5.15-stable patches

added patches:
	scsi-core-raid_class-remove-raid_component_add.patch
	scsi-snic-fix-double-free-in-snic_tgt_create.patch

diff --git a/queue-5.15/scsi-core-raid_class-remove-raid_component_add.patch b/queue-5.15/scsi-core-raid_class-remove-raid_component_add.patch
new file mode 100644 (file)
index 0000000..1f42945
--- /dev/null
+++ b/queue-5.15/scsi-core-raid_class-remove-raid_component_add.patch
@@ -0,0 +1,92 @@
+From 60c5fd2e8f3c42a5abc565ba9876ead1da5ad2b7 Mon Sep 17 00:00:00 2001
+From: Zhu Wang <wangzhu9@huawei.com>
+Date: Tue, 22 Aug 2023 01:52:54 +0000
+Subject: scsi: core: raid_class: Remove raid_component_add()
+
+From: Zhu Wang <wangzhu9@huawei.com>
+
+commit 60c5fd2e8f3c42a5abc565ba9876ead1da5ad2b7 upstream.
+
+The raid_component_add() function was added to the kernel tree via patch
+"[SCSI] embryonic RAID class" (2005). Remove this function since it never
+has had any callers in the Linux kernel. And also raid_component_release()
+is only used in raid_component_add(), so it is also removed.
+
+Signed-off-by: Zhu Wang <wangzhu9@huawei.com>
+Link: https://lore.kernel.org/r/20230822015254.184270-1-wangzhu9@huawei.com
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Fixes: 04b5b5cb0136 ("scsi: core: Fix possible memory leak if device_add() fails")
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/raid_class.c  |   48 ---------------------------------------------
+ include/linux/raid_class.h |    4 ---
+ 2 files changed, 52 deletions(-)
+
+--- a/drivers/scsi/raid_class.c
++++ b/drivers/scsi/raid_class.c
+@@ -209,54 +209,6 @@ raid_attr_ro_state(level);
+ raid_attr_ro_fn(resync);
+ raid_attr_ro_state_fn(state);
+ 
+-static void raid_component_release(struct device *dev)
+-{
+-      struct raid_component *rc =
+-              container_of(dev, struct raid_component, dev);
+-      dev_printk(KERN_ERR, rc->dev.parent, "COMPONENT RELEASE\n");
+-      put_device(rc->dev.parent);
+-      kfree(rc);
+-}
+-
+-int raid_component_add(struct raid_template *r,struct device *raid_dev,
+-                     struct device *component_dev)
+-{
+-      struct device *cdev =
+-              attribute_container_find_class_device(&r->raid_attrs.ac,
+-                                                    raid_dev);
+-      struct raid_component *rc;
+-      struct raid_data *rd = dev_get_drvdata(cdev);
+-      int err;
+-
+-      rc = kzalloc(sizeof(*rc), GFP_KERNEL);
+-      if (!rc)
+-              return -ENOMEM;
+-
+-      INIT_LIST_HEAD(&rc->node);
+-      device_initialize(&rc->dev);
+-      rc->dev.release = raid_component_release;
+-      rc->dev.parent = get_device(component_dev);
+-      rc->num = rd->component_count++;
+-
+-      dev_set_name(&rc->dev, "component-%d", rc->num);
+-      list_add_tail(&rc->node, &rd->component_list);
+-      rc->dev.class = &raid_class.class;
+-      err = device_add(&rc->dev);
+-      if (err)
+-              goto err_out;
+-
+-      return 0;
+-
+-err_out:
+-      put_device(&rc->dev);
+-      list_del(&rc->node);
+-      rd->component_count--;
+-      put_device(component_dev);
+-      kfree(rc);
+-      return err;
+-}
+-EXPORT_SYMBOL(raid_component_add);
+-
+ struct raid_template *
+ raid_class_attach(struct raid_function_template *ft)
+ {
+--- a/include/linux/raid_class.h
++++ b/include/linux/raid_class.h
+@@ -77,7 +77,3 @@ DEFINE_RAID_ATTRIBUTE(enum raid_state, s
+       
+ struct raid_template *raid_class_attach(struct raid_function_template *);
+ void raid_class_release(struct raid_template *);
+-
+-int __must_check raid_component_add(struct raid_template *, struct device *,
+-                                  struct device *);
+-

diff --git a/queue-5.15/scsi-snic-fix-double-free-in-snic_tgt_create.patch b/queue-5.15/scsi-snic-fix-double-free-in-snic_tgt_create.patch
new file mode 100644 (file)
index 0000000..f93ff9c
--- /dev/null
+++ b/queue-5.15/scsi-snic-fix-double-free-in-snic_tgt_create.patch
@@ -0,0 +1,41 @@
+From 1bd3a76880b2bce017987cf53780b372cf59528e Mon Sep 17 00:00:00 2001
+From: Zhu Wang <wangzhu9@huawei.com>
+Date: Sat, 19 Aug 2023 08:39:41 +0000
+Subject: scsi: snic: Fix double free in snic_tgt_create()
+
+From: Zhu Wang <wangzhu9@huawei.com>
+
+commit 1bd3a76880b2bce017987cf53780b372cf59528e upstream.
+
+Commit 41320b18a0e0 ("scsi: snic: Fix possible memory leak if device_add()
+fails") fixed the memory leak caused by dev_set_name() when device_add()
+failed. However, it did not consider that 'tgt' has already been released
+when put_device(&tgt->dev) is called. Remove kfree(tgt) in the error path
+to avoid double free of 'tgt' and move put_device(&tgt->dev) after the
+removed kfree(tgt) to avoid a use-after-free.
+
+Fixes: 41320b18a0e0 ("scsi: snic: Fix possible memory leak if device_add() fails")
+Signed-off-by: Zhu Wang <wangzhu9@huawei.com>
+Link: https://lore.kernel.org/r/20230819083941.164365-1-wangzhu9@huawei.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/snic/snic_disc.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/scsi/snic/snic_disc.c
++++ b/drivers/scsi/snic/snic_disc.c
+@@ -317,12 +317,11 @@ snic_tgt_create(struct snic *snic, struc
+                             "Snic Tgt: device_add, with err = %d\n",
+                             ret);
+ 
+-              put_device(&tgt->dev);
+               put_device(&snic->shost->shost_gendev);
+               spin_lock_irqsave(snic->shost->host_lock, flags);
+               list_del(&tgt->list);
+               spin_unlock_irqrestore(snic->shost->host_lock, flags);
+-              kfree(tgt);
++              put_device(&tgt->dev);
+               tgt = NULL;
+ 
+               return tgt;

diff --git a/queue-5.15/series b/queue-5.15/series
index 930ebb9bfd8ad00e58a0b1ddbd9c0f5f7cb56abf..f5eddbefd02e6a41496244c678a8641e4315a6b5 100644 (file)
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -81,3 +81,5 @@ sched-deadline-create-dl-bw-alloc-free-check-overflow-interface.patch
 cgroup-cpuset-free-dl-bw-in-case-can_attach-fails.patch
 drm-i915-fix-premature-release-of-request-s-reusable-memory.patch
 can-raw-add-missing-refcount-for-memory-leak-fix.patch
+scsi-snic-fix-double-free-in-snic_tgt_create.patch
+scsi-core-raid_class-remove-raid_component_add.patch