<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/git/stable/linux.git/drivers/scsi, branch linux-4.7.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<id>https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/atom?h=linux-4.7.y</id>
<link rel='self' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/atom?h=linux-4.7.y'/>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/'/>
<updated>2016-10-22T10:06:48+00:00</updated>
<entry>
<title>scsi: ibmvfc: Fix I/O hang when port is not mapped</title>
<updated>2016-10-22T10:06:48+00:00</updated>
<author>
<name>Brian King</name>
<email>brking@linux.vnet.ibm.com</email>
</author>
<published>2016-09-19T13:59:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=5131d36b8106905f455b024c811f969966349756'/>
<id>urn:sha1:5131d36b8106905f455b024c811f969966349756</id>
<content type='text'>
commit 07d0e9a847401ffd2f09bd450d41644cd090e81d upstream.

If a VFC port gets unmapped in the VIOS, it may not respond with a CRQ
init complete following H_REG_CRQ. If this occurs, we can end up having
called scsi_block_requests and not a resulting unblock until the init
complete happens, which may never occur, and we end up hanging I/O
requests.  This patch ensures the host action stay set to
IBMVFC_HOST_ACTION_TGT_DEL so we move all rports into devloss state and
unblock unless we receive an init complete.

Signed-off-by: Brian King &lt;brking@linux.vnet.ibm.com&gt;
Acked-by: Tyrel Datwyler &lt;tyreld@linux.vnet.ibm.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>scsi: arcmsr: Simplify user_len checking</title>
<updated>2016-10-22T10:06:48+00:00</updated>
<author>
<name>Borislav Petkov</name>
<email>bp@alien8.de</email>
</author>
<published>2016-09-23T11:22:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=1e7f077827be9611b6382a1be5b4d208928a9fcf'/>
<id>urn:sha1:1e7f077827be9611b6382a1be5b4d208928a9fcf</id>
<content type='text'>
commit 4bd173c30792791a6daca8c64793ec0a4ae8324f upstream.

Do the user_len check first and then the ver_addr allocation so that we
can save us the kfree() on the error path when user_len is &gt;
ARCMSR_API_DATA_BUFLEN.

Signed-off-by: Borislav Petkov &lt;bp@suse.de&gt;
Cc: Marco Grassi &lt;marco.gra@gmail.com&gt;
Cc: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Cc: Tomas Henzl &lt;thenzl@redhat.com&gt;
Cc: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Reviewed-by: Johannes Thumshirn &lt;jthumshirn@suse.de&gt;
Reviewed-by: Tomas Henzl &lt;thenzl@redhat.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer()</title>
<updated>2016-10-22T10:06:48+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@oracle.com</email>
</author>
<published>2016-09-15T13:44:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6e3655655623c52a8a55cec01be8cf6681ee54a3'/>
<id>urn:sha1:6e3655655623c52a8a55cec01be8cf6681ee54a3</id>
<content type='text'>
commit 7bc2b55a5c030685b399bb65b6baa9ccc3d1f167 upstream.

We need to put an upper bound on "user_len" so the memcpy() doesn't
overflow.

Reported-by: Marco Grassi &lt;marco.gra@gmail.com&gt;
Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Reviewed-by: Tomas Henzl &lt;thenzl@redhat.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>scsi: ses: use scsi_is_sas_rphy instead of is_sas_attached</title>
<updated>2016-10-07T13:21:26+00:00</updated>
<author>
<name>Johannes Thumshirn</name>
<email>jthumshirn@suse.de</email>
</author>
<published>2016-08-17T09:46:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=27241dbfcf11ca5599140a027927d56cb31e3993'/>
<id>urn:sha1:27241dbfcf11ca5599140a027927d56cb31e3993</id>
<content type='text'>
commit 835831c57e9b0cccc24e96a812542875471d75b5 upstream.

Use scsi_is_sas_rphy() instead of is_sas_attached() to decide whether we
should obtain the SAS address from a scsi device or not. This will
prevent us from tripping on the BUG_ON() in sas_sdev_to_rdev() if the
rphy isn't attached to the SAS transport class, like it is with hpsa's
logical devices.

Fixes: 3f8d6f2a0 ('ses: fix discovery of SATA devices in SAS enclosures')
Signed-off-by: Johannes Thumshirn &lt;jthumshirn@suse.de&gt;
Reviewed-by: James E.J. Bottomley &lt;jejb@linux.vnet.ibm.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>fnic: pci_dma_mapping_error() doesn't return an error code</title>
<updated>2016-10-07T13:21:23+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@oracle.com</email>
</author>
<published>2016-07-07T08:23:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=be784fafa10c5021a1c03369944edce75b95d1f9'/>
<id>urn:sha1:be784fafa10c5021a1c03369944edce75b95d1f9</id>
<content type='text'>
commit dd7328e4c53649c1c7ec36bc1cf5b229b8662047 upstream.

pci_dma_mapping_error() returns true on error and false on success.

Fixes: fd6ddfa4c1dd ('fnic: check pci_map_single() return value')
Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>qla2xxx: Fix BBCR offset</title>
<updated>2016-10-07T13:21:23+00:00</updated>
<author>
<name>Sawan Chandak</name>
<email>sawan.chandak@qlogic.com</email>
</author>
<published>2016-07-06T15:14:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=5a2c5cb739408dab9f76da832245c0443330d08f'/>
<id>urn:sha1:5a2c5cb739408dab9f76da832245c0443330d08f</id>
<content type='text'>
commit 061b5c3c48a1e276f8fd539bfa8aab8b359ffc31 upstream.

Fixes: 969a619 ("qla2xxx: Add support for buffer to buffer credit value for ISP27XX.")
Signed-off-by: Sawan Chandak &lt;sawan.chandak@qlogic.com&gt;
Signed-off-by: Himanshu Madhani &lt;himanshu.madhani@qlogic.com&gt;
Reviewed-by: Hannes Reinecke &lt;hare@suse.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>scsi: fix upper bounds check of sense key in scsi_sense_key_string()</title>
<updated>2016-09-15T06:20:30+00:00</updated>
<author>
<name>Tyrel Datwyler</name>
<email>tyreld@linux.vnet.ibm.com</email>
</author>
<published>2016-08-12T22:20:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=5ef15cd2eb598d67c60d7386da8706c8818ce5b4'/>
<id>urn:sha1:5ef15cd2eb598d67c60d7386da8706c8818ce5b4</id>
<content type='text'>
commit a87eeb900dbb9f8202f96604d56e47e67c936b9d upstream.

Commit 655ee63cf371 ("scsi constants: command, sense key + additional
sense string") added a "Completed" sense string with key 0xF to
snstext[], but failed to updated the upper bounds check of the sense key
in scsi_sense_key_string().

Fixes: 655ee63cf371 ("[SCSI] scsi constants: command, sense key + additional sense strings")
Signed-off-by: Tyrel Datwyler &lt;tyreld@linux.vnet.ibm.com&gt;
Reviewed-by: Bart Van Assche &lt;bart.vanassche@sandisk.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>megaraid_sas: Fix probing cards without io port</title>
<updated>2016-09-07T06:34:52+00:00</updated>
<author>
<name>Yinghai Lu</name>
<email>yinghai@kernel.org</email>
</author>
<published>2016-08-06T06:37:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=0a20e12c78170ba7705b102559c734e5df095bff'/>
<id>urn:sha1:0a20e12c78170ba7705b102559c734e5df095bff</id>
<content type='text'>
commit e7f851684efb3377e9c93aca7fae6e76212e5680 upstream.

Found one megaraid_sas HBA probe fails,

[  187.235190] scsi host2: Avago SAS based MegaRAID driver
[  191.112365] megaraid_sas 0000:89:00.0: BAR 0: can't reserve [io  0x0000-0x00ff]
[  191.120548] megaraid_sas 0000:89:00.0: IO memory region busy!

and the card has resource like,
[  125.097714] pci 0000:89:00.0: [1000:005d] type 00 class 0x010400
[  125.104446] pci 0000:89:00.0: reg 0x10: [io  0x0000-0x00ff]
[  125.110686] pci 0000:89:00.0: reg 0x14: [mem 0xce400000-0xce40ffff 64bit]
[  125.118286] pci 0000:89:00.0: reg 0x1c: [mem 0xce300000-0xce3fffff 64bit]
[  125.125891] pci 0000:89:00.0: reg 0x30: [mem 0xce200000-0xce2fffff pref]

that does not io port resource allocated from BIOS, and kernel can not
assign one as io port shortage.

The driver is only looking for MEM, and should not fail.

It turns out megasas_init_fw() etc are using bar index as mask.  index 1
is used as mask 1, so that pci_request_selected_regions() is trying to
request BAR0 instead of BAR1.

Fix all related reference.

Fixes: b6d5d8808b4c ("megaraid_sas: Use lowest memory bar for SR-IOV VF support")
Signed-off-by: Yinghai Lu &lt;yinghai@kernel.org&gt;
Acked-by: Kashyap Desai &lt;kashyap.desai@broadcom.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>mpt3sas: Fix resume on WarpDrive flash cards</title>
<updated>2016-09-07T06:34:52+00:00</updated>
<author>
<name>Greg Edwards</name>
<email>gedwards@fireweed.org</email>
</author>
<published>2016-07-30T16:06:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=404b74f0475907c973e4256d2dc894aada709240'/>
<id>urn:sha1:404b74f0475907c973e4256d2dc894aada709240</id>
<content type='text'>
commit ce7c6c9e1d997a2670aead3a7b87f4df32c11118 upstream.

mpt3sas crashes on resume after suspend with WarpDrive flash cards.  The
reply_post_host_index array is not set back up after the resume, and we
deference a stale pointer in _base_interrupt().

[   47.309711] BUG: unable to handle kernel paging request at ffffc90001f8006c
[   47.318289] IP: [&lt;ffffffffc00863ef&gt;] _base_interrupt+0x49f/0xa30 [mpt3sas]
[   47.326749] PGD 41ccaa067 PUD 41ccab067 PMD 3466c067 PTE 0
[   47.333848] Oops: 0002 [#1] SMP
...
[   47.452708] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.7.0 #6
[   47.460506] Hardware name: Dell Inc. OptiPlex 990/06D7TR, BIOS A18 09/24/2013
[   47.469629] task: ffffffff81c0d500 ti: ffffffff81c00000 task.ti: ffffffff81c00000
[   47.479112] RIP: 0010:[&lt;ffffffffc00863ef&gt;]  [&lt;ffffffffc00863ef&gt;] _base_interrupt+0x49f/0xa30 [mpt3sas]
[   47.490466] RSP: 0018:ffff88041d203e30  EFLAGS: 00010002
[   47.497801] RAX: 0000000000000001 RBX: ffff880033f4c000 RCX: 0000000000000001
[   47.506973] RDX: ffffc90001f8006c RSI: 0000000000000082 RDI: 0000000000000082
[   47.516141] RBP: ffff88041d203eb0 R08: ffff8804118e2820 R09: 0000000000000001
[   47.525300] R10: 0000000000000001 R11: 00000000100c0000 R12: 0000000000000000
[   47.534457] R13: ffff880412c487e0 R14: ffff88041a8987d8 R15: 0000000000000001
[   47.543632] FS:  0000000000000000(0000) GS:ffff88041d200000(0000) knlGS:0000000000000000
[   47.553796] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   47.561632] CR2: ffffc90001f8006c CR3: 0000000001c06000 CR4: 00000000000406f0
[   47.570883] Stack:
[   47.575015]  000000001d211228 ffff88041d2100c0 ffff8800c47d8130 0000000000000100
[   47.584625]  ffff8804100c0000 100c000000000000 ffff88041a8992a0 ffff88041a8987f8
[   47.594230]  ffff88041d203e00 ffffffff81111e55 000000000000038c ffff880414ad4280
[   47.603862] Call Trace:
[   47.608474]  &lt;IRQ&gt;
[   47.610413]  [&lt;ffffffff81111e55&gt;] ? call_timer_fn+0x35/0x120
[   47.620539]  [&lt;ffffffff81100a1f&gt;] handle_irq_event_percpu+0x7f/0x1c0
[   47.629061]  [&lt;ffffffff81100b8c&gt;] handle_irq_event+0x2c/0x50
[   47.636859]  [&lt;ffffffff81103fff&gt;] handle_edge_irq+0x6f/0x130
[   47.644654]  [&lt;ffffffff8102fbf3&gt;] handle_irq+0x73/0x120
[   47.652011]  [&lt;ffffffff810c6ada&gt;] ? atomic_notifier_call_chain+0x1a/0x20
[   47.660854]  [&lt;ffffffff817e374b&gt;] do_IRQ+0x4b/0xd0
[   47.667777]  [&lt;ffffffff817e160c&gt;] common_interrupt+0x8c/0x8c
[   47.675635]  &lt;EOI&gt;

Move the reply_post_host_index array setup into
mpt3sas_base_map_resources(), which is also in the resume path.

Signed-off-by: Greg Edwards &lt;gedwards@fireweed.org&gt;
Acked-by: Chaitra P B &lt;chaitra.basappa@broadcom.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>aacraid: Check size values after double-fetch from user</title>
<updated>2016-09-07T06:34:52+00:00</updated>
<author>
<name>Dave Carroll</name>
<email>david.carroll@microsemi.com</email>
</author>
<published>2016-08-05T19:44:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=37e0f46b779f3081fc4719956eb44cacbb5a294f'/>
<id>urn:sha1:37e0f46b779f3081fc4719956eb44cacbb5a294f</id>
<content type='text'>
commit fa00c437eef8dc2e7b25f8cd868cfa405fcc2bb3 upstream.

In aacraid's ioctl_send_fib() we do two fetches from userspace, one the
get the fib header's size and one for the fib itself. Later we use the
size field from the second fetch to further process the fib. If for some
reason the size from the second fetch is different than from the first
fix, we may encounter an out-of- bounds access in aac_fib_send(). We
also check the sender size to insure it is not out of bounds. This was
reported in https://bugzilla.kernel.org/show_bug.cgi?id=116751 and was
assigned CVE-2016-6480.

Reported-by: Pengfei Wang &lt;wpengfeinudt@gmail.com&gt;
Fixes: 7c00ffa31 '[SCSI] 2.6 aacraid: Variable FIB size (updated patch)'
Signed-off-by: Dave Carroll &lt;david.carroll@microsemi.com&gt;
Reviewed-by: Johannes Thumshirn &lt;jthumshirn@suse.de&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
</feed>
