From: Greg Kroah-Hartman Date: Mon, 19 Mar 2018 13:44:08 +0000 (+0100) Subject: 3.18-stable patches X-Git-Tag: v4.15.12~21 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4dcf10414a49311024a394a8b758dc3e67056a7e;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: scsi-sg-fix-sg_dxfer_from_dev-transfers.patch scsi-sg-fix-static-checker-warning-in-sg_is_valid_dxfer.patch scsi-sg-only-check-for-dxfer_len-greater-than-256m.patch
---
diff --git a/queue-3.18/scsi-sg-fix-sg_dxfer_from_dev-transfers.patch b/queue-3.18/scsi-sg-fix-sg_dxfer_from_dev-transfers.patch
new file mode 100644
index 00000000000..f1a419b3ffa
--- /dev/null
+++ b/queue-3.18/scsi-sg-fix-sg_dxfer_from_dev-transfers.patch
@@ -0,0 +1,46 @@
+From 68c59fcea1f2c6a54c62aa896cc623c1b5bc9b47 Mon Sep 17 00:00:00 2001
+From: Johannes Thumshirn
+Date: Fri, 7 Jul 2017 10:56:38 +0200
+Subject: scsi: sg: fix SG_DXFER_FROM_DEV transfers
+
+From: Johannes Thumshirn
+
+commit 68c59fcea1f2c6a54c62aa896cc623c1b5bc9b47 upstream.
+
+SG_DXFER_FROM_DEV transfers do not necessarily have a dxferp as we set
+it to NULL for the old sg_io read/write interface, but must have a
+length bigger than 0. This fixes a regression introduced by commit
+28676d869bbb ("scsi: sg: check for valid direction before starting the
+request")
+
+Signed-off-by: Johannes Thumshirn
+Fixes: 28676d869bbb ("scsi: sg: check for valid direction before starting the request")
+Reported-by: Chris Clayton
+Tested-by: Chris Clayton
+Cc: Douglas Gilbert
+Reviewed-by: Hannes Reinecke
+Tested-by: Chris Clayton
+Acked-by: Douglas Gilbert
+Signed-off-by: Martin K. Petersen
+Cc: Cristian Crinteanu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/sg.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -769,8 +769,11 @@ static bool sg_is_valid_dxfer(sg_io_hdr_
+ if (hp->dxferp || hp->dxfer_len > 0)
+ return false;
+ return true;
+- case SG_DXFER_TO_DEV:
+ case SG_DXFER_FROM_DEV:
++ if (hp->dxfer_len < 0)
++ return false;
++ return true;
++ case SG_DXFER_TO_DEV:
+ case SG_DXFER_TO_FROM_DEV:
+ if (!hp->dxferp || hp->dxfer_len == 0)
+ return false;
diff --git a/queue-3.18/scsi-sg-fix-static-checker-warning-in-sg_is_valid_dxfer.patch b/queue-3.18/scsi-sg-fix-static-checker-warning-in-sg_is_valid_dxfer.patch
new file mode 100644
index 00000000000..a534b104d2e
--- /dev/null
+++ b/queue-3.18/scsi-sg-fix-static-checker-warning-in-sg_is_valid_dxfer.patch
@@ -0,0 +1,44 @@
+From 14074aba4bcda3764c9a702b276308b89901d5b6 Mon Sep 17 00:00:00 2001
+From: Johannes Thumshirn
+Date: Mon, 17 Jul 2017 15:11:42 +0200
+Subject: scsi: sg: fix static checker warning in sg_is_valid_dxfer
+
+From: Johannes Thumshirn
+
+commit 14074aba4bcda3764c9a702b276308b89901d5b6 upstream.
+
+dxfer_len is an unsigned int and we always assign a value > 0 to it, so
+it doesn't make any sense to check if it is < 0. We can't really check
+dxferp as well as we have both NULL and not NULL cases in the possible
+call paths.
+
+So just return true for SG_DXFER_FROM_DEV transfer in
+sg_is_valid_dxfer().
+
+Signed-off-by: Johannes Thumshirn
+Reported-by: Colin Ian King
+Reported-by: Dan Carpenter
+Cc: Douglas Gilbert
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/sg.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -770,8 +770,11 @@ static bool sg_is_valid_dxfer(sg_io_hdr_
+ return false;
+ return true;
+ case SG_DXFER_FROM_DEV:
+- if (hp->dxfer_len < 0)
+- return false;
++ /*
++ * for SG_DXFER_FROM_DEV we always set dxfer_len to > 0. dxferp
++ * can either be NULL or != NULL so there's no point in checking
++ * it either. So just return true.
++ */
+ return true;
+ case SG_DXFER_TO_DEV:
+ case SG_DXFER_TO_FROM_DEV:
diff --git a/queue-3.18/scsi-sg-only-check-for-dxfer_len-greater-than-256m.patch b/queue-3.18/scsi-sg-only-check-for-dxfer_len-greater-than-256m.patch
new file mode 100644
index 00000000000..6280c1b6a9f
--- /dev/null
+++ b/queue-3.18/scsi-sg-only-check-for-dxfer_len-greater-than-256m.patch
@@ -0,0 +1,76 @@
+From f930c7043663188429cd9b254e9d761edfc101ce Mon Sep 17 00:00:00 2001
+From: Johannes Thumshirn
+Date: Thu, 27 Jul 2017 09:11:26 +0200
+Subject: scsi: sg: only check for dxfer_len greater than 256M
+
+From: Johannes Thumshirn
+
+commit f930c7043663188429cd9b254e9d761edfc101ce upstream.
+
+Don't make any assumptions on the sg_io_hdr_t::dxfer_direction or the
+sg_io_hdr_t::dxferp in order to determine if it is a valid request. The
+only way we can check for bad requests is by checking if the length
+exceeds 256M.
+
+Signed-off-by: Johannes Thumshirn
+Fixes: 28676d869bbb (scsi: sg: check for valid direction before starting the request)
+Reported-by: Jason L Tibbitts III
+Tested-by: Jason L Tibbitts III
+Suggested-by: Doug Gilbert
+Cc: Doug Gilbert
+Cc:
+Reviewed-by: Hannes Reinecke
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/sg.c | 31 +------------------------------
+ 1 file changed, 1 insertion(+), 30 deletions(-)
+
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -762,35 +762,6 @@ sg_new_write(Sg_fd *sfp, struct file *fi
+ return count;
+ }
+
+-static bool sg_is_valid_dxfer(sg_io_hdr_t *hp)
+-{
+- switch (hp->dxfer_direction) {
+- case SG_DXFER_NONE:
+- if (hp->dxferp || hp->dxfer_len > 0)
+- return false;
+- return true;
+- case SG_DXFER_FROM_DEV:
+- /*
+- * for SG_DXFER_FROM_DEV we always set dxfer_len to > 0. dxferp
+- * can either be NULL or != NULL so there's no point in checking
+- * it either. So just return true.
+- */
+- return true;
+- case SG_DXFER_TO_DEV:
+- case SG_DXFER_TO_FROM_DEV:
+- if (!hp->dxferp || hp->dxfer_len == 0)
+- return false;
+- return true;
+- case SG_DXFER_UNKNOWN:
+- if ((!hp->dxferp && hp->dxfer_len) ||
+- (hp->dxferp && hp->dxfer_len == 0))
+- return false;
+- return true;
+- default:
+- return false;
+- }
+-}
+-
+ static int
+ sg_common_write(Sg_fd * sfp, Sg_request * srp,
+ unsigned char *cmnd, int timeout, int blocking)
+@@ -811,7 +782,7 @@ sg_common_write(Sg_fd * sfp, Sg_request
+ "sg_common_write: scsi opcode=0x%02x, cmd_size=%d\n",
+ (int) cmnd[0], (int) hp->cmd_len));
+
+- if (!sg_is_valid_dxfer(hp))
++ if (hp->dxfer_len >= SZ_256M)
+ return -EINVAL;
+
+ k = sg_start_req(srp, cmnd);
diff --git a/queue-3.18/series b/queue-3.18/series
index e6cc4601b89..cbd143c8757 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -63,3 +63,6 @@ alsa-seq-clear-client-entry-before-deleting-else-at-closing.patch
 lock_parent-needs-to-recheck-if-dentry-got-__dentry_kill-ed-under-it.patch
 fs-aio-add-explicit-rcu-grace-period-when-freeing-kioctx.patch
 fs-aio-use-rcu-accessors-for-kioctx_table-table.patch
+scsi-sg-fix-sg_dxfer_from_dev-transfers.patch
+scsi-sg-fix-static-checker-warning-in-sg_is_valid_dxfer.patch
+scsi-sg-only-check-for-dxfer_len-greater-than-256m.patch
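Review bot: In queue-3.18/scsi-sg-only-check-for-dxfer_len-greater-than-256m.patch, the guard added to sg_common_write, `if (hp->dxfer_len >= SZ_256M)`, also rejects a transfer of exactly 256M, while the subject and message speak only of lengths that exceed 256M; either the message should say "256M or more" or the comparison should be `>`. With sg_is_valid_dxfer() removed, this length cap is the only validation left at this call site, so it deserves a comment such as `/* dxferp and dxfer_direction are deliberately not validated here; only an oversized dxfer_len can be rejected */`. The patch adds no include, so for the 3.18 backport it is worth confirming that sg.c already sees the definition of SZ_256M. sg_common_write starts and ends outside the hunk.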