From: Greg Kroah-Hartman Date: Sun, 13 Aug 2023 20:46:49 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v4.14.323~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9d051284cb17d383dc900cecb10b4e466ccb8637;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: acpi-scan-create-platform-device-for-cs35l56.patch alpha-remove-__init-annotation-from-exported-page_is_ram.patch platform-x86-serial-multi-instantiate-auto-detect-irq-resource-for-csc3551.patch sch_netem-fix-issues-in-netem_change-vs-get_dist_table.patch scsi-53c700-check-that-command-slot-is-not-null.patch scsi-core-fix-legacy-proc-parsing-buffer-overflow.patch scsi-core-fix-possible-memory-leak-if-device_add-fails.patch scsi-fnic-replace-return-codes-in-fnic_clean_pending_aborts.patch scsi-qedf-fix-firmware-halt-over-suspend-and-resume.patch scsi-qedi-fix-firmware-halt-over-suspend-and-resume.patch scsi-snic-fix-possible-memory-leak-if-device_add-fails.patch scsi-storvsc-fix-handling-of-virtual-fibre-channel-timeouts.patch scsi-ufs-renesas-fix-private-allocation.patch --- diff --git a/queue-6.1/acpi-scan-create-platform-device-for-cs35l56.patch b/queue-6.1/acpi-scan-create-platform-device-for-cs35l56.patch new file mode 100644 index 00000000000..0e83ffff613 --- /dev/null +++ b/queue-6.1/acpi-scan-create-platform-device-for-cs35l56.patch @@ -0,0 +1,73 @@ +From 1cd0302be5645420f73090aee26fa787287e1096 Mon Sep 17 00:00:00 2001 +From: Simon Trimmer +Date: Fri, 28 Jul 2023 12:13:45 +0100 +Subject: ACPI: scan: Create platform device for CS35L56 + +From: Simon Trimmer + +commit 1cd0302be5645420f73090aee26fa787287e1096 upstream. + +The ACPI device CSC3556 is a Cirrus Logic CS35L56 mono amplifier which +is used in multiples, and can be connected either to I2C or SPI. + +There will be multiple instances under the same Device() node. Add it +to ignore_serial_bus_ids and handle it in the serial-multi-instantiate +driver. + +There can be a 5th I2cSerialBusV2, but this is an alias address and doesn't +represent a real device. Ignore this by having a dummy 5th entry in the +serial-multi-instantiate instance list with the name of a non-existent +driver, on the same pattern as done for bsg2150. + +Signed-off-by: Simon Trimmer +Signed-off-by: Richard Fitzgerald +Acked-by: Rafael J. Wysocki +Link: https://lore.kernel.org/r/20230728111345.7224-1-rf@opensource.cirrus.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/scan.c | 1 + + drivers/platform/x86/serial-multi-instantiate.c | 14 ++++++++++++++ + 2 files changed, 15 insertions(+) + +--- a/drivers/acpi/scan.c ++++ b/drivers/acpi/scan.c +@@ -1712,6 +1712,7 @@ static bool acpi_device_enumeration_by_p + {"BSG1160", }, + {"BSG2150", }, + {"CSC3551", }, ++ {"CSC3556", }, + {"INT33FE", }, + {"INT3515", }, + /* Non-conforming _HID for Cirrus Logic already released */ +--- a/drivers/platform/x86/serial-multi-instantiate.c ++++ b/drivers/platform/x86/serial-multi-instantiate.c +@@ -330,6 +330,19 @@ static const struct smi_node cs35l41_hda + .bus_type = SMI_AUTO_DETECT, + }; + ++static const struct smi_node cs35l56_hda = { ++ .instances = { ++ { "cs35l56-hda", IRQ_RESOURCE_AUTO, 0 }, ++ { "cs35l56-hda", IRQ_RESOURCE_AUTO, 0 }, ++ { "cs35l56-hda", IRQ_RESOURCE_AUTO, 0 }, ++ { "cs35l56-hda", IRQ_RESOURCE_AUTO, 0 }, ++ /* a 5th entry is an alias address, not a real device */ ++ { "cs35l56-hda_dummy_dev" }, ++ {} ++ }, ++ .bus_type = SMI_AUTO_DETECT, ++}; ++ + /* + * Note new device-ids must also be added to ignore_serial_bus_ids in + * drivers/acpi/scan.c: acpi_device_enumeration_by_parent(). +@@ -338,6 +351,7 @@ static const struct acpi_device_id smi_a + { "BSG1160", (unsigned long)&bsg1160_data }, + { "BSG2150", (unsigned long)&bsg2150_data }, + { "CSC3551", (unsigned long)&cs35l41_hda }, ++ { "CSC3556", (unsigned long)&cs35l56_hda }, + { "INT3515", (unsigned long)&int3515_data }, + /* Non-conforming _HID for Cirrus Logic already released */ + { "CLSA0100", (unsigned long)&cs35l41_hda }, diff --git a/queue-6.1/alpha-remove-__init-annotation-from-exported-page_is_ram.patch b/queue-6.1/alpha-remove-__init-annotation-from-exported-page_is_ram.patch new file mode 100644 index 00000000000..73f9cf50667 --- /dev/null +++ b/queue-6.1/alpha-remove-__init-annotation-from-exported-page_is_ram.patch @@ -0,0 +1,40 @@ +From 6ccbd7fd474674654019a20177c943359469103a Mon Sep 17 00:00:00 2001 +From: Masahiro Yamada +Date: Sat, 29 Jul 2023 16:42:23 +0900 +Subject: alpha: remove __init annotation from exported page_is_ram() + +From: Masahiro Yamada + +commit 6ccbd7fd474674654019a20177c943359469103a upstream. + +EXPORT_SYMBOL and __init is a bad combination because the .init.text +section is freed up after the initialization. + +Commit c5a130325f13 ("ACPI/APEI: Add parameter check before error +injection") exported page_is_ram(), hence the __init annotation should +be removed. + +This fixes the modpost warning in ARCH=alpha builds: + + WARNING: modpost: vmlinux: page_is_ram: EXPORT_SYMBOL used for init symbol. Remove __init or EXPORT_SYMBOL. + +Fixes: c5a130325f13 ("ACPI/APEI: Add parameter check before error injection") +Signed-off-by: Masahiro Yamada +Reviewed-by: Randy Dunlap +Signed-off-by: Greg Kroah-Hartman +--- + arch/alpha/kernel/setup.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/arch/alpha/kernel/setup.c ++++ b/arch/alpha/kernel/setup.c +@@ -385,8 +385,7 @@ setup_memory(void *kernel_end) + #endif /* CONFIG_BLK_DEV_INITRD */ + } + +-int __init +-page_is_ram(unsigned long pfn) ++int page_is_ram(unsigned long pfn) + { + struct memclust_struct * cluster; + struct memdesc_struct * memdesc; diff --git a/queue-6.1/platform-x86-serial-multi-instantiate-auto-detect-irq-resource-for-csc3551.patch b/queue-6.1/platform-x86-serial-multi-instantiate-auto-detect-irq-resource-for-csc3551.patch new file mode 100644 index 00000000000..ce20e4c87e8 --- /dev/null +++ b/queue-6.1/platform-x86-serial-multi-instantiate-auto-detect-irq-resource-for-csc3551.patch @@ -0,0 +1,77 @@ +From 676b7c5ecab36274442887ceadd6dee8248a244f Mon Sep 17 00:00:00 2001 +From: David Xu +Date: Thu, 13 Jul 2023 21:35:28 +0800 +Subject: platform/x86: serial-multi-instantiate: Auto detect IRQ resource for CSC3551 + +From: David Xu + +commit 676b7c5ecab36274442887ceadd6dee8248a244f upstream. + +The current code assumes that the CSC3551(multiple cs35l41) always have +its interrupt pin connected to GPIO thus the IRQ can be acquired with +acpi_dev_gpio_irq_get. However on some newer laptop models this is no +longer the case as they have the CSC3551's interrupt pin connected to +APIC. This causes smi_i2c_probe to fail on these machines. + +To support these machines, a new macro IRQ_RESOURCE_AUTO was introduced +for cs35l41 smi_node, and smi_get_irq function was modified so it tries +to get GPIO irq resource first and if failed, tries to get +APIC irq resource for cs35l41. + +This patch affects only the cs35l41's probing and brings no negative +influence on machines that indeed have the cs35l41's interrupt pin +connected to GPIO. + +Signed-off-by: David Xu +Link: https://lore.kernel.org/r/SY4P282MB18350CD8288687B87FFD2243E037A@SY4P282MB1835.AUSP282.PROD.OUTLOOK.COM +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/serial-multi-instantiate.c | 21 +++++++++++++++++---- + 1 file changed, 17 insertions(+), 4 deletions(-) + +--- a/drivers/platform/x86/serial-multi-instantiate.c ++++ b/drivers/platform/x86/serial-multi-instantiate.c +@@ -21,6 +21,7 @@ + #define IRQ_RESOURCE_NONE 0 + #define IRQ_RESOURCE_GPIO 1 + #define IRQ_RESOURCE_APIC 2 ++#define IRQ_RESOURCE_AUTO 3 + + enum smi_bus_type { + SMI_I2C, +@@ -52,6 +53,18 @@ static int smi_get_irq(struct platform_d + int ret; + + switch (inst->flags & IRQ_RESOURCE_TYPE) { ++ case IRQ_RESOURCE_AUTO: ++ ret = acpi_dev_gpio_irq_get(adev, inst->irq_idx); ++ if (ret > 0) { ++ dev_dbg(&pdev->dev, "Using gpio irq\n"); ++ break; ++ } ++ ret = platform_get_irq(pdev, inst->irq_idx); ++ if (ret > 0) { ++ dev_dbg(&pdev->dev, "Using platform irq\n"); ++ break; ++ } ++ break; + case IRQ_RESOURCE_GPIO: + ret = acpi_dev_gpio_irq_get(adev, inst->irq_idx); + break; +@@ -308,10 +321,10 @@ static const struct smi_node int3515_dat + + static const struct smi_node cs35l41_hda = { + .instances = { +- { "cs35l41-hda", IRQ_RESOURCE_GPIO, 0 }, +- { "cs35l41-hda", IRQ_RESOURCE_GPIO, 0 }, +- { "cs35l41-hda", IRQ_RESOURCE_GPIO, 0 }, +- { "cs35l41-hda", IRQ_RESOURCE_GPIO, 0 }, ++ { "cs35l41-hda", IRQ_RESOURCE_AUTO, 0 }, ++ { "cs35l41-hda", IRQ_RESOURCE_AUTO, 0 }, ++ { "cs35l41-hda", IRQ_RESOURCE_AUTO, 0 }, ++ { "cs35l41-hda", IRQ_RESOURCE_AUTO, 0 }, + {} + }, + .bus_type = SMI_AUTO_DETECT, diff --git a/queue-6.1/sch_netem-fix-issues-in-netem_change-vs-get_dist_table.patch b/queue-6.1/sch_netem-fix-issues-in-netem_change-vs-get_dist_table.patch new file mode 100644 index 00000000000..9455c632ca4 --- /dev/null +++ b/queue-6.1/sch_netem-fix-issues-in-netem_change-vs-get_dist_table.patch @@ -0,0 +1,148 @@ +From 11b73313c12403f617b47752db0ab3deef201af7 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 22 Jun 2023 18:15:03 +0000 +Subject: sch_netem: fix issues in netem_change() vs get_dist_table() + +From: Eric Dumazet + +commit 11b73313c12403f617b47752db0ab3deef201af7 upstream. + +In blamed commit, I missed that get_dist_table() was allocating +memory using GFP_KERNEL, and acquiring qdisc lock to perform +the swap of newly allocated table with current one. + +In this patch, get_dist_table() is allocating memory and +copy user data before we acquire the qdisc lock. + +Then we perform swap operations while being protected by the lock. + +Note that after this patch netem_change() no longer can do partial changes. +If an error is returned, qdisc conf is left unchanged. + +Fixes: 2174a08db80d ("sch_netem: acquire qdisc lock in netem_change()") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Stephen Hemminger +Acked-by: Jamal Hadi Salim +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230622181503.2327695-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Fedor Pchelkin +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_netem.c | 59 +++++++++++++++++++++----------------------------- + 1 file changed, 25 insertions(+), 34 deletions(-) + +--- a/net/sched/sch_netem.c ++++ b/net/sched/sch_netem.c +@@ -773,12 +773,10 @@ static void dist_free(struct disttable * + * signed 16 bit values. + */ + +-static int get_dist_table(struct Qdisc *sch, struct disttable **tbl, +- const struct nlattr *attr) ++static int get_dist_table(struct disttable **tbl, const struct nlattr *attr) + { + size_t n = nla_len(attr)/sizeof(__s16); + const __s16 *data = nla_data(attr); +- spinlock_t *root_lock; + struct disttable *d; + int i; + +@@ -793,13 +791,7 @@ static int get_dist_table(struct Qdisc * + for (i = 0; i < n; i++) + d->table[i] = data[i]; + +- root_lock = qdisc_root_sleeping_lock(sch); +- +- spin_lock_bh(root_lock); +- swap(*tbl, d); +- spin_unlock_bh(root_lock); +- +- dist_free(d); ++ *tbl = d; + return 0; + } + +@@ -956,6 +948,8 @@ static int netem_change(struct Qdisc *sc + { + struct netem_sched_data *q = qdisc_priv(sch); + struct nlattr *tb[TCA_NETEM_MAX + 1]; ++ struct disttable *delay_dist = NULL; ++ struct disttable *slot_dist = NULL; + struct tc_netem_qopt *qopt; + struct clgstate old_clg; + int old_loss_model = CLG_RANDOM; +@@ -966,6 +960,18 @@ static int netem_change(struct Qdisc *sc + if (ret < 0) + return ret; + ++ if (tb[TCA_NETEM_DELAY_DIST]) { ++ ret = get_dist_table(&delay_dist, tb[TCA_NETEM_DELAY_DIST]); ++ if (ret) ++ goto table_free; ++ } ++ ++ if (tb[TCA_NETEM_SLOT_DIST]) { ++ ret = get_dist_table(&slot_dist, tb[TCA_NETEM_SLOT_DIST]); ++ if (ret) ++ goto table_free; ++ } ++ + sch_tree_lock(sch); + /* backup q->clg and q->loss_model */ + old_clg = q->clg; +@@ -975,26 +981,17 @@ static int netem_change(struct Qdisc *sc + ret = get_loss_clg(q, tb[TCA_NETEM_LOSS]); + if (ret) { + q->loss_model = old_loss_model; ++ q->clg = old_clg; + goto unlock; + } + } else { + q->loss_model = CLG_RANDOM; + } + +- if (tb[TCA_NETEM_DELAY_DIST]) { +- ret = get_dist_table(sch, &q->delay_dist, +- tb[TCA_NETEM_DELAY_DIST]); +- if (ret) +- goto get_table_failure; +- } +- +- if (tb[TCA_NETEM_SLOT_DIST]) { +- ret = get_dist_table(sch, &q->slot_dist, +- tb[TCA_NETEM_SLOT_DIST]); +- if (ret) +- goto get_table_failure; +- } +- ++ if (delay_dist) ++ swap(q->delay_dist, delay_dist); ++ if (slot_dist) ++ swap(q->slot_dist, slot_dist); + sch->limit = qopt->limit; + + q->latency = PSCHED_TICKS2NS(qopt->latency); +@@ -1044,17 +1041,11 @@ static int netem_change(struct Qdisc *sc + + unlock: + sch_tree_unlock(sch); +- return ret; + +-get_table_failure: +- /* recover clg and loss_model, in case of +- * q->clg and q->loss_model were modified +- * in get_loss_clg() +- */ +- q->clg = old_clg; +- q->loss_model = old_loss_model; +- +- goto unlock; ++table_free: ++ dist_free(delay_dist); ++ dist_free(slot_dist); ++ return ret; + } + + static int netem_init(struct Qdisc *sch, struct nlattr *opt, diff --git a/queue-6.1/scsi-53c700-check-that-command-slot-is-not-null.patch b/queue-6.1/scsi-53c700-check-that-command-slot-is-not-null.patch new file mode 100644 index 00000000000..2a5665333a5 --- /dev/null +++ b/queue-6.1/scsi-53c700-check-that-command-slot-is-not-null.patch @@ -0,0 +1,36 @@ +From 8366d1f1249a0d0bba41d0bd1298d63e5d34c7f7 Mon Sep 17 00:00:00 2001 +From: Alexandra Diupina +Date: Fri, 28 Jul 2023 15:35:21 +0300 +Subject: scsi: 53c700: Check that command slot is not NULL + +From: Alexandra Diupina + +commit 8366d1f1249a0d0bba41d0bd1298d63e5d34c7f7 upstream. + +Add a check for the command slot value to avoid dereferencing a NULL +pointer. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Co-developed-by: Vladimir Telezhnikov +Signed-off-by: Vladimir Telezhnikov +Signed-off-by: Alexandra Diupina +Link: https://lore.kernel.org/r/20230728123521.18293-1-adiupina@astralinux.ru +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/53c700.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/53c700.c ++++ b/drivers/scsi/53c700.c +@@ -1598,7 +1598,7 @@ NCR_700_intr(int irq, void *dev_id) + printk("scsi%d (%d:%d) PHASE MISMATCH IN SEND MESSAGE %d remain, return %p[%04x], phase %s\n", host->host_no, pun, lun, count, (void *)temp, temp - hostdata->pScript, sbcl_to_string(NCR_700_readb(host, SBCL_REG))); + #endif + resume_offset = hostdata->pScript + Ent_SendMessagePhaseMismatch; +- } else if(dsp >= to32bit(&slot->pSG[0].ins) && ++ } else if (slot && dsp >= to32bit(&slot->pSG[0].ins) && + dsp <= to32bit(&slot->pSG[NCR_700_SG_SEGMENTS].ins)) { + int data_transfer = NCR_700_readl(host, DBC_REG) & 0xffffff; + int SGcount = (dsp - to32bit(&slot->pSG[0].ins))/sizeof(struct NCR_700_SG_List); diff --git a/queue-6.1/scsi-core-fix-legacy-proc-parsing-buffer-overflow.patch b/queue-6.1/scsi-core-fix-legacy-proc-parsing-buffer-overflow.patch new file mode 100644 index 00000000000..e4ad8d3a3bd --- /dev/null +++ b/queue-6.1/scsi-core-fix-legacy-proc-parsing-buffer-overflow.patch @@ -0,0 +1,106 @@ +From 9426d3cef5000824e5f24f80ed5f42fb935f2488 Mon Sep 17 00:00:00 2001 +From: Tony Battersby +Date: Mon, 24 Jul 2023 14:25:40 -0400 +Subject: scsi: core: Fix legacy /proc parsing buffer overflow + +From: Tony Battersby + +commit 9426d3cef5000824e5f24f80ed5f42fb935f2488 upstream. + +(lightly modified commit message mostly by Linus Torvalds) + +The parsing code for /proc/scsi/scsi is disgusting and broken. We should +have just used 'sscanf()' or something simple like that, but the logic may +actually predate our kernel sscanf library routine for all I know. It +certainly predates both git and BK histories. + +And we can't change it to be something sane like that now, because the +string matching at the start is done case-insensitively, and the separator +parsing between numbers isn't done at all, so *any* separator will work, +including a possible terminating NUL character. + +This interface is root-only, and entirely for legacy use, so there is +absolutely no point in trying to tighten up the parsing. Because any +separator has traditionally worked, it's entirely possible that people have +used random characters rather than the suggested space. + +So don't bother to try to pretty it up, and let's just make a minimal patch +that can be back-ported and we can forget about this whole sorry thing for +another two decades. + +Just make it at least not read past the end of the supplied data. + +Link: https://lore.kernel.org/linux-scsi/b570f5fe-cb7c-863a-6ed9-f6774c219b88@cybernetics.com/ +Cc: Linus Torvalds +Cc: Martin K Petersen +Cc: James Bottomley +Cc: Willy Tarreau +Cc: stable@kernel.org +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Tony Battersby +Signed-off-by: Martin K Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/scsi_proc.c | 30 +++++++++++++++++------------- + 1 file changed, 17 insertions(+), 13 deletions(-) + +--- a/drivers/scsi/scsi_proc.c ++++ b/drivers/scsi/scsi_proc.c +@@ -311,7 +311,7 @@ static ssize_t proc_scsi_write(struct fi + size_t length, loff_t *ppos) + { + int host, channel, id, lun; +- char *buffer, *p; ++ char *buffer, *end, *p; + int err; + + if (!buf || length > PAGE_SIZE) +@@ -326,10 +326,14 @@ static ssize_t proc_scsi_write(struct fi + goto out; + + err = -EINVAL; +- if (length < PAGE_SIZE) +- buffer[length] = '\0'; +- else if (buffer[PAGE_SIZE-1]) +- goto out; ++ if (length < PAGE_SIZE) { ++ end = buffer + length; ++ *end = '\0'; ++ } else { ++ end = buffer + PAGE_SIZE - 1; ++ if (*end) ++ goto out; ++ } + + /* + * Usage: echo "scsi add-single-device 0 1 2 3" >/proc/scsi/scsi +@@ -338,10 +342,10 @@ static ssize_t proc_scsi_write(struct fi + if (!strncmp("scsi add-single-device", buffer, 22)) { + p = buffer + 23; + +- host = simple_strtoul(p, &p, 0); +- channel = simple_strtoul(p + 1, &p, 0); +- id = simple_strtoul(p + 1, &p, 0); +- lun = simple_strtoul(p + 1, &p, 0); ++ host = (p < end) ? simple_strtoul(p, &p, 0) : 0; ++ channel = (p + 1 < end) ? simple_strtoul(p + 1, &p, 0) : 0; ++ id = (p + 1 < end) ? simple_strtoul(p + 1, &p, 0) : 0; ++ lun = (p + 1 < end) ? simple_strtoul(p + 1, &p, 0) : 0; + + err = scsi_add_single_device(host, channel, id, lun); + +@@ -352,10 +356,10 @@ static ssize_t proc_scsi_write(struct fi + } else if (!strncmp("scsi remove-single-device", buffer, 25)) { + p = buffer + 26; + +- host = simple_strtoul(p, &p, 0); +- channel = simple_strtoul(p + 1, &p, 0); +- id = simple_strtoul(p + 1, &p, 0); +- lun = simple_strtoul(p + 1, &p, 0); ++ host = (p < end) ? simple_strtoul(p, &p, 0) : 0; ++ channel = (p + 1 < end) ? simple_strtoul(p + 1, &p, 0) : 0; ++ id = (p + 1 < end) ? simple_strtoul(p + 1, &p, 0) : 0; ++ lun = (p + 1 < end) ? simple_strtoul(p + 1, &p, 0) : 0; + + err = scsi_remove_single_device(host, channel, id, lun); + } diff --git a/queue-6.1/scsi-core-fix-possible-memory-leak-if-device_add-fails.patch b/queue-6.1/scsi-core-fix-possible-memory-leak-if-device_add-fails.patch new file mode 100644 index 00000000000..eadcc32886b --- /dev/null +++ b/queue-6.1/scsi-core-fix-possible-memory-leak-if-device_add-fails.patch @@ -0,0 +1,34 @@ +From 04b5b5cb0136ce970333a9c6cec7e46adba1ea3a Mon Sep 17 00:00:00 2001 +From: Zhu Wang +Date: Thu, 3 Aug 2023 10:02:30 +0800 +Subject: scsi: core: Fix possible memory leak if device_add() fails + +From: Zhu Wang + +commit 04b5b5cb0136ce970333a9c6cec7e46adba1ea3a upstream. + +If device_add() returns error, the name allocated by dev_set_name() needs +be freed. As the comment of device_add() says, put_device() should be used +to decrease the reference count in the error path. So fix this by calling +put_device(), then the name can be freed in kobject_cleanp(). + +Fixes: ee959b00c335 ("SCSI: convert struct class_device to struct device") +Signed-off-by: Zhu Wang +Link: https://lore.kernel.org/r/20230803020230.226903-1-wangzhu9@huawei.com +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/raid_class.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/scsi/raid_class.c ++++ b/drivers/scsi/raid_class.c +@@ -248,6 +248,7 @@ int raid_component_add(struct raid_templ + return 0; + + err_out: ++ put_device(&rc->dev); + list_del(&rc->node); + rd->component_count--; + put_device(component_dev); diff --git a/queue-6.1/scsi-fnic-replace-return-codes-in-fnic_clean_pending_aborts.patch b/queue-6.1/scsi-fnic-replace-return-codes-in-fnic_clean_pending_aborts.patch new file mode 100644 index 00000000000..842de42f40e --- /dev/null +++ b/queue-6.1/scsi-fnic-replace-return-codes-in-fnic_clean_pending_aborts.patch @@ -0,0 +1,60 @@ +From 5a43b07a87835660f91d88a4db11abfea8c523b7 Mon Sep 17 00:00:00 2001 +From: Karan Tilak Kumar +Date: Thu, 27 Jul 2023 12:39:19 -0700 +Subject: scsi: fnic: Replace return codes in fnic_clean_pending_aborts() + +From: Karan Tilak Kumar + +commit 5a43b07a87835660f91d88a4db11abfea8c523b7 upstream. + +fnic_clean_pending_aborts() was returning a non-zero value irrespective of +failure or success. This caused the caller of this function to assume that +the device reset had failed, even though it would succeed in most cases. As +a consequence, a successful device reset would escalate to host reset. + +Reviewed-by: Sesidhar Baddela +Tested-by: Karan Tilak Kumar +Signed-off-by: Karan Tilak Kumar +Link: https://lore.kernel.org/r/20230727193919.2519-1-kartilak@cisco.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/fnic/fnic.h | 2 +- + drivers/scsi/fnic/fnic_scsi.c | 6 ++++-- + 2 files changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/scsi/fnic/fnic.h ++++ b/drivers/scsi/fnic/fnic.h +@@ -27,7 +27,7 @@ + + #define DRV_NAME "fnic" + #define DRV_DESCRIPTION "Cisco FCoE HBA Driver" +-#define DRV_VERSION "1.6.0.54" ++#define DRV_VERSION "1.6.0.55" + #define PFX DRV_NAME ": " + #define DFX DRV_NAME "%d: " + +--- a/drivers/scsi/fnic/fnic_scsi.c ++++ b/drivers/scsi/fnic/fnic_scsi.c +@@ -2139,7 +2139,7 @@ static int fnic_clean_pending_aborts(str + bool new_sc) + + { +- int ret = SUCCESS; ++ int ret = 0; + struct fnic_pending_aborts_iter_data iter_data = { + .fnic = fnic, + .lun_dev = lr_sc->device, +@@ -2159,9 +2159,11 @@ static int fnic_clean_pending_aborts(str + + /* walk again to check, if IOs are still pending in fw */ + if (fnic_is_abts_pending(fnic, lr_sc)) +- ret = FAILED; ++ ret = 1; + + clean_pending_aborts_end: ++ FNIC_SCSI_DBG(KERN_INFO, fnic->lport->host, ++ "%s: exit status: %d\n", __func__, ret); + return ret; + } + diff --git a/queue-6.1/scsi-qedf-fix-firmware-halt-over-suspend-and-resume.patch b/queue-6.1/scsi-qedf-fix-firmware-halt-over-suspend-and-resume.patch new file mode 100644 index 00000000000..cf20c98074b --- /dev/null +++ b/queue-6.1/scsi-qedf-fix-firmware-halt-over-suspend-and-resume.patch @@ -0,0 +1,71 @@ +From ef222f551e7c4e2008fc442ffc9edcd1a7fd8f63 Mon Sep 17 00:00:00 2001 +From: Nilesh Javali +Date: Mon, 7 Aug 2023 15:07:24 +0530 +Subject: scsi: qedf: Fix firmware halt over suspend and resume + +From: Nilesh Javali + +commit ef222f551e7c4e2008fc442ffc9edcd1a7fd8f63 upstream. + +While performing certain power-off sequences, PCI drivers are called to +suspend and resume their underlying devices through PCI PM (power +management) interface. However the hardware does not support PCI PM +suspend/resume operations so system wide suspend/resume leads to bad MFW +(management firmware) state which causes various follow-up errors in driver +when communicating with the device/firmware. + +To fix this driver implements PCI PM suspend handler to indicate +unsupported operation to the PCI subsystem explicitly, thus avoiding system +to go into suspended/standby mode. + +Fixes: 61d8658b4a43 ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.") +Signed-off-by: Saurav Kashyap +Signed-off-by: Nilesh Javali +Link: https://lore.kernel.org/r/20230807093725.46829-1-njavali@marvell.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qedf/qedf_main.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +--- a/drivers/scsi/qedf/qedf_main.c ++++ b/drivers/scsi/qedf/qedf_main.c +@@ -31,6 +31,7 @@ static void qedf_remove(struct pci_dev * + static void qedf_shutdown(struct pci_dev *pdev); + static void qedf_schedule_recovery_handler(void *dev); + static void qedf_recovery_handler(struct work_struct *work); ++static int qedf_suspend(struct pci_dev *pdev, pm_message_t state); + + /* + * Driver module parameters. +@@ -3276,6 +3277,7 @@ static struct pci_driver qedf_pci_driver + .probe = qedf_probe, + .remove = qedf_remove, + .shutdown = qedf_shutdown, ++ .suspend = qedf_suspend, + }; + + static int __qedf_probe(struct pci_dev *pdev, int mode) +@@ -4005,6 +4007,22 @@ static void qedf_shutdown(struct pci_dev + __qedf_remove(pdev, QEDF_MODE_NORMAL); + } + ++static int qedf_suspend(struct pci_dev *pdev, pm_message_t state) ++{ ++ struct qedf_ctx *qedf; ++ ++ if (!pdev) { ++ QEDF_ERR(NULL, "pdev is NULL.\n"); ++ return -ENODEV; ++ } ++ ++ qedf = pci_get_drvdata(pdev); ++ ++ QEDF_ERR(&qedf->dbg_ctx, "%s: Device does not support suspend operation\n", __func__); ++ ++ return -EPERM; ++} ++ + /* + * Recovery handler code + */ diff --git a/queue-6.1/scsi-qedi-fix-firmware-halt-over-suspend-and-resume.patch b/queue-6.1/scsi-qedi-fix-firmware-halt-over-suspend-and-resume.patch new file mode 100644 index 00000000000..97ef513d400 --- /dev/null +++ b/queue-6.1/scsi-qedi-fix-firmware-halt-over-suspend-and-resume.patch @@ -0,0 +1,70 @@ +From 1516ee035df32115197cd93ae3619dba7b020986 Mon Sep 17 00:00:00 2001 +From: Nilesh Javali +Date: Mon, 7 Aug 2023 15:07:25 +0530 +Subject: scsi: qedi: Fix firmware halt over suspend and resume + +From: Nilesh Javali + +commit 1516ee035df32115197cd93ae3619dba7b020986 upstream. + +While performing certain power-off sequences, PCI drivers are called to +suspend and resume their underlying devices through PCI PM (power +management) interface. However the hardware does not support PCI PM +suspend/resume operations so system wide suspend/resume leads to bad MFW +(management firmware) state which causes various follow-up errors in driver +when communicating with the device/firmware. + +To fix this driver implements PCI PM suspend handler to indicate +unsupported operation to the PCI subsystem explicitly, thus avoiding system +to go into suspended/standby mode. + +Fixes: ace7f46ba5fd ("scsi: qedi: Add QLogic FastLinQ offload iSCSI driver framework.") +Signed-off-by: Nilesh Javali +Link: https://lore.kernel.org/r/20230807093725.46829-2-njavali@marvell.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qedi/qedi_main.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +--- a/drivers/scsi/qedi/qedi_main.c ++++ b/drivers/scsi/qedi/qedi_main.c +@@ -69,6 +69,7 @@ static struct nvm_iscsi_block *qedi_get_ + static void qedi_recovery_handler(struct work_struct *work); + static void qedi_schedule_hw_err_handler(void *dev, + enum qed_hw_err_type err_type); ++static int qedi_suspend(struct pci_dev *pdev, pm_message_t state); + + static int qedi_iscsi_event_cb(void *context, u8 fw_event_code, void *fw_handle) + { +@@ -2510,6 +2511,22 @@ static void qedi_shutdown(struct pci_dev + __qedi_remove(pdev, QEDI_MODE_SHUTDOWN); + } + ++static int qedi_suspend(struct pci_dev *pdev, pm_message_t state) ++{ ++ struct qedi_ctx *qedi; ++ ++ if (!pdev) { ++ QEDI_ERR(NULL, "pdev is NULL.\n"); ++ return -ENODEV; ++ } ++ ++ qedi = pci_get_drvdata(pdev); ++ ++ QEDI_ERR(&qedi->dbg_ctx, "%s: Device does not support suspend operation\n", __func__); ++ ++ return -EPERM; ++} ++ + static int __qedi_probe(struct pci_dev *pdev, int mode) + { + struct qedi_ctx *qedi; +@@ -2868,6 +2885,7 @@ static struct pci_driver qedi_pci_driver + .remove = qedi_remove, + .shutdown = qedi_shutdown, + .err_handler = &qedi_err_handler, ++ .suspend = qedi_suspend, + }; + + static int __init qedi_init(void) diff --git a/queue-6.1/scsi-snic-fix-possible-memory-leak-if-device_add-fails.patch b/queue-6.1/scsi-snic-fix-possible-memory-leak-if-device_add-fails.patch new file mode 100644 index 00000000000..73f7fac50b2 --- /dev/null +++ b/queue-6.1/scsi-snic-fix-possible-memory-leak-if-device_add-fails.patch @@ -0,0 +1,34 @@ +From 41320b18a0e0dfb236dba4edb9be12dba1878156 Mon Sep 17 00:00:00 2001 +From: Zhu Wang +Date: Tue, 1 Aug 2023 19:14:21 +0800 +Subject: scsi: snic: Fix possible memory leak if device_add() fails + +From: Zhu Wang + +commit 41320b18a0e0dfb236dba4edb9be12dba1878156 upstream. + +If device_add() returns error, the name allocated by dev_set_name() needs +be freed. As the comment of device_add() says, put_device() should be used +to give up the reference in the error path. So fix this by calling +put_device(), then the name can be freed in kobject_cleanp(). + +Fixes: c8806b6c9e82 ("snic: driver for Cisco SCSI HBA") +Signed-off-by: Zhu Wang +Acked-by: Narsimhulu Musini +Link: https://lore.kernel.org/r/20230801111421.63651-1-wangzhu9@huawei.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/snic/snic_disc.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/scsi/snic/snic_disc.c ++++ b/drivers/scsi/snic/snic_disc.c +@@ -303,6 +303,7 @@ snic_tgt_create(struct snic *snic, struc + "Snic Tgt: device_add, with err = %d\n", + ret); + ++ put_device(&tgt->dev); + put_device(&snic->shost->shost_gendev); + spin_lock_irqsave(snic->shost->host_lock, flags); + list_del(&tgt->list); diff --git a/queue-6.1/scsi-storvsc-fix-handling-of-virtual-fibre-channel-timeouts.patch b/queue-6.1/scsi-storvsc-fix-handling-of-virtual-fibre-channel-timeouts.patch new file mode 100644 index 00000000000..8cef221d1e5 --- /dev/null +++ b/queue-6.1/scsi-storvsc-fix-handling-of-virtual-fibre-channel-timeouts.patch @@ -0,0 +1,62 @@ +From 175544ad48cbf56affeef2a679c6a4d4fb1e2881 Mon Sep 17 00:00:00 2001 +From: Michael Kelley +Date: Fri, 28 Jul 2023 21:59:24 -0700 +Subject: scsi: storvsc: Fix handling of virtual Fibre Channel timeouts + +From: Michael Kelley + +commit 175544ad48cbf56affeef2a679c6a4d4fb1e2881 upstream. + +Hyper-V provides the ability to connect Fibre Channel LUNs to the host +system and present them in a guest VM as a SCSI device. I/O to the vFC +device is handled by the storvsc driver. The storvsc driver includes a +partial integration with the FC transport implemented in the generic +portion of the Linux SCSI subsystem so that FC attributes can be displayed +in /sys. However, the partial integration means that some aspects of vFC +don't work properly. Unfortunately, a full and correct integration isn't +practical because of limitations in what Hyper-V provides to the guest. + +In particular, in the context of Hyper-V storvsc, the FC transport timeout +function fc_eh_timed_out() causes a kernel panic because it can't find the +rport and dereferences a NULL pointer. The original patch that added the +call from storvsc_eh_timed_out() to fc_eh_timed_out() is faulty in this +regard. + +In many cases a timeout is due to a transient condition, so the situation +can be improved by just continuing to wait like with other I/O requests +issued by storvsc, and avoiding the guaranteed panic. For a permanent +failure, continuing to wait may result in a hung thread instead of a panic, +which again may be better. + +So fix the panic by removing the storvsc call to fc_eh_timed_out(). This +allows storvsc to keep waiting for a response. The change has been tested +by users who experienced a panic in fc_eh_timed_out() due to transient +timeouts, and it solves their problem. + +In the future we may want to deprecate the vFC functionality in storvsc +since it can't be fully fixed. But it has current users for whom it is +working well enough, so it should probably stay for a while longer. + +Fixes: 3930d7309807 ("scsi: storvsc: use default I/O timeout handler for FC devices") +Cc: stable@vger.kernel.org +Signed-off-by: Michael Kelley +Link: https://lore.kernel.org/r/1690606764-79669-1-git-send-email-mikelley@microsoft.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/storvsc_drv.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/drivers/scsi/storvsc_drv.c ++++ b/drivers/scsi/storvsc_drv.c +@@ -1670,10 +1670,6 @@ static int storvsc_host_reset_handler(st + */ + static enum blk_eh_timer_return storvsc_eh_timed_out(struct scsi_cmnd *scmnd) + { +-#if IS_ENABLED(CONFIG_SCSI_FC_ATTRS) +- if (scmnd->device->host->transportt == fc_transport_template) +- return fc_eh_timed_out(scmnd); +-#endif + return BLK_EH_RESET_TIMER; + } + diff --git a/queue-6.1/scsi-ufs-renesas-fix-private-allocation.patch b/queue-6.1/scsi-ufs-renesas-fix-private-allocation.patch new file mode 100644 index 00000000000..1a5b3b3b1f4 --- /dev/null +++ b/queue-6.1/scsi-ufs-renesas-fix-private-allocation.patch @@ -0,0 +1,38 @@ +From b6d128f89a85771433a004e8656090ccbe1fb969 Mon Sep 17 00:00:00 2001 +From: Yoshihiro Shimoda +Date: Thu, 3 Aug 2023 17:18:12 +0900 +Subject: scsi: ufs: renesas: Fix private allocation + +From: Yoshihiro Shimoda + +commit b6d128f89a85771433a004e8656090ccbe1fb969 upstream. + +Should use devm_kzalloc() for struct ufs_renesas_priv because the +.initialized should be false as default. + +Fixes: d69520288efd ("scsi: ufs: ufs-renesas: Add support for Renesas R-Car UFS controller") +Signed-off-by: Yoshihiro Shimoda +Link: https://lore.kernel.org/r/20230803081812.1446282-1-yoshihiro.shimoda.uh@renesas.com +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ufs/host/ufs-renesas.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ufs/host/ufs-renesas.c b/drivers/ufs/host/ufs-renesas.c +index f8a5e79ed3b4..ab0652d8705a 100644 +--- a/drivers/ufs/host/ufs-renesas.c ++++ b/drivers/ufs/host/ufs-renesas.c +@@ -359,7 +359,7 @@ static int ufs_renesas_init(struct ufs_hba *hba) + { + struct ufs_renesas_priv *priv; + +- priv = devm_kmalloc(hba->dev, sizeof(*priv), GFP_KERNEL); ++ priv = devm_kzalloc(hba->dev, sizeof(*priv), GFP_KERNEL); + if (!priv) + return -ENOMEM; + ufshcd_set_variant(hba, priv); +-- +2.41.0 + diff --git a/queue-6.1/series b/queue-6.1/series index a0555961bec..0cab302d327 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -133,3 +133,16 @@ btrfs-set-cache_block_group_error-if-we-find-an-error.patch nvme-tcp-fix-potential-unbalanced-freeze-unfreeze.patch nvme-rdma-fix-potential-unbalanced-freeze-unfreeze.patch netfilter-nf_tables-report-use-refcount-overflow.patch +scsi-core-fix-legacy-proc-parsing-buffer-overflow.patch +scsi-storvsc-fix-handling-of-virtual-fibre-channel-timeouts.patch +scsi-ufs-renesas-fix-private-allocation.patch +scsi-53c700-check-that-command-slot-is-not-null.patch +scsi-snic-fix-possible-memory-leak-if-device_add-fails.patch +scsi-core-fix-possible-memory-leak-if-device_add-fails.patch +scsi-fnic-replace-return-codes-in-fnic_clean_pending_aborts.patch +scsi-qedi-fix-firmware-halt-over-suspend-and-resume.patch +scsi-qedf-fix-firmware-halt-over-suspend-and-resume.patch +platform-x86-serial-multi-instantiate-auto-detect-irq-resource-for-csc3551.patch +acpi-scan-create-platform-device-for-cs35l56.patch +alpha-remove-__init-annotation-from-exported-page_is_ram.patch +sch_netem-fix-issues-in-netem_change-vs-get_dist_table.patch