Bart Van Assche [Thu, 7 Nov 2019 21:55:25 +0000 (13:55 -0800)]
scsi: target: core: Fix a pr_debug() argument
Print the string for which conversion failed instead of printing the
function name twice.
Fixes: 2650d71e244f ("target: move transport ID handling to the core") Cc: Christoph Hellwig <hch@lst.de> Link: https://lore.kernel.org/r/20191107215525.64415-1-bvanassche@acm.org Signed-off-by: Bart Van Assche <bvanassche@acm.org> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Anatol Pomazau [Sat, 16 Nov 2019 00:47:35 +0000 (19:47 -0500)]
scsi: iscsi: Don't send data to unbound connection
If a faulty initiator fails to bind the socket to the iSCSI connection
before emitting a command, for instance, a subsequent send_pdu, it will
crash the kernel due to a null pointer dereference in sock_sendmsg(), as
shown in the log below. This patch makes sure the bind succeeded before
trying to use the socket.
Bart Van Assche [Wed, 13 Nov 2019 22:05:08 +0000 (14:05 -0800)]
scsi: target: iscsi: Wait for all commands to finish before freeing a session
The iSCSI target driver is the only target driver that does not wait for
ongoing commands to finish before freeing a session. Make the iSCSI target
driver wait for ongoing commands to finish before freeing a session. This
patch fixes the following KASAN complaint:
BUG: KASAN: use-after-free in __lock_acquire+0xb1a/0x2710
Read of size 8 at addr ffff8881154eca70 by task kworker/0:2/247
Memory state around the buggy address: ffff8881154ec900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8881154ec980: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8881154eca00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^ ffff8881154eca80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8881154ecb00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
Cc: Mike Christie <mchristi@redhat.com> Link: https://lore.kernel.org/r/20191113220508.198257-3-bvanassche@acm.org Reviewed-by: Roman Bolshakov <r.bolshakov@yadro.com> Signed-off-by: Bart Van Assche <bvanassche@acm.org> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Memory state around the buggy address: ffff88802ecd1700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88802ecd1780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88802ecd1800: fb fb fb fb fc fc fc fc fc fc fc fc fb fb fb fb
^ ffff88802ecd1880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88802ecd1900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Cc: Mike Christie <mchristi@redhat.com> Link: https://lore.kernel.org/r/20191113220508.198257-2-bvanassche@acm.org Reviewed-by: Roman Bolshakov <r.bolshakov@yadro.com> Signed-off-by: Bart Van Assche <bvanassche@acm.org> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Since it is nontrivial to derive the meaning of the size argument from the
code, add a documentation header above target_cmd_size_check().
Cc: Mike Christie <mchristi@redhat.com> Cc: Christoph Hellwig <hch@lst.de> Cc: Hannes Reinecke <hare@suse.de> Cc: Nicholas Bellinger <nab@linux-iscsi.org> Link: https://lore.kernel.org/r/20191107215458.64242-1-bvanassche@acm.org Signed-off-by: Bart Van Assche <bvanassche@acm.org> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Pan Bian [Wed, 6 Nov 2019 12:32:21 +0000 (20:32 +0800)]
scsi: bnx2i: fix potential use after free
The member hba->pcidev may be used after its reference is dropped. Move the
put function to where it is never used to avoid potential use after free
issues.
This patch was found to introduce a double free regression. The issue
it originally attempted to address was fixed in patch f45bca8c5052 ("scsi: qla2xxx: Fix double scsi_done for abort path").
Add a module parameter to inhibit disconnect/reselect for individual
targets. This gains compatibility with Aztec PowerMonster SCSI/SATA
adapters with buggy firmware. (No fix is available from the vendor.)
Apparently these adapters pass-through the product/vendor of the attached
SATA device. Since they can't be identified from the response to an INQUIRY
command, a device blacklist flag won't work.
Finn Thain [Sat, 16 Nov 2019 03:36:57 +0000 (14:36 +1100)]
scsi: NCR5380: Unconditionally clear ICR after do_abort()
When do_abort() succeeds, the target will go to BUS FREE phase and there
will be no connected command. Therefore, that function should clear the
Initiator Command Register before returning. It already does so in case of
NCR5380_poll_politely() failure; do the same for the other error case too,
that is, NCR5380_transfer_pio() failure.
Finn Thain [Sat, 16 Nov 2019 03:36:57 +0000 (14:36 +1100)]
scsi: NCR5380: Call scsi_set_resid() on command completion
Most NCR5380 drivers calculate the residual for every data transfer.
(A few drivers just set it to zero.) Pass this quantity back to the scsi
mid-layer on command completion.
James Smart [Sat, 16 Nov 2019 00:38:47 +0000 (16:38 -0800)]
scsi: lpfc: use hdwq assigned cpu for allocation
Looking at the recent conversion from smp_processor_id() to
raw_smp_processor_id(), realized that the allocation should be based on the
cpu the hdwq is bound to, not the executing cpu.
Revise to pull cpu number from the hdwq
Fixes: 765ab6cdac3b ("scsi: lpfc: Fix a kernel warning triggered by lpfc_get_sgl_per_hdwq()") Link: https://lore.kernel.org/r/20191116003847.6141-1-jsmart2021@gmail.com Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com> Signed-off-by: James Smart <jsmart2021@gmail.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Pan Bian [Tue, 5 Nov 2019 09:25:27 +0000 (17:25 +0800)]
scsi: qla4xxx: fix double free bug
The variable init_fw_cb is released twice, resulting in a double free
bug. The call to the function dma_free_coherent() before goto is removed to
get rid of potential double free.
Deepak Ukey [Thu, 14 Nov 2019 10:09:10 +0000 (15:39 +0530)]
scsi: pm80xx: Modified the logic to collect fatal dump
Added the correct method to collect the fatal dump.
Link: https://lore.kernel.org/r/20191114100910.6153-14-deepak.ukey@microchip.com Reported-by: kbuild test robot <lkp@intel.com> Acked-by: Jack Wang <jinpu.wang@cloud.ionos.com> Signed-off-by: Deepak Ukey <deepak.ukey@microchip.com> Signed-off-by: Viswas G <Viswas.G@microchip.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Vikram Auradkar [Thu, 14 Nov 2019 10:09:09 +0000 (15:39 +0530)]
scsi: pm80xx: Tie the interrupt name to the module instance
With MSI-x enabled, the interrupt instances are <prefix><index> where the
prefix is fixed for all module instances, making it a little harder to
track down what's what.
Link: https://lore.kernel.org/r/20191114100910.6153-13-deepak.ukey@microchip.com Acked-by: Jack Wang <jinpu.wang@cloud.ionos.com> Signed-off-by: Vikram Auradkar <auradkar@google.com> Signed-off-by: Deepak Ukey <deepak.ukey@microchip.com> Signed-off-by: Viswas G <Viswas.G@microchip.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Deepak Ukey [Thu, 14 Nov 2019 10:09:08 +0000 (15:39 +0530)]
scsi: pm80xx: Controller fatal error through sysfs
Added support to check controller fatal error through sysfs.
Link: https://lore.kernel.org/r/20191114100910.6153-12-deepak.ukey@microchip.com Acked-by: Jack Wang <jinpu.wang@cloud.ionos.com> Signed-off-by: Deepak Ukey <deepak.ukey@microchip.com> Signed-off-by: Viswas G <Viswas.G@microchip.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
peter chang [Thu, 14 Nov 2019 10:09:07 +0000 (15:39 +0530)]
scsi: pm80xx: Do not request 12G sas speeds
Occasionally, 6G capable drives fail to train at 6G on links that look good
from a signal-integrity perspective. PMC suggests configuring the port to
not even expect 12G.
Link: https://lore.kernel.org/r/20191114100910.6153-11-deepak.ukey@microchip.com Acked-by: Jack Wang <jinpu.wang@cloud.ionos.com> Signed-off-by: peter chang <dpf@google.com> Signed-off-by: Deepak Ukey <deepak.ukey@microchip.com> Signed-off-by: Viswas G <Viswas.G@microchip.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
peter chang [Thu, 14 Nov 2019 10:09:06 +0000 (15:39 +0530)]
scsi: pm80xx: Cleanup command when a reset times out
Added the fix so the if driver properly sent the abort it tries to remove
it from the firmware's list of outstanding commands regardless of the abort
status. This means that the task gets freed 'now' rather than possibly
getting freed later when the scsi layer thinks it's leaked but still valid.
Link: https://lore.kernel.org/r/20191114100910.6153-10-deepak.ukey@microchip.com Acked-by: Jack Wang <jinpu.wang@cloud.ionos.com> Signed-off-by: peter chang <dpf@google.com> Signed-off-by: Deepak Ukey <deepak.ukey@microchip.com> Signed-off-by: Viswas G <Viswas.G@microchip.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
peter chang [Thu, 14 Nov 2019 10:09:05 +0000 (15:39 +0530)]
scsi: pm80xx: Fix command issue sizing
The commands to the controller are sent in fixed sized chunks which are set
per-chip-generation and stashed in iomb_size. The driver fills in structs
matching the register layout and memcpy this to memory shared with the
controller. However, there are two problem cases:
1) Things like phy_start_req are too large because they share the
sas_identify_frame definition with libsas, and it includes the crc
word. This means that it's overwriting the start of the next
command block, that's ok except if it happens at the end of the
shared memory area.
2) Things like set_nvm_data_req which are shared between the HAL
layers. This means that it's sending 'random' data for things that
are in the reserved area. So far we haven't found a case where the
controller FW cares, but sending possible gibberish (for most of
the structures this is in the reserved area so previously zeroed)
is not recommended.
Link: https://lore.kernel.org/r/20191114100910.6153-9-deepak.ukey@microchip.com Acked-by: Jack Wang <jinpu.wang@cloud.ionos.com> Signed-off-by: peter chang <dpf@google.com> Signed-off-by: Deepak Ukey <deepak.ukey@microchip.com> Signed-off-by: Viswas G <Viswas.G@microchip.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Vikram Auradkar [Thu, 14 Nov 2019 10:09:04 +0000 (15:39 +0530)]
scsi: pm80xx: Fix dereferencing dangling pointer
sas_task structure should not be used after task_done is called. If the
device is gone or not attached, we call task_done on t and continue to use
in the sas_task in rest of the function. task_done is pointing to
sas_ata_task_done, may free the memory associated with the task before
returning.
Link: https://lore.kernel.org/r/20191114100910.6153-8-deepak.ukey@microchip.com Acked-by: Jack Wang <jinpu.wang@cloud.ionos.com> Signed-off-by: Vikram Auradkar <auradkar@google.com> Signed-off-by: Deepak Ukey <deepak.ukey@microchip.com> Signed-off-by: Viswas G <Viswas.G@microchip.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
ianyar [Thu, 14 Nov 2019 10:09:03 +0000 (15:39 +0530)]
scsi: pm80xx: Increase timeout for pm80xx mpi_uninit_check
The function mpi_uninit_check takes longer for inbound doorbell register to
be cleared. Increased the timeout substantially so that the driver does not
fail to load.
Link: https://lore.kernel.org/r/20191114100910.6153-7-deepak.ukey@microchip.com Acked-by: Jack Wang <jinpu.wang@cloud.ionos.com> Signed-off-by: ianyar <ianyar@google.com> Signed-off-by: Deepak Ukey <deepak.ukey@microchip.com> Signed-off-by: Viswas G <Viswas.G@microchip.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
peter chang [Thu, 14 Nov 2019 10:09:02 +0000 (15:39 +0530)]
scsi: pm80xx: Squashed logging cleanup changes
The default logging doesn't include the device name, so it's difficult to
determine which controller is being logged about in error scenarios. The
logging level was only settable via sysfs, which made it inconvenient for
actual debugging. This changes the default to only cover error handling.
Link: https://lore.kernel.org/r/20191114100910.6153-6-deepak.ukey@microchip.com Acked-by: Jack Wang <jinpu.wang@cloud.ionos.com> Signed-off-by: peter chang <dpf@google.com> Signed-off-by: Deepak Ukey <deepak.ukey@microchip.com> Signed-off-by: Viswas G <Viswas.G@microchip.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Vikram Auradkar [Thu, 14 Nov 2019 10:09:01 +0000 (15:39 +0530)]
scsi: pm80xx: Convert 'long' mdelay to msleep
For delays longer than 20ms [um]delay isn't recommended.
pm80xx_chip_soft_rst starts off with a 500ms delay before it even gets
around to checking for the results of the reset. As long as it's at least
500ms it doesn't matter what the scheduler is doing. The delay in the
pm8001_exec_internal_task_abort does nothing, and theory is this is a delay
to avoid a double-free.
Link: https://lore.kernel.org/r/20191114100910.6153-5-deepak.ukey@microchip.com Acked-by: Jack Wang <jinpu.wang@cloud.ionos.com> Signed-off-by: Vikram Auradkar <auradkar@google.com> Signed-off-by: Deepak Ukey <deepak.ukey@microchip.com> Signed-off-by: Viswas G <Viswas.G@microchip.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
John Sperbeck [Thu, 14 Nov 2019 10:09:00 +0000 (15:39 +0530)]
scsi: pm80xx: Initialize variable used as return status
In pm8001_task_exec(), if the PHY is down, then we return the current value
of 'rc'. We need to make sure it's initialized.
Link: https://lore.kernel.org/r/20191114100910.6153-4-deepak.ukey@microchip.com Acked-by: Jack Wang <jinpu.wang@cloud.ionos.com> Signed-off-by: John Sperbeck <jsperbeck@google.com> Signed-off-by: Deepak Ukey <deepak.ukey@microchip.com> Signed-off-by: Viswas G <Viswas.G@microchip.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
peter chang [Thu, 14 Nov 2019 10:08:59 +0000 (15:38 +0530)]
scsi: pm80xx: Make phy enable completion as NULL
After the completing the mpi_phy_start_resp, make phy enable completion as
NULL.
Link: https://lore.kernel.org/r/20191114100910.6153-3-deepak.ukey@microchip.com Acked-by: Jack Wang <jinpu.wang@cloud.ionos.com> Signed-off-by: peter chang <dpf@google.com> Signed-off-by: Deepak Ukey <deepak.ukey@microchip.com> Signed-off-by: Viswas G <Viswas.G@microchip.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
peter chang [Thu, 14 Nov 2019 10:08:58 +0000 (15:38 +0530)]
scsi: pm80xx: Fix for SATA device discovery
Driver was missing complete() call in mpi_sata_completion which result in
SATA abort error handling timing out. That causes the device to be left in
the in_recovery state so subsequent commands sent to the device fail and
the OS removes access to it.
Link: https://lore.kernel.org/r/20191114100910.6153-2-deepak.ukey@microchip.com Acked-by: Jack Wang <jinpu.wang@cloud.ionos.com> Signed-off-by: peter chang <dpf@google.com> Signed-off-by: Deepak Ukey <deepak.ukey@microchip.com> Signed-off-by: Viswas G <Viswas.G@microchip.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Subhash Jadavani [Fri, 15 Nov 2019 06:09:30 +0000 (22:09 -0800)]
scsi: ufs: Fix error handing during hibern8 enter
During clock gating (ufshcd_gate_work()), we first put the link hibern8 by
calling ufshcd_uic_hibern8_enter() and if ufshcd_uic_hibern8_enter()
returns success (0) then we gate all the clocks. Now let’s zoom in to what
ufshcd_uic_hibern8_enter() does internally: It calls
__ufshcd_uic_hibern8_enter() and if failure is encountered, link recovery
shall put the link back to the highest HS gear and returns success (0) to
ufshcd_uic_hibern8_enter() which is the issue as link is still in active
state due to recovery! Now ufshcd_uic_hibern8_enter() returns success to
ufshcd_gate_work() and hence it goes ahead with gating the UFS clock while
link is still in active state hence I believe controller would raise UIC
error interrupts. But when we service the interrupt, clocks might have
already been disabled!
This change fixes for this by returning failure from
__ufshcd_uic_hibern8_enter() if recovery succeeds as link is still not in
hibern8, upon receiving the error ufshcd_hibern8_enter() would initiate
retry to put the link state back into hibern8.
Link: https://lore.kernel.org/r/1573798172-20534-8-git-send-email-cang@codeaurora.org Reviewed-by: Avri Altman <avri.altman@wdc.com> Reviewed-by: Bean Huo <beanhuo@micron.com> Signed-off-by: Subhash Jadavani <subhashj@codeaurora.org> Signed-off-by: Can Guo <cang@codeaurora.org> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Can Guo [Fri, 15 Nov 2019 06:09:27 +0000 (22:09 -0800)]
scsi: ufs: Fix register dump caused sleep in atomic context
ufshcd_print_host_regs() can be called by interrupt handler, but it may
sleep due to ufshcd_dump_regs() allocates the dump buffer memory with flag
GFP_KERNEL. Fix it by changing GFP_KERNEL to GFP_ATMOIC.
Can Guo [Fri, 15 Nov 2019 06:09:26 +0000 (22:09 -0800)]
scsi: ufs: Fix up auto hibern8 enablement
Fix up possible unclocked register access to auto hibern8 register in
resume path and through sysfs entry. Meanwhile, enable auto hibern8 only
after device is fully initialized in probe path.
Kars de Jong [Tue, 12 Nov 2019 17:55:23 +0000 (18:55 +0100)]
scsi: zorro_esp: Limit DMA transfers to 65536 bytes (except on Fastlane)
When using this driver on a Blizzard 1260, there were failures whenever DMA
transfers from the SCSI bus to memory of 65535 bytes were followed by a DMA
transfer of 1 byte. This caused the byte at offset 65535 to be overwritten
with 0xff. The Blizzard hardware can't handle single byte DMA transfers.
Besides this issue, limiting the DMA length to something that is not a
multiple of the page size is very inefficient on most file systems.
It seems this limit was chosen because the DMA transfer counter of the ESP
by default is 16 bits wide, thus limiting the length to 65535 bytes.
However, the value 0 means 65536 bytes, which is handled by the ESP and the
Blizzard just fine. It is also the default maximum used by esp_scsi when
drivers don't provide their own dma_length_limit() function.
The limit of 65536 bytes can be used by all boards except the Fastlane. The
old driver used a limit of 65532 bytes (0xfffc), which is reintroduced in
this patch.
Fixes: b7ded0e8b0d1 ("scsi: zorro_esp: Limit DMA transfers to 65535 bytes") Link: https://lore.kernel.org/r/20191112175523.23145-1-jongk@linux-m68k.org Signed-off-by: Kars de Jong <jongk@linux-m68k.org> Reviewed-by: Finn Thain <fthain@telegraphics.com.au> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
YueHaibing [Tue, 29 Oct 2019 06:15:30 +0000 (06:15 +0000)]
scsi: csiostor: Remove set but not used variable 'rln'
Fixes gcc '-Wunused-but-set-variable' warning:
drivers/scsi/csiostor/csio_lnode.c: In function 'csio_ln_init':
drivers/scsi/csiostor/csio_lnode.c:1995:21: warning:
variable 'rln' set but not used [-Wunused-but-set-variable]
It is never used since introduction, so remove it.
Bean Huo [Tue, 12 Nov 2019 22:34:36 +0000 (23:34 +0100)]
scsi: ufs: fix potential bug which ends in system hang
In function __ufshcd_query_descriptor(), in the event of an error
happening, we directly goto out_unlock and forget to invaliate
hba->dev_cmd.query.descriptor pointer. This results in this pointer still
valid in ufshcd_copy_query_response() for other query requests which go
through ufshcd_exec_raw_upiu_cmd(). This will cause __memcpy() crash and
system hangs. Log as shown below:
Unable to handle kernel paging request at virtual address ffff000012233c40
Mem abort info:
ESR = 0x96000047
Exception class = DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
Data abort info:
ISV = 0, ISS = 0x00000047
CM = 0, WnR = 1
swapper pgtable: 4k pages, 48-bit VAs, pgdp = 0000000028cc735c
[ffff000012233c40] pgd=00000000bffff003, pud=00000000bfffe003,
pmd=00000000ba8b8003, pte=0000000000000000
Internal error: Oops: 96000047 [#2] PREEMPT SMP
...
Call trace:
__memcpy+0x74/0x180
ufshcd_issue_devman_upiu_cmd+0x250/0x3c0
ufshcd_exec_raw_upiu_cmd+0xfc/0x1a8
ufs_bsg_request+0x178/0x3b0
bsg_queue_rq+0xc0/0x118
blk_mq_dispatch_rq_list+0xb0/0x538
blk_mq_sched_dispatch_requests+0x18c/0x1d8
__blk_mq_run_hw_queue+0xb4/0x118
blk_mq_run_work_fn+0x28/0x38
process_one_work+0x1ec/0x470
worker_thread+0x48/0x458
kthread+0x130/0x138
ret_from_fork+0x10/0x1c
Code: 540000aba8c12027a88120c7a8c12027 (a88120c7)
---[ end trace 793e1eb5dff69f2d ]---
note: kworker/0:2H[2054] exited with preempt_count 1
This patch is to move "descriptor = NULL" down to below the label
"out_unlock".
Fixes: d44a5f98bb49b2(ufs: query descriptor API) Link: https://lore.kernel.org/r/20191112223436.27449-3-huobean@gmail.com Reviewed-by: Alim Akhtar <alim.akhtar@samsung.com> Reviewed-by: Bart Van Assche <bvanassche@acm.org> Signed-off-by: Bean Huo <beanhuo@micron.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Bean Huo [Tue, 12 Nov 2019 22:34:35 +0000 (23:34 +0100)]
scsi: ufs: print helpful hint when response size exceed buffer size
Print out returned response size and buffer size, while the front one is
bigger than the back one.
Link: https://lore.kernel.org/r/20191112223436.27449-2-huobean@gmail.com Reviewed-by: Alim Akhtar <alim.akhtar@samsung.com> Reviewed-by: Bart Van Assche <bvanassche@acm.org> Signed-off-by: Bean Huo <beanhuo@micron.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Xiang Chen [Tue, 12 Nov 2019 09:30:58 +0000 (17:30 +0800)]
scsi: hisi_sas: Relocate call to hisi_sas_debugfs_exit()
Currently we call function hisi_sas_debugfs_exit() to remove debugfs_dir
before freeing interrupt irqs and destroying workqueue in the driver remove
path.
If a dump is triggered before function hisi_sas_debugfs_exit() but
debugfs_work may be called after it, so it may refer to already removed
debugfs_dir which will cause NULL pointer dereference.
To avoid it, put function hisi_sas_debugfs_exit() after free_irqs and
destroy workqueue when removing hisi_sas driver.
Xiang Chen [Tue, 12 Nov 2019 09:30:57 +0000 (17:30 +0800)]
scsi: hisi_sas: Return directly if init hardware failed
Need to return directly if init hardware failed.
Fixes: 73a4925d154c ("scsi: hisi_sas: Update all the registers after suspend and resume") Link: https://lore.kernel.org/r/1573551059-107873-3-git-send-email-john.garry@huawei.com Signed-off-by: Xiang Chen <chenxiang66@hisilicon.com> Signed-off-by: John Garry <john.garry@huawei.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
James Smart [Mon, 11 Nov 2019 23:04:01 +0000 (15:04 -0800)]
scsi: lpfc: Update lpfc version to 12.6.0.2
Update lpfc version to 12.6.0.2
Link: https://lore.kernel.org/r/20191111230401.12958-7-jsmart2021@gmail.com Reviewed-by: Ewan D. Milne <emilne@redhat.com> Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com> Signed-off-by: James Smart <jsmart2021@gmail.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
James Smart [Mon, 11 Nov 2019 23:04:00 +0000 (15:04 -0800)]
scsi: lpfc: revise nvme max queues to be hdwq count
Driver is setting the initiator nvme template with a max hw queues value of
the present cpu count which is odd. It should be registering the number of
hdwq queues (queues created on the adapter).
Change to set nvme tempate, in all cases, to the number of hardware queues.
James Smart [Mon, 11 Nov 2019 23:03:59 +0000 (15:03 -0800)]
scsi: lpfc: Initialize cpu_map for not present cpus
Currently, cpu_map[cpu#]->hdwq is left to equal LPFC_VECTOR_MAP_EMPTY for
not present CPUs. If a CPU is dynamically hot-added, it is possible we may
crash due to not assigning an allocated hdwq.
Correct by assigning a hdwq at initialization for all not-present CPUs.
Fixes: dcaa21367938 ("scsi: lpfc: Change default IRQ model on AMD architectures") Link: https://lore.kernel.org/r/20191111230401.12958-5-jsmart2021@gmail.com Reviewed-by: Ewan D. Milne <emilne@redhat.com> Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com> Signed-off-by: James Smart <jsmart2021@gmail.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
James Smart [Mon, 11 Nov 2019 23:03:58 +0000 (15:03 -0800)]
scsi: lpfc: fix inlining of lpfc_sli4_cleanup_poll_list()
Compilation can fail due to having an inline function reference where the
function body is not present.
Fix by removing the inline tag.
Fixes: 93a4d6f40198 ("scsi: lpfc: Add registration for CPU Offline/Online events") Link: https://lore.kernel.org/r/20191111230401.12958-4-jsmart2021@gmail.com Reviewed-by: Ewan D. Milne <emilne@redhat.com> Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com> Signed-off-by: James Smart <jsmart2021@gmail.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
*** CID 101747: Null pointer dereferences (FORWARD_NULL)
/drivers/scsi/lpfc/lpfc_els.c: 4439 in lpfc_cmpl_els_rsp()
4433 kfree(mp);
4434 }
4435 mempool_free(mbox, phba->mbox_mem_pool);
4436 }
4437 out:
4438 if (ndlp && NLP_CHK_NODE_ACT(ndlp)) {
vvv CID 101747: Null pointer dereferences (FORWARD_NULL)
vvv Dereferencing null pointer "shost".
4439 spin_lock_irq(shost->host_lock);
4440 ndlp->nlp_flag &= ~(NLP_ACC_REGLOGIN | NLP_RM_DFLT_RPI);
4441 spin_unlock_irq(shost->host_lock);
4442
4443 /* If the node is not being used by another discovery thread,
4444 * and we are sending a reject, we are done with it.
Fix by adding a check for non-null shost in line 4438.
The scenario when shost is set to null is when ndlp is null.
As such, the ndlp check present was sufficient. But better safe
than sorry so add the shost check.
Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
Addresses-Coverity-ID: 101747 ("Null pointer dereferences") Fixes: 2e0fef85e098 ("[SCSI] lpfc: NPIV: split ports") CC: James Bottomley <James.Bottomley@SteelEye.com> CC: "Gustavo A. R. Silva" <gustavo@embeddedor.com> CC: linux-next@vger.kernel.org Link: https://lore.kernel.org/r/20191111230401.12958-3-jsmart2021@gmail.com Reviewed-by: Ewan D. Milne <emilne@redhat.com> Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com> Signed-off-by: James Smart <jsmart2021@gmail.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
*** CID 1487391: Null pointer dereferences (FORWARD_NULL)
/drivers/scsi/lpfc/lpfc_scsi.c: 614 in lpfc_get_scsi_buf_s3()
608 spin_unlock(&phba->scsi_buf_list_put_lock);
609 }
610 spin_unlock_irqrestore(&phba->scsi_buf_list_get_lock, iflag);
611
612 if (lpfc_ndlp_check_qdepth(phba, ndlp)) {
613 atomic_inc(&ndlp->cmd_pending);
vvv CID 1487391: Null pointer dereferences (FORWARD_NULL)
vvv Dereferencing null pointer "lpfc_cmd".
614 lpfc_cmd->flags |= LPFC_SBUF_BUMP_QDEPTH;
615 }
616 return lpfc_cmd;
617 }
618 /**
619 * lpfc_get_scsi_buf_s4 - Get a scsi buffer from io_buf_list of the HBA
Fix by checking lpfc_cmd to be non-NULL as part of line 612
Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
Addresses-Coverity-ID: 1487391 ("Null pointer dereferences") Fixes: 2a5b7d626ed2 ("scsi: lpfc: Limit tracking of tgt queue depth in fast path") CC: "Martin K. Petersen" <martin.petersen@oracle.com> CC: "Gustavo A. R. Silva" <gustavo@embeddedor.com> CC: linux-next@vger.kernel.org Link: https://lore.kernel.org/r/20191111230401.12958-2-jsmart2021@gmail.com Reviewed-by: Ewan D. Milne <emilne@redhat.com> Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com> Signed-off-by: James Smart <jsmart2021@gmail.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
scsi: ufs: Add driver for TI wrapper for Cadence UFS IP
TI's J721e SoC has a Cadence UFS IP with a TI specific wrapper. This is a
minimal driver to configure the wrapper. It releases the UFS slave device
out of reset and sets up registers to indicate PHY reference clock input
frequency before probing child Cadence UFS driver.
Link: https://lore.kernel.org/r/20191108164857.11466-3-vigneshr@ti.com Reviewed-by: Avri Altman <avri.altman@wdc.com> Reviewed-by: Alim Akhtar <alim.akhtar@samsung.com> Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Prevent recursion into the IO path under low memory conditions by using
GFP_NOIO in place of GFP_KERNEL when allocating a new command with
tcmu_alloc_cmd() and user ring space with tcmu_get_empty_block().
Link: https://lore.kernel.org/r/20191108082901.417950-1-damien.lemoal@wdc.com Reported-by: Masato Suzuki <masato.suzuki@wdc.com> Signed-off-by: Damien Le Moal <damien.lemoal@wdc.com> Acked-by: Mike Christie <mchristi@redhat.com> Reviewed-by: Bart Van Assche <bvanassche@acm.org> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Damien Le Moal [Wed, 30 Oct 2019 09:08:47 +0000 (18:08 +0900)]
scsi: core: Fix scsi_get/set_resid() interface
struct scsi_cmnd cmd->req.resid_len which is returned and set respectively
by the helper functions scsi_get_resid() and scsi_set_resid() is an
unsigned int. Reflect this fact in the interface of these helper functions.
Also fix compilation errors due to min() and max() type mismatch introduced
by this change in scsi debug code, usb transport code and in the USB ENE
card reader driver.
Fixes: dcaa21367938 ("scsi: lpfc: Change default IRQ model on AMD architectures") Link: https://lore.kernel.org/r/20191108225947.1395-1-jsmart2021@gmail.com Signed-off-by: Bart Van Assche <bvanassche@acm.org> Signed-off-by: James Smart <jsmart2021@gmail.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Possible unsafe locking scenario:
CPU0
----
lock(cpu_hotplug_lock.rw_sem);
lock(cpu_hotplug_lock.rw_sem);
*** DEADLOCK ***
May be due to missing lock nesting notation
2 locks held by systemd-udevd/130:
#0: ffff8880d53fe210 (&dev->mutex){....}, at: __device_driver_lock+0x4a/0x70
#1: ffffffff826b05d0 (cpu_hotplug_lock.rw_sem){++++}, at: lpfc_sli4_enable_intr+0x422/0xd50 [lpfc]
Fixes: dcaa21367938 ("scsi: lpfc: Change default IRQ model on AMD architectures") Link: https://lore.kernel.org/r/20191107052158.25788-4-bvanassche@acm.org Signed-off-by: Bart Van Assche <bvanassche@acm.org> Reviewed-by: James Smart <jsmart2021@gmail.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Bart Van Assche [Thu, 7 Nov 2019 05:21:54 +0000 (21:21 -0800)]
scsi: lpfc: Fix a kernel warning triggered by lpfc_get_sgl_per_hdwq()
Fix the following kernel bug report:
BUG: using smp_processor_id() in preemptible [00000000] code: systemd-udevd/954
Fixes: d79c9e9d4b3d ("scsi: lpfc: Support dynamic unbounded SGL lists on G7 hardware.") Link: https://lore.kernel.org/r/20191107052158.25788-2-bvanassche@acm.org Signed-off-by: Bart Van Assche <bvanassche@acm.org> Reviewed-by: James Smart <james.smart@broadcom.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Martin Wilck [Thu, 7 Nov 2019 22:48:57 +0000 (22:48 +0000)]
scsi: qla2xxx: don't use zero for FC4_PRIORITY_NVME
Avoid an uninitialized value (0) for ha->fc4_type_priority being falsely
interpreted as NVMe priority. Not strictly needed any more after the
previous patch, but makes the fc4_type_priority handling more explicit.
Link: https://lore.kernel.org/r/20191107224839.32417-3-martin.wilck@suse.com Tested-by: David Bond <dbond@suse.com> Acked-by: Himanshu Madhani <hmadhani@marvell.com> Reviewed-by: Bart Van Assche <bvanassche@acm.org> Signed-off-by: Martin Wilck <mwilck@suse.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Martin Wilck [Thu, 7 Nov 2019 22:48:55 +0000 (22:48 +0000)]
scsi: qla2xxx: initialize fc4_type_priority
ha->fc4_type_priority is currently initialized only in
qla81xx_nvram_config(). That makes it default to NVMe for other adapters.
Fix it.
Fixes: 84ed362ac40c ("scsi: qla2xxx: Dual FCP-NVMe target port support") Link: https://lore.kernel.org/r/20191107224839.32417-2-martin.wilck@suse.com Tested-by: David Bond <dbond@suse.com> Acked-by: Himanshu Madhani <hmadhani@marvell.com> Reviewed-by: Bart Van Assche <bvanassche@acm.org> Signed-off-by: Martin Wilck <mwilck@suse.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Quinn Tran [Tue, 5 Nov 2019 15:06:54 +0000 (07:06 -0800)]
scsi: qla2xxx: Fix double scsi_done for abort path
Current code assumes abort will remove the original command from the active
list where scsi_done will not be called. Instead, the eh_abort thread will
do the scsi_done. That is not the case. Instead, we have a double
scsi_done calls triggering use after free.
Abort will tell FW to release the command from FW possesion. The original
command will return to ULP with error in its normal fashion via scsi_done.
eh_abort path would wait for the original command completion before
returning. eh_abort path will not perform the scsi_done call.
Fixes: 219d27d7147e0 ("scsi: qla2xxx: Fix race conditions in the code for aborting SCSI commands") Cc: stable@vger.kernel.org # 5.2 Link: https://lore.kernel.org/r/20191105150657.8092-6-hmadhani@marvell.com Reviewed-by: Ewan D. Milne <emilne@redhat.com> Signed-off-by: Quinn Tran <qutran@marvell.com> Signed-off-by: Arun Easi <aeasi@marvell.com> Signed-off-by: Himanshu Madhani <hmadhani@marvell.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Quinn Tran [Tue, 5 Nov 2019 15:06:52 +0000 (07:06 -0800)]
scsi: qla2xxx: Fix SRB leak on switch command timeout
when GPSC/GPDB switch command fails, driver just returns without doing a
proper cleanup. This patch fixes this memory leak by calling sp->free() in
the error path.
Link: https://lore.kernel.org/r/20191105150657.8092-4-hmadhani@marvell.com Reviewed-by: Ewan D. Milne <emilne@redhat.com> Signed-off-by: Quinn Tran <qutran@marvell.com> Signed-off-by: Himanshu Madhani <hmadhani@marvell.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Quinn Tran [Tue, 5 Nov 2019 15:06:51 +0000 (07:06 -0800)]
scsi: qla2xxx: Do command completion on abort timeout
On switch, fabric and mgt command timeout, driver send Abort to tell FW to
return the original command. If abort is timeout, then return both Abort
and original command for cleanup.
Fixes: 219d27d7147e0 ("scsi: qla2xxx: Fix race conditions in the code for aborting SCSI commands") Cc: stable@vger.kernel.org # 5.2 Link: https://lore.kernel.org/r/20191105150657.8092-3-hmadhani@marvell.com Reviewed-by: Ewan D. Milne <emilne@redhat.com> Signed-off-by: Quinn Tran <qutran@marvell.com> Signed-off-by: Himanshu Madhani <hmadhani@marvell.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Quinn Tran [Tue, 5 Nov 2019 15:06:50 +0000 (07:06 -0800)]
scsi: qla2xxx: Retry PLOGI on FC-NVMe PRLI failure
Current code will send PRLI with FC-NVMe bit set for the targets which
support only FCP. This may result into issue with targets which do not
understand NVMe and will go into a strange state. This patch would restart
the login process by going back to PLOGI state. The PLOGI state will force
the target to respond to correct PRLI request.
Fixes: c76ae845ea836 ("scsi: qla2xxx: Add error handling for PLOGI ELS passthrough") Cc: stable@vger.kernel.org # 5.4 Link: https://lore.kernel.org/r/20191105150657.8092-2-hmadhani@marvell.com Reviewed-by: Ewan D. Milne <emilne@redhat.com> Signed-off-by: Quinn Tran <qutran@marvell.com> Signed-off-by: Himanshu Madhani <hmadhani@marvell.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
scsi: target: iscsi: rename some variables to avoid confusion.
This patch renames some variables in chap_server_compute_hash() to make it
harder to confuse the initiator's challenge with the target's challenge
when the mutual chap authentication is used.
scsi: target: iscsi: CHAP: add support for SHA1, SHA256 and SHA3-256
This patch modifies the chap_server_compute_hash() function to make it
agnostic to the choice of hash algorithm that is used. It also adds
support to three new hash algorithms: SHA1, SHA256 and SHA3-256.
The chap_got_response() function has been removed because the digest type
validity is already checked by chap_server_open()
Bart Van Assche [Tue, 5 Nov 2019 21:55:53 +0000 (13:55 -0800)]
scsi: tracing: Fix handling of TRANSFER LENGTH == 0 for READ(6) and WRITE(6)
According to SBC-2 a TRANSFER LENGTH field of zero means that 256 logical
blocks must be transferred. Make the SCSI tracing code follow SBC-2.
Fixes: bf8162354233 ("[SCSI] add scsi trace core functions and put trace points") Cc: Christoph Hellwig <hch@lst.de> Cc: Hannes Reinecke <hare@suse.com> Cc: Douglas Gilbert <dgilbert@interlog.com> Link: https://lore.kernel.org/r/20191105215553.185018-1-bvanassche@acm.org Signed-off-by: Bart Van Assche <bvanassche@acm.org> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
James Smart [Tue, 5 Nov 2019 00:57:07 +0000 (16:57 -0800)]
scsi: lpfc: Add enablement of multiple adapter dumps
Some adapters support the ability to hold multiple adapter dumps on the
adapter flash. Some adapters default to enabling this feature while others
default to single-dump.
Make support uniform by enabling dual dump by default.
James Smart [Tue, 5 Nov 2019 00:57:06 +0000 (16:57 -0800)]
scsi: lpfc: Change default IRQ model on AMD architectures
The current driver attempts to allocate an interrupt vector per cpu using
the systems managed IRQ allocator (flag PCI_IRQ_AFFINITY). The system IRQ
allocator will either provide the per-cpu vector, or return fewer
vectors. When fewer vectors, they are evenly spread between the numa nodes
on the system. When run on an AMD architecture, if interrupts occur to a
cpu that is not in the same numa node as the adapter generating the
interrupt, there are extreme costs and overheads in performance. Thus, if
1:1 vector allocation is used, or the "balanced" vectors in the other numa
nodes, performance can be hit significantly.
A much more performant model is to allocate interrupts only on the cpus
that are in the numa node where the adapter resides. I/O completion is
still performed by the cpu where the I/O was generated. Unfortunately,
there is no flag to request the managed IRQ subsystem allocate vectors only
for the CPUs in the numa node as the adapter.
On AMD architecture, revert the irq allocation to the normal style
(non-managed) and then use irq_set_affinity_hint() to set the cpu
affinity and disable user-space rebalancing.
Tie the support into CPU offline/online. If the cpu being offlined owns a
vector, the vector is re-affinitized to one of the other CPUs on the same
numa node. If there are no more CPUs on the numa node, the vector has all
affinity removed and lets the system determine where it's serviced.
Similarly, when the cpu that owned a vector comes online, the vector is
reaffinitized to the cpu.
James Smart [Tue, 5 Nov 2019 00:57:05 +0000 (16:57 -0800)]
scsi: lpfc: Add registration for CPU Offline/Online events
The recent affinitization didn't address cpu offlining/onlining. If an
interrupt vector is shared and the low order cpu owning the vector is
offlined, as interrupts are managed, the vector is taken offline. This
causes the other CPUs sharing the vector will hang as they can't get io
completions.
Correct by registering callbacks with the system for Offline/Online
events. When a cpu is taken offline, its eq, which is tied to an interrupt
vector is found. If the cpu is the "owner" of the vector and if the
eq/vector is shared by other CPUs, the eq is placed into a polled mode.
Additionally, code paths that perform io submission on the "sharing CPUs"
will check the eq state and poll for completion after submission of new io
to a wq that uses the eq.
Similarly, when a cpu comes back online and owns an offlined vector, the eq
is taken out of polled mode and rearmed to start driving interrupts for eq.
James Smart [Tue, 5 Nov 2019 00:57:02 +0000 (16:57 -0800)]
scsi: lpfc: Fix dynamic fw log enablement check
The recently posted patch had a typo that incorrectly tested the receiving
function.
Fix the typo (change == to !=)
Fixes: 95bfc6d8ad86 ("scsi: lpfc: Make FW logging dynamically configurable") Link: https://lore.kernel.org/r/20191105005708.7399-6-jsmart2021@gmail.com Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com> Signed-off-by: James Smart <jsmart2021@gmail.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
James Smart [Tue, 5 Nov 2019 00:57:01 +0000 (16:57 -0800)]
scsi: lpfc: Fix unexpected error messages during RSCN handling
During heavy RCN activity and log_verbose = 0 we see these messages:
2754 PRLI failure DID:521245 Status:x9/xb2c00, data: x0
0231 RSCN timeout Data: x0 x3
0230 Unexpected timeout, hba link state x5
This is due to delayed RSCN activity.
Correct by avoiding the timeout thus the messages by restarting the
discovery timeout whenever an rscn is received.
Filter PRLI responses such that severity depends on whether expected for
the configuration or not. For example, PRLI errors on a fabric will be
informational (they are expected), but Point-to-Point errors are not
necessarily expected so they are raised to an error level.
James Smart [Tue, 5 Nov 2019 00:57:00 +0000 (16:57 -0800)]
scsi: lpfc: Fix kernel crash at lpfc_nvme_info_show during remote port bounce
When reading sysfs nvme_info file while a remote port leaves and comes
back, a NULL pointer is encountered. The issue is due to ndlp list
corruption as the the nvme_info_show does not use the same lock as the rest
of the code.
Correct by removing the rcu_xxx_lock calls and replace by the host_lock and
phba->hbaLock spinlocks that are used by the rest of the driver. Given
we're called from sysfs, we are safe to use _irq rather than _irqsave.
James Smart [Tue, 5 Nov 2019 00:56:59 +0000 (16:56 -0800)]
scsi: lpfc: Fix configuration of BB credit recovery in service parameters
The driver today is reading service parameters from the firmware and then
overwriting the firmware-provided values with values of its own. There are
some switch features that require preliminary FLOGI's that are
switch-specific and done prior to the actual fabric FLOGI for traffic. The
fw will perform those FLOGIs and will revise the service parameters for the
features configured. As the driver later overwrites those values with its
own values, it misconfigures things like BBSCN use by doing so.
Correct by eliminating the driver-overwrite of firmware values. The driver
correctly re-reads the service parameters after each link up to obtain the
latest values from firmware.
James Smart [Tue, 5 Nov 2019 00:56:58 +0000 (16:56 -0800)]
scsi: lpfc: Fix duplicate unreg_rpi error in port offline flow
If the driver receives a login that is later then LOGO'd by the remote port
(aka ndlp), the driver, upon the completion of the LOGO ACC transmission,
will logout the node and unregister the rpi that is being used for the
node. As part of the unreg, the node's rpi value is replaced by the
LPFC_RPI_ALLOC_ERROR value. If the port is subsequently offlined, the
offline walks the nodes and ensures they are logged out, which possibly
entails unreg'ing their rpi values. This path does not validate the node's
rpi value, thus doesn't detect that it has been unreg'd already. The
replaced rpi value is then used when accessing the rpi bitmask array which
tracks active rpi values. As the LPFC_RPI_ALLOC_ERROR value is not a valid
index for the bitmask, it may fault the system.
Revise the rpi release code to detect when the rpi value is the replaced
RPI_ALLOC_ERROR value and ignore further release steps.
Al Viro [Thu, 17 Oct 2019 19:39:24 +0000 (20:39 +0100)]
scsi: sg: sg_write(): get rid of access_ok()/__copy_from_user()/__get_user()
Just use plain copy_from_user() and get_user(). Note that while a
buf-derived pointer gets stored into ->dxferp, all places that actually use
the resulting value feed it either to import_iovec() or to
import_single_range(), and both will do validation.
Al Viro [Thu, 17 Oct 2019 19:39:22 +0000 (20:39 +0100)]
scsi: sg: sg_new_write(): don't bother with access_ok
... just use copy_from_user(). We copy only SZ_SG_IO_HDR bytes, so that
would, strictly speaking, loosen the check. However, for call chains via
->write() the caller has actually checked the entire range and SG_IO passes
exactly SZ_SG_IO_HDR for count. So no visible behaviour changes happen if
we check only what we really need for copyin.
Al Viro [Thu, 17 Oct 2019 19:39:21 +0000 (20:39 +0100)]
scsi: sg: sg_read(): simplify reading ->pack_id of userland sg_io_hdr_t
We don't need to allocate a temporary buffer and read the entire structure
in it, only to fetch a single field and free what we'd allocated. Just use
get_user() and be done with it...
Pan Bian [Mon, 4 Nov 2019 15:26:22 +0000 (23:26 +0800)]
scsi: fnic: fix use after free
The memory chunk io_req is released by mempool_free. Accessing
io_req->start_time will result in a use after free bug. The variable
start_time is a backup of the timestamp. So, use start_time here to
avoid use after free.
Bart Van Assche [Fri, 1 Nov 2019 21:14:47 +0000 (14:14 -0700)]
scsi: core: scsi_trace: Use get_unaligned_be*()
This patch fixes an unintended sign extension on left shifts. From Colin
King: "Shifting a u8 left will cause the value to be promoted to an
integer. If the top bit of the u8 is set then the following conversion to
an u64 will sign extend the value causing the upper 32 bits to be set in
the result."
Fix this by using get_unaligned_be*() instead.
Fixes: bf8162354233 ("[SCSI] add scsi trace core functions and put trace points") Cc: Christoph Hellwig <hch@lst.de> Cc: Hannes Reinecke <hare@suse.com> Cc: Douglas Gilbert <dgilbert@interlog.com> Link: https://lore.kernel.org/r/20191101211447.187151-1-bvanassche@acm.org Reported-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Bart Van Assche <bvanassche@acm.org> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
projects / mirror_ubuntu-jammy-kernel.git / log