* FAILED: patch "[PATCH] s390/cio: fix out-of-bounds access on cio_ignore free" failed to apply to 5.15-stable tree
@ 2022-10-31 6:50 gregkh
0 siblings, 0 replies; only message in thread
From: gregkh @ 2022-10-31 6:50 UTC (permalink / raw)
To: oberpar, egorenar, gor, stable, vneethv; +Cc: stable
The patch below does not apply to the 5.15-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable@vger.kernel.org>.
Possible dependencies:
1b6074112742 ("s390/cio: fix out-of-bounds access on cio_ignore free")
0c3812c347bf ("s390/cio: derive cdev information only for IO-subchannels")
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 1b6074112742f65ece71b0f299ca5a6a887d2db6 Mon Sep 17 00:00:00 2001
From: Peter Oberparleiter <oberpar@linux.ibm.com>
Date: Fri, 14 Oct 2022 12:24:58 +0200
Subject: [PATCH] s390/cio: fix out-of-bounds access on cio_ignore free
The channel-subsystem-driver scans for newly available devices whenever
device-IDs are removed from the cio_ignore list using a command such as:
echo free >/proc/cio_ignore
Since an I/O device scan might interfer with running I/Os, commit
172da89ed0ea ("s390/cio: avoid excessive path-verification requests")
introduced an optimization to exclude online devices from the scan.
The newly added check for online devices incorrectly assumes that
an I/O-subchannel's drvdata points to a struct io_subchannel_private.
For devices that are bound to a non-default I/O subchannel driver, such
as the vfio_ccw driver, this results in an out-of-bounds read access
during each scan.
Fix this by changing the scan logic to rely on a driver-independent
online indication. For this we can use struct subchannel->config.ena,
which is the driver's requested subchannel-enabled state. Since I/Os
can only be started on enabled subchannels, this matches the intent
of the original optimization of not scanning devices where I/O might
be running.
Fixes: 172da89ed0ea ("s390/cio: avoid excessive path-verification requests")
Fixes: 0c3812c347bf ("s390/cio: derive cdev information only for IO-subchannels")
Cc: <stable@vger.kernel.org> # v5.15
Reported-by: Alexander Egorenkov <egorenar@linux.ibm.com>
Reviewed-by: Vineeth Vijayan <vneethv@linux.ibm.com>
Signed-off-by: Peter Oberparleiter <oberpar@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
diff --git a/drivers/s390/cio/css.c b/drivers/s390/cio/css.c
index 913b6ddd040b..c7db95398500 100644
--- a/drivers/s390/cio/css.c
+++ b/drivers/s390/cio/css.c
@@ -753,13 +753,9 @@ static int __unset_online(struct device *dev, void *data)
{
struct idset *set = data;
struct subchannel *sch = to_subchannel(dev);
- struct ccw_device *cdev;
- if (sch->st == SUBCHANNEL_TYPE_IO) {
- cdev = sch_get_cdev(sch);
- if (cdev && cdev->online)
- idset_sch_del(set, sch->schid);
- }
+ if (sch->st == SUBCHANNEL_TYPE_IO && sch->config.ena)
+ idset_sch_del(set, sch->schid);
return 0;
}
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2022-10-31 6:49 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-10-31 6:50 FAILED: patch "[PATCH] s390/cio: fix out-of-bounds access on cio_ignore free" failed to apply to 5.15-stable tree gregkh
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.