From 120a0a679963b85d226d02dda781c6b5c58653b1 Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Mon, 1 Jun 2020 23:31:02 -0400
Subject: [PATCH] Fixes for 4.9
Signed-off-by: Sasha Levin
---
 ...quest-object-use-after-free-in-send-.patch | 93 +++++++++++++++++++
 queue-4.9/series | 1 +
 2 files changed, 94 insertions(+)
 create mode 100644 queue-4.9/scsi-zfcp-fix-request-object-use-after-free-in-send-.patch
diff --git a/queue-4.9/scsi-zfcp-fix-request-object-use-after-free-in-send-.patch b/queue-4.9/scsi-zfcp-fix-request-object-use-after-free-in-send-.patch
new file mode 100644
index 00000000000..2c784e0e1a2
--- /dev/null
+++ b/queue-4.9/scsi-zfcp-fix-request-object-use-after-free-in-send-.patch
@@ -0,0 +1,93 @@
+From 3e8ffccc636737105c4be40fff979749de2d63e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 2 Jul 2019 23:02:01 +0200
+Subject: scsi: zfcp: fix request object use-after-free in send path causing
+ wrong traces
+
+From: Benjamin Block
+
+[ Upstream commit 106d45f350c7cac876844dc685845cba4ffdb70b ]
+
+When tracing instances where we open and close WKA ports, we also pass the
+request-ID of the respective FSF command.
+
+But after successfully sending the FSF command we must not use the
+request-object anymore, as this might result in an use-after-free (see
+"zfcp: fix request object use-after-free in send path causing seqno
+errors" ).
+
+To fix this add a new variable that caches the request-ID before sending
+the request. This won't change during the hand-off to the FCP channel,
+and so it's safe to trace this cached request-ID later, instead of using
+the request object.
+
+Signed-off-by: Benjamin Block
+Fixes: d27a7cb91960 ("zfcp: trace on request for open and close of WKA port")
+Cc: #2.6.38+
+Reviewed-by: Steffen Maier
+Reviewed-by: Jens Remus
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/s390/scsi/zfcp_fsf.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/s390/scsi/zfcp_fsf.c b/drivers/s390/scsi/zfcp_fsf.c
+index a3aaef4c53a3..0d2bcb33697f 100644
+--- a/drivers/s390/scsi/zfcp_fsf.c
++++ b/drivers/s390/scsi/zfcp_fsf.c
+@@ -1594,6 +1594,7 @@ int zfcp_fsf_open_wka_port(struct zfcp_fc_wka_port *wka_port)
+ {
+ struct zfcp_qdio *qdio = wka_port->adapter->qdio;
+ struct zfcp_fsf_req *req;
++ unsigned long req_id = 0;
+ int retval = -EIO;
+
+ spin_lock_irq(&qdio->req_q_lock);
+@@ -1616,6 +1617,8 @@ int zfcp_fsf_open_wka_port(struct zfcp_fc_wka_port *wka_port)
+ hton24(req->qtcb->bottom.support.d_id, wka_port->d_id);
+ req->data = wka_port;
+
++ req_id = req->req_id;
++
+ zfcp_fsf_start_timer(req, ZFCP_FSF_REQUEST_TIMEOUT);
+ retval = zfcp_fsf_req_send(req);
+ if (retval)
+@@ -1623,7 +1626,7 @@ int zfcp_fsf_open_wka_port(struct zfcp_fc_wka_port *wka_port)
+ out:
+ spin_unlock_irq(&qdio->req_q_lock);
+ if (!retval)
+- zfcp_dbf_rec_run_wka("fsowp_1", wka_port, req->req_id);
++ zfcp_dbf_rec_run_wka("fsowp_1", wka_port, req_id);
+ return retval;
+ }
+
+@@ -1649,6 +1652,7 @@ int zfcp_fsf_close_wka_port(struct zfcp_fc_wka_port *wka_port)
+ {
+ struct zfcp_qdio *qdio = wka_port->adapter->qdio;
+ struct zfcp_fsf_req *req;
++ unsigned long req_id = 0;
+ int retval = -EIO;
+
+ spin_lock_irq(&qdio->req_q_lock);
+@@ -1671,6 +1675,8 @@ int zfcp_fsf_close_wka_port(struct zfcp_fc_wka_port *wka_port)
+ req->data = wka_port;
+ req->qtcb->header.port_handle = wka_port->handle;
+
++ req_id = req->req_id;
++
+ zfcp_fsf_start_timer(req, ZFCP_FSF_REQUEST_TIMEOUT);
+ retval = zfcp_fsf_req_send(req);
+ if (retval)
+@@ -1678,7 +1684,7 @@ int zfcp_fsf_close_wka_port(struct zfcp_fc_wka_port *wka_port)
+ out:
+ spin_unlock_irq(&qdio->req_q_lock);
+ if (!retval)
+- zfcp_dbf_rec_run_wka("fscwp_1", wka_port, req->req_id);
++ zfcp_dbf_rec_run_wka("fscwp_1", wka_port, req_id);
+ return retval;
+ }
+
+--
+2.25.1
+
diff --git a/queue-4.9/series b/queue-4.9/series
index 7eb5275534c..3ad4fc0c494 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -56,3 +56,4 @@ net-rtnl_configure_link-fix-dev-flags-changes-arg-to-__dev_notify_flags.patch
 mm-vmalloc.c-don-t-dereference-possible-null-pointer-in-__vunmap.patch
 sc16is7xx-move-label-err_spi-to-correct-section.patch
 net-hns-fixes-the-missing-put_device-in-positive-leg-for-roce-reset.patch
+scsi-zfcp-fix-request-object-use-after-free-in-send-.patch
--
2.47.3
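Review bot: In the queued zfcp_fsf.c patch, the new `req_id = req->req_id;` assignments in zfcp_fsf_open_wka_port() and zfcp_fsf_close_wka_port() carry no comment saying why the value is copied. The lifetime rule from the commit message (req must not be dereferenced once zfcp_fsf_req_send() has succeeded, because the request may already be freed) is therefore invisible in the code and easy to undo in a later cleanup. I would put a comment above each assignment, for example `/* cache req_id now: req must not be touched after a successful zfcp_fsf_req_send() */`. The middle of both functions lies outside the hunks, so whether any other post-send use of req remains there cannot be confirmed from this page. The commit message also refers to the sibling fix "zfcp: fix request object use-after-free in send path causing seqno errors"; whether that one is already in the 4.9 tree or queue is not visible here and is worth confirming.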