[thirdparty/kernel/stable-queue.git] / releases / 4.4.36 / fix-usb-cb-cbi-storage-devices-with-config_vmap_stack-y.patch

From 2ce9d2272b98743b911196c49e7af5841381c206 Mon Sep 17 00:00:00 2001
From: Petr Vandrovec <petr@vandrovec.name>
Date: Thu, 10 Nov 2016 13:57:14 -0800
Subject: Fix USB CB/CBI storage devices with CONFIG_VMAP_STACK=y

From: Petr Vandrovec <petr@vandrovec.name>

commit 2ce9d2272b98743b911196c49e7af5841381c206 upstream.

Some code (all error handling) submits CDBs that are allocated
on the stack.  This breaks with CB/CBI code that tries to create
URB directly from SCSI command buffer - which happens to be in
vmalloced memory with vmalloced kernel stacks.

Let's make copy of the command in usb_stor_CB_transport.

Signed-off-by: Petr Vandrovec <petr@vandrovec.name>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/storage/transport.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/usb/storage/transport.c
+++ b/drivers/usb/storage/transport.c
@@ -919,10 +919,15 @@ int usb_stor_CB_transport(struct scsi_cm
 
 	/* COMMAND STAGE */
 	/* let's send the command via the control pipe */
+	/*
+	 * Command is sometime (f.e. after scsi_eh_prep_cmnd) on the stack.
+	 * Stack may be vmallocated.  So no DMA for us.  Make a copy.
+	 */
+	memcpy(us->iobuf, srb->cmnd, srb->cmd_len);
 	result = usb_stor_ctrl_transfer(us, us->send_ctrl_pipe,
 				      US_CBI_ADSC, 
 				      USB_TYPE_CLASS | USB_RECIP_INTERFACE, 0, 
-				      us->ifnum, srb->cmnd, srb->cmd_len);
+				      us->ifnum, us->iobuf, srb->cmd_len);
 
 	/* check the return code for the command */
 	usb_stor_dbg(us, "Call to usb_stor_ctrl_transfer() returned %d\n",
Commit	Line	Data
9c6fd700 GKH	1	From 2ce9d2272b98743b911196c49e7af5841381c206 Mon Sep 17 00:00:00 2001
	2	From: Petr Vandrovec <petr@vandrovec.name>
	3	Date: Thu, 10 Nov 2016 13:57:14 -0800
	4	Subject: Fix USB CB/CBI storage devices with CONFIG_VMAP_STACK=y
	5
	6	From: Petr Vandrovec <petr@vandrovec.name>
	7
	8	commit 2ce9d2272b98743b911196c49e7af5841381c206 upstream.
	9
	10	Some code (all error handling) submits CDBs that are allocated
	11	on the stack. This breaks with CB/CBI code that tries to create
	12	URB directly from SCSI command buffer - which happens to be in
	13	vmalloced memory with vmalloced kernel stacks.
	14
	15	Let's make copy of the command in usb_stor_CB_transport.
	16
	17	Signed-off-by: Petr Vandrovec <petr@vandrovec.name>
	18	Acked-by: Alan Stern <stern@rowland.harvard.edu>
	19	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	20
	21	---
	22	drivers/usb/storage/transport.c \| 7 ++++++-
	23	1 file changed, 6 insertions(+), 1 deletion(-)
	24
	25	--- a/drivers/usb/storage/transport.c
	26	+++ b/drivers/usb/storage/transport.c
	27	@@ -919,10 +919,15 @@ int usb_stor_CB_transport(struct scsi_cm
	28
	29	/* COMMAND STAGE */
	30	/* let's send the command via the control pipe */
	31	+ /*
	32	+ * Command is sometime (f.e. after scsi_eh_prep_cmnd) on the stack.
	33	+ * Stack may be vmallocated. So no DMA for us. Make a copy.
	34	+ */
	35	+ memcpy(us->iobuf, srb->cmnd, srb->cmd_len);
	36	result = usb_stor_ctrl_transfer(us, us->send_ctrl_pipe,
	37	US_CBI_ADSC,
	38	USB_TYPE_CLASS \| USB_RECIP_INTERFACE, 0,
	39	- us->ifnum, srb->cmnd, srb->cmd_len);
	40	+ us->ifnum, us->iobuf, srb->cmd_len);
	41
	42	/* check the return code for the command */
	43	usb_stor_dbg(us, "Call to usb_stor_ctrl_transfer() returned %d\n",