git.ipfire.org Git - thirdparty/kernel/stable.git/commit
scsi: dpt_i2o: Remove broken pass-through ioctl (I2OUSERCMD)
author Ben Hutchings <benh@debian.org>
Sat, 27 May 2023 13:34:30 +0000 (15:34 +0200)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 9 Jun 2023 08:29:03 +0000 (10:29 +0200)
commit e2897f133acdb86ca1d16dc3001f7da623efa3d7
tree 6203f7ce438931c626d9837f0e910057967a016b
parent 56a4a9dc5ed11a8699c31c3d72a845365538d659

adpt_i2o_passthru() takes a user-provided message and passes it
through to the hardware with appropriate translation of addresses
and message IDs.  It has a number of bugs:

- When a message requires scatter/gather, it doesn't verify that the
  offset to the scatter/gather list is less than the message size.
- When a message requires scatter/gather, it overwrites the DMA
  addresses with the user-space virtual addresses before unmapping the
  DMA buffers.
- It reads the message from user memory multiple times.  This allows
  user-space to change the message and bypass validation.
- It assumes that the message is at least 4 words long, but doesn't
  check that.

I tried fixing these, but even the maintainer of the corresponding
user-space in Debian doesn't have the hardware any more.

Instead, remove the pass-through ioctl (I2OUSRCMD) and supporting
code.

There is no corresponding upstream commit, because this driver was
removed upstream.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Fixes: 67af2b060e02 ("[SCSI] dpt_i2o: move from virt_to_bus/bus_to_virt ...")
Signed-off-by: Ben Hutchings <benh@debian.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/scsi/dpt_i2o.c
drivers/scsi/dpti.h
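
Added example, not part of the commit or the driver: a user-space C model of the checks the commit message says adpt_i2o_passthru() lacked (reading the message from user memory only once, enforcing the 4-word minimum, and requiring the scatter/gather offset to lie inside the message). The header layout, `MAX_WORDS`, `struct user_mem`, `fetch()` and `snapshot_msg()` are assumptions made for illustration; `fetch()` stands in for `copy_from_user()`.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MIN_WORDS 4u   /* "at least 4 words long" from the commit message */
#define MAX_WORDS 32u  /* assumed maximum frame size, in 32-bit words */

/* Constructed stand-in for user memory. If flip is set, word 0 changes
 * right after the first read, as a racing user thread could make it. */
struct user_mem { uint32_t w[MAX_WORDS]; size_t mapped; int flip; uint32_t flip_to; };

/* Stand-in for copy_from_user(): the only place user memory is read. */
static int fetch(uint32_t *dst, struct user_mem *u, size_t off, size_t n)
{
    if (off + n > u->mapped)
        return -EFAULT;
    memcpy(dst, &u->w[off], n * sizeof(*dst));
    if (u->flip) { u->w[0] = u->flip_to; u->flip = 0; }
    return 0;
}

/* Assumed header layout (not given on the page): word 0 bits 31..16 hold
 * the message size in words, bits 7..4 the scatter/gather offset in words
 * (0 means no list). k must hold MAX_WORDS words.
 * Returns 0 and fills *sg_off, or a negative errno. */
int snapshot_msg(uint32_t *k, struct user_mem *u, uint32_t *sg_off)
{
    uint32_t size, sg;

    if (fetch(&k[0], u, 0, 1))          /* header word read exactly once */
        return -EFAULT;
    size = k[0] >> 16;
    sg = (k[0] >> 4) & 0xf;
    if (size < MIN_WORDS || size > MAX_WORDS)
        return -EINVAL;                 /* minimum and maximum length */
    if (sg != 0 && sg >= size)
        return -EINVAL;                 /* list must start inside message */
    if (fetch(&k[1], u, 1, size - 1))   /* rest copied once, word 0 kept */
        return -EFAULT;
    *sg_off = sg;                       /* all later use is of k[], never u */
    return 0;
}
```

Everything after `snapshot_msg()` returns works on the private copy `k`, so a later change to the user buffer cannot alter the size or offset that were validated.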