From: Greg Kroah-Hartman Date: Mon, 19 Mar 2018 17:10:08 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.15.12~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5e602f319c5e43831de240f3fa6d5d88a7ac4950;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: scsi-qla2xxx-fix-crashes-in-qla2x00_probe_one-on-probe-failure.patch scsi-qla2xxx-fix-logo-flag-for-qlt_free_session_done.patch scsi-qla2xxx-fix-null-pointer-access-for-fcport-structure.patch scsi-qla2xxx-fix-smatch-warning-in-qla25xx_delete_-rsp-req-_que.patch usb-dwc3-fix-gdbgfifospace_type-values.patch usb-gadget-udc-add-missing-platform_device_put-on-error-in-bdc_pci_probe.patch --- diff --git a/queue-4.14/scsi-qla2xxx-fix-crashes-in-qla2x00_probe_one-on-probe-failure.patch b/queue-4.14/scsi-qla2xxx-fix-crashes-in-qla2x00_probe_one-on-probe-failure.patch new file mode 100644 index 00000000000..3cfa4573b42 --- /dev/null +++ b/queue-4.14/scsi-qla2xxx-fix-crashes-in-qla2x00_probe_one-on-probe-failure.patch @@ -0,0 +1,163 @@ +From 6a2cf8d3663e13e19af636c2a8d92e766261dc45 Mon Sep 17 00:00:00 2001 +From: Bill Kuzeja +Date: Mon, 5 Mar 2018 00:02:55 -0500 +Subject: scsi: qla2xxx: Fix crashes in qla2x00_probe_one on probe failure + +From: Bill Kuzeja + +commit 6a2cf8d3663e13e19af636c2a8d92e766261dc45 upstream. + +Because of the shifting around of code in qla2x00_probe_one recently, +failures during adapter initialization can lead to problems, i.e. NULL +pointer crashes and doubly freed data structures which cause eventual +panics. + +This V2 version makes the relevant memory free routines idempotent, so +repeat calls won't cause any harm. I also removed the problematic +probe_init_failed exit point as it is not needed. + +Fixes: d64d6c5671db ("scsi: qla2xxx: Fix NULL pointer crash due to probe failure") +Signed-off-by: Bill Kuzeja +Acked-by: Himanshu Madhani +Reviewed-by: Hannes Reinecke +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_os.c | 59 ++++++++++++++++++++++++++---------------- + 1 file changed, 37 insertions(+), 22 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -442,7 +442,7 @@ static int qla2x00_alloc_queues(struct q + ha->req_q_map[0] = req; + set_bit(0, ha->rsp_qid_map); + set_bit(0, ha->req_qid_map); +- return 1; ++ return 0; + + fail_qpair_map: + kfree(ha->base_qpair); +@@ -459,6 +459,9 @@ fail_req_map: + + static void qla2x00_free_req_que(struct qla_hw_data *ha, struct req_que *req) + { ++ if (!ha->req_q_map) ++ return; ++ + if (IS_QLAFX00(ha)) { + if (req && req->ring_fx00) + dma_free_coherent(&ha->pdev->dev, +@@ -469,14 +472,17 @@ static void qla2x00_free_req_que(struct + (req->length + 1) * sizeof(request_t), + req->ring, req->dma); + +- if (req) ++ if (req) { + kfree(req->outstanding_cmds); +- +- kfree(req); ++ kfree(req); ++ } + } + + static void qla2x00_free_rsp_que(struct qla_hw_data *ha, struct rsp_que *rsp) + { ++ if (!ha->rsp_q_map) ++ return; ++ + if (IS_QLAFX00(ha)) { + if (rsp && rsp->ring) + dma_free_coherent(&ha->pdev->dev, +@@ -487,7 +493,8 @@ static void qla2x00_free_rsp_que(struct + (rsp->length + 1) * sizeof(response_t), + rsp->ring, rsp->dma); + } +- kfree(rsp); ++ if (rsp) ++ kfree(rsp); + } + + static void qla2x00_free_queues(struct qla_hw_data *ha) +@@ -1710,6 +1717,8 @@ qla2x00_abort_all_cmds(scsi_qla_host_t * + struct qla_tgt_cmd *cmd; + uint8_t trace = 0; + ++ if (!ha->req_q_map) ++ return; + spin_lock_irqsave(&ha->hardware_lock, flags); + for (que = 0; que < ha->max_req_queues; que++) { + req = ha->req_q_map[que]; +@@ -3063,14 +3072,14 @@ qla2x00_probe_one(struct pci_dev *pdev, + /* Set up the irqs */ + ret = qla2x00_request_irqs(ha, rsp); + if (ret) +- goto probe_hw_failed; ++ goto probe_failed; + + /* Alloc arrays of request and response ring ptrs */ +- if (!qla2x00_alloc_queues(ha, req, rsp)) { ++ if (qla2x00_alloc_queues(ha, req, rsp)) { + ql_log(ql_log_fatal, base_vha, 0x003d, + "Failed to allocate memory for queue pointers..." + "aborting.\n"); +- goto probe_init_failed; ++ goto probe_failed; + } + + if (ha->mqenable && shost_use_blk_mq(host)) { +@@ -3347,15 +3356,6 @@ skip_dpc: + + return 0; + +-probe_init_failed: +- qla2x00_free_req_que(ha, req); +- ha->req_q_map[0] = NULL; +- clear_bit(0, ha->req_qid_map); +- qla2x00_free_rsp_que(ha, rsp); +- ha->rsp_q_map[0] = NULL; +- clear_bit(0, ha->rsp_qid_map); +- ha->max_req_queues = ha->max_rsp_queues = 0; +- + probe_failed: + if (base_vha->timer_active) + qla2x00_stop_timer(base_vha); +@@ -4435,11 +4435,17 @@ qla2x00_mem_free(struct qla_hw_data *ha) + if (ha->init_cb) + dma_free_coherent(&ha->pdev->dev, ha->init_cb_size, + ha->init_cb, ha->init_cb_dma); +- vfree(ha->optrom_buffer); +- kfree(ha->nvram); +- kfree(ha->npiv_info); +- kfree(ha->swl); +- kfree(ha->loop_id_map); ++ ++ if (ha->optrom_buffer) ++ vfree(ha->optrom_buffer); ++ if (ha->nvram) ++ kfree(ha->nvram); ++ if (ha->npiv_info) ++ kfree(ha->npiv_info); ++ if (ha->swl) ++ kfree(ha->swl); ++ if (ha->loop_id_map) ++ kfree(ha->loop_id_map); + + ha->srb_mempool = NULL; + ha->ctx_mempool = NULL; +@@ -4455,6 +4461,15 @@ qla2x00_mem_free(struct qla_hw_data *ha) + ha->ex_init_cb_dma = 0; + ha->async_pd = NULL; + ha->async_pd_dma = 0; ++ ha->loop_id_map = NULL; ++ ha->npiv_info = NULL; ++ ha->optrom_buffer = NULL; ++ ha->swl = NULL; ++ ha->nvram = NULL; ++ ha->mctp_dump = NULL; ++ ha->dcbx_tlv = NULL; ++ ha->xgmac_data = NULL; ++ ha->sfp_data = NULL; + + ha->s_dma_pool = NULL; + ha->dl_dma_pool = NULL; diff --git a/queue-4.14/scsi-qla2xxx-fix-logo-flag-for-qlt_free_session_done.patch b/queue-4.14/scsi-qla2xxx-fix-logo-flag-for-qlt_free_session_done.patch new file mode 100644 index 00000000000..a9738c4bcf0 --- /dev/null +++ b/queue-4.14/scsi-qla2xxx-fix-logo-flag-for-qlt_free_session_done.patch @@ -0,0 +1,37 @@ +From a2390348c19d0819d525d375414a7cfdacb51a68 Mon Sep 17 00:00:00 2001 +From: Himanshu Madhani +Date: Mon, 22 Jan 2018 12:04:20 -0800 +Subject: scsi: qla2xxx: Fix logo flag for qlt_free_session_done() + +From: Himanshu Madhani + +commit a2390348c19d0819d525d375414a7cfdacb51a68 upstream. + +Commit 3515832cc614 ("scsi: qla2xxx: Reset the logo flag, after target +re-login.")fixed the target re-login after session relogin is complete, +but missed out the qlt_free_session_done() path. + +This patch clears send_els_logo flag in qlt_free_session_done() +callback. + +[mkp: checkpatch] + +Fixes: 3515832cc614 ("scsi: qla2xxx: Reset the logo flag, after target re-login.") +Signed-off-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_target.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/scsi/qla2xxx/qla_target.c ++++ b/drivers/scsi/qla2xxx/qla_target.c +@@ -971,6 +971,7 @@ static void qlt_free_session_done(struct + + logo.id = sess->d_id; + logo.cmd_count = 0; ++ sess->send_els_logo = 0; + qlt_send_first_logo(vha, &logo); + } + diff --git a/queue-4.14/scsi-qla2xxx-fix-null-pointer-access-for-fcport-structure.patch b/queue-4.14/scsi-qla2xxx-fix-null-pointer-access-for-fcport-structure.patch new file mode 100644 index 00000000000..5f28e1f20c7 --- /dev/null +++ b/queue-4.14/scsi-qla2xxx-fix-null-pointer-access-for-fcport-structure.patch @@ -0,0 +1,46 @@ +From 5c25d451163cab9be80744cbc5448d6b95ab8d1a Mon Sep 17 00:00:00 2001 +From: Quinn Tran +Date: Thu, 28 Dec 2017 12:33:09 -0800 +Subject: scsi: qla2xxx: Fix NULL pointer access for fcport structure + +From: Quinn Tran + +commit 5c25d451163cab9be80744cbc5448d6b95ab8d1a upstream. + +when processing iocb in a timeout case, driver was trying to log messages +without verifying if the fcport structure could have valid data. This +results in a NULL pointer access. + +Fixes: 726b85487067("qla2xxx: Add framework for async fabric discovery") +Signed-off-by: Quinn Tran +Signed-off-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_init.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -102,11 +102,16 @@ qla2x00_async_iocb_timeout(void *data) + struct srb_iocb *lio = &sp->u.iocb_cmd; + struct event_arg ea; + +- ql_dbg(ql_dbg_disc, fcport->vha, 0x2071, +- "Async-%s timeout - hdl=%x portid=%06x %8phC.\n", +- sp->name, sp->handle, fcport->d_id.b24, fcport->port_name); ++ if (fcport) { ++ ql_dbg(ql_dbg_disc, fcport->vha, 0x2071, ++ "Async-%s timeout - hdl=%x portid=%06x %8phC.\n", ++ sp->name, sp->handle, fcport->d_id.b24, fcport->port_name); + +- fcport->flags &= ~FCF_ASYNC_SENT; ++ fcport->flags &= ~FCF_ASYNC_SENT; ++ } else { ++ pr_info("Async-%s timeout - hdl=%x.\n", ++ sp->name, sp->handle); ++ } + + switch (sp->type) { + case SRB_LOGIN_CMD: diff --git a/queue-4.14/scsi-qla2xxx-fix-smatch-warning-in-qla25xx_delete_-rsp-req-_que.patch b/queue-4.14/scsi-qla2xxx-fix-smatch-warning-in-qla25xx_delete_-rsp-req-_que.patch new file mode 100644 index 00000000000..e72b116a55b --- /dev/null +++ b/queue-4.14/scsi-qla2xxx-fix-smatch-warning-in-qla25xx_delete_-rsp-req-_que.patch @@ -0,0 +1,51 @@ +From 62aa281470fdb7c0796d63a1cc918a8c1f02dde2 Mon Sep 17 00:00:00 2001 +From: Himanshu Madhani +Date: Sat, 16 Dec 2017 16:05:09 -0800 +Subject: scsi: qla2xxx: Fix smatch warning in qla25xx_delete_{rsp|req}_que + +From: Himanshu Madhani + +commit 62aa281470fdb7c0796d63a1cc918a8c1f02dde2 upstream. + +This patch fixes following warnings reported by smatch: + +drivers/scsi/qla2xxx/qla_mid.c:586 qla25xx_delete_req_que() +error: we previously assumed 'req' could be null (see line 580) + +drivers/scsi/qla2xxx/qla_mid.c:602 qla25xx_delete_rsp_que() +error: we previously assumed 'rsp' could be null (see line 596) + +Fixes: 7867b98dceb7 ("scsi: qla2xxx: Fix memory leak in dual/target mode") +Reported-by: Dan Carpenter +Signed-off-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_mid.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_mid.c ++++ b/drivers/scsi/qla2xxx/qla_mid.c +@@ -582,8 +582,9 @@ qla25xx_delete_req_que(struct scsi_qla_h + ret = qla25xx_init_req_que(vha, req); + if (ret != QLA_SUCCESS) + return QLA_FUNCTION_FAILED; ++ ++ qla25xx_free_req_que(vha, req); + } +- qla25xx_free_req_que(vha, req); + + return ret; + } +@@ -598,8 +599,9 @@ qla25xx_delete_rsp_que(struct scsi_qla_h + ret = qla25xx_init_rsp_que(vha, rsp); + if (ret != QLA_SUCCESS) + return QLA_FUNCTION_FAILED; ++ ++ qla25xx_free_rsp_que(vha, rsp); + } +- qla25xx_free_rsp_que(vha, rsp); + + return ret; + } diff --git a/queue-4.14/series b/queue-4.14/series index 3694e4bacbf..3d542ebd377 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -33,3 +33,9 @@ btrfs-alloc_chunk-fix-dup-stripe-size-handling.patch btrfs-fix-use-after-free-when-cleaning-up-fs_devs-with-a-single-stale-device.patch btrfs-remove-spurious-warn_on-ref-count-0-in-find_parent_nodes.patch btrfs-fix-memory-barriers-usage-with-device-stats-counters.patch +scsi-qla2xxx-fix-smatch-warning-in-qla25xx_delete_-rsp-req-_que.patch +scsi-qla2xxx-fix-null-pointer-access-for-fcport-structure.patch +scsi-qla2xxx-fix-logo-flag-for-qlt_free_session_done.patch +scsi-qla2xxx-fix-crashes-in-qla2x00_probe_one-on-probe-failure.patch +usb-gadget-udc-add-missing-platform_device_put-on-error-in-bdc_pci_probe.patch +usb-dwc3-fix-gdbgfifospace_type-values.patch diff --git a/queue-4.14/usb-dwc3-fix-gdbgfifospace_type-values.patch b/queue-4.14/usb-dwc3-fix-gdbgfifospace_type-values.patch new file mode 100644 index 00000000000..ab0f96d696b --- /dev/null +++ b/queue-4.14/usb-dwc3-fix-gdbgfifospace_type-values.patch @@ -0,0 +1,48 @@ +From b16ea8b9492e99e03b1269fe93ebdbf8e4eabf8a Mon Sep 17 00:00:00 2001 +From: Thinh Nguyen +Date: Fri, 2 Feb 2018 13:21:35 -0800 +Subject: usb: dwc3: Fix GDBGFIFOSPACE_TYPE values + +From: Thinh Nguyen + +commit b16ea8b9492e99e03b1269fe93ebdbf8e4eabf8a upstream. + +The FIFO/Queue type values are incorrect. Correct them according to +DWC_usb3 programming guide section 1.2.27 (or DWC_usb31 section 1.2.25). + +Additionally, this patch includes ProtocolStatusQ and AuxEventQ types. + +Fixes: cf6d867d3b57 ("usb: dwc3: core: add fifo space helper") +Signed-off-by: Thinh Nguyen +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc3/core.h | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +--- a/drivers/usb/dwc3/core.h ++++ b/drivers/usb/dwc3/core.h +@@ -166,13 +166,15 @@ + #define DWC3_GDBGFIFOSPACE_TYPE(n) (((n) << 5) & 0x1e0) + #define DWC3_GDBGFIFOSPACE_SPACE_AVAILABLE(n) (((n) >> 16) & 0xffff) + +-#define DWC3_TXFIFOQ 1 +-#define DWC3_RXFIFOQ 3 +-#define DWC3_TXREQQ 5 +-#define DWC3_RXREQQ 7 +-#define DWC3_RXINFOQ 9 +-#define DWC3_DESCFETCHQ 13 +-#define DWC3_EVENTQ 15 ++#define DWC3_TXFIFOQ 0 ++#define DWC3_RXFIFOQ 1 ++#define DWC3_TXREQQ 2 ++#define DWC3_RXREQQ 3 ++#define DWC3_RXINFOQ 4 ++#define DWC3_PSTATQ 5 ++#define DWC3_DESCFETCHQ 6 ++#define DWC3_EVENTQ 7 ++#define DWC3_AUXEVENTQ 8 + + /* Global RX Threshold Configuration Register */ + #define DWC3_GRXTHRCFG_MAXRXBURSTSIZE(n) (((n) & 0x1f) << 19) diff --git a/queue-4.14/usb-gadget-udc-add-missing-platform_device_put-on-error-in-bdc_pci_probe.patch b/queue-4.14/usb-gadget-udc-add-missing-platform_device_put-on-error-in-bdc_pci_probe.patch new file mode 100644 index 00000000000..ff48129c36a --- /dev/null +++ b/queue-4.14/usb-gadget-udc-add-missing-platform_device_put-on-error-in-bdc_pci_probe.patch @@ -0,0 +1,31 @@ +From 8874ae5f15f3feef3b4a415b9aed51edcf449aa1 Mon Sep 17 00:00:00 2001 +From: Wei Yongjun +Date: Tue, 23 Jan 2018 09:35:14 +0000 +Subject: USB: gadget: udc: Add missing platform_device_put() on error in bdc_pci_probe() + +From: Wei Yongjun + +commit 8874ae5f15f3feef3b4a415b9aed51edcf449aa1 upstream. + +Add the missing platform_device_put() before return from bdc_pci_probe() +in the platform_device_add_resources() error handling case. + +Fixes: efed421a94e6 ("usb: gadget: Add UDC driver for Broadcom USB3.0 device controller IP BDC") +Signed-off-by: Wei Yongjun +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/udc/bdc/bdc_pci.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/gadget/udc/bdc/bdc_pci.c ++++ b/drivers/usb/gadget/udc/bdc/bdc_pci.c +@@ -82,6 +82,7 @@ static int bdc_pci_probe(struct pci_dev + if (ret) { + dev_err(&pci->dev, + "couldn't add resources to bdc device\n"); ++ platform_device_put(bdc); + return ret; + } +