Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v5.10.257 2025-08-28T14:22:44+00:00 2025-08-28T14:22:44+00:00 jackysliu 1972843537@qq.com 2025-06-24T11:58:24+00:00 urn:sha1:9337c2affbaebe00b75fdf84ea0e2fcf93c140af [ Upstream commit add4c4850363d7c1b72e8fce9ccb21fdd2cf5dc9 ] When the bfad_im_probe() function fails during initialization, the memory pointed to by bfad->im is freed without setting bfad->im to NULL. Subsequently, during driver uninstallation, when the state machine enters the bfad_sm_stopping state and calls the bfad_im_probe_undo() function, it attempts to free the memory pointed to by bfad->im again, thereby triggering a double-free vulnerability. Set bfad->im to NULL if probing fails. Signed-off-by: jackysliu <1972843537@qq.com> Link: https://lore.kernel.org/r/tencent_3BB950D6D2D470976F55FC879206DE0B9A09@qq.com Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2024-12-14T18:47:58+00:00 Ye Bin yebin10@huawei.com 2024-10-23T01:18:09+00:00 urn:sha1:ef2c2580189ea88a0dcaf56eb3a565763a900edb [ Upstream commit 178b8f38932d635e90f5f0e9af1986c6f4a89271 ] BUG: KASAN: slab-use-after-free in __lock_acquire+0x2aca/0x3a20 Read of size 8 at addr ffff8881082d80c8 by task modprobe/25303 Call Trace: <TASK> dump_stack_lvl+0x95/0xe0 print_report+0xcb/0x620 kasan_report+0xbd/0xf0 __lock_acquire+0x2aca/0x3a20 lock_acquire+0x19b/0x520 _raw_spin_lock+0x2b/0x40 attribute_container_unregister+0x30/0x160 fc_release_transport+0x19/0x90 [scsi_transport_fc] bfad_im_module_exit+0x23/0x60 [bfa] bfad_init+0xdb/0xff0 [bfa] do_one_initcall+0xdc/0x550 do_init_module+0x22d/0x6b0 load_module+0x4e96/0x5ff0 init_module_from_file+0xcd/0x130 idempotent_init_module+0x330/0x620 __x64_sys_finit_module+0xb3/0x110 do_syscall_64+0xc1/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> Allocated by task 25303: kasan_save_stack+0x24/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x7f/0x90 fc_attach_transport+0x4f/0x4740 [scsi_transport_fc] bfad_im_module_init+0x17/0x80 [bfa] bfad_init+0x23/0xff0 [bfa] do_one_initcall+0xdc/0x550 do_init_module+0x22d/0x6b0 load_module+0x4e96/0x5ff0 init_module_from_file+0xcd/0x130 idempotent_init_module+0x330/0x620 __x64_sys_finit_module+0xb3/0x110 do_syscall_64+0xc1/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 25303: kasan_save_stack+0x24/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x38/0x50 kfree+0x212/0x480 bfad_im_module_init+0x7e/0x80 [bfa] bfad_init+0x23/0xff0 [bfa] do_one_initcall+0xdc/0x550 do_init_module+0x22d/0x6b0 load_module+0x4e96/0x5ff0 init_module_from_file+0xcd/0x130 idempotent_init_module+0x330/0x620 __x64_sys_finit_module+0xb3/0x110 do_syscall_64+0xc1/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Above issue happens as follows: bfad_init error = bfad_im_module_init() fc_release_transport(bfad_im_scsi_transport_template); if (error) goto ext; ext: bfad_im_module_exit(); fc_release_transport(bfad_im_scsi_transport_template); --> Trigger double release Don't call bfad_im_module_exit() if bfad_im_module_init() failed. Fixes: 7725ccfda597 ("[SCSI] bfa: Brocade BFA FC SCSI driver") Signed-off-by: Ye Bin <yebin10@huawei.com> Link: https://lore.kernel.org/r/20241023011809.63466-1-yebin@huaweicloud.com Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2024-06-16T11:32:08+00:00 Bui Quang Minh minhquangbui99@gmail.com 2024-04-24T14:44:20+00:00 urn:sha1:00b425ff0891283207d7bad607a2412225274d7a [ Upstream commit 13d0cecb4626fae67c00c84d3c7851f6b62f7df3 ] Currently, we allocate a nbytes-sized kernel buffer and copy nbytes from userspace to that buffer. Later, we use sscanf on this buffer but we don't ensure that the string is terminated inside the buffer, this can lead to OOB read when using sscanf. Fix this issue by using memdup_user_nul instead of memdup_user. Fixes: 9f30b674759b ("bfa: replace 2 kzalloc/copy_from_user by memdup_user") Signed-off-by: Bui Quang Minh <minhquangbui99@gmail.com> Link: https://lore.kernel.org/r/20240424-fix-oob-read-v2-3-f1f1b53a10f4@gmail.com Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2024-03-26T22:22:01+00:00 Arnd Bergmann arnd@arndb.de 2024-02-22T12:44:06+00:00 urn:sha1:a2b74f35eea3139228fa6a05f08bc54725910a7a [ Upstream commit b69600231f751304db914c63b937f7098ed2895c ] Some callback functions used here take a boolean argument, others take a status argument. This breaks KCFI type checking, so clang now warns about the function pointer cast: drivers/scsi/bfa/bfad_bsg.c:2138:29: error: cast from 'void (*)(void *, enum bfa_status)' to 'bfa_cb_cbfn_t' (aka 'void (*)(void *, enum bfa_boolean)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] Assuming the code is actually correct here and the callers always match the argument types of the callee, rework this to replace the explicit cast with a union of the two pointer types. This does not change the behavior of the code, so if something is actually broken here, a larger rework may be necessary. Fixes: 37ea0558b87a ("[SCSI] bfa: Added support to collect and reset fcport stats") Fixes: 3ec4f2c8bff2 ("[SCSI] bfa: Added support to configure QOS and collect stats.") Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Arnd Bergmann <arnd@arndb.de> Link: https://lore.kernel.org/r/20240222124433.2046570-1-arnd@kernel.org Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2022-04-13T19:00:55+00:00 Yang Guang yang.guang5@zte.com.cn 2022-01-27T00:03:46+00:00 urn:sha1:de9505936c47df0c1cbee112a48c883322135b54 [ Upstream commit 2245ea91fd3a04cafbe2f54911432a8657528c3b ] coccinelle report: ./drivers/scsi/bfa/bfad_attr.c:908:8-16: WARNING: use scnprintf or sprintf ./drivers/scsi/bfa/bfad_attr.c:860:8-16: WARNING: use scnprintf or sprintf ./drivers/scsi/bfa/bfad_attr.c:888:8-16: WARNING: use scnprintf or sprintf ./drivers/scsi/bfa/bfad_attr.c:853:8-16: WARNING: use scnprintf or sprintf ./drivers/scsi/bfa/bfad_attr.c:808:8-16: WARNING: use scnprintf or sprintf ./drivers/scsi/bfa/bfad_attr.c:728:8-16: WARNING: use scnprintf or sprintf ./drivers/scsi/bfa/bfad_attr.c:822:8-16: WARNING: use scnprintf or sprintf ./drivers/scsi/bfa/bfad_attr.c:927:9-17: WARNING: use scnprintf or sprintf ./drivers/scsi/bfa/bfad_attr.c:900:8-16: WARNING: use scnprintf or sprintf ./drivers/scsi/bfa/bfad_attr.c:874:8-16: WARNING: use scnprintf or sprintf ./drivers/scsi/bfa/bfad_attr.c:714:8-16: WARNING: use scnprintf or sprintf ./drivers/scsi/bfa/bfad_attr.c:839:8-16: WARNING: use scnprintf or sprintf Use sysfs_emit() instead of scnprintf() or sprintf(). Link: https://lore.kernel.org/r/def83ff75faec64ba592b867a8499b1367bae303.1643181468.git.yang.guang5@zte.com.cn Reported-by: Zeal Robot <zealci@zte.com.cn> Signed-off-by: Yang Guang <yang.guang5@zte.com.cn> Signed-off-by: David Yang <davidcomponentone@gmail.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2020-10-23T23:19:02+00:00 Linus Torvalds torvalds@linux-foundation.org 2020-10-23T23:19:02+00:00 urn:sha1:af995383eb653f875c4e4e2349d5b0b4ba839eaa Pull more SCSI updates from James Bottomley: "The set of core changes here is Christoph's submission path cleanups. These introduced a couple of regressions when first proposed so they got held over from the initial merge window pull request to give more testing time, which they've now had and Syzbot has confirmed the regression it detected is fixed. The other main changes are two driver updates (arcmsr, pm80xx) and assorted minor clean ups" * tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: (38 commits) scsi: qla2xxx: Fix return of uninitialized value in rval scsi: core: Set sc_data_direction to DMA_NONE for no-transfer commands scsi: sr: Initialize ->cmd_len scsi: arcmsr: Update driver version to v1.50.00.02-20200819 scsi: arcmsr: Add support for ARC-1886 series RAID controllers scsi: arcmsr: Fix device hot-plug monitoring timer stop scsi: arcmsr: Remove unnecessary syntax scsi: pm80xx: Driver version update scsi: pm80xx: Increase the number of outstanding I/O supported to 1024 scsi: pm80xx: Remove DMA memory allocation for ccb and device structures scsi: pm80xx: Increase number of supported queues scsi: sym53c8xx_2: Fix sizeof() mismatch scsi: isci: Fix a typo in a comment scsi: qla4xxx: Fix inconsistent format argument type scsi: myrb: Fix inconsistent format argument types scsi: myrb: Remove redundant assignment to variable timeout scsi: bfa: Fix error return in bfad_pci_init() scsi: fcoe: Simplify the return expression of fcoe_sysfs_setup() scsi: snic: Simplify the return expression of svnic_cq_alloc() scsi: fnic: Simplify the return expression of vnic_wq_copy_alloc() ... 2020-10-08T03:50:04+00:00 Jing Xiangfeng jingxiangfeng@huawei.com 2020-09-25T06:24:23+00:00 urn:sha1:f0f6c3a4fcb80fcbcce4ff6739996dd98c228afd Fix to return error code -ENODEV from the error handling case instead of 0. Link: https://lore.kernel.org/r/20200925062423.161504-1-jingxiangfeng@huawei.com Fixes: 11ea3824140c ("scsi: bfa: fix calls to dma_set_mask_and_coherent()") Signed-off-by: Jing Xiangfeng <jingxiangfeng@huawei.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 2020-08-23T22:36:59+00:00 Gustavo A. R. Silva gustavoars@kernel.org 2020-08-23T22:36:59+00:00 urn:sha1:df561f6688fef775baa341a0f5d960becd248b11 Replace the existing /* fall through */ comments and its variants with the new pseudo-keyword macro fallthrough[1]. Also, remove unnecessary fall-through markings when it is the case. [1] https://www.kernel.org/doc/html/v5.7/process/deprecated.html?highlight=fallthrough#implicit-switch-case-fall-through Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> 2020-07-25T02:33:06+00:00 Lee Jones lee.jones@linaro.org 2020-07-23T12:24:44+00:00 urn:sha1:64332c13d0d130a0e95d1eeb8df20a9ca7887534 Fixes the following checkpatch warning: CHECK: Please use a blank line after function/struct/union/enum declarations #129: FILE: drivers/scsi/bfa/bfa_ioc.c:6913: } +/* Link: https://lore.kernel.org/r/20200723122446.1329773-39-lee.jones@linaro.org Cc: Anil Gurumurthy <anil.gurumurthy@qlogic.com> Cc: Sudarsana Kalluru <sudarsana.kalluru@qlogic.com> Signed-off-by: Lee Jones <lee.jones@linaro.org> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 2020-07-25T02:33:04+00:00 Lee Jones lee.jones@linaro.org 2020-07-23T12:24:41+00:00 urn:sha1:20e73cb1d03cbb131799e7e5b6abb7b0359e81b2 This is the only use of kerneldoc in the source file and no descriptions are provided. Also demote standard comment. Fixes the following W=1 kernel build warning(s): drivers/scsi/bfa/bfa_svc.c:3847: warning: Function parameter or member 'bfa' not described in 'bfa_fcport_get_cfg_topology' Link: https://lore.kernel.org/r/20200723122446.1329773-36-lee.jones@linaro.org Cc: Anil Gurumurthy <anil.gurumurthy@qlogic.com> Cc: Sudarsana Kalluru <sudarsana.kalluru@qlogic.com> Signed-off-by: Lee Jones <lee.jones@linaro.org> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>