--- /dev/null
+From 908a572b80f6e9577b45e81b3dfe2e22111286b8 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Fri, 28 Sep 2018 16:43:22 +0200
+Subject: fuse: fix blocked_waitq wakeup
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 908a572b80f6e9577b45e81b3dfe2e22111286b8 upstream.
+
+Using waitqueue_active() is racy. Make sure we issue a wake_up()
+unconditionally after storing into fc->blocked. After that it's okay to
+optimize with waitqueue_active() since the first wake up provides the
+necessary barrier for all waiters, not the just the woken one.
+
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Fixes: 3c18ef8117f0 ("fuse: optimize wake_up")
+Cc: <stable@vger.kernel.org> # v3.10
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/dev.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -391,12 +391,19 @@ static void request_end(struct fuse_conn
+ if (test_bit(FR_BACKGROUND, &req->flags)) {
+ spin_lock(&fc->lock);
+ clear_bit(FR_BACKGROUND, &req->flags);
+- if (fc->num_background == fc->max_background)
++ if (fc->num_background == fc->max_background) {
+ fc->blocked = 0;
+-
+- /* Wake up next waiter, if any */
+- if (!fc->blocked && waitqueue_active(&fc->blocked_waitq))
+ wake_up(&fc->blocked_waitq);
++ } else if (!fc->blocked) {
++ /*
++ * Wake up next waiter, if any. It's okay to use
++ * waitqueue_active(), as we've already synced up
++ * fc->blocked with waiters with the wake_up() call
++ * above.
++ */
++ if (waitqueue_active(&fc->blocked_waitq))
++ wake_up(&fc->blocked_waitq);
++ }
+
+ if (fc->num_background == fc->congestion_threshold && fc->sb) {
+ clear_bdi_congested(fc->sb->s_bdi, BLK_RW_SYNC);
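Review bot: The new comment in the `else if (!fc->blocked)` branch says the waiters were synced "with the wake_up() call above", but on this path no wake_up() has executed above it; the unconditional wake_up() it relies on ran in the sibling `if` branch during an earlier request_end() that cleared fc->blocked. A reader will look for a preceding call in this function and not find one, so the wording should point at the other branch instead: `* fc->blocked with waiters by the unconditional wake_up() issued when fc->blocked was cleared.` The rest of request_end(), including the code before the `if (test_bit(FR_BACKGROUND, ...))` guard, lies outside the hunk.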
--- /dev/null
+From bc78abbd55dd28e2287ec6d6502b842321a17c87 Mon Sep 17 00:00:00 2001
+From: Kirill Tkhai <ktkhai@virtuozzo.com>
+Date: Tue, 25 Sep 2018 12:28:55 +0300
+Subject: fuse: Fix use-after-free in fuse_dev_do_read()
+
+From: Kirill Tkhai <ktkhai@virtuozzo.com>
+
+commit bc78abbd55dd28e2287ec6d6502b842321a17c87 upstream.
+
+We may pick freed req in this way:
+
+[cpu0] [cpu1]
+fuse_dev_do_read() fuse_dev_do_write()
+ list_move_tail(&req->list, ...); ...
+ spin_unlock(&fpq->lock); ...
+ ... request_end(fc, req);
+ ... fuse_put_request(fc, req);
+ if (test_bit(FR_INTERRUPTED, ...))
+ queue_interrupt(fiq, req);
+
+Fix that by keeping req alive until we finish all manipulations.
+
+Reported-by: syzbot+4e975615ca01f2277bdd@syzkaller.appspotmail.com
+Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Fixes: 46c34a348b0a ("fuse: no fc->lock for pqueue parts")
+Cc: <stable@vger.kernel.org> # v4.2
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/dev.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -1311,12 +1311,14 @@ static ssize_t fuse_dev_do_read(struct f
+ goto out_end;
+ }
+ list_move_tail(&req->list, &fpq->processing);
++ __fuse_get_request(req);
+ spin_unlock(&fpq->lock);
+ set_bit(FR_SENT, &req->flags);
+ /* matches barrier in request_wait_answer() */
+ smp_mb__after_atomic();
+ if (test_bit(FR_INTERRUPTED, &req->flags))
+ queue_interrupt(fiq, req);
++ fuse_put_request(fc, req);
+
+ return reqsize;
+
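Review bot: The `__fuse_get_request(req)` / `fuse_put_request(fc, req)` pair added around the unlocked section carries no comment saying why the extra reference is needed, so a later cleanup could easily drop it as redundant and reintroduce the use-after-free the commit message describes. Suggest, above the get: `/* Hold a ref: once fpq->lock is dropped, fuse_dev_do_write() can complete and free req before queue_interrupt() runs */`. The same undocumented get/put pair is added in fuse_dev_do_write() by the next patch in this series. fuse_dev_do_read() continues outside the hunk, including the `out_end` label that the earlier goto jumps to.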
--- /dev/null
+From d2d2d4fb1f54eff0f3faa9762d84f6446a4bc5d0 Mon Sep 17 00:00:00 2001
+From: Kirill Tkhai <ktkhai@virtuozzo.com>
+Date: Tue, 25 Sep 2018 12:52:42 +0300
+Subject: fuse: Fix use-after-free in fuse_dev_do_write()
+
+From: Kirill Tkhai <ktkhai@virtuozzo.com>
+
+commit d2d2d4fb1f54eff0f3faa9762d84f6446a4bc5d0 upstream.
+
+After we found req in request_find() and released the lock,
+everything may happen with the req in parallel:
+
+cpu0 cpu1
+fuse_dev_do_write() fuse_dev_do_write()
+ req = request_find(fpq, ...) ...
+ spin_unlock(&fpq->lock) ...
+ ... req = request_find(fpq, oh.unique)
+ ... spin_unlock(&fpq->lock)
+ queue_interrupt(&fc->iq, req); ...
+ ... ...
+ ... ...
+ request_end(fc, req);
+ fuse_put_request(fc, req);
+ ... queue_interrupt(&fc->iq, req);
+
+
+Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Fixes: 46c34a348b0a ("fuse: no fc->lock for pqueue parts")
+Cc: <stable@vger.kernel.org> # v4.2
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/dev.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -1877,16 +1877,20 @@ static ssize_t fuse_dev_do_write(struct
+
+ /* Is it an interrupt reply? */
+ if (req->intr_unique == oh.unique) {
++ __fuse_get_request(req);
+ spin_unlock(&fpq->lock);
+
+ err = -EINVAL;
+- if (nbytes != sizeof(struct fuse_out_header))
++ if (nbytes != sizeof(struct fuse_out_header)) {
++ fuse_put_request(fc, req);
+ goto err_finish;
++ }
+
+ if (oh.error == -ENOSYS)
+ fc->no_interrupt = 1;
+ else if (oh.error == -EAGAIN)
+ queue_interrupt(&fc->iq, req);
++ fuse_put_request(fc, req);
+
+ fuse_copy_finish(cs);
+ return nbytes;
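Review bot: On the `nbytes != sizeof(struct fuse_out_header)` path the reference is dropped before `goto err_finish`, which is correct only if nothing at that label touches req; the label is outside the hunk, so from the visible lines this cannot be confirmed and is worth checking. Two separate fuse_put_request() calls on the two exits is acceptable at this size, but if further early exits are added between the get and the put, dropping the reference once at a local label would be easier to keep balanced. The enclosing fuse_dev_do_write() starts and ends outside the hunk.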
--- /dev/null
+From 4c316f2f3ff315cb48efb7435621e5bfb81df96d Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Fri, 28 Sep 2018 16:43:22 +0200
+Subject: fuse: set FR_SENT while locked
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 4c316f2f3ff315cb48efb7435621e5bfb81df96d upstream.
+
+Otherwise fuse_dev_do_write() could come in and finish off the request, and
+the set_bit(FR_SENT, ...) could trigger the WARN_ON(test_bit(FR_SENT, ...))
+in request_end().
+
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Reported-by: syzbot+ef054c4d3f64cd7f7cec@syzkaller.appspotmai
+Fixes: 46c34a348b0a ("fuse: no fc->lock for pqueue parts")
+Cc: <stable@vger.kernel.org> # v4.2
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -1319,8 +1319,8 @@ static ssize_t fuse_dev_do_read(struct f
+ }
+ list_move_tail(&req->list, &fpq->processing);
+ __fuse_get_request(req);
+- spin_unlock(&fpq->lock);
+ set_bit(FR_SENT, &req->flags);
++ spin_unlock(&fpq->lock);
+ /* matches barrier in request_wait_answer() */
+ smp_mb__after_atomic();
+ if (test_bit(FR_INTERRUPTED, &req->flags))
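Review bot: Moving `set_bit(FR_SENT, &req->flags)` under fpq->lock is justified only in the commit message; the code carries no comment, so a future reorder back to the unlocked position would not be caught in review. Suggest: `/* Must be set under fpq->lock: once it is dropped, fuse_dev_do_write() may end the request and trip the FR_SENT WARN_ON in request_end() */`. The existing `/* matches barrier in request_wait_answer() */` comment and `smp_mb__after_atomic()` now sit after the unlock rather than directly after the set_bit they pair with; the unlock between them does not appear to change the pairing, but keeping the barrier and its comment adjacent to the set_bit (still under the lock) would read more clearly. fuse_dev_do_read() continues beyond the hunk.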
--- /dev/null
+From 39553065f77c297239308470ee313841f4e07db4 Mon Sep 17 00:00:00 2001
+From: Himanshu Madhani <himanshu.madhani@cavium.com>
+Date: Wed, 26 Sep 2018 22:05:15 -0700
+Subject: scsi: qla2xxx: Fix driver hang when FC-NVMe LUNs are configured
+
+From: Himanshu Madhani <himanshu.madhani@cavium.com>
+
+commit 39553065f77c297239308470ee313841f4e07db4 upstream.
+
+This patch fixes multiple call for qla_nvme_unregister_remote_port() as part
+of qlt_schedule_session_for_deletion(), Do not call it again during
+qla_nvme_delete()
+
+Fixes: e473b3074104 ("scsi: qla2xxx: Add FC-NVMe abort processing")
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Ewan D. Milne <emilne@redhat.com>
+Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_nvme.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_nvme.c
++++ b/drivers/scsi/qla2xxx/qla_nvme.c
+@@ -657,9 +657,6 @@ void qla_nvme_delete(struct scsi_qla_hos
+ __func__, fcport);
+
+ nvme_fc_set_remoteport_devloss(fcport->nvme_remote_port, 0);
+- init_completion(&fcport->nvme_del_done);
+- nvme_fc_unregister_remoteport(fcport->nvme_remote_port);
+- wait_for_completion(&fcport->nvme_del_done);
+ }
+
+ if (vha->nvme_local_port) {
--- /dev/null
+From 732ee9a912cf2d9a50c5f9c4213cdc2f885d6aa6 Mon Sep 17 00:00:00 2001
+From: Quinn Tran <quinn.tran@cavium.com>
+Date: Wed, 26 Sep 2018 22:05:13 -0700
+Subject: scsi: qla2xxx: Fix duplicate switch database entries
+
+From: Quinn Tran <quinn.tran@cavium.com>
+
+commit 732ee9a912cf2d9a50c5f9c4213cdc2f885d6aa6 upstream.
+
+The response data buffer used in switch scan is reused 4 times. (For example,
+for commands GPN_FT, GNN_FT for FCP and FC-NVME) Before driver reuses this
+buffer, clear it to prevent duplicate entries in our database.
+
+Fixes: a4239945b8ad1 ("scsi: qla2xxx: Add switch command to simplify fabric discovery"
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Quinn Tran <quinn.tran@cavium.com>
+Reviewed-by: Ewan D. Milne <emilne@redhat.com>
+Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_gs.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_gs.c
++++ b/drivers/scsi/qla2xxx/qla_gs.c
+@@ -4410,9 +4410,9 @@ int qla24xx_async_gpnft(scsi_qla_host_t
+ sp->u.iocb_cmd.timeout = qla2x00_async_iocb_timeout;
+ qla2x00_init_timer(sp, qla2x00_get_async_timeout(vha) + 2);
+
+- rspsz = sizeof(struct ct_sns_gpnft_rsp) +
+- ((vha->hw->max_fibre_devices - 1) *
+- sizeof(struct ct_sns_gpn_ft_data));
++ rspsz = sp->u.iocb_cmd.u.ctarg.rsp_size;
++ memset(sp->u.iocb_cmd.u.ctarg.rsp, 0, sp->u.iocb_cmd.u.ctarg.rsp_size);
++ memset(sp->u.iocb_cmd.u.ctarg.req, 0, sp->u.iocb_cmd.u.ctarg.req_size);
+
+ ct_sns = (struct ct_sns_pkt *)sp->u.iocb_cmd.u.ctarg.req;
+ /* CT_IU preamble */
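Review bot: `rspsz` is assigned from `sp->u.iocb_cmd.u.ctarg.rsp_size` and the very next line re-reads the same field as the memset length; using the local, `memset(sp->u.iocb_cmd.u.ctarg.rsp, 0, rspsz);`, keeps the size and the clear visibly tied together. The removed computation derived the size from `vha->hw->max_fibre_devices`; the new code depends on rsp_size having been set to an equivalent value where the buffer was allocated, which is outside the hunk and worth confirming, since a smaller rsp_size would silently shorten both the clear and the later response handling. qla24xx_async_gpnft() begins and ends outside the hunk.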
scsi-qla2xxx-fix-process-response-queue-for-isp26xx-and-above.patch
scsi-qla2xxx-remove-stale-debug-trace-message-from-tcm_qla2xxx.patch
scsi-qla2xxx-shutdown-chip-if-reset-fail.patch
+scsi-qla2xxx-fix-duplicate-switch-database-entries.patch
+scsi-qla2xxx-fix-driver-hang-when-fc-nvme-luns-are-configured.patch
+fuse-fix-use-after-free-in-fuse_dev_do_read.patch
+fuse-fix-use-after-free-in-fuse_dev_do_write.patch
+fuse-fix-blocked_waitq-wakeup.patch
+fuse-set-fr_sent-while-locked.patch
scsi-qla2xxx-fix-re-using-loopid-when-handle-is-in-use.patch
scsi-qla2xxx-fix-nvme-session-hang-on-unload.patch