Skip to content
Snippets Groups Projects
  1. Jan 16, 2020
    • Dan Carpenter's avatar
      scsi: mptfusion: Fix double fetch bug in ioctl · 28d76df1
      Dan Carpenter authored
      Tom Hatskevich reported that we look up "iocp" then, in the called
      functions we do a second copy_from_user() and look it up again.
      The problem that could cause is:
      
      drivers/message/fusion/mptctl.c
         674          /* All of these commands require an interrupt or
         675           * are unknown/illegal.
         676           */
         677          if ((ret = mptctl_syscall_down(iocp, nonblock)) != 0)
                                                     ^^^^
      We take this lock.
      
         678                  return ret;
         679
         680          if (cmd == MPTFWDOWNLOAD)
         681                  ret = mptctl_fw_download(arg);
                                                       ^^^
      Then the user memory changes and we look up "iocp" again but a different
      one so now we are holding the incorrect lock and have a race condition.
      
         682          else if (cmd == MPTCOMMAND)
         683                  ret = mptctl_mpt_command(arg);
      
      The security impact of this bug is not as bad as it could have been
      because these operations are all privileged and root already has
      enormous destructive power.  But it's still worth fixing.
      
      This patch passes the "iocp" pointer to the functions to avoid the
      second lookup.  That deletes 100 lines of code from the driver so
      it's a nice clean up as well.
      
      Link: https://lore.kernel.org/r/20200114123414.GA7957@kadam
      
      
      Reported-by: default avatarTom Hatskevich <tom2001tom.23@gmail.com>
      Reviewed-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      28d76df1
    • Long Li's avatar
      scsi: storvsc: Correctly set number of hardware queues for IDE disk · 7b571c19
      Long Li authored
      Commit 0ed88102 ("scsi: storvsc: setup 1:1 mapping between hardware
      queue and CPU queue") introduced a regression for disks attached to
      IDE. For these disks the host VSP only offers one VMBUS channel. Setting
      multiple queues can overload the VMBUS channel and result in performance
      drop for high queue depth workload on system with large number of CPUs.
      
      Fix it by leaving the number of hardware queues to 1 (default value) for
      IDE disks.
      
      Fixes: 0ed88102 ("scsi: storvsc: setup 1:1 mapping between hardware queue and CPU queue")
      Link: https://lore.kernel.org/r/1578960516-108228-1-git-send-email-longli@linuxonhyperv.com
      
      
      Reviewed-by: default avatarMing Lei <ming.lei@redhat.com>
      Signed-off-by: default avatarLong Li <longli@microsoft.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      7b571c19
    • Arnd Bergmann's avatar
      scsi: fnic: fix invalid stack access · 42ec15ce
      Arnd Bergmann authored
      gcc -O3 warns that some local variables are not properly initialized:
      
      drivers/scsi/fnic/vnic_dev.c: In function 'fnic_dev_hang_notify':
      drivers/scsi/fnic/vnic_dev.c:511:16: error: 'a0' is used uninitialized in this function [-Werror=uninitialized]
        vdev->args[0] = *a0;
        ~~~~~~~~~~~~~~^~~~~
      drivers/scsi/fnic/vnic_dev.c:691:6: note: 'a0' was declared here
        u64 a0, a1;
            ^~
      drivers/scsi/fnic/vnic_dev.c:512:16: error: 'a1' is used uninitialized in this function [-Werror=uninitialized]
        vdev->args[1] = *a1;
        ~~~~~~~~~~~~~~^~~~~
      drivers/scsi/fnic/vnic_dev.c:691:10: note: 'a1' was declared here
        u64 a0, a1;
                ^~
      drivers/scsi/fnic/vnic_dev.c: In function 'fnic_dev_mac_addr':
      drivers/scsi/fnic/vnic_dev.c:512:16: error: 'a1' is used uninitialized in this function [-Werror=uninitialized]
        vdev->args[1] = *a1;
        ~~~~~~~~~~~~~~^~~~~
      drivers/scsi/fnic/vnic_dev.c:698:10: note: 'a1' was declared here
        u64 a0, a1;
                ^~
      
      Apparently the code relies on the local variables occupying adjacent memory
      locations in the same order, but this is of course not guaranteed.
      
      Use an array of two u64 variables where needed to make it work correctly.
      
      I suspect there is also an endianness bug here, but have not digged in deep
      enough to be sure.
      
      Fixes: 5df6d737 ("[SCSI] fnic: Add new Cisco PCI-Express FCoE HBA")
      Fixes: mmtom ("init/Kconfig: enable -O3 for all arches")
      Cc: stable@vger.kernel.org
      Link: https://lore.kernel.org/r/20200107201602.4096790-1-arnd@arndb.de
      
      
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      42ec15ce
  2. Jan 10, 2020
  3. Dec 20, 2019
  4. Dec 17, 2019
    • Arnd Bergmann's avatar
      scsi: lpfc: fix build failure with DEBUGFS disabled · 201743b9
      Arnd Bergmann authored
      A recent change appears to have moved an #endif by accident:
      
      drivers/scsi/lpfc/lpfc_debugfs.c:5393:18: error: 'lpfc_debugfs_dumpHBASlim_open' undeclared here (not in a function); did you mean 'lpfc_debugfs_op_dumpHBASlim'?
      drivers/scsi/lpfc/lpfc_debugfs.c:5394:18: error: 'lpfc_debugfs_lseek' undeclared here (not in a function); did you mean 'lpfc_debugfs_nvme_trc'?
      drivers/scsi/lpfc/lpfc_debugfs.c:5395:18: error: 'lpfc_debugfs_read' undeclared here (not in a function); did you mean 'lpfc_debug_dump_q'?
      drivers/scsi/lpfc/lpfc_debugfs.c:5396:18: error: 'lpfc_debugfs_release' undeclared here (not in a function); did you mean 'lpfc_debugfs_terminate'?
      drivers/scsi/lpfc/lpfc_debugfs.c:5402:18: error: 'lpfc_debugfs_dumpHostSlim_open' undeclared here (not in a function); did you mean 'lpfc_debugfs_op_dumpHostSlim'?
      
      Move it back to where it was previously.
      
      Fixes: 95bfc6d8 ("scsi: lpfc: Make FW logging dynamically configurable")
      Link: https://lore.kernel.org/r/20191216131701.3125077-1-arnd@arndb.de
      
      
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Reviewed-by: default avatarJames Smart <james.smart@broadcom.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      201743b9
    • Dan Carpenter's avatar
      scsi: mpt3sas: Fix double free in attach error handling · ee560e7b
      Dan Carpenter authored
      The caller also calls _base_release_memory_pools() on error so it leads to
      a number of double frees:
      
      drivers/scsi/mpt3sas/mpt3sas_base.c:7207 mpt3sas_base_attach() warn: 'ioc->chain_dma_pool' double freed
      drivers/scsi/mpt3sas/mpt3sas_base.c:7207 mpt3sas_base_attach() warn: 'ioc->hpr_lookup' double freed
      drivers/scsi/mpt3sas/mpt3sas_base.c:7207 mpt3sas_base_attach() warn: 'ioc->internal_lookup' double freed
      drivers/scsi/mpt3sas/mpt3sas_base.c:7207 mpt3sas_base_attach() warn: 'ioc->pcie_sgl_dma_pool' double freed
      drivers/scsi/mpt3sas/mpt3sas_base.c:7207 mpt3sas_base_attach() warn: 'ioc->reply_dma_pool' double freed
      drivers/scsi/mpt3sas/mpt3sas_base.c:7207 mpt3sas_base_attach() warn: 'ioc->reply_free_dma_pool' double freed
      drivers/scsi/mpt3sas/mpt3sas_base.c:7207 mpt3sas_base_attach() warn: 'ioc->reply_post_free_array_dma_pool' double freed
      drivers/scsi/mpt3sas/mpt3sas_base.c:7207 mpt3sas_base_attach() warn: 'ioc->reply_post_free_dma_pool' double freed
      drivers/scsi/mpt3sas/mpt3sas_base.c:7207 mpt3sas_base_attach() warn: 'ioc->sense_dma_pool' double freed
      
      Fixes: 74522a92 ("scsi: mpt3sas: Optimize I/O memory consumption in driver.")
      Link: https://lore.kernel.org/r/20191203093652.gyntgvnkw2udatyc@kili.mountain
      
      
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Acked-by: default avatarSreekanth Reddy <sreekanth.reddy@broadcom.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      ee560e7b
  5. Dec 10, 2019
  6. Dec 09, 2019
    • Linus Torvalds's avatar
      Linux 5.5-rc1 · e42617b8
      Linus Torvalds authored
      v5.5-rc1
      e42617b8
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 95e6ba51
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) More jumbo frame fixes in r8169, from Heiner Kallweit.
      
       2) Fix bpf build in minimal configuration, from Alexei Starovoitov.
      
       3) Use after free in slcan driver, from Jouni Hogander.
      
       4) Flower classifier port ranges don't work properly in the HW offload
          case, from Yoshiki Komachi.
      
       5) Use after free in hns3_nic_maybe_stop_tx(), from Yunsheng Lin.
      
       6) Out of bounds access in mqprio_dump(), from Vladyslav Tarasiuk.
      
       7) Fix flow dissection in dsa TX path, from Alexander Lobakin.
      
       8) Stale syncookie timestampe fixes from Guillaume Nault.
      
      [ Did an evil merge to silence a warning introduced by this pull - Linus ]
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (84 commits)
        r8169: fix rtl_hw_jumbo_disable for RTL8168evl
        net_sched: validate TCA_KIND attribute in tc_chain_tmplt_add()
        r8169: add missing RX enabling for WoL on RTL8125
        vhost/vsock: accept only packets with the right dst_cid
        net: phy: dp83867: fix hfs boot in rgmii mode
        net: ethernet: ti: cpsw: fix extra rx interrupt
        inet: protect against too small mtu values.
        gre: refetch erspan header from skb->data after pskb_may_pull()
        pppoe: remove redundant BUG_ON() check in pppoe_pernet
        tcp: Protect accesses to .ts_recent_stamp with {READ,WRITE}_ONCE()
        tcp: tighten acceptance of ACKs not matching a child socket
        tcp: fix rejected syncookies due to stale timestamps
        lpc_eth: kernel BUG on remove
        tcp: md5: fix potential overestimation of TCP option space
        net: sched: allow indirect blocks to bind to clsact in TC
        net: core: rename indirect block ingress cb function
        net-sysfs: Call dev_hold always in netdev_queue_add_kobject
        net: dsa: fix flow dissection on Tx path
        net/tls: Fix return values to avoid ENOTSUPP
        net: avoid an indirect call in ____sys_recvmsg()
        ...
      95e6ba51
    • Linus Torvalds's avatar
      Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 138f371d
      Linus Torvalds authored
      Pull more SCSI updates from James Bottomley:
       "Eleven patches, all in drivers (no core changes) that are either minor
        cleanups or small fixes.
      
        They were late arriving, but still safe for -rc1"
      
      * tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: MAINTAINERS: Add the linux-scsi mailing list to the ISCSI entry
        scsi: megaraid_sas: Make poll_aen_lock static
        scsi: sd_zbc: Improve report zones error printout
        scsi: qla2xxx: Fix qla2x00_request_irqs() for MSI
        scsi: qla2xxx: unregister ports after GPN_FT failure
        scsi: qla2xxx: fix rports not being mark as lost in sync fabric scan
        scsi: pm80xx: Remove unused include of linux/version.h
        scsi: pm80xx: fix logic to break out of loop when register value is 2 or 3
        scsi: scsi_transport_sas: Fix memory leak when removing devices
        scsi: lpfc: size cpu map by last cpu id set
        scsi: ibmvscsi_tgt: Remove unneeded variable rc
      138f371d
    • Linus Torvalds's avatar
      Merge tag '5.5-rc-smb3-fixes-part2' of git://git.samba.org/sfrench/cifs-2.6 · a78f7cdd
      Linus Torvalds authored
      Pull cifs fixes from Steve French:
       "Nine cifs/smb3 fixes:
      
         - one fix for stable (oops during oplock break)
      
         - two timestamp fixes including important one for updating mtime at
           close to avoid stale metadata caching issue on dirty files (also
           improves perf by using SMB2_CLOSE_FLAG_POSTQUERY_ATTRIB over the
           wire)
      
         - two fixes for "modefromsid" mount option for file create (now
           allows mode bits to be set more atomically and accurately on create
           by adding "sd_context" on create when modefromsid specified on
           mount)
      
         - two fixes for multichannel found in testing this week against
           different servers
      
         - two small cleanup patches"
      
      * tag '5.5-rc-smb3-fixes-part2' of git://git.samba.org/sfrench/cifs-2.6:
        smb3: improve check for when we send the security descriptor context on create
        smb3: fix mode passed in on create for modetosid mount option
        cifs: fix possible uninitialized access and race on iface_list
        cifs: Fix lookup of SMB connections on multichannel
        smb3: query attributes on file close
        smb3: remove unused flag passed into close functions
        cifs: remove redundant assignment to pointer pneg_ctxt
        fs: cifs: Fix atime update check vs mtime
        CIFS: Fix NULL-pointer dereference in smb2_push_mandatory_locks
      a78f7cdd
    • Linus Torvalds's avatar
      Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · 5bf9a06a
      Linus Torvalds authored
      Pull misc vfs cleanups from Al Viro:
       "No common topic, just three cleanups".
      
      * 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        make __d_alloc() static
        fs/namespace: add __user to open_tree and move_mount syscalls
        fs/fnctl: fix missing __user in fcntl_rw_hint()
      5bf9a06a
  7. Dec 08, 2019