Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v3.18.62 2016-08-31T23:26:17+00:00 2016-08-31T23:26:17+00:00 Dave Carroll david.carroll@microsemi.com 2016-08-05T19:44:10+00:00 urn:sha1:30c2bbd8a7b7ff3b6849d6ce1a69d4db9e40183b [ Upstream commit fa00c437eef8dc2e7b25f8cd868cfa405fcc2bb3 ] In aacraid's ioctl_send_fib() we do two fetches from userspace, one the get the fib header's size and one for the fib itself. Later we use the size field from the second fetch to further process the fib. If for some reason the size from the second fetch is different than from the first fix, we may encounter an out-of- bounds access in aac_fib_send(). We also check the sender size to insure it is not out of bounds. This was reported in https://bugzilla.kernel.org/show_bug.cgi?id=116751 and was assigned CVE-2016-6480. Reported-by: Pengfei Wang <wpengfeinudt@gmail.com> Fixes: 7c00ffa31 '[SCSI] 2.6 aacraid: Variable FIB size (updated patch)' Cc: stable@vger.kernel.org Signed-off-by: Dave Carroll <david.carroll@microsemi.com> Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Sasha Levin <alexander.levin@verizon.com> 2016-06-03T15:30:31+00:00 Raghava Aditya Renukunta RaghavaAditya.Renukunta@microsemi.com 2016-04-26T06:31:57+00:00 urn:sha1:1f4e61daf4c53b99d72f7dd4d373dc63dd75aa05 [ Upstream commit fc4bf75ea300a5e62a2419f89dd0e22189dd7ab7 ] Typically under error conditions, it is possible for aac_command_thread() to miss the wakeup from kthread_stop() and go back to sleep, causing it to hang aac_shutdown. In the observed scenario, the adapter is not functioning correctly and so aac_fib_send() never completes (or time-outs depending on how it was called). Shortly after aac_command_thread() starts it performs aac_fib_send(SendHostTime) which hangs. When aac_probe_one /aac_get_adapter_info send time outs, kthread_stop is called which breaks the command thread out of it's hang. The code will still go back to sleep in schedule_timeout() without checking kthread_should_stop() so it causes aac_probe_one to hang until the schedule_timeout() which is 30 minutes. Fixed by: Adding another kthread_should_stop() before schedule_timeout() Cc: stable@vger.kernel.org Signed-off-by: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com> Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Sasha Levin <sasha.levin@oracle.com> 2016-06-03T15:30:30+00:00 Raghava Aditya Renukunta RaghavaAditya.Renukunta@microsemi.com 2016-04-26T06:31:26+00:00 urn:sha1:b2d6c2dc831170205c89273b93eaf2e60dead5cc [ Upstream commit 07beca2be24cc710461c0b131832524c9ee08910 ] aac_fib_send has a special function case for initial commands during driver initialization using wait < 0(pseudo sync mode). In this case, the command does not sleep but rather spins checking for timeout.This loop is calls cpu_relax() in an attempt to allow other processes/threads to use the CPU, but this function does not relinquish the CPU and so the command will hog the processor. This was observed in a KDUMP "crashkernel" and that prevented the "command thread" (which is responsible for completing the command from being timed out) from starting because it could not get the CPU. Fixed by replacing "cpu_relax()" call with "schedule()" Cc: stable@vger.kernel.org Signed-off-by: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com> Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Sasha Levin <sasha.levin@oracle.com> 2016-04-18T12:49:17+00:00 Raghava Aditya Renukunta raghavaaditya.renukunta@pmcs.com 2016-02-03T23:06:02+00:00 urn:sha1:bb403c355af83b32b7d16b988596a84d449b0762 [ Upstream commit f88fa79a61726ce9434df9b4aede36961f709f17 ] aac_fib_map_free() calls pci_free_consistent() without checking that dev->hw_fib_va is not NULL and dev->max_fib_size is not zero.If they are indeed NULL/0, this will result in a hang as pci_free_consistent() will attempt to invalidate cache for the entire 64-bit address space (which would take a very long time). Fixed by adding a check to make sure that dev->hw_fib_va and dev->max_fib_size are not NULL and 0 respectively. Fixes: 9ad5204d6 - "[SCSI]aacraid: incorrect dma mapping mask during blinked recover or user initiated reset" Cc: stable@vger.kernel.org Signed-off-by: Raghava Aditya Renukunta <raghavaaditya.renukunta@pmcs.com> Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de> Reviewed-by: Tomas Henzl <thenzl@redhat.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Sasha Levin <sasha.levin@oracle.com> 2014-09-15T23:01:58+00:00 Kashyap.Desai@avagotech.com Kashyap.Desai@avagotech.com 2014-08-20T13:54:33+00:00 urn:sha1:64bdcbc449105377dd60c8da97cfc1663b39562c Add a use_cmd_list flag in struct Scsi_Host to request keeping track of all outstanding commands per device. Default behaviour is not to keep track of cmd_list per sdev, as this may introduce lock contention. (overhead is more on multi-node NUMA.), and only enable it on the two drivers that need it. Signed-off-by: Kashyap Desai <kashyap.desai@avagotech.com> Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com> Reviewed-by: Bart Van Assche <bvanassche@acm.org> Signed-off-by: Christoph Hellwig <hch@lst.de> 2014-07-17T20:07:37+00:00 Hannes Reinecke hare@suse.de 2014-06-25T13:27:36+00:00 urn:sha1:9cb78c16f5dadefd8dc5ba0ae5a2f26cd59419b3 The SCSI standard defines 64-bit values for LUNs, and large arrays employing large or hierarchical LUN numbers become more and more common. So update the linux SCSI stack to use 64-bit LUN numbers. Signed-off-by: Hannes Reinecke <hare@suse.de> Reviewed-by: Christoph Hellwig <hch@infradead.org> Reviewed-by: Ewan Milne <emilne@redhat.com> Signed-off-by: Christoph Hellwig <hch@lst.de> 2014-03-19T22:04:44+00:00 Michael Opdenacker michael.opdenacker@free-electrons.com 2014-03-05T05:09:41+00:00 urn:sha1:4909cc2b89715c2dfd4c466a37cc08b2b3890fed It's a NOOP since 2.6.35 and it will be removed one day. [jejb: remove from missed arm scsi drivers] Signed-off-by: Michael Opdenacker <michael.opdenacker@free-electrons.com> Signed-off-by: James Bottomley <JBottomley@Parallels.com> 2014-03-15T17:19:00+00:00 Mahesh Rajashekhara Mahesh.Rajashekhara@pmcs.com 2014-01-13T08:20:30+00:00 urn:sha1:6e40e5f021d9f322342f3757d092431ed8c6b6d8 This patch fixes kernel panic issue while booting into the kdump kernel. We have triggered crash and kdump vmcore was successful. No issues seen while booting into the OS. Signed-off-by: Mahesh Rajashekhara <Mahesh.Rajashekhara@pmcs.com> Reviewed-by: Tomas Henzl <thenzl@redhat.com> Signed-off-by: James Bottomley <JBottomley@Parallels.com> 2013-11-29T04:48:39+00:00 Martin K. Petersen martin.petersen@oracle.com 2013-10-23T10:25:40+00:00 urn:sha1:54b2b50c20a61b51199bedb6e5d2f8ec2568fb43 Some host adapters do not pass commands through to the target disk directly. Instead they provide an emulated target which may or may not accurately report its capabilities. In some cases the physical device characteristics are reported even when the host adapter is processing commands on the device's behalf. This can lead to adapter firmware hangs or excessive I/O errors. This patch disables WRITE SAME for devices connected to host adapters that provide an emulated target. Driver writers can disable WRITE SAME by setting the no_write_same flag in the host adapter template. [jejb: fix up rejections due to eh_deadline patch] Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Cc: stable@kernel.org Signed-off-by: James Bottomley <JBottomley@Parallels.com> 2013-11-20T00:27:39+00:00 Mahesh Rajashekhara Mahesh.Rajashekhara@pmcs.com 2013-10-31T08:31:02+00:00 urn:sha1:b4789b8e6be3151a955ade74872822f30e8cd914 It appears that driver runs into a problem here if fibsize is too small because we allocate user_srbcmd with fibsize size only but later we access it until user_srbcmd->sg.count to copy it over to srbcmd. It is not correct to test (fibsize < sizeof(*user_srbcmd)) because this structure already includes one sg element and this is not needed for commands without data. So, we would recommend to add the following (instead of test for fibsize == 0). Signed-off-by: Mahesh Rajashekhara <Mahesh.Rajashekhara@pmcs.com> Reported-by: Nico Golde <nico@ngolde.de> Reported-by: Fabian Yamaguchi <fabs@goesec.de> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>