From: Linus Torvalds <torvalds@linux-foundation.org>
Date: Mon, 2 Dec 2019 21:37:02 +0000 (-0800)
Subject: Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=ef2cc88e2a205b8a11a19e78db63a70d3728cdf5;p=linux.git

Merge tag 'scsi-misc' of git://git./linux/kernel/git/jejb/scsi

Pull SCSI updates from James Bottomley:
 "This is mostly update of the usual drivers: aacraid, ufs, zfcp,
  NCR5380, lpfc, qla2xxx, smartpqi, hisi_sas, target, mpt3sas, pm80xx
  plus a whole load of minor updates and fixes.

  The major core changes are Al Viro's reworking of sg's handling of
  copy to/from user, Ming Lei's removal of the host busy counter to
  avoid contention in the multiqueue case and Damien Le Moal's fixing of
  residual tracking across error handling"

* tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: (251 commits)
  scsi: bnx2fc: timeout calculation invalid for bnx2fc_eh_abort()
  scsi: target: core: Fix a pr_debug() argument
  scsi: iscsi: Don't send data to unbound connection
  scsi: target: iscsi: Wait for all commands to finish before freeing a session
  scsi: target: core: Release SPC-2 reservations when closing a session
  scsi: target: core: Document target_cmd_size_check()
  scsi: bnx2i: fix potential use after free
  Revert "scsi: qla2xxx: Fix memory leak when sending I/O fails"
  scsi: NCR5380: Add disconnect_mask module parameter
  scsi: NCR5380: Unconditionally clear ICR after do_abort()
  scsi: NCR5380: Call scsi_set_resid() on command completion
  scsi: scsi_debug: num_tgts must be >= 0
  scsi: lpfc: use hdwq assigned cpu for allocation
  scsi: arcmsr: fix indentation issues
  scsi: qla4xxx: fix double free bug
  scsi: pm80xx: Modified the logic to collect fatal dump
  scsi: pm80xx: Tie the interrupt name to the module instance
  scsi: pm80xx: Controller fatal error through sysfs
  scsi: pm80xx: Do not request 12G sas speeds
  scsi: pm80xx: Cleanup command when a reset times out
  ...
---

ef2cc88e2a205b8a11a19e78db63a70d3728cdf5
diff --cc drivers/scsi/lpfc/lpfc_scsi.c
index 6822cd9ff8f1e,ba26df90a36ac..b138d9fee6757
--- a/drivers/scsi/lpfc/lpfc_scsi.c
+++ b/drivers/scsi/lpfc/lpfc_scsi.c
@@@ -526,8 -526,9 +526,8 @@@ lpfc_sli4_io_xri_aborted(struct lpfc_hb
  		&qp->lpfc_abts_io_buf_list, list) {
  		if (psb->cur_iocbq.sli4_xritag == xri) {
  			list_del_init(&psb->list);
- 			psb->exch_busy = 0;
+ 			psb->flags &= ~LPFC_SBUF_XBUSY;
  			psb->status = IOSTAT_SUCCESS;
 -#ifdef BUILD_NVME
  			if (psb->cur_iocbq.iocb_flag == LPFC_IO_NVME) {
  				qp->abts_nvme_io_bufs--;
  				spin_unlock(&qp->abts_io_buf_list_lock);
diff --cc drivers/scsi/scsi_sysfs.c
index cc51f47560772,2c76d7a43f677..677b5c5403d22
--- a/drivers/scsi/scsi_sysfs.c
+++ b/drivers/scsi/scsi_sysfs.c
@@@ -466,12 -467,18 +467,18 @@@ static void scsi_device_dev_release_use
  	sdev->request_queue = NULL;
  
  	mutex_lock(&sdev->inquiry_mutex);
 -	rcu_swap_protected(sdev->vpd_pg0, vpd_pg0,
 -			   lockdep_is_held(&sdev->inquiry_mutex));
 -	rcu_swap_protected(sdev->vpd_pg80, vpd_pg80,
 -			   lockdep_is_held(&sdev->inquiry_mutex));
 -	rcu_swap_protected(sdev->vpd_pg83, vpd_pg83,
 -			   lockdep_is_held(&sdev->inquiry_mutex));
 -	rcu_swap_protected(sdev->vpd_pg89, vpd_pg89,
 -			   lockdep_is_held(&sdev->inquiry_mutex));
++	vpd_pg0 = rcu_replace_pointer(sdev->vpd_pg0, vpd_pg0,
++				       lockdep_is_held(&sdev->inquiry_mutex));
 +	vpd_pg80 = rcu_replace_pointer(sdev->vpd_pg80, vpd_pg80,
 +				       lockdep_is_held(&sdev->inquiry_mutex));
 +	vpd_pg83 = rcu_replace_pointer(sdev->vpd_pg83, vpd_pg83,
 +				       lockdep_is_held(&sdev->inquiry_mutex));
++	vpd_pg89 = rcu_replace_pointer(sdev->vpd_pg89, vpd_pg89,
++				       lockdep_is_held(&sdev->inquiry_mutex));
  	mutex_unlock(&sdev->inquiry_mutex);
  
+ 	if (vpd_pg0)
+ 		kfree_rcu(vpd_pg0, rcu);
  	if (vpd_pg83)
  		kfree_rcu(vpd_pg83, rcu);
  	if (vpd_pg80)
diff --cc drivers/scsi/sg.c
index 9e4ef22b3579a,0940abd91d3ce..160748ad9c0f0
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@@ -429,28 -429,14 +429,36 @@@ sg_read(struct file *filp, char __user 
  	SCSI_LOG_TIMEOUT(3, sg_printk(KERN_INFO, sdp,
  				      "sg_read: count=%d\n", (int) count));
  
- 	if (!access_ok(buf, count))
- 		return -EFAULT;
  	if (sfp->force_packid && (count >= SZ_SG_HEADER)) {
- 		old_hdr = kmalloc(SZ_SG_HEADER, GFP_KERNEL);
- 		if (!old_hdr)
- 			return -ENOMEM;
- 		if (__copy_from_user(old_hdr, buf, SZ_SG_HEADER)) {
- 			retval = -EFAULT;
- 			goto free_old_hdr;
- 		}
+ 		old_hdr = memdup_user(buf, SZ_SG_HEADER);
+ 		if (IS_ERR(old_hdr))
+ 			return PTR_ERR(old_hdr);
  		if (old_hdr->reply_len < 0) {
  			if (count >= SZ_SG_IO_HDR) {
 -				sg_io_hdr_t __user *p = (void __user *)buf;
 -				if (get_user(req_pack_id, &p->pack_id)) {
++				/*
++				 * This is stupid.
++				 *
++				 * We're copying the whole sg_io_hdr_t from user
++				 * space just to get the 'pack_id' field. But the
++				 * field is at different offsets for the compat
++				 * case, so we'll use "get_sg_io_hdr()" to copy
++				 * the whole thing and convert it.
++				 *
++				 * We could do something like just calculating the
++				 * offset based of 'in_compat_syscall()', but the
++				 * 'compat_sg_io_hdr' definition is in the wrong
++				 * place for that.
++				 */
 +				sg_io_hdr_t *new_hdr;
 +				new_hdr = kmalloc(SZ_SG_IO_HDR, GFP_KERNEL);
 +				if (!new_hdr) {
 +					retval = -ENOMEM;
 +					goto free_old_hdr;
 +				}
 +				retval = get_sg_io_hdr(new_hdr, buf);
 +				req_pack_id = new_hdr->pack_id;
 +				kfree(new_hdr);
 +				if (retval) {
  					retval = -EFAULT;
  					goto free_old_hdr;
  				}