From: Greg Kroah-Hartman Date: Sat, 14 Dec 2019 15:11:06 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v5.4.4~86 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0cc1d6a16a76d7ee6a77eabc0b043dcec31be7b5;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: ceph-fix-compat_ioctl-for-ceph_dir_operations.patch compat_ioctl-add-compat_ptr_ioctl.patch media-venus-remove-invalid-compat_ioctl32-handler.patch nvme-namepace-identification-descriptor-list-is-optional.patch revert-nvme-add-quirk-for-kingston-nvme-ssd-running-fw-e8fk11.t.patch scsi-lpfc-fix-bad-ndlp-ptr-in-xri-aborted-handling.patch scsi-qla2xxx-do-command-completion-on-abort-timeout.patch scsi-qla2xxx-fix-double-scsi_done-for-abort-path.patch scsi-qla2xxx-fix-driver-unload-hang.patch scsi-qla2xxx-fix-memory-leak-when-sending-i-o-fails.patch scsi-zfcp-trace-channel-log-even-for-fcp-command-responses.patch --- diff --git a/queue-5.4/ceph-fix-compat_ioctl-for-ceph_dir_operations.patch b/queue-5.4/ceph-fix-compat_ioctl-for-ceph_dir_operations.patch new file mode 100644 index 00000000000..6c0fe474bfd --- /dev/null +++ b/queue-5.4/ceph-fix-compat_ioctl-for-ceph_dir_operations.patch @@ -0,0 +1,51 @@ +From 18bd6caaef4021803dd0d031dc37c2d001d18a5b Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Tue, 11 Sep 2018 20:47:23 +0200 +Subject: ceph: fix compat_ioctl for ceph_dir_operations + +From: Arnd Bergmann + +commit 18bd6caaef4021803dd0d031dc37c2d001d18a5b upstream. + +The ceph_ioctl function is used both for files and directories, but only +the files support doing that in 32-bit compat mode. + +On the s390 architecture, there is also a problem with invalid 31-bit +pointers that need to be passed through compat_ptr(). + +Use the new compat_ptr_ioctl() to address both issues. + +Note: When backporting this patch to stable kernels, "compat_ioctl: +add compat_ptr_ioctl()" is needed as well. + +Reviewed-by: "Yan, Zheng" +Cc: stable@vger.kernel.org +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ceph/dir.c | 1 + + fs/ceph/file.c | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/ceph/dir.c ++++ b/fs/ceph/dir.c +@@ -1809,6 +1809,7 @@ const struct file_operations ceph_dir_fo + .open = ceph_open, + .release = ceph_release, + .unlocked_ioctl = ceph_ioctl, ++ .compat_ioctl = compat_ptr_ioctl, + .fsync = ceph_fsync, + .lock = ceph_lock, + .flock = ceph_flock, +--- a/fs/ceph/file.c ++++ b/fs/ceph/file.c +@@ -2188,7 +2188,7 @@ const struct file_operations ceph_file_f + .splice_read = generic_file_splice_read, + .splice_write = iter_file_splice_write, + .unlocked_ioctl = ceph_ioctl, +- .compat_ioctl = ceph_ioctl, ++ .compat_ioctl = compat_ptr_ioctl, + .fallocate = ceph_fallocate, + .copy_file_range = ceph_copy_file_range, + }; diff --git a/queue-5.4/compat_ioctl-add-compat_ptr_ioctl.patch b/queue-5.4/compat_ioctl-add-compat_ptr_ioctl.patch new file mode 100644 index 00000000000..05e3b069edd --- /dev/null +++ b/queue-5.4/compat_ioctl-add-compat_ptr_ioctl.patch @@ -0,0 +1,109 @@ +From 2952db0fd51b0890f728df94ac563c21407f4f43 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Tue, 11 Sep 2018 16:55:03 +0200 +Subject: compat_ioctl: add compat_ptr_ioctl() + +From: Arnd Bergmann + +commit 2952db0fd51b0890f728df94ac563c21407f4f43 upstream. + +Many drivers have ioctl() handlers that are completely compatible between +32-bit and 64-bit architectures, except for the argument that is passed +down from user space and may have to be passed through compat_ptr() +in order to become a valid 64-bit pointer. + +Using ".compat_ptr = compat_ptr_ioctl" in file operations should let +us simplify a lot of those drivers to avoid #ifdef checks, and convert +additional drivers that don't have proper compat handling yet. + +On most architectures, the compat_ptr_ioctl() just passes all arguments +to the corresponding ->ioctl handler. The exception is arch/s390, where +compat_ptr() clears the top bit of a 32-bit pointer value, so user space +pointers to the second 2GB alias the first 2GB, as is the case for native +32-bit s390 user space. + +The compat_ptr_ioctl() function must therefore be used only with +ioctl functions that either ignore the argument or pass a pointer to a +compatible data type. + +If any ioctl command handled by fops->unlocked_ioctl passes a plain +integer instead of a pointer, or any of the passed data types is +incompatible between 32-bit and 64-bit architectures, a proper handler +is required instead of compat_ptr_ioctl. + +Signed-off-by: Arnd Bergmann +--- +v3: add a better description +v2: use compat_ptr_ioctl instead of generic_compat_ioctl_ptrarg, +as suggested by Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ioctl.c | 35 +++++++++++++++++++++++++++++++++++ + include/linux/fs.h | 7 +++++++ + 2 files changed, 42 insertions(+) + +--- a/fs/ioctl.c ++++ b/fs/ioctl.c +@@ -8,6 +8,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -719,3 +720,37 @@ SYSCALL_DEFINE3(ioctl, unsigned int, fd, + { + return ksys_ioctl(fd, cmd, arg); + } ++ ++#ifdef CONFIG_COMPAT ++/** ++ * compat_ptr_ioctl - generic implementation of .compat_ioctl file operation ++ * ++ * This is not normally called as a function, but instead set in struct ++ * file_operations as ++ * ++ * .compat_ioctl = compat_ptr_ioctl, ++ * ++ * On most architectures, the compat_ptr_ioctl() just passes all arguments ++ * to the corresponding ->ioctl handler. The exception is arch/s390, where ++ * compat_ptr() clears the top bit of a 32-bit pointer value, so user space ++ * pointers to the second 2GB alias the first 2GB, as is the case for ++ * native 32-bit s390 user space. ++ * ++ * The compat_ptr_ioctl() function must therefore be used only with ioctl ++ * functions that either ignore the argument or pass a pointer to a ++ * compatible data type. ++ * ++ * If any ioctl command handled by fops->unlocked_ioctl passes a plain ++ * integer instead of a pointer, or any of the passed data types ++ * is incompatible between 32-bit and 64-bit architectures, a proper ++ * handler is required instead of compat_ptr_ioctl. ++ */ ++long compat_ptr_ioctl(struct file *file, unsigned int cmd, unsigned long arg) ++{ ++ if (!file->f_op->unlocked_ioctl) ++ return -ENOIOCTLCMD; ++ ++ return file->f_op->unlocked_ioctl(file, cmd, (unsigned long)compat_ptr(arg)); ++} ++EXPORT_SYMBOL(compat_ptr_ioctl); ++#endif +--- a/include/linux/fs.h ++++ b/include/linux/fs.h +@@ -1727,6 +1727,13 @@ int vfs_mkobj(struct dentry *, umode_t, + + extern long vfs_ioctl(struct file *file, unsigned int cmd, unsigned long arg); + ++#ifdef CONFIG_COMPAT ++extern long compat_ptr_ioctl(struct file *file, unsigned int cmd, ++ unsigned long arg); ++#else ++#define compat_ptr_ioctl NULL ++#endif ++ + /* + * VFS file helper functions. + */ diff --git a/queue-5.4/media-venus-remove-invalid-compat_ioctl32-handler.patch b/queue-5.4/media-venus-remove-invalid-compat_ioctl32-handler.patch new file mode 100644 index 00000000000..1d6c7cbe3b2 --- /dev/null +++ b/queue-5.4/media-venus-remove-invalid-compat_ioctl32-handler.patch @@ -0,0 +1,54 @@ +From 4adc0423de92cf850d1ef5c0e7cb28fd7a38219e Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Wed, 6 Nov 2019 10:06:54 +0100 +Subject: media: venus: remove invalid compat_ioctl32 handler + +From: Arnd Bergmann + +commit 4adc0423de92cf850d1ef5c0e7cb28fd7a38219e upstream. + +v4l2_compat_ioctl32() is the function that calls into +v4l2_file_operations->compat_ioctl32(), so setting that back to the same +function leads to a trivial endless loop, followed by a kernel +stack overrun. + +Remove the incorrect assignment. + +Cc: stable@vger.kernel.org +Fixes: 7472c1c69138 ("[media] media: venus: vdec: add video decoder files") +Fixes: aaaa93eda64b ("[media] media: venus: venc: add video encoder files") +Signed-off-by: Arnd Bergmann +Acked-by: Stanimir Varbanov +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/platform/qcom/venus/vdec.c | 3 --- + drivers/media/platform/qcom/venus/venc.c | 3 --- + 2 files changed, 6 deletions(-) + +--- a/drivers/media/platform/qcom/venus/vdec.c ++++ b/drivers/media/platform/qcom/venus/vdec.c +@@ -1412,9 +1412,6 @@ static const struct v4l2_file_operations + .unlocked_ioctl = video_ioctl2, + .poll = v4l2_m2m_fop_poll, + .mmap = v4l2_m2m_fop_mmap, +-#ifdef CONFIG_COMPAT +- .compat_ioctl32 = v4l2_compat_ioctl32, +-#endif + }; + + static int vdec_probe(struct platform_device *pdev) +--- a/drivers/media/platform/qcom/venus/venc.c ++++ b/drivers/media/platform/qcom/venus/venc.c +@@ -1235,9 +1235,6 @@ static const struct v4l2_file_operations + .unlocked_ioctl = video_ioctl2, + .poll = v4l2_m2m_fop_poll, + .mmap = v4l2_m2m_fop_mmap, +-#ifdef CONFIG_COMPAT +- .compat_ioctl32 = v4l2_compat_ioctl32, +-#endif + }; + + static int venc_probe(struct platform_device *pdev) diff --git a/queue-5.4/nvme-namepace-identification-descriptor-list-is-optional.patch b/queue-5.4/nvme-namepace-identification-descriptor-list-is-optional.patch new file mode 100644 index 00000000000..470b40b98d9 --- /dev/null +++ b/queue-5.4/nvme-namepace-identification-descriptor-list-is-optional.patch @@ -0,0 +1,42 @@ +From 22802bf742c25b1e2473c70b3b99da98af65ef4d Mon Sep 17 00:00:00 2001 +From: Keith Busch +Date: Tue, 3 Dec 2019 00:44:59 +0900 +Subject: nvme: Namepace identification descriptor list is optional + +From: Keith Busch + +commit 22802bf742c25b1e2473c70b3b99da98af65ef4d upstream. + +Despite NVM Express specification 1.3 requires a controller claiming to +be 1.3 or higher implement Identify CNS 03h (Namespace Identification +Descriptor list), the driver doesn't really need this identification in +order to use a namespace. The code had already documented in comments +that we're not to consider an error to this command. + +Return success if the controller provided any response to an +namespace identification descriptors command. + +Fixes: 538af88ea7d9de24 ("nvme: make nvme_report_ns_ids propagate error back") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=205679 +Reported-by: Ingo Brunberg +Cc: Sagi Grimberg +Cc: stable@vger.kernel.org # 5.4+ +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/nvme/host/core.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -1727,6 +1727,8 @@ static int nvme_report_ns_ids(struct nvm + if (ret) + dev_warn(ctrl->device, + "Identify Descriptors failed (%d)\n", ret); ++ if (ret > 0) ++ ret = 0; + } + return ret; + } diff --git a/queue-5.4/revert-nvme-add-quirk-for-kingston-nvme-ssd-running-fw-e8fk11.t.patch b/queue-5.4/revert-nvme-add-quirk-for-kingston-nvme-ssd-running-fw-e8fk11.t.patch new file mode 100644 index 00000000000..10b2dc4915a --- /dev/null +++ b/queue-5.4/revert-nvme-add-quirk-for-kingston-nvme-ssd-running-fw-e8fk11.t.patch @@ -0,0 +1,46 @@ +From 655e7aee1f0398602627a485f7dca6c29cc96cae Mon Sep 17 00:00:00 2001 +From: Jian-Hong Pan +Date: Thu, 31 Oct 2019 17:34:09 +0800 +Subject: Revert "nvme: Add quirk for Kingston NVME SSD running FW E8FK11.T" + +From: Jian-Hong Pan + +commit 655e7aee1f0398602627a485f7dca6c29cc96cae upstream. + +Since e045fa29e893 ("PCI/MSI: Fix incorrect MSI-X masking on resume") is +merged, we can revert the previous quirk now. + +This reverts commit 19ea025e1d28c629b369c3532a85b3df478cc5c6. + +Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=204887 +Fixes: 19ea025e1d28 ("nvme: Add quirk for Kingston NVME SSD running FW E8FK11.T") +Link: https://lore.kernel.org/r/20191031093408.9322-1-jian-hong@endlessm.com +Signed-off-by: Jian-Hong Pan +Signed-off-by: Bjorn Helgaas +Acked-by: Christoph Hellwig +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/nvme/host/core.c | 10 ---------- + 1 file changed, 10 deletions(-) + +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -2406,16 +2406,6 @@ static const struct nvme_core_quirk_entr + .vid = 0x14a4, + .fr = "22301111", + .quirks = NVME_QUIRK_SIMPLE_SUSPEND, +- }, +- { +- /* +- * This Kingston E8FK11.T firmware version has no interrupt +- * after resume with actions related to suspend to idle +- * https://bugzilla.kernel.org/show_bug.cgi?id=204887 +- */ +- .vid = 0x2646, +- .fr = "E8FK11.T", +- .quirks = NVME_QUIRK_SIMPLE_SUSPEND, + } + }; + diff --git a/queue-5.4/scsi-lpfc-fix-bad-ndlp-ptr-in-xri-aborted-handling.patch b/queue-5.4/scsi-lpfc-fix-bad-ndlp-ptr-in-xri-aborted-handling.patch new file mode 100644 index 00000000000..cc0621890dc --- /dev/null +++ b/queue-5.4/scsi-lpfc-fix-bad-ndlp-ptr-in-xri-aborted-handling.patch @@ -0,0 +1,121 @@ +From 324e1c402069e8d277d2a2b18ce40bde1265b96a Mon Sep 17 00:00:00 2001 +From: James Smart +Date: Fri, 18 Oct 2019 14:18:21 -0700 +Subject: scsi: lpfc: Fix bad ndlp ptr in xri aborted handling + +From: James Smart + +commit 324e1c402069e8d277d2a2b18ce40bde1265b96a upstream. + +In cases where I/O may be aborted, such as driver unload or link bounces, +the system will crash based on a bad ndlp pointer. + +Example: + RIP: 0010:lpfc_sli4_abts_err_handler+0x15/0x140 [lpfc] + ... + lpfc_sli4_io_xri_aborted+0x20d/0x270 [lpfc] + lpfc_sli4_sp_handle_abort_xri_wcqe.isra.54+0x84/0x170 [lpfc] + lpfc_sli4_fp_handle_cqe+0xc2/0x480 [lpfc] + __lpfc_sli4_process_cq+0xc6/0x230 [lpfc] + __lpfc_sli4_hba_process_cq+0x29/0xc0 [lpfc] + process_one_work+0x14c/0x390 + +Crash was caused by a bad ndlp address passed to I/O indicated by the XRI +aborted CQE. The address was not NULL so the routine deferenced the ndlp +ptr. The bad ndlp also caused the lpfc_sli4_io_xri_aborted to call an +erroneous io handler. Root cause for the bad ndlp was an lpfc_ncmd that +was aborted, put on the abort_io list, completed, taken off the abort_io +list, sent to lpfc_release_nvme_buf where it was put back on the abort_io +list because the lpfc_ncmd->flags setting LPFC_SBUF_XBUSY was not cleared +on the final completion. + +Rework the exchange busy handling to ensure the flags are properly set for +both scsi and nvme. + +Fixes: c490850a0947 ("scsi: lpfc: Adapt partitioned XRI lists to efficient sharing") +Cc: # v5.1+ +Link: https://lore.kernel.org/r/20191018211832.7917-6-jsmart2021@gmail.com +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/lpfc/lpfc_scsi.c | 11 +++++++---- + drivers/scsi/lpfc/lpfc_sli.c | 5 ++++- + drivers/scsi/lpfc/lpfc_sli.h | 3 +-- + 3 files changed, 12 insertions(+), 7 deletions(-) + +--- a/drivers/scsi/lpfc/lpfc_scsi.c ++++ b/drivers/scsi/lpfc/lpfc_scsi.c +@@ -526,7 +526,7 @@ lpfc_sli4_io_xri_aborted(struct lpfc_hba + &qp->lpfc_abts_io_buf_list, list) { + if (psb->cur_iocbq.sli4_xritag == xri) { + list_del_init(&psb->list); +- psb->exch_busy = 0; ++ psb->flags &= ~LPFC_SBUF_XBUSY; + psb->status = IOSTAT_SUCCESS; + if (psb->cur_iocbq.iocb_flag == LPFC_IO_NVME) { + qp->abts_nvme_io_bufs--; +@@ -566,7 +566,7 @@ lpfc_sli4_io_xri_aborted(struct lpfc_hba + if (iocbq->sli4_xritag != xri) + continue; + psb = container_of(iocbq, struct lpfc_io_buf, cur_iocbq); +- psb->exch_busy = 0; ++ psb->flags &= ~LPFC_SBUF_XBUSY; + spin_unlock_irqrestore(&phba->hbalock, iflag); + if (!list_empty(&pring->txq)) + lpfc_worker_wake_up(phba); +@@ -786,7 +786,7 @@ lpfc_release_scsi_buf_s4(struct lpfc_hba + psb->prot_seg_cnt = 0; + + qp = psb->hdwq; +- if (psb->exch_busy) { ++ if (psb->flags & LPFC_SBUF_XBUSY) { + spin_lock_irqsave(&qp->abts_io_buf_list_lock, iflag); + psb->pCmd = NULL; + list_add_tail(&psb->list, &qp->lpfc_abts_io_buf_list); +@@ -3835,7 +3835,10 @@ lpfc_scsi_cmd_iocb_cmpl(struct lpfc_hba + lpfc_cmd->result = (pIocbOut->iocb.un.ulpWord[4] & IOERR_PARAM_MASK); + lpfc_cmd->status = pIocbOut->iocb.ulpStatus; + /* pick up SLI4 exhange busy status from HBA */ +- lpfc_cmd->exch_busy = pIocbOut->iocb_flag & LPFC_EXCHANGE_BUSY; ++ if (pIocbOut->iocb_flag & LPFC_EXCHANGE_BUSY) ++ lpfc_cmd->flags |= LPFC_SBUF_XBUSY; ++ else ++ lpfc_cmd->flags &= ~LPFC_SBUF_XBUSY; + + #ifdef CONFIG_SCSI_LPFC_DEBUG_FS + if (lpfc_cmd->prot_data_type) { +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -11736,7 +11736,10 @@ lpfc_sli_wake_iocb_wait(struct lpfc_hba + !(cmdiocbq->iocb_flag & LPFC_IO_LIBDFC)) { + lpfc_cmd = container_of(cmdiocbq, struct lpfc_io_buf, + cur_iocbq); +- lpfc_cmd->exch_busy = rspiocbq->iocb_flag & LPFC_EXCHANGE_BUSY; ++ if (rspiocbq && (rspiocbq->iocb_flag & LPFC_EXCHANGE_BUSY)) ++ lpfc_cmd->flags |= LPFC_SBUF_XBUSY; ++ else ++ lpfc_cmd->flags &= ~LPFC_SBUF_XBUSY; + } + + pdone_q = cmdiocbq->context_un.wait_queue; +--- a/drivers/scsi/lpfc/lpfc_sli.h ++++ b/drivers/scsi/lpfc/lpfc_sli.h +@@ -384,14 +384,13 @@ struct lpfc_io_buf { + + struct lpfc_nodelist *ndlp; + uint32_t timeout; +- uint16_t flags; /* TBD convert exch_busy to flags */ ++ uint16_t flags; + #define LPFC_SBUF_XBUSY 0x1 /* SLI4 hba reported XB on WCQE cmpl */ + #define LPFC_SBUF_BUMP_QDEPTH 0x2 /* bumped queue depth counter */ + /* External DIF device IO conversions */ + #define LPFC_SBUF_NORMAL_DIF 0x4 /* normal mode to insert/strip */ + #define LPFC_SBUF_PASS_DIF 0x8 /* insert/strip mode to passthru */ + #define LPFC_SBUF_NOT_POSTED 0x10 /* SGL failed post to FW. */ +- uint16_t exch_busy; /* SLI4 hba reported XB on complete WCQE */ + uint16_t status; /* From IOCB Word 7- ulpStatus */ + uint32_t result; /* From IOCB Word 4. */ + diff --git a/queue-5.4/scsi-qla2xxx-do-command-completion-on-abort-timeout.patch b/queue-5.4/scsi-qla2xxx-do-command-completion-on-abort-timeout.patch new file mode 100644 index 00000000000..375c59597f8 --- /dev/null +++ b/queue-5.4/scsi-qla2xxx-do-command-completion-on-abort-timeout.patch @@ -0,0 +1,80 @@ +From 71c80b75ce8f08c0978ce9a9816b81b5c3ce5e12 Mon Sep 17 00:00:00 2001 +From: Quinn Tran +Date: Tue, 5 Nov 2019 07:06:51 -0800 +Subject: scsi: qla2xxx: Do command completion on abort timeout + +From: Quinn Tran + +commit 71c80b75ce8f08c0978ce9a9816b81b5c3ce5e12 upstream. + +On switch, fabric and mgt command timeout, driver send Abort to tell FW to +return the original command. If abort is timeout, then return both Abort +and original command for cleanup. + +Fixes: 219d27d7147e0 ("scsi: qla2xxx: Fix race conditions in the code for aborting SCSI commands") +Cc: stable@vger.kernel.org # 5.2 +Link: https://lore.kernel.org/r/20191105150657.8092-3-hmadhani@marvell.com +Reviewed-by: Ewan D. Milne +Signed-off-by: Quinn Tran +Signed-off-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_def.h | 1 + + drivers/scsi/qla2xxx/qla_init.c | 18 ++++++++++++++++++ + 2 files changed, 19 insertions(+) + +--- a/drivers/scsi/qla2xxx/qla_def.h ++++ b/drivers/scsi/qla2xxx/qla_def.h +@@ -604,6 +604,7 @@ typedef struct srb { + const char *name; + int iocbs; + struct qla_qpair *qpair; ++ struct srb *cmd_sp; + struct list_head elem; + u32 gen1; /* scratch */ + u32 gen2; /* scratch */ +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -101,8 +101,22 @@ static void qla24xx_abort_iocb_timeout(v + u32 handle; + unsigned long flags; + ++ if (sp->cmd_sp) ++ ql_dbg(ql_dbg_async, sp->vha, 0x507c, ++ "Abort timeout - cmd hdl=%x, cmd type=%x hdl=%x, type=%x\n", ++ sp->cmd_sp->handle, sp->cmd_sp->type, ++ sp->handle, sp->type); ++ else ++ ql_dbg(ql_dbg_async, sp->vha, 0x507c, ++ "Abort timeout 2 - hdl=%x, type=%x\n", ++ sp->handle, sp->type); ++ + spin_lock_irqsave(qpair->qp_lock_ptr, flags); + for (handle = 1; handle < qpair->req->num_outstanding_cmds; handle++) { ++ if (sp->cmd_sp && (qpair->req->outstanding_cmds[handle] == ++ sp->cmd_sp)) ++ qpair->req->outstanding_cmds[handle] = NULL; ++ + /* removing the abort */ + if (qpair->req->outstanding_cmds[handle] == sp) { + qpair->req->outstanding_cmds[handle] = NULL; +@@ -111,6 +125,9 @@ static void qla24xx_abort_iocb_timeout(v + } + spin_unlock_irqrestore(qpair->qp_lock_ptr, flags); + ++ if (sp->cmd_sp) ++ sp->cmd_sp->done(sp->cmd_sp, QLA_OS_TIMER_EXPIRED); ++ + abt->u.abt.comp_status = CS_TIMEOUT; + sp->done(sp, QLA_OS_TIMER_EXPIRED); + } +@@ -142,6 +159,7 @@ static int qla24xx_async_abort_cmd(srb_t + sp->type = SRB_ABT_CMD; + sp->name = "abort"; + sp->qpair = cmd_sp->qpair; ++ sp->cmd_sp = cmd_sp; + if (wait) + sp->flags = SRB_WAKEUP_ON_COMP; + diff --git a/queue-5.4/scsi-qla2xxx-fix-double-scsi_done-for-abort-path.patch b/queue-5.4/scsi-qla2xxx-fix-double-scsi_done-for-abort-path.patch new file mode 100644 index 00000000000..64cdeaffdbd --- /dev/null +++ b/queue-5.4/scsi-qla2xxx-fix-double-scsi_done-for-abort-path.patch @@ -0,0 +1,324 @@ +From f45bca8c5052e8c59bab64ee90c44441678b9a52 Mon Sep 17 00:00:00 2001 +From: Quinn Tran +Date: Tue, 5 Nov 2019 07:06:54 -0800 +Subject: scsi: qla2xxx: Fix double scsi_done for abort path + +From: Quinn Tran + +commit f45bca8c5052e8c59bab64ee90c44441678b9a52 upstream. + +Current code assumes abort will remove the original command from the active +list where scsi_done will not be called. Instead, the eh_abort thread will +do the scsi_done. That is not the case. Instead, we have a double +scsi_done calls triggering use after free. + +Abort will tell FW to release the command from FW possesion. The original +command will return to ULP with error in its normal fashion via scsi_done. +eh_abort path would wait for the original command completion before +returning. eh_abort path will not perform the scsi_done call. + +Fixes: 219d27d7147e0 ("scsi: qla2xxx: Fix race conditions in the code for aborting SCSI commands") +Cc: stable@vger.kernel.org # 5.2 +Link: https://lore.kernel.org/r/20191105150657.8092-6-hmadhani@marvell.com +Reviewed-by: Ewan D. Milne +Signed-off-by: Quinn Tran +Signed-off-by: Arun Easi +Signed-off-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_def.h | 5 + + drivers/scsi/qla2xxx/qla_isr.c | 5 + + drivers/scsi/qla2xxx/qla_nvme.c | 4 - + drivers/scsi/qla2xxx/qla_os.c | 117 ++++++++++++++++++++-------------------- + 4 files changed, 72 insertions(+), 59 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_def.h ++++ b/drivers/scsi/qla2xxx/qla_def.h +@@ -591,13 +591,16 @@ typedef struct srb { + */ + uint8_t cmd_type; + uint8_t pad[3]; +- atomic_t ref_count; + struct kref cmd_kref; /* need to migrate ref_count over to this */ + void *priv; + wait_queue_head_t nvme_ls_waitq; + struct fc_port *fcport; + struct scsi_qla_host *vha; + unsigned int start_timer:1; ++ unsigned int abort:1; ++ unsigned int aborted:1; ++ unsigned int completed:1; ++ + uint32_t handle; + uint16_t flags; + uint16_t type; +--- a/drivers/scsi/qla2xxx/qla_isr.c ++++ b/drivers/scsi/qla2xxx/qla_isr.c +@@ -2466,6 +2466,11 @@ qla2x00_status_entry(scsi_qla_host_t *vh + return; + } + ++ if (sp->abort) ++ sp->aborted = 1; ++ else ++ sp->completed = 1; ++ + if (sp->cmd_type != TYPE_SRB) { + req->outstanding_cmds[handle] = NULL; + ql_dbg(ql_dbg_io, vha, 0x3015, +--- a/drivers/scsi/qla2xxx/qla_nvme.c ++++ b/drivers/scsi/qla2xxx/qla_nvme.c +@@ -224,8 +224,8 @@ static void qla_nvme_abort_work(struct w + + if (ha->flags.host_shutting_down) { + ql_log(ql_log_info, sp->fcport->vha, 0xffff, +- "%s Calling done on sp: %p, type: 0x%x, sp->ref_count: 0x%x\n", +- __func__, sp, sp->type, atomic_read(&sp->ref_count)); ++ "%s Calling done on sp: %p, type: 0x%x\n", ++ __func__, sp, sp->type); + sp->done(sp, 0); + goto out; + } +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -698,11 +698,6 @@ void qla2x00_sp_compl(srb_t *sp, int res + struct scsi_cmnd *cmd = GET_CMD_SP(sp); + struct completion *comp = sp->comp; + +- if (WARN_ON_ONCE(atomic_read(&sp->ref_count) == 0)) +- return; +- +- atomic_dec(&sp->ref_count); +- + sp->free(sp); + cmd->result = res; + CMD_SP(cmd) = NULL; +@@ -794,11 +789,6 @@ void qla2xxx_qpair_sp_compl(srb_t *sp, i + struct scsi_cmnd *cmd = GET_CMD_SP(sp); + struct completion *comp = sp->comp; + +- if (WARN_ON_ONCE(atomic_read(&sp->ref_count) == 0)) +- return; +- +- atomic_dec(&sp->ref_count); +- + sp->free(sp); + cmd->result = res; + CMD_SP(cmd) = NULL; +@@ -903,7 +893,7 @@ qla2xxx_queuecommand(struct Scsi_Host *h + + sp->u.scmd.cmd = cmd; + sp->type = SRB_SCSI_CMD; +- atomic_set(&sp->ref_count, 1); ++ + CMD_SP(cmd) = (void *)sp; + sp->free = qla2x00_sp_free_dma; + sp->done = qla2x00_sp_compl; +@@ -985,11 +975,9 @@ qla2xxx_mqueuecommand(struct Scsi_Host * + + sp->u.scmd.cmd = cmd; + sp->type = SRB_SCSI_CMD; +- atomic_set(&sp->ref_count, 1); + CMD_SP(cmd) = (void *)sp; + sp->free = qla2xxx_qpair_sp_free_dma; + sp->done = qla2xxx_qpair_sp_compl; +- sp->qpair = qpair; + + rval = ha->isp_ops->start_scsi_mq(sp); + if (rval != QLA_SUCCESS) { +@@ -1184,16 +1172,6 @@ qla2x00_wait_for_chip_reset(scsi_qla_hos + return return_status; + } + +-static int +-sp_get(struct srb *sp) +-{ +- if (!refcount_inc_not_zero((refcount_t *)&sp->ref_count)) +- /* kref get fail */ +- return ENXIO; +- else +- return 0; +-} +- + #define ISP_REG_DISCONNECT 0xffffffffU + /************************************************************************** + * qla2x00_isp_reg_stat +@@ -1249,6 +1227,9 @@ qla2xxx_eh_abort(struct scsi_cmnd *cmd) + uint64_t lun; + int rval; + struct qla_hw_data *ha = vha->hw; ++ uint32_t ratov_j; ++ struct qla_qpair *qpair; ++ unsigned long flags; + + if (qla2x00_isp_reg_stat(ha)) { + ql_log(ql_log_info, vha, 0x8042, +@@ -1261,13 +1242,26 @@ qla2xxx_eh_abort(struct scsi_cmnd *cmd) + return ret; + + sp = scsi_cmd_priv(cmd); ++ qpair = sp->qpair; + +- if (sp->fcport && sp->fcport->deleted) ++ if ((sp->fcport && sp->fcport->deleted) || !qpair) + return SUCCESS; + +- /* Return if the command has already finished. */ +- if (sp_get(sp)) ++ spin_lock_irqsave(qpair->qp_lock_ptr, flags); ++ if (sp->completed) { ++ spin_unlock_irqrestore(qpair->qp_lock_ptr, flags); + return SUCCESS; ++ } ++ ++ if (sp->abort || sp->aborted) { ++ spin_unlock_irqrestore(qpair->qp_lock_ptr, flags); ++ return FAILED; ++ } ++ ++ sp->abort = 1; ++ sp->comp = ∁ ++ spin_unlock_irqrestore(qpair->qp_lock_ptr, flags); ++ + + id = cmd->device->id; + lun = cmd->device->lun; +@@ -1276,47 +1270,37 @@ qla2xxx_eh_abort(struct scsi_cmnd *cmd) + "Aborting from RISC nexus=%ld:%d:%llu sp=%p cmd=%p handle=%x\n", + vha->host_no, id, lun, sp, cmd, sp->handle); + ++ /* ++ * Abort will release the original Command/sp from FW. Let the ++ * original command call scsi_done. In return, he will wakeup ++ * this sleeping thread. ++ */ + rval = ha->isp_ops->abort_command(sp); ++ + ql_dbg(ql_dbg_taskm, vha, 0x8003, + "Abort command mbx cmd=%p, rval=%x.\n", cmd, rval); + ++ /* Wait for the command completion. */ ++ ratov_j = ha->r_a_tov/10 * 4 * 1000; ++ ratov_j = msecs_to_jiffies(ratov_j); + switch (rval) { + case QLA_SUCCESS: +- /* +- * The command has been aborted. That means that the firmware +- * won't report a completion. +- */ +- sp->done(sp, DID_ABORT << 16); +- ret = SUCCESS; +- break; +- case QLA_FUNCTION_PARAMETER_ERROR: { +- /* Wait for the command completion. */ +- uint32_t ratov = ha->r_a_tov/10; +- uint32_t ratov_j = msecs_to_jiffies(4 * ratov * 1000); +- +- WARN_ON_ONCE(sp->comp); +- sp->comp = ∁ + if (!wait_for_completion_timeout(&comp, ratov_j)) { + ql_dbg(ql_dbg_taskm, vha, 0xffff, + "%s: Abort wait timer (4 * R_A_TOV[%d]) expired\n", +- __func__, ha->r_a_tov); ++ __func__, ha->r_a_tov/10); + ret = FAILED; + } else { + ret = SUCCESS; + } + break; +- } + default: +- /* +- * Either abort failed or abort and completion raced. Let +- * the SCSI core retry the abort in the former case. +- */ + ret = FAILED; + break; + } + + sp->comp = NULL; +- atomic_dec(&sp->ref_count); ++ + ql_log(ql_log_info, vha, 0x801c, + "Abort command issued nexus=%ld:%d:%llu -- %x.\n", + vha->host_no, id, lun, ret); +@@ -1708,32 +1692,53 @@ static void qla2x00_abort_srb(struct qla + scsi_qla_host_t *vha = qp->vha; + struct qla_hw_data *ha = vha->hw; + int rval; ++ bool ret_cmd; ++ uint32_t ratov_j; + +- if (sp_get(sp)) ++ if (qla2x00_chip_is_down(vha)) { ++ sp->done(sp, res); + return; ++ } + + if (sp->type == SRB_NVME_CMD || sp->type == SRB_NVME_LS || + (sp->type == SRB_SCSI_CMD && !ha->flags.eeh_busy && + !test_bit(ABORT_ISP_ACTIVE, &vha->dpc_flags) && + !qla2x00_isp_reg_stat(ha))) { ++ if (sp->comp) { ++ sp->done(sp, res); ++ return; ++ } ++ + sp->comp = ∁ ++ sp->abort = 1; + spin_unlock_irqrestore(qp->qp_lock_ptr, *flags); +- rval = ha->isp_ops->abort_command(sp); + ++ rval = ha->isp_ops->abort_command(sp); ++ /* Wait for command completion. */ ++ ret_cmd = false; ++ ratov_j = ha->r_a_tov/10 * 4 * 1000; ++ ratov_j = msecs_to_jiffies(ratov_j); + switch (rval) { + case QLA_SUCCESS: +- sp->done(sp, res); ++ if (wait_for_completion_timeout(&comp, ratov_j)) { ++ ql_dbg(ql_dbg_taskm, vha, 0xffff, ++ "%s: Abort wait timer (4 * R_A_TOV[%d]) expired\n", ++ __func__, ha->r_a_tov/10); ++ ret_cmd = true; ++ } ++ /* else FW return SP to driver */ + break; +- case QLA_FUNCTION_PARAMETER_ERROR: +- wait_for_completion(&comp); ++ default: ++ ret_cmd = true; + break; + } + + spin_lock_irqsave(qp->qp_lock_ptr, *flags); +- sp->comp = NULL; ++ if (ret_cmd && (!sp->completed || !sp->aborted)) ++ sp->done(sp, res); ++ } else { ++ sp->done(sp, res); + } +- +- atomic_dec(&sp->ref_count); + } + + static void +@@ -1755,7 +1760,6 @@ __qla2x00_abort_all_cmds(struct qla_qpai + for (cnt = 1; cnt < req->num_outstanding_cmds; cnt++) { + sp = req->outstanding_cmds[cnt]; + if (sp) { +- req->outstanding_cmds[cnt] = NULL; + switch (sp->cmd_type) { + case TYPE_SRB: + qla2x00_abort_srb(qp, sp, res, &flags); +@@ -1777,6 +1781,7 @@ __qla2x00_abort_all_cmds(struct qla_qpai + default: + break; + } ++ req->outstanding_cmds[cnt] = NULL; + } + } + spin_unlock_irqrestore(qp->qp_lock_ptr, flags); diff --git a/queue-5.4/scsi-qla2xxx-fix-driver-unload-hang.patch b/queue-5.4/scsi-qla2xxx-fix-driver-unload-hang.patch new file mode 100644 index 00000000000..ba9f2b77d13 --- /dev/null +++ b/queue-5.4/scsi-qla2xxx-fix-driver-unload-hang.patch @@ -0,0 +1,35 @@ +From dd322b7f3efc8cda085bb60eadc4aee6324eadd8 Mon Sep 17 00:00:00 2001 +From: Quinn Tran +Date: Tue, 5 Nov 2019 07:06:53 -0800 +Subject: scsi: qla2xxx: Fix driver unload hang + +From: Quinn Tran + +commit dd322b7f3efc8cda085bb60eadc4aee6324eadd8 upstream. + +This patch fixes driver unload hang by removing msleep() + +Fixes: d74595278f4ab ("scsi: qla2xxx: Add multiple queue pair functionality.") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20191105150657.8092-5-hmadhani@marvell.com +Reviewed-by: Ewan D. Milne +Signed-off-by: Quinn Tran +Signed-off-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_init.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -9021,8 +9021,6 @@ int qla2xxx_delete_qpair(struct scsi_qla + struct qla_hw_data *ha = qpair->hw; + + qpair->delete_in_progress = 1; +- while (atomic_read(&qpair->ref_count)) +- msleep(500); + + ret = qla25xx_delete_req_que(vha, qpair->req); + if (ret != QLA_SUCCESS) diff --git a/queue-5.4/scsi-qla2xxx-fix-memory-leak-when-sending-i-o-fails.patch b/queue-5.4/scsi-qla2xxx-fix-memory-leak-when-sending-i-o-fails.patch new file mode 100644 index 00000000000..9507d3b2935 --- /dev/null +++ b/queue-5.4/scsi-qla2xxx-fix-memory-leak-when-sending-i-o-fails.patch @@ -0,0 +1,45 @@ +From 2f856d4e8c23f5ad5221f8da4a2f22d090627f19 Mon Sep 17 00:00:00 2001 +From: Arun Easi +Date: Tue, 5 Nov 2019 07:06:55 -0800 +Subject: scsi: qla2xxx: Fix memory leak when sending I/O fails + +From: Arun Easi + +commit 2f856d4e8c23f5ad5221f8da4a2f22d090627f19 upstream. + +On heavy loads, a memory leak of the srb_t structure is observed. This +would make the qla2xxx_srbs cache gobble up memory. + +Fixes: 219d27d7147e0 ("scsi: qla2xxx: Fix race conditions in the code for aborting SCSI commands") +Cc: stable@vger.kernel.org # 5.2 +Link: https://lore.kernel.org/r/20191105150657.8092-7-hmadhani@marvell.com +Reviewed-by: Ewan D. Milne +Signed-off-by: Arun Easi +Signed-off-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_os.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -909,6 +909,8 @@ qla2xxx_queuecommand(struct Scsi_Host *h + + qc24_host_busy_free_sp: + sp->free(sp); ++ CMD_SP(cmd) = NULL; ++ qla2x00_rel_sp(sp); + + qc24_target_busy: + return SCSI_MLQUEUE_TARGET_BUSY; +@@ -992,6 +994,8 @@ qla2xxx_mqueuecommand(struct Scsi_Host * + + qc24_host_busy_free_sp: + sp->free(sp); ++ CMD_SP(cmd) = NULL; ++ qla2xxx_rel_qpair_sp(sp->qpair, sp); + + qc24_target_busy: + return SCSI_MLQUEUE_TARGET_BUSY; diff --git a/queue-5.4/scsi-zfcp-trace-channel-log-even-for-fcp-command-responses.patch b/queue-5.4/scsi-zfcp-trace-channel-log-even-for-fcp-command-responses.patch new file mode 100644 index 00000000000..7eec3236f9e --- /dev/null +++ b/queue-5.4/scsi-zfcp-trace-channel-log-even-for-fcp-command-responses.patch @@ -0,0 +1,46 @@ +From 100843f176109af94600e500da0428e21030ca7f Mon Sep 17 00:00:00 2001 +From: Steffen Maier +Date: Fri, 25 Oct 2019 18:12:53 +0200 +Subject: scsi: zfcp: trace channel log even for FCP command responses + +From: Steffen Maier + +commit 100843f176109af94600e500da0428e21030ca7f upstream. + +While v2.6.26 commit b75db73159cc ("[SCSI] zfcp: Add qtcb dump to hba debug +trace") is right that we don't want to flood the (payload) trace ring +buffer, we don't trace successful FCP command responses by default. So we +can include the channel log for problem determination with failed responses +of any FSF request type. + +Fixes: b75db73159cc ("[SCSI] zfcp: Add qtcb dump to hba debug trace") +Fixes: a54ca0f62f95 ("[SCSI] zfcp: Redesign of the debug tracing for HBA records.") +Cc: #2.6.38+ +Link: https://lore.kernel.org/r/e37597b5c4ae123aaa85fd86c23a9f71e994e4a9.1572018132.git.bblock@linux.ibm.com +Reviewed-by: Benjamin Block +Signed-off-by: Steffen Maier +Signed-off-by: Benjamin Block +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/s390/scsi/zfcp_dbf.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/drivers/s390/scsi/zfcp_dbf.c ++++ b/drivers/s390/scsi/zfcp_dbf.c +@@ -95,11 +95,9 @@ void zfcp_dbf_hba_fsf_res(char *tag, int + memcpy(rec->u.res.fsf_status_qual, &q_head->fsf_status_qual, + FSF_STATUS_QUALIFIER_SIZE); + +- if (q_head->fsf_command != FSF_QTCB_FCP_CMND) { +- rec->pl_len = q_head->log_length; +- zfcp_dbf_pl_write(dbf, (char *)q_pref + q_head->log_start, +- rec->pl_len, "fsf_res", req->req_id); +- } ++ rec->pl_len = q_head->log_length; ++ zfcp_dbf_pl_write(dbf, (char *)q_pref + q_head->log_start, ++ rec->pl_len, "fsf_res", req->req_id); + + debug_event(dbf->hba, level, rec, sizeof(*rec)); + spin_unlock_irqrestore(&dbf->hba_lock, flags); diff --git a/queue-5.4/series b/queue-5.4/series index 9b04749e51f..1ed1599cb27 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -1,2 +1,13 @@ usb-gadget-configfs-fix-missing-spin_lock_init.patch usb-gadget-pch_udc-fix-use-after-free.patch +nvme-namepace-identification-descriptor-list-is-optional.patch +revert-nvme-add-quirk-for-kingston-nvme-ssd-running-fw-e8fk11.t.patch +scsi-lpfc-fix-bad-ndlp-ptr-in-xri-aborted-handling.patch +scsi-zfcp-trace-channel-log-even-for-fcp-command-responses.patch +scsi-qla2xxx-do-command-completion-on-abort-timeout.patch +scsi-qla2xxx-fix-driver-unload-hang.patch +scsi-qla2xxx-fix-double-scsi_done-for-abort-path.patch +scsi-qla2xxx-fix-memory-leak-when-sending-i-o-fails.patch +compat_ioctl-add-compat_ptr_ioctl.patch +ceph-fix-compat_ioctl-for-ceph_dir_operations.patch +media-venus-remove-invalid-compat_ioctl32-handler.patch