Fixes for 5.10
authorSasha Levin <sashal@kernel.org>
Wed, 4 Oct 2023 09:28:35 +0000 (05:28 -0400)
committerSasha Levin <sashal@kernel.org>
Wed, 4 Oct 2023 09:28:35 +0000 (05:28 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-5.10/netfilter-nft_exthdr-fix-for-unsafe-packet-data-read.patch [new file with mode: 0644]
queue-5.10/netfilter-nft_exthdr-search-chunks-in-sctp-packets-o.patch [new file with mode: 0644]
queue-5.10/nvme-pci-always-return-an-err_ptr-from-nvme_pci_allo.patch [new file with mode: 0644]
queue-5.10/perf-metric-return-early-if-no-cpu-pmu-table-exists.patch [new file with mode: 0644]
queue-5.10/series

diff --git a/queue-5.10/netfilter-nft_exthdr-fix-for-unsafe-packet-data-read.patch b/queue-5.10/netfilter-nft_exthdr-fix-for-unsafe-packet-data-read.patch
new file mode 100644 (file)
index 0000000..f24cfba
--- /dev/null
@@ -0,0 +1,43 @@
+From f51e61672dd183021c0c8b64a2d160524fe71823 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jun 2021 11:40:57 +0200
+Subject: netfilter: nft_exthdr: Fix for unsafe packet data read
+
+From: Phil Sutter <phil@nwl.cc>
+
+[ Upstream commit cf6b5ffdce5a78b2fcb0e53b3a2487c490bcbf7f ]
+
+While iterating through an SCTP packet's chunks, skb_header_pointer() is
+called for the minimum expected chunk header size. If (that part of) the
+skbuff is non-linear, the following memcpy() may read data past
+temporary buffer '_sch'. Use skb_copy_bits() instead which does the
+right thing in this situation.
+
+Fixes: 133dc203d77df ("netfilter: nft_exthdr: Support SCTP chunks")
+Suggested-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_exthdr.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
+index 274c5f0085186..eb183c024ac46 100644
+--- a/net/netfilter/nft_exthdr.c
++++ b/net/netfilter/nft_exthdr.c
+@@ -389,7 +389,9 @@ static void nft_exthdr_sctp_eval(const struct nft_expr *expr,
+                               break;
+                       dest[priv->len / NFT_REG32_SIZE] = 0;
+-                      memcpy(dest, (char *)sch + priv->offset, priv->len);
++                      if (skb_copy_bits(pkt->skb, offset + priv->offset,
++                                        dest, priv->len) < 0)
++                              break;
+                       return;
+               }
+               offset += SCTP_PAD4(ntohs(sch->length));
+-- 
+2.40.1
+
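Review bot: The context line `dest[priv->len / NFT_REG32_SIZE] = 0;` directly above the new skb_copy_bits() call zeroes the register word at index len/4. When priv->len is an exact multiple of NFT_REG32_SIZE, that word is one full register past the bytes the copy fills. Whether that slot still falls inside the register range checked at expression init cannot be seen from this hunk, so the padding write is safer restricted to the partial-word case: `if (priv->len % NFT_REG32_SIZE) dest[priv->len / NFT_REG32_SIZE] = 0;`. nft_exthdr_sctp_eval() begins and ends outside the hunk, so the length checks before the visible `break;` should be confirmed against the 5.10 tree.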
diff --git a/queue-5.10/netfilter-nft_exthdr-search-chunks-in-sctp-packets-o.patch b/queue-5.10/netfilter-nft_exthdr-search-chunks-in-sctp-packets-o.patch
new file mode 100644 (file)
index 0000000..9197b95
--- /dev/null
@@ -0,0 +1,47 @@
+From 1342f4dc576095f01825d0670c5561884bd23845 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jun 2021 19:06:45 +0200
+Subject: netfilter: nft_exthdr: Search chunks in SCTP packets only
+
+From: Phil Sutter <phil@nwl.cc>
+
+[ Upstream commit 5acc44f39458f43dac9724cefa4da29847cfe997 ]
+
+Since user space does not generate a payload dependency, plain sctp
+chunk matches cause searching in non-SCTP packets, too. Avoid this
+potential mis-interpretation of packet data by checking pkt->tprot.
+
+Fixes: 133dc203d77df ("netfilter: nft_exthdr: Support SCTP chunks")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_exthdr.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
+index b4682aeabab96..274c5f0085186 100644
+--- a/net/netfilter/nft_exthdr.c
++++ b/net/netfilter/nft_exthdr.c
+@@ -371,6 +371,9 @@ static void nft_exthdr_sctp_eval(const struct nft_expr *expr,
+       const struct sctp_chunkhdr *sch;
+       struct sctp_chunkhdr _sch;
++      if (pkt->tprot != IPPROTO_SCTP)
++              goto err;
++
+       do {
+               sch = skb_header_pointer(pkt->skb, offset, sizeof(_sch), &_sch);
+               if (!sch || !sch->length)
+@@ -391,7 +394,7 @@ static void nft_exthdr_sctp_eval(const struct nft_expr *expr,
+               }
+               offset += SCTP_PAD4(ntohs(sch->length));
+       } while (offset < pkt->skb->len);
+-
++err:
+       if (priv->flags & NFT_EXTHDR_F_PRESENT)
+               nft_reg_store8(dest, false);
+       else
+-- 
+2.40.1
+
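Review bot: The new guard `if (pkt->tprot != IPPROTO_SCTP) goto err;` in the first hunk checks only the protocol number, which a later IP fragment also carries even though no SCTP header sits at the transport offset. If this path can see unreassembled fragments (not determinable from the hunk), the chunk walk would still parse payload bytes as chunk headers, which is the misinterpretation the commit message sets out to avoid. Consider also bailing out when the packet's fragment offset is non-zero, or state the assumption in a comment above the guard such as `/* chunk walk needs the SCTP header at the transport offset: not for later fragments */`. The function body starts before the first hunk and continues past the second.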
diff --git a/queue-5.10/nvme-pci-always-return-an-err_ptr-from-nvme_pci_allo.patch b/queue-5.10/nvme-pci-always-return-an-err_ptr-from-nvme_pci_allo.patch
new file mode 100644 (file)
index 0000000..fc3ddfc
--- /dev/null
@@ -0,0 +1,47 @@
+From b10951baf4ad1ab8993cd2799044c42e4ee0d2e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Feb 2023 17:43:57 -0300
+Subject: nvme-pci: always return an ERR_PTR from nvme_pci_alloc_dev
+
+From: Irvin Cote <irvin.cote@insa-lyon.fr>
+
+[ Upstream commit dc785d69d753a3894c93afc23b91404652382ead ]
+
+Don't mix NULL and ERR_PTR returns.
+
+Fixes: 2e87570be9d2 ("nvme-pci: factor out a nvme_pci_alloc_dev helper")
+Signed-off-by: Irvin Cote <irvin.cote@insa-lyon.fr>
+Reviewed-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index 7bb42d0e087af..9c67ebd4eac38 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -2868,7 +2868,7 @@ static struct nvme_dev *nvme_pci_alloc_dev(struct pci_dev *pdev,
+       dev = kzalloc_node(sizeof(*dev), GFP_KERNEL, node);
+       if (!dev)
+-              return NULL;
++              return ERR_PTR(-ENOMEM);
+       INIT_WORK(&dev->ctrl.reset_work, nvme_reset_work);
+       INIT_WORK(&dev->remove_work, nvme_remove_dead_ctrl_work);
+       mutex_init(&dev->shutdown_lock);
+@@ -2913,8 +2913,8 @@ static int nvme_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+       int result = -ENOMEM;
+       dev = nvme_pci_alloc_dev(pdev, id);
+-      if (!dev)
+-              return -ENOMEM;
++      if (IS_ERR(dev))
++              return PTR_ERR(dev);
+       result = nvme_dev_map(dev);
+       if (result)
+-- 
+2.40.1
+
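Review bot: In the second hunk, nvme_probe() now tests `IS_ERR(dev)` instead of `!dev`, so a NULL from nvme_pci_alloc_dev() would no longer be caught and would reach `nvme_dev_map(dev)`. Only the kzalloc_node() failure return is visibly converted in the first hunk; the helper's other exits lie outside it and should be checked in the 5.10 backport to confirm that none returns NULL. Documenting the contract on the helper would make this auditable, for example `/* Returns a valid nvme_dev or an ERR_PTR(); never NULL. */`. The initialiser `int result = -ENOMEM;` kept as context may now be unused until `nvme_dev_map()` assigns it.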
diff --git a/queue-5.10/perf-metric-return-early-if-no-cpu-pmu-table-exists.patch b/queue-5.10/perf-metric-return-early-if-no-cpu-pmu-table-exists.patch
new file mode 100644 (file)
index 0000000..a1893d6
--- /dev/null
@@ -0,0 +1,78 @@
+From d2725fc61d0846c110e6a0b5279193b84f509646 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Aug 2022 09:48:40 -0700
+Subject: perf metric: Return early if no CPU PMU table exists
+
+From: Ian Rogers <irogers@google.com>
+
+[ Upstream commit 3f5df3ac646e21a79a421ae4037c4ef0632bcaa9 ]
+
+Previous behavior is to segfault if there is no CPU PMU table and a
+metric is sought. To reproduce compile with NO_JEVENTS=1 then request a
+metric, for example, "perf stat -M IPC true".
+
+Committer testing:
+
+Before:
+
+  $ make -k NO_JEVENTS=1 BUILD_BPF_SKEL=1 O=/tmp/build/perf-urgent -C tools/perf install-bin
+  $ perf stat -M IPC true
+  Segmentation fault (core dumped)
+  $
+
+After:
+
+  $ perf stat -M IPC true
+
+   Usage: perf stat [<options>] [<command>]
+
+      -M, --metrics <metric/metric group list>
+                            monitor specified metrics or metric groups (separated by ,)
+  $
+
+Fixes: 00facc760903be66 ("perf jevents: Switch build to use jevents.py")
+Signed-off-by: Ian Rogers <irogers@google.com>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Caleb Biggers <caleb.biggers@intel.com>
+Cc: Florian Fischer <florian.fischer@muhq.space>
+Cc: Ian Rogers <rogers.email@gmail.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: James Clark <james.clark@arm.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: John Garry <john.garry@huawei.com>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Kshipra Bopardikar <kshipra.bopardikar@intel.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Miaoqian Lin <linmq006@gmail.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Perry Taylor <perry.taylor@intel.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Richter <tmricht@linux.ibm.com>
+Cc: Xing Zhengjun <zhengjun.xing@linux.intel.com>
+Link: https://lore.kernel.org/r/20220830164846.401143-3-irogers@google.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/metricgroup.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tools/perf/util/metricgroup.c b/tools/perf/util/metricgroup.c
+index 060454a172935..81b274aa81c18 100644
+--- a/tools/perf/util/metricgroup.c
++++ b/tools/perf/util/metricgroup.c
+@@ -1122,6 +1122,9 @@ int metricgroup__parse_groups(const struct option *opt,
+       if (!map)
+               return 0;
++      if (!table)
++              return -EINVAL;
++
+       return parse_groups(perf_evlist, str, metric_no_group,
+                           metric_no_merge, NULL, metric_events, map);
+ }
+-- 
+2.40.1
+
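Review bot: The added check `if (!table) return -EINVAL;` refers to `table`, but every neighbouring context line in metricgroup__parse_groups() uses `map`: the preceding `if (!map) return 0;` and the `map` argument passed to parse_groups(). Unless a `table` variable is declared earlier in the 5.10 version of this function (its start is outside the hunk), this backport will not compile. If `map` is the 5.10 equivalent, the NULL case is already handled by the preceding check, and the two would disagree on the return value (0 versus -EINVAL). The Fixes: tag names the jevents.py build switch, so it is worth confirming that commit is present in 5.10 before queuing this patch.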
index f3fee339c0c411fd22d4c47eca6b396244f81f7b..17db4329e6613a1d40a4201f4feeb24e3e7e3ff0 100644 (file)
@@ -139,3 +139,7 @@ nvme-pci-factor-out-a-nvme_pci_alloc_dev-helper.patch
 nvme-pci-do-not-set-the-numa-node-of-device-if-it-ha.patch
 watchdog-itco_wdt-no-need-to-stop-the-timer-in-probe.patch
 watchdog-itco_wdt-set-no_reboot-if-the-watchdog-is-n.patch
+perf-metric-return-early-if-no-cpu-pmu-table-exists.patch
+netfilter-nft_exthdr-search-chunks-in-sctp-packets-o.patch
+netfilter-nft_exthdr-fix-for-unsafe-packet-data-read.patch
+nvme-pci-always-return-an-err_ptr-from-nvme_pci_allo.patch