OpenCloudOS-Kernel/drivers/scsi
Wenwen Wang c9318a3e02 scsi: 3w-9xxx: fix a missing-check bug
In twa_chrdev_ioctl(), the ioctl driver command is firstly copied from
the userspace pointer 'argp' and saved to the kernel object
'driver_command'.  Then a security check is performed on the data buffer
size indicated by 'driver_command', which is
'driver_command.buffer_length'. If the security check is passed, the
entire ioctl command is copied again from the 'argp' pointer and saved
to the kernel object 'tw_ioctl'. Then, various operations are performed
on 'tw_ioctl' according to the 'cmd'. Given that the 'argp' pointer
resides in userspace, a malicious userspace process can race to change
the buffer size between the two copies. This way, the user can bypass
the security check and inject invalid data buffer size. This can cause
potential security issues in the following execution.

This patch checks for capable(CAP_SYS_ADMIN) in twa_chrdev_open() to
avoid the above issues.

Signed-off-by: Wenwen Wang <wang6495@umn.edu>
Acked-by: Adam Radford <aradford@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2018-05-08 01:32:18 -04:00
..
aacraid scsi: aacraid: Insure command thread is not recursively stopped 2018-04-09 21:08:30 -04:00
aic7xxx Merge branch 'fixes' into misc 2018-04-03 17:38:39 -07:00
aic94xx treewide: Remove TIMER_FUNC_TYPE and TIMER_DATA_TYPE casts 2017-11-21 16:35:54 -08:00
arcmsr scsi: arcmsr: Change driver version to v1.40.00.05-20180309 2018-03-21 18:46:30 -04:00
arm scsi: fas216: fix sense buffer initialization 2018-01-22 20:04:01 -05:00
be2iscsi treewide: Remove TIMER_FUNC_TYPE and TIMER_DATA_TYPE casts 2017-11-21 16:35:54 -08:00
bfa scsi: bfa: remove VLA 2018-03-15 00:35:43 -04:00
bnx2fc scsi: bnx2fc: Fix check in SCSI completion handler for timed out request 2018-01-30 21:27:02 -05:00
bnx2i scsi: bnx2i: Use zeroing allocator rather than allocator/memset 2018-01-04 01:13:28 -05:00
csiostor Merge branch 'fixes' into misc 2018-04-03 17:38:39 -07:00
cxgbi scsi: cxgb4i: silence overflow warning in t4_uld_rx_handler() 2018-04-09 21:32:45 -04:00
cxlflash scsi: cxlflash: Handle spurious interrupts 2018-04-18 19:32:51 -04:00
device_handler Merge branch 'fixes' into misc 2018-04-03 17:38:39 -07:00
dpt sched/wait: Rename wait_queue_t => wait_queue_entry_t 2017-06-20 12:18:27 +02:00
esas2r scsi: esas2r: fix spelling mistake: "asynchromous" -> "asynchronous" 2018-05-01 23:32:31 -04:00
fcoe treewide: setup_timer() -> timer_setup() 2017-11-21 15:57:07 -08:00
fnic scsi: fnic: use 64-bit timestamps 2018-01-22 20:03:57 -05:00
hisi_sas scsi: hisi_sas: workaround a v3 hw hilink bug 2018-05-08 01:10:44 -04:00
ibmvscsi scsi: ibmvfc: Avoid unnecessary port relogin 2018-03-15 00:52:33 -04:00
ibmvscsi_tgt scsi: ibmvscsis: add DRC indices to debug statements 2017-12-04 22:56:04 -05:00
isci scsi: isci: remove redundant check on in_connection_align_insertion_frequency 2018-05-01 23:31:45 -04:00
libfc scsi: libfc: remove redundant initialization of 'disc' 2018-02-13 21:37:01 -05:00
libsas scsi: libsas: add transport class for ATA devices 2018-04-18 19:32:51 -04:00
lpfc scsi: lpfc: fix spelling mistakes: "mabilbox" and "maibox" 2018-05-08 01:26:44 -04:00
megaraid scsi: megaraid_sas: fix spelling mistake: "disbale" -> "disable" 2018-05-01 23:35:43 -04:00
mpt3sas scsi: mpt3sas: Update driver version "25.100.00.00" 2018-05-08 00:40:05 -04:00
mvsas scsi: mvsas: fix wrong endianness of sgpio api 2018-03-01 21:07:48 -05:00
osd block: fix blk_rq_append_bio 2017-12-18 13:55:43 -07:00
pcmcia scsi: remove the fdomain and fdomain_cs drivers 2018-03-19 22:54:47 -04:00
pm8001 treewide: Remove TIMER_FUNC_TYPE and TIMER_DATA_TYPE casts 2017-11-21 16:35:54 -08:00
qedf scsi: qedf: Update version number to 8.33.16.20 2018-05-08 00:57:11 -04:00
qedi SCSI for-linus on 20180404 2018-04-05 15:05:53 -07:00
qla2xxx scsi: qla2xxx: remove the unused tcm_qla2xxx_cmd_wq 2018-05-08 01:24:25 -04:00
qla4xxx Merge branch 'fixes' into misc 2018-04-03 17:38:39 -07:00
smartpqi SCSI for-linus on 20180404 2018-04-05 15:05:53 -07:00
snic License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
sym53c8xx_2 treewide: Align function definition open/close braces 2018-03-26 11:13:09 +02:00
ufs Merge branch 'fixes' into misc 2018-04-03 17:38:39 -07:00
.gitignore scsi: scsi_devinfo: Add scsi_devinfo_tbl.c 2017-10-25 05:40:22 -04:00
3w-9xxx.c scsi: 3w-9xxx: fix a missing-check bug 2018-05-08 01:32:18 -04:00
3w-9xxx.h scsi: 3w-9xxx: rework lock timeouts 2017-12-04 20:32:53 -05:00
3w-sas.c scsi: 3ware: use 64-bit times for FW time sync 2017-12-04 20:32:53 -05:00
3w-sas.h
3w-xxxx.c
3w-xxxx.h
53c700.c scsi: 53c700: move bus reset to host reset 2017-08-25 17:21:11 -04:00
53c700.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
53c700.scr
53c700_d.h_shipped
BusLogic.c
BusLogic.h
FlashPoint.c
Kconfig scsi: zorro_esp: New driver for Amiga Zorro NCR53C9x boards 2018-04-19 00:00:44 -04:00
Makefile scsi: devinfo: warn on undefined blist flags 2018-04-20 19:14:35 -04:00
NCR5380.c SCSI misc on 20171114 2017-11-14 16:23:44 -08:00
NCR5380.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
NCR_D700.c
NCR_D700.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
NCR_Q720.c dma-coherent: remove the DMA_MEMORY_MAP and DMA_MEMORY_IO flags 2017-09-01 11:59:17 +02:00
NCR_Q720.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
a100u2w.c scsi: a100u2w: Use module_pci_driver 2018-05-01 23:31:40 -04:00
a100u2w.h
a2091.c scsi: drop bus reset for wd33c93-compatible boards 2017-08-25 17:21:10 -04:00
a2091.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
a3000.c scsi: drop bus reset for wd33c93-compatible boards 2017-08-25 17:21:10 -04:00
a3000.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
a4000t.c
advansys.c
aha152x.c scsi: aha152x: drop host reset 2017-08-25 17:21:11 -04:00
aha152x.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
aha1542.c scsi: aha1542: constify pnp_device_id 2017-08-24 22:29:07 -04:00
aha1542.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
aha1740.c scsi: aha1740: stop using scsi_unregister 2018-03-15 00:26:54 -04:00
aha1740.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
am53c974.c scsi: am53c974: Use module_pci_driver 2018-05-01 23:29:41 -04:00
atari_scsi.c scsi: NCR5380: Move bus reset to host reset 2017-08-25 17:21:11 -04:00
atp870u.c scsi: atp870u: 64 bit bug in atp885_init() 2018-03-01 21:10:36 -05:00
atp870u.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
bvme6000_scsi.c
ch.c scsi: ch: add refcounting 2017-08-24 22:29:06 -04:00
constants.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dc395x.c scsi: dc395x: Convert timers to use timer_setup() 2017-10-27 02:22:00 -07:00
dc395x.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dmx3191d.c scsi: NCR5380: Move bus reset to host reset 2017-08-25 17:21:11 -04:00
dpt_i2o.c scsi: dpt_i2o: Use after free in I2ORESETCMD ioctl 2018-04-09 21:31:37 -04:00
dpti.h scsi: dpt_i2o: stop using scsi_unregister 2018-03-15 00:25:37 -04:00
esp_scsi.c scsi: esp_scsi: Always clear msg_out_len after MESSAGE OUT phase 2017-08-10 19:55:35 -04:00
esp_scsi.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
g_NCR5380.c scsi: NCR5380: Move bus reset to host reset 2017-08-25 17:21:11 -04:00
gdth.c scsi: gdth: Convert timers to use timer_setup() 2017-10-27 02:22:00 -07:00
gdth.h block: Move SECTOR_SIZE and SECTOR_SHIFT definitions into <linux/blkdev.h> 2018-03-17 14:45:23 -06:00
gdth_ioctl.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
gdth_proc.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
gdth_proc.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
gvp11.c scsi: drop bus reset for wd33c93-compatible boards 2017-08-25 17:21:10 -04:00
gvp11.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
hosts.c scsi: core: remove redundant assignment to shost->use_blk_mq 2018-04-09 16:34:41 -04:00
hpsa.c Merge branch 'fixes' into misc 2018-04-03 17:38:39 -07:00
hpsa.h scsi: hpsa: fix selection of reply queue 2018-03-14 23:31:13 -04:00
hpsa_cmd.h scsi: hpsa: update discovery polling 2017-10-25 04:55:18 -04:00
hptiop.c scsi: hptiop: Simplify reset handling 2017-08-25 17:21:10 -04:00
hptiop.h
imm.c scsi: imm: drop duplicate bus_reset handler 2017-08-25 17:21:11 -04:00
imm.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
initio.c
initio.h
ipr.c scsi: ipr: Use dma_pool_zalloc() 2018-03-12 21:16:58 -04:00
ipr.h scsi: ipr: Use sgl_alloc_order() and sgl_free_order() 2018-02-13 21:49:14 -05:00
ips.c scsi: ips: fix firmware timestamps for 32-bit 2018-04-20 19:40:17 -04:00
ips.h scsi: ips: fix firmware timestamps for 32-bit 2018-04-20 19:40:17 -04:00
iscsi_boot_sysfs.c
iscsi_tcp.c scsi: iscsi_tcp: don't set a bounce limit 2018-04-19 00:00:44 -04:00
iscsi_tcp.h
jazz_esp.c scsi: jazz_esp, sun3x_esp: Pass struct device pointer in dma calls 2018-03-12 22:05:43 -04:00
lasi700.c parisc/scsi/lasi700: Fix section mismatches 2017-08-22 16:34:36 +02:00
libiscsi.c scsi: doc: fix iscsi-related kernel-doc warnings 2018-01-03 23:10:06 -05:00
libiscsi_tcp.c scsi: doc: fix iscsi-related kernel-doc warnings 2018-01-03 23:10:06 -05:00
mac53c94.c scsi: Convert to using %pOF instead of full_name 2017-08-07 14:04:02 -04:00
mac53c94.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mac_esp.c scsi: mac_esp: Fix PIO transfers for MESSAGE IN phase 2017-08-10 19:55:34 -04:00
mac_scsi.c scsi: NCR5380: Move bus reset to host reset 2017-08-25 17:21:11 -04:00
megaraid.c scsi: megaraid: silence a static checker bug 2018-05-08 01:29:00 -04:00
megaraid.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mesh.c
mesh.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mvme16x_scsi.c
mvme147.c scsi: mvme147: stop using scsi_module.c 2018-03-19 22:54:47 -04:00
mvme147.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mvumi.c scsi: mvumi: Using module_pci_driver 2018-04-20 19:40:11 -04:00
mvumi.h
ncr53c8xx.c treewide: setup_timer() -> timer_setup() 2017-11-21 15:57:07 -08:00
ncr53c8xx.h
nsp32.c scsi: nsp32: fix logic bug in error handling 2017-10-16 22:38:44 -04:00
nsp32.h
nsp32_debug.c
nsp32_io.h
osst.c scsi: osst: silence underflow warning in osst_verify_frame() 2017-08-24 22:29:01 -04:00
osst.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
osst_detect.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
osst_options.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
pmcraid.c scsi: pmcraid: Use sgl_alloc_order() and sgl_free_order() 2018-02-13 21:49:15 -05:00
pmcraid.h scsi: pmcraid: Use sgl_alloc_order() and sgl_free_order() 2018-02-13 21:49:15 -05:00
ppa.c scsi: ppa: mark expected switch fall-throughs 2017-12-04 20:32:52 -05:00
ppa.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ps3rom.c
qla1280.c timer: Remove init_timer_on_stack() in favor of timer_setup_on_stack() 2017-10-05 15:01:17 +02:00
qla1280.h timer: Remove init_timer_on_stack() in favor of timer_setup_on_stack() 2017-10-05 15:01:17 +02:00
qlogicfas.c scsi: qlogicfas: move bus_reset to host_reset 2017-08-25 17:21:11 -04:00
qlogicfas408.c scsi: qlogicfas: move bus_reset to host_reset 2017-08-25 17:21:11 -04:00
qlogicfas408.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
qlogicpti.c scsi: qlogicpti: fixup qlogicpti_reset() definition 2017-08-28 22:15:46 -04:00
qlogicpti.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
raid_class.c scsi: raid_class: Add 'JBOD' RAID level 2018-02-12 11:43:25 -05:00
script_asm.pl
scsi.c scsi: core: fix two wrong indentation cases 2018-02-27 22:26:12 -05:00
scsi.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
scsi_common.c scsi: core: doc. fixes to scsi_common.c 2017-12-11 21:39:39 -05:00
scsi_debug.c SCSI for-linus on 20180404 2018-04-05 15:05:53 -07:00
scsi_debugfs.c scsi: devinfo: use const_ilog2 for array indices 2018-04-20 19:14:28 -04:00
scsi_debugfs.h
scsi_devinfo.c scsi: devinfo: BLIST_RETRY_ASC_C1 for Fujitsu ETERNUS 2018-04-20 19:14:36 -04:00
scsi_dh.c scsi: scsi_dh: replace too broad "TP9" string with the exact models 2018-04-18 19:34:08 -04:00
scsi_error.c scsi: devinfo: BLIST_RETRY_ASC_C1 for Fujitsu ETERNUS 2018-04-20 19:14:36 -04:00
scsi_ioctl.c scsi: Suppress gcc 7 fall-through warnings reported with W=1 2017-08-25 17:08:07 -04:00
scsi_lib.c scsi: core: Make scsi_result_to_blk_status() recognize CONDITION MET 2018-04-09 21:31:37 -04:00
scsi_lib_dma.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
scsi_logging.c
scsi_logging.h SCSI misc on 20171114 2017-11-14 16:23:44 -08:00
scsi_netlink.c
scsi_pm.c
scsi_priv.h scsi: dh: Remove scsi_dh_remove_device() 2017-12-07 21:13:45 -05:00
scsi_proc.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
scsi_sas_internal.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
scsi_scan.c scsi: core: Use blist_flags_t consistently 2017-12-14 22:30:24 -05:00
scsi_sysctl.c
scsi_sysfs.c scsi: devinfo: change blist_flag_t to 64bit 2018-04-20 19:14:35 -04:00
scsi_trace.c
scsi_transport_api.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
scsi_transport_fc.c scsi: scsi_transport_fc: fix typos on 64/128 GBit define names 2018-01-03 22:51:02 -05:00
scsi_transport_iscsi.c SCSI misc on 20171114 2017-11-14 16:23:44 -08:00
scsi_transport_sas.c scsi: scsi_transport_sas: don't bounce highmem pages for the smp handler 2018-05-01 23:11:15 -04:00
scsi_transport_spi.c scsi: scsi_transport_spi: make two const arrays static, shrinks object size 2018-02-15 18:20:14 -05:00
scsi_transport_srp.c Revert "scsi: make 'state' device attribute pollable" 2017-11-07 09:04:32 -08:00
scsi_typedefs.h
scsicam.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
sd.c for-4.17/block-20180402 2018-04-05 14:27:02 -07:00
sd.h scsi: sd_zbc: Change the type of the ZBC fields into u32 2018-04-19 00:00:44 -04:00
sd_dif.c
sd_zbc.c scsi: sd_zbc: Let the SCSI core handle ILLEGAL REQUEST / ASC 0x21 2018-04-19 00:00:44 -04:00
sense_codes.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ses.c scsi: ses: don't ask for diagnostic pages repeatedly during probe 2017-12-04 22:55:59 -05:00
sg.c scsi: sg: Change return type to vm_fault_t 2018-04-19 00:00:44 -04:00
sgiwd93.c scsi: drop bus reset for wd33c93-compatible boards 2017-08-25 17:21:10 -04:00
sim710.c
sni_53c710.c
sr.c sr: get/drop reference to device in revalidate and check_events 2018-04-11 11:26:09 -06:00
sr.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
sr_ioctl.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
sr_vendor.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
st.c scsi: st: Replace GFP_ATOMIC with GFP_KERNEL in new_tape_buffer 2018-04-20 19:14:37 -04:00
st.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
st_options.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
stex.c
storvsc_drv.c scsi: storvsc: Select channel based on available percentage of ring buffer to write 2018-04-20 15:38:38 -04:00
sun3_scsi.c scsi: NCR5380: Move bus reset to host reset 2017-08-25 17:21:11 -04:00
sun3_scsi_vme.c
sun3x_esp.c scsi: jazz_esp, sun3x_esp: Pass struct device pointer in dma calls 2018-03-12 22:05:43 -04:00
sun_esp.c scsi: sun_esp: fix device reference leaks 2017-06-27 21:46:55 -04:00
virtio_scsi.c scsi: virtio_scsi: unify scsi_host_template 2018-03-14 23:31:13 -04:00
vmw_pvscsi.c
vmw_pvscsi.h
wd33c93.c scsi: drop bus reset for wd33c93-compatible boards 2017-08-25 17:21:10 -04:00
wd33c93.h
wd719x.c scsi: wd719x: Use module_pci_driver 2018-05-01 23:30:12 -04:00
wd719x.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
xen-scsifront.c scsi: xen-scsifront: Remove code that zeroes driver-private command data 2017-06-12 21:02:04 -04:00
zalon.c parisc/scsi/zalon: Fix section mismatches 2017-08-22 16:34:36 +02:00
zorro7xx.c
zorro_esp.c scsi: zorro_esp: New driver for Amiga Zorro NCR53C9x boards 2018-04-19 00:00:44 -04:00