From d4c21c0fcfd7db37f7654088a2666f51d0cd2ee9 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Fri, 21 Jul 2023 17:06:16 +0200 Subject: [PATCH] 6.4-stable patches added patches: fprobe-ensure-running-fprobe_exit_handler-finished-before-calling-rethook_free.patch fprobe-release-rethook-after-the-ftrace_ops-is-unregistered.patch mptcp-do-not-rely-on-implicit-state-check-in-mptcp_listen.patch mptcp-ensure-subflow-is-unhashed-before-cleaning-the-backlog.patch revert-tracing-add-fault-name-injection-to-kernel-probes.patch scsi-qla2xxx-array-index-may-go-out-of-bound.patch scsi-qla2xxx-avoid-fcport-pointer-dereference.patch scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch scsi-qla2xxx-correct-the-index-of-array.patch scsi-qla2xxx-fix-buffer-overrun.patch scsi-qla2xxx-fix-hang-in-task-management.patch scsi-qla2xxx-fix-mem-access-after-free.patch scsi-qla2xxx-fix-potential-null-pointer-dereference.patch scsi-qla2xxx-fix-task-management-cmd-fail-due-to-unavailable-resource.patch scsi-qla2xxx-fix-task-management-cmd-failure.patch scsi-qla2xxx-multi-que-support-for-tmf.patch scsi-qla2xxx-pointer-may-be-dereferenced.patch scsi-qla2xxx-remove-unused-nvme_ls_waitq-wait-queue.patch scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch selftests-mptcp-connect-fail-if-nft-supposed-to-work.patch selftests-mptcp-depend-on-syn_cookies.patch selftests-mptcp-pm_nl_ctl-fix-32-bit-support.patch selftests-mptcp-sockopt-return-error-if-wrong-mark.patch selftests-mptcp-sockopt-use-iptables-legacy-if-available.patch selftests-mptcp-userspace_pm-report-errors-with-remove-tests.patch selftests-mptcp-userspace_pm-use-correct-server-port.patch smb-client-fix-wstringop-overflow-issues.patch tracing-fix-null-pointer-dereference-in-tracing_err_log_open.patch tracing-probes-fix-not-to-count-error-code-to-total-length.patch tracing-probes-fix-to-avoid-double-count-of-the-string-length-on-the-array.patch tracing-probes-fix-to-record-0-length-data_loc-in-fetch_store_string-if-fails.patch 
tracing-probes-fix-to-update-dynamic-data-counter-if-fetcharg-uses-it.patch tracing-user_events-fix-struct-arg-size-match-check.patch --- ...finished-before-calling-rethook_free.patch | 118 +++++++ ...after-the-ftrace_ops-is-unregistered.patch | 75 +++++ ...implicit-state-check-in-mptcp_listen.patch | 55 +++ ...unhashed-before-cleaning-the-backlog.patch | 42 +++ ...ault-name-injection-to-kernel-probes.patch | 125 +++++++ ...2xxx-array-index-may-go-out-of-bound.patch | 36 ++ ...xxx-avoid-fcport-pointer-dereference.patch | 38 +++ ...id-rport-returned-by-fc_bsg_to_rport.patch | 37 +++ ...i-qla2xxx-correct-the-index-of-array.patch | 51 +++ .../scsi-qla2xxx-fix-buffer-overrun.patch | 38 +++ ...-qla2xxx-fix-hang-in-task-management.patch | 188 +++++++++++ ...si-qla2xxx-fix-mem-access-after-free.patch | 301 +++++++++++++++++ ...x-potential-null-pointer-dereference.patch | 35 ++ ...cmd-fail-due-to-unavailable-resource.patch | 147 ++++++++ ...2xxx-fix-task-management-cmd-failure.patch | 313 ++++++++++++++++++ ...si-qla2xxx-multi-que-support-for-tmf.patch | 188 +++++++++++ ...-qla2xxx-pointer-may-be-dereferenced.patch | 36 ++ ...move-unused-nvme_ls_waitq-wait-queue.patch | 91 +++++ ...ait-for-io-return-on-terminate-rport.patch | 71 ++++ ...connect-fail-if-nft-supposed-to-work.patch | 54 +++ ...elftests-mptcp-depend-on-syn_cookies.patch | 40 +++ ...s-mptcp-pm_nl_ctl-fix-32-bit-support.patch | 85 +++++ ...p-sockopt-return-error-if-wrong-mark.patch | 55 +++ ...opt-use-iptables-legacy-if-available.patch | 83 +++++ ...e_pm-report-errors-with-remove-tests.patch | 44 +++ ...userspace_pm-use-correct-server-port.patch | 36 ++ queue-6.4/series | 33 ++ ...client-fix-wstringop-overflow-issues.patch | 83 +++++ ...-dereference-in-tracing_err_log_open.patch | 61 ++++ ...-to-count-error-code-to-total-length.patch | 38 +++ ...nt-of-the-string-length-on-the-array.patch | 43 +++ ...a_loc-in-fetch_store_string-if-fails.patch | 99 ++++++ ...mic-data-counter-if-fetcharg-uses-it.patch | 48 +++ 
...ents-fix-struct-arg-size-match-check.patch | 49 +++ 34 files changed, 2836 insertions(+) create mode 100644 queue-6.4/fprobe-ensure-running-fprobe_exit_handler-finished-before-calling-rethook_free.patch create mode 100644 queue-6.4/fprobe-release-rethook-after-the-ftrace_ops-is-unregistered.patch create mode 100644 queue-6.4/mptcp-do-not-rely-on-implicit-state-check-in-mptcp_listen.patch create mode 100644 queue-6.4/mptcp-ensure-subflow-is-unhashed-before-cleaning-the-backlog.patch create mode 100644 queue-6.4/revert-tracing-add-fault-name-injection-to-kernel-probes.patch create mode 100644 queue-6.4/scsi-qla2xxx-array-index-may-go-out-of-bound.patch create mode 100644 queue-6.4/scsi-qla2xxx-avoid-fcport-pointer-dereference.patch create mode 100644 queue-6.4/scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch create mode 100644 queue-6.4/scsi-qla2xxx-correct-the-index-of-array.patch create mode 100644 queue-6.4/scsi-qla2xxx-fix-buffer-overrun.patch create mode 100644 queue-6.4/scsi-qla2xxx-fix-hang-in-task-management.patch create mode 100644 queue-6.4/scsi-qla2xxx-fix-mem-access-after-free.patch create mode 100644 queue-6.4/scsi-qla2xxx-fix-potential-null-pointer-dereference.patch create mode 100644 queue-6.4/scsi-qla2xxx-fix-task-management-cmd-fail-due-to-unavailable-resource.patch create mode 100644 queue-6.4/scsi-qla2xxx-fix-task-management-cmd-failure.patch create mode 100644 queue-6.4/scsi-qla2xxx-multi-que-support-for-tmf.patch create mode 100644 queue-6.4/scsi-qla2xxx-pointer-may-be-dereferenced.patch create mode 100644 queue-6.4/scsi-qla2xxx-remove-unused-nvme_ls_waitq-wait-queue.patch create mode 100644 queue-6.4/scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch create mode 100644 queue-6.4/selftests-mptcp-connect-fail-if-nft-supposed-to-work.patch create mode 100644 queue-6.4/selftests-mptcp-depend-on-syn_cookies.patch create mode 100644 queue-6.4/selftests-mptcp-pm_nl_ctl-fix-32-bit-support.patch create mode 100644 
queue-6.4/selftests-mptcp-sockopt-return-error-if-wrong-mark.patch create mode 100644 queue-6.4/selftests-mptcp-sockopt-use-iptables-legacy-if-available.patch create mode 100644 queue-6.4/selftests-mptcp-userspace_pm-report-errors-with-remove-tests.patch create mode 100644 queue-6.4/selftests-mptcp-userspace_pm-use-correct-server-port.patch create mode 100644 queue-6.4/smb-client-fix-wstringop-overflow-issues.patch create mode 100644 queue-6.4/tracing-fix-null-pointer-dereference-in-tracing_err_log_open.patch create mode 100644 queue-6.4/tracing-probes-fix-not-to-count-error-code-to-total-length.patch create mode 100644 queue-6.4/tracing-probes-fix-to-avoid-double-count-of-the-string-length-on-the-array.patch create mode 100644 queue-6.4/tracing-probes-fix-to-record-0-length-data_loc-in-fetch_store_string-if-fails.patch create mode 100644 queue-6.4/tracing-probes-fix-to-update-dynamic-data-counter-if-fetcharg-uses-it.patch create mode 100644 queue-6.4/tracing-user_events-fix-struct-arg-size-match-check.patch diff --git a/queue-6.4/fprobe-ensure-running-fprobe_exit_handler-finished-before-calling-rethook_free.patch b/queue-6.4/fprobe-ensure-running-fprobe_exit_handler-finished-before-calling-rethook_free.patch new file mode 100644 index 00000000000..bb45f072c30 --- /dev/null +++ b/queue-6.4/fprobe-ensure-running-fprobe_exit_handler-finished-before-calling-rethook_free.patch 
@@ -0,0 +1,118 @@ +From 195b9cb5b288fec1c871ef89f78cc9a7461aad3a Mon Sep 17 00:00:00 2001 +From: "Masami Hiramatsu (Google)" +Date: Fri, 7 Jul 2023 23:03:19 +0900 +Subject: fprobe: Ensure running fprobe_exit_handler() finished before calling rethook_free() + +From: Masami Hiramatsu (Google) + +commit 195b9cb5b288fec1c871ef89f78cc9a7461aad3a upstream. + +Ensure running fprobe_exit_handler() has finished before +calling rethook_free() in the unregister_fprobe() so that caller can free +the fprobe right after unregister_fprobe(). + +unregister_fprobe() ensured that all running fprobe_entry/exit_handler() +have finished by calling unregister_ftrace_function() which synchronizes +RCU. But commit 5f81018753df ("fprobe: Release rethook after the ftrace_ops +is unregistered") changed to call rethook_free() after +unregister_ftrace_function(). So call rethook_stop() to make rethook +disabled before unregister_ftrace_function() and ensure it again. + +Here is the possible code flow that can call the exit handler after +unregister_fprobe(). + +------ + CPU1 CPU2 + call unregister_fprobe(fp) + ... + __fprobe_handler() + rethook_hook() on probed function + unregister_ftrace_function() + return from probed function + rethook hooks + find rh->handler == fprobe_exit_handler + call fprobe_exit_handler() + rethook_free(): + set rh->handler = NULL; + return from unreigster_fprobe; + call fp->exit_handler() <- (*) +------ + +(*) At this point, the exit handler is called after returning from +unregister_fprobe(). + +This fixes it as following; +------ + CPU1 CPU2 + call unregister_fprobe() + ... 
+ rethook_stop(): + set rh->handler = NULL; + __fprobe_handler() + rethook_hook() on probed function + unregister_ftrace_function() + return from probed function + rethook hooks + find rh->handler == NULL + return from rethook + rethook_free() + return from unreigster_fprobe; +------ + +Link: https://lore.kernel.org/all/168873859949.156157.13039240432299335849.stgit@devnote2/ + +Fixes: 5f81018753df ("fprobe: Release rethook after the ftrace_ops is unregistered") +Cc: stable@vger.kernel.org +Signed-off-by: Masami Hiramatsu (Google) +Reviewed-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/rethook.h | 1 + + kernel/trace/fprobe.c | 3 +++ + kernel/trace/rethook.c | 13 +++++++++++++ + 3 files changed, 17 insertions(+) + +--- a/include/linux/rethook.h ++++ b/include/linux/rethook.h +@@ -59,6 +59,7 @@ struct rethook_node { + }; + + struct rethook *rethook_alloc(void *data, rethook_handler_t handler); ++void rethook_stop(struct rethook *rh); + void rethook_free(struct rethook *rh); + void rethook_add_node(struct rethook *rh, struct rethook_node *node); + struct rethook_node *rethook_try_get(struct rethook *rh); +--- a/kernel/trace/fprobe.c ++++ b/kernel/trace/fprobe.c +@@ -366,6 +366,9 @@ int unregister_fprobe(struct fprobe *fp) + fp->ops.saved_func != fprobe_kprobe_handler)) + return -EINVAL; + ++ if (fp->rethook) ++ rethook_stop(fp->rethook); ++ + ret = unregister_ftrace_function(&fp->ops); + if (ret < 0) + return ret; +--- a/kernel/trace/rethook.c ++++ b/kernel/trace/rethook.c +@@ -54,6 +54,19 @@ static void rethook_free_rcu(struct rcu_ + } + + /** ++ * rethook_stop() - Stop using a rethook. ++ * @rh: the struct rethook to stop. ++ * ++ * Stop using a rethook to prepare for freeing it. If you want to wait for ++ * all running rethook handler before calling rethook_free(), you need to ++ * call this first and wait RCU, and call rethook_free(). 
++ */ ++void rethook_stop(struct rethook *rh) ++{ ++ WRITE_ONCE(rh->handler, NULL); ++} ++ ++/** + * rethook_free() - Free struct rethook. + * @rh: the struct rethook to be freed. + * diff --git a/queue-6.4/fprobe-release-rethook-after-the-ftrace_ops-is-unregistered.patch b/queue-6.4/fprobe-release-rethook-after-the-ftrace_ops-is-unregistered.patch new file mode 100644 index 00000000000..168c7911efa --- /dev/null +++ b/queue-6.4/fprobe-release-rethook-after-the-ftrace_ops-is-unregistered.patch 
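Review bot: In unregister_fprobe(), rethook_stop() clears rh->handler before unregister_ftrace_function(), yet the `if (ret < 0) return ret;` that follows leaves the fprobe registered with its exit handler cleared and nothing visible here restores it; either re-arm the handler on that path or document that a failed unregister leaves the fprobe unusable. The same early return sits in the fprobe-release-rethook patch's hunk of the same function, where rethook_free() is likewise skipped on failure. The rethook_stop() kerneldoc would read better as `Stop using a rethook to prepare for freeing it. Callers that need every running handler to finish must call this, wait for an RCU grace period, and only then call rethook_free().` The WRITE_ONCE() presumably pairs with a READ_ONCE() of rh->handler on the trampoline side, which is outside this hunk; naming that reader in the comment would make the protocol checkable. unregister_fprobe() starts and ends outside the hunk.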
@@ -0,0 +1,75 @@ +From 5f81018753dfd4989e33ece1f0cb6b8aae498b82 Mon Sep 17 00:00:00 2001 +From: Jiri Olsa +Date: Thu, 15 Jun 2023 13:52:36 +0200 +Subject: fprobe: Release rethook after the ftrace_ops is unregistered + +From: Jiri Olsa + +commit 5f81018753dfd4989e33ece1f0cb6b8aae498b82 upstream. + +While running bpf selftests it's possible to get following fault: + + general protection fault, probably for non-canonical address \ + 0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC NOPTI + ... + Call Trace: + + fprobe_handler+0xc1/0x270 + ? __pfx_bpf_testmod_init+0x10/0x10 + ? __pfx_bpf_testmod_init+0x10/0x10 + ? bpf_fentry_test1+0x5/0x10 + ? bpf_fentry_test1+0x5/0x10 + ? bpf_testmod_init+0x22/0x80 + ? do_one_initcall+0x63/0x2e0 + ? rcu_is_watching+0xd/0x40 + ? kmalloc_trace+0xaf/0xc0 + ? do_init_module+0x60/0x250 + ? __do_sys_finit_module+0xac/0x120 + ? do_syscall_64+0x37/0x90 + ? entry_SYSCALL_64_after_hwframe+0x72/0xdc + + +In unregister_fprobe function we can't release fp->rethook while it's +possible there are some of its users still running on another cpu. + +Moving rethook_free call after fp->ops is unregistered with +unregister_ftrace_function call. + +Link: https://lore.kernel.org/all/20230615115236.3476617-1-jolsa@kernel.org/ + +Fixes: 5b0ab78998e3 ("fprobe: Add exit_handler support") +Cc: stable@vger.kernel.org +Reviewed-by: Steven Rostedt (Google) +Signed-off-by: Jiri Olsa +Acked-by: Masami Hiramatsu (Google) +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/fprobe.c | 12 +++--------- + 1 file changed, 3 insertions(+), 9 deletions(-) + +--- a/kernel/trace/fprobe.c ++++ b/kernel/trace/fprobe.c +@@ -366,19 +366,13 @@ int unregister_fprobe(struct fprobe *fp) + fp->ops.saved_func != fprobe_kprobe_handler)) + return -EINVAL; + +- /* +- * rethook_free() starts disabling the rethook, but the rethook handlers +- * may be running on other processors at this point. 
To make sure that all +- * current running handlers are finished, call unregister_ftrace_function() +- * after this. +- */ +- if (fp->rethook) +- rethook_free(fp->rethook); +- + ret = unregister_ftrace_function(&fp->ops); + if (ret < 0) + return ret; + ++ if (fp->rethook) ++ rethook_free(fp->rethook); ++ + ftrace_free_filter(&fp->ops); + + return ret; diff --git a/queue-6.4/mptcp-do-not-rely-on-implicit-state-check-in-mptcp_listen.patch b/queue-6.4/mptcp-do-not-rely-on-implicit-state-check-in-mptcp_listen.patch new file mode 100644 index 00000000000..c6fea0089db --- /dev/null +++ b/queue-6.4/mptcp-do-not-rely-on-implicit-state-check-in-mptcp_listen.patch 
@@ -0,0 +1,55 @@ +From 0226436acf2495cde4b93e7400e5a87305c26054 Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Tue, 4 Jul 2023 22:44:34 +0200 +Subject: mptcp: do not rely on implicit state check in mptcp_listen() + +From: Paolo Abeni + +commit 0226436acf2495cde4b93e7400e5a87305c26054 upstream. + +Since the blamed commit, closing the first subflow resets the first +subflow socket state to SS_UNCONNECTED. + +The current mptcp listen implementation relies only on such +state to prevent touching not-fully-disconnected sockets. + +Incoming mptcp fastclose (or paired endpoint removal) unconditionally +closes the first subflow. + +All the above allows an incoming fastclose followed by a listen() call +to successfully race with a blocking recvmsg(), potentially causing the +latter to hit a divide by zero bug in cleanup_rbuf/__tcp_select_window(). + +Address the issue explicitly checking the msk socket state in +mptcp_listen(). An alternative solution would be moving the first +subflow socket state update into mptcp_disconnect(), but in the long +term the first subflow socket should be removed: better avoid relaying +on it for internal consistency check. + +Fixes: b29fcfb54cd7 ("mptcp: full disconnect implementation") +Cc: stable@vger.kernel.org +Reported-by: Christoph Paasch +Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/414 +Signed-off-by: Paolo Abeni +Reviewed-by: Matthieu Baerts +Signed-off-by: Matthieu Baerts +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/protocol.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -3697,6 +3697,11 @@ static int mptcp_listen(struct socket *s + pr_debug("msk=%p", msk); + + lock_sock(sk); ++ ++ err = -EINVAL; ++ if (sock->state != SS_UNCONNECTED || sock->type != SOCK_STREAM) ++ goto unlock; ++ + ssock = __mptcp_nmpc_socket(msk); + if (IS_ERR(ssock)) { + err = PTR_ERR(ssock); 
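Review bot: The new state check in mptcp_listen() carries no comment explaining why a check at the msk level is needed when the implementation already tested the first subflow's state, so the reasoning in the commit description is lost to the code; add above it `/* The first subflow is reset to SS_UNCONNECTED by disconnect or an incoming fastclose, so its state cannot be trusted to reject a not-fully-disconnected msk. */`. The `unlock` label, the declaration of err and the rest of mptcp_listen() are outside the hunk.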
diff --git a/queue-6.4/mptcp-ensure-subflow-is-unhashed-before-cleaning-the-backlog.patch b/queue-6.4/mptcp-ensure-subflow-is-unhashed-before-cleaning-the-backlog.patch new file mode 100644 index 00000000000..1f565e0e74e --- /dev/null +++ b/queue-6.4/mptcp-ensure-subflow-is-unhashed-before-cleaning-the-backlog.patch @@ -0,0 +1,42 @@ +From 3fffa15bfef48b0ad6424779c03e68ae8ace5acb Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Tue, 4 Jul 2023 22:44:33 +0200 +Subject: mptcp: ensure subflow is unhashed before cleaning the backlog + +From: Paolo Abeni + +commit 3fffa15bfef48b0ad6424779c03e68ae8ace5acb upstream. + +While tacking care of the mptcp-level listener I unintentionally +moved the subflow level unhash after the subflow listener backlog +cleanup. + +That could cause some nasty race and makes the code harder to read. + +Address the issue restoring the proper order of operations. + +Fixes: 57fc0f1ceaa4 ("mptcp: ensure listener is unhashed before updating the sk status") +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Abeni +Reviewed-by: Matthieu Baerts +Signed-off-by: Matthieu Baerts +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/protocol.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -2908,10 +2908,10 @@ static void mptcp_check_listen_stop(stru + return; + + lock_sock_nested(ssk, SINGLE_DEPTH_NESTING); ++ tcp_set_state(ssk, TCP_CLOSE); + mptcp_subflow_queue_clean(sk, ssk); + inet_csk_listen_stop(ssk); + mptcp_event_pm_listener(ssk, MPTCP_EVENT_LISTENER_CLOSED); +- tcp_set_state(ssk, TCP_CLOSE); + release_sock(ssk); + } + diff --git a/queue-6.4/revert-tracing-add-fault-name-injection-to-kernel-probes.patch b/queue-6.4/revert-tracing-add-fault-name-injection-to-kernel-probes.patch new file mode 100644 index 00000000000..01840990a7c --- /dev/null +++ b/queue-6.4/revert-tracing-add-fault-name-injection-to-kernel-probes.patch 
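Review bot: The moved `tcp_set_state(ssk, TCP_CLOSE);` in mptcp_check_listen_stop() is the entire fix, but nothing in the code says the ordering matters, so a later tidy-up could reintroduce the race the description mentions; add a why-comment above it such as `/* Unhash the listener first so nothing new can land in the backlog we are about to clean. */`. The opening of mptcp_check_listen_stop() is outside the hunk.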
@@ -0,0 +1,125 @@ +From 4ed8f337dee32df71435689c19d22e4ee846e15a Mon Sep 17 00:00:00 2001 +From: "Masami Hiramatsu (Google)" +Date: Tue, 11 Jul 2023 23:15:57 +0900 +Subject: Revert "tracing: Add "(fault)" name injection to kernel probes" + +From: Masami Hiramatsu (Google) + +commit 4ed8f337dee32df71435689c19d22e4ee846e15a upstream. + +This reverts commit 2e9906f84fc7c99388bb7123ade167250d50f1c0. + +It was turned out that commit 2e9906f84fc7 ("tracing: Add "(fault)" +name injection to kernel probes") did not work correctly and probe +events still show just '(fault)' (instead of '"(fault)"'). Also, +current '(fault)' is more explicit that it faulted. + +This also moves FAULT_STRING macro to trace.h so that synthetic +event can keep using it, and uses it in trace_probe.c too. + +Link: https://lore.kernel.org/all/168908495772.123124.1250788051922100079.stgit@devnote2/ +Link: https://lore.kernel.org/all/20230706230642.3793a593@rorschach.local.home/ + +Cc: stable@vger.kernel.org +Cc: Andrew Morton +Cc: Tom Zanussi +Signed-off-by: Masami Hiramatsu (Google) +Reviewed-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace.h | 2 ++ + kernel/trace/trace_probe.c | 2 +- + kernel/trace/trace_probe_kernel.h | 31 ++++++------------------------- + 3 files changed, 9 insertions(+), 26 deletions(-) + +--- a/kernel/trace/trace.h ++++ b/kernel/trace/trace.h +@@ -113,6 +113,8 @@ enum trace_type { + #define MEM_FAIL(condition, fmt, ...) 
\ + DO_ONCE_LITE_IF(condition, pr_err, "ERROR: " fmt, ##__VA_ARGS__) + ++#define FAULT_STRING "(fault)" ++ + #define HIST_STACKTRACE_DEPTH 16 + #define HIST_STACKTRACE_SIZE (HIST_STACKTRACE_DEPTH * sizeof(unsigned long)) + #define HIST_STACKTRACE_SKIP 5 +--- a/kernel/trace/trace_probe.c ++++ b/kernel/trace/trace_probe.c +@@ -65,7 +65,7 @@ int PRINT_TYPE_FUNC_NAME(string)(struct + int len = *(u32 *)data >> 16; + + if (!len) +- trace_seq_puts(s, "(fault)"); ++ trace_seq_puts(s, FAULT_STRING); + else + trace_seq_printf(s, "\"%s\"", + (const char *)get_loc_data(data, ent)); +--- a/kernel/trace/trace_probe_kernel.h ++++ b/kernel/trace/trace_probe_kernel.h +@@ -2,8 +2,6 @@ + #ifndef __TRACE_PROBE_KERNEL_H_ + #define __TRACE_PROBE_KERNEL_H_ + +-#define FAULT_STRING "(fault)" +- + /* + * This depends on trace_probe.h, but can not include it due to + * the way trace_probe_tmpl.h is used by trace_kprobe.c and trace_eprobe.c. +@@ -15,16 +13,8 @@ static nokprobe_inline int + fetch_store_strlen_user(unsigned long addr) + { + const void __user *uaddr = (__force const void __user *)addr; +- int ret; + +- ret = strnlen_user_nofault(uaddr, MAX_STRING_SIZE); +- /* +- * strnlen_user_nofault returns zero on fault, insert the +- * FAULT_STRING when that occurs. +- */ +- if (ret <= 0) +- return strlen(FAULT_STRING) + 1; +- return ret; ++ return strnlen_user_nofault(uaddr, MAX_STRING_SIZE); + } + + /* Return the length of string -- including null terminal byte */ +@@ -44,18 +34,7 @@ fetch_store_strlen(unsigned long addr) + len++; + } while (c && ret == 0 && len < MAX_STRING_SIZE); + +- /* For faults, return enough to hold the FAULT_STRING */ +- return (ret < 0) ? strlen(FAULT_STRING) + 1 : len; +-} +- +-static nokprobe_inline void set_data_loc(int ret, void *dest, void *__dest, void *base, int len) +-{ +- if (ret >= 0) { +- *(u32 *)dest = make_data_loc(ret, __dest - base); +- } else { +- strscpy(__dest, FAULT_STRING, len); +- ret = strlen(__dest) + 1; +- } ++ return (ret < 0) ? 
ret : len; + } + + /* +@@ -76,7 +55,8 @@ fetch_store_string_user(unsigned long ad + __dest = get_loc_data(dest, base); + + ret = strncpy_from_user_nofault(__dest, uaddr, maxlen); +- set_data_loc(ret, dest, __dest, base, maxlen); ++ if (ret >= 0) ++ *(u32 *)dest = make_data_loc(ret, __dest - base); + + return ret; + } +@@ -107,7 +87,8 @@ fetch_store_string(unsigned long addr, v + * probing. + */ + ret = strncpy_from_kernel_nofault(__dest, (void *)addr, maxlen); +- set_data_loc(ret, dest, __dest, base, maxlen); ++ if (ret >= 0) ++ *(u32 *)dest = make_data_loc(ret, __dest - base); + + return ret; + } diff --git a/queue-6.4/scsi-qla2xxx-array-index-may-go-out-of-bound.patch b/queue-6.4/scsi-qla2xxx-array-index-may-go-out-of-bound.patch new file mode 100644 index 00000000000..30d09581dd3 --- /dev/null +++ b/queue-6.4/scsi-qla2xxx-array-index-may-go-out-of-bound.patch 
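Review bot: With set_data_loc() removed, fetch_store_string() and fetch_store_string_user() now leave `*(u32 *)dest` untouched when the copy returns an error, so a faulting string argument records whatever the data_loc slot held before; the tracing-probes-fix-to-record-0-length-data_loc-in-fetch_store_string-if-fails patch listed in this series appears to be the follow-up for exactly that, so the two should land together. fetch_store_strlen_user() now also returns the raw strnlen_user_nofault() result, which according to the comment this revert deletes is 0 on fault, yet the function has no comment saying a 0 return means the read faulted; a one-line note above `return strnlen_user_nofault(uaddr, MAX_STRING_SIZE);` would prevent callers from treating it as an empty string. Both string fetchers begin outside the hunk.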
@@ -0,0 +1,36 @@ +From d721b591b95cf3f290f8a7cbe90aa2ee0368388d Mon Sep 17 00:00:00 2001 +From: Nilesh Javali +Date: Wed, 7 Jun 2023 17:08:36 +0530 +Subject: scsi: qla2xxx: Array index may go out of bound + +From: Nilesh Javali + +commit d721b591b95cf3f290f8a7cbe90aa2ee0368388d upstream. + +Klocwork reports array 'vha->host_str' of size 16 may use index value(s) +16..19. Use snprintf() instead of sprintf(). + +Cc: stable@vger.kernel.org +Co-developed-by: Bikash Hazarika +Signed-off-by: Bikash Hazarika +Signed-off-by: Nilesh Javali +Link: https://lore.kernel.org/r/20230607113843.37185-2-njavali@marvell.com +Reviewed-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_os.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -5088,7 +5088,8 @@ struct scsi_qla_host *qla2x00_create_hos + } + INIT_DELAYED_WORK(&vha->scan.scan_work, qla_scan_work_fn); + +- sprintf(vha->host_str, "%s_%lu", QLA2XXX_DRIVER_NAME, vha->host_no); ++ snprintf(vha->host_str, sizeof(vha->host_str), "%s_%lu", ++ QLA2XXX_DRIVER_NAME, vha->host_no); + ql_dbg(ql_dbg_init, vha, 0x0041, + "Allocated the host=%p hw=%p vha=%p dev_name=%s", + vha->host, vha->hw, vha, diff --git a/queue-6.4/scsi-qla2xxx-avoid-fcport-pointer-dereference.patch b/queue-6.4/scsi-qla2xxx-avoid-fcport-pointer-dereference.patch new file mode 100644 index 00000000000..c33aecd0f59 --- /dev/null +++ b/queue-6.4/scsi-qla2xxx-avoid-fcport-pointer-dereference.patch 
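Review bot: snprintf() removes the overrun but its return value is ignored, so a host_no that does not fit is silently truncated and two hosts can end up with the same host_str; if host_str is used as an identifier anywhere (not visible from this hunk), the field should be sized for the largest host_no rather than relying on truncation. At minimum a comment such as `/* host_str is fixed-size; long host numbers are truncated */` makes the behaviour visible at the call site. qla2x00_create_host() continues outside the hunk.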
@@ -0,0 +1,38 @@ +From 6b504d06976fe4a61cc05dedc68b84fadb397f77 Mon Sep 17 00:00:00 2001 +From: Nilesh Javali +Date: Wed, 7 Jun 2023 17:08:38 +0530 +Subject: scsi: qla2xxx: Avoid fcport pointer dereference + +From: Nilesh Javali + +commit 6b504d06976fe4a61cc05dedc68b84fadb397f77 upstream. + +Klocwork reported warning of NULL pointer may be dereferenced. The routine +exits when sa_ctl is NULL and fcport is allocated after the exit call thus +causing NULL fcport pointer to dereference at the time of exit. + +To avoid fcport pointer dereference, exit the routine when sa_ctl is NULL. + +Cc: stable@vger.kernel.org +Signed-off-by: Nilesh Javali +Link: https://lore.kernel.org/r/20230607113843.37185-4-njavali@marvell.com +Reviewed-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_edif.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_edif.c ++++ b/drivers/scsi/qla2xxx/qla_edif.c +@@ -2361,8 +2361,8 @@ qla24xx_issue_sa_replace_iocb(scsi_qla_h + if (!sa_ctl) { + ql_dbg(ql_dbg_edif, vha, 0x70e6, + "sa_ctl allocation failed\n"); +- rval = -ENOMEM; +- goto done; ++ rval = -ENOMEM; ++ return rval; + } + + fcport = sa_ctl->fcport; diff --git a/queue-6.4/scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch b/queue-6.4/scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch new file mode 100644 index 00000000000..b4c6190c93e --- /dev/null +++ b/queue-6.4/scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch 
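Review bot: `rval = -ENOMEM; return rval;` can simply be `return -ENOMEM;`; the two-statement form reads like a leftover of the goto it replaces. Bypassing the `done` label deliberately skips whatever that label does with fcport, since fcport is not yet assigned at this point, but a one-line comment above the return saying so would keep someone from restoring the goto. The rest of qla24xx_issue_sa_replace_iocb(), including the done label, is outside the hunk.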
@@ -0,0 +1,37 @@ +From af73f23a27206ffb3c477cac75b5fcf03410556e Mon Sep 17 00:00:00 2001 +From: Nilesh Javali +Date: Wed, 7 Jun 2023 17:08:39 +0530 +Subject: scsi: qla2xxx: Check valid rport returned by fc_bsg_to_rport() + +From: Nilesh Javali + +commit af73f23a27206ffb3c477cac75b5fcf03410556e upstream. + +Klocwork reported warning of rport maybe NULL and will be dereferenced. +rport returned by call to fc_bsg_to_rport() could be NULL and dereferenced. + +Check valid rport returned by fc_bsg_to_rport(). + +Cc: stable@vger.kernel.org +Signed-off-by: Nilesh Javali +Link: https://lore.kernel.org/r/20230607113843.37185-5-njavali@marvell.com +Reviewed-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_bsg.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/scsi/qla2xxx/qla_bsg.c ++++ b/drivers/scsi/qla2xxx/qla_bsg.c +@@ -283,6 +283,10 @@ qla2x00_process_els(struct bsg_job *bsg_ + + if (bsg_request->msgcode == FC_BSG_RPT_ELS) { + rport = fc_bsg_to_rport(bsg_job); ++ if (!rport) { ++ rval = -ENOMEM; ++ goto done; ++ } + fcport = *(fc_port_t **) rport->dd_data; + host = rport_to_shost(rport); + vha = shost_priv(host); diff --git a/queue-6.4/scsi-qla2xxx-correct-the-index-of-array.patch b/queue-6.4/scsi-qla2xxx-correct-the-index-of-array.patch new file mode 100644 index 00000000000..f1f18d62683 --- /dev/null +++ b/queue-6.4/scsi-qla2xxx-correct-the-index-of-array.patch 
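Review bot: -ENOMEM is a misleading status for a NULL rport here: as far as I recall, fc_bsg_to_rport() returns NULL when the bsg job's device is not an rport, not on an allocation failure, so `rval = -EINVAL;` (or -ENODEV) describes the condition and stops callers from treating it as a transient memory shortage. A ql_dbg() line naming the rejected job would also help diagnose the case, since the silent goto leaves no trace. The `done` label and the rest of qla2x00_process_els() are outside the hunk.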
@@ -0,0 +1,51 @@ +From b1b9d3825df4c757d653d0b1df66f084835db9c3 Mon Sep 17 00:00:00 2001 +From: Bikash Hazarika +Date: Wed, 7 Jun 2023 17:08:42 +0530 +Subject: scsi: qla2xxx: Correct the index of array + +From: Bikash Hazarika + +commit b1b9d3825df4c757d653d0b1df66f084835db9c3 upstream. + +Klocwork reported array 'port_dstate_str' of size 10 may use index value(s) +10..15. + +Add a fix to correct the index of array. + +Cc: stable@vger.kernel.org +Signed-off-by: Bikash Hazarika +Signed-off-by: Nilesh Javali +Link: https://lore.kernel.org/r/20230607113843.37185-8-njavali@marvell.com +Reviewed-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_inline.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/qla2xxx/qla_inline.h ++++ b/drivers/scsi/qla2xxx/qla_inline.h +@@ -109,11 +109,13 @@ qla2x00_set_fcport_disc_state(fc_port_t + { + int old_val; + uint8_t shiftbits, mask; ++ uint8_t port_dstate_str_sz; + + /* This will have to change when the max no. of states > 16 */ + shiftbits = 4; + mask = (1 << shiftbits) - 1; + ++ port_dstate_str_sz = sizeof(port_dstate_str) / sizeof(char *); + fcport->disc_state = state; + while (1) { + old_val = atomic_read(&fcport->shadow_disc_state); +@@ -121,7 +123,8 @@ qla2x00_set_fcport_disc_state(fc_port_t + old_val, (old_val << shiftbits) | state)) { + ql_dbg(ql_dbg_disc, fcport->vha, 0x2134, + "FCPort %8phC disc_state transition: %s to %s - portid=%06x.\n", +- fcport->port_name, port_dstate_str[old_val & mask], ++ fcport->port_name, (old_val & mask) < port_dstate_str_sz ? ++ port_dstate_str[old_val & mask] : "Unknown", + port_dstate_str[state], fcport->d_id.b24); + return; + } diff --git a/queue-6.4/scsi-qla2xxx-fix-buffer-overrun.patch b/queue-6.4/scsi-qla2xxx-fix-buffer-overrun.patch new file mode 100644 index 00000000000..2351ca005f9 --- /dev/null +++ b/queue-6.4/scsi-qla2xxx-fix-buffer-overrun.patch 
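Review bot: The bounds guard covers only `port_dstate_str[old_val & mask]`; the `port_dstate_str[state]` argument on the next line is still indexed unchecked, so if a caller ever passes an out-of-range state the same over-read remains (state presumably comes from an enum, but the guard is cheap). Use the kernel's ARRAY_SIZE() instead of the open-coded division and guard both: `port_dstate_str_sz = ARRAY_SIZE(port_dstate_str);` and `state < port_dstate_str_sz ? port_dstate_str[state] : "Unknown",`. The rest of qla2x00_set_fcport_disc_state() is outside the hunk.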
@@ -0,0 +1,38 @@ +From b68710a8094fdffe8dd4f7a82c82649f479bb453 Mon Sep 17 00:00:00 2001 +From: Quinn Tran +Date: Wed, 7 Jun 2023 17:08:40 +0530 +Subject: scsi: qla2xxx: Fix buffer overrun + +From: Quinn Tran + +commit b68710a8094fdffe8dd4f7a82c82649f479bb453 upstream. + +Klocwork warning: Buffer Overflow - Array Index Out of Bounds + +Driver uses fc_els_flogi to calculate size of buffer. The actual buffer is +nested inside of fc_els_flogi which is smaller. + +Replace structure name to allow proper size calculation. + +Cc: stable@vger.kernel.org +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Link: https://lore.kernel.org/r/20230607113843.37185-6-njavali@marvell.com +Reviewed-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_init.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -5549,7 +5549,7 @@ static void qla_get_login_template(scsi_ + __be32 *q; + + memset(ha->init_cb, 0, ha->init_cb_size); +- sz = min_t(int, sizeof(struct fc_els_flogi), ha->init_cb_size); ++ sz = min_t(int, sizeof(struct fc_els_csp), ha->init_cb_size); + rval = qla24xx_get_port_login_templ(vha, ha->init_cb_dma, + ha->init_cb, sz); + if (rval != QLA_SUCCESS) { diff --git a/queue-6.4/scsi-qla2xxx-fix-hang-in-task-management.patch b/queue-6.4/scsi-qla2xxx-fix-hang-in-task-management.patch new file mode 100644 index 00000000000..5ab8829cb6d --- /dev/null +++ b/queue-6.4/scsi-qla2xxx-fix-hang-in-task-management.patch 
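Review bot: Nothing in qla_get_login_template() records why the size is now taken from struct fc_els_csp rather than struct fc_els_flogi, so the next reader will see a smaller struct and may "fix" it back; add above the assignment `/* The login template is the fc_els_csp nested inside fc_els_flogi, which is smaller than the enclosing struct. */`. Whether ha->init_cb_size is ever smaller than that struct cannot be told from this hunk, so the min_t() is worth keeping as is. The function's start is outside the hunk.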
@@ -0,0 +1,188 @@ +From 9ae615c5bfd37bd091772969b1153de5335ea986 Mon Sep 17 00:00:00 2001 +From: Quinn Tran +Date: Fri, 28 Apr 2023 00:53:36 -0700 +Subject: scsi: qla2xxx: Fix hang in task management + +From: Quinn Tran + +commit 9ae615c5bfd37bd091772969b1153de5335ea986 upstream. + +Task management command hangs where a side +band chip reset failed to nudge the TMF +from it's current send path. + +Add additional error check to block TMF +from entering during chip reset and along +the TMF path to cause it to bail out, skip +over abort of marker. + +Cc: stable@vger.kernel.org +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Link: https://lore.kernel.org/r/20230428075339.32551-5-njavali@marvell.com +Reviewed-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_def.h | 4 ++ + drivers/scsi/qla2xxx/qla_init.c | 60 ++++++++++++++++++++++++++++++++++++++-- + 2 files changed, 61 insertions(+), 3 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_def.h ++++ b/drivers/scsi/qla2xxx/qla_def.h +@@ -5516,4 +5516,8 @@ struct ql_vnd_tgt_stats_resp { + _fp->disc_state, _fp->scan_state, _fp->loop_id, _fp->deleted, \ + _fp->flags + ++#define TMF_NOT_READY(_fcport) \ ++ (!_fcport || IS_SESSION_DELETED(_fcport) || atomic_read(&_fcport->state) != FCS_ONLINE || \ ++ !_fcport->vha->hw->flags.fw_started) ++ + #endif +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -1996,6 +1996,11 @@ qla2x00_tmf_iocb_timeout(void *data) + int rc, h; + unsigned long flags; + ++ if (sp->type == SRB_MARKER) { ++ complete(&tmf->u.tmf.comp); ++ return; ++ } ++ + rc = qla24xx_async_abort_cmd(sp, false); + if (rc) { + spin_lock_irqsave(sp->qpair->qp_lock_ptr, flags); +@@ -2023,6 +2028,7 @@ static void qla_marker_sp_done(srb_t *sp + sp->handle, sp->fcport->d_id.b24, sp->u.iocb_cmd.u.tmf.flags, + sp->u.iocb_cmd.u.tmf.lun, sp->qpair->id); + ++ sp->u.iocb_cmd.u.tmf.data = res; + complete(&tmf->u.tmf.comp); + } + 
+@@ -2039,6 +2045,11 @@ static void qla_marker_sp_done(srb_t *sp + } while (cnt); \ + } + ++/** ++ * qla26xx_marker: send marker IOCB and wait for the completion of it. ++ * @arg: pointer to argument list. ++ * It is assume caller will provide an fcport pointer and modifier ++ */ + static int + qla26xx_marker(struct tmf_arg *arg) + { +@@ -2048,6 +2059,14 @@ qla26xx_marker(struct tmf_arg *arg) + int rval = QLA_FUNCTION_FAILED; + fc_port_t *fcport = arg->fcport; + ++ if (TMF_NOT_READY(arg->fcport)) { ++ ql_dbg(ql_dbg_taskm, vha, 0x8039, ++ "FC port not ready for marker loop-id=%x portid=%06x modifier=%x lun=%lld qp=%d.\n", ++ fcport->loop_id, fcport->d_id.b24, ++ arg->modifier, arg->lun, arg->qpair->id); ++ return QLA_SUSPENDED; ++ } ++ + /* ref: INIT */ + sp = qla2xxx_get_qpair_sp(vha, arg->qpair, fcport, GFP_KERNEL); + if (!sp) +@@ -2074,11 +2093,19 @@ qla26xx_marker(struct tmf_arg *arg) + + if (rval != QLA_SUCCESS) { + ql_log(ql_log_warn, vha, 0x8031, +- "Marker IOCB failed (%x).\n", rval); ++ "Marker IOCB send failure (%x).\n", rval); + goto done_free_sp; + } + + wait_for_completion(&tm_iocb->u.tmf.comp); ++ rval = tm_iocb->u.tmf.data; ++ ++ if (rval != QLA_SUCCESS) { ++ ql_log(ql_log_warn, vha, 0x8019, ++ "Marker failed hdl=%x loop-id=%x portid=%06x modifier=%x lun=%lld qp=%d rval %d.\n", ++ sp->handle, fcport->loop_id, fcport->d_id.b24, ++ arg->modifier, arg->lun, sp->qpair->id, rval); ++ } + + done_free_sp: + /* ref: INIT */ +@@ -2091,6 +2118,8 @@ static void qla2x00_tmf_sp_done(srb_t *s + { + struct srb_iocb *tmf = &sp->u.iocb_cmd; + ++ if (res) ++ tmf->u.tmf.data = res; + complete(&tmf->u.tmf.comp); + } + +@@ -2104,6 +2133,14 @@ __qla2x00_async_tm_cmd(struct tmf_arg *a + + fc_port_t *fcport = arg->fcport; + ++ if (TMF_NOT_READY(arg->fcport)) { ++ ql_dbg(ql_dbg_taskm, vha, 0x8032, ++ "FC port not ready for TM command loop-id=%x portid=%06x modifier=%x lun=%lld qp=%d.\n", ++ fcport->loop_id, fcport->d_id.b24, ++ arg->modifier, arg->lun, arg->qpair->id); ++ 
return QLA_SUSPENDED; ++ } ++ + /* ref: INIT */ + sp = qla2xxx_get_qpair_sp(vha, arg->qpair, fcport, GFP_KERNEL); + if (!sp) +@@ -2178,7 +2215,9 @@ int qla_get_tmf(fc_port_t *fcport) + msleep(1); + + spin_lock_irqsave(&ha->tgt.sess_lock, flags); +- if (fcport->deleted) { ++ if (TMF_NOT_READY(fcport)) { ++ ql_log(ql_log_warn, vha, 0x802c, ++ "Unable to acquire TM resource due to disruption.\n"); + rc = EIO; + break; + } +@@ -2204,7 +2243,10 @@ qla2x00_async_tm_cmd(fc_port_t *fcport, + struct scsi_qla_host *vha = fcport->vha; + struct qla_qpair *qpair; + struct tmf_arg a; +- int i, rval; ++ int i, rval = QLA_SUCCESS; ++ ++ if (TMF_NOT_READY(fcport)) ++ return QLA_SUSPENDED; + + a.vha = fcport->vha; + a.fcport = fcport; +@@ -2223,6 +2265,14 @@ qla2x00_async_tm_cmd(fc_port_t *fcport, + qpair = vha->hw->queue_pair_map[i]; + if (!qpair) + continue; ++ ++ if (TMF_NOT_READY(fcport)) { ++ ql_log(ql_log_warn, vha, 0x8026, ++ "Unable to send TM due to disruption.\n"); ++ rval = QLA_SUSPENDED; ++ break; ++ } ++ + a.qpair = qpair; + a.flags = flags|TCF_NOTMCMD_TO_TARGET; + rval = __qla2x00_async_tm_cmd(&a); +@@ -2231,10 +2281,14 @@ qla2x00_async_tm_cmd(fc_port_t *fcport, + } + } + ++ if (rval) ++ goto bailout; ++ + a.qpair = vha->hw->base_qpair; + a.flags = flags; + rval = __qla2x00_async_tm_cmd(&a); + ++bailout: + if (a.modifier == MK_SYNC_ID_LUN) + qla_put_tmf(fcport); + diff --git a/queue-6.4/scsi-qla2xxx-fix-mem-access-after-free.patch b/queue-6.4/scsi-qla2xxx-fix-mem-access-after-free.patch new file mode 100644 index 00000000000..6cf65e6240f --- /dev/null +++ b/queue-6.4/scsi-qla2xxx-fix-mem-access-after-free.patch 
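Review bot: `TMF_NOT_READY()` treats a NULL `_fcport` as "not ready", but the two callers that log on that condition, qla26xx_marker() and __qla2x00_async_tm_cmd(), dereference `fcport->loop_id` and `fcport->d_id.b24` inside the ql_dbg before returning QLA_SUSPENDED, so the NULL case the macro accepts would fault in the very branch meant to handle it. In qla2x00_async_tm_cmd() the check runs after `struct scsi_qla_host *vha = fcport->vha;` has already dereferenced the pointer, so the `!_fcport` leg is dead there, and the same presumably holds for qla_get_tmf(), whose declarations lie outside this hunk. Either drop the NULL leg if every caller guarantees a port, or test `fcport` before the ql_dbg in the two logging branches. The macro also evaluates `_fcport` four times; a `static inline bool` helper taking `fc_port_t *` would be the conventional form and avoids that.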
@@ -0,0 +1,301 @@ +From b843adde8d490934d042fbe9e3e46697cb3a64d2 Mon Sep 17 00:00:00 2001 +From: Quinn Tran +Date: Fri, 28 Apr 2023 00:53:37 -0700 +Subject: scsi: qla2xxx: Fix mem access after free + +From: Quinn Tran + +commit b843adde8d490934d042fbe9e3e46697cb3a64d2 upstream. + +System crash, where driver is accessing scsi layer's +memory (scsi_cmnd->device->host) to search for a well known internal +pointer (vha). The scsi_cmnd was released back to upper layer which +could be freed, but the driver is still accessing it. + +7 [ffffa8e8d2c3f8d0] page_fault at ffffffff86c010fe + [exception RIP: __qla2x00_eh_wait_for_pending_commands+240] + RIP: ffffffffc0642350 RSP: ffffa8e8d2c3f988 RFLAGS: 00010286 + RAX: 0000000000000165 RBX: 0000000000000002 RCX: 00000000000036d8 + RDX: 0000000000000000 RSI: ffff9c5c56535188 RDI: 0000000000000286 + RBP: ffff9c5bf7aa4a58 R8: ffff9c589aecdb70 R9: 00000000000003d1 + R10: 0000000000000001 R11: 0000000000380000 R12: ffff9c5c5392bc78 + R13: ffff9c57044ff5c0 R14: ffff9c56b5a3aa00 R15: 00000000000006db + ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 +8 [ffffa8e8d2c3f9c8] qla2x00_eh_wait_for_pending_commands at ffffffffc0646dd5 [qla2xxx] +9 [ffffa8e8d2c3fa00] __qla2x00_async_tm_cmd at ffffffffc0658094 [qla2xxx] + +Remove access of freed memory. Currently the driver was checking to see if +scsi_done was called by seeing if the sp->type has changed. Instead, +check to see if the command has left the oustanding_cmds[] array as +sign of scsi_done was called. + +Cc: stable@vger.kernel.org +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Link: https://lore.kernel.org/r/20230428075339.32551-6-njavali@marvell.com +Reviewed-by: Himanshu Madhani +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_isr.c | 38 +++++++++-- + drivers/scsi/qla2xxx/qla_os.c | 130 ++++++++++++++++++++--------------------- + 2 files changed, 95 insertions(+), 73 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_isr.c ++++ b/drivers/scsi/qla2xxx/qla_isr.c +@@ -1862,9 +1862,9 @@ qla2x00_process_completed_request(struct + } + } + +-srb_t * +-qla2x00_get_sp_from_handle(scsi_qla_host_t *vha, const char *func, +- struct req_que *req, void *iocb) ++static srb_t * ++qla_get_sp_from_handle(scsi_qla_host_t *vha, const char *func, ++ struct req_que *req, void *iocb, u16 *ret_index) + { + struct qla_hw_data *ha = vha->hw; + sts_entry_t *pkt = iocb; +@@ -1899,12 +1899,25 @@ qla2x00_get_sp_from_handle(scsi_qla_host + return NULL; + } + +- req->outstanding_cmds[index] = NULL; +- ++ *ret_index = index; + qla_put_fw_resources(sp->qpair, &sp->iores); + return sp; + } + ++srb_t * ++qla2x00_get_sp_from_handle(scsi_qla_host_t *vha, const char *func, ++ struct req_que *req, void *iocb) ++{ ++ uint16_t index; ++ srb_t *sp; ++ ++ sp = qla_get_sp_from_handle(vha, func, req, iocb, &index); ++ if (sp) ++ req->outstanding_cmds[index] = NULL; ++ ++ return sp; ++} ++ + static void + qla2x00_mbx_iocb_entry(scsi_qla_host_t *vha, struct req_que *req, + struct mbx_entry *mbx) +@@ -3237,13 +3250,13 @@ qla2x00_status_entry(scsi_qla_host_t *vh + return; + } + +- req->outstanding_cmds[handle] = NULL; + cp = GET_CMD_SP(sp); + if (cp == NULL) { + ql_dbg(ql_dbg_io, vha, 0x3018, + "Command already returned (0x%x/%p).\n", + sts->handle, sp); + ++ req->outstanding_cmds[handle] = NULL; + return; + } + +@@ -3514,6 +3527,9 @@ out: + + if (rsp->status_srb == NULL) + sp->done(sp, res); ++ ++ /* for io's, clearing of outstanding_cmds[handle] means scsi_done was called */ ++ req->outstanding_cmds[handle] = NULL; + } + + /** +@@ -3590,6 +3606,7 @@ qla2x00_error_entry(scsi_qla_host_t *vha + uint16_t que = MSW(pkt->handle); + struct req_que *req = NULL; + int res 
= DID_ERROR << 16; ++ u16 index; + + ql_dbg(ql_dbg_async, vha, 0x502a, + "iocb type %xh with error status %xh, handle %xh, rspq id %d\n", +@@ -3608,7 +3625,6 @@ qla2x00_error_entry(scsi_qla_host_t *vha + + switch (pkt->entry_type) { + case NOTIFY_ACK_TYPE: +- case STATUS_TYPE: + case STATUS_CONT_TYPE: + case LOGINOUT_PORT_IOCB_TYPE: + case CT_IOCB_TYPE: +@@ -3628,6 +3644,14 @@ qla2x00_error_entry(scsi_qla_host_t *vha + case CTIO_TYPE7: + case CTIO_CRC2: + return 1; ++ case STATUS_TYPE: ++ sp = qla_get_sp_from_handle(vha, func, req, pkt, &index); ++ if (sp) { ++ sp->done(sp, res); ++ req->outstanding_cmds[index] = NULL; ++ return 0; ++ } ++ break; + } + fatal: + ql_log(ql_log_warn, vha, 0x5030, +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -1079,43 +1079,6 @@ qc24_fail_command: + } + + /* +- * qla2x00_eh_wait_on_command +- * Waits for the command to be returned by the Firmware for some +- * max time. +- * +- * Input: +- * cmd = Scsi Command to wait on. +- * +- * Return: +- * Completed in time : QLA_SUCCESS +- * Did not complete in time : QLA_FUNCTION_FAILED +- */ +-static int +-qla2x00_eh_wait_on_command(struct scsi_cmnd *cmd) +-{ +-#define ABORT_POLLING_PERIOD 1000 +-#define ABORT_WAIT_ITER ((2 * 1000) / (ABORT_POLLING_PERIOD)) +- unsigned long wait_iter = ABORT_WAIT_ITER; +- scsi_qla_host_t *vha = shost_priv(cmd->device->host); +- struct qla_hw_data *ha = vha->hw; +- srb_t *sp = scsi_cmd_priv(cmd); +- int ret = QLA_SUCCESS; +- +- if (unlikely(pci_channel_offline(ha->pdev)) || ha->flags.eeh_busy) { +- ql_dbg(ql_dbg_taskm, vha, 0x8005, +- "Return:eh_wait.\n"); +- return ret; +- } +- +- while (sp->type && wait_iter--) +- msleep(ABORT_POLLING_PERIOD); +- if (sp->type) +- ret = QLA_FUNCTION_FAILED; +- +- return ret; +-} +- +-/* + * qla2x00_wait_for_hba_online + * Wait till the HBA is online after going through + * <= MAX_RETRIES_OF_ISP_ABORT or +@@ -1365,6 +1328,9 @@ qla2xxx_eh_abort(struct scsi_cmnd *cmd) + return ret; + } + ++#define 
ABORT_POLLING_PERIOD 1000 ++#define ABORT_WAIT_ITER ((2 * 1000) / (ABORT_POLLING_PERIOD)) ++ + /* + * Returns: QLA_SUCCESS or QLA_FUNCTION_FAILED. + */ +@@ -1378,41 +1344,73 @@ __qla2x00_eh_wait_for_pending_commands(s + struct req_que *req = qpair->req; + srb_t *sp; + struct scsi_cmnd *cmd; ++ unsigned long wait_iter = ABORT_WAIT_ITER; ++ bool found; ++ struct qla_hw_data *ha = vha->hw; + + status = QLA_SUCCESS; + +- spin_lock_irqsave(qpair->qp_lock_ptr, flags); +- for (cnt = 1; status == QLA_SUCCESS && +- cnt < req->num_outstanding_cmds; cnt++) { +- sp = req->outstanding_cmds[cnt]; +- if (!sp) +- continue; +- if (sp->type != SRB_SCSI_CMD) +- continue; +- if (vha->vp_idx != sp->vha->vp_idx) +- continue; +- match = 0; +- cmd = GET_CMD_SP(sp); +- switch (type) { +- case WAIT_HOST: +- match = 1; +- break; +- case WAIT_TARGET: +- match = cmd->device->id == t; +- break; +- case WAIT_LUN: +- match = (cmd->device->id == t && +- cmd->device->lun == l); +- break; +- } +- if (!match) +- continue; ++ while (wait_iter--) { ++ found = false; + +- spin_unlock_irqrestore(qpair->qp_lock_ptr, flags); +- status = qla2x00_eh_wait_on_command(cmd); + spin_lock_irqsave(qpair->qp_lock_ptr, flags); ++ for (cnt = 1; cnt < req->num_outstanding_cmds; cnt++) { ++ sp = req->outstanding_cmds[cnt]; ++ if (!sp) ++ continue; ++ if (sp->type != SRB_SCSI_CMD) ++ continue; ++ if (vha->vp_idx != sp->vha->vp_idx) ++ continue; ++ match = 0; ++ cmd = GET_CMD_SP(sp); ++ switch (type) { ++ case WAIT_HOST: ++ match = 1; ++ break; ++ case WAIT_TARGET: ++ if (sp->fcport) ++ match = sp->fcport->d_id.b24 == t; ++ else ++ match = 0; ++ break; ++ case WAIT_LUN: ++ if (sp->fcport) ++ match = (sp->fcport->d_id.b24 == t && ++ cmd->device->lun == l); ++ else ++ match = 0; ++ break; ++ } ++ if (!match) ++ continue; ++ ++ spin_unlock_irqrestore(qpair->qp_lock_ptr, flags); ++ ++ if (unlikely(pci_channel_offline(ha->pdev)) || ++ ha->flags.eeh_busy) { ++ ql_dbg(ql_dbg_taskm, vha, 0x8005, ++ "Return:eh_wait.\n"); ++ return 
status; ++ } ++ ++ /* ++ * SRB_SCSI_CMD is still in the outstanding_cmds array. ++ * it means scsi_done has not called. Wait for it to ++ * clear from outstanding_cmds. ++ */ ++ msleep(ABORT_POLLING_PERIOD); ++ spin_lock_irqsave(qpair->qp_lock_ptr, flags); ++ found = true; ++ } ++ spin_unlock_irqrestore(qpair->qp_lock_ptr, flags); ++ ++ if (!found) ++ break; + } +- spin_unlock_irqrestore(qpair->qp_lock_ptr, flags); ++ ++ if (!wait_iter && found) ++ status = QLA_FUNCTION_FAILED; + + return status; + } diff --git a/queue-6.4/scsi-qla2xxx-fix-potential-null-pointer-dereference.patch b/queue-6.4/scsi-qla2xxx-fix-potential-null-pointer-dereference.patch new file mode 100644 index 00000000000..5340f077429 --- /dev/null +++ b/queue-6.4/scsi-qla2xxx-fix-potential-null-pointer-dereference.patch 
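Review bot: The timeout in the rewritten __qla2x00_eh_wait_for_pending_commands() looks unreachable: `while (wait_iter--)` post-decrements, so once the iterations are exhausted `wait_iter` has wrapped from 0 to ULONG_MAX and `if (!wait_iter && found)` is never true, leaving `status` at QLA_SUCCESS although a matching SRB_SCSI_CMD was still in `outstanding_cmds[]` on the final pass. Since the loop only exits with `found` still true when the iterations ran out (the `if (!found) break;` path clears it and the EEH path returns directly), the check can simply be `if (found) status = QLA_FUNCTION_FAILED;`. The function's signature and the declarations of `status`, `cnt` and `match` begin before this hunk.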
@@ -0,0 +1,35 @@ +From 464ea494a40c6e3e0e8f91dd325408aaf21515ba Mon Sep 17 00:00:00 2001 +From: Bikash Hazarika +Date: Wed, 7 Jun 2023 17:08:37 +0530 +Subject: scsi: qla2xxx: Fix potential NULL pointer dereference + +From: Bikash Hazarika + +commit 464ea494a40c6e3e0e8f91dd325408aaf21515ba upstream. + +Klocwork tool reported 'cur_dsd' may be dereferenced. Add fix to validate +pointer before dereferencing the pointer. + +Cc: stable@vger.kernel.org +Signed-off-by: Bikash Hazarika +Signed-off-by: Nilesh Javali +Link: https://lore.kernel.org/r/20230607113843.37185-3-njavali@marvell.com +Reviewed-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_iocb.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/qla2xxx/qla_iocb.c ++++ b/drivers/scsi/qla2xxx/qla_iocb.c +@@ -607,7 +607,8 @@ qla24xx_build_scsi_type_6_iocbs(srb_t *s + put_unaligned_le32(COMMAND_TYPE_6, &cmd_pkt->entry_type); + + /* No data transfer */ +- if (!scsi_bufflen(cmd) || cmd->sc_data_direction == DMA_NONE) { ++ if (!scsi_bufflen(cmd) || cmd->sc_data_direction == DMA_NONE || ++ tot_dsds == 0) { + cmd_pkt->byte_count = cpu_to_le32(0); + return 0; + } diff --git a/queue-6.4/scsi-qla2xxx-fix-task-management-cmd-fail-due-to-unavailable-resource.patch b/queue-6.4/scsi-qla2xxx-fix-task-management-cmd-fail-due-to-unavailable-resource.patch new file mode 100644 index 00000000000..30ac261151f --- /dev/null +++ b/queue-6.4/scsi-qla2xxx-fix-task-management-cmd-fail-due-to-unavailable-resource.patch 
@@ -0,0 +1,147 @@ +From 6a87679626b51b53fbb6be417ad8eb083030b617 Mon Sep 17 00:00:00 2001 +From: Quinn Tran +Date: Fri, 28 Apr 2023 00:53:35 -0700 +Subject: scsi: qla2xxx: Fix task management cmd fail due to unavailable resource + +From: Quinn Tran + +commit 6a87679626b51b53fbb6be417ad8eb083030b617 upstream. + +Task management command failed with status 2Ch which is +a result of too many task management commands sent +to the same target. Hence limit task management commands +to 8 per target. + +Reported-by: kernel test robot +Link: https://lore.kernel.org/oe-kbuild-all/202304271952.NKNmoFzv-lkp@intel.com/ +Cc: stable@vger.kernel.org +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Link: https://lore.kernel.org/r/20230428075339.32551-4-njavali@marvell.com +Reviewed-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_def.h | 3 + + drivers/scsi/qla2xxx/qla_init.c | 63 ++++++++++++++++++++++++++++++++++++---- + 2 files changed, 61 insertions(+), 5 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_def.h ++++ b/drivers/scsi/qla2xxx/qla_def.h +@@ -2542,6 +2542,7 @@ enum rscn_addr_format { + typedef struct fc_port { + struct list_head list; + struct scsi_qla_host *vha; ++ struct list_head tmf_pending; + + unsigned int conf_compl_supported:1; + unsigned int deleted:2; +@@ -2562,6 +2563,8 @@ typedef struct fc_port { + unsigned int do_prli_nvme:1; + + uint8_t nvme_flag; ++ uint8_t active_tmf; ++#define MAX_ACTIVE_TMF 8 + + uint8_t node_name[WWN_SIZE]; + uint8_t port_name[WWN_SIZE]; +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -2149,6 +2149,54 @@ done: + return rval; + } + ++static void qla_put_tmf(fc_port_t *fcport) ++{ ++ struct scsi_qla_host *vha = fcport->vha; ++ struct qla_hw_data *ha = vha->hw; ++ unsigned long flags; ++ ++ spin_lock_irqsave(&ha->tgt.sess_lock, flags); ++ fcport->active_tmf--; ++ spin_unlock_irqrestore(&ha->tgt.sess_lock, flags); ++} ++ 
++static ++int qla_get_tmf(fc_port_t *fcport) ++{ ++ struct scsi_qla_host *vha = fcport->vha; ++ struct qla_hw_data *ha = vha->hw; ++ unsigned long flags; ++ int rc = 0; ++ LIST_HEAD(tmf_elem); ++ ++ spin_lock_irqsave(&ha->tgt.sess_lock, flags); ++ list_add_tail(&tmf_elem, &fcport->tmf_pending); ++ ++ while (fcport->active_tmf >= MAX_ACTIVE_TMF) { ++ spin_unlock_irqrestore(&ha->tgt.sess_lock, flags); ++ ++ msleep(1); ++ ++ spin_lock_irqsave(&ha->tgt.sess_lock, flags); ++ if (fcport->deleted) { ++ rc = EIO; ++ break; ++ } ++ if (fcport->active_tmf < MAX_ACTIVE_TMF && ++ list_is_first(&tmf_elem, &fcport->tmf_pending)) ++ break; ++ } ++ ++ list_del(&tmf_elem); ++ ++ if (!rc) ++ fcport->active_tmf++; ++ ++ spin_unlock_irqrestore(&ha->tgt.sess_lock, flags); ++ ++ return rc; ++} ++ + int + qla2x00_async_tm_cmd(fc_port_t *fcport, uint32_t flags, uint64_t lun, + uint32_t tag) +@@ -2156,18 +2204,19 @@ qla2x00_async_tm_cmd(fc_port_t *fcport, + struct scsi_qla_host *vha = fcport->vha; + struct qla_qpair *qpair; + struct tmf_arg a; +- struct completion comp; + int i, rval; + +- init_completion(&comp); + a.vha = fcport->vha; + a.fcport = fcport; + a.lun = lun; +- +- if (flags & (TCF_LUN_RESET|TCF_ABORT_TASK_SET|TCF_CLEAR_TASK_SET|TCF_CLEAR_ACA)) ++ if (flags & (TCF_LUN_RESET|TCF_ABORT_TASK_SET|TCF_CLEAR_TASK_SET|TCF_CLEAR_ACA)) { + a.modifier = MK_SYNC_ID_LUN; +- else ++ ++ if (qla_get_tmf(fcport)) ++ return QLA_FUNCTION_FAILED; ++ } else { + a.modifier = MK_SYNC_ID; ++ } + + if (vha->hw->mqenable) { + for (i = 0; i < vha->hw->num_qpairs; i++) { +@@ -2186,6 +2235,9 @@ qla2x00_async_tm_cmd(fc_port_t *fcport, + a.flags = flags; + rval = __qla2x00_async_tm_cmd(&a); + ++ if (a.modifier == MK_SYNC_ID_LUN) ++ qla_put_tmf(fcport); ++ + return rval; + } + +@@ -5400,6 +5452,7 @@ qla2x00_alloc_fcport(scsi_qla_host_t *vh + INIT_WORK(&fcport->reg_work, qla_register_fcport_fn); + INIT_LIST_HEAD(&fcport->gnl_entry); + INIT_LIST_HEAD(&fcport->list); ++ INIT_LIST_HEAD(&fcport->tmf_pending); + 
+ INIT_LIST_HEAD(&fcport->sess_cmd_list); + spin_lock_init(&fcport->sess_cmd_lock); diff --git a/queue-6.4/scsi-qla2xxx-fix-task-management-cmd-failure.patch b/queue-6.4/scsi-qla2xxx-fix-task-management-cmd-failure.patch new file mode 100644 index 00000000000..88f57f120fb --- /dev/null +++ b/queue-6.4/scsi-qla2xxx-fix-task-management-cmd-failure.patch 
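Review bot: qla_get_tmf() returns the positive `EIO` on the deleted-port path, while kernel convention is a negative errno (`rc = -EIO;`); the only caller tests `if (qla_get_tmf(fcport))`, so it works today, but anything that later propagates the value would hand a positive number to code expecting `-Exxx`. The wait loop is otherwise unbounded: a port that stays alive with `active_tmf` pinned at MAX_ACTIVE_TMF keeps the requester in 1 ms sleeps indefinitely, which is presumably acceptable because the in-flight TMFs have their own timeouts, but a one-line comment stating that assumption would help the next reader. Minor style: `static` on its own line before `int qla_get_tmf(` differs from `static void qla_put_tmf(` directly above it.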
@@ -0,0 +1,313 @@ +From 9803fb5d27597ea98f2e05b0b6cfc48ae808458e Mon Sep 17 00:00:00 2001 +From: Quinn Tran +Date: Fri, 28 Apr 2023 00:53:34 -0700 +Subject: scsi: qla2xxx: Fix task management cmd failure + +From: Quinn Tran + +commit 9803fb5d27597ea98f2e05b0b6cfc48ae808458e upstream. + +Task management cmd failed with status 30h which means +FW is not able to finish processing one task management +before another task management for the same lun. +Hence add wait for completion of marker to space it out. + +Reported-by: kernel test robot +Link: https://lore.kernel.org/oe-kbuild-all/202304271802.uCZfwQC1-lkp@intel.com/ +Cc: stable@vger.kernel.org +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Link: https://lore.kernel.org/r/20230428075339.32551-3-njavali@marvell.com +Reviewed-by: Himanshu Madhani > +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_def.h | 6 ++ + drivers/scsi/qla2xxx/qla_init.c | 102 +++++++++++++++++++++++++++++++++------- + drivers/scsi/qla2xxx/qla_iocb.c | 28 +++++++++- + drivers/scsi/qla2xxx/qla_isr.c | 26 +++++++++- + 4 files changed, 139 insertions(+), 23 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_def.h ++++ b/drivers/scsi/qla2xxx/qla_def.h +@@ -471,6 +471,7 @@ struct tmf_arg { + struct scsi_qla_host *vha; + u64 lun; + u32 flags; ++ uint8_t modifier; + }; + + struct els_logo_payload { +@@ -552,6 +553,10 @@ struct srb_iocb { + uint32_t data; + struct completion comp; + __le16 comp_status; ++ ++ uint8_t modifier; ++ uint8_t vp_index; ++ uint16_t loop_id; + } tmf; + struct { + #define SRB_FXDISC_REQ_DMA_VALID BIT_0 +@@ -655,6 +660,7 @@ struct srb_iocb { + #define SRB_SA_UPDATE 25 + #define SRB_ELS_CMD_HST_NOLOGIN 26 + #define SRB_SA_REPLACE 27 ++#define SRB_MARKER 28 + + struct qla_els_pt_arg { + u8 els_opcode; +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -2013,6 +2013,80 @@ qla2x00_tmf_iocb_timeout(void *data) + } + } + ++static void 
qla_marker_sp_done(srb_t *sp, int res) ++{ ++ struct srb_iocb *tmf = &sp->u.iocb_cmd; ++ ++ if (res != QLA_SUCCESS) ++ ql_dbg(ql_dbg_taskm, sp->vha, 0x8004, ++ "Async-marker fail hdl=%x portid=%06x ctrl=%x lun=%lld qp=%d.\n", ++ sp->handle, sp->fcport->d_id.b24, sp->u.iocb_cmd.u.tmf.flags, ++ sp->u.iocb_cmd.u.tmf.lun, sp->qpair->id); ++ ++ complete(&tmf->u.tmf.comp); ++} ++ ++#define START_SP_W_RETRIES(_sp, _rval) \ ++{\ ++ int cnt = 5; \ ++ do { \ ++ _rval = qla2x00_start_sp(_sp); \ ++ if (_rval == EAGAIN) \ ++ msleep(1); \ ++ else \ ++ break; \ ++ cnt--; \ ++ } while (cnt); \ ++} ++ ++static int ++qla26xx_marker(struct tmf_arg *arg) ++{ ++ struct scsi_qla_host *vha = arg->vha; ++ struct srb_iocb *tm_iocb; ++ srb_t *sp; ++ int rval = QLA_FUNCTION_FAILED; ++ fc_port_t *fcport = arg->fcport; ++ ++ /* ref: INIT */ ++ sp = qla2xxx_get_qpair_sp(vha, arg->qpair, fcport, GFP_KERNEL); ++ if (!sp) ++ goto done; ++ ++ sp->type = SRB_MARKER; ++ sp->name = "marker"; ++ qla2x00_init_async_sp(sp, qla2x00_get_async_timeout(vha), qla_marker_sp_done); ++ sp->u.iocb_cmd.timeout = qla2x00_tmf_iocb_timeout; ++ ++ tm_iocb = &sp->u.iocb_cmd; ++ init_completion(&tm_iocb->u.tmf.comp); ++ tm_iocb->u.tmf.modifier = arg->modifier; ++ tm_iocb->u.tmf.lun = arg->lun; ++ tm_iocb->u.tmf.loop_id = fcport->loop_id; ++ tm_iocb->u.tmf.vp_index = vha->vp_idx; ++ ++ START_SP_W_RETRIES(sp, rval); ++ ++ ql_dbg(ql_dbg_taskm, vha, 0x8006, ++ "Async-marker hdl=%x loop-id=%x portid=%06x modifier=%x lun=%lld qp=%d rval %d.\n", ++ sp->handle, fcport->loop_id, fcport->d_id.b24, ++ arg->modifier, arg->lun, sp->qpair->id, rval); ++ ++ if (rval != QLA_SUCCESS) { ++ ql_log(ql_log_warn, vha, 0x8031, ++ "Marker IOCB failed (%x).\n", rval); ++ goto done_free_sp; ++ } ++ ++ wait_for_completion(&tm_iocb->u.tmf.comp); ++ ++done_free_sp: ++ /* ref: INIT */ ++ kref_put(&sp->cmd_kref, qla2x00_sp_release); ++done: ++ return rval; ++} ++ + static void qla2x00_tmf_sp_done(srb_t *sp, int res) + { + struct srb_iocb *tmf = 
&sp->u.iocb_cmd; +@@ -2026,7 +2100,6 @@ __qla2x00_async_tm_cmd(struct tmf_arg *a + struct scsi_qla_host *vha = arg->vha; + struct srb_iocb *tm_iocb; + srb_t *sp; +- unsigned long flags; + int rval = QLA_FUNCTION_FAILED; + + fc_port_t *fcport = arg->fcport; +@@ -2048,11 +2121,12 @@ __qla2x00_async_tm_cmd(struct tmf_arg *a + tm_iocb->u.tmf.flags = arg->flags; + tm_iocb->u.tmf.lun = arg->lun; + +- rval = qla2x00_start_sp(sp); ++ START_SP_W_RETRIES(sp, rval); ++ + ql_dbg(ql_dbg_taskm, vha, 0x802f, +- "Async-tmf hdl=%x loop-id=%x portid=%02x%02x%02x ctrl=%x.\n", +- sp->handle, fcport->loop_id, fcport->d_id.b.domain, +- fcport->d_id.b.area, fcport->d_id.b.al_pa, arg->flags); ++ "Async-tmf hdl=%x loop-id=%x portid=%06x ctrl=%x lun=%lld qp=%d rval=%x.\n", ++ sp->handle, fcport->loop_id, fcport->d_id.b24, ++ arg->flags, arg->lun, sp->qpair->id, rval); + + if (rval != QLA_SUCCESS) + goto done_free_sp; +@@ -2065,17 +2139,8 @@ __qla2x00_async_tm_cmd(struct tmf_arg *a + "TM IOCB failed (%x).\n", rval); + } + +- if (!test_bit(UNLOADING, &vha->dpc_flags) && !IS_QLAFX00(vha->hw)) { +- flags = tm_iocb->u.tmf.flags; +- if (flags & (TCF_LUN_RESET|TCF_ABORT_TASK_SET| +- TCF_CLEAR_TASK_SET|TCF_CLEAR_ACA)) +- flags = MK_SYNC_ID_LUN; +- else +- flags = MK_SYNC_ID; +- +- qla2x00_marker(vha, sp->qpair, +- sp->fcport->loop_id, arg->lun, flags); +- } ++ if (!test_bit(UNLOADING, &vha->dpc_flags) && !IS_QLAFX00(vha->hw)) ++ rval = qla26xx_marker(arg); + + done_free_sp: + /* ref: INIT */ +@@ -2099,6 +2164,11 @@ qla2x00_async_tm_cmd(fc_port_t *fcport, + a.fcport = fcport; + a.lun = lun; + ++ if (flags & (TCF_LUN_RESET|TCF_ABORT_TASK_SET|TCF_CLEAR_TASK_SET|TCF_CLEAR_ACA)) ++ a.modifier = MK_SYNC_ID_LUN; ++ else ++ a.modifier = MK_SYNC_ID; ++ + if (vha->hw->mqenable) { + for (i = 0; i < vha->hw->num_qpairs; i++) { + qpair = vha->hw->queue_pair_map[i]; +--- a/drivers/scsi/qla2xxx/qla_iocb.c ++++ b/drivers/scsi/qla2xxx/qla_iocb.c +@@ -522,21 +522,25 @@ __qla2x00_marker(struct scsi_qla_host *v + 
return (QLA_FUNCTION_FAILED); + } + ++ mrk24 = (struct mrk_entry_24xx *)mrk; ++ + mrk->entry_type = MARKER_TYPE; + mrk->modifier = type; + if (type != MK_SYNC_ALL) { + if (IS_FWI2_CAPABLE(ha)) { +- mrk24 = (struct mrk_entry_24xx *) mrk; + mrk24->nport_handle = cpu_to_le16(loop_id); + int_to_scsilun(lun, (struct scsi_lun *)&mrk24->lun); + host_to_fcp_swap(mrk24->lun, sizeof(mrk24->lun)); + mrk24->vp_index = vha->vp_idx; +- mrk24->handle = make_handle(req->id, mrk24->handle); + } else { + SET_TARGET_ID(ha, mrk->target, loop_id); + mrk->lun = cpu_to_le16((uint16_t)lun); + } + } ++ ++ if (IS_FWI2_CAPABLE(ha)) ++ mrk24->handle = QLA_SKIP_HANDLE; ++ + wmb(); + + qla2x00_start_iocbs(vha, req); +@@ -3853,9 +3857,9 @@ static int qla_get_iocbs_resource(struct + case SRB_NACK_LOGO: + case SRB_LOGOUT_CMD: + case SRB_CTRL_VP: +- push_it_through = true; +- fallthrough; ++ case SRB_MARKER: + default: ++ push_it_through = true; + get_exch = false; + } + +@@ -3871,6 +3875,19 @@ static int qla_get_iocbs_resource(struct + return qla_get_fw_resources(sp->qpair, &sp->iores); + } + ++static void ++qla_marker_iocb(srb_t *sp, struct mrk_entry_24xx *mrk) ++{ ++ mrk->entry_type = MARKER_TYPE; ++ mrk->modifier = sp->u.iocb_cmd.u.tmf.modifier; ++ if (sp->u.iocb_cmd.u.tmf.modifier != MK_SYNC_ALL) { ++ mrk->nport_handle = cpu_to_le16(sp->u.iocb_cmd.u.tmf.loop_id); ++ int_to_scsilun(sp->u.iocb_cmd.u.tmf.lun, (struct scsi_lun *)&mrk->lun); ++ host_to_fcp_swap(mrk->lun, sizeof(mrk->lun)); ++ mrk->vp_index = sp->u.iocb_cmd.u.tmf.vp_index; ++ } ++} ++ + int + qla2x00_start_sp(srb_t *sp) + { +@@ -3974,6 +3991,9 @@ qla2x00_start_sp(srb_t *sp) + case SRB_SA_REPLACE: + qla24xx_sa_replace_iocb(sp, pkt); + break; ++ case SRB_MARKER: ++ qla_marker_iocb(sp, pkt); ++ break; + default: + break; + } +--- a/drivers/scsi/qla2xxx/qla_isr.c ++++ b/drivers/scsi/qla2xxx/qla_isr.c +@@ -3750,6 +3750,28 @@ static int qla_chk_cont_iocb_avail(struc + return rc; + } + ++static void qla_marker_iocb_entry(scsi_qla_host_t 
*vha, struct req_que *req, ++ struct mrk_entry_24xx *pkt) ++{ ++ const char func[] = "MRK-IOCB"; ++ srb_t *sp; ++ int res = QLA_SUCCESS; ++ ++ if (!IS_FWI2_CAPABLE(vha->hw)) ++ return; ++ ++ sp = qla2x00_get_sp_from_handle(vha, func, req, pkt); ++ if (!sp) ++ return; ++ ++ if (pkt->entry_status) { ++ ql_dbg(ql_dbg_taskm, vha, 0x8025, "marker failure.\n"); ++ res = QLA_COMMAND_ERROR; ++ } ++ sp->u.iocb_cmd.u.tmf.data = res; ++ sp->done(sp, res); ++} ++ + /** + * qla24xx_process_response_queue() - Process response queue entries. + * @vha: SCSI driver HA context +@@ -3866,9 +3888,7 @@ process_err: + (struct nack_to_isp *)pkt); + break; + case MARKER_TYPE: +- /* Do nothing in this case, this check is to prevent it +- * from falling into default case +- */ ++ qla_marker_iocb_entry(vha, rsp->req, (struct mrk_entry_24xx *)pkt); + break; + case ABORT_IOCB_TYPE: + qla24xx_abort_iocb_entry(vha, rsp->req, diff --git a/queue-6.4/scsi-qla2xxx-multi-que-support-for-tmf.patch b/queue-6.4/scsi-qla2xxx-multi-que-support-for-tmf.patch new file mode 100644 index 00000000000..89460176a3e --- /dev/null +++ b/queue-6.4/scsi-qla2xxx-multi-que-support-for-tmf.patch 
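Review bot: `START_SP_W_RETRIES()` is a multi-statement macro wrapped in bare `{ }` rather than `do { ... } while (0)`, so the `;` at its call sites (`START_SP_W_RETRIES(sp, rval);`) leaves a stray empty statement and the macro cannot be used as the body of an unbraced `if`/`else`. When qla2x00_start_sp() returns EAGAIN on all five attempts, `_rval` is left holding the positive errno, which qla26xx_marker() and __qla2x00_async_tm_cmd() then compare against QLA_SUCCESS and print as a QLA status, mixing two code spaces in the logs. In qla_get_iocbs_resource(), folding `SRB_CTRL_VP`'s `push_it_through = true; fallthrough;` into a shared `default:` also makes every unlisted SRB type take `push_it_through = true`; if that is intended it deserves a comment, since the hunk does not show whether any other type relied on the old default.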
@@ -0,0 +1,188 @@ +From d90171dd0da50212f5950cc708240831e82f2f91 Mon Sep 17 00:00:00 2001 +From: Quinn Tran +Date: Fri, 28 Apr 2023 00:53:33 -0700 +Subject: scsi: qla2xxx: Multi-que support for TMF + +From: Quinn Tran + +commit d90171dd0da50212f5950cc708240831e82f2f91 upstream. + +Add queue flush for task management command, before +placing it on the wire. +Do IO flush for all Request Q's. + +Reported-by: kernel test robot +Link: https://lore.kernel.org/oe-kbuild-all/202304271702.GpIL391S-lkp@intel.com/ +Cc: stable@vger.kernel.org +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Link: https://lore.kernel.org/r/20230428075339.32551-2-njavali@marvell.com +Reviewed-by: Himanshu Madhani > +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_def.h | 8 ++++ + drivers/scsi/qla2xxx/qla_gbl.h | 2 - + drivers/scsi/qla2xxx/qla_init.c | 69 +++++++++++++++++++++++++++++++--------- + drivers/scsi/qla2xxx/qla_iocb.c | 5 +- + 4 files changed, 66 insertions(+), 18 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_def.h ++++ b/drivers/scsi/qla2xxx/qla_def.h +@@ -465,6 +465,14 @@ static inline be_id_t port_id_to_be_id(p + return res; + } + ++struct tmf_arg { ++ struct qla_qpair *qpair; ++ struct fc_port *fcport; ++ struct scsi_qla_host *vha; ++ u64 lun; ++ u32 flags; ++}; ++ + struct els_logo_payload { + uint8_t opcode; + uint8_t rsvd[3]; +--- a/drivers/scsi/qla2xxx/qla_gbl.h ++++ b/drivers/scsi/qla2xxx/qla_gbl.h +@@ -69,7 +69,7 @@ extern int qla2x00_async_logout(struct s + extern int qla2x00_async_prlo(struct scsi_qla_host *, fc_port_t *); + extern int qla2x00_async_adisc(struct scsi_qla_host *, fc_port_t *, + uint16_t *); +-extern int qla2x00_async_tm_cmd(fc_port_t *, uint32_t, uint32_t, uint32_t); ++extern int qla2x00_async_tm_cmd(fc_port_t *, uint32_t, uint64_t, uint32_t); + struct qla_work_evt *qla2x00_alloc_work(struct scsi_qla_host *, + enum qla_work_type); + extern int qla24xx_async_gnl(struct scsi_qla_host *, fc_port_t 
*); +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -2020,17 +2020,19 @@ static void qla2x00_tmf_sp_done(srb_t *s + complete(&tmf->u.tmf.comp); + } + +-int +-qla2x00_async_tm_cmd(fc_port_t *fcport, uint32_t flags, uint32_t lun, +- uint32_t tag) ++static int ++__qla2x00_async_tm_cmd(struct tmf_arg *arg) + { +- struct scsi_qla_host *vha = fcport->vha; ++ struct scsi_qla_host *vha = arg->vha; + struct srb_iocb *tm_iocb; + srb_t *sp; ++ unsigned long flags; + int rval = QLA_FUNCTION_FAILED; + ++ fc_port_t *fcport = arg->fcport; ++ + /* ref: INIT */ +- sp = qla2x00_get_sp(vha, fcport, GFP_KERNEL); ++ sp = qla2xxx_get_qpair_sp(vha, arg->qpair, fcport, GFP_KERNEL); + if (!sp) + goto done; + +@@ -2043,15 +2045,15 @@ qla2x00_async_tm_cmd(fc_port_t *fcport, + + tm_iocb = &sp->u.iocb_cmd; + init_completion(&tm_iocb->u.tmf.comp); +- tm_iocb->u.tmf.flags = flags; +- tm_iocb->u.tmf.lun = lun; ++ tm_iocb->u.tmf.flags = arg->flags; ++ tm_iocb->u.tmf.lun = arg->lun; + ++ rval = qla2x00_start_sp(sp); + ql_dbg(ql_dbg_taskm, vha, 0x802f, +- "Async-tmf hdl=%x loop-id=%x portid=%02x%02x%02x.\n", ++ "Async-tmf hdl=%x loop-id=%x portid=%02x%02x%02x ctrl=%x.\n", + sp->handle, fcport->loop_id, fcport->d_id.b.domain, +- fcport->d_id.b.area, fcport->d_id.b.al_pa); ++ fcport->d_id.b.area, fcport->d_id.b.al_pa, arg->flags); + +- rval = qla2x00_start_sp(sp); + if (rval != QLA_SUCCESS) + goto done_free_sp; + wait_for_completion(&tm_iocb->u.tmf.comp); +@@ -2065,12 +2067,14 @@ qla2x00_async_tm_cmd(fc_port_t *fcport, + + if (!test_bit(UNLOADING, &vha->dpc_flags) && !IS_QLAFX00(vha->hw)) { + flags = tm_iocb->u.tmf.flags; +- lun = (uint16_t)tm_iocb->u.tmf.lun; ++ if (flags & (TCF_LUN_RESET|TCF_ABORT_TASK_SET| ++ TCF_CLEAR_TASK_SET|TCF_CLEAR_ACA)) ++ flags = MK_SYNC_ID_LUN; ++ else ++ flags = MK_SYNC_ID; + +- /* Issue Marker IOCB */ +- qla2x00_marker(vha, vha->hw->base_qpair, +- fcport->loop_id, lun, +- flags == TCF_LUN_RESET ? 
MK_SYNC_ID_LUN : MK_SYNC_ID); ++ qla2x00_marker(vha, sp->qpair, ++ sp->fcport->loop_id, arg->lun, flags); + } + + done_free_sp: +@@ -2080,6 +2084,41 @@ done: + return rval; + } + ++int ++qla2x00_async_tm_cmd(fc_port_t *fcport, uint32_t flags, uint64_t lun, ++ uint32_t tag) ++{ ++ struct scsi_qla_host *vha = fcport->vha; ++ struct qla_qpair *qpair; ++ struct tmf_arg a; ++ struct completion comp; ++ int i, rval; ++ ++ init_completion(&comp); ++ a.vha = fcport->vha; ++ a.fcport = fcport; ++ a.lun = lun; ++ ++ if (vha->hw->mqenable) { ++ for (i = 0; i < vha->hw->num_qpairs; i++) { ++ qpair = vha->hw->queue_pair_map[i]; ++ if (!qpair) ++ continue; ++ a.qpair = qpair; ++ a.flags = flags|TCF_NOTMCMD_TO_TARGET; ++ rval = __qla2x00_async_tm_cmd(&a); ++ if (rval) ++ break; ++ } ++ } ++ ++ a.qpair = vha->hw->base_qpair; ++ a.flags = flags; ++ rval = __qla2x00_async_tm_cmd(&a); ++ ++ return rval; ++} ++ + int + qla24xx_async_abort_command(srb_t *sp) + { +--- a/drivers/scsi/qla2xxx/qla_iocb.c ++++ b/drivers/scsi/qla2xxx/qla_iocb.c +@@ -2541,7 +2541,7 @@ qla24xx_tm_iocb(srb_t *sp, struct tsk_mg + scsi_qla_host_t *vha = fcport->vha; + struct qla_hw_data *ha = vha->hw; + struct srb_iocb *iocb = &sp->u.iocb_cmd; +- struct req_que *req = vha->req; ++ struct req_que *req = sp->qpair->req; + + flags = iocb->u.tmf.flags; + lun = iocb->u.tmf.lun; +@@ -2557,7 +2557,8 @@ qla24xx_tm_iocb(srb_t *sp, struct tsk_mg + tsk->port_id[2] = fcport->d_id.b.domain; + tsk->vp_index = fcport->vha->vp_idx; + +- if (flags == TCF_LUN_RESET) { ++ if (flags & (TCF_LUN_RESET | TCF_ABORT_TASK_SET| ++ TCF_CLEAR_TASK_SET|TCF_CLEAR_ACA)) { + int_to_scsilun(lun, &tsk->lun); + host_to_fcp_swap((uint8_t *)&tsk->lun, + sizeof(tsk->lun)); diff --git a/queue-6.4/scsi-qla2xxx-pointer-may-be-dereferenced.patch b/queue-6.4/scsi-qla2xxx-pointer-may-be-dereferenced.patch new file mode 100644 index 00000000000..823a0f601ae --- /dev/null +++ b/queue-6.4/scsi-qla2xxx-pointer-may-be-dereferenced.patch 
@@ -0,0 +1,36 @@
+From 00eca15319d9ce8c31cdf22f32a3467775423df4 Mon Sep 17 00:00:00 2001
+From: Shreyas Deodhar
+Date: Wed, 7 Jun 2023 17:08:41 +0530
+Subject: scsi: qla2xxx: Pointer may be dereferenced
+
+From: Shreyas Deodhar
+
+commit 00eca15319d9ce8c31cdf22f32a3467775423df4 upstream.
+
+Klocwork tool reported pointer 'rport' returned from call to function
+fc_bsg_to_rport() may be NULL and will be dereferenced.
+
+Add a fix to validate rport before dereferencing.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Shreyas Deodhar
+Signed-off-by: Nilesh Javali
+Link: https://lore.kernel.org/r/20230607113843.37185-7-njavali@marvell.com
+Reviewed-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_bsg.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/scsi/qla2xxx/qla_bsg.c
++++ b/drivers/scsi/qla2xxx/qla_bsg.c
+@@ -2996,6 +2996,8 @@ qla24xx_bsg_request(struct bsg_job *bsg_
+ 
+ if (bsg_request->msgcode == FC_BSG_RPT_ELS) {
+ rport = fc_bsg_to_rport(bsg_job);
++ if (!rport)
++ return ret;
+ host = rport_to_shost(rport);
+ vha = shost_priv(host);
+ } else {
diff --git a/queue-6.4/scsi-qla2xxx-remove-unused-nvme_ls_waitq-wait-queue.patch b/queue-6.4/scsi-qla2xxx-remove-unused-nvme_ls_waitq-wait-queue.patch
new file mode 100644
index 00000000000..249584ee933
--- /dev/null
+++ b/queue-6.4/scsi-qla2xxx-remove-unused-nvme_ls_waitq-wait-queue.patch
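Review bot: The added early return hands back whatever `ret` holds at that point, and its initialiser is outside the hunk; if it were 0 the request would be reported as accepted without ever being completed, so an explicit `return -EINVAL;` (or whatever code this function uses for malformed requests) makes the error path self-contained. A one-line comment on why rport can be NULL here would also help, since the check sits under a msgcode test rather than a device-type test; presumably it covers an RPT_ELS msgcode arriving on a bsg device that is not an rport. qla24xx_bsg_request starts and ends outside the hunk.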
@@ -0,0 +1,91 @@ +From 20fce500b232b970e40312a9c97e7f3b6d7a709c Mon Sep 17 00:00:00 2001 +From: Manish Rangankar +Date: Thu, 15 Jun 2023 13:16:33 +0530 +Subject: scsi: qla2xxx: Remove unused nvme_ls_waitq wait queue + +From: Manish Rangankar + +commit 20fce500b232b970e40312a9c97e7f3b6d7a709c upstream. + +System crash when qla2x00_start_sp(sp) returns error code EGAIN and wake_up +gets called for uninitialized wait queue sp->nvme_ls_waitq. + + qla2xxx [0000:37:00.1]-2121:5: Returning existing qpair of ffff8ae2c0513400 for idx=0 + qla2xxx [0000:37:00.1]-700e:5: qla2x00_start_sp failed = 11 + BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 + PGD 0 P4D 0 + Oops: 0000 [#1] SMP NOPTI + Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021 + Workqueue: nvme-wq nvme_fc_connect_ctrl_work [nvme_fc] + RIP: 0010:__wake_up_common+0x4c/0x190 + RSP: 0018:ffff95f3e0cb7cd0 EFLAGS: 00010086 + RAX: 0000000000000000 RBX: ffff8b08d3b26328 RCX: 0000000000000000 + RDX: 0000000000000001 RSI: 0000000000000003 RDI: ffff8b08d3b26320 + RBP: 0000000000000001 R08: 0000000000000000 R09: ffffffffffffffe8 + R10: 0000000000000000 R11: ffff95f3e0cb7a60 R12: ffff95f3e0cb7d20 + R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000000000 + FS: 0000000000000000(0000) GS:ffff8b2fdf6c0000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000000 CR3: 0000002f1e410002 CR4: 00000000007706e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + PKRU: 55555554 + Call Trace: + __wake_up_common_lock+0x7c/0xc0 + qla_nvme_ls_req+0x355/0x4c0 [qla2xxx] + ? __nvme_fc_send_ls_req+0x260/0x380 [nvme_fc] + ? nvme_fc_send_ls_req.constprop.42+0x1a/0x45 [nvme_fc] + ? nvme_fc_connect_ctrl_work.cold.63+0x1e3/0xa7d [nvme_fc] + +Remove unused nvme_ls_waitq wait queue. 
nvme_ls_waitq logic was removed +previously in the commits tagged Fixed: below. + +Fixes: 219d27d7147e ("scsi: qla2xxx: Fix race conditions in the code for aborting SCSI commands") +Fixes: 5621b0dd7453 ("scsi: qla2xxx: Simpify unregistration of FC-NVMe local/remote ports") +Cc: stable@vger.kernel.org +Signed-off-by: Manish Rangankar +Signed-off-by: Nilesh Javali +Link: https://lore.kernel.org/r/20230615074633.12721-1-njavali@marvell.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_def.h | 1 - + drivers/scsi/qla2xxx/qla_nvme.c | 3 --- + 2 files changed, 4 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_def.h ++++ b/drivers/scsi/qla2xxx/qla_def.h +@@ -703,7 +703,6 @@ typedef struct srb { + struct iocb_resource iores; + struct kref cmd_kref; /* need to migrate ref_count over to this */ + void *priv; +- wait_queue_head_t nvme_ls_waitq; + struct fc_port *fcport; + struct scsi_qla_host *vha; + unsigned int start_timer:1; +--- a/drivers/scsi/qla2xxx/qla_nvme.c ++++ b/drivers/scsi/qla2xxx/qla_nvme.c +@@ -360,7 +360,6 @@ static int qla_nvme_ls_req(struct nvme_f + if (rval != QLA_SUCCESS) { + ql_log(ql_log_warn, vha, 0x700e, + "qla2x00_start_sp failed = %d\n", rval); +- wake_up(&sp->nvme_ls_waitq); + sp->priv = NULL; + priv->sp = NULL; + qla2x00_rel_sp(sp); +@@ -652,7 +651,6 @@ static int qla_nvme_post_cmd(struct nvme + if (!sp) + return -EBUSY; + +- init_waitqueue_head(&sp->nvme_ls_waitq); + kref_init(&sp->cmd_kref); + spin_lock_init(&priv->cmd_lock); + sp->priv = priv; +@@ -671,7 +669,6 @@ static int qla_nvme_post_cmd(struct nvme + if (rval != QLA_SUCCESS) { + ql_log(ql_log_warn, vha, 0x212d, + "qla2x00_start_nvme_mq failed = %d\n", rval); +- wake_up(&sp->nvme_ls_waitq); + sp->priv = NULL; + priv->sp = NULL; + qla2xxx_rel_qpair_sp(sp->qpair, sp); 
diff --git a/queue-6.4/scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch b/queue-6.4/scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch new file mode 100644 index 00000000000..1dcf7283ffc --- /dev/null +++ b/queue-6.4/scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch 
@@ -0,0 +1,71 @@ +From fc0cba0c7be8261a1625098bd1d695077ec621c9 Mon Sep 17 00:00:00 2001 +From: Quinn Tran +Date: Fri, 28 Apr 2023 00:53:38 -0700 +Subject: scsi: qla2xxx: Wait for io return on terminate rport + +From: Quinn Tran + +commit fc0cba0c7be8261a1625098bd1d695077ec621c9 upstream. + +System crash due to use after free. +Current code allows terminate_rport_io to exit before making +sure all IOs has returned. For FCP-2 device, IO's can hang +on in HW because driver has not tear down the session in FW at +first sign of cable pull. When dev_loss_tmo timer pops, +terminate_rport_io is called and upper layer is about to +free various resources. Terminate_rport_io trigger qla to do +the final cleanup, but the cleanup might not be fast enough where it +leave qla still holding on to the same resource. + +Wait for IO's to return to upper layer before resources are freed. + +Cc: stable@vger.kernel.org +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Link: https://lore.kernel.org/r/20230428075339.32551-7-njavali@marvell.com +Reviewed-by: Himanshu Madhani +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_attr.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/drivers/scsi/qla2xxx/qla_attr.c ++++ b/drivers/scsi/qla2xxx/qla_attr.c +@@ -2750,6 +2750,7 @@ static void + qla2x00_terminate_rport_io(struct fc_rport *rport) + { + fc_port_t *fcport = *(fc_port_t **)rport->dd_data; ++ scsi_qla_host_t *vha; + + if (!fcport) + return; +@@ -2759,9 +2760,12 @@ qla2x00_terminate_rport_io(struct fc_rpo + + if (test_bit(ABORT_ISP_ACTIVE, &fcport->vha->dpc_flags)) + return; ++ vha = fcport->vha; + + if (unlikely(pci_channel_offline(fcport->vha->hw->pdev))) { + qla2x00_abort_all_cmds(fcport->vha, DID_NO_CONNECT << 16); ++ qla2x00_eh_wait_for_pending_commands(fcport->vha, fcport->d_id.b24, ++ 0, WAIT_TARGET); + return; + } + /* +@@ -2786,6 +2790,15 @@ qla2x00_terminate_rport_io(struct fc_rpo + qla2x00_port_logout(fcport->vha, fcport); + } + } ++ ++ /* check for any straggling io left behind */ ++ if (qla2x00_eh_wait_for_pending_commands(fcport->vha, fcport->d_id.b24, 0, WAIT_TARGET)) { ++ ql_log(ql_log_warn, vha, 0x300b, ++ "IO not return. Resetting. \n"); ++ set_bit(ISP_ABORT_NEEDED, &vha->dpc_flags); ++ qla2xxx_wake_dpc(vha); ++ qla2x00_wait_for_chip_reset(vha); ++ } + } + + static int diff --git a/queue-6.4/selftests-mptcp-connect-fail-if-nft-supposed-to-work.patch b/queue-6.4/selftests-mptcp-connect-fail-if-nft-supposed-to-work.patch new file mode 100644 index 00000000000..fa9b8e97635 --- /dev/null +++ b/queue-6.4/selftests-mptcp-connect-fail-if-nft-supposed-to-work.patch 
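Review bot: In the pci_channel_offline branch the result of the added qla2x00_eh_wait_for_pending_commands() call is dropped, while the same call at the end of the function treats a non-zero return as outstanding I/O and forces an ISP reset; on an offline channel a reset is not an option, but the timeout should at least be logged so the use-after-free the commit describes is not silently left open on that path. The new `vha` local is assigned on the line before that branch yet the branch still goes through `fcport->vha`; use `vha` consistently. The log text `"IO not return. Resetting. \n"` has a stray space before the newline and reads awkwardly — `"IO not returned, resetting ISP.\n"`. Waiting for a full chip reset from terminate_rport_io also blocks the caller for the whole reset; if that is the transport's dev_loss work context (not visible here) a comment saying the wait is intentional would help the next reader.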
@@ -0,0 +1,54 @@ +From 221e4550454a822f9a11834e30694c7d1d65747c Mon Sep 17 00:00:00 2001 +From: Matthieu Baerts +Date: Tue, 4 Jul 2023 22:44:35 +0200 +Subject: selftests: mptcp: connect: fail if nft supposed to work + +From: Matthieu Baerts + +commit 221e4550454a822f9a11834e30694c7d1d65747c upstream. + +In case of "external" errors when preparing the environment for the +TProxy tests, the subtests were marked as skipped. + +This is fine but it means these errors are ignored. On MPTCP Public CI, +we do want to catch such issues and mark the selftest as failed if there +are such issues. We can then use mptcp_lib_fail_if_expected_feature() +helper that has been recently added to fail if needed. + +Link: https://github.com/multipath-tcp/mptcp_net-next/issues/368 +Fixes: 5fb62e9cd3ad ("selftests: mptcp: add tproxy test case") +Cc: stable@vger.kernel.org +Acked-by: Paolo Abeni +Signed-off-by: Matthieu Baerts +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/mptcp_connect.sh | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/tools/testing/selftests/net/mptcp/mptcp_connect.sh ++++ b/tools/testing/selftests/net/mptcp/mptcp_connect.sh +@@ -718,6 +718,7 @@ table inet mangle { + EOF + if [ $? -ne 0 ]; then + echo "SKIP: $msg, could not load nft ruleset" ++ mptcp_lib_fail_if_expected_feature "nft rules" + return + fi + +@@ -733,6 +734,7 @@ EOF + if [ $? -ne 0 ]; then + ip netns exec "$listener_ns" nft flush ruleset + echo "SKIP: $msg, ip $r6flag rule failed" ++ mptcp_lib_fail_if_expected_feature "ip rule" + return + fi + +@@ -741,6 +743,7 @@ EOF + ip netns exec "$listener_ns" nft flush ruleset + ip -net "$listener_ns" $r6flag rule del fwmark 1 lookup 100 + echo "SKIP: $msg, ip route add local $local_addr failed" ++ mptcp_lib_fail_if_expected_feature "ip route" + return + fi + 
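Review bot: Each of the three error branches still prints `SKIP: …` before calling mptcp_lib_fail_if_expected_feature, so when the helper escalates the skip into a failure (its behaviour is not in the hunk, but that is what the description says it does) the log line for a failed test reads SKIP. Either let the helper own the wording, or print a neutral message, e.g. `echo "$msg, could not load nft ruleset"`, and leave the SKIP/FAIL verdict to it. The enclosing function starts and ends outside the hunks.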
diff --git a/queue-6.4/selftests-mptcp-depend-on-syn_cookies.patch b/queue-6.4/selftests-mptcp-depend-on-syn_cookies.patch new file mode 100644 index 00000000000..c443063f0e3 --- /dev/null +++ b/queue-6.4/selftests-mptcp-depend-on-syn_cookies.patch @@ -0,0 +1,40 @@ +From 6c8880fcaa5c45355179b759c1d11737775e31fc Mon Sep 17 00:00:00 2001 +From: Matthieu Baerts +Date: Tue, 4 Jul 2023 22:44:40 +0200 +Subject: selftests: mptcp: depend on SYN_COOKIES + +From: Matthieu Baerts + +commit 6c8880fcaa5c45355179b759c1d11737775e31fc upstream. + +MPTCP selftests are using TCP SYN Cookies for quite a while now, since +v5.9. + +Some CIs don't have this config option enabled and this is causing +issues in the tests: + + # ns1 MPTCP -> ns1 (10.0.1.1:10000 ) MPTCP (duration 167ms) sysctl: cannot stat /proc/sys/net/ipv4/tcp_syncookies: No such file or directory + # [ OK ]./mptcp_connect.sh: line 554: [: -eq: unary operator expected + +There is no impact in the results but the test is not doing what it is +supposed to do. + +Fixes: fed61c4b584c ("selftests: mptcp: make 2nd net namespace use tcp syn cookies unconditionally") +Cc: stable@vger.kernel.org +Signed-off-by: Matthieu Baerts +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/config | 1 + + 1 file changed, 1 insertion(+) + +--- a/tools/testing/selftests/net/mptcp/config ++++ b/tools/testing/selftests/net/mptcp/config +@@ -6,6 +6,7 @@ CONFIG_INET_DIAG=m + CONFIG_INET_MPTCP_DIAG=m + CONFIG_VETH=y + CONFIG_NET_SCH_NETEM=m ++CONFIG_SYN_COOKIES=y + CONFIG_NETFILTER=y + CONFIG_NETFILTER_ADVANCED=y + CONFIG_NETFILTER_NETLINK=m diff --git a/queue-6.4/selftests-mptcp-pm_nl_ctl-fix-32-bit-support.patch b/queue-6.4/selftests-mptcp-pm_nl_ctl-fix-32-bit-support.patch new file mode 100644 index 00000000000..ab7d44f0046 --- /dev/null +++ b/queue-6.4/selftests-mptcp-pm_nl_ctl-fix-32-bit-support.patch 
@@ -0,0 +1,85 @@ +From 61d9658050260dbcbf9055479b7ac5bbbe1e8831 Mon Sep 17 00:00:00 2001 +From: Matthieu Baerts +Date: Tue, 4 Jul 2023 22:44:41 +0200 +Subject: selftests: mptcp: pm_nl_ctl: fix 32-bit support + +From: Matthieu Baerts + +commit 61d9658050260dbcbf9055479b7ac5bbbe1e8831 upstream. + +When using pm_nl_ctl to validate userspace path-manager's behaviours, it +was failing on 32-bit architectures ~half of the time. + +pm_nl_ctl was not reporting any error but the command was not doing what +it was expected to do. As a result, the expected linked event was not +triggered after and the test failed. + +This is due to the fact the token given in argument to the application +was parsed as an integer with atoi(): in a 32-bit arch, if the number +was bigger than INT_MAX, 2147483647 was used instead. + +This can simply be fixed by using strtoul() instead of atoi(). + +The errors have been seen "by chance" when manually looking at the +results from LKFT. + +Fixes: 9a0b36509df0 ("selftests: mptcp: support MPTCP_PM_CMD_ANNOUNCE") +Cc: stable@vger.kernel.org +Fixes: ecd2a77d672f ("selftests: mptcp: support MPTCP_PM_CMD_REMOVE") +Fixes: cf8d0a6dfd64 ("selftests: mptcp: support MPTCP_PM_CMD_SUBFLOW_CREATE") +Fixes: 57cc361b8d38 ("selftests: mptcp: support MPTCP_PM_CMD_SUBFLOW_DESTROY") +Fixes: ca188a25d43f ("selftests: mptcp: userspace PM support for MP_PRIO signals") +Signed-off-by: Matthieu Baerts +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/pm_nl_ctl.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/tools/testing/selftests/net/mptcp/pm_nl_ctl.c ++++ b/tools/testing/selftests/net/mptcp/pm_nl_ctl.c +@@ -425,7 +425,7 @@ int dsf(int fd, int pm_family, int argc, + } + + /* token */ +- token = atoi(params[4]); ++ token = strtoul(params[4], NULL, 10); + rta = (void *)(data + off); + rta->rta_type = MPTCP_PM_ATTR_TOKEN; + rta->rta_len = RTA_LENGTH(4); +@@ -551,7 +551,7 @@ int csf(int fd, int pm_family, int argc, + } + + /* token */ +- token = atoi(params[4]); ++ token = strtoul(params[4], NULL, 10); + rta = (void *)(data + off); + rta->rta_type = MPTCP_PM_ATTR_TOKEN; + rta->rta_len = RTA_LENGTH(4); +@@ -598,7 +598,7 @@ int remove_addr(int fd, int pm_family, i + if (++arg >= argc) + error(1, 0, " missing token value"); + +- token = atoi(argv[arg]); ++ token = strtoul(argv[arg], NULL, 10); + rta = (void *)(data + off); + rta->rta_type = MPTCP_PM_ATTR_TOKEN; + rta->rta_len = RTA_LENGTH(4); +@@ -710,7 +710,7 @@ int announce_addr(int fd, int pm_family, + if (++arg >= argc) + error(1, 0, " missing token value"); + +- token = atoi(argv[arg]); ++ token = strtoul(argv[arg], NULL, 10); + } else + error(1, 0, "unknown keyword %s", argv[arg]); + } +@@ -1347,7 +1347,7 @@ int set_flags(int fd, int pm_family, int + error(1, 0, " missing token value"); + + /* token */ +- token = atoi(argv[arg]); ++ token = strtoul(argv[arg], NULL, 10); + } else if (!strcmp(argv[arg], "flags")) { + char *tok, *str; + diff --git a/queue-6.4/selftests-mptcp-sockopt-return-error-if-wrong-mark.patch b/queue-6.4/selftests-mptcp-sockopt-return-error-if-wrong-mark.patch new file mode 100644 index 00000000000..9237eca3575 --- /dev/null +++ b/queue-6.4/selftests-mptcp-sockopt-return-error-if-wrong-mark.patch 
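Review bot: Switching the five `token = atoi(...)` sites to `strtoul(..., NULL, 10)` fixes the INT_MAX clamp but still accepts garbage silently: "abc" yields 0, trailing junk is ignored, and an out-of-range value is clamped to ULONG_MAX with ERANGE unchecked; on 64-bit the unsigned long is then presumably narrowed into the 4-byte token attribute (`RTA_LENGTH(4)`), so an over-large value is truncated rather than rejected. Since the same parse is repeated five times, a small checked helper is the cleaner fix, calling the file's existing `error(1, 0, ...)` on bad input; it needs errno.h and stdint.h if they are not already included. The functions dsf, csf, remove_addr, announce_addr and set_flags all start and end outside the hunks.
```c
/* Parse a decimal MPTCP token; reject garbage and values that do not fit the u32 attribute. */
static u_int32_t parse_token(const char *str)
{
	char *end;
	unsigned long val;

	errno = 0;
	val = strtoul(str, &end, 10);
	if (errno || end == str || *end || val > UINT32_MAX)
		error(1, 0, "invalid token '%s'", str);
	return val;
}

/* … unchanged: each call site becomes … */
	token = parse_token(params[4]);
```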
@@ -0,0 +1,55 @@ +From 9ac4c28eb70cd5ea5472a5e1c495dcdd597d4597 Mon Sep 17 00:00:00 2001 +From: Matthieu Baerts +Date: Tue, 4 Jul 2023 22:44:37 +0200 +Subject: selftests: mptcp: sockopt: return error if wrong mark + +From: Matthieu Baerts + +commit 9ac4c28eb70cd5ea5472a5e1c495dcdd597d4597 upstream. + +When an error was detected when checking the marks, a message was +correctly printed mentioning the error but followed by another one +saying everything was OK and the selftest was not marked as failed as +expected. + +Now the 'ret' variable is directly set to 1 in order to make sure the +exit is done with an error, similar to what is done in other functions. +While at it, the error is correctly propagated to the caller. + +Link: https://github.com/multipath-tcp/mptcp_net-next/issues/368 +Fixes: dc65fe82fb07 ("selftests: mptcp: add packet mark test case") +Cc: stable@vger.kernel.org +Acked-by: Paolo Abeni +Signed-off-by: Matthieu Baerts +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/mptcp_sockopt.sh | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/tools/testing/selftests/net/mptcp/mptcp_sockopt.sh ++++ b/tools/testing/selftests/net/mptcp/mptcp_sockopt.sh +@@ -128,6 +128,7 @@ check_mark() + for v in $values; do + if [ $v -ne 0 ]; then + echo "FAIL: got $tables $values in ns $ns , not 0 - not all expected packets marked" 1>&2 ++ ret=1 + return 1 + fi + done +@@ -227,11 +228,11 @@ do_transfer() + fi + + if [ $local_addr = "::" ];then +- check_mark $listener_ns 6 +- check_mark $connector_ns 6 ++ check_mark $listener_ns 6 || retc=1 ++ check_mark $connector_ns 6 || retc=1 + else +- check_mark $listener_ns 4 +- check_mark $connector_ns 4 ++ check_mark $listener_ns 4 || retc=1 ++ check_mark $connector_ns 4 || retc=1 + fi + + check_transfer $cin $sout "file received by server" 
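Review bot: check_mark now both sets the global `ret=1` and returns 1, and every caller additionally does `|| retc=1`, so the same failure is recorded in two variables; unless `ret` and `retc` feed different exit paths (their definitions are outside the hunk) one of the two is redundant and the other should be the single source of truth. check_mark's body continues beyond the first hunk and do_transfer starts before the second.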
diff --git a/queue-6.4/selftests-mptcp-sockopt-use-iptables-legacy-if-available.patch b/queue-6.4/selftests-mptcp-sockopt-use-iptables-legacy-if-available.patch new file mode 100644 index 00000000000..65796016fbf --- /dev/null +++ b/queue-6.4/selftests-mptcp-sockopt-use-iptables-legacy-if-available.patch 
@@ -0,0 +1,83 @@ +From a5a5990c099dd354e05e89ee77cd2dbf6655d4a1 Mon Sep 17 00:00:00 2001 +From: Matthieu Baerts +Date: Tue, 4 Jul 2023 22:44:36 +0200 +Subject: selftests: mptcp: sockopt: use 'iptables-legacy' if available + +From: Matthieu Baerts + +commit a5a5990c099dd354e05e89ee77cd2dbf6655d4a1 upstream. + +IPTables commands using 'iptables-nft' fail on old kernels, at least +on v5.15 because it doesn't see the default IPTables chains: + + $ iptables -L + iptables/1.8.2 Failed to initialize nft: Protocol not supported + +As a first step before switching to NFTables, we can use iptables-legacy +if available. + +Link: https://github.com/multipath-tcp/mptcp_net-next/issues/368 +Fixes: dc65fe82fb07 ("selftests: mptcp: add packet mark test case") +Cc: stable@vger.kernel.org +Acked-by: Paolo Abeni +Signed-off-by: Matthieu Baerts +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/mptcp_sockopt.sh | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +--- a/tools/testing/selftests/net/mptcp/mptcp_sockopt.sh ++++ b/tools/testing/selftests/net/mptcp/mptcp_sockopt.sh +@@ -12,6 +12,8 @@ ksft_skip=4 + timeout_poll=30 + timeout_test=$((timeout_poll * 2 + 1)) + mptcp_connect="" ++iptables="iptables" ++ip6tables="ip6tables" + + sec=$(date +%s) + rndh=$(printf %x $sec)-$(mktemp -u XXXXXX) +@@ -25,7 +27,7 @@ add_mark_rules() + local m=$2 + + local t +- for t in iptables ip6tables; do ++ for t in ${iptables} ${ip6tables}; do + # just to debug: check we have multiple subflows connection requests + ip netns exec $ns $t -A OUTPUT -p tcp --syn -m mark --mark $m -j ACCEPT + +@@ -95,14 +97,14 @@ if [ $? -ne 0 ];then + exit $ksft_skip + fi + +-iptables -V > /dev/null 2>&1 +-if [ $? -ne 0 ];then ++# Use the legacy version if available to support old kernel versions ++if iptables-legacy -V &> /dev/null; then ++ iptables="iptables-legacy" ++ ip6tables="ip6tables-legacy" ++elif ! 
iptables -V &> /dev/null; then + echo "SKIP: Could not run all tests without iptables tool" + exit $ksft_skip +-fi +- +-ip6tables -V > /dev/null 2>&1 +-if [ $? -ne 0 ];then ++elif ! ip6tables -V &> /dev/null; then + echo "SKIP: Could not run all tests without ip6tables tool" + exit $ksft_skip + fi +@@ -112,10 +114,10 @@ check_mark() + local ns=$1 + local af=$2 + +- local tables=iptables ++ local tables=${iptables} + + if [ $af -eq 6 ];then +- tables=ip6tables ++ tables=${ip6tables} + fi + + local counters values diff --git a/queue-6.4/selftests-mptcp-userspace_pm-report-errors-with-remove-tests.patch b/queue-6.4/selftests-mptcp-userspace_pm-report-errors-with-remove-tests.patch new file mode 100644 index 00000000000..c0d59d83381 --- /dev/null +++ b/queue-6.4/selftests-mptcp-userspace_pm-report-errors-with-remove-tests.patch 
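Review bot: The new branch assumes ip6tables-legacy exists whenever iptables-legacy does and never probes it, so on a host with only the v4 legacy binary the v6 tests fail later with a command-not-found instead of the SKIP the v4 path gets. Probe both before committing to the legacy pair: `if iptables-legacy -V &> /dev/null && ip6tables-legacy -V &> /dev/null; then`. `&>` is a bash-ism, which is fine if the script's shebang (outside the hunk) is bash.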
@@ -0,0 +1,44 @@ +From 966c6c3adfb1257ea8a839cdfad2b74092cc5532 Mon Sep 17 00:00:00 2001 +From: Matthieu Baerts +Date: Tue, 4 Jul 2023 22:44:39 +0200 +Subject: selftests: mptcp: userspace_pm: report errors with 'remove' tests + +From: Matthieu Baerts + +commit 966c6c3adfb1257ea8a839cdfad2b74092cc5532 upstream. + +A message was mentioning an issue with the "remove" tests but the +selftest was not marked as failed. + +Directly exit with an error like it is done everywhere else in this +selftest. + +Link: https://github.com/multipath-tcp/mptcp_net-next/issues/368 +Fixes: 259a834fadda ("selftests: mptcp: functional tests for the userspace PM type") +Cc: stable@vger.kernel.org +Acked-by: Paolo Abeni +Signed-off-by: Matthieu Baerts +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/userspace_pm.sh | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/tools/testing/selftests/net/mptcp/userspace_pm.sh ++++ b/tools/testing/selftests/net/mptcp/userspace_pm.sh +@@ -423,6 +423,7 @@ test_remove() + stdbuf -o0 -e0 printf "[OK]\n" + else + stdbuf -o0 -e0 printf "[FAIL]\n" ++ exit 1 + fi + + # RM_ADDR using an invalid addr id should result in no action +@@ -437,6 +438,7 @@ test_remove() + stdbuf -o0 -e0 printf "[OK]\n" + else + stdbuf -o0 -e0 printf "[FAIL]\n" ++ exit 1 + fi + + # RM_ADDR from the client to server machine diff --git a/queue-6.4/selftests-mptcp-userspace_pm-use-correct-server-port.patch b/queue-6.4/selftests-mptcp-userspace_pm-use-correct-server-port.patch new file mode 100644 index 00000000000..e93368f2a9a --- /dev/null +++ b/queue-6.4/selftests-mptcp-userspace_pm-use-correct-server-port.patch 
@@ -0,0 +1,36 @@
+From d8566d0e03922217f70d9be2d401fcb860986374 Mon Sep 17 00:00:00 2001
+From: Matthieu Baerts
+Date: Tue, 4 Jul 2023 22:44:38 +0200
+Subject: selftests: mptcp: userspace_pm: use correct server port
+
+From: Matthieu Baerts
+
+commit d8566d0e03922217f70d9be2d401fcb860986374 upstream.
+
+"server4_port" variable is not set but "app4_port" is the server port in
+v4 and the correct variable name to use.
+
+The port is optional so there was no visible impact.
+
+Link: https://github.com/multipath-tcp/mptcp_net-next/issues/368
+Fixes: ca188a25d43f ("selftests: mptcp: userspace PM support for MP_PRIO signals")
+Cc: stable@vger.kernel.org
+Acked-by: Paolo Abeni
+Signed-off-by: Matthieu Baerts
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/net/mptcp/userspace_pm.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/net/mptcp/userspace_pm.sh
++++ b/tools/testing/selftests/net/mptcp/userspace_pm.sh
+@@ -848,7 +848,7 @@ test_prio()
+ local count
+ 
+ # Send MP_PRIO signal from client to server machine
+- ip netns exec "$ns2" ./pm_nl_ctl set 10.0.1.2 port "$client4_port" flags backup token "$client4_token" rip 10.0.1.1 rport "$server4_port"
++ ip netns exec "$ns2" ./pm_nl_ctl set 10.0.1.2 port "$client4_port" flags backup token "$client4_token" rip 10.0.1.1 rport "$app4_port"
+ sleep 0.5
+ 
+ # Check TX
diff --git a/queue-6.4/series b/queue-6.4/series
index 292d5873947..7c61efef026 100644
--- a/queue-6.4/series
+++ b/queue-6.4/series
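Review bot: The bug fixed here is an unset variable silently expanding to an empty string, and the one-word fix does nothing to catch the next such typo. Writing `rport "${app4_port:?}"` on this line makes a missing value an immediate error, and `set -u` near the top of the script would do the same for every reference if the rest of the script tolerates it. test_prio continues outside the hunk.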
@@ -253,3 +253,36 @@ pwm-meson-modify-and-simplify-calculation-in-meson_pwm_get_state.patch pwm-meson-fix-handling-of-period-duty-if-greater-than-uint_max.patch accel-ivpu-fix-vpu-register-access-in-irq-disable.patch accel-ivpu-clear-specific-interrupt-status-bits-on-c0.patch +fprobe-release-rethook-after-the-ftrace_ops-is-unregistered.patch +fprobe-ensure-running-fprobe_exit_handler-finished-before-calling-rethook_free.patch +tracing-fix-null-pointer-dereference-in-tracing_err_log_open.patch +mptcp-do-not-rely-on-implicit-state-check-in-mptcp_listen.patch +mptcp-ensure-subflow-is-unhashed-before-cleaning-the-backlog.patch +selftests-mptcp-sockopt-use-iptables-legacy-if-available.patch +selftests-mptcp-connect-fail-if-nft-supposed-to-work.patch +selftests-mptcp-sockopt-return-error-if-wrong-mark.patch +selftests-mptcp-userspace_pm-use-correct-server-port.patch +selftests-mptcp-userspace_pm-report-errors-with-remove-tests.patch +selftests-mptcp-depend-on-syn_cookies.patch +selftests-mptcp-pm_nl_ctl-fix-32-bit-support.patch +smb-client-fix-wstringop-overflow-issues.patch +tracing-probes-fix-to-avoid-double-count-of-the-string-length-on-the-array.patch +tracing-probes-fix-not-to-count-error-code-to-total-length.patch +tracing-probes-fix-to-update-dynamic-data-counter-if-fetcharg-uses-it.patch +revert-tracing-add-fault-name-injection-to-kernel-probes.patch +tracing-probes-fix-to-record-0-length-data_loc-in-fetch_store_string-if-fails.patch +tracing-user_events-fix-struct-arg-size-match-check.patch +scsi-qla2xxx-multi-que-support-for-tmf.patch +scsi-qla2xxx-fix-task-management-cmd-failure.patch +scsi-qla2xxx-fix-task-management-cmd-fail-due-to-unavailable-resource.patch +scsi-qla2xxx-fix-hang-in-task-management.patch +scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch +scsi-qla2xxx-fix-mem-access-after-free.patch +scsi-qla2xxx-array-index-may-go-out-of-bound.patch +scsi-qla2xxx-avoid-fcport-pointer-dereference.patch +scsi-qla2xxx-fix-buffer-overrun.patch 
+scsi-qla2xxx-fix-potential-null-pointer-dereference.patch +scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch +scsi-qla2xxx-correct-the-index-of-array.patch +scsi-qla2xxx-pointer-may-be-dereferenced.patch +scsi-qla2xxx-remove-unused-nvme_ls_waitq-wait-queue.patch diff --git a/queue-6.4/smb-client-fix-wstringop-overflow-issues.patch b/queue-6.4/smb-client-fix-wstringop-overflow-issues.patch new file mode 100644 index 00000000000..0d43a8ca59a --- /dev/null +++ b/queue-6.4/smb-client-fix-wstringop-overflow-issues.patch 
@@ -0,0 +1,83 @@ +From f1f047bd7ce0d73788e04ac02268060a565f7ecb Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Tue, 11 Jul 2023 17:12:31 -0600 +Subject: smb: client: Fix -Wstringop-overflow issues + +From: Gustavo A. R. Silva + +commit f1f047bd7ce0d73788e04ac02268060a565f7ecb upstream. + +pSMB->hdr.Protocol is an array of size 4 bytes, hence when the compiler +analyzes this line of code + + parm_data = ((char *) &pSMB->hdr.Protocol) + offset; + +it legitimately complains about the fact that offset points outside the +bounds of the array. Notice that the compiler gives priority to the object +as an array, rather than merely the address of one more byte in a structure +to wich offset should be added (which seems to be the actual intention of +the original implementation). + +Fix this by explicitly instructing the compiler to treat the code as a +sequence of bytes in struct smb_com_transaction2_spi_req, and not as an +array accessed through pointer notation. + +Notice that ((char *)pSMB) + sizeof(pSMB->hdr.smb_buf_length) points to +the same address as ((char *) &pSMB->hdr.Protocol), therefore this results +in no differences in binary output. 
+ +Fixes the following -Wstringop-overflow warnings when built s390 +architecture with defconfig (GCC 13): + CC [M] fs/smb/client/cifssmb.o +In function 'cifs_init_ace', + inlined from 'posix_acl_to_cifs' at fs/smb/client/cifssmb.c:3046:3, + inlined from 'cifs_do_set_acl' at fs/smb/client/cifssmb.c:3191:15: +fs/smb/client/cifssmb.c:2987:31: warning: writing 1 byte into a region of size 0 [-Wstringop-overflow=] + 2987 | cifs_ace->cifs_e_perm = local_ace->e_perm; + | ~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~ +In file included from fs/smb/client/cifssmb.c:27: +fs/smb/client/cifspdu.h: In function 'cifs_do_set_acl': +fs/smb/client/cifspdu.h:384:14: note: at offset [7, 11] into destination object 'Protocol' of size 4 + 384 | __u8 Protocol[4]; + | ^~~~~~~~ +In function 'cifs_init_ace', + inlined from 'posix_acl_to_cifs' at fs/smb/client/cifssmb.c:3046:3, + inlined from 'cifs_do_set_acl' at fs/smb/client/cifssmb.c:3191:15: +fs/smb/client/cifssmb.c:2988:30: warning: writing 1 byte into a region of size 0 [-Wstringop-overflow=] + 2988 | cifs_ace->cifs_e_tag = local_ace->e_tag; + | ~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~ +fs/smb/client/cifspdu.h: In function 'cifs_do_set_acl': +fs/smb/client/cifspdu.h:384:14: note: at offset [6, 10] into destination object 'Protocol' of size 4 + 384 | __u8 Protocol[4]; + | ^~~~~~~~ + +This helps with the ongoing efforts to globally enable +-Wstringop-overflow. + +Link: https://github.com/KSPP/linux/issues/310 +Fixes: dc1af4c4b472 ("cifs: implement set acl method") +Cc: stable@vger.kernel.org +Signed-off-by: Gustavo A. R. 
Silva +Reviewed-by: Kees Cook +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/cifssmb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/smb/client/cifssmb.c b/fs/smb/client/cifssmb.c +index 19f7385abeec..9dee267f1893 100644 +--- a/fs/smb/client/cifssmb.c ++++ b/fs/smb/client/cifssmb.c +@@ -3184,7 +3184,7 @@ setAclRetry: + param_offset = offsetof(struct smb_com_transaction2_spi_req, + InformationLevel) - 4; + offset = param_offset + params; +- parm_data = ((char *) &pSMB->hdr.Protocol) + offset; ++ parm_data = ((char *)pSMB) + sizeof(pSMB->hdr.smb_buf_length) + offset; + pSMB->ParameterOffset = cpu_to_le16(param_offset); + + /* convert to on the wire format for POSIX ACL */ +-- +2.41.0 + diff --git a/queue-6.4/tracing-fix-null-pointer-dereference-in-tracing_err_log_open.patch b/queue-6.4/tracing-fix-null-pointer-dereference-in-tracing_err_log_open.patch new file mode 100644 index 00000000000..58a32b5bf0a --- /dev/null +++ b/queue-6.4/tracing-fix-null-pointer-dereference-in-tracing_err_log_open.patch 
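Review bot: The replacement `((char *)pSMB) + sizeof(pSMB->hdr.smb_buf_length) + offset` is only equivalent to the old `&pSMB->hdr.Protocol` because Protocol sits immediately after smb_buf_length in the header, as the description explains; nothing in the code enforces that, so a later reordering of the header would silently shift every parameter write. Pin it next to the assignment with `BUILD_BUG_ON(offsetof(struct smb_com_transaction2_spi_req, hdr.Protocol) != sizeof(pSMB->hdr.smb_buf_length));`, or at least a comment saying why the arithmetic starts at smb_buf_length. Note that the pointer still addresses memory past the declared struct; the change silences the warning rather than bounding the write, and whether the ACL data stays inside the allocated SMB buffer is decided by code outside the hunk (the function starts before it).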
@@ -0,0 +1,61 @@
+From 02b0095e2fbbc060560c1065f86a211d91e27b26 Mon Sep 17 00:00:00 2001
+From: Mateusz Stachyra
+Date: Tue, 4 Jul 2023 12:27:06 +0200
+Subject: tracing: Fix null pointer dereference in tracing_err_log_open()
+
+From: Mateusz Stachyra
+
+commit 02b0095e2fbbc060560c1065f86a211d91e27b26 upstream.
+
+Fix an issue in function 'tracing_err_log_open'.
+The function doesn't call 'seq_open' if the file is opened only with
+write permissions, which results in 'file->private_data' being left as null.
+If we then use 'lseek' on that opened file, 'seq_lseek' dereferences
+'file->private_data' in 'mutex_lock(&m->lock)', resulting in a kernel panic.
+Writing to this node requires root privileges, therefore this bug
+has very little security impact.
+
+Tracefs node: /sys/kernel/tracing/error_log
+
+Example Kernel panic:
+
+Unable to handle kernel NULL pointer dereference at virtual address 0000000000000038
+Call trace:
+ mutex_lock+0x30/0x110
+ seq_lseek+0x34/0xb8
+ __arm64_sys_lseek+0x6c/0xb8
+ invoke_syscall+0x58/0x13c
+ el0_svc_common+0xc4/0x10c
+ do_el0_svc+0x24/0x98
+ el0_svc+0x24/0x88
+ el0t_64_sync_handler+0x84/0xe4
+ el0t_64_sync+0x1b4/0x1b8
+Code: d503201f aa0803e0 aa1f03e1 aa0103e9 (c8e97d02)
+---[ end trace 561d1b49c12cf8a5 ]---
+Kernel panic - not syncing: Oops: Fatal exception
+
+Link: https://lore.kernel.org/linux-trace-kernel/20230703155237eucms1p4dfb6a19caa14c79eb6c823d127b39024@eucms1p4
+Link: https://lore.kernel.org/linux-trace-kernel/20230704102706eucms1p30d7ecdcc287f46ad67679fc8491b2e0f@eucms1p3
+
+Cc: stable@vger.kernel.org
+Fixes: 8a062902be725 ("tracing: Add tracing error log")
+Signed-off-by: Mateusz Stachyra
+Suggested-by: Steven Rostedt
+Acked-by: Masami Hiramatsu (Google)
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/trace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -8136,7 +8136,7 @@ static const struct file_operations trac
+ .open = tracing_err_log_open,
+ .write = tracing_err_log_write,
+ .read = seq_read,
+- .llseek = seq_lseek,
++ .llseek = tracing_lseek,
+ .release = tracing_err_log_release,
+ };
+
diff --git a/queue-6.4/tracing-probes-fix-not-to-count-error-code-to-total-length.patch b/queue-6.4/tracing-probes-fix-not-to-count-error-code-to-total-length.patch
new file mode 100644
index 00000000000..89f7566b999
--- /dev/null
+++ b/queue-6.4/tracing-probes-fix-not-to-count-error-code-to-total-length.patch
@@ -0,0 +1,38 @@
+From b41326b5e0f82e93592c4366359917b5d67b529f Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)"
+Date: Tue, 11 Jul 2023 23:15:38 +0900
+Subject: tracing/probes: Fix not to count error code to total length
+
+From: Masami Hiramatsu (Google)
+
+commit b41326b5e0f82e93592c4366359917b5d67b529f upstream.
+
+Fix not to count the error code (which is minus value) to the total
+used length of array, because it can mess up the return code of
+process_fetch_insn_bottom(). Also clear the 'ret' value because it
+will be used for calculating next data_loc entry.
+
+Link: https://lore.kernel.org/all/168908493827.123124.2175257289106364229.stgit@devnote2/
+
+Reported-by: Dan Carpenter
+Closes: https://lore.kernel.org/all/8819b154-2ba1-43c3-98a2-cbde20892023@moroto.mountain/
+Fixes: 9b960a38835f ("tracing: probeevent: Unify fetch_insn processing common part")
+Cc: stable@vger.kernel.org
+Signed-off-by: Masami Hiramatsu (Google)
+Reviewed-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/trace_probe_tmpl.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/trace/trace_probe_tmpl.h
++++ b/kernel/trace/trace_probe_tmpl.h
+@@ -204,6 +204,8 @@ stage3:
+ array:
+ /* the last stage: Loop on array */
+ if (code->op == FETCH_OP_LP_ARRAY) {
++ if (ret < 0)
++ ret = 0;
+ total += ret;
+ if (++i < code->param) {
+ code = s3;
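Review bot: The replacement `.llseek = tracing_lseek` removes the NULL `file->private_data` dereference by routing seeks through a helper that tolerates a write-only open, but nothing at the line says so, and a reader of this `file_operations` table (which begins above the hunk) will see `seq_read` paired with a non-`seq_lseek` and wonder why. I would annotate it: `.llseek = tracing_lseek, /* O_WRONLY opens skip seq_open(); seq_lseek() would deref NULL private_data */`. The underlying asymmetry in `tracing_err_log_open()` — no `seq_open()` for write-only opens — is left in place by this change and deserves a matching comment there, outside this hunk.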
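Review bot: The clamp `if (ret < 0) ret = 0;` ahead of `total += ret;` silently drops a failed element fetch so the array loop keeps going, and the zeroed `ret` is then reused as the length feeding the next data_loc; that is the intended behaviour per the description, but the code itself gives no hint and reads like an accidental error swallow. A one-line comment spares the next reader the trip to the commit log: `/* a failed fetch contributes 0 to total and to the next element's data_loc */`. The enclosing function starts above the hunk and ends below it.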
diff --git a/queue-6.4/tracing-probes-fix-to-avoid-double-count-of-the-string-length-on-the-array.patch b/queue-6.4/tracing-probes-fix-to-avoid-double-count-of-the-string-length-on-the-array.patch
new file mode 100644
index 00000000000..9badd28fa5e
--- /dev/null
+++ b/queue-6.4/tracing-probes-fix-to-avoid-double-count-of-the-string-length-on-the-array.patch
@@ -0,0 +1,43 @@
+From 66bcf65d6cf0ca6540e2341e88ee7ef02dbdda08 Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)"
+Date: Tue, 11 Jul 2023 23:15:29 +0900
+Subject: tracing/probes: Fix to avoid double count of the string length on the array
+
+From: Masami Hiramatsu (Google)
+
+commit 66bcf65d6cf0ca6540e2341e88ee7ef02dbdda08 upstream.
+
+If an array is specified with the ustring or symstr, the length of the
+strings are accumlated on both of 'ret' and 'total', which means the
+length is double counted.
+Just set the length to the 'ret' value for avoiding double counting.
+
+Link: https://lore.kernel.org/all/168908492917.123124.15076463491122036025.stgit@devnote2/
+
+Reported-by: Dan Carpenter
+Closes: https://lore.kernel.org/all/8819b154-2ba1-43c3-98a2-cbde20892023@moroto.mountain/
+Fixes: 88903c464321 ("tracing/probe: Add ustring type for user-space string")
+Cc: stable@vger.kernel.org
+Signed-off-by: Masami Hiramatsu (Google)
+Reviewed-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/trace_probe_tmpl.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/trace/trace_probe_tmpl.h
++++ b/kernel/trace/trace_probe_tmpl.h
+@@ -156,11 +156,11 @@ stage3:
+ code++;
+ goto array;
+ case FETCH_OP_ST_USTRING:
+- ret += fetch_store_strlen_user(val + code->offset);
++ ret = fetch_store_strlen_user(val + code->offset);
+ code++;
+ goto array;
+ case FETCH_OP_ST_SYMSTR:
+- ret += fetch_store_symstrlen(val + code->offset);
++ ret = fetch_store_symstrlen(val + code->offset);
+ code++;
+ goto array;
+ default:
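Review bot: Turning `+=` into `=` in the `FETCH_OP_ST_USTRING` and `FETCH_OP_ST_SYMSTR` cases makes `ret` carry only the current element's length, with accumulation left to the `array:` stage; the case just above these two (its `code++; goto array;` is the hunk's first context) lies outside the hunk and presumably already assigns rather than adds — worth confirming so the three string-length cases stay consistent. Since the old `+=` read as deliberate, the invariant deserves to be stated once at the head of these cases: `/* ret holds this element's length only; total is accumulated at array: */`. The enclosing `switch` and function start above the hunk.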
diff --git a/queue-6.4/tracing-probes-fix-to-record-0-length-data_loc-in-fetch_store_string-if-fails.patch b/queue-6.4/tracing-probes-fix-to-record-0-length-data_loc-in-fetch_store_string-if-fails.patch
new file mode 100644
index 00000000000..8609e0f4b05
--- /dev/null
+++ b/queue-6.4/tracing-probes-fix-to-record-0-length-data_loc-in-fetch_store_string-if-fails.patch
@@ -0,0 +1,99 @@
+From 797311bce5c2ac90b8d65e357603cfd410d36ebb Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)"
+Date: Tue, 11 Jul 2023 23:16:07 +0900
+Subject: tracing/probes: Fix to record 0-length data_loc in fetch_store_string*() if fails
+
+From: Masami Hiramatsu (Google)
+
+commit 797311bce5c2ac90b8d65e357603cfd410d36ebb upstream.
+
+Fix to record 0-length data to data_loc in fetch_store_string*() if it fails
+to get the string data.
+Currently those expect that the data_loc is updated by store_trace_args() if
+it returns the error code. However, that does not work correctly if the
+argument is an array of strings. In that case, store_trace_args() only clears
+the first entry of the array (which may have no error) and leaves other
+entries. So it should be cleared by fetch_store_string*() itself.
+Also, 'dyndata' and 'maxlen' in store_trace_args() should be updated
+only if it is used (ret > 0 and argument is a dynamic data.)
+
+Link: https://lore.kernel.org/all/168908496683.123124.4761206188794205601.stgit@devnote2/
+
+Fixes: 40b53b771806 ("tracing: probeevent: Add array type support")
+Cc: stable@vger.kernel.org
+Reviewed-by: Steven Rostedt (Google)
+Signed-off-by: Masami Hiramatsu (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/trace_probe_kernel.h | 13 +++++++++----
+ kernel/trace/trace_probe_tmpl.h | 10 +++-------
+ kernel/trace/trace_uprobe.c | 3 ++-
+ 3 files changed, 14 insertions(+), 12 deletions(-)
+
+--- a/kernel/trace/trace_probe_kernel.h
++++ b/kernel/trace/trace_probe_kernel.h
+@@ -37,6 +37,13 @@ fetch_store_strlen(unsigned long addr)
+ return (ret < 0) ? ret : len;
+ }
+
++static nokprobe_inline void set_data_loc(int ret, void *dest, void *__dest, void *base)
++{
++ if (ret < 0)
++ ret = 0;
++ *(u32 *)dest = make_data_loc(ret, __dest - base);
++}
++
+ /*
+ * Fetch a null-terminated string from user. Caller MUST set *(u32 *)buf
+ * with max length and relative data location.
+@@ -55,8 +62,7 @@ fetch_store_string_user(unsigned long ad
+ __dest = get_loc_data(dest, base);
+
+ ret = strncpy_from_user_nofault(__dest, uaddr, maxlen);
+- if (ret >= 0)
+- *(u32 *)dest = make_data_loc(ret, __dest - base);
++ set_data_loc(ret, dest, __dest, base);
+
+ return ret;
+ }
+@@ -87,8 +93,7 @@ fetch_store_string(unsigned long addr, v
+ * probing.
+ */
+ ret = strncpy_from_kernel_nofault(__dest, (void *)addr, maxlen);
+- if (ret >= 0)
+- *(u32 *)dest = make_data_loc(ret, __dest - base);
++ set_data_loc(ret, dest, __dest, base);
+
+ return ret;
+ }
+--- a/kernel/trace/trace_probe_tmpl.h
++++ b/kernel/trace/trace_probe_tmpl.h
+@@ -267,13 +267,9 @@ store_trace_args(void *data, struct trac
+ if (unlikely(arg->dynamic))
+ *dl = make_data_loc(maxlen, dyndata - base);
+ ret = process_fetch_insn(arg->code, rec, dl, base);
+- if (arg->dynamic) {
+- if (unlikely(ret < 0)) {
+- *dl = make_data_loc(0, dyndata - base);
+- } else {
+- dyndata += ret;
+- maxlen -= ret;
+- }
++ if (arg->dynamic && likely(ret > 0)) {
++ dyndata += ret;
++ maxlen -= ret;
+ }
+ }
+ }
+--- a/kernel/trace/trace_uprobe.c
++++ b/kernel/trace/trace_uprobe.c
+@@ -170,7 +170,8 @@ fetch_store_string(unsigned long addr, v
+ */
+ ret++;
+ *(u32 *)dest = make_data_loc(ret, (void *)dst - base);
+- }
++ } else
++ *(u32 *)dest = make_data_loc(0, (void *)dst - base);
+
+ return ret;
+ }
diff --git a/queue-6.4/tracing-probes-fix-to-update-dynamic-data-counter-if-fetcharg-uses-it.patch b/queue-6.4/tracing-probes-fix-to-update-dynamic-data-counter-if-fetcharg-uses-it.patch
new file mode 100644
index 00000000000..da22c6faa15
--- /dev/null
+++ b/queue-6.4/tracing-probes-fix-to-update-dynamic-data-counter-if-fetcharg-uses-it.patch
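Review bot: In the `trace_uprobe.c` hunk, `} else` followed by an unbraced statement goes against the kernel coding-style rule that when one branch of a conditional needs braces, both get them; write `} else {`, `*(u32 *)dest = make_data_loc(0, (void *)dst - base);`, `}`. The new `set_data_loc()` in `trace_probe_kernel.h` encodes exactly this "negative result is recorded as a 0-length data_loc" rule, so the uprobe copy duplicates it by hand; if that header is, or can be made, visible to `trace_uprobe.c`, reusing the helper would keep the two string fetchers from drifting apart again. `set_data_loc()` itself is added without a comment — a kernel-doc line such as `/* Record ret bytes at __dest (relative to base) in *dest; a negative ret is recorded as length 0. */` would make the contract explicit for callers. All three patched functions begin above their hunks.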
@@ -0,0 +1,48 @@
+From e38e2c6a9efc435f9de344b7c91f7697e01b47d5 Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)"
+Date: Tue, 11 Jul 2023 23:15:48 +0900
+Subject: tracing/probes: Fix to update dynamic data counter if fetcharg uses it
+
+From: Masami Hiramatsu (Google)
+
+commit e38e2c6a9efc435f9de344b7c91f7697e01b47d5 upstream.
+
+Fix to update dynamic data counter ('dyndata') and max length ('maxlen')
+only if the fetcharg uses the dynamic data. Also get out arg->dynamic
+from unlikely(). This makes dynamic data address wrong if
+process_fetch_insn() returns error on !arg->dynamic case.
+
+Link: https://lore.kernel.org/all/168908494781.123124.8160245359962103684.stgit@devnote2/
+
+Suggested-by: Steven Rostedt
+Link: https://lore.kernel.org/all/20230710233400.5aaf024e@gandalf.local.home/
+Fixes: 9178412ddf5a ("tracing: probeevent: Return consumed bytes of dynamic area")
+Cc: stable@vger.kernel.org
+Signed-off-by: Masami Hiramatsu (Google)
+Reviewed-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/trace_probe_tmpl.h | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/kernel/trace/trace_probe_tmpl.h
++++ b/kernel/trace/trace_probe_tmpl.h
+@@ -267,11 +267,13 @@ store_trace_args(void *data, struct trac
+ if (unlikely(arg->dynamic))
+ *dl = make_data_loc(maxlen, dyndata - base);
+ ret = process_fetch_insn(arg->code, rec, dl, base);
+- if (unlikely(ret < 0 && arg->dynamic)) {
+- *dl = make_data_loc(0, dyndata - base);
+- } else {
+- dyndata += ret;
+- maxlen -= ret;
++ if (arg->dynamic) {
++ if (unlikely(ret < 0)) {
++ *dl = make_data_loc(0, dyndata - base);
++ } else {
++ dyndata += ret;
++ maxlen -= ret;
++ }
+ }
+ }
+ }
diff --git a/queue-6.4/tracing-user_events-fix-struct-arg-size-match-check.patch b/queue-6.4/tracing-user_events-fix-struct-arg-size-match-check.patch
new file mode 100644
index 00000000000..4ee6ecc273c
--- /dev/null
+++ b/queue-6.4/tracing-user_events-fix-struct-arg-size-match-check.patch
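Review bot: The new `if (arg->dynamic) { ... }` nesting is the fix, but the reason a non-dynamic argument must never touch `dyndata`/`maxlen` — previously a negative `ret` from `process_fetch_insn()` on such an argument was added to the dynamic-area cursor — is stated only in the commit log. A comment on the outer `if`, `/* dyndata/maxlen track the dynamic area only; never apply a non-dynamic arg's ret to them */`, would stop a later cleanup from re-flattening the condition. The `unlikely()` now wraps only `ret < 0`, which matches the description; `store_trace_args()` begins above the hunk.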
@@ -0,0 +1,49 @@
+From d0a3022f30629a208e5944022caeca3568add9e7 Mon Sep 17 00:00:00 2001
+From: Beau Belgrave
+Date: Thu, 29 Jun 2023 23:50:48 +0000
+Subject: tracing/user_events: Fix struct arg size match check
+
+From: Beau Belgrave
+
+commit d0a3022f30629a208e5944022caeca3568add9e7 upstream.
+
+When users register an event the name of the event and it's argument are
+checked to ensure they match if the event already exists. Normally all
+arguments are in the form of "type name", except for when the type
+starts with "struct ". In those cases, the size of the struct is passed
+in addition to the name, IE: "struct my_struct a 20" for an argument
+that is of type "struct my_struct" with a field name of "a" and has the
+size of 20 bytes.
+
+The current code does not honor the above case properly when comparing
+a match. This causes the event register to fail even when the same
+string was used for events that contain a struct argument within them.
+The example above "struct my_struct a 20" generates a match string of
+"struct my_struct a" omitting the size field.
+
+Add the struct size of the existing field when generating a comparison
+string for a struct field to ensure proper match checking.
+
+Link: https://lkml.kernel.org/r/20230629235049.581-2-beaub@linux.microsoft.com
+
+Cc: stable@vger.kernel.org
+Fixes: e6f89a149872 ("tracing/user_events: Ensure user provided strings are safely formatted")
+Signed-off-by: Beau Belgrave
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/trace_events_user.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/kernel/trace/trace_events_user.c
++++ b/kernel/trace/trace_events_user.c
+@@ -1317,6 +1317,9 @@ static int user_field_set_string(struct
+ pos += snprintf(buf + pos, LEN_OR_ZERO, " ");
+ pos += snprintf(buf + pos, LEN_OR_ZERO, "%s", field->name);
+
++ if (str_has_prefix(field->type, "struct "))
++ pos += snprintf(buf + pos, LEN_OR_ZERO, " %d", field->size);
++
+ if (colon)
+ pos += snprintf(buf + pos, LEN_OR_ZERO, ";");
+
--
2.47.3
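Review bot: The added size suffix makes the comparison string mirror the `"struct <type> <name> <size>"` form that user space registers, but nothing in the function records that the two formats must stay byte-identical, which is exactly how the mismatch this commit fixes crept in. I would place `/* must reproduce the registration format "struct <type> <name> <size>" exactly */` above the new `if`. It is also worth confirming that `field->size` is an `int`, since `"%d"` is the chosen specifier and the field's type is not visible in the hunk. `user_field_set_string()` begins above the hunk.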