- 06 Dec, 2023 4 commits
-
-
Kees Cook authored
strlcpy() reads the entire source buffer first. This read may exceed the destination size limit. This is both inefficient and can lead to linear read overflows if a source string is not NUL-terminated[1]. Additionally, it returns the size of the source string, not the resulting size of the destination string. In an effort to remove strlcpy() completely[2], replace strlcpy() here with strscpy(). Overflow should be impossible here, but actually check for buffer sizes being identical with BUILD_BUG_ON(), and include a run-time check as well. Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy [1] Link: https://github.com/KSPP/linux/issues/89 [2] Cc: Martin K. Petersen <martin.petersen@oracle.com> Cc: James E.J. Bottomley <jejb@linux.ibm.com> Cc: Steffen Maier <maier@linux.ibm.com> Cc: Benjamin Block <bblock@linux.ibm.com> Cc: Heiko Carstens <hca@linux.ibm.com> Cc: Vasily Gorbik <gor@linux.ibm.com> Cc: Alexander Gordeev <agordeev@linux.ibm.com> Cc: Christian Borntraeger <borntraeger@linux.ibm.com> Cc: Sven Schnelle <svens@linux.ibm.com> Cc: Azeem Shaikh <azeemshaikh38@gmail.com> Cc: <linux-s390@vger.kernel.org> Cc: <linux-scsi@vger.kernel.org> Signed-off-by:
Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20231130204056.it.978-kees@kernel.orgAcked-by:
Benjamin Block <bblock@linux.ibm.com> Signed-off-by:
Martin K. Petersen <martin.petersen@oracle.com>
-
Benjamin Coddington authored
SBC-4, Table 13 allows READ CAPACITY for all PR types. Signed-off-by:
Benjamin Coddington <bcodding@redhat.com> Link: https://lore.kernel.org/r/ad095388dbc550c5b199a1dfa71bcbfc575a7abe.1701272679.git.bcodding@redhat.comReviewed-by:
Mike Christie <michael.christie@oracle.com> Signed-off-by:
-
Artem Chernyshev authored
In fnic_init_module() exists redundant check for return value from fnic_debugfs_init(), because at moment it only can return zero. It make sense to process theoretical vmalloc() failure. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 9730ddfb ("scsi: fnic: remove redundant assignment of variable rc") Signed-off-by:
Artem Chernyshev <artem.chernyshev@red-soft.ru> Link: https://lore.kernel.org/r/20231128111008.2280507-1-artem.chernyshev@red-soft.ruReviewed-by:
Karan Tilak Kumar <kartilak@cisco.com> Signed-off-by:
-
Ziqi Chen authored
The Message Signaled Interrupts (MSI) support has been introduced in UFSHCI version 4.0 (JESD223E). The MSI is the recommended interrupt approach for MCQ. If choose to use MSI, in UFS DT, we need to provide msi-parent property that point to the hardware entity which serves as the MSI controller for this UFS controller. Acked-by:
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org> Acked-by:
Conor Dooley <conor.dooley@microchip.com> Signed-off-by:
Ziqi Chen <quic_ziqichen@quicinc.com> Link: https://lore.kernel.org/r/1701144469-1018-1-git-send-email-quic_ziqichen@quicinc.comReviewed-by:
Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org> Signed-off-by:
-
- 25 Nov, 2023 16 commits
-
-
Martin K. Petersen authored
Driver update from ching Huang <ching2048@areca.com.tw>. Signed-off-by: -
ching Huang authored
Signed-off-by:
ching Huang <ching2048@areca.com.tw> Link: https://lore.kernel.org/r/514898a472dfdf0502afe27d127ed5145a1fb915.camel@areca.com.twSigned-off-by:
-
ching Huang authored
Add support for Areca RAID controllers with PCI device IDs 1883 and 1886. Signed-off-by:
-
ching Huang authored
Add support for new Areca RAID controller ARC-1688 Signed-off-by:
-
Abhinav Singh authored
Sparse static analysis tool generates a warning with this message "Using plain integer as NULL pointer". Fix it. Signed-off-by:
Abhinav Singh <singhabhinav9051571833@gmail.com> Link: https://lore.kernel.org/r/20231109215049.1466431-1-singhabhinav9051571833@gmail.comSigned-off-by:
-
Martin K. Petersen authored
Sumit Saxena <sumit.saxena@broadcom.com> says: These patches add support for Broadcom's SAS5116 IO/RAID controllers in mpi3mr driver. Link: https://lore.kernel.org/r/20231123160132.4155-1-sumit.saxena@broadcom.comSigned-off-by:
-
Sumit Saxena authored
Update driver version to 8.5.0.0.50. Signed-off-by:
Sumit Saxena <sumit.saxena@broadcom.com> Link: https://lore.kernel.org/r/20231123160132.4155-6-sumit.saxena@broadcom.comSigned-off-by:
-
Sumit Saxena authored
Inform controller firmware that driver supports status reply descriptor. Signed-off-by:
-
Sumit Saxena authored
SAS5116 controllers supports maximum 48 physical PHYs. Modify driver to accommodate up to 64 PHYs (though current need is to support 48 PHYs). Signed-off-by:
-
Sumit Saxena authored
Add PCI IDs checks for the cases where SAS5116 diverges from SAS4116 in behavior. Signed-off-by:
-
Sumit Saxena authored
Add support for Broadcom's SAS5116 IO/RAID controllers PCI IDs. Signed-off-by:
-
Bart Van Assche authored
ufshcd_prepare_utp_scsi_cmd_upiu() only uses the lowest eight bits of lrbp->task_tag. Issue a runtime warning if this results in truncation. Signed-off-by:
Bart Van Assche <bvanassche@acm.org> Link: https://lore.kernel.org/r/20231115193359.2262044-1-bvanassche@acm.orgSigned-off-by:
-
Bart Van Assche authored
Calling scsi_eh_scmd_add() may cause the error handler never to be woken up because this may result in shost->host_failed to become larger than scsi_host_busy(shost). Hence complain if scsi_eh_scmd_add() is called after SCMD_STATE_INFLIGHT has been cleared. Cc: Hannes Reinecke <hare@suse.de> Cc: Damien Le Moal <damien.lemoal@opensource.wdc.com> Cc: Mike Christie <michael.christie@oracle.com> Cc: John Garry <john.g.garry@oracle.com> Cc: Ming Lei <ming.lei@redhat.com> Signed-off-by:
-
Bart Van Assche authored
Fix the following sparse warning: drivers/scsi/bfa/bfad_bsg.c:2553:50: sparse: sparse: incorrect type in initializer (different base types) Fixes: 2e5a6c3b ("scsi: bfa: Convert bfad_reset_sdev_bflags() from a macro into a function") Reported-by:
kernel test robot <lkp@intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202311031255.lmSPisIk-lkp@intel.com/Signed-off-by:
-
Akinobu Mita authored
The UFS driver has two driver-specific fault injection mechanisms (trigger_eh and timeout). Each fault injection configuration can only be specified by a module parameter and cannot be reconfigured without reloading the driver. Also, each configuration is common to all HBAs. This change adds the following subdirectories for each UFS HBA when debugfs is enabled: /sys/kernel/debug/ufshcd/<HBA>/timeout_inject /sys/kernel/debug/ufshcd/<HBA>/trigger_eh_inject Each fault injection attribute can be dynamically set per HBA by a corresponding file in these directories. This is tested with QEMU UFS devices. Signed-off-by:
Akinobu Mita <akinobu.mita@gmail.com> Link: https://lore.kernel.org/r/20231118124443.1007116-1-akinobu.mita@gmail.comReviewed-by:
-
Stanley Jhu authored
Change the maintainer of MediaTek UFS hooks to Peter Wang. The original maintainer, Stanley Chu, who could previously be reached at stanley.chu@mediatek.com, has left MediaTek. Update the email address accordingly and list Stanley as reviewer. Cc: Stanley Chu <stanley.chu@mediatek.com> Reviewed-by:
Peter Wang <peter.wang@mediatek.com> Reviewed-by:
Macpaul Lin <macpaul.lin@mediatek.com> Signed-off-by:
Stanley Jhu <chu.stanley@gmail.com> Link: https://lore.kernel.org/r/20231117103810.527-1-chu.stanley@gmail.comSigned-off-by:
-
- 15 Nov, 2023 20 commits
-
-
Tomas Henzl authored
The mpt3sas_ctl_exit() should be called after communication with the controller stops but currently it may cause false warnings about not released memory. Fix this by letting mpt3sas_ctl_exit() handle misc driver release per driver and release DMA in mpt3sas_ctl_release() per ioc. Signed-off-by:
Tomas Henzl <thenzl@redhat.com> Link: https://lore.kernel.org/r/20231019153706.7967-1-thenzl@redhat.comSigned-off-by:
-
Can Guo authored
Having UFS power info available in sysfs makes it easier to tell the state of the link during runtime considering we have a bunch of power saving features and various combinations for backward compatibility. Reviewed-by:
Bean Huo <beanhuo@micron.com> Reviewed-by:
Can Guo <quic_cang@quicinc.com> Link: https://lore.kernel.org/r/1698890324-7374-1-git-send-email-quic_cang@quicinc.comReviewed-by:
Avri Altman <avri.altman@wdc.com> Signed-off-by:
-
Martin K. Petersen authored
Justin Tee <justintee8345@gmail.com> says: Update lpfc to revision 14.2.0.16 This patch set contains a user input range check correction, static code analyzer fixes, refactoring of clean up code, and logging enhancements. The patches were cut against Martin's 6.7/scsi-queue tree. Link: https://lore.kernel.org/r/20231031191224.150862-1-justintee8345@gmail.comSigned-off-by:
-
Martin K. Petersen authored
A series of patches from Justin Stitt. Signed-off-by: -
Martin K. Petersen authored
James Seo <james@equiv.tech> says: Commit df8fc4e9 ("kbuild: Enable -fstrict-flex-arrays=3") has resulted in the only arrays that UBSAN_BOUNDS considers unbounded being trailing arrays declared with [] as the last member of a struct. Unbounded trailing arrays declared with [1] are common in mpt3sas, which is causing spurious warnings to appear in some situations, e.g. when more than one physical disk is connected: UBSAN: array-index-out-of-bounds in drivers/scsi/mpt3sas/mpt3sas_scsih.c:6810:36 index 1 is out of range for type 'MPI2_SAS_IO_UNIT0_PHY_DATA [1]' which relates to this unbounded array access: port_id = sas_iounit_pg0->PhyData[i].Port; and is just one example of 10 similar warnings currently occurring for me during boot. This series converts most trailing arrays declared with [1] in mptsas into proper C99 flexible array members. Those that are not unbounded and really are fixed-length arrays of length 1 are left alone. I didn't find any conversions that required further source edits besides changing [1] to [], and everything seems to work with my SAS2008-based add-in card, but please look things over in case I missed something subtle. Rounding out the series are some opportunistic cleanups. The only dependency is that patch 7 ("Use struct_size() for struct size calculations") depends on patches 3-5. Link: https://lore.kernel.org/r/20230806170604.16143-1-james@equiv.techSigned-off-by:
-
Justin Tee authored
Update copyrights to 2023 for files modified in the 14.2.0.16 patch set. Signed-off-by:
Justin Tee <justin.tee@broadcom.com> Link: https://lore.kernel.org/r/20231031191224.150862-10-justintee8345@gmail.comReviewed-by:
Himanshu Madhani <himanshu.madhani@oracle.com> Signed-off-by:
-
Justin Tee authored
Update lpfc version to 14.2.0.16. Signed-off-by:
-
Justin Tee authored
Typically, debugging discovery issues requires the ndlp reference count, nlp flags, transport flags, and the io tag for root cause analysis. Modify important discovery log messages to include one or more of these attributes to aid in debugging and support. Signed-off-by:
-
Justin Tee authored
A lot of repeated clean up code exists when freeing mailbox commands in lpfc_mem_free_all(). Introduce a lpfc_mem_free_sli_mbox() helper routine to refactor the copy-paste code. Additionally, reinitialize the mailbox command structure context pointers to NULL in lpfc_sli4_mbox_cmd_free(). Signed-off-by:
-
Justin Tee authored
Add a check in lpfc_poll_eratt() when the driver is unloading. There is no point to check for error attention events if the driver is rmmod'ed. If the driver is reloaded, as part of insmod initialization, then a fresh reset is always asserted to start clean and free of error attention events. Signed-off-by:
-
Justin Tee authored
In lpfc_check_nlp_post_devloss(), retaking of the ndlp lock in the if statement is useless because the very next line unlocks. Simply return to avoid relocking. Signed-off-by:
-
Justin Tee authored
Smatch called out a warning for null checking a ptr that is assigned by list_entry(). list_entry() does not return null and, if the list is empty, can return an invalid ptr. Thus, the !psrp check does not execute properly. drivers/scsi/lpfc/lpfc_els.c:2133 lpfc_cmpl_els_plogi() warn: list_entry() does not return NULL 'prsp' Replace list_entry() with list_get_first(), which does a list_empty() check before returning the first entry. Fixes: a3c3c0a8 ("scsi: lpfc: Validate ELS LS_ACC completion payload") Reported-by:
Dan Carpenter <dan.carpenter@linaro.org> Closes: https://lore.kernel.org/linux-scsi/01b7568f-4ab4-4d56-bfa6-9ecc5fc261fe@moroto.mountain/Signed-off-by:
-
Justin Tee authored
Because file_name and phba->ModelName are both declared a size 80 bytes, the extra ".grp" file extension could cause an overflow into file_name. Define a ELX_FW_NAME_SIZE macro with value 84. 84 incorporates the 4 extra characters from ".grp". file_name is changed to be declared as a char and initialized to zeros i.e. null chars. Signed-off-by:
-
Justin Tee authored
Currently, the ras_fwlog_func sysfs parameter allows users to input a value greater than three when selecting a PCI function to enable RAS fw logging feature. The user's input is sanity checked in lpfc_sli4_ras_init(), but allowing an input greater than three doesn't make sense because the max number of ports per HBA is four. Change the allowable range from [0, 7] to [0, 3]. Signed-off-by:
-
Justin Stitt authored
strncpy() is deprecated for use on NUL-terminated destination strings [1] and as such we should prefer more robust and less ambiguous string interfaces. To keep node->current_state_name and node->prev_state_name NUL-padded and NUL-terminated let's use strscpy_pad() as this implicitly provides both. For the swap between the two, a simple memcpy() will suffice. Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1] Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2] Link: https://github.com/KSPP/linux/issues/90 Cc: linux-hardening@vger.kernel.org Signed-off-by:
Justin Stitt <justinstitt@google.com> Link: https://lore.kernel.org/r/20231026-strncpy-drivers-scsi-elx-libefc-efc_node-h-v2-1-5c083d0c13f4@google.comReviewed-by:
-
Justin Stitt authored
strncpy() is deprecated for use on NUL-terminated destination strings [1] and as such we should prefer more robust and less ambiguous string interfaces. 'hw' is kzalloc'd just before this string assignment: | hw = kzalloc(sizeof(struct csio_hw), GFP_KERNEL); ... which means any NUL-padding is redundant. Since CSIO_DRV_VERSION is a small string literal (smaller than sizeof(dest)): ... there is functionally no change in this swap from strncpy() to strscpy(). Nonetheless, let's make the change for robustness' sake -- as it will ensure that drv_version is _always_ NUL-terminated. Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1] Link: https://github.com/KSPP/linux/issues/90 Cc: linux-hardening@vger.kernel.org Signed-off-by:
-
Justin Stitt authored
strncpy() is deprecated for use on NUL-terminated destination strings [1] and as such we should prefer more robust and less ambiguous string interfaces. These labels get copied out to the user so lets make sure they are NUL-terminated and NUL-padded. vparams is already memset to 0 so we don't need to do any NUL-padding (like what strncpy() is doing). Considering the above, a suitable replacement is strscpy() [2] due to the fact that it guarantees NUL-termination on the destination buffer without unnecessarily NUL-padding. Let's also opt to use the more idiomatic strscpy() usage of: (dest, src, sizeof(dest)) as this more closely ties the destination buffer to the length. Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1] Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2] Link: https://github.com/KSPP/linux/issues/90 Cc: linux-hardening@vger.kernel.org Signed-off-by:
-
Justin Stitt authored
strncpy() is deprecated for use on NUL-terminated destination strings [1] and as such we should prefer more robust and less ambiguous string interfaces. We expect hba->chip_num to be NUL-terminated based on its usage with format strings: snprintf(fc_host_symbolic_name(lport->host), 256, "%s (QLogic %s) v%s over %s", BNX2FC_NAME, hba->chip_num, BNX2FC_VERSION, interface->netdev->name); Moreover, NUL-padding is not required as hba is zero-allocated from its callsite: hba = kzalloc(sizeof(*hba), GFP_KERNEL); Considering the above, a suitable replacement is strscpy() [2] due to the fact that it guarantees NUL-termination on the destination buffer without unnecessarily NUL-padding. Regarding stats_addr->version, I've opted to also use strscpy() instead of strscpy_pad() as I typically see these XYZ_get_strings() pass zero-allocated data. I couldn't track all of where bnx2fc_ulp_get_stats() is used and if required, we could opt for strscpy_pad(). Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1] Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2] Link: https://github.com/KSPP/linux/issues/90 Cc: linux-hardening@vger.kernel.org Signed-off-by:
-
Justin Stitt authored
strncpy() is deprecated for use on NUL-terminated destination strings [1] and as such we should prefer more robust and less ambiguous string interfaces. This pattern of strncpy(dest, src, strlen(src)) is extremely bug-prone. This pattern basically never results in NUL-terminated destination strings unless `dest` was zero-initialized. The current implementation may be accidentally correct as tw_dev is zero-allocated via: host = scsi_host_alloc(&driver_template, sizeof(TW_Device_Extension)); ... tw_dev = shost_priv(host); ... wherein scsi_host_alloc() zero-allocates host: shost = kzalloc(sizeof(struct Scsi_Host) + privsize, GFP_KERNEL); Also, further suggesting this change is worthwhile is another strscpy() usage in 3w-9xxx.c: strscpy(tw_dev->tw_compat_info.driver_version, TW_DRIVER_VERSION, sizeof(tw_dev->tw_compat_info.driver_version)); Considering the above, a suitable replacement is strscpy() [2] due to the fact that it guarantees NUL-termination on the destination buffer without unnecessarily NUL-padding. Let's not be accidentally correct, let's be definitely correct. Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1] Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2] Link: https://github.com/KSPP/linux/issues/90 Cc: linux-hardening@vger.kernel.org Signed-off-by: -
James Seo authored
mpt3sas_scsih.c:_scsih_scan_for_devices_after_reset() allocates and fetches a MPI2_CONFIG_PAGE_RAID_VOL_0 struct (Mpi2RaidVolPage0_t) and a MPI2_CONFIG_PAGE_RAID_VOL_1 struct (Mpi2RaidVolPage1_t), but does not include the terminal flexible array members in the struct size calculations, fetch those members, or otherwise use those members in any way. These dynamic allocations can be replaced with local variables. Signed-off-by:
James Seo <james@equiv.tech> Link: https://lore.kernel.org/r/20230806170604.16143-13-james@equiv.techTested-by:
Borislav Petkov (AMD) <bp@alien8.de> Signed-off-by:
-
