From: Greg Kroah-Hartman Date: Sun, 13 Aug 2023 20:44:40 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v4.14.323~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0ca32a0bc2f59c3c153c0b1ca851d321c6b04e83;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: alpha-remove-__init-annotation-from-exported-page_is_ram.patch sch_netem-fix-issues-in-netem_change-vs-get_dist_table.patch scsi-53c700-check-that-command-slot-is-not-null.patch scsi-core-fix-legacy-proc-parsing-buffer-overflow.patch scsi-core-fix-possible-memory-leak-if-device_add-fails.patch scsi-snic-fix-possible-memory-leak-if-device_add-fails.patch scsi-storvsc-fix-handling-of-virtual-fibre-channel-timeouts.patch --- diff --git a/queue-5.4/alpha-remove-__init-annotation-from-exported-page_is_ram.patch b/queue-5.4/alpha-remove-__init-annotation-from-exported-page_is_ram.patch new file mode 100644 index 00000000000..7cfc282b615 --- /dev/null +++ b/queue-5.4/alpha-remove-__init-annotation-from-exported-page_is_ram.patch @@ -0,0 +1,40 @@ +From 6ccbd7fd474674654019a20177c943359469103a Mon Sep 17 00:00:00 2001 +From: Masahiro Yamada +Date: Sat, 29 Jul 2023 16:42:23 +0900 +Subject: alpha: remove __init annotation from exported page_is_ram() + +From: Masahiro Yamada + +commit 6ccbd7fd474674654019a20177c943359469103a upstream. + +EXPORT_SYMBOL and __init is a bad combination because the .init.text +section is freed up after the initialization. + +Commit c5a130325f13 ("ACPI/APEI: Add parameter check before error +injection") exported page_is_ram(), hence the __init annotation should +be removed. + +This fixes the modpost warning in ARCH=alpha builds: + + WARNING: modpost: vmlinux: page_is_ram: EXPORT_SYMBOL used for init symbol. Remove __init or EXPORT_SYMBOL. + +Fixes: c5a130325f13 ("ACPI/APEI: Add parameter check before error injection") +Signed-off-by: Masahiro Yamada +Reviewed-by: Randy Dunlap +Signed-off-by: Greg Kroah-Hartman +--- + arch/alpha/kernel/setup.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/arch/alpha/kernel/setup.c ++++ b/arch/alpha/kernel/setup.c +@@ -394,8 +394,7 @@ setup_memory(void *kernel_end) + extern void setup_memory(void *); + #endif /* !CONFIG_DISCONTIGMEM */ + +-int __init +-page_is_ram(unsigned long pfn) ++int page_is_ram(unsigned long pfn) + { + struct memclust_struct * cluster; + struct memdesc_struct * memdesc; diff --git a/queue-5.4/sch_netem-fix-issues-in-netem_change-vs-get_dist_table.patch b/queue-5.4/sch_netem-fix-issues-in-netem_change-vs-get_dist_table.patch new file mode 100644 index 00000000000..e062fbafe3c --- /dev/null +++ b/queue-5.4/sch_netem-fix-issues-in-netem_change-vs-get_dist_table.patch @@ -0,0 +1,148 @@ +From 11b73313c12403f617b47752db0ab3deef201af7 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 22 Jun 2023 18:15:03 +0000 +Subject: sch_netem: fix issues in netem_change() vs get_dist_table() + +From: Eric Dumazet + +commit 11b73313c12403f617b47752db0ab3deef201af7 upstream. + +In blamed commit, I missed that get_dist_table() was allocating +memory using GFP_KERNEL, and acquiring qdisc lock to perform +the swap of newly allocated table with current one. + +In this patch, get_dist_table() is allocating memory and +copy user data before we acquire the qdisc lock. + +Then we perform swap operations while being protected by the lock. + +Note that after this patch netem_change() no longer can do partial changes. +If an error is returned, qdisc conf is left unchanged. + +Fixes: 2174a08db80d ("sch_netem: acquire qdisc lock in netem_change()") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Stephen Hemminger +Acked-by: Jamal Hadi Salim +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230622181503.2327695-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Fedor Pchelkin +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_netem.c | 59 +++++++++++++++++++++----------------------------- + 1 file changed, 25 insertions(+), 34 deletions(-) + +--- a/net/sched/sch_netem.c ++++ b/net/sched/sch_netem.c +@@ -773,12 +773,10 @@ static void dist_free(struct disttable * + * signed 16 bit values. + */ + +-static int get_dist_table(struct Qdisc *sch, struct disttable **tbl, +- const struct nlattr *attr) ++static int get_dist_table(struct disttable **tbl, const struct nlattr *attr) + { + size_t n = nla_len(attr)/sizeof(__s16); + const __s16 *data = nla_data(attr); +- spinlock_t *root_lock; + struct disttable *d; + int i; + +@@ -793,13 +791,7 @@ static int get_dist_table(struct Qdisc * + for (i = 0; i < n; i++) + d->table[i] = data[i]; + +- root_lock = qdisc_root_sleeping_lock(sch); +- +- spin_lock_bh(root_lock); +- swap(*tbl, d); +- spin_unlock_bh(root_lock); +- +- dist_free(d); ++ *tbl = d; + return 0; + } + +@@ -956,6 +948,8 @@ static int netem_change(struct Qdisc *sc + { + struct netem_sched_data *q = qdisc_priv(sch); + struct nlattr *tb[TCA_NETEM_MAX + 1]; ++ struct disttable *delay_dist = NULL; ++ struct disttable *slot_dist = NULL; + struct tc_netem_qopt *qopt; + struct clgstate old_clg; + int old_loss_model = CLG_RANDOM; +@@ -969,6 +963,18 @@ static int netem_change(struct Qdisc *sc + if (ret < 0) + return ret; + ++ if (tb[TCA_NETEM_DELAY_DIST]) { ++ ret = get_dist_table(&delay_dist, tb[TCA_NETEM_DELAY_DIST]); ++ if (ret) ++ goto table_free; ++ } ++ ++ if (tb[TCA_NETEM_SLOT_DIST]) { ++ ret = get_dist_table(&slot_dist, tb[TCA_NETEM_SLOT_DIST]); ++ if (ret) ++ goto table_free; ++ } ++ + sch_tree_lock(sch); + /* backup q->clg and q->loss_model */ + old_clg = q->clg; +@@ -978,26 +984,17 @@ static int netem_change(struct Qdisc *sc + ret = get_loss_clg(q, tb[TCA_NETEM_LOSS]); + if (ret) { + q->loss_model = old_loss_model; ++ q->clg = old_clg; + goto unlock; + } + } else { + q->loss_model = CLG_RANDOM; + } + +- if (tb[TCA_NETEM_DELAY_DIST]) { +- ret = get_dist_table(sch, &q->delay_dist, +- tb[TCA_NETEM_DELAY_DIST]); +- if (ret) +- goto get_table_failure; +- } +- +- if (tb[TCA_NETEM_SLOT_DIST]) { +- ret = get_dist_table(sch, &q->slot_dist, +- tb[TCA_NETEM_SLOT_DIST]); +- if (ret) +- goto get_table_failure; +- } +- ++ if (delay_dist) ++ swap(q->delay_dist, delay_dist); ++ if (slot_dist) ++ swap(q->slot_dist, slot_dist); + sch->limit = qopt->limit; + + q->latency = PSCHED_TICKS2NS(qopt->latency); +@@ -1047,17 +1044,11 @@ static int netem_change(struct Qdisc *sc + + unlock: + sch_tree_unlock(sch); +- return ret; + +-get_table_failure: +- /* recover clg and loss_model, in case of +- * q->clg and q->loss_model were modified +- * in get_loss_clg() +- */ +- q->clg = old_clg; +- q->loss_model = old_loss_model; +- +- goto unlock; ++table_free: ++ dist_free(delay_dist); ++ dist_free(slot_dist); ++ return ret; + } + + static int netem_init(struct Qdisc *sch, struct nlattr *opt, diff --git a/queue-5.4/scsi-53c700-check-that-command-slot-is-not-null.patch b/queue-5.4/scsi-53c700-check-that-command-slot-is-not-null.patch new file mode 100644 index 00000000000..f7753eefa28 --- /dev/null +++ b/queue-5.4/scsi-53c700-check-that-command-slot-is-not-null.patch @@ -0,0 +1,36 @@ +From 8366d1f1249a0d0bba41d0bd1298d63e5d34c7f7 Mon Sep 17 00:00:00 2001 +From: Alexandra Diupina +Date: Fri, 28 Jul 2023 15:35:21 +0300 +Subject: scsi: 53c700: Check that command slot is not NULL + +From: Alexandra Diupina + +commit 8366d1f1249a0d0bba41d0bd1298d63e5d34c7f7 upstream. + +Add a check for the command slot value to avoid dereferencing a NULL +pointer. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Co-developed-by: Vladimir Telezhnikov +Signed-off-by: Vladimir Telezhnikov +Signed-off-by: Alexandra Diupina +Link: https://lore.kernel.org/r/20230728123521.18293-1-adiupina@astralinux.ru +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/53c700.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/53c700.c ++++ b/drivers/scsi/53c700.c +@@ -1581,7 +1581,7 @@ NCR_700_intr(int irq, void *dev_id) + printk("scsi%d (%d:%d) PHASE MISMATCH IN SEND MESSAGE %d remain, return %p[%04x], phase %s\n", host->host_no, pun, lun, count, (void *)temp, temp - hostdata->pScript, sbcl_to_string(NCR_700_readb(host, SBCL_REG))); + #endif + resume_offset = hostdata->pScript + Ent_SendMessagePhaseMismatch; +- } else if(dsp >= to32bit(&slot->pSG[0].ins) && ++ } else if (slot && dsp >= to32bit(&slot->pSG[0].ins) && + dsp <= to32bit(&slot->pSG[NCR_700_SG_SEGMENTS].ins)) { + int data_transfer = NCR_700_readl(host, DBC_REG) & 0xffffff; + int SGcount = (dsp - to32bit(&slot->pSG[0].ins))/sizeof(struct NCR_700_SG_List); diff --git a/queue-5.4/scsi-core-fix-legacy-proc-parsing-buffer-overflow.patch b/queue-5.4/scsi-core-fix-legacy-proc-parsing-buffer-overflow.patch new file mode 100644 index 00000000000..e4ad8d3a3bd --- /dev/null +++ b/queue-5.4/scsi-core-fix-legacy-proc-parsing-buffer-overflow.patch @@ -0,0 +1,106 @@ +From 9426d3cef5000824e5f24f80ed5f42fb935f2488 Mon Sep 17 00:00:00 2001 +From: Tony Battersby +Date: Mon, 24 Jul 2023 14:25:40 -0400 +Subject: scsi: core: Fix legacy /proc parsing buffer overflow + +From: Tony Battersby + +commit 9426d3cef5000824e5f24f80ed5f42fb935f2488 upstream. + +(lightly modified commit message mostly by Linus Torvalds) + +The parsing code for /proc/scsi/scsi is disgusting and broken. We should +have just used 'sscanf()' or something simple like that, but the logic may +actually predate our kernel sscanf library routine for all I know. It +certainly predates both git and BK histories. + +And we can't change it to be something sane like that now, because the +string matching at the start is done case-insensitively, and the separator +parsing between numbers isn't done at all, so *any* separator will work, +including a possible terminating NUL character. + +This interface is root-only, and entirely for legacy use, so there is +absolutely no point in trying to tighten up the parsing. Because any +separator has traditionally worked, it's entirely possible that people have +used random characters rather than the suggested space. + +So don't bother to try to pretty it up, and let's just make a minimal patch +that can be back-ported and we can forget about this whole sorry thing for +another two decades. + +Just make it at least not read past the end of the supplied data. + +Link: https://lore.kernel.org/linux-scsi/b570f5fe-cb7c-863a-6ed9-f6774c219b88@cybernetics.com/ +Cc: Linus Torvalds +Cc: Martin K Petersen +Cc: James Bottomley +Cc: Willy Tarreau +Cc: stable@kernel.org +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Tony Battersby +Signed-off-by: Martin K Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/scsi_proc.c | 30 +++++++++++++++++------------- + 1 file changed, 17 insertions(+), 13 deletions(-) + +--- a/drivers/scsi/scsi_proc.c ++++ b/drivers/scsi/scsi_proc.c +@@ -311,7 +311,7 @@ static ssize_t proc_scsi_write(struct fi + size_t length, loff_t *ppos) + { + int host, channel, id, lun; +- char *buffer, *p; ++ char *buffer, *end, *p; + int err; + + if (!buf || length > PAGE_SIZE) +@@ -326,10 +326,14 @@ static ssize_t proc_scsi_write(struct fi + goto out; + + err = -EINVAL; +- if (length < PAGE_SIZE) +- buffer[length] = '\0'; +- else if (buffer[PAGE_SIZE-1]) +- goto out; ++ if (length < PAGE_SIZE) { ++ end = buffer + length; ++ *end = '\0'; ++ } else { ++ end = buffer + PAGE_SIZE - 1; ++ if (*end) ++ goto out; ++ } + + /* + * Usage: echo "scsi add-single-device 0 1 2 3" >/proc/scsi/scsi +@@ -338,10 +342,10 @@ static ssize_t proc_scsi_write(struct fi + if (!strncmp("scsi add-single-device", buffer, 22)) { + p = buffer + 23; + +- host = simple_strtoul(p, &p, 0); +- channel = simple_strtoul(p + 1, &p, 0); +- id = simple_strtoul(p + 1, &p, 0); +- lun = simple_strtoul(p + 1, &p, 0); ++ host = (p < end) ? simple_strtoul(p, &p, 0) : 0; ++ channel = (p + 1 < end) ? simple_strtoul(p + 1, &p, 0) : 0; ++ id = (p + 1 < end) ? simple_strtoul(p + 1, &p, 0) : 0; ++ lun = (p + 1 < end) ? simple_strtoul(p + 1, &p, 0) : 0; + + err = scsi_add_single_device(host, channel, id, lun); + +@@ -352,10 +356,10 @@ static ssize_t proc_scsi_write(struct fi + } else if (!strncmp("scsi remove-single-device", buffer, 25)) { + p = buffer + 26; + +- host = simple_strtoul(p, &p, 0); +- channel = simple_strtoul(p + 1, &p, 0); +- id = simple_strtoul(p + 1, &p, 0); +- lun = simple_strtoul(p + 1, &p, 0); ++ host = (p < end) ? simple_strtoul(p, &p, 0) : 0; ++ channel = (p + 1 < end) ? simple_strtoul(p + 1, &p, 0) : 0; ++ id = (p + 1 < end) ? simple_strtoul(p + 1, &p, 0) : 0; ++ lun = (p + 1 < end) ? simple_strtoul(p + 1, &p, 0) : 0; + + err = scsi_remove_single_device(host, channel, id, lun); + } diff --git a/queue-5.4/scsi-core-fix-possible-memory-leak-if-device_add-fails.patch b/queue-5.4/scsi-core-fix-possible-memory-leak-if-device_add-fails.patch new file mode 100644 index 00000000000..eadcc32886b --- /dev/null +++ b/queue-5.4/scsi-core-fix-possible-memory-leak-if-device_add-fails.patch @@ -0,0 +1,34 @@ +From 04b5b5cb0136ce970333a9c6cec7e46adba1ea3a Mon Sep 17 00:00:00 2001 +From: Zhu Wang +Date: Thu, 3 Aug 2023 10:02:30 +0800 +Subject: scsi: core: Fix possible memory leak if device_add() fails + +From: Zhu Wang + +commit 04b5b5cb0136ce970333a9c6cec7e46adba1ea3a upstream. + +If device_add() returns error, the name allocated by dev_set_name() needs +be freed. As the comment of device_add() says, put_device() should be used +to decrease the reference count in the error path. So fix this by calling +put_device(), then the name can be freed in kobject_cleanp(). + +Fixes: ee959b00c335 ("SCSI: convert struct class_device to struct device") +Signed-off-by: Zhu Wang +Link: https://lore.kernel.org/r/20230803020230.226903-1-wangzhu9@huawei.com +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/raid_class.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/scsi/raid_class.c ++++ b/drivers/scsi/raid_class.c +@@ -248,6 +248,7 @@ int raid_component_add(struct raid_templ + return 0; + + err_out: ++ put_device(&rc->dev); + list_del(&rc->node); + rd->component_count--; + put_device(component_dev); diff --git a/queue-5.4/scsi-snic-fix-possible-memory-leak-if-device_add-fails.patch b/queue-5.4/scsi-snic-fix-possible-memory-leak-if-device_add-fails.patch new file mode 100644 index 00000000000..514c88e72a7 --- /dev/null +++ b/queue-5.4/scsi-snic-fix-possible-memory-leak-if-device_add-fails.patch @@ -0,0 +1,34 @@ +From 41320b18a0e0dfb236dba4edb9be12dba1878156 Mon Sep 17 00:00:00 2001 +From: Zhu Wang +Date: Tue, 1 Aug 2023 19:14:21 +0800 +Subject: scsi: snic: Fix possible memory leak if device_add() fails + +From: Zhu Wang + +commit 41320b18a0e0dfb236dba4edb9be12dba1878156 upstream. + +If device_add() returns error, the name allocated by dev_set_name() needs +be freed. As the comment of device_add() says, put_device() should be used +to give up the reference in the error path. So fix this by calling +put_device(), then the name can be freed in kobject_cleanp(). + +Fixes: c8806b6c9e82 ("snic: driver for Cisco SCSI HBA") +Signed-off-by: Zhu Wang +Acked-by: Narsimhulu Musini +Link: https://lore.kernel.org/r/20230801111421.63651-1-wangzhu9@huawei.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/snic/snic_disc.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/scsi/snic/snic_disc.c ++++ b/drivers/scsi/snic/snic_disc.c +@@ -317,6 +317,7 @@ snic_tgt_create(struct snic *snic, struc + "Snic Tgt: device_add, with err = %d\n", + ret); + ++ put_device(&tgt->dev); + put_device(&snic->shost->shost_gendev); + spin_lock_irqsave(snic->shost->host_lock, flags); + list_del(&tgt->list); diff --git a/queue-5.4/scsi-storvsc-fix-handling-of-virtual-fibre-channel-timeouts.patch b/queue-5.4/scsi-storvsc-fix-handling-of-virtual-fibre-channel-timeouts.patch new file mode 100644 index 00000000000..a5f534da5dd --- /dev/null +++ b/queue-5.4/scsi-storvsc-fix-handling-of-virtual-fibre-channel-timeouts.patch @@ -0,0 +1,62 @@ +From 175544ad48cbf56affeef2a679c6a4d4fb1e2881 Mon Sep 17 00:00:00 2001 +From: Michael Kelley +Date: Fri, 28 Jul 2023 21:59:24 -0700 +Subject: scsi: storvsc: Fix handling of virtual Fibre Channel timeouts + +From: Michael Kelley + +commit 175544ad48cbf56affeef2a679c6a4d4fb1e2881 upstream. + +Hyper-V provides the ability to connect Fibre Channel LUNs to the host +system and present them in a guest VM as a SCSI device. I/O to the vFC +device is handled by the storvsc driver. The storvsc driver includes a +partial integration with the FC transport implemented in the generic +portion of the Linux SCSI subsystem so that FC attributes can be displayed +in /sys. However, the partial integration means that some aspects of vFC +don't work properly. Unfortunately, a full and correct integration isn't +practical because of limitations in what Hyper-V provides to the guest. + +In particular, in the context of Hyper-V storvsc, the FC transport timeout +function fc_eh_timed_out() causes a kernel panic because it can't find the +rport and dereferences a NULL pointer. The original patch that added the +call from storvsc_eh_timed_out() to fc_eh_timed_out() is faulty in this +regard. + +In many cases a timeout is due to a transient condition, so the situation +can be improved by just continuing to wait like with other I/O requests +issued by storvsc, and avoiding the guaranteed panic. For a permanent +failure, continuing to wait may result in a hung thread instead of a panic, +which again may be better. + +So fix the panic by removing the storvsc call to fc_eh_timed_out(). This +allows storvsc to keep waiting for a response. The change has been tested +by users who experienced a panic in fc_eh_timed_out() due to transient +timeouts, and it solves their problem. + +In the future we may want to deprecate the vFC functionality in storvsc +since it can't be fully fixed. But it has current users for whom it is +working well enough, so it should probably stay for a while longer. + +Fixes: 3930d7309807 ("scsi: storvsc: use default I/O timeout handler for FC devices") +Cc: stable@vger.kernel.org +Signed-off-by: Michael Kelley +Link: https://lore.kernel.org/r/1690606764-79669-1-git-send-email-mikelley@microsoft.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/storvsc_drv.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/drivers/scsi/storvsc_drv.c ++++ b/drivers/scsi/storvsc_drv.c +@@ -1526,10 +1526,6 @@ static int storvsc_host_reset_handler(st + */ + static enum blk_eh_timer_return storvsc_eh_timed_out(struct scsi_cmnd *scmnd) + { +-#if IS_ENABLED(CONFIG_SCSI_FC_ATTRS) +- if (scmnd->device->host->transportt == fc_transport_template) +- return fc_eh_timed_out(scmnd); +-#endif + return BLK_EH_RESET_TIMER; + } + diff --git a/queue-5.4/series b/queue-5.4/series index 02c1cf1bd11..548708923a8 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -30,3 +30,10 @@ btrfs-set-cache_block_group_error-if-we-find-an-error.patch nvme-tcp-fix-potential-unbalanced-freeze-unfreeze.patch nvme-rdma-fix-potential-unbalanced-freeze-unfreeze.patch netfilter-nf_tables-report-use-refcount-overflow.patch +scsi-core-fix-legacy-proc-parsing-buffer-overflow.patch +scsi-storvsc-fix-handling-of-virtual-fibre-channel-timeouts.patch +scsi-53c700-check-that-command-slot-is-not-null.patch +scsi-snic-fix-possible-memory-leak-if-device_add-fails.patch +scsi-core-fix-possible-memory-leak-if-device_add-fails.patch +alpha-remove-__init-annotation-from-exported-page_is_ram.patch +sch_netem-fix-issues-in-netem_change-vs-get_dist_table.patch