<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/scsi/libfc, branch linux-3.18.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>scsi: libfc: free skb when receiving invalid flogi resp</title>
<updated>2019-03-23T07:18:56+00:00</updated>
<author>
<name>Ming Lu</name>
<email>ming.lu@citrix.com</email>
</author>
<published>2019-01-24T05:25:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=36fb86505290c771618e1e0a57c93f7e77649519'/>
<id>36fb86505290c771618e1e0a57c93f7e77649519</id>
<content type='text'>
[ Upstream commit 5d8fc4a9f0eec20b6c07895022a6bea3fb6dfb38 ]

The issue to be fixed in this commit is when libfc found it received an
invalid FLOGI response from the FC switch, it would return without freeing the
fc frame, which is just the skb data. This would cause a memory leak if the FC
switch keeps sending invalid FLOGI responses.

This fix is just to make it execute `fc_frame_free(fp)` before returning
from function `fc_lport_flogi_resp`.

Signed-off-by: Ming Lu &lt;ming.lu@citrix.com&gt;
Reviewed-by: Hannes Reinecke &lt;hare@suse.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>libfc: Fix fc_fcp_cleanup_each_cmd()</title>
<updated>2015-09-16T14:02:51+00:00</updated>
<author>
<name>Bart Van Assche</name>
<email>bart.vanassche@sandisk.com</email>
</author>
<published>2015-06-05T21:20:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b278b43bf686f872eb4a29d6d3c053b6df998f71'/>
<id>b278b43bf686f872eb4a29d6d3c053b6df998f71</id>
<content type='text'>
[ Upstream commit 8f2777f53e3d5ad8ef2a176a4463a5c8e1a16431 ]

Since fc_fcp_cleanup_cmd() can sleep this function must not
be called while holding a spinlock. This patch avoids that
fc_fcp_cleanup_each_cmd() triggers the following bug:

BUG: scheduling while atomic: sg_reset/1512/0x00000202
1 lock held by sg_reset/1512:
 #0:  (&amp;(&amp;fsp-&gt;scsi_pkt_lock)-&gt;rlock){+.-...}, at: [&lt;ffffffffc0225cd5&gt;] fc_fcp_cleanup_each_cmd.isra.21+0xa5/0x150 [libfc]
Preemption disabled at:[&lt;ffffffffc0225cd5&gt;] fc_fcp_cleanup_each_cmd.isra.21+0xa5/0x150 [libfc]
Call Trace:
 [&lt;ffffffff816c612c&gt;] dump_stack+0x4f/0x7b
 [&lt;ffffffff810828bc&gt;] __schedule_bug+0x6c/0xd0
 [&lt;ffffffff816c87aa&gt;] __schedule+0x71a/0xa10
 [&lt;ffffffff816c8ad2&gt;] schedule+0x32/0x80
 [&lt;ffffffffc0217eac&gt;] fc_seq_set_resp+0xac/0x100 [libfc]
 [&lt;ffffffffc0218b11&gt;] fc_exch_done+0x41/0x60 [libfc]
 [&lt;ffffffffc0225cff&gt;] fc_fcp_cleanup_each_cmd.isra.21+0xcf/0x150 [libfc]
 [&lt;ffffffffc0225f43&gt;] fc_eh_device_reset+0x1c3/0x270 [libfc]
 [&lt;ffffffff814a2cc9&gt;] scsi_try_bus_device_reset+0x29/0x60
 [&lt;ffffffff814a3908&gt;] scsi_ioctl_reset+0x258/0x2d0
 [&lt;ffffffff814a2650&gt;] scsi_ioctl+0x150/0x440
 [&lt;ffffffff814b3a9d&gt;] sd_ioctl+0xad/0x120
 [&lt;ffffffff8132f266&gt;] blkdev_ioctl+0x1b6/0x810
 [&lt;ffffffff811da608&gt;] block_ioctl+0x38/0x40
 [&lt;ffffffff811b4e08&gt;] do_vfs_ioctl+0x2f8/0x530
 [&lt;ffffffff811b50c1&gt;] SyS_ioctl+0x81/0xa0
 [&lt;ffffffff816cf8b2&gt;] system_call_fastpath+0x16/0x7a

Signed-off-by: Bart Van Assche &lt;bart.vanassche@sandisk.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Vasu Dev &lt;vasu.dev@intel.com&gt;
Signed-off-by: James Bottomley &lt;JBottomley@Odin.com&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</content>
</entry>
<entry>
<title>libfc: Fix fc_exch_recv_req() error path</title>
<updated>2015-09-16T14:02:34+00:00</updated>
<author>
<name>Bart Van Assche</name>
<email>bart.vanassche@sandisk.com</email>
</author>
<published>2015-06-05T21:20:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=532a0a6693852856c1520271d12b2a3217de47e3'/>
<id>532a0a6693852856c1520271d12b2a3217de47e3</id>
<content type='text'>
[ Upstream commit f6979adeaab578f8ca14fdd32b06ddee0d9d3314 ]

Due to patch "libfc: Do not invoke the response handler after
fc_exch_done()" (commit ID 7030fd62) the lport_recv() call
in fc_exch_recv_req() is passed a dangling pointer. Avoid this
by moving the fc_frame_free() call from fc_invoke_resp() to its
callers. This patch fixes the following crash:

general protection fault: 0000 [#3] PREEMPT SMP
RIP: fc_lport_recv_req+0x72/0x280 [libfc]
Call Trace:
 fc_exch_recv+0x642/0xde0 [libfc]
 fcoe_percpu_receive_thread+0x46a/0x5ed [fcoe]
 kthread+0x10a/0x120
 ret_from_fork+0x42/0x70

Signed-off-by: Bart Van Assche &lt;bart.vanassche@sandisk.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Vasu Dev &lt;vasu.dev@intel.com&gt;
Signed-off-by: James Bottomley &lt;JBottomley@Odin.com&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</content>
</entry>
<entry>
<title>libfc: Replace rcu_assign_pointer() with RCU_INIT_POINTER()</title>
<updated>2014-09-30T07:28:36+00:00</updated>
<author>
<name>Andreea-Cristina Bernat</name>
<email>bernat.ada@gmail.com</email>
</author>
<published>2014-08-18T14:56:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f4303d8fa6da702b5fe53fa91a6984941d89d514'/>
<id>f4303d8fa6da702b5fe53fa91a6984941d89d514</id>
<content type='text'>
The uses of "rcu_assign_pointer()" are NULLing out the pointers.
According to RCU_INIT_POINTER()'s block comment:
"1.   This use of RCU_INIT_POINTER() is NULLing out the pointer"
it is better to use it instead of rcu_assign_pointer() because it has a
smaller overhead.

The following Coccinelle semantic patch was used:
@@
@@

- rcu_assign_pointer
+ RCU_INIT_POINTER
  (..., NULL)

Signed-off-by: Andreea-Cristina Bernat &lt;bernat.ada@gmail.com&gt;
Acked-by: Vasu Dev &lt;vasu.dev@intel.com&gt;
Signed-off-by: Christoph Hellwig &lt;hch@lst.de&gt;
</content>
</entry>
<entry>
<title>fcp: Do not interpret check condition as underrun</title>
<updated>2013-09-04T20:52:35+00:00</updated>
<author>
<name>Bart Van Assche</name>
<email>bvanassche@acm.org</email>
</author>
<published>2013-08-14T15:40:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=9de99010cbebca4d4343117eff1af9a64d5d4896'/>
<id>9de99010cbebca4d4343117eff1af9a64d5d4896</id>
<content type='text'>
This patch avoids that the FCoE initiator sends a REC message after
having received a SCSI response with non-zero status and non-zero
DATA IN buffer length.

Signed-off-by: Bart Van Assche &lt;bvanassche@acm.org&gt;
Cc: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Signed-off-by: Robert Love &lt;robert.w.love@intel.com&gt;
</content>
</entry>
<entry>
<title>libfc: Do not invoke the response handler after fc_exch_done()</title>
<updated>2013-09-04T20:45:22+00:00</updated>
<author>
<name>Bart Van Assche</name>
<email>bvanassche@acm.org</email>
</author>
<published>2013-08-17T20:34:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=7030fd626129ec4d616784516a462d317c251d39'/>
<id>7030fd626129ec4d616784516a462d317c251d39</id>
<content type='text'>
While the FCoE initiator driver invokes fc_exch_done() from inside
the libfc response handler, FCoE target drivers typically invoke
fc_exch_done() from outside the libfc response handler. The object
fc_exch.arg points at may disappear as soon as fc_exch_done() has
finished. So it's important not to invoke the response handler
function after fc_exch_done() has finished. Modify libfc such that
this guarantee is provided if fc_exch_done() is invoked from
outside a response handler. This patch fixes a sporadic crash in
FCoE target implementations after a command has been aborted.

Signed-off-by: Bart Van Assche &lt;bvanassche@acm.org&gt;
Cc: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Signed-off-by: Robert Love &lt;robert.w.love@intel.com&gt;
</content>
</entry>
<entry>
<title>libfc: Reduce exchange lock contention in fc_exch_recv_abts()</title>
<updated>2013-09-04T20:37:53+00:00</updated>
<author>
<name>Bart Van Assche</name>
<email>bvanassche@acm.org</email>
</author>
<published>2013-08-14T15:38:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f95b35cfcacadac16dbc5477fd22b0786256a3d1'/>
<id>f95b35cfcacadac16dbc5477fd22b0786256a3d1</id>
<content type='text'>
Reduce the time during which the exchange lock is held by allocating
a frame before obtaining the exchange lock.

Signed-off-by: Bart Van Assche &lt;bvanassche@acm.org&gt;
Cc: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Signed-off-by: Robert Love &lt;robert.w.love@intel.com&gt;
</content>
</entry>
<entry>
<title>libfc: Avoid that sending after an abort triggers a kernel warning</title>
<updated>2013-09-04T20:30:43+00:00</updated>
<author>
<name>Bart Van Assche</name>
<email>bvanassche@acm.org</email>
</author>
<published>2013-08-14T15:37:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=cae7b6dd6c569f18f5c8e3f33cac60fbaeb58140'/>
<id>cae7b6dd6c569f18f5c8e3f33cac60fbaeb58140</id>
<content type='text'>
Calling fc_seq_send() after an ABTS message has been received triggers
a kernel warning (WARN_ON(!(ep-&gt;esb_stat &amp; ESB_ST_SEQ_INIT))). Avoid
this by returning -ENXIO to the caller if fc_seq_send() is invoked after
an ABTS message has been received.

Signed-off-by: Bart Van Assche &lt;bvanassche@acm.org&gt;
Cc: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Signed-off-by: Robert Love &lt;robert.w.love@intel.com&gt;
</content>
</entry>
<entry>
<title>libfc: Protect ep-&gt;esb_stat changes via ex_lock</title>
<updated>2013-09-04T20:23:38+00:00</updated>
<author>
<name>Bart Van Assche</name>
<email>bvanassche@acm.org</email>
</author>
<published>2013-08-14T15:37:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5d73bea2d3a004698d16ba5face89f0bef383e76'/>
<id>5d73bea2d3a004698d16ba5face89f0bef383e76</id>
<content type='text'>
This patch avoids that the WARN_ON(!(ep-&gt;esb_stat &amp; ESB_ST_SEQ_INIT))
statement in fc_seq_send_locked() gets triggered sporadically when
running FCoE target code due to concurrent ep-&gt;esb_stat modifications.

Signed-off-by: Bart Van Assche &lt;bvanassche@acm.org&gt;
Cc: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Signed-off-by: Robert Love &lt;robert.w.love@intel.com&gt;
</content>
</entry>
<entry>
<title>libfc: Fix a race in fc_exch_timer_set_locked()</title>
<updated>2013-09-04T20:16:25+00:00</updated>
<author>
<name>Bart Van Assche</name>
<email>bvanassche@acm.org</email>
</author>
<published>2013-08-14T15:35:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b86788658be425a5454246a954721d9122d2b3d6'/>
<id>b86788658be425a5454246a954721d9122d2b3d6</id>
<content type='text'>
It is allowed to pass a zero timeout value to fc_seq_exch_abort().
Avoid that this can cause the timeout function to drop the exchange
reference before it has been increased by fc_exch_timer_set_locked().
This patch fixes a crash when running FCoE target code with poisoning
enabled in the memory allocator.

Signed-off-by: Bart Van Assche &lt;bvanassche@acm.org&gt;
Cc: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Signed-off-by: Robert Love &lt;robert.w.love@intel.com&gt;
</content>
</entry>
</feed>
