From: Greg Kroah-Hartman Date: Tue, 28 Jan 2020 08:52:32 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.4.212~15 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=262739bad97a47c7ea0cc1f041c9e32940481cc5;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: coresight-etb10-do-not-call-smp_processor_id-from-preemptible.patch coresight-tmc-etf-do-not-call-smp_processor_id-from-preemptible.patch libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch media-v4l2-ioctl.c-zero-reserved-fields-for-s-try_fmt.patch scsi-iscsi-avoid-potential-deadlock-in-iscsi_if_rx-func.patch sd-fix-req_op_zone_report-completion-handling.patch --- diff --git a/queue-4.14/coresight-etb10-do-not-call-smp_processor_id-from-preemptible.patch b/queue-4.14/coresight-etb10-do-not-call-smp_processor_id-from-preemptible.patch new file mode 100644 index 00000000000..71e1dfc358a --- /dev/null +++ b/queue-4.14/coresight-etb10-do-not-call-smp_processor_id-from-preemptible.patch 
@@ -0,0 +1,45 @@ +From 730766bae3280a25d40ea76a53dc6342e84e6513 Mon Sep 17 00:00:00 2001 +From: Suzuki K Poulose +Date: Thu, 20 Jun 2019 16:12:36 -0600 +Subject: coresight: etb10: Do not call smp_processor_id from preemptible + +From: Suzuki K Poulose + +commit 730766bae3280a25d40ea76a53dc6342e84e6513 upstream. + +During a perf session we try to allocate buffers on the "node" associated +with the CPU the event is bound to. If it is not bound to a CPU, we +use the current CPU node, using smp_processor_id(). However this is unsafe +in a pre-emptible context and could generate the splats as below : + + BUG: using smp_processor_id() in preemptible [00000000] code: perf/2544 + +Use NUMA_NO_NODE hint instead of using the current node for events +not bound to CPUs. + +Fixes: 2997aa4063d97fdb39 ("coresight: etb10: implementing AUX API") +Cc: Mathieu Poirier +Signed-off-by: Suzuki K Poulose +Cc: stable # 4.6+ +Signed-off-by: Mathieu Poirier +Link: https://lore.kernel.org/r/20190620221237.3536-5-mathieu.poirier@linaro.org +Signed-off-by: Greg Kroah-Hartman + + +--- + drivers/hwtracing/coresight/coresight-etb10.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/hwtracing/coresight/coresight-etb10.c ++++ b/drivers/hwtracing/coresight/coresight-etb10.c +@@ -287,9 +287,7 @@ static void *etb_alloc_buffer(struct cor + int node; + struct cs_buffers *buf; + +- if (cpu == -1) +- cpu = smp_processor_id(); +- node = cpu_to_node(cpu); ++ node = (cpu == -1) ? NUMA_NO_NODE : cpu_to_node(cpu); + + buf = kzalloc_node(sizeof(struct cs_buffers), GFP_KERNEL, node); + if (!buf) diff --git a/queue-4.14/coresight-tmc-etf-do-not-call-smp_processor_id-from-preemptible.patch b/queue-4.14/coresight-tmc-etf-do-not-call-smp_processor_id-from-preemptible.patch new file mode 100644 index 00000000000..4e41f4d1650 --- /dev/null +++ b/queue-4.14/coresight-tmc-etf-do-not-call-smp_processor_id-from-preemptible.patch 
@@ -0,0 +1,63 @@ +From 024c1fd9dbcc1d8a847f1311f999d35783921b7f Mon Sep 17 00:00:00 2001 +From: Suzuki K Poulose +Date: Thu, 20 Jun 2019 16:12:35 -0600 +Subject: coresight: tmc-etf: Do not call smp_processor_id from preemptible + +From: Suzuki K Poulose + +commit 024c1fd9dbcc1d8a847f1311f999d35783921b7f upstream. + +During a perf session we try to allocate buffers on the "node" associated +with the CPU the event is bound to. If it is not bound to a CPU, we +use the current CPU node, using smp_processor_id(). However this is unsafe +in a pre-emptible context and could generate the splats as below : + + BUG: using smp_processor_id() in preemptible [00000000] code: perf/2544 + caller is tmc_alloc_etf_buffer+0x5c/0x60 + CPU: 2 PID: 2544 Comm: perf Not tainted 5.1.0-rc6-147786-g116841e #344 + Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform, BIOS EDK II Feb 1 2019 + Call trace: + dump_backtrace+0x0/0x150 + show_stack+0x14/0x20 + dump_stack+0x9c/0xc4 + debug_smp_processor_id+0x10c/0x110 + tmc_alloc_etf_buffer+0x5c/0x60 + etm_setup_aux+0x1c4/0x230 + rb_alloc_aux+0x1b8/0x2b8 + perf_mmap+0x35c/0x478 + mmap_region+0x34c/0x4f0 + do_mmap+0x2d8/0x418 + vm_mmap_pgoff+0xd0/0xf8 + ksys_mmap_pgoff+0x88/0xf8 + __arm64_sys_mmap+0x28/0x38 + el0_svc_handler+0xd8/0x138 + el0_svc+0x8/0xc + +Use NUMA_NO_NODE hint instead of using the current node for events +not bound to CPUs. 
+ +Fixes: 2e499bbc1a929ac ("coresight: tmc: implementing TMC-ETF AUX space API") +Cc: Mathieu Poirier +Signed-off-by: Suzuki K Poulose +Cc: stable # 4.7+ +Signed-off-by: Mathieu Poirier +Link: https://lore.kernel.org/r/20190620221237.3536-4-mathieu.poirier@linaro.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/coresight/coresight-tmc-etf.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/hwtracing/coresight/coresight-tmc-etf.c ++++ b/drivers/hwtracing/coresight/coresight-tmc-etf.c +@@ -308,9 +308,7 @@ static void *tmc_alloc_etf_buffer(struct + int node; + struct cs_buffers *buf; + +- if (cpu == -1) +- cpu = smp_processor_id(); +- node = cpu_to_node(cpu); ++ node = (cpu == -1) ? NUMA_NO_NODE : cpu_to_node(cpu); + + /* Allocate memory structure for interaction with Perf */ + buf = kzalloc_node(sizeof(struct cs_buffers), GFP_KERNEL, node); diff --git a/queue-4.14/libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch b/queue-4.14/libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch new file mode 100644 index 00000000000..cfbff5ef665 --- /dev/null +++ b/queue-4.14/libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch 
@@ -0,0 +1,68 @@ +From e5e884b42639c74b5b57dc277909915c0aefc8bb Mon Sep 17 00:00:00 2001 +From: Wen Huang +Date: Thu, 28 Nov 2019 18:51:04 +0800 +Subject: libertas: Fix two buffer overflows at parsing bss descriptor + +From: Wen Huang + +commit e5e884b42639c74b5b57dc277909915c0aefc8bb upstream. + +add_ie_rates() copys rates without checking the length +in bss descriptor from remote AP.when victim connects to +remote attacker, this may trigger buffer overflow. +lbs_ibss_join_existing() copys rates without checking the length +in bss descriptor from remote IBSS node.when victim connects to +remote attacker, this may trigger buffer overflow. +Fix them by putting the length check before performing copy. + +This fix addresses CVE-2019-14896 and CVE-2019-14897. +This also fix build warning of mixed declarations and code. + +Reported-by: kbuild test robot +Signed-off-by: Wen Huang +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/marvell/libertas/cfg.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/marvell/libertas/cfg.c ++++ b/drivers/net/wireless/marvell/libertas/cfg.c +@@ -273,6 +273,10 @@ add_ie_rates(u8 *tlv, const u8 *ie, int + int hw, ap, ap_max = ie[1]; + u8 hw_rate; + ++ if (ap_max > MAX_RATES) { ++ lbs_deb_assoc("invalid rates\n"); ++ return tlv; ++ } + /* Advance past IE header */ + ie += 2; + +@@ -1720,6 +1724,9 @@ static int lbs_ibss_join_existing(struct + struct cmd_ds_802_11_ad_hoc_join cmd; + u8 preamble = RADIO_PREAMBLE_SHORT; + int ret = 0; ++ int hw, i; ++ u8 rates_max; ++ u8 *rates; + + /* TODO: set preamble based on scan result */ + ret = lbs_set_radio(priv, preamble, 1); +@@ -1778,9 +1785,12 @@ static int lbs_ibss_join_existing(struct + if (!rates_eid) { + lbs_add_rates(cmd.bss.rates); + } else { +- int hw, i; +- u8 rates_max = rates_eid[1]; +- u8 *rates = cmd.bss.rates; ++ rates_max = rates_eid[1]; ++ if (rates_max > MAX_RATES) { ++ 
lbs_deb_join("invalid rates"); ++ goto out; ++ } ++ rates = cmd.bss.rates; + for (hw = 0; hw < ARRAY_SIZE(lbs_rates); hw++) { + u8 hw_rate = lbs_rates[hw].bitrate / 5; + for (i = 0; i < rates_max; i++) { diff --git a/queue-4.14/media-v4l2-ioctl.c-zero-reserved-fields-for-s-try_fmt.patch b/queue-4.14/media-v4l2-ioctl.c-zero-reserved-fields-for-s-try_fmt.patch new file mode 100644 index 00000000000..01e432ef7bd --- /dev/null +++ b/queue-4.14/media-v4l2-ioctl.c-zero-reserved-fields-for-s-try_fmt.patch 
@@ -0,0 +1,108 @@ +From ee8951e56c0f960b9621636603a822811cef3158 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Sun, 10 Nov 2019 07:27:04 +0100 +Subject: media: v4l2-ioctl.c: zero reserved fields for S/TRY_FMT + +From: Hans Verkuil + +commit ee8951e56c0f960b9621636603a822811cef3158 upstream. + +v4l2_vbi_format, v4l2_sliced_vbi_format and v4l2_sdr_format +have a reserved array at the end that should be zeroed by drivers +as per the V4L2 spec. Older drivers often do not do this, so just +handle this in the core. + +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/v4l2-core/v4l2-ioctl.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +--- a/drivers/media/v4l2-core/v4l2-ioctl.c ++++ b/drivers/media/v4l2-core/v4l2-ioctl.c +@@ -1496,12 +1496,12 @@ static int v4l_s_fmt(const struct v4l2_i + case V4L2_BUF_TYPE_VBI_CAPTURE: + if (unlikely(!ops->vidioc_s_fmt_vbi_cap)) + break; +- CLEAR_AFTER_FIELD(p, fmt.vbi); ++ CLEAR_AFTER_FIELD(p, fmt.vbi.flags); + return ops->vidioc_s_fmt_vbi_cap(file, fh, arg); + case V4L2_BUF_TYPE_SLICED_VBI_CAPTURE: + if (unlikely(!ops->vidioc_s_fmt_sliced_vbi_cap)) + break; +- CLEAR_AFTER_FIELD(p, fmt.sliced); ++ CLEAR_AFTER_FIELD(p, fmt.sliced.io_size); + return ops->vidioc_s_fmt_sliced_vbi_cap(file, fh, arg); + case V4L2_BUF_TYPE_VIDEO_OUTPUT: + if (unlikely(!ops->vidioc_s_fmt_vid_out)) +@@ -1524,22 +1524,22 @@ static int v4l_s_fmt(const struct v4l2_i + case V4L2_BUF_TYPE_VBI_OUTPUT: + if (unlikely(!ops->vidioc_s_fmt_vbi_out)) + break; +- CLEAR_AFTER_FIELD(p, fmt.vbi); ++ CLEAR_AFTER_FIELD(p, fmt.vbi.flags); + return ops->vidioc_s_fmt_vbi_out(file, fh, arg); + case V4L2_BUF_TYPE_SLICED_VBI_OUTPUT: + if (unlikely(!ops->vidioc_s_fmt_sliced_vbi_out)) + break; +- CLEAR_AFTER_FIELD(p, fmt.sliced); ++ CLEAR_AFTER_FIELD(p, fmt.sliced.io_size); + return ops->vidioc_s_fmt_sliced_vbi_out(file, fh, arg); + case V4L2_BUF_TYPE_SDR_CAPTURE: + if 
(unlikely(!ops->vidioc_s_fmt_sdr_cap)) + break; +- CLEAR_AFTER_FIELD(p, fmt.sdr); ++ CLEAR_AFTER_FIELD(p, fmt.sdr.buffersize); + return ops->vidioc_s_fmt_sdr_cap(file, fh, arg); + case V4L2_BUF_TYPE_SDR_OUTPUT: + if (unlikely(!ops->vidioc_s_fmt_sdr_out)) + break; +- CLEAR_AFTER_FIELD(p, fmt.sdr); ++ CLEAR_AFTER_FIELD(p, fmt.sdr.buffersize); + return ops->vidioc_s_fmt_sdr_out(file, fh, arg); + case V4L2_BUF_TYPE_META_CAPTURE: + if (unlikely(!ops->vidioc_s_fmt_meta_cap)) +@@ -1583,12 +1583,12 @@ static int v4l_try_fmt(const struct v4l2 + case V4L2_BUF_TYPE_VBI_CAPTURE: + if (unlikely(!ops->vidioc_try_fmt_vbi_cap)) + break; +- CLEAR_AFTER_FIELD(p, fmt.vbi); ++ CLEAR_AFTER_FIELD(p, fmt.vbi.flags); + return ops->vidioc_try_fmt_vbi_cap(file, fh, arg); + case V4L2_BUF_TYPE_SLICED_VBI_CAPTURE: + if (unlikely(!ops->vidioc_try_fmt_sliced_vbi_cap)) + break; +- CLEAR_AFTER_FIELD(p, fmt.sliced); ++ CLEAR_AFTER_FIELD(p, fmt.sliced.io_size); + return ops->vidioc_try_fmt_sliced_vbi_cap(file, fh, arg); + case V4L2_BUF_TYPE_VIDEO_OUTPUT: + if (unlikely(!ops->vidioc_try_fmt_vid_out)) +@@ -1611,22 +1611,22 @@ static int v4l_try_fmt(const struct v4l2 + case V4L2_BUF_TYPE_VBI_OUTPUT: + if (unlikely(!ops->vidioc_try_fmt_vbi_out)) + break; +- CLEAR_AFTER_FIELD(p, fmt.vbi); ++ CLEAR_AFTER_FIELD(p, fmt.vbi.flags); + return ops->vidioc_try_fmt_vbi_out(file, fh, arg); + case V4L2_BUF_TYPE_SLICED_VBI_OUTPUT: + if (unlikely(!ops->vidioc_try_fmt_sliced_vbi_out)) + break; +- CLEAR_AFTER_FIELD(p, fmt.sliced); ++ CLEAR_AFTER_FIELD(p, fmt.sliced.io_size); + return ops->vidioc_try_fmt_sliced_vbi_out(file, fh, arg); + case V4L2_BUF_TYPE_SDR_CAPTURE: + if (unlikely(!ops->vidioc_try_fmt_sdr_cap)) + break; +- CLEAR_AFTER_FIELD(p, fmt.sdr); ++ CLEAR_AFTER_FIELD(p, fmt.sdr.buffersize); + return ops->vidioc_try_fmt_sdr_cap(file, fh, arg); + case V4L2_BUF_TYPE_SDR_OUTPUT: + if (unlikely(!ops->vidioc_try_fmt_sdr_out)) + break; +- CLEAR_AFTER_FIELD(p, fmt.sdr); ++ CLEAR_AFTER_FIELD(p, fmt.sdr.buffersize); + 
return ops->vidioc_try_fmt_sdr_out(file, fh, arg); + case V4L2_BUF_TYPE_META_CAPTURE: + if (unlikely(!ops->vidioc_try_fmt_meta_cap)) diff --git a/queue-4.14/scsi-iscsi-avoid-potential-deadlock-in-iscsi_if_rx-func.patch b/queue-4.14/scsi-iscsi-avoid-potential-deadlock-in-iscsi_if_rx-func.patch new file mode 100644 index 00000000000..02187c6296a --- /dev/null +++ b/queue-4.14/scsi-iscsi-avoid-potential-deadlock-in-iscsi_if_rx-func.patch 
@@ -0,0 +1,109 @@ +From bba340c79bfe3644829db5c852fdfa9e33837d6d Mon Sep 17 00:00:00 2001 +From: Bo Wu +Date: Wed, 20 Nov 2019 13:26:17 +0000 +Subject: scsi: iscsi: Avoid potential deadlock in iscsi_if_rx func + +From: Bo Wu + +commit bba340c79bfe3644829db5c852fdfa9e33837d6d upstream. + +In iscsi_if_rx func, after receiving one request through +iscsi_if_recv_msg func, iscsi_if_send_reply will be called to try to +reply to the request in a do-while loop. If the iscsi_if_send_reply +function keeps returning -EAGAIN, a deadlock will occur. + +For example, a client only send msg without calling recvmsg func, then +it will result in the watchdog soft lockup. The details are given as +follows: + + sock_fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ISCSI); + retval = bind(sock_fd, (struct sock addr*) & src_addr, sizeof(src_addr); + while (1) { + state_msg = sendmsg(sock_fd, &msg, 0); + //Note: recvmsg(sock_fd, &msg, 0) is not processed here. + } + close(sock_fd); + +watchdog: BUG: soft lockup - CPU#7 stuck for 22s! 
[netlink_test:253305] Sample time: 4000897528 ns(HZ: 250) Sample stat: +curr: user: 675503481560, nice: 321724050, sys: 448689506750, idle: 4654054240530, iowait: 40885550700, irq: 14161174020, softirq: 8104324140, st: 0 +deta: user: 0, nice: 0, sys: 3998210100, idle: 0, iowait: 0, irq: 1547170, softirq: 242870, st: 0 Sample softirq: + TIMER: 992 + SCHED: 8 +Sample irqstat: + irq 2: delta 1003, curr: 3103802, arch_timer +CPU: 7 PID: 253305 Comm: netlink_test Kdump: loaded Tainted: G OE +Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 +pstate: 40400005 (nZcv daif +PAN -UAO) +pc : __alloc_skb+0x104/0x1b0 +lr : __alloc_skb+0x9c/0x1b0 +sp : ffff000033603a30 +x29: ffff000033603a30 x28: 00000000000002dd +x27: ffff800b34ced810 x26: ffff800ba7569f00 +x25: 00000000ffffffff x24: 0000000000000000 +x23: ffff800f7c43f600 x22: 0000000000480020 +x21: ffff0000091d9000 x20: ffff800b34eff200 +x19: ffff800ba7569f00 x18: 0000000000000000 +x17: 0000000000000000 x16: 0000000000000000 +x15: 0000000000000000 x14: 0001000101000100 +x13: 0000000101010000 x12: 0101000001010100 +x11: 0001010101010001 x10: 00000000000002dd +x9 : ffff000033603d58 x8 : ffff800b34eff400 +x7 : ffff800ba7569200 x6 : ffff800b34eff400 +x5 : 0000000000000000 x4 : 00000000ffffffff +x3 : 0000000000000000 x2 : 0000000000000001 +x1 : ffff800b34eff2c0 x0 : 0000000000000300 Call trace: +__alloc_skb+0x104/0x1b0 +iscsi_if_rx+0x144/0x12bc [scsi_transport_iscsi] +netlink_unicast+0x1e0/0x258 +netlink_sendmsg+0x310/0x378 +sock_sendmsg+0x4c/0x70 +sock_write_iter+0x90/0xf0 +__vfs_write+0x11c/0x190 +vfs_write+0xac/0x1c0 +ksys_write+0x6c/0xd8 +__arm64_sys_write+0x24/0x30 +el0_svc_common+0x78/0x130 +el0_svc_handler+0x38/0x78 +el0_svc+0x8/0xc + +Link: https://lore.kernel.org/r/EDBAAA0BBBA2AC4E9C8B6B81DEEE1D6915E3D4D2@dggeml505-mbx.china.huawei.com +Signed-off-by: Bo Wu +Reviewed-by: Zhiqiang Liu +Reviewed-by: Lee Duncan +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/scsi_transport_iscsi.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -37,6 +37,8 @@ + + #define ISCSI_TRANSPORT_VERSION "2.0-870" + ++#define ISCSI_SEND_MAX_ALLOWED 10 ++ + static int dbg_session; + module_param_named(debug_session, dbg_session, int, + S_IRUGO | S_IWUSR); +@@ -3680,6 +3682,7 @@ iscsi_if_rx(struct sk_buff *skb) + struct nlmsghdr *nlh; + struct iscsi_uevent *ev; + uint32_t group; ++ int retries = ISCSI_SEND_MAX_ALLOWED; + + nlh = nlmsg_hdr(skb); + if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) || +@@ -3710,6 +3713,10 @@ iscsi_if_rx(struct sk_buff *skb) + break; + err = iscsi_if_send_reply(portid, nlh->nlmsg_type, + ev, sizeof(*ev)); ++ if (err == -EAGAIN && --retries < 0) { ++ printk(KERN_WARNING "Send reply failed, error %d\n", err); ++ break; ++ } + } while (err < 0 && err != -ECONNREFUSED && err != -ESRCH); + skb_pull(skb, rlen); + } diff --git a/queue-4.14/sd-fix-req_op_zone_report-completion-handling.patch b/queue-4.14/sd-fix-req_op_zone_report-completion-handling.patch new file mode 100644 index 00000000000..6f5c0c06b9f --- /dev/null +++ b/queue-4.14/sd-fix-req_op_zone_report-completion-handling.patch 
@@ -0,0 +1,63 @@ +From masato.suzuki@wdc.com Tue Jan 28 09:03:58 2020 +From: Masato Suzuki +Date: Mon, 27 Jan 2020 14:07:46 +0900 +Subject: sd: Fix REQ_OP_ZONE_REPORT completion handling +To: stable@vger.kernel.org, Greg Kroah-Hartman , linux-scsi@vger.kernel.org, "Martin K . Petersen" +Cc: Damien Le Moal +Message-ID: <20200127050746.136440-1-masato.suzuki@wdc.com> + +From: Masato Suzuki + + +ZBC/ZAC report zones command may return less bytes than requested if the +number of matching zones for the report request is small. However, unlike +read or write commands, the remainder of incomplete report zones commands +cannot be automatically requested by the block layer: the start sector of +the next report cannot be known, and the report reply may not be 512B +aligned for SAS drives (a report zone reply size is always a multiple of +64B). The regular request completion code executing bio_advance() and +restart of the command remainder part currently causes invalid zone +descriptor data to be reported to the caller if the report zone size is +smaller than 512B (a case that can happen easily for a report of the last +zones of a SAS drive for example). + +Since blkdev_report_zones() handles report zone command processing in a +loop until completion (no more zones are being reported), we can safely +avoid that the block layer performs an incorrect bio_advance() call and +restart of the remainder of incomplete report zone BIOs. To do so, always +indicate a full completion of REQ_OP_ZONE_REPORT by setting good_bytes to +the request buffer size and by setting the command resid to 0. This does +not affect the post processing of the report zone reply done by +sd_zbc_complete() since the reply header indicates the number of zones +reported. + +Fixes: 89d947561077 ("sd: Implement support for ZBC devices") +Cc: # 4.19 +Cc: # 4.14 +Signed-off-by: Masato Suzuki +Reviewed-by: Damien Le Moal +Acked-by: Martin K. 
Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/sd.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -1981,9 +1981,13 @@ static int sd_done(struct scsi_cmnd *SCp + } + break; + case REQ_OP_ZONE_REPORT: ++ /* To avoid that the block layer performs an incorrect ++ * bio_advance() call and restart of the remainder of ++ * incomplete report zone BIOs, always indicate a full ++ * completion of REQ_OP_ZONE_REPORT. ++ */ + if (!result) { +- good_bytes = scsi_bufflen(SCpnt) +- - scsi_get_resid(SCpnt); ++ good_bytes = scsi_bufflen(SCpnt); + scsi_set_resid(SCpnt, 0); + } else { + good_bytes = 0; diff --git a/queue-4.14/series b/queue-4.14/series index 38ba59cb9c1..d481759c7b8 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -30,3 +30,9 @@ hwmon-nct7802-fix-voltage-limits-to-wrong-registers.patch scsi-rdma-isert-fix-a-recently-introduced-regression-related-to-logout.patch tracing-xen-ordered-comparison-of-function-pointers.patch do_last-fetch-directory-i_mode-and-i_uid-before-it-s-too-late.patch +sd-fix-req_op_zone_report-completion-handling.patch +coresight-etb10-do-not-call-smp_processor_id-from-preemptible.patch +coresight-tmc-etf-do-not-call-smp_processor_id-from-preemptible.patch +libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch +media-v4l2-ioctl.c-zero-reserved-fields-for-s-try_fmt.patch +scsi-iscsi-avoid-potential-deadlock-in-iscsi_if_rx-func.patch
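Review bot: the new line `node = (cpu == -1) ? NUMA_NO_NODE : cpu_to_node(cpu);` in etb_alloc_buffer(), and the identical line in tmc_alloc_etf_buffer(), has no comment saying why an event that is not bound to a CPU gets NUMA_NO_NODE instead of the local node. The reason (smp_processor_id() is unsafe in this preemptible path) is recorded only in the commit message, so a short comment above the assignment would help keep a later cleanup from reintroducing the call. Both drivers now carry the same expression; a small shared helper would keep the two copies from drifting apart.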
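Review bot: in the add_ie_rates() hunk of libertas/cfg.c, the `ap_max > MAX_RATES` branch returns `tlv` unchanged, which the caller cannot tell apart from a valid IE that simply added nothing. The length comes from a remote AP according to the commit message, yet the only trace of the rejection is the lbs_deb_assoc() debug message. A comment stating that an oversized rates IE yields no rates TLV would document the behaviour, and a blank line between the new check and the `/* Advance past IE header */` comment would match the surrounding layout.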
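Review bot: in the lbs_ibss_join_existing() hunk at -1778, `goto out;` is taken without assigning an error to `ret`. `ret` is initialised to 0 and no line shown here changes it on this path, so a rejected rates element can end with the join reporting success. Setting `ret = -EINVAL;` before the jump would make the failure visible to the caller. The message `"invalid rates"` also lacks the trailing `\n` that the add_ie_rates() message has. Because the jump leaves from inside the `else` branch, it is worth confirming that the `out` label releases everything held at that point in the function; the hunk does not show it.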
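Review bot: the v4l2-ioctl.c hunks change `CLEAR_AFTER_FIELD(p, fmt.vbi)` to `fmt.vbi.flags` (likewise `fmt.sliced.io_size` and `fmt.sdr.buffersize`) with no comment that these must be the last field before the reserved array in each struct. If a field is later added after `flags`, `io_size` or `buffersize`, the core would zero it silently before the driver sees it. A one-line comment at the first use in v4l_s_fmt(), or a build-time check tying each named field to the start of its reserved array, would record the assumption. The same twelve edits are repeated in v4l_s_fmt() and v4l_try_fmt(), so the comment should cover both functions.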
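Review bot: in the iscsi_if_rx() hunk at -3710, the `printk(KERN_WARNING "Send reply failed, error %d\n", err);` is not rate limited, and the commit message's own reproducer (a client that keeps calling sendmsg() without recvmsg()) reaches it once per message, so the fix trades a soft lockup for a log flood driven from user space. Using a rate-limited print would close that. Two smaller points: with `retries` starting at ISCSI_SEND_MAX_ALLOWED (10) and the test `--retries < 0`, the reply is attempted 11 times before the break, which the macro name does not suggest; and after the break the request is consumed by `skb_pull(skb, rlen)` with no reply delivered, which deserves a comment next to the new check.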
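Review bot: in the sd_done() hunk, the new comment under `case REQ_OP_ZONE_REPORT:` explains why a full completion is reported but not what follows from `good_bytes = scsi_bufflen(SCpnt);`: bytes past the end of the device's shorter reply are now counted as transferred. The commit message relies on the reply header's zone count to bound the valid data, and the comment should say so, so that anyone consuming the buffer knows not to trust its full length. The comment also starts its text on the `/*` line; the multi-line style with `/*` on its own line would match the usual layout.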