From 75f7f56c8ca73e3f903013c2b1b665901d0eb45e Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Sun, 19 Feb 2023 04:19:16 -0500
Subject: [PATCH] Fixes for 6.1
Signed-off-by: Sasha Levin
---
 ...hecking-for-null-for-nlmsg_find_attr.patch | 43 ++++++++++
 ...d-tcindex-search-key-must-be-16-bits.patch | 81 +++++++++++++++++++
 ...ontroller-shutdown-in-apple_nvme_dis.patch | 39 +++++++++
 ...uth-work-after-tearing-down-queues-i.patch | 48 +++++++++++
 ...th-work-after-tearing-down-queues-in.patch | 49 +++++++++++
 queue-6.1/series | 5 ++
 6 files changed, 265 insertions(+)
 create mode 100644 queue-6.1/i40e-add-checking-for-null-for-nlmsg_find_attr.patch
 create mode 100644 queue-6.1/net-sched-tcindex-search-key-must-be-16-bits.patch
 create mode 100644 queue-6.1/nvme-apple-fix-controller-shutdown-in-apple_nvme_dis.patch
 create mode 100644 queue-6.1/nvme-rdma-stop-auth-work-after-tearing-down-queues-i.patch
 create mode 100644 queue-6.1/nvme-tcp-stop-auth-work-after-tearing-down-queues-in.patch
diff --git a/queue-6.1/i40e-add-checking-for-null-for-nlmsg_find_attr.patch b/queue-6.1/i40e-add-checking-for-null-for-nlmsg_find_attr.patch
new file mode 100644
index 00000000000..c8f0b19e437
--- /dev/null
+++ b/queue-6.1/i40e-add-checking-for-null-for-nlmsg_find_attr.patch
@@ -0,0 +1,43 @@
+From 09c622e28107809c5b7b8f616cc63b456f11f9ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 9 Feb 2023 09:28:33 -0800
+Subject: i40e: Add checking for null for nlmsg_find_attr()
+
+From: Natalia Petrova
+
+[ Upstream commit 7fa0b526f865cb42aa33917fd02a92cb03746f4d ]
+
+The result of nlmsg_find_attr() 'br_spec' is dereferenced in
+nla_for_each_nested(), but it can take NULL value in nla_find() function,
+which will result in an error.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 51616018dd1b ("i40e: Add support for getlink, setlink ndo ops")
+Signed-off-by: Natalia Petrova
+Reviewed-by: Jesse Brandeburg
+Tested-by: Gurucharan G (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen
+Link: https://lore.kernel.org/r/20230209172833.3596034-1-anthony.l.nguyen@intel.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index 18044c2a36faa..d30bc38725e97 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -13140,6 +13140,8 @@ static int i40e_ndo_bridge_setlink(struct net_device *dev,
+ }
+
+ br_spec = nlmsg_find_attr(nlh, sizeof(struct ifinfomsg), IFLA_AF_SPEC);
++ if (!br_spec)
++ return -EINVAL;
+
+ nla_for_each_nested(attr, br_spec, rem) {
+ __u16 mode;
+--
+2.39.0
+
diff --git a/queue-6.1/net-sched-tcindex-search-key-must-be-16-bits.patch b/queue-6.1/net-sched-tcindex-search-key-must-be-16-bits.patch
new file mode 100644
index 00000000000..0f34891bc28
--- /dev/null
+++ b/queue-6.1/net-sched-tcindex-search-key-must-be-16-bits.patch
@@ -0,0 +1,81 @@
+From da14ebbaa80ab08f897bbbb3414fe2906a8e4af4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 13 Feb 2023 22:47:29 -0300
+Subject: net/sched: tcindex: search key must be 16 bits
+
+From: Pedro Tammela
+
+[ Upstream commit 42018a322bd453e38b3ffee294982243e50a484f ]
+
+Syzkaller found an issue where a handle greater than 16 bits would trigger
+a null-ptr-deref in the imperfect hash area update.
+
+general protection fault, probably for non-canonical address
+0xdffffc0000000015: 0000 [#1] PREEMPT SMP KASAN
+KASAN: null-ptr-deref in range [0x00000000000000a8-0x00000000000000af]
+CPU: 0 PID: 5070 Comm: syz-executor456 Not tainted
+6.2.0-rc7-syzkaller-00112-gc68f345b7c42 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine,
+BIOS Google 01/21/2023
+RIP: 0010:tcindex_set_parms+0x1a6a/0x2990 net/sched/cls_tcindex.c:509
+Code: 01 e9 e9 fe ff ff 4c 8b bd 28 fe ff ff e8 0e 57 7d f9 48 8d bb
+a8 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c
+02 00 0f 85 94 0c 00 00 48 8b 85 f8 fd ff ff 48 8b 9b a8 00
+RSP: 0018:ffffc90003d3ef88 EFLAGS: 00010202
+RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
+RDX: 0000000000000015 RSI: ffffffff8803a102 RDI: 00000000000000a8
+RBP: ffffc90003d3f1d8 R08: 0000000000000001 R09: 0000000000000000
+R10: 0000000000000001 R11: 0000000000000000 R12: ffff88801e2b10a8
+R13: dffffc0000000000 R14: 0000000000030000 R15: ffff888017b3be00
+FS: 00005555569af300(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 000056041c6d2000 CR3: 000000002bfca000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+
+tcindex_change+0x1ea/0x320 net/sched/cls_tcindex.c:572
+tc_new_tfilter+0x96e/0x2220 net/sched/cls_api.c:2155
+rtnetlink_rcv_msg+0x959/0xca0 net/core/rtnetlink.c:6132
+netlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2574
+netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
+netlink_unicast+0x547/0x7f0 net/netlink/af_netlink.c:1365
+netlink_sendmsg+0x91b/0xe10 net/netlink/af_netlink.c:1942
+sock_sendmsg_nosec net/socket.c:714 [inline]
+sock_sendmsg+0xd3/0x120 net/socket.c:734
+____sys_sendmsg+0x334/0x8c0 net/socket.c:2476
+___sys_sendmsg+0x110/0x1b0 net/socket.c:2530
+__sys_sendmmsg+0x18f/0x460 net/socket.c:2616
+__do_sys_sendmmsg net/socket.c:2645 [inline]
+__se_sys_sendmmsg net/socket.c:2642 [inline]
+__x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2642
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
+
+Fixes: ee059170b1f7 ("net/sched: tcindex: update imperfect hash filters respecting rcu")
+Signed-off-by: Jamal Hadi Salim
+Signed-off-by: Pedro Tammela
+Reported-by: syzbot
+Reviewed-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/sched/cls_tcindex.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sched/cls_tcindex.c b/net/sched/cls_tcindex.c
+index 4422b711af081..eea8e185fcdb2 100644
+--- a/net/sched/cls_tcindex.c
++++ b/net/sched/cls_tcindex.c
+@@ -502,7 +502,7 @@ tcindex_set_parms(struct net *net, struct tcf_proto *tp, unsigned long base,
+ /* lookup the filter, guaranteed to exist */
+ for (cf = rcu_dereference_bh_rtnl(*fp); cf;
+ fp = &cf->next, cf = rcu_dereference_bh_rtnl(*fp))
+- if (cf->key == handle)
++ if (cf->key == (u16)handle)
+ break;
+
+ f->next = cf->next;
+--
+2.39.0
+
diff --git a/queue-6.1/nvme-apple-fix-controller-shutdown-in-apple_nvme_dis.patch b/queue-6.1/nvme-apple-fix-controller-shutdown-in-apple_nvme_dis.patch
new file mode 100644
index 00000000000..d9d54849345
--- /dev/null
+++ b/queue-6.1/nvme-apple-fix-controller-shutdown-in-apple_nvme_dis.patch
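Review bot: The `(u16)handle` cast in the lookup loop of tcindex_set_parms makes the comparison agree with the width of `cf->key`, but it does so by silently truncating the caller's handle rather than rejecting it, so a handle above 0xFFFF is still accepted and aliases a lower key; presumably the filter being looked up was stored with the same truncation, which is why the match now succeeds, but that is not visible in the hunk. A short comment on the changed line would record the intent for the next reader, e.g. `/* key is u16; apply the same truncation the filter was stored with */`. The stricter follow-up, if userspace does not rely on the aliasing, is to reject over-wide handles with -EINVAL where the handle is first validated, which lies outside this hunk. The enclosing function tcindex_set_parms starts and ends outside the hunk.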
@@ -0,0 +1,39 @@
+From 1611eb1747c6a533f1bce6d21d6323f9c5409514 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 8 Nov 2022 11:14:09 +0100
+Subject: nvme-apple: fix controller shutdown in apple_nvme_disable
+
+From: Christoph Hellwig
+
+[ Upstream commit c76b8308e4c9148e44e0c7e086ab6d8b4bb10162 ]
+
+nvme_shutdown_ctrl already shuts the controller down, there is no
+need to also call nvme_disable_ctrl for the shutdown case.
+
+Signed-off-by: Christoph Hellwig
+Reviewed-by: Keith Busch
+Reviewed-by: Eric Curtin
+Reviewed-by: Sagi Grimberg
+Reviewed-by: Hector Martin
+Signed-off-by: Sasha Levin
+---
+ drivers/nvme/host/apple.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/apple.c b/drivers/nvme/host/apple.c
+index 262d2b60ac6dd..92c70c4b2f6ec 100644
+--- a/drivers/nvme/host/apple.c
++++ b/drivers/nvme/host/apple.c
+@@ -831,7 +831,8 @@ static void apple_nvme_disable(struct apple_nvme *anv, bool shutdown)
+
+ if (shutdown)
+ nvme_shutdown_ctrl(&anv->ctrl);
+- nvme_disable_ctrl(&anv->ctrl);
++ else
++ nvme_disable_ctrl(&anv->ctrl);
+ }
+
+ WRITE_ONCE(anv->ioq.enabled, false);
+--
+2.39.0
+
diff --git a/queue-6.1/nvme-rdma-stop-auth-work-after-tearing-down-queues-i.patch b/queue-6.1/nvme-rdma-stop-auth-work-after-tearing-down-queues-i.patch
new file mode 100644
index 00000000000..26358e20e43
--- /dev/null
+++ b/queue-6.1/nvme-rdma-stop-auth-work-after-tearing-down-queues-i.patch
@@ -0,0 +1,48 @@
+From 0883f151449ca4fd6f432f218b051da47cedb8b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 13 Nov 2022 13:24:24 +0200
+Subject: nvme-rdma: stop auth work after tearing down queues in error recovery
+
+From: Sagi Grimberg
+
+[ Upstream commit 91c11d5f32547a08d462934246488fe72f3d44c3 ]
+
+when starting error recovery there might be a authentication work
+running, and it involves I/O commands. Given the controller is tearing
+down there is no chance for the I/O to complete other than timing out
+which may unnecessarily take a full io timeout.
+
+So first tear down the queues, fail/cancel all inflight I/O (including
+potentially authentication) and only then stop authentication. This
+ensures that failover is not stalled due to blocked authentication I/O.
+
+Signed-off-by: Sagi Grimberg
+Reviewed-by: Chaitanya Kulkarni
+Signed-off-by: Christoph Hellwig
+Signed-off-by: Sasha Levin
+---
+ drivers/nvme/host/rdma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c
+index 6f918e61b6aef..80383213b8828 100644
+--- a/drivers/nvme/host/rdma.c
++++ b/drivers/nvme/host/rdma.c
+@@ -1154,13 +1154,13 @@ static void nvme_rdma_error_recovery_work(struct work_struct *work)
+ struct nvme_rdma_ctrl *ctrl = container_of(work,
+ struct nvme_rdma_ctrl, err_work);
+
+- nvme_auth_stop(&ctrl->ctrl);
+ nvme_stop_keep_alive(&ctrl->ctrl);
+ flush_work(&ctrl->ctrl.async_event_work);
+ nvme_rdma_teardown_io_queues(ctrl, false);
+ nvme_start_queues(&ctrl->ctrl);
+ nvme_rdma_teardown_admin_queue(ctrl, false);
+ nvme_start_admin_queue(&ctrl->ctrl);
++ nvme_auth_stop(&ctrl->ctrl);
+
+ if (!nvme_change_ctrl_state(&ctrl->ctrl, NVME_CTRL_CONNECTING)) {
+ /* state change failure is ok if we started ctrl delete */
+--
+2.39.0
+
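Review bot: The moved `nvme_auth_stop(&ctrl->ctrl);` in nvme_rdma_error_recovery_work now carries an ordering dependency that the code itself does not explain: it must run only after the queue teardown and restart so that any authentication I/O still in flight is failed instead of being waited on, which is stated only in the commit message. A comment above the call would keep a later reorder from reintroducing the stall, e.g. `/* auth work may have I/O in flight: stop it only after the queues were torn down, so that I/O fails fast instead of waiting for the io timeout */`. The same applies to the `nvme_auth_stop(ctrl);` moved in nvme_tcp_error_recovery_work in the nvme-tcp patch that follows. The enclosing function continues past the end of the hunk.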
diff --git a/queue-6.1/nvme-tcp-stop-auth-work-after-tearing-down-queues-in.patch b/queue-6.1/nvme-tcp-stop-auth-work-after-tearing-down-queues-in.patch
new file mode 100644
index 00000000000..673c0a17aab
--- /dev/null
+++ b/queue-6.1/nvme-tcp-stop-auth-work-after-tearing-down-queues-in.patch
@@ -0,0 +1,49 @@
+From 1a7e283dfef898f640058ae10f3306f8b2c7f75c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 13 Nov 2022 13:24:23 +0200
+Subject: nvme-tcp: stop auth work after tearing down queues in error recovery
+
+From: Sagi Grimberg
+
+[ Upstream commit 1f1a4f89562d3b33b6ca4fc8a4f3bd4cd35ab4ea ]
+
+when starting error recovery there might be a authentication work
+running, and it involves I/O commands. Given the controller is tearing
+down there is no chance for the I/O to complete other than timing out
+which may unnecessarily take a full io timeout.
+
+So first tear down the queues, fail/cancel all inflight I/O (including
+potentially authentication) and only then stop authentication. This
+ensures that failover is not stalled due to blocked authentication I/O.
+
+Signed-off-by: Sagi Grimberg
+Reviewed-by: Chaitanya Kulkarni
+Signed-off-by: Christoph Hellwig
+Signed-off-by: Sasha Levin
+---
+ drivers/nvme/host/tcp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c
+index 4c052c261517e..1dc7c733c7e39 100644
+--- a/drivers/nvme/host/tcp.c
++++ b/drivers/nvme/host/tcp.c
+@@ -2128,7 +2128,6 @@ static void nvme_tcp_error_recovery_work(struct work_struct *work)
+ struct nvme_tcp_ctrl, err_work);
+ struct nvme_ctrl *ctrl = &tcp_ctrl->ctrl;
+
+- nvme_auth_stop(ctrl);
+ nvme_stop_keep_alive(ctrl);
+ flush_work(&ctrl->async_event_work);
+ nvme_tcp_teardown_io_queues(ctrl, false);
+@@ -2136,6 +2135,7 @@ static void nvme_tcp_error_recovery_work(struct work_struct *work)
+ nvme_start_queues(ctrl);
+ nvme_tcp_teardown_admin_queue(ctrl, false);
+ nvme_start_admin_queue(ctrl);
++ nvme_auth_stop(ctrl);
+
+ if (!nvme_change_ctrl_state(ctrl, NVME_CTRL_CONNECTING)) {
+ /* state change failure is ok if we started ctrl delete */
+--
+2.39.0
+
diff --git a/queue-6.1/series b/queue-6.1/series
index 3e63051dc80..9c31c2aae67 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -104,3 +104,8 @@ ipv6-fix-datagram-socket-connection-with-dscp.patch
 ipv6-fix-tcp-socket-connection-with-dscp.patch
 mm-gup-add-folio-to-list-when-folio_isolate_lru-succeed.patch
 mm-extend-max-struct-page-size-for-kmsan.patch
+i40e-add-checking-for-null-for-nlmsg_find_attr.patch
+net-sched-tcindex-search-key-must-be-16-bits.patch
+nvme-tcp-stop-auth-work-after-tearing-down-queues-in.patch
+nvme-rdma-stop-auth-work-after-tearing-down-queues-i.patch
+nvme-apple-fix-controller-shutdown-in-apple_nvme_dis.patch
--
2.47.2