From: Greg Kroah-Hartman
Date: Sat, 7 Nov 2015 00:42:15 +0000 (-0800)
Subject: 3.14-stable patches
X-Git-Tag: v3.10.93~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=103891e0d219dbed133d18ec3bd8457dc00fc595;p=thirdparty%2Fkernel%2Fstable-queue.git
3.14-stable patches added patches: vhost-scsi-potential-memory-corruption.patch
---
diff --git a/queue-3.14/series b/queue-3.14/series
index 67db6f34f50..299f5070153 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -34,3 +34,4 @@ md-raid5-fix-locking-in-handle_stripe_clean_event.patch
 serial-8250_pci-add-support-for-16-port-exar-boards.patch
 serial-8250_pci-add-support-for-12-port-exar-boards.patch
 xen-fix-backport-of-previous-kexec-patch.patch
+vhost-scsi-potential-memory-corruption.patch
diff --git a/queue-3.14/vhost-scsi-potential-memory-corruption.patch b/queue-3.14/vhost-scsi-potential-memory-corruption.patch
new file mode 100644
index 00000000000..663ec5ad55c
--- /dev/null
+++ b/queue-3.14/vhost-scsi-potential-memory-corruption.patch
@@ -0,0 +1,56 @@
+From 59c816c1f24df0204e01851431d3bab3eb76719c Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Thu, 5 Feb 2015 10:37:33 +0300
+Subject: vhost/scsi: potential memory corruption
+
+From: Dan Carpenter
+
+commit 59c816c1f24df0204e01851431d3bab3eb76719c upstream.
+
+This code in vhost_scsi_make_tpg() is confusing because we limit "tpgt"
+to UINT_MAX but the data type of "tpg->tport_tpgt" and that is a u16.
+
+I looked at the context and it turns out that in
+vhost_scsi_set_endpoint(), "tpg->tport_tpgt" is used as an offset into
+the vs_tpg[] array which has VHOST_SCSI_MAX_TARGET (256) elements so
+anything higher than 255 then it is invalid. I have made that the limit
+now.
+
+In vhost_scsi_send_evt() we mask away values higher than 255, but now
+that the limit has changed, we don't need the mask.
+
+Signed-off-by: Dan Carpenter
+Signed-off-by: Nicholas Bellinger
+Cc: Ray Yang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/vhost/scsi.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/vhost/scsi.c
++++ b/drivers/vhost/scsi.c
+@@ -1139,7 +1139,7 @@ tcm_vhost_send_evt(struct vhost_scsi *vs
+ * lun[4-7] need to be zero according to virtio-scsi spec.
+ */
+ evt->event.lun[0] = 0x01;
+- evt->event.lun[1] = tpg->tport_tpgt & 0xFF;
++ evt->event.lun[1] = tpg->tport_tpgt;
+ if (lun->unpacked_lun >= 256)
+ evt->event.lun[2] = lun->unpacked_lun >> 8 | 0x40 ;
+ evt->event.lun[3] = lun->unpacked_lun & 0xFF;
+@@ -2004,12 +2004,12 @@ tcm_vhost_make_tpg(struct se_wwn *wwn,
+ struct tcm_vhost_tport, tport_wwn);
+
+ struct tcm_vhost_tpg *tpg;
+- unsigned long tpgt;
++ u16 tpgt;
+ int ret;
+
+ if (strstr(name, "tpgt_") != name)
+ return ERR_PTR(-EINVAL);
+- if (kstrtoul(name + 5, 10, &tpgt) || tpgt > UINT_MAX)
++ if (kstrtou16(name + 5, 10, &tpgt) || tpgt >= VHOST_SCSI_MAX_TARGET)
+ return ERR_PTR(-EINVAL);
+
+ tpg = kzalloc(sizeof(struct tcm_vhost_tpg), GFP_KERNEL);
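Review bot: In the tcm_vhost_send_evt() hunk of the queued patch, `evt->event.lun[1] = tpg->tport_tpgt;` no longer masks the value and nothing at the assignment says why that is safe. The only visible bound is the `tpgt >= VHOST_SCSI_MAX_TARGET` rejection in tcm_vhost_make_tpg(), so I would add a comment above the assignment such as `/* tport_tpgt < VHOST_SCSI_MAX_TARGET, enforced in tcm_vhost_make_tpg() */`. According to the commit message the same bound protects the vs_tpg[] index in the set_endpoint path; that code is not in these hunks, so it is worth confirming on the 3.14 tree that tport_tpgt is assigned nowhere else. The message also names vhost_scsi_make_tpg() and vhost_scsi_send_evt() while the hunks touch tcm_vhost_make_tpg() and tcm_vhost_send_evt(), so a one-line backport note on the naming would help whoever audits this queue later. Both function bodies start and end outside the hunks.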