release/5.2.28/iw_cxgb4-fix-ECN-check-on-the-passive-accept.patch - pub/scm/linux/kernel/git/paulg/longterm-queue-5.2 - Git at Google

 From b2bc331b88e86c5a7db4217d9cc0b0d8b6337210 Mon Sep 17 00:00:00 2001
 From: Potnuri Bharat Teja <bharat@chelsio.com>
 Date: Thu, 3 Oct 2019 16:13:53 +0530
 Subject: [PATCH] iw_cxgb4: fix ECN check on the passive accept

 commit 612e0486ad0845c41ac10492e78144f99e326375 upstream.

 pass_accept_req() is using the same skb for handling accept request and
 sending accept reply to HW. Here req and rpl structures are pointing to
 same skb->data which is over written by INIT_TP_WR() and leads to
 accessing corrupt req fields in accept_cr() while checking for ECN flags.
 Reordered code in accept_cr() to fetch correct req fields.

 Fixes: 92e7ae7172 ("iw_cxgb4: Choose appropriate hw mtu index and ISS for iWARP connections")
 Signed-off-by: Potnuri Bharat Teja <bharat@chelsio.com>
 Link: https://lore.kernel.org/r/20191003104353.11590-1-bharat@chelsio.com
 Signed-off-by: Doug Ledford <dledford@redhat.com>
 Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

 diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c
 index 0f3b1193d5f8..f792b410d5bd 100644
 --- a/drivers/infiniband/hw/cxgb4/cm.c
 +++ b/drivers/infiniband/hw/cxgb4/cm.c
 @@ -2421,20 +2421,6 @@ static int accept_cr(struct c4iw_ep *ep, struct sk_buff *skb,
  	enum chip_type adapter_type = ep->com.dev->rdev.lldi.adapter_type;

  	pr_debug("ep %p tid %u\n", ep, ep->hwtid);
 -
 -	skb_get(skb);
 -	rpl = cplhdr(skb);
 -	if (!is_t4(adapter_type)) {
 -		skb_trim(skb, roundup(sizeof(*rpl5), 16));
 -		rpl5 = (void *)rpl;
 -		INIT_TP_WR(rpl5, ep->hwtid);
 -	} else {
 -		skb_trim(skb, sizeof(*rpl));
 -		INIT_TP_WR(rpl, ep->hwtid);
 -	}
 -	OPCODE_TID(rpl) = cpu_to_be32(MK_OPCODE_TID(CPL_PASS_ACCEPT_RPL,
 -						    ep->hwtid));
 -
  	cxgb_best_mtu(ep->com.dev->rdev.lldi.mtus, ep->mtu, &mtu_idx,
  		      enable_tcp_timestamps && req->tcpopt.tstamp,
  		      (ep->com.remote_addr.ss_family == AF_INET) ? 0 : 1);
 @@ -2480,6 +2466,20 @@ static int accept_cr(struct c4iw_ep *ep, struct sk_buff *skb,
  		if (tcph->ece && tcph->cwr)
  			opt2 |= CCTRL_ECN_V(1);
  	}
 +
 +	skb_get(skb);
 +	rpl = cplhdr(skb);
 +	if (!is_t4(adapter_type)) {
 +		skb_trim(skb, roundup(sizeof(*rpl5), 16));
 +		rpl5 = (void *)rpl;
 +		INIT_TP_WR(rpl5, ep->hwtid);
 +	} else {
 +		skb_trim(skb, sizeof(*rpl));
 +		INIT_TP_WR(rpl, ep->hwtid);
 +	}
 +	OPCODE_TID(rpl) = cpu_to_be32(MK_OPCODE_TID(CPL_PASS_ACCEPT_RPL,
 +						    ep->hwtid));
 +
  	if (CHELSIO_CHIP_VERSION(adapter_type) > CHELSIO_T4) {
  		u32 isn = (prandom_u32() & ~7UL) - 1;
  		opt2 |= T5_OPT_2_VALID_F;
 --
 2.7.4
	From b2bc331b88e86c5a7db4217d9cc0b0d8b6337210 Mon Sep 17 00:00:00 2001
	From: Potnuri Bharat Teja <bharat@chelsio.com>
	Date: Thu, 3 Oct 2019 16:13:53 +0530
	Subject: [PATCH] iw_cxgb4: fix ECN check on the passive accept

	commit 612e0486ad0845c41ac10492e78144f99e326375 upstream.

	pass_accept_req() is using the same skb for handling accept request and
	sending accept reply to HW. Here req and rpl structures are pointing to
	same skb->data which is over written by INIT_TP_WR() and leads to
	accessing corrupt req fields in accept_cr() while checking for ECN flags.
	Reordered code in accept_cr() to fetch correct req fields.

	Fixes: 92e7ae7172 ("iw_cxgb4: Choose appropriate hw mtu index and ISS for iWARP connections")
	Signed-off-by: Potnuri Bharat Teja <bharat@chelsio.com>
	Link: https://lore.kernel.org/r/20191003104353.11590-1-bharat@chelsio.com
	Signed-off-by: Doug Ledford <dledford@redhat.com>
	Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

	diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c
	index 0f3b1193d5f8..f792b410d5bd 100644
	--- a/drivers/infiniband/hw/cxgb4/cm.c
	+++ b/drivers/infiniband/hw/cxgb4/cm.c
	@@ -2421,20 +2421,6 @@ static int accept_cr(struct c4iw_ep ep, struct sk_buff skb,
	enum chip_type adapter_type = ep->com.dev->rdev.lldi.adapter_type;

	pr_debug("ep %p tid %u\n", ep, ep->hwtid);
	-
	- skb_get(skb);
	- rpl = cplhdr(skb);
	- if (!is_t4(adapter_type)) {
	- skb_trim(skb, roundup(sizeof(*rpl5), 16));
	- rpl5 = (void *)rpl;
	- INIT_TP_WR(rpl5, ep->hwtid);
	- } else {
	- skb_trim(skb, sizeof(*rpl));
	- INIT_TP_WR(rpl, ep->hwtid);
	- }
	- OPCODE_TID(rpl) = cpu_to_be32(MK_OPCODE_TID(CPL_PASS_ACCEPT_RPL,
	- ep->hwtid));
	-
	cxgb_best_mtu(ep->com.dev->rdev.lldi.mtus, ep->mtu, &mtu_idx,
	enable_tcp_timestamps && req->tcpopt.tstamp,
	(ep->com.remote_addr.ss_family == AF_INET) ? 0 : 1);
	@@ -2480,6 +2466,20 @@ static int accept_cr(struct c4iw_ep ep, struct sk_buff skb,
	if (tcph->ece && tcph->cwr)
	opt2 \|= CCTRL_ECN_V(1);
	}
	+
	+ skb_get(skb);
	+ rpl = cplhdr(skb);
	+ if (!is_t4(adapter_type)) {
	+ skb_trim(skb, roundup(sizeof(*rpl5), 16));
	+ rpl5 = (void *)rpl;
	+ INIT_TP_WR(rpl5, ep->hwtid);
	+ } else {
	+ skb_trim(skb, sizeof(*rpl));
	+ INIT_TP_WR(rpl, ep->hwtid);
	+ }
	+ OPCODE_TID(rpl) = cpu_to_be32(MK_OPCODE_TID(CPL_PASS_ACCEPT_RPL,
	+ ep->hwtid));
	+
	if (CHELSIO_CHIP_VERSION(adapter_type) > CHELSIO_T4) {
	u32 isn = (prandom_u32() & ~7UL) - 1;
	opt2 \|= T5_OPT_2_VALID_F;
	--
	2.7.4