- 21 Jul, 2023 1 commit
-
-
Gleb Chesnokov authored
Smatch and Clang both complain that LOGIN_TEMPLATE_SIZE is more than sizeof(ha->plogi_els_payld.fl_csp).

Smatch warning:
drivers/scsi/qla2xxx/qla_iocb.c:3075 qla24xx_els_dcmd2_iocb() warn: '&ha->plogi_els_payld.fl_csp' sometimes too small '16' size = 112

Clang warning:
include/linux/fortify-string.h:592:4: error: call to '__read_overflow2_field' declared with 'warning' attribute: detected read beyond size of field (2nd parameter); maybe use struct_group()? [-Werror,-Wattribute-warning]
    __read_overflow2_field(q_size_field, size);

When I was reading this code I assumed the "- 4" meant that we were skipping the last 4 bytes but actually it turned out that we are skipping the first four bytes. I have re-written it to remove the magic numbers, be more clear and silence the static checker warnings.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/r/4aa0485e-766f-4b02-8d5d-c6781ea8f511@moroto.mountain
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[ commit 134f66959cd0b upstream ]
-
- 19 Jul, 2023 23 commits
-
-
Gleb Chesnokov authored
System crash when qla2x00_start_sp(sp) returns error code EAGAIN and wake_up gets called for uninitialized wait queue sp->nvme_ls_waitq.

qla2xxx [0000:37:00.1]-2121:5: Returning existing qpair of ffff8ae2c0513400 for idx=0
qla2xxx [0000:37:00.1]-700e:5: qla2x00_start_sp failed = 11
BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
PGD 0 P4D 0
Oops: 0000 [#1] SMP NOPTI
Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021
Workqueue: nvme-wq nvme_fc_connect_ctrl_work [nvme_fc]
RIP: 0010:__wake_up_common+0x4c/0x190
RSP: 0018:ffff95f3e0cb7cd0 EFLAGS: 00010086
RAX: 0000000000000000 RBX: ffff8b08d3b26328 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 0000000000000003 RDI: ffff8b08d3b26320
RBP: 0000000000000001 R08: 0000000000000000 R09: ffffffffffffffe8
R10: 0000000000000000 R11: ffff95f3e0cb7a60 R12: ffff95f3e0cb7d20
R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8b2fdf6c0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000002f1e410002 CR4: 00000000007706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
__wake_up_common_lock+0x7c/0xc0
qla_nvme_ls_req+0x355/0x4c0 [qla2xxx]
? __nvme_fc_send_ls_req+0x260/0x380 [nvme_fc]
? nvme_fc_send_ls_req.constprop.42+0x1a/0x45 [nvme_fc]
? nvme_fc_connect_ctrl_work.cold.63+0x1e3/0xa7d [nvme_fc]

Remove unused nvme_ls_waitq wait queue. nvme_ls_waitq logic was removed previously in the commits tagged Fixed: below.

Fixes: 219d27d7147e ("scsi: qla2xxx: Fix race conditions in the code for aborting SCSI commands")
Fixes: 5621b0dd7453 ("scsi: qla2xxx: Simpify unregistration of FC-NVMe local/remote ports")
Cc: stable@vger.kernel.org
Signed-off-by: Manish Rangankar <mrangankar@marvell.com>
Signed-off-by: Nilesh Javali <njavali@marvell.com>
Link: https://lore.kernel.org/r/20230615074633.12721-1-njavali@marvell.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[ commit 20fce500b232 upstream ]
-
Gleb Chesnokov authored
Signed-off-by: Nilesh Javali <njavali@marvell.com>
Link: https://lore.kernel.org/r/20230607113843.37185-9-njavali@marvell.com
Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[ commit 991e7ac609ee upstream ]
-
Gleb Chesnokov authored
Klocwork reported array 'port_dstate_str' of size 10 may use index value(s) 10..15. Add a fix to correct the index of array.

Cc: stable@vger.kernel.org
Signed-off-by: Bikash Hazarika <bhazarika@marvell.com>
Signed-off-by: Nilesh Javali <njavali@marvell.com>
Link: https://lore.kernel.org/r/20230607113843.37185-8-njavali@marvell.com
Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[ commit b1b9d3825df4 upstream ]
-
Gleb Chesnokov authored
Klocwork tool reported pointer 'rport' returned from call to function fc_bsg_to_rport() may be NULL and will be dereferenced. Add a fix to validate rport before dereferencing.

Cc: stable@vger.kernel.org
Signed-off-by: Shreyas Deodhar <sdeodhar@marvell.com>
Signed-off-by: Nilesh Javali <njavali@marvell.com>
Link: https://lore.kernel.org/r/20230607113843.37185-7-njavali@marvell.com
Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[ commit 00eca15319d9 upstream ]
-
Gleb Chesnokov authored
Klocwork warning: Buffer Overflow - Array Index Out of Bounds

Driver uses fc_els_flogi to calculate size of buffer. The actual buffer is nested inside of fc_els_flogi which is smaller. Replace structure name to allow proper size calculation.

Cc: stable@vger.kernel.org
Signed-off-by: Quinn Tran <qutran@marvell.com>
Signed-off-by: Nilesh Javali <njavali@marvell.com>
Link: https://lore.kernel.org/r/20230607113843.37185-6-njavali@marvell.com
Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[ commit b68710a8094f upstream ]
-
Gleb Chesnokov authored
Klocwork reported warning of rport maybe NULL and will be dereferenced. rport returned by call to fc_bsg_to_rport() could be NULL and dereferenced. Check valid rport returned by fc_bsg_to_rport().

Cc: stable@vger.kernel.org
Signed-off-by: Nilesh Javali <njavali@marvell.com>
Link: https://lore.kernel.org/r/20230607113843.37185-5-njavali@marvell.com
Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[ commit af73f23a2720 upstream ]
-
Gleb Chesnokov authored
Klocwork reported warning of NULL pointer may be dereferenced. The routine exits when sa_ctl is NULL and fcport is allocated after the exit call thus causing NULL fcport pointer to dereference at the time of exit. To avoid fcport pointer dereference, exit the routine when sa_ctl is NULL.

Cc: stable@vger.kernel.org
Signed-off-by: Nilesh Javali <njavali@marvell.com>
Link: https://lore.kernel.org/r/20230607113843.37185-4-njavali@marvell.com
Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[ commit 6b504d06976f upstream ]
-
Gleb Chesnokov authored
Klocwork tool reported 'cur_dsd' may be dereferenced. Add fix to validate pointer before dereferencing the pointer.

Cc: stable@vger.kernel.org
Signed-off-by: Bikash Hazarika <bhazarika@marvell.com>
Signed-off-by: Nilesh Javali <njavali@marvell.com>
Link: https://lore.kernel.org/r/20230607113843.37185-3-njavali@marvell.com
Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[ commit 464ea494a40c upstream ]
-
Gleb Chesnokov authored
Klocwork reports array 'vha->host_str' of size 16 may use index value(s) 16..19. Use snprintf() instead of sprintf().

Cc: stable@vger.kernel.org
Co-developed-by: Bikash Hazarika <bhazarika@marvell.com>
Signed-off-by: Bikash Hazarika <bhazarika@marvell.com>
Signed-off-by: Nilesh Javali <njavali@marvell.com>
Link: https://lore.kernel.org/r/20230607113843.37185-2-njavali@marvell.com
Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[ commit d721b591b95c upstream ]
-
Gleb Chesnokov authored
'new_fcports' is unused, so drop it.

Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Link: https://lore.kernel.org/r/49bb77624c9edc8d9bf8fe71d0c8a4cd7e582175.1685854354.git.christophe.jaillet@wanadoo.fr
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[ commit 022000d3f586 upstream ]
-
Gleb Chesnokov authored
Unbreak the build for the previous commit against kernel versions before v5.16. See also commit 3080ea5553cc ("stddef: Introduce DECLARE_FLEX_ARRAY() helper") # v5.16.
-
Gleb Chesnokov authored
One-element arrays as fake flex arrays are deprecated and we are moving towards adopting C99 flexible-array members, instead. So, replace one-element array declaration in struct ct_sns_gpnft_rsp, which is ultimately being used inside a union:

drivers/scsi/qla2xxx/qla_def.h:
3240 struct ct_sns_gpnft_pkt {
3241         union {
3242                 struct ct_sns_req req;
3243                 struct ct_sns_gpnft_rsp rsp;
3244         } p;
3245 };

Refactor the rest of the code, accordingly.

This issue was found with the help of Coccinelle.

Link: https://github.com/KSPP/linux/issues/245
Link: https://github.com/KSPP/linux/issues/193
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Link: https://lore.kernel.org/r/ZH+/rZ1R1cBjIxjS@work
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[ commit 512a365368c7 upstream ]
-
Gleb Chesnokov authored
This loop will exit successfully when "found" is false or in the failure case it times out with "wait_iter" set to -1. The test for timeouts is impossible as is.

Fixes: b843adde8d49 ("scsi: qla2xxx: Fix mem access after free")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/r/cea5a62f-b873-4347-8f8e-c67527ced8d2@kili.mountain
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[ commit 339020091e24 upstream ]
-
Gleb Chesnokov authored
Update version to 10.02.08.300-k.

Signed-off-by: Nilesh Javali <njavali@marvell.com>
Link: https://lore.kernel.org/r/20230428075339.32551-8-njavali@marvell.com
Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[ commit eb91eb809c8d upstream ]
-
Gleb Chesnokov authored
System crash due to use after free. Current code allows terminate_rport_io to exit before making sure all IOs have returned. For FCP-2 device, IOs can hang on in HW because driver has not torn down the session in FW at first sign of cable pull. When dev_loss_tmo timer pops, terminate_rport_io is called and upper layer is about to free various resources. Terminate_rport_io triggers qla to do the final cleanup, but the cleanup might not be fast enough where it leaves qla still holding on to the same resource.

Wait for IOs to return to upper layer before resources are freed.

Cc: stable@vger.kernel.org
Signed-off-by: Quinn Tran <qutran@marvell.com>
Signed-off-by: Nilesh Javali <njavali@marvell.com>
Link: https://lore.kernel.org/r/20230428075339.32551-7-njavali@marvell.com
Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[ commit fc0cba0c7be8 upstream ]
-
Gleb Chesnokov authored
System crash, where driver is accessing scsi layer's memory (scsi_cmnd->device->host) to search for a well known internal pointer (vha). The scsi_cmnd was released back to upper layer which could be freed, but the driver is still accessing it.

7 [ffffa8e8d2c3f8d0] page_fault at ffffffff86c010fe
  [exception RIP: __qla2x00_eh_wait_for_pending_commands+240]
  RIP: ffffffffc0642350 RSP: ffffa8e8d2c3f988 RFLAGS: 00010286
  RAX: 0000000000000165 RBX: 0000000000000002 RCX: 00000000000036d8
  RDX: 0000000000000000 RSI: ffff9c5c56535188 RDI: 0000000000000286
  RBP: ffff9c5bf7aa4a58 R8: ffff9c589aecdb70 R9: 00000000000003d1
  R10: 0000000000000001 R11: 0000000000380000 R12: ffff9c5c5392bc78
  R13: ffff9c57044ff5c0 R14: ffff9c56b5a3aa00 R15: 00000000000006db
  ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
8 [ffffa8e8d2c3f9c8] qla2x00_eh_wait_for_pending_commands at ffffffffc0646dd5 [qla2xxx]
9 [ffffa8e8d2c3fa00] __qla2x00_async_tm_cmd at ffffffffc0658094 [qla2xxx]

Remove access of freed memory. Currently the driver was checking to see if scsi_done was called by seeing if the sp->type has changed. Instead, check to see if the command has left the outstanding_cmds[] array as sign of scsi_done was called.

Cc: stable@vger.kernel.org
Signed-off-by: Quinn Tran <qutran@marvell.com>
Signed-off-by: Nilesh Javali <njavali@marvell.com>
Link: https://lore.kernel.org/r/20230428075339.32551-6-njavali@marvell.com
Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[ commit b843adde8d49 upstream ]
-
Gleb Chesnokov authored
Task management command hangs where a side band chip reset failed to nudge the TMF from its current send path. Add additional error check to block TMF from entering during chip reset and along the TMF path to cause it to bail out, skip over abort of marker.

Cc: stable@vger.kernel.org
Signed-off-by: Quinn Tran <qutran@marvell.com>
Signed-off-by: Nilesh Javali <njavali@marvell.com>
Link: https://lore.kernel.org/r/20230428075339.32551-5-njavali@marvell.com
Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[ commit 9ae615c5bfd3 upstream ]
-
Gleb Chesnokov authored
Unbreak the build for the previous commit against kernel versions before v5.1.
-
Gleb Chesnokov authored
Task management command failed with status 2Ch which is a result of too many task management commands sent to the same target. Hence limit task management commands to 8 per target.

Reported-by: kernel test robot <lkp@intel.com>
Link: https://lore.kernel.org/oe-kbuild-all/202304271952.NKNmoFzv-lkp@intel.com/
Cc: stable@vger.kernel.org
Signed-off-by: Quinn Tran <qutran@marvell.com>
Signed-off-by: Nilesh Javali <njavali@marvell.com>
Link: https://lore.kernel.org/r/20230428075339.32551-4-njavali@marvell.com
Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[ commit 6a87679626b5 upstream ]
-
Gleb Chesnokov authored
Task management cmd failed with status 30h which means FW is not able to finish processing one task management before another task management for the same lun. Hence add wait for completion of marker to space it out.

Reported-by: kernel test robot <lkp@intel.com>
Link: https://lore.kernel.org/oe-kbuild-all/202304271802.uCZfwQC1-lkp@intel.com/
Cc: stable@vger.kernel.org
Signed-off-by: Quinn Tran <qutran@marvell.com>
Signed-off-by: Nilesh Javali <njavali@marvell.com>
Link: https://lore.kernel.org/r/20230428075339.32551-3-njavali@marvell.com
Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[ commit 9803fb5d2759 upstream ]
-
Gleb Chesnokov authored
Add queue flush for task management command, before placing it on the wire. Do IO flush for all Request Q's.

Reported-by: kernel test robot <lkp@intel.com>
Link: https://lore.kernel.org/oe-kbuild-all/202304271702.GpIL391S-lkp@intel.com/
Cc: stable@vger.kernel.org
Signed-off-by: Quinn Tran <qutran@marvell.com>
Signed-off-by: Nilesh Javali <njavali@marvell.com>
Link: https://lore.kernel.org/r/20230428075339.32551-2-njavali@marvell.com
Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[ commit d90171dd0da5 upstream ]
-
Gleb Chesnokov authored
This was detected by smatch.
-
Gleb Chesnokov authored
strlcpy() reads the entire source buffer first. This read may exceed the destination size limit. This is both inefficient and can lead to linear read overflows if a source string is not NULL-terminated [1].

[1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy
-
- 10 Jul, 2023 8 commits
-
-
Gleb Chesnokov authored
Use sendmsg() conditionally with MSG_SPLICE_PAGES in write_data() rather than calling sendpage().

Support for the following net layer changes in the Linux kernel v6.5:
- dc97391e6610 ("sock: Remove ->sendpage*() in favour of sendmsg(MSG_SPLICE_PAGES)")
-
Gleb Chesnokov authored
This patch carries out a refactoring of the sendpage functionality in the write_data() function:
1. Reorganize the logic used to select the sock_sendpage function.
2. Streamline the data sending loop by reducing conditional branches and eliminating labels.
3. Adjust the error handling for -EINTR and -EAGAIN to make the code cleaner and easier to follow.

This patch doesn't change any functionality.
-
Gleb Chesnokov authored
This patch introduces several improvements to the 'write iop loop' in the write_data() function:
1. Move iop-related variables under the scope of the 'write iop loop'.
2. Eliminate the 'retry' label, use 'continue' instead for simplicity.
3. Remove the redundant 'rest' variable, use just 'res' instead.

This patch doesn't change any functionality.
-
Gleb Chesnokov authored
This patch introduces several improvements to the write_data() function:
1. Remove the redundant 'sendpage' function pointer variable.
2. Update variables related to size to use the size_t type for better type correctness and safety.
3. Introduce a new variable, 'parent_req', to store the 'write_cmnd->parent_req' pointer and reduce redundant accesses.
4. Fix several checkpatch warnings.

This patch doesn't change any functionality.
-
Gleb Chesnokov authored
Support for the following mm layer changes in the Linux kernel v6.5:
- 54d020692b34 ("mm/gup: remove unused vmas parameter from get_user_pages()")
-
Gleb Chesnokov authored
Support for the following scsi core changes in the Linux kernel v6.5:
- a6cdc35fab0d ("scsi: core: Support retrieving sub-pages of mode pages")
-
Gleb Chesnokov authored
Support for the following block layer changes in the Linux kernel v6.5:
- 05bdb9965305 ("block: replace fmode_t with a block-specific type for block open flags")
- 0718afd47f70 ("block: introduce holder ops")
- 2736e8eeb0cc ("block: use the holder as indication for exclusive opens")
-
Gleb Chesnokov authored
Enable exclusive opening of block devices to prevent concurrent usage. Additionally, remove the redundant 'holder' argument for 'blkdev_get_by_path()' where exclusive opening isn't utilized.
-
- 30 Jun, 2023 2 commits
-
-
Gleb Chesnokov authored
The prepare_to_wait_exclusive_head() function was modified in commit d8894cbd ("scst.h: Refactor wait_event_locked() to enhance usability and clarity"). It now returns an error if the current interruptible thread has pending signals.

This patch introduces the scst_wait_for_cmd() helper function for the scst_cmd_thread(). This new function handles the return value of the prepare_to_wait_exclusive_head() appropriately.

This patch fixes the following Coverity complaint:

CID 321410 (#1 of 1): Unchecked return value (CHECKED_RETURN)
check_return: Calling prepare_to_wait_exclusive_head without checking return value.
-
Gleb Chesnokov authored
The scst_wait_event_interruptible_lock_irq() function now implicitly checks for pending signals. Therefore, there is no need to check for these signals explicitly. This patch replaces the explicit check with a simple evaluation of the function's return value. This patch doesn't change any functionality.
-
- 28 Jun, 2023 1 commit
-
-
Gleb Chesnokov authored
This patch replaces percpu_ref_kill() with percpu_ref_kill_and_confirm() to guarantee safe usage of references in atomic mode immediately afterwards. This change ensures accurate checking of active commands following the initial reference killing.

Reported-by: Lev Vainblat <lev@zadarastorage.com>
-
- 27 Jun, 2023 2 commits
-
-
Gleb Chesnokov authored
This patch changes the processing threads to use INTERRUPTIBLE sleep states in the scst_wait_event_...() functions. This aims to avoid warnings from the hung task detection checker and to prevent unnecessary load counting.

Fixes: d8894cbd ("scst.h: Refactor wait_event_locked() to enhance usability and clarity")
-
Gleb Chesnokov authored
Another kernel versions update following the 6.4 release.
-
- 20 Jun, 2023 3 commits
-
-
Gleb Chesnokov authored
Since __scst_ext_blocking_done() is only called from inside scst_lib.c, declare that function static. This patch doesn't change any functionality.
-
Gleb Chesnokov authored
This patch modifies scst_sync_ext_block_dev() to support INTERRUPTIBLE waiting and handle signal-induced waiting cancellation. To achieve this, the waitqueue head is moved from the stack and allocated with the blocker. Additionally, reference counting and its management are added to the blocker to handle memory freeing from multiple contexts.

Fixes: https://github.com/SCST-project/scst/issues/164
-
Gleb Chesnokov authored
This patch divides the scst_ext_block_dev() function into two separate functions to improve code readability and simplify maintenance:
1. scst_sync_ext_block_dev() - This function is for synchronous blocking and serves as the equivalent of calling the old scst_ext_block_dev() function with the SCST_EXT_BLOCK_SYNC flag.
2. scst_ext_block_dev() - This function is for asynchronous blocking.

Additionally, the patch introduces the helper function scst_dev_ext_block() to reduce code duplication between the scst_sync_ext_block_dev() and scst_ext_block_dev() functions.

This patch doesn't change any functionality.
-