--- /dev/null
+From 3a0cf7ab8df3878a7e2f3d29275b785cf4e7afb6 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Fri, 24 Jun 2022 13:23:34 +0200
+Subject: ACPI: video: Change how we determine if brightness key-presses are handled
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 3a0cf7ab8df3878a7e2f3d29275b785cf4e7afb6 upstream.
+
+Some systems have an ACPI video bus but not ACPI video devices with
+backlight capability. On these devices brightness key-presses are
+(logically) not reported through the ACPI video bus.
+
+Change how acpi_video_handles_brightness_key_presses() determines if
+brightness key-presses are handled by the ACPI video driver to avoid
+vendor specific drivers/platform/x86 drivers filtering out their
+brightness key-presses even though they are the only ones reporting
+these presses.
+
+Fixes: ed83c9171829 ("platform/x86: panasonic-laptop: Resolve hotkey double trigger bug")
+Reported-and-tested-by: Stefan Seyfried <seife+kernel@b1-systems.com>
+Reported-and-tested-by: Kenneth Chan <kenneth.t.chan@gmail.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20220624112340.10130-2-hdegoede@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/acpi_video.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/drivers/acpi/acpi_video.c
++++ b/drivers/acpi/acpi_video.c
+@@ -73,6 +73,7 @@ module_param(device_id_scheme, bool, 044
+ static int only_lcd = -1;
+ module_param(only_lcd, int, 0444);
+
++static bool has_backlight;
+ static int register_count;
+ static DEFINE_MUTEX(register_count_mutex);
+ static DEFINE_MUTEX(video_list_lock);
+@@ -1222,6 +1223,9 @@ acpi_video_bus_get_one_device(struct acp
+ acpi_video_device_bind(video, data);
+ acpi_video_device_find_cap(data);
+
++ if (data->cap._BCM && data->cap._BCL)
++ has_backlight = true;
++
+ mutex_lock(&video->device_list_lock);
+ list_add_tail(&data->entry, &video->video_device_list);
+ mutex_unlock(&video->device_list_lock);
+@@ -2250,6 +2254,7 @@ void acpi_video_unregister(void)
+ if (register_count) {
+ acpi_bus_unregister_driver(&acpi_video_bus);
+ register_count = 0;
++ has_backlight = false;
+ }
+ mutex_unlock(®ister_count_mutex);
+ }
+@@ -2271,13 +2276,7 @@ void acpi_video_unregister_backlight(voi
+
+ bool acpi_video_handles_brightness_key_presses(void)
+ {
+- bool have_video_busses;
+-
+- mutex_lock(&video_list_lock);
+- have_video_busses = !list_empty(&video_bus_head);
+- mutex_unlock(&video_list_lock);
+-
+- return have_video_busses &&
++ return has_backlight &&
+ (report_key_events & REPORT_BRIGHTNESS_KEY_EVENTS);
+ }
+ EXPORT_SYMBOL(acpi_video_handles_brightness_key_presses);
--- /dev/null
+From 8698e3bab4dd7968666e84e111d0bfd17c040e77 Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Mon, 27 Jun 2022 20:47:19 +0300
+Subject: fanotify: refine the validation checks on non-dir inode mask
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+commit 8698e3bab4dd7968666e84e111d0bfd17c040e77 upstream.
+
+Commit ceaf69f8eadc ("fanotify: do not allow setting dirent events in
+mask of non-dir") added restrictions about setting dirent events in the
+mask of a non-dir inode mark, which does not make any sense.
+
+For backward compatibility, these restictions were added only to new
+(v5.17+) APIs.
+
+It also does not make any sense to set the flags FAN_EVENT_ON_CHILD or
+FAN_ONDIR in the mask of a non-dir inode. Add these flags to the
+dir-only restriction of the new APIs as well.
+
+Move the check of the dir-only flags for new APIs into the helper
+fanotify_events_supported(), which is only called for FAN_MARK_ADD,
+because there is no need to error on an attempt to remove the dir-only
+flags from non-dir inode.
+
+Fixes: ceaf69f8eadc ("fanotify: do not allow setting dirent events in mask of non-dir")
+Link: https://lore.kernel.org/linux-fsdevel/20220627113224.kr2725conevh53u4@quack3.lan/
+Link: https://lore.kernel.org/r/20220627174719.2838175-1-amir73il@gmail.com
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/notify/fanotify/fanotify_user.c | 34 +++++++++++++++++++---------------
+ include/linux/fanotify.h | 4 ++++
+ 2 files changed, 23 insertions(+), 15 deletions(-)
+
+--- a/fs/notify/fanotify/fanotify_user.c
++++ b/fs/notify/fanotify/fanotify_user.c
+@@ -1483,8 +1483,15 @@ static int fanotify_test_fid(struct dent
+ return 0;
+ }
+
+-static int fanotify_events_supported(struct path *path, __u64 mask)
++static int fanotify_events_supported(struct fsnotify_group *group,
++ struct path *path, __u64 mask,
++ unsigned int flags)
+ {
++ unsigned int mark_type = flags & FANOTIFY_MARK_TYPE_BITS;
++ /* Strict validation of events in non-dir inode mask with v5.17+ APIs */
++ bool strict_dir_events = FAN_GROUP_FLAG(group, FAN_REPORT_TARGET_FID) ||
++ (mask & FAN_RENAME);
++
+ /*
+ * Some filesystems such as 'proc' acquire unusual locks when opening
+ * files. For them fanotify permission events have high chances of
+@@ -1496,6 +1503,16 @@ static int fanotify_events_supported(str
+ if (mask & FANOTIFY_PERM_EVENTS &&
+ path->mnt->mnt_sb->s_type->fs_flags & FS_DISALLOW_NOTIFY_PERM)
+ return -EINVAL;
++
++ /*
++ * We shouldn't have allowed setting dirent events and the directory
++ * flags FAN_ONDIR and FAN_EVENT_ON_CHILD in mask of non-dir inode,
++ * but because we always allowed it, error only when using new APIs.
++ */
++ if (strict_dir_events && mark_type == FAN_MARK_INODE &&
++ !d_is_dir(path->dentry) && (mask & FANOTIFY_DIRONLY_EVENT_BITS))
++ return -ENOTDIR;
++
+ return 0;
+ }
+
+@@ -1634,7 +1651,7 @@ static int do_fanotify_mark(int fanotify
+ goto fput_and_out;
+
+ if (flags & FAN_MARK_ADD) {
+- ret = fanotify_events_supported(&path, mask);
++ ret = fanotify_events_supported(group, &path, mask, flags);
+ if (ret)
+ goto path_put_and_out;
+ }
+@@ -1657,19 +1674,6 @@ static int do_fanotify_mark(int fanotify
+ else
+ mnt = path.mnt;
+
+- /*
+- * FAN_RENAME is not allowed on non-dir (for now).
+- * We shouldn't have allowed setting any dirent events in mask of
+- * non-dir, but because we always allowed it, error only if group
+- * was initialized with the new flag FAN_REPORT_TARGET_FID.
+- */
+- ret = -ENOTDIR;
+- if (inode && !S_ISDIR(inode->i_mode) &&
+- ((mask & FAN_RENAME) ||
+- ((mask & FANOTIFY_DIRENT_EVENTS) &&
+- FAN_GROUP_FLAG(group, FAN_REPORT_TARGET_FID))))
+- goto path_put_and_out;
+-
+ /* Mask out FAN_EVENT_ON_CHILD flag for sb/mount/non-dir marks */
+ if (mnt || !S_ISDIR(inode->i_mode)) {
+ mask &= ~FAN_EVENT_ON_CHILD;
+--- a/include/linux/fanotify.h
++++ b/include/linux/fanotify.h
+@@ -110,6 +110,10 @@
+ FANOTIFY_PERM_EVENTS | \
+ FAN_Q_OVERFLOW | FAN_ONDIR)
+
++/* Events and flags relevant only for directories */
++#define FANOTIFY_DIRONLY_EVENT_BITS (FANOTIFY_DIRENT_EVENTS | \
++ FAN_EVENT_ON_CHILD | FAN_ONDIR)
++
+ #define ALL_FANOTIFY_EVENT_BITS (FANOTIFY_OUTGOING_EVENTS | \
+ FANOTIFY_EVENT_FLAGS)
+
--- /dev/null
+From 4e43e64d0f1332fcc503babad4dc31aead7131ca Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 28 Jun 2022 12:12:48 +0000
+Subject: ipv6: fix lockdep splat in in6_dump_addrs()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 4e43e64d0f1332fcc503babad4dc31aead7131ca upstream.
+
+As reported by syzbot, we should not use rcu_dereference()
+when rcu_read_lock() is not held.
+
+WARNING: suspicious RCU usage
+5.19.0-rc2-syzkaller #0 Not tainted
+
+net/ipv6/addrconf.c:5175 suspicious rcu_dereference_check() usage!
+
+other info that might help us debug this:
+
+rcu_scheduler_active = 2, debug_locks = 1
+1 lock held by syz-executor326/3617:
+ #0: ffffffff8d5848e8 (rtnl_mutex){+.+.}-{3:3}, at: netlink_dump+0xae/0xc20 net/netlink/af_netlink.c:2223
+
+stack backtrace:
+CPU: 0 PID: 3617 Comm: syz-executor326 Not tainted 5.19.0-rc2-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
+ in6_dump_addrs+0x12d1/0x1790 net/ipv6/addrconf.c:5175
+ inet6_dump_addr+0x9c1/0xb50 net/ipv6/addrconf.c:5300
+ netlink_dump+0x541/0xc20 net/netlink/af_netlink.c:2275
+ __netlink_dump_start+0x647/0x900 net/netlink/af_netlink.c:2380
+ netlink_dump_start include/linux/netlink.h:245 [inline]
+ rtnetlink_rcv_msg+0x73e/0xc90 net/core/rtnetlink.c:6046
+ netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2501
+ netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
+ netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345
+ netlink_sendmsg+0x917/0xe10 net/netlink/af_netlink.c:1921
+ sock_sendmsg_nosec net/socket.c:714 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:734
+ ____sys_sendmsg+0x6eb/0x810 net/socket.c:2492
+ ___sys_sendmsg+0xf3/0x170 net/socket.c:2546
+ __sys_sendmsg net/socket.c:2575 [inline]
+ __do_sys_sendmsg net/socket.c:2584 [inline]
+ __se_sys_sendmsg net/socket.c:2582 [inline]
+ __x64_sys_sendmsg+0x132/0x220 net/socket.c:2582
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+Fixes: 88e2ca308094 ("mld: convert ifmcaddr6 to RCU")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Taehee Yoo <ap420073@gmail.com>
+Link: https://lore.kernel.org/r/20220628121248.858695-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/addrconf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -5170,9 +5170,9 @@ next:
+ fillargs->event = RTM_GETMULTICAST;
+
+ /* multicast address */
+- for (ifmca = rcu_dereference(idev->mc_list);
++ for (ifmca = rtnl_dereference(idev->mc_list);
+ ifmca;
+- ifmca = rcu_dereference(ifmca->next), ip_idx++) {
++ ifmca = rtnl_dereference(ifmca->next), ip_idx++) {
+ if (ip_idx < s_ip_idx)
+ continue;
+ err = inet6_fill_ifmcaddr(skb, ifmca, fillargs);
--- /dev/null
+From adabdd8f6acabc0c3fdbba2e7f5a2edd9c5ef22d Mon Sep 17 00:00:00 2001
+From: katrinzhou <katrinzhou@tencent.com>
+Date: Tue, 28 Jun 2022 11:50:30 +0800
+Subject: ipv6/sit: fix ipip6_tunnel_get_prl return value
+
+From: katrinzhou <katrinzhou@tencent.com>
+
+commit adabdd8f6acabc0c3fdbba2e7f5a2edd9c5ef22d upstream.
+
+When kcalloc fails, ipip6_tunnel_get_prl() should return -ENOMEM.
+Move the position of label "out" to return correctly.
+
+Addresses-Coverity: ("Unused value")
+Fixes: 300aaeeaab5f ("[IPV6] SIT: Add SIOCGETPRL ioctl to get/dump PRL.")
+Signed-off-by: katrinzhou <katrinzhou@tencent.com>
+Reviewed-by: Eric Dumazet<edumazet@google.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://lore.kernel.org/r/20220628035030.1039171-1-zys.zljxml@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/sit.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/net/ipv6/sit.c
++++ b/net/ipv6/sit.c
+@@ -323,8 +323,6 @@ static int ipip6_tunnel_get_prl(struct n
+ kcalloc(cmax, sizeof(*kp), GFP_KERNEL_ACCOUNT | __GFP_NOWARN) :
+ NULL;
+
+- rcu_read_lock();
+-
+ ca = min(t->prl_count, cmax);
+
+ if (!kp) {
+@@ -341,7 +339,7 @@ static int ipip6_tunnel_get_prl(struct n
+ }
+ }
+
+- c = 0;
++ rcu_read_lock();
+ for_each_prl_rcu(t->prl) {
+ if (c >= cmax)
+ break;
+@@ -353,7 +351,7 @@ static int ipip6_tunnel_get_prl(struct n
+ if (kprl.addr != htonl(INADDR_ANY))
+ break;
+ }
+-out:
++
+ rcu_read_unlock();
+
+ len = sizeof(*kp) * c;
+@@ -362,7 +360,7 @@ out:
+ ret = -EFAULT;
+
+ kfree(kp);
+-
++out:
+ return ret;
+ }
+
--- /dev/null
+From 665030fd0c1ed9f505932e6e73e7a2c788787a0a Mon Sep 17 00:00:00 2001
+From: Petr Machata <petrm@nvidia.com>
+Date: Wed, 29 Jun 2022 10:02:05 +0300
+Subject: mlxsw: spectrum_router: Fix rollback in tunnel next hop init
+
+From: Petr Machata <petrm@nvidia.com>
+
+commit 665030fd0c1ed9f505932e6e73e7a2c788787a0a upstream.
+
+In mlxsw_sp_nexthop6_init(), a next hop is always added to the router
+linked list, and mlxsw_sp_nexthop_type_init() is invoked afterwards. When
+that function results in an error, the next hop will not have been removed
+from the linked list. As the error is propagated upwards and the caller
+frees the next hop object, the linked list ends up holding an invalid
+object.
+
+A similar issue comes up with mlxsw_sp_nexthop4_init(), where rollback
+block does exist, however does not include the linked list removal.
+
+Both IPv6 and IPv4 next hops have a similar issue with next-hop counter
+rollbacks. As these were introduced in the same patchset as the next hop
+linked list, include the cleanup in this patch.
+
+Fixes: dbe4598c1e92 ("mlxsw: spectrum_router: Keep nexthops in a linked list")
+Fixes: a5390278a5eb ("mlxsw: spectrum: Add support for setting counters on nexthops")
+Signed-off-by: Petr Machata <petrm@nvidia.com>
+Reviewed-by: Amit Cohen <amcohen@nvidia.com>
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://lore.kernel.org/r/20220629070205.803952-1-idosch@nvidia.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
+@@ -4418,6 +4418,8 @@ static int mlxsw_sp_nexthop4_init(struct
+ return 0;
+
+ err_nexthop_neigh_init:
++ list_del(&nh->router_list_node);
++ mlxsw_sp_nexthop_counter_free(mlxsw_sp, nh);
+ mlxsw_sp_nexthop_remove(mlxsw_sp, nh);
+ return err;
+ }
+@@ -6743,6 +6745,7 @@ static int mlxsw_sp_nexthop6_init(struct
+ const struct fib6_info *rt)
+ {
+ struct net_device *dev = rt->fib6_nh->fib_nh_dev;
++ int err;
+
+ nh->nhgi = nh_grp->nhgi;
+ nh->nh_weight = rt->fib6_nh->fib_nh_weight;
+@@ -6758,7 +6761,16 @@ static int mlxsw_sp_nexthop6_init(struct
+ return 0;
+ nh->ifindex = dev->ifindex;
+
+- return mlxsw_sp_nexthop_type_init(mlxsw_sp, nh, dev);
++ err = mlxsw_sp_nexthop_type_init(mlxsw_sp, nh, dev);
++ if (err)
++ goto err_nexthop_type_init;
++
++ return 0;
++
++err_nexthop_type_init:
++ list_del(&nh->router_list_node);
++ mlxsw_sp_nexthop_counter_free(mlxsw_sp, nh);
++ return err;
+ }
+
+ static void mlxsw_sp_nexthop6_fini(struct mlxsw_sp *mlxsw_sp,
--- /dev/null
+From 34ad61514c4c3657df21a058f9961c3bb2f84ff2 Mon Sep 17 00:00:00 2001
+From: Alan Adamson <alan.adamson@oracle.com>
+Date: Mon, 27 Jun 2022 16:25:43 -0700
+Subject: nvmet: add a clear_ids attribute for passthru targets
+
+From: Alan Adamson <alan.adamson@oracle.com>
+
+commit 34ad61514c4c3657df21a058f9961c3bb2f84ff2 upstream.
+
+If the clear_ids attribute is set to true, the EUI/GUID/UUID is cleared
+for the passthru target. By default, loop targets will set clear_ids to
+true.
+
+This resolves an issue where a connect to a passthru target fails when
+using a trtype of 'loop' because EUI/GUID/UUID is not unique.
+
+Fixes: 2079f41ec6ff ("nvme: check that EUI/GUID/UUID are globally unique")
+Signed-off-by: Alan Adamson <alan.adamson@oracle.com>
+Reviewed-by: Keith Busch <kbusch@kernel.org>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/target/configfs.c | 20 ++++++++++++++
+ drivers/nvme/target/core.c | 6 ++++
+ drivers/nvme/target/nvmet.h | 1
+ drivers/nvme/target/passthru.c | 55 +++++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 82 insertions(+)
+
+--- a/drivers/nvme/target/configfs.c
++++ b/drivers/nvme/target/configfs.c
+@@ -773,11 +773,31 @@ static ssize_t nvmet_passthru_io_timeout
+ }
+ CONFIGFS_ATTR(nvmet_passthru_, io_timeout);
+
++static ssize_t nvmet_passthru_clear_ids_show(struct config_item *item,
++ char *page)
++{
++ return sprintf(page, "%u\n", to_subsys(item->ci_parent)->clear_ids);
++}
++
++static ssize_t nvmet_passthru_clear_ids_store(struct config_item *item,
++ const char *page, size_t count)
++{
++ struct nvmet_subsys *subsys = to_subsys(item->ci_parent);
++ unsigned int clear_ids;
++
++ if (kstrtouint(page, 0, &clear_ids))
++ return -EINVAL;
++ subsys->clear_ids = clear_ids;
++ return count;
++}
++CONFIGFS_ATTR(nvmet_passthru_, clear_ids);
++
+ static struct configfs_attribute *nvmet_passthru_attrs[] = {
+ &nvmet_passthru_attr_device_path,
+ &nvmet_passthru_attr_enable,
+ &nvmet_passthru_attr_admin_timeout,
+ &nvmet_passthru_attr_io_timeout,
++ &nvmet_passthru_attr_clear_ids,
+ NULL,
+ };
+
+--- a/drivers/nvme/target/core.c
++++ b/drivers/nvme/target/core.c
+@@ -1374,6 +1374,12 @@ u16 nvmet_alloc_ctrl(const char *subsysn
+ ctrl->port = req->port;
+ ctrl->ops = req->ops;
+
++#ifdef CONFIG_NVME_TARGET_PASSTHRU
++ /* By default, set loop targets to clear IDS by default */
++ if (ctrl->port->disc_addr.trtype == NVMF_TRTYPE_LOOP)
++ subsys->clear_ids = 1;
++#endif
++
+ INIT_WORK(&ctrl->async_event_work, nvmet_async_event_work);
+ INIT_LIST_HEAD(&ctrl->async_events);
+ INIT_RADIX_TREE(&ctrl->p2p_ns_map, GFP_KERNEL);
+--- a/drivers/nvme/target/nvmet.h
++++ b/drivers/nvme/target/nvmet.h
+@@ -249,6 +249,7 @@ struct nvmet_subsys {
+ struct config_group passthru_group;
+ unsigned int admin_timeout;
+ unsigned int io_timeout;
++ unsigned int clear_ids;
+ #endif /* CONFIG_NVME_TARGET_PASSTHRU */
+
+ #ifdef CONFIG_BLK_DEV_ZONED
+--- a/drivers/nvme/target/passthru.c
++++ b/drivers/nvme/target/passthru.c
+@@ -30,6 +30,53 @@ void nvmet_passthrough_override_cap(stru
+ ctrl->cap &= ~(1ULL << 43);
+ }
+
++static u16 nvmet_passthru_override_id_descs(struct nvmet_req *req)
++{
++ struct nvmet_ctrl *ctrl = req->sq->ctrl;
++ u16 status = NVME_SC_SUCCESS;
++ int pos, len;
++ bool csi_seen = false;
++ void *data;
++ u8 csi;
++
++ if (!ctrl->subsys->clear_ids)
++ return status;
++
++ data = kzalloc(NVME_IDENTIFY_DATA_SIZE, GFP_KERNEL);
++ if (!data)
++ return NVME_SC_INTERNAL;
++
++ status = nvmet_copy_from_sgl(req, 0, data, NVME_IDENTIFY_DATA_SIZE);
++ if (status)
++ goto out_free;
++
++ for (pos = 0; pos < NVME_IDENTIFY_DATA_SIZE; pos += len) {
++ struct nvme_ns_id_desc *cur = data + pos;
++
++ if (cur->nidl == 0)
++ break;
++ if (cur->nidt == NVME_NIDT_CSI) {
++ memcpy(&csi, cur + 1, NVME_NIDT_CSI_LEN);
++ csi_seen = true;
++ break;
++ }
++ len = sizeof(struct nvme_ns_id_desc) + cur->nidl;
++ }
++
++ memset(data, 0, NVME_IDENTIFY_DATA_SIZE);
++ if (csi_seen) {
++ struct nvme_ns_id_desc *cur = data;
++
++ cur->nidt = NVME_NIDT_CSI;
++ cur->nidl = NVME_NIDT_CSI_LEN;
++ memcpy(cur + 1, &csi, NVME_NIDT_CSI_LEN);
++ }
++ status = nvmet_copy_to_sgl(req, 0, data, NVME_IDENTIFY_DATA_SIZE);
++out_free:
++ kfree(data);
++ return status;
++}
++
+ static u16 nvmet_passthru_override_id_ctrl(struct nvmet_req *req)
+ {
+ struct nvmet_ctrl *ctrl = req->sq->ctrl;
+@@ -152,6 +199,11 @@ static u16 nvmet_passthru_override_id_ns
+ */
+ id->mc = 0;
+
++ if (req->sq->ctrl->subsys->clear_ids) {
++ memset(id->nguid, 0, NVME_NIDT_NGUID_LEN);
++ memset(id->eui64, 0, NVME_NIDT_EUI64_LEN);
++ }
++
+ status = nvmet_copy_to_sgl(req, 0, id, sizeof(*id));
+
+ out_free:
+@@ -176,6 +228,9 @@ static void nvmet_passthru_execute_cmd_w
+ case NVME_ID_CNS_NS:
+ nvmet_passthru_override_id_ns(req);
+ break;
++ case NVME_ID_CNS_NS_DESC_LIST:
++ nvmet_passthru_override_id_descs(req);
++ break;
+ }
+ } else if (status < 0)
+ status = NVME_SC_INTERNAL;
cpufreq-qcom-hw-don-t-do-lmh-things-without-a-throttle-interrupt.patch
tcp-add-a-missing-nf_reset_ct-in-3whs-handling.patch
nvmet-tcp-fix-regression-in-data_digest-calculation.patch
+acpi-video-change-how-we-determine-if-brightness-key-presses-are-handled.patch
+tunnels-do-not-assume-mac-header-is-set-in-skb_tunnel_check_pmtu.patch
+fanotify-refine-the-validation-checks-on-non-dir-inode-mask.patch
+nvmet-add-a-clear_ids-attribute-for-passthru-targets.patch
+ipv6-sit-fix-ipip6_tunnel_get_prl-return-value.patch
+ipv6-fix-lockdep-splat-in-in6_dump_addrs.patch
+mlxsw-spectrum_router-fix-rollback-in-tunnel-next-hop-init.patch
--- /dev/null
+From 853a7614880231747040cada91d2b8d2e995c51a Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 24 Jun 2022 15:30:20 +0000
+Subject: tunnels: do not assume mac header is set in skb_tunnel_check_pmtu()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 853a7614880231747040cada91d2b8d2e995c51a upstream.
+
+Recently added debug in commit f9aefd6b2aa3 ("net: warn if mac header
+was not set") caught a bug in skb_tunnel_check_pmtu(), as shown
+in this syzbot report [1].
+
+In ndo_start_xmit() paths, there is really no need to use skb->mac_header,
+because skb->data is supposed to point at it.
+
+[1] WARNING: CPU: 1 PID: 8604 at include/linux/skbuff.h:2784 skb_mac_header_len include/linux/skbuff.h:2784 [inline]
+WARNING: CPU: 1 PID: 8604 at include/linux/skbuff.h:2784 skb_tunnel_check_pmtu+0x5de/0x2f90 net/ipv4/ip_tunnel_core.c:413
+Modules linked in:
+CPU: 1 PID: 8604 Comm: syz-executor.3 Not tainted 5.19.0-rc2-syzkaller-00443-g8720bd951b8e #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:skb_mac_header_len include/linux/skbuff.h:2784 [inline]
+RIP: 0010:skb_tunnel_check_pmtu+0x5de/0x2f90 net/ipv4/ip_tunnel_core.c:413
+Code: 00 00 00 00 fc ff df 4c 89 fa 48 c1 ea 03 80 3c 02 00 0f 84 b9 fe ff ff 4c 89 ff e8 7c 0f d7 f9 e9 ac fe ff ff e8 c2 13 8a f9 <0f> 0b e9 28 fc ff ff e8 b6 13 8a f9 48 8b 54 24 70 48 b8 00 00 00
+RSP: 0018:ffffc90002e4f520 EFLAGS: 00010212
+RAX: 0000000000000324 RBX: ffff88804d5fd500 RCX: ffffc90005b52000
+RDX: 0000000000040000 RSI: ffffffff87f05e3e RDI: 0000000000000003
+RBP: ffffc90002e4f650 R08: 0000000000000003 R09: 000000000000ffff
+R10: 000000000000ffff R11: 0000000000000000 R12: 000000000000ffff
+R13: 0000000000000000 R14: 000000000000ffcd R15: 000000000000001f
+FS: 00007f3babba9700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000020000080 CR3: 0000000075319000 CR4: 00000000003506e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+<TASK>
+geneve_xmit_skb drivers/net/geneve.c:927 [inline]
+geneve_xmit+0xcf8/0x35d0 drivers/net/geneve.c:1107
+__netdev_start_xmit include/linux/netdevice.h:4805 [inline]
+netdev_start_xmit include/linux/netdevice.h:4819 [inline]
+__dev_direct_xmit+0x500/0x730 net/core/dev.c:4309
+dev_direct_xmit include/linux/netdevice.h:3007 [inline]
+packet_direct_xmit+0x1b8/0x2c0 net/packet/af_packet.c:282
+packet_snd net/packet/af_packet.c:3073 [inline]
+packet_sendmsg+0x21f4/0x55d0 net/packet/af_packet.c:3104
+sock_sendmsg_nosec net/socket.c:714 [inline]
+sock_sendmsg+0xcf/0x120 net/socket.c:734
+____sys_sendmsg+0x6eb/0x810 net/socket.c:2489
+___sys_sendmsg+0xf3/0x170 net/socket.c:2543
+__sys_sendmsg net/socket.c:2572 [inline]
+__do_sys_sendmsg net/socket.c:2581 [inline]
+__se_sys_sendmsg net/socket.c:2579 [inline]
+__x64_sys_sendmsg+0x132/0x220 net/socket.c:2579
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x46/0xb0
+RIP: 0033:0x7f3baaa89109
+Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f3babba9168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00007f3baab9bf60 RCX: 00007f3baaa89109
+RDX: 0000000000000000 RSI: 0000000020000a00 RDI: 0000000000000003
+RBP: 00007f3baaae305d R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007ffe74f2543f R14: 00007f3babba9300 R15: 0000000000022000
+</TASK>
+
+Fixes: 4cb47a8644cc ("tunnels: PMTU discovery support for directly bridged IP packets")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Stefano Brivio <sbrivio@redhat.com>
+Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_tunnel_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/ip_tunnel_core.c
++++ b/net/ipv4/ip_tunnel_core.c
+@@ -410,7 +410,7 @@ int skb_tunnel_check_pmtu(struct sk_buff
+ u32 mtu = dst_mtu(encap_dst) - headroom;
+
+ if ((skb_is_gso(skb) && skb_gso_validate_network_len(skb, mtu)) ||
+- (!skb_is_gso(skb) && (skb->len - skb_mac_header_len(skb)) <= mtu))
++ (!skb_is_gso(skb) && (skb->len - skb_network_offset(skb)) <= mtu))
+ return 0;
+
+ skb_dst_update_pmtu_no_confirm(skb, mtu);
projects / thirdparty / kernel / stable-queue.git / commitdiff
