ena_calc_queue_size_ctx *ctx) { struct ena_admin_feature_llq_desc *llq = &ctx->get_feat_ctx->llq; diff --git a/drivers/net/ethernet/amazon/ena/ena_regs_defs.h b/drivers/net/ethernet/amazon/ena/ena_regs_defs.h index 1e007a41a525..2e7109968205 100644 --- a/drivers/net/ethernet/amazon/ena/ena_regs_defs.h +++ b/drivers/net/ethernet/amazon/ena/ena_regs_defs.h @@ -21,6 +21,7 @@ enum ena_regs_reset_reason_types { ENA_REGS_RESET_USER_TRIGGER = 12, ENA_REGS_RESET_GENERIC = 13, ENA_REGS_RESET_MISS_INTERRUPT = 14, + ENA_REGS_RESET_RX_DESCRIPTOR_MALFORMED = 15, }; /* ena_registers offsets */ -- 2.25.1

2 3

[PATCH openEuler-22.03-LTS-SP1] net: ena: Add validation for completion descriptors consistency
by Dong Chenchen 31 Jul '24

31 Jul '24

From: David Arinzon <darinzon(a)amazon.com> mainline inclusion from mainline-v6.10-rc1 commit b37b98a3a0c1198bafe8c2d9ce0bc845b4e7a9a7 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IACS9I CVE: CVE-2024-40999 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Validate that `first` flag is set only for the first descriptor in multi-buffer packets. In case of an invalid descriptor, a reset will occur. A new reset reason for RX data corruption has been added. Signed-off-by: Shahar Itzko <itzko(a)amazon.com> Signed-off-by: David Arinzon <darinzon(a)amazon.com> Reviewed-by: Simon Horman <horms(a)kernel.org> Link: https://lore.kernel.org/r/20240512134637.25299-4-darinzon@amazon.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Conflicts: drivers/net/ethernet/amazon/ena/ena_eth_com.c drivers/net/ethernet/amazon/ena/ena_netdev.c drivers/net/ethernet/amazon/ena/ena_regs_defs.h [commit 071271f39ce8 add ENA_REGS_RESET_SUSPECTED_POLL_STARVATION. commit 09323b3bca95 and 9fe890cc5bb8 add ena_reset_device() and ena_increase_stat() to refactor code, which lead to conflicts for not merged.commit da580ca8de2c add device distinct log prefix to files, which not merged. We can use pr_err().] Signed-off-by: Dong Chenchen <dongchenchen2(a)huawei.com> --- drivers/net/ethernet/amazon/ena/ena_eth_com.c | 35 +++++++++++++------ drivers/net/ethernet/amazon/ena/ena_netdev.c | 3 +- .../net/ethernet/amazon/ena/ena_regs_defs.h | 1 + 3 files changed, 27 insertions(+), 12 deletions(-) diff --git a/drivers/net/ethernet/amazon/ena/ena_eth_com.c b/drivers/net/ethernet/amazon/ena/ena_eth_com.c index 3af9dbf245f2..ee6250283f07 100644 --- a/drivers/net/ethernet/amazon/ena/ena_eth_com.c +++ b/drivers/net/ethernet/amazon/ena/ena_eth_com.c @@ -222,42 +222,51 @@ static struct ena_eth_io_rx_cdesc_base * idx * io_cq->cdesc_entry_size_in_bytes); } -static u16 ena_com_cdesc_rx_pkt_get(struct ena_com_io_cq *io_cq, - u16 *first_cdesc_idx) +static int ena_com_cdesc_rx_pkt_get(struct ena_com_io_cq *io_cq, + u16 *first_cdesc_idx, + u16 *num_descs) { + u16 count = io_cq->cur_rx_pkt_cdesc_count, head_masked; struct ena_eth_io_rx_cdesc_base *cdesc; - u16 count = 0, head_masked; u32 last = 0; do { + u32 status; + cdesc = ena_com_get_next_rx_cdesc(io_cq); if (!cdesc) break; + status = READ_ONCE(cdesc->status); ena_com_cq_inc_head(io_cq); + if (unlikely((status & ENA_ETH_IO_RX_CDESC_BASE_FIRST_MASK) >> + ENA_ETH_IO_RX_CDESC_BASE_FIRST_SHIFT && count != 0)) { + pr_err("First bit is on in descriptor #%d on q_id: %d, req_id: %u\n", + count, io_cq->qid, cdesc->req_id); + return -EFAULT; + } count++; - last = (READ_ONCE(cdesc->status) & - ENA_ETH_IO_RX_CDESC_BASE_LAST_MASK) >> - ENA_ETH_IO_RX_CDESC_BASE_LAST_SHIFT; + last = (status & ENA_ETH_IO_RX_CDESC_BASE_LAST_MASK) >> + ENA_ETH_IO_RX_CDESC_BASE_LAST_SHIFT; } while (!last); if (last) { *first_cdesc_idx = io_cq->cur_rx_pkt_cdesc_start_idx; - count += io_cq->cur_rx_pkt_cdesc_count; head_masked = io_cq->head & (io_cq->q_depth - 1); + *num_descs = count; io_cq->cur_rx_pkt_cdesc_count = 0; io_cq->cur_rx_pkt_cdesc_start_idx = head_masked; pr_debug("ENA q_id: %d packets were completed. first desc idx %u descs# %d\n", io_cq->qid, *first_cdesc_idx, count); } else { - io_cq->cur_rx_pkt_cdesc_count += count; - count = 0; + io_cq->cur_rx_pkt_cdesc_count = count; + *num_descs = 0; } - return count; + return 0; } static int ena_com_create_meta(struct ena_com_io_sq *io_sq, @@ -517,10 +526,14 @@ int ena_com_rx_pkt(struct ena_com_io_cq *io_cq, u16 cdesc_idx = 0; u16 nb_hw_desc; u16 i = 0; + int rc; WARN(io_cq->direction != ENA_COM_IO_QUEUE_DIRECTION_RX, "wrong Q type"); - nb_hw_desc = ena_com_cdesc_rx_pkt_get(io_cq, &cdesc_idx); + rc = ena_com_cdesc_rx_pkt_get(io_cq, &cdesc_idx, &nb_hw_desc); + if (unlikely(rc != 0)) + return -EFAULT; + if (nb_hw_desc == 0) { ena_rx_ctx->descs = nb_hw_desc; return 0; diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.c b/drivers/net/ethernet/amazon/ena/ena_netdev.c index fc81db75b19d..e086ae0b6473 100644 --- a/drivers/net/ethernet/amazon/ena/ena_netdev.c +++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c @@ -1687,6 +1687,8 @@ static int ena_clean_rx_irq(struct ena_ring *rx_ring, struct napi_struct *napi, rx_ring->rx_stats.bad_desc_num++; u64_stats_update_end(&rx_ring->syncp); adapter->reset_reason = ENA_REGS_RESET_TOO_MANY_RX_DESCS; + } else if (rc == -EFAULT) { + adapter->reset_reason = ENA_REGS_RESET_RX_DESCRIPTOR_MALFORMED; } else { u64_stats_update_begin(&rx_ring->syncp); rx_ring->rx_stats.bad_req_id++; @@ -4055,7 +4057,6 @@ static void ena_release_bars(struct ena_com_dev *ena_dev, struct pci_dev *pdev) pci_release_selected_regions(pdev, release_bars); } - static int ena_calc_io_queue_size(struct ena_calc_queue_size_ctx *ctx) { struct ena_admin_feature_llq_desc *llq = &ctx->get_feat_ctx->llq; diff --git a/drivers/net/ethernet/amazon/ena/ena_regs_defs.h b/drivers/net/ethernet/amazon/ena/ena_regs_defs.h index 1e007a41a525..2e7109968205 100644 --- a/drivers/net/ethernet/amazon/ena/ena_regs_defs.h +++ b/drivers/net/ethernet/amazon/ena/ena_regs_defs.h @@ -21,6 +21,7 @@ enum ena_regs_reset_reason_types { ENA_REGS_RESET_USER_TRIGGER = 12, ENA_REGS_RESET_GENERIC = 13, ENA_REGS_RESET_MISS_INTERRUPT = 14, + ENA_REGS_RESET_RX_DESCRIPTOR_MALFORMED = 15, }; /* ena_registers offsets */ -- 2.25.1

2 1

[openeuler:openEuler-1.0-LTS 13169/23386] mm/userfaultfd.o: warning: objtool: mcopy_atomic()+0x1e78: unreachable instruction
by kernel test robot 31 Jul '24

31 Jul '24

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: e5ea67ef45bf84add14bf009f071b29909f087cb commit: 8b9ea9010139596e71aae4be5264c3dd901b13cb [13169/23386] pagecache: support percpu refcount to imporve performance config: x86_64-randconfig-003-20240731 (https://download.01.org/0day-ci/archive/20240731/202407311035.uLDyyIFP-lkp@…) compiler: clang version 18.1.5 (https://github.com/llvm/llvm-project 617a15a9eac96088ae5e9134248d8236e34b91b1) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240731/202407311035.uLDyyIFP-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202407311035.uLDyyIFP-lkp@intel.com/ All warnings (new ones prefixed by >>): In file included from mm/userfaultfd.c:12: include/linux/pagemap.h:425:21: warning: cast from 'int (*)(struct file *, struct page *)' to 'filler_t *' (aka 'int (*)(void *, struct page *)') converts to incompatible function type [-Wcast-function-type-strict] 425 | filler_t *filler = (filler_t *)mapping->a_ops->readpage; | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1 warning generated. >> mm/userfaultfd.o: warning: objtool: mcopy_atomic()+0x1e78: unreachable instruction -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-5.10] BUILD SUCCESS 563a37de45532f103b7cfa647888d6f6f74ecefe
by kernel test robot 31 Jul '24

31 Jul '24

tree/branch: https://gitee.com/openeuler/kernel.git OLK-5.10 branch HEAD: 563a37de45532f103b7cfa647888d6f6f74ecefe !10065 iommu: Return right value in iommu_sva_bind_device() elapsed time: 736m configs tested: 33 configs skipped: 99 The following configs have been built successfully. More configs may be tested in the coming days. tested configs: arm64 allmodconfig clang-20 arm64 randconfig-001-20240731 clang-15 arm64 randconfig-002-20240731 clang-20 arm64 randconfig-003-20240731 gcc-14.1.0 arm64 randconfig-004-20240731 clang-20 x86_64 allnoconfig clang-18 x86_64 allyesconfig clang-18 x86_64 buildonly-randconfig-001-20240731 gcc-13 x86_64 buildonly-randconfig-002-20240731 gcc-13 x86_64 buildonly-randconfig-003-20240731 clang-18 x86_64 buildonly-randconfig-004-20240731 gcc-13 x86_64 buildonly-randconfig-005-20240731 gcc-13 x86_64 buildonly-randconfig-006-20240731 clang-18 x86_64 defconfig gcc-13 x86_64 randconfig-001-20240731 gcc-12 x86_64 randconfig-002-20240731 gcc-12 x86_64 randconfig-003-20240731 clang-18 x86_64 randconfig-004-20240731 gcc-10 x86_64 randconfig-005-20240731 gcc-13 x86_64 randconfig-006-20240731 clang-18 x86_64 randconfig-011-20240731 clang-18 x86_64 randconfig-012-20240731 clang-18 x86_64 randconfig-013-20240731 gcc-7 x86_64 randconfig-014-20240731 clang-18 x86_64 randconfig-015-20240731 clang-18 x86_64 randconfig-016-20240731 clang-18 x86_64 randconfig-071-20240731 clang-18 x86_64 randconfig-072-20240731 gcc-13 x86_64 randconfig-073-20240731 clang-18 x86_64 randconfig-074-20240731 clang-18 x86_64 randconfig-075-20240731 clang-18 x86_64 randconfig-076-20240731 clang-18 x86_64 rhel-8.3-rust clang-18 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

2024

2023

2022

2021

2020

2019

Kernel