Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v7.0.10 2024-07-29T00:06:20+00:00 2024-07-29T00:06:20+00:00 Linus Torvalds torvalds@linux-foundation.org 2024-07-29T00:06:20+00:00 urn:sha1:9f499b8c791d2983c0a31a543c51d1b2f15e8755 While working on simplifying the minmax functions, and avoiding excessive macro expansion, it turns out that the sr.c use of the 'clamp()' macro has the arguments the wrong way around. The clamp logic is val = clamp(in, low, high); and it returns the input clamped to the low/high limits. But sr.c ddid speed = clamp(0, speed, 0xffff / 177); which clamps the value '0' to the range '[speed, 0xffff / 177]' and ends up being nonsensical. Happily, I don't think anybody ever cared. Fixes: 9fad9d560af5 ("scsi: sr: Fix unintentional arithmetic wraparound") Cc: Justin Stitt <justinstitt@google.com> Cc: Kees Cook <keescook@chromium.org> Cc: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2024-05-15T14:05:24+00:00 Justin Stitt justinstitt@google.com 2024-05-08T17:22:51+00:00 urn:sha1:9fad9d560af5c654bb38e0b07ee54a4e9acdc5cd Running syzkaller with the newly reintroduced signed integer overflow sanitizer produces this report: [ 65.194362] ------------[ cut here ]------------ [ 65.197752] UBSAN: signed-integer-overflow in ../drivers/scsi/sr_ioctl.c:436:9 [ 65.203607] -2147483648 * 177 cannot be represented in type 'int' [ 65.207911] CPU: 2 PID: 10416 Comm: syz-executor.1 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1 [ 65.213585] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 65.219923] Call Trace: [ 65.221556] <TASK> [ 65.223029] dump_stack_lvl+0x93/0xd0 [ 65.225573] handle_overflow+0x171/0x1b0 [ 65.228219] sr_select_speed+0xeb/0xf0 [ 65.230786] ? __pm_runtime_resume+0xe6/0x130 [ 65.233606] sr_block_ioctl+0x15d/0x1d0 ... Historically, the signed integer overflow sanitizer did not work in the kernel due to its interaction with `-fwrapv` but this has since been changed [1] in the newest version of Clang. It was re-enabled in the kernel with Commit 557f8c582a9b ("ubsan: Reintroduce signed overflow sanitizer"). Firstly, let's change the type of "speed" to unsigned long as sr_select_speed()'s only caller passes in an unsigned long anyways. $ git grep '\.select_speed' | drivers/scsi/sr.c: .select_speed = sr_select_speed, ... | static int cdrom_ioctl_select_speed(struct cdrom_device_info *cdi, | unsigned long arg) | { | ... | return cdi->ops->select_speed(cdi, arg); | } Next, let's add an extra check to make sure we don't exceed 0xffff/177 (350) since 0xffff is the max speed. This has two benefits: 1) we deal with integer overflow before it happens and 2) we properly respect the max speed of 0xffff. There are some "magic" numbers here but I did not want to change more than what was necessary. Link: https://github.com/llvm/llvm-project/pull/82432 [1] Closes: https://github.com/KSPP/linux/issues/357 Cc: linux-hardening@vger.kernel.org Signed-off-by: Justin Stitt <justinstitt@google.com> Link: https://lore.kernel.org/r/20240508-b4-b4-sio-sr_select_speed-v2-1-00b68f724290@google.com Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 2023-01-14T02:34:09+00:00 Mike Christie michael.christie@oracle.com 2022-12-29T19:01:50+00:00 urn:sha1:49d33b6245d91a2ca20755cd4edf86dd0e49649e scsi_execute*() is going to be removed. Convert sr to scsi_execute_cmd(). Signed-off-by: Mike Christie <michael.christie@oracle.com> Reviewed-by: John Garry <john.g.garry@oracle.com> Reviewed-by: Bart Van Assche <bvanassche@acm.org> Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 2022-04-19T02:48:31+00:00 Tom Rix trix@redhat.com 2022-04-11T17:47:56+00:00 urn:sha1:faad6cebded8e0fd902b672f220449b93db479eb sr_ioctl.c uses this pattern: result = sr_do_ioctl(cd, &cgc); to-user = buffer[]; kfree(buffer); return result; Use of a buffer without checking leaks information. Check result and jump over the use of buffer if there is an error. result = sr_do_ioctl(cd, &cgc); if (result) goto err; to-user = buffer[]; err: kfree(buffer); return result; Additionally, initialize the buffer to zero. This problem can be seen in the 2.4.0 kernel. Link: https://lore.kernel.org/r/20220411174756.2418435-1-trix@redhat.com Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Tom Rix <trix@redhat.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 2021-09-14T02:15:49+00:00 Colin Ian King colin.king@canonical.com 2021-08-26T11:57:14+00:00 urn:sha1:e699a4e1d37314eb842ba9de19a7ccee7f75da10 There is a spelling mistake in a literal string. Fix it. Link: https://lore.kernel.org/r/20210826115714.11844-1-colin.king@canonical.com Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 2021-06-01T03:59:18+00:00 Hannes Reinecke hare@suse.de 2021-04-27T08:30:46+00:00 urn:sha1:3d45cefc8edd7f560e6c97a8d9928ad571f76dec Originally the SCSI subsystem has been using 'special' SCSI status codes, which were the SAM-specified ones but shifted by 1. As most drivers have now been modified to use the SAM-specified ones, having two nearly identical sets of definitions only causes confusion. The Linux-specifed SCSI status codes have been marked obsolete for several years so drop them and use the SAM-specified status codes throughout. Link: https://lore.kernel.org/r/20210427083046.31620-41-hare@suse.de Reviewed-by: Bart Van Assche <bvanassche@acm.org> Reviewed-by: Douglas Gilbert <dgilbert@interlog.com> Signed-off-by: Hannes Reinecke <hare@suse.de> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 2021-06-01T02:48:22+00:00 Hannes Reinecke hare@suse.com 2021-04-27T08:30:20+00:00 urn:sha1:54c29086195fd72b6a290ef367e71f73fa657b1f The driver_byte field in the result is now unused, so we can drop the definitions. Link: https://lore.kernel.org/r/20210427083046.31620-15-hare@suse.de Reviewed-by: Bart Van Assche <bvanassche@acm.org> Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Hannes Reinecke <hare@suse.de> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 2021-06-01T02:48:21+00:00 Hannes Reinecke hare@suse.de 2021-04-27T08:30:12+00:00 urn:sha1:ced202f7bd78eb6a79c441a8b217e0f3d38bccfc Return the actual error code in __scsi_execute() (which, according to the documentation, should have happened anyway). And audit all callers to cope with negative return values from __scsi_execute() and friends. [mkp: resolve conflict and return bool] Link: https://lore.kernel.org/r/20210427083046.31620-7-hare@suse.de Reviewed-by: Bart Van Assche <bvanassche@acm.org> Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Hannes Reinecke <hare@suse.de> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 2021-04-06T15:28:17+00:00 Christoph Hellwig hch@lst.de 2021-03-31T07:29:58+00:00 urn:sha1:aaff5ebaa2694f283b7d07fdd55fb287ffc4f1e9 Remove the unchecked_isa_dma now that all users are gone. Signed-off-by: Christoph Hellwig <hch@lst.de> Acked-by: Martin K. Petersen <martin.petersen@oracle.com> Reviewed-by: Hannes Reinecke <hare@suse.de> Link: https://lore.kernel.org/r/20210331073001.46776-6-hch@lst.de Signed-off-by: Jens Axboe <axboe@kernel.dk> 2020-12-12T18:12:25+00:00 Sebastian Andrzej Siewior bigeasy@linutronix.de 2020-12-04T16:48:49+00:00 urn:sha1:8d2ac857a81d5a44b9643038291ea958bbf05c7f sr_read_sector() is hardly used since v2.3.16. Its only purpose is to check if it is a XA medium via sr_is_xa(). This check is only enabled if the module parameter `xa_test' is enabled. Change the sector size back to 2048 if it was changed. With this change, there is no lazy sector size changing left. Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Signed-off-by: Jens Axboe <axboe@kernel.dk>