tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

Pull SCSI fixes from James Bottomley:
"The most important one is the bfa fix because it's easy to oops the
kernel with this driver (this includes the commit that corrects the
compiler warning in the original), a regression in the new timespec
conversion in aacraid and a regression in the Fibre Channel ELS
handling patch.

The other three are a theoretical problem with termination in the
vendor/host matching code and a use after free in lpfc.

The additional patches are a fix for an I/O hang in the mq code under
certain circumstances and a rare oops in some debugging code"

* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
scsi: core: Fix a scsi_show_rq() NULL pointer dereference
scsi: MAINTAINERS: change FCoE list to linux-scsi
scsi: libsas: fix length error in sas_smp_handler()
scsi: bfa: fix type conversion warning
scsi: core: run queue if SCSI device queue isn't ready and queue is idle
scsi: scsi_devinfo: cleanly zero-pad devinfo strings
scsi: scsi_devinfo: handle non-terminated strings
scsi: bfa: fix access to bfad_im_port_s
scsi: aacraid: address UBSAN warning regression
scsi: libfc: fix ELS request handling
scsi: lpfc: Use after free in lpfc_rq_buf_free()

Linus Torvalds 66dbbd72 07a20ed1

+54 -33
+1 -1
MAINTAINERS
··· 5431 5431 5432 5432 FCOE SUBSYSTEM (libfc, libfcoe, fcoe) 5433 5433 M: Johannes Thumshirn <jth@kernel.org> 5434 - L: fcoe-devel@open-fcoe.org 5434 + L: linux-scsi@vger.kernel.org 5435 5435 W: www.Open-FCoE.org 5436 5436 S: Supported 5437 5437 F: drivers/scsi/libfc/
+6 -2
drivers/scsi/aacraid/commsup.c
··· 2482 2482 /* Synchronize our watches */ 2483 2483 if (((NSEC_PER_SEC - (NSEC_PER_SEC / HZ)) > now.tv_nsec) 2484 2484 && (now.tv_nsec > (NSEC_PER_SEC / HZ))) 2485 - difference = (((NSEC_PER_SEC - now.tv_nsec) * HZ) 2486 - + NSEC_PER_SEC / 2) / NSEC_PER_SEC; 2485 + difference = HZ + HZ / 2 - 2486 + now.tv_nsec / (NSEC_PER_SEC / HZ); 2487 2487 else { 2488 2488 if (now.tv_nsec > NSEC_PER_SEC / 2) 2489 2489 ++now.tv_sec; ··· 2507 2507 if (kthread_should_stop()) 2508 2508 break; 2509 2509 2510 + /* 2511 + * we probably want usleep_range() here instead of the 2512 + * jiffies computation 2513 + */ 2510 2514 schedule_timeout(difference); 2511 2515 2512 2516 if (kthread_should_stop())
+4 -2
drivers/scsi/bfa/bfad_bsg.c
··· 3135 3135 struct fc_bsg_request *bsg_request = job->request; 3136 3136 struct fc_bsg_reply *bsg_reply = job->reply; 3137 3137 uint32_t vendor_cmd = bsg_request->rqst_data.h_vendor.vendor_cmd[0]; 3138 - struct bfad_im_port_s *im_port = shost_priv(fc_bsg_to_shost(job)); 3138 + struct Scsi_Host *shost = fc_bsg_to_shost(job); 3139 + struct bfad_im_port_s *im_port = bfad_get_im_port(shost); 3139 3140 struct bfad_s *bfad = im_port->bfad; 3140 3141 void *payload_kbuf; 3141 3142 int rc = -EINVAL; ··· 3351 3350 bfad_im_bsg_els_ct_request(struct bsg_job *job) 3352 3351 { 3353 3352 struct bfa_bsg_data *bsg_data; 3354 - struct bfad_im_port_s *im_port = shost_priv(fc_bsg_to_shost(job)); 3353 + struct Scsi_Host *shost = fc_bsg_to_shost(job); 3354 + struct bfad_im_port_s *im_port = bfad_get_im_port(shost); 3355 3355 struct bfad_s *bfad = im_port->bfad; 3356 3356 bfa_bsg_fcpt_t *bsg_fcpt; 3357 3357 struct bfad_fcxp *drv_fcxp;
+4 -2
drivers/scsi/bfa/bfad_im.c
··· 546 546 bfad_im_scsi_host_alloc(struct bfad_s *bfad, struct bfad_im_port_s *im_port, 547 547 struct device *dev) 548 548 { 549 + struct bfad_im_port_pointer *im_portp; 549 550 int error = 1; 550 551 551 552 mutex_lock(&bfad_mutex); ··· 565 564 goto out_free_idr; 566 565 } 567 566 568 - im_port->shost->hostdata[0] = (unsigned long)im_port; 567 + im_portp = shost_priv(im_port->shost); 568 + im_portp->p = im_port; 569 569 im_port->shost->unique_id = im_port->idr_id; 570 570 im_port->shost->this_id = -1; 571 571 im_port->shost->max_id = MAX_FCP_TARGET; ··· 750 748 751 749 sht->sg_tablesize = bfad->cfg_data.io_max_sge; 752 750 753 - return scsi_host_alloc(sht, sizeof(unsigned long)); 751 + return scsi_host_alloc(sht, sizeof(struct bfad_im_port_pointer)); 754 752 } 755 753 756 754 void
+10
drivers/scsi/bfa/bfad_im.h
··· 69 69 struct fc_vport *fc_vport; 70 70 }; 71 71 72 + struct bfad_im_port_pointer { 73 + struct bfad_im_port_s *p; 74 + }; 75 + 76 + static inline struct bfad_im_port_s *bfad_get_im_port(struct Scsi_Host *host) 77 + { 78 + struct bfad_im_port_pointer *im_portp = shost_priv(host); 79 + return im_portp->p; 80 + } 81 + 72 82 enum bfad_itnim_state { 73 83 ITNIM_STATE_NONE, 74 84 ITNIM_STATE_ONLINE,
+4
drivers/scsi/libfc/fc_lport.c
··· 904 904 case ELS_FLOGI: 905 905 if (!lport->point_to_multipoint) 906 906 fc_lport_recv_flogi_req(lport, fp); 907 + else 908 + fc_rport_recv_req(lport, fp); 907 909 break; 908 910 case ELS_LOGO: 909 911 if (fc_frame_sid(fp) == FC_FID_FLOGI) 910 912 fc_lport_recv_logo_req(lport, fp); 913 + else 914 + fc_rport_recv_req(lport, fp); 911 915 break; 912 916 case ELS_RSCN: 913 917 lport->tt.disc_recv_req(lport, fp);
+5 -5
drivers/scsi/libsas/sas_expander.c
··· 2145 2145 struct sas_rphy *rphy) 2146 2146 { 2147 2147 struct domain_device *dev; 2148 - unsigned int reslen = 0; 2148 + unsigned int rcvlen = 0; 2149 2149 int ret = -EINVAL; 2150 2150 2151 2151 /* no rphy means no smp target support (ie aic94xx host) */ ··· 2179 2179 2180 2180 ret = smp_execute_task_sg(dev, job->request_payload.sg_list, 2181 2181 job->reply_payload.sg_list); 2182 - if (ret > 0) { 2183 - /* positive number is the untransferred residual */ 2184 - reslen = ret; 2182 + if (ret >= 0) { 2183 + /* bsg_job_done() requires the length received */ 2184 + rcvlen = job->reply_payload.payload_len - ret; 2185 2185 ret = 0; 2186 2186 } 2187 2187 2188 2188 out: 2189 - bsg_job_done(job, ret, reslen); 2189 + bsg_job_done(job, ret, rcvlen); 2190 2190 }
+1 -1
drivers/scsi/lpfc/lpfc_mem.c
··· 753 753 drqe.address_hi = putPaddrHigh(rqb_entry->dbuf.phys); 754 754 rc = lpfc_sli4_rq_put(rqb_entry->hrq, rqb_entry->drq, &hrqe, &drqe); 755 755 if (rc < 0) { 756 - (rqbp->rqb_free_buffer)(phba, rqb_entry); 757 756 lpfc_printf_log(phba, KERN_ERR, LOG_INIT, 758 757 "6409 Cannot post to RQ %d: %x %x\n", 759 758 rqb_entry->hrq->queue_id, 760 759 rqb_entry->hrq->host_index, 761 760 rqb_entry->hrq->hba_index); 761 + (rqbp->rqb_free_buffer)(phba, rqb_entry); 762 762 } else { 763 763 list_add_tail(&rqb_entry->hbuf.list, &rqbp->rqb_buffer_list); 764 764 rqbp->buffer_count++;
+4 -2
drivers/scsi/scsi_debugfs.c
··· 8 8 { 9 9 struct scsi_cmnd *cmd = container_of(scsi_req(rq), typeof(*cmd), req); 10 10 int msecs = jiffies_to_msecs(jiffies - cmd->jiffies_at_alloc); 11 - char buf[80]; 11 + const u8 *const cdb = READ_ONCE(cmd->cmnd); 12 + char buf[80] = "(?)"; 12 13 13 - __scsi_format_command(buf, sizeof(buf), cmd->cmnd, cmd->cmd_len); 14 + if (cdb) 15 + __scsi_format_command(buf, sizeof(buf), cdb, cmd->cmd_len); 14 16 seq_printf(m, ", .cmd=%s, .retries=%d, allocated %d.%03d s ago", buf, 15 17 cmd->retries, msecs / 1000, msecs % 1000); 16 18 }
+10 -17
drivers/scsi/scsi_devinfo.c
··· 34 34 }; 35 35 36 36 37 - static const char spaces[] = " "; /* 16 of them */ 38 37 static blist_flags_t scsi_default_dev_flags; 39 38 static LIST_HEAD(scsi_dev_info_list); 40 39 static char scsi_dev_flags[256]; ··· 297 298 size_t from_length; 298 299 299 300 from_length = strlen(from); 300 - strncpy(to, from, min(to_length, from_length)); 301 - if (from_length < to_length) { 302 - if (compatible) { 303 - /* 304 - * NUL terminate the string if it is short. 305 - */ 306 - to[from_length] = '\0'; 307 - } else { 308 - /* 309 - * space pad the string if it is short. 310 - */ 311 - strncpy(&to[from_length], spaces, 312 - to_length - from_length); 313 - } 301 + /* This zero-pads the destination */ 302 + strncpy(to, from, to_length); 303 + if (from_length < to_length && !compatible) { 304 + /* 305 + * space pad the string if it is short. 306 + */ 307 + memset(&to[from_length], ' ', to_length - from_length); 314 308 } 315 309 if (from_length > to_length) 316 310 printk(KERN_WARNING "%s: %s string '%s' is too long\n", ··· 450 458 /* 451 459 * vendor strings must be an exact match 452 460 */ 453 - if (vmax != strlen(devinfo->vendor) || 461 + if (vmax != strnlen(devinfo->vendor, 462 + sizeof(devinfo->vendor)) || 454 463 memcmp(devinfo->vendor, vskip, vmax)) 455 464 continue; 456 465 ··· 459 466 * @model specifies the full string, and 460 467 * must be larger or equal to devinfo->model 461 468 */ 462 - mlen = strlen(devinfo->model); 469 + mlen = strnlen(devinfo->model, sizeof(devinfo->model)); 463 470 if (mmax < mlen || memcmp(devinfo->model, mskip, mlen)) 464 471 continue; 465 472 return devinfo;
+2
drivers/scsi/scsi_lib.c
··· 1967 1967 out_put_device: 1968 1968 put_device(&sdev->sdev_gendev); 1969 1969 out: 1970 + if (atomic_read(&sdev->device_busy) == 0 && !scsi_device_blocked(sdev)) 1971 + blk_mq_delay_run_hw_queue(hctx, SCSI_QUEUE_DELAY); 1970 1972 return false; 1971 1973 } 1972 1974
+3 -1
drivers/scsi/sd.c
··· 1312 1312 static void sd_uninit_command(struct scsi_cmnd *SCpnt) 1313 1313 { 1314 1314 struct request *rq = SCpnt->request; 1315 + u8 *cmnd; 1315 1316 1316 1317 if (SCpnt->flags & SCMD_ZONE_WRITE_LOCK) 1317 1318 sd_zbc_write_unlock_zone(SCpnt); ··· 1321 1320 __free_page(rq->special_vec.bv_page); 1322 1321 1323 1322 if (SCpnt->cmnd != scsi_req(rq)->cmd) { 1324 - mempool_free(SCpnt->cmnd, sd_cdb_pool); 1323 + cmnd = SCpnt->cmnd; 1325 1324 SCpnt->cmnd = NULL; 1326 1325 SCpnt->cmd_len = 0; 1326 + mempool_free(cmnd, sd_cdb_pool); 1327 1327 } 1328 1328 } 1329 1329