diff --git a/patches.suse/0006-nvme-Implement-In-Band-authentication.patch b/patches.suse/0006-nvme-Implement-In-Band-authentication.patch index 8792793..7176997 100644 --- a/patches.suse/0006-nvme-Implement-In-Band-authentication.patch +++ b/patches.suse/0006-nvme-Implement-In-Band-authentication.patch @@ -1433,7 +1433,7 @@ Acked-by: Hannes Reinecke return a->mode; } -@@ -4360,8 +4487,10 @@ static void nvme_handle_aen_notice(struc +@@ -4367,8 +4494,10 @@ static void nvme_handle_aen_notice(struc * recovery actions from interfering with the controller's * firmware activation. */ @@ -1445,7 +1445,7 @@ Acked-by: Hannes Reinecke break; #ifdef CONFIG_NVME_MULTIPATH case NVME_AER_NOTICE_ANA: -@@ -4408,6 +4537,7 @@ EXPORT_SYMBOL_GPL(nvme_complete_async_ev +@@ -4415,6 +4544,7 @@ EXPORT_SYMBOL_GPL(nvme_complete_async_ev void nvme_stop_ctrl(struct nvme_ctrl *ctrl) { nvme_mpath_stop(ctrl); @@ -1453,7 +1453,7 @@ Acked-by: Hannes Reinecke nvme_stop_keep_alive(ctrl); nvme_stop_failfast_work(ctrl); flush_work(&ctrl->async_event_work); -@@ -4464,6 +4594,8 @@ static void nvme_free_ctrl(struct device +@@ -4471,6 +4601,8 @@ static void nvme_free_ctrl(struct device nvme_free_cels(ctrl); nvme_mpath_uninit(ctrl); @@ -1462,7 +1462,7 @@ Acked-by: Hannes Reinecke __free_page(ctrl->discard_page); if (subsys) { -@@ -4554,6 +4686,7 @@ int nvme_init_ctrl(struct nvme_ctrl *ctr +@@ -4561,6 +4693,7 @@ int nvme_init_ctrl(struct nvme_ctrl *ctr nvme_fault_inject_init(&ctrl->fault_inject, dev_name(ctrl->device)); nvme_mpath_init_ctrl(ctrl); @@ -1547,7 +1547,7 @@ Acked-by: Hannes Reinecke { NVMF_OPT_ERR, NULL } }; -@@ -831,6 +867,34 @@ static int nvmf_parse_options(struct nvm +@@ -834,6 +870,34 @@ static int nvmf_parse_options(struct nvm case NVMF_OPT_DISCOVERY: opts->discovery_nqn = true; break; 
@@ -1582,7 +1582,7 @@ Acked-by: Hannes Reinecke default: pr_warn("unknown parameter or missing value '%s' in ctrl creation request\n", p); -@@ -949,6 +1013,7 @@ void nvmf_free_options(struct nvmf_ctrl_ +@@ -952,6 +1016,7 @@ void nvmf_free_options(struct nvmf_ctrl_ kfree(opts->subsysnqn); kfree(opts->host_traddr); kfree(opts->host_iface); @@ -1590,7 +1590,7 @@ Acked-by: Hannes Reinecke kfree(opts); } EXPORT_SYMBOL_GPL(nvmf_free_options); -@@ -958,7 +1023,8 @@ EXPORT_SYMBOL_GPL(nvmf_free_options); +@@ -961,7 +1026,8 @@ EXPORT_SYMBOL_GPL(nvmf_free_options); NVMF_OPT_KATO | NVMF_OPT_HOSTNQN | \ NVMF_OPT_HOST_ID | NVMF_OPT_DUP_CONNECT |\ NVMF_OPT_DISABLE_SQFLOW | NVMF_OPT_DISCOVERY |\ @@ -1600,7 +1600,7 @@ Acked-by: Hannes Reinecke static struct nvme_ctrl * nvmf_create_ctrl(struct device *dev, const char *buf) -@@ -1195,7 +1261,14 @@ static void __exit nvmf_exit(void) +@@ -1198,7 +1264,14 @@ static void __exit nvmf_exit(void) BUILD_BUG_ON(sizeof(struct nvmf_connect_command) != 64); BUILD_BUG_ON(sizeof(struct nvmf_property_get_command) != 64); BUILD_BUG_ON(sizeof(struct nvmf_property_set_command) != 64); @@ -1704,14 +1704,14 @@ Acked-by: Hannes Reinecke nvme_start_queues(&ctrl->ctrl); --- a/drivers/nvme/host/tcp.c +++ b/drivers/nvme/host/tcp.c -@@ -2096,6 +2096,7 @@ static void nvme_tcp_error_recovery_work +@@ -2095,6 +2095,7 @@ static void nvme_tcp_error_recovery_work struct nvme_tcp_ctrl, err_work); struct nvme_ctrl *ctrl = &tcp_ctrl->ctrl; + nvme_auth_stop(ctrl); nvme_stop_keep_alive(ctrl); + flush_work(&ctrl->async_event_work); nvme_tcp_teardown_io_queues(ctrl, false); - /* unquiesce to fail fast pending requests */ --- a/drivers/nvme/host/trace.c +++ b/drivers/nvme/host/trace.c @@ -287,6 +287,34 @@ static const char *nvme_trace_fabrics_pr diff --git a/patches.suse/nvme-tcp-fix-possible-use-after-free-in-transport-er.patch b/patches.suse/nvme-tcp-fix-possible-use-after-free-in-transport-er.patch new file mode 100644 index 0000000..e6050d3 --- /dev/null 
+++ b/patches.suse/nvme-tcp-fix-possible-use-after-free-in-transport-er.patch
@@ -0,0 +1,33 @@
+From: Sagi Grimberg
+Date: Tue, 1 Feb 2022 14:54:20 +0200
+Subject: nvme-tcp: fix possible use-after-free in transport error_recovery
+ work
+Patch-mainline: v5.17-rc3
+Git-commit: ff9fc7ebf5c06de1ef72a69f9b1ab40af8b07f9e
+References: bsc#1193787 bsc#1197146 bsc#1193554
+
+While nvme_tcp_submit_async_event_work is checking the ctrl and queue
+state before preparing the AER command and scheduling io_work, in order
+to fully prevent a race where this check is not reliable the error
+recovery work must flush async_event_work before continuing to destroy
+the admin queue after setting the ctrl state to RESETTING such that
+there is no race .submit_async_event and the error recovery handler
+itself changing the ctrl state.
+
+Tested-by: Chris Leech
+Signed-off-by: Sagi Grimberg
+Acked-by: Daniel Wagner
+---
+ drivers/nvme/host/tcp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/nvme/host/tcp.c
++++ b/drivers/nvme/host/tcp.c
+@@ -2096,6 +2096,7 @@ static void nvme_tcp_error_recovery_work
+ struct nvme_ctrl *ctrl = &tcp_ctrl->ctrl;
+
+ nvme_stop_keep_alive(ctrl);
++ flush_work(&ctrl->async_event_work);
+ nvme_tcp_teardown_io_queues(ctrl, false);
+ /* unquiesce to fail fast pending requests */
+ nvme_start_queues(ctrl);
diff --git a/series.conf b/series.conf
index 48a48c9..28cde29 100644
--- a/series.conf
+++ b/series.conf
@@ -8275,6 +8275,7 @@
 patches.suse/cgroup-v1-Require-capabilities-to-set-release_agent.patch
 patches.suse/ALSA-hda-Fix-UAF-of-leds-class-devs-at-unbinding.patch
 patches.suse/nvme-fix-a-possible-use-after-free-in-controller-res.patch
+ patches.suse/nvme-tcp-fix-possible-use-after-free-in-transport-er.patch
 patches.suse/nvme-fabrics-fix-state-check-in-nvmf_ctlr_matches_ba.patch
 patches.suse/scsi-bnx2fc-Make-bnx2fc_recv_frame-mp-safe
 patches.suse/0001-mmc-moxart_remove-Fix-UAF.patch
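Review bot: The `flush_work(&ctrl->async_event_work);` added to nvme_tcp_error_recovery_work in the new nvme-tcp patch has no comment recording the ordering it depends on. Per the description, the flush is only effective once the controller state is already RESETTING and must complete before the admin queue is destroyed. The state change is not visible in this hunk (presumably it happens before this work is queued), so a later reorder of these calls could quietly reopen the use-after-free. I would add above the call something like `/* flush AER work after the state change and before queue teardown so it cannot touch a destroyed admin queue */`. The series.conf hunk adds only the TCP patch, so it is worth confirming whether other fabrics transports that tear down the admin queue from their own error-recovery work need the same flush carried; the function body continues outside the hunk.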