--- /dev/null
+From af73f23a27206ffb3c477cac75b5fcf03410556e Mon Sep 17 00:00:00 2001
+From: Nilesh Javali <njavali@marvell.com>
+Date: Wed, 7 Jun 2023 17:08:39 +0530
+Subject: scsi: qla2xxx: Check valid rport returned by fc_bsg_to_rport()
+
+From: Nilesh Javali <njavali@marvell.com>
+
+commit af73f23a27206ffb3c477cac75b5fcf03410556e upstream.
+
+Klocwork reported warning of rport maybe NULL and will be dereferenced.
+rport returned by call to fc_bsg_to_rport() could be NULL and dereferenced.
+
+Check valid rport returned by fc_bsg_to_rport().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Link: https://lore.kernel.org/r/20230607113843.37185-5-njavali@marvell.com
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_bsg.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/scsi/qla2xxx/qla_bsg.c
++++ b/drivers/scsi/qla2xxx/qla_bsg.c
+@@ -264,6 +264,10 @@ qla2x00_process_els(struct bsg_job *bsg_
+
+ if (bsg_request->msgcode == FC_BSG_RPT_ELS) {
+ rport = fc_bsg_to_rport(bsg_job);
++ if (!rport) {
++ rval = -ENOMEM;
++ goto done;
++ }
+ fcport = *(fc_port_t **) rport->dd_data;
+ host = rport_to_shost(rport);
+ vha = shost_priv(host);
--- /dev/null
+From 464ea494a40c6e3e0e8f91dd325408aaf21515ba Mon Sep 17 00:00:00 2001
+From: Bikash Hazarika <bhazarika@marvell.com>
+Date: Wed, 7 Jun 2023 17:08:37 +0530
+Subject: scsi: qla2xxx: Fix potential NULL pointer dereference
+
+From: Bikash Hazarika <bhazarika@marvell.com>
+
+commit 464ea494a40c6e3e0e8f91dd325408aaf21515ba upstream.
+
+Klocwork tool reported 'cur_dsd' may be dereferenced. Add fix to validate
+pointer before dereferencing the pointer.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Bikash Hazarika <bhazarika@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Link: https://lore.kernel.org/r/20230607113843.37185-3-njavali@marvell.com
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_iocb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/qla_iocb.c
++++ b/drivers/scsi/qla2xxx/qla_iocb.c
+@@ -603,7 +603,8 @@ qla24xx_build_scsi_type_6_iocbs(srb_t *s
+ *((uint32_t *)(&cmd_pkt->entry_type)) = cpu_to_le32(COMMAND_TYPE_6);
+
+ /* No data transfer */
+- if (!scsi_bufflen(cmd) || cmd->sc_data_direction == DMA_NONE) {
++ if (!scsi_bufflen(cmd) || cmd->sc_data_direction == DMA_NONE ||
++ tot_dsds == 0) {
+ cmd_pkt->byte_count = cpu_to_le32(0);
+ return 0;
+ }
--- /dev/null
+From 00eca15319d9ce8c31cdf22f32a3467775423df4 Mon Sep 17 00:00:00 2001
+From: Shreyas Deodhar <sdeodhar@marvell.com>
+Date: Wed, 7 Jun 2023 17:08:41 +0530
+Subject: scsi: qla2xxx: Pointer may be dereferenced
+
+From: Shreyas Deodhar <sdeodhar@marvell.com>
+
+commit 00eca15319d9ce8c31cdf22f32a3467775423df4 upstream.
+
+Klocwork tool reported pointer 'rport' returned from call to function
+fc_bsg_to_rport() may be NULL and will be dereferenced.
+
+Add a fix to validate rport before dereferencing.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Shreyas Deodhar <sdeodhar@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Link: https://lore.kernel.org/r/20230607113843.37185-7-njavali@marvell.com
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_bsg.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/scsi/qla2xxx/qla_bsg.c
++++ b/drivers/scsi/qla2xxx/qla_bsg.c
+@@ -2488,6 +2488,8 @@ qla24xx_bsg_request(struct bsg_job *bsg_
+
+ if (bsg_request->msgcode == FC_BSG_RPT_ELS) {
+ rport = fc_bsg_to_rport(bsg_job);
++ if (!rport)
++ return ret;
+ host = rport_to_shost(rport);
+ vha = shost_priv(host);
+ } else {
--- /dev/null
+From fc0cba0c7be8261a1625098bd1d695077ec621c9 Mon Sep 17 00:00:00 2001
+From: Quinn Tran <qutran@marvell.com>
+Date: Fri, 28 Apr 2023 00:53:38 -0700
+Subject: scsi: qla2xxx: Wait for io return on terminate rport
+
+From: Quinn Tran <qutran@marvell.com>
+
+commit fc0cba0c7be8261a1625098bd1d695077ec621c9 upstream.
+
+System crash due to use after free.
+Current code allows terminate_rport_io to exit before making
+sure all IOs has returned. For FCP-2 device, IO's can hang
+on in HW because driver has not tear down the session in FW at
+first sign of cable pull. When dev_loss_tmo timer pops,
+terminate_rport_io is called and upper layer is about to
+free various resources. Terminate_rport_io trigger qla to do
+the final cleanup, but the cleanup might not be fast enough where it
+leave qla still holding on to the same resource.
+
+Wait for IO's to return to upper layer before resources are freed.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Quinn Tran <qutran@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Link: https://lore.kernel.org/r/20230428075339.32551-7-njavali@marvell.com
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_attr.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/drivers/scsi/qla2xxx/qla_attr.c
++++ b/drivers/scsi/qla2xxx/qla_attr.c
+@@ -1800,6 +1800,7 @@ static void
+ qla2x00_terminate_rport_io(struct fc_rport *rport)
+ {
+ fc_port_t *fcport = *(fc_port_t **)rport->dd_data;
++ scsi_qla_host_t *vha;
+
+ if (!fcport)
+ return;
+@@ -1809,9 +1810,12 @@ qla2x00_terminate_rport_io(struct fc_rpo
+
+ if (test_bit(ABORT_ISP_ACTIVE, &fcport->vha->dpc_flags))
+ return;
++ vha = fcport->vha;
+
+ if (unlikely(pci_channel_offline(fcport->vha->hw->pdev))) {
+ qla2x00_abort_all_cmds(fcport->vha, DID_NO_CONNECT << 16);
++ qla2x00_eh_wait_for_pending_commands(fcport->vha, fcport->d_id.b24,
++ 0, WAIT_TARGET);
+ return;
+ }
+ /*
+@@ -1826,6 +1830,15 @@ qla2x00_terminate_rport_io(struct fc_rpo
+ else
+ qla2x00_port_logout(fcport->vha, fcport);
+ }
++
++ /* check for any straggling io left behind */
++ if (qla2x00_eh_wait_for_pending_commands(fcport->vha, fcport->d_id.b24, 0, WAIT_TARGET)) {
++ ql_log(ql_log_warn, vha, 0x300b,
++ "IO not return. Resetting. \n");
++ set_bit(ISP_ABORT_NEEDED, &vha->dpc_flags);
++ qla2xxx_wake_dpc(vha);
++ qla2x00_wait_for_chip_reset(vha);
++ }
+ }
+
+ static int
tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-when-iterating-clk.patch
ring-buffer-fix-deadloop-issue-on-reading-trace_pipe.patch
xtensa-iss-fix-call-to-split_if_spec.patch
+scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch
+scsi-qla2xxx-fix-potential-null-pointer-dereference.patch
+scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch
+scsi-qla2xxx-pointer-may-be-dereferenced.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
