kernel/linux.git/drivers/scsi/libfc, branch v6.19.11

scsi: libfc: Prevent integer overflow in fc_fcp_recv_data()

2025-10-07T02:27:28+00:00

The "offset" comes from the skb->data that we received. Here the code is verifying that "offset + len" is within bounds however it does not take integer overflows into account. Use size_add() to be safe. This would only be an issue on 32bit systems which are probably a very small percent of the users. Still, it's worth fixing just for correctness sake. Fixes: 42e9a92fe6a9 ("[SCSI] libfc: A modular Fibre Channel library") Signed-off-by: Dan Carpenter Message-Id: Signed-off-by: Martin K. Petersen

scsi: libfc: Fix potential buffer overflow in fc_ct_ms_fill()

2025-09-25T01:57:03+00:00

The fc_ct_ms_fill() helper currently formats the OS name and version into entry->value using "%s v%s". Since init_utsname()->sysname and ->release are unbounded strings, snprintf() may attempt to write more than FC_FDMI_HBA_ATTR_OSNAMEVERSION_LEN bytes, triggering a -Wformat-truncation warning with W=1. In file included from drivers/scsi/libfc/fc_elsct.c:18: drivers/scsi/libfc/fc_encode.h: In function ‘fc_ct_ms_fill.constprop’: drivers/scsi/libfc/fc_encode.h:359:30: error: ‘%s’ directive output may be truncated writing up to 64 bytes into a region of size between 62 and 126 [-Werror=format-truncation=] 359 | "%s v%s", | ^~ 360 | init_utsname()->sysname, 361 | init_utsname()->release); | ~~~~~~~~~~~~~~~~~~~~~~~ drivers/scsi/libfc/fc_encode.h:357:17: note: ‘snprintf’ output between 3 and 131 bytes into a destination of size 128 357 | snprintf((char *)&entry->value, | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 358 | FC_FDMI_HBA_ATTR_OSNAMEVERSION_LEN, | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 359 | "%s v%s", | ~~~~~~~~~ 360 | init_utsname()->sysname, | ~~~~~~~~~~~~~~~~~~~~~~~~ 361 | init_utsname()->release); | ~~~~~~~~~~~~~~~~~~~~~~~~ Fix this by using "%.62s v%.62s", which ensures sysname and release are truncated to fit within the 128-byte field defined by FC_FDMI_HBA_ATTR_OSNAMEVERSION_LEN. [mkp: clarified commit description] Signed-off-by: Alok Tiwari Signed-off-by: Martin K. Petersen

treewide, timers: Rename from_timer() to timer_container_of()

2025-06-08T07:07:37+00:00

Move this API to the canonical timer_*() namespace. [ tglx: Redone against pre rc1 ] Signed-off-by: Ingo Molnar Signed-off-by: Thomas Gleixner Link: https://lore.kernel.org/all/aB2X0jCKQO56WdMt@gmail.com

treewide: Switch/rename to timer_delete[_sync]()

2025-04-05T08:30:12+00:00

timer_delete[_sync]() replaces del_timer[_sync](). Convert the whole tree over and remove the historical wrapper inlines. Conversion was done with coccinelle plus manual fixups where necessary. Signed-off-by: Thomas Gleixner Signed-off-by: Ingo Molnar

scsi: Rename .slave_alloc() and .slave_destroy()

2024-12-04T20:34:28+00:00

Rename .slave_alloc() into .sdev_init() and .slave_destroy() into .sdev_destroy(). The new names make it clear that these are actions on SCSI devices. Make this change in the SCSI core, SCSI drivers and also in the ATA drivers. No functionality has been changed. This patch has been created as follows: * Change the text "slave_alloc" into "sdev_init" in all source files except those in drivers/net/ and Documentation/. * Change the text "slave_destroy" into "sdev_destroy" in all source files except those in drivers/net/ and Documentation/. * Rename lpfc_no_slave() into lpfc_no_sdev(). * Manually adjust whitespace where necessary to restore vertical alignment (dc395x driver and include/linux/libata.h). Acked-by: Damien Le Moal Signed-off-by: Bart Van Assche Link: https://lore.kernel.org/r/20241022180839.2712439-2-bvanassche@acm.org Signed-off-by: Martin K. Petersen

move asm/unaligned.h to linux/unaligned.h

2024-10-02T21:23:23+00:00

asm/unaligned.h is always an include of asm-generic/unaligned.h; might as well move that thing to linux/unaligned.h and include that - there's nothing arch-specific in that header. auto-generated by the following: for i in `git grep -l -w asm/unaligned.h`; do sed -i -e "s/asm\/unaligned.h/linux\/unaligned.h/" $i done for i in `git grep -l -w asm-generic/unaligned.h`; do sed -i -e "s/asm-generic\/unaligned.h/linux\/unaligned.h/" $i done git mv include/asm-generic/unaligned.h include/linux/unaligned.h git mv tools/include/asm-generic/unaligned.h tools/include/linux/unaligned.h sed -i -e "/unaligned.h/d" include/asm-generic/Kbuild sed -i -e "s/__ASM_GENERIC/__LINUX/" include/linux/unaligned.h tools/include/linux/unaligned.h

scsi: Expand all create*_workqueue() invocations

2024-08-23T01:28:55+00:00

The workqueue maintainer wants to remove the create*_workqueue() macros because these macros always set the WQ_MEM_RECLAIM flag and because these only support literal workqueue names. Hence this patch that replaces the create*_workqueue() invocations with the definition of this macro. The WQ_MEM_RECLAIM flag has been retained because I think that flag is necessary for workqueues created by storage drivers. This patch has been generated by running spatch and git clang-format. spatch has been invoked as follows: spatch --in-place --sp-file expand-create-workqueue.spatch $(git grep -lEw 'create_(freezable_|singlethread_|)workqueue' */scsi */ufs) The contents of the expand-create-workqueue.spatch file is as follows: @@ expression name; @@ -create_workqueue(name) +alloc_workqueue("%s", WQ_MEM_RECLAIM, 1, name) @@ expression name; @@ -create_freezable_workqueue(name) +alloc_workqueue("%s", WQ_FREEZABLE | WQ_UNBOUND | WQ_MEM_RECLAIM, 1, name) @@ expression name; @@ -create_singlethread_workqueue(name) +alloc_ordered_workqueue("%s", WQ_MEM_RECLAIM, name) Reviewed-by: Peter Wang Signed-off-by: Bart Van Assche Link: https://lore.kernel.org/r/20240822195944.654691-2-bvanassche@acm.org Signed-off-by: Martin K. Petersen

scsi: libfc: replace deprecated strncpy() with memcpy()

2024-02-27T02:21:23+00:00

strncpy() is deprecated [1] and as such we should use different apis to copy string data. We can see that ct is NUL-initialized with fc_ct_hdr_fill: | ct = fc_ct_hdr_fill(fp, op, sizeof(struct fc_ns_rspn) + len, ... In fc_ct_hdr_fill(): | memset(ct, 0, ct_plen); We also calculate the length of the source string: | len = strnlen(fc_host_symbolic_name(lport->host), 255); ...then this argument is used in strncpy(), which is bad because the pattern of (dest, src, strlen(src)) usually leaves the destination buffer without NUL-termination. However, it looks as though we do not require NUL-termination since fr_name is part of a seq_buf-like structure wherein its length is monitored: | struct fc_ns_rspn { | struct fc_ns_fid fr_fid; /* port ID object */ | __u8 fr_name_len; | char fr_name[]; | } __attribute__((__packed__)); So, this is really just a byte copy into a length-bounded buffer. Let's use memcpy(). Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1] Link: https://github.com/KSPP/linux/issues/90 Cc: linux-hardening@vger.kernel.org Signed-off-by: Justin Stitt Link: https://lore.kernel.org/r/20240221-strncpy-drivers-scsi-libfc-fc_encode-h-v2-1-019a0889c5ca@google.com Reviewed-by: Kees Cook Signed-off-by: Martin K. Petersen

scsi: libfc: Map FC_TIMED_OUT to DID_TIME_OUT

2023-12-06T02:32:11+00:00

When an exchange is completed with FC_TIMED_OUT we should map it to DID_TIME_OUT to inform the SCSI midlayer that this was a command timeout; DID_BUS_BUSY implies that the command was never sent which is not the case here. Signed-off-by: Hannes Reinecke Link: https://lore.kernel.org/r/20231129165832.224100-4-hare@kernel.org Reviewed-by: Christoph Hellwig Signed-off-by: Martin K. Petersen

scsi: libfc: Fix up timeout error in fc_fcp_rec_error()

2023-12-06T02:32:11+00:00

We should set the status to FC_TIMED_OUT when a timeout error is passed to fc_fcp_rec_error(). Signed-off-by: Hannes Reinecke Link: https://lore.kernel.org/r/20231129165832.224100-3-hare@kernel.org Reviewed-by: Christoph Hellwig Signed-off-by: Martin K. Petersen