From 86ca7e3c4bf3a6ea51c4bc1bb9f2198627535012 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 21 Jul 2023 16:46:10 +0200
Subject: [PATCH] 4.19-stable patches
added patches:
scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch
scsi-qla2xxx-fix-potential-null-pointer-dereference.patch
scsi-qla2xxx-pointer-may-be-dereferenced.patch
scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch
---
 ...id-rport-returned-by-fc_bsg_to_rport.patch | 37 ++++++++++
 ...x-potential-null-pointer-dereference.patch | 35 +++++++++
 ...-qla2xxx-pointer-may-be-dereferenced.patch | 36 ++++++++++
 ...ait-for-io-return-on-terminate-rport.patch | 71 +++++++++++++++++++
 queue-4.19/series | 4 ++
 5 files changed, 183 insertions(+)
 create mode 100644 queue-4.19/scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch
 create mode 100644 queue-4.19/scsi-qla2xxx-fix-potential-null-pointer-dereference.patch
 create mode 100644 queue-4.19/scsi-qla2xxx-pointer-may-be-dereferenced.patch
 create mode 100644 queue-4.19/scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch
diff --git a/queue-4.19/scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch b/queue-4.19/scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch
new file mode 100644
index 00000000000..5f6202254b3
--- /dev/null
+++ b/queue-4.19/scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch
@@ -0,0 +1,37 @@
+From af73f23a27206ffb3c477cac75b5fcf03410556e Mon Sep 17 00:00:00 2001
+From: Nilesh Javali
+Date: Wed, 7 Jun 2023 17:08:39 +0530
+Subject: scsi: qla2xxx: Check valid rport returned by fc_bsg_to_rport()
+
+From: Nilesh Javali
+
+commit af73f23a27206ffb3c477cac75b5fcf03410556e upstream.
+
+Klocwork reported warning of rport maybe NULL and will be dereferenced.
+rport returned by call to fc_bsg_to_rport() could be NULL and dereferenced.
+
+Check valid rport returned by fc_bsg_to_rport().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Nilesh Javali
+Link: https://lore.kernel.org/r/20230607113843.37185-5-njavali@marvell.com
+Reviewed-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_bsg.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/scsi/qla2xxx/qla_bsg.c
++++ b/drivers/scsi/qla2xxx/qla_bsg.c
+@@ -264,6 +264,10 @@ qla2x00_process_els(struct bsg_job *bsg_
+
+ if (bsg_request->msgcode == FC_BSG_RPT_ELS) {
+ rport = fc_bsg_to_rport(bsg_job);
++ if (!rport) {
++ rval = -ENOMEM;
++ goto done;
++ }
+ fcport = *(fc_port_t **) rport->dd_data;
+ host = rport_to_shost(rport);
+ vha = shost_priv(host);
diff --git a/queue-4.19/scsi-qla2xxx-fix-potential-null-pointer-dereference.patch b/queue-4.19/scsi-qla2xxx-fix-potential-null-pointer-dereference.patch
new file mode 100644
index 00000000000..fc83ca5c714
--- /dev/null
+++ b/queue-4.19/scsi-qla2xxx-fix-potential-null-pointer-dereference.patch
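Review bot: `-ENOMEM` on the new `!rport` branch in qla2x00_process_els() reports an allocation failure for what is a missing remote port, so anyone triaging the error is pointed at memory pressure instead of an invalid or stale BSG target; an errno such as `rval = -ENODEV;` or `rval = -EINVAL;` would describe the condition. The branch also jumps to `done` before `fcport`, `host` and `vha` are assigned, and that label lies outside the hunk, so it is worth confirming that the `done` path reads none of them. The function body starts and ends outside the hunk.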
@@ -0,0 +1,35 @@
+From 464ea494a40c6e3e0e8f91dd325408aaf21515ba Mon Sep 17 00:00:00 2001
+From: Bikash Hazarika
+Date: Wed, 7 Jun 2023 17:08:37 +0530
+Subject: scsi: qla2xxx: Fix potential NULL pointer dereference
+
+From: Bikash Hazarika
+
+commit 464ea494a40c6e3e0e8f91dd325408aaf21515ba upstream.
+
+Klocwork tool reported 'cur_dsd' may be dereferenced. Add fix to validate
+pointer before dereferencing the pointer.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Bikash Hazarika
+Signed-off-by: Nilesh Javali
+Link: https://lore.kernel.org/r/20230607113843.37185-3-njavali@marvell.com
+Reviewed-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_iocb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/qla_iocb.c
++++ b/drivers/scsi/qla2xxx/qla_iocb.c
+@@ -603,7 +603,8 @@ qla24xx_build_scsi_type_6_iocbs(srb_t *s
+ *((uint32_t *)(&cmd_pkt->entry_type)) = cpu_to_le32(COMMAND_TYPE_6);
+
+ /* No data transfer */
+- if (!scsi_bufflen(cmd) || cmd->sc_data_direction == DMA_NONE) {
++ if (!scsi_bufflen(cmd) || cmd->sc_data_direction == DMA_NONE ||
++ tot_dsds == 0) {
+ cmd_pkt->byte_count = cpu_to_le32(0);
+ return 0;
+ }
diff --git a/queue-4.19/scsi-qla2xxx-pointer-may-be-dereferenced.patch b/queue-4.19/scsi-qla2xxx-pointer-may-be-dereferenced.patch
new file mode 100644
index 00000000000..bac98cf9cbc
--- /dev/null
+++ b/queue-4.19/scsi-qla2xxx-pointer-may-be-dereferenced.patch
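Review bot: The added `tot_dsds == 0` test in qla24xx_build_scsi_type_6_iocbs() folds an inconsistent request into the legitimate "No data transfer" case: with a non-zero `scsi_bufflen(cmd)` and a direction other than `DMA_NONE`, a zero descriptor count presumably means no segments were mapped, yet the function sets `byte_count` to 0 and returns 0 as if the command were fine. That sidesteps the `cur_dsd` dereference the commit message mentions, but the command is then built without its data and nothing records why. If a non-zero return is treated as a build failure by the caller (not visible here), a separate `if (tot_dsds == 0) return -EINVAL;` hmm-free alternative is to keep the early return and at least document it with `/* tot_dsds == 0 leaves no descriptor to fill; bail out before cur_dsd is used */`. The function body continues outside the hunk.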
@@ -0,0 +1,36 @@
+From 00eca15319d9ce8c31cdf22f32a3467775423df4 Mon Sep 17 00:00:00 2001
+From: Shreyas Deodhar
+Date: Wed, 7 Jun 2023 17:08:41 +0530
+Subject: scsi: qla2xxx: Pointer may be dereferenced
+
+From: Shreyas Deodhar
+
+commit 00eca15319d9ce8c31cdf22f32a3467775423df4 upstream.
+
+Klocwork tool reported pointer 'rport' returned from call to function
+fc_bsg_to_rport() may be NULL and will be dereferenced.
+
+Add a fix to validate rport before dereferencing.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Shreyas Deodhar
+Signed-off-by: Nilesh Javali
+Link: https://lore.kernel.org/r/20230607113843.37185-7-njavali@marvell.com
+Reviewed-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_bsg.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/scsi/qla2xxx/qla_bsg.c
++++ b/drivers/scsi/qla2xxx/qla_bsg.c
+@@ -2488,6 +2488,8 @@ qla24xx_bsg_request(struct bsg_job *bsg_
+
+ if (bsg_request->msgcode == FC_BSG_RPT_ELS) {
+ rport = fc_bsg_to_rport(bsg_job);
++ if (!rport)
++ return ret;
+ host = rport_to_shost(rport);
+ vha = shost_priv(host);
+ } else {
diff --git a/queue-4.19/scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch b/queue-4.19/scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch
new file mode 100644
index 00000000000..045198311f1
--- /dev/null
+++ b/queue-4.19/scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch
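Review bot: The new `return ret;` in qla24xx_bsg_request() hands back whatever `ret` holds at that point, and its initialisation is outside the hunk, so nothing visible here guarantees that a NULL from `fc_bsg_to_rport()` is reported as a failure. An explicit error on this branch, or a short comment such as `/* ret still holds its initial error value here */` if that is the case, would make the intent checkable at the call site. The function body starts and ends outside the hunk.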
@@ -0,0 +1,71 @@
+From fc0cba0c7be8261a1625098bd1d695077ec621c9 Mon Sep 17 00:00:00 2001
+From: Quinn Tran
+Date: Fri, 28 Apr 2023 00:53:38 -0700
+Subject: scsi: qla2xxx: Wait for io return on terminate rport
+
+From: Quinn Tran
+
+commit fc0cba0c7be8261a1625098bd1d695077ec621c9 upstream.
+
+System crash due to use after free.
+Current code allows terminate_rport_io to exit before making
+sure all IOs has returned. For FCP-2 device, IO's can hang
+on in HW because driver has not tear down the session in FW at
+first sign of cable pull. When dev_loss_tmo timer pops,
+terminate_rport_io is called and upper layer is about to
+free various resources. Terminate_rport_io trigger qla to do
+the final cleanup, but the cleanup might not be fast enough where it
+leave qla still holding on to the same resource.
+
+Wait for IO's to return to upper layer before resources are freed.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Quinn Tran
+Signed-off-by: Nilesh Javali
+Link: https://lore.kernel.org/r/20230428075339.32551-7-njavali@marvell.com
+Reviewed-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_attr.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/drivers/scsi/qla2xxx/qla_attr.c
++++ b/drivers/scsi/qla2xxx/qla_attr.c
+@@ -1800,6 +1800,7 @@ static void
+ qla2x00_terminate_rport_io(struct fc_rport *rport)
+ {
+ fc_port_t *fcport = *(fc_port_t **)rport->dd_data;
++ scsi_qla_host_t *vha;
+
+ if (!fcport)
+ return;
+@@ -1809,9 +1810,12 @@ qla2x00_terminate_rport_io(struct fc_rpo
+
+ if (test_bit(ABORT_ISP_ACTIVE, &fcport->vha->dpc_flags))
+ return;
++ vha = fcport->vha;
+
+ if (unlikely(pci_channel_offline(fcport->vha->hw->pdev))) {
+ qla2x00_abort_all_cmds(fcport->vha, DID_NO_CONNECT << 16);
++ qla2x00_eh_wait_for_pending_commands(fcport->vha, fcport->d_id.b24,
++ 0, WAIT_TARGET);
+ return;
+ }
+ /*
+@@ -1826,6 +1830,15 @@ qla2x00_terminate_rport_io(struct fc_rpo
+ else
+ qla2x00_port_logout(fcport->vha, fcport);
+ }
++
++ /* check for any straggling io left behind */
++ if (qla2x00_eh_wait_for_pending_commands(fcport->vha, fcport->d_id.b24, 0, WAIT_TARGET)) {
++ ql_log(ql_log_warn, vha, 0x300b,
++ "IO not return. Resetting. \n");
++ set_bit(ISP_ABORT_NEEDED, &vha->dpc_flags);
++ qla2xxx_wake_dpc(vha);
++ qla2x00_wait_for_chip_reset(vha);
++ }
+ }
+
+ static int
diff --git a/queue-4.19/series b/queue-4.19/series
index e2f59cf33ef..bb891c30b45 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -181,3 +181,7 @@ tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-in-case-of-err
 tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-when-iterating-clk.patch
 ring-buffer-fix-deadloop-issue-on-reading-trace_pipe.patch
 xtensa-iss-fix-call-to-split_if_spec.patch
+scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch
+scsi-qla2xxx-fix-potential-null-pointer-dereference.patch
+scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch
+scsi-qla2xxx-pointer-may-be-dereferenced.patch
--
2.47.3
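Review bot: Two of the new waits in qla2x00_terminate_rport_io() discard their result, so the use-after-free window described in the commit message can stay open on those paths: the `pci_channel_offline()` branch ignores the return value of `qla2x00_eh_wait_for_pending_commands()` before `return`, and the final block ignores the result of `qla2x00_wait_for_chip_reset(vha)`. If either wait fails or times out, the function still returns and the upper layer proceeds to free resources the driver may still hold, with nothing in the log to show it. At minimum the failure should be reported, e.g. `if (qla2x00_wait_for_chip_reset(vha) != QLA_SUCCESS)` followed by a `ql_log(ql_log_warn, vha, ...)` line, and likewise for the wait in the offline branch. As a style point, the new lines mix `vha` and `fcport->vha` for the same pointer; using `vha` throughout once it is assigned would read more clearly.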