From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sat, 10 Jun 2023 15:43:56 +0000 (+0200)
Subject: 6.1-stable patches
X-Git-Tag: v4.14.318~71
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8b3e6570f23fc907734bd156f2cbf255399ebd28;p=thirdparty%2Fkernel%2Fstable-queue.git

6.1-stable patches

added patches:
	scsi-megaraid_sas-add-flexible-array-member-for-sgls.patch
	series
---

diff --git a/queue-6.1/scsi-megaraid_sas-add-flexible-array-member-for-sgls.patch b/queue-6.1/scsi-megaraid_sas-add-flexible-array-member-for-sgls.patch
new file mode 100644
index 00000000000..15ac948afa7
--- /dev/null
+++ b/queue-6.1/scsi-megaraid_sas-add-flexible-array-member-for-sgls.patch
@@ -0,0 +1,62 @@
+From a9a3629592ab7442a2e9d40281420b51c453ea9b Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Thu, 5 Jan 2023 21:32:00 -0800
+Subject: scsi: megaraid_sas: Add flexible array member for SGLs
+
+From: Kees Cook <keescook@chromium.org>
+
+commit a9a3629592ab7442a2e9d40281420b51c453ea9b upstream.
+
+struct MPI2_RAID_SCSI_IO_REQUEST ends with a single SGL, but expects to
+copy multiple. Add a flexible array member so the compiler can reason about
+the size of the memcpy(). This will avoid the run-time false positive
+warning:
+
+  memcpy: detected field-spanning write (size 128) of single field "&r1_cmd->io_request->SGL" at drivers/scsi/megaraid/megaraid_sas_fusion.c:3326 (size 16)
+
+This change results in no binary output differences.
+
+Reported-by: Holger Kiehl <Holger.Kiehl@dwd.de>
+Link: https://lore.kernel.org/all/88de8faa-56c4-693d-2d3-67152ee72057@diagnostix.dwd.de/
+Cc: Kashyap Desai <kashyap.desai@broadcom.com>
+Cc: Sumit Saxena <sumit.saxena@broadcom.com>
+Cc: Shivasharan S <shivasharan.srikanteshwara@broadcom.com>
+Cc: "James E.J. Bottomley" <jejb@linux.ibm.com>
+Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
+Cc: megaraidlinux.pdl@broadcom.com
+Cc: linux-scsi@vger.kernel.org
+Link: https://lore.kernel.org/r/20230106053153.never.999-kees@kernel.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Tested-by: Holger Kiehl <Holger.Kiehl@dwd.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/megaraid/megaraid_sas_fusion.c |    2 +-
+ drivers/scsi/megaraid/megaraid_sas_fusion.h |    5 ++++-
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c
++++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c
+@@ -3323,7 +3323,7 @@ static void megasas_prepare_secondRaid1_
+ 	/* copy the io request frame as well as 8 SGEs data for r1 command*/
+ 	memcpy(r1_cmd->io_request, cmd->io_request,
+ 	       (sizeof(struct MPI2_RAID_SCSI_IO_REQUEST)));
+-	memcpy(&r1_cmd->io_request->SGL, &cmd->io_request->SGL,
++	memcpy(r1_cmd->io_request->SGLs, cmd->io_request->SGLs,
+ 	       (fusion->max_sge_in_main_msg * sizeof(union MPI2_SGE_IO_UNION)));
+ 	/*sense buffer is different for r1 command*/
+ 	r1_cmd->io_request->SenseBufferLowAddress =
+--- a/drivers/scsi/megaraid/megaraid_sas_fusion.h
++++ b/drivers/scsi/megaraid/megaraid_sas_fusion.h
+@@ -526,7 +526,10 @@ struct MPI2_RAID_SCSI_IO_REQUEST {
+ 	__le32			Control;                        /* 0x3C */
+ 	union MPI2_SCSI_IO_CDB_UNION  CDB;			/* 0x40 */
+ 	union RAID_CONTEXT_UNION RaidContext;  /* 0x60 */
+-	union MPI2_SGE_IO_UNION       SGL;			/* 0x80 */
++	union {
++		union MPI2_SGE_IO_UNION       SGL;		/* 0x80 */
++		DECLARE_FLEX_ARRAY(union MPI2_SGE_IO_UNION, SGLs);
++	};
+ };
+ 
+ /*
diff --git a/queue-6.1/series b/queue-6.1/series
new file mode 100644
index 00000000000..9a0adfbd39e
--- /dev/null
+++ b/queue-6.1/series
@@ -0,0 +1 @@
+scsi-megaraid_sas-add-flexible-array-member-for-sgls.patch