android_kernel_xiaomi_sm7250/drivers
Dan Carpenter 3dae5041c6 scsi: mptfusion: Fix double fetch bug in ioctl
commit 28d76df18f0ad5bcf5fa48510b225f0ed262a99b upstream.

Tom Hatskevich reported that we look up "iocp" then, in the called
functions we do a second copy_from_user() and look it up again.
The problem that could cause is:

drivers/message/fusion/mptctl.c
   674          /* All of these commands require an interrupt or
   675           * are unknown/illegal.
   676           */
   677          if ((ret = mptctl_syscall_down(iocp, nonblock)) != 0)
                                               ^^^^
We take this lock.

   678                  return ret;
   679
   680          if (cmd == MPTFWDOWNLOAD)
   681                  ret = mptctl_fw_download(arg);
                                                 ^^^
Then the user memory changes and we look up "iocp" again but a different
one so now we are holding the incorrect lock and have a race condition.

   682          else if (cmd == MPTCOMMAND)
   683                  ret = mptctl_mpt_command(arg);

The security impact of this bug is not as bad as it could have been
because these operations are all privileged and root already has
enormous destructive power.  But it's still worth fixing.

This patch passes the "iocp" pointer to the functions to avoid the
second lookup.  That deletes 100 lines of code from the driver so
it's a nice clean up as well.

Link: https://lore.kernel.org/r/20200114123414.GA7957@kadam
Reported-by: Tom Hatskevich <tom2001tom.23@gmail.com>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-01-23 08:21:28 +01:00
accessibility
acpi ACPI: sysfs: Change ACPI_MASKABLE_GPE_MAX to 0x100 2020-01-09 10:19:04 +01:00
amba
android binder: Handle start==NULL in binder_update_page_range() 2019-12-13 08:52:52 +01:00
ata libata: Fix retrieving of active qcs 2020-01-09 10:19:01 +01:00
atm atm: zatm: Fix empty body Clang warnings 2019-12-01 09:16:41 +01:00
auxdisplay auxdisplay: panel: need to delete scan_timer when misc_register fails in panel_attach 2019-09-06 10:21:56 +02:00
base drivers/base/platform.c: kmemleak ignore a known leak 2019-12-05 09:21:04 +01:00
bcma
block xen/blkback: Avoid unmapping unmapped grant pages 2020-01-09 10:19:09 +01:00
bluetooth Bluetooth: btusb: fix PM leak in error case of setup 2020-01-09 10:19:04 +01:00
bus bus: ti-sysc: Fix getting optional clocks in clock_roles 2019-12-13 08:51:23 +01:00
cdrom cdrom: respect device capabilities during opening action 2020-01-04 19:13:12 +01:00
char ipmi: Don't allow device module unload when in use 2019-12-31 16:35:23 +01:00
clk clk: Don't try to enable critical clocks if prepare failed 2020-01-23 08:21:27 +01:00
clocksource clocksource/drivers/timer-of: Use unique device name instead of timer 2020-01-04 19:12:45 +01:00
connector
cpufreq cpufreq: imx6q: read OCOTP through nvmem for imx6ul/imx6ull 2020-01-12 12:17:24 +01:00
cpuidle cpuidle: Do not unset the driver if it is there already 2019-12-17 20:35:00 +01:00
crypto crypto: virtio - implement missing support for output IVs 2020-01-17 19:47:04 +01:00
dax
dca
devfreq PM / devfreq: Check NULL governor in available_governors_show 2020-01-09 10:19:03 +01:00
dio
dma ioat: ioat_alloc_ring() failure handling. 2020-01-17 19:47:16 +01:00
dma-buf dma-buf: Fix memory leak in sync_file_merge() 2019-12-21 10:57:38 +01:00
edac EDAC/ghes: Fix grain calculation 2019-12-31 16:35:58 +01:00
eisa
extcon extcon: sm5502: Reset registers during initialization 2019-12-31 16:35:11 +01:00
firewire net: add annotations on hh->hh_len lockless accesses 2020-01-09 10:19:09 +01:00
firmware efi/gop: Fix memory leak in __gop_query32/64() 2020-01-12 12:17:08 +01:00
fmc
fpga fpga: altera-ps-spi: Fix getting of optional confd gpio 2019-09-21 07:16:53 +02:00
fsi fsi: core: Fix small accesses and unaligned offsets via sysfs 2019-12-31 16:35:55 +01:00
gnss
gpio gpio: mpc8xxx: Add platform device to gpiochip->parent 2020-01-17 19:47:14 +01:00
gpu drm/arm/mali: make malidp_mw_connector_helper_funcs static 2020-01-17 19:47:15 +01:00
hid HID: hidraw, uhid: Always report EPOLLOUT 2020-01-17 19:46:55 +01:00
hsi
hv vmbus: keep pointer to ring buffer page 2019-11-20 18:47:31 +01:00
hwmon hwmon: (npcm-750-pwm-fan) Change initial pwm target to 255 2019-11-24 08:21:01 +01:00
hwspinlock
hwtracing intel_th: pci: Add Elkhart Lake SOC support 2019-12-31 16:36:24 +01:00
i2c i2c: fix bus recovery stop mode timing 2020-01-14 20:06:58 +01:00
ide
idle
iio iio: buffer: align the size of scan bytes to size of the largest element 2020-01-23 08:21:27 +01:00
infiniband RDMA/srpt: Report the SCSI residual to the initiator 2020-01-17 19:47:03 +01:00
input Input: input_event - fix struct padding on sparc64 2020-01-14 20:07:01 +01:00
iommu iommu/mediatek: Correct the flush_iotlb_all callback 2020-01-17 19:47:11 +01:00
ipack
irqchip irqchip: ingenic: Error out if IRQ domain creation failed 2020-01-04 19:12:52 +01:00
isdn staging: gigaset: add endpoint-type sanity check 2019-12-17 20:34:33 +01:00
leds leds: lm3692x: Handle failure to probe the regulator 2020-01-04 19:12:43 +01:00
lightnvm lightnvm: pblk: consider max hw sectors supported for max_write_pgs 2019-11-24 08:20:52 +01:00
macintosh macintosh/windfarm_smu_sat: Fix debug output 2019-12-01 09:16:37 +01:00
mailbox mailbox: imx: Fix Tx doorbell shutdown path 2020-01-04 19:13:17 +01:00
mcb
md md: raid1: check rdev before reference in raid1_sync_request func 2020-01-09 10:18:57 +01:00
media media: exynos4-is: Fix recursive locking in isp_video_release() 2020-01-17 19:47:11 +01:00
memory memory: omap-gpmc: Get the header of the enum 2019-12-05 09:20:29 +01:00
memstick memstick: jmb38x_ms: Fix an error handling path in 'jmb38x_ms_probe()' 2019-10-29 09:20:07 +01:00
message scsi: mptfusion: Fix double fetch bug in ioctl 2020-01-23 08:21:28 +01:00
mfd mfd: max8997: Enale irq-wakeup unconditionally 2019-12-01 09:16:57 +01:00
misc scsi: enclosure: Fix stale device oops with hot replug 2020-01-17 19:47:03 +01:00
mmc mmc: sdhci: Add a quirk for broken command queuing 2019-12-31 16:36:36 +01:00
mtd mtd: spi-nor: fix silent truncation in spi_nor_read_raw() 2020-01-17 19:47:12 +01:00
mux
net rtlwifi: Remove unnecessary NULL check in rtl_regd_init 2020-01-17 19:47:12 +01:00
nfc NFC: nxp-nci: Fix NULL pointer dereference after I2C communication error 2019-12-13 08:51:03 +01:00
ntb ntb: intel: fix return value for ndev_vec_mask() 2019-12-01 09:17:13 +01:00
nubus
nvdimm libnvdimm/btt: fix variable 'rc' set but not used 2020-01-04 19:13:00 +01:00
nvme nvme-fc: fix double-free scenarios on hw queues 2020-01-09 10:18:54 +01:00
nvmem nvmem: imx-ocotp: reset error status on probe 2019-12-31 16:35:37 +01:00
of of: unittest: fix memory leak in attach_node_and_children 2019-12-17 20:36:04 +01:00
opp OPP: Return error on error from dev_pm_opp_get_opp_count() 2019-11-24 08:20:06 +01:00
oprofile
parisc parisc: Disable HP HSC-PCI Cards to prevent kernel crash 2019-10-05 13:10:04 +02:00
parport parport: load lowlevel driver if ports not found 2019-12-31 16:36:01 +01:00
pci PCI/PTM: Remove spurious "d" from granularity message 2020-01-17 19:47:08 +01:00
pcmcia
perf drivers/perf: arm_pmu: Fix failure path in PM notifier 2019-08-06 19:06:55 +02:00
phy phy: cpcap-usb: Fix flakey host idling and enumerating of devices 2020-01-14 20:07:08 +01:00
pinctrl pinctrl: lewisburg: Update pin list according to v1.1v6 2020-01-17 19:47:06 +01:00
platform platform/x86: GPD pocket fan: Use default values when wrong modparams are given 2020-01-17 19:47:04 +01:00
pnp
power power: supply: cpcap-battery: Fix signed counter sample register 2019-12-17 20:35:37 +01:00
powercap
pps drivers/pps/pps.c: clear offset flags in PPS_SETPARAMS ioctl 2019-08-04 09:30:56 +02:00
ps3
ptp ptp: fix the race between the release of ptp_clock and cdev 2020-01-04 19:13:35 +01:00
pwm pwm: Clear chip_data in pwm_put() 2019-12-05 09:21:29 +01:00
rapidio drivers/rapidio/devices/rio_mport_cdev.c: NUL terminate some strings 2019-08-06 19:06:52 +02:00
ras
regulator regulator: rn5t618: fix module aliases 2020-01-12 12:17:18 +01:00
remoteproc remoteproc: qcom: q6v5: Fix a race condition on fatal crash 2019-11-24 08:20:29 +01:00
reset reset: Fix memory leak in reset_control_array_put() 2019-12-05 09:19:36 +01:00
rpmsg rpmsg: glink: Free pending deferred work on remove 2019-12-21 10:57:30 +01:00
rtc rtc: brcmstb-waketimer: add missed clk_disable_unprepare 2020-01-17 19:47:13 +01:00
s390 s390/qeth: Fix vnicc_is_in_use if rx_bcast not set 2020-01-17 19:47:01 +01:00
sbus
scsi scsi: fnic: fix invalid stack access 2020-01-23 08:21:28 +01:00
sfi
sh
siox
slimbus slimbus: ngd: Fix build error on x86 2019-12-13 08:51:54 +01:00
sn
soc soc: renesas: r8a77990-sysc: Fix initialization order of 3DG-{A,B} 2019-12-13 08:52:29 +01:00
soundwire soundwire: intel: fix PDI/stream mapping for Bulk 2019-12-31 16:35:55 +01:00
spi spi: atmel: fix handling of cs_change set on non-last xfer 2020-01-17 19:47:12 +01:00
spmi
ssb
staging staging: rtl8188eu: Add device code for TP-Link TL-WN727N v5.21 2020-01-14 20:07:05 +01:00
target scsi: target: iscsi: Wait for all commands to finish before freeing a session 2020-01-04 19:13:06 +01:00
tc
tee tee: optee: add missing of_node_put after of_device_is_available 2019-11-24 08:19:08 +01:00
thermal thermal: Fix deadlock in thermal thermal_zone_device_check 2019-12-13 08:52:50 +01:00
thunderbolt thunderbolt: Power cycle the router if NVM authentication fails 2019-12-05 09:21:27 +01:00
tty tty: serial: pch_uart: correct usage of dma_unmap_sg 2020-01-17 19:47:09 +01:00
uio vmbus: keep pointer to ring buffer page 2019-11-20 18:47:31 +01:00
usb USB: serial: quatech2: handle unbound ports 2020-01-23 08:21:28 +01:00
uwb
vfio vfio/pci: call irq_bypass_unregister_producer() before freeing irq 2019-12-21 10:57:37 +01:00
vhost vhost/vsock: accept only packets with the right dst_cid 2020-01-04 19:13:36 +01:00
video video/hdmi: Fix AVI bar unpack 2019-12-17 20:35:17 +01:00
virt virt: vbox: fix memory leak in hgcm_call_preprocess_linaddr 2019-11-06 13:06:04 +01:00
virtio virtio-balloon: fix managed page counts when migrating pages between zones 2019-12-17 20:34:43 +01:00
visorbus
vlynq
vme
w1 w1: IAD Register is yet readable trough iad sys file. Fix snprintf (%u for unsigned, count for max size). 2019-12-01 09:16:22 +01:00
watchdog watchdog: Fix the race between the release of watchdog_core_data and cdev 2020-01-04 19:13:01 +01:00
xen xen/balloon: fix ballooned page accounting without hotplug enabled 2020-01-09 10:18:58 +01:00
zorro
Kconfig
Makefile