4.14-stable patches

added patches:
	scsi-qla2xxx-fix-crashes-in-qla2x00_probe_one-on-probe-failure.patch
	scsi-qla2xxx-fix-logo-flag-for-qlt_free_session_done.patch
	scsi-qla2xxx-fix-null-pointer-access-for-fcport-structure.patch
	scsi-qla2xxx-fix-smatch-warning-in-qla25xx_delete_-rsp-req-_que.patch
	usb-dwc3-fix-gdbgfifospace_type-values.patch
	usb-gadget-udc-add-missing-platform_device_put-on-error-in-bdc_pci_probe.patch

diff --git a/queue-4.14/scsi-qla2xxx-fix-crashes-in-qla2x00_probe_one-on-probe-failure.patch b/queue-4.14/scsi-qla2xxx-fix-crashes-in-qla2x00_probe_one-on-probe-failure.patch
new file mode 100644 (file)
index 0000000..3cfa457
--- /dev/null
+++ b/queue-4.14/scsi-qla2xxx-fix-crashes-in-qla2x00_probe_one-on-probe-failure.patch
@@ -0,0 +1,163 @@
+From 6a2cf8d3663e13e19af636c2a8d92e766261dc45 Mon Sep 17 00:00:00 2001
+From: Bill Kuzeja <William.Kuzeja@stratus.com>
+Date: Mon, 5 Mar 2018 00:02:55 -0500
+Subject: scsi: qla2xxx: Fix crashes in qla2x00_probe_one on probe failure
+
+From: Bill Kuzeja <William.Kuzeja@stratus.com>
+
+commit 6a2cf8d3663e13e19af636c2a8d92e766261dc45 upstream.
+
+Because of the shifting around of code in qla2x00_probe_one recently,
+failures during adapter initialization can lead to problems, i.e. NULL
+pointer crashes and doubly freed data structures which cause eventual
+panics.
+
+This V2 version makes the relevant memory free routines idempotent, so
+repeat calls won't cause any harm. I also removed the problematic
+probe_init_failed exit point as it is not needed.
+
+Fixes: d64d6c5671db ("scsi: qla2xxx: Fix NULL pointer crash due to probe failure")
+Signed-off-by: Bill Kuzeja <william.kuzeja@stratus.com>
+Acked-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_os.c |   59 ++++++++++++++++++++++++++----------------
+ 1 file changed, 37 insertions(+), 22 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -442,7 +442,7 @@ static int qla2x00_alloc_queues(struct q
+       ha->req_q_map[0] = req;
+       set_bit(0, ha->rsp_qid_map);
+       set_bit(0, ha->req_qid_map);
+-      return 1;
++      return 0;
+ 
+ fail_qpair_map:
+       kfree(ha->base_qpair);
+@@ -459,6 +459,9 @@ fail_req_map:
+ 
+ static void qla2x00_free_req_que(struct qla_hw_data *ha, struct req_que *req)
+ {
++      if (!ha->req_q_map)
++              return;
++
+       if (IS_QLAFX00(ha)) {
+               if (req && req->ring_fx00)
+                       dma_free_coherent(&ha->pdev->dev,
+@@ -469,14 +472,17 @@ static void qla2x00_free_req_que(struct
+               (req->length + 1) * sizeof(request_t),
+               req->ring, req->dma);
+ 
+-      if (req)
++      if (req) {
+               kfree(req->outstanding_cmds);
+-
+-      kfree(req);
++              kfree(req);
++      }
+ }
+ 
+ static void qla2x00_free_rsp_que(struct qla_hw_data *ha, struct rsp_que *rsp)
+ {
++      if (!ha->rsp_q_map)
++              return;
++
+       if (IS_QLAFX00(ha)) {
+               if (rsp && rsp->ring)
+                       dma_free_coherent(&ha->pdev->dev,
+@@ -487,7 +493,8 @@ static void qla2x00_free_rsp_que(struct
+               (rsp->length + 1) * sizeof(response_t),
+               rsp->ring, rsp->dma);
+       }
+-      kfree(rsp);
++      if (rsp)
++              kfree(rsp);
+ }
+ 
+ static void qla2x00_free_queues(struct qla_hw_data *ha)
+@@ -1710,6 +1717,8 @@ qla2x00_abort_all_cmds(scsi_qla_host_t *
+       struct qla_tgt_cmd *cmd;
+       uint8_t trace = 0;
+ 
++      if (!ha->req_q_map)
++              return;
+       spin_lock_irqsave(&ha->hardware_lock, flags);
+       for (que = 0; que < ha->max_req_queues; que++) {
+               req = ha->req_q_map[que];
+@@ -3063,14 +3072,14 @@ qla2x00_probe_one(struct pci_dev *pdev,
+       /* Set up the irqs */
+       ret = qla2x00_request_irqs(ha, rsp);
+       if (ret)
+-              goto probe_hw_failed;
++              goto probe_failed;
+ 
+       /* Alloc arrays of request and response ring ptrs */
+-      if (!qla2x00_alloc_queues(ha, req, rsp)) {
++      if (qla2x00_alloc_queues(ha, req, rsp)) {
+               ql_log(ql_log_fatal, base_vha, 0x003d,
+                   "Failed to allocate memory for queue pointers..."
+                   "aborting.\n");
+-              goto probe_init_failed;
++              goto probe_failed;
+       }
+ 
+       if (ha->mqenable && shost_use_blk_mq(host)) {
+@@ -3347,15 +3356,6 @@ skip_dpc:
+ 
+       return 0;
+ 
+-probe_init_failed:
+-      qla2x00_free_req_que(ha, req);
+-      ha->req_q_map[0] = NULL;
+-      clear_bit(0, ha->req_qid_map);
+-      qla2x00_free_rsp_que(ha, rsp);
+-      ha->rsp_q_map[0] = NULL;
+-      clear_bit(0, ha->rsp_qid_map);
+-      ha->max_req_queues = ha->max_rsp_queues = 0;
+-
+ probe_failed:
+       if (base_vha->timer_active)
+               qla2x00_stop_timer(base_vha);
+@@ -4435,11 +4435,17 @@ qla2x00_mem_free(struct qla_hw_data *ha)
+       if (ha->init_cb)
+               dma_free_coherent(&ha->pdev->dev, ha->init_cb_size,
+                       ha->init_cb, ha->init_cb_dma);
+-      vfree(ha->optrom_buffer);
+-      kfree(ha->nvram);
+-      kfree(ha->npiv_info);
+-      kfree(ha->swl);
+-      kfree(ha->loop_id_map);
++
++      if (ha->optrom_buffer)
++              vfree(ha->optrom_buffer);
++      if (ha->nvram)
++              kfree(ha->nvram);
++      if (ha->npiv_info)
++              kfree(ha->npiv_info);
++      if (ha->swl)
++              kfree(ha->swl);
++      if (ha->loop_id_map)
++              kfree(ha->loop_id_map);
+ 
+       ha->srb_mempool = NULL;
+       ha->ctx_mempool = NULL;
+@@ -4455,6 +4461,15 @@ qla2x00_mem_free(struct qla_hw_data *ha)
+       ha->ex_init_cb_dma = 0;
+       ha->async_pd = NULL;
+       ha->async_pd_dma = 0;
++      ha->loop_id_map = NULL;
++      ha->npiv_info = NULL;
++      ha->optrom_buffer = NULL;
++      ha->swl = NULL;
++      ha->nvram = NULL;
++      ha->mctp_dump = NULL;
++      ha->dcbx_tlv = NULL;
++      ha->xgmac_data = NULL;
++      ha->sfp_data = NULL;
+ 
+       ha->s_dma_pool = NULL;
+       ha->dl_dma_pool = NULL;

diff --git a/queue-4.14/scsi-qla2xxx-fix-logo-flag-for-qlt_free_session_done.patch b/queue-4.14/scsi-qla2xxx-fix-logo-flag-for-qlt_free_session_done.patch
new file mode 100644 (file)
index 0000000..a9738c4
--- /dev/null
+++ b/queue-4.14/scsi-qla2xxx-fix-logo-flag-for-qlt_free_session_done.patch
@@ -0,0 +1,37 @@
+From a2390348c19d0819d525d375414a7cfdacb51a68 Mon Sep 17 00:00:00 2001
+From: Himanshu Madhani <hmadhani@redhat.com>
+Date: Mon, 22 Jan 2018 12:04:20 -0800
+Subject: scsi: qla2xxx: Fix logo flag for qlt_free_session_done()
+
+From: Himanshu Madhani <hmadhani@redhat.com>
+
+commit a2390348c19d0819d525d375414a7cfdacb51a68 upstream.
+
+Commit 3515832cc614 ("scsi: qla2xxx: Reset the logo flag, after target
+re-login.")fixed the target re-login after session relogin is complete,
+but missed out the qlt_free_session_done() path.
+
+This patch clears send_els_logo flag in qlt_free_session_done()
+callback.
+
+[mkp: checkpatch]
+
+Fixes: 3515832cc614 ("scsi: qla2xxx: Reset the logo flag, after target re-login.")
+Signed-off-by: Himanshu Madhani <hmadhani@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_target.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/qla2xxx/qla_target.c
++++ b/drivers/scsi/qla2xxx/qla_target.c
+@@ -971,6 +971,7 @@ static void qlt_free_session_done(struct
+ 
+                       logo.id = sess->d_id;
+                       logo.cmd_count = 0;
++                      sess->send_els_logo = 0;
+                       qlt_send_first_logo(vha, &logo);
+               }
+ 

diff --git a/queue-4.14/scsi-qla2xxx-fix-null-pointer-access-for-fcport-structure.patch b/queue-4.14/scsi-qla2xxx-fix-null-pointer-access-for-fcport-structure.patch
new file mode 100644 (file)
index 0000000..5f28e1f
--- /dev/null
+++ b/queue-4.14/scsi-qla2xxx-fix-null-pointer-access-for-fcport-structure.patch
@@ -0,0 +1,46 @@
+From 5c25d451163cab9be80744cbc5448d6b95ab8d1a Mon Sep 17 00:00:00 2001
+From: Quinn Tran <quinn.tran@cavium.com>
+Date: Thu, 28 Dec 2017 12:33:09 -0800
+Subject: scsi: qla2xxx: Fix NULL pointer access for fcport structure
+
+From: Quinn Tran <quinn.tran@cavium.com>
+
+commit 5c25d451163cab9be80744cbc5448d6b95ab8d1a upstream.
+
+when processing iocb in a timeout case, driver was trying to log messages
+without verifying if the fcport structure could have valid data. This
+results in a NULL pointer access.
+
+Fixes: 726b85487067("qla2xxx: Add framework for async fabric discovery")
+Signed-off-by: Quinn Tran <quinn.tran@cavium.com>
+Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_init.c |   13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -102,11 +102,16 @@ qla2x00_async_iocb_timeout(void *data)
+       struct srb_iocb *lio = &sp->u.iocb_cmd;
+       struct event_arg ea;
+ 
+-      ql_dbg(ql_dbg_disc, fcport->vha, 0x2071,
+-          "Async-%s timeout - hdl=%x portid=%06x %8phC.\n",
+-          sp->name, sp->handle, fcport->d_id.b24, fcport->port_name);
++      if (fcport) {
++              ql_dbg(ql_dbg_disc, fcport->vha, 0x2071,
++                  "Async-%s timeout - hdl=%x portid=%06x %8phC.\n",
++                  sp->name, sp->handle, fcport->d_id.b24, fcport->port_name);
+ 
+-      fcport->flags &= ~FCF_ASYNC_SENT;
++              fcport->flags &= ~FCF_ASYNC_SENT;
++      } else {
++              pr_info("Async-%s timeout - hdl=%x.\n",
++                  sp->name, sp->handle);
++      }
+ 
+       switch (sp->type) {
+       case SRB_LOGIN_CMD:

diff --git a/queue-4.14/scsi-qla2xxx-fix-smatch-warning-in-qla25xx_delete_-rsp-req-_que.patch b/queue-4.14/scsi-qla2xxx-fix-smatch-warning-in-qla25xx_delete_-rsp-req-_que.patch
new file mode 100644 (file)
index 0000000..e72b116
--- /dev/null
+++ b/queue-4.14/scsi-qla2xxx-fix-smatch-warning-in-qla25xx_delete_-rsp-req-_que.patch
@@ -0,0 +1,51 @@
+From 62aa281470fdb7c0796d63a1cc918a8c1f02dde2 Mon Sep 17 00:00:00 2001
+From: Himanshu Madhani <himanshu.madhani@cavium.com>
+Date: Sat, 16 Dec 2017 16:05:09 -0800
+Subject: scsi: qla2xxx: Fix smatch warning in qla25xx_delete_{rsp|req}_que
+
+From: Himanshu Madhani <himanshu.madhani@cavium.com>
+
+commit 62aa281470fdb7c0796d63a1cc918a8c1f02dde2 upstream.
+
+This patch fixes following warnings reported by smatch:
+
+drivers/scsi/qla2xxx/qla_mid.c:586 qla25xx_delete_req_que()
+error: we previously assumed 'req' could be null (see line 580)
+
+drivers/scsi/qla2xxx/qla_mid.c:602 qla25xx_delete_rsp_que()
+error: we previously assumed 'rsp' could be null (see line 596)
+
+Fixes: 7867b98dceb7 ("scsi: qla2xxx: Fix memory leak in dual/target mode")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_mid.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_mid.c
++++ b/drivers/scsi/qla2xxx/qla_mid.c
+@@ -582,8 +582,9 @@ qla25xx_delete_req_que(struct scsi_qla_h
+               ret = qla25xx_init_req_que(vha, req);
+               if (ret != QLA_SUCCESS)
+                       return QLA_FUNCTION_FAILED;
++
++              qla25xx_free_req_que(vha, req);
+       }
+-      qla25xx_free_req_que(vha, req);
+ 
+       return ret;
+ }
+@@ -598,8 +599,9 @@ qla25xx_delete_rsp_que(struct scsi_qla_h
+               ret = qla25xx_init_rsp_que(vha, rsp);
+               if (ret != QLA_SUCCESS)
+                       return QLA_FUNCTION_FAILED;
++
++              qla25xx_free_rsp_que(vha, rsp);
+       }
+-      qla25xx_free_rsp_que(vha, rsp);
+ 
+       return ret;
+ }

diff --git a/queue-4.14/series b/queue-4.14/series
index 3694e4bacbfdaecbf551da8afe8796f3bd89fccc..3d542ebd377993cf2ef8ec1c6f143ad324fff7e0 100644 (file)
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -33,3 +33,9 @@ btrfs-alloc_chunk-fix-dup-stripe-size-handling.patch
 btrfs-fix-use-after-free-when-cleaning-up-fs_devs-with-a-single-stale-device.patch
 btrfs-remove-spurious-warn_on-ref-count-0-in-find_parent_nodes.patch
 btrfs-fix-memory-barriers-usage-with-device-stats-counters.patch
+scsi-qla2xxx-fix-smatch-warning-in-qla25xx_delete_-rsp-req-_que.patch
+scsi-qla2xxx-fix-null-pointer-access-for-fcport-structure.patch
+scsi-qla2xxx-fix-logo-flag-for-qlt_free_session_done.patch
+scsi-qla2xxx-fix-crashes-in-qla2x00_probe_one-on-probe-failure.patch
+usb-gadget-udc-add-missing-platform_device_put-on-error-in-bdc_pci_probe.patch
+usb-dwc3-fix-gdbgfifospace_type-values.patch

diff --git a/queue-4.14/usb-dwc3-fix-gdbgfifospace_type-values.patch b/queue-4.14/usb-dwc3-fix-gdbgfifospace_type-values.patch
new file mode 100644 (file)
index 0000000..ab0f96d
--- /dev/null
+++ b/queue-4.14/usb-dwc3-fix-gdbgfifospace_type-values.patch
@@ -0,0 +1,48 @@
+From b16ea8b9492e99e03b1269fe93ebdbf8e4eabf8a Mon Sep 17 00:00:00 2001
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Date: Fri, 2 Feb 2018 13:21:35 -0800
+Subject: usb: dwc3: Fix GDBGFIFOSPACE_TYPE values
+
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+
+commit b16ea8b9492e99e03b1269fe93ebdbf8e4eabf8a upstream.
+
+The FIFO/Queue type values are incorrect. Correct them according to
+DWC_usb3 programming guide section 1.2.27 (or DWC_usb31 section 1.2.25).
+
+Additionally, this patch includes ProtocolStatusQ and AuxEventQ types.
+
+Fixes: cf6d867d3b57 ("usb: dwc3: core: add fifo space helper")
+Signed-off-by: Thinh Nguyen <thinhn@synopsys.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc3/core.h |   16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/drivers/usb/dwc3/core.h
++++ b/drivers/usb/dwc3/core.h
+@@ -166,13 +166,15 @@
+ #define DWC3_GDBGFIFOSPACE_TYPE(n)    (((n) << 5) & 0x1e0)
+ #define DWC3_GDBGFIFOSPACE_SPACE_AVAILABLE(n) (((n) >> 16) & 0xffff)
+ 
+-#define DWC3_TXFIFOQ          1
+-#define DWC3_RXFIFOQ          3
+-#define DWC3_TXREQQ           5
+-#define DWC3_RXREQQ           7
+-#define DWC3_RXINFOQ          9
+-#define DWC3_DESCFETCHQ               13
+-#define DWC3_EVENTQ           15
++#define DWC3_TXFIFOQ          0
++#define DWC3_RXFIFOQ          1
++#define DWC3_TXREQQ           2
++#define DWC3_RXREQQ           3
++#define DWC3_RXINFOQ          4
++#define DWC3_PSTATQ           5
++#define DWC3_DESCFETCHQ               6
++#define DWC3_EVENTQ           7
++#define DWC3_AUXEVENTQ                8
+ 
+ /* Global RX Threshold Configuration Register */
+ #define DWC3_GRXTHRCFG_MAXRXBURSTSIZE(n) (((n) & 0x1f) << 19)

diff --git a/queue-4.14/usb-gadget-udc-add-missing-platform_device_put-on-error-in-bdc_pci_probe.patch b/queue-4.14/usb-gadget-udc-add-missing-platform_device_put-on-error-in-bdc_pci_probe.patch
new file mode 100644 (file)
index 0000000..ff48129
--- /dev/null
+++ b/queue-4.14/usb-gadget-udc-add-missing-platform_device_put-on-error-in-bdc_pci_probe.patch
@@ -0,0 +1,31 @@
+From 8874ae5f15f3feef3b4a415b9aed51edcf449aa1 Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <weiyongjun1@huawei.com>
+Date: Tue, 23 Jan 2018 09:35:14 +0000
+Subject: USB: gadget: udc: Add missing platform_device_put() on error in bdc_pci_probe()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+commit 8874ae5f15f3feef3b4a415b9aed51edcf449aa1 upstream.
+
+Add the missing platform_device_put() before return from bdc_pci_probe()
+in the platform_device_add_resources() error handling case.
+
+Fixes: efed421a94e6 ("usb: gadget: Add UDC driver for Broadcom USB3.0 device controller IP BDC")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/udc/bdc/bdc_pci.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/gadget/udc/bdc/bdc_pci.c
++++ b/drivers/usb/gadget/udc/bdc/bdc_pci.c
+@@ -82,6 +82,7 @@ static int bdc_pci_probe(struct pci_dev
+       if (ret) {
+               dev_err(&pci->dev,
+                       "couldn't add resources to bdc device\n");
++              platform_device_put(bdc);
+               return ret;
+       }
+