From 2770cbe63ff32a8006b7c6ea4e0a16eebd0f0f5f Mon Sep 17 00:00:00 2001
From: Felix Fietkau <nbd@nbd.name>
Date: Thu, 26 Jan 2023 20:44:21 +0100
Subject: [PATCH] kernel: add fix for a page pool related crash on GRO

Needed for upcoming mt76 page pool support

Signed-off-by: Felix Fietkau <nbd@nbd.name>
---
 ...pool-and-page-referenced-frags-in-GR.patch | 35 +++++++++++++++++++
 ...pool-and-page-referenced-frags-in-GR.patch | 35 +++++++++++++++++++
 2 files changed, 70 insertions(+)
 create mode 100644 target/linux/generic/pending-5.10/750-skb-Do-mix-page-pool-and-page-referenced-frags-in-GR.patch
 create mode 100644 target/linux/generic/pending-5.15/750-skb-Do-mix-page-pool-and-page-referenced-frags-in-GR.patch

diff --git a/target/linux/generic/pending-5.10/750-skb-Do-mix-page-pool-and-page-referenced-frags-in-GR.patch b/target/linux/generic/pending-5.10/750-skb-Do-mix-page-pool-and-page-referenced-frags-in-GR.patch
new file mode 100644
index 0000000000..5a145abed3
--- /dev/null
+++ b/target/linux/generic/pending-5.10/750-skb-Do-mix-page-pool-and-page-referenced-frags-in-GR.patch
@@ -0,0 +1,35 @@
+From: Alexander Duyck <alexanderduyck@fb.com>
+Date: Thu, 26 Jan 2023 11:06:59 -0800
+Subject: [PATCH] skb: Do mix page pool and page referenced frags in GRO
+
+GSO should not merge page pool recycled frames with standard reference
+counted frames. Traditionally this didn't occur, at least not often.
+However as we start looking at adding support for wireless adapters there
+becomes the potential to mix the two due to A-MSDU repartitioning frames in
+the receive path. There are possibly other places where this may have
+occurred however I suspect they must be few and far between as we have not
+seen this issue until now.
+
+Fixes: 53e0961da1c7 ("page_pool: add frag page recycling support in page pool")
+Reported-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Alexander Duyck <alexanderduyck@fb.com>
+---
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -4166,6 +4166,15 @@ int skb_gro_receive(struct sk_buff *p, s
+ 	if (unlikely(p->len + len >= 65536 || NAPI_GRO_CB(skb)->flush))
+ 		return -E2BIG;
+ 
++	/* Do not splice page pool based packets w/ non-page pool
++	 * packets. This can result in reference count issues as page
++	 * pool pages will not decrement the reference count and will
++	 * instead be immediately returned to the pool or have frag
++	 * count decremented.
++	 */
++	if (p->pp_recycle != skb->pp_recycle)
++		return -ETOOMANYREFS;
++
+ 	lp = NAPI_GRO_CB(p)->last;
+ 	pinfo = skb_shinfo(lp);
+ 
diff --git a/target/linux/generic/pending-5.15/750-skb-Do-mix-page-pool-and-page-referenced-frags-in-GR.patch b/target/linux/generic/pending-5.15/750-skb-Do-mix-page-pool-and-page-referenced-frags-in-GR.patch
new file mode 100644
index 0000000000..60c7721df0
--- /dev/null
+++ b/target/linux/generic/pending-5.15/750-skb-Do-mix-page-pool-and-page-referenced-frags-in-GR.patch
@@ -0,0 +1,35 @@
+From: Alexander Duyck <alexanderduyck@fb.com>
+Date: Thu, 26 Jan 2023 11:06:59 -0800
+Subject: [PATCH] skb: Do mix page pool and page referenced frags in GRO
+
+GSO should not merge page pool recycled frames with standard reference
+counted frames. Traditionally this didn't occur, at least not often.
+However as we start looking at adding support for wireless adapters there
+becomes the potential to mix the two due to A-MSDU repartitioning frames in
+the receive path. There are possibly other places where this may have
+occurred however I suspect they must be few and far between as we have not
+seen this issue until now.
+
+Fixes: 53e0961da1c7 ("page_pool: add frag page recycling support in page pool")
+Reported-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Alexander Duyck <alexanderduyck@fb.com>
+---
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -4348,6 +4348,15 @@ int skb_gro_receive(struct sk_buff *p, s
+ 	if (unlikely(p->len + len >= 65536 || NAPI_GRO_CB(skb)->flush))
+ 		return -E2BIG;
+ 
++	/* Do not splice page pool based packets w/ non-page pool
++	 * packets. This can result in reference count issues as page
++	 * pool pages will not decrement the reference count and will
++	 * instead be immediately returned to the pool or have frag
++	 * count decremented.
++	 */
++	if (p->pp_recycle != skb->pp_recycle)
++		return -ETOOMANYREFS;
++
+ 	lp = NAPI_GRO_CB(p)->last;
+ 	pinfo = skb_shinfo(lp);
+ 
-- 
2.30.2