From cc7a529043060729fa7d66bf78d0c762d90e84fc Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 28 Aug 2023 08:33:36 +0200
Subject: [PATCH] 5.15-stable patches

added patches:
 scsi-core-raid_class-remove-raid_component_add.patch
 scsi-snic-fix-double-free-in-snic_tgt_create.patch
---
 ...raid_class-remove-raid_component_add.patch | 92 +++++++++++++++++++
 ...c-fix-double-free-in-snic_tgt_create.patch | 41 +++++++++
 queue-5.15/series | 2 +
 3 files changed, 135 insertions(+)
 create mode 100644 queue-5.15/scsi-core-raid_class-remove-raid_component_add.patch
 create mode 100644 queue-5.15/scsi-snic-fix-double-free-in-snic_tgt_create.patch
diff --git a/queue-5.15/scsi-core-raid_class-remove-raid_component_add.patch b/queue-5.15/scsi-core-raid_class-remove-raid_component_add.patch
new file mode 100644
index 00000000000..1f42945cd07
--- /dev/null
+++ b/queue-5.15/scsi-core-raid_class-remove-raid_component_add.patch
@@ -0,0 +1,92 @@
+From 60c5fd2e8f3c42a5abc565ba9876ead1da5ad2b7 Mon Sep 17 00:00:00 2001
+From: Zhu Wang
+Date: Tue, 22 Aug 2023 01:52:54 +0000
+Subject: scsi: core: raid_class: Remove raid_component_add()
+
+From: Zhu Wang
+
+commit 60c5fd2e8f3c42a5abc565ba9876ead1da5ad2b7 upstream.
+
+The raid_component_add() function was added to the kernel tree via patch
+"[SCSI] embryonic RAID class" (2005). Remove this function since it never
+has had any callers in the Linux kernel. And also raid_component_release()
+is only used in raid_component_add(), so it is also removed.
+
+Signed-off-by: Zhu Wang
+Link: https://lore.kernel.org/r/20230822015254.184270-1-wangzhu9@huawei.com
+Reviewed-by: Bart Van Assche
+Fixes: 04b5b5cb0136 ("scsi: core: Fix possible memory leak if device_add() fails")
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/raid_class.c | 48 ---------------------------------------------
+ include/linux/raid_class.h | 4 ---
+ 2 files changed, 52 deletions(-)
+
+--- a/drivers/scsi/raid_class.c
++++ b/drivers/scsi/raid_class.c
+@@ -209,54 +209,6 @@ raid_attr_ro_state(level);
+ raid_attr_ro_fn(resync);
+ raid_attr_ro_state_fn(state);
+
+-static void raid_component_release(struct device *dev)
+-{
+- struct raid_component *rc =
+- container_of(dev, struct raid_component, dev);
+- dev_printk(KERN_ERR, rc->dev.parent, "COMPONENT RELEASE\n");
+- put_device(rc->dev.parent);
+- kfree(rc);
+-}
+-
+-int raid_component_add(struct raid_template *r,struct device *raid_dev,
+- struct device *component_dev)
+-{
+- struct device *cdev =
+- attribute_container_find_class_device(&r->raid_attrs.ac,
+- raid_dev);
+- struct raid_component *rc;
+- struct raid_data *rd = dev_get_drvdata(cdev);
+- int err;
+-
+- rc = kzalloc(sizeof(*rc), GFP_KERNEL);
+- if (!rc)
+- return -ENOMEM;
+-
+- INIT_LIST_HEAD(&rc->node);
+- device_initialize(&rc->dev);
+- rc->dev.release = raid_component_release;
+- rc->dev.parent = get_device(component_dev);
+- rc->num = rd->component_count++;
+-
+- dev_set_name(&rc->dev, "component-%d", rc->num);
+- list_add_tail(&rc->node, &rd->component_list);
+- rc->dev.class = &raid_class.class;
+- err = device_add(&rc->dev);
+- if (err)
+- goto err_out;
+-
+- return 0;
+-
+-err_out:
+- put_device(&rc->dev);
+- list_del(&rc->node);
+- rd->component_count--;
+- put_device(component_dev);
+- kfree(rc);
+- return err;
+-}
+-EXPORT_SYMBOL(raid_component_add);
+-
+ struct raid_template *
+ raid_class_attach(struct raid_function_template *ft)
+ {
+--- a/include/linux/raid_class.h
++++ b/include/linux/raid_class.h
+@@ -77,7 +77,3 @@ DEFINE_RAID_ATTRIBUTE(enum raid_state, s
+
+ struct raid_template *raid_class_attach(struct raid_function_template *);
+ void raid_class_release(struct raid_template *);
+-
+-int __must_check raid_component_add(struct raid_template *, struct device *,
+- struct device *);
+-
diff --git a/queue-5.15/scsi-snic-fix-double-free-in-snic_tgt_create.patch b/queue-5.15/scsi-snic-fix-double-free-in-snic_tgt_create.patch
new file mode 100644
index 00000000000..f93ff9c933a
--- /dev/null
+++ b/queue-5.15/scsi-snic-fix-double-free-in-snic_tgt_create.patch
@@ -0,0 +1,41 @@
+From 1bd3a76880b2bce017987cf53780b372cf59528e Mon Sep 17 00:00:00 2001
+From: Zhu Wang
+Date: Sat, 19 Aug 2023 08:39:41 +0000
+Subject: scsi: snic: Fix double free in snic_tgt_create()
+
+From: Zhu Wang
+
+commit 1bd3a76880b2bce017987cf53780b372cf59528e upstream.
+
+Commit 41320b18a0e0 ("scsi: snic: Fix possible memory leak if device_add()
+fails") fixed the memory leak caused by dev_set_name() when device_add()
+failed. However, it did not consider that 'tgt' has already been released
+when put_device(&tgt->dev) is called. Remove kfree(tgt) in the error path
+to avoid double free of 'tgt' and move put_device(&tgt->dev) after the
+removed kfree(tgt) to avoid a use-after-free.
+
+Fixes: 41320b18a0e0 ("scsi: snic: Fix possible memory leak if device_add() fails")
+Signed-off-by: Zhu Wang
+Link: https://lore.kernel.org/r/20230819083941.164365-1-wangzhu9@huawei.com
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/snic/snic_disc.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/scsi/snic/snic_disc.c
++++ b/drivers/scsi/snic/snic_disc.c
+@@ -317,12 +317,11 @@ snic_tgt_create(struct snic *snic, struc
+ "Snic Tgt: device_add, with err = %d\n",
+ ret);
+
+- put_device(&tgt->dev);
+ put_device(&snic->shost->shost_gendev);
+ spin_lock_irqsave(snic->shost->host_lock, flags);
+ list_del(&tgt->list);
+ spin_unlock_irqrestore(snic->shost->host_lock, flags);
+- kfree(tgt);
++ put_device(&tgt->dev);
+ tgt = NULL;
+
+ return tgt;
diff --git a/queue-5.15/series b/queue-5.15/series
index 930ebb9bfd8..f5eddbefd02 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
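Review bot: The reworked device_add() error path in snic_tgt_create() carries no comment recording why `put_device(&tgt->dev)` has to be the last use of `tgt` and why no `kfree(tgt)` may follow, which is the invariant the earlier fix got wrong. Going by the commit message, dropping that reference is what releases `tgt`, so I would put `/* put_device() drops the last ref and frees tgt via the device release callback; do not touch or kfree tgt after this */` directly above the call. The release callback and the rest of snic_tgt_create() lie outside the hunk, so this presumes the callback is already assigned when device_add() fails; that is worth confirming against the 5.15 tree this backport targets.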
@@ -81,3 +81,5 @@ sched-deadline-create-dl-bw-alloc-free-check-overflow-interface.patch
 cgroup-cpuset-free-dl-bw-in-case-can_attach-fails.patch
 drm-i915-fix-premature-release-of-request-s-reusable-memory.patch
 can-raw-add-missing-refcount-for-memory-leak-fix.patch
+scsi-snic-fix-double-free-in-snic_tgt_create.patch
+scsi-core-raid_class-remove-raid_component_add.patch
-- 2.47.2