<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/git/stable/linux.git/drivers/scsi, branch linux-6.4.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<id>https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/atom?h=linux-6.4.y</id>
<link rel='self' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/atom?h=linux-6.4.y'/>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/'/>
<updated>2023-09-13T07:48:40+00:00</updated>
<entry>
<title>scsi: mpt3sas: Perform additional retries if doorbell read returns 0</title>
<updated>2023-09-13T07:48:40+00:00</updated>
<author>
<name>Ranjan Kumar</name>
<email>ranjan.kumar@broadcom.com</email>
</author>
<published>2023-08-29T09:00:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=512db7829b4a15592b52f349ec2e64ed45629cd7'/>
<id>urn:sha1:512db7829b4a15592b52f349ec2e64ed45629cd7</id>
<content type='text'>
commit 4ca10f3e31745d35249a727ecd108eb58f0a8c5e upstream.

The driver retries certain register reads 3 times if the returned value is
0. This was done because the controller could return 0 for certain
registers if other registers were being accessed concurrently by the BMC.

In certain systems with increased BMC interactions, the register values
returned can be 0 for longer than 3 retries. Change the retry count from 3
to 30 for the affected registers to prevent problems with out-of-band
management.

Fixes: b899202901a8 ("scsi: mpt3sas: Add separate function for aero doorbell reads")
Cc: stable@vger.kernel.org
Signed-off-by: Ranjan Kumar &lt;ranjan.kumar@broadcom.com&gt;
Link: https://lore.kernel.org/r/20230829090020.5417-2-ranjan.kumar@broadcom.com
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>Revert "scsi: qla2xxx: Fix buffer overrun"</title>
<updated>2023-09-13T07:48:40+00:00</updated>
<author>
<name>Nilesh Javali</name>
<email>njavali@marvell.com</email>
</author>
<published>2023-08-21T13:00:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=bcd9febc0c725582e488a9fab96806dffe68d424'/>
<id>urn:sha1:bcd9febc0c725582e488a9fab96806dffe68d424</id>
<content type='text'>
commit 641671d97b9199f1ba35ccc2222d4b189a6a5de5 upstream.

Revert due to Get PLOGI Template failed.
This reverts commit b68710a8094fdffe8dd4f7a82c82649f479bb453.

Cc: stable@vger.kernel.org
Signed-off-by: Nilesh Javali &lt;njavali@marvell.com&gt;
Link: https://lore.kernel.org/r/20230821130045.34850-9-njavali@marvell.com
Reviewed-by: Himanshu Madhani &lt;himanshu.madhani@oracle.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>scsi: fcoe: Fix potential deadlock on &amp;fip-&gt;ctlr_lock</title>
<updated>2023-09-13T07:48:33+00:00</updated>
<author>
<name>Chengfeng Ye</name>
<email>dg573847474@gmail.com</email>
</author>
<published>2023-08-17T07:47:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=694ddc5bf35a5b6f9acb6e4724324c910a1237f1'/>
<id>urn:sha1:694ddc5bf35a5b6f9acb6e4724324c910a1237f1</id>
<content type='text'>
[ Upstream commit 1a1975551943f681772720f639ff42fbaa746212 ]

There is a long call chain that &amp;fip-&gt;ctlr_lock is acquired by isr
fnic_isr_msix_wq_copy() under hard IRQ context. Thus other process context
code acquiring the lock should disable IRQ, otherwise deadlock could happen
if the IRQ preempts the execution while the lock is held in process context
on the same CPU.

[ISR]
fnic_isr_msix_wq_copy()
 -&gt; fnic_wq_copy_cmpl_handler()
 -&gt; fnic_fcpio_cmpl_handler()
 -&gt; fnic_fcpio_flogi_reg_cmpl_handler()
 -&gt; fnic_flush_tx()
 -&gt; fnic_send_frame()
 -&gt; fcoe_ctlr_els_send()
 -&gt; spin_lock_bh(&amp;fip-&gt;ctlr_lock)

[Process Context]
1. fcoe_ctlr_timer_work()
 -&gt; fcoe_ctlr_flogi_send()
 -&gt; spin_lock_bh(&amp;fip-&gt;ctlr_lock)

2. fcoe_ctlr_recv_work()
 -&gt; fcoe_ctlr_recv_handler()
 -&gt; fcoe_ctlr_recv_els()
 -&gt; fcoe_ctlr_announce()
 -&gt; spin_lock_bh(&amp;fip-&gt;ctlr_lock)

3. fcoe_ctlr_recv_work()
 -&gt; fcoe_ctlr_recv_handler()
 -&gt; fcoe_ctlr_recv_els()
 -&gt; fcoe_ctlr_flogi_retry()
 -&gt; spin_lock_bh(&amp;fip-&gt;ctlr_lock)

4. -&gt; fcoe_xmit()
 -&gt; fcoe_ctlr_els_send()
 -&gt; spin_lock_bh(&amp;fip-&gt;ctlr_lock)

spin_lock_bh() is not enough since fnic_isr_msix_wq_copy() is a
hardirq.

These flaws were found by an experimental static analysis tool I am
developing for irq-related deadlock.

The patch fix the potential deadlocks by spin_lock_irqsave() to disable
hard irq.

Fixes: 794d98e77f59 ("[SCSI] libfcoe: retry rejected FLOGI to another FCF if possible")
Signed-off-by: Chengfeng Ye &lt;dg573847474@gmail.com&gt;
Link: https://lore.kernel.org/r/20230817074708.7509-1-dg573847474@gmail.com
Reviewed-by: Davidlohr Bueso &lt;dave@stgolabs.net&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>scsi: core: Use 32-bit hostnum in scsi_host_lookup()</title>
<updated>2023-09-13T07:48:33+00:00</updated>
<author>
<name>Tony Battersby</name>
<email>tonyb@cybernetics.com</email>
</author>
<published>2023-08-14T14:03:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=eaf18b15a81181c5be7502bb04473ecb44d41c74'/>
<id>urn:sha1:eaf18b15a81181c5be7502bb04473ecb44d41c74</id>
<content type='text'>
[ Upstream commit 62ec2092095b678ff89ce4ba51c2938cd1e8e630 ]

Change scsi_host_lookup() hostnum argument type from unsigned short to
unsigned int to match the type used everywhere else.

Fixes: 6d49f63b415c ("[SCSI] Make host_no an unsigned int")
Signed-off-by: Tony Battersby &lt;tonyb@cybernetics.com&gt;
Link: https://lore.kernel.org/r/a02497e7-c12b-ef15-47fc-3f0a0b00ffce@cybernetics.com
Reviewed-by: Bart Van Assche &lt;bvanassche@acm.org&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>scsi: qedf: Do not touch __user pointer in qedf_dbg_fp_int_cmd_read() directly</title>
<updated>2023-09-13T07:48:28+00:00</updated>
<author>
<name>Oleksandr Natalenko</name>
<email>oleksandr@redhat.com</email>
</author>
<published>2023-07-31T08:40:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6aac7f0d1b86aeb8b97b527826768f0516d32290'/>
<id>urn:sha1:6aac7f0d1b86aeb8b97b527826768f0516d32290</id>
<content type='text'>
[ Upstream commit 25dbc20deab5165f847b4eb42f376f725a986ee8 ]

The qedf_dbg_fp_int_cmd_read() function invokes sprintf() directly on a
__user pointer, which may crash the kernel.

Avoid doing that by vmalloc()'ating a buffer for scnprintf() and then
calling simple_read_from_buffer() which does a proper copy_to_user() call.

Fixes: 61d8658b4a43 ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.")
Link: https://lore.kernel.org/lkml/20230724120241.40495-1-oleksandr@redhat.com/
Link: https://lore.kernel.org/linux-scsi/20230726101236.11922-1-skashyap@marvell.com/
Cc: Saurav Kashyap &lt;skashyap@marvell.com&gt;
Cc: Rob Evers &lt;revers@redhat.com&gt;
Cc: Johannes Thumshirn &lt;Johannes.Thumshirn@wdc.com&gt;
Cc: David Laight &lt;David.Laight@ACULAB.COM&gt;
Cc: Jozef Bacik &lt;jobacik@redhat.com&gt;
Cc: Laurence Oberman &lt;loberman@redhat.com&gt;
Cc: "James E.J. Bottomley" &lt;jejb@linux.ibm.com&gt;
Cc: "Martin K. Petersen" &lt;martin.petersen@oracle.com&gt;
Cc: GR-QLogic-Storage-Upstream@marvell.com
Cc: linux-scsi@vger.kernel.org
Reviewed-by: Laurence Oberman &lt;loberman@redhat.com&gt;
Reviewed-by: Johannes Thumshirn &lt;johannes.thumshirn@wdc.com&gt;
Tested-by: Laurence Oberman &lt;loberman@redhat.com&gt;
Acked-by: Saurav Kashyap &lt;skashyap@marvell.com&gt;
Signed-off-by: Oleksandr Natalenko &lt;oleksandr@redhat.com&gt;
Link: https://lore.kernel.org/r/20230731084034.37021-4-oleksandr@redhat.com
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>scsi: qedf: Do not touch __user pointer in qedf_dbg_debug_cmd_read() directly</title>
<updated>2023-09-13T07:48:28+00:00</updated>
<author>
<name>Oleksandr Natalenko</name>
<email>oleksandr@redhat.com</email>
</author>
<published>2023-07-31T08:40:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=8f92dd19a154d6679ab08f42f370ef51cc124843'/>
<id>urn:sha1:8f92dd19a154d6679ab08f42f370ef51cc124843</id>
<content type='text'>
[ Upstream commit 31b5991a9a91ba97237ac9da509d78eec453ff72 ]

The qedf_dbg_debug_cmd_read() function invokes sprintf() directly on a
__user pointer, which may crash the kernel.

Avoid doing that by using a small on-stack buffer for scnprintf() and then
calling simple_read_from_buffer() which does a proper copy_to_user() call.

Fixes: 61d8658b4a43 ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.")
Link: https://lore.kernel.org/lkml/20230724120241.40495-1-oleksandr@redhat.com/
Link: https://lore.kernel.org/linux-scsi/20230726101236.11922-1-skashyap@marvell.com/
Cc: Saurav Kashyap &lt;skashyap@marvell.com&gt;
Cc: Rob Evers &lt;revers@redhat.com&gt;
Cc: Johannes Thumshirn &lt;Johannes.Thumshirn@wdc.com&gt;
Cc: David Laight &lt;David.Laight@ACULAB.COM&gt;
Cc: Jozef Bacik &lt;jobacik@redhat.com&gt;
Cc: Laurence Oberman &lt;loberman@redhat.com&gt;
Cc: "James E.J. Bottomley" &lt;jejb@linux.ibm.com&gt;
Cc: "Martin K. Petersen" &lt;martin.petersen@oracle.com&gt;
Cc: GR-QLogic-Storage-Upstream@marvell.com
Cc: linux-scsi@vger.kernel.org
Reviewed-by: Laurence Oberman &lt;loberman@redhat.com&gt;
Reviewed-by: Johannes Thumshirn &lt;johannes.thumshirn@wdc.com&gt;
Tested-by: Laurence Oberman &lt;loberman@redhat.com&gt;
Acked-by: Saurav Kashyap &lt;skashyap@marvell.com&gt;
Signed-off-by: Oleksandr Natalenko &lt;oleksandr@redhat.com&gt;
Link: https://lore.kernel.org/r/20230731084034.37021-3-oleksandr@redhat.com
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>scsi: qedf: Do not touch __user pointer in qedf_dbg_stop_io_on_error_cmd_read() directly</title>
<updated>2023-09-13T07:48:28+00:00</updated>
<author>
<name>Oleksandr Natalenko</name>
<email>oleksandr@redhat.com</email>
</author>
<published>2023-07-31T08:40:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=8a892c1bc4ddabd1a296b4dfd395788a4764ecff'/>
<id>urn:sha1:8a892c1bc4ddabd1a296b4dfd395788a4764ecff</id>
<content type='text'>
[ Upstream commit 7d3d20dee4f648ec44e9717d5f647d594d184433 ]

The qedf_dbg_stop_io_on_error_cmd_read() function invokes sprintf()
directly on a __user pointer, which may crash the kernel.

Avoid doing that by using a small on-stack buffer for scnprintf() and then
calling simple_read_from_buffer() which does a proper copy_to_user() call.

Fixes: 61d8658b4a43 ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.")
Link: https://lore.kernel.org/lkml/20230724120241.40495-1-oleksandr@redhat.com/
Link: https://lore.kernel.org/linux-scsi/20230726101236.11922-1-skashyap@marvell.com/
Cc: Saurav Kashyap &lt;skashyap@marvell.com&gt;
Cc: Rob Evers &lt;revers@redhat.com&gt;
Cc: Johannes Thumshirn &lt;Johannes.Thumshirn@wdc.com&gt;
Cc: David Laight &lt;David.Laight@ACULAB.COM&gt;
Cc: Jozef Bacik &lt;jobacik@redhat.com&gt;
Cc: Laurence Oberman &lt;loberman@redhat.com&gt;
Cc: "James E.J. Bottomley" &lt;jejb@linux.ibm.com&gt;
Cc: "Martin K. Petersen" &lt;martin.petersen@oracle.com&gt;
Cc: GR-QLogic-Storage-Upstream@marvell.com
Cc: linux-scsi@vger.kernel.org
Reviewed-by: Laurence Oberman &lt;loberman@redhat.com&gt;
Reviewed-by: Johannes Thumshirn &lt;johannes.thumshirn@wdc.com&gt;
Tested-by: Laurence Oberman &lt;loberman@redhat.com&gt;
Acked-by: Saurav Kashyap &lt;skashyap@marvell.com&gt;
Signed-off-by: Oleksandr Natalenko &lt;oleksandr@redhat.com&gt;
Link: https://lore.kernel.org/r/20230731084034.37021-2-oleksandr@redhat.com
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>scsi: qla4xxx: Add length check when parsing nlattrs</title>
<updated>2023-09-13T07:48:28+00:00</updated>
<author>
<name>Lin Ma</name>
<email>linma@zju.edu.cn</email>
</author>
<published>2023-07-23T08:00:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=4ed21975311247bb84e82298eeb359ec0a0fa84d'/>
<id>urn:sha1:4ed21975311247bb84e82298eeb359ec0a0fa84d</id>
<content type='text'>
[ Upstream commit 47cd3770e31df942e2bb925a9a855c79ed0662eb ]

There are three places that qla4xxx parses nlattrs:

 - qla4xxx_set_chap_entry()

 - qla4xxx_iface_set_param()

 - qla4xxx_sysfs_ddb_set_param()

and each of them directly converts the nlattr to specific pointer of
structure without length checking. This could be dangerous as those
attributes are not validated and a malformed nlattr (e.g., length 0) could
result in an OOB read that leaks heap dirty data.

Add the nla_len check before accessing the nlattr data and return EINVAL if
the length check fails.

Fixes: 26ffd7b45fe9 ("[SCSI] qla4xxx: Add support to set CHAP entries")
Fixes: 1e9e2be3ee03 ("[SCSI] qla4xxx: Add flash node mgmt support")
Fixes: 00c31889f751 ("[SCSI] qla4xxx: fix data alignment and use nl helpers")
Signed-off-by: Lin Ma &lt;linma@zju.edu.cn&gt;
Link: https://lore.kernel.org/r/20230723080053.3714534-1-linma@zju.edu.cn
Reviewed-by: Chris Leech &lt;cleech@redhat.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>scsi: be2iscsi: Add length check when parsing nlattrs</title>
<updated>2023-09-13T07:48:27+00:00</updated>
<author>
<name>Lin Ma</name>
<email>linma@zju.edu.cn</email>
</author>
<published>2023-07-23T07:59:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=da4c861ef51e55de4d892653140ed733e5ebe81b'/>
<id>urn:sha1:da4c861ef51e55de4d892653140ed733e5ebe81b</id>
<content type='text'>
[ Upstream commit ee0268f230f66cb472df3424f380ea668da2749a ]

beiscsi_iface_set_param() parses nlattr with nla_for_each_attr and assumes
every attributes can be viewed as struct iscsi_iface_param_info.

This is not true because there is no any nla_policy to validate the
attributes passed from the upper function iscsi_set_iface_params().

Add the nla_len check before accessing the nlattr data and return EINVAL if
the length check fails.

Fixes: 0e43895ec1f4 ("[SCSI] be2iscsi: adding functionality to change network settings using iscsiadm")
Signed-off-by: Lin Ma &lt;linma@zju.edu.cn&gt;
Link: https://lore.kernel.org/r/20230723075938.3713864-1-linma@zju.edu.cn
Reviewed-by: Chris Leech &lt;cleech@redhat.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>scsi: iscsi: Add strlen() check in iscsi_if_set{_host}_param()</title>
<updated>2023-09-13T07:48:27+00:00</updated>
<author>
<name>Lin Ma</name>
<email>linma@zju.edu.cn</email>
</author>
<published>2023-07-23T07:58:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=3466c1b52457425d40eaa6de6f93915e8e24ffcf'/>
<id>urn:sha1:3466c1b52457425d40eaa6de6f93915e8e24ffcf</id>
<content type='text'>
[ Upstream commit ce51c817008450ef4188471db31639d42d37a5e1 ]

The functions iscsi_if_set_param() and iscsi_if_set_host_param() convert an
nlattr payload to type char* and then call C string handling functions like
sscanf and kstrdup:

  char *data = (char*)ev + sizeof(*ev);
  ...
  sscanf(data, "%d", &amp;value);

However, since the nlattr is provided by the user-space program and the
nlmsg skb is allocated with GFP_KERNEL instead of GFP_ZERO flag (see
netlink_alloc_large_skb() in netlink_sendmsg()), dirty data on the heap can
lead to an OOB access for those string handling functions.

By investigating how the bug is introduced, we find it is really
interesting as the old version parsing code starting from commit
fd7255f51a13 ("[SCSI] iscsi: add sysfs attrs for uspace sync up") treated
the nlattr as integer bytes instead of string and had length check in
iscsi_copy_param():

  if (ev-&gt;u.set_param.len != sizeof(uint32_t))
    BUG();

But, since the commit a54a52caad4b ("[SCSI] iscsi: fixup set/get param
functions"), the code treated the nlattr as C string while forgetting to
add any strlen checks(), opening the possibility of an OOB access.

Fix the potential OOB by adding the strlen() check before accessing the
buf. If the data passes this check, all low-level set_param handlers can
safely treat this buf as legal C string.

Fixes: fd7255f51a13 ("[SCSI] iscsi: add sysfs attrs for uspace sync up")
Fixes: 1d9bf13a9cf9 ("[SCSI] iscsi class: add iscsi host set param event")
Signed-off-by: Lin Ma &lt;linma@zju.edu.cn&gt;
Link: https://lore.kernel.org/r/20230723075820.3713119-1-linma@zju.edu.cn
Reviewed-by: Chris Leech &lt;cleech@redhat.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
</feed>
