From: Greg Kroah-Hartman Date: Mon, 4 Jul 2022 13:30:48 +0000 (+0200) Subject: 5.18-stable patches X-Git-Tag: v4.9.322~40 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1ba1083f214b873026c3291fe60cef076bc7bd18;p=thirdparty%2Fkernel%2Fstable-queue.git 5.18-stable patches added patches: acpi-video-change-how-we-determine-if-brightness-key-presses-are-handled.patch fanotify-refine-the-validation-checks-on-non-dir-inode-mask.patch ipv6-fix-lockdep-splat-in-in6_dump_addrs.patch ipv6-sit-fix-ipip6_tunnel_get_prl-return-value.patch mlxsw-spectrum_router-fix-rollback-in-tunnel-next-hop-init.patch nvmet-add-a-clear_ids-attribute-for-passthru-targets.patch tunnels-do-not-assume-mac-header-is-set-in-skb_tunnel_check_pmtu.patch --- diff --git a/queue-5.18/acpi-video-change-how-we-determine-if-brightness-key-presses-are-handled.patch b/queue-5.18/acpi-video-change-how-we-determine-if-brightness-key-presses-are-handled.patch new file mode 100644 index 00000000000..2b3ddb1a243 --- /dev/null +++ b/queue-5.18/acpi-video-change-how-we-determine-if-brightness-key-presses-are-handled.patch @@ -0,0 +1,74 @@ +From 3a0cf7ab8df3878a7e2f3d29275b785cf4e7afb6 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Fri, 24 Jun 2022 13:23:34 +0200 +Subject: ACPI: video: Change how we determine if brightness key-presses are handled + +From: Hans de Goede + +commit 3a0cf7ab8df3878a7e2f3d29275b785cf4e7afb6 upstream. + +Some systems have an ACPI video bus but not ACPI video devices with +backlight capability. On these devices brightness key-presses are +(logically) not reported through the ACPI video bus. + +Change how acpi_video_handles_brightness_key_presses() determines if +brightness key-presses are handled by the ACPI video driver to avoid +vendor specific drivers/platform/x86 drivers filtering out their +brightness key-presses even though they are the only ones reporting +these presses. + +Fixes: ed83c9171829 ("platform/x86: panasonic-laptop: Resolve hotkey double trigger bug") +Reported-and-tested-by: Stefan Seyfried +Reported-and-tested-by: Kenneth Chan +Signed-off-by: Hans de Goede +Acked-by: Rafael J. Wysocki +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20220624112340.10130-2-hdegoede@redhat.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/acpi_video.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +--- a/drivers/acpi/acpi_video.c ++++ b/drivers/acpi/acpi_video.c +@@ -73,6 +73,7 @@ module_param(device_id_scheme, bool, 044 + static int only_lcd = -1; + module_param(only_lcd, int, 0444); + ++static bool has_backlight; + static int register_count; + static DEFINE_MUTEX(register_count_mutex); + static DEFINE_MUTEX(video_list_lock); +@@ -1222,6 +1223,9 @@ acpi_video_bus_get_one_device(struct acp + acpi_video_device_bind(video, data); + acpi_video_device_find_cap(data); + ++ if (data->cap._BCM && data->cap._BCL) ++ has_backlight = true; ++ + mutex_lock(&video->device_list_lock); + list_add_tail(&data->entry, &video->video_device_list); + mutex_unlock(&video->device_list_lock); +@@ -2250,6 +2254,7 @@ void acpi_video_unregister(void) + if (register_count) { + acpi_bus_unregister_driver(&acpi_video_bus); + register_count = 0; ++ has_backlight = false; + } + mutex_unlock(®ister_count_mutex); + } +@@ -2271,13 +2276,7 @@ void acpi_video_unregister_backlight(voi + + bool acpi_video_handles_brightness_key_presses(void) + { +- bool have_video_busses; +- +- mutex_lock(&video_list_lock); +- have_video_busses = !list_empty(&video_bus_head); +- mutex_unlock(&video_list_lock); +- +- return have_video_busses && ++ return has_backlight && + (report_key_events & REPORT_BRIGHTNESS_KEY_EVENTS); + } + EXPORT_SYMBOL(acpi_video_handles_brightness_key_presses); diff --git a/queue-5.18/fanotify-refine-the-validation-checks-on-non-dir-inode-mask.patch b/queue-5.18/fanotify-refine-the-validation-checks-on-non-dir-inode-mask.patch new file mode 100644 index 00000000000..25d168f976a --- /dev/null +++ b/queue-5.18/fanotify-refine-the-validation-checks-on-non-dir-inode-mask.patch @@ -0,0 +1,114 @@ +From 8698e3bab4dd7968666e84e111d0bfd17c040e77 Mon Sep 17 00:00:00 2001 +From: Amir Goldstein +Date: Mon, 27 Jun 2022 20:47:19 +0300 +Subject: fanotify: refine the validation checks on non-dir inode mask + +From: Amir Goldstein + +commit 8698e3bab4dd7968666e84e111d0bfd17c040e77 upstream. + +Commit ceaf69f8eadc ("fanotify: do not allow setting dirent events in +mask of non-dir") added restrictions about setting dirent events in the +mask of a non-dir inode mark, which does not make any sense. + +For backward compatibility, these restictions were added only to new +(v5.17+) APIs. + +It also does not make any sense to set the flags FAN_EVENT_ON_CHILD or +FAN_ONDIR in the mask of a non-dir inode. Add these flags to the +dir-only restriction of the new APIs as well. + +Move the check of the dir-only flags for new APIs into the helper +fanotify_events_supported(), which is only called for FAN_MARK_ADD, +because there is no need to error on an attempt to remove the dir-only +flags from non-dir inode. + +Fixes: ceaf69f8eadc ("fanotify: do not allow setting dirent events in mask of non-dir") +Link: https://lore.kernel.org/linux-fsdevel/20220627113224.kr2725conevh53u4@quack3.lan/ +Link: https://lore.kernel.org/r/20220627174719.2838175-1-amir73il@gmail.com +Signed-off-by: Amir Goldstein +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman +--- + fs/notify/fanotify/fanotify_user.c | 34 +++++++++++++++++++--------------- + include/linux/fanotify.h | 4 ++++ + 2 files changed, 23 insertions(+), 15 deletions(-) + +--- a/fs/notify/fanotify/fanotify_user.c ++++ b/fs/notify/fanotify/fanotify_user.c +@@ -1483,8 +1483,15 @@ static int fanotify_test_fid(struct dent + return 0; + } + +-static int fanotify_events_supported(struct path *path, __u64 mask) ++static int fanotify_events_supported(struct fsnotify_group *group, ++ struct path *path, __u64 mask, ++ unsigned int flags) + { ++ unsigned int mark_type = flags & FANOTIFY_MARK_TYPE_BITS; ++ /* Strict validation of events in non-dir inode mask with v5.17+ APIs */ ++ bool strict_dir_events = FAN_GROUP_FLAG(group, FAN_REPORT_TARGET_FID) || ++ (mask & FAN_RENAME); ++ + /* + * Some filesystems such as 'proc' acquire unusual locks when opening + * files. For them fanotify permission events have high chances of +@@ -1496,6 +1503,16 @@ static int fanotify_events_supported(str + if (mask & FANOTIFY_PERM_EVENTS && + path->mnt->mnt_sb->s_type->fs_flags & FS_DISALLOW_NOTIFY_PERM) + return -EINVAL; ++ ++ /* ++ * We shouldn't have allowed setting dirent events and the directory ++ * flags FAN_ONDIR and FAN_EVENT_ON_CHILD in mask of non-dir inode, ++ * but because we always allowed it, error only when using new APIs. ++ */ ++ if (strict_dir_events && mark_type == FAN_MARK_INODE && ++ !d_is_dir(path->dentry) && (mask & FANOTIFY_DIRONLY_EVENT_BITS)) ++ return -ENOTDIR; ++ + return 0; + } + +@@ -1634,7 +1651,7 @@ static int do_fanotify_mark(int fanotify + goto fput_and_out; + + if (flags & FAN_MARK_ADD) { +- ret = fanotify_events_supported(&path, mask); ++ ret = fanotify_events_supported(group, &path, mask, flags); + if (ret) + goto path_put_and_out; + } +@@ -1657,19 +1674,6 @@ static int do_fanotify_mark(int fanotify + else + mnt = path.mnt; + +- /* +- * FAN_RENAME is not allowed on non-dir (for now). +- * We shouldn't have allowed setting any dirent events in mask of +- * non-dir, but because we always allowed it, error only if group +- * was initialized with the new flag FAN_REPORT_TARGET_FID. +- */ +- ret = -ENOTDIR; +- if (inode && !S_ISDIR(inode->i_mode) && +- ((mask & FAN_RENAME) || +- ((mask & FANOTIFY_DIRENT_EVENTS) && +- FAN_GROUP_FLAG(group, FAN_REPORT_TARGET_FID)))) +- goto path_put_and_out; +- + /* Mask out FAN_EVENT_ON_CHILD flag for sb/mount/non-dir marks */ + if (mnt || !S_ISDIR(inode->i_mode)) { + mask &= ~FAN_EVENT_ON_CHILD; +--- a/include/linux/fanotify.h ++++ b/include/linux/fanotify.h +@@ -110,6 +110,10 @@ + FANOTIFY_PERM_EVENTS | \ + FAN_Q_OVERFLOW | FAN_ONDIR) + ++/* Events and flags relevant only for directories */ ++#define FANOTIFY_DIRONLY_EVENT_BITS (FANOTIFY_DIRENT_EVENTS | \ ++ FAN_EVENT_ON_CHILD | FAN_ONDIR) ++ + #define ALL_FANOTIFY_EVENT_BITS (FANOTIFY_OUTGOING_EVENTS | \ + FANOTIFY_EVENT_FLAGS) + diff --git a/queue-5.18/ipv6-fix-lockdep-splat-in-in6_dump_addrs.patch b/queue-5.18/ipv6-fix-lockdep-splat-in-in6_dump_addrs.patch new file mode 100644 index 00000000000..e8cec5fa442 --- /dev/null +++ b/queue-5.18/ipv6-fix-lockdep-splat-in-in6_dump_addrs.patch @@ -0,0 +1,77 @@ +From 4e43e64d0f1332fcc503babad4dc31aead7131ca Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Tue, 28 Jun 2022 12:12:48 +0000 +Subject: ipv6: fix lockdep splat in in6_dump_addrs() + +From: Eric Dumazet + +commit 4e43e64d0f1332fcc503babad4dc31aead7131ca upstream. + +As reported by syzbot, we should not use rcu_dereference() +when rcu_read_lock() is not held. + +WARNING: suspicious RCU usage +5.19.0-rc2-syzkaller #0 Not tainted + +net/ipv6/addrconf.c:5175 suspicious rcu_dereference_check() usage! + +other info that might help us debug this: + +rcu_scheduler_active = 2, debug_locks = 1 +1 lock held by syz-executor326/3617: + #0: ffffffff8d5848e8 (rtnl_mutex){+.+.}-{3:3}, at: netlink_dump+0xae/0xc20 net/netlink/af_netlink.c:2223 + +stack backtrace: +CPU: 0 PID: 3617 Comm: syz-executor326 Not tainted 5.19.0-rc2-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 + in6_dump_addrs+0x12d1/0x1790 net/ipv6/addrconf.c:5175 + inet6_dump_addr+0x9c1/0xb50 net/ipv6/addrconf.c:5300 + netlink_dump+0x541/0xc20 net/netlink/af_netlink.c:2275 + __netlink_dump_start+0x647/0x900 net/netlink/af_netlink.c:2380 + netlink_dump_start include/linux/netlink.h:245 [inline] + rtnetlink_rcv_msg+0x73e/0xc90 net/core/rtnetlink.c:6046 + netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2501 + netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] + netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345 + netlink_sendmsg+0x917/0xe10 net/netlink/af_netlink.c:1921 + sock_sendmsg_nosec net/socket.c:714 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:734 + ____sys_sendmsg+0x6eb/0x810 net/socket.c:2492 + ___sys_sendmsg+0xf3/0x170 net/socket.c:2546 + __sys_sendmsg net/socket.c:2575 [inline] + __do_sys_sendmsg net/socket.c:2584 [inline] + __se_sys_sendmsg net/socket.c:2582 [inline] + __x64_sys_sendmsg+0x132/0x220 net/socket.c:2582 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +Fixes: 88e2ca308094 ("mld: convert ifmcaddr6 to RCU") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Taehee Yoo +Link: https://lore.kernel.org/r/20220628121248.858695-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/addrconf.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -5170,9 +5170,9 @@ next: + fillargs->event = RTM_GETMULTICAST; + + /* multicast address */ +- for (ifmca = rcu_dereference(idev->mc_list); ++ for (ifmca = rtnl_dereference(idev->mc_list); + ifmca; +- ifmca = rcu_dereference(ifmca->next), ip_idx++) { ++ ifmca = rtnl_dereference(ifmca->next), ip_idx++) { + if (ip_idx < s_ip_idx) + continue; + err = inet6_fill_ifmcaddr(skb, ifmca, fillargs); diff --git a/queue-5.18/ipv6-sit-fix-ipip6_tunnel_get_prl-return-value.patch b/queue-5.18/ipv6-sit-fix-ipip6_tunnel_get_prl-return-value.patch new file mode 100644 index 00000000000..631369e8a1f --- /dev/null +++ b/queue-5.18/ipv6-sit-fix-ipip6_tunnel_get_prl-return-value.patch @@ -0,0 +1,62 @@ +From adabdd8f6acabc0c3fdbba2e7f5a2edd9c5ef22d Mon Sep 17 00:00:00 2001 +From: katrinzhou +Date: Tue, 28 Jun 2022 11:50:30 +0800 +Subject: ipv6/sit: fix ipip6_tunnel_get_prl return value + +From: katrinzhou + +commit adabdd8f6acabc0c3fdbba2e7f5a2edd9c5ef22d upstream. + +When kcalloc fails, ipip6_tunnel_get_prl() should return -ENOMEM. +Move the position of label "out" to return correctly. + +Addresses-Coverity: ("Unused value") +Fixes: 300aaeeaab5f ("[IPV6] SIT: Add SIOCGETPRL ioctl to get/dump PRL.") +Signed-off-by: katrinzhou +Reviewed-by: Eric Dumazet +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/20220628035030.1039171-1-zys.zljxml@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/sit.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/net/ipv6/sit.c ++++ b/net/ipv6/sit.c +@@ -323,8 +323,6 @@ static int ipip6_tunnel_get_prl(struct n + kcalloc(cmax, sizeof(*kp), GFP_KERNEL_ACCOUNT | __GFP_NOWARN) : + NULL; + +- rcu_read_lock(); +- + ca = min(t->prl_count, cmax); + + if (!kp) { +@@ -341,7 +339,7 @@ static int ipip6_tunnel_get_prl(struct n + } + } + +- c = 0; ++ rcu_read_lock(); + for_each_prl_rcu(t->prl) { + if (c >= cmax) + break; +@@ -353,7 +351,7 @@ static int ipip6_tunnel_get_prl(struct n + if (kprl.addr != htonl(INADDR_ANY)) + break; + } +-out: ++ + rcu_read_unlock(); + + len = sizeof(*kp) * c; +@@ -362,7 +360,7 @@ out: + ret = -EFAULT; + + kfree(kp); +- ++out: + return ret; + } + diff --git a/queue-5.18/mlxsw-spectrum_router-fix-rollback-in-tunnel-next-hop-init.patch b/queue-5.18/mlxsw-spectrum_router-fix-rollback-in-tunnel-next-hop-init.patch new file mode 100644 index 00000000000..7ddb3d529c8 --- /dev/null +++ b/queue-5.18/mlxsw-spectrum_router-fix-rollback-in-tunnel-next-hop-init.patch @@ -0,0 +1,72 @@ +From 665030fd0c1ed9f505932e6e73e7a2c788787a0a Mon Sep 17 00:00:00 2001 +From: Petr Machata +Date: Wed, 29 Jun 2022 10:02:05 +0300 +Subject: mlxsw: spectrum_router: Fix rollback in tunnel next hop init + +From: Petr Machata + +commit 665030fd0c1ed9f505932e6e73e7a2c788787a0a upstream. + +In mlxsw_sp_nexthop6_init(), a next hop is always added to the router +linked list, and mlxsw_sp_nexthop_type_init() is invoked afterwards. When +that function results in an error, the next hop will not have been removed +from the linked list. As the error is propagated upwards and the caller +frees the next hop object, the linked list ends up holding an invalid +object. + +A similar issue comes up with mlxsw_sp_nexthop4_init(), where rollback +block does exist, however does not include the linked list removal. + +Both IPv6 and IPv4 next hops have a similar issue with next-hop counter +rollbacks. As these were introduced in the same patchset as the next hop +linked list, include the cleanup in this patch. + +Fixes: dbe4598c1e92 ("mlxsw: spectrum_router: Keep nexthops in a linked list") +Fixes: a5390278a5eb ("mlxsw: spectrum: Add support for setting counters on nexthops") +Signed-off-by: Petr Machata +Reviewed-by: Amit Cohen +Signed-off-by: Ido Schimmel +Link: https://lore.kernel.org/r/20220629070205.803952-1-idosch@nvidia.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c +@@ -4418,6 +4418,8 @@ static int mlxsw_sp_nexthop4_init(struct + return 0; + + err_nexthop_neigh_init: ++ list_del(&nh->router_list_node); ++ mlxsw_sp_nexthop_counter_free(mlxsw_sp, nh); + mlxsw_sp_nexthop_remove(mlxsw_sp, nh); + return err; + } +@@ -6743,6 +6745,7 @@ static int mlxsw_sp_nexthop6_init(struct + const struct fib6_info *rt) + { + struct net_device *dev = rt->fib6_nh->fib_nh_dev; ++ int err; + + nh->nhgi = nh_grp->nhgi; + nh->nh_weight = rt->fib6_nh->fib_nh_weight; +@@ -6758,7 +6761,16 @@ static int mlxsw_sp_nexthop6_init(struct + return 0; + nh->ifindex = dev->ifindex; + +- return mlxsw_sp_nexthop_type_init(mlxsw_sp, nh, dev); ++ err = mlxsw_sp_nexthop_type_init(mlxsw_sp, nh, dev); ++ if (err) ++ goto err_nexthop_type_init; ++ ++ return 0; ++ ++err_nexthop_type_init: ++ list_del(&nh->router_list_node); ++ mlxsw_sp_nexthop_counter_free(mlxsw_sp, nh); ++ return err; + } + + static void mlxsw_sp_nexthop6_fini(struct mlxsw_sp *mlxsw_sp, diff --git a/queue-5.18/nvmet-add-a-clear_ids-attribute-for-passthru-targets.patch b/queue-5.18/nvmet-add-a-clear_ids-attribute-for-passthru-targets.patch new file mode 100644 index 00000000000..2e9c05cd597 --- /dev/null +++ b/queue-5.18/nvmet-add-a-clear_ids-attribute-for-passthru-targets.patch @@ -0,0 +1,166 @@ +From 34ad61514c4c3657df21a058f9961c3bb2f84ff2 Mon Sep 17 00:00:00 2001 +From: Alan Adamson +Date: Mon, 27 Jun 2022 16:25:43 -0700 +Subject: nvmet: add a clear_ids attribute for passthru targets + +From: Alan Adamson + +commit 34ad61514c4c3657df21a058f9961c3bb2f84ff2 upstream. + +If the clear_ids attribute is set to true, the EUI/GUID/UUID is cleared +for the passthru target. By default, loop targets will set clear_ids to +true. + +This resolves an issue where a connect to a passthru target fails when +using a trtype of 'loop' because EUI/GUID/UUID is not unique. + +Fixes: 2079f41ec6ff ("nvme: check that EUI/GUID/UUID are globally unique") +Signed-off-by: Alan Adamson +Reviewed-by: Keith Busch +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Christoph Hellwig +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/target/configfs.c | 20 ++++++++++++++ + drivers/nvme/target/core.c | 6 ++++ + drivers/nvme/target/nvmet.h | 1 + drivers/nvme/target/passthru.c | 55 +++++++++++++++++++++++++++++++++++++++++ + 4 files changed, 82 insertions(+) + +--- a/drivers/nvme/target/configfs.c ++++ b/drivers/nvme/target/configfs.c +@@ -773,11 +773,31 @@ static ssize_t nvmet_passthru_io_timeout + } + CONFIGFS_ATTR(nvmet_passthru_, io_timeout); + ++static ssize_t nvmet_passthru_clear_ids_show(struct config_item *item, ++ char *page) ++{ ++ return sprintf(page, "%u\n", to_subsys(item->ci_parent)->clear_ids); ++} ++ ++static ssize_t nvmet_passthru_clear_ids_store(struct config_item *item, ++ const char *page, size_t count) ++{ ++ struct nvmet_subsys *subsys = to_subsys(item->ci_parent); ++ unsigned int clear_ids; ++ ++ if (kstrtouint(page, 0, &clear_ids)) ++ return -EINVAL; ++ subsys->clear_ids = clear_ids; ++ return count; ++} ++CONFIGFS_ATTR(nvmet_passthru_, clear_ids); ++ + static struct configfs_attribute *nvmet_passthru_attrs[] = { + &nvmet_passthru_attr_device_path, + &nvmet_passthru_attr_enable, + &nvmet_passthru_attr_admin_timeout, + &nvmet_passthru_attr_io_timeout, ++ &nvmet_passthru_attr_clear_ids, + NULL, + }; + +--- a/drivers/nvme/target/core.c ++++ b/drivers/nvme/target/core.c +@@ -1374,6 +1374,12 @@ u16 nvmet_alloc_ctrl(const char *subsysn + ctrl->port = req->port; + ctrl->ops = req->ops; + ++#ifdef CONFIG_NVME_TARGET_PASSTHRU ++ /* By default, set loop targets to clear IDS by default */ ++ if (ctrl->port->disc_addr.trtype == NVMF_TRTYPE_LOOP) ++ subsys->clear_ids = 1; ++#endif ++ + INIT_WORK(&ctrl->async_event_work, nvmet_async_event_work); + INIT_LIST_HEAD(&ctrl->async_events); + INIT_RADIX_TREE(&ctrl->p2p_ns_map, GFP_KERNEL); +--- a/drivers/nvme/target/nvmet.h ++++ b/drivers/nvme/target/nvmet.h +@@ -249,6 +249,7 @@ struct nvmet_subsys { + struct config_group passthru_group; + unsigned int admin_timeout; + unsigned int io_timeout; ++ unsigned int clear_ids; + #endif /* CONFIG_NVME_TARGET_PASSTHRU */ + + #ifdef CONFIG_BLK_DEV_ZONED +--- a/drivers/nvme/target/passthru.c ++++ b/drivers/nvme/target/passthru.c +@@ -30,6 +30,53 @@ void nvmet_passthrough_override_cap(stru + ctrl->cap &= ~(1ULL << 43); + } + ++static u16 nvmet_passthru_override_id_descs(struct nvmet_req *req) ++{ ++ struct nvmet_ctrl *ctrl = req->sq->ctrl; ++ u16 status = NVME_SC_SUCCESS; ++ int pos, len; ++ bool csi_seen = false; ++ void *data; ++ u8 csi; ++ ++ if (!ctrl->subsys->clear_ids) ++ return status; ++ ++ data = kzalloc(NVME_IDENTIFY_DATA_SIZE, GFP_KERNEL); ++ if (!data) ++ return NVME_SC_INTERNAL; ++ ++ status = nvmet_copy_from_sgl(req, 0, data, NVME_IDENTIFY_DATA_SIZE); ++ if (status) ++ goto out_free; ++ ++ for (pos = 0; pos < NVME_IDENTIFY_DATA_SIZE; pos += len) { ++ struct nvme_ns_id_desc *cur = data + pos; ++ ++ if (cur->nidl == 0) ++ break; ++ if (cur->nidt == NVME_NIDT_CSI) { ++ memcpy(&csi, cur + 1, NVME_NIDT_CSI_LEN); ++ csi_seen = true; ++ break; ++ } ++ len = sizeof(struct nvme_ns_id_desc) + cur->nidl; ++ } ++ ++ memset(data, 0, NVME_IDENTIFY_DATA_SIZE); ++ if (csi_seen) { ++ struct nvme_ns_id_desc *cur = data; ++ ++ cur->nidt = NVME_NIDT_CSI; ++ cur->nidl = NVME_NIDT_CSI_LEN; ++ memcpy(cur + 1, &csi, NVME_NIDT_CSI_LEN); ++ } ++ status = nvmet_copy_to_sgl(req, 0, data, NVME_IDENTIFY_DATA_SIZE); ++out_free: ++ kfree(data); ++ return status; ++} ++ + static u16 nvmet_passthru_override_id_ctrl(struct nvmet_req *req) + { + struct nvmet_ctrl *ctrl = req->sq->ctrl; +@@ -152,6 +199,11 @@ static u16 nvmet_passthru_override_id_ns + */ + id->mc = 0; + ++ if (req->sq->ctrl->subsys->clear_ids) { ++ memset(id->nguid, 0, NVME_NIDT_NGUID_LEN); ++ memset(id->eui64, 0, NVME_NIDT_EUI64_LEN); ++ } ++ + status = nvmet_copy_to_sgl(req, 0, id, sizeof(*id)); + + out_free: +@@ -176,6 +228,9 @@ static void nvmet_passthru_execute_cmd_w + case NVME_ID_CNS_NS: + nvmet_passthru_override_id_ns(req); + break; ++ case NVME_ID_CNS_NS_DESC_LIST: ++ nvmet_passthru_override_id_descs(req); ++ break; + } + } else if (status < 0) + status = NVME_SC_INTERNAL; diff --git a/queue-5.18/series b/queue-5.18/series index 8c9c9e02ee4..d8fde560214 100644 --- a/queue-5.18/series +++ b/queue-5.18/series @@ -70,3 +70,10 @@ epic100-fix-use-after-free-on-rmmod.patch cpufreq-qcom-hw-don-t-do-lmh-things-without-a-throttle-interrupt.patch tcp-add-a-missing-nf_reset_ct-in-3whs-handling.patch nvmet-tcp-fix-regression-in-data_digest-calculation.patch +acpi-video-change-how-we-determine-if-brightness-key-presses-are-handled.patch +tunnels-do-not-assume-mac-header-is-set-in-skb_tunnel_check_pmtu.patch +fanotify-refine-the-validation-checks-on-non-dir-inode-mask.patch +nvmet-add-a-clear_ids-attribute-for-passthru-targets.patch +ipv6-sit-fix-ipip6_tunnel_get_prl-return-value.patch +ipv6-fix-lockdep-splat-in-in6_dump_addrs.patch +mlxsw-spectrum_router-fix-rollback-in-tunnel-next-hop-init.patch diff --git a/queue-5.18/tunnels-do-not-assume-mac-header-is-set-in-skb_tunnel_check_pmtu.patch b/queue-5.18/tunnels-do-not-assume-mac-header-is-set-in-skb_tunnel_check_pmtu.patch new file mode 100644 index 00000000000..5f9b924ad59 --- /dev/null +++ b/queue-5.18/tunnels-do-not-assume-mac-header-is-set-in-skb_tunnel_check_pmtu.patch @@ -0,0 +1,89 @@ +From 853a7614880231747040cada91d2b8d2e995c51a Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Fri, 24 Jun 2022 15:30:20 +0000 +Subject: tunnels: do not assume mac header is set in skb_tunnel_check_pmtu() + +From: Eric Dumazet + +commit 853a7614880231747040cada91d2b8d2e995c51a upstream. + +Recently added debug in commit f9aefd6b2aa3 ("net: warn if mac header +was not set") caught a bug in skb_tunnel_check_pmtu(), as shown +in this syzbot report [1]. + +In ndo_start_xmit() paths, there is really no need to use skb->mac_header, +because skb->data is supposed to point at it. + +[1] WARNING: CPU: 1 PID: 8604 at include/linux/skbuff.h:2784 skb_mac_header_len include/linux/skbuff.h:2784 [inline] +WARNING: CPU: 1 PID: 8604 at include/linux/skbuff.h:2784 skb_tunnel_check_pmtu+0x5de/0x2f90 net/ipv4/ip_tunnel_core.c:413 +Modules linked in: +CPU: 1 PID: 8604 Comm: syz-executor.3 Not tainted 5.19.0-rc2-syzkaller-00443-g8720bd951b8e #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:skb_mac_header_len include/linux/skbuff.h:2784 [inline] +RIP: 0010:skb_tunnel_check_pmtu+0x5de/0x2f90 net/ipv4/ip_tunnel_core.c:413 +Code: 00 00 00 00 fc ff df 4c 89 fa 48 c1 ea 03 80 3c 02 00 0f 84 b9 fe ff ff 4c 89 ff e8 7c 0f d7 f9 e9 ac fe ff ff e8 c2 13 8a f9 <0f> 0b e9 28 fc ff ff e8 b6 13 8a f9 48 8b 54 24 70 48 b8 00 00 00 +RSP: 0018:ffffc90002e4f520 EFLAGS: 00010212 +RAX: 0000000000000324 RBX: ffff88804d5fd500 RCX: ffffc90005b52000 +RDX: 0000000000040000 RSI: ffffffff87f05e3e RDI: 0000000000000003 +RBP: ffffc90002e4f650 R08: 0000000000000003 R09: 000000000000ffff +R10: 000000000000ffff R11: 0000000000000000 R12: 000000000000ffff +R13: 0000000000000000 R14: 000000000000ffcd R15: 000000000000001f +FS: 00007f3babba9700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000020000080 CR3: 0000000075319000 CR4: 00000000003506e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + +geneve_xmit_skb drivers/net/geneve.c:927 [inline] +geneve_xmit+0xcf8/0x35d0 drivers/net/geneve.c:1107 +__netdev_start_xmit include/linux/netdevice.h:4805 [inline] +netdev_start_xmit include/linux/netdevice.h:4819 [inline] +__dev_direct_xmit+0x500/0x730 net/core/dev.c:4309 +dev_direct_xmit include/linux/netdevice.h:3007 [inline] +packet_direct_xmit+0x1b8/0x2c0 net/packet/af_packet.c:282 +packet_snd net/packet/af_packet.c:3073 [inline] +packet_sendmsg+0x21f4/0x55d0 net/packet/af_packet.c:3104 +sock_sendmsg_nosec net/socket.c:714 [inline] +sock_sendmsg+0xcf/0x120 net/socket.c:734 +____sys_sendmsg+0x6eb/0x810 net/socket.c:2489 +___sys_sendmsg+0xf3/0x170 net/socket.c:2543 +__sys_sendmsg net/socket.c:2572 [inline] +__do_sys_sendmsg net/socket.c:2581 [inline] +__se_sys_sendmsg net/socket.c:2579 [inline] +__x64_sys_sendmsg+0x132/0x220 net/socket.c:2579 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x46/0xb0 +RIP: 0033:0x7f3baaa89109 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f3babba9168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 00007f3baab9bf60 RCX: 00007f3baaa89109 +RDX: 0000000000000000 RSI: 0000000020000a00 RDI: 0000000000000003 +RBP: 00007f3baaae305d R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007ffe74f2543f R14: 00007f3babba9300 R15: 0000000000022000 + + +Fixes: 4cb47a8644cc ("tunnels: PMTU discovery support for directly bridged IP packets") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Stefano Brivio +Reviewed-by: Stefano Brivio +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_tunnel_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/ip_tunnel_core.c ++++ b/net/ipv4/ip_tunnel_core.c +@@ -410,7 +410,7 @@ int skb_tunnel_check_pmtu(struct sk_buff + u32 mtu = dst_mtu(encap_dst) - headroom; + + if ((skb_is_gso(skb) && skb_gso_validate_network_len(skb, mtu)) || +- (!skb_is_gso(skb) && (skb->len - skb_mac_header_len(skb)) <= mtu)) ++ (!skb_is_gso(skb) && (skb->len - skb_network_offset(skb)) <= mtu)) + return 0; + + skb_dst_update_pmtu_no_confirm(skb, mtu);