1. 02 9月, 2020 1 次提交
  2. 18 3月, 2020 2 次提交
    • J
      scsi: libsas: stop discovering if oob mode is disconnected · d6fbed97
      Jason Yan 提交于
      commit f70267f379b5e5e11bdc5d72a56bf17e5feed01f upstream.
      
      [ Fixes: CVE-2019-19965 ]
      
      The discovering of sas port is driven by workqueue in libsas. When libsas
      is processing port events or phy events in workqueue, new events may rise
      up and change the state of some structures such as asd_sas_phy.  This may
      cause some problems such as follows:
      
      ==>thread 1                       ==>thread 2
      
                                        ==>phy up
                                        ==>phy_up_v3_hw()
                                          ==>oob_mode = SATA_OOB_MODE;
                                        ==>phy down quickly
                                        ==>hisi_sas_phy_down()
                                          ==>sas_ha->notify_phy_event()
                                          ==>sas_phy_disconnected()
                                            ==>oob_mode = OOB_NOT_CONNECTED
      ==>workqueue wakeup
      ==>sas_form_port()
        ==>sas_discover_domain()
          ==>sas_get_port_device()
            ==>oob_mode is OOB_NOT_CONNECTED and device
               is wrongly taken as expander
      
      This at last lead to the panic when libsas trying to issue a command to
      discover the device.
      
      [183047.614035] Unable to handle kernel NULL pointer dereference at
      virtual address 0000000000000058
      [183047.622896] Mem abort info:
      [183047.625762]   ESR = 0x96000004
      [183047.628893]   Exception class = DABT (current EL), IL = 32 bits
      [183047.634888]   SET = 0, FnV = 0
      [183047.638015]   EA = 0, S1PTW = 0
      [183047.641232] Data abort info:
      [183047.644189]   ISV = 0, ISS = 0x00000004
      [183047.648100]   CM = 0, WnR = 0
      [183047.651145] user pgtable: 4k pages, 48-bit VAs, pgdp =
      00000000b7df67be
      [183047.657834] [0000000000000058] pgd=0000000000000000
      [183047.662789] Internal error: Oops: 96000004 [#1] SMP
      [183047.667740] Process kworker/u16:2 (pid: 31291, stack limit =
      0x00000000417c4974)
      [183047.675208] CPU: 0 PID: 3291 Comm: kworker/u16:2 Tainted: G
      W  OE 4.19.36-vhulk1907.1.0.h410.eulerosv2r8.aarch64 #1
      [183047.687015] Hardware name: N/A N/A/Kunpeng Desktop Board D920S10,
      BIOS 0.15 10/22/2019
      [183047.695007] Workqueue: 0000:74:02.0_disco_q sas_discover_domain
      [183047.700999] pstate: 20c00009 (nzCv daif +PAN +UAO)
      [183047.705864] pc : prep_ata_v3_hw+0xf8/0x230 [hisi_sas_v3_hw]
      [183047.711510] lr : prep_ata_v3_hw+0xb0/0x230 [hisi_sas_v3_hw]
      [183047.717153] sp : ffff00000f28ba60
      [183047.720541] x29: ffff00000f28ba60 x28: ffff8026852d7228
      [183047.725925] x27: ffff8027dba3e0a8 x26: ffff8027c05fc200
      [183047.731310] x25: 0000000000000000 x24: ffff8026bafa8dc0
      [183047.736695] x23: ffff8027c05fc218 x22: ffff8026852d7228
      [183047.742079] x21: ffff80007c2f2940 x20: ffff8027c05fc200
      [183047.747464] x19: 0000000000f80800 x18: 0000000000000010
      [183047.752848] x17: 0000000000000000 x16: 0000000000000000
      [183047.758232] x15: ffff000089a5a4ff x14: 0000000000000005
      [183047.763617] x13: ffff000009a5a50e x12: ffff8026bafa1e20
      [183047.769001] x11: ffff0000087453b8 x10: ffff00000f28b870
      [183047.774385] x9 : 0000000000000000 x8 : ffff80007e58f9b0
      [183047.779770] x7 : 0000000000000000 x6 : 000000000000003f
      [183047.785154] x5 : 0000000000000040 x4 : ffffffffffffffe0
      [183047.790538] x3 : 00000000000000f8 x2 : 0000000002000007
      [183047.795922] x1 : 0000000000000008 x0 : 0000000000000000
      [183047.801307] Call trace:
      [183047.803827]  prep_ata_v3_hw+0xf8/0x230 [hisi_sas_v3_hw]
      [183047.809127]  hisi_sas_task_prep+0x750/0x888 [hisi_sas_main]
      [183047.814773]  hisi_sas_task_exec.isra.7+0x88/0x1f0 [hisi_sas_main]
      [183047.820939]  hisi_sas_queue_command+0x28/0x38 [hisi_sas_main]
      [183047.826757]  smp_execute_task_sg+0xec/0x218
      [183047.831013]  smp_execute_task+0x74/0xa0
      [183047.834921]  sas_discover_expander.part.7+0x9c/0x5f8
      [183047.839959]  sas_discover_root_expander+0x90/0x160
      [183047.844822]  sas_discover_domain+0x1b8/0x1e8
      [183047.849164]  process_one_work+0x1b4/0x3f8
      [183047.853246]  worker_thread+0x54/0x470
      [183047.856981]  kthread+0x134/0x138
      [183047.860283]  ret_from_fork+0x10/0x18
      [183047.863931] Code: f9407a80 528000e2 39409281 72a04002 (b9405800)
      [183047.870097] kernel fault(0x1) notification starting on CPU 0
      [183047.875828] kernel fault(0x1) notification finished on CPU 0
      [183047.881559] Modules linked in: unibsp(OE) hns3(OE) hclge(OE)
      hnae3(OE) mem_drv(OE) hisi_sas_v3_hw(OE) hisi_sas_main(OE)
      [183047.892418] ---[ end trace 4cc26083fc11b783  ]---
      [183047.897107] Kernel panic - not syncing: Fatal exception
      [183047.902403] kernel fault(0x5) notification starting on CPU 0
      [183047.908134] kernel fault(0x5) notification finished on CPU 0
      [183047.913865] SMP: stopping secondary CPUs
      [183047.917861] Kernel Offset: disabled
      [183047.921422] CPU features: 0x2,a2a00a38
      [183047.925243] Memory Limit: none
      [183047.928372] kernel reboot(0x2) notification starting on CPU 0
      [183047.934190] kernel reboot(0x2) notification finished on CPU 0
      [183047.940008] ---[ end Kernel panic - not syncing: Fatal exception
      ]---
      
      Fixes: 2908d778 ("[SCSI] aic94xx: new driver")
      Link: https://lore.kernel.org/r/20191206011118.46909-1-yanaijie@huawei.comReported-by: NGao Chuan <gaochuan4@huawei.com>
      Reviewed-by: NJohn Garry <john.garry@huawei.com>
      Signed-off-by: NJason Yan <yanaijie@huawei.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NShile Zhang <shile.zhang@linux.alibaba.com>
      Acked-by: NCaspar Zhang <caspar@linux.alibaba.com>
      d6fbed97
    • Z
      scsi: core: Run queue when state is set to running after being blocked · 79d0c296
      zhengbin 提交于
      commit 70fc085c5015c54a7b8742a45fc9ab05d6da90da upstream.
      
      Use dd to test a SCSI device:
      
        1. echo "blocked" >/sys/block/sda/device/state
        2. dd if=/dev/sda of=/mnt/t.log bs=1M count=10
        3. echo "running" >/sys/block/sda/device/state
      
      dd should finish this work after step 3, but it hangs.
      
      After step2, the call chain is this:
      
      blk_mq_dispatch_rq_list-->scsi_queue_rq-->prep_to_mq
      
      prep_to_mq will return BLK_STS_RESOURCE, and scsi_queue_rq will
      transition it to BLK_STS_DEV_RESOURCE which means that driver can
      guarantee that IO dispatch will be triggered in future when the
      resource is available.  Need to follow the rule if we set the device
      state to running.
      
      [mkp: tweaked commit description and code comment as suggested by Bart]
      Signed-off-by: Nzhengbin <zhengbin13@huawei.com>
      Reviewed-by: NMing Lei <ming.lei@redhat.com>
      Reviewed-by: NBart Van Assche <bvanassche@acm.org>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NJoseph Qi <joseph.qi@linux.alibaba.com>
      Reviewed-by: NXiaoguang Wang <xiaoguang.wang@linux.alibaba.com>
      79d0c296
  3. 27 12月, 2019 1 次提交
  4. 21 12月, 2019 2 次提交
    • R
      scsi: qla2xxx: Change discovery state before PLOGI · 5dc3f408
      Roman Bolshakov 提交于
      commit 58e39a2ce4be08162c0368030cdc405f7fd849aa upstream.
      
      When a port sends PLOGI, discovery state should be changed to login
      pending, otherwise RELOGIN_NEEDED bit is set in
      qla24xx_handle_plogi_done_event(). RELOGIN_NEEDED triggers another PLOGI,
      and it never goes out of the loop until login timer expires.
      
      Fixes: 8777e431 ("scsi: qla2xxx: Migrate NVME N2N handling into state machine")
      Fixes: 8b5292bcfcacf ("scsi: qla2xxx: Fix Relogin to prevent modifying scan_state flag")
      Cc: Quinn Tran <qutran@marvell.com>
      Cc: stable@vger.kernel.org
      Link: https://lore.kernel.org/r/20191125165702.1013-6-r.bolshakov@yadro.comAcked-by: NHimanshu Madhani <hmadhani@marvell.com>
      Reviewed-by: NHannes Reinecke <hare@suse.de>
      Tested-by: NHannes Reinecke <hare@suse.de>
      Signed-off-by: NRoman Bolshakov <r.bolshakov@yadro.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5dc3f408
    • B
      scsi: iscsi: Fix a potential deadlock in the timeout handler · 86aa5f87
      Bart Van Assche 提交于
      commit 5480e299b5ae57956af01d4839c9fc88a465eeab upstream.
      
      Some time ago the block layer was modified such that timeout handlers are
      called from thread context instead of interrupt context. Make it safe to
      run the iSCSI timeout handler in thread context. This patch fixes the
      following lockdep complaint:
      
      ================================
      WARNING: inconsistent lock state
      5.5.1-dbg+ #11 Not tainted
      --------------------------------
      inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage.
      kworker/7:1H/206 [HC0[0]:SC0[0]:HE1:SE1] takes:
      ffff88802d9827e8 (&(&session->frwd_lock)->rlock){+.?.}, at: iscsi_eh_cmd_timed_out+0xa6/0x6d0 [libiscsi]
      {IN-SOFTIRQ-W} state was registered at:
        lock_acquire+0x106/0x240
        _raw_spin_lock+0x38/0x50
        iscsi_check_transport_timeouts+0x3e/0x210 [libiscsi]
        call_timer_fn+0x132/0x470
        __run_timers.part.0+0x39f/0x5b0
        run_timer_softirq+0x63/0xc0
        __do_softirq+0x12d/0x5fd
        irq_exit+0xb3/0x110
        smp_apic_timer_interrupt+0x131/0x3d0
        apic_timer_interrupt+0xf/0x20
        default_idle+0x31/0x230
        arch_cpu_idle+0x13/0x20
        default_idle_call+0x53/0x60
        do_idle+0x38a/0x3f0
        cpu_startup_entry+0x24/0x30
        start_secondary+0x222/0x290
        secondary_startup_64+0xa4/0xb0
      irq event stamp: 1383705
      hardirqs last  enabled at (1383705): [<ffffffff81aace5c>] _raw_spin_unlock_irq+0x2c/0x50
      hardirqs last disabled at (1383704): [<ffffffff81aacb98>] _raw_spin_lock_irq+0x18/0x50
      softirqs last  enabled at (1383690): [<ffffffffa0e2efea>] iscsi_queuecommand+0x76a/0xa20 [libiscsi]
      softirqs last disabled at (1383682): [<ffffffffa0e2e998>] iscsi_queuecommand+0x118/0xa20 [libiscsi]
      
      other info that might help us debug this:
       Possible unsafe locking scenario:
      
             CPU0
             ----
        lock(&(&session->frwd_lock)->rlock);
        <Interrupt>
          lock(&(&session->frwd_lock)->rlock);
      
       *** DEADLOCK ***
      
      2 locks held by kworker/7:1H/206:
       #0: ffff8880d57bf928 ((wq_completion)kblockd){+.+.}, at: process_one_work+0x472/0xab0
       #1: ffff88802b9c7de8 ((work_completion)(&q->timeout_work)){+.+.}, at: process_one_work+0x476/0xab0
      
      stack backtrace:
      CPU: 7 PID: 206 Comm: kworker/7:1H Not tainted 5.5.1-dbg+ #11
      Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
      Workqueue: kblockd blk_mq_timeout_work
      Call Trace:
       dump_stack+0xa5/0xe6
       print_usage_bug.cold+0x232/0x23b
       mark_lock+0x8dc/0xa70
       __lock_acquire+0xcea/0x2af0
       lock_acquire+0x106/0x240
       _raw_spin_lock+0x38/0x50
       iscsi_eh_cmd_timed_out+0xa6/0x6d0 [libiscsi]
       scsi_times_out+0xf4/0x440 [scsi_mod]
       scsi_timeout+0x1d/0x20 [scsi_mod]
       blk_mq_check_expired+0x365/0x3a0
       bt_iter+0xd6/0xf0
       blk_mq_queue_tag_busy_iter+0x3de/0x650
       blk_mq_timeout_work+0x1af/0x380
       process_one_work+0x56d/0xab0
       worker_thread+0x7a/0x5d0
       kthread+0x1bc/0x210
       ret_from_fork+0x24/0x30
      
      Fixes: 287922eb ("block: defer timeouts to a workqueue")
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Keith Busch <keith.busch@intel.com>
      Cc: Lee Duncan <lduncan@suse.com>
      Cc: Chris Leech <cleech@redhat.com>
      Cc: <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20191209173457.187370-1-bvanassche@acm.orgSigned-off-by: NBart Van Assche <bvanassche@acm.org>
      Reviewed-by: NLee Duncan <lduncan@suse.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      86aa5f87
  5. 18 12月, 2019 15 次提交
  6. 05 12月, 2019 10 次提交
  7. 01 12月, 2019 9 次提交