Message-ID: <6e77e31acee95ebcba03c54dc1b34173cbaf831e.camel@HansenPartnership.com>
Date: Sat, 11 Oct 2025 10:47:02 -0400
From: James Bottomley <James.Bottomley@...senPartnership.com>
To: Andrew Morton <akpm@...ux-foundation.org>, Linus Torvalds
	 <torvalds@...ux-foundation.org>
Cc: linux-scsi <linux-scsi@...r.kernel.org>, linux-kernel
	 <linux-kernel@...r.kernel.org>
Subject: [GIT PULL] SCSI fixes for the 6.17+ merge window

Fixes only in drivers (ufs, mvsas, qla2xxx, target) that came in just
before or during the merge window.  The most important one is the
qla2xxx revert: it backs out a conversion, made to fix flexible array
member warnings, that went up in this merge window but turned out on
further testing to be causing data corruption.

The patch is available here:

git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git scsi-misc

The short changelog is:

Daniel Lee (1):
      scsi: ufs: sysfs: Make HID attributes visible

Duoming Zhou (1):
      scsi: mvsas: Fix use-after-free bugs in mvs_work_queue

Hoyoung Seo (1):
      scsi: ufs: core: Include UTP error in INT_FATAL_ERRORS

John Meneghini (1):
      Revert "scsi: qla2xxx: Fix memcpy() field-spanning write issue"

Marek Szyprowski (1):
      scsi: ufs: core: Fix PM QoS mutex initialization

Peter Wang (1):
      scsi: ufs: core: Fix runtime suspend error deadlock

Wang Haoran (1):
      scsi: target: target_core_configfs: Add length check to avoid buffer overflow

And the diffstat:

 drivers/scsi/mvsas/mv_init.c          |  2 +-
 drivers/scsi/qla2xxx/qla_def.h        | 10 ++++------
 drivers/scsi/qla2xxx/qla_isr.c        | 17 +++++++++--------
 drivers/scsi/qla2xxx/qla_nvme.c       |  2 +-
 drivers/scsi/qla2xxx/qla_os.c         |  5 ++---
 drivers/target/target_core_configfs.c |  2 +-
 drivers/ufs/core/ufs-sysfs.c          |  2 +-
 drivers/ufs/core/ufs-sysfs.h          |  1 +
 drivers/ufs/core/ufshcd.c             | 16 +++++++++++++---
 include/ufs/ufshci.h                  |  4 +++-
 10 files changed, 36 insertions(+), 25 deletions(-)

with full diff below.

Regards,

James

---

diff --git a/drivers/scsi/mvsas/mv_init.c b/drivers/scsi/mvsas/mv_init.c
index 2c72da6b8cf0..7f1ad305eee6 100644
--- a/drivers/scsi/mvsas/mv_init.c
+++ b/drivers/scsi/mvsas/mv_init.c
@@ -124,7 +124,7 @@ static void mvs_free(struct mvs_info *mvi)
 	if (mvi->shost)
 		scsi_host_put(mvi->shost);
 	list_for_each_entry(mwq, &mvi->wq_list, entry)
-		cancel_delayed_work(&mwq->work_q);
+		cancel_delayed_work_sync(&mwq->work_q);
 	kfree(mvi->rsvd_tags);
 	kfree(mvi);
 }
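Review bot: Waiting on each work item inside `list_for_each_entry()` is only safe if the work handler never unlinks or frees its own `mwq`. The handler is not visible in this hunk; if it does free the entry, the iterator reads `mwq->entry.next` from released memory as soon as `cancel_delayed_work_sync()` returns, and an entry whose work was cancelled before running would never be freed. The teardown loop should either not touch an entry after waiting on it and free cancelled entries itself, or carry a comment saying why plain iteration is sufficient. Since `cancel_delayed_work_sync()` can sleep, a comment such as `/* may sleep: mvs_free() must run in process context */` would also help callers. mvs_free() begins outside the hunk.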
diff --git a/drivers/scsi/qla2xxx/qla_def.h b/drivers/scsi/qla2xxx/qla_def.h
index 604e66bead1e..cb95b7b12051 100644
--- a/drivers/scsi/qla2xxx/qla_def.h
+++ b/drivers/scsi/qla2xxx/qla_def.h
@@ -4890,7 +4890,9 @@ struct purex_item {
 			     struct purex_item *pkt);
 	atomic_t in_use;
 	uint16_t size;
-	uint8_t iocb[] __counted_by(size);
+	struct {
+		uint8_t iocb[64];
+	} iocb;
 };
 
 #include "qla_edif.h"
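Review bot: The inline payload is sized with a bare `64`, while the allocation and copy paths in qla_isr.c work with `QLA_DEFAULT_PAYLOAD_SIZE` and `sizeof(item->iocb)`, and nothing visible ties the two values together. If they ever diverge, the `item_hdr_size + (size - QLA_DEFAULT_PAYLOAD_SIZE)` allocation in qla24xx_alloc_purex_item() is mis-sized, and the `memcpy(&item->iocb, pkt, sizeof(item->iocb))` in qla24xx_copy_std_pkt() copies a different length than the one requested from the allocator. Declare the member as `uint8_t iocb[QLA_DEFAULT_PAYLOAD_SIZE];` if the macro is defined ahead of this struct, or add `static_assert(sizeof_field(struct purex_item, iocb) == QLA_DEFAULT_PAYLOAD_SIZE);` next to it. A short comment that payloads larger than the inline array run past the end of the struct would also explain why `size` may exceed 64.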
@@ -5099,6 +5101,7 @@ typedef struct scsi_qla_host {
 		struct list_head head;
 		spinlock_t lock;
 	} purex_list;
+	struct purex_item default_item;
 
 	struct name_list_extended gnl;
 	/* Count of active session/fcport */
@@ -5127,11 +5130,6 @@ typedef struct scsi_qla_host {
 #define DPORT_DIAG_IN_PROGRESS                 BIT_0
 #define DPORT_DIAG_CHIP_RESET_IN_PROGRESS      BIT_1
 	uint16_t dport_status;
-
-	/* Must be last --ends in a flexible-array member. */
-	TRAILING_OVERLAP(struct purex_item, default_item, iocb,
-		uint8_t __default_item_iocb[QLA_DEFAULT_PAYLOAD_SIZE];
-	);
 } scsi_qla_host_t;
 
 struct qla27xx_image_status {
diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c
index 4559b490614d..c4c6b5c6658c 100644
--- a/drivers/scsi/qla2xxx/qla_isr.c
+++ b/drivers/scsi/qla2xxx/qla_isr.c
@@ -1077,17 +1077,17 @@ static struct purex_item *
 qla24xx_alloc_purex_item(scsi_qla_host_t *vha, uint16_t size)
 {
 	struct purex_item *item = NULL;
+	uint8_t item_hdr_size = sizeof(*item);
 
 	if (size > QLA_DEFAULT_PAYLOAD_SIZE) {
-		item = kzalloc(struct_size(item, iocb, size), GFP_ATOMIC);
+		item = kzalloc(item_hdr_size +
+		    (size - QLA_DEFAULT_PAYLOAD_SIZE), GFP_ATOMIC);
 	} else {
 		if (atomic_inc_return(&vha->default_item.in_use) == 1) {
 			item = &vha->default_item;
 			goto initialize_purex_header;
 		} else {
-			item = kzalloc(
-				struct_size(item, iocb, QLA_DEFAULT_PAYLOAD_SIZE),
-				GFP_ATOMIC);
+			item = kzalloc(item_hdr_size, GFP_ATOMIC);
 		}
 	}
 	if (!item) {
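Review bot: `uint8_t item_hdr_size = sizeof(*item);` narrows a `size_t` to eight bits. If `struct purex_item`, which now embeds the 64-byte `iocb` array, ever reaches 256 bytes, the value wraps silently and both `kzalloc()` calls allocate less than the struct itself, so later header and payload writes land outside the allocation. Use `size_t item_hdr_size = sizeof(*item);`. The name is also misleading, because the value includes the inline payload and not only the header; `item_base_size`, or a comment saying so, would make the `size - QLA_DEFAULT_PAYLOAD_SIZE` arithmetic easier to audit. The function body continues past the end of the hunk.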
@@ -1127,16 +1127,17 @@ qla24xx_queue_purex_item(scsi_qla_host_t *vha, struct purex_item *pkt,
  * @vha: SCSI driver HA context
  * @pkt: ELS packet
  */
-static struct purex_item *
-qla24xx_copy_std_pkt(struct scsi_qla_host *vha, void *pkt)
+static struct purex_item
+*qla24xx_copy_std_pkt(struct scsi_qla_host *vha, void *pkt)
 {
 	struct purex_item *item;
 
-	item = qla24xx_alloc_purex_item(vha, QLA_DEFAULT_PAYLOAD_SIZE);
+	item = qla24xx_alloc_purex_item(vha,
+					QLA_DEFAULT_PAYLOAD_SIZE);
 	if (!item)
 		return item;
 
-	memcpy(&item->iocb, pkt, QLA_DEFAULT_PAYLOAD_SIZE);
+	memcpy(&item->iocb, pkt, sizeof(item->iocb));
 	return item;
 }
 
diff --git a/drivers/scsi/qla2xxx/qla_nvme.c b/drivers/scsi/qla2xxx/qla_nvme.c
index 065f9bcca26f..316594aa40cc 100644
--- a/drivers/scsi/qla2xxx/qla_nvme.c
+++ b/drivers/scsi/qla2xxx/qla_nvme.c
@@ -1308,7 +1308,7 @@ void qla2xxx_process_purls_iocb(void **pkt, struct rsp_que **rsp)
 
 	ql_dbg(ql_dbg_unsol, vha, 0x2121,
 	       "PURLS OP[%01x] size %d xchg addr 0x%x portid %06x\n",
-	       item->iocb[3], item->size, uctx->exchange_address,
+	       item->iocb.iocb[3], item->size, uctx->exchange_address,
 	       fcport->d_id.b24);
 	/* +48    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
 	 * ----- -----------------------------------------------
diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
index 98a5c105fdfd..9a2f328200ab 100644
--- a/drivers/scsi/qla2xxx/qla_os.c
+++ b/drivers/scsi/qla2xxx/qla_os.c
@@ -6459,10 +6459,9 @@ void qla24xx_process_purex_rdp(struct scsi_qla_host *vha,
 void
 qla24xx_free_purex_item(struct purex_item *item)
 {
-	if (item == &item->vha->default_item) {
+	if (item == &item->vha->default_item)
 		memset(&item->vha->default_item, 0, sizeof(struct purex_item));
-		memset(&item->vha->__default_item_iocb, 0, QLA_DEFAULT_PAYLOAD_SIZE);
-	} else
+	else
 		kfree(item);
 }
 
diff --git a/drivers/target/target_core_configfs.c b/drivers/target/target_core_configfs.c
index 0904ecae253a..b19acd662726 100644
--- a/drivers/target/target_core_configfs.c
+++ b/drivers/target/target_core_configfs.c
@@ -2774,7 +2774,7 @@ static ssize_t target_lu_gp_members_show(struct config_item *item, char *page)
 			config_item_name(&dev->dev_group.cg_item));
 		cur_len++; /* Extra byte for NULL terminator */
 
-		if ((cur_len + len) > PAGE_SIZE) {
+		if ((cur_len + len) > PAGE_SIZE || cur_len > LU_GROUP_NAME_BUF) {
 			pr_warn("Ran out of lu_gp_show_attr"
 				"_members buffer\n");
 			break;
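Review bot: The added `cur_len > LU_GROUP_NAME_BUF` test has no comment saying that it protects the copy out of the temporary name buffer, and it shares the "Ran out of ... buffer" warning and the `break` with the page-full case. `cur_len` is presumably the return value of an snprintf() whose call begins above the hunk, which reports the untruncated length; a comment such as `/* snprintf() returns the would-be length; reject names that did not fit in buf */` would record why the comparison is needed. Because the branch breaks out of the loop, one over-long device name hides every later member from the listing, and the log line points at the wrong buffer; a separate message for this case would make the condition diagnosable. The loop and the copy that follows are outside the hunk.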
diff --git a/drivers/ufs/core/ufs-sysfs.c b/drivers/ufs/core/ufs-sysfs.c
index 0086816b27cd..c040afc6668e 100644
--- a/drivers/ufs/core/ufs-sysfs.c
+++ b/drivers/ufs/core/ufs-sysfs.c
@@ -1949,7 +1949,7 @@ static umode_t ufs_sysfs_hid_is_visible(struct kobject *kobj,
 	return	hba->dev_info.hid_sup ? attr->mode : 0;
 }
 
-static const struct attribute_group ufs_sysfs_hid_group = {
+const struct attribute_group ufs_sysfs_hid_group = {
 	.name = "hid",
 	.attrs = ufs_sysfs_hid,
 	.is_visible = ufs_sysfs_hid_is_visible,
diff --git a/drivers/ufs/core/ufs-sysfs.h b/drivers/ufs/core/ufs-sysfs.h
index 8d94af3b8077..6efb82a082fd 100644
--- a/drivers/ufs/core/ufs-sysfs.h
+++ b/drivers/ufs/core/ufs-sysfs.h
@@ -14,5 +14,6 @@ void ufs_sysfs_remove_nodes(struct device *dev);
 
 extern const struct attribute_group ufs_sysfs_unit_descriptor_group;
 extern const struct attribute_group ufs_sysfs_lun_attributes_group;
+extern const struct attribute_group ufs_sysfs_hid_group;
 
 #endif
diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
index b2e103aa4e62..127b691402f9 100644
--- a/drivers/ufs/core/ufshcd.c
+++ b/drivers/ufs/core/ufshcd.c
@@ -6673,6 +6673,14 @@ static void ufshcd_err_handler(struct work_struct *work)
 	}
 	spin_unlock_irqrestore(hba->host->host_lock, flags);
 
+	ufshcd_rpm_get_noresume(hba);
+	if (hba->pm_op_in_progress) {
+		ufshcd_link_recovery(hba);
+		ufshcd_rpm_put(hba);
+		return;
+	}
+	ufshcd_rpm_put(hba);
+
 	ufshcd_err_handling_prepare(hba);
 
 	spin_lock_irqsave(hba->host->host_lock, flags);
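Review bot: The new `return` in the `hba->pm_op_in_progress` branch leaves ufshcd_err_handler() before the cleanup that the normal path performs, and only the runtime-PM reference is dropped on that path. The context lines just above the addition look like the tail of an earlier early-exit block; if the handler took a semaphore or changed `hba->ufshcd_state` before this point (the start of the function is outside the hunk), this path has to undo the same things, otherwise later error-handler runs or other takers of that lock can block indefinitely. The return value of `ufshcd_link_recovery(hba)` is discarded, so a failed recovery goes unreported here. `hba->pm_op_in_progress` is read after `host_lock` has been released, and a comment stating what keeps it stable between the check and the recovery call would help.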
@@ -8472,6 +8480,8 @@ static int ufs_get_device_desc(struct ufs_hba *hba)
 				DEVICE_DESC_PARAM_EXT_UFS_FEATURE_SUP) &
 				UFS_DEV_HID_SUPPORT;
 
+	sysfs_update_group(&hba->dev->kobj, &ufs_sysfs_hid_group);
+
 	model_index = desc_buf[DEVICE_DESC_PARAM_PRDCT_NAME];
 
 	err = ufshcd_read_string_desc(hba, model_index,
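Review bot: The result of `sysfs_update_group()` is dropped, so a failure leaves the hid attributes hidden with nothing in the log. Something like `if (sysfs_update_group(&hba->dev->kobj, &ufs_sysfs_hid_group)) dev_warn(hba->dev, "failed to update hid sysfs group\n");` keeps the call best-effort while making it diagnosable. The call also relies on the group already being registered on this kobject when ufs_get_device_desc() runs, which is not visible here; a one-line comment that visibility is re-evaluated because HID support is only known after the descriptor read would document the ordering. ufs_get_device_desc() starts and ends outside the hunk.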
@@ -10661,6 +10671,9 @@ int ufshcd_init(struct ufs_hba *hba, void __iomem *mmio_base, unsigned int irq)
 	 */
 	spin_lock_init(&hba->clk_gating.lock);
 
+	/* Initialize mutex for PM QoS request synchronization */
+	mutex_init(&hba->pm_qos_mutex);
+
 	/*
 	 * Set the default power management level for runtime and system PM.
 	 * Host controller drivers can override them in their
@@ -10749,9 +10762,6 @@ int ufshcd_init(struct ufs_hba *hba, void __iomem *mmio_base, unsigned int irq)
 
 	mutex_init(&hba->wb_mutex);
 
-	/* Initialize mutex for PM QoS request synchronization */
-	mutex_init(&hba->pm_qos_mutex);
-
 	init_rwsem(&hba->clk_scaling_lock);
 
 	ufshcd_init_clk_gating(hba);
diff --git a/include/ufs/ufshci.h b/include/ufs/ufshci.h
index 612500a7088f..e64b70132101 100644
--- a/include/ufs/ufshci.h
+++ b/include/ufs/ufshci.h
@@ -180,6 +180,7 @@ static inline u32 ufshci_version(u32 major, u32 minor)
 #define UTP_TASK_REQ_COMPL			0x200
 #define UIC_COMMAND_COMPL			0x400
 #define DEVICE_FATAL_ERROR			0x800
+#define UTP_ERROR				0x1000
 #define CONTROLLER_FATAL_ERROR			0x10000
 #define SYSTEM_BUS_FATAL_ERROR			0x20000
 #define CRYPTO_ENGINE_FATAL_ERROR		0x40000
@@ -199,7 +200,8 @@ static inline u32 ufshci_version(u32 major, u32 minor)
 				CONTROLLER_FATAL_ERROR |\
 				SYSTEM_BUS_FATAL_ERROR |\
 				CRYPTO_ENGINE_FATAL_ERROR |\
-				UIC_LINK_LOST)
+				UIC_LINK_LOST |\
+				UTP_ERROR)
 
 /* HCS - Host Controller Status 30h */
 #define DEVICE_PRESENT				0x1

