Fixes for 6.1
authorSasha Levin <sashal@kernel.org>
Sun, 19 Feb 2023 09:19:16 +0000 (04:19 -0500)
committerSasha Levin <sashal@kernel.org>
Sun, 19 Feb 2023 09:19:16 +0000 (04:19 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-6.1/i40e-add-checking-for-null-for-nlmsg_find_attr.patch [new file with mode: 0644]
queue-6.1/net-sched-tcindex-search-key-must-be-16-bits.patch [new file with mode: 0644]
queue-6.1/nvme-apple-fix-controller-shutdown-in-apple_nvme_dis.patch [new file with mode: 0644]
queue-6.1/nvme-rdma-stop-auth-work-after-tearing-down-queues-i.patch [new file with mode: 0644]
queue-6.1/nvme-tcp-stop-auth-work-after-tearing-down-queues-in.patch [new file with mode: 0644]
queue-6.1/series

diff --git a/queue-6.1/i40e-add-checking-for-null-for-nlmsg_find_attr.patch b/queue-6.1/i40e-add-checking-for-null-for-nlmsg_find_attr.patch
new file mode 100644 (file)
index 0000000..c8f0b19
--- /dev/null
@@ -0,0 +1,43 @@
+From 09c622e28107809c5b7b8f616cc63b456f11f9ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Feb 2023 09:28:33 -0800
+Subject: i40e: Add checking for null for nlmsg_find_attr()
+
+From: Natalia Petrova <n.petrova@fintech.ru>
+
+[ Upstream commit 7fa0b526f865cb42aa33917fd02a92cb03746f4d ]
+
+The result of nlmsg_find_attr() 'br_spec' is dereferenced in
+nla_for_each_nested(), but it can take NULL value in nla_find() function,
+which will result in an error.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 51616018dd1b ("i40e: Add support for getlink, setlink ndo ops")
+Signed-off-by: Natalia Petrova <n.petrova@fintech.ru>
+Reviewed-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Tested-by: Gurucharan G <gurucharanx.g@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Link: https://lore.kernel.org/r/20230209172833.3596034-1-anthony.l.nguyen@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index 18044c2a36faa..d30bc38725e97 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -13140,6 +13140,8 @@ static int i40e_ndo_bridge_setlink(struct net_device *dev,
+       }
+       br_spec = nlmsg_find_attr(nlh, sizeof(struct ifinfomsg), IFLA_AF_SPEC);
++      if (!br_spec)
++              return -EINVAL;
+       nla_for_each_nested(attr, br_spec, rem) {
+               __u16 mode;
+-- 
+2.39.0
+
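Review bot: The new `if (!br_spec) return -EINVAL;` is correct but bare, and nothing next to it says why a NULL can come back from `nlmsg_find_attr()`; the reasoning lives only in the commit message. A one-line comment above the check would keep it with the code: `/* nlmsg_find_attr() returns NULL when the request carries no IFLA_AF_SPEC; nla_for_each_nested() would dereference it */`. Whether `-EINVAL` is the right status for a request without that attribute, versus treating it as nothing to apply, depends on what the callers expect, which is outside the hunk. i40e_ndo_bridge_setlink starts and ends outside the hunk.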
diff --git a/queue-6.1/net-sched-tcindex-search-key-must-be-16-bits.patch b/queue-6.1/net-sched-tcindex-search-key-must-be-16-bits.patch
new file mode 100644 (file)
index 0000000..0f34891
--- /dev/null
@@ -0,0 +1,81 @@
+From da14ebbaa80ab08f897bbbb3414fe2906a8e4af4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Feb 2023 22:47:29 -0300
+Subject: net/sched: tcindex: search key must be 16 bits
+
+From: Pedro Tammela <pctammela@mojatatu.com>
+
+[ Upstream commit 42018a322bd453e38b3ffee294982243e50a484f ]
+
+Syzkaller found an issue where a handle greater than 16 bits would trigger
+a null-ptr-deref in the imperfect hash area update.
+
+general protection fault, probably for non-canonical address
+0xdffffc0000000015: 0000 [#1] PREEMPT SMP KASAN
+KASAN: null-ptr-deref in range [0x00000000000000a8-0x00000000000000af]
+CPU: 0 PID: 5070 Comm: syz-executor456 Not tainted
+6.2.0-rc7-syzkaller-00112-gc68f345b7c42 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine,
+BIOS Google 01/21/2023
+RIP: 0010:tcindex_set_parms+0x1a6a/0x2990 net/sched/cls_tcindex.c:509
+Code: 01 e9 e9 fe ff ff 4c 8b bd 28 fe ff ff e8 0e 57 7d f9 48 8d bb
+a8 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c
+02 00 0f 85 94 0c 00 00 48 8b 85 f8 fd ff ff 48 8b 9b a8 00
+RSP: 0018:ffffc90003d3ef88 EFLAGS: 00010202
+RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
+RDX: 0000000000000015 RSI: ffffffff8803a102 RDI: 00000000000000a8
+RBP: ffffc90003d3f1d8 R08: 0000000000000001 R09: 0000000000000000
+R10: 0000000000000001 R11: 0000000000000000 R12: ffff88801e2b10a8
+R13: dffffc0000000000 R14: 0000000000030000 R15: ffff888017b3be00
+FS: 00005555569af300(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 000056041c6d2000 CR3: 000000002bfca000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+<TASK>
+tcindex_change+0x1ea/0x320 net/sched/cls_tcindex.c:572
+tc_new_tfilter+0x96e/0x2220 net/sched/cls_api.c:2155
+rtnetlink_rcv_msg+0x959/0xca0 net/core/rtnetlink.c:6132
+netlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2574
+netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
+netlink_unicast+0x547/0x7f0 net/netlink/af_netlink.c:1365
+netlink_sendmsg+0x91b/0xe10 net/netlink/af_netlink.c:1942
+sock_sendmsg_nosec net/socket.c:714 [inline]
+sock_sendmsg+0xd3/0x120 net/socket.c:734
+____sys_sendmsg+0x334/0x8c0 net/socket.c:2476
+___sys_sendmsg+0x110/0x1b0 net/socket.c:2530
+__sys_sendmmsg+0x18f/0x460 net/socket.c:2616
+__do_sys_sendmmsg net/socket.c:2645 [inline]
+__se_sys_sendmmsg net/socket.c:2642 [inline]
+__x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2642
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
+
+Fixes: ee059170b1f7 ("net/sched: tcindex: update imperfect hash filters respecting rcu")
+Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/cls_tcindex.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sched/cls_tcindex.c b/net/sched/cls_tcindex.c
+index 4422b711af081..eea8e185fcdb2 100644
+--- a/net/sched/cls_tcindex.c
++++ b/net/sched/cls_tcindex.c
+@@ -502,7 +502,7 @@ tcindex_set_parms(struct net *net, struct tcf_proto *tp, unsigned long base,
+               /* lookup the filter, guaranteed to exist */
+               for (cf = rcu_dereference_bh_rtnl(*fp); cf;
+                    fp = &cf->next, cf = rcu_dereference_bh_rtnl(*fp))
+-                      if (cf->key == handle)
++                      if (cf->key == (u16)handle)
+                               break;
+               f->next = cf->next;
+-- 
+2.39.0
+
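Review bot: The cast in `if (cf->key == (u16)handle)` silently discards the upper bits of `handle`, and nothing in the hunk says why that is correct, so the next reader sees a lossy cast right under a comment claiming the filter is "guaranteed to exist". A comment above the loop would carry the reasoning from the commit message: `/* filter keys are 16 bits wide; match against the truncated handle */`. That guarantee is load-bearing, because the loop is followed by `f->next = cf->next;` with no NULL check on `cf` — if the key/handle width assumption is changed elsewhere, this becomes the same NULL dereference again. tcindex_set_parms begins and ends outside the hunk.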
diff --git a/queue-6.1/nvme-apple-fix-controller-shutdown-in-apple_nvme_dis.patch b/queue-6.1/nvme-apple-fix-controller-shutdown-in-apple_nvme_dis.patch
new file mode 100644 (file)
index 0000000..d9d5484
--- /dev/null
@@ -0,0 +1,39 @@
+From 1611eb1747c6a533f1bce6d21d6323f9c5409514 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Nov 2022 11:14:09 +0100
+Subject: nvme-apple: fix controller shutdown in apple_nvme_disable
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit c76b8308e4c9148e44e0c7e086ab6d8b4bb10162 ]
+
+nvme_shutdown_ctrl already shuts the controller down, there is no
+need to also call nvme_disable_ctrl for the shutdown case.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Keith Busch <kbusch@kernel.org>
+Reviewed-by: Eric Curtin <ecurtin@redhat.com>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Hector Martin <marcan@marcan.st>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/apple.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/apple.c b/drivers/nvme/host/apple.c
+index 262d2b60ac6dd..92c70c4b2f6ec 100644
+--- a/drivers/nvme/host/apple.c
++++ b/drivers/nvme/host/apple.c
+@@ -831,7 +831,8 @@ static void apple_nvme_disable(struct apple_nvme *anv, bool shutdown)
+               if (shutdown)
+                       nvme_shutdown_ctrl(&anv->ctrl);
+-              nvme_disable_ctrl(&anv->ctrl);
++              else
++                      nvme_disable_ctrl(&anv->ctrl);
+       }
+       WRITE_ONCE(anv->ioq.enabled, false);
+-- 
+2.39.0
+
diff --git a/queue-6.1/nvme-rdma-stop-auth-work-after-tearing-down-queues-i.patch b/queue-6.1/nvme-rdma-stop-auth-work-after-tearing-down-queues-i.patch
new file mode 100644 (file)
index 0000000..26358e2
--- /dev/null
@@ -0,0 +1,48 @@
+From 0883f151449ca4fd6f432f218b051da47cedb8b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Nov 2022 13:24:24 +0200
+Subject: nvme-rdma: stop auth work after tearing down queues in error recovery
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+[ Upstream commit 91c11d5f32547a08d462934246488fe72f3d44c3 ]
+
+when starting error recovery there might be a authentication work
+running, and it involves I/O commands. Given the controller is tearing
+down there is no chance for the I/O to complete other than timing out
+which may unnecessarily take a full io timeout.
+
+So first tear down the queues, fail/cancel all inflight I/O (including
+potentially authentication) and only then stop authentication. This
+ensures that failover is not stalled due to blocked authentication I/O.
+
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/rdma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c
+index 6f918e61b6aef..80383213b8828 100644
+--- a/drivers/nvme/host/rdma.c
++++ b/drivers/nvme/host/rdma.c
+@@ -1154,13 +1154,13 @@ static void nvme_rdma_error_recovery_work(struct work_struct *work)
+       struct nvme_rdma_ctrl *ctrl = container_of(work,
+                       struct nvme_rdma_ctrl, err_work);
+-      nvme_auth_stop(&ctrl->ctrl);
+       nvme_stop_keep_alive(&ctrl->ctrl);
+       flush_work(&ctrl->ctrl.async_event_work);
+       nvme_rdma_teardown_io_queues(ctrl, false);
+       nvme_start_queues(&ctrl->ctrl);
+       nvme_rdma_teardown_admin_queue(ctrl, false);
+       nvme_start_admin_queue(&ctrl->ctrl);
++      nvme_auth_stop(&ctrl->ctrl);
+       if (!nvme_change_ctrl_state(&ctrl->ctrl, NVME_CTRL_CONNECTING)) {
+               /* state change failure is ok if we started ctrl delete */
+-- 
+2.39.0
+
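Review bot: The relocated `nvme_auth_stop(&ctrl->ctrl);` carries no comment on why it must follow the queue teardown, so a later tidy-up that moves it back to the top of the function would silently reintroduce the stall the commit message describes. A short comment above the call would pin the ordering: `/* stop auth only after the queues are torn down and in-flight I/O (including auth commands) has been failed, so this does not block on a full I/O timeout */`. The same applies to the nvme-tcp patch later in this commit, where `nvme_auth_stop(ctrl);` is moved in nvme_tcp_error_recovery_work. nvme_rdma_error_recovery_work continues beyond the hunk.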
diff --git a/queue-6.1/nvme-tcp-stop-auth-work-after-tearing-down-queues-in.patch b/queue-6.1/nvme-tcp-stop-auth-work-after-tearing-down-queues-in.patch
new file mode 100644 (file)
index 0000000..673c0a1
--- /dev/null
@@ -0,0 +1,49 @@
+From 1a7e283dfef898f640058ae10f3306f8b2c7f75c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Nov 2022 13:24:23 +0200
+Subject: nvme-tcp: stop auth work after tearing down queues in error recovery
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+[ Upstream commit 1f1a4f89562d3b33b6ca4fc8a4f3bd4cd35ab4ea ]
+
+when starting error recovery there might be a authentication work
+running, and it involves I/O commands. Given the controller is tearing
+down there is no chance for the I/O to complete other than timing out
+which may unnecessarily take a full io timeout.
+
+So first tear down the queues, fail/cancel all inflight I/O (including
+potentially authentication) and only then stop authentication. This
+ensures that failover is not stalled due to blocked authentication I/O.
+
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/tcp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c
+index 4c052c261517e..1dc7c733c7e39 100644
+--- a/drivers/nvme/host/tcp.c
++++ b/drivers/nvme/host/tcp.c
+@@ -2128,7 +2128,6 @@ static void nvme_tcp_error_recovery_work(struct work_struct *work)
+                               struct nvme_tcp_ctrl, err_work);
+       struct nvme_ctrl *ctrl = &tcp_ctrl->ctrl;
+-      nvme_auth_stop(ctrl);
+       nvme_stop_keep_alive(ctrl);
+       flush_work(&ctrl->async_event_work);
+       nvme_tcp_teardown_io_queues(ctrl, false);
+@@ -2136,6 +2135,7 @@ static void nvme_tcp_error_recovery_work(struct work_struct *work)
+       nvme_start_queues(ctrl);
+       nvme_tcp_teardown_admin_queue(ctrl, false);
+       nvme_start_admin_queue(ctrl);
++      nvme_auth_stop(ctrl);
+       if (!nvme_change_ctrl_state(ctrl, NVME_CTRL_CONNECTING)) {
+               /* state change failure is ok if we started ctrl delete */
+-- 
+2.39.0
+
index 3e63051dc80b96930bdb834252735ed59dbf35ea..9c31c2aae67593e1b4a6b0dd2bb8023c7fd54011 100644 (file)
@@ -104,3 +104,8 @@ ipv6-fix-datagram-socket-connection-with-dscp.patch
 ipv6-fix-tcp-socket-connection-with-dscp.patch
 mm-gup-add-folio-to-list-when-folio_isolate_lru-succeed.patch
 mm-extend-max-struct-page-size-for-kmsan.patch
+i40e-add-checking-for-null-for-nlmsg_find_attr.patch
+net-sched-tcindex-search-key-must-be-16-bits.patch
+nvme-tcp-stop-auth-work-after-tearing-down-queues-in.patch
+nvme-rdma-stop-auth-work-after-tearing-down-queues-i.patch
+nvme-apple-fix-controller-shutdown-in-apple_nvme_dis.patch