<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/scsi, branch v4.1.38</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>sg_write()/bsg_write() is not fit to be called under KERNEL_DS</title>
<updated>2017-01-13T01:56:58+00:00</updated>
<author>
<name>Al Viro</name>
<email>viro@zeniv.linux.org.uk</email>
</author>
<published>2016-12-16T18:42:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=3e3267311e3b6557206f293eeb9205b41e090625'/>
<id>3e3267311e3b6557206f293eeb9205b41e090625</id>
<content type='text'>
[ Upstream commit 128394eff343fc6d2f32172f03e24829539c5835 ]

Both damn things interpret userland pointers embedded into the payload;
worse, they are actually traversing those.  Leaving aside the bad
API design, this is very much _not_ safe to call with KERNEL_DS.
Bail out early if that happens.

Cc: stable@vger.kernel.org
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 128394eff343fc6d2f32172f03e24829539c5835 ]

Both damn things interpret userland pointers embedded into the payload;
worse, they are actually traversing those.  Leaving aside the bad
API design, this is very much _not_ safe to call with KERNEL_DS.
Bail out early if that happens.

Cc: stable@vger.kernel.org
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>scsi: avoid a permanent stop of the scsi device's request queue</title>
<updated>2017-01-13T01:56:57+00:00</updated>
<author>
<name>Wei Fang</name>
<email>fangwei1@huawei.com</email>
</author>
<published>2016-12-13T01:25:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1b51fce881b201cc00e88f64357d61b067e6b588'/>
<id>1b51fce881b201cc00e88f64357d61b067e6b588</id>
<content type='text'>
[ Upstream commit d2a145252c52792bc59e4767b486b26c430af4bb ]

A race between scanning and fc_remote_port_delete() may result in a
permanent stop if the device gets blocked before scsi_sysfs_add_sdev()
and unblocked after.  The reason is that blocking a device sets both the
SDEV_BLOCKED state and the QUEUE_FLAG_STOPPED.  However,
scsi_sysfs_add_sdev() unconditionally sets SDEV_RUNNING which causes the
device to be ignored by scsi_target_unblock() and thus never have its
QUEUE_FLAG_STOPPED cleared leading to a device which is apparently
running but has a stopped queue.

We actually have two places where SDEV_RUNNING is set: once in
scsi_add_lun() which respects the blocked flag and once in
scsi_sysfs_add_sdev() which doesn't.  Since the second set is entirely
spurious, simply remove it to fix the problem.

Cc: &lt;stable@vger.kernel.org&gt;
Reported-by: Zengxi Chen &lt;chenzengxi@huawei.com&gt;
Signed-off-by: Wei Fang &lt;fangwei1@huawei.com&gt;
Reviewed-by: Ewan D. Milne &lt;emilne@redhat.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit d2a145252c52792bc59e4767b486b26c430af4bb ]

A race between scanning and fc_remote_port_delete() may result in a
permanent stop if the device gets blocked before scsi_sysfs_add_sdev()
and unblocked after.  The reason is that blocking a device sets both the
SDEV_BLOCKED state and the QUEUE_FLAG_STOPPED.  However,
scsi_sysfs_add_sdev() unconditionally sets SDEV_RUNNING which causes the
device to be ignored by scsi_target_unblock() and thus never have its
QUEUE_FLAG_STOPPED cleared leading to a device which is apparently
running but has a stopped queue.

We actually have two places where SDEV_RUNNING is set: once in
scsi_add_lun() which respects the blocked flag and once in
scsi_sysfs_add_sdev() which doesn't.  Since the second set is entirely
spurious, simply remove it to fix the problem.

Cc: &lt;stable@vger.kernel.org&gt;
Reported-by: Zengxi Chen &lt;chenzengxi@huawei.com&gt;
Signed-off-by: Wei Fang &lt;fangwei1@huawei.com&gt;
Reviewed-by: Ewan D. Milne &lt;emilne@redhat.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>scsi: megaraid_sas: For SRIOV enabled firmware, ensure VF driver waits for 30secs before reset</title>
<updated>2017-01-13T01:56:52+00:00</updated>
<author>
<name>Kashyap Desai</name>
<email>kashyap.desai@broadcom.com</email>
</author>
<published>2016-10-21T13:33:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=78ef3e710efde520451452abd4b85062847aa191'/>
<id>78ef3e710efde520451452abd4b85062847aa191</id>
<content type='text'>
[ Upstream commit 18e1c7f68a5814442abad849abe6eacbf02ffd7c ]

For SRIOV enabled firmware, if there is a OCR(online controller reset)
possibility driver set the convert flag to 1, which is not happening if
there are outstanding commands even after 180 seconds.  As driver does
not set convert flag to 1 and still making the OCR to run, VF(Virtual
function) driver is directly writing on to the register instead of
waiting for 30 seconds. Setting convert flag to 1 will cause VF driver
will wait for 30 secs before going for reset.

CC: stable@vger.kernel.org
Signed-off-by: Kiran Kumar Kasturi &lt;kiran-kumar.kasturi@broadcom.com&gt;
Signed-off-by: Sumit Saxena &lt;sumit.saxena@broadcom.com&gt;
Reviewed-by: Hannes Reinecke &lt;hare@suse.com&gt;
Reviewed-by: Tomas Henzl &lt;thenzl@redhat.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 18e1c7f68a5814442abad849abe6eacbf02ffd7c ]

For SRIOV enabled firmware, if there is a OCR(online controller reset)
possibility driver set the convert flag to 1, which is not happening if
there are outstanding commands even after 180 seconds.  As driver does
not set convert flag to 1 and still making the OCR to run, VF(Virtual
function) driver is directly writing on to the register instead of
waiting for 30 seconds. Setting convert flag to 1 will cause VF driver
will wait for 30 secs before going for reset.

CC: stable@vger.kernel.org
Signed-off-by: Kiran Kumar Kasturi &lt;kiran-kumar.kasturi@broadcom.com&gt;
Signed-off-by: Sumit Saxena &lt;sumit.saxena@broadcom.com&gt;
Reviewed-by: Hannes Reinecke &lt;hare@suse.com&gt;
Reviewed-by: Tomas Henzl &lt;thenzl@redhat.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>scsi: megaraid_sas: fix macro MEGASAS_IS_LOGICAL to avoid regression</title>
<updated>2016-12-23T14:05:27+00:00</updated>
<author>
<name>Sumit Saxena</name>
<email>sumit.saxena@broadcom.com</email>
</author>
<published>2016-11-09T10:59:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c27edfb64bbff3cd5d8fc723161128dd4bb57789'/>
<id>c27edfb64bbff3cd5d8fc723161128dd4bb57789</id>
<content type='text'>
[ Upstream commit 5e5ec1759dd663a1d5a2f10930224dd009e500e8 ]

This patch will fix regression caused by commit 1e793f6fc0db ("scsi:
megaraid_sas: Fix data integrity failure for JBOD (passthrough)
devices").

The problem was that the MEGASAS_IS_LOGICAL macro did not have braces
and as a result the driver ended up exposing a lot of non-existing SCSI
devices (all SCSI commands to channels 1,2,3 were returned as
SUCCESS-DID_OK by driver).

[mkp: clarified patch description]

Fixes: 1e793f6fc0db920400574211c48f9157a37e3945
Reported-by: Jens Axboe &lt;axboe@kernel.dk&gt;
CC: stable@vger.kernel.org
Signed-off-by: Kashyap Desai &lt;kashyap.desai@broadcom.com&gt;
Signed-off-by: Sumit Saxena &lt;sumit.saxena@broadcom.com&gt;
Tested-by: Sumit Saxena &lt;sumit.saxena@broadcom.com&gt;
Reviewed-by: Tomas Henzl &lt;thenzl@redhat.com&gt;
Tested-by: Jens Axboe &lt;axboe@fb.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 5e5ec1759dd663a1d5a2f10930224dd009e500e8 ]

This patch will fix regression caused by commit 1e793f6fc0db ("scsi:
megaraid_sas: Fix data integrity failure for JBOD (passthrough)
devices").

The problem was that the MEGASAS_IS_LOGICAL macro did not have braces
and as a result the driver ended up exposing a lot of non-existing SCSI
devices (all SCSI commands to channels 1,2,3 were returned as
SUCCESS-DID_OK by driver).

[mkp: clarified patch description]

Fixes: 1e793f6fc0db920400574211c48f9157a37e3945
Reported-by: Jens Axboe &lt;axboe@kernel.dk&gt;
CC: stable@vger.kernel.org
Signed-off-by: Kashyap Desai &lt;kashyap.desai@broadcom.com&gt;
Signed-off-by: Sumit Saxena &lt;sumit.saxena@broadcom.com&gt;
Tested-by: Sumit Saxena &lt;sumit.saxena@broadcom.com&gt;
Reviewed-by: Tomas Henzl &lt;thenzl@redhat.com&gt;
Tested-by: Jens Axboe &lt;axboe@fb.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer()</title>
<updated>2016-12-23T13:56:35+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@oracle.com</email>
</author>
<published>2016-12-14T12:24:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=8165fc3eb28cbd2e4cca07308f3a205ab347a9d1'/>
<id>8165fc3eb28cbd2e4cca07308f3a205ab347a9d1</id>
<content type='text'>
[ Upstream commit 7bc2b55a5c030685b399bb65b6baa9ccc3d1f167 ]

We need to put an upper bound on "user_len" so the memcpy() doesn't
overflow.

References: CVE-2016-7425
Cc: &lt;stable@vger.kernel.org&gt;
Reported-by: Marco Grassi &lt;marco.gra@gmail.com&gt;
Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Reviewed-by: Tomas Henzl &lt;thenzl@redhat.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Philipp Hahn &lt;hahn@univention.de&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 7bc2b55a5c030685b399bb65b6baa9ccc3d1f167 ]

We need to put an upper bound on "user_len" so the memcpy() doesn't
overflow.

References: CVE-2016-7425
Cc: &lt;stable@vger.kernel.org&gt;
Reported-by: Marco Grassi &lt;marco.gra@gmail.com&gt;
Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Reviewed-by: Tomas Henzl &lt;thenzl@redhat.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Philipp Hahn &lt;hahn@univention.de&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>scsi: arcmsr: Send SYNCHRONIZE_CACHE command to firmware</title>
<updated>2016-11-26T03:57:03+00:00</updated>
<author>
<name>Ching Huang</name>
<email>ching2048@areca.com.tw</email>
</author>
<published>2016-10-19T09:50:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=97d53c4d89e0f2833b932b8e3f0c2d7312a55b52'/>
<id>97d53c4d89e0f2833b932b8e3f0c2d7312a55b52</id>
<content type='text'>
[ Upstream commit 2bf7dc8443e113844d078fd6541b7f4aa544f92f ]

The arcmsr driver failed to pass SYNCHRONIZE CACHE to controller
firmware. Depending on how drive caches are handled internally by
controller firmware this could potentially lead to data integrity
problems.

Ensure that cache flushes are passed to the controller.

[mkp: applied by hand and removed unused vars]

Cc: &lt;stable@vger.kernel.org&gt;
Signed-off-by: Ching Huang &lt;ching2048@areca.com.tw&gt;
Reported-by: Tomas Henzl &lt;thenzl@redhat.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 2bf7dc8443e113844d078fd6541b7f4aa544f92f ]

The arcmsr driver failed to pass SYNCHRONIZE CACHE to controller
firmware. Depending on how drive caches are handled internally by
controller firmware this could potentially lead to data integrity
problems.

Ensure that cache flushes are passed to the controller.

[mkp: applied by hand and removed unused vars]

Cc: &lt;stable@vger.kernel.org&gt;
Signed-off-by: Ching Huang &lt;ching2048@areca.com.tw&gt;
Reported-by: Tomas Henzl &lt;thenzl@redhat.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>scsi: scsi_debug: Fix memory leak if LBP enabled and module is unloaded</title>
<updated>2016-11-26T03:57:03+00:00</updated>
<author>
<name>Ewan D. Milne</name>
<email>emilne@redhat.com</email>
</author>
<published>2016-10-26T15:22:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d207c6603fc6be402f6e75181c9dae0bfd585e56'/>
<id>d207c6603fc6be402f6e75181c9dae0bfd585e56</id>
<content type='text'>
[ Upstream commit 4d2b496f19f3c2cfaca1e8fa0710688b5ff3811d ]

map_storep was not being vfree()'d in the module_exit call.

Cc: &lt;stable@vger.kernel.org&gt;
Signed-off-by: Ewan D. Milne &lt;emilne@redhat.com&gt;
Reviewed-by: Laurence Oberman &lt;loberman@redhat.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 4d2b496f19f3c2cfaca1e8fa0710688b5ff3811d ]

map_storep was not being vfree()'d in the module_exit call.

Cc: &lt;stable@vger.kernel.org&gt;
Signed-off-by: Ewan D. Milne &lt;emilne@redhat.com&gt;
Reviewed-by: Laurence Oberman &lt;loberman@redhat.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>scsi: megaraid_sas: Fix data integrity failure for JBOD (passthrough) devices</title>
<updated>2016-11-26T03:57:02+00:00</updated>
<author>
<name>Kashyap Desai</name>
<email>kashyap.desai@broadcom.com</email>
</author>
<published>2016-10-21T13:33:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=9a9a2373142ac2c6fd9df9d038eb929b919e30d7'/>
<id>9a9a2373142ac2c6fd9df9d038eb929b919e30d7</id>
<content type='text'>
[ Upstream commit 1e793f6fc0db920400574211c48f9157a37e3945 ]

Commit 02b01e010afe ("megaraid_sas: return sync cache call with
success") modified the driver to successfully complete SYNCHRONIZE_CACHE
commands without passing them to the controller. Disk drive caches are
only explicitly managed by controller firmware when operating in RAID
mode. So this commit effectively disabled writeback cache flushing for
any drives used in JBOD mode, leading to data integrity failures.

[mkp: clarified patch description]

Fixes: 02b01e010afeeb49328d35650d70721d2ca3fd59
CC: stable@vger.kernel.org
Signed-off-by: Kashyap Desai &lt;kashyap.desai@broadcom.com&gt;
Signed-off-by: Sumit Saxena &lt;sumit.saxena@broadcom.com&gt;
Reviewed-by: Tomas Henzl &lt;thenzl@redhat.com&gt;
Reviewed-by: Hannes Reinecke &lt;hare@suse.com&gt;
Reviewed-by: Ewan D. Milne &lt;emilne@redhat.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 1e793f6fc0db920400574211c48f9157a37e3945 ]

Commit 02b01e010afe ("megaraid_sas: return sync cache call with
success") modified the driver to successfully complete SYNCHRONIZE_CACHE
commands without passing them to the controller. Disk drive caches are
only explicitly managed by controller firmware when operating in RAID
mode. So this commit effectively disabled writeback cache flushing for
any drives used in JBOD mode, leading to data integrity failures.

[mkp: clarified patch description]

Fixes: 02b01e010afeeb49328d35650d70721d2ca3fd59
CC: stable@vger.kernel.org
Signed-off-by: Kashyap Desai &lt;kashyap.desai@broadcom.com&gt;
Signed-off-by: Sumit Saxena &lt;sumit.saxena@broadcom.com&gt;
Reviewed-by: Tomas Henzl &lt;thenzl@redhat.com&gt;
Reviewed-by: Hannes Reinecke &lt;hare@suse.com&gt;
Reviewed-by: Ewan D. Milne &lt;emilne@redhat.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>scsi: Fix use-after-free</title>
<updated>2016-11-01T15:58:32+00:00</updated>
<author>
<name>Ming Lei</name>
<email>tom.leiming@gmail.com</email>
</author>
<published>2016-10-09T05:23:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a3da255ead60b6c3208eba3abfa536f32aa58f3a'/>
<id>a3da255ead60b6c3208eba3abfa536f32aa58f3a</id>
<content type='text'>
[ Upstream commit bcd8f2e94808fcddf6ef3af5f060a36820dcc432 ]

This patch fixes one use-after-free report[1] by KASAN.

In __scsi_scan_target(), when a type 31 device is probed,
SCSI_SCAN_TARGET_PRESENT is returned and the target will be scanned
again.

Inside the following scsi_report_lun_scan(), one new scsi_device
instance is allocated, and scsi_probe_and_add_lun() is called again to
probe the target and still see type 31 device, finally
__scsi_remove_device() is called to remove &amp; free the device at the end
of scsi_probe_and_add_lun(), so cause use-after-free in
scsi_report_lun_scan().

And the following SCSI log can be observed:

	scsi 0:0:2:0: scsi scan: INQUIRY pass 1 length 36
	scsi 0:0:2:0: scsi scan: INQUIRY successful with code 0x0
	scsi 0:0:2:0: scsi scan: peripheral device type of 31, no device added
	scsi 0:0:2:0: scsi scan: Sending REPORT LUNS to (try 0)
	scsi 0:0:2:0: scsi scan: REPORT LUNS successful (try 0) result 0x0
	scsi 0:0:2:0: scsi scan: REPORT LUN scan
	scsi 0:0:2:0: scsi scan: INQUIRY pass 1 length 36
	scsi 0:0:2:0: scsi scan: INQUIRY successful with code 0x0
	scsi 0:0:2:0: scsi scan: peripheral device type of 31, no device added
	BUG: KASAN: use-after-free in __scsi_scan_target+0xbf8/0xe40 at addr ffff88007b44a104

This patch fixes the issue by moving the putting reference at
the end of scsi_report_lun_scan().

[1] KASAN report
==================================================================
[    3.274597] PM: Adding info for serio:serio1
[    3.275127] BUG: KASAN: use-after-free in __scsi_scan_target+0xd87/0xdf0 at addr ffff880254d8c304
[    3.275653] Read of size 4 by task kworker/u10:0/27
[    3.275903] CPU: 3 PID: 27 Comm: kworker/u10:0 Not tainted 4.8.0 #2121
[    3.276258] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[    3.276797] Workqueue: events_unbound async_run_entry_fn
[    3.277083]  ffff880254d8c380 ffff880259a37870 ffffffff94bbc6c1 ffff880078402d80
[    3.277532]  ffff880254d8bb80 ffff880259a37898 ffffffff9459fec1 ffff880259a37930
[    3.277989]  ffff880254d8bb80 ffff880078402d80 ffff880259a37920 ffffffff945a0165
[    3.278436] Call Trace:
[    3.278528]  [&lt;ffffffff94bbc6c1&gt;] dump_stack+0x65/0x84
[    3.278797]  [&lt;ffffffff9459fec1&gt;] kasan_object_err+0x21/0x70
[    3.279063] device: 'psaux': device_add
[    3.279616]  [&lt;ffffffff945a0165&gt;] kasan_report_error+0x205/0x500
[    3.279651] PM: Adding info for No Bus:psaux
[    3.280202]  [&lt;ffffffff944ecd22&gt;] ? kfree_const+0x22/0x30
[    3.280486]  [&lt;ffffffff94bc2dc9&gt;] ? kobject_release+0x119/0x370
[    3.280805]  [&lt;ffffffff945a0543&gt;] __asan_report_load4_noabort+0x43/0x50
[    3.281170]  [&lt;ffffffff9507e1f7&gt;] ? __scsi_scan_target+0xd87/0xdf0
[    3.281506]  [&lt;ffffffff9507e1f7&gt;] __scsi_scan_target+0xd87/0xdf0
[    3.281848]  [&lt;ffffffff9507d470&gt;] ? scsi_add_device+0x30/0x30
[    3.282156]  [&lt;ffffffff94f7f660&gt;] ? pm_runtime_autosuspend_expiration+0x60/0x60
[    3.282570]  [&lt;ffffffff956ddb07&gt;] ? _raw_spin_lock+0x17/0x40
[    3.282880]  [&lt;ffffffff9507e505&gt;] scsi_scan_channel+0x105/0x160
[    3.283200]  [&lt;ffffffff9507e8a2&gt;] scsi_scan_host_selected+0x212/0x2f0
[    3.283563]  [&lt;ffffffff9507eb3c&gt;] do_scsi_scan_host+0x1bc/0x250
[    3.283882]  [&lt;ffffffff9507efc1&gt;] do_scan_async+0x41/0x450
[    3.284173]  [&lt;ffffffff941c1fee&gt;] async_run_entry_fn+0xfe/0x610
[    3.284492]  [&lt;ffffffff941a8954&gt;] ? pwq_dec_nr_in_flight+0x124/0x2a0
[    3.284876]  [&lt;ffffffff941d1770&gt;] ? preempt_count_add+0x130/0x160
[    3.285207]  [&lt;ffffffff941a9a84&gt;] process_one_work+0x544/0x12d0
[    3.285526]  [&lt;ffffffff941aa8e9&gt;] worker_thread+0xd9/0x12f0
[    3.285844]  [&lt;ffffffff941aa810&gt;] ? process_one_work+0x12d0/0x12d0
[    3.286182]  [&lt;ffffffff941bb365&gt;] kthread+0x1c5/0x260
[    3.286443]  [&lt;ffffffff940855cd&gt;] ? __switch_to+0x88d/0x1430
[    3.286745]  [&lt;ffffffff941bb1a0&gt;] ? kthread_worker_fn+0x5a0/0x5a0
[    3.287085]  [&lt;ffffffff956dde9f&gt;] ret_from_fork+0x1f/0x40
[    3.287368]  [&lt;ffffffff941bb1a0&gt;] ? kthread_worker_fn+0x5a0/0x5a0
[    3.287697] Object at ffff880254d8bb80, in cache kmalloc-2048 size: 2048
[    3.288064] Allocated:
[    3.288147] PID = 27
[    3.288218]  [&lt;ffffffff940b27ab&gt;] save_stack_trace+0x2b/0x50
[    3.288531]  [&lt;ffffffff9459f246&gt;] save_stack+0x46/0xd0
[    3.288806]  [&lt;ffffffff9459f4bd&gt;] kasan_kmalloc+0xad/0xe0
[    3.289098]  [&lt;ffffffff9459c07e&gt;] __kmalloc+0x13e/0x250
[    3.289378]  [&lt;ffffffff95078e5a&gt;] scsi_alloc_sdev+0xea/0xcf0
[    3.289701]  [&lt;ffffffff9507de76&gt;] __scsi_scan_target+0xa06/0xdf0
[    3.290034]  [&lt;ffffffff9507e505&gt;] scsi_scan_channel+0x105/0x160
[    3.290362]  [&lt;ffffffff9507e8a2&gt;] scsi_scan_host_selected+0x212/0x2f0
[    3.290724]  [&lt;ffffffff9507eb3c&gt;] do_scsi_scan_host+0x1bc/0x250
[    3.291055]  [&lt;ffffffff9507efc1&gt;] do_scan_async+0x41/0x450
[    3.291354]  [&lt;ffffffff941c1fee&gt;] async_run_entry_fn+0xfe/0x610
[    3.291695]  [&lt;ffffffff941a9a84&gt;] process_one_work+0x544/0x12d0
[    3.292022]  [&lt;ffffffff941aa8e9&gt;] worker_thread+0xd9/0x12f0
[    3.292325]  [&lt;ffffffff941bb365&gt;] kthread+0x1c5/0x260
[    3.292594]  [&lt;ffffffff956dde9f&gt;] ret_from_fork+0x1f/0x40
[    3.292886] Freed:
[    3.292945] PID = 27
[    3.293016]  [&lt;ffffffff940b27ab&gt;] save_stack_trace+0x2b/0x50
[    3.293327]  [&lt;ffffffff9459f246&gt;] save_stack+0x46/0xd0
[    3.293600]  [&lt;ffffffff9459fa61&gt;] kasan_slab_free+0x71/0xb0
[    3.293916]  [&lt;ffffffff9459bac2&gt;] kfree+0xa2/0x1f0
[    3.294168]  [&lt;ffffffff9508158a&gt;] scsi_device_dev_release_usercontext+0x50a/0x730
[    3.294598]  [&lt;ffffffff941ace9a&gt;] execute_in_process_context+0xda/0x130
[    3.294974]  [&lt;ffffffff9508107c&gt;] scsi_device_dev_release+0x1c/0x20
[    3.295322]  [&lt;ffffffff94f566f6&gt;] device_release+0x76/0x1e0
[    3.295626]  [&lt;ffffffff94bc2db7&gt;] kobject_release+0x107/0x370
[    3.295942]  [&lt;ffffffff94bc29ce&gt;] kobject_put+0x4e/0xa0
[    3.296222]  [&lt;ffffffff94f56e17&gt;] put_device+0x17/0x20
[    3.296497]  [&lt;ffffffff9505201c&gt;] scsi_device_put+0x7c/0xa0
[    3.296801]  [&lt;ffffffff9507e1bc&gt;] __scsi_scan_target+0xd4c/0xdf0
[    3.297132]  [&lt;ffffffff9507e505&gt;] scsi_scan_channel+0x105/0x160
[    3.297458]  [&lt;ffffffff9507e8a2&gt;] scsi_scan_host_selected+0x212/0x2f0
[    3.297829]  [&lt;ffffffff9507eb3c&gt;] do_scsi_scan_host+0x1bc/0x250
[    3.298156]  [&lt;ffffffff9507efc1&gt;] do_scan_async+0x41/0x450
[    3.298453]  [&lt;ffffffff941c1fee&gt;] async_run_entry_fn+0xfe/0x610
[    3.298777]  [&lt;ffffffff941a9a84&gt;] process_one_work+0x544/0x12d0
[    3.299105]  [&lt;ffffffff941aa8e9&gt;] worker_thread+0xd9/0x12f0
[    3.299408]  [&lt;ffffffff941bb365&gt;] kthread+0x1c5/0x260
[    3.299676]  [&lt;ffffffff956dde9f&gt;] ret_from_fork+0x1f/0x40
[    3.299967] Memory state around the buggy address:
[    3.300209]  ffff880254d8c200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[    3.300608]  ffff880254d8c280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[    3.300986] &gt;ffff880254d8c300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[    3.301408]                    ^
[    3.301550]  ffff880254d8c380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[    3.301987]  ffff880254d8c400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[    3.302396]
==================================================================

Cc: Christoph Hellwig &lt;hch@lst.de&gt;
Cc: stable@vger.kernel.org
Signed-off-by: Ming Lei &lt;tom.leiming@gmail.com&gt;
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit bcd8f2e94808fcddf6ef3af5f060a36820dcc432 ]

This patch fixes one use-after-free report[1] by KASAN.

In __scsi_scan_target(), when a type 31 device is probed,
SCSI_SCAN_TARGET_PRESENT is returned and the target will be scanned
again.

Inside the following scsi_report_lun_scan(), one new scsi_device
instance is allocated, and scsi_probe_and_add_lun() is called again to
probe the target and still see type 31 device, finally
__scsi_remove_device() is called to remove &amp; free the device at the end
of scsi_probe_and_add_lun(), so cause use-after-free in
scsi_report_lun_scan().

And the following SCSI log can be observed:

	scsi 0:0:2:0: scsi scan: INQUIRY pass 1 length 36
	scsi 0:0:2:0: scsi scan: INQUIRY successful with code 0x0
	scsi 0:0:2:0: scsi scan: peripheral device type of 31, no device added
	scsi 0:0:2:0: scsi scan: Sending REPORT LUNS to (try 0)
	scsi 0:0:2:0: scsi scan: REPORT LUNS successful (try 0) result 0x0
	scsi 0:0:2:0: scsi scan: REPORT LUN scan
	scsi 0:0:2:0: scsi scan: INQUIRY pass 1 length 36
	scsi 0:0:2:0: scsi scan: INQUIRY successful with code 0x0
	scsi 0:0:2:0: scsi scan: peripheral device type of 31, no device added
	BUG: KASAN: use-after-free in __scsi_scan_target+0xbf8/0xe40 at addr ffff88007b44a104

This patch fixes the issue by moving the putting reference at
the end of scsi_report_lun_scan().

[1] KASAN report
==================================================================
[    3.274597] PM: Adding info for serio:serio1
[    3.275127] BUG: KASAN: use-after-free in __scsi_scan_target+0xd87/0xdf0 at addr ffff880254d8c304
[    3.275653] Read of size 4 by task kworker/u10:0/27
[    3.275903] CPU: 3 PID: 27 Comm: kworker/u10:0 Not tainted 4.8.0 #2121
[    3.276258] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[    3.276797] Workqueue: events_unbound async_run_entry_fn
[    3.277083]  ffff880254d8c380 ffff880259a37870 ffffffff94bbc6c1 ffff880078402d80
[    3.277532]  ffff880254d8bb80 ffff880259a37898 ffffffff9459fec1 ffff880259a37930
[    3.277989]  ffff880254d8bb80 ffff880078402d80 ffff880259a37920 ffffffff945a0165
[    3.278436] Call Trace:
[    3.278528]  [&lt;ffffffff94bbc6c1&gt;] dump_stack+0x65/0x84
[    3.278797]  [&lt;ffffffff9459fec1&gt;] kasan_object_err+0x21/0x70
[    3.279063] device: 'psaux': device_add
[    3.279616]  [&lt;ffffffff945a0165&gt;] kasan_report_error+0x205/0x500
[    3.279651] PM: Adding info for No Bus:psaux
[    3.280202]  [&lt;ffffffff944ecd22&gt;] ? kfree_const+0x22/0x30
[    3.280486]  [&lt;ffffffff94bc2dc9&gt;] ? kobject_release+0x119/0x370
[    3.280805]  [&lt;ffffffff945a0543&gt;] __asan_report_load4_noabort+0x43/0x50
[    3.281170]  [&lt;ffffffff9507e1f7&gt;] ? __scsi_scan_target+0xd87/0xdf0
[    3.281506]  [&lt;ffffffff9507e1f7&gt;] __scsi_scan_target+0xd87/0xdf0
[    3.281848]  [&lt;ffffffff9507d470&gt;] ? scsi_add_device+0x30/0x30
[    3.282156]  [&lt;ffffffff94f7f660&gt;] ? pm_runtime_autosuspend_expiration+0x60/0x60
[    3.282570]  [&lt;ffffffff956ddb07&gt;] ? _raw_spin_lock+0x17/0x40
[    3.282880]  [&lt;ffffffff9507e505&gt;] scsi_scan_channel+0x105/0x160
[    3.283200]  [&lt;ffffffff9507e8a2&gt;] scsi_scan_host_selected+0x212/0x2f0
[    3.283563]  [&lt;ffffffff9507eb3c&gt;] do_scsi_scan_host+0x1bc/0x250
[    3.283882]  [&lt;ffffffff9507efc1&gt;] do_scan_async+0x41/0x450
[    3.284173]  [&lt;ffffffff941c1fee&gt;] async_run_entry_fn+0xfe/0x610
[    3.284492]  [&lt;ffffffff941a8954&gt;] ? pwq_dec_nr_in_flight+0x124/0x2a0
[    3.284876]  [&lt;ffffffff941d1770&gt;] ? preempt_count_add+0x130/0x160
[    3.285207]  [&lt;ffffffff941a9a84&gt;] process_one_work+0x544/0x12d0
[    3.285526]  [&lt;ffffffff941aa8e9&gt;] worker_thread+0xd9/0x12f0
[    3.285844]  [&lt;ffffffff941aa810&gt;] ? process_one_work+0x12d0/0x12d0
[    3.286182]  [&lt;ffffffff941bb365&gt;] kthread+0x1c5/0x260
[    3.286443]  [&lt;ffffffff940855cd&gt;] ? __switch_to+0x88d/0x1430
[    3.286745]  [&lt;ffffffff941bb1a0&gt;] ? kthread_worker_fn+0x5a0/0x5a0
[    3.287085]  [&lt;ffffffff956dde9f&gt;] ret_from_fork+0x1f/0x40
[    3.287368]  [&lt;ffffffff941bb1a0&gt;] ? kthread_worker_fn+0x5a0/0x5a0
[    3.287697] Object at ffff880254d8bb80, in cache kmalloc-2048 size: 2048
[    3.288064] Allocated:
[    3.288147] PID = 27
[    3.288218]  [&lt;ffffffff940b27ab&gt;] save_stack_trace+0x2b/0x50
[    3.288531]  [&lt;ffffffff9459f246&gt;] save_stack+0x46/0xd0
[    3.288806]  [&lt;ffffffff9459f4bd&gt;] kasan_kmalloc+0xad/0xe0
[    3.289098]  [&lt;ffffffff9459c07e&gt;] __kmalloc+0x13e/0x250
[    3.289378]  [&lt;ffffffff95078e5a&gt;] scsi_alloc_sdev+0xea/0xcf0
[    3.289701]  [&lt;ffffffff9507de76&gt;] __scsi_scan_target+0xa06/0xdf0
[    3.290034]  [&lt;ffffffff9507e505&gt;] scsi_scan_channel+0x105/0x160
[    3.290362]  [&lt;ffffffff9507e8a2&gt;] scsi_scan_host_selected+0x212/0x2f0
[    3.290724]  [&lt;ffffffff9507eb3c&gt;] do_scsi_scan_host+0x1bc/0x250
[    3.291055]  [&lt;ffffffff9507efc1&gt;] do_scan_async+0x41/0x450
[    3.291354]  [&lt;ffffffff941c1fee&gt;] async_run_entry_fn+0xfe/0x610
[    3.291695]  [&lt;ffffffff941a9a84&gt;] process_one_work+0x544/0x12d0
[    3.292022]  [&lt;ffffffff941aa8e9&gt;] worker_thread+0xd9/0x12f0
[    3.292325]  [&lt;ffffffff941bb365&gt;] kthread+0x1c5/0x260
[    3.292594]  [&lt;ffffffff956dde9f&gt;] ret_from_fork+0x1f/0x40
[    3.292886] Freed:
[    3.292945] PID = 27
[    3.293016]  [&lt;ffffffff940b27ab&gt;] save_stack_trace+0x2b/0x50
[    3.293327]  [&lt;ffffffff9459f246&gt;] save_stack+0x46/0xd0
[    3.293600]  [&lt;ffffffff9459fa61&gt;] kasan_slab_free+0x71/0xb0
[    3.293916]  [&lt;ffffffff9459bac2&gt;] kfree+0xa2/0x1f0
[    3.294168]  [&lt;ffffffff9508158a&gt;] scsi_device_dev_release_usercontext+0x50a/0x730
[    3.294598]  [&lt;ffffffff941ace9a&gt;] execute_in_process_context+0xda/0x130
[    3.294974]  [&lt;ffffffff9508107c&gt;] scsi_device_dev_release+0x1c/0x20
[    3.295322]  [&lt;ffffffff94f566f6&gt;] device_release+0x76/0x1e0
[    3.295626]  [&lt;ffffffff94bc2db7&gt;] kobject_release+0x107/0x370
[    3.295942]  [&lt;ffffffff94bc29ce&gt;] kobject_put+0x4e/0xa0
[    3.296222]  [&lt;ffffffff94f56e17&gt;] put_device+0x17/0x20
[    3.296497]  [&lt;ffffffff9505201c&gt;] scsi_device_put+0x7c/0xa0
[    3.296801]  [&lt;ffffffff9507e1bc&gt;] __scsi_scan_target+0xd4c/0xdf0
[    3.297132]  [&lt;ffffffff9507e505&gt;] scsi_scan_channel+0x105/0x160
[    3.297458]  [&lt;ffffffff9507e8a2&gt;] scsi_scan_host_selected+0x212/0x2f0
[    3.297829]  [&lt;ffffffff9507eb3c&gt;] do_scsi_scan_host+0x1bc/0x250
[    3.298156]  [&lt;ffffffff9507efc1&gt;] do_scan_async+0x41/0x450
[    3.298453]  [&lt;ffffffff941c1fee&gt;] async_run_entry_fn+0xfe/0x610
[    3.298777]  [&lt;ffffffff941a9a84&gt;] process_one_work+0x544/0x12d0
[    3.299105]  [&lt;ffffffff941aa8e9&gt;] worker_thread+0xd9/0x12f0
[    3.299408]  [&lt;ffffffff941bb365&gt;] kthread+0x1c5/0x260
[    3.299676]  [&lt;ffffffff956dde9f&gt;] ret_from_fork+0x1f/0x40
[    3.299967] Memory state around the buggy address:
[    3.300209]  ffff880254d8c200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[    3.300608]  ffff880254d8c280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[    3.300986] &gt;ffff880254d8c300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[    3.301408]                    ^
[    3.301550]  ffff880254d8c380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[    3.301987]  ffff880254d8c400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[    3.302396]
==================================================================

Cc: Christoph Hellwig &lt;hch@lst.de&gt;
Cc: stable@vger.kernel.org
Signed-off-by: Ming Lei &lt;tom.leiming@gmail.com&gt;
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>scsi: fix upper bounds check of sense key in scsi_sense_key_string()</title>
<updated>2016-10-02T16:47:43+00:00</updated>
<author>
<name>Tyrel Datwyler</name>
<email>tyreld@linux.vnet.ibm.com</email>
</author>
<published>2016-08-12T22:20:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=0dd4c68f4a9d5629fdb3e966a25bb52461c0970e'/>
<id>0dd4c68f4a9d5629fdb3e966a25bb52461c0970e</id>
<content type='text'>
[ Upstream commit a87eeb900dbb9f8202f96604d56e47e67c936b9d ]

Commit 655ee63cf371 ("scsi constants: command, sense key + additional
sense string") added a "Completed" sense string with key 0xF to
snstext[], but failed to updated the upper bounds check of the sense key
in scsi_sense_key_string().

Fixes: 655ee63cf371 ("[SCSI] scsi constants: command, sense key + additional sense strings")
Cc: &lt;stable@vger.kernel.org&gt; # v3.12+
Signed-off-by: Tyrel Datwyler &lt;tyreld@linux.vnet.ibm.com&gt;
Reviewed-by: Bart Van Assche &lt;bart.vanassche@sandisk.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit a87eeb900dbb9f8202f96604d56e47e67c936b9d ]

Commit 655ee63cf371 ("scsi constants: command, sense key + additional
sense string") added a "Completed" sense string with key 0xF to
snstext[], but failed to updated the upper bounds check of the sense key
in scsi_sense_key_string().

Fixes: 655ee63cf371 ("[SCSI] scsi constants: command, sense key + additional sense strings")
Cc: &lt;stable@vger.kernel.org&gt; # v3.12+
Signed-off-by: Tyrel Datwyler &lt;tyreld@linux.vnet.ibm.com&gt;
Reviewed-by: Bart Van Assche &lt;bart.vanassche@sandisk.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
