From patchwork Sat May 27 20:42:00 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ben Hutchings <benh@debian.org>
X-Patchwork-Id: 687171
Return-Path: <linux-scsi-owner@vger.kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
 aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
 by smtp.lore.kernel.org (Postfix) with ESMTP id 5E7E2C7EE2E
 for <linux-scsi@archiver.kernel.org>; Sat, 27 May 2023 20:42:23 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S229596AbjE0UmT (ORCPT <rfc822;linux-scsi@archiver.kernel.org>);
 Sat, 27 May 2023 16:42:19 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55972 "EHLO
 lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S229471AbjE0UmR (ORCPT
 <rfc822;linux-scsi@vger.kernel.org>); Sat, 27 May 2023 16:42:17 -0400
Received: from stravinsky.debian.org (stravinsky.debian.org
 [IPv6:2001:41b8:202:deb::311:108])
 by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6F264AC;
 Sat, 27 May 2023 13:42:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debian.org; 
 s=smtpauto.stravinsky;
 h=X-Debian-User:MIME-Version:Content-Type:Date:Cc:To:
 From:Subject:Message-ID:Reply-To:Content-Transfer-Encoding:Content-ID:
 Content-Description:In-Reply-To:References;
 bh=7/omKClvBv5roEm+6JrsREj3kRVwfTW5izAWN3uT+Bo=;
 b=FDgZ4wtdpWcSiZVO5B3HMNyXbT
 NijbSYhXq1SHe7YLwLb1CI0zaW7H9faXcMbnj1rN4K5OVpNvoLUWmrtfRYxGw0iWFsYKzI8OqyPRS
 VrK48Z3NtAh6SODVOi9mZucI95Xv6GmNuq52/I8RV4lb71VvLf0+HczCEK1wz4ANpkSBEISZ8xRtA
 GKAiI/XmIYPRyWd9vlruQ9Oma+b+caVpgBtguhIyTGM99B5/Y+TCXrlAdIqhcKtEeRCLyDxT6JBrH
 QlLVYkFmKbw7slkOnFJPnr1nx3lWQu70wqH8cAVJIVZVj8d3y3DfF5RfohLerhzVb1yIA7HDVwqh8
 Ak86UzqQ==;
Received: from authenticated user by stravinsky.debian.org with esmtpsa
 (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.94.2) (envelope-from <benh@debian.org>)
 id 1q30jm-00CVBY-Ci; Sat, 27 May 2023 20:42:06 +0000
Message-ID: <b1d71ba992d0adab2519dff17f6d241279c0f5f1.camel@debian.org>
Subject: dpt_i2o fixes for stable
From: Ben Hutchings <benh@debian.org>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
 Sasha Levin <sashal@kernel.org>
Cc: stable <stable@vger.kernel.org>, Arnd Bergmann <arnd@arndb.de>,
 linux-scsi <linux-scsi@vger.kernel.org>, security@kernel.org
Date: Sat, 27 May 2023 22:42:00 +0200
Organization: Debian
User-Agent: Evolution 3.46.4-1 
MIME-Version: 1.0
X-Debian-User: benh
Precedence: bulk
List-ID: <linux-scsi.vger.kernel.org>
X-Mailing-List: linux-scsi@vger.kernel.org

I'm proposing to address the most obvious issues with dpt_i2o on stable
branches.  At this stage it may be better to remove it as has been done
upstream, but I'd rather limit the regression for anyone still using
the hardware.

The changes are:

- "scsi: dpt_i2o: Remove broken pass-through ioctl (I2OUSERCMD)",
  which closes security flaws including CVE-2023-2007.
- "scsi: dpt_i2o: Do not process completions with invalid addresses",
  which removes the remaining bus_to_virt() call and may slightly
  improve handling of misbehaving hardware.

These changes have been compiled on all the relevant stable branches,
but I don't have hardware to test on.

Ben.

>From 157298ea77a54f7793b370cb8cdfa967811adb66 Mon Sep 17 00:00:00 2001
From: Ben Hutchings <benh@debian.org>
Date: Sat, 27 May 2023 15:52:48 +0200
Subject: [PATCH 2/2] scsi: dpt_i2o: Do not process completions with invalid
 addresses

adpt_isr() reads reply addresses from a hardware register, which
should always be within the DMA address range of the device's pool of
reply address buffers.  In case the address is out of range, it tries
to muddle on, converting to a virtual address using bus_to_virt().

bus_to_virt() does not take DMA addresses, and it doesn't make sense
to try to handle the completion in this case.  Ignore it and continue
looping to service the interrupt.  If a completion has been lost then
the SCSI core should eventually time-out and trigger a reset.

There is no corresponding upstream commit, because this driver was
removed upstream.

Fixes: 67af2b060e02 ("[SCSI] dpt_i2o: move from virt_to_bus/bus_to_virt ...")
Signed-off-by: Ben Hutchings <benh@debian.org>
---
 drivers/scsi/Kconfig   | 2 +-
 drivers/scsi/dpt_i2o.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/scsi/Kconfig b/drivers/scsi/Kconfig
index 701b61ec76ee..6524e1fe54d2 100644
--- a/drivers/scsi/Kconfig
+++ b/drivers/scsi/Kconfig
@@ -444,7 +444,7 @@ config SCSI_MVUMI
 
 config SCSI_DPT_I2O
 	tristate "Adaptec I2O RAID support "
-	depends on SCSI && PCI && VIRT_TO_BUS
+	depends on SCSI && PCI
 	help
 	  This driver supports all of Adaptec's I2O based RAID controllers as 
 	  well as the DPT SmartRaid V cards.  This is an Adaptec maintained
diff --git a/drivers/scsi/dpt_i2o.c b/drivers/scsi/dpt_i2o.c
index 85f4d6535154..43ec5657a935 100644
--- a/drivers/scsi/dpt_i2o.c
+++ b/drivers/scsi/dpt_i2o.c
@@ -56,7 +56,7 @@ MODULE_DESCRIPTION("Adaptec I2O RAID Driver");
 #include <linux/mutex.h>
 
 #include <asm/processor.h>	/* for boot_cpu_data */
-#include <asm/io.h>		/* for virt_to_bus, etc. */
+#include <asm/io.h>
 
 #include <scsi/scsi.h>
 #include <scsi/scsi_cmnd.h>
@@ -1865,7 +1865,7 @@ static irqreturn_t adpt_isr(int irq, void *dev_id)
 		} else {
 			/* Ick, we should *never* be here */
 			printk(KERN_ERR "dpti: reply frame not from pool\n");
-			reply = (u8 *)bus_to_virt(m);
+			continue;
 		}
 
 		if (readl(reply) & MSG_FAIL) {