6.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 21 Jul 2023 15:06:16 +0000 (17:06 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 21 Jul 2023 15:06:16 +0000 (17:06 +0200)
added patches:
fprobe-ensure-running-fprobe_exit_handler-finished-before-calling-rethook_free.patch
fprobe-release-rethook-after-the-ftrace_ops-is-unregistered.patch
mptcp-do-not-rely-on-implicit-state-check-in-mptcp_listen.patch
mptcp-ensure-subflow-is-unhashed-before-cleaning-the-backlog.patch
revert-tracing-add-fault-name-injection-to-kernel-probes.patch
scsi-qla2xxx-array-index-may-go-out-of-bound.patch
scsi-qla2xxx-avoid-fcport-pointer-dereference.patch
scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch
scsi-qla2xxx-correct-the-index-of-array.patch
scsi-qla2xxx-fix-buffer-overrun.patch
scsi-qla2xxx-fix-hang-in-task-management.patch
scsi-qla2xxx-fix-mem-access-after-free.patch
scsi-qla2xxx-fix-potential-null-pointer-dereference.patch
scsi-qla2xxx-fix-task-management-cmd-fail-due-to-unavailable-resource.patch
scsi-qla2xxx-fix-task-management-cmd-failure.patch
scsi-qla2xxx-multi-que-support-for-tmf.patch
scsi-qla2xxx-pointer-may-be-dereferenced.patch
scsi-qla2xxx-remove-unused-nvme_ls_waitq-wait-queue.patch
scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch
selftests-mptcp-connect-fail-if-nft-supposed-to-work.patch
selftests-mptcp-depend-on-syn_cookies.patch
selftests-mptcp-pm_nl_ctl-fix-32-bit-support.patch
selftests-mptcp-sockopt-return-error-if-wrong-mark.patch
selftests-mptcp-sockopt-use-iptables-legacy-if-available.patch
selftests-mptcp-userspace_pm-report-errors-with-remove-tests.patch
selftests-mptcp-userspace_pm-use-correct-server-port.patch
smb-client-fix-wstringop-overflow-issues.patch
tracing-fix-null-pointer-dereference-in-tracing_err_log_open.patch
tracing-probes-fix-not-to-count-error-code-to-total-length.patch
tracing-probes-fix-to-avoid-double-count-of-the-string-length-on-the-array.patch
tracing-probes-fix-to-record-0-length-data_loc-in-fetch_store_string-if-fails.patch
tracing-probes-fix-to-update-dynamic-data-counter-if-fetcharg-uses-it.patch
tracing-user_events-fix-struct-arg-size-match-check.patch

34 files changed:
queue-6.4/fprobe-ensure-running-fprobe_exit_handler-finished-before-calling-rethook_free.patch [new file with mode: 0644]
queue-6.4/fprobe-release-rethook-after-the-ftrace_ops-is-unregistered.patch [new file with mode: 0644]
queue-6.4/mptcp-do-not-rely-on-implicit-state-check-in-mptcp_listen.patch [new file with mode: 0644]
queue-6.4/mptcp-ensure-subflow-is-unhashed-before-cleaning-the-backlog.patch [new file with mode: 0644]
queue-6.4/revert-tracing-add-fault-name-injection-to-kernel-probes.patch [new file with mode: 0644]
queue-6.4/scsi-qla2xxx-array-index-may-go-out-of-bound.patch [new file with mode: 0644]
queue-6.4/scsi-qla2xxx-avoid-fcport-pointer-dereference.patch [new file with mode: 0644]
queue-6.4/scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch [new file with mode: 0644]
queue-6.4/scsi-qla2xxx-correct-the-index-of-array.patch [new file with mode: 0644]
queue-6.4/scsi-qla2xxx-fix-buffer-overrun.patch [new file with mode: 0644]
queue-6.4/scsi-qla2xxx-fix-hang-in-task-management.patch [new file with mode: 0644]
queue-6.4/scsi-qla2xxx-fix-mem-access-after-free.patch [new file with mode: 0644]
queue-6.4/scsi-qla2xxx-fix-potential-null-pointer-dereference.patch [new file with mode: 0644]
queue-6.4/scsi-qla2xxx-fix-task-management-cmd-fail-due-to-unavailable-resource.patch [new file with mode: 0644]
queue-6.4/scsi-qla2xxx-fix-task-management-cmd-failure.patch [new file with mode: 0644]
queue-6.4/scsi-qla2xxx-multi-que-support-for-tmf.patch [new file with mode: 0644]
queue-6.4/scsi-qla2xxx-pointer-may-be-dereferenced.patch [new file with mode: 0644]
queue-6.4/scsi-qla2xxx-remove-unused-nvme_ls_waitq-wait-queue.patch [new file with mode: 0644]
queue-6.4/scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch [new file with mode: 0644]
queue-6.4/selftests-mptcp-connect-fail-if-nft-supposed-to-work.patch [new file with mode: 0644]
queue-6.4/selftests-mptcp-depend-on-syn_cookies.patch [new file with mode: 0644]
queue-6.4/selftests-mptcp-pm_nl_ctl-fix-32-bit-support.patch [new file with mode: 0644]
queue-6.4/selftests-mptcp-sockopt-return-error-if-wrong-mark.patch [new file with mode: 0644]
queue-6.4/selftests-mptcp-sockopt-use-iptables-legacy-if-available.patch [new file with mode: 0644]
queue-6.4/selftests-mptcp-userspace_pm-report-errors-with-remove-tests.patch [new file with mode: 0644]
queue-6.4/selftests-mptcp-userspace_pm-use-correct-server-port.patch [new file with mode: 0644]
queue-6.4/series
queue-6.4/smb-client-fix-wstringop-overflow-issues.patch [new file with mode: 0644]
queue-6.4/tracing-fix-null-pointer-dereference-in-tracing_err_log_open.patch [new file with mode: 0644]
queue-6.4/tracing-probes-fix-not-to-count-error-code-to-total-length.patch [new file with mode: 0644]
queue-6.4/tracing-probes-fix-to-avoid-double-count-of-the-string-length-on-the-array.patch [new file with mode: 0644]
queue-6.4/tracing-probes-fix-to-record-0-length-data_loc-in-fetch_store_string-if-fails.patch [new file with mode: 0644]
queue-6.4/tracing-probes-fix-to-update-dynamic-data-counter-if-fetcharg-uses-it.patch [new file with mode: 0644]
queue-6.4/tracing-user_events-fix-struct-arg-size-match-check.patch [new file with mode: 0644]

diff --git a/queue-6.4/fprobe-ensure-running-fprobe_exit_handler-finished-before-calling-rethook_free.patch b/queue-6.4/fprobe-ensure-running-fprobe_exit_handler-finished-before-calling-rethook_free.patch
new file mode 100644 (file)
index 0000000..bb45f07
--- /dev/null
@@ -0,0 +1,118 @@
+From 195b9cb5b288fec1c871ef89f78cc9a7461aad3a Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
+Date: Fri, 7 Jul 2023 23:03:19 +0900
+Subject: fprobe: Ensure running fprobe_exit_handler() finished before calling rethook_free()
+
+From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+
+commit 195b9cb5b288fec1c871ef89f78cc9a7461aad3a upstream.
+
+Ensure running fprobe_exit_handler() has finished before
+calling rethook_free() in the unregister_fprobe() so that caller can free
+the fprobe right after unregister_fprobe().
+
+unregister_fprobe() ensured that all running fprobe_entry/exit_handler()
+have finished by calling unregister_ftrace_function() which synchronizes
+RCU. But commit 5f81018753df ("fprobe: Release rethook after the ftrace_ops
+is unregistered") changed to call rethook_free() after
+unregister_ftrace_function(). So call rethook_stop() to make rethook
+disabled before unregister_ftrace_function() and ensure it again.
+
+Here is the possible code flow that can call the exit handler after
+unregister_fprobe().
+
+------
+ CPU1                              CPU2
+ call unregister_fprobe(fp)
+ ...
+                                   __fprobe_handler()
+                                   rethook_hook() on probed function
+ unregister_ftrace_function()
+                                   return from probed function
+                                   rethook hooks
+                                   find rh->handler == fprobe_exit_handler
+                                   call fprobe_exit_handler()
+ rethook_free():
+   set rh->handler = NULL;
+ return from unreigster_fprobe;
+                                   call fp->exit_handler() <- (*)
+------
+
+(*) At this point, the exit handler is called after returning from
+unregister_fprobe().
+
+This fixes it as following;
+------
+ CPU1                              CPU2
+ call unregister_fprobe()
+ ...
+ rethook_stop():
+   set rh->handler = NULL;
+                                   __fprobe_handler()
+                                   rethook_hook() on probed function
+ unregister_ftrace_function()
+                                   return from probed function
+                                   rethook hooks
+                                   find rh->handler == NULL
+                                   return from rethook
+ rethook_free()
+ return from unreigster_fprobe;
+------
+
+Link: https://lore.kernel.org/all/168873859949.156157.13039240432299335849.stgit@devnote2/
+
+Fixes: 5f81018753df ("fprobe: Release rethook after the ftrace_ops is unregistered")
+Cc: stable@vger.kernel.org
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/rethook.h |    1 +
+ kernel/trace/fprobe.c   |    3 +++
+ kernel/trace/rethook.c  |   13 +++++++++++++
+ 3 files changed, 17 insertions(+)
+
+--- a/include/linux/rethook.h
++++ b/include/linux/rethook.h
+@@ -59,6 +59,7 @@ struct rethook_node {
+ };
+ struct rethook *rethook_alloc(void *data, rethook_handler_t handler);
++void rethook_stop(struct rethook *rh);
+ void rethook_free(struct rethook *rh);
+ void rethook_add_node(struct rethook *rh, struct rethook_node *node);
+ struct rethook_node *rethook_try_get(struct rethook *rh);
+--- a/kernel/trace/fprobe.c
++++ b/kernel/trace/fprobe.c
+@@ -366,6 +366,9 @@ int unregister_fprobe(struct fprobe *fp)
+                   fp->ops.saved_func != fprobe_kprobe_handler))
+               return -EINVAL;
++      if (fp->rethook)
++              rethook_stop(fp->rethook);
++
+       ret = unregister_ftrace_function(&fp->ops);
+       if (ret < 0)
+               return ret;
+--- a/kernel/trace/rethook.c
++++ b/kernel/trace/rethook.c
+@@ -54,6 +54,19 @@ static void rethook_free_rcu(struct rcu_
+ }
+ /**
++ * rethook_stop() - Stop using a rethook.
++ * @rh: the struct rethook to stop.
++ *
++ * Stop using a rethook to prepare for freeing it. If you want to wait for
++ * all running rethook handler before calling rethook_free(), you need to
++ * call this first and wait RCU, and call rethook_free().
++ */
++void rethook_stop(struct rethook *rh)
++{
++      WRITE_ONCE(rh->handler, NULL);
++}
++
++/**
+  * rethook_free() - Free struct rethook.
+  * @rh: the struct rethook to be freed.
+  *
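Review bot: In the unregister_fprobe() hunk, rethook_stop() is now called before unregister_ftrace_function(), but if that call fails the function returns with the rethook already stopped and the ftrace ops still registered, so the entry handler keeps firing while the exit handler is permanently disabled and the caller has no way to re-arm it. Whether unregister_ftrace_function() can fail in practice for a registered fprobe is not visible here, but the asymmetry deserves at least a comment at the call site, e.g. `/* Once stopped the rethook cannot be re-armed: a failing unregister below leaves the fprobe with entry-only handling. */`. The rethook_stop() kerneldoc tells callers to "wait RCU" between stop and free; it would help to state on the unregister_fprobe() side that unregister_ftrace_function() is what provides that grace period, since nothing in the hunk otherwise ties the two together.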
diff --git a/queue-6.4/fprobe-release-rethook-after-the-ftrace_ops-is-unregistered.patch b/queue-6.4/fprobe-release-rethook-after-the-ftrace_ops-is-unregistered.patch
new file mode 100644 (file)
index 0000000..168c791
--- /dev/null
@@ -0,0 +1,75 @@
+From 5f81018753dfd4989e33ece1f0cb6b8aae498b82 Mon Sep 17 00:00:00 2001
+From: Jiri Olsa <jolsa@kernel.org>
+Date: Thu, 15 Jun 2023 13:52:36 +0200
+Subject: fprobe: Release rethook after the ftrace_ops is unregistered
+
+From: Jiri Olsa <jolsa@kernel.org>
+
+commit 5f81018753dfd4989e33ece1f0cb6b8aae498b82 upstream.
+
+While running bpf selftests it's possible to get following fault:
+
+  general protection fault, probably for non-canonical address \
+  0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC NOPTI
+  ...
+  Call Trace:
+   <TASK>
+   fprobe_handler+0xc1/0x270
+   ? __pfx_bpf_testmod_init+0x10/0x10
+   ? __pfx_bpf_testmod_init+0x10/0x10
+   ? bpf_fentry_test1+0x5/0x10
+   ? bpf_fentry_test1+0x5/0x10
+   ? bpf_testmod_init+0x22/0x80
+   ? do_one_initcall+0x63/0x2e0
+   ? rcu_is_watching+0xd/0x40
+   ? kmalloc_trace+0xaf/0xc0
+   ? do_init_module+0x60/0x250
+   ? __do_sys_finit_module+0xac/0x120
+   ? do_syscall_64+0x37/0x90
+   ? entry_SYSCALL_64_after_hwframe+0x72/0xdc
+   </TASK>
+
+In unregister_fprobe function we can't release fp->rethook while it's
+possible there are some of its users still running on another cpu.
+
+Moving rethook_free call after fp->ops is unregistered with
+unregister_ftrace_function call.
+
+Link: https://lore.kernel.org/all/20230615115236.3476617-1-jolsa@kernel.org/
+
+Fixes: 5b0ab78998e3 ("fprobe: Add exit_handler support")
+Cc: stable@vger.kernel.org
+Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/fprobe.c |   12 +++---------
+ 1 file changed, 3 insertions(+), 9 deletions(-)
+
+--- a/kernel/trace/fprobe.c
++++ b/kernel/trace/fprobe.c
+@@ -366,19 +366,13 @@ int unregister_fprobe(struct fprobe *fp)
+                   fp->ops.saved_func != fprobe_kprobe_handler))
+               return -EINVAL;
+-      /*
+-       * rethook_free() starts disabling the rethook, but the rethook handlers
+-       * may be running on other processors at this point. To make sure that all
+-       * current running handlers are finished, call unregister_ftrace_function()
+-       * after this.
+-       */
+-      if (fp->rethook)
+-              rethook_free(fp->rethook);
+-
+       ret = unregister_ftrace_function(&fp->ops);
+       if (ret < 0)
+               return ret;
++      if (fp->rethook)
++              rethook_free(fp->rethook);
++
+       ftrace_free_filter(&fp->ops);
+       return ret;
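Review bot: The removed comment explaining how rethook_free() is ordered relative to unregister_ftrace_function() is not replaced at the new call site, so the reason rethook_free() must come after the unregister (handlers may still be running on other CPUs until the ftrace unregister has synchronized RCU) now lives only in the commit message. Suggest `/* Rethook handlers may still run on other CPUs; unregister_ftrace_function() above has synchronized RCU, so freeing is only safe from here. */` above the `if (fp->rethook)`. Note also that rethook_free() by itself does not prevent an exit handler from being dispatched for a hook planted before the unregister; a companion patch in this same queue (fprobe: Ensure running fprobe_exit_handler() finished before calling rethook_free()) adds rethook_stop() for that, so the two should be backported together rather than this one alone.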
diff --git a/queue-6.4/mptcp-do-not-rely-on-implicit-state-check-in-mptcp_listen.patch b/queue-6.4/mptcp-do-not-rely-on-implicit-state-check-in-mptcp_listen.patch
new file mode 100644 (file)
index 0000000..c6fea00
--- /dev/null
@@ -0,0 +1,55 @@
+From 0226436acf2495cde4b93e7400e5a87305c26054 Mon Sep 17 00:00:00 2001
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Tue, 4 Jul 2023 22:44:34 +0200
+Subject: mptcp: do not rely on implicit state check in mptcp_listen()
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+commit 0226436acf2495cde4b93e7400e5a87305c26054 upstream.
+
+Since the blamed commit, closing the first subflow resets the first
+subflow socket state to SS_UNCONNECTED.
+
+The current mptcp listen implementation relies only on such
+state to prevent touching not-fully-disconnected sockets.
+
+Incoming mptcp fastclose (or paired endpoint removal) unconditionally
+closes the first subflow.
+
+All the above allows an incoming fastclose followed by a listen() call
+to successfully race with a blocking recvmsg(), potentially causing the
+latter to hit a divide by zero bug in cleanup_rbuf/__tcp_select_window().
+
+Address the issue explicitly checking the msk socket state in
+mptcp_listen(). An alternative solution would be moving the first
+subflow socket state update into mptcp_disconnect(), but in the long
+term the first subflow socket should be removed: better avoid relaying
+on it for internal consistency check.
+
+Fixes: b29fcfb54cd7 ("mptcp: full disconnect implementation")
+Cc: stable@vger.kernel.org
+Reported-by: Christoph Paasch <cpaasch@apple.com>
+Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/414
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/protocol.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -3697,6 +3697,11 @@ static int mptcp_listen(struct socket *s
+       pr_debug("msk=%p", msk);
+       lock_sock(sk);
++
++      err = -EINVAL;
++      if (sock->state != SS_UNCONNECTED || sock->type != SOCK_STREAM)
++              goto unlock;
++
+       ssock = __mptcp_nmpc_socket(msk);
+       if (IS_ERR(ssock)) {
+               err = PTR_ERR(ssock);
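Review bot: The new check in mptcp_listen() duplicates the `sock->state`/`sock->type` test that inet_listen() performs on the subflow socket, and without a comment the next reader is likely to consider it redundant and remove it, reintroducing the race. Suggest a comment above `err = -EINVAL;`: `/* Closing the first subflow resets it to SS_UNCONNECTED (e.g. on incoming fastclose), so its state cannot be trusted to reject a not-fully-disconnected msk; check the msk-level socket state here. */`. The `unlock` label and the rest of the function are outside the hunk, so whether `err` is always consumed on that path cannot be confirmed here.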
diff --git a/queue-6.4/mptcp-ensure-subflow-is-unhashed-before-cleaning-the-backlog.patch b/queue-6.4/mptcp-ensure-subflow-is-unhashed-before-cleaning-the-backlog.patch
new file mode 100644 (file)
index 0000000..1f565e0
--- /dev/null
@@ -0,0 +1,42 @@
+From 3fffa15bfef48b0ad6424779c03e68ae8ace5acb Mon Sep 17 00:00:00 2001
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Tue, 4 Jul 2023 22:44:33 +0200
+Subject: mptcp: ensure subflow is unhashed before cleaning the backlog
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+commit 3fffa15bfef48b0ad6424779c03e68ae8ace5acb upstream.
+
+While tacking care of the mptcp-level listener I unintentionally
+moved the subflow level unhash after the subflow listener backlog
+cleanup.
+
+That could cause some nasty race and makes the code harder to read.
+
+Address the issue restoring the proper order of operations.
+
+Fixes: 57fc0f1ceaa4 ("mptcp: ensure listener is unhashed before updating the sk status")
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/protocol.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -2908,10 +2908,10 @@ static void mptcp_check_listen_stop(stru
+               return;
+       lock_sock_nested(ssk, SINGLE_DEPTH_NESTING);
++      tcp_set_state(ssk, TCP_CLOSE);
+       mptcp_subflow_queue_clean(sk, ssk);
+       inet_csk_listen_stop(ssk);
+       mptcp_event_pm_listener(ssk, MPTCP_EVENT_LISTENER_CLOSED);
+-      tcp_set_state(ssk, TCP_CLOSE);
+       release_sock(ssk);
+ }
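Review bot: The reordering in mptcp_check_listen_stop() is the whole fix, but nothing in the code records that tcp_set_state(ssk, TCP_CLOSE) must precede mptcp_subflow_queue_clean(), so a later cleanup could move it back to the end where it sat before. Suggest a comment on the moved line: `/* Move to TCP_CLOSE (unhash) before draining the backlog; the commit that introduced the old order hit a race when the listener was still hashed during cleanup. */`. The function's opening lines, including the early `return` guard, are outside the hunk, so the condition under which this code runs is not visible here.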
diff --git a/queue-6.4/revert-tracing-add-fault-name-injection-to-kernel-probes.patch b/queue-6.4/revert-tracing-add-fault-name-injection-to-kernel-probes.patch
new file mode 100644 (file)
index 0000000..0184099
--- /dev/null
@@ -0,0 +1,125 @@
+From 4ed8f337dee32df71435689c19d22e4ee846e15a Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
+Date: Tue, 11 Jul 2023 23:15:57 +0900
+Subject: Revert "tracing: Add "(fault)" name injection to kernel probes"
+
+From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+
+commit 4ed8f337dee32df71435689c19d22e4ee846e15a upstream.
+
+This reverts commit 2e9906f84fc7c99388bb7123ade167250d50f1c0.
+
+It was turned out that commit 2e9906f84fc7 ("tracing: Add "(fault)"
+name injection to kernel probes") did not work correctly and probe
+events still show just '(fault)' (instead of '"(fault)"'). Also,
+current '(fault)' is more explicit that it faulted.
+
+This also moves FAULT_STRING macro to trace.h so that synthetic
+event can keep using it, and uses it in trace_probe.c too.
+
+Link: https://lore.kernel.org/all/168908495772.123124.1250788051922100079.stgit@devnote2/
+Link: https://lore.kernel.org/all/20230706230642.3793a593@rorschach.local.home/
+
+Cc: stable@vger.kernel.org
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Tom Zanussi <zanussi@kernel.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace.h              |    2 ++
+ kernel/trace/trace_probe.c        |    2 +-
+ kernel/trace/trace_probe_kernel.h |   31 ++++++-------------------------
+ 3 files changed, 9 insertions(+), 26 deletions(-)
+
+--- a/kernel/trace/trace.h
++++ b/kernel/trace/trace.h
+@@ -113,6 +113,8 @@ enum trace_type {
+ #define MEM_FAIL(condition, fmt, ...)                                 \
+       DO_ONCE_LITE_IF(condition, pr_err, "ERROR: " fmt, ##__VA_ARGS__)
++#define FAULT_STRING "(fault)"
++
+ #define HIST_STACKTRACE_DEPTH 16
+ #define HIST_STACKTRACE_SIZE  (HIST_STACKTRACE_DEPTH * sizeof(unsigned long))
+ #define HIST_STACKTRACE_SKIP  5
+--- a/kernel/trace/trace_probe.c
++++ b/kernel/trace/trace_probe.c
+@@ -65,7 +65,7 @@ int PRINT_TYPE_FUNC_NAME(string)(struct
+       int len = *(u32 *)data >> 16;
+       if (!len)
+-              trace_seq_puts(s, "(fault)");
++              trace_seq_puts(s, FAULT_STRING);
+       else
+               trace_seq_printf(s, "\"%s\"",
+                                (const char *)get_loc_data(data, ent));
+--- a/kernel/trace/trace_probe_kernel.h
++++ b/kernel/trace/trace_probe_kernel.h
+@@ -2,8 +2,6 @@
+ #ifndef __TRACE_PROBE_KERNEL_H_
+ #define __TRACE_PROBE_KERNEL_H_
+-#define FAULT_STRING "(fault)"
+-
+ /*
+  * This depends on trace_probe.h, but can not include it due to
+  * the way trace_probe_tmpl.h is used by trace_kprobe.c and trace_eprobe.c.
+@@ -15,16 +13,8 @@ static nokprobe_inline int
+ fetch_store_strlen_user(unsigned long addr)
+ {
+       const void __user *uaddr =  (__force const void __user *)addr;
+-      int ret;
+-      ret = strnlen_user_nofault(uaddr, MAX_STRING_SIZE);
+-      /*
+-       * strnlen_user_nofault returns zero on fault, insert the
+-       * FAULT_STRING when that occurs.
+-       */
+-      if (ret <= 0)
+-              return strlen(FAULT_STRING) + 1;
+-      return ret;
++      return strnlen_user_nofault(uaddr, MAX_STRING_SIZE);
+ }
+ /* Return the length of string -- including null terminal byte */
+@@ -44,18 +34,7 @@ fetch_store_strlen(unsigned long addr)
+               len++;
+       } while (c && ret == 0 && len < MAX_STRING_SIZE);
+-      /* For faults, return enough to hold the FAULT_STRING */
+-      return (ret < 0) ? strlen(FAULT_STRING) + 1 : len;
+-}
+-
+-static nokprobe_inline void set_data_loc(int ret, void *dest, void *__dest, void *base, int len)
+-{
+-      if (ret >= 0) {
+-              *(u32 *)dest = make_data_loc(ret, __dest - base);
+-      } else {
+-              strscpy(__dest, FAULT_STRING, len);
+-              ret = strlen(__dest) + 1;
+-      }
++      return (ret < 0) ? ret : len;
+ }
+ /*
+@@ -76,7 +55,8 @@ fetch_store_string_user(unsigned long ad
+       __dest = get_loc_data(dest, base);
+       ret = strncpy_from_user_nofault(__dest, uaddr, maxlen);
+-      set_data_loc(ret, dest, __dest, base, maxlen);
++      if (ret >= 0)
++              *(u32 *)dest = make_data_loc(ret, __dest - base);
+       return ret;
+ }
+@@ -107,7 +87,8 @@ fetch_store_string(unsigned long addr, v
+        * probing.
+        */
+       ret = strncpy_from_kernel_nofault(__dest, (void *)addr, maxlen);
+-      set_data_loc(ret, dest, __dest, base, maxlen);
++      if (ret >= 0)
++              *(u32 *)dest = make_data_loc(ret, __dest - base);
+       return ret;
+ }
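Review bot: After the revert, fetch_store_string() and fetch_store_string_user() leave `*(u32 *)dest` untouched when the copy fails (`ret < 0`), so unless every caller pre-initialises the data_loc slot the trace record carries whatever was in the buffer, which PRINT_TYPE_FUNC_NAME(string) would then decode as a valid offset and length. This appears to be handled by a companion patch in this same queue (tracing/probes: Fix to record 0-length data_loc in fetch_store_string() if fails), so the two should be backported together rather than this revert alone. The two length helpers also now disagree on how a fault is reported: the removed comment states strnlen_user_nofault() returns zero on fault, while fetch_store_strlen() returns `ret < 0`; a note on fetch_store_strlen_user() such as `/* NB: reports a fault as 0, unlike fetch_store_strlen() which returns ret < 0. */` would keep callers from treating the two uniformly.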
diff --git a/queue-6.4/scsi-qla2xxx-array-index-may-go-out-of-bound.patch b/queue-6.4/scsi-qla2xxx-array-index-may-go-out-of-bound.patch
new file mode 100644 (file)
index 0000000..30d0958
--- /dev/null
@@ -0,0 +1,36 @@
+From d721b591b95cf3f290f8a7cbe90aa2ee0368388d Mon Sep 17 00:00:00 2001
+From: Nilesh Javali <njavali@marvell.com>
+Date: Wed, 7 Jun 2023 17:08:36 +0530
+Subject: scsi: qla2xxx: Array index may go out of bound
+
+From: Nilesh Javali <njavali@marvell.com>
+
+commit d721b591b95cf3f290f8a7cbe90aa2ee0368388d upstream.
+
+Klocwork reports array 'vha->host_str' of size 16 may use index value(s)
+16..19.  Use snprintf() instead of sprintf().
+
+Cc: stable@vger.kernel.org
+Co-developed-by: Bikash Hazarika <bhazarika@marvell.com>
+Signed-off-by: Bikash Hazarika <bhazarika@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Link: https://lore.kernel.org/r/20230607113843.37185-2-njavali@marvell.com
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_os.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -5088,7 +5088,8 @@ struct scsi_qla_host *qla2x00_create_hos
+       }
+       INIT_DELAYED_WORK(&vha->scan.scan_work, qla_scan_work_fn);
+-      sprintf(vha->host_str, "%s_%lu", QLA2XXX_DRIVER_NAME, vha->host_no);
++      snprintf(vha->host_str, sizeof(vha->host_str), "%s_%lu",
++               QLA2XXX_DRIVER_NAME, vha->host_no);
+       ql_dbg(ql_dbg_init, vha, 0x0041,
+           "Allocated the host=%p hw=%p vha=%p dev_name=%s",
+           vha->host, vha->hw, vha,
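Review bot: The snprintf() return value is not checked, so a host number wide enough to overflow the 16-byte `host_str` now truncates silently instead of overrunning; the overrun is fixed, but a truncated name may no longer be unique across hosts. `QLA2XXX_DRIVER_NAME` plus `_` already consumes part of the buffer, so consider capturing the result and logging when it is `>= sizeof(vha->host_str)` via the driver's existing ql_log helper, so a truncated name is visible rather than quietly reused. The declaration of host_str and the realistic range of host_no are outside the hunk, so whether truncation is reachable in practice cannot be confirmed here.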
diff --git a/queue-6.4/scsi-qla2xxx-avoid-fcport-pointer-dereference.patch b/queue-6.4/scsi-qla2xxx-avoid-fcport-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..c33aecd
--- /dev/null
@@ -0,0 +1,38 @@
+From 6b504d06976fe4a61cc05dedc68b84fadb397f77 Mon Sep 17 00:00:00 2001
+From: Nilesh Javali <njavali@marvell.com>
+Date: Wed, 7 Jun 2023 17:08:38 +0530
+Subject: scsi: qla2xxx: Avoid fcport pointer dereference
+
+From: Nilesh Javali <njavali@marvell.com>
+
+commit 6b504d06976fe4a61cc05dedc68b84fadb397f77 upstream.
+
+Klocwork reported warning of NULL pointer may be dereferenced.  The routine
+exits when sa_ctl is NULL and fcport is allocated after the exit call thus
+causing NULL fcport pointer to dereference at the time of exit.
+
+To avoid fcport pointer dereference, exit the routine when sa_ctl is NULL.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Link: https://lore.kernel.org/r/20230607113843.37185-4-njavali@marvell.com
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_edif.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_edif.c
++++ b/drivers/scsi/qla2xxx/qla_edif.c
+@@ -2361,8 +2361,8 @@ qla24xx_issue_sa_replace_iocb(scsi_qla_h
+       if (!sa_ctl) {
+               ql_dbg(ql_dbg_edif, vha, 0x70e6,
+                   "sa_ctl allocation failed\n");
+-              rval =  -ENOMEM;
+-              goto done;
++              rval = -ENOMEM;
++              return rval;
+       }
+       fcport = sa_ctl->fcport;
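Review bot: Replacing `goto done` with a direct `return rval` in qla24xx_issue_sa_replace_iocb() bypasses whatever the `done` label releases, so it is only correct if nothing allocated, referenced or locked before the sa_ctl check needs cleanup; the start of the function and the `done` label are both outside the hunk, so this cannot be verified here. If the earlier part of the function does take a resource, the right fix is to keep `goto done` and make the `done` path tolerate a NULL fcport rather than skip it. A one-line comment at the return, `/* nothing to undo yet: fcport is only taken from sa_ctl below */`, would record the assumption for the next reader.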
diff --git a/queue-6.4/scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch b/queue-6.4/scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch
new file mode 100644 (file)
index 0000000..b4c6190
--- /dev/null
@@ -0,0 +1,37 @@
+From af73f23a27206ffb3c477cac75b5fcf03410556e Mon Sep 17 00:00:00 2001
+From: Nilesh Javali <njavali@marvell.com>
+Date: Wed, 7 Jun 2023 17:08:39 +0530
+Subject: scsi: qla2xxx: Check valid rport returned by fc_bsg_to_rport()
+
+From: Nilesh Javali <njavali@marvell.com>
+
+commit af73f23a27206ffb3c477cac75b5fcf03410556e upstream.
+
+Klocwork reported warning of rport maybe NULL and will be dereferenced.
+rport returned by call to fc_bsg_to_rport() could be NULL and dereferenced.
+
+Check valid rport returned by fc_bsg_to_rport().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Link: https://lore.kernel.org/r/20230607113843.37185-5-njavali@marvell.com
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_bsg.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/scsi/qla2xxx/qla_bsg.c
++++ b/drivers/scsi/qla2xxx/qla_bsg.c
+@@ -283,6 +283,10 @@ qla2x00_process_els(struct bsg_job *bsg_
+       if (bsg_request->msgcode == FC_BSG_RPT_ELS) {
+               rport = fc_bsg_to_rport(bsg_job);
++              if (!rport) {
++                      rval = -ENOMEM;
++                      goto done;
++              }
+               fcport = *(fc_port_t **) rport->dd_data;
+               host = rport_to_shost(rport);
+               vha = shost_priv(host);
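Review bot: `rval = -ENOMEM` for a NULL rport from fc_bsg_to_rport() misreports the failure: no allocation failed, the FC_BSG_RPT_ELS job simply has no remote port, so `-EINVAL` (or `-ENODEV`) is the accurate code, and that errno is presumably what the bsg submitter sees. The `goto done` also jumps past the assignments of `vha`, `fcport` and `host`, so the `done` path (outside the hunk) must not dereference any of them on this route; that cannot be confirmed from here. Suggest `rval = -EINVAL;` with `/* RPT_ELS job carries no rport */` so the reason is recorded next to the check.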
diff --git a/queue-6.4/scsi-qla2xxx-correct-the-index-of-array.patch b/queue-6.4/scsi-qla2xxx-correct-the-index-of-array.patch
new file mode 100644 (file)
index 0000000..f1f18d6
--- /dev/null
@@ -0,0 +1,51 @@
+From b1b9d3825df4c757d653d0b1df66f084835db9c3 Mon Sep 17 00:00:00 2001
+From: Bikash Hazarika <bhazarika@marvell.com>
+Date: Wed, 7 Jun 2023 17:08:42 +0530
+Subject: scsi: qla2xxx: Correct the index of array
+
+From: Bikash Hazarika <bhazarika@marvell.com>
+
+commit b1b9d3825df4c757d653d0b1df66f084835db9c3 upstream.
+
+Klocwork reported array 'port_dstate_str' of size 10 may use index value(s)
+10..15.
+
+Add a fix to correct the index of array.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Bikash Hazarika <bhazarika@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Link: https://lore.kernel.org/r/20230607113843.37185-8-njavali@marvell.com
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_inline.h |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/qla_inline.h
++++ b/drivers/scsi/qla2xxx/qla_inline.h
+@@ -109,11 +109,13 @@ qla2x00_set_fcport_disc_state(fc_port_t
+ {
+       int old_val;
+       uint8_t shiftbits, mask;
++      uint8_t port_dstate_str_sz;
+       /* This will have to change when the max no. of states > 16 */
+       shiftbits = 4;
+       mask = (1 << shiftbits) - 1;
++      port_dstate_str_sz = sizeof(port_dstate_str) / sizeof(char *);
+       fcport->disc_state = state;
+       while (1) {
+               old_val = atomic_read(&fcport->shadow_disc_state);
+@@ -121,7 +123,8 @@ qla2x00_set_fcport_disc_state(fc_port_t
+                   old_val, (old_val << shiftbits) | state)) {
+                       ql_dbg(ql_dbg_disc, fcport->vha, 0x2134,
+                           "FCPort %8phC disc_state transition: %s to %s - portid=%06x.\n",
+-                          fcport->port_name, port_dstate_str[old_val & mask],
++                          fcport->port_name, (old_val & mask) < port_dstate_str_sz ?
++                                  port_dstate_str[old_val & mask] : "Unknown",
+                           port_dstate_str[state], fcport->d_id.b24);
+                       return;
+               }
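Review bot: The guard covers only `port_dstate_str[old_val & mask]`; `port_dstate_str[state]` on the following line is still indexed without a bound check, so a caller passing a state at or beyond the table size reads out of bounds in the same ql_dbg() call. Whether `state` can exceed the table is not visible here (the enum and the table are outside the hunk), but the asymmetry is odd and the open-coded `sizeof(port_dstate_str) / sizeof(char *)` should be the kernel's `ARRAY_SIZE(port_dstate_str)`, which also stays correct if the element type changes. Suggested lines: `port_dstate_str_sz = ARRAY_SIZE(port_dstate_str);` and `state < port_dstate_str_sz ? port_dstate_str[state] : "Unknown",` in place of the bare `port_dstate_str[state],`.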
diff --git a/queue-6.4/scsi-qla2xxx-fix-buffer-overrun.patch b/queue-6.4/scsi-qla2xxx-fix-buffer-overrun.patch
new file mode 100644 (file)
index 0000000..2351ca0
--- /dev/null
@@ -0,0 +1,38 @@
+From b68710a8094fdffe8dd4f7a82c82649f479bb453 Mon Sep 17 00:00:00 2001
+From: Quinn Tran <qutran@marvell.com>
+Date: Wed, 7 Jun 2023 17:08:40 +0530
+Subject: scsi: qla2xxx: Fix buffer overrun
+
+From: Quinn Tran <qutran@marvell.com>
+
+commit b68710a8094fdffe8dd4f7a82c82649f479bb453 upstream.
+
+Klocwork warning: Buffer Overflow - Array Index Out of Bounds
+
+Driver uses fc_els_flogi to calculate size of buffer.  The actual buffer is
+nested inside of fc_els_flogi which is smaller.
+
+Replace structure name to allow proper size calculation.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Quinn Tran <qutran@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Link: https://lore.kernel.org/r/20230607113843.37185-6-njavali@marvell.com
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_init.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -5549,7 +5549,7 @@ static void qla_get_login_template(scsi_
+       __be32 *q;
+       memset(ha->init_cb, 0, ha->init_cb_size);
+-      sz = min_t(int, sizeof(struct fc_els_flogi), ha->init_cb_size);
++      sz = min_t(int, sizeof(struct fc_els_csp), ha->init_cb_size);
+       rval = qla24xx_get_port_login_templ(vha, ha->init_cb_dma,
+                                           ha->init_cb, sz);
+       if (rval != QLA_SUCCESS) {
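Review bot: The size change from `sizeof(struct fc_els_flogi)` to `sizeof(struct fc_els_csp)` carries no comment tying it to the buffer that qla24xx_get_port_login_templ() actually fills, so the next person to touch qla_get_login_template() could reasonably "restore" the FLOGI size because the template is a FLOGI payload, reintroducing the overrun. Suggest `/* The template lands in a fc_els_csp-sized field nested inside fc_els_flogi; sizing by the outer struct overruns it. */` on the assignment. Which field receives the data, and whether init_cb_size can ever be smaller than fc_els_csp, is outside the hunk and cannot be confirmed here.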
diff --git a/queue-6.4/scsi-qla2xxx-fix-hang-in-task-management.patch b/queue-6.4/scsi-qla2xxx-fix-hang-in-task-management.patch
new file mode 100644 (file)
index 0000000..5ab8829
--- /dev/null
@@ -0,0 +1,188 @@
+From 9ae615c5bfd37bd091772969b1153de5335ea986 Mon Sep 17 00:00:00 2001
+From: Quinn Tran <qutran@marvell.com>
+Date: Fri, 28 Apr 2023 00:53:36 -0700
+Subject: scsi: qla2xxx: Fix hang in task management
+
+From: Quinn Tran <qutran@marvell.com>
+
+commit 9ae615c5bfd37bd091772969b1153de5335ea986 upstream.
+
+Task management command hangs where a side
+band chip reset failed to nudge the TMF
+from it's current send path.
+
+Add additional error check to block TMF
+from entering during chip reset and along
+the TMF path to cause it to bail out, skip
+over abort of marker.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Quinn Tran <qutran@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Link: https://lore.kernel.org/r/20230428075339.32551-5-njavali@marvell.com
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_def.h  |    4 ++
+ drivers/scsi/qla2xxx/qla_init.c |   60 ++++++++++++++++++++++++++++++++++++++--
+ 2 files changed, 61 insertions(+), 3 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_def.h
++++ b/drivers/scsi/qla2xxx/qla_def.h
+@@ -5516,4 +5516,8 @@ struct ql_vnd_tgt_stats_resp {
+       _fp->disc_state, _fp->scan_state, _fp->loop_id, _fp->deleted, \
+       _fp->flags
++#define TMF_NOT_READY(_fcport) \
++      (!_fcport || IS_SESSION_DELETED(_fcport) || atomic_read(&_fcport->state) != FCS_ONLINE || \
++      !_fcport->vha->hw->flags.fw_started)
++
+ #endif
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -1996,6 +1996,11 @@ qla2x00_tmf_iocb_timeout(void *data)
+       int rc, h;
+       unsigned long flags;
++      if (sp->type == SRB_MARKER) {
++              complete(&tmf->u.tmf.comp);
++              return;
++      }
++
+       rc = qla24xx_async_abort_cmd(sp, false);
+       if (rc) {
+               spin_lock_irqsave(sp->qpair->qp_lock_ptr, flags);
+@@ -2023,6 +2028,7 @@ static void qla_marker_sp_done(srb_t *sp
+                   sp->handle, sp->fcport->d_id.b24, sp->u.iocb_cmd.u.tmf.flags,
+                   sp->u.iocb_cmd.u.tmf.lun, sp->qpair->id);
++      sp->u.iocb_cmd.u.tmf.data = res;
+       complete(&tmf->u.tmf.comp);
+ }
+@@ -2039,6 +2045,11 @@ static void qla_marker_sp_done(srb_t *sp
+       } while (cnt); \
+ }
++/**
++ * qla26xx_marker: send marker IOCB and wait for the completion of it.
++ * @arg: pointer to argument list.
++ *    It is assume caller will provide an fcport pointer and modifier
++ */
+ static int
+ qla26xx_marker(struct tmf_arg *arg)
+ {
+@@ -2048,6 +2059,14 @@ qla26xx_marker(struct tmf_arg *arg)
+       int rval = QLA_FUNCTION_FAILED;
+       fc_port_t *fcport = arg->fcport;
++      if (TMF_NOT_READY(arg->fcport)) {
++              ql_dbg(ql_dbg_taskm, vha, 0x8039,
++                  "FC port not ready for marker loop-id=%x portid=%06x modifier=%x lun=%lld qp=%d.\n",
++                  fcport->loop_id, fcport->d_id.b24,
++                  arg->modifier, arg->lun, arg->qpair->id);
++              return QLA_SUSPENDED;
++      }
++
+       /* ref: INIT */
+       sp = qla2xxx_get_qpair_sp(vha, arg->qpair, fcport, GFP_KERNEL);
+       if (!sp)
+@@ -2074,11 +2093,19 @@ qla26xx_marker(struct tmf_arg *arg)
+       if (rval != QLA_SUCCESS) {
+               ql_log(ql_log_warn, vha, 0x8031,
+-                  "Marker IOCB failed (%x).\n", rval);
++                  "Marker IOCB send failure (%x).\n", rval);
+               goto done_free_sp;
+       }
+       wait_for_completion(&tm_iocb->u.tmf.comp);
++      rval = tm_iocb->u.tmf.data;
++
++      if (rval != QLA_SUCCESS) {
++              ql_log(ql_log_warn, vha, 0x8019,
++                  "Marker failed hdl=%x loop-id=%x portid=%06x modifier=%x lun=%lld qp=%d rval %d.\n",
++                  sp->handle, fcport->loop_id, fcport->d_id.b24,
++                  arg->modifier, arg->lun, sp->qpair->id, rval);
++      }
+ done_free_sp:
+       /* ref: INIT */
+@@ -2091,6 +2118,8 @@ static void qla2x00_tmf_sp_done(srb_t *s
+ {
+       struct srb_iocb *tmf = &sp->u.iocb_cmd;
++      if (res)
++              tmf->u.tmf.data = res;
+       complete(&tmf->u.tmf.comp);
+ }
+@@ -2104,6 +2133,14 @@ __qla2x00_async_tm_cmd(struct tmf_arg *a
+       fc_port_t *fcport = arg->fcport;
++      if (TMF_NOT_READY(arg->fcport)) {
++              ql_dbg(ql_dbg_taskm, vha, 0x8032,
++                  "FC port not ready for TM command loop-id=%x portid=%06x modifier=%x lun=%lld qp=%d.\n",
++                  fcport->loop_id, fcport->d_id.b24,
++                  arg->modifier, arg->lun, arg->qpair->id);
++              return QLA_SUSPENDED;
++      }
++
+       /* ref: INIT */
+       sp = qla2xxx_get_qpair_sp(vha, arg->qpair, fcport, GFP_KERNEL);
+       if (!sp)
+@@ -2178,7 +2215,9 @@ int qla_get_tmf(fc_port_t *fcport)
+               msleep(1);
+               spin_lock_irqsave(&ha->tgt.sess_lock, flags);
+-              if (fcport->deleted) {
++              if (TMF_NOT_READY(fcport)) {
++                      ql_log(ql_log_warn, vha, 0x802c,
++                          "Unable to acquire TM resource due to disruption.\n");
+                       rc = EIO;
+                       break;
+               }
+@@ -2204,7 +2243,10 @@ qla2x00_async_tm_cmd(fc_port_t *fcport,
+       struct scsi_qla_host *vha = fcport->vha;
+       struct qla_qpair *qpair;
+       struct tmf_arg a;
+-      int i, rval;
++      int i, rval = QLA_SUCCESS;
++
++      if (TMF_NOT_READY(fcport))
++              return QLA_SUSPENDED;
+       a.vha = fcport->vha;
+       a.fcport = fcport;
+@@ -2223,6 +2265,14 @@ qla2x00_async_tm_cmd(fc_port_t *fcport,
+                       qpair = vha->hw->queue_pair_map[i];
+                       if (!qpair)
+                               continue;
++
++                      if (TMF_NOT_READY(fcport)) {
++                              ql_log(ql_log_warn, vha, 0x8026,
++                                  "Unable to send TM due to disruption.\n");
++                              rval = QLA_SUSPENDED;
++                              break;
++                      }
++
+                       a.qpair = qpair;
+                       a.flags = flags|TCF_NOTMCMD_TO_TARGET;
+                       rval = __qla2x00_async_tm_cmd(&a);
+@@ -2231,10 +2281,14 @@ qla2x00_async_tm_cmd(fc_port_t *fcport,
+               }
+       }
++      if (rval)
++              goto bailout;
++
+       a.qpair = vha->hw->base_qpair;
+       a.flags = flags;
+       rval = __qla2x00_async_tm_cmd(&a);
++bailout:
+       if (a.modifier == MK_SYNC_ID_LUN)
+               qla_put_tmf(fcport);
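Review bot: The not-ready checks added in qla26xx_marker and __qla2x00_async_tm_cmd log through `fcport->loop_id` and `fcport->d_id.b24` after `TMF_NOT_READY(arg->fcport)` has returned true, and the macro's first clause is `!_fcport`, so the one case the macro explicitly guards against (a NULL fcport) would fault inside the debug message. Whether a NULL fcport can actually reach these paths is not visible from the hunk, but the message should not depend on it; a separate `if (!fcport) return QLA_SUSPENDED;` ahead of the ready check, or logging only the `arg->` fields, removes the hazard. A second concern is the SRB_MARKER branch added to qla2x00_tmf_iocb_timeout: it completes `tmf->u.tmf.comp` without storing a failure in `tmf->u.tmf.data`, and qla26xx_marker now takes `rval = tm_iocb->u.tmf.data` after the wait, so a timed-out marker may be reported with whatever value the field held when the sp was set up (presumably zero, i.e. success). Setting `tmf->u.tmf.data = QLA_FUNCTION_TIMEOUT;` before the `complete()` would make the timeout visible to the waiter. Both functions begin outside their hunks, so the surrounding context is not in view.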
diff --git a/queue-6.4/scsi-qla2xxx-fix-mem-access-after-free.patch b/queue-6.4/scsi-qla2xxx-fix-mem-access-after-free.patch
new file mode 100644 (file)
index 0000000..6cf65e6
--- /dev/null
@@ -0,0 +1,301 @@
+From b843adde8d490934d042fbe9e3e46697cb3a64d2 Mon Sep 17 00:00:00 2001
+From: Quinn Tran <qutran@marvell.com>
+Date: Fri, 28 Apr 2023 00:53:37 -0700
+Subject: scsi: qla2xxx: Fix mem access after free
+
+From: Quinn Tran <qutran@marvell.com>
+
+commit b843adde8d490934d042fbe9e3e46697cb3a64d2 upstream.
+
+System crash, where driver is accessing scsi layer's
+memory (scsi_cmnd->device->host) to search for a well known internal
+pointer (vha). The scsi_cmnd was released back to upper layer which
+could be freed, but the driver is still accessing it.
+
+7 [ffffa8e8d2c3f8d0] page_fault at ffffffff86c010fe
+  [exception RIP: __qla2x00_eh_wait_for_pending_commands+240]
+  RIP: ffffffffc0642350  RSP: ffffa8e8d2c3f988  RFLAGS: 00010286
+  RAX: 0000000000000165  RBX: 0000000000000002  RCX: 00000000000036d8
+  RDX: 0000000000000000  RSI: ffff9c5c56535188  RDI: 0000000000000286
+  RBP: ffff9c5bf7aa4a58   R8: ffff9c589aecdb70   R9: 00000000000003d1
+  R10: 0000000000000001  R11: 0000000000380000 R12: ffff9c5c5392bc78
+  R13: ffff9c57044ff5c0 R14: ffff9c56b5a3aa00  R15: 00000000000006db
+  ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
+8 [ffffa8e8d2c3f9c8] qla2x00_eh_wait_for_pending_commands at ffffffffc0646dd5 [qla2xxx]
+9 [ffffa8e8d2c3fa00] __qla2x00_async_tm_cmd at ffffffffc0658094 [qla2xxx]
+
+Remove access of freed memory. Currently the driver was checking to see if
+scsi_done was called by seeing if the sp->type has changed. Instead,
+check to see if the command has left the  oustanding_cmds[] array as
+sign of scsi_done was called.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Quinn Tran <qutran@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Link: https://lore.kernel.org/r/20230428075339.32551-6-njavali@marvell.com
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_isr.c |   38 +++++++++--
+ drivers/scsi/qla2xxx/qla_os.c  |  130 ++++++++++++++++++++---------------------
+ 2 files changed, 95 insertions(+), 73 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_isr.c
++++ b/drivers/scsi/qla2xxx/qla_isr.c
+@@ -1862,9 +1862,9 @@ qla2x00_process_completed_request(struct
+       }
+ }
+-srb_t *
+-qla2x00_get_sp_from_handle(scsi_qla_host_t *vha, const char *func,
+-    struct req_que *req, void *iocb)
++static srb_t *
++qla_get_sp_from_handle(scsi_qla_host_t *vha, const char *func,
++                     struct req_que *req, void *iocb, u16 *ret_index)
+ {
+       struct qla_hw_data *ha = vha->hw;
+       sts_entry_t *pkt = iocb;
+@@ -1899,12 +1899,25 @@ qla2x00_get_sp_from_handle(scsi_qla_host
+               return NULL;
+       }
+-      req->outstanding_cmds[index] = NULL;
+-
++      *ret_index = index;
+       qla_put_fw_resources(sp->qpair, &sp->iores);
+       return sp;
+ }
++srb_t *
++qla2x00_get_sp_from_handle(scsi_qla_host_t *vha, const char *func,
++                         struct req_que *req, void *iocb)
++{
++      uint16_t index;
++      srb_t *sp;
++
++      sp = qla_get_sp_from_handle(vha, func, req, iocb, &index);
++      if (sp)
++              req->outstanding_cmds[index] = NULL;
++
++      return sp;
++}
++
+ static void
+ qla2x00_mbx_iocb_entry(scsi_qla_host_t *vha, struct req_que *req,
+     struct mbx_entry *mbx)
+@@ -3237,13 +3250,13 @@ qla2x00_status_entry(scsi_qla_host_t *vh
+               return;
+       }
+-      req->outstanding_cmds[handle] = NULL;
+       cp = GET_CMD_SP(sp);
+       if (cp == NULL) {
+               ql_dbg(ql_dbg_io, vha, 0x3018,
+                   "Command already returned (0x%x/%p).\n",
+                   sts->handle, sp);
++              req->outstanding_cmds[handle] = NULL;
+               return;
+       }
+@@ -3514,6 +3527,9 @@ out:
+       if (rsp->status_srb == NULL)
+               sp->done(sp, res);
++
++      /* for io's, clearing of outstanding_cmds[handle] means scsi_done was called */
++      req->outstanding_cmds[handle] = NULL;
+ }
+ /**
+@@ -3590,6 +3606,7 @@ qla2x00_error_entry(scsi_qla_host_t *vha
+       uint16_t que = MSW(pkt->handle);
+       struct req_que *req = NULL;
+       int res = DID_ERROR << 16;
++      u16 index;
+       ql_dbg(ql_dbg_async, vha, 0x502a,
+           "iocb type %xh with error status %xh, handle %xh, rspq id %d\n",
+@@ -3608,7 +3625,6 @@ qla2x00_error_entry(scsi_qla_host_t *vha
+       switch (pkt->entry_type) {
+       case NOTIFY_ACK_TYPE:
+-      case STATUS_TYPE:
+       case STATUS_CONT_TYPE:
+       case LOGINOUT_PORT_IOCB_TYPE:
+       case CT_IOCB_TYPE:
+@@ -3628,6 +3644,14 @@ qla2x00_error_entry(scsi_qla_host_t *vha
+       case CTIO_TYPE7:
+       case CTIO_CRC2:
+               return 1;
++      case STATUS_TYPE:
++              sp = qla_get_sp_from_handle(vha, func, req, pkt, &index);
++              if (sp) {
++                      sp->done(sp, res);
++                      req->outstanding_cmds[index] = NULL;
++                      return 0;
++              }
++              break;
+       }
+ fatal:
+       ql_log(ql_log_warn, vha, 0x5030,
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -1079,43 +1079,6 @@ qc24_fail_command:
+ }
+ /*
+- * qla2x00_eh_wait_on_command
+- *    Waits for the command to be returned by the Firmware for some
+- *    max time.
+- *
+- * Input:
+- *    cmd = Scsi Command to wait on.
+- *
+- * Return:
+- *    Completed in time : QLA_SUCCESS
+- *    Did not complete in time : QLA_FUNCTION_FAILED
+- */
+-static int
+-qla2x00_eh_wait_on_command(struct scsi_cmnd *cmd)
+-{
+-#define ABORT_POLLING_PERIOD  1000
+-#define ABORT_WAIT_ITER               ((2 * 1000) / (ABORT_POLLING_PERIOD))
+-      unsigned long wait_iter = ABORT_WAIT_ITER;
+-      scsi_qla_host_t *vha = shost_priv(cmd->device->host);
+-      struct qla_hw_data *ha = vha->hw;
+-      srb_t *sp = scsi_cmd_priv(cmd);
+-      int ret = QLA_SUCCESS;
+-
+-      if (unlikely(pci_channel_offline(ha->pdev)) || ha->flags.eeh_busy) {
+-              ql_dbg(ql_dbg_taskm, vha, 0x8005,
+-                  "Return:eh_wait.\n");
+-              return ret;
+-      }
+-
+-      while (sp->type && wait_iter--)
+-              msleep(ABORT_POLLING_PERIOD);
+-      if (sp->type)
+-              ret = QLA_FUNCTION_FAILED;
+-
+-      return ret;
+-}
+-
+-/*
+  * qla2x00_wait_for_hba_online
+  *    Wait till the HBA is online after going through
+  *    <= MAX_RETRIES_OF_ISP_ABORT  or
+@@ -1365,6 +1328,9 @@ qla2xxx_eh_abort(struct scsi_cmnd *cmd)
+       return ret;
+ }
++#define ABORT_POLLING_PERIOD  1000
++#define ABORT_WAIT_ITER               ((2 * 1000) / (ABORT_POLLING_PERIOD))
++
+ /*
+  * Returns: QLA_SUCCESS or QLA_FUNCTION_FAILED.
+  */
+@@ -1378,41 +1344,73 @@ __qla2x00_eh_wait_for_pending_commands(s
+       struct req_que *req = qpair->req;
+       srb_t *sp;
+       struct scsi_cmnd *cmd;
++      unsigned long wait_iter = ABORT_WAIT_ITER;
++      bool found;
++      struct qla_hw_data *ha = vha->hw;
+       status = QLA_SUCCESS;
+-      spin_lock_irqsave(qpair->qp_lock_ptr, flags);
+-      for (cnt = 1; status == QLA_SUCCESS &&
+-              cnt < req->num_outstanding_cmds; cnt++) {
+-              sp = req->outstanding_cmds[cnt];
+-              if (!sp)
+-                      continue;
+-              if (sp->type != SRB_SCSI_CMD)
+-                      continue;
+-              if (vha->vp_idx != sp->vha->vp_idx)
+-                      continue;
+-              match = 0;
+-              cmd = GET_CMD_SP(sp);
+-              switch (type) {
+-              case WAIT_HOST:
+-                      match = 1;
+-                      break;
+-              case WAIT_TARGET:
+-                      match = cmd->device->id == t;
+-                      break;
+-              case WAIT_LUN:
+-                      match = (cmd->device->id == t &&
+-                              cmd->device->lun == l);
+-                      break;
+-              }
+-              if (!match)
+-                      continue;
++      while (wait_iter--) {
++              found = false;
+-              spin_unlock_irqrestore(qpair->qp_lock_ptr, flags);
+-              status = qla2x00_eh_wait_on_command(cmd);
+               spin_lock_irqsave(qpair->qp_lock_ptr, flags);
++              for (cnt = 1; cnt < req->num_outstanding_cmds; cnt++) {
++                      sp = req->outstanding_cmds[cnt];
++                      if (!sp)
++                              continue;
++                      if (sp->type != SRB_SCSI_CMD)
++                              continue;
++                      if (vha->vp_idx != sp->vha->vp_idx)
++                              continue;
++                      match = 0;
++                      cmd = GET_CMD_SP(sp);
++                      switch (type) {
++                      case WAIT_HOST:
++                              match = 1;
++                              break;
++                      case WAIT_TARGET:
++                              if (sp->fcport)
++                                      match = sp->fcport->d_id.b24 == t;
++                              else
++                                      match = 0;
++                              break;
++                      case WAIT_LUN:
++                              if (sp->fcport)
++                                      match = (sp->fcport->d_id.b24 == t &&
++                                              cmd->device->lun == l);
++                              else
++                                      match = 0;
++                              break;
++                      }
++                      if (!match)
++                              continue;
++
++                      spin_unlock_irqrestore(qpair->qp_lock_ptr, flags);
++
++                      if (unlikely(pci_channel_offline(ha->pdev)) ||
++                          ha->flags.eeh_busy) {
++                              ql_dbg(ql_dbg_taskm, vha, 0x8005,
++                                  "Return:eh_wait.\n");
++                              return status;
++                      }
++
++                      /*
++                       * SRB_SCSI_CMD is still in the outstanding_cmds array.
++                       * it means scsi_done has not called. Wait for it to
++                       * clear from outstanding_cmds.
++                       */
++                      msleep(ABORT_POLLING_PERIOD);
++                      spin_lock_irqsave(qpair->qp_lock_ptr, flags);
++                      found = true;
++              }
++              spin_unlock_irqrestore(qpair->qp_lock_ptr, flags);
++
++              if (!found)
++                      break;
+       }
+-      spin_unlock_irqrestore(qpair->qp_lock_ptr, flags);
++
++      if (!wait_iter && found)
++              status = QLA_FUNCTION_FAILED;
+       return status;
+ }
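Review bot: The timeout result in the rewritten __qla2x00_eh_wait_for_pending_commands is unreachable: `while (wait_iter--)` leaves the unsigned `wait_iter` at ULONG_MAX when the iteration count is exhausted, so `if (!wait_iter && found)` is false on exactly the path it is meant to catch and the function returns QLA_SUCCESS with matching commands still in `outstanding_cmds[]`. Since the loop only runs out of iterations when the last scan found a matching command (the `!found` case breaks out first, and the EEH path returns directly), the condition can simply become `if (found) status = QLA_FUNCTION_FAILED;`, with `found` initialised to false at its declaration so the result stays defined should ABORT_WAIT_ITER ever be zero. The function's signature and the `match`/`cnt` declarations are above the hunk, so the `Returns:` comment above it is the only contract visible here, and that contract is what the current code fails to honour.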
diff --git a/queue-6.4/scsi-qla2xxx-fix-potential-null-pointer-dereference.patch b/queue-6.4/scsi-qla2xxx-fix-potential-null-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..5340f07
--- /dev/null
@@ -0,0 +1,35 @@
+From 464ea494a40c6e3e0e8f91dd325408aaf21515ba Mon Sep 17 00:00:00 2001
+From: Bikash Hazarika <bhazarika@marvell.com>
+Date: Wed, 7 Jun 2023 17:08:37 +0530
+Subject: scsi: qla2xxx: Fix potential NULL pointer dereference
+
+From: Bikash Hazarika <bhazarika@marvell.com>
+
+commit 464ea494a40c6e3e0e8f91dd325408aaf21515ba upstream.
+
+Klocwork tool reported 'cur_dsd' may be dereferenced.  Add fix to validate
+pointer before dereferencing the pointer.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Bikash Hazarika <bhazarika@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Link: https://lore.kernel.org/r/20230607113843.37185-3-njavali@marvell.com
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_iocb.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/qla_iocb.c
++++ b/drivers/scsi/qla2xxx/qla_iocb.c
+@@ -607,7 +607,8 @@ qla24xx_build_scsi_type_6_iocbs(srb_t *s
+       put_unaligned_le32(COMMAND_TYPE_6, &cmd_pkt->entry_type);
+       /* No data transfer */
+-      if (!scsi_bufflen(cmd) || cmd->sc_data_direction == DMA_NONE) {
++      if (!scsi_bufflen(cmd) || cmd->sc_data_direction == DMA_NONE ||
++          tot_dsds == 0) {
+               cmd_pkt->byte_count = cpu_to_le32(0);
+               return 0;
+       }
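Review bot: The added `tot_dsds == 0` clause turns a command with a non-zero `scsi_bufflen(cmd)` but no mapped descriptors into a zero-byte transfer that returns success, which is a different situation from the two conditions it is joined with and is not explained at the site. A comment above the check, along the lines of `/* tot_dsds == 0 with data present means nothing was mapped; treat as no data rather than walk an empty DSD list */`, would record why this is handled as no-transfer instead of being rejected. Whether the caller can actually pass a non-zero buffer with zero descriptors, and whether completing it silently is preferable to failing the command, is not decidable from the hunk; the rest of qla24xx_build_scsi_type_6_iocbs lies outside it.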
diff --git a/queue-6.4/scsi-qla2xxx-fix-task-management-cmd-fail-due-to-unavailable-resource.patch b/queue-6.4/scsi-qla2xxx-fix-task-management-cmd-fail-due-to-unavailable-resource.patch
new file mode 100644 (file)
index 0000000..30ac261
--- /dev/null
@@ -0,0 +1,147 @@
+From 6a87679626b51b53fbb6be417ad8eb083030b617 Mon Sep 17 00:00:00 2001
+From: Quinn Tran <qutran@marvell.com>
+Date: Fri, 28 Apr 2023 00:53:35 -0700
+Subject: scsi: qla2xxx: Fix task management cmd fail due to unavailable resource
+
+From: Quinn Tran <qutran@marvell.com>
+
+commit 6a87679626b51b53fbb6be417ad8eb083030b617 upstream.
+
+Task management command failed with status 2Ch which is
+a result of too many task management commands sent
+to the same target. Hence limit task management commands
+to 8 per target.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Link: https://lore.kernel.org/oe-kbuild-all/202304271952.NKNmoFzv-lkp@intel.com/
+Cc: stable@vger.kernel.org
+Signed-off-by: Quinn Tran <qutran@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Link: https://lore.kernel.org/r/20230428075339.32551-4-njavali@marvell.com
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_def.h  |    3 +
+ drivers/scsi/qla2xxx/qla_init.c |   63 ++++++++++++++++++++++++++++++++++++----
+ 2 files changed, 61 insertions(+), 5 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_def.h
++++ b/drivers/scsi/qla2xxx/qla_def.h
+@@ -2542,6 +2542,7 @@ enum rscn_addr_format {
+ typedef struct fc_port {
+       struct list_head list;
+       struct scsi_qla_host *vha;
++      struct list_head tmf_pending;
+       unsigned int conf_compl_supported:1;
+       unsigned int deleted:2;
+@@ -2562,6 +2563,8 @@ typedef struct fc_port {
+       unsigned int do_prli_nvme:1;
+       uint8_t nvme_flag;
++      uint8_t active_tmf;
++#define MAX_ACTIVE_TMF 8
+       uint8_t node_name[WWN_SIZE];
+       uint8_t port_name[WWN_SIZE];
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -2149,6 +2149,54 @@ done:
+       return rval;
+ }
++static void qla_put_tmf(fc_port_t *fcport)
++{
++      struct scsi_qla_host *vha = fcport->vha;
++      struct qla_hw_data *ha = vha->hw;
++      unsigned long flags;
++
++      spin_lock_irqsave(&ha->tgt.sess_lock, flags);
++      fcport->active_tmf--;
++      spin_unlock_irqrestore(&ha->tgt.sess_lock, flags);
++}
++
++static
++int qla_get_tmf(fc_port_t *fcport)
++{
++      struct scsi_qla_host *vha = fcport->vha;
++      struct qla_hw_data *ha = vha->hw;
++      unsigned long flags;
++      int rc = 0;
++      LIST_HEAD(tmf_elem);
++
++      spin_lock_irqsave(&ha->tgt.sess_lock, flags);
++      list_add_tail(&tmf_elem, &fcport->tmf_pending);
++
++      while (fcport->active_tmf >= MAX_ACTIVE_TMF) {
++              spin_unlock_irqrestore(&ha->tgt.sess_lock, flags);
++
++              msleep(1);
++
++              spin_lock_irqsave(&ha->tgt.sess_lock, flags);
++              if (fcport->deleted) {
++                      rc = EIO;
++                      break;
++              }
++              if (fcport->active_tmf < MAX_ACTIVE_TMF &&
++                  list_is_first(&tmf_elem, &fcport->tmf_pending))
++                      break;
++      }
++
++      list_del(&tmf_elem);
++
++      if (!rc)
++              fcport->active_tmf++;
++
++      spin_unlock_irqrestore(&ha->tgt.sess_lock, flags);
++
++      return rc;
++}
++
+ int
+ qla2x00_async_tm_cmd(fc_port_t *fcport, uint32_t flags, uint64_t lun,
+                    uint32_t tag)
+@@ -2156,18 +2204,19 @@ qla2x00_async_tm_cmd(fc_port_t *fcport,
+       struct scsi_qla_host *vha = fcport->vha;
+       struct qla_qpair *qpair;
+       struct tmf_arg a;
+-      struct completion comp;
+       int i, rval;
+-      init_completion(&comp);
+       a.vha = fcport->vha;
+       a.fcport = fcport;
+       a.lun = lun;
+-
+-      if (flags & (TCF_LUN_RESET|TCF_ABORT_TASK_SET|TCF_CLEAR_TASK_SET|TCF_CLEAR_ACA))
++      if (flags & (TCF_LUN_RESET|TCF_ABORT_TASK_SET|TCF_CLEAR_TASK_SET|TCF_CLEAR_ACA)) {
+               a.modifier = MK_SYNC_ID_LUN;
+-      else
++
++              if (qla_get_tmf(fcport))
++                      return QLA_FUNCTION_FAILED;
++      } else {
+               a.modifier = MK_SYNC_ID;
++      }
+       if (vha->hw->mqenable) {
+               for (i = 0; i < vha->hw->num_qpairs; i++) {
+@@ -2186,6 +2235,9 @@ qla2x00_async_tm_cmd(fc_port_t *fcport,
+       a.flags = flags;
+       rval = __qla2x00_async_tm_cmd(&a);
++      if (a.modifier == MK_SYNC_ID_LUN)
++              qla_put_tmf(fcport);
++
+       return rval;
+ }
+@@ -5400,6 +5452,7 @@ qla2x00_alloc_fcport(scsi_qla_host_t *vh
+       INIT_WORK(&fcport->reg_work, qla_register_fcport_fn);
+       INIT_LIST_HEAD(&fcport->gnl_entry);
+       INIT_LIST_HEAD(&fcport->list);
++      INIT_LIST_HEAD(&fcport->tmf_pending);
+       INIT_LIST_HEAD(&fcport->sess_cmd_list);
+       spin_lock_init(&fcport->sess_cmd_lock);
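Review bot: qla_get_tmf reports failure as a positive `EIO`, which reads like a status value rather than an error; the kernel convention for an int-returning helper is `rc = -EIO;`, and the only caller, `if (qla_get_tmf(fcport))`, tests non-zero, so the change is behaviour-neutral. The wait loop in qla_get_tmf also has no upper bound: it sleeps in 1 ms steps until `active_tmf` drops below MAX_ACTIVE_TMF or the port is marked deleted, so any path that exits qla2x00_async_tm_cmd between qla_get_tmf and qla_put_tmf without decrementing (none is visible in the hunk, but the mq loop in between is not) would leave every later TMF for that port spinning; a bounded iteration count with a `ql_log` on expiry would turn such a leak into a visible failure instead of a hang. Defining `MAX_ACTIVE_TMF` between the members of `struct fc_port` is legal but easy to miss; a `/* cap on concurrent TMFs per port; see qla_get_tmf() */` comment next to `active_tmf` would help.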
diff --git a/queue-6.4/scsi-qla2xxx-fix-task-management-cmd-failure.patch b/queue-6.4/scsi-qla2xxx-fix-task-management-cmd-failure.patch
new file mode 100644 (file)
index 0000000..88f57f1
--- /dev/null
@@ -0,0 +1,313 @@
+From 9803fb5d27597ea98f2e05b0b6cfc48ae808458e Mon Sep 17 00:00:00 2001
+From: Quinn Tran <qutran@marvell.com>
+Date: Fri, 28 Apr 2023 00:53:34 -0700
+Subject: scsi: qla2xxx: Fix task management cmd failure
+
+From: Quinn Tran <qutran@marvell.com>
+
+commit 9803fb5d27597ea98f2e05b0b6cfc48ae808458e upstream.
+
+Task management cmd failed with status 30h which means
+FW is not able to finish processing one task management
+before another task management for the same lun.
+Hence add wait for completion of marker to space it out.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Link: https://lore.kernel.org/oe-kbuild-all/202304271802.uCZfwQC1-lkp@intel.com/
+Cc: stable@vger.kernel.org
+Signed-off-by: Quinn Tran <qutran@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Link: https://lore.kernel.org/r/20230428075339.32551-3-njavali@marvell.com
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com <mailto:himanshu.madhani@oracle.com>>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_def.h  |    6 ++
+ drivers/scsi/qla2xxx/qla_init.c |  102 +++++++++++++++++++++++++++++++++-------
+ drivers/scsi/qla2xxx/qla_iocb.c |   28 +++++++++-
+ drivers/scsi/qla2xxx/qla_isr.c  |   26 +++++++++-
+ 4 files changed, 139 insertions(+), 23 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_def.h
++++ b/drivers/scsi/qla2xxx/qla_def.h
+@@ -471,6 +471,7 @@ struct tmf_arg {
+       struct scsi_qla_host *vha;
+       u64 lun;
+       u32 flags;
++      uint8_t modifier;
+ };
+ struct els_logo_payload {
+@@ -552,6 +553,10 @@ struct srb_iocb {
+                       uint32_t data;
+                       struct completion comp;
+                       __le16 comp_status;
++
++                      uint8_t modifier;
++                      uint8_t vp_index;
++                      uint16_t loop_id;
+               } tmf;
+               struct {
+ #define SRB_FXDISC_REQ_DMA_VALID      BIT_0
+@@ -655,6 +660,7 @@ struct srb_iocb {
+ #define SRB_SA_UPDATE 25
+ #define SRB_ELS_CMD_HST_NOLOGIN 26
+ #define SRB_SA_REPLACE        27
++#define SRB_MARKER    28
+ struct qla_els_pt_arg {
+       u8 els_opcode;
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -2013,6 +2013,80 @@ qla2x00_tmf_iocb_timeout(void *data)
+       }
+ }
++static void qla_marker_sp_done(srb_t *sp, int res)
++{
++      struct srb_iocb *tmf = &sp->u.iocb_cmd;
++
++      if (res != QLA_SUCCESS)
++              ql_dbg(ql_dbg_taskm, sp->vha, 0x8004,
++                  "Async-marker fail hdl=%x portid=%06x ctrl=%x lun=%lld qp=%d.\n",
++                  sp->handle, sp->fcport->d_id.b24, sp->u.iocb_cmd.u.tmf.flags,
++                  sp->u.iocb_cmd.u.tmf.lun, sp->qpair->id);
++
++      complete(&tmf->u.tmf.comp);
++}
++
++#define  START_SP_W_RETRIES(_sp, _rval) \
++{\
++      int cnt = 5; \
++      do { \
++              _rval = qla2x00_start_sp(_sp); \
++              if (_rval == EAGAIN) \
++                      msleep(1); \
++              else \
++                      break; \
++              cnt--; \
++      } while (cnt); \
++}
++
++static int
++qla26xx_marker(struct tmf_arg *arg)
++{
++      struct scsi_qla_host *vha = arg->vha;
++      struct srb_iocb *tm_iocb;
++      srb_t *sp;
++      int rval = QLA_FUNCTION_FAILED;
++      fc_port_t *fcport = arg->fcport;
++
++      /* ref: INIT */
++      sp = qla2xxx_get_qpair_sp(vha, arg->qpair, fcport, GFP_KERNEL);
++      if (!sp)
++              goto done;
++
++      sp->type = SRB_MARKER;
++      sp->name = "marker";
++      qla2x00_init_async_sp(sp, qla2x00_get_async_timeout(vha), qla_marker_sp_done);
++      sp->u.iocb_cmd.timeout = qla2x00_tmf_iocb_timeout;
++
++      tm_iocb = &sp->u.iocb_cmd;
++      init_completion(&tm_iocb->u.tmf.comp);
++      tm_iocb->u.tmf.modifier = arg->modifier;
++      tm_iocb->u.tmf.lun = arg->lun;
++      tm_iocb->u.tmf.loop_id = fcport->loop_id;
++      tm_iocb->u.tmf.vp_index = vha->vp_idx;
++
++      START_SP_W_RETRIES(sp, rval);
++
++      ql_dbg(ql_dbg_taskm, vha, 0x8006,
++          "Async-marker hdl=%x loop-id=%x portid=%06x modifier=%x lun=%lld qp=%d rval %d.\n",
++          sp->handle, fcport->loop_id, fcport->d_id.b24,
++          arg->modifier, arg->lun, sp->qpair->id, rval);
++
++      if (rval != QLA_SUCCESS) {
++              ql_log(ql_log_warn, vha, 0x8031,
++                  "Marker IOCB failed (%x).\n", rval);
++              goto done_free_sp;
++      }
++
++      wait_for_completion(&tm_iocb->u.tmf.comp);
++
++done_free_sp:
++      /* ref: INIT */
++      kref_put(&sp->cmd_kref, qla2x00_sp_release);
++done:
++      return rval;
++}
++
+ static void qla2x00_tmf_sp_done(srb_t *sp, int res)
+ {
+       struct srb_iocb *tmf = &sp->u.iocb_cmd;
+@@ -2026,7 +2100,6 @@ __qla2x00_async_tm_cmd(struct tmf_arg *a
+       struct scsi_qla_host *vha = arg->vha;
+       struct srb_iocb *tm_iocb;
+       srb_t *sp;
+-      unsigned long flags;
+       int rval = QLA_FUNCTION_FAILED;
+       fc_port_t *fcport = arg->fcport;
+@@ -2048,11 +2121,12 @@ __qla2x00_async_tm_cmd(struct tmf_arg *a
+       tm_iocb->u.tmf.flags = arg->flags;
+       tm_iocb->u.tmf.lun = arg->lun;
+-      rval = qla2x00_start_sp(sp);
++      START_SP_W_RETRIES(sp, rval);
++
+       ql_dbg(ql_dbg_taskm, vha, 0x802f,
+-          "Async-tmf hdl=%x loop-id=%x portid=%02x%02x%02x ctrl=%x.\n",
+-          sp->handle, fcport->loop_id, fcport->d_id.b.domain,
+-          fcport->d_id.b.area, fcport->d_id.b.al_pa, arg->flags);
++          "Async-tmf hdl=%x loop-id=%x portid=%06x ctrl=%x lun=%lld qp=%d rval=%x.\n",
++          sp->handle, fcport->loop_id, fcport->d_id.b24,
++          arg->flags, arg->lun, sp->qpair->id, rval);
+       if (rval != QLA_SUCCESS)
+               goto done_free_sp;
+@@ -2065,17 +2139,8 @@ __qla2x00_async_tm_cmd(struct tmf_arg *a
+                   "TM IOCB failed (%x).\n", rval);
+       }
+-      if (!test_bit(UNLOADING, &vha->dpc_flags) && !IS_QLAFX00(vha->hw)) {
+-              flags = tm_iocb->u.tmf.flags;
+-              if (flags & (TCF_LUN_RESET|TCF_ABORT_TASK_SET|
+-                      TCF_CLEAR_TASK_SET|TCF_CLEAR_ACA))
+-                      flags = MK_SYNC_ID_LUN;
+-              else
+-                      flags = MK_SYNC_ID;
+-
+-              qla2x00_marker(vha, sp->qpair,
+-                  sp->fcport->loop_id, arg->lun, flags);
+-      }
++      if (!test_bit(UNLOADING, &vha->dpc_flags) && !IS_QLAFX00(vha->hw))
++              rval = qla26xx_marker(arg);
+ done_free_sp:
+       /* ref: INIT */
+@@ -2099,6 +2164,11 @@ qla2x00_async_tm_cmd(fc_port_t *fcport,
+       a.fcport = fcport;
+       a.lun = lun;
++      if (flags & (TCF_LUN_RESET|TCF_ABORT_TASK_SET|TCF_CLEAR_TASK_SET|TCF_CLEAR_ACA))
++              a.modifier = MK_SYNC_ID_LUN;
++      else
++              a.modifier = MK_SYNC_ID;
++
+       if (vha->hw->mqenable) {
+               for (i = 0; i < vha->hw->num_qpairs; i++) {
+                       qpair = vha->hw->queue_pair_map[i];
+--- a/drivers/scsi/qla2xxx/qla_iocb.c
++++ b/drivers/scsi/qla2xxx/qla_iocb.c
+@@ -522,21 +522,25 @@ __qla2x00_marker(struct scsi_qla_host *v
+               return (QLA_FUNCTION_FAILED);
+       }
++      mrk24 = (struct mrk_entry_24xx *)mrk;
++
+       mrk->entry_type = MARKER_TYPE;
+       mrk->modifier = type;
+       if (type != MK_SYNC_ALL) {
+               if (IS_FWI2_CAPABLE(ha)) {
+-                      mrk24 = (struct mrk_entry_24xx *) mrk;
+                       mrk24->nport_handle = cpu_to_le16(loop_id);
+                       int_to_scsilun(lun, (struct scsi_lun *)&mrk24->lun);
+                       host_to_fcp_swap(mrk24->lun, sizeof(mrk24->lun));
+                       mrk24->vp_index = vha->vp_idx;
+-                      mrk24->handle = make_handle(req->id, mrk24->handle);
+               } else {
+                       SET_TARGET_ID(ha, mrk->target, loop_id);
+                       mrk->lun = cpu_to_le16((uint16_t)lun);
+               }
+       }
++
++      if (IS_FWI2_CAPABLE(ha))
++              mrk24->handle = QLA_SKIP_HANDLE;
++
+       wmb();
+       qla2x00_start_iocbs(vha, req);
+@@ -3853,9 +3857,9 @@ static int qla_get_iocbs_resource(struct
+       case SRB_NACK_LOGO:
+       case SRB_LOGOUT_CMD:
+       case SRB_CTRL_VP:
+-              push_it_through = true;
+-              fallthrough;
++      case SRB_MARKER:
+       default:
++              push_it_through = true;
+               get_exch = false;
+       }
+@@ -3871,6 +3875,19 @@ static int qla_get_iocbs_resource(struct
+       return qla_get_fw_resources(sp->qpair, &sp->iores);
+ }
++static void
++qla_marker_iocb(srb_t *sp, struct mrk_entry_24xx *mrk)
++{
++      mrk->entry_type = MARKER_TYPE;
++      mrk->modifier = sp->u.iocb_cmd.u.tmf.modifier;
++      if (sp->u.iocb_cmd.u.tmf.modifier != MK_SYNC_ALL) {
++              mrk->nport_handle = cpu_to_le16(sp->u.iocb_cmd.u.tmf.loop_id);
++              int_to_scsilun(sp->u.iocb_cmd.u.tmf.lun, (struct scsi_lun *)&mrk->lun);
++              host_to_fcp_swap(mrk->lun, sizeof(mrk->lun));
++              mrk->vp_index = sp->u.iocb_cmd.u.tmf.vp_index;
++      }
++}
++
+ int
+ qla2x00_start_sp(srb_t *sp)
+ {
+@@ -3974,6 +3991,9 @@ qla2x00_start_sp(srb_t *sp)
+       case SRB_SA_REPLACE:
+               qla24xx_sa_replace_iocb(sp, pkt);
+               break;
++      case SRB_MARKER:
++              qla_marker_iocb(sp, pkt);
++              break;
+       default:
+               break;
+       }
+--- a/drivers/scsi/qla2xxx/qla_isr.c
++++ b/drivers/scsi/qla2xxx/qla_isr.c
+@@ -3750,6 +3750,28 @@ static int qla_chk_cont_iocb_avail(struc
+       return rc;
+ }
++static void qla_marker_iocb_entry(scsi_qla_host_t *vha, struct req_que *req,
++      struct mrk_entry_24xx *pkt)
++{
++      const char func[] = "MRK-IOCB";
++      srb_t *sp;
++      int res = QLA_SUCCESS;
++
++      if (!IS_FWI2_CAPABLE(vha->hw))
++              return;
++
++      sp = qla2x00_get_sp_from_handle(vha, func, req, pkt);
++      if (!sp)
++              return;
++
++      if (pkt->entry_status) {
++              ql_dbg(ql_dbg_taskm, vha, 0x8025, "marker failure.\n");
++              res = QLA_COMMAND_ERROR;
++      }
++      sp->u.iocb_cmd.u.tmf.data = res;
++      sp->done(sp, res);
++}
++
+ /**
+  * qla24xx_process_response_queue() - Process response queue entries.
+  * @vha: SCSI driver HA context
+@@ -3866,9 +3888,7 @@ process_err:
+                                       (struct nack_to_isp *)pkt);
+                       break;
+               case MARKER_TYPE:
+-                      /* Do nothing in this case, this check is to prevent it
+-                       * from falling into default case
+-                       */
++                      qla_marker_iocb_entry(vha, rsp->req, (struct mrk_entry_24xx *)pkt);
+                       break;
+               case ABORT_IOCB_TYPE:
+                       qla24xx_abort_iocb_entry(vha, rsp->req,
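Review bot: The switch in qla_get_iocbs_resource now sets `push_it_through = true` for `default:` as well: before the change only SRB_NACK_LOGO, SRB_LOGOUT_CMD and SRB_CTRL_VP reached that assignment and then fell through to `get_exch = false`, while unlisted types only cleared `get_exch`. Unless every other SRB type is caught by an earlier case outside the hunk, that widens the change beyond SRB_MARKER; keeping `case SRB_MARKER:` grouped with the three cases above a `push_it_through = true; fallthrough;` and leaving `default:` as it was would limit the patch to what the commit message describes, or the message should say the broader change is intended. Separately, `START_SP_W_RETRIES` is a multi-statement macro wrapped in bare braces, so `if (x) START_SP_W_RETRIES(sp, rval); else ...` would not compile and `cnt` is a bare local that can shadow a caller's variable; wrapping the body in `do { ... } while (0)` and renaming the counter fixes both. A `static inline int qla_start_sp_w_retries(srb_t *sp)` returning the result would be cleaner still, since both call sites only need the return value.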
diff --git a/queue-6.4/scsi-qla2xxx-multi-que-support-for-tmf.patch b/queue-6.4/scsi-qla2xxx-multi-que-support-for-tmf.patch
new file mode 100644 (file)
index 0000000..8946017
--- /dev/null
@@ -0,0 +1,188 @@
+From d90171dd0da50212f5950cc708240831e82f2f91 Mon Sep 17 00:00:00 2001
+From: Quinn Tran <qutran@marvell.com>
+Date: Fri, 28 Apr 2023 00:53:33 -0700
+Subject: scsi: qla2xxx: Multi-que support for TMF
+
+From: Quinn Tran <qutran@marvell.com>
+
+commit d90171dd0da50212f5950cc708240831e82f2f91 upstream.
+
+Add queue flush for task management command, before
+placing it on the wire.
+Do IO flush for all Request Q's.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Link: https://lore.kernel.org/oe-kbuild-all/202304271702.GpIL391S-lkp@intel.com/
+Cc: stable@vger.kernel.org
+Signed-off-by: Quinn Tran <qutran@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Link: https://lore.kernel.org/r/20230428075339.32551-2-njavali@marvell.com
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com <mailto:himanshu.madhani@oracle.com>>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_def.h  |    8 ++++
+ drivers/scsi/qla2xxx/qla_gbl.h  |    2 -
+ drivers/scsi/qla2xxx/qla_init.c |   69 +++++++++++++++++++++++++++++++---------
+ drivers/scsi/qla2xxx/qla_iocb.c |    5 +-
+ 4 files changed, 66 insertions(+), 18 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_def.h
++++ b/drivers/scsi/qla2xxx/qla_def.h
+@@ -465,6 +465,14 @@ static inline be_id_t port_id_to_be_id(p
+       return res;
+ }
++struct tmf_arg {
++      struct qla_qpair *qpair;
++      struct fc_port *fcport;
++      struct scsi_qla_host *vha;
++      u64 lun;
++      u32 flags;
++};
++
+ struct els_logo_payload {
+       uint8_t opcode;
+       uint8_t rsvd[3];
+--- a/drivers/scsi/qla2xxx/qla_gbl.h
++++ b/drivers/scsi/qla2xxx/qla_gbl.h
+@@ -69,7 +69,7 @@ extern int qla2x00_async_logout(struct s
+ extern int qla2x00_async_prlo(struct scsi_qla_host *, fc_port_t *);
+ extern int qla2x00_async_adisc(struct scsi_qla_host *, fc_port_t *,
+     uint16_t *);
+-extern int qla2x00_async_tm_cmd(fc_port_t *, uint32_t, uint32_t, uint32_t);
++extern int qla2x00_async_tm_cmd(fc_port_t *, uint32_t, uint64_t, uint32_t);
+ struct qla_work_evt *qla2x00_alloc_work(struct scsi_qla_host *,
+     enum qla_work_type);
+ extern int qla24xx_async_gnl(struct scsi_qla_host *, fc_port_t *);
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -2020,17 +2020,19 @@ static void qla2x00_tmf_sp_done(srb_t *s
+       complete(&tmf->u.tmf.comp);
+ }
+-int
+-qla2x00_async_tm_cmd(fc_port_t *fcport, uint32_t flags, uint32_t lun,
+-      uint32_t tag)
++static int
++__qla2x00_async_tm_cmd(struct tmf_arg *arg)
+ {
+-      struct scsi_qla_host *vha = fcport->vha;
++      struct scsi_qla_host *vha = arg->vha;
+       struct srb_iocb *tm_iocb;
+       srb_t *sp;
++      unsigned long flags;
+       int rval = QLA_FUNCTION_FAILED;
++      fc_port_t *fcport = arg->fcport;
++
+       /* ref: INIT */
+-      sp = qla2x00_get_sp(vha, fcport, GFP_KERNEL);
++      sp = qla2xxx_get_qpair_sp(vha, arg->qpair, fcport, GFP_KERNEL);
+       if (!sp)
+               goto done;
+@@ -2043,15 +2045,15 @@ qla2x00_async_tm_cmd(fc_port_t *fcport,
+       tm_iocb = &sp->u.iocb_cmd;
+       init_completion(&tm_iocb->u.tmf.comp);
+-      tm_iocb->u.tmf.flags = flags;
+-      tm_iocb->u.tmf.lun = lun;
++      tm_iocb->u.tmf.flags = arg->flags;
++      tm_iocb->u.tmf.lun = arg->lun;
++      rval = qla2x00_start_sp(sp);
+       ql_dbg(ql_dbg_taskm, vha, 0x802f,
+-          "Async-tmf hdl=%x loop-id=%x portid=%02x%02x%02x.\n",
++          "Async-tmf hdl=%x loop-id=%x portid=%02x%02x%02x ctrl=%x.\n",
+           sp->handle, fcport->loop_id, fcport->d_id.b.domain,
+-          fcport->d_id.b.area, fcport->d_id.b.al_pa);
++          fcport->d_id.b.area, fcport->d_id.b.al_pa, arg->flags);
+-      rval = qla2x00_start_sp(sp);
+       if (rval != QLA_SUCCESS)
+               goto done_free_sp;
+       wait_for_completion(&tm_iocb->u.tmf.comp);
+@@ -2065,12 +2067,14 @@ qla2x00_async_tm_cmd(fc_port_t *fcport,
+       if (!test_bit(UNLOADING, &vha->dpc_flags) && !IS_QLAFX00(vha->hw)) {
+               flags = tm_iocb->u.tmf.flags;
+-              lun = (uint16_t)tm_iocb->u.tmf.lun;
++              if (flags & (TCF_LUN_RESET|TCF_ABORT_TASK_SET|
++                      TCF_CLEAR_TASK_SET|TCF_CLEAR_ACA))
++                      flags = MK_SYNC_ID_LUN;
++              else
++                      flags = MK_SYNC_ID;
+-              /* Issue Marker IOCB */
+-              qla2x00_marker(vha, vha->hw->base_qpair,
+-                  fcport->loop_id, lun,
+-                  flags == TCF_LUN_RESET ? MK_SYNC_ID_LUN : MK_SYNC_ID);
++              qla2x00_marker(vha, sp->qpair,
++                  sp->fcport->loop_id, arg->lun, flags);
+       }
+ done_free_sp:
+@@ -2080,6 +2084,41 @@ done:
+       return rval;
+ }
++int
++qla2x00_async_tm_cmd(fc_port_t *fcport, uint32_t flags, uint64_t lun,
++                   uint32_t tag)
++{
++      struct scsi_qla_host *vha = fcport->vha;
++      struct qla_qpair *qpair;
++      struct tmf_arg a;
++      struct completion comp;
++      int i, rval;
++
++      init_completion(&comp);
++      a.vha = fcport->vha;
++      a.fcport = fcport;
++      a.lun = lun;
++
++      if (vha->hw->mqenable) {
++              for (i = 0; i < vha->hw->num_qpairs; i++) {
++                      qpair = vha->hw->queue_pair_map[i];
++                      if (!qpair)
++                              continue;
++                      a.qpair = qpair;
++                      a.flags = flags|TCF_NOTMCMD_TO_TARGET;
++                      rval = __qla2x00_async_tm_cmd(&a);
++                      if (rval)
++                              break;
++              }
++      }
++
++      a.qpair = vha->hw->base_qpair;
++      a.flags = flags;
++      rval = __qla2x00_async_tm_cmd(&a);
++
++      return rval;
++}
++
+ int
+ qla24xx_async_abort_command(srb_t *sp)
+ {
+--- a/drivers/scsi/qla2xxx/qla_iocb.c
++++ b/drivers/scsi/qla2xxx/qla_iocb.c
+@@ -2541,7 +2541,7 @@ qla24xx_tm_iocb(srb_t *sp, struct tsk_mg
+       scsi_qla_host_t *vha = fcport->vha;
+       struct qla_hw_data *ha = vha->hw;
+       struct srb_iocb *iocb = &sp->u.iocb_cmd;
+-      struct req_que *req = vha->req;
++      struct req_que *req = sp->qpair->req;
+       flags = iocb->u.tmf.flags;
+       lun = iocb->u.tmf.lun;
+@@ -2557,7 +2557,8 @@ qla24xx_tm_iocb(srb_t *sp, struct tsk_mg
+       tsk->port_id[2] = fcport->d_id.b.domain;
+       tsk->vp_index = fcport->vha->vp_idx;
+-      if (flags == TCF_LUN_RESET) {
++      if (flags & (TCF_LUN_RESET | TCF_ABORT_TASK_SET|
++          TCF_CLEAR_TASK_SET|TCF_CLEAR_ACA)) {
+               int_to_scsilun(lun, &tsk->lun);
+               host_to_fcp_swap((uint8_t *)&tsk->lun,
+                       sizeof(tsk->lun));
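Review bot: In the new `qla2x00_async_tm_cmd` wrapper the lines `struct completion comp;` and `init_completion(&comp);` declare and initialise a completion that is never waited on or handed to anything, so both lines are dead and should be dropped; the `tag` parameter is likewise still unused after the rework. More importantly, the `if (rval) break;` in the per-qpair loop has no lasting effect, because the call on `base_qpair` that follows overwrites `rval` unconditionally, so a failed flush on a secondary queue is never visible to the caller; either return early on that error or state the intent in a comment, e.g. `/* flush failures on secondary queues are best-effort; the TMF on base_qpair decides the result */`. A one-line header comment on the wrapper saying that it flushes every request queue with `TCF_NOTMCMD_TO_TARGET` before issuing the real TMF on the base queue would also save the next reader a trip through `__qla2x00_async_tm_cmd`.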
diff --git a/queue-6.4/scsi-qla2xxx-pointer-may-be-dereferenced.patch b/queue-6.4/scsi-qla2xxx-pointer-may-be-dereferenced.patch
new file mode 100644 (file)
index 0000000..823a0f6
--- /dev/null
@@ -0,0 +1,36 @@
+From 00eca15319d9ce8c31cdf22f32a3467775423df4 Mon Sep 17 00:00:00 2001
+From: Shreyas Deodhar <sdeodhar@marvell.com>
+Date: Wed, 7 Jun 2023 17:08:41 +0530
+Subject: scsi: qla2xxx: Pointer may be dereferenced
+
+From: Shreyas Deodhar <sdeodhar@marvell.com>
+
+commit 00eca15319d9ce8c31cdf22f32a3467775423df4 upstream.
+
+Klocwork tool reported pointer 'rport' returned from call to function
+fc_bsg_to_rport() may be NULL and will be dereferenced.
+
+Add a fix to validate rport before dereferencing.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Shreyas Deodhar <sdeodhar@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Link: https://lore.kernel.org/r/20230607113843.37185-7-njavali@marvell.com
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_bsg.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/scsi/qla2xxx/qla_bsg.c
++++ b/drivers/scsi/qla2xxx/qla_bsg.c
+@@ -2996,6 +2996,8 @@ qla24xx_bsg_request(struct bsg_job *bsg_
+       if (bsg_request->msgcode == FC_BSG_RPT_ELS) {
+               rport = fc_bsg_to_rport(bsg_job);
++              if (!rport)
++                      return ret;
+               host = rport_to_shost(rport);
+               vha = shost_priv(host);
+       } else {
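Review bot: The new `if (!rport) return ret;` returns whatever `ret` holds at that point, and `ret` is initialised outside this hunk (qla24xx_bsg_request starts before it), so a reader cannot tell from here whether a request without an rport is rejected or silently reported as success; returning an explicit error such as `return -EINVAL;` (or whichever code the function uses for malformed requests) makes the rejection independent of how `ret` happens to be initialised. A short comment like `/* FC_BSG_RPT_ELS requests must carry a valid rport */` would document why this path bails out.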
diff --git a/queue-6.4/scsi-qla2xxx-remove-unused-nvme_ls_waitq-wait-queue.patch b/queue-6.4/scsi-qla2xxx-remove-unused-nvme_ls_waitq-wait-queue.patch
new file mode 100644 (file)
index 0000000..249584e
--- /dev/null
@@ -0,0 +1,91 @@
+From 20fce500b232b970e40312a9c97e7f3b6d7a709c Mon Sep 17 00:00:00 2001
+From: Manish Rangankar <mrangankar@marvell.com>
+Date: Thu, 15 Jun 2023 13:16:33 +0530
+Subject: scsi: qla2xxx: Remove unused nvme_ls_waitq wait queue
+
+From: Manish Rangankar <mrangankar@marvell.com>
+
+commit 20fce500b232b970e40312a9c97e7f3b6d7a709c upstream.
+
+System crash when qla2x00_start_sp(sp) returns error code EGAIN and wake_up
+gets called for uninitialized wait queue sp->nvme_ls_waitq.
+
+    qla2xxx [0000:37:00.1]-2121:5: Returning existing qpair of ffff8ae2c0513400 for idx=0
+    qla2xxx [0000:37:00.1]-700e:5: qla2x00_start_sp failed = 11
+    BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
+    PGD 0 P4D 0
+    Oops: 0000 [#1] SMP NOPTI
+    Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021
+    Workqueue: nvme-wq nvme_fc_connect_ctrl_work [nvme_fc]
+    RIP: 0010:__wake_up_common+0x4c/0x190
+    RSP: 0018:ffff95f3e0cb7cd0 EFLAGS: 00010086
+    RAX: 0000000000000000 RBX: ffff8b08d3b26328 RCX: 0000000000000000
+    RDX: 0000000000000001 RSI: 0000000000000003 RDI: ffff8b08d3b26320
+    RBP: 0000000000000001 R08: 0000000000000000 R09: ffffffffffffffe8
+    R10: 0000000000000000 R11: ffff95f3e0cb7a60 R12: ffff95f3e0cb7d20
+    R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000000000
+    FS:  0000000000000000(0000) GS:ffff8b2fdf6c0000(0000) knlGS:0000000000000000
+    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+    CR2: 0000000000000000 CR3: 0000002f1e410002 CR4: 00000000007706e0
+    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+    PKRU: 55555554
+    Call Trace:
+     __wake_up_common_lock+0x7c/0xc0
+     qla_nvme_ls_req+0x355/0x4c0 [qla2xxx]
+     ? __nvme_fc_send_ls_req+0x260/0x380 [nvme_fc]
+     ? nvme_fc_send_ls_req.constprop.42+0x1a/0x45 [nvme_fc]
+     ? nvme_fc_connect_ctrl_work.cold.63+0x1e3/0xa7d [nvme_fc]
+
+Remove unused nvme_ls_waitq wait queue. nvme_ls_waitq logic was removed
+previously in the commits tagged Fixed: below.
+
+Fixes: 219d27d7147e ("scsi: qla2xxx: Fix race conditions in the code for aborting SCSI commands")
+Fixes: 5621b0dd7453 ("scsi: qla2xxx: Simpify unregistration of FC-NVMe local/remote ports")
+Cc: stable@vger.kernel.org
+Signed-off-by: Manish Rangankar <mrangankar@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Link: https://lore.kernel.org/r/20230615074633.12721-1-njavali@marvell.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_def.h  |    1 -
+ drivers/scsi/qla2xxx/qla_nvme.c |    3 ---
+ 2 files changed, 4 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_def.h
++++ b/drivers/scsi/qla2xxx/qla_def.h
+@@ -703,7 +703,6 @@ typedef struct srb {
+       struct iocb_resource iores;
+       struct kref cmd_kref;   /* need to migrate ref_count over to this */
+       void *priv;
+-      wait_queue_head_t nvme_ls_waitq;
+       struct fc_port *fcport;
+       struct scsi_qla_host *vha;
+       unsigned int start_timer:1;
+--- a/drivers/scsi/qla2xxx/qla_nvme.c
++++ b/drivers/scsi/qla2xxx/qla_nvme.c
+@@ -360,7 +360,6 @@ static int qla_nvme_ls_req(struct nvme_f
+       if (rval != QLA_SUCCESS) {
+               ql_log(ql_log_warn, vha, 0x700e,
+                   "qla2x00_start_sp failed = %d\n", rval);
+-              wake_up(&sp->nvme_ls_waitq);
+               sp->priv = NULL;
+               priv->sp = NULL;
+               qla2x00_rel_sp(sp);
+@@ -652,7 +651,6 @@ static int qla_nvme_post_cmd(struct nvme
+       if (!sp)
+               return -EBUSY;
+-      init_waitqueue_head(&sp->nvme_ls_waitq);
+       kref_init(&sp->cmd_kref);
+       spin_lock_init(&priv->cmd_lock);
+       sp->priv = priv;
+@@ -671,7 +669,6 @@ static int qla_nvme_post_cmd(struct nvme
+       if (rval != QLA_SUCCESS) {
+               ql_log(ql_log_warn, vha, 0x212d,
+                   "qla2x00_start_nvme_mq failed = %d\n", rval);
+-              wake_up(&sp->nvme_ls_waitq);
+               sp->priv = NULL;
+               priv->sp = NULL;
+               qla2xxx_rel_qpair_sp(sp->qpair, sp);
diff --git a/queue-6.4/scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch b/queue-6.4/scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch
new file mode 100644 (file)
index 0000000..1dcf728
--- /dev/null
@@ -0,0 +1,71 @@
+From fc0cba0c7be8261a1625098bd1d695077ec621c9 Mon Sep 17 00:00:00 2001
+From: Quinn Tran <qutran@marvell.com>
+Date: Fri, 28 Apr 2023 00:53:38 -0700
+Subject: scsi: qla2xxx: Wait for io return on terminate rport
+
+From: Quinn Tran <qutran@marvell.com>
+
+commit fc0cba0c7be8261a1625098bd1d695077ec621c9 upstream.
+
+System crash due to use after free.
+Current code allows terminate_rport_io to exit before making
+sure all IOs has returned. For FCP-2 device, IO's can hang
+on in HW because driver has not tear down the session in FW at
+first sign of cable pull. When dev_loss_tmo timer pops,
+terminate_rport_io is called and upper layer is about to
+free various resources. Terminate_rport_io trigger qla to do
+the final cleanup, but the cleanup might not be fast enough where it
+leave qla still holding on to the same resource.
+
+Wait for IO's to return to upper layer before resources are freed.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Quinn Tran <qutran@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Link: https://lore.kernel.org/r/20230428075339.32551-7-njavali@marvell.com
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_attr.c |   13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/drivers/scsi/qla2xxx/qla_attr.c
++++ b/drivers/scsi/qla2xxx/qla_attr.c
+@@ -2750,6 +2750,7 @@ static void
+ qla2x00_terminate_rport_io(struct fc_rport *rport)
+ {
+       fc_port_t *fcport = *(fc_port_t **)rport->dd_data;
++      scsi_qla_host_t *vha;
+       if (!fcport)
+               return;
+@@ -2759,9 +2760,12 @@ qla2x00_terminate_rport_io(struct fc_rpo
+       if (test_bit(ABORT_ISP_ACTIVE, &fcport->vha->dpc_flags))
+               return;
++      vha = fcport->vha;
+       if (unlikely(pci_channel_offline(fcport->vha->hw->pdev))) {
+               qla2x00_abort_all_cmds(fcport->vha, DID_NO_CONNECT << 16);
++              qla2x00_eh_wait_for_pending_commands(fcport->vha, fcport->d_id.b24,
++                      0, WAIT_TARGET);
+               return;
+       }
+       /*
+@@ -2786,6 +2790,15 @@ qla2x00_terminate_rport_io(struct fc_rpo
+                       qla2x00_port_logout(fcport->vha, fcport);
+               }
+       }
++
++      /* check for any straggling io left behind */
++      if (qla2x00_eh_wait_for_pending_commands(fcport->vha, fcport->d_id.b24, 0, WAIT_TARGET)) {
++              ql_log(ql_log_warn, vha, 0x300b,
++                     "IO not return.  Resetting. \n");
++              set_bit(ISP_ABORT_NEEDED, &vha->dpc_flags);
++              qla2xxx_wake_dpc(vha);
++              qla2x00_wait_for_chip_reset(vha);
++      }
+ }
+ static int
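Review bot: The new `vha` local is assigned only after the early returns, yet both new `qla2x00_eh_wait_for_pending_commands(fcport->vha, ...)` calls still pass `fcport->vha` while the log, `set_bit` and reset calls right after use `vha`; using `vha` throughout gives the function one spelling for the same pointer and brings the second call back under 80 columns. The warning string `"IO not return.  Resetting. \n"` has a double space and a trailing space before the newline; `"IO not returned. Resetting.\n"` reads cleanly. The non-zero return of the wait helper is presumably "I/O still outstanding after the timeout"; a comment such as `/* I/O still pending after the wait: force a chip reset so no stale sp outlives the rport */` would make the reset path easier to audit. qla2x00_terminate_rport_io is visible in full across the two hunks.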
diff --git a/queue-6.4/selftests-mptcp-connect-fail-if-nft-supposed-to-work.patch b/queue-6.4/selftests-mptcp-connect-fail-if-nft-supposed-to-work.patch
new file mode 100644 (file)
index 0000000..fa9b8e9
--- /dev/null
@@ -0,0 +1,54 @@
+From 221e4550454a822f9a11834e30694c7d1d65747c Mon Sep 17 00:00:00 2001
+From: Matthieu Baerts <matthieu.baerts@tessares.net>
+Date: Tue, 4 Jul 2023 22:44:35 +0200
+Subject: selftests: mptcp: connect: fail if nft supposed to work
+
+From: Matthieu Baerts <matthieu.baerts@tessares.net>
+
+commit 221e4550454a822f9a11834e30694c7d1d65747c upstream.
+
+In case of "external" errors when preparing the environment for the
+TProxy tests, the subtests were marked as skipped.
+
+This is fine but it means these errors are ignored. On MPTCP Public CI,
+we do want to catch such issues and mark the selftest as failed if there
+are such issues. We can then use mptcp_lib_fail_if_expected_feature()
+helper that has been recently added to fail if needed.
+
+Link: https://github.com/multipath-tcp/mptcp_net-next/issues/368
+Fixes: 5fb62e9cd3ad ("selftests: mptcp: add tproxy test case")
+Cc: stable@vger.kernel.org
+Acked-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/mptcp_connect.sh |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_connect.sh
++++ b/tools/testing/selftests/net/mptcp/mptcp_connect.sh
+@@ -718,6 +718,7 @@ table inet mangle {
+ EOF
+       if [ $? -ne 0 ]; then
+               echo "SKIP: $msg, could not load nft ruleset"
++              mptcp_lib_fail_if_expected_feature "nft rules"
+               return
+       fi
+@@ -733,6 +734,7 @@ EOF
+       if [ $? -ne 0 ]; then
+               ip netns exec "$listener_ns" nft flush ruleset
+               echo "SKIP: $msg, ip $r6flag rule failed"
++              mptcp_lib_fail_if_expected_feature "ip rule"
+               return
+       fi
+@@ -741,6 +743,7 @@ EOF
+               ip netns exec "$listener_ns" nft flush ruleset
+               ip -net "$listener_ns" $r6flag rule del fwmark 1 lookup 100
+               echo "SKIP: $msg, ip route add local $local_addr failed"
++              mptcp_lib_fail_if_expected_feature "ip route"
+               return
+       fi
diff --git a/queue-6.4/selftests-mptcp-depend-on-syn_cookies.patch b/queue-6.4/selftests-mptcp-depend-on-syn_cookies.patch
new file mode 100644 (file)
index 0000000..c443063
--- /dev/null
@@ -0,0 +1,40 @@
+From 6c8880fcaa5c45355179b759c1d11737775e31fc Mon Sep 17 00:00:00 2001
+From: Matthieu Baerts <matthieu.baerts@tessares.net>
+Date: Tue, 4 Jul 2023 22:44:40 +0200
+Subject: selftests: mptcp: depend on SYN_COOKIES
+
+From: Matthieu Baerts <matthieu.baerts@tessares.net>
+
+commit 6c8880fcaa5c45355179b759c1d11737775e31fc upstream.
+
+MPTCP selftests are using TCP SYN Cookies for quite a while now, since
+v5.9.
+
+Some CIs don't have this config option enabled and this is causing
+issues in the tests:
+
+  # ns1 MPTCP -> ns1 (10.0.1.1:10000      ) MPTCP     (duration   167ms) sysctl: cannot stat /proc/sys/net/ipv4/tcp_syncookies: No such file or directory
+  # [ OK ]./mptcp_connect.sh: line 554: [: -eq: unary operator expected
+
+There is no impact in the results but the test is not doing what it is
+supposed to do.
+
+Fixes: fed61c4b584c ("selftests: mptcp: make 2nd net namespace use tcp syn cookies unconditionally")
+Cc: stable@vger.kernel.org
+Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/config |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/tools/testing/selftests/net/mptcp/config
++++ b/tools/testing/selftests/net/mptcp/config
+@@ -6,6 +6,7 @@ CONFIG_INET_DIAG=m
+ CONFIG_INET_MPTCP_DIAG=m
+ CONFIG_VETH=y
+ CONFIG_NET_SCH_NETEM=m
++CONFIG_SYN_COOKIES=y
+ CONFIG_NETFILTER=y
+ CONFIG_NETFILTER_ADVANCED=y
+ CONFIG_NETFILTER_NETLINK=m
diff --git a/queue-6.4/selftests-mptcp-pm_nl_ctl-fix-32-bit-support.patch b/queue-6.4/selftests-mptcp-pm_nl_ctl-fix-32-bit-support.patch
new file mode 100644 (file)
index 0000000..ab7d44f
--- /dev/null
@@ -0,0 +1,85 @@
+From 61d9658050260dbcbf9055479b7ac5bbbe1e8831 Mon Sep 17 00:00:00 2001
+From: Matthieu Baerts <matthieu.baerts@tessares.net>
+Date: Tue, 4 Jul 2023 22:44:41 +0200
+Subject: selftests: mptcp: pm_nl_ctl: fix 32-bit support
+
+From: Matthieu Baerts <matthieu.baerts@tessares.net>
+
+commit 61d9658050260dbcbf9055479b7ac5bbbe1e8831 upstream.
+
+When using pm_nl_ctl to validate userspace path-manager's behaviours, it
+was failing on 32-bit architectures ~half of the time.
+
+pm_nl_ctl was not reporting any error but the command was not doing what
+it was expected to do. As a result, the expected linked event was not
+triggered after and the test failed.
+
+This is due to the fact the token given in argument to the application
+was parsed as an integer with atoi(): in a 32-bit arch, if the number
+was bigger than INT_MAX, 2147483647 was used instead.
+
+This can simply be fixed by using strtoul() instead of atoi().
+
+The errors have been seen "by chance" when manually looking at the
+results from LKFT.
+
+Fixes: 9a0b36509df0 ("selftests: mptcp: support MPTCP_PM_CMD_ANNOUNCE")
+Cc: stable@vger.kernel.org
+Fixes: ecd2a77d672f ("selftests: mptcp: support MPTCP_PM_CMD_REMOVE")
+Fixes: cf8d0a6dfd64 ("selftests: mptcp: support MPTCP_PM_CMD_SUBFLOW_CREATE")
+Fixes: 57cc361b8d38 ("selftests: mptcp: support MPTCP_PM_CMD_SUBFLOW_DESTROY")
+Fixes: ca188a25d43f ("selftests: mptcp: userspace PM support for MP_PRIO signals")
+Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/pm_nl_ctl.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/tools/testing/selftests/net/mptcp/pm_nl_ctl.c
++++ b/tools/testing/selftests/net/mptcp/pm_nl_ctl.c
+@@ -425,7 +425,7 @@ int dsf(int fd, int pm_family, int argc,
+       }
+       /* token */
+-      token = atoi(params[4]);
++      token = strtoul(params[4], NULL, 10);
+       rta = (void *)(data + off);
+       rta->rta_type = MPTCP_PM_ATTR_TOKEN;
+       rta->rta_len = RTA_LENGTH(4);
+@@ -551,7 +551,7 @@ int csf(int fd, int pm_family, int argc,
+       }
+       /* token */
+-      token = atoi(params[4]);
++      token = strtoul(params[4], NULL, 10);
+       rta = (void *)(data + off);
+       rta->rta_type = MPTCP_PM_ATTR_TOKEN;
+       rta->rta_len = RTA_LENGTH(4);
+@@ -598,7 +598,7 @@ int remove_addr(int fd, int pm_family, i
+                       if (++arg >= argc)
+                               error(1, 0, " missing token value");
+-                      token = atoi(argv[arg]);
++                      token = strtoul(argv[arg], NULL, 10);
+                       rta = (void *)(data + off);
+                       rta->rta_type = MPTCP_PM_ATTR_TOKEN;
+                       rta->rta_len = RTA_LENGTH(4);
+@@ -710,7 +710,7 @@ int announce_addr(int fd, int pm_family,
+                       if (++arg >= argc)
+                               error(1, 0, " missing token value");
+-                      token = atoi(argv[arg]);
++                      token = strtoul(argv[arg], NULL, 10);
+               } else
+                       error(1, 0, "unknown keyword %s", argv[arg]);
+       }
+@@ -1347,7 +1347,7 @@ int set_flags(int fd, int pm_family, int
+                               error(1, 0, " missing token value");
+                       /* token */
+-                      token = atoi(argv[arg]);
++                      token = strtoul(argv[arg], NULL, 10);
+               } else if (!strcmp(argv[arg], "flags")) {
+                       char *tok, *str;
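Review bot: The five `token = strtoul(..., NULL, 10);` replacements fix the 32-bit truncation but still accept any input: with a NULL endptr a non-numeric token silently becomes 0, `errno`/`ERANGE` is never checked, and on 64-bit hosts `unsigned long` is 64 bits wide while the attribute is sent with `RTA_LENGTH(4)`, so a value above 0xffffffff is quietly truncated when stored in `token`. Since this tool drives the kernel path-manager interface in the selftests, a bad token should be rejected loudly with the `error(1, 0, ...)` idiom the file already uses rather than producing a silently wrong command; a small parse helper shared by the five sites (dsf, csf, remove_addr, announce_addr, set_flags) does that. The enclosing functions start and end outside each hunk.
```c
/* Parse a decimal token; reject junk and out-of-range values instead of silently using 0. */
static uint32_t parse_token(const char *str)
{
	char *end;
	unsigned long v;

	errno = 0;
	v = strtoul(str, &end, 10);
	if (end == str || *end != '\0' || errno == ERANGE || v > 0xffffffffUL)
		error(1, 0, "invalid token value: %s", str);
	return (uint32_t)v;
}
/* … unchanged: each call site becomes token = parse_token(params[4]); or token = parse_token(argv[arg]); … */
```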
diff --git a/queue-6.4/selftests-mptcp-sockopt-return-error-if-wrong-mark.patch b/queue-6.4/selftests-mptcp-sockopt-return-error-if-wrong-mark.patch
new file mode 100644 (file)
index 0000000..9237eca
--- /dev/null
@@ -0,0 +1,55 @@
+From 9ac4c28eb70cd5ea5472a5e1c495dcdd597d4597 Mon Sep 17 00:00:00 2001
+From: Matthieu Baerts <matthieu.baerts@tessares.net>
+Date: Tue, 4 Jul 2023 22:44:37 +0200
+Subject: selftests: mptcp: sockopt: return error if wrong mark
+
+From: Matthieu Baerts <matthieu.baerts@tessares.net>
+
+commit 9ac4c28eb70cd5ea5472a5e1c495dcdd597d4597 upstream.
+
+When an error was detected when checking the marks, a message was
+correctly printed mentioning the error but followed by another one
+saying everything was OK and the selftest was not marked as failed as
+expected.
+
+Now the 'ret' variable is directly set to 1 in order to make sure the
+exit is done with an error, similar to what is done in other functions.
+While at it, the error is correctly propagated to the caller.
+
+Link: https://github.com/multipath-tcp/mptcp_net-next/issues/368
+Fixes: dc65fe82fb07 ("selftests: mptcp: add packet mark test case")
+Cc: stable@vger.kernel.org
+Acked-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/mptcp_sockopt.sh |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_sockopt.sh
++++ b/tools/testing/selftests/net/mptcp/mptcp_sockopt.sh
+@@ -128,6 +128,7 @@ check_mark()
+       for v in $values; do
+               if [ $v -ne 0 ]; then
+                       echo "FAIL: got $tables $values in ns $ns , not 0 - not all expected packets marked" 1>&2
++                      ret=1
+                       return 1
+               fi
+       done
+@@ -227,11 +228,11 @@ do_transfer()
+       fi
+       if [ $local_addr = "::" ];then
+-              check_mark $listener_ns 6
+-              check_mark $connector_ns 6
++              check_mark $listener_ns 6 || retc=1
++              check_mark $connector_ns 6 || retc=1
+       else
+-              check_mark $listener_ns 4
+-              check_mark $connector_ns 4
++              check_mark $listener_ns 4 || retc=1
++              check_mark $connector_ns 4 || retc=1
+       fi
+       check_transfer $cin $sout "file received by server"
diff --git a/queue-6.4/selftests-mptcp-sockopt-use-iptables-legacy-if-available.patch b/queue-6.4/selftests-mptcp-sockopt-use-iptables-legacy-if-available.patch
new file mode 100644 (file)
index 0000000..6579601
--- /dev/null
@@ -0,0 +1,83 @@
+From a5a5990c099dd354e05e89ee77cd2dbf6655d4a1 Mon Sep 17 00:00:00 2001
+From: Matthieu Baerts <matthieu.baerts@tessares.net>
+Date: Tue, 4 Jul 2023 22:44:36 +0200
+Subject: selftests: mptcp: sockopt: use 'iptables-legacy' if available
+
+From: Matthieu Baerts <matthieu.baerts@tessares.net>
+
+commit a5a5990c099dd354e05e89ee77cd2dbf6655d4a1 upstream.
+
+IPTables commands using 'iptables-nft' fail on old kernels, at least
+on v5.15 because it doesn't see the default IPTables chains:
+
+  $ iptables -L
+  iptables/1.8.2 Failed to initialize nft: Protocol not supported
+
+As a first step before switching to NFTables, we can use iptables-legacy
+if available.
+
+Link: https://github.com/multipath-tcp/mptcp_net-next/issues/368
+Fixes: dc65fe82fb07 ("selftests: mptcp: add packet mark test case")
+Cc: stable@vger.kernel.org
+Acked-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/mptcp_sockopt.sh |   20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_sockopt.sh
++++ b/tools/testing/selftests/net/mptcp/mptcp_sockopt.sh
+@@ -12,6 +12,8 @@ ksft_skip=4
+ timeout_poll=30
+ timeout_test=$((timeout_poll * 2 + 1))
+ mptcp_connect=""
++iptables="iptables"
++ip6tables="ip6tables"
+ sec=$(date +%s)
+ rndh=$(printf %x $sec)-$(mktemp -u XXXXXX)
+@@ -25,7 +27,7 @@ add_mark_rules()
+       local m=$2
+       local t
+-      for t in iptables ip6tables; do
++      for t in ${iptables} ${ip6tables}; do
+               # just to debug: check we have multiple subflows connection requests
+               ip netns exec $ns $t -A OUTPUT -p tcp --syn -m mark --mark $m -j ACCEPT
+@@ -95,14 +97,14 @@ if [ $? -ne 0 ];then
+       exit $ksft_skip
+ fi
+-iptables -V > /dev/null 2>&1
+-if [ $? -ne 0 ];then
++# Use the legacy version if available to support old kernel versions
++if iptables-legacy -V &> /dev/null; then
++      iptables="iptables-legacy"
++      ip6tables="ip6tables-legacy"
++elif ! iptables -V &> /dev/null; then
+       echo "SKIP: Could not run all tests without iptables tool"
+       exit $ksft_skip
+-fi
+-
+-ip6tables -V > /dev/null 2>&1
+-if [ $? -ne 0 ];then
++elif ! ip6tables -V &> /dev/null; then
+       echo "SKIP: Could not run all tests without ip6tables tool"
+       exit $ksft_skip
+ fi
+@@ -112,10 +114,10 @@ check_mark()
+       local ns=$1
+       local af=$2
+-      local tables=iptables
++      local tables=${iptables}
+       if [ $af -eq 6 ];then
+-              tables=ip6tables
++              tables=${ip6tables}
+       fi
+       local counters values
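Review bot: The new branch `if iptables-legacy -V &> /dev/null; then` switches both `iptables` and `ip6tables` to their `-legacy` variants after probing only the IPv4 binary, so on a host that ships `iptables-legacy` without `ip6tables-legacy` the script no longer skips but fails later when `check_mark` runs `${ip6tables}`; probe both before committing to legacy: `if iptables-legacy -V &> /dev/null && ip6tables-legacy -V &> /dev/null; then`. `&>` is a bash-only redirection; it is fine if the script's shebang is bash (not visible here), otherwise the `> /dev/null 2>&1` form the removed lines used is the portable one.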
diff --git a/queue-6.4/selftests-mptcp-userspace_pm-report-errors-with-remove-tests.patch b/queue-6.4/selftests-mptcp-userspace_pm-report-errors-with-remove-tests.patch
new file mode 100644 (file)
index 0000000..c0d59d8
--- /dev/null
@@ -0,0 +1,44 @@
+From 966c6c3adfb1257ea8a839cdfad2b74092cc5532 Mon Sep 17 00:00:00 2001
+From: Matthieu Baerts <matthieu.baerts@tessares.net>
+Date: Tue, 4 Jul 2023 22:44:39 +0200
+Subject: selftests: mptcp: userspace_pm: report errors with 'remove' tests
+
+From: Matthieu Baerts <matthieu.baerts@tessares.net>
+
+commit 966c6c3adfb1257ea8a839cdfad2b74092cc5532 upstream.
+
+A message was mentioning an issue with the "remove" tests but the
+selftest was not marked as failed.
+
+Directly exit with an error like it is done everywhere else in this
+selftest.
+
+Link: https://github.com/multipath-tcp/mptcp_net-next/issues/368
+Fixes: 259a834fadda ("selftests: mptcp: functional tests for the userspace PM type")
+Cc: stable@vger.kernel.org
+Acked-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/userspace_pm.sh |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/tools/testing/selftests/net/mptcp/userspace_pm.sh
++++ b/tools/testing/selftests/net/mptcp/userspace_pm.sh
+@@ -423,6 +423,7 @@ test_remove()
+               stdbuf -o0 -e0 printf "[OK]\n"
+       else
+               stdbuf -o0 -e0 printf "[FAIL]\n"
++              exit 1
+       fi
+       # RM_ADDR using an invalid addr id should result in no action
+@@ -437,6 +438,7 @@ test_remove()
+               stdbuf -o0 -e0 printf "[OK]\n"
+       else
+               stdbuf -o0 -e0 printf "[FAIL]\n"
++              exit 1
+       fi
+       # RM_ADDR from the client to server machine
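Review bot: The two new `exit 1` calls terminate the whole script from inside `test_remove`; unless an EXIT trap elsewhere in the script tears down the test network namespaces (not visible in this hunk), a failing remove test leaves them behind on the host, which can make the next run fail for an unrelated reason. If no such trap exists, installing one near the namespace setup is preferable to sprinkling explicit cleanup before each `exit 1`; if it does, a one-line comment at the first `exit 1` such as `# cleanup runs from the EXIT trap` would reassure readers.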
diff --git a/queue-6.4/selftests-mptcp-userspace_pm-use-correct-server-port.patch b/queue-6.4/selftests-mptcp-userspace_pm-use-correct-server-port.patch
new file mode 100644 (file)
index 0000000..e93368f
--- /dev/null
@@ -0,0 +1,36 @@
+From d8566d0e03922217f70d9be2d401fcb860986374 Mon Sep 17 00:00:00 2001
+From: Matthieu Baerts <matthieu.baerts@tessares.net>
+Date: Tue, 4 Jul 2023 22:44:38 +0200
+Subject: selftests: mptcp: userspace_pm: use correct server port
+
+From: Matthieu Baerts <matthieu.baerts@tessares.net>
+
+commit d8566d0e03922217f70d9be2d401fcb860986374 upstream.
+
+"server4_port" variable is not set but "app4_port" is the server port in
+v4 and the correct variable name to use.
+
+The port is optional so there was no visible impact.
+
+Link: https://github.com/multipath-tcp/mptcp_net-next/issues/368
+Fixes: ca188a25d43f ("selftests: mptcp: userspace PM support for MP_PRIO signals")
+Cc: stable@vger.kernel.org
+Acked-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/userspace_pm.sh |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/net/mptcp/userspace_pm.sh
++++ b/tools/testing/selftests/net/mptcp/userspace_pm.sh
+@@ -848,7 +848,7 @@ test_prio()
+       local count
+       # Send MP_PRIO signal from client to server machine
+-      ip netns exec "$ns2" ./pm_nl_ctl set 10.0.1.2 port "$client4_port" flags backup token "$client4_token" rip 10.0.1.1 rport "$server4_port"
++      ip netns exec "$ns2" ./pm_nl_ctl set 10.0.1.2 port "$client4_port" flags backup token "$client4_token" rip 10.0.1.1 rport "$app4_port"
+       sleep 0.5
+       # Check TX
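Review bot: The corrected `rport "$app4_port"` on the `+` line still passes whatever the variable expands to without checking that it is set, which is exactly how the original `server4_port` typo went unnoticed — an empty expansion quietly produced a different pm_nl_ctl command line and the test kept passing. If the script does not already run under `set -u`, an expansion such as `rport "${app4_port:?}"` would make the next typo of this kind fail loudly instead of silently changing what is tested. test_prio continues outside the hunk.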
index 292d5873947d264c6857d034cc54ab5e7d56fceb..7c61efef0264d34642ef41494d9a84c45da2e913 100644 (file)
@@ -253,3 +253,36 @@ pwm-meson-modify-and-simplify-calculation-in-meson_pwm_get_state.patch
 pwm-meson-fix-handling-of-period-duty-if-greater-than-uint_max.patch
 accel-ivpu-fix-vpu-register-access-in-irq-disable.patch
 accel-ivpu-clear-specific-interrupt-status-bits-on-c0.patch
+fprobe-release-rethook-after-the-ftrace_ops-is-unregistered.patch
+fprobe-ensure-running-fprobe_exit_handler-finished-before-calling-rethook_free.patch
+tracing-fix-null-pointer-dereference-in-tracing_err_log_open.patch
+mptcp-do-not-rely-on-implicit-state-check-in-mptcp_listen.patch
+mptcp-ensure-subflow-is-unhashed-before-cleaning-the-backlog.patch
+selftests-mptcp-sockopt-use-iptables-legacy-if-available.patch
+selftests-mptcp-connect-fail-if-nft-supposed-to-work.patch
+selftests-mptcp-sockopt-return-error-if-wrong-mark.patch
+selftests-mptcp-userspace_pm-use-correct-server-port.patch
+selftests-mptcp-userspace_pm-report-errors-with-remove-tests.patch
+selftests-mptcp-depend-on-syn_cookies.patch
+selftests-mptcp-pm_nl_ctl-fix-32-bit-support.patch
+smb-client-fix-wstringop-overflow-issues.patch
+tracing-probes-fix-to-avoid-double-count-of-the-string-length-on-the-array.patch
+tracing-probes-fix-not-to-count-error-code-to-total-length.patch
+tracing-probes-fix-to-update-dynamic-data-counter-if-fetcharg-uses-it.patch
+revert-tracing-add-fault-name-injection-to-kernel-probes.patch
+tracing-probes-fix-to-record-0-length-data_loc-in-fetch_store_string-if-fails.patch
+tracing-user_events-fix-struct-arg-size-match-check.patch
+scsi-qla2xxx-multi-que-support-for-tmf.patch
+scsi-qla2xxx-fix-task-management-cmd-failure.patch
+scsi-qla2xxx-fix-task-management-cmd-fail-due-to-unavailable-resource.patch
+scsi-qla2xxx-fix-hang-in-task-management.patch
+scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch
+scsi-qla2xxx-fix-mem-access-after-free.patch
+scsi-qla2xxx-array-index-may-go-out-of-bound.patch
+scsi-qla2xxx-avoid-fcport-pointer-dereference.patch
+scsi-qla2xxx-fix-buffer-overrun.patch
+scsi-qla2xxx-fix-potential-null-pointer-dereference.patch
+scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch
+scsi-qla2xxx-correct-the-index-of-array.patch
+scsi-qla2xxx-pointer-may-be-dereferenced.patch
+scsi-qla2xxx-remove-unused-nvme_ls_waitq-wait-queue.patch
diff --git a/queue-6.4/smb-client-fix-wstringop-overflow-issues.patch b/queue-6.4/smb-client-fix-wstringop-overflow-issues.patch
new file mode 100644 (file)
index 0000000..0d43a8c
--- /dev/null
@@ -0,0 +1,83 @@
+From f1f047bd7ce0d73788e04ac02268060a565f7ecb Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavoars@kernel.org>
+Date: Tue, 11 Jul 2023 17:12:31 -0600
+Subject: smb: client: Fix -Wstringop-overflow issues
+
+From: Gustavo A. R. Silva <gustavoars@kernel.org>
+
+commit f1f047bd7ce0d73788e04ac02268060a565f7ecb upstream.
+
+pSMB->hdr.Protocol is an array of size 4 bytes, hence when the compiler
+analyzes this line of code
+
+       parm_data = ((char *) &pSMB->hdr.Protocol) + offset;
+
+it legitimately complains about the fact that offset points outside the
+bounds of the array. Notice that the compiler gives priority to the object
+as an array, rather than merely the address of one more byte in a structure
+to wich offset should be added (which seems to be the actual intention of
+the original implementation).
+
+Fix this by explicitly instructing the compiler to treat the code as a
+sequence of bytes in struct smb_com_transaction2_spi_req, and not as an
+array accessed through pointer notation.
+
+Notice that ((char *)pSMB) + sizeof(pSMB->hdr.smb_buf_length) points to
+the same address as ((char *) &pSMB->hdr.Protocol), therefore this results
+in no differences in binary output.
+
+Fixes the following -Wstringop-overflow warnings when built s390
+architecture with defconfig (GCC 13):
+  CC [M]  fs/smb/client/cifssmb.o
+In function 'cifs_init_ace',
+    inlined from 'posix_acl_to_cifs' at fs/smb/client/cifssmb.c:3046:3,
+    inlined from 'cifs_do_set_acl' at fs/smb/client/cifssmb.c:3191:15:
+fs/smb/client/cifssmb.c:2987:31: warning: writing 1 byte into a region of size 0 [-Wstringop-overflow=]
+ 2987 |         cifs_ace->cifs_e_perm = local_ace->e_perm;
+      |         ~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~
+In file included from fs/smb/client/cifssmb.c:27:
+fs/smb/client/cifspdu.h: In function 'cifs_do_set_acl':
+fs/smb/client/cifspdu.h:384:14: note: at offset [7, 11] into destination object 'Protocol' of size 4
+  384 |         __u8 Protocol[4];
+      |              ^~~~~~~~
+In function 'cifs_init_ace',
+    inlined from 'posix_acl_to_cifs' at fs/smb/client/cifssmb.c:3046:3,
+    inlined from 'cifs_do_set_acl' at fs/smb/client/cifssmb.c:3191:15:
+fs/smb/client/cifssmb.c:2988:30: warning: writing 1 byte into a region of size 0 [-Wstringop-overflow=]
+ 2988 |         cifs_ace->cifs_e_tag =  local_ace->e_tag;
+      |         ~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~
+fs/smb/client/cifspdu.h: In function 'cifs_do_set_acl':
+fs/smb/client/cifspdu.h:384:14: note: at offset [6, 10] into destination object 'Protocol' of size 4
+  384 |         __u8 Protocol[4];
+      |              ^~~~~~~~
+
+This helps with the ongoing efforts to globally enable
+-Wstringop-overflow.
+
+Link: https://github.com/KSPP/linux/issues/310
+Fixes: dc1af4c4b472 ("cifs: implement set acl method")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/cifssmb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/smb/client/cifssmb.c b/fs/smb/client/cifssmb.c
+index 19f7385abeec..9dee267f1893 100644
+--- a/fs/smb/client/cifssmb.c
++++ b/fs/smb/client/cifssmb.c
+@@ -3184,7 +3184,7 @@ setAclRetry:
+       param_offset = offsetof(struct smb_com_transaction2_spi_req,
+                               InformationLevel) - 4;
+       offset = param_offset + params;
+-      parm_data = ((char *) &pSMB->hdr.Protocol) + offset;
++      parm_data = ((char *)pSMB) + sizeof(pSMB->hdr.smb_buf_length) + offset;
+       pSMB->ParameterOffset = cpu_to_le16(param_offset);
+       /* convert to on the wire format for POSIX ACL */
+-- 
+2.41.0
+
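Review bot: The replacement line `parm_data = ((char *)pSMB) + sizeof(pSMB->hdr.smb_buf_length) + offset;` is only equivalent to the old `&pSMB->hdr.Protocol` form if `smb_buf_length` is the first member of `hdr` and `hdr` the first member of the request; that equivalence is asserted in the commit message but nothing in the code pins it. A `BUILD_BUG_ON(offsetof(struct smb_com_transaction2_spi_req, hdr.Protocol) != sizeof_field(struct smb_com_transaction2_spi_req, hdr.smb_buf_length));` next to the assignment would break the build rather than the wire format if the header layout ever changes. A short comment such as `/* == &pSMB->hdr.Protocol, computed from pSMB so the compiler does not bound the access to Protocol[4] */` would also explain the otherwise odd-looking arithmetic. The enclosing function starts and ends outside the hunk.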
diff --git a/queue-6.4/tracing-fix-null-pointer-dereference-in-tracing_err_log_open.patch b/queue-6.4/tracing-fix-null-pointer-dereference-in-tracing_err_log_open.patch
new file mode 100644 (file)
index 0000000..58a32b5
--- /dev/null
@@ -0,0 +1,61 @@
+From 02b0095e2fbbc060560c1065f86a211d91e27b26 Mon Sep 17 00:00:00 2001
+From: Mateusz Stachyra <m.stachyra@samsung.com>
+Date: Tue, 4 Jul 2023 12:27:06 +0200
+Subject: tracing: Fix null pointer dereference in tracing_err_log_open()
+
+From: Mateusz Stachyra <m.stachyra@samsung.com>
+
+commit 02b0095e2fbbc060560c1065f86a211d91e27b26 upstream.
+
+Fix an issue in function 'tracing_err_log_open'.
+The function doesn't call 'seq_open' if the file is opened only with
+write permissions, which results in 'file->private_data' being left as null.
+If we then use 'lseek' on that opened file, 'seq_lseek' dereferences
+'file->private_data' in 'mutex_lock(&m->lock)', resulting in a kernel panic.
+Writing to this node requires root privileges, therefore this bug
+has very little security impact.
+
+Tracefs node: /sys/kernel/tracing/error_log
+
+Example Kernel panic:
+
+Unable to handle kernel NULL pointer dereference at virtual address 0000000000000038
+Call trace:
+ mutex_lock+0x30/0x110
+ seq_lseek+0x34/0xb8
+ __arm64_sys_lseek+0x6c/0xb8
+ invoke_syscall+0x58/0x13c
+ el0_svc_common+0xc4/0x10c
+ do_el0_svc+0x24/0x98
+ el0_svc+0x24/0x88
+ el0t_64_sync_handler+0x84/0xe4
+ el0t_64_sync+0x1b4/0x1b8
+Code: d503201f aa0803e0 aa1f03e1 aa0103e9 (c8e97d02)
+---[ end trace 561d1b49c12cf8a5 ]---
+Kernel panic - not syncing: Oops: Fatal exception
+
+Link: https://lore.kernel.org/linux-trace-kernel/20230703155237eucms1p4dfb6a19caa14c79eb6c823d127b39024@eucms1p4
+Link: https://lore.kernel.org/linux-trace-kernel/20230704102706eucms1p30d7ecdcc287f46ad67679fc8491b2e0f@eucms1p3
+
+Cc: stable@vger.kernel.org
+Fixes: 8a062902be725 ("tracing: Add tracing error log")
+Signed-off-by: Mateusz Stachyra <m.stachyra@samsung.com>
+Suggested-by: Steven Rostedt <rostedt@goodmis.org>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -8136,7 +8136,7 @@ static const struct file_operations trac
+       .open           = tracing_err_log_open,
+       .write          = tracing_err_log_write,
+       .read           = seq_read,
+-      .llseek         = seq_lseek,
++      .llseek         = tracing_lseek,
+       .release        = tracing_err_log_release,
+ };
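Review bot: The new `.llseek = tracing_lseek,` entry carries no hint of why seq_lseek() is wrong for this file, so someone tidying these file_operations later may well put seq_lseek() back because `.read` is seq_read. A one-line comment on the entry, `/* write-only opens skip seq_open(): private_data is NULL, so seq_lseek() must not be used here */`, would keep the fix from regressing. That tracing_lseek() itself copes with a write-only open is not visible in the hunk and should be confirmed against its definition.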
diff --git a/queue-6.4/tracing-probes-fix-not-to-count-error-code-to-total-length.patch b/queue-6.4/tracing-probes-fix-not-to-count-error-code-to-total-length.patch
new file mode 100644 (file)
index 0000000..89f7566
--- /dev/null
@@ -0,0 +1,38 @@
+From b41326b5e0f82e93592c4366359917b5d67b529f Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
+Date: Tue, 11 Jul 2023 23:15:38 +0900
+Subject: tracing/probes: Fix not to count error code to total length
+
+From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+
+commit b41326b5e0f82e93592c4366359917b5d67b529f upstream.
+
+Fix not to count the error code (which is minus value) to the total
+used length of array, because it can mess up the return code of
+process_fetch_insn_bottom(). Also clear the 'ret' value because it
+will be used for calculating next data_loc entry.
+
+Link: https://lore.kernel.org/all/168908493827.123124.2175257289106364229.stgit@devnote2/
+
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Closes: https://lore.kernel.org/all/8819b154-2ba1-43c3-98a2-cbde20892023@moroto.mountain/
+Fixes: 9b960a38835f ("tracing: probeevent: Unify fetch_insn processing common part")
+Cc: stable@vger.kernel.org
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_probe_tmpl.h |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/trace/trace_probe_tmpl.h
++++ b/kernel/trace/trace_probe_tmpl.h
+@@ -204,6 +204,8 @@ stage3:
+ array:
+       /* the last stage: Loop on array */
+       if (code->op == FETCH_OP_LP_ARRAY) {
++              if (ret < 0)
++                      ret = 0;
+               total += ret;
+               if (++i < code->param) {
+                       code = s3;
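Review bot: The added `if (ret < 0) ret = 0;` discards the element's fetch error before `total += ret`, so a failed array element becomes indistinguishable from a zero-length one and the loop simply moves on to the next element; the commit message gives the reason but the code does not. A comment on the clamp, `/* a failed element contributes no dynamic data; keep the error code out of total so the caller sees the real consumed length */`, would make that explicit for the next reader. Whether the per-element failure is still reported to the caller some other way is not visible here; process_fetch_insn_bottom() starts and ends outside the hunk.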
diff --git a/queue-6.4/tracing-probes-fix-to-avoid-double-count-of-the-string-length-on-the-array.patch b/queue-6.4/tracing-probes-fix-to-avoid-double-count-of-the-string-length-on-the-array.patch
new file mode 100644 (file)
index 0000000..9badd28
--- /dev/null
@@ -0,0 +1,43 @@
+From 66bcf65d6cf0ca6540e2341e88ee7ef02dbdda08 Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
+Date: Tue, 11 Jul 2023 23:15:29 +0900
+Subject: tracing/probes: Fix to avoid double count of the string length on the array
+
+From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+
+commit 66bcf65d6cf0ca6540e2341e88ee7ef02dbdda08 upstream.
+
+If an array is specified with the ustring or symstr, the length of the
+strings are accumlated on both of 'ret' and 'total', which means the
+length is double counted.
+Just set the length to the 'ret' value for avoiding double counting.
+
+Link: https://lore.kernel.org/all/168908492917.123124.15076463491122036025.stgit@devnote2/
+
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Closes: https://lore.kernel.org/all/8819b154-2ba1-43c3-98a2-cbde20892023@moroto.mountain/
+Fixes: 88903c464321 ("tracing/probe: Add ustring type for user-space string")
+Cc: stable@vger.kernel.org
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_probe_tmpl.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/trace/trace_probe_tmpl.h
++++ b/kernel/trace/trace_probe_tmpl.h
+@@ -156,11 +156,11 @@ stage3:
+                       code++;
+                       goto array;
+               case FETCH_OP_ST_USTRING:
+-                      ret += fetch_store_strlen_user(val + code->offset);
++                      ret = fetch_store_strlen_user(val + code->offset);
+                       code++;
+                       goto array;
+               case FETCH_OP_ST_SYMSTR:
+-                      ret += fetch_store_symstrlen(val + code->offset);
++                      ret = fetch_store_symstrlen(val + code->offset);
+                       code++;
+                       goto array;
+               default:
diff --git a/queue-6.4/tracing-probes-fix-to-record-0-length-data_loc-in-fetch_store_string-if-fails.patch b/queue-6.4/tracing-probes-fix-to-record-0-length-data_loc-in-fetch_store_string-if-fails.patch
new file mode 100644 (file)
index 0000000..8609e0f
--- /dev/null
@@ -0,0 +1,99 @@
+From 797311bce5c2ac90b8d65e357603cfd410d36ebb Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
+Date: Tue, 11 Jul 2023 23:16:07 +0900
+Subject: tracing/probes: Fix to record 0-length data_loc in fetch_store_string*() if fails
+
+From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+
+commit 797311bce5c2ac90b8d65e357603cfd410d36ebb upstream.
+
+Fix to record 0-length data to data_loc in fetch_store_string*() if it fails
+to get the string data.
+Currently those expect that the data_loc is updated by store_trace_args() if
+it returns the error code. However, that does not work correctly if the
+argument is an array of strings. In that case, store_trace_args() only clears
+the first entry of the array (which may have no error) and leaves other
+entries. So it should be cleared by fetch_store_string*() itself.
+Also, 'dyndata' and 'maxlen' in store_trace_args() should be updated
+only if it is used (ret > 0 and argument is a dynamic data.)
+
+Link: https://lore.kernel.org/all/168908496683.123124.4761206188794205601.stgit@devnote2/
+
+Fixes: 40b53b771806 ("tracing: probeevent: Add array type support")
+Cc: stable@vger.kernel.org
+Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_probe_kernel.h |   13 +++++++++----
+ kernel/trace/trace_probe_tmpl.h   |   10 +++-------
+ kernel/trace/trace_uprobe.c       |    3 ++-
+ 3 files changed, 14 insertions(+), 12 deletions(-)
+
+--- a/kernel/trace/trace_probe_kernel.h
++++ b/kernel/trace/trace_probe_kernel.h
+@@ -37,6 +37,13 @@ fetch_store_strlen(unsigned long addr)
+       return (ret < 0) ? ret : len;
+ }
++static nokprobe_inline void set_data_loc(int ret, void *dest, void *__dest, void *base)
++{
++      if (ret < 0)
++              ret = 0;
++      *(u32 *)dest = make_data_loc(ret, __dest - base);
++}
++
+ /*
+  * Fetch a null-terminated string from user. Caller MUST set *(u32 *)buf
+  * with max length and relative data location.
+@@ -55,8 +62,7 @@ fetch_store_string_user(unsigned long ad
+       __dest = get_loc_data(dest, base);
+       ret = strncpy_from_user_nofault(__dest, uaddr, maxlen);
+-      if (ret >= 0)
+-              *(u32 *)dest = make_data_loc(ret, __dest - base);
++      set_data_loc(ret, dest, __dest, base);
+       return ret;
+ }
+@@ -87,8 +93,7 @@ fetch_store_string(unsigned long addr, v
+        * probing.
+        */
+       ret = strncpy_from_kernel_nofault(__dest, (void *)addr, maxlen);
+-      if (ret >= 0)
+-              *(u32 *)dest = make_data_loc(ret, __dest - base);
++      set_data_loc(ret, dest, __dest, base);
+       return ret;
+ }
+--- a/kernel/trace/trace_probe_tmpl.h
++++ b/kernel/trace/trace_probe_tmpl.h
+@@ -267,13 +267,9 @@ store_trace_args(void *data, struct trac
+               if (unlikely(arg->dynamic))
+                       *dl = make_data_loc(maxlen, dyndata - base);
+               ret = process_fetch_insn(arg->code, rec, dl, base);
+-              if (arg->dynamic) {
+-                      if (unlikely(ret < 0)) {
+-                              *dl = make_data_loc(0, dyndata - base);
+-                      } else {
+-                              dyndata += ret;
+-                              maxlen -= ret;
+-                      }
++              if (arg->dynamic && likely(ret > 0)) {
++                      dyndata += ret;
++                      maxlen -= ret;
+               }
+       }
+ }
+--- a/kernel/trace/trace_uprobe.c
++++ b/kernel/trace/trace_uprobe.c
+@@ -170,7 +170,8 @@ fetch_store_string(unsigned long addr, v
+                        */
+                       ret++;
+               *(u32 *)dest = make_data_loc(ret, (void *)dst - base);
+-      }
++      } else
++              *(u32 *)dest = make_data_loc(0, (void *)dst - base);
+       return ret;
+ }
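Review bot: In the trace_uprobe.c hunk the new `} else` branch is a single unbraced statement while the `if` branch above it is braced; kernel coding style asks for braces on both branches when either one needs them, so the lines should read `} else {` / `*(u32 *)dest = make_data_loc(0, (void *)dst - base);` / `}`. The new `set_data_loc()` helper in trace_probe_kernel.h also has no comment; a line such as `/* Record the fetched length, or 0 on failure, at the data_loc slot so a failed element of a string array does not leave a stale entry */` would tie it to the motivation in the commit message. Both fetch_store_string() bodies and store_trace_args() start outside their hunks.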
diff --git a/queue-6.4/tracing-probes-fix-to-update-dynamic-data-counter-if-fetcharg-uses-it.patch b/queue-6.4/tracing-probes-fix-to-update-dynamic-data-counter-if-fetcharg-uses-it.patch
new file mode 100644 (file)
index 0000000..da22c6f
--- /dev/null
@@ -0,0 +1,48 @@
+From e38e2c6a9efc435f9de344b7c91f7697e01b47d5 Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
+Date: Tue, 11 Jul 2023 23:15:48 +0900
+Subject: tracing/probes: Fix to update dynamic data counter if fetcharg uses it
+
+From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+
+commit e38e2c6a9efc435f9de344b7c91f7697e01b47d5 upstream.
+
+Fix to update dynamic data counter ('dyndata') and max length ('maxlen')
+only if the fetcharg uses the dynamic data. Also get out arg->dynamic
+from unlikely(). This makes dynamic data address wrong if
+process_fetch_insn() returns error on !arg->dynamic case.
+
+Link: https://lore.kernel.org/all/168908494781.123124.8160245359962103684.stgit@devnote2/
+
+Suggested-by: Steven Rostedt <rostedt@goodmis.org>
+Link: https://lore.kernel.org/all/20230710233400.5aaf024e@gandalf.local.home/
+Fixes: 9178412ddf5a ("tracing: probeevent: Return consumed bytes of dynamic area")
+Cc: stable@vger.kernel.org
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_probe_tmpl.h |   12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/kernel/trace/trace_probe_tmpl.h
++++ b/kernel/trace/trace_probe_tmpl.h
+@@ -267,11 +267,13 @@ store_trace_args(void *data, struct trac
+               if (unlikely(arg->dynamic))
+                       *dl = make_data_loc(maxlen, dyndata - base);
+               ret = process_fetch_insn(arg->code, rec, dl, base);
+-              if (unlikely(ret < 0 && arg->dynamic)) {
+-                      *dl = make_data_loc(0, dyndata - base);
+-              } else {
+-                      dyndata += ret;
+-                      maxlen -= ret;
++              if (arg->dynamic) {
++                      if (unlikely(ret < 0)) {
++                              *dl = make_data_loc(0, dyndata - base);
++                      } else {
++                              dyndata += ret;
++                              maxlen -= ret;
++                      }
+               }
+       }
+ }
diff --git a/queue-6.4/tracing-user_events-fix-struct-arg-size-match-check.patch b/queue-6.4/tracing-user_events-fix-struct-arg-size-match-check.patch
new file mode 100644 (file)
index 0000000..4ee6ecc
--- /dev/null
@@ -0,0 +1,49 @@
+From d0a3022f30629a208e5944022caeca3568add9e7 Mon Sep 17 00:00:00 2001
+From: Beau Belgrave <beaub@linux.microsoft.com>
+Date: Thu, 29 Jun 2023 23:50:48 +0000
+Subject: tracing/user_events: Fix struct arg size match check
+
+From: Beau Belgrave <beaub@linux.microsoft.com>
+
+commit d0a3022f30629a208e5944022caeca3568add9e7 upstream.
+
+When users register an event the name of the event and it's argument are
+checked to ensure they match if the event already exists. Normally all
+arguments are in the form of "type name", except for when the type
+starts with "struct ". In those cases, the size of the struct is passed
+in addition to the name, IE: "struct my_struct a 20" for an argument
+that is of type "struct my_struct" with a field name of "a" and has the
+size of 20 bytes.
+
+The current code does not honor the above case properly when comparing
+a match. This causes the event register to fail even when the same
+string was used for events that contain a struct argument within them.
+The example above "struct my_struct a 20" generates a match string of
+"struct my_struct a" omitting the size field.
+
+Add the struct size of the existing field when generating a comparison
+string for a struct field to ensure proper match checking.
+
+Link: https://lkml.kernel.org/r/20230629235049.581-2-beaub@linux.microsoft.com
+
+Cc: stable@vger.kernel.org
+Fixes: e6f89a149872 ("tracing/user_events: Ensure user provided strings are safely formatted")
+Signed-off-by: Beau Belgrave <beaub@linux.microsoft.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_events_user.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/kernel/trace/trace_events_user.c
++++ b/kernel/trace/trace_events_user.c
+@@ -1317,6 +1317,9 @@ static int user_field_set_string(struct
+       pos += snprintf(buf + pos, LEN_OR_ZERO, " ");
+       pos += snprintf(buf + pos, LEN_OR_ZERO, "%s", field->name);
++      if (str_has_prefix(field->type, "struct "))
++              pos += snprintf(buf + pos, LEN_OR_ZERO, " %d", field->size);
++
+       if (colon)
+               pos += snprintf(buf + pos, LEN_OR_ZERO, ";");