SCSI fixes on 20160819

Six fairly small fixes.  The ipr, mpt3sas and ses ones all trigger
 oopses.  The megaraid one fixes an attach failure on io mapped only
 cards, the fcoe one is an obvious problem in the error path and the
 aacraid one is a theoretical security issue (ability to trick the
 kernel into a buffer overrun).
 
 Signed-off-by: James E. J. Bottomley <jejb@linux.vnet.ibm.com>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABAgAGBQJXtxopAAoJEAVr7HOZEZN4N60P/2VTZ9bdiqYhn8Tvk9CJMrOe
 gdy+jD8WrurYwKpCJt/KKcotwj6AYu15nYV4t3pCTMfMgPmmLqRNQvL5hQDdlWX6
 RV3ExInIUBVy4sOQXNQXRxFXO2egGM++TqDt8aoezJ5GURo7kW+kcWtAgh/YkWMJ
 AnuLzn5tUQt1nTixjmpnEGz3Omdm64+kXeR85PDg+eE+uOvJmb2784Fwox30r/pt
 /Av3Q8z+2oorkUIZ6Vru1gSSaSD37qJA4nOu3DXfbb6pg+LqM8MDF7cWvXo4oFiB
 Vq3HqRvsJELBBvIwXo69w9EAc3ZXooM3v1bKIlGARB/caZcG21/3WcOesPvubfPs
 ligbAhMzF6XTCOyRQyde/N9kFfJmYVnbfJtUWCWoO1l1OjtSOK6uOobXOKMUuXcn
 qKR/aEYffNdDWiErmuwijqHconQaOoKDY0iYqsodzbw9sgy2UpNASeyGfh66aWZT
 VlU+msUdwZr8Ag37H9Vz06omxduptRZ+Ar4CvKoJ0rmOZUHPZ1UyDHx3XRf4ijwr
 RtnxV4jNPYfSndcIjl1jwcgYsSELbWr5kZwoZDx4EiYYGb80LbNrur3iaTLnmY0n
 kZdXlCjKLYo81lk0O5EXBpxrW+KB9TSVPYC4JD4xlSB4pEPmsjrr2LKHxelRr5pz
 tlbdNIaUCXM6TwKOfE7v
 =rA0D
 -----END PGP SIGNATURE-----

Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

Pull SCSI fixes from James Bottomley:
 "Six fairly small fixes.  The ipr, mpt3sas and ses ones all trigger
  oopses.  The megaraid one fixes an attach failure on io mapped only
  cards, the fcoe one is an obvious problem in the error path and the
  aacraid one is a theoretical security issue (ability to trick the
  kernel into a buffer overrun)"

* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
  ses: Fix racy cleanup of /sys in remove_dev()
  mpt3sas: Fix resume on WarpDrive flash cards
  ipr: Fix sync scsi scan
  megaraid_sas: Fix probing cards without io port
  aacraid: Check size values after double-fetch from user
  fcoe: Use kfree_skb() instead of kfree()
This commit is contained in:
Linus Torvalds 2016-08-19 09:22:50 -07:00
commit b284879281
6 changed files with 29 additions and 19 deletions

View File

@ -63,7 +63,7 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
struct fib *fibptr; struct fib *fibptr;
struct hw_fib * hw_fib = (struct hw_fib *)0; struct hw_fib * hw_fib = (struct hw_fib *)0;
dma_addr_t hw_fib_pa = (dma_addr_t)0LL; dma_addr_t hw_fib_pa = (dma_addr_t)0LL;
unsigned size; unsigned int size, osize;
int retval; int retval;
if (dev->in_reset) { if (dev->in_reset) {
@ -87,7 +87,8 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
* will not overrun the buffer when we copy the memory. Return * will not overrun the buffer when we copy the memory. Return
* an error if we would. * an error if we would.
*/ */
size = le16_to_cpu(kfib->header.Size) + sizeof(struct aac_fibhdr); osize = size = le16_to_cpu(kfib->header.Size) +
sizeof(struct aac_fibhdr);
if (size < le16_to_cpu(kfib->header.SenderSize)) if (size < le16_to_cpu(kfib->header.SenderSize))
size = le16_to_cpu(kfib->header.SenderSize); size = le16_to_cpu(kfib->header.SenderSize);
if (size > dev->max_fib_size) { if (size > dev->max_fib_size) {
@ -118,6 +119,14 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
goto cleanup; goto cleanup;
} }
/* Sanity check the second copy */
if ((osize != le16_to_cpu(kfib->header.Size) +
sizeof(struct aac_fibhdr))
|| (size < le16_to_cpu(kfib->header.SenderSize))) {
retval = -EINVAL;
goto cleanup;
}
if (kfib->header.Command == cpu_to_le16(TakeABreakPt)) { if (kfib->header.Command == cpu_to_le16(TakeABreakPt)) {
aac_adapter_interrupt(dev); aac_adapter_interrupt(dev);
/* /*

View File

@ -2923,7 +2923,7 @@ static int fcoe_ctlr_vlan_recv(struct fcoe_ctlr *fip, struct sk_buff *skb)
mutex_unlock(&fip->ctlr_mutex); mutex_unlock(&fip->ctlr_mutex);
drop: drop:
kfree(skb); kfree_skb(skb);
return rc; return rc;
} }

View File

@ -5037,7 +5037,7 @@ static int megasas_init_fw(struct megasas_instance *instance)
/* Find first memory bar */ /* Find first memory bar */
bar_list = pci_select_bars(instance->pdev, IORESOURCE_MEM); bar_list = pci_select_bars(instance->pdev, IORESOURCE_MEM);
instance->bar = find_first_bit(&bar_list, sizeof(unsigned long)); instance->bar = find_first_bit(&bar_list, sizeof(unsigned long));
if (pci_request_selected_regions(instance->pdev, instance->bar, if (pci_request_selected_regions(instance->pdev, 1<<instance->bar,
"megasas: LSI")) { "megasas: LSI")) {
dev_printk(KERN_DEBUG, &instance->pdev->dev, "IO memory region busy!\n"); dev_printk(KERN_DEBUG, &instance->pdev->dev, "IO memory region busy!\n");
return -EBUSY; return -EBUSY;
@ -5339,7 +5339,7 @@ fail_ready_state:
iounmap(instance->reg_set); iounmap(instance->reg_set);
fail_ioremap: fail_ioremap:
pci_release_selected_regions(instance->pdev, instance->bar); pci_release_selected_regions(instance->pdev, 1<<instance->bar);
return -EINVAL; return -EINVAL;
} }
@ -5360,7 +5360,7 @@ static void megasas_release_mfi(struct megasas_instance *instance)
iounmap(instance->reg_set); iounmap(instance->reg_set);
pci_release_selected_regions(instance->pdev, instance->bar); pci_release_selected_regions(instance->pdev, 1<<instance->bar);
} }
/** /**

View File

@ -2603,7 +2603,7 @@ megasas_release_fusion(struct megasas_instance *instance)
iounmap(instance->reg_set); iounmap(instance->reg_set);
pci_release_selected_regions(instance->pdev, instance->bar); pci_release_selected_regions(instance->pdev, 1<<instance->bar);
} }
/** /**

View File

@ -2188,6 +2188,17 @@ mpt3sas_base_map_resources(struct MPT3SAS_ADAPTER *ioc)
} else } else
ioc->msix96_vector = 0; ioc->msix96_vector = 0;
if (ioc->is_warpdrive) {
ioc->reply_post_host_index[0] = (resource_size_t __iomem *)
&ioc->chip->ReplyPostHostIndex;
for (i = 1; i < ioc->cpu_msix_table_sz; i++)
ioc->reply_post_host_index[i] =
(resource_size_t __iomem *)
((u8 __iomem *)&ioc->chip->Doorbell + (0x4000 + ((i - 1)
* 4)));
}
list_for_each_entry(reply_q, &ioc->reply_queue_list, list) list_for_each_entry(reply_q, &ioc->reply_queue_list, list)
pr_info(MPT3SAS_FMT "%s: IRQ %d\n", pr_info(MPT3SAS_FMT "%s: IRQ %d\n",
reply_q->name, ((ioc->msix_enable) ? "PCI-MSI-X enabled" : reply_q->name, ((ioc->msix_enable) ? "PCI-MSI-X enabled" :
@ -5280,17 +5291,6 @@ mpt3sas_base_attach(struct MPT3SAS_ADAPTER *ioc)
if (r) if (r)
goto out_free_resources; goto out_free_resources;
if (ioc->is_warpdrive) {
ioc->reply_post_host_index[0] = (resource_size_t __iomem *)
&ioc->chip->ReplyPostHostIndex;
for (i = 1; i < ioc->cpu_msix_table_sz; i++)
ioc->reply_post_host_index[i] =
(resource_size_t __iomem *)
((u8 __iomem *)&ioc->chip->Doorbell + (0x4000 + ((i - 1)
* 4)));
}
pci_set_drvdata(ioc->pdev, ioc->shost); pci_set_drvdata(ioc->pdev, ioc->shost);
r = _base_get_ioc_facts(ioc, CAN_SLEEP); r = _base_get_ioc_facts(ioc, CAN_SLEEP);
if (r) if (r)

View File

@ -778,6 +778,8 @@ static void ses_intf_remove_enclosure(struct scsi_device *sdev)
if (!edev) if (!edev)
return; return;
enclosure_unregister(edev);
ses_dev = edev->scratch; ses_dev = edev->scratch;
edev->scratch = NULL; edev->scratch = NULL;
@ -789,7 +791,6 @@ static void ses_intf_remove_enclosure(struct scsi_device *sdev)
kfree(edev->component[0].scratch); kfree(edev->component[0].scratch);
put_device(&edev->edev); put_device(&edev->edev);
enclosure_unregister(edev);
} }
static void ses_intf_remove(struct device *cdev, static void ses_intf_remove(struct device *cdev,