From: Greg Kroah-Hartman Date: Mon, 28 Aug 2023 06:33:53 +0000 (+0200) Subject: 6.4-stable patches X-Git-Tag: v6.4.13~10 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4b74f3dae280c58a6ebe90f33e202ae416e3d662;p=thirdparty%2Fkernel%2Fstable-queue.git 6.4-stable patches added patches: scsi-core-raid_class-remove-raid_component_add.patch scsi-snic-fix-double-free-in-snic_tgt_create.patch scsi-ufs-ufs-qcom-clear-qunipro_g4_sel-for-hw-major-version-5.patch --- diff --git a/queue-6.4/scsi-core-raid_class-remove-raid_component_add.patch b/queue-6.4/scsi-core-raid_class-remove-raid_component_add.patch new file mode 100644 index 00000000000..1f42945cd07 --- /dev/null +++ b/queue-6.4/scsi-core-raid_class-remove-raid_component_add.patch @@ -0,0 +1,92 @@ +From 60c5fd2e8f3c42a5abc565ba9876ead1da5ad2b7 Mon Sep 17 00:00:00 2001 +From: Zhu Wang +Date: Tue, 22 Aug 2023 01:52:54 +0000 +Subject: scsi: core: raid_class: Remove raid_component_add() + +From: Zhu Wang + +commit 60c5fd2e8f3c42a5abc565ba9876ead1da5ad2b7 upstream. + +The raid_component_add() function was added to the kernel tree via patch +"[SCSI] embryonic RAID class" (2005). Remove this function since it never +has had any callers in the Linux kernel. And also raid_component_release() +is only used in raid_component_add(), so it is also removed. + +Signed-off-by: Zhu Wang +Link: https://lore.kernel.org/r/20230822015254.184270-1-wangzhu9@huawei.com +Reviewed-by: Bart Van Assche +Fixes: 04b5b5cb0136 ("scsi: core: Fix possible memory leak if device_add() fails") +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/raid_class.c | 48 --------------------------------------------- + include/linux/raid_class.h | 4 --- + 2 files changed, 52 deletions(-) + +--- a/drivers/scsi/raid_class.c ++++ b/drivers/scsi/raid_class.c +@@ -209,54 +209,6 @@ raid_attr_ro_state(level); + raid_attr_ro_fn(resync); + raid_attr_ro_state_fn(state); + +-static void raid_component_release(struct device *dev) +-{ +- struct raid_component *rc = +- container_of(dev, struct raid_component, dev); +- dev_printk(KERN_ERR, rc->dev.parent, "COMPONENT RELEASE\n"); +- put_device(rc->dev.parent); +- kfree(rc); +-} +- +-int raid_component_add(struct raid_template *r,struct device *raid_dev, +- struct device *component_dev) +-{ +- struct device *cdev = +- attribute_container_find_class_device(&r->raid_attrs.ac, +- raid_dev); +- struct raid_component *rc; +- struct raid_data *rd = dev_get_drvdata(cdev); +- int err; +- +- rc = kzalloc(sizeof(*rc), GFP_KERNEL); +- if (!rc) +- return -ENOMEM; +- +- INIT_LIST_HEAD(&rc->node); +- device_initialize(&rc->dev); +- rc->dev.release = raid_component_release; +- rc->dev.parent = get_device(component_dev); +- rc->num = rd->component_count++; +- +- dev_set_name(&rc->dev, "component-%d", rc->num); +- list_add_tail(&rc->node, &rd->component_list); +- rc->dev.class = &raid_class.class; +- err = device_add(&rc->dev); +- if (err) +- goto err_out; +- +- return 0; +- +-err_out: +- put_device(&rc->dev); +- list_del(&rc->node); +- rd->component_count--; +- put_device(component_dev); +- kfree(rc); +- return err; +-} +-EXPORT_SYMBOL(raid_component_add); +- + struct raid_template * + raid_class_attach(struct raid_function_template *ft) + { +--- a/include/linux/raid_class.h ++++ b/include/linux/raid_class.h +@@ -77,7 +77,3 @@ DEFINE_RAID_ATTRIBUTE(enum raid_state, s + + struct raid_template *raid_class_attach(struct raid_function_template *); + void raid_class_release(struct raid_template *); +- +-int __must_check raid_component_add(struct raid_template *, struct device *, +- struct device *); +- diff --git a/queue-6.4/scsi-snic-fix-double-free-in-snic_tgt_create.patch b/queue-6.4/scsi-snic-fix-double-free-in-snic_tgt_create.patch new file mode 100644 index 00000000000..9b3dbf7e1bf --- /dev/null +++ b/queue-6.4/scsi-snic-fix-double-free-in-snic_tgt_create.patch @@ -0,0 +1,41 @@ +From 1bd3a76880b2bce017987cf53780b372cf59528e Mon Sep 17 00:00:00 2001 +From: Zhu Wang +Date: Sat, 19 Aug 2023 08:39:41 +0000 +Subject: scsi: snic: Fix double free in snic_tgt_create() + +From: Zhu Wang + +commit 1bd3a76880b2bce017987cf53780b372cf59528e upstream. + +Commit 41320b18a0e0 ("scsi: snic: Fix possible memory leak if device_add() +fails") fixed the memory leak caused by dev_set_name() when device_add() +failed. However, it did not consider that 'tgt' has already been released +when put_device(&tgt->dev) is called. Remove kfree(tgt) in the error path +to avoid double free of 'tgt' and move put_device(&tgt->dev) after the +removed kfree(tgt) to avoid a use-after-free. + +Fixes: 41320b18a0e0 ("scsi: snic: Fix possible memory leak if device_add() fails") +Signed-off-by: Zhu Wang +Link: https://lore.kernel.org/r/20230819083941.164365-1-wangzhu9@huawei.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/snic/snic_disc.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/scsi/snic/snic_disc.c ++++ b/drivers/scsi/snic/snic_disc.c +@@ -303,12 +303,11 @@ snic_tgt_create(struct snic *snic, struc + "Snic Tgt: device_add, with err = %d\n", + ret); + +- put_device(&tgt->dev); + put_device(&snic->shost->shost_gendev); + spin_lock_irqsave(snic->shost->host_lock, flags); + list_del(&tgt->list); + spin_unlock_irqrestore(snic->shost->host_lock, flags); +- kfree(tgt); ++ put_device(&tgt->dev); + tgt = NULL; + + return tgt; diff --git a/queue-6.4/scsi-ufs-ufs-qcom-clear-qunipro_g4_sel-for-hw-major-version-5.patch b/queue-6.4/scsi-ufs-ufs-qcom-clear-qunipro_g4_sel-for-hw-major-version-5.patch new file mode 100644 index 00000000000..37d25ef28d1 --- /dev/null +++ b/queue-6.4/scsi-ufs-ufs-qcom-clear-qunipro_g4_sel-for-hw-major-version-5.patch @@ -0,0 +1,35 @@ +From c422fbd5cb58c9a078172ae1e9750971b738a197 Mon Sep 17 00:00:00 2001 +From: Neil Armstrong +Date: Mon, 21 Aug 2023 14:11:21 +0200 +Subject: scsi: ufs: ufs-qcom: Clear qunipro_g4_sel for HW major version > 5 + +From: Neil Armstrong + +commit c422fbd5cb58c9a078172ae1e9750971b738a197 upstream. + +The qunipro_g4_sel clear is also needed for new platforms with major +version > 5. Fix the version check to take this into account. + +Fixes: 9c02aa24bf40 ("scsi: ufs: ufs-qcom: Clear qunipro_g4_sel for HW version major 5") +Acked-by: Manivannan Sadhasivam +Reviewed-by: Nitin Rawat +Signed-off-by: Neil Armstrong +Link: https://lore.kernel.org/r/20230821-topic-sm8x50-upstream-ufs-major-5-plus-v2-1-f42a4b712e58@linaro.org +Reviewed-by: "Bao D. Nguyen" +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ufs/host/ufs-qcom.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/ufs/host/ufs-qcom.c ++++ b/drivers/ufs/host/ufs-qcom.c +@@ -225,7 +225,7 @@ static void ufs_qcom_select_unipro_mode( + ufs_qcom_cap_qunipro(host) ? QUNIPRO_SEL : 0, + REG_UFS_CFG1); + +- if (host->hw_ver.major == 0x05) ++ if (host->hw_ver.major >= 0x05) + ufshcd_rmwl(host->hba, QUNIPRO_G4_SEL, 0, REG_UFS_CFG0); + + /* make sure above configuration is applied before we return */ diff --git a/queue-6.4/series b/queue-6.4/series index 1e3a4c01def..2d902e5d205 100644 --- a/queue-6.4/series +++ b/queue-6.4/series @@ -110,3 +110,6 @@ can-raw-add-missing-refcount-for-memory-leak-fix.patch drm-i915-fix-error-handling-if-driver-creation-fails-during-probe.patch madvise-madvise_cold_or_pageout_pte_range-don-t-use-mapcount-against-large-folio-for-sharing-check.patch madvise-madvise_free_pte_range-don-t-use-mapcount-against-large-folio-for-sharing-check.patch +scsi-snic-fix-double-free-in-snic_tgt_create.patch +scsi-ufs-ufs-qcom-clear-qunipro_g4_sel-for-hw-major-version-5.patch +scsi-core-raid_class-remove-raid_component_add.patch