From 41c639ab81859e460e173ea57d1216816cd7e590 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 22 Jan 2020 09:03:50 +0100 Subject: [PATCH] 4.14-stable patches added patches: perf-probe-fix-wrong-address-verification.patch regulator-ab8500-remove-sysclkreq-from-enum-ab8505_regulator_id.patch reiserfs-fix-handling-of-eopnotsupp-in-reiserfs_for_each_xattr.patch scsi-bnx2i-fix-potential-use-after-free.patch scsi-core-scsi_trace-use-get_unaligned_be.patch scsi-esas2r-unlock-on-error-in-esas2r_nvram_read_direct.patch scsi-qla2xxx-fix-qla2x00_request_irqs-for-msi.patch scsi-qla2xxx-fix-rports-not-being-mark-as-lost-in-sync-fabric-scan.patch scsi-qla4xxx-fix-double-free-bug.patch scsi-scsi_transport_sas-fix-memory-leak-when-removing-devices.patch scsi-target-core-fix-a-pr_debug-argument.patch --- ...probe-fix-wrong-address-verification.patch | 126 +++++++++++ ...clkreq-from-enum-ab8505_regulator_id.patch | 39 ++++ ...opnotsupp-in-reiserfs_for_each_xattr.patch | 51 +++++ ...i-bnx2i-fix-potential-use-after-free.patch | 39 ++++ ...core-scsi_trace-use-get_unaligned_be.patch | 206 ++++++++++++++++++ ...on-error-in-esas2r_nvram_read_direct.patch | 31 +++ ...xxx-fix-qla2x00_request_irqs-for-msi.patch | 56 +++++ ...ing-mark-as-lost-in-sync-fabric-scan.patch | 47 ++++ .../scsi-qla4xxx-fix-double-free-bug.patch | 36 +++ ...ix-memory-leak-when-removing-devices.patch | 119 ++++++++++ ...-target-core-fix-a-pr_debug-argument.patch | 34 +++ queue-4.14/series | 11 + 12 files changed, 795 insertions(+) create mode 100644 queue-4.14/perf-probe-fix-wrong-address-verification.patch create mode 100644 queue-4.14/regulator-ab8500-remove-sysclkreq-from-enum-ab8505_regulator_id.patch create mode 100644 queue-4.14/reiserfs-fix-handling-of-eopnotsupp-in-reiserfs_for_each_xattr.patch create mode 100644 queue-4.14/scsi-bnx2i-fix-potential-use-after-free.patch create mode 100644 queue-4.14/scsi-core-scsi_trace-use-get_unaligned_be.patch create mode 100644 queue-4.14/scsi-esas2r-unlock-on-error-in-esas2r_nvram_read_direct.patch create mode 100644 queue-4.14/scsi-qla2xxx-fix-qla2x00_request_irqs-for-msi.patch create mode 100644 queue-4.14/scsi-qla2xxx-fix-rports-not-being-mark-as-lost-in-sync-fabric-scan.patch create mode 100644 queue-4.14/scsi-qla4xxx-fix-double-free-bug.patch create mode 100644 queue-4.14/scsi-scsi_transport_sas-fix-memory-leak-when-removing-devices.patch create mode 100644 queue-4.14/scsi-target-core-fix-a-pr_debug-argument.patch diff --git a/queue-4.14/perf-probe-fix-wrong-address-verification.patch b/queue-4.14/perf-probe-fix-wrong-address-verification.patch new file mode 100644 index 00000000000..2c14af316d0 --- /dev/null +++ b/queue-4.14/perf-probe-fix-wrong-address-verification.patch @@ -0,0 +1,126 @@ +From 07d369857808b7e8e471bbbbb0074a6718f89b31 Mon Sep 17 00:00:00 2001 +From: Masami Hiramatsu +Date: Fri, 25 Oct 2019 17:46:25 +0900 +Subject: perf probe: Fix wrong address verification + +From: Masami Hiramatsu + +commit 07d369857808b7e8e471bbbbb0074a6718f89b31 upstream. + +Since there are some DIE which has only ranges instead of the +combination of entrypc/highpc, address verification must use +dwarf_haspc() instead of dwarf_entrypc/dwarf_highpc. + +Also, the ranges only DIE will have a partial code in different section +(e.g. unlikely code will be in text.unlikely as "FUNC.cold" symbol). In +that case, we can not use dwarf_entrypc() or die_entrypc(), because the +offset from original DIE can be a minus value. + +Instead, this simply gets the symbol and offset from symtab. + +Without this patch; + + # perf probe -D clear_tasks_mm_cpumask:1 + Failed to get entry address of clear_tasks_mm_cpumask + Error: Failed to add events. + +And with this patch: + + # perf probe -D clear_tasks_mm_cpumask:1 + p:probe/clear_tasks_mm_cpumask clear_tasks_mm_cpumask+0 + p:probe/clear_tasks_mm_cpumask_1 clear_tasks_mm_cpumask+5 + p:probe/clear_tasks_mm_cpumask_2 clear_tasks_mm_cpumask+8 + p:probe/clear_tasks_mm_cpumask_3 clear_tasks_mm_cpumask+16 + p:probe/clear_tasks_mm_cpumask_4 clear_tasks_mm_cpumask+82 + +Committer testing: + +I managed to reproduce the above: + + [root@quaco ~]# perf probe -D clear_tasks_mm_cpumask:1 + p:probe/clear_tasks_mm_cpumask _text+919968 + p:probe/clear_tasks_mm_cpumask_1 _text+919973 + p:probe/clear_tasks_mm_cpumask_2 _text+919976 + [root@quaco ~]# + +But then when trying to actually put the probe in place, it fails if I +use :0 as the offset: + + [root@quaco ~]# perf probe -L clear_tasks_mm_cpumask | head -5 + + 0 void clear_tasks_mm_cpumask(int cpu) + 1 { + 2 struct task_struct *p; + + [root@quaco ~]# perf probe clear_tasks_mm_cpumask:0 + Probe point 'clear_tasks_mm_cpumask' not found. + Error: Failed to add events. + [root@quaco + +The next patch is needed to fix this case. + +Fixes: 576b523721b7 ("perf probe: Fix probing symbols with optimization suffix") +Reported-by: Arnaldo Carvalho de Melo +Tested-by: Arnaldo Carvalho de Melo +Signed-off-by: Masami Hiramatsu +Cc: Jiri Olsa +Cc: Namhyung Kim +Link: http://lore.kernel.org/lkml/157199318513.8075.10463906803299647907.stgit@devnote2 +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman + +--- + tools/perf/util/probe-finder.c | 32 ++++++++++---------------------- + 1 file changed, 10 insertions(+), 22 deletions(-) + +--- a/tools/perf/util/probe-finder.c ++++ b/tools/perf/util/probe-finder.c +@@ -615,38 +615,26 @@ static int convert_to_trace_point(Dwarf_ + const char *function, + struct probe_trace_point *tp) + { +- Dwarf_Addr eaddr, highaddr; ++ Dwarf_Addr eaddr; + GElf_Sym sym; + const char *symbol; + + /* Verify the address is correct */ +- if (dwarf_entrypc(sp_die, &eaddr) != 0) { +- pr_warning("Failed to get entry address of %s\n", +- dwarf_diename(sp_die)); +- return -ENOENT; +- } +- if (dwarf_highpc(sp_die, &highaddr) != 0) { +- pr_warning("Failed to get end address of %s\n", +- dwarf_diename(sp_die)); +- return -ENOENT; +- } +- if (paddr > highaddr) { +- pr_warning("Offset specified is greater than size of %s\n", ++ if (!dwarf_haspc(sp_die, paddr)) { ++ pr_warning("Specified offset is out of %s\n", + dwarf_diename(sp_die)); + return -EINVAL; + } + +- symbol = dwarf_diename(sp_die); ++ /* Try to get actual symbol name from symtab */ ++ symbol = dwfl_module_addrsym(mod, paddr, &sym, NULL); + if (!symbol) { +- /* Try to get the symbol name from symtab */ +- symbol = dwfl_module_addrsym(mod, paddr, &sym, NULL); +- if (!symbol) { +- pr_warning("Failed to find symbol at 0x%lx\n", +- (unsigned long)paddr); +- return -ENOENT; +- } +- eaddr = sym.st_value; ++ pr_warning("Failed to find symbol at 0x%lx\n", ++ (unsigned long)paddr); ++ return -ENOENT; + } ++ eaddr = sym.st_value; ++ + tp->offset = (unsigned long)(paddr - eaddr); + tp->address = (unsigned long)paddr; + tp->symbol = strdup(symbol); diff --git a/queue-4.14/regulator-ab8500-remove-sysclkreq-from-enum-ab8505_regulator_id.patch b/queue-4.14/regulator-ab8500-remove-sysclkreq-from-enum-ab8505_regulator_id.patch new file mode 100644 index 00000000000..91222c9baaa --- /dev/null +++ b/queue-4.14/regulator-ab8500-remove-sysclkreq-from-enum-ab8505_regulator_id.patch @@ -0,0 +1,39 @@ +From 458ea3ad033fc86e291712ce50cbe60c3428cf30 Mon Sep 17 00:00:00 2001 +From: Stephan Gerhold +Date: Wed, 6 Nov 2019 18:31:25 +0100 +Subject: regulator: ab8500: Remove SYSCLKREQ from enum ab8505_regulator_id + +From: Stephan Gerhold + +commit 458ea3ad033fc86e291712ce50cbe60c3428cf30 upstream. + +Those regulators are not actually supported by the AB8500 regulator +driver. There is no ab8500_regulator_info for them and no entry in +ab8505_regulator_match. + +As such, they cannot be registered successfully, and looking them +up in ab8505_regulator_match causes an out-of-bounds array read. + +Fixes: 547f384f33db ("regulator: ab8500: add support for ab8505") +Cc: Linus Walleij +Signed-off-by: Stephan Gerhold +Reviewed-by: Linus Walleij +Link: https://lore.kernel.org/r/20191106173125.14496-2-stephan@gerhold.net +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/regulator/ab8500.h | 2 -- + 1 file changed, 2 deletions(-) + +--- a/include/linux/regulator/ab8500.h ++++ b/include/linux/regulator/ab8500.h +@@ -43,8 +43,6 @@ enum ab8505_regulator_id { + AB8505_LDO_ANAMIC2, + AB8505_LDO_AUX8, + AB8505_LDO_ANA, +- AB8505_SYSCLKREQ_2, +- AB8505_SYSCLKREQ_4, + AB8505_NUM_REGULATORS, + }; + diff --git a/queue-4.14/reiserfs-fix-handling-of-eopnotsupp-in-reiserfs_for_each_xattr.patch b/queue-4.14/reiserfs-fix-handling-of-eopnotsupp-in-reiserfs_for_each_xattr.patch new file mode 100644 index 00000000000..96b2a7640ed --- /dev/null +++ b/queue-4.14/reiserfs-fix-handling-of-eopnotsupp-in-reiserfs_for_each_xattr.patch @@ -0,0 +1,51 @@ +From 394440d469413fa9b74f88a11f144d76017221f2 Mon Sep 17 00:00:00 2001 +From: Jeff Mahoney +Date: Wed, 15 Jan 2020 13:00:59 -0500 +Subject: reiserfs: fix handling of -EOPNOTSUPP in reiserfs_for_each_xattr + +From: Jeff Mahoney + +commit 394440d469413fa9b74f88a11f144d76017221f2 upstream. + +Commit 60e4cf67a58 (reiserfs: fix extended attributes on the root +directory) introduced a regression open_xa_root started returning +-EOPNOTSUPP but it was not handled properly in reiserfs_for_each_xattr. + +When the reiserfs module is built without CONFIG_REISERFS_FS_XATTR, +deleting an inode would result in a warning and chowning an inode +would also result in a warning and then fail to complete. + +With CONFIG_REISERFS_FS_XATTR enabled, the xattr root would always be +present for read-write operations. + +This commit handles -EOPNOSUPP in the same way -ENODATA is handled. + +Fixes: 60e4cf67a582 ("reiserfs: fix extended attributes on the root directory") +CC: stable@vger.kernel.org # Commit 60e4cf67a58 was picked up by stable +Link: https://lore.kernel.org/r/20200115180059.6935-1-jeffm@suse.com +Reported-by: Michael Brunnbauer +Signed-off-by: Jeff Mahoney +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/reiserfs/xattr.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/fs/reiserfs/xattr.c ++++ b/fs/reiserfs/xattr.c +@@ -319,8 +319,12 @@ static int reiserfs_for_each_xattr(struc + out_dir: + dput(dir); + out: +- /* -ENODATA isn't an error */ +- if (err == -ENODATA) ++ /* ++ * -ENODATA: this object doesn't have any xattrs ++ * -EOPNOTSUPP: this file system doesn't have xattrs enabled on disk. ++ * Neither are errors ++ */ ++ if (err == -ENODATA || err == -EOPNOTSUPP) + err = 0; + return err; + } diff --git a/queue-4.14/scsi-bnx2i-fix-potential-use-after-free.patch b/queue-4.14/scsi-bnx2i-fix-potential-use-after-free.patch new file mode 100644 index 00000000000..450c17e0d1f --- /dev/null +++ b/queue-4.14/scsi-bnx2i-fix-potential-use-after-free.patch @@ -0,0 +1,39 @@ +From 29d28f2b8d3736ac61c28ef7e20fda63795b74d9 Mon Sep 17 00:00:00 2001 +From: Pan Bian +Date: Wed, 6 Nov 2019 20:32:21 +0800 +Subject: scsi: bnx2i: fix potential use after free + +From: Pan Bian + +commit 29d28f2b8d3736ac61c28ef7e20fda63795b74d9 upstream. + +The member hba->pcidev may be used after its reference is dropped. Move the +put function to where it is never used to avoid potential use after free +issues. + +Fixes: a77171806515 ("[SCSI] bnx2i: Removed the reference to the netdev->base_addr") +Link: https://lore.kernel.org/r/1573043541-19126-1-git-send-email-bianpan2016@163.com +Signed-off-by: Pan Bian +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/bnx2i/bnx2i_iscsi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/bnx2i/bnx2i_iscsi.c ++++ b/drivers/scsi/bnx2i/bnx2i_iscsi.c +@@ -915,12 +915,12 @@ void bnx2i_free_hba(struct bnx2i_hba *hb + INIT_LIST_HEAD(&hba->ep_ofld_list); + INIT_LIST_HEAD(&hba->ep_active_list); + INIT_LIST_HEAD(&hba->ep_destroy_list); +- pci_dev_put(hba->pcidev); + + if (hba->regview) { + pci_iounmap(hba->pcidev, hba->regview); + hba->regview = NULL; + } ++ pci_dev_put(hba->pcidev); + bnx2i_free_mp_bdt(hba); + bnx2i_release_free_cid_que(hba); + iscsi_host_free(shost); diff --git a/queue-4.14/scsi-core-scsi_trace-use-get_unaligned_be.patch b/queue-4.14/scsi-core-scsi_trace-use-get_unaligned_be.patch new file mode 100644 index 00000000000..2c5ce5c2095 --- /dev/null +++ b/queue-4.14/scsi-core-scsi_trace-use-get_unaligned_be.patch @@ -0,0 +1,206 @@ +From b1335f5b0486f61fb66b123b40f8e7a98e49605d Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Fri, 1 Nov 2019 14:14:47 -0700 +Subject: scsi: core: scsi_trace: Use get_unaligned_be*() + +From: Bart Van Assche + +commit b1335f5b0486f61fb66b123b40f8e7a98e49605d upstream. + +This patch fixes an unintended sign extension on left shifts. From Colin +King: "Shifting a u8 left will cause the value to be promoted to an +integer. If the top bit of the u8 is set then the following conversion to +an u64 will sign extend the value causing the upper 32 bits to be set in +the result." + +Fix this by using get_unaligned_be*() instead. + +Fixes: bf8162354233 ("[SCSI] add scsi trace core functions and put trace points") +Cc: Christoph Hellwig +Cc: Hannes Reinecke +Cc: Douglas Gilbert +Link: https://lore.kernel.org/r/20191101211447.187151-1-bvanassche@acm.org +Reported-by: Colin Ian King +Signed-off-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/scsi_trace.c | 103 ++++++++++++---------------------------------- + 1 file changed, 28 insertions(+), 75 deletions(-) + +--- a/drivers/scsi/scsi_trace.c ++++ b/drivers/scsi/scsi_trace.c +@@ -21,7 +21,7 @@ + #include + + #define SERVICE_ACTION16(cdb) (cdb[1] & 0x1f) +-#define SERVICE_ACTION32(cdb) ((cdb[8] << 8) | cdb[9]) ++#define SERVICE_ACTION32(cdb) (get_unaligned_be16(&cdb[8])) + + static const char * + scsi_trace_misc(struct trace_seq *, unsigned char *, int); +@@ -51,17 +51,12 @@ static const char * + scsi_trace_rw10(struct trace_seq *p, unsigned char *cdb, int len) + { + const char *ret = trace_seq_buffer_ptr(p); +- sector_t lba = 0, txlen = 0; ++ u32 lba, txlen; + +- lba |= (cdb[2] << 24); +- lba |= (cdb[3] << 16); +- lba |= (cdb[4] << 8); +- lba |= cdb[5]; +- txlen |= (cdb[7] << 8); +- txlen |= cdb[8]; ++ lba = get_unaligned_be32(&cdb[2]); ++ txlen = get_unaligned_be16(&cdb[7]); + +- trace_seq_printf(p, "lba=%llu txlen=%llu protect=%u", +- (unsigned long long)lba, (unsigned long long)txlen, ++ trace_seq_printf(p, "lba=%u txlen=%u protect=%u", lba, txlen, + cdb[1] >> 5); + + if (cdb[0] == WRITE_SAME) +@@ -76,19 +71,12 @@ static const char * + scsi_trace_rw12(struct trace_seq *p, unsigned char *cdb, int len) + { + const char *ret = trace_seq_buffer_ptr(p); +- sector_t lba = 0, txlen = 0; ++ u32 lba, txlen; + +- lba |= (cdb[2] << 24); +- lba |= (cdb[3] << 16); +- lba |= (cdb[4] << 8); +- lba |= cdb[5]; +- txlen |= (cdb[6] << 24); +- txlen |= (cdb[7] << 16); +- txlen |= (cdb[8] << 8); +- txlen |= cdb[9]; ++ lba = get_unaligned_be32(&cdb[2]); ++ txlen = get_unaligned_be32(&cdb[6]); + +- trace_seq_printf(p, "lba=%llu txlen=%llu protect=%u", +- (unsigned long long)lba, (unsigned long long)txlen, ++ trace_seq_printf(p, "lba=%u txlen=%u protect=%u", lba, txlen, + cdb[1] >> 5); + trace_seq_putc(p, 0); + +@@ -99,23 +87,13 @@ static const char * + scsi_trace_rw16(struct trace_seq *p, unsigned char *cdb, int len) + { + const char *ret = trace_seq_buffer_ptr(p); +- sector_t lba = 0, txlen = 0; ++ u64 lba; ++ u32 txlen; + +- lba |= ((u64)cdb[2] << 56); +- lba |= ((u64)cdb[3] << 48); +- lba |= ((u64)cdb[4] << 40); +- lba |= ((u64)cdb[5] << 32); +- lba |= (cdb[6] << 24); +- lba |= (cdb[7] << 16); +- lba |= (cdb[8] << 8); +- lba |= cdb[9]; +- txlen |= (cdb[10] << 24); +- txlen |= (cdb[11] << 16); +- txlen |= (cdb[12] << 8); +- txlen |= cdb[13]; ++ lba = get_unaligned_be64(&cdb[2]); ++ txlen = get_unaligned_be32(&cdb[10]); + +- trace_seq_printf(p, "lba=%llu txlen=%llu protect=%u", +- (unsigned long long)lba, (unsigned long long)txlen, ++ trace_seq_printf(p, "lba=%llu txlen=%u protect=%u", lba, txlen, + cdb[1] >> 5); + + if (cdb[0] == WRITE_SAME_16) +@@ -130,8 +108,8 @@ static const char * + scsi_trace_rw32(struct trace_seq *p, unsigned char *cdb, int len) + { + const char *ret = trace_seq_buffer_ptr(p), *cmd; +- sector_t lba = 0, txlen = 0; +- u32 ei_lbrt = 0; ++ u64 lba; ++ u32 ei_lbrt, txlen; + + switch (SERVICE_ACTION32(cdb)) { + case READ_32: +@@ -151,26 +129,12 @@ scsi_trace_rw32(struct trace_seq *p, uns + goto out; + } + +- lba |= ((u64)cdb[12] << 56); +- lba |= ((u64)cdb[13] << 48); +- lba |= ((u64)cdb[14] << 40); +- lba |= ((u64)cdb[15] << 32); +- lba |= (cdb[16] << 24); +- lba |= (cdb[17] << 16); +- lba |= (cdb[18] << 8); +- lba |= cdb[19]; +- ei_lbrt |= (cdb[20] << 24); +- ei_lbrt |= (cdb[21] << 16); +- ei_lbrt |= (cdb[22] << 8); +- ei_lbrt |= cdb[23]; +- txlen |= (cdb[28] << 24); +- txlen |= (cdb[29] << 16); +- txlen |= (cdb[30] << 8); +- txlen |= cdb[31]; +- +- trace_seq_printf(p, "%s_32 lba=%llu txlen=%llu protect=%u ei_lbrt=%u", +- cmd, (unsigned long long)lba, +- (unsigned long long)txlen, cdb[10] >> 5, ei_lbrt); ++ lba = get_unaligned_be64(&cdb[12]); ++ ei_lbrt = get_unaligned_be32(&cdb[20]); ++ txlen = get_unaligned_be32(&cdb[28]); ++ ++ trace_seq_printf(p, "%s_32 lba=%llu txlen=%u protect=%u ei_lbrt=%u", ++ cmd, lba, txlen, cdb[10] >> 5, ei_lbrt); + + if (SERVICE_ACTION32(cdb) == WRITE_SAME_32) + trace_seq_printf(p, " unmap=%u", cdb[10] >> 3 & 1); +@@ -185,7 +149,7 @@ static const char * + scsi_trace_unmap(struct trace_seq *p, unsigned char *cdb, int len) + { + const char *ret = trace_seq_buffer_ptr(p); +- unsigned int regions = cdb[7] << 8 | cdb[8]; ++ unsigned int regions = get_unaligned_be16(&cdb[7]); + + trace_seq_printf(p, "regions=%u", (regions - 8) / 16); + trace_seq_putc(p, 0); +@@ -197,8 +161,8 @@ static const char * + scsi_trace_service_action_in(struct trace_seq *p, unsigned char *cdb, int len) + { + const char *ret = trace_seq_buffer_ptr(p), *cmd; +- sector_t lba = 0; +- u32 alloc_len = 0; ++ u64 lba; ++ u32 alloc_len; + + switch (SERVICE_ACTION16(cdb)) { + case SAI_READ_CAPACITY_16: +@@ -212,21 +176,10 @@ scsi_trace_service_action_in(struct trac + goto out; + } + +- lba |= ((u64)cdb[2] << 56); +- lba |= ((u64)cdb[3] << 48); +- lba |= ((u64)cdb[4] << 40); +- lba |= ((u64)cdb[5] << 32); +- lba |= (cdb[6] << 24); +- lba |= (cdb[7] << 16); +- lba |= (cdb[8] << 8); +- lba |= cdb[9]; +- alloc_len |= (cdb[10] << 24); +- alloc_len |= (cdb[11] << 16); +- alloc_len |= (cdb[12] << 8); +- alloc_len |= cdb[13]; ++ lba = get_unaligned_be64(&cdb[2]); ++ alloc_len = get_unaligned_be32(&cdb[10]); + +- trace_seq_printf(p, "%s lba=%llu alloc_len=%u", cmd, +- (unsigned long long)lba, alloc_len); ++ trace_seq_printf(p, "%s lba=%llu alloc_len=%u", cmd, lba, alloc_len); + + out: + trace_seq_putc(p, 0); diff --git a/queue-4.14/scsi-esas2r-unlock-on-error-in-esas2r_nvram_read_direct.patch b/queue-4.14/scsi-esas2r-unlock-on-error-in-esas2r_nvram_read_direct.patch new file mode 100644 index 00000000000..4aaadcdcc59 --- /dev/null +++ b/queue-4.14/scsi-esas2r-unlock-on-error-in-esas2r_nvram_read_direct.patch @@ -0,0 +1,31 @@ +From 906ca6353ac09696c1bf0892513c8edffff5e0a6 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 22 Oct 2019 13:23:24 +0300 +Subject: scsi: esas2r: unlock on error in esas2r_nvram_read_direct() + +From: Dan Carpenter + +commit 906ca6353ac09696c1bf0892513c8edffff5e0a6 upstream. + +This error path is missing an unlock. + +Fixes: 26780d9e12ed ("[SCSI] esas2r: ATTO Technology ExpressSAS 6G SAS/SATA RAID Adapter Driver") +Link: https://lore.kernel.org/r/20191022102324.GA27540@mwanda +Signed-off-by: Dan Carpenter +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/esas2r/esas2r_flash.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/scsi/esas2r/esas2r_flash.c ++++ b/drivers/scsi/esas2r/esas2r_flash.c +@@ -1197,6 +1197,7 @@ bool esas2r_nvram_read_direct(struct esa + if (!esas2r_read_flash_block(a, a->nvram, FLS_OFFSET_NVR, + sizeof(struct esas2r_sas_nvram))) { + esas2r_hdebug("NVRAM read failed, using defaults"); ++ up(&a->nvram_semaphore); + return false; + } + diff --git a/queue-4.14/scsi-qla2xxx-fix-qla2x00_request_irqs-for-msi.patch b/queue-4.14/scsi-qla2xxx-fix-qla2x00_request_irqs-for-msi.patch new file mode 100644 index 00000000000..77ef03de698 --- /dev/null +++ b/queue-4.14/scsi-qla2xxx-fix-qla2x00_request_irqs-for-msi.patch @@ -0,0 +1,56 @@ +From 45dc8f2d9c94ed74a5e31e63e9136a19a7e16081 Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Thu, 21 Nov 2019 13:40:47 +0800 +Subject: scsi: qla2xxx: Fix qla2x00_request_irqs() for MSI + +From: Huacai Chen + +commit 45dc8f2d9c94ed74a5e31e63e9136a19a7e16081 upstream. + +Commit 4fa183455988 ("scsi: qla2xxx: Utilize pci_alloc_irq_vectors/ +pci_free_irq_vectors calls.") use pci_alloc_irq_vectors() to replace +pci_enable_msi() but it didn't handle the return value correctly. This bug +make qla2x00 always fail to setup MSI if MSI-X fail, so fix it. + +BTW, improve the log message of return value in qla2x00_request_irqs() to +avoid confusion. + +Fixes: 4fa183455988 ("scsi: qla2xxx: Utilize pci_alloc_irq_vectors/pci_free_irq_vectors calls.") +Cc: Michael Hernandez +Link: https://lore.kernel.org/r/1574314847-14280-1-git-send-email-chenhc@lemote.com +Signed-off-by: Huacai Chen +Acked-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_isr.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_isr.c ++++ b/drivers/scsi/qla2xxx/qla_isr.c +@@ -3519,7 +3519,7 @@ qla2x00_request_irqs(struct qla_hw_data + skip_msix: + + ql_log(ql_log_info, vha, 0x0037, +- "Falling back-to MSI mode -%d.\n", ret); ++ "Falling back-to MSI mode -- ret=%d.\n", ret); + + if (!IS_QLA24XX(ha) && !IS_QLA2532(ha) && !IS_QLA8432(ha) && + !IS_QLA8001(ha) && !IS_P3P_TYPE(ha) && !IS_QLAFX00(ha) && +@@ -3527,13 +3527,13 @@ skip_msix: + goto skip_msi; + + ret = pci_alloc_irq_vectors(ha->pdev, 1, 1, PCI_IRQ_MSI); +- if (!ret) { ++ if (ret > 0) { + ql_dbg(ql_dbg_init, vha, 0x0038, + "MSI: Enabled.\n"); + ha->flags.msi_enabled = 1; + } else + ql_log(ql_log_warn, vha, 0x0039, +- "Falling back-to INTa mode -- %d.\n", ret); ++ "Falling back-to INTa mode -- ret=%d.\n", ret); + skip_msi: + + /* Skip INTx on ISP82xx. */ diff --git a/queue-4.14/scsi-qla2xxx-fix-rports-not-being-mark-as-lost-in-sync-fabric-scan.patch b/queue-4.14/scsi-qla2xxx-fix-rports-not-being-mark-as-lost-in-sync-fabric-scan.patch new file mode 100644 index 00000000000..7871ee438de --- /dev/null +++ b/queue-4.14/scsi-qla2xxx-fix-rports-not-being-mark-as-lost-in-sync-fabric-scan.patch @@ -0,0 +1,47 @@ +From d341e9a8f2cffe4000c610225c629f62c7489c74 Mon Sep 17 00:00:00 2001 +From: Martin Wilck +Date: Fri, 22 Nov 2019 22:19:22 +0000 +Subject: scsi: qla2xxx: fix rports not being mark as lost in sync fabric scan + +From: Martin Wilck + +commit d341e9a8f2cffe4000c610225c629f62c7489c74 upstream. + +In qla2x00_find_all_fabric_devs(), fcport->flags & FCF_LOGIN_NEEDED is a +necessary condition for logging into new rports, but not for dropping lost +ones. + +Fixes: 726b85487067 ("qla2xxx: Add framework for async fabric discovery") +Link: https://lore.kernel.org/r/20191122221912.20100-2-martin.wilck@suse.com +Tested-by: David Bond +Signed-off-by: Martin Wilck +Acked-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_init.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -5145,8 +5145,7 @@ qla2x00_find_all_fabric_devs(scsi_qla_ho + if (test_bit(LOOP_RESYNC_NEEDED, &vha->dpc_flags)) + break; + +- if ((fcport->flags & FCF_FABRIC_DEVICE) == 0 || +- (fcport->flags & FCF_LOGIN_NEEDED) == 0) ++ if ((fcport->flags & FCF_FABRIC_DEVICE) == 0) + continue; + + if (fcport->scan_state == QLA_FCPORT_SCAN) { +@@ -5171,7 +5170,8 @@ qla2x00_find_all_fabric_devs(scsi_qla_ho + } + } + +- if (fcport->scan_state == QLA_FCPORT_FOUND) ++ if (fcport->scan_state == QLA_FCPORT_FOUND && ++ (fcport->flags & FCF_LOGIN_NEEDED) != 0) + qla24xx_fcport_handle_login(vha, fcport); + } + return (rval); diff --git a/queue-4.14/scsi-qla4xxx-fix-double-free-bug.patch b/queue-4.14/scsi-qla4xxx-fix-double-free-bug.patch new file mode 100644 index 00000000000..5a5e2dd0b13 --- /dev/null +++ b/queue-4.14/scsi-qla4xxx-fix-double-free-bug.patch @@ -0,0 +1,36 @@ +From 3fe3d2428b62822b7b030577cd612790bdd8c941 Mon Sep 17 00:00:00 2001 +From: Pan Bian +Date: Tue, 5 Nov 2019 17:25:27 +0800 +Subject: scsi: qla4xxx: fix double free bug + +From: Pan Bian + +commit 3fe3d2428b62822b7b030577cd612790bdd8c941 upstream. + +The variable init_fw_cb is released twice, resulting in a double free +bug. The call to the function dma_free_coherent() before goto is removed to +get rid of potential double free. + +Fixes: 2a49a78ed3c8 ("[SCSI] qla4xxx: added IPv6 support.") +Link: https://lore.kernel.org/r/1572945927-27796-1-git-send-email-bianpan2016@163.com +Signed-off-by: Pan Bian +Acked-by: Manish Rangankar +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla4xxx/ql4_mbx.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/drivers/scsi/qla4xxx/ql4_mbx.c ++++ b/drivers/scsi/qla4xxx/ql4_mbx.c +@@ -641,9 +641,6 @@ int qla4xxx_initialize_fw_cb(struct scsi + + if (qla4xxx_get_ifcb(ha, &mbox_cmd[0], &mbox_sts[0], init_fw_cb_dma) != + QLA_SUCCESS) { +- dma_free_coherent(&ha->pdev->dev, +- sizeof(struct addr_ctrl_blk), +- init_fw_cb, init_fw_cb_dma); + goto exit_init_fw_cb; + } + diff --git a/queue-4.14/scsi-scsi_transport_sas-fix-memory-leak-when-removing-devices.patch b/queue-4.14/scsi-scsi_transport_sas-fix-memory-leak-when-removing-devices.patch new file mode 100644 index 00000000000..b06be9a6728 --- /dev/null +++ b/queue-4.14/scsi-scsi_transport_sas-fix-memory-leak-when-removing-devices.patch @@ -0,0 +1,119 @@ +From 82ea3e0e129e2ab913dd6684bab7a6e5e9896dee Mon Sep 17 00:00:00 2001 +From: John Garry +Date: Wed, 20 Nov 2019 17:39:15 +0800 +Subject: scsi: scsi_transport_sas: Fix memory leak when removing devices + +From: John Garry + +commit 82ea3e0e129e2ab913dd6684bab7a6e5e9896dee upstream. + +Removing a non-host rphy causes a memory leak: + +root@(none)$ echo 0 > /sys/devices/platform/HISI0162:01/host0/port-0:0/expander-0:0/port-0:0:10/phy-0:0:10/sas_phy/phy-0:0:10/enable +[ 79.857888] hisi_sas_v2_hw HISI0162:01: dev[7:1] is gone +root@(none)$ echo scan > /sys/kernel/debug/kmemleak +[ 131.656603] kmemleak: 3 new suspected memory leaks (see /sys/kernel/debug/kmemleak) +root@(none)$ more /sys/kernel/debug/kmemleak +unreferenced object 0xffff041da5c66000 (size 256): + comm "kworker/u128:1", pid 549, jiffies 4294898543 (age 113.728s) + hex dump (first 32 bytes): + 00 5e c6 a5 1d 04 ff ff 01 00 00 00 00 00 00 00 .^.............. + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<(____ptrval____)>] kmem_cache_alloc+0x188/0x260 + [<(____ptrval____)>] bsg_setup_queue+0x48/0x1a8 + [<(____ptrval____)>] sas_rphy_add+0x108/0x2d0 + [<(____ptrval____)>] sas_probe_devices+0x168/0x208 + [<(____ptrval____)>] sas_discover_domain+0x660/0x9c8 + [<(____ptrval____)>] process_one_work+0x3f8/0x690 + [<(____ptrval____)>] worker_thread+0x70/0x6a0 + [<(____ptrval____)>] kthread+0x1b8/0x1c0 + [<(____ptrval____)>] ret_from_fork+0x10/0x18 +unreferenced object 0xffff041d8c075400 (size 128): + comm "kworker/u128:1", pid 549, jiffies 4294898543 (age 113.728s) + hex dump (first 32 bytes): + 00 40 25 97 1d 00 ff ff 00 00 00 00 00 00 00 00 .@%............. + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<(____ptrval____)>] __kmalloc_node+0x1a8/0x2c8 + [<(____ptrval____)>] blk_mq_realloc_tag_set_tags.part.70+0x48/0xd8 + [<(____ptrval____)>] blk_mq_alloc_tag_set+0x1dc/0x530 + [<(____ptrval____)>] bsg_setup_queue+0xe8/0x1a8 + [<(____ptrval____)>] sas_rphy_add+0x108/0x2d0 + [<(____ptrval____)>] sas_probe_devices+0x168/0x208 + [<(____ptrval____)>] sas_discover_domain+0x660/0x9c8 + [<(____ptrval____)>] process_one_work+0x3f8/0x690 + [<(____ptrval____)>] worker_thread+0x70/0x6a0 + [<(____ptrval____)>] kthread+0x1b8/0x1c0 + [<(____ptrval____)>] ret_from_fork+0x10/0x18 +unreferenced object 0xffff041da5c65e00 (size 256): + comm "kworker/u128:1", pid 549, jiffies 4294898543 (age 113.728s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<(____ptrval____)>] __kmalloc_node+0x1a8/0x2c8 + [<(____ptrval____)>] blk_mq_alloc_tag_set+0x254/0x530 + [<(____ptrval____)>] bsg_setup_queue+0xe8/0x1a8 + [<(____ptrval____)>] sas_rphy_add+0x108/0x2d0 + [<(____ptrval____)>] sas_probe_devices+0x168/0x208 + [<(____ptrval____)>] sas_discover_domain+0x660/0x9c8 + [<(____ptrval____)>] process_one_work+0x3f8/0x690 + [<(____ptrval____)>] worker_thread+0x70/0x6a0 + [<(____ptrval____)>] kthread+0x1b8/0x1c0 + [<(____ptrval____)>] ret_from_fork+0x10/0x18 +root@(none)$ + +It turns out that we don't clean up the request queue fully for bsg +devices, as the blk mq tags for the request queue are not freed. + +Fix by doing the queue removal in one place - in sas_rphy_remove() - +instead of unregistering the queue in sas_rphy_remove() and finally +cleaning up the queue in calling blk_cleanup_queue() from +sas_end_device_release() or sas_expander_release(). + +Function bsg_remove_queue() can handle a NULL pointer q, so remove the +precheck in sas_rphy_remove(). + +Fixes: 651a013649943 ("scsi: scsi_transport_sas: switch to bsg-lib for SMP passthrough") +Link: https://lore.kernel.org/r/1574242755-94156-1-git-send-email-john.garry@huawei.com +Signed-off-by: John Garry +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/scsi_transport_sas.c | 9 +-------- + 1 file changed, 1 insertion(+), 8 deletions(-) + +--- a/drivers/scsi/scsi_transport_sas.c ++++ b/drivers/scsi/scsi_transport_sas.c +@@ -1409,9 +1409,6 @@ static void sas_expander_release(struct + struct sas_rphy *rphy = dev_to_rphy(dev); + struct sas_expander_device *edev = rphy_to_expander_device(rphy); + +- if (rphy->q) +- blk_cleanup_queue(rphy->q); +- + put_device(dev->parent); + kfree(edev); + } +@@ -1421,9 +1418,6 @@ static void sas_end_device_release(struc + struct sas_rphy *rphy = dev_to_rphy(dev); + struct sas_end_device *edev = rphy_to_end_device(rphy); + +- if (rphy->q) +- blk_cleanup_queue(rphy->q); +- + put_device(dev->parent); + kfree(edev); + } +@@ -1652,8 +1646,7 @@ sas_rphy_remove(struct sas_rphy *rphy) + } + + sas_rphy_unlink(rphy); +- if (rphy->q) +- bsg_unregister_queue(rphy->q); ++ bsg_remove_queue(rphy->q); + transport_remove_device(dev); + device_del(dev); + } diff --git a/queue-4.14/scsi-target-core-fix-a-pr_debug-argument.patch b/queue-4.14/scsi-target-core-fix-a-pr_debug-argument.patch new file mode 100644 index 00000000000..ef89c331cc3 --- /dev/null +++ b/queue-4.14/scsi-target-core-fix-a-pr_debug-argument.patch @@ -0,0 +1,34 @@ +From c941e0d172605731de9b4628bd4146d35cf2e7d6 Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Thu, 7 Nov 2019 13:55:25 -0800 +Subject: scsi: target: core: Fix a pr_debug() argument + +From: Bart Van Assche + +commit c941e0d172605731de9b4628bd4146d35cf2e7d6 upstream. + +Print the string for which conversion failed instead of printing the +function name twice. + +Fixes: 2650d71e244f ("target: move transport ID handling to the core") +Cc: Christoph Hellwig +Link: https://lore.kernel.org/r/20191107215525.64415-1-bvanassche@acm.org +Signed-off-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/target_core_fabric_lib.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/target/target_core_fabric_lib.c ++++ b/drivers/target/target_core_fabric_lib.c +@@ -131,7 +131,7 @@ static int srp_get_pr_transport_id( + memset(buf + 8, 0, leading_zero_bytes); + rc = hex2bin(buf + 8 + leading_zero_bytes, p, count); + if (rc < 0) { +- pr_debug("hex2bin failed for %s: %d\n", __func__, rc); ++ pr_debug("hex2bin failed for %s: %d\n", p, rc); + return rc; + } + diff --git a/queue-4.14/series b/queue-4.14/series index 3a2721de161..2ad21a39183 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -53,3 +53,14 @@ arm64-dts-meson-gxl-s905x-khadas-vim-fix-gpio-keys-polled-node.patch cfg80211-check-for-set_wiphy_params.patch tick-sched-annotate-lockless-access-to-last_jiffies_update.patch revert-arm64-dts-juno-add-dma-ranges-property.patch +reiserfs-fix-handling-of-eopnotsupp-in-reiserfs_for_each_xattr.patch +scsi-esas2r-unlock-on-error-in-esas2r_nvram_read_direct.patch +scsi-qla4xxx-fix-double-free-bug.patch +scsi-bnx2i-fix-potential-use-after-free.patch +scsi-target-core-fix-a-pr_debug-argument.patch +scsi-scsi_transport_sas-fix-memory-leak-when-removing-devices.patch +scsi-qla2xxx-fix-qla2x00_request_irqs-for-msi.patch +scsi-qla2xxx-fix-rports-not-being-mark-as-lost-in-sync-fabric-scan.patch +scsi-core-scsi_trace-use-get_unaligned_be.patch +perf-probe-fix-wrong-address-verification.patch +regulator-ab8500-remove-sysclkreq-from-enum-ab8505_regulator_id.patch -- 2.47.3