5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 25 Oct 2021 07:51:16 +0000 (09:51 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 25 Oct 2021 07:51:16 +0000 (09:51 +0200)
added patches:
can-isotp-isotp_sendmsg-fix-tx-buffer-concurrent-access-in-isotp_sendmsg.patch
s390-pci-cleanup-resources-only-if-necessary.patch
scsi-core-fix-shost-cmd_per_lun-calculation-in-scsi_add_host_with_dma.patch

queue-5.10/can-isotp-isotp_sendmsg-fix-tx-buffer-concurrent-access-in-isotp_sendmsg.patch [new file with mode: 0644]
queue-5.10/s390-pci-cleanup-resources-only-if-necessary.patch [new file with mode: 0644]
queue-5.10/scsi-core-fix-shost-cmd_per_lun-calculation-in-scsi_add_host_with_dma.patch [new file with mode: 0644]
queue-5.10/series

diff --git a/queue-5.10/can-isotp-isotp_sendmsg-fix-tx-buffer-concurrent-access-in-isotp_sendmsg.patch b/queue-5.10/can-isotp-isotp_sendmsg-fix-tx-buffer-concurrent-access-in-isotp_sendmsg.patch
new file mode 100644 (file)
index 0000000..c8a7a34
--- /dev/null
@@ -0,0 +1,130 @@
+From 43a08c3bdac4cb42eff8fe5e2278bffe0c5c3daa Mon Sep 17 00:00:00 2001
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+Date: Sat, 9 Oct 2021 15:40:30 +0800
+Subject: can: isotp: isotp_sendmsg(): fix TX buffer concurrent access in isotp_sendmsg()
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+commit 43a08c3bdac4cb42eff8fe5e2278bffe0c5c3daa upstream.
+
+When isotp_sendmsg() concurrent, tx.state of all TX processes can be
+ISOTP_IDLE. The conditions so->tx.state != ISOTP_IDLE and
+wq_has_sleeper(&so->wait) can not protect TX buffer from being
+accessed by multiple TX processes.
+
+We can use cmpxchg() to try to modify tx.state to ISOTP_SENDING firstly.
+If the modification of the previous process succeed, the later process
+must wait tx.state to ISOTP_IDLE firstly. Thus, we can ensure TX buffer
+is accessed by only one process at the same time. And we should also
+restore the original tx.state at the subsequent error processes.
+
+Fixes: e057dd3fc20f ("can: add ISO 15765-2:2016 transport protocol")
+Link: https://lore.kernel.org/all/c2517874fbdf4188585cf9ddf67a8fa74d5dbde5.1633764159.git.william.xuanziyang@huawei.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/isotp.c |   40 +++++++++++++++++++++++++++-------------
+ 1 file changed, 27 insertions(+), 13 deletions(-)
+
+--- a/net/can/isotp.c
++++ b/net/can/isotp.c
+@@ -121,7 +121,7 @@ enum {
+ struct tpcon {
+       int idx;
+       int len;
+-      u8 state;
++      u32 state;
+       u8 bs;
+       u8 sn;
+       u8 ll_dl;
+@@ -846,6 +846,7 @@ static int isotp_sendmsg(struct socket *
+ {
+       struct sock *sk = sock->sk;
+       struct isotp_sock *so = isotp_sk(sk);
++      u32 old_state = so->tx.state;
+       struct sk_buff *skb;
+       struct net_device *dev;
+       struct canfd_frame *cf;
+@@ -858,39 +859,45 @@ static int isotp_sendmsg(struct socket *
+               return -EADDRNOTAVAIL;
+       /* we do not support multiple buffers - for now */
+-      if (so->tx.state != ISOTP_IDLE || wq_has_sleeper(&so->wait)) {
+-              if (msg->msg_flags & MSG_DONTWAIT)
+-                      return -EAGAIN;
++      if (cmpxchg(&so->tx.state, ISOTP_IDLE, ISOTP_SENDING) != ISOTP_IDLE ||
++          wq_has_sleeper(&so->wait)) {
++              if (msg->msg_flags & MSG_DONTWAIT) {
++                      err = -EAGAIN;
++                      goto err_out;
++              }
+               /* wait for complete transmission of current pdu */
+               err = wait_event_interruptible(so->wait, so->tx.state == ISOTP_IDLE);
+               if (err)
+-                      return err;
++                      goto err_out;
+       }
+-      if (!size || size > MAX_MSG_LENGTH)
+-              return -EINVAL;
++      if (!size || size > MAX_MSG_LENGTH) {
++              err = -EINVAL;
++              goto err_out;
++      }
+       err = memcpy_from_msg(so->tx.buf, msg, size);
+       if (err < 0)
+-              return err;
++              goto err_out;
+       dev = dev_get_by_index(sock_net(sk), so->ifindex);
+-      if (!dev)
+-              return -ENXIO;
++      if (!dev) {
++              err = -ENXIO;
++              goto err_out;
++      }
+       skb = sock_alloc_send_skb(sk, so->ll.mtu + sizeof(struct can_skb_priv),
+                                 msg->msg_flags & MSG_DONTWAIT, &err);
+       if (!skb) {
+               dev_put(dev);
+-              return err;
++              goto err_out;
+       }
+       can_skb_reserve(skb);
+       can_skb_prv(skb)->ifindex = dev->ifindex;
+       can_skb_prv(skb)->skbcnt = 0;
+-      so->tx.state = ISOTP_SENDING;
+       so->tx.len = size;
+       so->tx.idx = 0;
+@@ -949,7 +956,7 @@ static int isotp_sendmsg(struct socket *
+       if (err) {
+               pr_notice_once("can-isotp: %s: can_send_ret %d\n",
+                              __func__, err);
+-              return err;
++              goto err_out;
+       }
+       if (wait_tx_done) {
+@@ -961,6 +968,13 @@ static int isotp_sendmsg(struct socket *
+       }
+       return size;
++
++err_out:
++      so->tx.state = old_state;
++      if (so->tx.state == ISOTP_IDLE)
++              wake_up_interruptible(&so->wait);
++
++      return err;
+ }
+ static int isotp_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,
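Review bot: The `err_out:` path restores `old_state`, which is read from `so->tx.state` at function entry with no ordering against the later `cmpxchg()`, so a sender that loses the claim (for example the `MSG_DONTWAIT` branch returning `-EAGAIN`) can write a stale `ISOTP_IDLE` over the winner's `ISOTP_SENDING` and wake waiters while `so->tx.buf` is still in use. A sender that returns from `wait_event_interruptible()` also continues without re-claiming the state, and the plain `so->tx.state = ISOTP_SENDING` store is removed, so two woken senders appear able to reach `memcpy_from_msg()` together. I would retry the `cmpxchg()` in a loop, return directly on the paths that never owned the state, and have `err_out` reset to `ISOTP_IDLE` only for the owner, which makes `old_state` unnecessary. Parts of isotp_sendmsg() lie outside the visible hunks, so confirm that no skipped code depends on the `wq_has_sleeper()` test the sketch drops.

```c
	/* we do not support multiple buffers - for now */
	while (cmpxchg(&so->tx.state, ISOTP_IDLE, ISOTP_SENDING) != ISOTP_IDLE) {
		/* not the owner of tx.state: leave it untouched on exit */
		if (msg->msg_flags & MSG_DONTWAIT)
			return -EAGAIN;

		/* wait for complete transmission of current pdu */
		err = wait_event_interruptible(so->wait, so->tx.state == ISOTP_IDLE);
		if (err)
			return err;
	}

	/* … unchanged: size check, memcpy_from_msg(), dev lookup, skb setup, can_send(); failures still goto err_out … */

err_out:
	/* only reached by the sender that claimed tx.state above */
	so->tx.state = ISOTP_IDLE;
	wake_up_interruptible(&so->wait);

	return err;
```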
diff --git a/queue-5.10/s390-pci-cleanup-resources-only-if-necessary.patch b/queue-5.10/s390-pci-cleanup-resources-only-if-necessary.patch
new file mode 100644 (file)
index 0000000..647ca93
--- /dev/null
@@ -0,0 +1,35 @@
+From 02368b7cf6c7badefa13741aed7a8b91d9a11b19 Mon Sep 17 00:00:00 2001
+From: Niklas Schnelle <schnelle@linux.ibm.com>
+Date: Fri, 6 Aug 2021 10:28:40 +0200
+Subject: s390/pci: cleanup resources only if necessary
+
+From: Niklas Schnelle <schnelle@linux.ibm.com>
+
+commit 02368b7cf6c7badefa13741aed7a8b91d9a11b19 upstream.
+
+It's currently safe to call zpci_cleanup_bus_resources() even if the
+resources were never created but it makes no sense so check
+zdev->has_resources before we call zpci_cleanup_bus_resources() in
+zpci_release_device().
+
+Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com>
+Acked-by: Pierre Morel <pmorel@linux.ibm.com>
+Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/pci/pci.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/s390/pci/pci.c
++++ b/arch/s390/pci/pci.c
+@@ -802,7 +802,8 @@ void zpci_release_device(struct kref *kr
+       case ZPCI_FN_STATE_STANDBY:
+               if (zdev->has_hp_slot)
+                       zpci_exit_slot(zdev);
+-              zpci_cleanup_bus_resources(zdev);
++              if (zdev->has_resources)
++                      zpci_cleanup_bus_resources(zdev);
+               zpci_bus_device_unregister(zdev);
+               zpci_destroy_iommu(zdev);
+               fallthrough;
diff --git a/queue-5.10/scsi-core-fix-shost-cmd_per_lun-calculation-in-scsi_add_host_with_dma.patch b/queue-5.10/scsi-core-fix-shost-cmd_per_lun-calculation-in-scsi_add_host_with_dma.patch
new file mode 100644 (file)
index 0000000..4bfb513
--- /dev/null
@@ -0,0 +1,42 @@
+From 50b6cb3516365cb69753b006be2b61c966b70588 Mon Sep 17 00:00:00 2001
+From: Dexuan Cui <decui@microsoft.com>
+Date: Thu, 7 Oct 2021 21:35:46 -0700
+Subject: scsi: core: Fix shost->cmd_per_lun calculation in scsi_add_host_with_dma()
+
+From: Dexuan Cui <decui@microsoft.com>
+
+commit 50b6cb3516365cb69753b006be2b61c966b70588 upstream.
+
+After commit ea2f0f77538c ("scsi: core: Cap scsi_host cmd_per_lun at
+can_queue"), a 416-CPU VM running on Hyper-V hangs during boot because the
+hv_storvsc driver sets scsi_driver.can_queue to an integer value that
+exceeds SHRT_MAX, and hence scsi_add_host_with_dma() sets
+shost->cmd_per_lun to a negative "short" value.
+
+Use min_t(int, ...) to work around the issue.
+
+Link: https://lore.kernel.org/r/20211008043546.6006-1-decui@microsoft.com
+Fixes: ea2f0f77538c ("scsi: core: Cap scsi_host cmd_per_lun at can_queue")
+Cc: stable@vger.kernel.org
+Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/hosts.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/hosts.c
++++ b/drivers/scsi/hosts.c
+@@ -220,7 +220,8 @@ int scsi_add_host_with_dma(struct Scsi_H
+               goto fail;
+       }
+-      shost->cmd_per_lun = min_t(short, shost->cmd_per_lun,
++      /* Use min_t(int, ...) in case shost->can_queue exceeds SHRT_MAX */
++      shost->cmd_per_lun = min_t(int, shost->cmd_per_lun,
+                                  shost->can_queue);
+       error = scsi_init_sense_cache(shost);
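Review bot: The added comment explains why the comparison type is widened, but not why storing the `int` result back into `shost->cmd_per_lun` is safe, which is the part a later reader is most likely to question. The commit message implies the field is a `short`; the assignment cannot truncate only because the minimum never exceeds the previous `cmd_per_lun`. I would extend the comment to `/* Compare as int: can_queue may exceed SHRT_MAX; the result is <= cmd_per_lun, so it still fits the field */`. The statement sits in the middle of scsi_add_host_with_dma(), whose body starts and ends outside the hunk, so any earlier validation of `can_queue` is not visible here.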
index 89a55ad14756a468c6a51b48bf156a3c1703618d..c9403eacfcf6ab5e5603f5c5158646841b9c95cd 100644 (file)
@@ -82,3 +82,6 @@ scsi-iscsi-fix-set_param-handling.patch
 scsi-qla2xxx-fix-a-memory-leak-in-an-error-path-of-q.patch
 sched-scs-reset-the-shadow-stack-when-idle_task_exit.patch
 net-hns3-fix-for-miscalculation-of-rx-unused-desc.patch
+scsi-core-fix-shost-cmd_per_lun-calculation-in-scsi_add_host_with_dma.patch
+can-isotp-isotp_sendmsg-fix-tx-buffer-concurrent-access-in-isotp_sendmsg.patch
+s390-pci-cleanup-resources-only-if-necessary.patch