linux-toradex.git/drivers/scsi, branch v3.10.2 Linux kernel for Apalis and Colibri modules SCSI: sd: Fix parsing of 'temporary ' cache mode prefix 2013-07-13T18:42:27+00:00 Ben Hutchings ben@decadent.org.uk 2013-05-27T18:07:19+00:00 312cf3e4cf531e1f729624464bce7542025f7cbe commit 2ee3e26c673e75c05ef8b914f54fadee3d7b9c88 upstream. Commit 39c60a0948cc '[SCSI] sd: fix array cache flushing bug causing performance problems' added temp as a pointer to "temporary " and used sizeof(temp) - 1 as its length. But sizeof(temp) is the size of the pointer, not the size of the string constant. Change temp to a static array so that sizeof() does what was intended. Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Signed-off-by: James Bottomley <JBottomley@Parallels.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 2ee3e26c673e75c05ef8b914f54fadee3d7b9c88 upstream.

Commit 39c60a0948cc '[SCSI] sd: fix array cache flushing bug causing
performance problems' added temp as a pointer to "temporary " and used
sizeof(temp) - 1 as its length.  But sizeof(temp) is the size of the
pointer, not the size of the string constant.  Change temp to a static
array so that sizeof() does what was intended.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
block: do not pass disk names as format strings 2013-07-13T18:42:26+00:00 Kees Cook keescook@chromium.org 2013-07-03T22:01:14+00:00 88ce7cf76ced99962699d0ebb4d47d6a88b94c29 commit ffc8b30866879ed9ba62bd0a86fecdbd51cd3d19 upstream. Disk names may contain arbitrary strings, so they must not be interpreted as format strings. It seems that only md allows arbitrary strings to be used for disk names, but this could allow for a local memory corruption from uid 0 into ring 0. CVE-2013-2851 Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Jens Axboe <axboe@kernel.dk> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit ffc8b30866879ed9ba62bd0a86fecdbd51cd3d19 upstream.

Disk names may contain arbitrary strings, so they must not be
interpreted as format strings.  It seems that only md allows arbitrary
strings to be used for disk names, but this could allow for a local
memory corruption from uid 0 into ring 0.

CVE-2013-2851

Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Merge tag 'fcoe1' into fixes 2013-06-27T06:08:22+00:00 James Bottomley JBottomley@Parallels.com 2013-06-27T06:08:22+00:00 a9e94ec3504ead4b87a929bc57f5aa99a6590437 This patch fixes a critical bug that was introduced in 3.9 related to VLAN tagging FCoE frames. 
This patch fixes a critical bug that was introduced in 3.9
related to VLAN tagging FCoE frames.
Merge tag 'fcoe' into fixes 2013-06-27T06:07:53+00:00 James Bottomley JBottomley@Parallels.com 2013-06-27T06:07:53+00:00 36a279686bc02d340eb213a9f2a0b67e50de64b4 3.10 fixes 
3.10 fixes
fcoe: Use correct API to set vlan tag for FCoE Ethertype skbs 2013-06-25T19:23:19+00:00 Robert Love robert.w.love@intel.com 2013-06-19T01:56:54+00:00 2884d4230867c8a46cf701214051e923301e7429 fcoe_xmit was coded such that it would skip the vlan net device/layer and instead set some vlan flags and transmit on the real net device. The real net device has code that would add the vlan tag for fcoe skbs. This avoids some extra processing for data frames and provides a small performance improvement. Since fcoe_xmit was not using the vlan net device, __vlan_put_tag within the real net device's xmit routine was ultimately being called to set the vlan tag. With the below change the behavior of __vlan_put_tag changed slightly, it now sets the skb->protocol = vlan_proto. vlan_proto was not a field being set by fcoe_xmit, so the skb->protocol is now not being set to ETH_P_8021Q, as it should be. This patch converts fcoe_xmit to use the vlan_put_tag routine which will tag the skb and fcoe will continue to transmit fcoe skbs on the real net device. For reference, the below change was the one that altered the __vlan_put_tag behavior. commit 86a9bad3ab6b6f858fd4443b48738cabbb6d094c Author: Patrick McHardy <kaber@trash.net> Date: Fri Apr 19 02:04:30 2013 +0000 net: vlan: add protocol argument to packet tagging functions Add a protocol argument to the VLAN packet tagging functions. In case of HW tagging, we need that protocol available in the ndo_start_xmit functions, so it is stored in a new field in the skb. The new field fits into a hole (on 64 bit) and doesn't increase the sks's size. Signed-off-by: Robert Love <robert.w.love@intel.com> Acked-by: Neil Horman <nhorman@tuxdriver.com> Acked-by: John Fastabend <john.r.fastabend@intel.com> 
fcoe_xmit was coded such that it would skip the vlan net device/layer
and instead set some vlan flags and transmit on the real net device.
The real net device has code that would add the vlan tag for fcoe skbs.
This avoids some extra processing for data frames and provides a small
performance improvement.

Since fcoe_xmit was not using the vlan net device, __vlan_put_tag
within the real net device's xmit routine was ultimately being
called to set the vlan tag.

With the below change the behavior of __vlan_put_tag changed slightly,
it now sets the skb->protocol = vlan_proto. vlan_proto was not a field
being set by fcoe_xmit, so the skb->protocol is now not being set to
ETH_P_8021Q, as it should be.

This patch converts fcoe_xmit to use the vlan_put_tag routine which
will tag the skb and fcoe will continue to transmit fcoe skbs on the
real net device.

For reference, the below change was the one that altered the
__vlan_put_tag behavior.

  commit 86a9bad3ab6b6f858fd4443b48738cabbb6d094c
  Author: Patrick McHardy <kaber@trash.net>
  Date:   Fri Apr 19 02:04:30 2013 +0000

      net: vlan: add protocol argument to packet tagging functions

      Add a protocol argument to the VLAN packet tagging functions. In case of HW
      tagging, we need that protocol available in the ndo_start_xmit functions,
      so it is stored in a new field in the skb. The new field fits into a hole
      (on 64 bit) and doesn't increase the sks's size.

Signed-off-by: Robert Love <robert.w.love@intel.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: John Fastabend <john.r.fastabend@intel.com>
Merge git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2013-06-22T18:54:06+00:00 Linus Torvalds torvalds@linux-foundation.org 2013-06-22T18:54:06+00:00 67e5b2fad4e9848a954fd97de0509ec5cb6e6d47 Pull SCSI target fixes from Nicholas Bellinger: "Included is the recent tcm_qla2xxx residual underrun length fix from Roland, along with Joern's iscsi-target patch for session_lock breakage within iscsit_stop_time2retain_timer() code. Both are CC'ed to stable. The remaining two are specific to recent iscsi-target + iser conversion changes. One drops some left-over debug noise, and Andy's patch fixes configfs attribute handling during an explicit network portal feature bit disable when iser-target is unsupported." * git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending: iscsi-target: Remove left over v3.10-rc debug printks target/iscsi: Fix op=disable + error handling cases in np_store_iser tcm_qla2xxx: Fix residual for underrun commands that fail target/iscsi: don't corrupt bh_count in iscsit_stop_time2retain_timer() 
Pull SCSI target fixes from Nicholas Bellinger:
 "Included is the recent tcm_qla2xxx residual underrun length fix from
  Roland, along with Joern's iscsi-target patch for session_lock
  breakage within iscsit_stop_time2retain_timer() code.  Both are CC'ed
  to stable.

  The remaining two are specific to recent iscsi-target + iser
  conversion changes.  One drops some left-over debug noise, and Andy's
  patch fixes configfs attribute handling during an explicit network
  portal feature bit disable when iser-target is unsupported."

* git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending:
  iscsi-target: Remove left over v3.10-rc debug printks
  target/iscsi: Fix op=disable + error handling cases in np_store_iser
  tcm_qla2xxx: Fix residual for underrun commands that fail
  target/iscsi: don't corrupt bh_count in iscsit_stop_time2retain_timer()
lseek(fd, n, SEEK_END) does *not* go to eof - n 2013-06-16T18:10:53+00:00 Al Viro viro@ZenIV.linux.org.uk 2013-06-16T17:06:06+00:00 8177a9d79c0e942dcac3312f15585d0344d505a5 When you copy some code, you are supposed to read it. If nothing else, there's a chance to spot and fix an obvious bug instead of sharing it... X-Song: "I Got It From Agnes", by Tom Lehrer Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> [ Tom Lehrer? You're dating yourself, Al ] Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 
When you copy some code, you are supposed to read it.  If nothing else,
there's a chance to spot and fix an obvious bug instead of sharing it...

X-Song: "I Got It From Agnes", by Tom Lehrer
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[ Tom Lehrer? You're dating yourself, Al ]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
tcm_qla2xxx: Fix residual for underrun commands that fail 2013-06-14T08:12:56+00:00 Roland Dreier roland@purestorage.com 2013-06-05T16:54:17+00:00 b5aff3d2747bea08b386edd070941a45611ffe51 Suppose an initiator sends a DATA IN command with an allocation length shorter than the FC transfer length -- we get a target message like TARGET_CORE[qla2xxx]: Expected Transfer Length: 256 does not match SCSI CDB Length: 0 for SAM Opcode: 0x12 In that case, the target core adjusts the data_length and sets se_cmd->residual_count for the underrun. But now suppose that command fails and we end up in tcm_qla2xxx_queue_status() -- that function unconditionally overwrites residual_count with the already adjusted data_length, and the initiator will burp with a message like qla2xxx [0000:00:06.0]-301d:0: Dropped frame(s) detected (0x100 of 0x100 bytes). Fix this by adding on to the existing underflow residual count instead. Signed-off-by: Roland Dreier <roland@purestorage.com> Cc: Giridhar Malavali <giridhar.malavali@qlogic.com> Cc: Chad Dupuis <chad.dupuis@qlogic.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org> 
Suppose an initiator sends a DATA IN command with an allocation length
shorter than the FC transfer length -- we get a target message like

    TARGET_CORE[qla2xxx]: Expected Transfer Length: 256 does not match SCSI CDB Length: 0 for SAM Opcode: 0x12

In that case, the target core adjusts the data_length and sets
se_cmd->residual_count for the underrun.  But now suppose that command
fails and we end up in tcm_qla2xxx_queue_status() -- that function
unconditionally overwrites residual_count with the already adjusted
data_length, and the initiator will burp with a message like

    qla2xxx [0000:00:06.0]-301d:0: Dropped frame(s) detected (0x100 of 0x100 bytes).

Fix this by adding on to the existing underflow residual count instead.

Signed-off-by: Roland Dreier <roland@purestorage.com>
Cc: Giridhar Malavali <giridhar.malavali@qlogic.com>
Cc: Chad Dupuis <chad.dupuis@qlogic.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Merge git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2013-06-01T11:05:20+00:00 Linus Torvalds torvalds@linux-foundation.org 2013-06-01T11:05:20+00:00 008bd2de940114a2d781b2efdd1a34a0fcf0f7ec Pull scsi target fixes from Nicholas Bellinger: "The highlights include: - Re-instate sess->wait_list in target_wait_for_sess_cmds() for active I/O shutdown handling in fabrics using se_cmd->cmd_kref - Make ib_srpt call target_sess_cmd_list_set_waiting() during session shutdown - Fix FILEIO off-by-one READ_CAPACITY bug for !S_ISBLK export - Fix iscsi-target login error heap buffer overflow (Kees) - Fix iscsi-target active I/O shutdown handling regression in v3.10-rc1 A big thanks to Kees Cook for fixing a long standing login error buffer overflow bug. All patches are CC'ed to stable with the exception of the v3.10-rc1 specific regression + other minor target cleanup." * git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending: iscsi-target: Fix iscsit_free_cmd() se_cmd->cmd_kref shutdown handling target: Propigate up ->cmd_kref put return via transport_generic_free_cmd iscsi-target: fix heap buffer overflow on error target/file: Fix off-by-one READ_CAPACITY bug for !S_ISBLK export ib_srpt: Call target_sess_cmd_list_set_waiting during shutdown_session target: Re-instate sess_wait_list for target_wait_for_sess_cmds target: Remove unused wait_for_tasks bit in target_wait_for_sess_cmds 
Pull scsi target fixes from Nicholas Bellinger:
 "The highlights include:

   - Re-instate sess->wait_list in target_wait_for_sess_cmds() for
     active I/O shutdown handling in fabrics using se_cmd->cmd_kref
   - Make ib_srpt call target_sess_cmd_list_set_waiting() during session
     shutdown
   - Fix FILEIO off-by-one READ_CAPACITY bug for !S_ISBLK export
   - Fix iscsi-target login error heap buffer overflow (Kees)
   - Fix iscsi-target active I/O shutdown handling regression in
     v3.10-rc1

  A big thanks to Kees Cook for fixing a long standing login error
  buffer overflow bug.

  All patches are CC'ed to stable with the exception of the v3.10-rc1
  specific regression + other minor target cleanup."

* git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending:
  iscsi-target: Fix iscsit_free_cmd() se_cmd->cmd_kref shutdown handling
  target: Propigate up ->cmd_kref put return via transport_generic_free_cmd
  iscsi-target: fix heap buffer overflow on error
  target/file: Fix off-by-one READ_CAPACITY bug for !S_ISBLK export
  ib_srpt: Call target_sess_cmd_list_set_waiting during shutdown_session
  target: Re-instate sess_wait_list for target_wait_for_sess_cmds
  target: Remove unused wait_for_tasks bit in target_wait_for_sess_cmds
fix buffer leak after "scsi: saner replacements for ->proc_info()" 2013-05-31T19:16:51+00:00 Jan Beulich JBeulich@suse.com 2013-05-29T12:26:53+00:00 801d9d26bfd6e88e9cf0efbb30b649d1bdc15dcf That patch failed to set proc_scsi_fops' .release method. Signed-off-by: Jan Beulich <jbeulich@suse.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
That patch failed to set proc_scsi_fops' .release method.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>