Merge tag 'v6.6.83' into for/openbmc/dev-6.6

This is the 6.6.83 stable release

# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmfSyLoACgkQONu9yGCS
# aT5ioRAAjc8tbbt

Merge tag 'v6.6.83' into for/openbmc/dev-6.6

This is the 6.6.83 stable release

# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmfSyLoACgkQONu9yGCS
# aT5ioRAAjc8tbbt6WfQoHQdy34s+/OUX8H+BTIHuGVbSRqU9xEbKmcaTbaQD266K
# AVcu+FpxwDNF9l1jxeh3XZsyIX5AwrFshA78HVwrz+IXtFcWBajwZ02Hv3EmUEqV
# ZrJksF/B1UcSSeBnAFHk/z3OLhqPgucmAKhlJRSvZf+Ps79+J405aG7/TUt5nVPE
# klQhqh35LWlCOZujKGwgOlJXsWwZdEA3rn87JBQxfTWJGQlMUY7+HP2dOLBu1cdZ
# zi72mkxw9Z6oA1IJl4DhVEsx/EH5P+tVGgiLN5yoJw5+NwB5XdXZ2TH5fZfcEtK4
# PEFs735w4VB8gbhVsDsnI23dSBNwbcwYFJgEIWHd+ZmfwNRSW4W0LPgFaKp79i3M
# CDoi0HZ8v0P9p5ZO+11oCAVfndxtVZlVSAm/lrTS0yEan7jiPcfN173hNfCMWAxj
# TR+O5IT9FbfYeVcnYUE9LdQZf5tx0GakvylGBfPWuwG0oCEQi5C9zSus7+pDSyrG
# rCNjnrhvS1shZrijV4xBaRFfqNv1kWl5k9jZCrq2EiWi1hyL+uiRKvUhhroiE4BF
# OA/2hllJSqzvW0hLcxd9YqbxwlQJ8h+hox4TyCyvA1pjnbtCIAOQ5pxfY4EVcmD9
# oG2B+JGHxQJmSXArRW7KctcAu/h7ciTsC7yej1fXbzBOxeadO/A=
# =3QPz
# -----END PGP SIGNATURE-----
# gpg: Signature made Thu 13 Mar 2025 22:29:54 ACDT
# gpg: using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
# gpg: Good signature from "Greg Kroah-Hartman <gregkh@kernel.org>" [marginal]
# gpg: gregkh@kernel.org: Verified 12 signatures in the past 7 weeks. Encrypted
# 0 messages.
# gpg: Warning: you have yet to encrypt a message to this key!
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg: It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 647F 2865 4894 E3BD 4571 99BE 38DB BDC8 6092 693E

show more ...

nvmet-tcp: Fix a possible sporadic response drops in weakly ordered arch

[ Upstream commit a16f88964c647103dad7743a484b216d488a6352 ]

The order in which queue->cmd and rcv_state are updated is cruc

nvmet-tcp: Fix a possible sporadic response drops in weakly ordered arch

[ Upstream commit a16f88964c647103dad7743a484b216d488a6352 ]

The order in which queue->cmd and rcv_state are updated is crucial.
If these assignments are reordered by the compiler, the worker might not
get queued in nvmet_tcp_queue_response(), hanging the IO. to enforce the
the correct reordering, set rcv_state using smp_store_release().

Fixes: bdaf13279192 ("nvmet-tcp: fix a segmentation fault during io parsing error")

Signed-off-by: Meir Elisha <meir.elisha@volumez.com>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

show more ...

Merge tag 'v6.6.51' into for/openbmc/dev-6.6

This is the 6.6.51 stable release

nvmet-tcp: fix kernel crash if commands allocation fails

[ Upstream commit 5572a55a6f830ee3f3a994b6b962a5c327d28cb3 ]

If the commands allocation fails in nvmet_tcp_alloc_cmds()
the kernel crashes i

nvmet-tcp: fix kernel crash if commands allocation fails

[ Upstream commit 5572a55a6f830ee3f3a994b6b962a5c327d28cb3 ]

If the commands allocation fails in nvmet_tcp_alloc_cmds()
the kernel crashes in nvmet_tcp_release_queue_work() because of
a NULL pointer dereference.

nvmet: failed to install queue 0 cntlid 1 ret 6
Unable to handle kernel NULL pointer dereference at
virtual address 0000000000000008

Fix the bug by setting queue->nr_cmds to zero in case
nvmet_tcp_alloc_cmd() fails.

Fixes: 872d26a391da ("nvmet-tcp: add NVMe over TCP target driver")
Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

show more ...

Merge tag 'v6.6.48' into for/openbmc/dev-6.6

This is the 6.6.48 stable release

nvmet-tcp: do not continue for invalid icreq

[ Upstream commit 0889d13b9e1cbef49e802ae09f3b516911ad82a1 ]

When the length check for an icreq sqe fails we should not
continue processing but rather r

nvmet-tcp: do not continue for invalid icreq

[ Upstream commit 0889d13b9e1cbef49e802ae09f3b516911ad82a1 ]

When the length check for an icreq sqe fails we should not
continue processing but rather return immediately as all
other contents of that sqe cannot be relied on.

Signed-off-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

show more ...

Merge tag 'v6.6.33' into dev-6.6

This is the 6.6.33 stable release

nvmet-tcp: fix possible memory leak when tearing down a controller

[ Upstream commit 6825bdde44340c5a9121f6d6fa25cc885bd9e821 ]

When we teardown the controller, we wait for pending I/Os to complete

nvmet-tcp: fix possible memory leak when tearing down a controller

[ Upstream commit 6825bdde44340c5a9121f6d6fa25cc885bd9e821 ]

When we teardown the controller, we wait for pending I/Os to complete
(sq->ref on all queues to drop to zero) and then we go over the commands,
and free their command buffers in case they are still fetching data from
the host (e.g. processing nvme writes) and have yet to take a reference
on the sq.

However, we may miss the case where commands have failed before executing
and are queued for sending a response, but will never occur because the
queue socket is already down. In this case we may miss deallocating command
buffers.

Solve this by freeing all commands buffers as nvmet_tcp_free_cmd_buffers is
idempotent anyways.

Reported-by: Yi Zhang <yi.zhang@redhat.com>
Tested-by: Yi Zhang <yi.zhang@redhat.com>
Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

show more ...

Merge tag 'v6.6.19' into dev-6.6

This is the 6.6.19 stable release

nvmet-tcp: fix nvme tcp ida memory leak

[ Upstream commit 47c5dd66c1840524572dcdd956f4af2bdb6fbdff ]

The nvmet_tcp_queue_ida should be destroy when the nvmet-tcp module
exit.

Signed-off-by: Guixin

nvmet-tcp: fix nvme tcp ida memory leak

[ Upstream commit 47c5dd66c1840524572dcdd956f4af2bdb6fbdff ]

The nvmet_tcp_queue_ida should be destroy when the nvmet-tcp module
exit.

Signed-off-by: Guixin Liu <kanie@linux.alibaba.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

show more ...

Merge tag 'v6.6.14' into dev-6.6

This is the 6.6.14 stable release

nvmet-tcp: Fix the H2C expected PDU len calculation

[ Upstream commit 9a1abc24850eb759e36a2f8869161c3b7254c904 ]

The nvmet_tcp_handle_h2c_data_pdu() function should take into
consideration the poss

nvmet-tcp: Fix the H2C expected PDU len calculation

[ Upstream commit 9a1abc24850eb759e36a2f8869161c3b7254c904 ]

The nvmet_tcp_handle_h2c_data_pdu() function should take into
consideration the possibility that the header digest and/or the data
digests are enabled when calculating the expected PDU length, before
comparing it to the value stored in cmd->pdu_len.

Fixes: efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length")
Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

show more ...

nvmet-tcp: fix a crash in nvmet_req_complete()

[ Upstream commit 0849a5441358cef02586fb2d60f707c0db195628 ]

in nvmet_tcp_handle_h2c_data_pdu(), if the host sends a data_offset
different from rbytes

nvmet-tcp: fix a crash in nvmet_req_complete()

[ Upstream commit 0849a5441358cef02586fb2d60f707c0db195628 ]

in nvmet_tcp_handle_h2c_data_pdu(), if the host sends a data_offset
different from rbytes_done, the driver ends up calling nvmet_req_complete()
passing a status error.
The problem is that at this point cmd->req is not yet initialized,
the kernel will crash after dereferencing a NULL pointer.

Fix the bug by replacing the call to nvmet_req_complete() with
nvmet_tcp_fatal_error().

Fixes: 872d26a391da ("nvmet-tcp: add NVMe over TCP target driver")
Reviewed-by: Keith Busch <kbsuch@kernel.org>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

show more ...

nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length

[ Upstream commit efa56305908ba20de2104f1b8508c6a7401833be ]

If the host sends an H2CData command with an invalid DATAL,
the

nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length

[ Upstream commit efa56305908ba20de2104f1b8508c6a7401833be ]

If the host sends an H2CData command with an invalid DATAL,
the kernel may crash in nvmet_tcp_build_pdu_iovec().

Unable to handle kernel NULL pointer dereference at
virtual address 0000000000000000
lr : nvmet_tcp_io_work+0x6ac/0x718 [nvmet_tcp]
Call trace:
process_one_work+0x174/0x3c8
worker_thread+0x2d0/0x3e8
kthread+0x104/0x110

Fix the bug by raising a fatal error if DATAL isn't coherent
with the packet size.
Also, the PDU length should never exceed the MAXH2CDATA parameter which
has been communicated to the host in nvmet_tcp_handle_icreq().

Fixes: 872d26a391da ("nvmet-tcp: add NVMe over TCP target driver")
Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

show more ...

Merge tag 'block-6.6-2023-10-20' of git://git.kernel.dk/linux

Pull block fixes from Jens Axboe:
"A fix for a regression with sed-opal and saved keys, and outside of
that an NVMe pull request fixi

Merge tag 'block-6.6-2023-10-20' of git://git.kernel.dk/linux

Pull block fixes from Jens Axboe:
"A fix for a regression with sed-opal and saved keys, and outside of
that an NVMe pull request fixing a few minor issues on that front"

* tag 'block-6.6-2023-10-20' of git://git.kernel.dk/linux:
nvme-pci: add BOGUS_NID for Intel 0a54 device
nvmet-auth: complete a request only after freeing the dhchap pointers
nvme: sanitize metadata bounce buffer for reads
block: Fix regression in sed-opal for a saved key.
nvme-auth: use chap->s2 to indicate bidirectional authentication
nvmet-tcp: Fix a possible UAF in queue intialization setup
nvme-rdma: do not try to stop unallocated queues

show more ...

Merge tag 'nvme-6.6-2023-10-18' of git://git.infradead.org/nvme into block-6.6

Pull NVMe fixes from Keith:

"nvme fixes for Linux 6.6

- nvme-rdma queue fix (Maurizio)
- nvmet-auth double free fix

Merge tag 'nvme-6.6-2023-10-18' of git://git.infradead.org/nvme into block-6.6

Pull NVMe fixes from Keith:

"nvme fixes for Linux 6.6

- nvme-rdma queue fix (Maurizio)
- nvmet-auth double free fix (Maurizio)
- nvme-tcp use-after-free fix (Sagi)
- nvme-auth data direction fix (Martin)
- nvme passthrough metadata sanitization (Keith)
- nvme bogus identifiers for multi-controller ssd (Keith)"

* tag 'nvme-6.6-2023-10-18' of git://git.infradead.org/nvme:
nvme-pci: add BOGUS_NID for Intel 0a54 device
nvmet-auth: complete a request only after freeing the dhchap pointers
nvme: sanitize metadata bounce buffer for reads
nvme-auth: use chap->s2 to indicate bidirectional authentication
nvmet-tcp: Fix a possible UAF in queue intialization setup
nvme-rdma: do not try to stop unallocated queues

show more ...

nvmet-tcp: Fix a possible UAF in queue intialization setup

From Alon:
"Due to a logical bug in the NVMe-oF/TCP subsystem in the Linux kernel,
a malicious user can cause a UAF and a double free, whic

nvmet-tcp: Fix a possible UAF in queue intialization setup

From Alon:
"Due to a logical bug in the NVMe-oF/TCP subsystem in the Linux kernel,
a malicious user can cause a UAF and a double free, which may lead to
RCE (may also lead to an LPE in case the attacker already has local
privileges)."

Hence, when a queue initialization fails after the ahash requests are
allocated, it is guaranteed that the queue removal async work will be
called, hence leave the deallocation to the queue removal.

Also, be extra careful not to continue processing the socket, so set
queue rcv_state to NVMET_TCP_RECV_ERR upon a socket error.

Cc: stable@vger.kernel.org
Reported-by: Alon Zahavi <zahavi.alon@gmail.com>
Tested-by: Alon Zahavi <zahavi.alon@gmail.com>
Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>

show more ...

Merge tag 'kvm-riscv-fixes-6.6-1' of https://github.com/kvm-riscv/linux into HEAD

KVM/riscv fixes for 6.6, take #1

- Fix KVM_GET_REG_LIST API for ISA_EXT registers
- Fix reading ISA_EXT register of

Merge tag 'kvm-riscv-fixes-6.6-1' of https://github.com/kvm-riscv/linux into HEAD

KVM/riscv fixes for 6.6, take #1

- Fix KVM_GET_REG_LIST API for ISA_EXT registers
- Fix reading ISA_EXT register of a missing extension
- Fix ISA_EXT register handling in get-reg-list test
- Fix filtering of AIA registers in get-reg-list test

show more ...

Merge tag 'block-6.6-2023-09-15' of git://git.kernel.dk/linux

Pull block fixes from Jens Axboe:

- NVMe pull via Keith:
- nvme-tcp iov len fix (Varun)
- nvme-hwmon const qualifier for s

Merge tag 'block-6.6-2023-09-15' of git://git.kernel.dk/linux

Pull block fixes from Jens Axboe:

- NVMe pull via Keith:
- nvme-tcp iov len fix (Varun)
- nvme-hwmon const qualifier for safety (Krzysztof)
- nvme-fc null pointer checks (Nigel)
- nvme-pci no numa node fix (Pratyush)
- nvme timeout fix for non-compliant controllers (Keith)

- MD pull via Song fixing regressions with both 6.5 and 6.6

- Fix a use-after-free regression in resizing blk-mq tags (Chengming)

* tag 'block-6.6-2023-09-15' of git://git.kernel.dk/linux:
nvme: avoid bogus CRTO values
md: Put the right device in md_seq_next
nvme-pci: do not set the NUMA node of device if it has none
blk-mq: fix tags UAF when shrinking q->nr_hw_queues
md/raid1: fix error: ISO C90 forbids mixed declarations
md: fix warning for holder mismatch from export_rdev()
md: don't dereference mddev after export_rdev()
nvme-fc: Prevent null pointer dereference in nvme_fc_io_getuuid()
nvme: host: hwmon: constify pointers to hwmon_channel_info
nvmet-tcp: pass iov_len instead of sg->length to bvec_set_page()

show more ...

Merge tag 'nvme-6.6-2023-09-14' of git://git.infradead.org/nvme into block-6.6

Pull NVMe fixes from Keith:

"nvme fixes for Linux 6.6

- nvme-tcp iov len fix (Varun)
- nvme-hwmon const qualifier f

Merge tag 'nvme-6.6-2023-09-14' of git://git.infradead.org/nvme into block-6.6

Pull NVMe fixes from Keith:

"nvme fixes for Linux 6.6

- nvme-tcp iov len fix (Varun)
- nvme-hwmon const qualifier for safety (Krzysztof)
- nvme-fc null pointer checks (Nigel)
- nvme-pci no numa node fix (Pratyush)
- nvme timeout fix for non-compliant controllers (Keith)"

* tag 'nvme-6.6-2023-09-14' of git://git.infradead.org/nvme:
nvme: avoid bogus CRTO values
nvme-pci: do not set the NUMA node of device if it has none
nvme-fc: Prevent null pointer dereference in nvme_fc_io_getuuid()
nvme: host: hwmon: constify pointers to hwmon_channel_info
nvmet-tcp: pass iov_len instead of sg->length to bvec_set_page()

show more ...

Merge branch 'next' into for-linus

Prepare input updates for 6.6 merge window.

nvmet-tcp: pass iov_len instead of sg->length to bvec_set_page()

iov_len is the valid data length, so pass iov_len instead of sg->length to
bvec_set_page().

Fixes: 5bfaba275ae6 ("nvmet-tcp: don't m

nvmet-tcp: pass iov_len instead of sg->length to bvec_set_page()

iov_len is the valid data length, so pass iov_len instead of sg->length to
bvec_set_page().

Fixes: 5bfaba275ae6 ("nvmet-tcp: don't map pages which can't come from HIGHMEM")
Signed-off-by: Rakshana Sridhar <rakshanas@chelsio.com>
Signed-off-by: Varun Prakash <varun@chelsio.com>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Keith Busch <kbusch@kernel.org>

show more ...

Merge drm/drm-next into drm-intel-next

Catching-up with drm-next and drm-intel-gt-next.
It will unblock a code refactor around the platform
definitions (names vs acronyms).

Signed-off-by: Rodrigo V

Merge drm/drm-next into drm-intel-next

Catching-up with drm-next and drm-intel-gt-next.
It will unblock a code refactor around the platform
definitions (names vs acronyms).

Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>

show more ...

Merge drm/drm-next into drm-intel-gt-next

Need to pull in b3e4aae612ec ("drm/i915/hdcp: Modify hdcp_gsc_message msg sending mechanism") as
a dependency for https://patchwork.freedesktop.org/series/1

Merge drm/drm-next into drm-intel-gt-next

Need to pull in b3e4aae612ec ("drm/i915/hdcp: Modify hdcp_gsc_message msg sending mechanism") as
a dependency for https://patchwork.freedesktop.org/series/121735/

Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>

show more ...

Merge drm/drm-next into drm-misc-next

Backmerging to get v6.5-rc2.

Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>