From: Greg Kroah-Hartman Date: Fri, 21 Jul 2023 14:47:06 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v5.15.121~17 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cb47767d1cffad917ebf439793e75c16d5bdb10b;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: scsi-qla2xxx-array-index-may-go-out-of-bound.patch scsi-qla2xxx-avoid-fcport-pointer-dereference.patch scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch scsi-qla2xxx-correct-the-index-of-array.patch scsi-qla2xxx-fix-buffer-overrun.patch scsi-qla2xxx-fix-potential-null-pointer-dereference.patch scsi-qla2xxx-pointer-may-be-dereferenced.patch scsi-qla2xxx-remove-unused-nvme_ls_waitq-wait-queue.patch scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch selftests-mptcp-depend-on-syn_cookies.patch selftests-mptcp-sockopt-return-error-if-wrong-mark.patch tracing-fix-null-pointer-dereference-in-tracing_err_log_open.patch tracing-probes-fix-not-to-count-error-code-to-total-length.patch tracing-probes-fix-to-update-dynamic-data-counter-if-fetcharg-uses-it.patch
---
diff --git a/queue-5.15/scsi-qla2xxx-array-index-may-go-out-of-bound.patch b/queue-5.15/scsi-qla2xxx-array-index-may-go-out-of-bound.patch
new file mode 100644
index 00000000000..03f71edf435
--- /dev/null
+++ b/queue-5.15/scsi-qla2xxx-array-index-may-go-out-of-bound.patch
@@ -0,0 +1,36 @@
+From d721b591b95cf3f290f8a7cbe90aa2ee0368388d Mon Sep 17 00:00:00 2001
+From: Nilesh Javali
+Date: Wed, 7 Jun 2023 17:08:36 +0530
+Subject: scsi: qla2xxx: Array index may go out of bound
+
+From: Nilesh Javali
+
+commit d721b591b95cf3f290f8a7cbe90aa2ee0368388d upstream.
+
+Klocwork reports array 'vha->host_str' of size 16 may use index value(s)
+16..19. Use snprintf() instead of sprintf().
+
+Cc: stable@vger.kernel.org
+Co-developed-by: Bikash Hazarika
+Signed-off-by: Bikash Hazarika
+Signed-off-by: Nilesh Javali
+Link: https://lore.kernel.org/r/20230607113843.37185-2-njavali@marvell.com
+Reviewed-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_os.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -5042,7 +5042,8 @@ struct scsi_qla_host *qla2x00_create_hos
+ }
+ INIT_DELAYED_WORK(&vha->scan.scan_work, qla_scan_work_fn);
+
+- sprintf(vha->host_str, "%s_%lu", QLA2XXX_DRIVER_NAME, vha->host_no);
++ snprintf(vha->host_str, sizeof(vha->host_str), "%s_%lu",
++ QLA2XXX_DRIVER_NAME, vha->host_no);
+ ql_dbg(ql_dbg_init, vha, 0x0041,
+ "Allocated the host=%p hw=%p vha=%p dev_name=%s",
+ vha->host, vha->hw, vha,
diff --git a/queue-5.15/scsi-qla2xxx-avoid-fcport-pointer-dereference.patch b/queue-5.15/scsi-qla2xxx-avoid-fcport-pointer-dereference.patch
new file mode 100644
index 00000000000..c38a8c77b7a
--- /dev/null
+++ b/queue-5.15/scsi-qla2xxx-avoid-fcport-pointer-dereference.patch
@@ -0,0 +1,38 @@
+From 6b504d06976fe4a61cc05dedc68b84fadb397f77 Mon Sep 17 00:00:00 2001
+From: Nilesh Javali
+Date: Wed, 7 Jun 2023 17:08:38 +0530
+Subject: scsi: qla2xxx: Avoid fcport pointer dereference
+
+From: Nilesh Javali
+
+commit 6b504d06976fe4a61cc05dedc68b84fadb397f77 upstream.
+
+Klocwork reported warning of NULL pointer may be dereferenced. The routine
+exits when sa_ctl is NULL and fcport is allocated after the exit call thus
+causing NULL fcport pointer to dereference at the time of exit.
+
+To avoid fcport pointer dereference, exit the routine when sa_ctl is NULL.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Nilesh Javali
+Link: https://lore.kernel.org/r/20230607113843.37185-4-njavali@marvell.com
+Reviewed-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_edif.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_edif.c
++++ b/drivers/scsi/qla2xxx/qla_edif.c
+@@ -2230,8 +2230,8 @@ qla24xx_issue_sa_replace_iocb(scsi_qla_h
+ if (!sa_ctl) {
+ ql_dbg(ql_dbg_edif, vha, 0x70e6,
+ "sa_ctl allocation failed\n");
+- rval = -ENOMEM;
+- goto done;
++ rval = -ENOMEM;
++ return rval;
+ }
+
+ fcport = sa_ctl->fcport;
diff --git a/queue-5.15/scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch b/queue-5.15/scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch
new file mode 100644
index 00000000000..b4c6190c93e
--- /dev/null
+++ b/queue-5.15/scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch
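Review bot: In the `if (!sa_ctl)` branch the new pair `rval = -ENOMEM; return rval;` can be the single statement `return -ENOMEM;`, which makes it plain that this path deliberately bypasses the shared exit. A one-line comment such as `/* fcport is not set yet, so do not go through done */` would keep a later cleanup from restoring the `goto`. The `done` label and the rest of qla24xx_issue_sa_replace_iocb are outside the hunk, so what the label touches is taken from the commit message only.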
@@ -0,0 +1,37 @@
+From af73f23a27206ffb3c477cac75b5fcf03410556e Mon Sep 17 00:00:00 2001
+From: Nilesh Javali
+Date: Wed, 7 Jun 2023 17:08:39 +0530
+Subject: scsi: qla2xxx: Check valid rport returned by fc_bsg_to_rport()
+
+From: Nilesh Javali
+
+commit af73f23a27206ffb3c477cac75b5fcf03410556e upstream.
+
+Klocwork reported warning of rport maybe NULL and will be dereferenced.
+rport returned by call to fc_bsg_to_rport() could be NULL and dereferenced.
+
+Check valid rport returned by fc_bsg_to_rport().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Nilesh Javali
+Link: https://lore.kernel.org/r/20230607113843.37185-5-njavali@marvell.com
+Reviewed-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_bsg.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/scsi/qla2xxx/qla_bsg.c
++++ b/drivers/scsi/qla2xxx/qla_bsg.c
+@@ -283,6 +283,10 @@ qla2x00_process_els(struct bsg_job *bsg_
+
+ if (bsg_request->msgcode == FC_BSG_RPT_ELS) {
+ rport = fc_bsg_to_rport(bsg_job);
++ if (!rport) {
++ rval = -ENOMEM;
++ goto done;
++ }
+ fcport = *(fc_port_t **) rport->dd_data;
+ host = rport_to_shost(rport);
+ vha = shost_priv(host);
diff --git a/queue-5.15/scsi-qla2xxx-correct-the-index-of-array.patch b/queue-5.15/scsi-qla2xxx-correct-the-index-of-array.patch
new file mode 100644
index 00000000000..f1f18d62683
--- /dev/null
+++ b/queue-5.15/scsi-qla2xxx-correct-the-index-of-array.patch
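Review bot: The added `if (!rport)` branch in qla2x00_process_els reports `-ENOMEM`, although nothing has failed to allocate at that point; a missing remote port is an invalid or vanished target, so `rval = -EINVAL;` (or `-ENODEV`) would tell the BSG caller what actually went wrong. The matching check added to qla24xx_bsg_request in scsi-qla2xxx-pointer-may-be-dereferenced.patch does `return ret;`, and the value `ret` holds there is set outside that hunk, so the two paths may not agree on the code they return for the same condition. Making both return one explicit errno would remove the ambiguity. What the `done` label does is also outside this hunk.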
@@ -0,0 +1,51 @@
+From b1b9d3825df4c757d653d0b1df66f084835db9c3 Mon Sep 17 00:00:00 2001
+From: Bikash Hazarika
+Date: Wed, 7 Jun 2023 17:08:42 +0530
+Subject: scsi: qla2xxx: Correct the index of array
+
+From: Bikash Hazarika
+
+commit b1b9d3825df4c757d653d0b1df66f084835db9c3 upstream.
+
+Klocwork reported array 'port_dstate_str' of size 10 may use index value(s)
+10..15.
+
+Add a fix to correct the index of array.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Bikash Hazarika
+Signed-off-by: Nilesh Javali
+Link: https://lore.kernel.org/r/20230607113843.37185-8-njavali@marvell.com
+Reviewed-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_inline.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/qla_inline.h
++++ b/drivers/scsi/qla2xxx/qla_inline.h
+@@ -109,11 +109,13 @@ qla2x00_set_fcport_disc_state(fc_port_t
+ {
+ int old_val;
+ uint8_t shiftbits, mask;
++ uint8_t port_dstate_str_sz;
+
+ /* This will have to change when the max no. of states > 16 */
+ shiftbits = 4;
+ mask = (1 << shiftbits) - 1;
+
++ port_dstate_str_sz = sizeof(port_dstate_str) / sizeof(char *);
+ fcport->disc_state = state;
+ while (1) {
+ old_val = atomic_read(&fcport->shadow_disc_state);
+@@ -121,7 +123,8 @@ qla2x00_set_fcport_disc_state(fc_port_t
+ old_val, (old_val << shiftbits) | state)) {
+ ql_dbg(ql_dbg_disc, fcport->vha, 0x2134,
+ "FCPort %8phC disc_state transition: %s to %s - portid=%06x.\n",
+- fcport->port_name, port_dstate_str[old_val & mask],
++ fcport->port_name, (old_val & mask) < port_dstate_str_sz ?
++ port_dstate_str[old_val & mask] : "Unknown",
+ port_dstate_str[state], fcport->d_id.b24);
+ return;
+ }
diff --git a/queue-5.15/scsi-qla2xxx-fix-buffer-overrun.patch b/queue-5.15/scsi-qla2xxx-fix-buffer-overrun.patch
new file mode 100644
index 00000000000..e6547a88cb3
--- /dev/null
+++ b/queue-5.15/scsi-qla2xxx-fix-buffer-overrun.patch
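Review bot: `port_dstate_str[state]` on the next argument line of the same `ql_dbg()` call is still indexed without the bound that the commit adds for `old_val & mask`, so an out-of-range `state` reads past the table exactly as the old value could. The same guard applies there: `state < port_dstate_str_sz ? port_dstate_str[state] : "Unknown"`; the type and valid range of `state` are declared outside the hunk, so a negative value may also need excluding. For the size itself, `ARRAY_SIZE(port_dstate_str)` is the usual kernel form of `sizeof(port_dstate_str) / sizeof(char *)` and does not depend on the element type. The function's signature and tail are outside the hunk.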
@@ -0,0 +1,38 @@
+From b68710a8094fdffe8dd4f7a82c82649f479bb453 Mon Sep 17 00:00:00 2001
+From: Quinn Tran
+Date: Wed, 7 Jun 2023 17:08:40 +0530
+Subject: scsi: qla2xxx: Fix buffer overrun
+
+From: Quinn Tran
+
+commit b68710a8094fdffe8dd4f7a82c82649f479bb453 upstream.
+
+Klocwork warning: Buffer Overflow - Array Index Out of Bounds
+
+Driver uses fc_els_flogi to calculate size of buffer. The actual buffer is
+nested inside of fc_els_flogi which is smaller.
+
+Replace structure name to allow proper size calculation.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Quinn Tran
+Signed-off-by: Nilesh Javali
+Link: https://lore.kernel.org/r/20230607113843.37185-6-njavali@marvell.com
+Reviewed-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_init.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -5359,7 +5359,7 @@ static void qla_get_login_template(scsi_
+ __be32 *q;
+
+ memset(ha->init_cb, 0, ha->init_cb_size);
+- sz = min_t(int, sizeof(struct fc_els_flogi), ha->init_cb_size);
++ sz = min_t(int, sizeof(struct fc_els_csp), ha->init_cb_size);
+ rval = qla24xx_get_port_login_templ(vha, ha->init_cb_dma,
+ ha->init_cb, sz);
+ if (rval != QLA_SUCCESS) {
diff --git a/queue-5.15/scsi-qla2xxx-fix-potential-null-pointer-dereference.patch b/queue-5.15/scsi-qla2xxx-fix-potential-null-pointer-dereference.patch
new file mode 100644
index 00000000000..6edcf7fe28e
--- /dev/null
+++ b/queue-5.15/scsi-qla2xxx-fix-potential-null-pointer-dereference.patch
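Review bot: The switch to `sizeof(struct fc_els_csp)` in qla_get_login_template carries no comment, and the reason for the choice lives only in the commit message (the buffer being sized is the member nested inside `fc_els_flogi`, not the whole structure). A comment above the `min_t()` line, for example `/* bound by the nested csp member, not the whole fc_els_flogi */`, would keep the size from being widened again by someone matching the name of the ELS. The code that consumes `sz` is outside the hunk, so the wording should be checked against the actual destination of the copy.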
@@ -0,0 +1,35 @@
+From 464ea494a40c6e3e0e8f91dd325408aaf21515ba Mon Sep 17 00:00:00 2001
+From: Bikash Hazarika
+Date: Wed, 7 Jun 2023 17:08:37 +0530
+Subject: scsi: qla2xxx: Fix potential NULL pointer dereference
+
+From: Bikash Hazarika
+
+commit 464ea494a40c6e3e0e8f91dd325408aaf21515ba upstream.
+
+Klocwork tool reported 'cur_dsd' may be dereferenced. Add fix to validate
+pointer before dereferencing the pointer.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Bikash Hazarika
+Signed-off-by: Nilesh Javali
+Link: https://lore.kernel.org/r/20230607113843.37185-3-njavali@marvell.com
+Reviewed-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_iocb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/qla_iocb.c
++++ b/drivers/scsi/qla2xxx/qla_iocb.c
+@@ -603,7 +603,8 @@ qla24xx_build_scsi_type_6_iocbs(srb_t *s
+ put_unaligned_le32(COMMAND_TYPE_6, &cmd_pkt->entry_type);
+
+ /* No data transfer */
+- if (!scsi_bufflen(cmd) || cmd->sc_data_direction == DMA_NONE) {
++ if (!scsi_bufflen(cmd) || cmd->sc_data_direction == DMA_NONE ||
++ tot_dsds == 0) {
+ cmd_pkt->byte_count = cpu_to_le32(0);
+ return 0;
+ }
diff --git a/queue-5.15/scsi-qla2xxx-pointer-may-be-dereferenced.patch b/queue-5.15/scsi-qla2xxx-pointer-may-be-dereferenced.patch
new file mode 100644
index 00000000000..5d87cc0c58e
--- /dev/null
+++ b/queue-5.15/scsi-qla2xxx-pointer-may-be-dereferenced.patch
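Review bot: Folding `tot_dsds == 0` into the "No data transfer" condition makes the function return 0 with `byte_count` zeroed even when `scsi_bufflen(cmd)` is non-zero and the direction is not `DMA_NONE`, so a command that does carry data would be built as a no-data command and reported as success. If that combination can occur it looks like a mapping inconsistency that should fail the build of the IOCB rather than be masked; a separate `if (tot_dsds == 0)` test with its own error return would keep the two cases apart. If it cannot occur, a comment on the new operand such as `/* defensive: keeps cur_dsd from being used while NULL */` would say so. The rest of qla24xx_build_scsi_type_6_iocbs, including where `cur_dsd` is used, is outside the hunk.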
@@ -0,0 +1,36 @@
+From 00eca15319d9ce8c31cdf22f32a3467775423df4 Mon Sep 17 00:00:00 2001
+From: Shreyas Deodhar
+Date: Wed, 7 Jun 2023 17:08:41 +0530
+Subject: scsi: qla2xxx: Pointer may be dereferenced
+
+From: Shreyas Deodhar
+
+commit 00eca15319d9ce8c31cdf22f32a3467775423df4 upstream.
+
+Klocwork tool reported pointer 'rport' returned from call to function
+fc_bsg_to_rport() may be NULL and will be dereferenced.
+
+Add a fix to validate rport before dereferencing.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Shreyas Deodhar
+Signed-off-by: Nilesh Javali
+Link: https://lore.kernel.org/r/20230607113843.37185-7-njavali@marvell.com
+Reviewed-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_bsg.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/scsi/qla2xxx/qla_bsg.c
++++ b/drivers/scsi/qla2xxx/qla_bsg.c
+@@ -2903,6 +2903,8 @@ qla24xx_bsg_request(struct bsg_job *bsg_
+
+ if (bsg_request->msgcode == FC_BSG_RPT_ELS) {
+ rport = fc_bsg_to_rport(bsg_job);
++ if (!rport)
++ return ret;
+ host = rport_to_shost(rport);
+ vha = shost_priv(host);
+ } else {
diff --git a/queue-5.15/scsi-qla2xxx-remove-unused-nvme_ls_waitq-wait-queue.patch b/queue-5.15/scsi-qla2xxx-remove-unused-nvme_ls_waitq-wait-queue.patch
new file mode 100644
index 00000000000..7bf76f22056
--- /dev/null
+++ b/queue-5.15/scsi-qla2xxx-remove-unused-nvme_ls_waitq-wait-queue.patch
@@ -0,0 +1,91 @@
+From 20fce500b232b970e40312a9c97e7f3b6d7a709c Mon Sep 17 00:00:00 2001
+From: Manish Rangankar
+Date: Thu, 15 Jun 2023 13:16:33 +0530
+Subject: scsi: qla2xxx: Remove unused nvme_ls_waitq wait queue
+
+From: Manish Rangankar
+
+commit 20fce500b232b970e40312a9c97e7f3b6d7a709c upstream.
+
+System crash when qla2x00_start_sp(sp) returns error code EGAIN and wake_up
+gets called for uninitialized wait queue sp->nvme_ls_waitq.
+
+ qla2xxx [0000:37:00.1]-2121:5: Returning existing qpair of ffff8ae2c0513400 for idx=0
+ qla2xxx [0000:37:00.1]-700e:5: qla2x00_start_sp failed = 11
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
+ PGD 0 P4D 0
+ Oops: 0000 [#1] SMP NOPTI
+ Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021
+ Workqueue: nvme-wq nvme_fc_connect_ctrl_work [nvme_fc]
+ RIP: 0010:__wake_up_common+0x4c/0x190
+ RSP: 0018:ffff95f3e0cb7cd0 EFLAGS: 00010086
+ RAX: 0000000000000000 RBX: ffff8b08d3b26328 RCX: 0000000000000000
+ RDX: 0000000000000001 RSI: 0000000000000003 RDI: ffff8b08d3b26320
+ RBP: 0000000000000001 R08: 0000000000000000 R09: ffffffffffffffe8
+ R10: 0000000000000000 R11: ffff95f3e0cb7a60 R12: ffff95f3e0cb7d20
+ R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000000000
+ FS: 0000000000000000(0000) GS:ffff8b2fdf6c0000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000000 CR3: 0000002f1e410002 CR4: 00000000007706e0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ PKRU: 55555554
+ Call Trace:
+ __wake_up_common_lock+0x7c/0xc0
+ qla_nvme_ls_req+0x355/0x4c0 [qla2xxx]
+ ? __nvme_fc_send_ls_req+0x260/0x380 [nvme_fc]
+ ? nvme_fc_send_ls_req.constprop.42+0x1a/0x45 [nvme_fc]
+ ? nvme_fc_connect_ctrl_work.cold.63+0x1e3/0xa7d [nvme_fc]
+
+Remove unused nvme_ls_waitq wait queue.
nvme_ls_waitq logic was removed
+previously in the commits tagged Fixed: below.
+
+Fixes: 219d27d7147e ("scsi: qla2xxx: Fix race conditions in the code for aborting SCSI commands")
+Fixes: 5621b0dd7453 ("scsi: qla2xxx: Simpify unregistration of FC-NVMe local/remote ports")
+Cc: stable@vger.kernel.org
+Signed-off-by: Manish Rangankar
+Signed-off-by: Nilesh Javali
+Link: https://lore.kernel.org/r/20230615074633.12721-1-njavali@marvell.com
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_def.h | 1 -
+ drivers/scsi/qla2xxx/qla_nvme.c | 3 ---
+ 2 files changed, 4 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_def.h
++++ b/drivers/scsi/qla2xxx/qla_def.h
+@@ -676,7 +676,6 @@ typedef struct srb {
+ struct iocb_resource iores;
+ struct kref cmd_kref; /* need to migrate ref_count over to this */
+ void *priv;
+- wait_queue_head_t nvme_ls_waitq;
+ struct fc_port *fcport;
+ struct scsi_qla_host *vha;
+ unsigned int start_timer:1;
+--- a/drivers/scsi/qla2xxx/qla_nvme.c
++++ b/drivers/scsi/qla2xxx/qla_nvme.c
+@@ -355,7 +355,6 @@ static int qla_nvme_ls_req(struct nvme_f
+ if (rval != QLA_SUCCESS) {
+ ql_log(ql_log_warn, vha, 0x700e,
+ "qla2x00_start_sp failed = %d\n", rval);
+- wake_up(&sp->nvme_ls_waitq);
+ sp->priv = NULL;
+ priv->sp = NULL;
+ qla2x00_rel_sp(sp);
+@@ -637,7 +636,6 @@ static int qla_nvme_post_cmd(struct nvme
+ if (!sp)
+ return -EBUSY;
+
+- init_waitqueue_head(&sp->nvme_ls_waitq);
+ kref_init(&sp->cmd_kref);
+ spin_lock_init(&priv->cmd_lock);
+ sp->priv = priv;
+@@ -656,7 +654,6 @@ static int qla_nvme_post_cmd(struct nvme
+ if (rval != QLA_SUCCESS) {
+ ql_log(ql_log_warn, vha, 0x212d,
+ "qla2x00_start_nvme_mq failed = %d\n", rval);
+- wake_up(&sp->nvme_ls_waitq);
+ sp->priv = NULL;
+ priv->sp = NULL;
+ qla2xxx_rel_qpair_sp(sp->qpair, sp);
diff --git a/queue-5.15/scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch b/queue-5.15/scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch
new file mode 100644
index 00000000000..c0f2b991e5d
--- /dev/null
+++ b/queue-5.15/scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch
@@ -0,0 +1,71 @@
+From fc0cba0c7be8261a1625098bd1d695077ec621c9 Mon Sep 17 00:00:00 2001
+From: Quinn Tran
+Date: Fri, 28 Apr 2023 00:53:38 -0700
+Subject: scsi: qla2xxx: Wait for io return on terminate rport
+
+From: Quinn Tran
+
+commit fc0cba0c7be8261a1625098bd1d695077ec621c9 upstream.
+
+System crash due to use after free.
+Current code allows terminate_rport_io to exit before making
+sure all IOs has returned. For FCP-2 device, IO's can hang
+on in HW because driver has not tear down the session in FW at
+first sign of cable pull. When dev_loss_tmo timer pops,
+terminate_rport_io is called and upper layer is about to
+free various resources. Terminate_rport_io trigger qla to do
+the final cleanup, but the cleanup might not be fast enough where it
+leave qla still holding on to the same resource.
+
+Wait for IO's to return to upper layer before resources are freed.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Quinn Tran
+Signed-off-by: Nilesh Javali
+Link: https://lore.kernel.org/r/20230428075339.32551-7-njavali@marvell.com
+Reviewed-by: Himanshu Madhani
+Signed-off-by: Martin K.
Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_attr.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/drivers/scsi/qla2xxx/qla_attr.c
++++ b/drivers/scsi/qla2xxx/qla_attr.c
+@@ -2738,6 +2738,7 @@ static void
+ qla2x00_terminate_rport_io(struct fc_rport *rport)
+ {
+ fc_port_t *fcport = *(fc_port_t **)rport->dd_data;
++ scsi_qla_host_t *vha;
+
+ if (!fcport)
+ return;
+@@ -2747,9 +2748,12 @@ qla2x00_terminate_rport_io(struct fc_rpo
+
+ if (test_bit(ABORT_ISP_ACTIVE, &fcport->vha->dpc_flags))
+ return;
++ vha = fcport->vha;
+
+ if (unlikely(pci_channel_offline(fcport->vha->hw->pdev))) {
+ qla2x00_abort_all_cmds(fcport->vha, DID_NO_CONNECT << 16);
++ qla2x00_eh_wait_for_pending_commands(fcport->vha, fcport->d_id.b24,
++ 0, WAIT_TARGET);
+ return;
+ }
+ /*
+@@ -2774,6 +2778,15 @@ qla2x00_terminate_rport_io(struct fc_rpo
+ qla2x00_port_logout(fcport->vha, fcport);
+ }
+ }
++
++ /* check for any straggling io left behind */
++ if (qla2x00_eh_wait_for_pending_commands(fcport->vha, fcport->d_id.b24, 0, WAIT_TARGET)) {
++ ql_log(ql_log_warn, vha, 0x300b,
++ "IO not return. Resetting. \n");
++ set_bit(ISP_ABORT_NEEDED, &vha->dpc_flags);
++ qla2xxx_wake_dpc(vha);
++ qla2x00_wait_for_chip_reset(vha);
++ }
+ }
+
+ static int
diff --git a/queue-5.15/selftests-mptcp-depend-on-syn_cookies.patch b/queue-5.15/selftests-mptcp-depend-on-syn_cookies.patch
new file mode 100644
index 00000000000..c443063f0e3
--- /dev/null
+++ b/queue-5.15/selftests-mptcp-depend-on-syn_cookies.patch
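Review bot: In the `pci_channel_offline()` branch the result of the added `qla2x00_eh_wait_for_pending_commands()` call is discarded, so if commands are still outstanding when the wait gives up, the function returns anyway and the upper layer can go on to free what the driver still holds, which is the use-after-free the commit sets out to close. That branch should at least test the result the way the block at the end of the function does, i.e. `if (qla2x00_eh_wait_for_pending_commands(vha, fcport->d_id.b24, 0, WAIT_TARGET))` followed by a warning log, and a comment should say why no reset is attempted on an offline channel. The return value of `qla2x00_wait_for_chip_reset(vha)` in the final block is likewise unchecked. As a matter of style the added lines mix `fcport->vha` and the new local `vha`; using `vha` throughout would read more consistently.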
@@ -0,0 +1,40 @@
+From 6c8880fcaa5c45355179b759c1d11737775e31fc Mon Sep 17 00:00:00 2001
+From: Matthieu Baerts
+Date: Tue, 4 Jul 2023 22:44:40 +0200
+Subject: selftests: mptcp: depend on SYN_COOKIES
+
+From: Matthieu Baerts
+
+commit 6c8880fcaa5c45355179b759c1d11737775e31fc upstream.
+
+MPTCP selftests are using TCP SYN Cookies for quite a while now, since
+v5.9.
+
+Some CIs don't have this config option enabled and this is causing
+issues in the tests:
+
+ # ns1 MPTCP -> ns1 (10.0.1.1:10000 ) MPTCP (duration 167ms) sysctl: cannot stat /proc/sys/net/ipv4/tcp_syncookies: No such file or directory
+ # [ OK ]./mptcp_connect.sh: line 554: [: -eq: unary operator expected
+
+There is no impact in the results but the test is not doing what it is
+supposed to do.
+
+Fixes: fed61c4b584c ("selftests: mptcp: make 2nd net namespace use tcp syn cookies unconditionally")
+Cc: stable@vger.kernel.org
+Signed-off-by: Matthieu Baerts
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/net/mptcp/config | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/tools/testing/selftests/net/mptcp/config
++++ b/tools/testing/selftests/net/mptcp/config
+@@ -6,6 +6,7 @@ CONFIG_INET_DIAG=m
+ CONFIG_INET_MPTCP_DIAG=m
+ CONFIG_VETH=y
+ CONFIG_NET_SCH_NETEM=m
++CONFIG_SYN_COOKIES=y
+ CONFIG_NETFILTER=y
+ CONFIG_NETFILTER_ADVANCED=y
+ CONFIG_NETFILTER_NETLINK=m
diff --git a/queue-5.15/selftests-mptcp-sockopt-return-error-if-wrong-mark.patch b/queue-5.15/selftests-mptcp-sockopt-return-error-if-wrong-mark.patch
new file mode 100644
index 00000000000..e9aea2710b9
--- /dev/null
+++ b/queue-5.15/selftests-mptcp-sockopt-return-error-if-wrong-mark.patch
@@ -0,0 +1,55 @@
+From 9ac4c28eb70cd5ea5472a5e1c495dcdd597d4597 Mon Sep 17 00:00:00 2001
+From: Matthieu Baerts
+Date: Tue, 4 Jul 2023 22:44:37 +0200
+Subject: selftests: mptcp: sockopt: return error if wrong mark
+
+From: Matthieu Baerts
+
+commit 9ac4c28eb70cd5ea5472a5e1c495dcdd597d4597 upstream.
+
+When an error was detected when checking the marks, a message was
+correctly printed mentioning the error but followed by another one
+saying everything was OK and the selftest was not marked as failed as
+expected.
+
+Now the 'ret' variable is directly set to 1 in order to make sure the
+exit is done with an error, similar to what is done in other functions.
+While at it, the error is correctly propagated to the caller.
+
+Link: https://github.com/multipath-tcp/mptcp_net-next/issues/368
+Fixes: dc65fe82fb07 ("selftests: mptcp: add packet mark test case")
+Cc: stable@vger.kernel.org
+Acked-by: Paolo Abeni
+Signed-off-by: Matthieu Baerts
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/net/mptcp/mptcp_sockopt.sh | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_sockopt.sh
++++ b/tools/testing/selftests/net/mptcp/mptcp_sockopt.sh
+@@ -119,6 +119,7 @@ check_mark()
+ for v in $values; do
+ if [ $v -ne 0 ]; then
+ echo "FAIL: got $tables $values in ns $ns , not 0 - not all expected packets marked" 1>&2
++ ret=1
+ return 1
+ fi
+ done
+@@ -213,11 +214,11 @@ do_transfer()
+ fi
+
+ if [ $local_addr = "::" ];then
+- check_mark $listener_ns 6
+- check_mark $connector_ns 6
++ check_mark $listener_ns 6 || retc=1
++ check_mark $connector_ns 6 || retc=1
+ else
+- check_mark $listener_ns 4
+- check_mark $connector_ns 4
++ check_mark $listener_ns 4 || retc=1
++ check_mark $connector_ns 4 || retc=1
+ fi
+
+ check_transfer $cin $sout "file received by server"
diff --git a/queue-5.15/series b/queue-5.15/series
index 6b56b7ad696..ccce3c5f555 100644
--- a/queue-5.15/series
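Review bot: In do_transfer the new `check_mark ... || retc=1` lines record the failure in `retc`, and both the place where that variable is first set and the place where it is finally tested are outside the hunk, so it is worth confirming that it is still read after this point; if the only test of `retc` sits in the `fi`-terminated block just above, the failure is lost again. check_mark also sets the global `ret=1` in the first hunk of the same patch, so the two mechanisms overlap. A short comment on the first call, for example `# fold mark-check failures into the transfer status`, would say why both are kept.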
+++ b/queue-5.15/series
@@ -514,3 +514,17 @@ net-ena-fix-shift-out-of-bounds-in-exponential-backoff.patch
 ring-buffer-fix-deadloop-issue-on-reading-trace_pipe.patch
 ftrace-fix-possible-warning-on-checking-all-pages-used-in-ftrace_process_locs.patch
 xtensa-iss-fix-call-to-split_if_spec.patch
+tracing-fix-null-pointer-dereference-in-tracing_err_log_open.patch
+selftests-mptcp-sockopt-return-error-if-wrong-mark.patch
+selftests-mptcp-depend-on-syn_cookies.patch
+tracing-probes-fix-not-to-count-error-code-to-total-length.patch
+tracing-probes-fix-to-update-dynamic-data-counter-if-fetcharg-uses-it.patch
+scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch
+scsi-qla2xxx-array-index-may-go-out-of-bound.patch
+scsi-qla2xxx-avoid-fcport-pointer-dereference.patch
+scsi-qla2xxx-fix-buffer-overrun.patch
+scsi-qla2xxx-fix-potential-null-pointer-dereference.patch
+scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch
+scsi-qla2xxx-correct-the-index-of-array.patch
+scsi-qla2xxx-pointer-may-be-dereferenced.patch
+scsi-qla2xxx-remove-unused-nvme_ls_waitq-wait-queue.patch
diff --git a/queue-5.15/tracing-fix-null-pointer-dereference-in-tracing_err_log_open.patch b/queue-5.15/tracing-fix-null-pointer-dereference-in-tracing_err_log_open.patch
new file mode 100644
index 00000000000..1ef0416c55e
--- /dev/null
+++ b/queue-5.15/tracing-fix-null-pointer-dereference-in-tracing_err_log_open.patch
@@ -0,0 +1,61 @@
+From 02b0095e2fbbc060560c1065f86a211d91e27b26 Mon Sep 17 00:00:00 2001
+From: Mateusz Stachyra
+Date: Tue, 4 Jul 2023 12:27:06 +0200
+Subject: tracing: Fix null pointer dereference in tracing_err_log_open()
+
+From: Mateusz Stachyra
+
+commit 02b0095e2fbbc060560c1065f86a211d91e27b26 upstream.
+
+Fix an issue in function 'tracing_err_log_open'.
+The function doesn't call 'seq_open' if the file is opened only with
+write permissions, which results in 'file->private_data' being left as null.
+If we then use 'lseek' on that opened file, 'seq_lseek' dereferences
+'file->private_data' in 'mutex_lock(&m->lock)', resulting in a kernel panic.
+Writing to this node requires root privileges, therefore this bug
+has very little security impact.
+
+Tracefs node: /sys/kernel/tracing/error_log
+
+Example Kernel panic:
+
+Unable to handle kernel NULL pointer dereference at virtual address 0000000000000038
+Call trace:
+ mutex_lock+0x30/0x110
+ seq_lseek+0x34/0xb8
+ __arm64_sys_lseek+0x6c/0xb8
+ invoke_syscall+0x58/0x13c
+ el0_svc_common+0xc4/0x10c
+ do_el0_svc+0x24/0x98
+ el0_svc+0x24/0x88
+ el0t_64_sync_handler+0x84/0xe4
+ el0t_64_sync+0x1b4/0x1b8
+Code: d503201f aa0803e0 aa1f03e1 aa0103e9 (c8e97d02)
+---[ end trace 561d1b49c12cf8a5 ]---
+Kernel panic - not syncing: Oops: Fatal exception
+
+Link: https://lore.kernel.org/linux-trace-kernel/20230703155237eucms1p4dfb6a19caa14c79eb6c823d127b39024@eucms1p4
+Link: https://lore.kernel.org/linux-trace-kernel/20230704102706eucms1p30d7ecdcc287f46ad67679fc8491b2e0f@eucms1p3
+
+Cc: stable@vger.kernel.org
+Fixes: 8a062902be725 ("tracing: Add tracing error log")
+Signed-off-by: Mateusz Stachyra
+Suggested-by: Steven Rostedt
+Acked-by: Masami Hiramatsu (Google)
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/trace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -8014,7 +8014,7 @@ static const struct
file_operations trac
+ .open = tracing_err_log_open,
+ .write = tracing_err_log_write,
+ .read = seq_read,
+- .llseek = seq_lseek,
++ .llseek = tracing_lseek,
+ .release = tracing_err_log_release,
+ };
+
diff --git a/queue-5.15/tracing-probes-fix-not-to-count-error-code-to-total-length.patch b/queue-5.15/tracing-probes-fix-not-to-count-error-code-to-total-length.patch
new file mode 100644
index 00000000000..60fcee2e7ad
--- /dev/null
+++ b/queue-5.15/tracing-probes-fix-not-to-count-error-code-to-total-length.patch
@@ -0,0 +1,38 @@
+From b41326b5e0f82e93592c4366359917b5d67b529f Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)"
+Date: Tue, 11 Jul 2023 23:15:38 +0900
+Subject: tracing/probes: Fix not to count error code to total length
+
+From: Masami Hiramatsu (Google)
+
+commit b41326b5e0f82e93592c4366359917b5d67b529f upstream.
+
+Fix not to count the error code (which is minus value) to the total
+used length of array, because it can mess up the return code of
+process_fetch_insn_bottom(). Also clear the 'ret' value because it
+will be used for calculating next data_loc entry.
+
+Link: https://lore.kernel.org/all/168908493827.123124.2175257289106364229.stgit@devnote2/
+
+Reported-by: Dan Carpenter
+Closes: https://lore.kernel.org/all/8819b154-2ba1-43c3-98a2-cbde20892023@moroto.mountain/
+Fixes: 9b960a38835f ("tracing: probeevent: Unify fetch_insn processing common part")
+Cc: stable@vger.kernel.org
+Signed-off-by: Masami Hiramatsu (Google)
+Reviewed-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/trace_probe_tmpl.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/trace/trace_probe_tmpl.h
++++ b/kernel/trace/trace_probe_tmpl.h
+@@ -143,6 +143,8 @@ stage3:
+ array:
+ /* the last stage: Loop on array */
+ if (code->op == FETCH_OP_LP_ARRAY) {
++ if (ret < 0)
++ ret = 0;
+ total += ret;
+ if (++i < code->param) {
+ code = s3;
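Review bot: The `.llseek = tracing_lseek` entry in the error-log file_operations table carries no comment, and the reason it must not be `seq_lseek` is recorded only in the commit message: a write-only open skips `seq_open()` and leaves `file->private_data` NULL. A comment on that line, e.g. `/* not seq_lseek: write-only opens have no seq_file */`, would keep the table from being "simplified" back to the crashing form. `.release = tracing_err_log_release` stays in the same table; whether that handler tolerates a missing seq_file is outside the hunk and worth confirming alongside this change.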
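Review bot: The added `if (ret < 0) ret = 0;` under `FETCH_OP_LP_ARRAY` drops the error code of a failed array element without a comment, so a reader cannot tell that swallowing it is deliberate. Something like `/* a failed element adds no length; ret also seeds the next data_loc */` above the check would record the intent that the commit message gives. How the caller learns that an element failed once `ret` is cleared is not visible here; the hunk starts and ends inside the enclosing function.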
diff --git a/queue-5.15/tracing-probes-fix-to-update-dynamic-data-counter-if-fetcharg-uses-it.patch b/queue-5.15/tracing-probes-fix-to-update-dynamic-data-counter-if-fetcharg-uses-it.patch
new file mode 100644
index 00000000000..0fdb94dfe51
--- /dev/null
+++ b/queue-5.15/tracing-probes-fix-to-update-dynamic-data-counter-if-fetcharg-uses-it.patch
@@ -0,0 +1,48 @@
+From e38e2c6a9efc435f9de344b7c91f7697e01b47d5 Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)"
+Date: Tue, 11 Jul 2023 23:15:48 +0900
+Subject: tracing/probes: Fix to update dynamic data counter if fetcharg uses it
+
+From: Masami Hiramatsu (Google)
+
+commit e38e2c6a9efc435f9de344b7c91f7697e01b47d5 upstream.
+
+Fix to update dynamic data counter ('dyndata') and max length ('maxlen')
+only if the fetcharg uses the dynamic data. Also get out arg->dynamic
+from unlikely(). This makes dynamic data address wrong if
+process_fetch_insn() returns error on !arg->dynamic case.
+
+Link: https://lore.kernel.org/all/168908494781.123124.8160245359962103684.stgit@devnote2/
+
+Suggested-by: Steven Rostedt
+Link: https://lore.kernel.org/all/20230710233400.5aaf024e@gandalf.local.home/
+Fixes: 9178412ddf5a ("tracing: probeevent: Return consumed bytes of dynamic area")
+Cc: stable@vger.kernel.org
+Signed-off-by: Masami Hiramatsu (Google)
+Reviewed-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/trace_probe_tmpl.h | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/kernel/trace/trace_probe_tmpl.h
++++ b/kernel/trace/trace_probe_tmpl.h
+@@ -206,11 +206,13 @@ store_trace_args(void *data, struct trac
+ if (unlikely(arg->dynamic))
+ *dl = make_data_loc(maxlen, dyndata - base);
+ ret = process_fetch_insn(arg->code, rec, dl, base);
+- if (unlikely(ret < 0 && arg->dynamic)) {
+- *dl = make_data_loc(0, dyndata - base);
+- } else {
+- dyndata += ret;
+- maxlen -= ret;
++ if (arg->dynamic) {
++ if (unlikely(ret < 0)) {
++ *dl = make_data_loc(0, dyndata - base);
++ } else {
++ dyndata += ret;
++ maxlen -= ret;
++ }
+ }
+ }
+ }