Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Merge tag 'block-6.14-20250306' of git://git.kernel.dk/linux

Pull block fixes from Jens Axboe:

- NVMe pull request via Keith:
- TCP use after free fix on polling (Sagi)
- Controller memory buffer cleanup fixes (Icenowy)
- Free leaking requests on bad user passthrough commands (Keith)
- TCP error message fix (Maurizio)
- TCP corruption fix on partial PDU (Maurizio)
- TCP memory ordering fix for weakly ordered archs (Meir)
- Type coercion fix on message error for TCP (Dan)

- Name the RQF flags enum, fixing issues with anon enums and BPF import
of it

- ublk parameter setting fix

- GPT partition 7-bit conversion fix

* tag 'block-6.14-20250306' of git://git.kernel.dk/linux:
block: Name the RQF flags enum
nvme-tcp: fix signedness bug in nvme_tcp_init_connection()
block: fix conversion of GPT partition name to 7-bit
ublk: set_params: properly check if parameters can be applied
nvmet-tcp: Fix a possible sporadic response drops in weakly ordered arch
nvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu()
nvme-tcp: Fix a C2HTermReq error message
nvmet: remove old function prototype
nvme-ioctl: fix leaked requests on mapping error
nvme-pci: skip CMB blocks incompatible with PCI P2P DMA
nvme-pci: clean up CMBMSC when registering CMB fails
nvme-tcp: fix possible UAF in nvme_tcp_poll

+75 -30
+1 -1
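--- a/block/partitions/efi.c
+++ b/block/partitions/efi.c
@@ -682,7 +682,7 @@
 out[size] = 0;
 
 while (i < size) {
-u8 c = le16_to_cpu(in[i]) & 0xff;
+u8 c = le16_to_cpu(in[i]) & 0x7f;
 
 if (c && !isprint(c))
 c = '!';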
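Review bot: The mask on the `u8 c = le16_to_cpu(in[i]) & 0x7f;` line still truncates each UTF-16 code unit, so a non-ASCII character is folded onto an unrelated ASCII one instead of being replaced by `!` like other unprintable input. The name comes from the on-disk GPT and is therefore untrusted, and a folded label could collide with or imitate a legitimate one if consumers match on the converted name. Consider testing the full code unit first, for example `u16 w = le16_to_cpu(in[i]); u8 c = w < 0x80 ? w : '!';`, and add a comment stating that the output is restricted to 7-bit ASCII. The loop body continues outside the hunk, so confirm nothing later depends on the folded value.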
+5 -2
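--- a/drivers/block/ublk_drv.c
+++ b/drivers/block/ublk_drv.c
@@ -2715,9 +2715,12 @@
 if (ph.len > sizeof(struct ublk_params))
 ph.len = sizeof(struct ublk_params);
 
-/* parameters can only be changed when device isn't live */
 mutex_lock(&ub->mutex);
-if (ub->dev_info.state == UBLK_S_DEV_LIVE) {
+if (test_bit(UB_STATE_USED, &ub->state)) {
+/*
+ * Parameters can only be changed when device hasn't
+ * been started yet
+ */
 ret = -EACCES;
 } else if (copy_from_user(&ub->params, argp, ph.len)) {
 ret = -EFAULT;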
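Review bot: The comment added inside the `test_bit(UB_STATE_USED, &ub->state)` branch does not say where the bit is set or whether it is ever cleared, which is what determines if a stopped device can be given new parameters. Since this is the gate in front of a user-supplied `copy_from_user()` into `ub->params`, spell the rule out above the condition, e.g. `/* UB_STATE_USED is set once the device has been started; parameters are frozen from then on */`, after confirming that wording against the code that sets the bit. The enclosing function starts and ends outside the hunk.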
+8 -4
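--- a/drivers/nvme/host/ioctl.c
+++ b/drivers/nvme/host/ioctl.c
@@ -128,8 +128,10 @@
 if (!nvme_ctrl_sgl_supported(ctrl))
 dev_warn_once(ctrl->device, "using unchecked data buffer\n");
 if (has_metadata) {
-if (!supports_metadata)
-return -EINVAL;
+if (!supports_metadata) {
+ret = -EINVAL;
+goto out;
+}
 if (!nvme_ctrl_meta_sgl_supported(ctrl))
 dev_warn_once(ctrl->device,
 "using unchecked metadata buffer\n");
@@ -139,8 +141,10 @@
 struct iov_iter iter;
 
 /* fixedbufs is only for non-vectored io */
-if (WARN_ON_ONCE(flags & NVME_IOCTL_VEC))
-return -EINVAL;
+if (WARN_ON_ONCE(flags & NVME_IOCTL_VEC)) {
+ret = -EINVAL;
+goto out;
+}
 ret = io_uring_cmd_import_fixed(ubuffer, bufflen,
 rq_data_dir(req), &iter, ioucmd);
 if (ret < 0)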
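Review bot: `WARN_ON_ONCE(flags & NVME_IOCTL_VEC)` in the second hunk guards a flag combination, and it is worth confirming that callers reject that combination before it can be requested from userspace. If they do not, a submitter can trigger a kernel warning (fatal when panic_on_warn is set); in that case a plain `if (flags & NVME_IOCTL_VEC) { ret = -EINVAL; goto out; }` is the safer form. The `out` label and the start of the function are outside the hunks, so a one-line comment at the label stating what it releases would help future early exits avoid the leak this change fixes.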
+13 -8
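--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -1983,6 +1983,18 @@
 return;
 
 /*
+ * Controllers may support a CMB size larger than their BAR, for
+ * example, due to being behind a bridge. Reduce the CMB to the
+ * reported size of the BAR
+ */
+size = min(size, bar_size - offset);
+
+if (!IS_ALIGNED(size, memremap_compat_align()) ||
+!IS_ALIGNED(pci_resource_start(pdev, bar),
+memremap_compat_align()))
+return;
+
+/*
  * Tell the controller about the host side address mapping the CMB,
  * and enable CMB decoding for the NVMe 1.4+ scheme:
  */
@@ -1992,17 +2004,10 @@
 dev->bar + NVME_REG_CMBMSC);
 }
 
-/*
- * Controllers may support a CMB size larger than their BAR,
- * for example, due to being behind a bridge. Reduce the CMB to
- * the reported size of the BAR
- */
-if (size > bar_size - offset)
-size = bar_size - offset;
-
 if (pci_p2pdma_add_resource(pdev, bar, size, offset)) {
 dev_warn(dev->ctrl.device,
 "failed to register the CMB\n");
+hi_lo_writeq(0, dev->bar + NVME_REG_CMBMSC);
 return;
 }
 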
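Review bot: The new alignment check in the first hunk returns without logging, so a controller whose CMB fails `IS_ALIGNED(..., memremap_compat_align())` silently loses the buffer, unlike the `failed to register the CMB` path below it. Add a message before that `return;`, for example `dev_info(dev->ctrl.device, "CMB not aligned for P2P DMA, skipping\n");`. Separately, `size = min(size, bar_size - offset);` is only safe when `offset <= bar_size`; these values are presumably controller-reported and any guard sits above the hunk, so a short comment naming that guard would make the subtraction reviewable. The function begins and ends outside the hunks.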
+36 -9
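--- a/drivers/nvme/host/tcp.c
+++ b/drivers/nvme/host/tcp.c
@@ -217,6 +217,19 @@
 return queue - queue->ctrl->queues;
 }
 
+static inline bool nvme_tcp_recv_pdu_supported(enum nvme_tcp_pdu_type type)
+{
+switch (type) {
+case nvme_tcp_c2h_term:
+case nvme_tcp_c2h_data:
+case nvme_tcp_r2t:
+case nvme_tcp_rsp:
+return true;
+default:
+return false;
+}
+}
+
 /*
  * Check if the queue is TLS encrypted
  */
@@ -775,7 +788,7 @@
 [NVME_TCP_FES_PDU_SEQ_ERR] = "PDU Sequence Error",
 [NVME_TCP_FES_HDR_DIGEST_ERR] = "Header Digest Error",
 [NVME_TCP_FES_DATA_OUT_OF_RANGE] = "Data Transfer Out Of Range",
-[NVME_TCP_FES_R2T_LIMIT_EXCEEDED] = "R2T Limit Exceeded",
+[NVME_TCP_FES_DATA_LIMIT_EXCEEDED] = "Data Transfer Limit Exceeded",
 [NVME_TCP_FES_UNSUPPORTED_PARAM] = "Unsupported Parameter",
 };
 
@@ -818,6 +831,16 @@
 return 0;
 
 hdr = queue->pdu;
+if (unlikely(hdr->hlen != sizeof(struct nvme_tcp_rsp_pdu))) {
+if (!nvme_tcp_recv_pdu_supported(hdr->type))
+goto unsupported_pdu;
+
+dev_err(queue->ctrl->ctrl.device,
+"pdu type %d has unexpected header length (%d)\n",
+hdr->type, hdr->hlen);
+return -EPROTO;
+}
+
 if (unlikely(hdr->type == nvme_tcp_c2h_term)) {
 /*
  * C2HTermReq never includes Header or Data digests.
@@ -850,10 +873,13 @@
 nvme_tcp_init_recv_ctx(queue);
 return nvme_tcp_handle_r2t(queue, (void *)queue->pdu);
 default:
-dev_err(queue->ctrl->ctrl.device,
-"unsupported pdu type (%d)\n", hdr->type);
-return -EINVAL;
+goto unsupported_pdu;
 }
+
+unsupported_pdu:
+dev_err(queue->ctrl->ctrl.device,
+"unsupported pdu type (%d)\n", hdr->type);
+return -EINVAL;
 }
 
 static inline void nvme_tcp_end_request(struct request *rq, u16 status)
@@ -1495,11 +1521,11 @@
 msg.msg_flags = MSG_WAITALL;
 ret = kernel_recvmsg(queue->sock, &msg, &iov, 1,
 iov.iov_len, msg.msg_flags);
-if (ret < sizeof(*icresp)) {
+if (ret >= 0 && ret < sizeof(*icresp))
+ret = -ECONNRESET;
+if (ret < 0) {
 pr_warn("queue %d: failed to receive icresp, error %d\n",
 nvme_tcp_queue_id(queue), ret);
-if (ret >= 0)
-ret = -ECONNRESET;
 goto free_icresp;
 }
 ret = -ENOTCONN;
@@ -2699,6 +2725,7 @@
 {
 struct nvme_tcp_queue *queue = hctx->driver_data;
 struct sock *sk = queue->sock->sk;
+int ret;
 
 if (!test_bit(NVME_TCP_Q_LIVE, &queue->flags))
 return 0;
@@ -2706,9 +2733,9 @@
 set_bit(NVME_TCP_Q_POLLING, &queue->flags);
 if (sk_can_busy_loop(sk) && skb_queue_empty_lockless(&sk->sk_receive_queue))
 sk_busy_loop(sk, true);
-nvme_tcp_try_recv(queue);
+ret = nvme_tcp_try_recv(queue);
 clear_bit(NVME_TCP_Q_POLLING, &queue->flags);
-return queue->nr_cqe;
+return ret < 0 ? ret : queue->nr_cqe;
 }
 
 static int nvme_tcp_get_address(struct nvme_ctrl *ctrl, char *buf, int size)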
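Review bot: The header-length check `hdr->hlen != sizeof(struct nvme_tcp_rsp_pdu)` applies the response PDU size to every type accepted by `nvme_tcp_recv_pdu_supported()`, which is only correct while all four receive PDU headers have the same size. That invariant is neither stated nor enforced in the visible hunks, and `hlen` is supplied by the peer. Add a comment above the check and a compile-time assertion such as `static_assert(sizeof(struct nvme_tcp_data_pdu) == sizeof(struct nvme_tcp_rsp_pdu));` (likewise for the R2T and termination PDUs), so a future layout change fails the build instead of weakening the check. The function containing the check starts outside the hunk.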
-1
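--- a/drivers/nvme/target/nvmet.h
+++ b/drivers/nvme/target/nvmet.h
@@ -647,7 +647,6 @@
 struct nvmet_host *host);
 void nvmet_add_async_event(struct nvmet_ctrl *ctrl, u8 event_type,
 u8 event_info, u8 log_page);
-bool nvmet_subsys_nsid_exists(struct nvmet_subsys *subsys, u32 nsid);
 
 #define NVMET_MIN_QUEUE_SIZE 16
 #define NVMET_MAX_QUEUE_SIZE 1024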
+11 -4
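--- a/drivers/nvme/target/tcp.c
+++ b/drivers/nvme/target/tcp.c
@@ -571,10 +571,16 @@
 struct nvmet_tcp_cmd *cmd =
 container_of(req, struct nvmet_tcp_cmd, req);
 struct nvmet_tcp_queue *queue = cmd->queue;
+enum nvmet_tcp_recv_state queue_state;
+struct nvmet_tcp_cmd *queue_cmd;
 struct nvme_sgl_desc *sgl;
 u32 len;
 
-if (unlikely(cmd == queue->cmd)) {
+/* Pairs with store_release in nvmet_prepare_receive_pdu() */
+queue_state = smp_load_acquire(&queue->rcv_state);
+queue_cmd = READ_ONCE(queue->cmd);
+
+if (unlikely(cmd == queue_cmd)) {
 sgl = &cmd->req.cmd->common.dptr.sgl;
 len = le32_to_cpu(sgl->length);
 
@@ -583,7 +589,7 @@
  * Avoid using helpers, this might happen before
  * nvmet_req_init is completed.
  */
-if (queue->rcv_state == NVMET_TCP_RECV_PDU &&
+if (queue_state == NVMET_TCP_RECV_PDU &&
 len && len <= cmd->req.port->inline_data_size &&
 nvme_is_write(cmd->req.cmd))
 return;
@@ -847,8 +853,9 @@
 {
 queue->offset = 0;
 queue->left = sizeof(struct nvme_tcp_hdr);
-queue->cmd = NULL;
-queue->rcv_state = NVMET_TCP_RECV_PDU;
+WRITE_ONCE(queue->cmd, NULL);
+/* Ensure rcv_state is visible only after queue->cmd is set */
+smp_store_release(&queue->rcv_state, NVMET_TCP_RECV_PDU);
 }
 
 static void nvmet_tcp_free_crypto(struct nvmet_tcp_queue *queue)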
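Review bot: The writer-side comment `/* Ensure rcv_state is visible only after queue->cmd is set */` in the last hunk does not name its reader, while the reader's comment does name nvmet_prepare_receive_pdu(); make the pairing explicit in both directions, e.g. `/* Pairs with smp_load_acquire() of rcv_state in the response path */`. The ordering only helps if every other store to `queue->cmd` and `queue->rcv_state` is compatible with it; those stores are outside these hunks, so check whether any still use plain assignments and need `WRITE_ONCE()`. Both functions start outside the hunks shown.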
+1 -1
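--- a/include/linux/blk-mq.h
+++ b/include/linux/blk-mq.h
@@ -28,7 +28,7 @@
 typedef __u32 __bitwise req_flags_t;
 
 /* Keep rqf_name[] in sync with the definitions below */
-enum {
+enum rqf_flags {
 /* drive already may have started this one */
 __RQF_STARTED,
 /* request for flush sequence */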