From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, 15 Nov 2018 01:07:16 +0000 (-0800)
Subject: 4.18-stable patches
X-Git-Tag: v4.19.3~46
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b53db296c109eb86f1c34e57ec1f6a5827741723;p=thirdparty%2Fkernel%2Fstable-queue.git

4.18-stable patches

added patches:
	fuse-fix-blocked_waitq-wakeup.patch
	fuse-fix-use-after-free-in-fuse_dev_do_read.patch
	fuse-fix-use-after-free-in-fuse_dev_do_write.patch
	fuse-set-fr_sent-while-locked.patch
	scsi-qla2xxx-fix-driver-hang-when-fc-nvme-luns-are-configured.patch
	scsi-qla2xxx-fix-duplicate-switch-database-entries.patch
---

diff --git a/queue-4.18/fuse-fix-blocked_waitq-wakeup.patch b/queue-4.18/fuse-fix-blocked_waitq-wakeup.patch
new file mode 100644
index 00000000000..602eaa85acf
--- /dev/null
+++ b/queue-4.18/fuse-fix-blocked_waitq-wakeup.patch
@@ -0,0 +1,49 @@
+From 908a572b80f6e9577b45e81b3dfe2e22111286b8 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Fri, 28 Sep 2018 16:43:22 +0200
+Subject: fuse: fix blocked_waitq wakeup
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 908a572b80f6e9577b45e81b3dfe2e22111286b8 upstream.
+
+Using waitqueue_active() is racy.  Make sure we issue a wake_up()
+unconditionally after storing into fc->blocked.  After that it's okay to
+optimize with waitqueue_active() since the first wake up provides the
+necessary barrier for all waiters, not the just the woken one.
+
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Fixes: 3c18ef8117f0 ("fuse: optimize wake_up")
+Cc: <stable@vger.kernel.org> # v3.10
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/dev.c |   15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -391,12 +391,19 @@ static void request_end(struct fuse_conn
+ 	if (test_bit(FR_BACKGROUND, &req->flags)) {
+ 		spin_lock(&fc->lock);
+ 		clear_bit(FR_BACKGROUND, &req->flags);
+-		if (fc->num_background == fc->max_background)
++		if (fc->num_background == fc->max_background) {
+ 			fc->blocked = 0;
+-
+-		/* Wake up next waiter, if any */
+-		if (!fc->blocked && waitqueue_active(&fc->blocked_waitq))
+ 			wake_up(&fc->blocked_waitq);
++		} else if (!fc->blocked) {
++			/*
++			 * Wake up next waiter, if any.  It's okay to use
++			 * waitqueue_active(), as we've already synced up
++			 * fc->blocked with waiters with the wake_up() call
++			 * above.
++			 */
++			if (waitqueue_active(&fc->blocked_waitq))
++				wake_up(&fc->blocked_waitq);
++		}
+ 
+ 		if (fc->num_background == fc->congestion_threshold && fc->sb) {
+ 			clear_bdi_congested(fc->sb->s_bdi, BLK_RW_SYNC);
diff --git a/queue-4.18/fuse-fix-use-after-free-in-fuse_dev_do_read.patch b/queue-4.18/fuse-fix-use-after-free-in-fuse_dev_do_read.patch
new file mode 100644
index 00000000000..9f6ffe2db6d
--- /dev/null
+++ b/queue-4.18/fuse-fix-use-after-free-in-fuse_dev_do_read.patch
@@ -0,0 +1,50 @@
+From bc78abbd55dd28e2287ec6d6502b842321a17c87 Mon Sep 17 00:00:00 2001
+From: Kirill Tkhai <ktkhai@virtuozzo.com>
+Date: Tue, 25 Sep 2018 12:28:55 +0300
+Subject: fuse: Fix use-after-free in fuse_dev_do_read()
+
+From: Kirill Tkhai <ktkhai@virtuozzo.com>
+
+commit bc78abbd55dd28e2287ec6d6502b842321a17c87 upstream.
+
+We may pick freed req in this way:
+
+[cpu0]                                  [cpu1]
+fuse_dev_do_read()                      fuse_dev_do_write()
+   list_move_tail(&req->list, ...);     ...
+   spin_unlock(&fpq->lock);             ...
+   ...                                  request_end(fc, req);
+   ...                                    fuse_put_request(fc, req);
+   if (test_bit(FR_INTERRUPTED, ...))
+         queue_interrupt(fiq, req);
+
+Fix that by keeping req alive until we finish all manipulations.
+
+Reported-by: syzbot+4e975615ca01f2277bdd@syzkaller.appspotmail.com
+Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Fixes: 46c34a348b0a ("fuse: no fc->lock for pqueue parts")
+Cc: <stable@vger.kernel.org> # v4.2
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/dev.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -1311,12 +1311,14 @@ static ssize_t fuse_dev_do_read(struct f
+ 		goto out_end;
+ 	}
+ 	list_move_tail(&req->list, &fpq->processing);
++	__fuse_get_request(req);
+ 	spin_unlock(&fpq->lock);
+ 	set_bit(FR_SENT, &req->flags);
+ 	/* matches barrier in request_wait_answer() */
+ 	smp_mb__after_atomic();
+ 	if (test_bit(FR_INTERRUPTED, &req->flags))
+ 		queue_interrupt(fiq, req);
++	fuse_put_request(fc, req);
+ 
+ 	return reqsize;
+ 
diff --git a/queue-4.18/fuse-fix-use-after-free-in-fuse_dev_do_write.patch b/queue-4.18/fuse-fix-use-after-free-in-fuse_dev_do_write.patch
new file mode 100644
index 00000000000..ad33fd9ba26
--- /dev/null
+++ b/queue-4.18/fuse-fix-use-after-free-in-fuse_dev_do_write.patch
@@ -0,0 +1,60 @@
+From d2d2d4fb1f54eff0f3faa9762d84f6446a4bc5d0 Mon Sep 17 00:00:00 2001
+From: Kirill Tkhai <ktkhai@virtuozzo.com>
+Date: Tue, 25 Sep 2018 12:52:42 +0300
+Subject: fuse: Fix use-after-free in fuse_dev_do_write()
+
+From: Kirill Tkhai <ktkhai@virtuozzo.com>
+
+commit d2d2d4fb1f54eff0f3faa9762d84f6446a4bc5d0 upstream.
+
+After we found req in request_find() and released the lock,
+everything may happen with the req in parallel:
+
+cpu0                              cpu1
+fuse_dev_do_write()               fuse_dev_do_write()
+  req = request_find(fpq, ...)    ...
+  spin_unlock(&fpq->lock)         ...
+  ...                             req = request_find(fpq, oh.unique)
+  ...                             spin_unlock(&fpq->lock)
+  queue_interrupt(&fc->iq, req);   ...
+  ...                              ...
+  ...                              ...
+  request_end(fc, req);
+    fuse_put_request(fc, req);
+  ...                              queue_interrupt(&fc->iq, req);
+
+
+Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Fixes: 46c34a348b0a ("fuse: no fc->lock for pqueue parts")
+Cc: <stable@vger.kernel.org> # v4.2
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/dev.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -1877,16 +1877,20 @@ static ssize_t fuse_dev_do_write(struct
+ 
+ 	/* Is it an interrupt reply? */
+ 	if (req->intr_unique == oh.unique) {
++		__fuse_get_request(req);
+ 		spin_unlock(&fpq->lock);
+ 
+ 		err = -EINVAL;
+-		if (nbytes != sizeof(struct fuse_out_header))
++		if (nbytes != sizeof(struct fuse_out_header)) {
++			fuse_put_request(fc, req);
+ 			goto err_finish;
++		}
+ 
+ 		if (oh.error == -ENOSYS)
+ 			fc->no_interrupt = 1;
+ 		else if (oh.error == -EAGAIN)
+ 			queue_interrupt(&fc->iq, req);
++		fuse_put_request(fc, req);
+ 
+ 		fuse_copy_finish(cs);
+ 		return nbytes;
diff --git a/queue-4.18/fuse-set-fr_sent-while-locked.patch b/queue-4.18/fuse-set-fr_sent-while-locked.patch
new file mode 100644
index 00000000000..ef4b622dcd2
--- /dev/null
+++ b/queue-4.18/fuse-set-fr_sent-while-locked.patch
@@ -0,0 +1,35 @@
+From 4c316f2f3ff315cb48efb7435621e5bfb81df96d Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Fri, 28 Sep 2018 16:43:22 +0200
+Subject: fuse: set FR_SENT while locked
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 4c316f2f3ff315cb48efb7435621e5bfb81df96d upstream.
+
+Otherwise fuse_dev_do_write() could come in and finish off the request, and
+the set_bit(FR_SENT, ...) could trigger the WARN_ON(test_bit(FR_SENT, ...))
+in request_end().
+
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Reported-by: syzbot+ef054c4d3f64cd7f7cec@syzkaller.appspotmai
+Fixes: 46c34a348b0a ("fuse: no fc->lock for pqueue parts")
+Cc: <stable@vger.kernel.org> # v4.2
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/dev.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -1319,8 +1319,8 @@ static ssize_t fuse_dev_do_read(struct f
+ 	}
+ 	list_move_tail(&req->list, &fpq->processing);
+ 	__fuse_get_request(req);
+-	spin_unlock(&fpq->lock);
+ 	set_bit(FR_SENT, &req->flags);
++	spin_unlock(&fpq->lock);
+ 	/* matches barrier in request_wait_answer() */
+ 	smp_mb__after_atomic();
+ 	if (test_bit(FR_INTERRUPTED, &req->flags))
diff --git a/queue-4.18/scsi-qla2xxx-fix-driver-hang-when-fc-nvme-luns-are-configured.patch b/queue-4.18/scsi-qla2xxx-fix-driver-hang-when-fc-nvme-luns-are-configured.patch
new file mode 100644
index 00000000000..e6f86ecbcff
--- /dev/null
+++ b/queue-4.18/scsi-qla2xxx-fix-driver-hang-when-fc-nvme-luns-are-configured.patch
@@ -0,0 +1,36 @@
+From 39553065f77c297239308470ee313841f4e07db4 Mon Sep 17 00:00:00 2001
+From: Himanshu Madhani <himanshu.madhani@cavium.com>
+Date: Wed, 26 Sep 2018 22:05:15 -0700
+Subject: scsi: qla2xxx: Fix driver hang when FC-NVMe LUNs are configured
+
+From: Himanshu Madhani <himanshu.madhani@cavium.com>
+
+commit 39553065f77c297239308470ee313841f4e07db4 upstream.
+
+This patch fixes multiple call for qla_nvme_unregister_remote_port() as part
+of qlt_schedule_session_for_deletion(), Do not call it again during
+qla_nvme_delete()
+
+Fixes: e473b3074104 ("scsi: qla2xxx: Add FC-NVMe abort processing")
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Ewan D. Milne <emilne@redhat.com>
+Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_nvme.c |    3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_nvme.c
++++ b/drivers/scsi/qla2xxx/qla_nvme.c
+@@ -657,9 +657,6 @@ void qla_nvme_delete(struct scsi_qla_hos
+ 		    __func__, fcport);
+ 
+ 		nvme_fc_set_remoteport_devloss(fcport->nvme_remote_port, 0);
+-		init_completion(&fcport->nvme_del_done);
+-		nvme_fc_unregister_remoteport(fcport->nvme_remote_port);
+-		wait_for_completion(&fcport->nvme_del_done);
+ 	}
+ 
+ 	if (vha->nvme_local_port) {
diff --git a/queue-4.18/scsi-qla2xxx-fix-duplicate-switch-database-entries.patch b/queue-4.18/scsi-qla2xxx-fix-duplicate-switch-database-entries.patch
new file mode 100644
index 00000000000..c56696b8851
--- /dev/null
+++ b/queue-4.18/scsi-qla2xxx-fix-duplicate-switch-database-entries.patch
@@ -0,0 +1,40 @@
+From 732ee9a912cf2d9a50c5f9c4213cdc2f885d6aa6 Mon Sep 17 00:00:00 2001
+From: Quinn Tran <quinn.tran@cavium.com>
+Date: Wed, 26 Sep 2018 22:05:13 -0700
+Subject: scsi: qla2xxx: Fix duplicate switch database entries
+
+From: Quinn Tran <quinn.tran@cavium.com>
+
+commit 732ee9a912cf2d9a50c5f9c4213cdc2f885d6aa6 upstream.
+
+The response data buffer used in switch scan is reused 4 times.  (For example,
+for commands GPN_FT, GNN_FT for FCP and FC-NVME) Before driver reuses this
+buffer, clear it to prevent duplicate entries in our database.
+
+Fixes: a4239945b8ad1 ("scsi: qla2xxx: Add switch command to simplify fabric discovery"
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Quinn Tran <quinn.tran@cavium.com>
+Reviewed-by: Ewan D. Milne <emilne@redhat.com>
+Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_gs.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_gs.c
++++ b/drivers/scsi/qla2xxx/qla_gs.c
+@@ -4410,9 +4410,9 @@ int qla24xx_async_gpnft(scsi_qla_host_t
+ 	sp->u.iocb_cmd.timeout = qla2x00_async_iocb_timeout;
+ 	qla2x00_init_timer(sp, qla2x00_get_async_timeout(vha) + 2);
+ 
+-	rspsz = sizeof(struct ct_sns_gpnft_rsp) +
+-		((vha->hw->max_fibre_devices - 1) *
+-		    sizeof(struct ct_sns_gpn_ft_data));
++	rspsz = sp->u.iocb_cmd.u.ctarg.rsp_size;
++	memset(sp->u.iocb_cmd.u.ctarg.rsp, 0, sp->u.iocb_cmd.u.ctarg.rsp_size);
++	memset(sp->u.iocb_cmd.u.ctarg.req, 0, sp->u.iocb_cmd.u.ctarg.req_size);
+ 
+ 	ct_sns = (struct ct_sns_pkt *)sp->u.iocb_cmd.u.ctarg.req;
+ 	/* CT_IU preamble  */
diff --git a/queue-4.18/series b/queue-4.18/series
index 95f651e2f11..dae60fa0c4b 100644
--- a/queue-4.18/series
+++ b/queue-4.18/series
@@ -40,5 +40,11 @@ scsi-qla2xxx-fix-incorrect-port-speed-being-set-for-fc-adapters.patch
 scsi-qla2xxx-fix-process-response-queue-for-isp26xx-and-above.patch
 scsi-qla2xxx-remove-stale-debug-trace-message-from-tcm_qla2xxx.patch
 scsi-qla2xxx-shutdown-chip-if-reset-fail.patch
+scsi-qla2xxx-fix-duplicate-switch-database-entries.patch
+scsi-qla2xxx-fix-driver-hang-when-fc-nvme-luns-are-configured.patch
+fuse-fix-use-after-free-in-fuse_dev_do_read.patch
+fuse-fix-use-after-free-in-fuse_dev_do_write.patch
+fuse-fix-blocked_waitq-wakeup.patch
+fuse-set-fr_sent-while-locked.patch
 scsi-qla2xxx-fix-re-using-loopid-when-handle-is-in-use.patch
 scsi-qla2xxx-fix-nvme-session-hang-on-unload.patch