mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2025-01-10 07:00:48 +00:00
SCSI fixes on 20230123
Six fixes, all in drivers. The biggest are the UFS devfreq fixes which address a lock inversion and the two iscsi_tcp fixes which try to prevent a use after free from userspace still accessing an area which the kernel has released (seen by KASAN). Signed-off-by: James E.J. Bottomley <jejb@linux.ibm.com> -----BEGIN PGP SIGNATURE----- iJwEABMIAEQWIQTnYEDbdso9F2cI+arnQslM7pishQUCY87V4iYcamFtZXMuYm90 dG9tbGV5QGhhbnNlbnBhcnRuZXJzaGlwLmNvbQAKCRDnQslM7pishRl+AQDWchrR xwIlYfLEZ9wbIsJWTpxIFBxf2UpRY1CAM94KswEA49R/UA4qhrjdNsf8+Lkss5Fb fSlWJnhlQ3YruMCmsfY= =tm6h -----END PGP SIGNATURE----- Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi Pull SCSI fixes from James Bottomley: "Six fixes, all in drivers. The biggest are the UFS devfreq fixes which address a lock inversion and the two iscsi_tcp fixes which try to prevent a use after free from userspace still accessing an area which the kernel has released (seen by KASAN)" * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: scsi: device_handler: alua: Remove a might_sleep() annotation scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress scsi: iscsi_tcp: Fix UAF during logout when accessing the shost ipaddress scsi: ufs: core: Fix devfreq deadlocks scsi: hpsa: Fix allocation size for scsi_host_alloc() scsi: target: core: Fix warning on RT kernels
This commit is contained in:
commit
02db81a787
@ -981,6 +981,9 @@ queue_rtpg:
|
||||
*
|
||||
* Returns true if and only if alua_rtpg_work() will be called asynchronously.
|
||||
* That function is responsible for calling @qdata->fn().
|
||||
*
|
||||
* Context: may be called from atomic context (alua_check()) only if the caller
|
||||
* holds an sdev reference.
|
||||
*/
|
||||
static bool alua_rtpg_queue(struct alua_port_group *pg,
|
||||
struct scsi_device *sdev,
|
||||
@ -989,8 +992,6 @@ static bool alua_rtpg_queue(struct alua_port_group *pg,
|
||||
int start_queue = 0;
|
||||
unsigned long flags;
|
||||
|
||||
might_sleep();
|
||||
|
||||
if (WARN_ON_ONCE(!pg) || scsi_device_get(sdev))
|
||||
return false;
|
||||
|
||||
|
@ -5850,7 +5850,7 @@ static int hpsa_scsi_host_alloc(struct ctlr_info *h)
|
||||
{
|
||||
struct Scsi_Host *sh;
|
||||
|
||||
sh = scsi_host_alloc(&hpsa_driver_template, sizeof(h));
|
||||
sh = scsi_host_alloc(&hpsa_driver_template, sizeof(struct ctlr_info));
|
||||
if (sh == NULL) {
|
||||
dev_err(&h->pdev->dev, "scsi_host_alloc failed\n");
|
||||
return -ENOMEM;
|
||||
|
@ -849,7 +849,7 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost,
|
||||
enum iscsi_host_param param, char *buf)
|
||||
{
|
||||
struct iscsi_sw_tcp_host *tcp_sw_host = iscsi_host_priv(shost);
|
||||
struct iscsi_session *session = tcp_sw_host->session;
|
||||
struct iscsi_session *session;
|
||||
struct iscsi_conn *conn;
|
||||
struct iscsi_tcp_conn *tcp_conn;
|
||||
struct iscsi_sw_tcp_conn *tcp_sw_conn;
|
||||
@ -859,6 +859,7 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost,
|
||||
|
||||
switch (param) {
|
||||
case ISCSI_HOST_PARAM_IPADDRESS:
|
||||
session = tcp_sw_host->session;
|
||||
if (!session)
|
||||
return -ENOTCONN;
|
||||
|
||||
@ -959,11 +960,13 @@ iscsi_sw_tcp_session_create(struct iscsi_endpoint *ep, uint16_t cmds_max,
|
||||
if (!cls_session)
|
||||
goto remove_host;
|
||||
session = cls_session->dd_data;
|
||||
tcp_sw_host = iscsi_host_priv(shost);
|
||||
tcp_sw_host->session = session;
|
||||
|
||||
if (iscsi_tcp_r2tpool_alloc(session))
|
||||
goto remove_session;
|
||||
|
||||
/* We are now fully setup so expose the session to sysfs. */
|
||||
tcp_sw_host = iscsi_host_priv(shost);
|
||||
tcp_sw_host->session = session;
|
||||
return cls_session;
|
||||
|
||||
remove_session:
|
||||
@ -983,10 +986,17 @@ static void iscsi_sw_tcp_session_destroy(struct iscsi_cls_session *cls_session)
|
||||
if (WARN_ON_ONCE(session->leadconn))
|
||||
return;
|
||||
|
||||
iscsi_tcp_r2tpool_free(cls_session->dd_data);
|
||||
iscsi_session_teardown(cls_session);
|
||||
|
||||
iscsi_session_remove(cls_session);
|
||||
/*
|
||||
* Our get_host_param needs to access the session, so remove the
|
||||
* host from sysfs before freeing the session to make sure userspace
|
||||
* is no longer accessing the callout.
|
||||
*/
|
||||
iscsi_host_remove(shost, false);
|
||||
|
||||
iscsi_tcp_r2tpool_free(cls_session->dd_data);
|
||||
|
||||
iscsi_session_free(cls_session);
|
||||
iscsi_host_free(shost);
|
||||
}
|
||||
|
||||
|
@ -3104,17 +3104,32 @@ dec_session_count:
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(iscsi_session_setup);
|
||||
|
||||
/**
|
||||
* iscsi_session_teardown - destroy session, host, and cls_session
|
||||
* @cls_session: iscsi session
|
||||
/*
|
||||
* issi_session_remove - Remove session from iSCSI class.
|
||||
*/
|
||||
void iscsi_session_teardown(struct iscsi_cls_session *cls_session)
|
||||
void iscsi_session_remove(struct iscsi_cls_session *cls_session)
|
||||
{
|
||||
struct iscsi_session *session = cls_session->dd_data;
|
||||
struct module *owner = cls_session->transport->owner;
|
||||
struct Scsi_Host *shost = session->host;
|
||||
|
||||
iscsi_remove_session(cls_session);
|
||||
/*
|
||||
* host removal only has to wait for its children to be removed from
|
||||
* sysfs, and iscsi_tcp needs to do iscsi_host_remove before freeing
|
||||
* the session, so drop the session count here.
|
||||
*/
|
||||
iscsi_host_dec_session_cnt(shost);
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(iscsi_session_remove);
|
||||
|
||||
/**
|
||||
* iscsi_session_free - Free iscsi session and it's resources
|
||||
* @cls_session: iscsi session
|
||||
*/
|
||||
void iscsi_session_free(struct iscsi_cls_session *cls_session)
|
||||
{
|
||||
struct iscsi_session *session = cls_session->dd_data;
|
||||
struct module *owner = cls_session->transport->owner;
|
||||
|
||||
iscsi_pool_free(&session->cmdpool);
|
||||
kfree(session->password);
|
||||
@ -3132,10 +3147,19 @@ void iscsi_session_teardown(struct iscsi_cls_session *cls_session)
|
||||
kfree(session->discovery_parent_type);
|
||||
|
||||
iscsi_free_session(cls_session);
|
||||
|
||||
iscsi_host_dec_session_cnt(shost);
|
||||
module_put(owner);
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(iscsi_session_free);
|
||||
|
||||
/**
|
||||
* iscsi_session_teardown - destroy session and cls_session
|
||||
* @cls_session: iscsi session
|
||||
*/
|
||||
void iscsi_session_teardown(struct iscsi_cls_session *cls_session)
|
||||
{
|
||||
iscsi_session_remove(cls_session);
|
||||
iscsi_session_free(cls_session);
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(iscsi_session_teardown);
|
||||
|
||||
/**
|
||||
|
@ -73,8 +73,8 @@ static bool __target_check_io_state(struct se_cmd *se_cmd,
|
||||
{
|
||||
struct se_session *sess = se_cmd->se_sess;
|
||||
|
||||
assert_spin_locked(&sess->sess_cmd_lock);
|
||||
WARN_ON_ONCE(!irqs_disabled());
|
||||
lockdep_assert_held(&sess->sess_cmd_lock);
|
||||
|
||||
/*
|
||||
* If command already reached CMD_T_COMPLETE state within
|
||||
* target_complete_cmd() or CMD_T_FABRIC_STOP due to shutdown,
|
||||
|
@ -1234,12 +1234,14 @@ static int ufshcd_clock_scaling_prepare(struct ufs_hba *hba)
|
||||
* clock scaling is in progress
|
||||
*/
|
||||
ufshcd_scsi_block_requests(hba);
|
||||
mutex_lock(&hba->wb_mutex);
|
||||
down_write(&hba->clk_scaling_lock);
|
||||
|
||||
if (!hba->clk_scaling.is_allowed ||
|
||||
ufshcd_wait_for_doorbell_clr(hba, DOORBELL_CLR_TOUT_US)) {
|
||||
ret = -EBUSY;
|
||||
up_write(&hba->clk_scaling_lock);
|
||||
mutex_unlock(&hba->wb_mutex);
|
||||
ufshcd_scsi_unblock_requests(hba);
|
||||
goto out;
|
||||
}
|
||||
@ -1251,12 +1253,16 @@ out:
|
||||
return ret;
|
||||
}
|
||||
|
||||
static void ufshcd_clock_scaling_unprepare(struct ufs_hba *hba, bool writelock)
|
||||
static void ufshcd_clock_scaling_unprepare(struct ufs_hba *hba, int err, bool scale_up)
|
||||
{
|
||||
if (writelock)
|
||||
up_write(&hba->clk_scaling_lock);
|
||||
else
|
||||
up_read(&hba->clk_scaling_lock);
|
||||
up_write(&hba->clk_scaling_lock);
|
||||
|
||||
/* Enable Write Booster if we have scaled up else disable it */
|
||||
if (ufshcd_enable_wb_if_scaling_up(hba) && !err)
|
||||
ufshcd_wb_toggle(hba, scale_up);
|
||||
|
||||
mutex_unlock(&hba->wb_mutex);
|
||||
|
||||
ufshcd_scsi_unblock_requests(hba);
|
||||
ufshcd_release(hba);
|
||||
}
|
||||
@ -1273,7 +1279,6 @@ static void ufshcd_clock_scaling_unprepare(struct ufs_hba *hba, bool writelock)
|
||||
static int ufshcd_devfreq_scale(struct ufs_hba *hba, bool scale_up)
|
||||
{
|
||||
int ret = 0;
|
||||
bool is_writelock = true;
|
||||
|
||||
ret = ufshcd_clock_scaling_prepare(hba);
|
||||
if (ret)
|
||||
@ -1302,15 +1307,8 @@ static int ufshcd_devfreq_scale(struct ufs_hba *hba, bool scale_up)
|
||||
}
|
||||
}
|
||||
|
||||
/* Enable Write Booster if we have scaled up else disable it */
|
||||
if (ufshcd_enable_wb_if_scaling_up(hba)) {
|
||||
downgrade_write(&hba->clk_scaling_lock);
|
||||
is_writelock = false;
|
||||
ufshcd_wb_toggle(hba, scale_up);
|
||||
}
|
||||
|
||||
out_unprepare:
|
||||
ufshcd_clock_scaling_unprepare(hba, is_writelock);
|
||||
ufshcd_clock_scaling_unprepare(hba, ret, scale_up);
|
||||
return ret;
|
||||
}
|
||||
|
||||
@ -6066,9 +6064,11 @@ static void ufshcd_force_error_recovery(struct ufs_hba *hba)
|
||||
|
||||
static void ufshcd_clk_scaling_allow(struct ufs_hba *hba, bool allow)
|
||||
{
|
||||
mutex_lock(&hba->wb_mutex);
|
||||
down_write(&hba->clk_scaling_lock);
|
||||
hba->clk_scaling.is_allowed = allow;
|
||||
up_write(&hba->clk_scaling_lock);
|
||||
mutex_unlock(&hba->wb_mutex);
|
||||
}
|
||||
|
||||
static void ufshcd_clk_scaling_suspend(struct ufs_hba *hba, bool suspend)
|
||||
@ -9793,6 +9793,7 @@ int ufshcd_init(struct ufs_hba *hba, void __iomem *mmio_base, unsigned int irq)
|
||||
/* Initialize mutex for exception event control */
|
||||
mutex_init(&hba->ee_ctrl_mutex);
|
||||
|
||||
mutex_init(&hba->wb_mutex);
|
||||
init_rwsem(&hba->clk_scaling_lock);
|
||||
|
||||
ufshcd_init_clk_gating(hba);
|
||||
|
@ -422,6 +422,8 @@ extern int iscsi_host_get_max_scsi_cmds(struct Scsi_Host *shost,
|
||||
extern struct iscsi_cls_session *
|
||||
iscsi_session_setup(struct iscsi_transport *, struct Scsi_Host *shost,
|
||||
uint16_t, int, int, uint32_t, unsigned int);
|
||||
void iscsi_session_remove(struct iscsi_cls_session *cls_session);
|
||||
void iscsi_session_free(struct iscsi_cls_session *cls_session);
|
||||
extern void iscsi_session_teardown(struct iscsi_cls_session *);
|
||||
extern void iscsi_session_recovery_timedout(struct iscsi_cls_session *);
|
||||
extern int iscsi_set_param(struct iscsi_cls_conn *cls_conn,
|
||||
|
@ -808,6 +808,7 @@ struct ufs_hba_monitor {
|
||||
* @urgent_bkops_lvl: keeps track of urgent bkops level for device
|
||||
* @is_urgent_bkops_lvl_checked: keeps track if the urgent bkops level for
|
||||
* device is known or not.
|
||||
* @wb_mutex: used to serialize devfreq and sysfs write booster toggling
|
||||
* @clk_scaling_lock: used to serialize device commands and clock scaling
|
||||
* @desc_size: descriptor sizes reported by device
|
||||
* @scsi_block_reqs_cnt: reference counting for scsi block requests
|
||||
@ -951,6 +952,7 @@ struct ufs_hba {
|
||||
enum bkops_status urgent_bkops_lvl;
|
||||
bool is_urgent_bkops_lvl_checked;
|
||||
|
||||
struct mutex wb_mutex;
|
||||
struct rw_semaphore clk_scaling_lock;
|
||||
unsigned char desc_size[QUERY_DESC_IDN_MAX];
|
||||
atomic_t scsi_block_reqs_cnt;
|
||||
|
Loading…
x
Reference in New Issue
Block a user