From: Greg Kroah-Hartman Date: Sun, 13 Aug 2023 20:43:32 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v4.14.323~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1e0334fcb60ecca9bd0e4a113a5eec492ceaf88c;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: alpha-remove-__init-annotation-from-exported-page_is_ram.patch scsi-53c700-check-that-command-slot-is-not-null.patch scsi-core-fix-legacy-proc-parsing-buffer-overflow.patch scsi-core-fix-possible-memory-leak-if-device_add-fails.patch scsi-snic-fix-possible-memory-leak-if-device_add-fails.patch scsi-storvsc-fix-handling-of-virtual-fibre-channel-timeouts.patch --- diff --git a/queue-4.14/alpha-remove-__init-annotation-from-exported-page_is_ram.patch b/queue-4.14/alpha-remove-__init-annotation-from-exported-page_is_ram.patch new file mode 100644 index 00000000000..1ebd102d6e2 --- /dev/null +++ b/queue-4.14/alpha-remove-__init-annotation-from-exported-page_is_ram.patch 
@@ -0,0 +1,40 @@ +From 6ccbd7fd474674654019a20177c943359469103a Mon Sep 17 00:00:00 2001 +From: Masahiro Yamada +Date: Sat, 29 Jul 2023 16:42:23 +0900 +Subject: alpha: remove __init annotation from exported page_is_ram() + +From: Masahiro Yamada + +commit 6ccbd7fd474674654019a20177c943359469103a upstream. + +EXPORT_SYMBOL and __init is a bad combination because the .init.text +section is freed up after the initialization. + +Commit c5a130325f13 ("ACPI/APEI: Add parameter check before error +injection") exported page_is_ram(), hence the __init annotation should +be removed. + +This fixes the modpost warning in ARCH=alpha builds: + + WARNING: modpost: vmlinux: page_is_ram: EXPORT_SYMBOL used for init symbol. Remove __init or EXPORT_SYMBOL. + +Fixes: c5a130325f13 ("ACPI/APEI: Add parameter check before error injection") +Signed-off-by: Masahiro Yamada +Reviewed-by: Randy Dunlap +Signed-off-by: Greg Kroah-Hartman +--- + arch/alpha/kernel/setup.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/arch/alpha/kernel/setup.c ++++ b/arch/alpha/kernel/setup.c +@@ -469,8 +469,7 @@ setup_memory(void *kernel_end) + extern void setup_memory(void *); + #endif /* !CONFIG_DISCONTIGMEM */ + +-int __init +-page_is_ram(unsigned long pfn) ++int page_is_ram(unsigned long pfn) + { + struct memclust_struct * cluster; + struct memdesc_struct * memdesc; diff --git a/queue-4.14/scsi-53c700-check-that-command-slot-is-not-null.patch b/queue-4.14/scsi-53c700-check-that-command-slot-is-not-null.patch new file mode 100644 index 00000000000..3ed1ff7d0a7 --- /dev/null +++ b/queue-4.14/scsi-53c700-check-that-command-slot-is-not-null.patch 
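Review bot: on the alpha page_is_ram() hunk above, the commit message undersells the consequence of the thing being fixed: with `EXPORT_SYMBOL` on an `__init` function, a module that calls `page_is_ram()` after boot jumps into `.init.text` that has already been freed and possibly reused, so this is a latent call into freed kernel text and not only a modpost warning, and that is worth saying in the backport description. Since the only change is dropping `int __init` in favour of `int page_is_ram(unsigned long pfn)`, please also confirm in the 4.14 tree that no header still declares `page_is_ram()` with an `__init` annotation and that the `memclust_struct`/`memdesc_struct` data it walks is not itself `__initdata`, otherwise the same after-init problem remains one level down.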
@@ -0,0 +1,36 @@ +From 8366d1f1249a0d0bba41d0bd1298d63e5d34c7f7 Mon Sep 17 00:00:00 2001 +From: Alexandra Diupina +Date: Fri, 28 Jul 2023 15:35:21 +0300 +Subject: scsi: 53c700: Check that command slot is not NULL + +From: Alexandra Diupina + +commit 8366d1f1249a0d0bba41d0bd1298d63e5d34c7f7 upstream. + +Add a check for the command slot value to avoid dereferencing a NULL +pointer. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Co-developed-by: Vladimir Telezhnikov +Signed-off-by: Vladimir Telezhnikov +Signed-off-by: Alexandra Diupina +Link: https://lore.kernel.org/r/20230728123521.18293-1-adiupina@astralinux.ru +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/53c700.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/53c700.c ++++ b/drivers/scsi/53c700.c +@@ -1594,7 +1594,7 @@ NCR_700_intr(int irq, void *dev_id) + printk("scsi%d (%d:%d) PHASE MISMATCH IN SEND MESSAGE %d remain, return %p[%04x], phase %s\n", host->host_no, pun, lun, count, (void *)temp, temp - hostdata->pScript, sbcl_to_string(NCR_700_readb(host, SBCL_REG))); + #endif + resume_offset = hostdata->pScript + Ent_SendMessagePhaseMismatch; +- } else if(dsp >= to32bit(&slot->pSG[0].ins) && ++ } else if (slot && dsp >= to32bit(&slot->pSG[0].ins) && + dsp <= to32bit(&slot->pSG[NCR_700_SG_SEGMENTS].ins)) { + int data_transfer = NCR_700_readl(host, DBC_REG) & 0xffffff; + int SGcount = (dsp - to32bit(&slot->pSG[0].ins))/sizeof(struct NCR_700_SG_List); diff --git a/queue-4.14/scsi-core-fix-legacy-proc-parsing-buffer-overflow.patch b/queue-4.14/scsi-core-fix-legacy-proc-parsing-buffer-overflow.patch new file mode 100644 index 00000000000..e4ad8d3a3bd --- /dev/null +++ b/queue-4.14/scsi-core-fix-legacy-proc-parsing-buffer-overflow.patch 
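Review bot: in the 53c700 hunk above, the `slot &&` guard on the `else if` at line 1597 turns a guaranteed NULL dereference into a silent fall-through to the next `else` branch, which lies outside the visible context, and the commit message never says how `slot` comes to be NULL in `NCR_700_intr()` on a phase-mismatch interrupt. Please state the condition in the commit message and confirm that the branch now reached when `slot` is NULL neither dereferences `slot` nor resumes the script at an address derived from it; if that path cannot handle the case, a `printk(KERN_ERR ...)` diagnostic here would be preferable to continuing silently. The whitespace change from `} else if(` to `} else if (` is unrelated to the fix, though it matches kernel style.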
@@ -0,0 +1,106 @@ +From 9426d3cef5000824e5f24f80ed5f42fb935f2488 Mon Sep 17 00:00:00 2001 +From: Tony Battersby +Date: Mon, 24 Jul 2023 14:25:40 -0400 +Subject: scsi: core: Fix legacy /proc parsing buffer overflow + +From: Tony Battersby + +commit 9426d3cef5000824e5f24f80ed5f42fb935f2488 upstream. + +(lightly modified commit message mostly by Linus Torvalds) + +The parsing code for /proc/scsi/scsi is disgusting and broken. We should +have just used 'sscanf()' or something simple like that, but the logic may +actually predate our kernel sscanf library routine for all I know. It +certainly predates both git and BK histories. + +And we can't change it to be something sane like that now, because the +string matching at the start is done case-insensitively, and the separator +parsing between numbers isn't done at all, so *any* separator will work, +including a possible terminating NUL character. + +This interface is root-only, and entirely for legacy use, so there is +absolutely no point in trying to tighten up the parsing. Because any +separator has traditionally worked, it's entirely possible that people have +used random characters rather than the suggested space. + +So don't bother to try to pretty it up, and let's just make a minimal patch +that can be back-ported and we can forget about this whole sorry thing for +another two decades. + +Just make it at least not read past the end of the supplied data. 
+ +Link: https://lore.kernel.org/linux-scsi/b570f5fe-cb7c-863a-6ed9-f6774c219b88@cybernetics.com/ +Cc: Linus Torvalds +Cc: Martin K Petersen +Cc: James Bottomley +Cc: Willy Tarreau +Cc: stable@kernel.org +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Tony Battersby +Signed-off-by: Martin K Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/scsi_proc.c | 30 +++++++++++++++++------------- + 1 file changed, 17 insertions(+), 13 deletions(-) + +--- a/drivers/scsi/scsi_proc.c ++++ b/drivers/scsi/scsi_proc.c +@@ -311,7 +311,7 @@ static ssize_t proc_scsi_write(struct fi + size_t length, loff_t *ppos) + { + int host, channel, id, lun; +- char *buffer, *p; ++ char *buffer, *end, *p; + int err; + + if (!buf || length > PAGE_SIZE) +@@ -326,10 +326,14 @@ static ssize_t proc_scsi_write(struct fi + goto out; + + err = -EINVAL; +- if (length < PAGE_SIZE) +- buffer[length] = '\0'; +- else if (buffer[PAGE_SIZE-1]) +- goto out; ++ if (length < PAGE_SIZE) { ++ end = buffer + length; ++ *end = '\0'; ++ } else { ++ end = buffer + PAGE_SIZE - 1; ++ if (*end) ++ goto out; ++ } + + /* + * Usage: echo "scsi add-single-device 0 1 2 3" >/proc/scsi/scsi +@@ -338,10 +342,10 @@ static ssize_t proc_scsi_write(struct fi + if (!strncmp("scsi add-single-device", buffer, 22)) { + p = buffer + 23; + +- host = simple_strtoul(p, &p, 0); +- channel = simple_strtoul(p + 1, &p, 0); +- id = simple_strtoul(p + 1, &p, 0); +- lun = simple_strtoul(p + 1, &p, 0); ++ host = (p < end) ? simple_strtoul(p, &p, 0) : 0; ++ channel = (p + 1 < end) ? simple_strtoul(p + 1, &p, 0) : 0; ++ id = (p + 1 < end) ? simple_strtoul(p + 1, &p, 0) : 0; ++ lun = (p + 1 < end) ? 
simple_strtoul(p + 1, &p, 0) : 0; + + err = scsi_add_single_device(host, channel, id, lun); + +@@ -352,10 +356,10 @@ static ssize_t proc_scsi_write(struct fi + } else if (!strncmp("scsi remove-single-device", buffer, 25)) { + p = buffer + 26; + +- host = simple_strtoul(p, &p, 0); +- channel = simple_strtoul(p + 1, &p, 0); +- id = simple_strtoul(p + 1, &p, 0); +- lun = simple_strtoul(p + 1, &p, 0); ++ host = (p < end) ? simple_strtoul(p, &p, 0) : 0; ++ channel = (p + 1 < end) ? simple_strtoul(p + 1, &p, 0) : 0; ++ id = (p + 1 < end) ? simple_strtoul(p + 1, &p, 0) : 0; ++ lun = (p + 1 < end) ? simple_strtoul(p + 1, &p, 0) : 0; + + err = scsi_remove_single_device(host, channel, id, lun); + } diff --git a/queue-4.14/scsi-core-fix-possible-memory-leak-if-device_add-fails.patch b/queue-4.14/scsi-core-fix-possible-memory-leak-if-device_add-fails.patch new file mode 100644 index 00000000000..eadcc32886b --- /dev/null +++ b/queue-4.14/scsi-core-fix-possible-memory-leak-if-device_add-fails.patch 
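Review bot: in the scsi_proc.c hunk at line 326, the `length == PAGE_SIZE` branch sets `end = buffer + PAGE_SIZE - 1` and rejects the write unless that last byte is already NUL, which is pre-existing behaviour; the new part is that `end` becomes the single source of truth for every bound check that follows, in both branches. The invariant the parser now relies on, `*end == '\0'` with no user byte at or beyond `end`, should be stated in a comment next to these assignments, because every `p + 1 < end` test below is only correct under it and a later change that touches only this branch could reopen the over-read.

Review bot: for the two parsing hunks (add-single-device at line 342 and remove-single-device at line 356) the fix is sound only because `simple_strtoul()` is entered with `p` or `p + 1` strictly below `end` and the NUL at `*end` stops it, so the old unbounded walk past the user data is gone. Two consequences deserve a line in the commit message: a field that is missing or lands at or past `end` now silently parses as 0 instead of returning `-EINVAL`, so `echo "scsi add-single-device 3" > /proc/scsi/scsi` targets host 3, channel 0, id 0, lun 0 (the "don't tighten the parsing" stance justifies this, but it should be stated), and after the first `simple_strtoul()` `p` may already equal `end`, so it is the `p + 1 < end` form, not `p < end`, that keeps the later calls in bounds. The four identical ternaries duplicated across both hunks would read better as a small helper, but for a stable back-port the duplication is acceptable.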
@@ -0,0 +1,34 @@ +From 04b5b5cb0136ce970333a9c6cec7e46adba1ea3a Mon Sep 17 00:00:00 2001 +From: Zhu Wang +Date: Thu, 3 Aug 2023 10:02:30 +0800 +Subject: scsi: core: Fix possible memory leak if device_add() fails + +From: Zhu Wang + +commit 04b5b5cb0136ce970333a9c6cec7e46adba1ea3a upstream. + +If device_add() returns error, the name allocated by dev_set_name() needs +be freed. As the comment of device_add() says, put_device() should be used +to decrease the reference count in the error path. So fix this by calling +put_device(), then the name can be freed in kobject_cleanp(). + +Fixes: ee959b00c335 ("SCSI: convert struct class_device to struct device") +Signed-off-by: Zhu Wang +Link: https://lore.kernel.org/r/20230803020230.226903-1-wangzhu9@huawei.com +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/raid_class.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/scsi/raid_class.c ++++ b/drivers/scsi/raid_class.c +@@ -248,6 +248,7 @@ int raid_component_add(struct raid_templ + return 0; + + err_out: ++ put_device(&rc->dev); + list_del(&rc->node); + rd->component_count--; + put_device(component_dev); diff --git a/queue-4.14/scsi-snic-fix-possible-memory-leak-if-device_add-fails.patch b/queue-4.14/scsi-snic-fix-possible-memory-leak-if-device_add-fails.patch new file mode 100644 index 00000000000..9ac5a57221d --- /dev/null +++ b/queue-4.14/scsi-snic-fix-possible-memory-leak-if-device_add-fails.patch 
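Review bot: in the raid_class.c hunk above, the new `put_device(&rc->dev)` is placed before `list_del(&rc->node)` and before the existing `put_device(component_dev)`, which looks like an ordering bug. The commit message's own reasoning is that this put drops the final reference so the kobject cleanup can free the name; but that same final put also runs the release callback of `rc->dev`, and if that callback frees the containing `rc` or drops the parent reference that the existing `put_device(component_dev)` already drops, then `list_del(&rc->node)` on the next line is a use-after-free and the parent is put twice, with any `kfree(rc)` later in `err_out` (outside the visible context) becoming a double free. Please move the `put_device(&rc->dev)` to after `list_del()` and the rest of the existing cleanup, and check what `rc->dev.release` already frees before this is picked up for stable.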
@@ -0,0 +1,34 @@ +From 41320b18a0e0dfb236dba4edb9be12dba1878156 Mon Sep 17 00:00:00 2001 +From: Zhu Wang +Date: Tue, 1 Aug 2023 19:14:21 +0800 +Subject: scsi: snic: Fix possible memory leak if device_add() fails + +From: Zhu Wang + +commit 41320b18a0e0dfb236dba4edb9be12dba1878156 upstream. + +If device_add() returns error, the name allocated by dev_set_name() needs +be freed. As the comment of device_add() says, put_device() should be used +to give up the reference in the error path. So fix this by calling +put_device(), then the name can be freed in kobject_cleanp(). + +Fixes: c8806b6c9e82 ("snic: driver for Cisco SCSI HBA") +Signed-off-by: Zhu Wang +Acked-by: Narsimhulu Musini +Link: https://lore.kernel.org/r/20230801111421.63651-1-wangzhu9@huawei.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/snic/snic_disc.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/scsi/snic/snic_disc.c ++++ b/drivers/scsi/snic/snic_disc.c +@@ -316,6 +316,7 @@ snic_tgt_create(struct snic *snic, struc + "Snic Tgt: device_add, with err = %d\n", + ret); + ++ put_device(&tgt->dev); + put_device(&snic->shost->shost_gendev); + spin_lock_irqsave(snic->shost->host_lock, flags); + list_del(&tgt->list); diff --git a/queue-4.14/scsi-storvsc-fix-handling-of-virtual-fibre-channel-timeouts.patch b/queue-4.14/scsi-storvsc-fix-handling-of-virtual-fibre-channel-timeouts.patch new file mode 100644 index 00000000000..6719c2080b1 --- /dev/null +++ b/queue-4.14/scsi-storvsc-fix-handling-of-virtual-fibre-channel-timeouts.patch 
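Review bot: same ordering concern as the raid_class change in this batch, in the snic_disc.c hunk at line 316: `put_device(&tgt->dev)` now runs before the `spin_lock_irqsave()`/`list_del(&tgt->list)` that unlinks the target. If that put drops the last reference, which is exactly what the commit message relies on to free the name, the release callback of `tgt->dev` runs while `tgt` is still on the list; if the callback frees `tgt`, the `list_del(&tgt->list)` a few lines later is a use-after-free, and any `kfree(tgt)` further down the same error path becomes a double free. The put should be issued after the list manipulation and the existing cleanup that follows it, and the release callback checked for what it frees, before this goes into 4.14.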
@@ -0,0 +1,62 @@ +From 175544ad48cbf56affeef2a679c6a4d4fb1e2881 Mon Sep 17 00:00:00 2001 +From: Michael Kelley +Date: Fri, 28 Jul 2023 21:59:24 -0700 +Subject: scsi: storvsc: Fix handling of virtual Fibre Channel timeouts + +From: Michael Kelley + +commit 175544ad48cbf56affeef2a679c6a4d4fb1e2881 upstream. + +Hyper-V provides the ability to connect Fibre Channel LUNs to the host +system and present them in a guest VM as a SCSI device. I/O to the vFC +device is handled by the storvsc driver. The storvsc driver includes a +partial integration with the FC transport implemented in the generic +portion of the Linux SCSI subsystem so that FC attributes can be displayed +in /sys. However, the partial integration means that some aspects of vFC +don't work properly. Unfortunately, a full and correct integration isn't +practical because of limitations in what Hyper-V provides to the guest. + +In particular, in the context of Hyper-V storvsc, the FC transport timeout +function fc_eh_timed_out() causes a kernel panic because it can't find the +rport and dereferences a NULL pointer. The original patch that added the +call from storvsc_eh_timed_out() to fc_eh_timed_out() is faulty in this +regard. + +In many cases a timeout is due to a transient condition, so the situation +can be improved by just continuing to wait like with other I/O requests +issued by storvsc, and avoiding the guaranteed panic. For a permanent +failure, continuing to wait may result in a hung thread instead of a panic, +which again may be better. + +So fix the panic by removing the storvsc call to fc_eh_timed_out(). This +allows storvsc to keep waiting for a response. The change has been tested +by users who experienced a panic in fc_eh_timed_out() due to transient +timeouts, and it solves their problem. + +In the future we may want to deprecate the vFC functionality in storvsc +since it can't be fully fixed. 
But it has current users for whom it is +working well enough, so it should probably stay for a while longer. + +Fixes: 3930d7309807 ("scsi: storvsc: use default I/O timeout handler for FC devices") +Cc: stable@vger.kernel.org +Signed-off-by: Michael Kelley +Link: https://lore.kernel.org/r/1690606764-79669-1-git-send-email-mikelley@microsoft.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/storvsc_drv.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/drivers/scsi/storvsc_drv.c ++++ b/drivers/scsi/storvsc_drv.c +@@ -1505,10 +1505,6 @@ static int storvsc_host_reset_handler(st + */ + static enum blk_eh_timer_return storvsc_eh_timed_out(struct scsi_cmnd *scmnd) + { +-#if IS_ENABLED(CONFIG_SCSI_FC_ATTRS) +- if (scmnd->device->host->transportt == fc_transport_template) +- return fc_eh_timed_out(scmnd); +-#endif + return BLK_EH_RESET_TIMER; + } + diff --git a/queue-4.14/series b/queue-4.14/series index 6f7259ed8ac..a2d819f7dad 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -18,3 +18,9 @@ drivers-net-prevent-tun_build_skb-to-exceed-the-packet-size-limit.patch ib-hfi1-fix-possible-panic-during-hotplug-remove.patch btrfs-don-t-stop-integrity-writeback-too-early.patch netfilter-nf_tables-report-use-refcount-overflow.patch +scsi-core-fix-legacy-proc-parsing-buffer-overflow.patch +scsi-storvsc-fix-handling-of-virtual-fibre-channel-timeouts.patch +scsi-53c700-check-that-command-slot-is-not-null.patch +scsi-snic-fix-possible-memory-leak-if-device_add-fails.patch +scsi-core-fix-possible-memory-leak-if-device_add-fails.patch +alpha-remove-__init-annotation-from-exported-page_is_ram.patch
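Review bot: after the storvsc_drv.c hunk above, `storvsc_eh_timed_out()` unconditionally returns `BLK_EH_RESET_TIMER`, so a command that never completes on a vFC device will never escalate to the SCSI error handler; the commit message accepts a hung thread as the lesser evil, but the function body no longer records why the FC transport path is bypassed. Please add a comment above the `return` stating that `fc_eh_timed_out()` must not be called here because the rport lookup inside it fails for storvsc's partial FC-transport integration and dereferences NULL, so a later cleanup does not reintroduce the call. With the `#if IS_ENABLED(CONFIG_SCSI_FC_ATTRS)` block gone this function no longer references `fc_transport_template`, so also confirm the 4.14 file still uses it elsewhere and that no unused-variable warning appears in builds without `CONFIG_SCSI_FC_ATTRS`.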