5.15-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 21 Jul 2023 14:47:06 +0000 (16:47 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 21 Jul 2023 14:47:06 +0000 (16:47 +0200)
added patches:
scsi-qla2xxx-array-index-may-go-out-of-bound.patch
scsi-qla2xxx-avoid-fcport-pointer-dereference.patch
scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch
scsi-qla2xxx-correct-the-index-of-array.patch
scsi-qla2xxx-fix-buffer-overrun.patch
scsi-qla2xxx-fix-potential-null-pointer-dereference.patch
scsi-qla2xxx-pointer-may-be-dereferenced.patch
scsi-qla2xxx-remove-unused-nvme_ls_waitq-wait-queue.patch
scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch
selftests-mptcp-depend-on-syn_cookies.patch
selftests-mptcp-sockopt-return-error-if-wrong-mark.patch
tracing-fix-null-pointer-dereference-in-tracing_err_log_open.patch
tracing-probes-fix-not-to-count-error-code-to-total-length.patch
tracing-probes-fix-to-update-dynamic-data-counter-if-fetcharg-uses-it.patch

15 files changed:
queue-5.15/scsi-qla2xxx-array-index-may-go-out-of-bound.patch [new file with mode: 0644]
queue-5.15/scsi-qla2xxx-avoid-fcport-pointer-dereference.patch [new file with mode: 0644]
queue-5.15/scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch [new file with mode: 0644]
queue-5.15/scsi-qla2xxx-correct-the-index-of-array.patch [new file with mode: 0644]
queue-5.15/scsi-qla2xxx-fix-buffer-overrun.patch [new file with mode: 0644]
queue-5.15/scsi-qla2xxx-fix-potential-null-pointer-dereference.patch [new file with mode: 0644]
queue-5.15/scsi-qla2xxx-pointer-may-be-dereferenced.patch [new file with mode: 0644]
queue-5.15/scsi-qla2xxx-remove-unused-nvme_ls_waitq-wait-queue.patch [new file with mode: 0644]
queue-5.15/scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch [new file with mode: 0644]
queue-5.15/selftests-mptcp-depend-on-syn_cookies.patch [new file with mode: 0644]
queue-5.15/selftests-mptcp-sockopt-return-error-if-wrong-mark.patch [new file with mode: 0644]
queue-5.15/series
queue-5.15/tracing-fix-null-pointer-dereference-in-tracing_err_log_open.patch [new file with mode: 0644]
queue-5.15/tracing-probes-fix-not-to-count-error-code-to-total-length.patch [new file with mode: 0644]
queue-5.15/tracing-probes-fix-to-update-dynamic-data-counter-if-fetcharg-uses-it.patch [new file with mode: 0644]

diff --git a/queue-5.15/scsi-qla2xxx-array-index-may-go-out-of-bound.patch b/queue-5.15/scsi-qla2xxx-array-index-may-go-out-of-bound.patch
new file mode 100644 (file)
index 0000000..03f71ed
--- /dev/null
@@ -0,0 +1,36 @@
+From d721b591b95cf3f290f8a7cbe90aa2ee0368388d Mon Sep 17 00:00:00 2001
+From: Nilesh Javali <njavali@marvell.com>
+Date: Wed, 7 Jun 2023 17:08:36 +0530
+Subject: scsi: qla2xxx: Array index may go out of bound
+
+From: Nilesh Javali <njavali@marvell.com>
+
+commit d721b591b95cf3f290f8a7cbe90aa2ee0368388d upstream.
+
+Klocwork reports array 'vha->host_str' of size 16 may use index value(s)
+16..19.  Use snprintf() instead of sprintf().
+
+Cc: stable@vger.kernel.org
+Co-developed-by: Bikash Hazarika <bhazarika@marvell.com>
+Signed-off-by: Bikash Hazarika <bhazarika@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Link: https://lore.kernel.org/r/20230607113843.37185-2-njavali@marvell.com
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_os.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -5042,7 +5042,8 @@ struct scsi_qla_host *qla2x00_create_hos
+       }
+       INIT_DELAYED_WORK(&vha->scan.scan_work, qla_scan_work_fn);
+-      sprintf(vha->host_str, "%s_%lu", QLA2XXX_DRIVER_NAME, vha->host_no);
++      snprintf(vha->host_str, sizeof(vha->host_str), "%s_%lu",
++               QLA2XXX_DRIVER_NAME, vha->host_no);
+       ql_dbg(ql_dbg_init, vha, 0x0041,
+           "Allocated the host=%p hw=%p vha=%p dev_name=%s",
+           vha->host, vha->hw, vha,
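Review bot: The new `snprintf()` call discards its return value, so a name that does not fit in `vha->host_str` is now truncated silently instead of overrunning the array. Two hosts whose numbers differ only in the cut-off digits would then share a `host_str`, which could make anything that prints it ambiguous (inferred; the uses of `host_str` are outside the hunk). Keeping the result and warning when it is `>= sizeof(vha->host_str)` costs one comparison and one `ql_log(ql_log_warn, ...)` line. `qla2x00_create_host` starts and ends outside the hunk.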
diff --git a/queue-5.15/scsi-qla2xxx-avoid-fcport-pointer-dereference.patch b/queue-5.15/scsi-qla2xxx-avoid-fcport-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..c38a8c7
--- /dev/null
@@ -0,0 +1,38 @@
+From 6b504d06976fe4a61cc05dedc68b84fadb397f77 Mon Sep 17 00:00:00 2001
+From: Nilesh Javali <njavali@marvell.com>
+Date: Wed, 7 Jun 2023 17:08:38 +0530
+Subject: scsi: qla2xxx: Avoid fcport pointer dereference
+
+From: Nilesh Javali <njavali@marvell.com>
+
+commit 6b504d06976fe4a61cc05dedc68b84fadb397f77 upstream.
+
+Klocwork reported warning of NULL pointer may be dereferenced.  The routine
+exits when sa_ctl is NULL and fcport is allocated after the exit call thus
+causing NULL fcport pointer to dereference at the time of exit.
+
+To avoid fcport pointer dereference, exit the routine when sa_ctl is NULL.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Link: https://lore.kernel.org/r/20230607113843.37185-4-njavali@marvell.com
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_edif.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_edif.c
++++ b/drivers/scsi/qla2xxx/qla_edif.c
+@@ -2230,8 +2230,8 @@ qla24xx_issue_sa_replace_iocb(scsi_qla_h
+       if (!sa_ctl) {
+               ql_dbg(ql_dbg_edif, vha, 0x70e6,
+                   "sa_ctl allocation failed\n");
+-              rval =  -ENOMEM;
+-              goto done;
++              rval = -ENOMEM;
++              return rval;
+       }
+       fcport = sa_ctl->fcport;
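Review bot: The early `return rval;` in the `!sa_ctl` branch has no comment saying why this one error path skips the `done` label, so a later tidy-up could turn it back into `goto done`. Per the commit message the exit path dereferences `fcport`, which is only assigned on the line after this branch. I would add `/* fcport is not set yet; the done: path dereferences it */` above the return, and `return -ENOMEM;` would say the same in one statement. The `done` label is outside the hunk, so what else it releases could not be checked here.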
diff --git a/queue-5.15/scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch b/queue-5.15/scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch
new file mode 100644 (file)
index 0000000..b4c6190
--- /dev/null
@@ -0,0 +1,37 @@
+From af73f23a27206ffb3c477cac75b5fcf03410556e Mon Sep 17 00:00:00 2001
+From: Nilesh Javali <njavali@marvell.com>
+Date: Wed, 7 Jun 2023 17:08:39 +0530
+Subject: scsi: qla2xxx: Check valid rport returned by fc_bsg_to_rport()
+
+From: Nilesh Javali <njavali@marvell.com>
+
+commit af73f23a27206ffb3c477cac75b5fcf03410556e upstream.
+
+Klocwork reported warning of rport maybe NULL and will be dereferenced.
+rport returned by call to fc_bsg_to_rport() could be NULL and dereferenced.
+
+Check valid rport returned by fc_bsg_to_rport().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Link: https://lore.kernel.org/r/20230607113843.37185-5-njavali@marvell.com
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_bsg.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/scsi/qla2xxx/qla_bsg.c
++++ b/drivers/scsi/qla2xxx/qla_bsg.c
+@@ -283,6 +283,10 @@ qla2x00_process_els(struct bsg_job *bsg_
+       if (bsg_request->msgcode == FC_BSG_RPT_ELS) {
+               rport = fc_bsg_to_rport(bsg_job);
++              if (!rport) {
++                      rval = -ENOMEM;
++                      goto done;
++              }
+               fcport = *(fc_port_t **) rport->dd_data;
+               host = rport_to_shost(rport);
+               vha = shost_priv(host);
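Review bot: The new `!rport` branch reports `-ENOMEM`, but nothing is allocated on this path; a NULL from `fc_bsg_to_rport()` presumably means there is no remote port behind the job, not that memory ran out. An errno such as `rval = -ENODEV;` (or `-EINVAL`) would keep user space and log triage from chasing memory pressure that does not exist. The `done` label and the rest of `qla2x00_process_els` are outside the hunk, so whether `done` is safe to reach before `fcport`, `host` and `vha` are set should be confirmed.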
diff --git a/queue-5.15/scsi-qla2xxx-correct-the-index-of-array.patch b/queue-5.15/scsi-qla2xxx-correct-the-index-of-array.patch
new file mode 100644 (file)
index 0000000..f1f18d6
--- /dev/null
@@ -0,0 +1,51 @@
+From b1b9d3825df4c757d653d0b1df66f084835db9c3 Mon Sep 17 00:00:00 2001
+From: Bikash Hazarika <bhazarika@marvell.com>
+Date: Wed, 7 Jun 2023 17:08:42 +0530
+Subject: scsi: qla2xxx: Correct the index of array
+
+From: Bikash Hazarika <bhazarika@marvell.com>
+
+commit b1b9d3825df4c757d653d0b1df66f084835db9c3 upstream.
+
+Klocwork reported array 'port_dstate_str' of size 10 may use index value(s)
+10..15.
+
+Add a fix to correct the index of array.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Bikash Hazarika <bhazarika@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Link: https://lore.kernel.org/r/20230607113843.37185-8-njavali@marvell.com
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_inline.h |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/qla_inline.h
++++ b/drivers/scsi/qla2xxx/qla_inline.h
+@@ -109,11 +109,13 @@ qla2x00_set_fcport_disc_state(fc_port_t
+ {
+       int old_val;
+       uint8_t shiftbits, mask;
++      uint8_t port_dstate_str_sz;
+       /* This will have to change when the max no. of states > 16 */
+       shiftbits = 4;
+       mask = (1 << shiftbits) - 1;
++      port_dstate_str_sz = sizeof(port_dstate_str) / sizeof(char *);
+       fcport->disc_state = state;
+       while (1) {
+               old_val = atomic_read(&fcport->shadow_disc_state);
+@@ -121,7 +123,8 @@ qla2x00_set_fcport_disc_state(fc_port_t
+                   old_val, (old_val << shiftbits) | state)) {
+                       ql_dbg(ql_dbg_disc, fcport->vha, 0x2134,
+                           "FCPort %8phC disc_state transition: %s to %s - portid=%06x.\n",
+-                          fcport->port_name, port_dstate_str[old_val & mask],
++                          fcport->port_name, (old_val & mask) < port_dstate_str_sz ?
++                                  port_dstate_str[old_val & mask] : "Unknown",
+                           port_dstate_str[state], fcport->d_id.b24);
+                       return;
+               }
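Review bot: Only the old state is range-checked; `port_dstate_str[state]` on the next argument line is still indexed with the caller-supplied `state` and no bound. The same guard covers it: `state < port_dstate_str_sz ? port_dstate_str[state] : "Unknown"`. The element count is also safer as `port_dstate_str_sz = ARRAY_SIZE(port_dstate_str);` than `sizeof(port_dstate_str) / sizeof(char *)`, which goes wrong silently if the element type changes. The function's signature and tail are outside the two hunks, so the type and range of `state` could not be checked.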
diff --git a/queue-5.15/scsi-qla2xxx-fix-buffer-overrun.patch b/queue-5.15/scsi-qla2xxx-fix-buffer-overrun.patch
new file mode 100644 (file)
index 0000000..e6547a8
--- /dev/null
@@ -0,0 +1,38 @@
+From b68710a8094fdffe8dd4f7a82c82649f479bb453 Mon Sep 17 00:00:00 2001
+From: Quinn Tran <qutran@marvell.com>
+Date: Wed, 7 Jun 2023 17:08:40 +0530
+Subject: scsi: qla2xxx: Fix buffer overrun
+
+From: Quinn Tran <qutran@marvell.com>
+
+commit b68710a8094fdffe8dd4f7a82c82649f479bb453 upstream.
+
+Klocwork warning: Buffer Overflow - Array Index Out of Bounds
+
+Driver uses fc_els_flogi to calculate size of buffer.  The actual buffer is
+nested inside of fc_els_flogi which is smaller.
+
+Replace structure name to allow proper size calculation.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Quinn Tran <qutran@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Link: https://lore.kernel.org/r/20230607113843.37185-6-njavali@marvell.com
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_init.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -5359,7 +5359,7 @@ static void qla_get_login_template(scsi_
+       __be32 *q;
+       memset(ha->init_cb, 0, ha->init_cb_size);
+-      sz = min_t(int, sizeof(struct fc_els_flogi), ha->init_cb_size);
++      sz = min_t(int, sizeof(struct fc_els_csp), ha->init_cb_size);
+       rval = qla24xx_get_port_login_templ(vha, ha->init_cb_dma,
+                                           ha->init_cb, sz);
+       if (rval != QLA_SUCCESS) {
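Review bot: The bound passed to `min_t()` is still spelled as a type name, which is how the overrun arose in the first place: nothing on this line ties `sizeof(struct fc_els_csp)` to the object the template ends up in. A comment would at least record the reasoning from the commit message, e.g. `/* the template is consumed as a struct fc_els_csp, which is nested in and smaller than fc_els_flogi */`. If the destination object is in scope further down, sizing `sz` from that object with `sizeof` would remove the coupling entirely. `min_t(int, ...)` also converts both sizes to a signed type; the declaration of `sz` is outside the hunk, so whether that matters was not checked.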
diff --git a/queue-5.15/scsi-qla2xxx-fix-potential-null-pointer-dereference.patch b/queue-5.15/scsi-qla2xxx-fix-potential-null-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..6edcf7f
--- /dev/null
@@ -0,0 +1,35 @@
+From 464ea494a40c6e3e0e8f91dd325408aaf21515ba Mon Sep 17 00:00:00 2001
+From: Bikash Hazarika <bhazarika@marvell.com>
+Date: Wed, 7 Jun 2023 17:08:37 +0530
+Subject: scsi: qla2xxx: Fix potential NULL pointer dereference
+
+From: Bikash Hazarika <bhazarika@marvell.com>
+
+commit 464ea494a40c6e3e0e8f91dd325408aaf21515ba upstream.
+
+Klocwork tool reported 'cur_dsd' may be dereferenced.  Add fix to validate
+pointer before dereferencing the pointer.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Bikash Hazarika <bhazarika@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Link: https://lore.kernel.org/r/20230607113843.37185-3-njavali@marvell.com
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_iocb.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/qla_iocb.c
++++ b/drivers/scsi/qla2xxx/qla_iocb.c
+@@ -603,7 +603,8 @@ qla24xx_build_scsi_type_6_iocbs(srb_t *s
+       put_unaligned_le32(COMMAND_TYPE_6, &cmd_pkt->entry_type);
+       /* No data transfer */
+-      if (!scsi_bufflen(cmd) || cmd->sc_data_direction == DMA_NONE) {
++      if (!scsi_bufflen(cmd) || cmd->sc_data_direction == DMA_NONE ||
++          tot_dsds == 0) {
+               cmd_pkt->byte_count = cpu_to_le32(0);
+               return 0;
+       }
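Review bot: With `tot_dsds == 0` folded into the no-data test, a command that has a non-zero `scsi_bufflen()` and a data direction but no descriptors now gets `byte_count` 0 and `return 0`, the same result as a genuine no-data command. That avoids the `cur_dsd` dereference named in the commit message, but it also hides an inconsistent request from the caller. I would split that case out and at least log it, e.g. `if (tot_dsds == 0 && scsi_bufflen(cmd)) ql_log(ql_log_warn, vha, <msg-id>, "no DSDs for data command\n");`, or return the function's error value if it has one. The rest of `qla24xx_build_scsi_type_6_iocbs` is outside the hunk, so its error convention and whether `vha` is in scope there were not checked.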
diff --git a/queue-5.15/scsi-qla2xxx-pointer-may-be-dereferenced.patch b/queue-5.15/scsi-qla2xxx-pointer-may-be-dereferenced.patch
new file mode 100644 (file)
index 0000000..5d87cc0
--- /dev/null
@@ -0,0 +1,36 @@
+From 00eca15319d9ce8c31cdf22f32a3467775423df4 Mon Sep 17 00:00:00 2001
+From: Shreyas Deodhar <sdeodhar@marvell.com>
+Date: Wed, 7 Jun 2023 17:08:41 +0530
+Subject: scsi: qla2xxx: Pointer may be dereferenced
+
+From: Shreyas Deodhar <sdeodhar@marvell.com>
+
+commit 00eca15319d9ce8c31cdf22f32a3467775423df4 upstream.
+
+Klocwork tool reported pointer 'rport' returned from call to function
+fc_bsg_to_rport() may be NULL and will be dereferenced.
+
+Add a fix to validate rport before dereferencing.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Shreyas Deodhar <sdeodhar@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Link: https://lore.kernel.org/r/20230607113843.37185-7-njavali@marvell.com
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_bsg.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/scsi/qla2xxx/qla_bsg.c
++++ b/drivers/scsi/qla2xxx/qla_bsg.c
+@@ -2903,6 +2903,8 @@ qla24xx_bsg_request(struct bsg_job *bsg_
+       if (bsg_request->msgcode == FC_BSG_RPT_ELS) {
+               rport = fc_bsg_to_rport(bsg_job);
++              if (!rport)
++                      return ret;
+               host = rport_to_shost(rport);
+               vha = shost_priv(host);
+       } else {
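Review bot: `return ret;` in the new `!rport` branch returns whatever `ret` holds at that point, and its initial value is set outside the hunk. If that value is 0, the request would be reported as accepted although nothing was started and the bsg job would not be completed (inferred). An explicit errno at this return, for example `return -EINVAL;`, makes the failure visible regardless of how `ret` is initialised.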
diff --git a/queue-5.15/scsi-qla2xxx-remove-unused-nvme_ls_waitq-wait-queue.patch b/queue-5.15/scsi-qla2xxx-remove-unused-nvme_ls_waitq-wait-queue.patch
new file mode 100644 (file)
index 0000000..7bf76f2
--- /dev/null
@@ -0,0 +1,91 @@
+From 20fce500b232b970e40312a9c97e7f3b6d7a709c Mon Sep 17 00:00:00 2001
+From: Manish Rangankar <mrangankar@marvell.com>
+Date: Thu, 15 Jun 2023 13:16:33 +0530
+Subject: scsi: qla2xxx: Remove unused nvme_ls_waitq wait queue
+
+From: Manish Rangankar <mrangankar@marvell.com>
+
+commit 20fce500b232b970e40312a9c97e7f3b6d7a709c upstream.
+
+System crash when qla2x00_start_sp(sp) returns error code EGAIN and wake_up
+gets called for uninitialized wait queue sp->nvme_ls_waitq.
+
+    qla2xxx [0000:37:00.1]-2121:5: Returning existing qpair of ffff8ae2c0513400 for idx=0
+    qla2xxx [0000:37:00.1]-700e:5: qla2x00_start_sp failed = 11
+    BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
+    PGD 0 P4D 0
+    Oops: 0000 [#1] SMP NOPTI
+    Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021
+    Workqueue: nvme-wq nvme_fc_connect_ctrl_work [nvme_fc]
+    RIP: 0010:__wake_up_common+0x4c/0x190
+    RSP: 0018:ffff95f3e0cb7cd0 EFLAGS: 00010086
+    RAX: 0000000000000000 RBX: ffff8b08d3b26328 RCX: 0000000000000000
+    RDX: 0000000000000001 RSI: 0000000000000003 RDI: ffff8b08d3b26320
+    RBP: 0000000000000001 R08: 0000000000000000 R09: ffffffffffffffe8
+    R10: 0000000000000000 R11: ffff95f3e0cb7a60 R12: ffff95f3e0cb7d20
+    R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000000000
+    FS:  0000000000000000(0000) GS:ffff8b2fdf6c0000(0000) knlGS:0000000000000000
+    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+    CR2: 0000000000000000 CR3: 0000002f1e410002 CR4: 00000000007706e0
+    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+    PKRU: 55555554
+    Call Trace:
+     __wake_up_common_lock+0x7c/0xc0
+     qla_nvme_ls_req+0x355/0x4c0 [qla2xxx]
+     ? __nvme_fc_send_ls_req+0x260/0x380 [nvme_fc]
+     ? nvme_fc_send_ls_req.constprop.42+0x1a/0x45 [nvme_fc]
+     ? nvme_fc_connect_ctrl_work.cold.63+0x1e3/0xa7d [nvme_fc]
+
+Remove unused nvme_ls_waitq wait queue. nvme_ls_waitq logic was removed
+previously in the commits tagged Fixed: below.
+
+Fixes: 219d27d7147e ("scsi: qla2xxx: Fix race conditions in the code for aborting SCSI commands")
+Fixes: 5621b0dd7453 ("scsi: qla2xxx: Simpify unregistration of FC-NVMe local/remote ports")
+Cc: stable@vger.kernel.org
+Signed-off-by: Manish Rangankar <mrangankar@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Link: https://lore.kernel.org/r/20230615074633.12721-1-njavali@marvell.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_def.h  |    1 -
+ drivers/scsi/qla2xxx/qla_nvme.c |    3 ---
+ 2 files changed, 4 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_def.h
++++ b/drivers/scsi/qla2xxx/qla_def.h
+@@ -676,7 +676,6 @@ typedef struct srb {
+       struct iocb_resource iores;
+       struct kref cmd_kref;   /* need to migrate ref_count over to this */
+       void *priv;
+-      wait_queue_head_t nvme_ls_waitq;
+       struct fc_port *fcport;
+       struct scsi_qla_host *vha;
+       unsigned int start_timer:1;
+--- a/drivers/scsi/qla2xxx/qla_nvme.c
++++ b/drivers/scsi/qla2xxx/qla_nvme.c
+@@ -355,7 +355,6 @@ static int qla_nvme_ls_req(struct nvme_f
+       if (rval != QLA_SUCCESS) {
+               ql_log(ql_log_warn, vha, 0x700e,
+                   "qla2x00_start_sp failed = %d\n", rval);
+-              wake_up(&sp->nvme_ls_waitq);
+               sp->priv = NULL;
+               priv->sp = NULL;
+               qla2x00_rel_sp(sp);
+@@ -637,7 +636,6 @@ static int qla_nvme_post_cmd(struct nvme
+       if (!sp)
+               return -EBUSY;
+-      init_waitqueue_head(&sp->nvme_ls_waitq);
+       kref_init(&sp->cmd_kref);
+       spin_lock_init(&priv->cmd_lock);
+       sp->priv = priv;
+@@ -656,7 +654,6 @@ static int qla_nvme_post_cmd(struct nvme
+       if (rval != QLA_SUCCESS) {
+               ql_log(ql_log_warn, vha, 0x212d,
+                   "qla2x00_start_nvme_mq failed = %d\n", rval);
+-              wake_up(&sp->nvme_ls_waitq);
+               sp->priv = NULL;
+               priv->sp = NULL;
+               qla2xxx_rel_qpair_sp(sp->qpair, sp);
diff --git a/queue-5.15/scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch b/queue-5.15/scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch
new file mode 100644 (file)
index 0000000..c0f2b99
--- /dev/null
@@ -0,0 +1,71 @@
+From fc0cba0c7be8261a1625098bd1d695077ec621c9 Mon Sep 17 00:00:00 2001
+From: Quinn Tran <qutran@marvell.com>
+Date: Fri, 28 Apr 2023 00:53:38 -0700
+Subject: scsi: qla2xxx: Wait for io return on terminate rport
+
+From: Quinn Tran <qutran@marvell.com>
+
+commit fc0cba0c7be8261a1625098bd1d695077ec621c9 upstream.
+
+System crash due to use after free.
+Current code allows terminate_rport_io to exit before making
+sure all IOs has returned. For FCP-2 device, IO's can hang
+on in HW because driver has not tear down the session in FW at
+first sign of cable pull. When dev_loss_tmo timer pops,
+terminate_rport_io is called and upper layer is about to
+free various resources. Terminate_rport_io trigger qla to do
+the final cleanup, but the cleanup might not be fast enough where it
+leave qla still holding on to the same resource.
+
+Wait for IO's to return to upper layer before resources are freed.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Quinn Tran <qutran@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Link: https://lore.kernel.org/r/20230428075339.32551-7-njavali@marvell.com
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_attr.c |   13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/drivers/scsi/qla2xxx/qla_attr.c
++++ b/drivers/scsi/qla2xxx/qla_attr.c
+@@ -2738,6 +2738,7 @@ static void
+ qla2x00_terminate_rport_io(struct fc_rport *rport)
+ {
+       fc_port_t *fcport = *(fc_port_t **)rport->dd_data;
++      scsi_qla_host_t *vha;
+       if (!fcport)
+               return;
+@@ -2747,9 +2748,12 @@ qla2x00_terminate_rport_io(struct fc_rpo
+       if (test_bit(ABORT_ISP_ACTIVE, &fcport->vha->dpc_flags))
+               return;
++      vha = fcport->vha;
+       if (unlikely(pci_channel_offline(fcport->vha->hw->pdev))) {
+               qla2x00_abort_all_cmds(fcport->vha, DID_NO_CONNECT << 16);
++              qla2x00_eh_wait_for_pending_commands(fcport->vha, fcport->d_id.b24,
++                      0, WAIT_TARGET);
+               return;
+       }
+       /*
+@@ -2774,6 +2778,15 @@ qla2x00_terminate_rport_io(struct fc_rpo
+                       qla2x00_port_logout(fcport->vha, fcport);
+               }
+       }
++
++      /* check for any straggling io left behind */
++      if (qla2x00_eh_wait_for_pending_commands(fcport->vha, fcport->d_id.b24, 0, WAIT_TARGET)) {
++              ql_log(ql_log_warn, vha, 0x300b,
++                     "IO not return.  Resetting. \n");
++              set_bit(ISP_ABORT_NEEDED, &vha->dpc_flags);
++              qla2xxx_wake_dpc(vha);
++              qla2x00_wait_for_chip_reset(vha);
++      }
+ }
+ static int
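Review bot: In the `pci_channel_offline()` branch the result of `qla2x00_eh_wait_for_pending_commands()` is dropped, while the same call at the end of the function treats a non-zero result as IO that did not return and escalates. If the wait fails on the offline path the function still returns, and per the commit message the upper layer then frees resources the driver may still hold. At minimum the failure should be logged there: `if (qla2x00_eh_wait_for_pending_commands(vha, fcport->d_id.b24, 0, WAIT_TARGET)) ql_log(ql_log_warn, vha, <msg-id>, "IO not returned, PCI channel offline\n");`. The earlier `ABORT_ISP_ACTIVE` return also leaves without waiting, which may be intended but deserves a comment. The new local `vha` is used only in the last block, while the other added lines still spell `fcport->vha`.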
diff --git a/queue-5.15/selftests-mptcp-depend-on-syn_cookies.patch b/queue-5.15/selftests-mptcp-depend-on-syn_cookies.patch
new file mode 100644 (file)
index 0000000..c443063
--- /dev/null
@@ -0,0 +1,40 @@
+From 6c8880fcaa5c45355179b759c1d11737775e31fc Mon Sep 17 00:00:00 2001
+From: Matthieu Baerts <matthieu.baerts@tessares.net>
+Date: Tue, 4 Jul 2023 22:44:40 +0200
+Subject: selftests: mptcp: depend on SYN_COOKIES
+
+From: Matthieu Baerts <matthieu.baerts@tessares.net>
+
+commit 6c8880fcaa5c45355179b759c1d11737775e31fc upstream.
+
+MPTCP selftests are using TCP SYN Cookies for quite a while now, since
+v5.9.
+
+Some CIs don't have this config option enabled and this is causing
+issues in the tests:
+
+  # ns1 MPTCP -> ns1 (10.0.1.1:10000      ) MPTCP     (duration   167ms) sysctl: cannot stat /proc/sys/net/ipv4/tcp_syncookies: No such file or directory
+  # [ OK ]./mptcp_connect.sh: line 554: [: -eq: unary operator expected
+
+There is no impact in the results but the test is not doing what it is
+supposed to do.
+
+Fixes: fed61c4b584c ("selftests: mptcp: make 2nd net namespace use tcp syn cookies unconditionally")
+Cc: stable@vger.kernel.org
+Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/config |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/tools/testing/selftests/net/mptcp/config
++++ b/tools/testing/selftests/net/mptcp/config
+@@ -6,6 +6,7 @@ CONFIG_INET_DIAG=m
+ CONFIG_INET_MPTCP_DIAG=m
+ CONFIG_VETH=y
+ CONFIG_NET_SCH_NETEM=m
++CONFIG_SYN_COOKIES=y
+ CONFIG_NETFILTER=y
+ CONFIG_NETFILTER_ADVANCED=y
+ CONFIG_NETFILTER_NETLINK=m
diff --git a/queue-5.15/selftests-mptcp-sockopt-return-error-if-wrong-mark.patch b/queue-5.15/selftests-mptcp-sockopt-return-error-if-wrong-mark.patch
new file mode 100644 (file)
index 0000000..e9aea27
--- /dev/null
@@ -0,0 +1,55 @@
+From 9ac4c28eb70cd5ea5472a5e1c495dcdd597d4597 Mon Sep 17 00:00:00 2001
+From: Matthieu Baerts <matthieu.baerts@tessares.net>
+Date: Tue, 4 Jul 2023 22:44:37 +0200
+Subject: selftests: mptcp: sockopt: return error if wrong mark
+
+From: Matthieu Baerts <matthieu.baerts@tessares.net>
+
+commit 9ac4c28eb70cd5ea5472a5e1c495dcdd597d4597 upstream.
+
+When an error was detected when checking the marks, a message was
+correctly printed mentioning the error but followed by another one
+saying everything was OK and the selftest was not marked as failed as
+expected.
+
+Now the 'ret' variable is directly set to 1 in order to make sure the
+exit is done with an error, similar to what is done in other functions.
+While at it, the error is correctly propagated to the caller.
+
+Link: https://github.com/multipath-tcp/mptcp_net-next/issues/368
+Fixes: dc65fe82fb07 ("selftests: mptcp: add packet mark test case")
+Cc: stable@vger.kernel.org
+Acked-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/mptcp_sockopt.sh |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_sockopt.sh
++++ b/tools/testing/selftests/net/mptcp/mptcp_sockopt.sh
+@@ -119,6 +119,7 @@ check_mark()
+       for v in $values; do
+               if [ $v -ne 0 ]; then
+                       echo "FAIL: got $tables $values in ns $ns , not 0 - not all expected packets marked" 1>&2
++                      ret=1
+                       return 1
+               fi
+       done
+@@ -213,11 +214,11 @@ do_transfer()
+       fi
+       if [ $local_addr = "::" ];then
+-              check_mark $listener_ns 6
+-              check_mark $connector_ns 6
++              check_mark $listener_ns 6 || retc=1
++              check_mark $connector_ns 6 || retc=1
+       else
+-              check_mark $listener_ns 4
+-              check_mark $connector_ns 4
++              check_mark $listener_ns 4 || retc=1
++              check_mark $connector_ns 4 || retc=1
+       fi
+       check_transfer $cin $sout "file received by server"
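Review bot: `check_mark` still passes vacuously when `$values` is empty, because the `for v in $values` loop body never runs and neither `ret=1` nor `return 1` is reached. How `values` is filled is outside the hunk, but if the counter query fails or matches nothing, the test would report success without having checked any mark. A guard before the loop closes that: `[ -n "$values" ] || { echo "FAIL: no counters read in ns $ns" 1>&2; ret=1; return 1; }`. Note also that a listener-side failure is recorded in `retc` just like a connector-side one, so the final result cannot tell the two apart.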
index 6b56b7ad69608cf8fcfac937a0ac34f00866a736..ccce3c5f5551c0ecc304d36b90c3769b56f1c8a7 100644 (file)
@@ -514,3 +514,17 @@ net-ena-fix-shift-out-of-bounds-in-exponential-backoff.patch
 ring-buffer-fix-deadloop-issue-on-reading-trace_pipe.patch
 ftrace-fix-possible-warning-on-checking-all-pages-used-in-ftrace_process_locs.patch
 xtensa-iss-fix-call-to-split_if_spec.patch
+tracing-fix-null-pointer-dereference-in-tracing_err_log_open.patch
+selftests-mptcp-sockopt-return-error-if-wrong-mark.patch
+selftests-mptcp-depend-on-syn_cookies.patch
+tracing-probes-fix-not-to-count-error-code-to-total-length.patch
+tracing-probes-fix-to-update-dynamic-data-counter-if-fetcharg-uses-it.patch
+scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch
+scsi-qla2xxx-array-index-may-go-out-of-bound.patch
+scsi-qla2xxx-avoid-fcport-pointer-dereference.patch
+scsi-qla2xxx-fix-buffer-overrun.patch
+scsi-qla2xxx-fix-potential-null-pointer-dereference.patch
+scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch
+scsi-qla2xxx-correct-the-index-of-array.patch
+scsi-qla2xxx-pointer-may-be-dereferenced.patch
+scsi-qla2xxx-remove-unused-nvme_ls_waitq-wait-queue.patch
diff --git a/queue-5.15/tracing-fix-null-pointer-dereference-in-tracing_err_log_open.patch b/queue-5.15/tracing-fix-null-pointer-dereference-in-tracing_err_log_open.patch
new file mode 100644 (file)
index 0000000..1ef0416
--- /dev/null
@@ -0,0 +1,61 @@
+From 02b0095e2fbbc060560c1065f86a211d91e27b26 Mon Sep 17 00:00:00 2001
+From: Mateusz Stachyra <m.stachyra@samsung.com>
+Date: Tue, 4 Jul 2023 12:27:06 +0200
+Subject: tracing: Fix null pointer dereference in tracing_err_log_open()
+
+From: Mateusz Stachyra <m.stachyra@samsung.com>
+
+commit 02b0095e2fbbc060560c1065f86a211d91e27b26 upstream.
+
+Fix an issue in function 'tracing_err_log_open'.
+The function doesn't call 'seq_open' if the file is opened only with
+write permissions, which results in 'file->private_data' being left as null.
+If we then use 'lseek' on that opened file, 'seq_lseek' dereferences
+'file->private_data' in 'mutex_lock(&m->lock)', resulting in a kernel panic.
+Writing to this node requires root privileges, therefore this bug
+has very little security impact.
+
+Tracefs node: /sys/kernel/tracing/error_log
+
+Example Kernel panic:
+
+Unable to handle kernel NULL pointer dereference at virtual address 0000000000000038
+Call trace:
+ mutex_lock+0x30/0x110
+ seq_lseek+0x34/0xb8
+ __arm64_sys_lseek+0x6c/0xb8
+ invoke_syscall+0x58/0x13c
+ el0_svc_common+0xc4/0x10c
+ do_el0_svc+0x24/0x98
+ el0_svc+0x24/0x88
+ el0t_64_sync_handler+0x84/0xe4
+ el0t_64_sync+0x1b4/0x1b8
+Code: d503201f aa0803e0 aa1f03e1 aa0103e9 (c8e97d02)
+---[ end trace 561d1b49c12cf8a5 ]---
+Kernel panic - not syncing: Oops: Fatal exception
+
+Link: https://lore.kernel.org/linux-trace-kernel/20230703155237eucms1p4dfb6a19caa14c79eb6c823d127b39024@eucms1p4
+Link: https://lore.kernel.org/linux-trace-kernel/20230704102706eucms1p30d7ecdcc287f46ad67679fc8491b2e0f@eucms1p3
+
+Cc: stable@vger.kernel.org
+Fixes: 8a062902be725 ("tracing: Add tracing error log")
+Signed-off-by: Mateusz Stachyra <m.stachyra@samsung.com>
+Suggested-by: Steven Rostedt <rostedt@goodmis.org>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -8014,7 +8014,7 @@ static const struct file_operations trac
+       .open           = tracing_err_log_open,
+       .write          = tracing_err_log_write,
+       .read           = seq_read,
+-      .llseek         = seq_lseek,
++      .llseek         = tracing_lseek,
+       .release        = tracing_err_log_release,
+ };
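Review bot: The switch from `seq_lseek` to `tracing_lseek` carries no comment, and the reason cannot be read off the initialiser. Per the commit message, `tracing_err_log_open` skips `seq_open()` for write-only opens and leaves `file->private_data` NULL, which `seq_lseek` then dereferences. I would add `/* not seq_lseek: write-only opens have no seq_file in private_data */` on the `.llseek` line so the entry is not reverted as a cleanup later. `.release = tracing_err_log_release` is unchanged; its handling of the write-only case is outside the hunk and worth confirming.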
diff --git a/queue-5.15/tracing-probes-fix-not-to-count-error-code-to-total-length.patch b/queue-5.15/tracing-probes-fix-not-to-count-error-code-to-total-length.patch
new file mode 100644 (file)
index 0000000..60fcee2
--- /dev/null
@@ -0,0 +1,38 @@
+From b41326b5e0f82e93592c4366359917b5d67b529f Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
+Date: Tue, 11 Jul 2023 23:15:38 +0900
+Subject: tracing/probes: Fix not to count error code to total length
+
+From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+
+commit b41326b5e0f82e93592c4366359917b5d67b529f upstream.
+
+Fix not to count the error code (which is minus value) to the total
+used length of array, because it can mess up the return code of
+process_fetch_insn_bottom(). Also clear the 'ret' value because it
+will be used for calculating next data_loc entry.
+
+Link: https://lore.kernel.org/all/168908493827.123124.2175257289106364229.stgit@devnote2/
+
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Closes: https://lore.kernel.org/all/8819b154-2ba1-43c3-98a2-cbde20892023@moroto.mountain/
+Fixes: 9b960a38835f ("tracing: probeevent: Unify fetch_insn processing common part")
+Cc: stable@vger.kernel.org
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_probe_tmpl.h |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/trace/trace_probe_tmpl.h
++++ b/kernel/trace/trace_probe_tmpl.h
+@@ -143,6 +143,8 @@ stage3:
+ array:
+       /* the last stage: Loop on array */
+       if (code->op == FETCH_OP_LP_ARRAY) {
++              if (ret < 0)
++                      ret = 0;
+               total += ret;
+               if (++i < code->param) {
+                       code = s3;
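Review bot: The added `if (ret < 0) ret = 0;` discards the error of a failed array element without a comment, so the next reader cannot tell a deliberate clamp from a masked failure. I would put `/* a failed element adds no bytes; keep its errno out of total and out of the next data_loc */` above it, which is the reasoning given in the commit message. Whether any caller needs to learn that an element failed is not visible here; the `array:` block continues outside the hunk.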
diff --git a/queue-5.15/tracing-probes-fix-to-update-dynamic-data-counter-if-fetcharg-uses-it.patch b/queue-5.15/tracing-probes-fix-to-update-dynamic-data-counter-if-fetcharg-uses-it.patch
new file mode 100644 (file)
index 0000000..0fdb94d
--- /dev/null
@@ -0,0 +1,48 @@
+From e38e2c6a9efc435f9de344b7c91f7697e01b47d5 Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
+Date: Tue, 11 Jul 2023 23:15:48 +0900
+Subject: tracing/probes: Fix to update dynamic data counter if fetcharg uses it
+
+From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+
+commit e38e2c6a9efc435f9de344b7c91f7697e01b47d5 upstream.
+
+Fix to update dynamic data counter ('dyndata') and max length ('maxlen')
+only if the fetcharg uses the dynamic data. Also get out arg->dynamic
+from unlikely(). This makes dynamic data address wrong if
+process_fetch_insn() returns error on !arg->dynamic case.
+
+Link: https://lore.kernel.org/all/168908494781.123124.8160245359962103684.stgit@devnote2/
+
+Suggested-by: Steven Rostedt <rostedt@goodmis.org>
+Link: https://lore.kernel.org/all/20230710233400.5aaf024e@gandalf.local.home/
+Fixes: 9178412ddf5a ("tracing: probeevent: Return consumed bytes of dynamic area")
+Cc: stable@vger.kernel.org
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_probe_tmpl.h |   12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/kernel/trace/trace_probe_tmpl.h
++++ b/kernel/trace/trace_probe_tmpl.h
+@@ -206,11 +206,13 @@ store_trace_args(void *data, struct trac
+               if (unlikely(arg->dynamic))
+                       *dl = make_data_loc(maxlen, dyndata - base);
+               ret = process_fetch_insn(arg->code, rec, dl, base);
+-              if (unlikely(ret < 0 && arg->dynamic)) {
+-                      *dl = make_data_loc(0, dyndata - base);
+-              } else {
+-                      dyndata += ret;
+-                      maxlen -= ret;
++              if (arg->dynamic) {
++                      if (unlikely(ret < 0)) {
++                              *dl = make_data_loc(0, dyndata - base);
++                      } else {
++                              dyndata += ret;
++                              maxlen -= ret;
++                      }
+               }
+       }
+ }
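Review bot: After this change a negative `ret` from `process_fetch_insn()` for a non-dynamic argument is dropped with no handling and no comment. If that is intended, say so above the new test: `/* ret is a consumed-byte count only for dynamic args; errors on fixed-size args leave dyndata and maxlen untouched */`. Separately, `dyndata += ret; maxlen -= ret;` trusts `ret` not to exceed `maxlen`; whether `process_fetch_insn()` guarantees that is outside the hunk and worth confirming. The first context line still reads `if (unlikely(arg->dynamic))` although the commit message says the hint was taken off `arg->dynamic`.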