tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

James writes:
"SCSI fixes on 20180925

Nine obvious bug fixes mostly in individual drivers. The target fix
is of particular importance because it's CVE related."

* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
scsi: sd: don't crash the host on invalid commands
scsi: ipr: System hung while dlpar adding primary ipr adapter back
scsi: target: iscsi: Use bin2hex instead of a re-implementation
scsi: target: iscsi: Use hex2bin instead of a re-implementation
scsi: lpfc: Synchronize access to remoteport via rport
scsi: ufs: Disable blk-mq for now
scsi: sd: Contribute to randomness when running rotational device
scsi: ibmvscsis: Ensure partition name is properly NUL terminated
scsi: ibmvscsis: Fix a stringop-overflow warning

Greg Kroah-Hartman 846e8dd4 bfb0e9b4

+118 -92
+2 -3
drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
··· 3474 3474 vscsi->dds.window[LOCAL].liobn, 3475 3475 vscsi->dds.window[REMOTE].liobn); 3476 3476 3477 - strcpy(vscsi->eye, "VSCSI "); 3478 - strncat(vscsi->eye, vdev->name, MAX_EYE); 3477 + snprintf(vscsi->eye, sizeof(vscsi->eye), "VSCSI %s", vdev->name); 3479 3478 3480 3479 vscsi->dds.unit_id = vdev->unit_address; 3481 - strncpy(vscsi->dds.partition_name, partition_name, 3480 + strscpy(vscsi->dds.partition_name, partition_name, 3482 3481 sizeof(vscsi->dds.partition_name)); 3483 3482 vscsi->dds.partition_num = partition_number; 3484 3483
+63 -47
drivers/scsi/ipr.c
··· 3335 3335 LEAVE; 3336 3336 } 3337 3337 3338 - /** 3339 - * ipr_worker_thread - Worker thread 3340 - * @work: ioa config struct 3341 - * 3342 - * Called at task level from a work thread. This function takes care 3343 - * of adding and removing device from the mid-layer as configuration 3344 - * changes are detected by the adapter. 3345 - * 3346 - * Return value: 3347 - * nothing 3348 - **/ 3349 - static void ipr_worker_thread(struct work_struct *work) 3338 + static void ipr_add_remove_thread(struct work_struct *work) 3350 3339 { 3351 3340 unsigned long lock_flags; 3352 3341 struct ipr_resource_entry *res; 3353 3342 struct scsi_device *sdev; 3354 - struct ipr_dump *dump; 3355 3343 struct ipr_ioa_cfg *ioa_cfg = 3356 - container_of(work, struct ipr_ioa_cfg, work_q); 3344 + container_of(work, struct ipr_ioa_cfg, scsi_add_work_q); 3357 3345 u8 bus, target, lun; 3358 3346 int did_work; 3359 3347 3360 3348 ENTER; 3361 3349 spin_lock_irqsave(ioa_cfg->host->host_lock, lock_flags); 3362 - 3363 - if (ioa_cfg->sdt_state == READ_DUMP) { 3364 - dump = ioa_cfg->dump; 3365 - if (!dump) { 3366 - spin_unlock_irqrestore(ioa_cfg->host->host_lock, lock_flags); 3367 - return; 3368 - } 3369 - kref_get(&dump->kref); 3370 - spin_unlock_irqrestore(ioa_cfg->host->host_lock, lock_flags); 3371 - ipr_get_ioa_dump(ioa_cfg, dump); 3372 - kref_put(&dump->kref, ipr_release_dump); 3373 - 3374 - spin_lock_irqsave(ioa_cfg->host->host_lock, lock_flags); 3375 - if (ioa_cfg->sdt_state == DUMP_OBTAINED && !ioa_cfg->dump_timeout) 3376 - ipr_initiate_ioa_reset(ioa_cfg, IPR_SHUTDOWN_NONE); 3377 - spin_unlock_irqrestore(ioa_cfg->host->host_lock, lock_flags); 3378 - return; 3379 - } 3380 - 3381 - if (ioa_cfg->scsi_unblock) { 3382 - ioa_cfg->scsi_unblock = 0; 3383 - ioa_cfg->scsi_blocked = 0; 3384 - spin_unlock_irqrestore(ioa_cfg->host->host_lock, lock_flags); 3385 - scsi_unblock_requests(ioa_cfg->host); 3386 - spin_lock_irqsave(ioa_cfg->host->host_lock, lock_flags); 3387 - if (ioa_cfg->scsi_blocked) 3388 - scsi_block_requests(ioa_cfg->host); 3389 - } 3390 - 3391 - if (!ioa_cfg->scan_enabled) { 3392 - spin_unlock_irqrestore(ioa_cfg->host->host_lock, lock_flags); 3393 - return; 3394 - } 3395 3350 3396 3351 restart: 3397 3352 do { ··· 3391 3436 ioa_cfg->scan_done = 1; 3392 3437 spin_unlock_irqrestore(ioa_cfg->host->host_lock, lock_flags); 3393 3438 kobject_uevent(&ioa_cfg->host->shost_dev.kobj, KOBJ_CHANGE); 3439 + LEAVE; 3440 + } 3441 + 3442 + /** 3443 + * ipr_worker_thread - Worker thread 3444 + * @work: ioa config struct 3445 + * 3446 + * Called at task level from a work thread. This function takes care 3447 + * of adding and removing device from the mid-layer as configuration 3448 + * changes are detected by the adapter. 3449 + * 3450 + * Return value: 3451 + * nothing 3452 + **/ 3453 + static void ipr_worker_thread(struct work_struct *work) 3454 + { 3455 + unsigned long lock_flags; 3456 + struct ipr_dump *dump; 3457 + struct ipr_ioa_cfg *ioa_cfg = 3458 + container_of(work, struct ipr_ioa_cfg, work_q); 3459 + 3460 + ENTER; 3461 + spin_lock_irqsave(ioa_cfg->host->host_lock, lock_flags); 3462 + 3463 + if (ioa_cfg->sdt_state == READ_DUMP) { 3464 + dump = ioa_cfg->dump; 3465 + if (!dump) { 3466 + spin_unlock_irqrestore(ioa_cfg->host->host_lock, lock_flags); 3467 + return; 3468 + } 3469 + kref_get(&dump->kref); 3470 + spin_unlock_irqrestore(ioa_cfg->host->host_lock, lock_flags); 3471 + ipr_get_ioa_dump(ioa_cfg, dump); 3472 + kref_put(&dump->kref, ipr_release_dump); 3473 + 3474 + spin_lock_irqsave(ioa_cfg->host->host_lock, lock_flags); 3475 + if (ioa_cfg->sdt_state == DUMP_OBTAINED && !ioa_cfg->dump_timeout) 3476 + ipr_initiate_ioa_reset(ioa_cfg, IPR_SHUTDOWN_NONE); 3477 + spin_unlock_irqrestore(ioa_cfg->host->host_lock, lock_flags); 3478 + return; 3479 + } 3480 + 3481 + if (ioa_cfg->scsi_unblock) { 3482 + ioa_cfg->scsi_unblock = 0; 3483 + ioa_cfg->scsi_blocked = 0; 3484 + spin_unlock_irqrestore(ioa_cfg->host->host_lock, lock_flags); 3485 + scsi_unblock_requests(ioa_cfg->host); 3486 + spin_lock_irqsave(ioa_cfg->host->host_lock, lock_flags); 3487 + if (ioa_cfg->scsi_blocked) 3488 + scsi_block_requests(ioa_cfg->host); 3489 + } 3490 + 3491 + if (!ioa_cfg->scan_enabled) { 3492 + spin_unlock_irqrestore(ioa_cfg->host->host_lock, lock_flags); 3493 + return; 3494 + } 3495 + 3496 + schedule_work(&ioa_cfg->scsi_add_work_q); 3497 + 3498 + spin_unlock_irqrestore(ioa_cfg->host->host_lock, lock_flags); 3394 3499 LEAVE; 3395 3500 } 3396 3501 ··· 9948 9933 INIT_LIST_HEAD(&ioa_cfg->free_res_q); 9949 9934 INIT_LIST_HEAD(&ioa_cfg->used_res_q); 9950 9935 INIT_WORK(&ioa_cfg->work_q, ipr_worker_thread); 9936 + INIT_WORK(&ioa_cfg->scsi_add_work_q, ipr_add_remove_thread); 9951 9937 init_waitqueue_head(&ioa_cfg->reset_wait_q); 9952 9938 init_waitqueue_head(&ioa_cfg->msi_wait_q); 9953 9939 init_waitqueue_head(&ioa_cfg->eeh_wait_q);
+1
drivers/scsi/ipr.h
··· 1575 1575 u8 saved_mode_page_len; 1576 1576 1577 1577 struct work_struct work_q; 1578 + struct work_struct scsi_add_work_q; 1578 1579 struct workqueue_struct *reset_work_q; 1579 1580 1580 1581 wait_queue_head_t reset_wait_q;
+10 -5
drivers/scsi/lpfc/lpfc_attr.c
··· 360 360 goto buffer_done; 361 361 362 362 list_for_each_entry(ndlp, &vport->fc_nodes, nlp_listp) { 363 + nrport = NULL; 364 + spin_lock(&vport->phba->hbalock); 363 365 rport = lpfc_ndlp_get_nrport(ndlp); 364 - if (!rport) 365 - continue; 366 - 367 - /* local short-hand pointer. */ 368 - nrport = rport->remoteport; 366 + if (rport) 367 + nrport = rport->remoteport; 368 + spin_unlock(&vport->phba->hbalock); 369 369 if (!nrport) 370 370 continue; 371 371 ··· 3386 3386 struct lpfc_nodelist *ndlp; 3387 3387 #if (IS_ENABLED(CONFIG_NVME_FC)) 3388 3388 struct lpfc_nvme_rport *rport; 3389 + struct nvme_fc_remote_port *remoteport = NULL; 3389 3390 #endif 3390 3391 3391 3392 shost = lpfc_shost_from_vport(vport); ··· 3397 3396 if (ndlp->rport) 3398 3397 ndlp->rport->dev_loss_tmo = vport->cfg_devloss_tmo; 3399 3398 #if (IS_ENABLED(CONFIG_NVME_FC)) 3399 + spin_lock(&vport->phba->hbalock); 3400 3400 rport = lpfc_ndlp_get_nrport(ndlp); 3401 3401 if (rport) 3402 + remoteport = rport->remoteport; 3403 + spin_unlock(&vport->phba->hbalock); 3404 + if (remoteport) 3402 3405 nvme_fc_set_remoteport_devloss(rport->remoteport, 3403 3406 vport->cfg_devloss_tmo); 3404 3407 #endif
+5 -5
drivers/scsi/lpfc/lpfc_debugfs.c
··· 551 551 unsigned char *statep; 552 552 struct nvme_fc_local_port *localport; 553 553 struct lpfc_nvmet_tgtport *tgtp; 554 - struct nvme_fc_remote_port *nrport; 554 + struct nvme_fc_remote_port *nrport = NULL; 555 555 struct lpfc_nvme_rport *rport; 556 556 557 557 cnt = (LPFC_NODELIST_SIZE / LPFC_NODELIST_ENTRY_SIZE); ··· 696 696 len += snprintf(buf + len, size - len, "\tRport List:\n"); 697 697 list_for_each_entry(ndlp, &vport->fc_nodes, nlp_listp) { 698 698 /* local short-hand pointer. */ 699 + spin_lock(&phba->hbalock); 699 700 rport = lpfc_ndlp_get_nrport(ndlp); 700 - if (!rport) 701 - continue; 702 - 703 - nrport = rport->remoteport; 701 + if (rport) 702 + nrport = rport->remoteport; 703 + spin_unlock(&phba->hbalock); 704 704 if (!nrport) 705 705 continue; 706 706
+8 -3
drivers/scsi/lpfc/lpfc_nvme.c
··· 2725 2725 rpinfo.port_name = wwn_to_u64(ndlp->nlp_portname.u.wwn); 2726 2726 rpinfo.node_name = wwn_to_u64(ndlp->nlp_nodename.u.wwn); 2727 2727 2728 + spin_lock_irq(&vport->phba->hbalock); 2728 2729 oldrport = lpfc_ndlp_get_nrport(ndlp); 2730 + spin_unlock_irq(&vport->phba->hbalock); 2729 2731 if (!oldrport) 2730 2732 lpfc_nlp_get(ndlp); 2731 2733 ··· 2842 2840 struct nvme_fc_local_port *localport; 2843 2841 struct lpfc_nvme_lport *lport; 2844 2842 struct lpfc_nvme_rport *rport; 2845 - struct nvme_fc_remote_port *remoteport; 2843 + struct nvme_fc_remote_port *remoteport = NULL; 2846 2844 2847 2845 localport = vport->localport; 2848 2846 ··· 2856 2854 if (!lport) 2857 2855 goto input_err; 2858 2856 2857 + spin_lock_irq(&vport->phba->hbalock); 2859 2858 rport = lpfc_ndlp_get_nrport(ndlp); 2860 - if (!rport) 2859 + if (rport) 2860 + remoteport = rport->remoteport; 2861 + spin_unlock_irq(&vport->phba->hbalock); 2862 + if (!remoteport) 2861 2863 goto input_err; 2862 2864 2863 - remoteport = rport->remoteport; 2864 2865 lpfc_printf_vlog(vport, KERN_INFO, LOG_NVME_DISC, 2865 2866 "6033 Unreg nvme remoteport %p, portname x%llx, " 2866 2867 "port_id x%06x, portstate x%x port type x%x\n",
+5 -1
drivers/scsi/sd.c
··· 1276 1276 case REQ_OP_ZONE_RESET: 1277 1277 return sd_zbc_setup_reset_cmnd(cmd); 1278 1278 default: 1279 - BUG(); 1279 + WARN_ON_ONCE(1); 1280 + return BLKPREP_KILL; 1280 1281 } 1281 1282 } 1282 1283 ··· 2960 2959 if (rot == 1) { 2961 2960 blk_queue_flag_set(QUEUE_FLAG_NONROT, q); 2962 2961 blk_queue_flag_clear(QUEUE_FLAG_ADD_RANDOM, q); 2962 + } else { 2963 + blk_queue_flag_clear(QUEUE_FLAG_NONROT, q); 2964 + blk_queue_flag_set(QUEUE_FLAG_ADD_RANDOM, q); 2963 2965 } 2964 2966 2965 2967 if (sdkp->device->type == TYPE_ZBC) {
+7
drivers/scsi/ufs/ufshcd.c
··· 7940 7940 err = -ENOMEM; 7941 7941 goto out_error; 7942 7942 } 7943 + 7944 + /* 7945 + * Do not use blk-mq at this time because blk-mq does not support 7946 + * runtime pm. 7947 + */ 7948 + host->use_blk_mq = false; 7949 + 7943 7950 hba = shost_priv(host); 7944 7951 hba->host = host; 7945 7952 hba->dev = dev;
+17 -28
drivers/target/iscsi/iscsi_target_auth.c
··· 26 26 #include "iscsi_target_nego.h" 27 27 #include "iscsi_target_auth.h" 28 28 29 - static int chap_string_to_hex(unsigned char *dst, unsigned char *src, int len) 30 - { 31 - int j = DIV_ROUND_UP(len, 2), rc; 32 - 33 - rc = hex2bin(dst, src, j); 34 - if (rc < 0) 35 - pr_debug("CHAP string contains non hex digit symbols\n"); 36 - 37 - dst[j] = '\0'; 38 - return j; 39 - } 40 - 41 - static void chap_binaryhex_to_asciihex(char *dst, char *src, int src_len) 42 - { 43 - int i; 44 - 45 - for (i = 0; i < src_len; i++) { 46 - sprintf(&dst[i*2], "%02x", (int) src[i] & 0xff); 47 - } 48 - } 49 - 50 29 static int chap_gen_challenge( 51 30 struct iscsi_conn *conn, 52 31 int caller, ··· 41 62 ret = get_random_bytes_wait(chap->challenge, CHAP_CHALLENGE_LENGTH); 42 63 if (unlikely(ret)) 43 64 return ret; 44 - chap_binaryhex_to_asciihex(challenge_asciihex, chap->challenge, 65 + bin2hex(challenge_asciihex, chap->challenge, 45 66 CHAP_CHALLENGE_LENGTH); 46 67 /* 47 68 * Set CHAP_C, and copy the generated challenge into c_str. ··· 227 248 pr_err("Could not find CHAP_R.\n"); 228 249 goto out; 229 250 } 251 + if (strlen(chap_r) != MD5_SIGNATURE_SIZE * 2) { 252 + pr_err("Malformed CHAP_R\n"); 253 + goto out; 254 + } 255 + if (hex2bin(client_digest, chap_r, MD5_SIGNATURE_SIZE) < 0) { 256 + pr_err("Malformed CHAP_R\n"); 257 + goto out; 258 + } 230 259 231 260 pr_debug("[server] Got CHAP_R=%s\n", chap_r); 232 - chap_string_to_hex(client_digest, chap_r, strlen(chap_r)); 233 261 234 262 tfm = crypto_alloc_shash("md5", 0, 0); 235 263 if (IS_ERR(tfm)) { ··· 280 294 goto out; 281 295 } 282 296 283 - chap_binaryhex_to_asciihex(response, server_digest, MD5_SIGNATURE_SIZE); 297 + bin2hex(response, server_digest, MD5_SIGNATURE_SIZE); 284 298 pr_debug("[server] MD5 Server Digest: %s\n", response); 285 299 286 300 if (memcmp(server_digest, client_digest, MD5_SIGNATURE_SIZE) != 0) { ··· 335 349 pr_err("Could not find CHAP_C.\n"); 336 350 goto out; 337 351 } 338 - pr_debug("[server] Got CHAP_C=%s\n", challenge); 339 - challenge_len = chap_string_to_hex(challenge_binhex, challenge, 340 - strlen(challenge)); 352 + challenge_len = DIV_ROUND_UP(strlen(challenge), 2); 341 353 if (!challenge_len) { 342 354 pr_err("Unable to convert incoming challenge\n"); 343 355 goto out; ··· 344 360 pr_err("CHAP_C exceeds maximum binary size of 1024 bytes\n"); 345 361 goto out; 346 362 } 363 + if (hex2bin(challenge_binhex, challenge, challenge_len) < 0) { 364 + pr_err("Malformed CHAP_C\n"); 365 + goto out; 366 + } 367 + pr_debug("[server] Got CHAP_C=%s\n", challenge); 347 368 /* 348 369 * During mutual authentication, the CHAP_C generated by the 349 370 * initiator must not match the original CHAP_C generated by ··· 402 413 /* 403 414 * Convert response from binary hex to ascii hext. 404 415 */ 405 - chap_binaryhex_to_asciihex(response, digest, MD5_SIGNATURE_SIZE); 416 + bin2hex(response, digest, MD5_SIGNATURE_SIZE); 406 417 *nr_out_len += sprintf(nr_out_ptr + *nr_out_len, "CHAP_R=0x%s", 407 418 response); 408 419 *nr_out_len += 1;