<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/drivers/message, branch v4.4.215</title>
<subtitle>Clone of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git</subtitle>
<link rel='alternate' type='text/html' href='https://git.exis.tech/linux.git/'/>
<entry>
<title>scsi: mptfusion: Fix double fetch bug in ioctl</title>
<updated>2020-01-23T07:18:39+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@oracle.com</email>
</author>
<published>2020-01-14T12:34:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/linux.git/commit/?id=952fc03b38b8dca3923f3c61e3273c8f8ed2bd86'/>
<id>952fc03b38b8dca3923f3c61e3273c8f8ed2bd86</id>
<content type='text'>
commit 28d76df18f0ad5bcf5fa48510b225f0ed262a99b upstream.

Tom Hatskevich reported that we look up "iocp" then, in the called
functions we do a second copy_from_user() and look it up again.
The problem that could cause is:

drivers/message/fusion/mptctl.c
   674          /* All of these commands require an interrupt or
   675           * are unknown/illegal.
   676           */
   677          if ((ret = mptctl_syscall_down(iocp, nonblock)) != 0)
                                               ^^^^
We take this lock.

   678                  return ret;
   679
   680          if (cmd == MPTFWDOWNLOAD)
   681                  ret = mptctl_fw_download(arg);
                                                 ^^^
Then the user memory changes and we look up "iocp" again but a different
one so now we are holding the incorrect lock and have a race condition.

   682          else if (cmd == MPTCOMMAND)
   683                  ret = mptctl_mpt_command(arg);

The security impact of this bug is not as bad as it could have been
because these operations are all privileged and root already has
enormous destructive power.  But it's still worth fixing.

This patch passes the "iocp" pointer to the functions to avoid the
second lookup.  That deletes 100 lines of code from the driver so
it's a nice clean up as well.

Link: https://lore.kernel.org/r/20200114123414.GA7957@kadam
Reported-by: Tom Hatskevich &lt;tom2001tom.23@gmail.com&gt;
Reviewed-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 28d76df18f0ad5bcf5fa48510b225f0ed262a99b upstream.

Tom Hatskevich reported that we look up "iocp" then, in the called
functions we do a second copy_from_user() and look it up again.
The problem that could cause is:

drivers/message/fusion/mptctl.c
   674          /* All of these commands require an interrupt or
   675           * are unknown/illegal.
   676           */
   677          if ((ret = mptctl_syscall_down(iocp, nonblock)) != 0)
                                               ^^^^
We take this lock.

   678                  return ret;
   679
   680          if (cmd == MPTFWDOWNLOAD)
   681                  ret = mptctl_fw_download(arg);
                                                 ^^^
Then the user memory changes and we look up "iocp" again but a different
one so now we are holding the incorrect lock and have a race condition.

   682          else if (cmd == MPTCOMMAND)
   683                  ret = mptctl_mpt_command(arg);

The security impact of this bug is not as bad as it could have been
because these operations are all privileged and root already has
enormous destructive power.  But it's still worth fixing.

This patch passes the "iocp" pointer to the functions to avoid the
second lookup.  That deletes 100 lines of code from the driver so
it's a nice clean up as well.

Link: https://lore.kernel.org/r/20200114123414.GA7957@kadam
Reported-by: Tom Hatskevich &lt;tom2001tom.23@gmail.com&gt;
Reviewed-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>scsi: mptfusion: Add bounds check in mptctl_hp_targetinfo()</title>
<updated>2018-05-30T05:48:58+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@oracle.com</email>
</author>
<published>2018-01-25T14:27:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/linux.git/commit/?id=215331289b3bf313c4ada720b1ddf2bcb65ab1b6'/>
<id>215331289b3bf313c4ada720b1ddf2bcb65ab1b6</id>
<content type='text'>
[ Upstream commit a7043e9529f3c367cc4d82997e00be034cbe57ca ]

My static checker complains about an out of bounds read:

    drivers/message/fusion/mptctl.c:2786 mptctl_hp_targetinfo()
    error: buffer overflow 'hd-&gt;sel_timeout' 255 &lt;= u32max.

It's true that we probably should have a bounds check here.

Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Reviewed-by: Johannes Thumshirn &lt;jthumshirn@suse.de&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit a7043e9529f3c367cc4d82997e00be034cbe57ca ]

My static checker complains about an out of bounds read:

    drivers/message/fusion/mptctl.c:2786 mptctl_hp_targetinfo()
    error: buffer overflow 'hd-&gt;sel_timeout' 255 &lt;= u32max.

It's true that we probably should have a bounds check here.

Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Reviewed-by: Johannes Thumshirn &lt;jthumshirn@suse.de&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>scsi: mptsas: Disable WRITE SAME</title>
<updated>2018-04-29T05:50:06+00:00</updated>
<author>
<name>Martin K. Petersen</name>
<email>martin.petersen@oracle.com</email>
</author>
<published>2018-04-19T02:54:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/linux.git/commit/?id=f0ffbef2003775400c14108ee38acbf69e611767'/>
<id>f0ffbef2003775400c14108ee38acbf69e611767</id>
<content type='text'>
commit 94e5395d2403c8bc2504a7cbe4c4caaacb7b8b84 upstream.

First generation MPT Fusion controllers can not translate WRITE SAME
when the attached device is a SATA drive. Disable WRITE SAME support.

Reported-by: Nikola Ciprich &lt;nikola.ciprich@linuxbox.cz&gt;
Cc: &lt;stable@vger.kernel.org&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 94e5395d2403c8bc2504a7cbe4c4caaacb7b8b84 upstream.

First generation MPT Fusion controllers can not translate WRITE SAME
when the attached device is a SATA drive. Disable WRITE SAME support.

Reported-by: Nikola Ciprich &lt;nikola.ciprich@linuxbox.cz&gt;
Cc: &lt;stable@vger.kernel.org&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>mptfusion: hide unused seq_mpt_print_ioc_summary function</title>
<updated>2018-02-25T10:03:45+00:00</updated>
<author>
<name>Arnd Bergmann</name>
<email>arnd@arndb.de</email>
</author>
<published>2016-01-27T15:57:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/linux.git/commit/?id=a125eb8bec000ed4252be4f7ede74508b3f3ca9e'/>
<id>a125eb8bec000ed4252be4f7ede74508b3f3ca9e</id>
<content type='text'>
commit 28558f5af50d8335cbbc8bc2726e0747553e29f5 upstream.

The seq_mpt_print_ioc_summary function is used for the
/proc/mpt/iocN/summary implementation and never gets called when
CONFIG_PROC_FS is disabled:

drivers/message/fusion/mptbase.c:6851:13: warning: 'seq_mpt_print_ioc_summary' defined but not used [-Wunused-function]
 static void seq_mpt_print_ioc_summary(MPT_ADAPTER *ioc, struct seq_file *m, int showlan)

This adds an #ifdef to hide the function definition in that case and
avoid the warning.

Signed-off-by: Arnd Bergmann &lt;arnd@arndb.de&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 28558f5af50d8335cbbc8bc2726e0747553e29f5 upstream.

The seq_mpt_print_ioc_summary function is used for the
/proc/mpt/iocN/summary implementation and never gets called when
CONFIG_PROC_FS is disabled:

drivers/message/fusion/mptbase.c:6851:13: warning: 'seq_mpt_print_ioc_summary' defined but not used [-Wunused-function]
 static void seq_mpt_print_ioc_summary(MPT_ADAPTER *ioc, struct seq_file *m, int showlan)

This adds an #ifdef to hide the function definition in that case and
avoid the warning.

Signed-off-by: Arnd Bergmann &lt;arnd@arndb.de&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag '4.4-scsi-mkp' into misc</title>
<updated>2015-11-12T12:06:18+00:00</updated>
<author>
<name>James Bottomley</name>
<email>JBottomley@Odin.com</email>
</author>
<published>2015-11-12T12:06:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/linux.git/commit/?id=febdfbd2137a5727f70dfbf920105c07e6c2a21e'/>
<id>febdfbd2137a5727f70dfbf920105c07e6c2a21e</id>
<content type='text'>
SCSI queue for 4.4.

Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
SCSI queue for 4.4.

Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>mptfusion: don't allow negative bytes in kbuf_alloc_2_sgl()</title>
<updated>2015-11-12T01:58:06+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@oracle.com</email>
</author>
<published>2015-11-10T22:15:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/linux.git/commit/?id=491212014ec3ab6c477e7368405c5ae028b05ceb'/>
<id>491212014ec3ab6c477e7368405c5ae028b05ceb</id>
<content type='text'>
There is a static checker warning here because "bytes" is controlled by
the user and we cap the upper bound with min() but allow negatives.
Negative bytes will result in some nasty warning messages but are not
super harmful.  Anyway, no one needs negative bytes so let's just check
for it and return NULL.

Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
There is a static checker warning here because "bytes" is controlled by
the user and we cap the upper bound with min() but allow negatives.
Negative bytes will result in some nasty warning messages but are not
super harmful.  Anyway, no one needs negative bytes so let's just check
for it and return NULL.

Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>scsi: use host wide tags by default</title>
<updated>2015-11-10T01:11:57+00:00</updated>
<author>
<name>Christoph Hellwig</name>
<email>hch@lst.de</email>
</author>
<published>2015-10-08T08:28:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/linux.git/commit/?id=64d513ac31bd02a3c9b69ef04444f36c196f9a9d'/>
<id>64d513ac31bd02a3c9b69ef04444f36c196f9a9d</id>
<content type='text'>
This patch changes the !blk-mq path to the same defaults as the blk-mq
I/O path by always enabling block tagging, and always using host wide
tags.  We've had blk-mq available for a few releases so bugs with
this mode should have been ironed out, and this ensures we get better
coverage of over tagging setup over different configs.

Signed-off-by: Christoph Hellwig &lt;hch@lst.de&gt;
Acked-by: Jens Axboe &lt;axboe@kernel.dk&gt;
Reviewed-by: Hannes Reinecke &lt;hare@suse.de&gt;
Signed-off-by: James Bottomley &lt;JBottomley@Odin.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This patch changes the !blk-mq path to the same defaults as the blk-mq
I/O path by always enabling block tagging, and always using host wide
tags.  We've had blk-mq available for a few releases so bugs with
this mode should have been ironed out, and this ensures we get better
coverage of over tagging setup over different configs.

Signed-off-by: Christoph Hellwig &lt;hch@lst.de&gt;
Acked-by: Jens Axboe &lt;axboe@kernel.dk&gt;
Reviewed-by: Hannes Reinecke &lt;hare@suse.de&gt;
Signed-off-by: James Bottomley &lt;JBottomley@Odin.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>mptfusion: prevent some memory corruption</title>
<updated>2015-08-26T14:11:45+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@oracle.com</email>
</author>
<published>2015-07-03T08:53:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/linux.git/commit/?id=e819cdb198319cccf4af4fc12ac4d796109d8c23'/>
<id>e819cdb198319cccf4af4fc12ac4d796109d8c23</id>
<content type='text'>
These are signed values that come from the user, we put a cap on the
upper bounds but not on the lower bounds.

We use "karg.dataSgeOffset" to calculate "sz".  We verify "sz" and
proceed as if that means that "karg.dataSgeOffset" is correct but this
fails to consider that the "sz" calculations can have integer overflows.

Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Reviewed-by: Johannes Thumshirn &lt;jthumshirn@suse.de&gt;
Signed-off-by: James Bottomley &lt;JBottomley@Odin.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
These are signed values that come from the user, we put a cap on the
upper bounds but not on the lower bounds.

We use "karg.dataSgeOffset" to calculate "sz".  We verify "sz" and
proceed as if that means that "karg.dataSgeOffset" is correct but this
fails to consider that the "sz" calculations can have integer overflows.

Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Reviewed-by: Johannes Thumshirn &lt;jthumshirn@suse.de&gt;
Signed-off-by: James Bottomley &lt;JBottomley@Odin.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fusion: remove dead MTRR code</title>
<updated>2015-06-13T15:44:14+00:00</updated>
<author>
<name>Luis R. Rodriguez</name>
<email>mcgrof@suse.com</email>
</author>
<published>2015-04-21T20:46:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/linux.git/commit/?id=8cd1943bf0e87f467a1b498c63483f70b18b43d7'/>
<id>8cd1943bf0e87f467a1b498c63483f70b18b43d7</id>
<content type='text'>
If and when this gets enabled the driver could should split
up IO memory space properly and that is quite a bit of work.
Just remove the uncommented dead MTRR code then.

There are a few motivations for this:

a) Take advantage of PAT when available

b) Help bury MTRR code away, MTRR is architecture specific and on
   x86 it's replaced by PAT

c) Help with the goal of eventually using _PAGE_CACHE_UC over
   _PAGE_CACHE_UC_MINUS on x86 on ioremap_nocache() (see commit
   de33c442e titled "x86 PAT: fix performance drop for glx,
   use UC minus for ioremap(), ioremap_nocache() and
   pci_mmap_page_range()")

Signed-off-by: Luis R. Rodriguez &lt;mcgrof@suse.com&gt;
Acked-by: Sreekanth Reddy &lt;ureekanth.reddy@avagotech.com&gt;
Signed-off-by: James Bottomley &lt;JBottomley@Odin.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If and when this gets enabled the driver could should split
up IO memory space properly and that is quite a bit of work.
Just remove the uncommented dead MTRR code then.

There are a few motivations for this:

a) Take advantage of PAT when available

b) Help bury MTRR code away, MTRR is architecture specific and on
   x86 it's replaced by PAT

c) Help with the goal of eventually using _PAGE_CACHE_UC over
   _PAGE_CACHE_UC_MINUS on x86 on ioremap_nocache() (see commit
   de33c442e titled "x86 PAT: fix performance drop for glx,
   use UC minus for ioremap(), ioremap_nocache() and
   pci_mmap_page_range()")

Signed-off-by: Luis R. Rodriguez &lt;mcgrof@suse.com&gt;
Acked-by: Sreekanth Reddy &lt;ureekanth.reddy@avagotech.com&gt;
Signed-off-by: James Bottomley &lt;JBottomley@Odin.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>mptsas: fix depth param in scsi_track_queue_full</title>
<updated>2015-06-13T15:40:33+00:00</updated>
<author>
<name>Tomas Henzl</name>
<email>thenzl@redhat.com</email>
</author>
<published>2015-06-03T15:37:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/linux.git/commit/?id=2865c073257eaf1ede043a4dbc77afc71b6de175'/>
<id>2865c073257eaf1ede043a4dbc77afc71b6de175</id>
<content type='text'>
A user of scsi_track_queue_full should pass to the function a constant value
until the queue-depth changes, otherwise the internal logic in
scsi_track_queue_full rejects the change.  Other users of this function use a
'sdev-&gt;queue_depth - 1' as depth parameter, let's do the same.

Signed-off-by: Tomas Henzl &lt;thenzl@redhat.com&gt;
Acked-by: "Sreekanth Reddy" &lt;Sreekanth.reddy@avagotech.com&gt;
Signed-off-by: James Bottomley &lt;JBottomley@Odin.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
A user of scsi_track_queue_full should pass to the function a constant value
until the queue-depth changes, otherwise the internal logic in
scsi_track_queue_full rejects the change.  Other users of this function use a
'sdev-&gt;queue_depth - 1' as depth parameter, let's do the same.

Signed-off-by: Tomas Henzl &lt;thenzl@redhat.com&gt;
Acked-by: "Sreekanth Reddy" &lt;Sreekanth.reddy@avagotech.com&gt;
Signed-off-by: James Bottomley &lt;JBottomley@Odin.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
