linux-stable.git/drivers/scsi/libfc, branch v4.9.166 Linux kernel stable tree scsi: libfc: free skb when receiving invalid flogi resp 2019-03-13T21:04:57+00:00 Ming Lu ming.lu@citrix.com 2019-01-24T05:25:42+00:00 5224c7811d50b5f2bbc26723b4bf4fc90dbdb2e7 [ Upstream commit 5d8fc4a9f0eec20b6c07895022a6bea3fb6dfb38 ] The issue to be fixed in this commit is when libfc found it received a invalid FLOGI response from FC switch, it would return without freeing the fc frame, which is just the skb data. This would cause memory leak if FC switch keeps sending invalid FLOGI responses. This fix is just to make it execute `fc_frame_free(fp)` before returning from function `fc_lport_flogi_resp`. Signed-off-by: Ming Lu <ming.lu@citrix.com> Reviewed-by: Hannes Reinecke <hare@suse.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 
[ Upstream commit 5d8fc4a9f0eec20b6c07895022a6bea3fb6dfb38 ]

The issue to be fixed in this commit is when libfc found it received a
invalid FLOGI response from FC switch, it would return without freeing the
fc frame, which is just the skb data. This would cause memory leak if FC
switch keeps sending invalid FLOGI responses.

This fix is just to make it execute `fc_frame_free(fp)` before returning
from function `fc_lport_flogi_resp`.

Signed-off-by: Ming Lu <ming.lu@citrix.com>
Reviewed-by: Hannes Reinecke <hare@suse.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
scsi: fcoe: clear FC_RP_STARTED flags when receiving a LOGO 2018-09-05T07:20:04+00:00 Johannes Thumshirn jthumshirn@suse.de 2018-07-31T13:46:03+00:00 a8871571f3561251f5f92d8cb0d2cd4f11d38123 [ Upstream commit 1550ec458e0cf1a40a170ab1f4c46e3f52860f65 ] When receiving a LOGO request we forget to clear the FC_RP_STARTED flag before starting the rport delete routine. As the started flag was not cleared, we're not deleting the rport but waiting for a restart and thus are keeping the reference count of the rdata object at 1. This leads to the following kmemleak report: unreferenced object 0xffff88006542aa00 (size 512): comm "kworker/0:2", pid 24, jiffies 4294899222 (age 226.880s) hex dump (first 32 bytes): 68 96 fe 65 00 88 ff ff 00 00 00 00 00 00 00 00 h..e............ 01 00 00 00 08 00 00 00 02 c5 45 24 ac b8 00 10 ..........E$.... backtrace: [<(____ptrval____)>] fcoe_ctlr_vn_add.isra.5+0x7f/0x770 [libfcoe] [<(____ptrval____)>] fcoe_ctlr_vn_recv+0x12af/0x27f0 [libfcoe] [<(____ptrval____)>] fcoe_ctlr_recv_work+0xd01/0x32f0 [libfcoe] [<(____ptrval____)>] process_one_work+0x7ff/0x1420 [<(____ptrval____)>] worker_thread+0x87/0xef0 [<(____ptrval____)>] kthread+0x2db/0x390 [<(____ptrval____)>] ret_from_fork+0x35/0x40 [<(____ptrval____)>] 0xffffffffffffffff Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de> Reported-by: ard <ard@kwaak.net> Reviewed-by: Hannes Reinecke <hare@suse.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
[ Upstream commit 1550ec458e0cf1a40a170ab1f4c46e3f52860f65 ]

When receiving a LOGO request we forget to clear the FC_RP_STARTED flag
before starting the rport delete routine.

As the started flag was not cleared, we're not deleting the rport but
waiting for a restart and thus are keeping the reference count of the rdata
object at 1.

This leads to the following kmemleak report:
unreferenced object 0xffff88006542aa00 (size 512):
  comm "kworker/0:2", pid 24, jiffies 4294899222 (age 226.880s)
  hex dump (first 32 bytes):
    68 96 fe 65 00 88 ff ff 00 00 00 00 00 00 00 00  h..e............
    01 00 00 00 08 00 00 00 02 c5 45 24 ac b8 00 10  ..........E$....
  backtrace:
    [<(____ptrval____)>] fcoe_ctlr_vn_add.isra.5+0x7f/0x770 [libfcoe]
    [<(____ptrval____)>] fcoe_ctlr_vn_recv+0x12af/0x27f0 [libfcoe]
    [<(____ptrval____)>] fcoe_ctlr_recv_work+0xd01/0x32f0 [libfcoe]
    [<(____ptrval____)>] process_one_work+0x7ff/0x1420
    [<(____ptrval____)>] worker_thread+0x87/0xef0
    [<(____ptrval____)>] kthread+0x2db/0x390
    [<(____ptrval____)>] ret_from_fork+0x35/0x40
    [<(____ptrval____)>] 0xffffffffffffffff

Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
Reported-by: ard <ard@kwaak.net>
Reviewed-by: Hannes Reinecke <hare@suse.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
scsi: libfc: fix seconds_since_last_reset miscalculation 2016-11-18T01:44:51+00:00 Johannes Thumshirn jthumshirn@suse.de 2016-11-17T11:50:23+00:00 208da78e8ec8b6d6ce3747ab0e5c120458e08ae6 Commit 540eb1eef0ab ("scsi: libfc: fix seconds_since_last_reset calculation") removed the use of 'struct timespec' from fc_get_host_stats(). This broke the output of 'fcoeadm -s' after kernel 4.8-rc1. Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de> Cc: <stable@vger.kernel.org> # v4.8+ Fixes: 540eb1eef0ab ("scsi: libfc: fix seconds_since_last_reset calculation") Acked-by: Arnd Bergmann <arnd@arndb.de> Reviewed-by: Bart Van Assche <bart.vanassche@sandisk.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 
Commit 540eb1eef0ab ("scsi: libfc: fix seconds_since_last_reset calculation")
removed the use of 'struct timespec' from fc_get_host_stats(). This broke the
output of 'fcoeadm -s' after kernel 4.8-rc1.

Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
Cc: <stable@vger.kernel.org> # v4.8+
Fixes: 540eb1eef0ab ("scsi: libfc: fix seconds_since_last_reset calculation")
Acked-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Bart Van Assche <bart.vanassche@sandisk.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
scsi: libfc: do not send ABTS when resetting exchanges 2016-08-19T02:35:17+00:00 Hannes Reinecke hare@suse.de 2016-08-05T12:55:03+00:00 a850ced42916a9bf25f4595c744156e6b8b8f5c0 When all exchanges are reset the upper layers have already logged out of the remote port, so the exchanges can be reset without sending any ABTS. Signed-off-by: Hannes Reinecke <hare@suse.com> Reviewed-by: Chad Dupuis <chad.dupuis@qlogic.com> Tested-by: Chad Dupuis <chad.dupuis@qlogic.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 
When all exchanges are reset the upper layers have already logged out of
the remote port, so the exchanges can be reset without sending any ABTS.

Signed-off-by: Hannes Reinecke <hare@suse.com>
Reviewed-by: Chad Dupuis <chad.dupuis@qlogic.com>
Tested-by: Chad Dupuis <chad.dupuis@qlogic.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
scsi: libfc: reset exchange manager during LOGO handling 2016-08-19T02:34:40+00:00 Hannes Reinecke hare@suse.de 2016-08-05T12:55:02+00:00 649eb8693857e9b9fca009fba4eb7e80f9f3a326 FC-LS mandates that we should invalidate all sequences before sending a LOGO. And we should set the event to RPORT_EV_STOP when a LOGO request has been received to signal that all exchanges are terminated. Signed-off-by: Hannes Reinecke <hare@suse.com> Reviewed-by: Chad Dupuis <chad.dupuis@qlogic.com> Tested-by: Chad Dupuis <chad.dupuis@qlogic.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 
FC-LS mandates that we should invalidate all sequences before sending a
LOGO. And we should set the event to RPORT_EV_STOP when a LOGO request
has been received to signal that all exchanges are terminated.

Signed-off-by: Hannes Reinecke <hare@suse.com>
Reviewed-by: Chad Dupuis <chad.dupuis@qlogic.com>
Tested-by: Chad Dupuis <chad.dupuis@qlogic.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
scsi: libfc: send LOGO for PLOGI failure 2016-08-19T02:34:05+00:00 Hannes Reinecke hare@suse.de 2016-08-05T12:55:01+00:00 d391966a03846176a78ef8d53898de8b4302a2be When running in point-to-multipoint mode PLOGI is done after FLOGI completed. So when the PLOGI fails we should be sending a LOGO to the remote port. [mkp: Applied by hand] Signed-off-by: Hannes Reinecke <hare@suse.com> Reviewed-by: Chad Dupuis <chad.dupuis@qlogic.com> Tested-by: Chad Dupuis <chad.dupuis@qlogic.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 
When running in point-to-multipoint mode PLOGI is done after FLOGI
completed. So when the PLOGI fails we should be sending a LOGO to the
remote port.

[mkp: Applied by hand]

Signed-off-by: Hannes Reinecke <hare@suse.com>
Reviewed-by: Chad Dupuis <chad.dupuis@qlogic.com>
Tested-by: Chad Dupuis <chad.dupuis@qlogic.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
scsi: libfc: Issue PRLI after a PRLO has been received 2016-08-19T02:27:26+00:00 Hannes Reinecke hare@suse.de 2016-08-05T12:55:00+00:00 166f310b629c046b7f5ca846adf978cda47b06c2 When receiving a PRLO it just means that the operating parameters have changed, it does _not_ mean that the port doesn't want to communicate with us. So instead of implicitly logging out we should be issueing a PRLI to figure out the new operating parameters. We can always recover once PRLI fails. Signed-off-by: Hannes Reinecke <hare@suse.com> Reviewed-by: Chad Dupuis <chad.dupuis@qlogic.com> Tested-by: Chad Dupuis <chad.dupuis@qlogic.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 
When receiving a PRLO it just means that the operating parameters have
changed, it does _not_ mean that the port doesn't want to communicate
with us.  So instead of implicitly logging out we should be issueing a
PRLI to figure out the new operating parameters.  We can always recover
once PRLI fails.

Signed-off-by: Hannes Reinecke <hare@suse.com>
Reviewed-by: Chad Dupuis <chad.dupuis@qlogic.com>
Tested-by: Chad Dupuis <chad.dupuis@qlogic.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
libfc: sanity check cpu number extracted from xid 2016-07-14T01:49:57+00:00 Chris Leech cleech@redhat.com 2016-06-30T15:32:36+00:00 fa06883281afaa158b2b350f16c377c448df6b61 In the receive path libfc extracts a cpu number from the ox_id in the fiber channel header and uses that to do a per_cpu_ptr conversion. If, for some reason, a frame is received with an invalid ox_id, per_cpu_ptr will return an invalid pointer and the libfc receive path will panic the system trying to use it. I'm currently looking at such a case, and I don't yet know why a cpu number > nr_cpu_ids is appearing in an exchange id. But adding a sanity check in libfc prevents a system panic, and seems like good idea when dealing with frames coming in from the network. Signed-off-by: Chris Leech <cleech@redhat.com> Acked-by: Johannes Thumshirn <jth@kernel.org> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 
In the receive path libfc extracts a cpu number from the ox_id in the
fiber channel header and uses that to do a per_cpu_ptr conversion.  If,
for some reason, a frame is received with an invalid ox_id, per_cpu_ptr
will return an invalid pointer and the libfc receive path will panic the
system trying to use it.

I'm currently looking at such a case, and I don't yet know why a cpu
number > nr_cpu_ids is appearing in an exchange id.  But adding a sanity
check in libfc prevents a system panic, and seems like good idea when
dealing with frames coming in from the network.

Signed-off-by: Chris Leech <cleech@redhat.com>
Acked-by: Johannes Thumshirn <jth@kernel.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
scsi: libfc: fix seconds_since_last_reset calculation 2016-07-13T03:16:31+00:00 Arnd Bergmann arnd@arndb.de 2016-06-17T15:47:25+00:00 540eb1eef0aba8bd10b7ebb3dc56cdb9e480164f The fc_get_host_stats() function contains a complex conversion from jiffies to timespec to seconds. As we try to get rid of uses of struct timespec, we can clean this up and replace it with a simpler computation. Simply dividing the difference in jiffies by HZ is not only much more efficient, it also avoids a problem that causes the seconds_since_last_reset value to be incorrect if jiffies has overrun since the 'boot_time' value was recorded. Signed-off-by: Arnd Bergmann <arnd@arndb.de> Reviewed-by: Bart Van Assche <bart.vanassche@sandisk.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 
The fc_get_host_stats() function contains a complex conversion from
jiffies to timespec to seconds. As we try to get rid of uses of struct
timespec, we can clean this up and replace it with a simpler
computation.

Simply dividing the difference in jiffies by HZ is not only much more
efficient, it also avoids a problem that causes the
seconds_since_last_reset value to be incorrect if jiffies has overrun
since the 'boot_time' value was recorded.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Bart Van Assche <bart.vanassche@sandisk.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
libfc: Update rport reference counting 2016-07-13T03:16:31+00:00 Hannes Reinecke hare@suse.de 2016-05-24T06:11:58+00:00 baa6719f902af9c03e528b08dfb847de295b5137 Originally libfc would just be initializing the refcount to '1', and using the disc_mutex to synchronize if and when the final put should be happening. This has a race condition as the mutex might be delayed, causing other threads to access an invalid structure. This patch updates the rport reference counting to increase the reference every time 'rport_lookup' is called, and decreases the reference correspondingly. This removes the need to hold 'disc_mutex' when removing the structure, and avoids the above race condition. Signed-off-by: Hannes Reinecke <hare@suse.com> Acked-by: Vasu Dev <vasu.dev@intel.com> Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 
Originally libfc would just be initializing the refcount to '1', and
using the disc_mutex to synchronize if and when the final put should be
happening.  This has a race condition as the mutex might be delayed,
causing other threads to access an invalid structure.  This patch
updates the rport reference counting to increase the reference every
time 'rport_lookup' is called, and decreases the reference
correspondingly.  This removes the need to hold 'disc_mutex' when
removing the structure, and avoids the above race condition.

Signed-off-by: Hannes Reinecke <hare@suse.com>
Acked-by: Vasu Dev <vasu.dev@intel.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>