Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v5.10.245 2024-07-27T08:40:22Z 2024-07-27T08:40:22Z Bart Van Assche bvanassche@acm.org 2022-08-26T00:26:34Z urn:sha1:5ce8fad941233e81f2afb5b52a3fcddd3ba8732f commit 8fe4ce5836e932f5766317cb651c1ff2a4cd0506 upstream. There are two .exit_cmd_priv implementations. Both implementations use resources associated with the SCSI host. Make sure that these resources are still available when .exit_cmd_priv is called by waiting inside scsi_remove_host() until the tag set has been freed. This commit fixes the following use-after-free: ================================================================== BUG: KASAN: use-after-free in srp_exit_cmd_priv+0x27/0xd0 [ib_srp] Read of size 8 at addr ffff888100337000 by task multipathd/16727 Call Trace: <TASK> dump_stack_lvl+0x34/0x44 print_report.cold+0x5e/0x5db kasan_report+0xab/0x120 srp_exit_cmd_priv+0x27/0xd0 [ib_srp] scsi_mq_exit_request+0x4d/0x70 blk_mq_free_rqs+0x143/0x410 __blk_mq_free_map_and_rqs+0x6e/0x100 blk_mq_free_tag_set+0x2b/0x160 scsi_host_dev_release+0xf3/0x1a0 device_release+0x54/0xe0 kobject_put+0xa5/0x120 device_release+0x54/0xe0 kobject_put+0xa5/0x120 scsi_device_dev_release_usercontext+0x4c1/0x4e0 execute_in_process_context+0x23/0x90 device_release+0x54/0xe0 kobject_put+0xa5/0x120 scsi_disk_release+0x3f/0x50 device_release+0x54/0xe0 kobject_put+0xa5/0x120 disk_release+0x17f/0x1b0 device_release+0x54/0xe0 kobject_put+0xa5/0x120 dm_put_table_device+0xa3/0x160 [dm_mod] dm_put_device+0xd0/0x140 [dm_mod] free_priority_group+0xd8/0x110 [dm_multipath] free_multipath+0x94/0xe0 [dm_multipath] dm_table_destroy+0xa2/0x1e0 [dm_mod] __dm_destroy+0x196/0x350 [dm_mod] dev_remove+0x10c/0x160 [dm_mod] ctl_ioctl+0x2c2/0x590 [dm_mod] dm_ctl_ioctl+0x5/0x10 [dm_mod] __x64_sys_ioctl+0xb4/0xf0 dm_ctl_ioctl+0x5/0x10 [dm_mod] __x64_sys_ioctl+0xb4/0xf0 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Link: https://lore.kernel.org/r/20220826002635.919423-1-bvanassche@acm.org Fixes: 65ca846a5314 ("scsi: core: Introduce {init,exit}_cmd_priv()") Cc: Ming Lei <ming.lei@redhat.com> Cc: Christoph Hellwig <hch@lst.de> Cc: Mike Christie <michael.christie@oracle.com> Cc: Hannes Reinecke <hare@suse.de> Cc: John Garry <john.garry@huawei.com> Cc: Li Zhijian <lizhijian@fujitsu.com> Reported-by: Li Zhijian <lizhijian@fujitsu.com> Tested-by: Li Zhijian <lizhijian@fujitsu.com> Signed-off-by: Bart Van Assche <bvanassche@acm.org> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> [mheyne: fixed contextual conflicts: - drivers/scsi/hosts.c: due to missing commit 973dac8a8a14 ("scsi: core: Refine how we set tag_set NUMA node") - drivers/scsi/scsi_sysfs.c: due to missing commit 6f8191fdf41d ("block: simplify disk shutdown") - drivers/scsi/scsi_scan.c: due to missing commit 59506abe5e34 ("scsi: core: Inline scsi_mq_alloc_queue()")] Signed-off-by: Maximilian Heyne <mheyne@amazon.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-02-23T07:42:15Z Bart Van Assche bvanassche@acm.org 2021-04-15T22:08:11Z urn:sha1:7efadce40a6b173193888ac8392442beda666620 [ Upstream commit b8e162f9e7e2da6e823a4984d6aa0523e278babf ] Improve readability of the code in the SCSI core by introducing an enumeration type for the values used internally that decide how to continue processing a SCSI command. The eh_*_handler return values have not been changed because that would involve modifying all SCSI drivers. The output of the following command has been inspected to verify that no out-of-range values are assigned to a variable of type enum scsi_disposition: KCFLAGS=-Wassign-enum make CC=clang W=1 drivers/scsi/ Link: https://lore.kernel.org/r/20210415220826.29438-6-bvanassche@acm.org Cc: Christoph Hellwig <hch@lst.de> Cc: Johannes Thumshirn <johannes.thumshirn@wdc.com> Cc: Hannes Reinecke <hare@suse.de> Cc: Daniel Wagner <dwagner@suse.de> Signed-off-by: Bart Van Assche <bvanassche@acm.org> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Stable-dep-of: 4373534a9850 ("scsi: core: Move scsi_host_busy() out of host lock for waking up EH handler") Signed-off-by: Sasha Levin <sashal@kernel.org> 2024-01-12T19:56:38Z Greg Kroah-Hartman gregkh@linuxfoundation.org 2024-01-11T09:35:04Z urn:sha1:e30419672e3acc039389236d0f4e77a08b217710 This reverts commit 294d66c35a4e019a9dfe889fe382adce1cc3773e which is commit 7ba46799d34695534666a3f71a2be10ea85ece6c upstream. As reported, a lot of scsi changes were made just to resolve a 2 line patch, so let's revert them all and then manually fix up the 2 line fixup so that things are simpler and potential abi changes are not an issue. Link: https://lore.kernel.org/r/ZZ042FejzwMM5vDW@duo.ucw.cz Reported-by: Pavel Machek <pavel@ucw.cz> Cc: "Martin K. Petersen" <martin.petersen@oracle.com> Cc: Bart Van Assche <bvanassche@acm.org> Cc: Benjamin Block <bblock@linux.ibm.com> Cc: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-01-12T19:56:38Z Greg Kroah-Hartman gregkh@linuxfoundation.org 2024-01-11T09:35:02Z urn:sha1:f60f60e1deca9729c596b2bca9f1e1bf47bf8a0e This reverts commit f230e6d4249b9ccdcb571077023cecabf91ecbb1 which is commit f0f214fe8cd32224267ebea93817b8c32074623d upstream. As reported, a lot of scsi changes were made just to resolve a 2 line patch, so let's revert them all and then manually fix up the 2 line fixup so that things are simpler and potential abi changes are not an issue. Link: https://lore.kernel.org/r/ZZ042FejzwMM5vDW@duo.ucw.cz Reported-by: Pavel Machek <pavel@ucw.cz> Cc: "Martin K. Petersen" <martin.petersen@oracle.com> Cc: Christoph Hellwig <hch@lst.de> Cc: Ming Lei <ming.lei@redhat.com> Cc: Hannes Reinecke <hare@suse.de> Cc: Damien Le Moal <damien.lemoal@wdc.com> Cc: Benjamin Block <bblock@linux.ibm.com> Cc: Bart Van Assche <bvanassche@acm.org> Cc: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-01-12T19:56:38Z Greg Kroah-Hartman gregkh@linuxfoundation.org 2024-01-11T09:35:01Z urn:sha1:a5edb407029321066c0ebbc2fd3d91acdd644d1e This reverts commit d054858a9c9e4406099e61fe00c93516f9b4c169 which is commit d2c945f01d233085fedc9e3cf7ec180eaa2b7a85 upstream. As reported, a lot of scsi changes were made just to resolve a 2 line patch, so let's revert them all and then manually fix up the 2 line fixup so that things are simpler and potential abi changes are not an issue. Link: https://lore.kernel.org/r/ZZ042FejzwMM5vDW@duo.ucw.cz Reported-by: Pavel Machek <pavel@ucw.cz> Cc: "Martin K. Petersen" <martin.petersen@oracle.com> Cc: Bart Van Assche <bvanassche@acm.org> Cc: Benjamin Block <bblock@linux.ibm.com> Cc: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-01-12T19:56:38Z Greg Kroah-Hartman gregkh@linuxfoundation.org 2024-01-11T09:35:00Z urn:sha1:2129297760278dc48649b9d50b4b646b36b5ff6d This reverts commit df83ca8e986d0285974dfa510973191547dcd173 which is commit aa8e25e5006aac52c943c84e9056ab488630ee19 upstream. As reported, a lot of scsi changes were made just to resolve a 2 line patch, so let's revert them all and then manually fix up the 2 line fixup so that things are simpler and potential abi changes are not an issue. Link: https://lore.kernel.org/r/ZZ042FejzwMM5vDW@duo.ucw.cz Reported-by: Pavel Machek <pavel@ucw.cz> Cc: "Martin K. Petersen" <martin.petersen@oracle.com> Cc: Christoph Hellwig <hch@lst.de> Cc: Hannes Reinecke <hare@suse.de> Cc: Ming Lei <ming.lei@redhat.com> Cc: Bart Van Assche <bvanassche@acm.org> Cc: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-01-12T19:56:37Z Greg Kroah-Hartman gregkh@linuxfoundation.org 2024-01-11T09:34:58Z urn:sha1:cea19678bf55f8d087bf617478f249208432156c This reverts commit f2d30198c0530b8da155697d8723e19ac72c15fe which is commit bf23e619039d360d503b7282d030daf2277a5d47 upstream. As reported, a lot of scsi changes were made just to resolve a 2 line patch, so let's revert them all and then manually fix up the 2 line fixup so that things are simpler and potential abi changes are not an issue. Link: https://lore.kernel.org/r/ZZ042FejzwMM5vDW@duo.ucw.cz Reported-by: Pavel Machek <pavel@ucw.cz> Cc: "Martin K. Petersen" <martin.petersen@oracle.com> Cc: Hannes Reinecke <hare@suse.com> Cc: Ming Lei <ming.lei@redhat.com> Cc: Christoph Hellwig <hch@lst.de> Cc: Benjamin Block <bblock@linux.ibm.com> Cc: Bean Huo <beanhuo@micron.com> Cc: Bart Van Assche <bvanassche@acm.org> Cc: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-01-05T14:12:31Z Bart Van Assche bvanassche@acm.org 2021-10-07T20:27:56Z urn:sha1:f2d30198c0530b8da155697d8723e19ac72c15fe [ Upstream commit bf23e619039d360d503b7282d030daf2277a5d47 ] Conditional statements are faster than indirect calls. Use a structure member to track the SCSI command submitter such that later patches can call scsi_done(scmd) instead of scmd->scsi_done(scmd). The asymmetric behavior that scsi_send_eh_cmnd() sets the submission context to the SCSI error handler and that it does not restore the submission context to the SCSI core is retained. Link: https://lore.kernel.org/r/20211007202923.2174984-2-bvanassche@acm.org Cc: Hannes Reinecke <hare@suse.com> Cc: Ming Lei <ming.lei@redhat.com> Cc: Christoph Hellwig <hch@lst.de> Reviewed-by: Benjamin Block <bblock@linux.ibm.com> Reviewed-by: Bean Huo <beanhuo@micron.com> Signed-off-by: Bart Van Assche <bvanassche@acm.org> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Stable-dep-of: 066c5b46b6ea ("scsi: core: Always send batch on reset or error handling command") Signed-off-by: Sasha Levin <sashal@kernel.org> 2024-01-05T14:12:30Z Bart Van Assche bvanassche@acm.org 2021-08-09T23:03:05Z urn:sha1:df83ca8e986d0285974dfa510973191547dcd173 [ Upstream commit aa8e25e5006aac52c943c84e9056ab488630ee19 ] Prepare for removal of the request pointer by using scsi_cmd_to_rq() instead. Cast away constness where necessary when passing a SCSI command pointer to scsi_cmd_to_rq(). This patch does not change any functionality. Link: https://lore.kernel.org/r/20210809230355.8186-3-bvanassche@acm.org Cc: Christoph Hellwig <hch@lst.de> Cc: Hannes Reinecke <hare@suse.de> Cc: Ming Lei <ming.lei@redhat.com> Reviewed-by: Hannes Reinecke <hare@suse.de> Signed-off-by: Bart Van Assche <bvanassche@acm.org> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Stable-dep-of: 066c5b46b6ea ("scsi: core: Always send batch on reset or error handling command") Signed-off-by: Sasha Levin <sashal@kernel.org> 2024-01-05T14:12:30Z Martin K. Petersen martin.petersen@oracle.com 2021-06-09T03:39:26Z urn:sha1:d054858a9c9e4406099e61fe00c93516f9b4c169 [ Upstream commit d2c945f01d233085fedc9e3cf7ec180eaa2b7a85 ] scsi_get_lba() confusingly returned the block layer sector number expressed in units of 512 bytes. Now that we have a more aptly named scsi_get_sector() function, make scsi_get_lba() return the actual LBA. Link: https://lore.kernel.org/r/20210609033929.3815-13-martin.petersen@oracle.com Reviewed-by: Bart Van Assche <bvanassche@acm.org> Reviewed-by: Benjamin Block <bblock@linux.ibm.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Message-Id: <20210609033929.3815-13-martin.petersen@oracle.com> Stable-dep-of: 066c5b46b6ea ("scsi: core: Always send batch on reset or error handling command") Signed-off-by: Sasha Levin <sashal@kernel.org>