[ Sasha's backport helper bot ]
Hi,
✅ All tests passed successfully. No issues detected. No action required from the submitter.
The upstream commit SHA1 provided is correct: fb1a3132ee1ac968316e45d21a48703a6db0b6c3
WARNING: Author mismatch between patch and upstream commit:
Backport author: Xiangyu Chen <xiangyu.chen@eng.windriver.com>
Commit author: Vlad Buslov <vladbu@nvidia.com>
Status in newer kernel trees:
6.13.y | Present (exact SHA1)
6.12.y | Present (exact SHA1)
6.6.y | Present (exact SHA1)
6.1.y | Present (exact SHA1)
5.15.y | Present (exact SHA1)
Note: The patch differs from the upstream commit:
---
1: fb1a3132ee1ac ! 1: 3bc3763a234af net/mlx5e: Fix use-after-free of encap entry in neigh update handler
@@ Metadata
## Commit message ##
net/mlx5e: Fix use-after-free of encap entry in neigh update handler
+ [ Upstream commit fb1a3132ee1ac968316e45d21a48703a6db0b6c3 ] + Function mlx5e_rep_neigh_update() wasn't updated to accommodate rtnl lock removal from TC filter update path and properly handle concurrent encap entry insertion/deletion which can lead to following use-after-free: @@ Commit message Signed-off-by: Vlad Buslov vladbu@nvidia.com Reviewed-by: Roi Dayan roid@nvidia.com Signed-off-by: Saeed Mahameed saeedm@nvidia.com + [ since kernel 5.10 doesn't have commit 0d9f96471493 + ("net/mlx5e: Extract tc tunnel encap/decap code to dedicated file") + which moved encap/decap from en_tc.c to tc_tun_encap.c, so backport and + move the additional functions to en_tc.c instead of tc_tun_encap.c ] + Signed-off-by: Xiangyu Chen xiangyu.chen@windriver.com + Signed-off-by: He Zhe zhe.he@windriver.com
## drivers/net/ethernet/mellanox/mlx5/core/en/rep/neigh.c ## @@ drivers/net/ethernet/mellanox/mlx5/core/en/rep/neigh.c: static void mlx5e_rep_neigh_update(struct work_struct *work) work); struct mlx5e_neigh_hash_entry *nhe = update_work->nhe; struct neighbour *n = update_work->n; -+ struct mlx5e_encap_entry *e = NULL; - bool neigh_connected, same_dev; - struct mlx5e_encap_entry *e; ++ struct mlx5e_encap_entry *e = NULL; unsigned char ha[ETH_ALEN]; - struct mlx5e_priv *priv; + bool neigh_connected; u8 nud_state, dead;
- rtnl_lock(); @@ drivers/net/ethernet/mellanox/mlx5/core/en/rep/neigh.c: static void mlx5e_rep_neigh_update(struct work_struct *work) - if (!same_dev) - goto out; + + trace_mlx5e_rep_neigh_update(nhe, ha, neigh_connected);
- list_for_each_entry(e, &nhe->encap_list, encap_list) { - if (!mlx5e_encap_take(e)) @@ drivers/net/ethernet/mellanox/mlx5/core/en/rep/neigh.c: static void mlx5e_rep_ne - mlx5e_rep_update_flows(priv, e, neigh_connected, ha); - mlx5e_encap_put(priv, e); - } - out: rtnl_unlock(); mlx5e_release_neigh_update_work(update_work); + }
## drivers/net/ethernet/mellanox/mlx5/core/en/rep/tc.c ## @@ drivers/net/ethernet/mellanox/mlx5/core/en/rep/tc.c: void mlx5e_rep_update_flows(struct mlx5e_priv *priv, @@ drivers/net/ethernet/mellanox/mlx5/core/en/rep/tc.c: void mlx5e_rep_update_flows
mlx5e_take_all_encap_flows(e, &flow_list);
- ## drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c ## -@@ drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c: static void mlx5e_take_all_route_decap_flows(struct mlx5e_route_entry *r, - mlx5e_take_tmp_flow(flow, flow_list, 0); + ## drivers/net/ethernet/mellanox/mlx5/core/en_tc.c ## +@@ drivers/net/ethernet/mellanox/mlx5/core/en_tc.c: void mlx5e_put_encap_flow_list(struct mlx5e_priv *priv, struct list_head *flow_l + mlx5e_flow_put(priv, flow); }
+typedef bool (match_cb)(struct mlx5e_encap_entry *); @@ drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c: static void mlx5e_tak -mlx5e_get_next_valid_encap(struct mlx5e_neigh_hash_entry *nhe, - struct mlx5e_encap_entry *e) +mlx5e_get_next_matching_encap(struct mlx5e_neigh_hash_entry *nhe, -+ struct mlx5e_encap_entry *e, -+ match_cb match) ++ struct mlx5e_encap_entry *e, ++ match_cb match) { struct mlx5e_encap_entry *next = NULL;
-@@ drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c: mlx5e_get_next_valid_encap(struct mlx5e_neigh_hash_entry *nhe, +@@ drivers/net/ethernet/mellanox/mlx5/core/en_tc.c: mlx5e_get_next_valid_encap(struct mlx5e_neigh_hash_entry *nhe, /* wait for encap to be fully initialized */ wait_for_completion(&next->res_ready); /* continue searching if encap entry is not in valid state after completion */ @@ drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c: mlx5e_get_next_valid_ e = next; goto retry; } -@@ drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c: mlx5e_get_next_valid_encap(struct mlx5e_neigh_hash_entry *nhe, +@@ drivers/net/ethernet/mellanox/mlx5/core/en_tc.c: mlx5e_get_next_valid_encap(struct mlx5e_neigh_hash_entry *nhe, return next; }
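Review bot: The retained comment `/* continue searching if encap entry is not in valid state after completion */` no longer matches the generalized helper: mlx5e_get_next_matching_encap() now takes a `match_cb match`, so the skip condition is presumably whatever the callback decides rather than validity alone. The condition itself is not shown in this range-diff, so that is inferred from the new parameter; if it holds, I would reword the comment to `/* continue searching if encap entry does not satisfy match() after completion */`. A short comment above `typedef bool (match_cb)(struct mlx5e_encap_entry *);` should also state what a callback may assume about the entry it is handed, for example whether the iterator holds a reference on it and whether `res_ready` has already completed, because that lifetime contract is what this use-after-free fix relies on. The body of the function starts and ends outside the lines shown here.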
@@ drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c: mlx5e_get_next_valid_
## drivers/net/ethernet/mellanox/mlx5/core/en_tc.h ## @@ drivers/net/ethernet/mellanox/mlx5/core/en_tc.h: void mlx5e_take_all_encap_flows(struct mlx5e_encap_entry *e, struct list_head *f - void mlx5e_put_flow_list(struct mlx5e_priv *priv, struct list_head *flow_list); + void mlx5e_put_encap_flow_list(struct mlx5e_priv *priv, struct list_head *flow_list);
struct mlx5e_neigh_hash_entry; +struct mlx5e_encap_entry * ---
Results of testing on various branches:
| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-5.10.y       | Success     | Success    |