
Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

Pull SCSI fixes from James Bottomley:
"Six fairly small fixes. The ipr, mpt3sas and ses ones all trigger
oopses. The megaraid one fixes an attach failure on io mapped only
cards, the fcoe one is an obvious problem in the error path and the
aacraid one is a theoretical security issue (ability to trick the
kernel into a buffer overrun)"

* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
ses: Fix racy cleanup of /sys in remove_dev()
mpt3sas: Fix resume on WarpDrive flash cards
ipr: Fix sync scsi scan
megaraid_sas: Fix probing cards without io port
aacraid: Check size values after double-fetch from user
fcoe: Use kfree_skb() instead of kfree()

+29 -19
+11 -2
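--- a/drivers/scsi/aacraid/commctrl.c
+++ b/drivers/scsi/aacraid/commctrl.c
@@ -63,7 +63,7 @@
 struct fib *fibptr;
 struct hw_fib * hw_fib = (struct hw_fib *)0;
 dma_addr_t hw_fib_pa = (dma_addr_t)0LL;
-unsigned size;
+unsigned int size, osize;
 int retval;
 
 if (dev->in_reset) {
@@ -87,7 +87,8 @@
 * will not overrun the buffer when we copy the memory. Return
 * an error if we would.
 */
-size = le16_to_cpu(kfib->header.Size) + sizeof(struct aac_fibhdr);
+osize = size = le16_to_cpu(kfib->header.Size) +
+sizeof(struct aac_fibhdr);
 if (size < le16_to_cpu(kfib->header.SenderSize))
 size = le16_to_cpu(kfib->header.SenderSize);
 if (size > dev->max_fib_size) {
@@ -115,6 +116,14 @@
 
 if (copy_from_user(kfib, arg, size)) {
 retval = -EFAULT;
+goto cleanup;
+}
+
+/* Sanity check the second copy */
+if ((osize != le16_to_cpu(kfib->header.Size) +
+sizeof(struct aac_fibhdr))
+|| (size < le16_to_cpu(kfib->header.SenderSize))) {
+retval = -EINVAL;
 goto cleanup;
 }
 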
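Review bot: The new check after the second `copy_from_user()` is labelled only `/* Sanity check the second copy */`, which does not tell a maintainer why the header is validated twice. I would expand the comment to say that the FIB header is fetched from user memory a second time by the full-size copy, that another thread can rewrite `header.Size` and `header.SenderSize` between the two fetches, and that `size` is the bound chosen from the first fetch. The check covers those two fields only, so any other `kfib->header` field consumed later in this function (outside the hunks) is still taken from the second fetch and deserves the same scrutiny. Copying only the bytes that follow `sizeof(struct aac_fibhdr)` on the second fetch, and keeping the header from the first, would close the window rather than detect it; whether the buffer layout allows that is not visible here.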
+1 -1
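--- a/drivers/scsi/fcoe/fcoe_ctlr.c
+++ b/drivers/scsi/fcoe/fcoe_ctlr.c
@@ -2923,7 +2923,7 @@
 mutex_unlock(&fip->ctlr_mutex);
 
 drop:
-kfree(skb);
+kfree_skb(skb);
 return rc;
 }
 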
+3 -3
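--- a/drivers/scsi/megaraid/megaraid_sas_base.c
+++ b/drivers/scsi/megaraid/megaraid_sas_base.c
@@ -5037,7 +5037,7 @@
 /* Find first memory bar */
 bar_list = pci_select_bars(instance->pdev, IORESOURCE_MEM);
 instance->bar = find_first_bit(&bar_list, sizeof(unsigned long));
-if (pci_request_selected_regions(instance->pdev, instance->bar,
+if (pci_request_selected_regions(instance->pdev, 1<<instance->bar,
 "megasas: LSI")) {
 dev_printk(KERN_DEBUG, &instance->pdev->dev, "IO memory region busy!\n");
 return -EBUSY;
@@ -5339,7 +5339,7 @@
 iounmap(instance->reg_set);
 
 fail_ioremap:
-pci_release_selected_regions(instance->pdev, instance->bar);
+pci_release_selected_regions(instance->pdev, 1<<instance->bar);
 
 return -EINVAL;
 }
@@ -5360,7 +5360,7 @@
 
 iounmap(instance->reg_set);
 
-pci_release_selected_regions(instance->pdev, instance->bar);
+pci_release_selected_regions(instance->pdev, 1<<instance->bar);
 }
 
 /**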
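Review bot: Nothing in the first hunk checks that a memory BAR was actually found before the new `1<<instance->bar` mask is built, and the context line `find_first_bit(&bar_list, sizeof(unsigned long))` passes a byte count where the function expects a bit count. find_first_bit() returns its size argument when no bit is set, so an empty `bar_list` would produce a mask that names no standard BAR and the request would not reserve the region that is mapped afterwards. A guard before the request, for example `if (!bar_list) return -ENODEV;`, would make that case fail explicitly; the declared type of `bar_list` is outside the hunk and should be confirmed to match the `unsigned long *` that find_first_bit() takes. The same `1<<instance->bar` expression is repeated in the two release hunks here and in megaraid_sas_fusion.c, so storing the mask once (or a small helper) would keep request and release from drifting apart.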
+1 -1
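--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c
+++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c
@@ -2603,7 +2603,7 @@
 
 iounmap(instance->reg_set);
 
-pci_release_selected_regions(instance->pdev, instance->bar);
+pci_release_selected_regions(instance->pdev, 1<<instance->bar);
 }
 
 /**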
+11 -11
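--- a/drivers/scsi/mpt3sas/mpt3sas_base.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_base.c
@@ -2188,6 +2188,17 @@
 } else
 ioc->msix96_vector = 0;
 
+if (ioc->is_warpdrive) {
+ioc->reply_post_host_index[0] = (resource_size_t __iomem *)
+&ioc->chip->ReplyPostHostIndex;
+
+for (i = 1; i < ioc->cpu_msix_table_sz; i++)
+ioc->reply_post_host_index[i] =
+(resource_size_t __iomem *)
+((u8 __iomem *)&ioc->chip->Doorbell + (0x4000 + ((i - 1)
+* 4)));
+}
+
 list_for_each_entry(reply_q, &ioc->reply_queue_list, list)
 pr_info(MPT3SAS_FMT "%s: IRQ %d\n",
 reply_q->name, ((ioc->msix_enable) ? "PCI-MSI-X enabled" :
@@ -5279,17 +5290,6 @@
 r = mpt3sas_base_map_resources(ioc);
 if (r)
 goto out_free_resources;
-
-if (ioc->is_warpdrive) {
-ioc->reply_post_host_index[0] = (resource_size_t __iomem *)
-&ioc->chip->ReplyPostHostIndex;
-
-for (i = 1; i < ioc->cpu_msix_table_sz; i++)
-ioc->reply_post_host_index[i] =
-(resource_size_t __iomem *)
-((u8 __iomem *)&ioc->chip->Doorbell + (0x4000 + ((i - 1)
-* 4)));
-}
 
 pci_set_drvdata(ioc->pdev, ioc->shost);
 r = _base_get_ioc_facts(ioc, CAN_SLEEP);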
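Review bot: The WarpDrive block added in the first hunk has no comment saying why it now sits in the resource-mapping path, so a later cleanup could move it back to the attach-only location it was removed from in the second hunk. A short comment above it would record the dependency, for example `/* WarpDrive: these addresses derive from ioc->chip, so recompute them every time resources are mapped */`; that this path also runs on resume is inferred from the commit title, not visible here. The `0x4000` offset and the `* 4` stride are unexplained literals and would read better as named constants. The loop writes `reply_post_host_index[i]` for every `i` below `ioc->cpu_msix_table_sz`; the allocation of that array is outside both hunks, so it is worth confirming it is sized for that bound on every path that reaches the mapping function.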
+2 -1
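--- a/drivers/scsi/ses.c
+++ b/drivers/scsi/ses.c
@@ -778,6 +778,8 @@
 if (!edev)
 return;
 
+enclosure_unregister(edev);
+
 ses_dev = edev->scratch;
 edev->scratch = NULL;
 
@@ -789,7 +791,6 @@
 kfree(edev->component[0].scratch);
 
 put_device(&edev->edev);
-enclosure_unregister(edev);
 }
 
 static void ses_intf_remove(struct device *cdev,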
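Review bot: The new ordering is load-bearing but undocumented: `enclosure_unregister(edev)` now runs before `edev->scratch` and `edev->component[0].scratch` are cleared and freed, and `edev` is still dereferenced afterwards. A comment above the call would keep that from being reordered again, for example `/* Unregister first so the sysfs attributes are gone before the scratch buffers they read are freed */`. It should also state that `edev` stays valid after unregistering only because of the reference that `put_device(&edev->edev)` drops at the end; where that reference is taken is outside the hunks and presumably the lookup that produced `edev`. The function begins before the first hunk, so the lookup and the early-return path should be checked against that assumption.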