1. 10 Feb, 2017 24 commits
    • Vincent Stehlé's avatar
      ubifs: Fix assertion in layout_in_gaps() · cfd4e393
      Vincent Stehlé authored
      commit c0082e98 upstream.
      
      An assertion in layout_in_gaps() verifies that the gap_lebs pointer is
      below the maximum bound. When computing this maximum bound the idx_lebs
      count is multiplied by sizeof(int), while C pointers arithmetic does take
      into account the size of the pointed elements implicitly already. Remove
      the multiplication to fix the assertion.
      
      Fixes: 1e51764a ("UBIFS: add new flash file system")
      Signed-off-by: default avatarVincent Stehlé <vincent.stehle@intel.com>
      Cc: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
      Signed-off-by: default avatarArtem Bityutskiy <artem.bityutskiy@linux.intel.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      cfd4e393
    • Ashish Samant's avatar
      ocfs2: fix start offset to ocfs2_zero_range_for_truncate() · 8b79f326
      Ashish Samant authored
      commit d21c353d upstream.
      
      If we punch a hole on a reflink such that following conditions are met:
      
      1. start offset is on a cluster boundary
      2. end offset is not on a cluster boundary
      3. (end offset is somewhere in another extent) or
         (hole range > MAX_CONTIG_BYTES(1MB)),
      
      we dont COW the first cluster starting at the start offset.  But in this
      case, we were wrongly passing this cluster to
      ocfs2_zero_range_for_truncate() to zero out.  This will modify the
      cluster in place and zero it in the source too.
      
      Fix this by skipping this cluster in such a scenario.
      
      To reproduce:
      
      1. Create a random file of say 10 MB
           xfs_io -c 'pwrite -b 4k 0 10M' -f 10MBfile
      2. Reflink  it
           reflink -f 10MBfile reflnktest
      3. Punch a hole at starting at cluster boundary  with range greater that
      1MB. You can also use a range that will put the end offset in another
      extent.
           fallocate -p -o 0 -l 1048615 reflnktest
      4. sync
      5. Check the  first cluster in the source file. (It will be zeroed out).
          dd if=10MBfile iflag=direct bs=<cluster size> count=1 | hexdump -C
      
      Link: http://lkml.kernel.org/r/1470957147-14185-1-git-send-email-ashish.samant@oracle.comSigned-off-by: default avatarAshish Samant <ashish.samant@oracle.com>
      Reported-by: default avatarSaar Maoz <saar.maoz@oracle.com>
      Reviewed-by: default avatarSrinivas Eeda <srinivas.eeda@oracle.com>
      Cc: Mark Fasheh <mfasheh@versity.com>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Junxiao Bi <junxiao.bi@oracle.com>
      Cc: Joseph Qi <joseph.qi@huawei.com>
      Cc: Eric Ren <zren@suse.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      8b79f326
    • Joseph Qi's avatar
      ocfs2/dlm: fix race between convert and migration · c7e3bdde
      Joseph Qi authored
      commit e6f0c6e6 upstream.
      
      Commit ac7cf246 ("ocfs2/dlm: fix race between convert and recovery")
      checks if lockres master has changed to identify whether new master has
      finished recovery or not.  This will introduce a race that right after
      old master does umount ( means master will change), a new convert
      request comes.
      
      In this case, it will reset lockres state to DLM_RECOVERING and then
      retry convert, and then fail with lockres->l_action being set to
      OCFS2_AST_INVALID, which will cause inconsistent lock level between
      ocfs2 and dlm, and then finally BUG.
      
      Since dlm recovery will clear lock->convert_pending in
      dlm_move_lockres_to_recovery_list, we can use it to correctly identify
      the race case between convert and recovery.  So fix it.
      
      Fixes: ac7cf246 ("ocfs2/dlm: fix race between convert and recovery")
      Link: http://lkml.kernel.org/r/57CE1569.8010704@huawei.comSigned-off-by: default avatarJoseph Qi <joseph.qi@huawei.com>
      Signed-off-by: default avatarJun Piao <piaojun@huawei.com>
      Cc: Mark Fasheh <mfasheh@versity.com>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Junxiao Bi <junxiao.bi@oracle.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      c7e3bdde
    • Jeff Mahoney's avatar
      btrfs: ensure that file descriptor used with subvol ioctls is a dir · 879149a0
      Jeff Mahoney authored
      commit 325c50e3 upstream.
      
      If the subvol/snapshot create/destroy ioctls are passed a regular file
      with execute permissions set, we'll eventually Oops while trying to do
      inode->i_op->lookup via lookup_one_len.
      
      This patch ensures that the file descriptor refers to a directory.
      
      Fixes: cb8e7090 (Btrfs: Fix subvolume creation locking rules)
      Fixes: 76dda93c (Btrfs: add snapshot/subvolume destroy ioctl)
      Signed-off-by: default avatarJeff Mahoney <jeffm@suse.com>
      Signed-off-by: default avatarChris Mason <clm@fb.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      879149a0
    • Darrick J. Wong's avatar
      libxfs: clean up _calc_dquots_per_chunk · 444f0f1d
      Darrick J. Wong authored
      commit 58d78967 upstream.
      
      The function xfs_calc_dquots_per_chunk takes a parameter in units
      of basic blocks.  The kernel seems to get the units wrong, but
      userspace got 'fixed' by commenting out the unnecessary conversion.
      Fix both.
      Signed-off-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
      Reviewed-by: default avatarEric Sandeen <sandeen@redhat.com>
      Signed-off-by: default avatarDave Chinner <david@fromorbit.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      444f0f1d
    • Dave Chinner's avatar
      xfs: fix superblock inprogress check · 5a8afb1c
      Dave Chinner authored
      commit f3d7ebde upstream.
      
      From inspection, the superblock sb_inprogress check is done in the
      verifier and triggered only for the primary superblock via a
      "bp->b_bn == XFS_SB_DADDR" check.
      
      Unfortunately, the primary superblock is an uncached buffer, and
      hence it is configured by xfs_buf_read_uncached() with:
      
      	bp->b_bn = XFS_BUF_DADDR_NULL;  /* always null for uncached buffers */
      
      And so this check never triggers. Fix it.
      Signed-off-by: default avatarDave Chinner <dchinner@redhat.com>
      Reviewed-by: default avatarBrian Foster <bfoster@redhat.com>
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarDave Chinner <david@fromorbit.com>
      [wt: s/xfs_sb.c/xfs_mount.c in 3.10]
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      5a8afb1c
    • Mike Galbraith's avatar
      reiserfs: Unlock superblock before calling reiserfs_quota_on_mount() · ee894273
      Mike Galbraith authored
      commit 420902c9 upstream.
      
      If we hold the superblock lock while calling reiserfs_quota_on_mount(), we can
      deadlock our own worker - mount blocks kworker/3:2, sleeps forever more.
      
      crash> ps|grep UN
          715      2   3  ffff880220734d30  UN   0.0       0      0  [kworker/3:2]
         9369   9341   2  ffff88021ffb7560  UN   1.3  493404 123184  Xorg
         9665   9664   3  ffff880225b92ab0  UN   0.0   47368    812  udisks-daemon
        10635  10403   3  ffff880222f22c70  UN   0.0   14904    936  mount
      crash> bt ffff880220734d30
      PID: 715    TASK: ffff880220734d30  CPU: 3   COMMAND: "kworker/3:2"
       #0 [ffff8802244c3c20] schedule at ffffffff8144584b
       #1 [ffff8802244c3cc8] __rt_mutex_slowlock at ffffffff814472b3
       #2 [ffff8802244c3d28] rt_mutex_slowlock at ffffffff814473f5
       #3 [ffff8802244c3dc8] reiserfs_write_lock at ffffffffa05f28fd [reiserfs]
       #4 [ffff8802244c3de8] flush_async_commits at ffffffffa05ec91d [reiserfs]
       #5 [ffff8802244c3e08] process_one_work at ffffffff81073726
       #6 [ffff8802244c3e68] worker_thread at ffffffff81073eba
       #7 [ffff8802244c3ec8] kthread at ffffffff810782e0
       #8 [ffff8802244c3f48] kernel_thread_helper at ffffffff81450064
      crash> rd ffff8802244c3cc8 10
      ffff8802244c3cc8:  ffffffff814472b3 ffff880222f23250   .rD.....P2."....
      ffff8802244c3cd8:  0000000000000000 0000000000000286   ................
      ffff8802244c3ce8:  ffff8802244c3d30 ffff880220734d80   0=L$.....Ms ....
      ffff8802244c3cf8:  ffff880222e8f628 0000000000000000   (.."............
      ffff8802244c3d08:  0000000000000000 0000000000000002   ................
      crash> struct rt_mutex ffff880222e8f628
      struct rt_mutex {
        wait_lock = {
          raw_lock = {
            slock = 65537
          }
        },
        wait_list = {
          node_list = {
            next = 0xffff8802244c3d48,
            prev = 0xffff8802244c3d48
          }
        },
        owner = 0xffff880222f22c71,
        save_state = 0
      }
      crash> bt 0xffff880222f22c70
      PID: 10635  TASK: ffff880222f22c70  CPU: 3   COMMAND: "mount"
       #0 [ffff8802216a9868] schedule at ffffffff8144584b
       #1 [ffff8802216a9910] schedule_timeout at ffffffff81446865
       #2 [ffff8802216a99a0] wait_for_common at ffffffff81445f74
       #3 [ffff8802216a9a30] flush_work at ffffffff810712d3
       #4 [ffff8802216a9ab0] schedule_on_each_cpu at ffffffff81074463
       #5 [ffff8802216a9ae0] invalidate_bdev at ffffffff81178aba
       #6 [ffff8802216a9af0] vfs_load_quota_inode at ffffffff811a3632
       #7 [ffff8802216a9b50] dquot_quota_on_mount at ffffffff811a375c
       #8 [ffff8802216a9b80] finish_unfinished at ffffffffa05dd8b0 [reiserfs]
       #9 [ffff8802216a9cc0] reiserfs_fill_super at ffffffffa05de825 [reiserfs]
          RIP: 00007f7b9303997a  RSP: 00007ffff443c7a8  RFLAGS: 00010202
          RAX: 00000000000000a5  RBX: ffffffff8144ef12  RCX: 00007f7b932e9ee0
          RDX: 00007f7b93d9a400  RSI: 00007f7b93d9a3e0  RDI: 00007f7b93d9a3c0
          RBP: 00007f7b93d9a2c0   R8: 00007f7b93d9a550   R9: 0000000000000001
          R10: ffffffffc0ed040e  R11: 0000000000000202  R12: 000000000000040e
          R13: 0000000000000000  R14: 00000000c0ed040e  R15: 00007ffff443ca20
          ORIG_RAX: 00000000000000a5  CS: 0033  SS: 002b
      Signed-off-by: default avatarMike Galbraith <efault@gmx.de>
      Acked-by: default avatarFrederic Weisbecker <fweisbec@gmail.com>
      Acked-by: default avatarMike Galbraith <mgalbraith@suse.de>
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      ee894273
    • Jeff Mahoney's avatar
      reiserfs: fix "new_insert_key may be used uninitialized ..." · 52495e7b
      Jeff Mahoney authored
      commit 0a11b9aa upstream.
      
      new_insert_key only makes any sense when it's associated with a
      new_insert_ptr, which is initialized to NULL and changed to a
      buffer_head when we also initialize new_insert_key.  We can key off of
      that to avoid the uninitialized warning.
      
      Link: http://lkml.kernel.org/r/5eca5ffb-2155-8df2-b4a2-f162f105efed@suse.comSigned-off-by: default avatarJeff Mahoney <jeffm@suse.com>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Jan Kara <jack@suse.cz>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      52495e7b
    • Theodore Ts'o's avatar
      ext4: sanity check the block and cluster size at mount time · a7ee70f6
      Theodore Ts'o authored
      commit 8cdf3372 upstream.
      
      If the block size or cluster size is insane, reject the mount.  This
      is important for security reasons (although we shouldn't be just
      depending on this check).
      
      Ref: http://www.securityfocus.com/archive/1/539661
      Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1332506Reported-by: default avatarBorislav Petkov <bp@alien8.de>
      Reported-by: default avatarNikolay Borisov <kernel@kyup.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      a7ee70f6
    • Ross Zwisler's avatar
      ext4: allow DAX writeback for hole punch · 7a97321f
      Ross Zwisler authored
      commit cca32b7e upstream.
      
      Currently when doing a DAX hole punch with ext4 we fail to do a writeback.
      This is because the logic around filemap_write_and_wait_range() in
      ext4_punch_hole() only looks for dirty page cache pages in the radix tree,
      not for dirty DAX exceptional entries.
      Signed-off-by: default avatarRoss Zwisler <ross.zwisler@linux.intel.com>
      Reviewed-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      7a97321f
    • Daeho Jeong's avatar
      ext4: reinforce check of i_dtime when clearing high fields of uid and gid · 1326ba87
      Daeho Jeong authored
      commit 93e3b4e6 upstream.
      
      Now, ext4_do_update_inode() clears high 16-bit fields of uid/gid
      of deleted and evicted inode to fix up interoperability with old
      kernels. However, it checks only i_dtime of an inode to determine
      whether the inode was deleted and evicted, and this is very risky,
      because i_dtime can be used for the pointer maintaining orphan inode
      list, too. We need to further check whether the i_dtime is being
      used for the orphan inode list even if the i_dtime is not NULL.
      
      We found that high 16-bit fields of uid/gid of inode are unintentionally
      and permanently cleared when the inode truncation is just triggered,
      but not finished, and the inode metadata, whose high uid/gid bits are
      cleared, is written on disk, and the sudden power-off follows that
      in order.
      Signed-off-by: default avatarDaeho Jeong <daeho.jeong@samsung.com>
      Signed-off-by: default avatarHobin Woo <hobin.woo@samsung.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      1326ba87
    • Konstantin Khlebnikov's avatar
      ext4: use __GFP_NOFAIL in ext4_free_blocks() · fa8a01a8
      Konstantin Khlebnikov authored
      commit adb7ef60 upstream.
      
      This might be unexpected but pages allocated for sbi->s_buddy_cache are
      charged to current memory cgroup. So, GFP_NOFS allocation could fail if
      current task has been killed by OOM or if current memory cgroup has no
      free memory left. Block allocator cannot handle such failures here yet.
      Signed-off-by: default avatarKonstantin Khlebnikov <khlebnikov@yandex-team.ru>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      fa8a01a8
    • Daeho Jeong's avatar
      ext4: avoid modifying checksum fields directly during checksum verification · 3a45bbb2
      Daeho Jeong authored
      commit b47820ed upstream.
      
      We temporally change checksum fields in buffers of some types of
      metadata into '0' for verifying the checksum values. By doing this
      without locking the buffer, some metadata's checksums, which are
      being committed or written back to the storage, could be damaged.
      In our test, several metadata blocks were found with damaged metadata
      checksum value during recovery process. When we only verify the
      checksum value, we have to avoid modifying checksum fields directly.
      Signed-off-by: default avatarDaeho Jeong <daeho.jeong@samsung.com>
      Signed-off-by: default avatarYoungjin Gil <youngjin.gil@samsung.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Reviewed-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      3a45bbb2
    • Theodore Ts'o's avatar
      ext4: validate that metadata blocks do not overlap superblock · 7d506613
      Theodore Ts'o authored
      commit 829fa70d upstream.
      
      A number of fuzzing failures seem to be caused by allocation bitmaps
      or other metadata blocks being pointed at the superblock.
      
      This can cause kernel BUG or WARNings once the superblock is
      overwritten, so validate the group descriptor blocks to make sure this
      doesn't happen.
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      7d506613
    • Ching Huang's avatar
      scsi: arcmsr: Send SYNCHRONIZE_CACHE command to firmware · 9c30efd6
      Ching Huang authored
      commit 2bf7dc84 upstream.
      
      The arcmsr driver failed to pass SYNCHRONIZE CACHE to controller
      firmware. Depending on how drive caches are handled internally by
      controller firmware this could potentially lead to data integrity
      problems.
      
      Ensure that cache flushes are passed to the controller.
      
      [mkp: applied by hand and removed unused vars]
      Signed-off-by: default avatarChing Huang <ching2048@areca.com.tw>
      Reported-by: default avatarTomas Henzl <thenzl@redhat.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      9c30efd6
    • Ewan D. Milne's avatar
      scsi: scsi_debug: Fix memory leak if LBP enabled and module is unloaded · bdf7e17f
      Ewan D. Milne authored
      commit 4d2b496f upstream.
      
      map_storep was not being vfree()'d in the module_exit call.
      Signed-off-by: default avatarEwan D. Milne <emilne@redhat.com>
      Reviewed-by: default avatarLaurence Oberman <loberman@redhat.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      bdf7e17f
    • Dan Carpenter's avatar
      scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() · 7a03031a
      Dan Carpenter authored
      commit 7bc2b55a upstream.
      
      We need to put an upper bound on "user_len" so the memcpy() doesn't
      overflow.
      
      [js] no ARCMSR_API_DATA_BUFLEN defined, use the number
      Reported-by: default avatarMarco Grassi <marco.gra@gmail.com>
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Reviewed-by: default avatarTomas Henzl <thenzl@redhat.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      7a03031a
    • Ming Lei's avatar
      scsi: Fix use-after-free · ba02e936
      Ming Lei authored
      commit bcd8f2e9 upstream.
      
      This patch fixes one use-after-free report[1] by KASAN.
      
      In __scsi_scan_target(), when a type 31 device is probed,
      SCSI_SCAN_TARGET_PRESENT is returned and the target will be scanned
      again.
      
      Inside the following scsi_report_lun_scan(), one new scsi_device
      instance is allocated, and scsi_probe_and_add_lun() is called again to
      probe the target and still see type 31 device, finally
      __scsi_remove_device() is called to remove & free the device at the end
      of scsi_probe_and_add_lun(), so cause use-after-free in
      scsi_report_lun_scan().
      
      And the following SCSI log can be observed:
      
      	scsi 0:0:2:0: scsi scan: INQUIRY pass 1 length 36
      	scsi 0:0:2:0: scsi scan: INQUIRY successful with code 0x0
      	scsi 0:0:2:0: scsi scan: peripheral device type of 31, no device added
      	scsi 0:0:2:0: scsi scan: Sending REPORT LUNS to (try 0)
      	scsi 0:0:2:0: scsi scan: REPORT LUNS successful (try 0) result 0x0
      	scsi 0:0:2:0: scsi scan: REPORT LUN scan
      	scsi 0:0:2:0: scsi scan: INQUIRY pass 1 length 36
      	scsi 0:0:2:0: scsi scan: INQUIRY successful with code 0x0
      	scsi 0:0:2:0: scsi scan: peripheral device type of 31, no device added
      	BUG: KASAN: use-after-free in __scsi_scan_target+0xbf8/0xe40 at addr ffff88007b44a104
      
      This patch fixes the issue by moving the putting reference at
      the end of scsi_report_lun_scan().
      
      [1] KASAN report
      ==================================================================
      [    3.274597] PM: Adding info for serio:serio1
      [    3.275127] BUG: KASAN: use-after-free in __scsi_scan_target+0xd87/0xdf0 at addr ffff880254d8c304
      [    3.275653] Read of size 4 by task kworker/u10:0/27
      [    3.275903] CPU: 3 PID: 27 Comm: kworker/u10:0 Not tainted 4.8.0 #2121
      [    3.276258] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [    3.276797] Workqueue: events_unbound async_run_entry_fn
      [    3.277083]  ffff880254d8c380 ffff880259a37870 ffffffff94bbc6c1 ffff880078402d80
      [    3.277532]  ffff880254d8bb80 ffff880259a37898 ffffffff9459fec1 ffff880259a37930
      [    3.277989]  ffff880254d8bb80 ffff880078402d80 ffff880259a37920 ffffffff945a0165
      [    3.278436] Call Trace:
      [    3.278528]  [<ffffffff94bbc6c1>] dump_stack+0x65/0x84
      [    3.278797]  [<ffffffff9459fec1>] kasan_object_err+0x21/0x70
      [    3.279063] device: 'psaux': device_add
      [    3.279616]  [<ffffffff945a0165>] kasan_report_error+0x205/0x500
      [    3.279651] PM: Adding info for No Bus:psaux
      [    3.280202]  [<ffffffff944ecd22>] ? kfree_const+0x22/0x30
      [    3.280486]  [<ffffffff94bc2dc9>] ? kobject_release+0x119/0x370
      [    3.280805]  [<ffffffff945a0543>] __asan_report_load4_noabort+0x43/0x50
      [    3.281170]  [<ffffffff9507e1f7>] ? __scsi_scan_target+0xd87/0xdf0
      [    3.281506]  [<ffffffff9507e1f7>] __scsi_scan_target+0xd87/0xdf0
      [    3.281848]  [<ffffffff9507d470>] ? scsi_add_device+0x30/0x30
      [    3.282156]  [<ffffffff94f7f660>] ? pm_runtime_autosuspend_expiration+0x60/0x60
      [    3.282570]  [<ffffffff956ddb07>] ? _raw_spin_lock+0x17/0x40
      [    3.282880]  [<ffffffff9507e505>] scsi_scan_channel+0x105/0x160
      [    3.283200]  [<ffffffff9507e8a2>] scsi_scan_host_selected+0x212/0x2f0
      [    3.283563]  [<ffffffff9507eb3c>] do_scsi_scan_host+0x1bc/0x250
      [    3.283882]  [<ffffffff9507efc1>] do_scan_async+0x41/0x450
      [    3.284173]  [<ffffffff941c1fee>] async_run_entry_fn+0xfe/0x610
      [    3.284492]  [<ffffffff941a8954>] ? pwq_dec_nr_in_flight+0x124/0x2a0
      [    3.284876]  [<ffffffff941d1770>] ? preempt_count_add+0x130/0x160
      [    3.285207]  [<ffffffff941a9a84>] process_one_work+0x544/0x12d0
      [    3.285526]  [<ffffffff941aa8e9>] worker_thread+0xd9/0x12f0
      [    3.285844]  [<ffffffff941aa810>] ? process_one_work+0x12d0/0x12d0
      [    3.286182]  [<ffffffff941bb365>] kthread+0x1c5/0x260
      [    3.286443]  [<ffffffff940855cd>] ? __switch_to+0x88d/0x1430
      [    3.286745]  [<ffffffff941bb1a0>] ? kthread_worker_fn+0x5a0/0x5a0
      [    3.287085]  [<ffffffff956dde9f>] ret_from_fork+0x1f/0x40
      [    3.287368]  [<ffffffff941bb1a0>] ? kthread_worker_fn+0x5a0/0x5a0
      [    3.287697] Object at ffff880254d8bb80, in cache kmalloc-2048 size: 2048
      [    3.288064] Allocated:
      [    3.288147] PID = 27
      [    3.288218]  [<ffffffff940b27ab>] save_stack_trace+0x2b/0x50
      [    3.288531]  [<ffffffff9459f246>] save_stack+0x46/0xd0
      [    3.288806]  [<ffffffff9459f4bd>] kasan_kmalloc+0xad/0xe0
      [    3.289098]  [<ffffffff9459c07e>] __kmalloc+0x13e/0x250
      [    3.289378]  [<ffffffff95078e5a>] scsi_alloc_sdev+0xea/0xcf0
      [    3.289701]  [<ffffffff9507de76>] __scsi_scan_target+0xa06/0xdf0
      [    3.290034]  [<ffffffff9507e505>] scsi_scan_channel+0x105/0x160
      [    3.290362]  [<ffffffff9507e8a2>] scsi_scan_host_selected+0x212/0x2f0
      [    3.290724]  [<ffffffff9507eb3c>] do_scsi_scan_host+0x1bc/0x250
      [    3.291055]  [<ffffffff9507efc1>] do_scan_async+0x41/0x450
      [    3.291354]  [<ffffffff941c1fee>] async_run_entry_fn+0xfe/0x610
      [    3.291695]  [<ffffffff941a9a84>] process_one_work+0x544/0x12d0
      [    3.292022]  [<ffffffff941aa8e9>] worker_thread+0xd9/0x12f0
      [    3.292325]  [<ffffffff941bb365>] kthread+0x1c5/0x260
      [    3.292594]  [<ffffffff956dde9f>] ret_from_fork+0x1f/0x40
      [    3.292886] Freed:
      [    3.292945] PID = 27
      [    3.293016]  [<ffffffff940b27ab>] save_stack_trace+0x2b/0x50
      [    3.293327]  [<ffffffff9459f246>] save_stack+0x46/0xd0
      [    3.293600]  [<ffffffff9459fa61>] kasan_slab_free+0x71/0xb0
      [    3.293916]  [<ffffffff9459bac2>] kfree+0xa2/0x1f0
      [    3.294168]  [<ffffffff9508158a>] scsi_device_dev_release_usercontext+0x50a/0x730
      [    3.294598]  [<ffffffff941ace9a>] execute_in_process_context+0xda/0x130
      [    3.294974]  [<ffffffff9508107c>] scsi_device_dev_release+0x1c/0x20
      [    3.295322]  [<ffffffff94f566f6>] device_release+0x76/0x1e0
      [    3.295626]  [<ffffffff94bc2db7>] kobject_release+0x107/0x370
      [    3.295942]  [<ffffffff94bc29ce>] kobject_put+0x4e/0xa0
      [    3.296222]  [<ffffffff94f56e17>] put_device+0x17/0x20
      [    3.296497]  [<ffffffff9505201c>] scsi_device_put+0x7c/0xa0
      [    3.296801]  [<ffffffff9507e1bc>] __scsi_scan_target+0xd4c/0xdf0
      [    3.297132]  [<ffffffff9507e505>] scsi_scan_channel+0x105/0x160
      [    3.297458]  [<ffffffff9507e8a2>] scsi_scan_host_selected+0x212/0x2f0
      [    3.297829]  [<ffffffff9507eb3c>] do_scsi_scan_host+0x1bc/0x250
      [    3.298156]  [<ffffffff9507efc1>] do_scan_async+0x41/0x450
      [    3.298453]  [<ffffffff941c1fee>] async_run_entry_fn+0xfe/0x610
      [    3.298777]  [<ffffffff941a9a84>] process_one_work+0x544/0x12d0
      [    3.299105]  [<ffffffff941aa8e9>] worker_thread+0xd9/0x12f0
      [    3.299408]  [<ffffffff941bb365>] kthread+0x1c5/0x260
      [    3.299676]  [<ffffffff956dde9f>] ret_from_fork+0x1f/0x40
      [    3.299967] Memory state around the buggy address:
      [    3.300209]  ffff880254d8c200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [    3.300608]  ffff880254d8c280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [    3.300986] >ffff880254d8c300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [    3.301408]                    ^
      [    3.301550]  ffff880254d8c380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [    3.301987]  ffff880254d8c400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [    3.302396]
      ==================================================================
      
      Cc: Christoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarMing Lei <tom.leiming@gmail.com>
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      ba02e936
    • Brian King's avatar
      scsi: ibmvfc: Fix I/O hang when port is not mapped · f6e64a44
      Brian King authored
      commit 07d0e9a8 upstream.
      
      If a VFC port gets unmapped in the VIOS, it may not respond with a CRQ
      init complete following H_REG_CRQ. If this occurs, we can end up having
      called scsi_block_requests and not a resulting unblock until the init
      complete happens, which may never occur, and we end up hanging I/O
      requests.  This patch ensures the host action stay set to
      IBMVFC_HOST_ACTION_TGT_DEL so we move all rports into devloss state and
      unblock unless we receive an init complete.
      Signed-off-by: default avatarBrian King <brking@linux.vnet.ibm.com>
      Acked-by: default avatarTyrel Datwyler <tyreld@linux.vnet.ibm.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      f6e64a44
    • Sumit Saxena's avatar
      scsi: megaraid_sas: fix macro MEGASAS_IS_LOGICAL to avoid regression · bb3445f8
      Sumit Saxena authored
      commit 5e5ec175 upstream.
      
      This patch will fix regression caused by commit 1e793f6f ("scsi:
      megaraid_sas: Fix data integrity failure for JBOD (passthrough)
      devices").
      
      The problem was that the MEGASAS_IS_LOGICAL macro did not have braces
      and as a result the driver ended up exposing a lot of non-existing SCSI
      devices (all SCSI commands to channels 1,2,3 were returned as
      SUCCESS-DID_OK by driver).
      
      [mkp: clarified patch description]
      
      Fixes: 1e793f6fReported-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarKashyap Desai <kashyap.desai@broadcom.com>
      Signed-off-by: default avatarSumit Saxena <sumit.saxena@broadcom.com>
      Tested-by: default avatarSumit Saxena <sumit.saxena@broadcom.com>
      Reviewed-by: default avatarTomas Henzl <thenzl@redhat.com>
      Tested-by: default avatarJens Axboe <axboe@fb.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      bb3445f8
    • Kashyap Desai's avatar
      scsi: megaraid_sas: Fix data integrity failure for JBOD (passthrough) devices · 00360043
      Kashyap Desai authored
      commit 1e793f6f upstream.
      
      Commit 02b01e01 ("megaraid_sas: return sync cache call with
      success") modified the driver to successfully complete SYNCHRONIZE_CACHE
      commands without passing them to the controller. Disk drive caches are
      only explicitly managed by controller firmware when operating in RAID
      mode. So this commit effectively disabled writeback cache flushing for
      any drives used in JBOD mode, leading to data integrity failures.
      
      [mkp: clarified patch description]
      
      Fixes: 02b01e01Signed-off-by: default avatarKashyap Desai <kashyap.desai@broadcom.com>
      Signed-off-by: default avatarSumit Saxena <sumit.saxena@broadcom.com>
      Reviewed-by: default avatarTomas Henzl <thenzl@redhat.com>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.com>
      Reviewed-by: default avatarEwan D. Milne <emilne@redhat.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      00360043
    • Andrey Grodzovsky's avatar
      mpt2sas: Fix secure erase premature termination · 0ae49760
      Andrey Grodzovsky authored
      Problem:
      This is a work around for a bug with LSI Fusion MPT SAS2 when
      pefroming secure erase. Due to the very long time the operation
      takes commands issued during the erase will time out and will trigger
      execution of abort hook. Even though the abort hook is called for
      the specific command which timed out this leads to entire device halt
      (scsi_state terminated) and premature termination of the secured erase.
      
      Fix:
      Set device state to busy while erase in progress to reject any incoming
      commands until the erase is done. The device is blocked any way during
      this time and cannot execute any other command.
      More data and logs can be found here -
      https://drive.google.com/file/d/0B9ocOHYHbbS1Q3VMdkkzeWFkTjg/view
      
      P.S
      This is a backport from the same fix for mpt3sas driver intended
      for pre-4.4 stable trees.
      Signed-off-by: default avatarAndrey Grodzovsky <andrey2805@gmail.com>
      Cc: Sreekanth Reddy <Sreekanth.Reddy@broadcom.com>
      Cc: Hannes Reinecke <hare@suse.de>
      Cc: PDL-MPT-FUSIONLINUX <MPT-FusionLinux.pdl@broadcom.com>
      Cc: Martin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      0ae49760
    • James Bottomley's avatar
      scsi: mpt3sas: fix hang on ata passthrough commands · dafa91f7
      James Bottomley authored
      commit ffb58456 upstream.
      
      mpt3sas has a firmware failure where it can only handle one pass through
      ATA command at a time.  If another comes in, contrary to the SAT
      standard, it will hang until the first one completes (causing long
      commands like secure erase to timeout).  The original fix was to block
      the device when an ATA command came in, but this caused a regression
      with
      
      commit 669f0441
      Author: Bart Van Assche <bart.vanassche@sandisk.com>
      Date:   Tue Nov 22 16:17:13 2016 -0800
      
          scsi: srp_transport: Move queuecommand() wait code to SCSI core
      
      So fix the original fix of the secure erase timeout by properly
      returning SAM_STAT_BUSY like the SAT recommends.  The original patch
      also had a concurrency problem since scsih_qcmd is lockless at that
      point (this is fixed by using atomic bitops to set and test the flag).
      
      [mkp: addressed feedback wrt. test_bit and fixed whitespace]
      
      Fixes: 18f6084a (mpt3sas: Fix secure erase premature termination)
      Signed-off-by: default avatarJames Bottomley <James.Bottomley@HansenPartnership.com>
      Acked-by: default avatarSreekanth Reddy <Sreekanth.Reddy@broadcom.com>
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Reported-by: default avatarIngo Molnar <mingo@kernel.org>
      Tested-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      [wt: adjust context]
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      dafa91f7
    • Suganath Prabu S's avatar
      scsi: mpt3sas: Unblock device after controller reset · d99fcf7d
      Suganath Prabu S authored
      commit 7ff723ad upstream.
      
      While issuing any ATA passthrough command to firmware the driver will
      block the device. But it will unblock the device only if the I/O
      completes through the ISR path. If a controller reset occurs before
      command completion the device will remain in blocked state.
      
      Make sure we unblock the device following a controller reset if an ATA
      passthrough command was queued.
      
      [mkp: clarified patch description]
      
      Cc: <stable@vger.kernel.org> # v4.4+
      Fixes: ac6c2a93bd07 ("mpt3sas: Fix for SATA drive in blocked state, after diag reset")
      Signed-off-by: default avatarSuganath Prabu S <suganath-prabu.subramani@broadcom.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      [wt: adjust context]
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      d99fcf7d
  2. 06 Feb, 2017 16 commits
    • Andrey Grodzovsky's avatar
      scsi: mpt3sas: Fix secure erase premature termination · 3a0c14e0
      Andrey Grodzovsky authored
      commit 18f6084a upstream.
      
      This is a work around for a bug with LSI Fusion MPT SAS2 when perfoming
      secure erase. Due to the very long time the operation takes, commands
      issued during the erase will time out and will trigger execution of the
      abort hook. Even though the abort hook is called for the specific
      command which timed out, this leads to entire device halt
      (scsi_state terminated) and premature termination of the secure erase.
      
      Set device state to busy while ATA passthrough commands are in progress.
      
      [mkp: hand applied to 4.9/scsi-fixes, tweaked patch description]
      Signed-off-by: default avatarAndrey Grodzovsky <andrey2805@gmail.com>
      Acked-by: default avatarSreekanth Reddy <Sreekanth.Reddy@broadcom.com>
      Cc: <linux-scsi@vger.kernel.org>
      Cc: Sathya Prakash <sathya.prakash@broadcom.com>
      Cc: Chaitra P B <chaitra.basappa@broadcom.com>
      Cc: Suganath Prabu Subramani <suganath-prabu.subramani@broadcom.com>
      Cc: Sreekanth Reddy <Sreekanth.Reddy@broadcom.com>
      Cc: Hannes Reinecke <hare@suse.de>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      3a0c14e0
    • Dan Carpenter's avatar
      scsi: zfcp: spin_lock_irqsave() is not nestable · 7ddb2584
      Dan Carpenter authored
      commit e7cb08e8 upstream.
      
      We accidentally overwrite the original saved value of "flags" so that we
      can't re-enable IRQs at the end of the function.  Presumably this
      function is mostly called with IRQs disabled or it would be obvious in
      testing.
      
      Fixes: aceeffbb ("zfcp: trace full payload of all SAN records (req,resp,iels)")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarSteffen Maier <maier@linux.vnet.ibm.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      7ddb2584
    • Steffen Maier's avatar
      zfcp: trace full payload of all SAN records (req,resp,iels) · beb0b6c9
      Steffen Maier authored
      commit aceeffbb upstream.
      
      This was lost with commit 2c55b750
      ("[SCSI] zfcp: Redesign of the debug tracing for SAN records.")
      but is necessary for problem determination, e.g. to see the
      currently active zone set during automatic port scan.
      
      For the large GPN_FT response (4 pages), save space by not dumping
      any empty residual entries.
      Signed-off-by: default avatarSteffen Maier <maier@linux.vnet.ibm.com>
      Fixes: 2c55b750 ("[SCSI] zfcp: Redesign of the debug tracing for SAN records.")
      Reviewed-by: default avatarAlexey Ishchuk <aishchuk@linux.vnet.ibm.com>
      Reviewed-by: default avatarBenjamin Block <bblock@linux.vnet.ibm.com>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      beb0b6c9
    • Steffen Maier's avatar
      zfcp: fix payload trace length for SAN request&response · 569816b4
      Steffen Maier authored
      commit 94db3725 upstream.
      
      commit 2c55b750
      ("[SCSI] zfcp: Redesign of the debug tracing for SAN records.")
      started to add FC_CT_HDR_LEN which made zfcp dump random data
      out of bounds for RSPN GS responses because u.rspn.rsp
      is the largest and last field in the union of struct zfcp_fc_req.
      Other request/response types only happened to stay within bounds
      due to the padding of the union or
      due to the trace capping of u.gspn.rsp to ZFCP_DBF_SAN_MAX_PAYLOAD.
      
      Timestamp      : ...
      Area           : SAN
      Subarea        : 00
      Level          : 1
      Exception      : -
      CPU id         : ..
      Caller         : ...
      Record id      : 2
      Tag            : fsscth2
      Request id     : 0x...
      Destination ID : 0x00fffffc
      Payload short  : 01000000 fc020000 80020000 00000000
                       xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx <===
                       00000000 00000000 00000000 00000000
      Payload length : 32                                  <===
      
      struct zfcp_fc_req {
          [0] struct zfcp_fsf_ct_els ct_els;
         [56] struct scatterlist sg_req;
         [96] struct scatterlist sg_rsp;
              union {
                  struct {req; rsp;} adisc;    SIZE: 28+28=   56
                  struct {req; rsp;} gid_pn;   SIZE: 24+20=   44
                  struct {rspsg; req;} gpn_ft; SIZE: 40*4+20=180
                  struct {req; rsp;} gspn;     SIZE: 20+273= 293
                  struct {req; rsp;} rspn;     SIZE: 277+16= 293
        [136] } u;
      }
      SIZE: 432
      Signed-off-by: default avatarSteffen Maier <maier@linux.vnet.ibm.com>
      Fixes: 2c55b750 ("[SCSI] zfcp: Redesign of the debug tracing for SAN records.")
      Reviewed-by: default avatarAlexey Ishchuk <aishchuk@linux.vnet.ibm.com>
      Reviewed-by: default avatarBenjamin Block <bblock@linux.vnet.ibm.com>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      569816b4
    • Steffen Maier's avatar
      zfcp: fix D_ID field with actual value on tracing SAN responses · 46737af6
      Steffen Maier authored
      commit 771bf035 upstream.
      
      With commit 2c55b750
      ("[SCSI] zfcp: Redesign of the debug tracing for SAN records.")
      we lost the N_Port-ID where an ELS response comes from.
      With commit 7c7dc196
      ("[SCSI] zfcp: Simplify handling of ct and els requests")
      we lost the N_Port-ID where a CT response comes from.
      It's especially useful if the request SAN trace record
      with D_ID was already lost due to trace buffer wrap.
      
      GS uses an open WKA port handle and ELS just a D_ID, and
      only for ELS we could get D_ID from QTCB bottom via zfcp_fsf_req.
      To cover both cases, add a new field to zfcp_fsf_ct_els
      and fill it in on request to use in SAN response trace.
      Strictly speaking the D_ID on SAN response is the FC frame's S_ID.
      We don't need a field for the other end which is always us.
      Signed-off-by: default avatarSteffen Maier <maier@linux.vnet.ibm.com>
      Fixes: 2c55b750 ("[SCSI] zfcp: Redesign of the debug tracing for SAN records.")
      Fixes: 7c7dc196 ("[SCSI] zfcp: Simplify handling of ct and els requests")
      Reviewed-by: default avatarBenjamin Block <bblock@linux.vnet.ibm.com>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      46737af6
    • Steffen Maier's avatar
      zfcp: restore tracing of handle for port and LUN with HBA records · 8467dd46
      Steffen Maier authored
      commit 7c964ffe upstream.
      
      This information was lost with
      commit a54ca0f6
      ("[SCSI] zfcp: Redesign of the debug tracing for HBA records.")
      but is required to debug e.g. invalid handle situations.
      Signed-off-by: default avatarSteffen Maier <maier@linux.vnet.ibm.com>
      Fixes: a54ca0f6 ("[SCSI] zfcp: Redesign of the debug tracing for HBA records.")
      Reviewed-by: default avatarBenjamin Block <bblock@linux.vnet.ibm.com>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      8467dd46
    • Steffen Maier's avatar
      zfcp: trace on request for open and close of WKA port · 69169095
      Steffen Maier authored
      commit d27a7cb9 upstream.
      
      Since commit a54ca0f6
      ("[SCSI] zfcp: Redesign of the debug tracing for HBA records.")
      HBA records no longer contain WWPN, D_ID, or LUN
      to reduce duplicate information which is already in REC records.
      In contrast to "regular" target ports, we don't use recovery to open
      WKA ports such as directory/nameserver, so we don't get REC records.
      Therefore, introduce pseudo REC running records without any
      actual recovery action but including D_ID of WKA port on open/close.
      Signed-off-by: default avatarSteffen Maier <maier@linux.vnet.ibm.com>
      Fixes: a54ca0f6 ("[SCSI] zfcp: Redesign of the debug tracing for HBA records.")
      Reviewed-by: default avatarBenjamin Block <bblock@linux.vnet.ibm.com>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      69169095
    • Steffen Maier's avatar
      zfcp: restore: Dont use 0 to indicate invalid LUN in rec trace · 05307725
      Steffen Maier authored
      commit 0102a30a upstream.
      
      bring back
      commit d21e9daa
      ("[SCSI] zfcp: Dont use 0 to indicate invalid LUN in rec trace")
      which was lost with
      commit ae0904f6
      ("[SCSI] zfcp: Redesign of the debug tracing for recovery actions.")
      Signed-off-by: default avatarSteffen Maier <maier@linux.vnet.ibm.com>
      Fixes: ae0904f6 ("[SCSI] zfcp: Redesign of the debug tracing for recovery actions.")
      Reviewed-by: default avatarBenjamin Block <bblock@linux.vnet.ibm.com>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      05307725
    • Steffen Maier's avatar
      zfcp: retain trace level for SCSI and HBA FSF response records · 909987d4
      Steffen Maier authored
      commit 35f040df upstream.
      
      While retaining the actual filtering according to trace level,
      the following commits started to write such filtered records
      with a hardcoded record level of 1 instead of the actual record level:
      commit 250a1352
      ("[SCSI] zfcp: Redesign of the debug tracing for SCSI records.")
      commit a54ca0f6
      ("[SCSI] zfcp: Redesign of the debug tracing for HBA records.")
      
      Now we can distinguish written records again for offline level filtering.
      Signed-off-by: default avatarSteffen Maier <maier@linux.vnet.ibm.com>
      Fixes: 250a1352 ("[SCSI] zfcp: Redesign of the debug tracing for SCSI records.")
      Fixes: a54ca0f6 ("[SCSI] zfcp: Redesign of the debug tracing for HBA records.")
      Reviewed-by: default avatarBenjamin Block <bblock@linux.vnet.ibm.com>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      909987d4
    • Steffen Maier's avatar
      zfcp: close window with unblocked rport during rport gone · efaebcb4
      Steffen Maier authored
      commit 4eeaa4f3 upstream.
      
      On a successful end of reopen port forced,
      zfcp_erp_strategy_followup_success() re-uses the port erp_action
      and the subsequent zfcp_erp_action_cleanup() now
      sees ZFCP_ERP_SUCCEEDED with
      erp_action->action==ZFCP_ERP_ACTION_REOPEN_PORT
      instead of ZFCP_ERP_ACTION_REOPEN_PORT_FORCED
      but must not perform zfcp_scsi_schedule_rport_register().
      
      We can detect this because the fresh port reopen erp_action
      is in its very first step ZFCP_ERP_STEP_UNINITIALIZED.
      
      Otherwise this opens a time window with unblocked rport
      (until the followup port reopen recovery would block it again).
      If a scsi_cmnd timeout occurs during this time window
      fc_timed_out() cannot work as desired and such command
      would indeed time out and trigger scsi_eh. This prevents
      a clean and timely path failover.
      This should not happen if the path issue can be recovered
      on FC transport layer such as path issues involving RSCNs.
      
      Also, unnecessary and repeated DID_IMM_RETRY for pending and
      undesired new requests occur because internally zfcp still
      has its zfcp_port blocked.
      
      As follow-on errors with scsi_eh, it can cause,
      in the worst case, permanently lost paths due to one of:
      sd <scsidev>: [<scsidisk>] Medium access timeout failure. Offlining disk!
      sd <scsidev>: Device offlined - not ready after error recovery
      
      For fix validation and to aid future debugging with other recoveries
      we now also trace (un)blocking of rports.
      Signed-off-by: default avatarSteffen Maier <maier@linux.vnet.ibm.com>
      Fixes: 5767620c ("[SCSI] zfcp: Do not unblock rport from REOPEN_PORT_FORCED")
      Fixes: a2fa0aed ("[SCSI] zfcp: Block FC transport rports early on errors")
      Fixes: 5f852be9 ("[SCSI] zfcp: Fix deadlock between zfcp ERP and SCSI")
      Fixes: 338151e0 ("[SCSI] zfcp: make use of fc_remote_port_delete when target port is unavailable")
      Fixes: 3859f6a2 ("[PATCH] zfcp: add rports to enable scsi_add_device to work again")
      Reviewed-by: default avatarBenjamin Block <bblock@linux.vnet.ibm.com>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      efaebcb4
    • Steffen Maier's avatar
      zfcp: fix ELS/GS request&response length for hardware data router · 5f62704e
      Steffen Maier authored
      commit 70369f8e upstream.
      
      In the hardware data router case, introduced with kernel 3.2
      commit 86a9668a ("[SCSI] zfcp: support for hardware data router")
      the ELS/GS request&response length needs to be initialized
      as in the chained SBAL case.
      
      Otherwise, the FCP channel rejects ELS requests with
      FSF_REQUEST_SIZE_TOO_LARGE.
      
      Such ELS requests can be issued by user space through BSG / HBA API,
      or zfcp itself uses ADISC ELS for remote port link test on RSCN.
      The latter can cause a short path outage due to
      unnecessary remote target port recovery because the always
      failing ADISC cannot detect extremely short path interruptions
      beyond the local FCP channel.
      
      Below example is decoded with zfcpdbf from s390-tools:
      
      Timestamp      : ...
      Area           : SAN
      Subarea        : 00
      Level          : 1
      Exception      : -
      CPU id         : ..
      Caller         : zfcp_dbf_san_req+0408
      Record id      : 1
      Tag            : fssels1
      Request id     : 0x<reqid>
      Destination ID : 0x00<target d_id>
      Payload info   : 52000000 00000000 <our wwpn       >           [ADISC]
                       <our wwnn       > 00<s_id> 00000000
                       00000000 00000000 00000000 00000000
      
      Timestamp      : ...
      Area           : HBA
      Subarea        : 00
      Level          : 1
      Exception      : -
      CPU id         : ..
      Caller         : zfcp_dbf_hba_fsf_res+0740
      Record id      : 1
      Tag            : fs_ferr
      Request id     : 0x<reqid>
      Request status : 0x00000010
      FSF cmnd       : 0x0000000b               [FSF_QTCB_SEND_ELS]
      FSF sequence no: 0x...
      FSF issued     : ...
      FSF stat       : 0x00000061		  [FSF_REQUEST_SIZE_TOO_LARGE]
      FSF stat qual  : 00000000 00000000 00000000 00000000
      Prot stat      : 0x00000100
      Prot stat qual : 00000000 00000000 00000000 00000000
      Signed-off-by: default avatarSteffen Maier <maier@linux.vnet.ibm.com>
      Fixes: 86a9668a ("[SCSI] zfcp: support for hardware data router")
      Reviewed-by: default avatarBenjamin Block <bblock@linux.vnet.ibm.com>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      5f62704e
    • Steffen Maier's avatar
      zfcp: fix fc_host port_type with NPIV · 6d35bb9a
      Steffen Maier authored
      commit bd77befa upstream.
      
      For an NPIV-enabled FCP device, zfcp can erroneously show
      "NPort (fabric via point-to-point)" instead of "NPIV VPORT"
      for the port_type sysfs attribute of the corresponding
      fc_host.
      s390-tools that can be affected are dbginfo.sh and ziomon.
      
      zfcp_fsf_exchange_config_evaluate() ignores
      fsf_qtcb_bottom_config.connection_features indicating NPIV
      and only sets fc_host_port_type to FC_PORTTYPE_NPORT if
      fsf_qtcb_bottom_config.fc_topology is FSF_TOPO_FABRIC.
      
      Only the independent zfcp_fsf_exchange_port_evaluate()
      evaluates connection_features to overwrite fc_host_port_type
      to FC_PORTTYPE_NPIV in case of NPIV.
      Code was introduced with upstream kernel 2.6.30
      commit 0282985d
      ("[SCSI] zfcp: Report fc_host_port_type as NPIV").
      
      This works during FCP device recovery (such as set online)
      because it performs FSF_QTCB_EXCHANGE_CONFIG_DATA followed by
      FSF_QTCB_EXCHANGE_PORT_DATA in sequence.
      
      However, the zfcp-specific scsi host sysfs attributes
      "requests", "megabytes", or "seconds_active" trigger only
      zfcp_fsf_exchange_config_evaluate() resetting fc_host
      port_type to FC_PORTTYPE_NPORT despite NPIV.
      
      The zfcp-specific scsi host sysfs attribute "utilization"
      triggers only zfcp_fsf_exchange_port_evaluate() correcting
      the fc_host port_type again in case of NPIV.
      
      Evaluate fsf_qtcb_bottom_config.connection_features
      in zfcp_fsf_exchange_config_evaluate() where it belongs to.
      Signed-off-by: default avatarSteffen Maier <maier@linux.vnet.ibm.com>
      Fixes: 0282985d ("[SCSI] zfcp: Report fc_host_port_type as NPIV")
      Reviewed-by: default avatarBenjamin Block <bblock@linux.vnet.ibm.com>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      6d35bb9a
    • Takashi Iwai's avatar
      ALSA: pcm : Call kill_fasync() in stream lock · a27178e0
      Takashi Iwai authored
      commit 3aa02cb6 upstream.
      
      Currently kill_fasync() is called outside the stream lock in
      snd_pcm_period_elapsed().  This is potentially racy, since the stream
      may get released even during the irq handler is running.  Although
      snd_pcm_release_substream() calls snd_pcm_drop(), this doesn't
      guarantee that the irq handler finishes, thus the kill_fasync() call
      outside the stream spin lock may be invoked after the substream is
      detached, as recently reported by KASAN.
      
      As a quick workaround, move kill_fasync() call inside the stream
      lock.  The fasync is rarely used interface, so this shouldn't have a
      big impact from the performance POV.
      
      Ideally, we should implement some sync mechanism for the proper finish
      of stream and irq handler.  But this oneliner should suffice for most
      cases, so far.
      Reported-by: default avatarBaozeng Ding <sploving1@gmail.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      a27178e0
    • Takashi Iwai's avatar
      ALSA: ali5451: Fix out-of-bound position reporting · 3d4cfa95
      Takashi Iwai authored
      commit db685779 upstream.
      
      The pointer callbacks of ali5451 driver may return the value at the
      boundary occasionally, and it results in the kernel warning like
        snd_ali5451 0000:00:06.0: BUG: , pos = 16384, buffer size = 16384, period size = 1024
      
      It seems that folding the position offset is enough for fixing the
      warning and no ill-effect has been seen by that.
      Reported-by: default avatarEnrico Mioso <mrkiko.rs@gmail.com>
      Tested-by: default avatarEnrico Mioso <mrkiko.rs@gmail.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      3d4cfa95
    • Vegard Nossum's avatar
      ALSA: timer: fix NULL pointer dereference on memory allocation failure · e13285a1
      Vegard Nossum authored
      commit 8ddc0563 upstream.
      
      I hit this with syzkaller:
      
          kasan: CONFIG_KASAN_INLINE enabled
          kasan: GPF could be caused by NULL-ptr deref or user memory access
          general protection fault: 0000 [#1] PREEMPT SMP KASAN
          CPU: 0 PID: 1327 Comm: a.out Not tainted 4.8.0-rc2+ #190
          Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
          task: ffff88011278d600 task.stack: ffff8801120c0000
          RIP: 0010:[<ffffffff82c8ba07>]  [<ffffffff82c8ba07>] snd_hrtimer_start+0x77/0x100
          RSP: 0018:ffff8801120c7a60  EFLAGS: 00010006
          RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000007
          RDX: 0000000000000009 RSI: 1ffff10023483091 RDI: 0000000000000048
          RBP: ffff8801120c7a78 R08: ffff88011a5cf768 R09: ffff88011a5ba790
          R10: 0000000000000002 R11: ffffed00234b9ef1 R12: ffff880114843980
          R13: ffffffff84213c00 R14: ffff880114843ab0 R15: 0000000000000286
          FS:  00007f72958f3700(0000) GS:ffff88011aa00000(0000) knlGS:0000000000000000
          CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
          CR2: 0000000000603001 CR3: 00000001126ab000 CR4: 00000000000006f0
          Stack:
           ffff880114843980 ffff880111eb2dc0 ffff880114843a34 ffff8801120c7ad0
           ffffffff82c81ab1 0000000000000000 ffffffff842138e0 0000000100000000
           ffff880111eb2dd0 ffff880111eb2dc0 0000000000000001 ffff880111eb2dc0
          Call Trace:
           [<ffffffff82c81ab1>] snd_timer_start1+0x331/0x670
           [<ffffffff82c85bfd>] snd_timer_start+0x5d/0xa0
           [<ffffffff82c8795e>] snd_timer_user_ioctl+0x88e/0x2830
           [<ffffffff8159f3a0>] ? __follow_pte.isra.49+0x430/0x430
           [<ffffffff82c870d0>] ? snd_timer_pause+0x80/0x80
           [<ffffffff815a26fa>] ? do_wp_page+0x3aa/0x1c90
           [<ffffffff8132762f>] ? put_prev_entity+0x108f/0x21a0
           [<ffffffff82c870d0>] ? snd_timer_pause+0x80/0x80
           [<ffffffff816b0733>] do_vfs_ioctl+0x193/0x1050
           [<ffffffff813510af>] ? cpuacct_account_field+0x12f/0x1a0
           [<ffffffff816b05a0>] ? ioctl_preallocate+0x200/0x200
           [<ffffffff81002f2f>] ? syscall_trace_enter+0x3cf/0xdb0
           [<ffffffff815045ba>] ? __context_tracking_exit.part.4+0x9a/0x1e0
           [<ffffffff81002b60>] ? exit_to_usermode_loop+0x190/0x190
           [<ffffffff82001a97>] ? check_preemption_disabled+0x37/0x1e0
           [<ffffffff81d93889>] ? security_file_ioctl+0x89/0xb0
           [<ffffffff816b167f>] SyS_ioctl+0x8f/0xc0
           [<ffffffff816b15f0>] ? do_vfs_ioctl+0x1050/0x1050
           [<ffffffff81005524>] do_syscall_64+0x1c4/0x4e0
           [<ffffffff83c32b2a>] entry_SYSCALL64_slow_path+0x25/0x25
          Code: c7 c7 c4 b9 c8 82 48 89 d9 4c 89 ee e8 63 88 7f fe e8 7e 46 7b fe 48 8d 7b 48 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 04 84 c0 7e 65 80 7b 48 00 74 0e e8 52 46
          RIP  [<ffffffff82c8ba07>] snd_hrtimer_start+0x77/0x100
           RSP <ffff8801120c7a60>
          ---[ end trace 5955b08db7f2b029 ]---
      
      This can happen if snd_hrtimer_open() fails to allocate memory and
      returns an error, which is currently not checked by snd_timer_open():
      
          ioctl(SNDRV_TIMER_IOCTL_SELECT)
           - snd_timer_user_tselect()
      	- snd_timer_close()
      	   - snd_hrtimer_close()
      	      - (struct snd_timer *) t->private_data = NULL
              - snd_timer_open()
                 - snd_hrtimer_open()
                    - kzalloc() fails; t->private_data is still NULL
      
          ioctl(SNDRV_TIMER_IOCTL_START)
           - snd_timer_user_start()
      	- snd_timer_start()
      	   - snd_timer_start1()
      	      - snd_hrtimer_start()
      		- t->private_data == NULL // boom
      
      [js] no put_device in 3.12 yet
      Signed-off-by: default avatarVegard Nossum <vegard.nossum@oracle.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      e13285a1
    • Vegard Nossum's avatar
      ALSA: timer: fix division by zero after SNDRV_TIMER_IOCTL_CONTINUE · 3fcea56c
      Vegard Nossum authored
      commit 6b760bb2 upstream.
      
      I got this:
      
          divide error: 0000 [#1] PREEMPT SMP KASAN
          CPU: 1 PID: 1327 Comm: a.out Not tainted 4.8.0-rc2+ #189
          Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
          task: ffff8801120a9580 task.stack: ffff8801120b0000
          RIP: 0010:[<ffffffff82c8bd9a>]  [<ffffffff82c8bd9a>] snd_hrtimer_callback+0x1da/0x3f0
          RSP: 0018:ffff88011aa87da8  EFLAGS: 00010006
          RAX: 0000000000004f76 RBX: ffff880112655e88 RCX: 0000000000000000
          RDX: 0000000000000000 RSI: ffff880112655ea0 RDI: 0000000000000001
          RBP: ffff88011aa87e00 R08: ffff88013fff905c R09: ffff88013fff9048
          R10: ffff88013fff9050 R11: 00000001050a7b8c R12: ffff880114778a00
          R13: ffff880114778ab4 R14: ffff880114778b30 R15: 0000000000000000
          FS:  00007f071647c700(0000) GS:ffff88011aa80000(0000) knlGS:0000000000000000
          CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
          CR2: 0000000000603001 CR3: 0000000112021000 CR4: 00000000000006e0
          Stack:
           0000000000000000 ffff880114778ab8 ffff880112655ea0 0000000000004f76
           ffff880112655ec8 ffff880112655e80 ffff880112655e88 ffff88011aa98fc0
           00000000b97ccf2b dffffc0000000000 ffff88011aa98fc0 ffff88011aa87ef0
          Call Trace:
           <IRQ>
           [<ffffffff813abce7>] __hrtimer_run_queues+0x347/0xa00
           [<ffffffff82c8bbc0>] ? snd_hrtimer_close+0x130/0x130
           [<ffffffff813ab9a0>] ? retrigger_next_event+0x1b0/0x1b0
           [<ffffffff813ae1a6>] ? hrtimer_interrupt+0x136/0x4b0
           [<ffffffff813ae220>] hrtimer_interrupt+0x1b0/0x4b0
           [<ffffffff8120f91e>] local_apic_timer_interrupt+0x6e/0xf0
           [<ffffffff81227ad3>] ? kvm_guest_apic_eoi_write+0x13/0xc0
           [<ffffffff83c35086>] smp_apic_timer_interrupt+0x76/0xa0
           [<ffffffff83c3416c>] apic_timer_interrupt+0x8c/0xa0
           <EOI>
           [<ffffffff83c3239c>] ? _raw_spin_unlock_irqrestore+0x2c/0x60
           [<ffffffff82c8185d>] snd_timer_start1+0xdd/0x670
           [<ffffffff82c87015>] snd_timer_continue+0x45/0x80
           [<ffffffff82c88100>] snd_timer_user_ioctl+0x1030/0x2830
           [<ffffffff8159f3a0>] ? __follow_pte.isra.49+0x430/0x430
           [<ffffffff82c870d0>] ? snd_timer_pause+0x80/0x80
           [<ffffffff815a26fa>] ? do_wp_page+0x3aa/0x1c90
           [<ffffffff815aa4f8>] ? handle_mm_fault+0xbc8/0x27f0
           [<ffffffff815a9930>] ? __pmd_alloc+0x370/0x370
           [<ffffffff82c870d0>] ? snd_timer_pause+0x80/0x80
           [<ffffffff816b0733>] do_vfs_ioctl+0x193/0x1050
           [<ffffffff816b05a0>] ? ioctl_preallocate+0x200/0x200
           [<ffffffff81002f2f>] ? syscall_trace_enter+0x3cf/0xdb0
           [<ffffffff815045ba>] ? __context_tracking_exit.part.4+0x9a/0x1e0
           [<ffffffff81002b60>] ? exit_to_usermode_loop+0x190/0x190
           [<ffffffff82001a97>] ? check_preemption_disabled+0x37/0x1e0
           [<ffffffff81d93889>] ? security_file_ioctl+0x89/0xb0
           [<ffffffff816b167f>] SyS_ioctl+0x8f/0xc0
           [<ffffffff816b15f0>] ? do_vfs_ioctl+0x1050/0x1050
           [<ffffffff81005524>] do_syscall_64+0x1c4/0x4e0
           [<ffffffff83c32b2a>] entry_SYSCALL64_slow_path+0x25/0x25
          Code: e8 fc 42 7b fe 8b 0d 06 8a 50 03 49 0f af cf 48 85 c9 0f 88 7c 01 00 00 48 89 4d a8 e8 e0 42 7b fe 48 8b 45 c0 48 8b 4d a8 48 99 <48> f7 f9 49 01 c7 e8 cb 42 7b fe 48 8b 55 d0 48 b8 00 00 00 00
          RIP  [<ffffffff82c8bd9a>] snd_hrtimer_callback+0x1da/0x3f0
           RSP <ffff88011aa87da8>
          ---[ end trace 6aa380f756a21074 ]---
      
      The problem happens when you call ioctl(SNDRV_TIMER_IOCTL_CONTINUE) on a
      completely new/unused timer -- it will have ->sticks == 0, which causes a
      divide by 0 in snd_hrtimer_callback().
      Signed-off-by: default avatarVegard Nossum <vegard.nossum@oracle.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      3fcea56c