Bart Van Assche [Mon, 24 Feb 2025 11:55:17 +0000 (11:55 +0000)]
scsi: scsi_debug: Do not sleep in atomic sections
Function stop_qc_helper() is called while the debug_scsi_cmd lock is held,
and from here we may call cancel_work_sync(), which may sleep.
Sleeping in atomic sections is not allowed.
Hence change the cancel_work_sync() call into a cancel_work() call.
However now it is not possible to know if the work callback is running when
we return. This is relevant for eh_abort_handler handling, as the semantics
of that callback are that success means that we do not keep a reference to
the scsi_cmnd - now this is not possible. So return FAIL when we are unsure
if the callback is still running.
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
jpg: return FAILED from scsi_debug_abort() when possible callback running
Signed-off-by: John Garry <john.g.garry@oracle.com>
Link: https://lore.kernel.org/r/20250224115517.495899-5-john.g.garry@oracle.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Bart Van Assche [Mon, 24 Feb 2025 11:55:16 +0000 (11:55 +0000)]
scsi: scsi_debug: Simplify command handling
Simplify command handling by moving struct sdebug_defer into the private
SCSI command data instead of allocating it separately. The only functional
change is that aborting a SCSI command now fails and is retried at a later
time if the completion handler can't be cancelled.
See also commit 1107c7b24ee3 ("scsi: scsi_debug: Dynamically allocate
sdebug_queued_cmd").
Bart Van Assche [Mon, 24 Feb 2025 11:55:15 +0000 (11:55 +0000)]
scsi: scsi_debug: Remove a reference to in_use_bm
Commit f1437cd1e535 ("scsi: scsi_debug: Drop sdebug_queue") removed the
'in_use_bm' struct member. Hence remove a reference to that struct member
from the procfs host info file.
Fixes: f1437cd1e535 ("scsi: scsi_debug: Drop sdebug_queue")
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: John Garry <john.g.garry@oracle.com>
Link: https://lore.kernel.org/r/20250224115517.495899-3-john.g.garry@oracle.com
Reviewed-by: John Garry <john.g.garry@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
It was originally intended for supporting checking for atomic writes
overlapping with ongoing reads and writes, but that support never got
added.
SBC-4 r22 section 4.29.3.2 "Performing operations during an atomic write
operation" describes two methods of handling overlapping atomic writes.
Currently the only method supported is for the ongoing read or write to
complete.
Kaixin Wang [Wed, 18 Sep 2024 12:07:50 +0000 (20:07 +0800)]
HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition
In the ssi_protocol_probe() function, &ssi->work is bound with
ssip_xmit_work(). In ssip_pn_setup(), the ssip_pn_xmit() function
within the ssip_pn_ops structure is capable of starting the
work.
If we remove the module which will call ssi_protocol_remove()
to make a cleanup, it will free ssi through kfree(ssi),
while the work mentioned above will be used. The sequence
of operations that may lead to a UAF bug is as follows:
Ranjan Kumar [Thu, 20 Feb 2025 14:25:27 +0000 (19:55 +0530)]
scsi: mpi3mr: Check admin reply queue from Watchdog
Admin reply processing can be called from multiple contexts. The driver
uses an atomic flag for synchronization among multiple threads/context for
draining the admin replies.
Upon entering the admin processing routine, the driver will set the atomic
flag and start reply processing. When exiting the routine, the driver
resets the flag. However, there is a race condition when one thread (Thread
1) has processed replies and is about to reset the flag but in the meantime
few more replies are posted and another thread (Thread 2) is called to
process replies. Since the synchronization flag is still set, Thread 2 will
return without processing replies and those new replies will not be
flushed.
Make the watchdog thread monitor cases where admin ISR/poll call returns
due to another thread processing admin replies. If such an instance is
found, make driver call admin ISR to drain replies (if any).
Co-developed-by: Sumit Saxena <sumit.saxena@broadcom.com>
Signed-off-by: Sumit Saxena <sumit.saxena@broadcom.com>
Signed-off-by: Ranjan Kumar <ranjan.kumar@broadcom.com>
Link: https://lore.kernel.org/r/20250220142528.20837-4-ranjan.kumar@broadcom.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
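Added example, not code from the mpi3mr driver or from this commit: a single-threaded replay of the interleaving described in the message above, showing replies left undrained when the second caller bails out on the flag, and a watchdog check that recovers them. All names (admin_q, missed, replay, and so on) are hypothetical and the reply counts are constructed.

```c
#include <stdatomic.h>
#include <stdbool.h>

/* Hypothetical model of the admin reply queue; not the driver's structures. */
struct admin_q {
    atomic_int  in_progress; /* the synchronization flag from the message */
    atomic_bool missed;      /* a caller returned early because the flag was set */
    int posted;              /* replies posted by the controller (constructed) */
    int consumed;            /* replies drained by the driver */
};

static bool admin_enter(struct admin_q *q)
{
    int idle = 0;
    if (!atomic_compare_exchange_strong(&q->in_progress, &idle, 1)) {
        atomic_store(&q->missed, true); /* remember the skipped call */
        return false;
    }
    return true;
}

static void admin_drain(struct admin_q *q) { q->consumed = q->posted; }
static void admin_exit(struct admin_q *q)  { atomic_store(&q->in_progress, 0); }

static void admin_isr(struct admin_q *q)
{
    if (!admin_enter(q))
        return;              /* another context is already draining */
    admin_drain(q);
    admin_exit(q);
}

/* Watchdog: if an ISR/poll call bailed out, drain whatever is left. */
static void watchdog(struct admin_q *q)
{
    if (atomic_exchange(&q->missed, false))
        admin_isr(q);
}

/* Replays the race step by step; returns replies left in the queue. */
static int replay(bool with_watchdog)
{
    struct admin_q q = {0};
    q.posted = 3;
    admin_enter(&q);         /* Thread 1 sets the flag ...            */
    admin_drain(&q);         /* ... and has processed all 3 replies   */
    q.posted += 2;           /* controller posts 2 more replies       */
    admin_isr(&q);           /* Thread 2: flag still set, returns     */
    admin_exit(&q);          /* Thread 1 resets the flag              */
    if (with_watchdog)
        watchdog(&q);
    return q.posted - q.consumed;
}
```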
drm/repaper: fix integer overflows in repeat functions
There are conditions, albeit somewhat unlikely, under which right hand
expressions, calculating the end of time period in functions like
repaper_frame_fixed_repeat(), may overflow.
For instance, if 'factor10x' in repaper_get_temperature() is high
enough (170), as is 'epd->stage_time' in repaper_probe(), then the
resulting value of 'end' will not fit in unsigned int expression.
Mitigate this by casting 'epd->factored_stage_time' to wider type before
any multiplication is done.
Found by Linux Verification Center (linuxtesting.org) with static
analysis tool SVACE.
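Added example, not code from the repaper driver or from this commit: the overflow described in the message above, with the 32-bit product beside the form that widens before multiplying. The millisecond-to-nanosecond scaling, the factor10x/10 scaling, the function names and the stage times (630 and 480) are assumptions chosen for illustration; only the factor 170 comes from the message.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed model: stage time in ms, scaled by factor10x/10, converted to ns. */
#define NSEC_PER_MSEC 1000000u

static uint32_t factored_stage_time(uint32_t stage_ms, uint32_t factor10x)
{
    return stage_ms * factor10x / 10;
}

/* Before: the product is computed in 32 bits and wraps; only the wrapped
 * result is widened when it is added to the 64-bit start time. */
static uint64_t end_narrow(uint64_t start, uint32_t factored_ms)
{
    return start + (factored_ms * NSEC_PER_MSEC);
}

/* After: cast first, so the multiplication itself is done in 64 bits. */
static uint64_t end_wide(uint64_t start, uint32_t factored_ms)
{
    return start + ((uint64_t)factored_ms * NSEC_PER_MSEC);
}

/* Smallest factor10x at which the narrow form diverges; 0 if none <= max. */
static uint32_t first_wrapping_factor(uint32_t stage_ms, uint32_t max_factor10x)
{
    for (uint32_t f = 1; f <= max_factor10x; f++) {
        uint32_t t = factored_stage_time(stage_ms, f);
        if (end_narrow(0, t) != end_wide(0, t))
            return f;
    }
    return 0;
}

int main(void)
{
    uint32_t t = factored_stage_time(630, 170); /* 630 ms: constructed sample */

    printf("factored=%" PRIu32 " ms narrow=%" PRIu64 " ns wide=%" PRIu64 " ns\n",
           t, end_narrow(0, t), end_wide(0, t));
    printf("first wrapping factor10x for 630 ms: %" PRIu32 "\n",
           first_wrapping_factor(630, 170));
    return 0;
}
```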
Merge patch series "scsi: scsi_debug: Add more tape support"
Kai Mäkisara <Kai.Makisara@kolumbus.fi> says:
Currently, the scsi_debug driver can create tape devices and the st
driver attaches to those. Nothing much can be done with the tape devices
because scsi_debug does not have support for the tape-specific commands
and features. These patches add some more tape support to the scsi_debug
driver. The end result is simulated drives with a tape having one or two
partitions (one partition is created initially).
The tape is implemented as a fixed number (10 000) of 8-byte units.
The first four bytes of a unit contain the type of the unit (data
block, filemark or end-of-data mark). If the unit is a data block,
the first four bytes also contain the block length and the remaining
four bytes the first bytes of written data. This allows the user
to use tags to see that the read block is what it was supposed to be.
The following SCSI operations are added or modified:
FORMAT MEDIUM
- added
LOCATE
- added
MODE SELECT
- modified to allow use without page(s) (just header and block descriptor)
- store density and block size
- partition page added
MODE SENSE
- modified to allow use without page(s) (just header and block descriptor)
- set density and block size
- partition page added
READ BLOCK LIMITS
- added
READ POSITION
- added
READ
- added tape support for READ (6)
REWIND
- modified to set the tape position
SPACE
- added
START STOP (LOAD)
- modified to return New Medium Unit Attention if tape loaded (not
according to the standard, but enables testing this UA)
WRITE
- added tape support for WRITE (6)
WRITE FILEMARKS
- added
Merge patch series "Initial support for RK3576 UFS controller"
Shawn Lin <shawn.lin@rock-chips.com> says:
This patchset adds initial UFS controller support for RK3576 SoC.
Patch 1 is the dt-bindings. Patch 2-4 deal with rpm and spm support
in advanced suggested by Ulf. Patch 5 exports two new APIs for host
driver. Patch 6 and 7 are the host driver and dtsi support.
Uwe Kleine-König [Mon, 17 Feb 2025 17:49:36 +0000 (18:49 +0100)]
drm/bridge: ti-sn65dsi86: Check for CONFIG_PWM using IS_REACHABLE()
Currently CONFIG_PWM is a bool but I intend to change it to tristate. If
CONFIG_PWM=m in the configuration, the cpp symbol CONFIG_PWM isn't
defined and so the PWM code paths in the ti-sn65dsi86 driver are not
used.
The correct way to check for CONFIG_PWM is using IS_REACHABLE which does
the right thing for all cases
CONFIG_DRM_TI_SN65DSI86 ∈ { y, m } x CONFIG_PWM ∈ { y, m, n }.
There is no change until CONFIG_PWM actually becomes tristate.