Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v4.9.296 2020-11-10T09:23:57Z 2020-11-10T09:23:57Z Helge Deller deller@gmx.de 2020-10-22T09:00:05Z urn:sha1:4a59ea4d11e79ba6a9667999f19bb53ef2b3401f commit 2f4843b172c2c0360ee7792ad98025fae7baefde upstream. The mptscsih_remove() function triggers a kernel oops if the Scsi_Host pointer (ioc->sh) is NULL, as can be seen in this syslog: ioc0: LSI53C1030 B2: Capabilities={Initiator,Target} Begin: Waiting for root file system ... scsi host2: error handler thread failed to spawn, error = -4 mptspi: ioc0: WARNING - Unable to register controller with SCSI subsystem Backtrace: [<000000001045b7cc>] mptspi_probe+0x248/0x3d0 [mptspi] [<0000000040946470>] pci_device_probe+0x1ac/0x2d8 [<0000000040add668>] really_probe+0x1bc/0x988 [<0000000040ade704>] driver_probe_device+0x160/0x218 [<0000000040adee24>] device_driver_attach+0x160/0x188 [<0000000040adef90>] __driver_attach+0x144/0x320 [<0000000040ad7c78>] bus_for_each_dev+0xd4/0x158 [<0000000040adc138>] driver_attach+0x4c/0x80 [<0000000040adb3ec>] bus_add_driver+0x3e0/0x498 [<0000000040ae0130>] driver_register+0xf4/0x298 [<00000000409450c4>] __pci_register_driver+0x78/0xa8 [<000000000007d248>] mptspi_init+0x18c/0x1c4 [mptspi] This patch adds the necessary NULL-pointer checks. Successfully tested on a HP C8000 parisc workstation with buggy SCSI drives. Link: https://lore.kernel.org/r/20201022090005.GA9000@ls3530.fritz.box Cc: <stable@vger.kernel.org> Signed-off-by: Helge Deller <deller@gmx.de> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-07-22T07:10:45Z Tomas Henzl thenzl@redhat.com 2020-06-16T15:04:46Z urn:sha1:c94e289e6ca84b46537d9812b43a3214630af0ef [ Upstream commit afe89f115e84edbc76d316759e206580a06c6973 ] The sense data buffer in sense_buf_pool is allocated with size of MPT_SENSE_BUFFER_ALLOC(64) (multiplied by req_depth) while SNS_LEN(sc)(96) is used when reading the data. That may lead to a read from unallocated area, sometimes from another (unallocated) page. To fix this, limit the read size to MPT_SENSE_BUFFER_ALLOC. Link: https://lore.kernel.org/r/20200616150446.4840-1-thenzl@redhat.com Co-developed-by: Stanislav Saner <ssaner@redhat.com> Signed-off-by: Stanislav Saner <ssaner@redhat.com> Signed-off-by: Tomas Henzl <thenzl@redhat.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2020-01-23T07:19:39Z Dan Carpenter dan.carpenter@oracle.com 2020-01-14T12:34:14Z urn:sha1:ddfa91a194d054fb765b919e593183794d6637d6 commit 28d76df18f0ad5bcf5fa48510b225f0ed262a99b upstream. Tom Hatskevich reported that we look up "iocp" then, in the called functions we do a second copy_from_user() and look it up again. The problem that could cause is: drivers/message/fusion/mptctl.c 674 /* All of these commands require an interrupt or 675 * are unknown/illegal. 676 */ 677 if ((ret = mptctl_syscall_down(iocp, nonblock)) != 0) ^^^^ We take this lock. 678 return ret; 679 680 if (cmd == MPTFWDOWNLOAD) 681 ret = mptctl_fw_download(arg); ^^^ Then the user memory changes and we look up "iocp" again but a different one so now we are holding the incorrect lock and have a race condition. 682 else if (cmd == MPTCOMMAND) 683 ret = mptctl_mpt_command(arg); The security impact of this bug is not as bad as it could have been because these operations are all privileged and root already has enormous destructive power. But it's still worth fixing. This patch passes the "iocp" pointer to the functions to avoid the second lookup. That deletes 100 lines of code from the driver so it's a nice clean up as well. Link: https://lore.kernel.org/r/20200114123414.GA7957@kadam Reported-by: Tom Hatskevich <tom2001tom.23@gmail.com> Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-05-25T14:13:06Z Dan Carpenter dan.carpenter@oracle.com 2018-01-25T14:27:27Z urn:sha1:95bcf5b14e31a232bdeb606219c5eaa5b96e285c [ Upstream commit a7043e9529f3c367cc4d82997e00be034cbe57ca ] My static checker complains about an out of bounds read: drivers/message/fusion/mptctl.c:2786 mptctl_hp_targetinfo() error: buffer overflow 'hd->sel_timeout' 255 <= u32max. It's true that we probably should have a bounds check here. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-04-29T09:32:02Z Martin K. Petersen martin.petersen@oracle.com 2018-04-19T02:54:59Z urn:sha1:70f2351eca535c590dad1657a3761650c8515acb commit 94e5395d2403c8bc2504a7cbe4c4caaacb7b8b84 upstream. First generation MPT Fusion controllers can not translate WRITE SAME when the attached device is a SATA drive. Disable WRITE SAME support. Reported-by: Nikola Ciprich <nikola.ciprich@linuxbox.cz> Cc: <stable@vger.kernel.org> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2016-09-14T18:26:19Z Wei Yongjun weiyongjun1@huawei.com 2016-09-10T16:06:36Z urn:sha1:c08b3f9a27006c5c541b5c0fa273444a93617fda Fix to return error code -ENOMEM from the workqueue alloc error handling case instead of 0, as done elsewhere in this function. Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 2016-09-02T10:13:57Z Bhaktipriya Shridhar bhaktipriya96@gmail.com 2016-08-30T19:03:25Z urn:sha1:b2990536f44752e54dc300a2f98253519adfe649 The workqueues "ioc->reset_work_q" and "ioc->fw_event_q" queue a single work item &ioc->fault_reset_work and &fw_event->work, respectively and hence don't require ordering. Hence, they have been converted to use alloc_workqueue(). The WQ_MEM_RECLAIM flag has been set to ensure forward progress under memory pressure since the workqueue belongs to a storage driver which is being used on a memory reclaim path. Since there are fixed number of work items, explicit concurrency limit is unnecessary here. Signed-off-by: Bhaktipriya Shridhar <bhaktipriya96@gmail.com> Acked-by: Tejun Heo <tj@kernel.org> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 2016-09-02T10:12:01Z Bhaktipriya Shridhar bhaktipriya96@gmail.com 2016-08-30T19:03:05Z urn:sha1:77d4f08024d86974d3eddc6d0a7143f74974783f The workqueue "fc_rescan_work_q" queues multiple work items viz &ioc->fc_rescan_work, &ioc->fc_lsc_work, &ioc->fc_setup_reset_work, which require strict execution ordering. Hence, an ordered dedicated workqueue has been used. WQ_MEM_RECLAIM has been set since the workqueue is belongs to a storage driver which is being used on a memory reclaim path and hence, requires forward progress under memory pressure. Signed-off-by: Bhaktipriya Shridhar <bhaktipriya96@gmail.com> Acked-by: Tejun Heo <tj@kernel.org> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 2016-05-18T23:38:59Z Linus Torvalds torvalds@linux-foundation.org 2016-05-18T23:38:59Z urn:sha1:675e0655c12209ba1f40af0dff7cd76b17a1315c Pull SCSI updates from James Bottomley: "First round of SCSI updates for the 4.6+ merge window. This batch includes the usual quota of driver updates (bnx2fc, mp3sas, hpsa, ncr5380, lpfc, hisi_sas, snic, aacraid, megaraid_sas). There's also a multiqueue update for scsi_debug, assorted bug fixes and a few other minor updates (refactor of scsi_sg_pools into generic code, alua and VPD updates, and struct timeval conversions)" * tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: (138 commits) mpt3sas: Used "synchronize_irq()"API to synchronize timed-out IO & TMs mpt3sas: Set maximum transfer length per IO to 4MB for VDs mpt3sas: Updating mpt3sas driver version to 13.100.00.00 mpt3sas: Fix initial Reference tag field for 4K PI drives. mpt3sas: Handle active cable exception event mpt3sas: Update MPI header to 2.00.42 Revert "lpfc: Delete unnecessary checks before the function call mempool_destroy" eata_pio: missing break statement hpsa: Fix type ZBC conditional checks scsi_lib: Decode T10 vendor IDs scsi_dh_alua: do not fail for unknown VPD identification scsi_debug: use locally assigned naa scsi_debug: uuid for lu name scsi_debug: vpd and mode page work scsi_debug: add multiple queue support bfa: fix bfa_fcb_itnim_alloc() error handling megaraid_sas: Downgrade two success messages to info cxlflash: Fix to resolve dead-lock during EEH recovery scsi_debug: rework resp_report_luns scsi_debug: use pdt constants ... 2016-05-04T18:16:49Z Florian Westphal fw@strlen.de 2016-05-03T14:33:13Z urn:sha1:860e9538a9482bb84589f7d0718a7e6d0a944d58 Replace all trans_start updates with netif_trans_update helper. change was done via spatch: struct net_device *d; @@ - d->trans_start = jiffies + netif_trans_update(d) Compile tested only. Cc: user-mode-linux-devel@lists.sourceforge.net Cc: linux-xtensa@linux-xtensa.org Cc: linux1394-devel@lists.sourceforge.net Cc: linux-rdma@vger.kernel.org Cc: netdev@vger.kernel.org Cc: MPT-FusionLinux.pdl@broadcom.com Cc: linux-scsi@vger.kernel.org Cc: linux-can@vger.kernel.org Cc: linux-parisc@vger.kernel.org Cc: linux-omap@vger.kernel.org Cc: linux-hams@vger.kernel.org Cc: linux-usb@vger.kernel.org Cc: linux-wireless@vger.kernel.org Cc: linux-s390@vger.kernel.org Cc: devel@driverdev.osuosl.org Cc: b.a.t.m.a.n@lists.open-mesh.org Cc: linux-bluetooth@vger.kernel.org Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com> Acked-by: Mugunthan V N <mugunthanvnm@ti.com> Acked-by: Antonio Quartulli <a@unstable.cc> Signed-off-by: David S. Miller <davem@davemloft.net>