--- /dev/null
+From 18bd6caaef4021803dd0d031dc37c2d001d18a5b Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 11 Sep 2018 20:47:23 +0200
+Subject: ceph: fix compat_ioctl for ceph_dir_operations
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 18bd6caaef4021803dd0d031dc37c2d001d18a5b upstream.
+
+The ceph_ioctl function is used both for files and directories, but only
+the files support doing that in 32-bit compat mode.
+
+On the s390 architecture, there is also a problem with invalid 31-bit
+pointers that need to be passed through compat_ptr().
+
+Use the new compat_ptr_ioctl() to address both issues.
+
+Note: When backporting this patch to stable kernels, "compat_ioctl:
+add compat_ptr_ioctl()" is needed as well.
+
+Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ceph/dir.c | 1 +
+ fs/ceph/file.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/ceph/dir.c
++++ b/fs/ceph/dir.c
+@@ -1809,6 +1809,7 @@ const struct file_operations ceph_dir_fo
+ .open = ceph_open,
+ .release = ceph_release,
+ .unlocked_ioctl = ceph_ioctl,
++ .compat_ioctl = compat_ptr_ioctl,
+ .fsync = ceph_fsync,
+ .lock = ceph_lock,
+ .flock = ceph_flock,
+--- a/fs/ceph/file.c
++++ b/fs/ceph/file.c
+@@ -2188,7 +2188,7 @@ const struct file_operations ceph_file_f
+ .splice_read = generic_file_splice_read,
+ .splice_write = iter_file_splice_write,
+ .unlocked_ioctl = ceph_ioctl,
+- .compat_ioctl = ceph_ioctl,
++ .compat_ioctl = compat_ptr_ioctl,
+ .fallocate = ceph_fallocate,
+ .copy_file_range = ceph_copy_file_range,
+ };
--- /dev/null
+From 2952db0fd51b0890f728df94ac563c21407f4f43 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 11 Sep 2018 16:55:03 +0200
+Subject: compat_ioctl: add compat_ptr_ioctl()
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 2952db0fd51b0890f728df94ac563c21407f4f43 upstream.
+
+Many drivers have ioctl() handlers that are completely compatible between
+32-bit and 64-bit architectures, except for the argument that is passed
+down from user space and may have to be passed through compat_ptr()
+in order to become a valid 64-bit pointer.
+
+Using ".compat_ptr = compat_ptr_ioctl" in file operations should let
+us simplify a lot of those drivers to avoid #ifdef checks, and convert
+additional drivers that don't have proper compat handling yet.
+
+On most architectures, the compat_ptr_ioctl() just passes all arguments
+to the corresponding ->ioctl handler. The exception is arch/s390, where
+compat_ptr() clears the top bit of a 32-bit pointer value, so user space
+pointers to the second 2GB alias the first 2GB, as is the case for native
+32-bit s390 user space.
+
+The compat_ptr_ioctl() function must therefore be used only with
+ioctl functions that either ignore the argument or pass a pointer to a
+compatible data type.
+
+If any ioctl command handled by fops->unlocked_ioctl passes a plain
+integer instead of a pointer, or any of the passed data types is
+incompatible between 32-bit and 64-bit architectures, a proper handler
+is required instead of compat_ptr_ioctl.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+---
+v3: add a better description
+v2: use compat_ptr_ioctl instead of generic_compat_ioctl_ptrarg,
+as suggested by Al Viro
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ioctl.c | 35 +++++++++++++++++++++++++++++++++++
+ include/linux/fs.h | 7 +++++++
+ 2 files changed, 42 insertions(+)
+
+--- a/fs/ioctl.c
++++ b/fs/ioctl.c
+@@ -8,6 +8,7 @@
+ #include <linux/syscalls.h>
+ #include <linux/mm.h>
+ #include <linux/capability.h>
++#include <linux/compat.h>
+ #include <linux/file.h>
+ #include <linux/fs.h>
+ #include <linux/security.h>
+@@ -719,3 +720,37 @@ SYSCALL_DEFINE3(ioctl, unsigned int, fd,
+ {
+ return ksys_ioctl(fd, cmd, arg);
+ }
++
++#ifdef CONFIG_COMPAT
++/**
++ * compat_ptr_ioctl - generic implementation of .compat_ioctl file operation
++ *
++ * This is not normally called as a function, but instead set in struct
++ * file_operations as
++ *
++ * .compat_ioctl = compat_ptr_ioctl,
++ *
++ * On most architectures, the compat_ptr_ioctl() just passes all arguments
++ * to the corresponding ->ioctl handler. The exception is arch/s390, where
++ * compat_ptr() clears the top bit of a 32-bit pointer value, so user space
++ * pointers to the second 2GB alias the first 2GB, as is the case for
++ * native 32-bit s390 user space.
++ *
++ * The compat_ptr_ioctl() function must therefore be used only with ioctl
++ * functions that either ignore the argument or pass a pointer to a
++ * compatible data type.
++ *
++ * If any ioctl command handled by fops->unlocked_ioctl passes a plain
++ * integer instead of a pointer, or any of the passed data types
++ * is incompatible between 32-bit and 64-bit architectures, a proper
++ * handler is required instead of compat_ptr_ioctl.
++ */
++long compat_ptr_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
++{
++ if (!file->f_op->unlocked_ioctl)
++ return -ENOIOCTLCMD;
++
++ return file->f_op->unlocked_ioctl(file, cmd, (unsigned long)compat_ptr(arg));
++}
++EXPORT_SYMBOL(compat_ptr_ioctl);
++#endif
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -1727,6 +1727,13 @@ int vfs_mkobj(struct dentry *, umode_t,
+
+ extern long vfs_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
+
++#ifdef CONFIG_COMPAT
++extern long compat_ptr_ioctl(struct file *file, unsigned int cmd,
++ unsigned long arg);
++#else
++#define compat_ptr_ioctl NULL
++#endif
++
+ /*
+ * VFS file helper functions.
+ */
--- /dev/null
+From 4adc0423de92cf850d1ef5c0e7cb28fd7a38219e Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Wed, 6 Nov 2019 10:06:54 +0100
+Subject: media: venus: remove invalid compat_ioctl32 handler
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 4adc0423de92cf850d1ef5c0e7cb28fd7a38219e upstream.
+
+v4l2_compat_ioctl32() is the function that calls into
+v4l2_file_operations->compat_ioctl32(), so setting that back to the same
+function leads to a trivial endless loop, followed by a kernel
+stack overrun.
+
+Remove the incorrect assignment.
+
+Cc: stable@vger.kernel.org
+Fixes: 7472c1c69138 ("[media] media: venus: vdec: add video decoder files")
+Fixes: aaaa93eda64b ("[media] media: venus: venc: add video encoder files")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/platform/qcom/venus/vdec.c | 3 ---
+ drivers/media/platform/qcom/venus/venc.c | 3 ---
+ 2 files changed, 6 deletions(-)
+
+--- a/drivers/media/platform/qcom/venus/vdec.c
++++ b/drivers/media/platform/qcom/venus/vdec.c
+@@ -1412,9 +1412,6 @@ static const struct v4l2_file_operations
+ .unlocked_ioctl = video_ioctl2,
+ .poll = v4l2_m2m_fop_poll,
+ .mmap = v4l2_m2m_fop_mmap,
+-#ifdef CONFIG_COMPAT
+- .compat_ioctl32 = v4l2_compat_ioctl32,
+-#endif
+ };
+
+ static int vdec_probe(struct platform_device *pdev)
+--- a/drivers/media/platform/qcom/venus/venc.c
++++ b/drivers/media/platform/qcom/venus/venc.c
+@@ -1235,9 +1235,6 @@ static const struct v4l2_file_operations
+ .unlocked_ioctl = video_ioctl2,
+ .poll = v4l2_m2m_fop_poll,
+ .mmap = v4l2_m2m_fop_mmap,
+-#ifdef CONFIG_COMPAT
+- .compat_ioctl32 = v4l2_compat_ioctl32,
+-#endif
+ };
+
+ static int venc_probe(struct platform_device *pdev)
--- /dev/null
+From 22802bf742c25b1e2473c70b3b99da98af65ef4d Mon Sep 17 00:00:00 2001
+From: Keith Busch <kbusch@kernel.org>
+Date: Tue, 3 Dec 2019 00:44:59 +0900
+Subject: nvme: Namepace identification descriptor list is optional
+
+From: Keith Busch <kbusch@kernel.org>
+
+commit 22802bf742c25b1e2473c70b3b99da98af65ef4d upstream.
+
+Despite NVM Express specification 1.3 requires a controller claiming to
+be 1.3 or higher implement Identify CNS 03h (Namespace Identification
+Descriptor list), the driver doesn't really need this identification in
+order to use a namespace. The code had already documented in comments
+that we're not to consider an error to this command.
+
+Return success if the controller provided any response to an
+namespace identification descriptors command.
+
+Fixes: 538af88ea7d9de24 ("nvme: make nvme_report_ns_ids propagate error back")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=205679
+Reported-by: Ingo Brunberg <ingo_brunberg@web.de>
+Cc: Sagi Grimberg <sagi@grimberg.me>
+Cc: stable@vger.kernel.org # 5.4+
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvme/host/core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -1727,6 +1727,8 @@ static int nvme_report_ns_ids(struct nvm
+ if (ret)
+ dev_warn(ctrl->device,
+ "Identify Descriptors failed (%d)\n", ret);
++ if (ret > 0)
++ ret = 0;
+ }
+ return ret;
+ }
--- /dev/null
+From 655e7aee1f0398602627a485f7dca6c29cc96cae Mon Sep 17 00:00:00 2001
+From: Jian-Hong Pan <jian-hong@endlessm.com>
+Date: Thu, 31 Oct 2019 17:34:09 +0800
+Subject: Revert "nvme: Add quirk for Kingston NVME SSD running FW E8FK11.T"
+
+From: Jian-Hong Pan <jian-hong@endlessm.com>
+
+commit 655e7aee1f0398602627a485f7dca6c29cc96cae upstream.
+
+Since e045fa29e893 ("PCI/MSI: Fix incorrect MSI-X masking on resume") is
+merged, we can revert the previous quirk now.
+
+This reverts commit 19ea025e1d28c629b369c3532a85b3df478cc5c6.
+
+Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=204887
+Fixes: 19ea025e1d28 ("nvme: Add quirk for Kingston NVME SSD running FW E8FK11.T")
+Link: https://lore.kernel.org/r/20191031093408.9322-1-jian-hong@endlessm.com
+Signed-off-by: Jian-Hong Pan <jian-hong@endlessm.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Acked-by: Christoph Hellwig <hch@lst.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvme/host/core.c | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -2406,16 +2406,6 @@ static const struct nvme_core_quirk_entr
+ .vid = 0x14a4,
+ .fr = "22301111",
+ .quirks = NVME_QUIRK_SIMPLE_SUSPEND,
+- },
+- {
+- /*
+- * This Kingston E8FK11.T firmware version has no interrupt
+- * after resume with actions related to suspend to idle
+- * https://bugzilla.kernel.org/show_bug.cgi?id=204887
+- */
+- .vid = 0x2646,
+- .fr = "E8FK11.T",
+- .quirks = NVME_QUIRK_SIMPLE_SUSPEND,
+ }
+ };
+
--- /dev/null
+From 324e1c402069e8d277d2a2b18ce40bde1265b96a Mon Sep 17 00:00:00 2001
+From: James Smart <jsmart2021@gmail.com>
+Date: Fri, 18 Oct 2019 14:18:21 -0700
+Subject: scsi: lpfc: Fix bad ndlp ptr in xri aborted handling
+
+From: James Smart <jsmart2021@gmail.com>
+
+commit 324e1c402069e8d277d2a2b18ce40bde1265b96a upstream.
+
+In cases where I/O may be aborted, such as driver unload or link bounces,
+the system will crash based on a bad ndlp pointer.
+
+Example:
+ RIP: 0010:lpfc_sli4_abts_err_handler+0x15/0x140 [lpfc]
+ ...
+ lpfc_sli4_io_xri_aborted+0x20d/0x270 [lpfc]
+ lpfc_sli4_sp_handle_abort_xri_wcqe.isra.54+0x84/0x170 [lpfc]
+ lpfc_sli4_fp_handle_cqe+0xc2/0x480 [lpfc]
+ __lpfc_sli4_process_cq+0xc6/0x230 [lpfc]
+ __lpfc_sli4_hba_process_cq+0x29/0xc0 [lpfc]
+ process_one_work+0x14c/0x390
+
+Crash was caused by a bad ndlp address passed to I/O indicated by the XRI
+aborted CQE. The address was not NULL so the routine deferenced the ndlp
+ptr. The bad ndlp also caused the lpfc_sli4_io_xri_aborted to call an
+erroneous io handler. Root cause for the bad ndlp was an lpfc_ncmd that
+was aborted, put on the abort_io list, completed, taken off the abort_io
+list, sent to lpfc_release_nvme_buf where it was put back on the abort_io
+list because the lpfc_ncmd->flags setting LPFC_SBUF_XBUSY was not cleared
+on the final completion.
+
+Rework the exchange busy handling to ensure the flags are properly set for
+both scsi and nvme.
+
+Fixes: c490850a0947 ("scsi: lpfc: Adapt partitioned XRI lists to efficient sharing")
+Cc: <stable@vger.kernel.org> # v5.1+
+Link: https://lore.kernel.org/r/20191018211832.7917-6-jsmart2021@gmail.com
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/lpfc/lpfc_scsi.c | 11 +++++++----
+ drivers/scsi/lpfc/lpfc_sli.c | 5 ++++-
+ drivers/scsi/lpfc/lpfc_sli.h | 3 +--
+ 3 files changed, 12 insertions(+), 7 deletions(-)
+
+--- a/drivers/scsi/lpfc/lpfc_scsi.c
++++ b/drivers/scsi/lpfc/lpfc_scsi.c
+@@ -526,7 +526,7 @@ lpfc_sli4_io_xri_aborted(struct lpfc_hba
+ &qp->lpfc_abts_io_buf_list, list) {
+ if (psb->cur_iocbq.sli4_xritag == xri) {
+ list_del_init(&psb->list);
+- psb->exch_busy = 0;
++ psb->flags &= ~LPFC_SBUF_XBUSY;
+ psb->status = IOSTAT_SUCCESS;
+ if (psb->cur_iocbq.iocb_flag == LPFC_IO_NVME) {
+ qp->abts_nvme_io_bufs--;
+@@ -566,7 +566,7 @@ lpfc_sli4_io_xri_aborted(struct lpfc_hba
+ if (iocbq->sli4_xritag != xri)
+ continue;
+ psb = container_of(iocbq, struct lpfc_io_buf, cur_iocbq);
+- psb->exch_busy = 0;
++ psb->flags &= ~LPFC_SBUF_XBUSY;
+ spin_unlock_irqrestore(&phba->hbalock, iflag);
+ if (!list_empty(&pring->txq))
+ lpfc_worker_wake_up(phba);
+@@ -786,7 +786,7 @@ lpfc_release_scsi_buf_s4(struct lpfc_hba
+ psb->prot_seg_cnt = 0;
+
+ qp = psb->hdwq;
+- if (psb->exch_busy) {
++ if (psb->flags & LPFC_SBUF_XBUSY) {
+ spin_lock_irqsave(&qp->abts_io_buf_list_lock, iflag);
+ psb->pCmd = NULL;
+ list_add_tail(&psb->list, &qp->lpfc_abts_io_buf_list);
+@@ -3835,7 +3835,10 @@ lpfc_scsi_cmd_iocb_cmpl(struct lpfc_hba
+ lpfc_cmd->result = (pIocbOut->iocb.un.ulpWord[4] & IOERR_PARAM_MASK);
+ lpfc_cmd->status = pIocbOut->iocb.ulpStatus;
+ /* pick up SLI4 exhange busy status from HBA */
+- lpfc_cmd->exch_busy = pIocbOut->iocb_flag & LPFC_EXCHANGE_BUSY;
++ if (pIocbOut->iocb_flag & LPFC_EXCHANGE_BUSY)
++ lpfc_cmd->flags |= LPFC_SBUF_XBUSY;
++ else
++ lpfc_cmd->flags &= ~LPFC_SBUF_XBUSY;
+
+ #ifdef CONFIG_SCSI_LPFC_DEBUG_FS
+ if (lpfc_cmd->prot_data_type) {
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -11736,7 +11736,10 @@ lpfc_sli_wake_iocb_wait(struct lpfc_hba
+ !(cmdiocbq->iocb_flag & LPFC_IO_LIBDFC)) {
+ lpfc_cmd = container_of(cmdiocbq, struct lpfc_io_buf,
+ cur_iocbq);
+- lpfc_cmd->exch_busy = rspiocbq->iocb_flag & LPFC_EXCHANGE_BUSY;
++ if (rspiocbq && (rspiocbq->iocb_flag & LPFC_EXCHANGE_BUSY))
++ lpfc_cmd->flags |= LPFC_SBUF_XBUSY;
++ else
++ lpfc_cmd->flags &= ~LPFC_SBUF_XBUSY;
+ }
+
+ pdone_q = cmdiocbq->context_un.wait_queue;
+--- a/drivers/scsi/lpfc/lpfc_sli.h
++++ b/drivers/scsi/lpfc/lpfc_sli.h
+@@ -384,14 +384,13 @@ struct lpfc_io_buf {
+
+ struct lpfc_nodelist *ndlp;
+ uint32_t timeout;
+- uint16_t flags; /* TBD convert exch_busy to flags */
++ uint16_t flags;
+ #define LPFC_SBUF_XBUSY 0x1 /* SLI4 hba reported XB on WCQE cmpl */
+ #define LPFC_SBUF_BUMP_QDEPTH 0x2 /* bumped queue depth counter */
+ /* External DIF device IO conversions */
+ #define LPFC_SBUF_NORMAL_DIF 0x4 /* normal mode to insert/strip */
+ #define LPFC_SBUF_PASS_DIF 0x8 /* insert/strip mode to passthru */
+ #define LPFC_SBUF_NOT_POSTED 0x10 /* SGL failed post to FW. */
+- uint16_t exch_busy; /* SLI4 hba reported XB on complete WCQE */
+ uint16_t status; /* From IOCB Word 7- ulpStatus */
+ uint32_t result; /* From IOCB Word 4. */
+
--- /dev/null
+From 71c80b75ce8f08c0978ce9a9816b81b5c3ce5e12 Mon Sep 17 00:00:00 2001
+From: Quinn Tran <qutran@marvell.com>
+Date: Tue, 5 Nov 2019 07:06:51 -0800
+Subject: scsi: qla2xxx: Do command completion on abort timeout
+
+From: Quinn Tran <qutran@marvell.com>
+
+commit 71c80b75ce8f08c0978ce9a9816b81b5c3ce5e12 upstream.
+
+On switch, fabric and mgt command timeout, driver send Abort to tell FW to
+return the original command. If abort is timeout, then return both Abort
+and original command for cleanup.
+
+Fixes: 219d27d7147e0 ("scsi: qla2xxx: Fix race conditions in the code for aborting SCSI commands")
+Cc: stable@vger.kernel.org # 5.2
+Link: https://lore.kernel.org/r/20191105150657.8092-3-hmadhani@marvell.com
+Reviewed-by: Ewan D. Milne <emilne@redhat.com>
+Signed-off-by: Quinn Tran <qutran@marvell.com>
+Signed-off-by: Himanshu Madhani <hmadhani@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_def.h | 1 +
+ drivers/scsi/qla2xxx/qla_init.c | 18 ++++++++++++++++++
+ 2 files changed, 19 insertions(+)
+
+--- a/drivers/scsi/qla2xxx/qla_def.h
++++ b/drivers/scsi/qla2xxx/qla_def.h
+@@ -604,6 +604,7 @@ typedef struct srb {
+ const char *name;
+ int iocbs;
+ struct qla_qpair *qpair;
++ struct srb *cmd_sp;
+ struct list_head elem;
+ u32 gen1; /* scratch */
+ u32 gen2; /* scratch */
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -101,8 +101,22 @@ static void qla24xx_abort_iocb_timeout(v
+ u32 handle;
+ unsigned long flags;
+
++ if (sp->cmd_sp)
++ ql_dbg(ql_dbg_async, sp->vha, 0x507c,
++ "Abort timeout - cmd hdl=%x, cmd type=%x hdl=%x, type=%x\n",
++ sp->cmd_sp->handle, sp->cmd_sp->type,
++ sp->handle, sp->type);
++ else
++ ql_dbg(ql_dbg_async, sp->vha, 0x507c,
++ "Abort timeout 2 - hdl=%x, type=%x\n",
++ sp->handle, sp->type);
++
+ spin_lock_irqsave(qpair->qp_lock_ptr, flags);
+ for (handle = 1; handle < qpair->req->num_outstanding_cmds; handle++) {
++ if (sp->cmd_sp && (qpair->req->outstanding_cmds[handle] ==
++ sp->cmd_sp))
++ qpair->req->outstanding_cmds[handle] = NULL;
++
+ /* removing the abort */
+ if (qpair->req->outstanding_cmds[handle] == sp) {
+ qpair->req->outstanding_cmds[handle] = NULL;
+@@ -111,6 +125,9 @@ static void qla24xx_abort_iocb_timeout(v
+ }
+ spin_unlock_irqrestore(qpair->qp_lock_ptr, flags);
+
++ if (sp->cmd_sp)
++ sp->cmd_sp->done(sp->cmd_sp, QLA_OS_TIMER_EXPIRED);
++
+ abt->u.abt.comp_status = CS_TIMEOUT;
+ sp->done(sp, QLA_OS_TIMER_EXPIRED);
+ }
+@@ -142,6 +159,7 @@ static int qla24xx_async_abort_cmd(srb_t
+ sp->type = SRB_ABT_CMD;
+ sp->name = "abort";
+ sp->qpair = cmd_sp->qpair;
++ sp->cmd_sp = cmd_sp;
+ if (wait)
+ sp->flags = SRB_WAKEUP_ON_COMP;
+
--- /dev/null
+From f45bca8c5052e8c59bab64ee90c44441678b9a52 Mon Sep 17 00:00:00 2001
+From: Quinn Tran <qutran@marvell.com>
+Date: Tue, 5 Nov 2019 07:06:54 -0800
+Subject: scsi: qla2xxx: Fix double scsi_done for abort path
+
+From: Quinn Tran <qutran@marvell.com>
+
+commit f45bca8c5052e8c59bab64ee90c44441678b9a52 upstream.
+
+Current code assumes abort will remove the original command from the active
+list where scsi_done will not be called. Instead, the eh_abort thread will
+do the scsi_done. That is not the case. Instead, we have a double
+scsi_done calls triggering use after free.
+
+Abort will tell FW to release the command from FW possesion. The original
+command will return to ULP with error in its normal fashion via scsi_done.
+eh_abort path would wait for the original command completion before
+returning. eh_abort path will not perform the scsi_done call.
+
+Fixes: 219d27d7147e0 ("scsi: qla2xxx: Fix race conditions in the code for aborting SCSI commands")
+Cc: stable@vger.kernel.org # 5.2
+Link: https://lore.kernel.org/r/20191105150657.8092-6-hmadhani@marvell.com
+Reviewed-by: Ewan D. Milne <emilne@redhat.com>
+Signed-off-by: Quinn Tran <qutran@marvell.com>
+Signed-off-by: Arun Easi <aeasi@marvell.com>
+Signed-off-by: Himanshu Madhani <hmadhani@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_def.h | 5 +
+ drivers/scsi/qla2xxx/qla_isr.c | 5 +
+ drivers/scsi/qla2xxx/qla_nvme.c | 4 -
+ drivers/scsi/qla2xxx/qla_os.c | 117 ++++++++++++++++++++--------------------
+ 4 files changed, 72 insertions(+), 59 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_def.h
++++ b/drivers/scsi/qla2xxx/qla_def.h
+@@ -591,13 +591,16 @@ typedef struct srb {
+ */
+ uint8_t cmd_type;
+ uint8_t pad[3];
+- atomic_t ref_count;
+ struct kref cmd_kref; /* need to migrate ref_count over to this */
+ void *priv;
+ wait_queue_head_t nvme_ls_waitq;
+ struct fc_port *fcport;
+ struct scsi_qla_host *vha;
+ unsigned int start_timer:1;
++ unsigned int abort:1;
++ unsigned int aborted:1;
++ unsigned int completed:1;
++
+ uint32_t handle;
+ uint16_t flags;
+ uint16_t type;
+--- a/drivers/scsi/qla2xxx/qla_isr.c
++++ b/drivers/scsi/qla2xxx/qla_isr.c
+@@ -2466,6 +2466,11 @@ qla2x00_status_entry(scsi_qla_host_t *vh
+ return;
+ }
+
++ if (sp->abort)
++ sp->aborted = 1;
++ else
++ sp->completed = 1;
++
+ if (sp->cmd_type != TYPE_SRB) {
+ req->outstanding_cmds[handle] = NULL;
+ ql_dbg(ql_dbg_io, vha, 0x3015,
+--- a/drivers/scsi/qla2xxx/qla_nvme.c
++++ b/drivers/scsi/qla2xxx/qla_nvme.c
+@@ -224,8 +224,8 @@ static void qla_nvme_abort_work(struct w
+
+ if (ha->flags.host_shutting_down) {
+ ql_log(ql_log_info, sp->fcport->vha, 0xffff,
+- "%s Calling done on sp: %p, type: 0x%x, sp->ref_count: 0x%x\n",
+- __func__, sp, sp->type, atomic_read(&sp->ref_count));
++ "%s Calling done on sp: %p, type: 0x%x\n",
++ __func__, sp, sp->type);
+ sp->done(sp, 0);
+ goto out;
+ }
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -698,11 +698,6 @@ void qla2x00_sp_compl(srb_t *sp, int res
+ struct scsi_cmnd *cmd = GET_CMD_SP(sp);
+ struct completion *comp = sp->comp;
+
+- if (WARN_ON_ONCE(atomic_read(&sp->ref_count) == 0))
+- return;
+-
+- atomic_dec(&sp->ref_count);
+-
+ sp->free(sp);
+ cmd->result = res;
+ CMD_SP(cmd) = NULL;
+@@ -794,11 +789,6 @@ void qla2xxx_qpair_sp_compl(srb_t *sp, i
+ struct scsi_cmnd *cmd = GET_CMD_SP(sp);
+ struct completion *comp = sp->comp;
+
+- if (WARN_ON_ONCE(atomic_read(&sp->ref_count) == 0))
+- return;
+-
+- atomic_dec(&sp->ref_count);
+-
+ sp->free(sp);
+ cmd->result = res;
+ CMD_SP(cmd) = NULL;
+@@ -903,7 +893,7 @@ qla2xxx_queuecommand(struct Scsi_Host *h
+
+ sp->u.scmd.cmd = cmd;
+ sp->type = SRB_SCSI_CMD;
+- atomic_set(&sp->ref_count, 1);
++
+ CMD_SP(cmd) = (void *)sp;
+ sp->free = qla2x00_sp_free_dma;
+ sp->done = qla2x00_sp_compl;
+@@ -985,11 +975,9 @@ qla2xxx_mqueuecommand(struct Scsi_Host *
+
+ sp->u.scmd.cmd = cmd;
+ sp->type = SRB_SCSI_CMD;
+- atomic_set(&sp->ref_count, 1);
+ CMD_SP(cmd) = (void *)sp;
+ sp->free = qla2xxx_qpair_sp_free_dma;
+ sp->done = qla2xxx_qpair_sp_compl;
+- sp->qpair = qpair;
+
+ rval = ha->isp_ops->start_scsi_mq(sp);
+ if (rval != QLA_SUCCESS) {
+@@ -1184,16 +1172,6 @@ qla2x00_wait_for_chip_reset(scsi_qla_hos
+ return return_status;
+ }
+
+-static int
+-sp_get(struct srb *sp)
+-{
+- if (!refcount_inc_not_zero((refcount_t *)&sp->ref_count))
+- /* kref get fail */
+- return ENXIO;
+- else
+- return 0;
+-}
+-
+ #define ISP_REG_DISCONNECT 0xffffffffU
+ /**************************************************************************
+ * qla2x00_isp_reg_stat
+@@ -1249,6 +1227,9 @@ qla2xxx_eh_abort(struct scsi_cmnd *cmd)
+ uint64_t lun;
+ int rval;
+ struct qla_hw_data *ha = vha->hw;
++ uint32_t ratov_j;
++ struct qla_qpair *qpair;
++ unsigned long flags;
+
+ if (qla2x00_isp_reg_stat(ha)) {
+ ql_log(ql_log_info, vha, 0x8042,
+@@ -1261,13 +1242,26 @@ qla2xxx_eh_abort(struct scsi_cmnd *cmd)
+ return ret;
+
+ sp = scsi_cmd_priv(cmd);
++ qpair = sp->qpair;
+
+- if (sp->fcport && sp->fcport->deleted)
++ if ((sp->fcport && sp->fcport->deleted) || !qpair)
+ return SUCCESS;
+
+- /* Return if the command has already finished. */
+- if (sp_get(sp))
++ spin_lock_irqsave(qpair->qp_lock_ptr, flags);
++ if (sp->completed) {
++ spin_unlock_irqrestore(qpair->qp_lock_ptr, flags);
+ return SUCCESS;
++ }
++
++ if (sp->abort || sp->aborted) {
++ spin_unlock_irqrestore(qpair->qp_lock_ptr, flags);
++ return FAILED;
++ }
++
++ sp->abort = 1;
++ sp->comp = ∁
++ spin_unlock_irqrestore(qpair->qp_lock_ptr, flags);
++
+
+ id = cmd->device->id;
+ lun = cmd->device->lun;
+@@ -1276,47 +1270,37 @@ qla2xxx_eh_abort(struct scsi_cmnd *cmd)
+ "Aborting from RISC nexus=%ld:%d:%llu sp=%p cmd=%p handle=%x\n",
+ vha->host_no, id, lun, sp, cmd, sp->handle);
+
++ /*
++ * Abort will release the original Command/sp from FW. Let the
++ * original command call scsi_done. In return, he will wakeup
++ * this sleeping thread.
++ */
+ rval = ha->isp_ops->abort_command(sp);
++
+ ql_dbg(ql_dbg_taskm, vha, 0x8003,
+ "Abort command mbx cmd=%p, rval=%x.\n", cmd, rval);
+
++ /* Wait for the command completion. */
++ ratov_j = ha->r_a_tov/10 * 4 * 1000;
++ ratov_j = msecs_to_jiffies(ratov_j);
+ switch (rval) {
+ case QLA_SUCCESS:
+- /*
+- * The command has been aborted. That means that the firmware
+- * won't report a completion.
+- */
+- sp->done(sp, DID_ABORT << 16);
+- ret = SUCCESS;
+- break;
+- case QLA_FUNCTION_PARAMETER_ERROR: {
+- /* Wait for the command completion. */
+- uint32_t ratov = ha->r_a_tov/10;
+- uint32_t ratov_j = msecs_to_jiffies(4 * ratov * 1000);
+-
+- WARN_ON_ONCE(sp->comp);
+- sp->comp = ∁
+ if (!wait_for_completion_timeout(&comp, ratov_j)) {
+ ql_dbg(ql_dbg_taskm, vha, 0xffff,
+ "%s: Abort wait timer (4 * R_A_TOV[%d]) expired\n",
+- __func__, ha->r_a_tov);
++ __func__, ha->r_a_tov/10);
+ ret = FAILED;
+ } else {
+ ret = SUCCESS;
+ }
+ break;
+- }
+ default:
+- /*
+- * Either abort failed or abort and completion raced. Let
+- * the SCSI core retry the abort in the former case.
+- */
+ ret = FAILED;
+ break;
+ }
+
+ sp->comp = NULL;
+- atomic_dec(&sp->ref_count);
++
+ ql_log(ql_log_info, vha, 0x801c,
+ "Abort command issued nexus=%ld:%d:%llu -- %x.\n",
+ vha->host_no, id, lun, ret);
+@@ -1708,32 +1692,53 @@ static void qla2x00_abort_srb(struct qla
+ scsi_qla_host_t *vha = qp->vha;
+ struct qla_hw_data *ha = vha->hw;
+ int rval;
++ bool ret_cmd;
++ uint32_t ratov_j;
+
+- if (sp_get(sp))
++ if (qla2x00_chip_is_down(vha)) {
++ sp->done(sp, res);
+ return;
++ }
+
+ if (sp->type == SRB_NVME_CMD || sp->type == SRB_NVME_LS ||
+ (sp->type == SRB_SCSI_CMD && !ha->flags.eeh_busy &&
+ !test_bit(ABORT_ISP_ACTIVE, &vha->dpc_flags) &&
+ !qla2x00_isp_reg_stat(ha))) {
++ if (sp->comp) {
++ sp->done(sp, res);
++ return;
++ }
++
+ sp->comp = ∁
++ sp->abort = 1;
+ spin_unlock_irqrestore(qp->qp_lock_ptr, *flags);
+- rval = ha->isp_ops->abort_command(sp);
+
++ rval = ha->isp_ops->abort_command(sp);
++ /* Wait for command completion. */
++ ret_cmd = false;
++ ratov_j = ha->r_a_tov/10 * 4 * 1000;
++ ratov_j = msecs_to_jiffies(ratov_j);
+ switch (rval) {
+ case QLA_SUCCESS:
+- sp->done(sp, res);
++ if (wait_for_completion_timeout(&comp, ratov_j)) {
++ ql_dbg(ql_dbg_taskm, vha, 0xffff,
++ "%s: Abort wait timer (4 * R_A_TOV[%d]) expired\n",
++ __func__, ha->r_a_tov/10);
++ ret_cmd = true;
++ }
++ /* else FW return SP to driver */
+ break;
+- case QLA_FUNCTION_PARAMETER_ERROR:
+- wait_for_completion(&comp);
++ default:
++ ret_cmd = true;
+ break;
+ }
+
+ spin_lock_irqsave(qp->qp_lock_ptr, *flags);
+- sp->comp = NULL;
++ if (ret_cmd && (!sp->completed || !sp->aborted))
++ sp->done(sp, res);
++ } else {
++ sp->done(sp, res);
+ }
+-
+- atomic_dec(&sp->ref_count);
+ }
+
+ static void
+@@ -1755,7 +1760,6 @@ __qla2x00_abort_all_cmds(struct qla_qpai
+ for (cnt = 1; cnt < req->num_outstanding_cmds; cnt++) {
+ sp = req->outstanding_cmds[cnt];
+ if (sp) {
+- req->outstanding_cmds[cnt] = NULL;
+ switch (sp->cmd_type) {
+ case TYPE_SRB:
+ qla2x00_abort_srb(qp, sp, res, &flags);
+@@ -1777,6 +1781,7 @@ __qla2x00_abort_all_cmds(struct qla_qpai
+ default:
+ break;
+ }
++ req->outstanding_cmds[cnt] = NULL;
+ }
+ }
+ spin_unlock_irqrestore(qp->qp_lock_ptr, flags);
--- /dev/null
+From dd322b7f3efc8cda085bb60eadc4aee6324eadd8 Mon Sep 17 00:00:00 2001
+From: Quinn Tran <qutran@marvell.com>
+Date: Tue, 5 Nov 2019 07:06:53 -0800
+Subject: scsi: qla2xxx: Fix driver unload hang
+
+From: Quinn Tran <qutran@marvell.com>
+
+commit dd322b7f3efc8cda085bb60eadc4aee6324eadd8 upstream.
+
+This patch fixes driver unload hang by removing msleep()
+
+Fixes: d74595278f4ab ("scsi: qla2xxx: Add multiple queue pair functionality.")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20191105150657.8092-5-hmadhani@marvell.com
+Reviewed-by: Ewan D. Milne <emilne@redhat.com>
+Signed-off-by: Quinn Tran <qutran@marvell.com>
+Signed-off-by: Himanshu Madhani <hmadhani@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_init.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -9021,8 +9021,6 @@ int qla2xxx_delete_qpair(struct scsi_qla
+ struct qla_hw_data *ha = qpair->hw;
+
+ qpair->delete_in_progress = 1;
+- while (atomic_read(&qpair->ref_count))
+- msleep(500);
+
+ ret = qla25xx_delete_req_que(vha, qpair->req);
+ if (ret != QLA_SUCCESS)
--- /dev/null
+From 2f856d4e8c23f5ad5221f8da4a2f22d090627f19 Mon Sep 17 00:00:00 2001
+From: Arun Easi <aeasi@marvell.com>
+Date: Tue, 5 Nov 2019 07:06:55 -0800
+Subject: scsi: qla2xxx: Fix memory leak when sending I/O fails
+
+From: Arun Easi <aeasi@marvell.com>
+
+commit 2f856d4e8c23f5ad5221f8da4a2f22d090627f19 upstream.
+
+On heavy loads, a memory leak of the srb_t structure is observed. This
+would make the qla2xxx_srbs cache gobble up memory.
+
+Fixes: 219d27d7147e0 ("scsi: qla2xxx: Fix race conditions in the code for aborting SCSI commands")
+Cc: stable@vger.kernel.org # 5.2
+Link: https://lore.kernel.org/r/20191105150657.8092-7-hmadhani@marvell.com
+Reviewed-by: Ewan D. Milne <emilne@redhat.com>
+Signed-off-by: Arun Easi <aeasi@marvell.com>
+Signed-off-by: Himanshu Madhani <hmadhani@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_os.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -909,6 +909,8 @@ qla2xxx_queuecommand(struct Scsi_Host *h
+
+ qc24_host_busy_free_sp:
+ sp->free(sp);
++ CMD_SP(cmd) = NULL;
++ qla2x00_rel_sp(sp);
+
+ qc24_target_busy:
+ return SCSI_MLQUEUE_TARGET_BUSY;
+@@ -992,6 +994,8 @@ qla2xxx_mqueuecommand(struct Scsi_Host *
+
+ qc24_host_busy_free_sp:
+ sp->free(sp);
++ CMD_SP(cmd) = NULL;
++ qla2xxx_rel_qpair_sp(sp->qpair, sp);
+
+ qc24_target_busy:
+ return SCSI_MLQUEUE_TARGET_BUSY;
--- /dev/null
+From 100843f176109af94600e500da0428e21030ca7f Mon Sep 17 00:00:00 2001
+From: Steffen Maier <maier@linux.ibm.com>
+Date: Fri, 25 Oct 2019 18:12:53 +0200
+Subject: scsi: zfcp: trace channel log even for FCP command responses
+
+From: Steffen Maier <maier@linux.ibm.com>
+
+commit 100843f176109af94600e500da0428e21030ca7f upstream.
+
+While v2.6.26 commit b75db73159cc ("[SCSI] zfcp: Add qtcb dump to hba debug
+trace") is right that we don't want to flood the (payload) trace ring
+buffer, we don't trace successful FCP command responses by default. So we
+can include the channel log for problem determination with failed responses
+of any FSF request type.
+
+Fixes: b75db73159cc ("[SCSI] zfcp: Add qtcb dump to hba debug trace")
+Fixes: a54ca0f62f95 ("[SCSI] zfcp: Redesign of the debug tracing for HBA records.")
+Cc: <stable@vger.kernel.org> #2.6.38+
+Link: https://lore.kernel.org/r/e37597b5c4ae123aaa85fd86c23a9f71e994e4a9.1572018132.git.bblock@linux.ibm.com
+Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
+Signed-off-by: Steffen Maier <maier@linux.ibm.com>
+Signed-off-by: Benjamin Block <bblock@linux.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/s390/scsi/zfcp_dbf.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/s390/scsi/zfcp_dbf.c
++++ b/drivers/s390/scsi/zfcp_dbf.c
+@@ -95,11 +95,9 @@ void zfcp_dbf_hba_fsf_res(char *tag, int
+ memcpy(rec->u.res.fsf_status_qual, &q_head->fsf_status_qual,
+ FSF_STATUS_QUALIFIER_SIZE);
+
+- if (q_head->fsf_command != FSF_QTCB_FCP_CMND) {
+- rec->pl_len = q_head->log_length;
+- zfcp_dbf_pl_write(dbf, (char *)q_pref + q_head->log_start,
+- rec->pl_len, "fsf_res", req->req_id);
+- }
++ rec->pl_len = q_head->log_length;
++ zfcp_dbf_pl_write(dbf, (char *)q_pref + q_head->log_start,
++ rec->pl_len, "fsf_res", req->req_id);
+
+ debug_event(dbf->hba, level, rec, sizeof(*rec));
+ spin_unlock_irqrestore(&dbf->hba_lock, flags);
usb-gadget-configfs-fix-missing-spin_lock_init.patch
usb-gadget-pch_udc-fix-use-after-free.patch
+nvme-namepace-identification-descriptor-list-is-optional.patch
+revert-nvme-add-quirk-for-kingston-nvme-ssd-running-fw-e8fk11.t.patch
+scsi-lpfc-fix-bad-ndlp-ptr-in-xri-aborted-handling.patch
+scsi-zfcp-trace-channel-log-even-for-fcp-command-responses.patch
+scsi-qla2xxx-do-command-completion-on-abort-timeout.patch
+scsi-qla2xxx-fix-driver-unload-hang.patch
+scsi-qla2xxx-fix-double-scsi_done-for-abort-path.patch
+scsi-qla2xxx-fix-memory-leak-when-sending-i-o-fails.patch
+compat_ioctl-add-compat_ptr_ioctl.patch
+ceph-fix-compat_ioctl-for-ceph_dir_operations.patch
+media-venus-remove-invalid-compat_ioctl32-handler.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
