From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 2 Apr 2024 07:51:39 +0000 (+0200)
Subject: drop scsi-sg-avoid-sg-device-teardown-race.patch
X-Git-Tag: v6.7.12~4
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d358e4b2789308581f75b560d1b354d1fc21b95f;p=thirdparty%2Fkernel%2Fstable-queue.git

drop scsi-sg-avoid-sg-device-teardown-race.patch
---

diff --git a/queue-6.6/scsi-sg-avoid-sg-device-teardown-race.patch b/queue-6.6/scsi-sg-avoid-sg-device-teardown-race.patch
deleted file mode 100644
index c6e024b2190..00000000000
--- a/queue-6.6/scsi-sg-avoid-sg-device-teardown-race.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 27f58c04a8f438078583041468ec60597841284d Mon Sep 17 00:00:00 2001
-From: Alexander Wetzel <Alexander@wetzel-home.de>
-Date: Wed, 20 Mar 2024 22:30:32 +0100
-Subject: scsi: sg: Avoid sg device teardown race
-
-From: Alexander Wetzel <Alexander@wetzel-home.de>
-
-commit 27f58c04a8f438078583041468ec60597841284d upstream.
-
-sg_remove_sfp_usercontext() must not use sg_device_destroy() after calling
-scsi_device_put().
-
-sg_device_destroy() is accessing the parent scsi_device request_queue which
-will already be set to NULL when the preceding call to scsi_device_put()
-removed the last reference to the parent scsi_device.
-
-The resulting NULL pointer exception will then crash the kernel.
-
-Link: https://lore.kernel.org/r/20240305150509.23896-1-Alexander@wetzel-home.de
-Fixes: db59133e9279 ("scsi: sg: fix blktrace debugfs entries leakage")
-Cc: stable@vger.kernel.org
-Signed-off-by: Alexander Wetzel <Alexander@wetzel-home.de>
-Link: https://lore.kernel.org/r/20240320213032.18221-1-Alexander@wetzel-home.de
-Reviewed-by: Bart Van Assche <bvanassche@acm.org>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/scsi/sg.c |    4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
---- a/drivers/scsi/sg.c
-+++ b/drivers/scsi/sg.c
-@@ -2208,6 +2208,7 @@ sg_remove_sfp_usercontext(struct work_st
- {
- 	struct sg_fd *sfp = container_of(work, struct sg_fd, ew.work);
- 	struct sg_device *sdp = sfp->parentdp;
-+	struct scsi_device *device = sdp->device;
- 	Sg_request *srp;
- 	unsigned long iflags;
- 
-@@ -2233,8 +2234,9 @@ sg_remove_sfp_usercontext(struct work_st
- 			"sg_remove_sfp: sfp=0x%p\n", sfp));
- 	kfree(sfp);
- 
--	scsi_device_put(sdp->device);
-+	WARN_ON_ONCE(kref_read(&sdp->d_ref) != 1);
- 	kref_put(&sdp->d_ref, sg_device_destroy);
-+	scsi_device_put(device);
- 	module_put(THIS_MODULE);
- }
- 
diff --git a/queue-6.6/series b/queue-6.6/series
index bea5be012b8..2c5ffc60842 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -354,7 +354,6 @@ drm-amd-display-clear-optc-mem-select-on-disable.patch
 vfio-pds-make-sure-migration-file-isn-t-accessed-aft.patch
 alsa-sh-aica-reorder-cleanup-operations-to-avoid-uaf-bugs.patch
 scsi-sd-fix-tcg-opal-unlock-on-system-resume.patch
-scsi-sg-avoid-sg-device-teardown-race.patch
 scsi-core-fix-unremoved-procfs-host-directory-regression.patch
 staging-vc04_services-changen-strncpy-to-strscpy_pad.patch
 staging-vc04_services-fix-information-leak-in-create_component.patch
diff --git a/queue-6.7/scsi-sg-avoid-sg-device-teardown-race.patch b/queue-6.7/scsi-sg-avoid-sg-device-teardown-race.patch
deleted file mode 100644
index 940437e82ea..00000000000
--- a/queue-6.7/scsi-sg-avoid-sg-device-teardown-race.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 27f58c04a8f438078583041468ec60597841284d Mon Sep 17 00:00:00 2001
-From: Alexander Wetzel <Alexander@wetzel-home.de>
-Date: Wed, 20 Mar 2024 22:30:32 +0100
-Subject: scsi: sg: Avoid sg device teardown race
-
-From: Alexander Wetzel <Alexander@wetzel-home.de>
-
-commit 27f58c04a8f438078583041468ec60597841284d upstream.
-
-sg_remove_sfp_usercontext() must not use sg_device_destroy() after calling
-scsi_device_put().
-
-sg_device_destroy() is accessing the parent scsi_device request_queue which
-will already be set to NULL when the preceding call to scsi_device_put()
-removed the last reference to the parent scsi_device.
-
-The resulting NULL pointer exception will then crash the kernel.
-
-Link: https://lore.kernel.org/r/20240305150509.23896-1-Alexander@wetzel-home.de
-Fixes: db59133e9279 ("scsi: sg: fix blktrace debugfs entries leakage")
-Cc: stable@vger.kernel.org
-Signed-off-by: Alexander Wetzel <Alexander@wetzel-home.de>
-Link: https://lore.kernel.org/r/20240320213032.18221-1-Alexander@wetzel-home.de
-Reviewed-by: Bart Van Assche <bvanassche@acm.org>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/scsi/sg.c |    4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
---- a/drivers/scsi/sg.c
-+++ b/drivers/scsi/sg.c
-@@ -2207,6 +2207,7 @@ sg_remove_sfp_usercontext(struct work_st
- {
- 	struct sg_fd *sfp = container_of(work, struct sg_fd, ew.work);
- 	struct sg_device *sdp = sfp->parentdp;
-+	struct scsi_device *device = sdp->device;
- 	Sg_request *srp;
- 	unsigned long iflags;
- 
-@@ -2232,8 +2233,9 @@ sg_remove_sfp_usercontext(struct work_st
- 			"sg_remove_sfp: sfp=0x%p\n", sfp));
- 	kfree(sfp);
- 
--	scsi_device_put(sdp->device);
-+	WARN_ON_ONCE(kref_read(&sdp->d_ref) != 1);
- 	kref_put(&sdp->d_ref, sg_device_destroy);
-+	scsi_device_put(device);
- 	module_put(THIS_MODULE);
- }
- 
diff --git a/queue-6.7/series b/queue-6.7/series
index a2966dd7483..ac3fe4a318a 100644
--- a/queue-6.7/series
+++ b/queue-6.7/series
@@ -387,7 +387,6 @@ vfio-pds-make-sure-migration-file-isn-t-accessed-aft.patch
 alsa-sh-aica-reorder-cleanup-operations-to-avoid-uaf-bugs.patch
 scsi-ufs-qcom-provide-default-cycles_in_1us-value.patch
 scsi-sd-fix-tcg-opal-unlock-on-system-resume.patch
-scsi-sg-avoid-sg-device-teardown-race.patch
 scsi-core-fix-unremoved-procfs-host-directory-regression.patch
 staging-vc04_services-changen-strncpy-to-strscpy_pad.patch
 staging-vc04_services-fix-information-leak-in-create_component.patch
diff --git a/queue-6.8/scsi-sg-avoid-sg-device-teardown-race.patch b/queue-6.8/scsi-sg-avoid-sg-device-teardown-race.patch
deleted file mode 100644
index 940437e82ea..00000000000
--- a/queue-6.8/scsi-sg-avoid-sg-device-teardown-race.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 27f58c04a8f438078583041468ec60597841284d Mon Sep 17 00:00:00 2001
-From: Alexander Wetzel <Alexander@wetzel-home.de>
-Date: Wed, 20 Mar 2024 22:30:32 +0100
-Subject: scsi: sg: Avoid sg device teardown race
-
-From: Alexander Wetzel <Alexander@wetzel-home.de>
-
-commit 27f58c04a8f438078583041468ec60597841284d upstream.
-
-sg_remove_sfp_usercontext() must not use sg_device_destroy() after calling
-scsi_device_put().
-
-sg_device_destroy() is accessing the parent scsi_device request_queue which
-will already be set to NULL when the preceding call to scsi_device_put()
-removed the last reference to the parent scsi_device.
-
-The resulting NULL pointer exception will then crash the kernel.
-
-Link: https://lore.kernel.org/r/20240305150509.23896-1-Alexander@wetzel-home.de
-Fixes: db59133e9279 ("scsi: sg: fix blktrace debugfs entries leakage")
-Cc: stable@vger.kernel.org
-Signed-off-by: Alexander Wetzel <Alexander@wetzel-home.de>
-Link: https://lore.kernel.org/r/20240320213032.18221-1-Alexander@wetzel-home.de
-Reviewed-by: Bart Van Assche <bvanassche@acm.org>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/scsi/sg.c |    4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
---- a/drivers/scsi/sg.c
-+++ b/drivers/scsi/sg.c
-@@ -2207,6 +2207,7 @@ sg_remove_sfp_usercontext(struct work_st
- {
- 	struct sg_fd *sfp = container_of(work, struct sg_fd, ew.work);
- 	struct sg_device *sdp = sfp->parentdp;
-+	struct scsi_device *device = sdp->device;
- 	Sg_request *srp;
- 	unsigned long iflags;
- 
-@@ -2232,8 +2233,9 @@ sg_remove_sfp_usercontext(struct work_st
- 			"sg_remove_sfp: sfp=0x%p\n", sfp));
- 	kfree(sfp);
- 
--	scsi_device_put(sdp->device);
-+	WARN_ON_ONCE(kref_read(&sdp->d_ref) != 1);
- 	kref_put(&sdp->d_ref, sg_device_destroy);
-+	scsi_device_put(device);
- 	module_put(THIS_MODULE);
- }
- 
diff --git a/queue-6.8/series b/queue-6.8/series
index 4baf2da512b..c2b2e839a2f 100644
--- a/queue-6.8/series
+++ b/queue-6.8/series
@@ -349,7 +349,6 @@ btrfs-fix-extent-map-leak-in-unexpected-scenario-at-.patch
 alsa-sh-aica-reorder-cleanup-operations-to-avoid-uaf-bugs.patch
 scsi-ufs-qcom-provide-default-cycles_in_1us-value.patch
 scsi-sd-fix-tcg-opal-unlock-on-system-resume.patch
-scsi-sg-avoid-sg-device-teardown-race.patch
 scsi-core-fix-unremoved-procfs-host-directory-regression.patch
 staging-vc04_services-changen-strncpy-to-strscpy_pad.patch
 staging-vc04_services-fix-information-leak-in-create_component.patch