* re: mtip32xx: add a status field to struct mtip_cmd
@ 2017-04-21 14:06 Colin Ian King
2017-04-21 14:14 ` Jens Axboe
0 siblings, 1 reply; 6+ messages in thread
From: Colin Ian King @ 2017-04-21 14:06 UTC (permalink / raw)
To: Christoph Hellwig, Johannes Thumshirn, Jens Axboe; +Cc: linux-kernel
Hi,
CoverityScan found an issue with the following part of the patch:
- if (likely(!reserv))
- blk_mq_complete_request(rq, -ENODEV);
- else if (test_bit(MTIP_PF_IC_ACTIVE_BIT, &dd->port->flags)) {
+ if (likely(!reserv)) {
+ cmd->status = -ENODEV;
+ blk_mq_complete_request(rq, 0);
+ } else if (test_bit(MTIP_PF_IC_ACTIVE_BIT, &dd->port->flags)) {
The issue is:
static void mtip_no_dev_cleanup(struct request *rq, void *data, bool reserv)
{
struct driver_data *dd = (struct driver_data *)data;
struct mtip_cmd *cmd;
if (likely(!reserv)) {
cmd->status = -ENODEV;
CID 1430258 (#1 of 1): Uninitialized pointer write (UNINIT)4.
uninit_use: Using uninitialized value cmd.
..basically a null ptr dereference on cmd.
Colin
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: mtip32xx: add a status field to struct mtip_cmd
2017-04-21 14:06 mtip32xx: add a status field to struct mtip_cmd Colin Ian King
@ 2017-04-21 14:14 ` Jens Axboe
2017-04-21 14:37 ` Christoph Hellwig
0 siblings, 1 reply; 6+ messages in thread
From: Jens Axboe @ 2017-04-21 14:14 UTC (permalink / raw)
To: Colin Ian King, Christoph Hellwig, Johannes Thumshirn; +Cc: linux-kernel
On 04/21/2017 08:06 AM, Colin Ian King wrote:
> Hi,
>
> CoverityScan found an issue with the following part of the patch:
>
> - if (likely(!reserv))
> - blk_mq_complete_request(rq, -ENODEV);
> - else if (test_bit(MTIP_PF_IC_ACTIVE_BIT, &dd->port->flags)) {
> + if (likely(!reserv)) {
> + cmd->status = -ENODEV;
> + blk_mq_complete_request(rq, 0);
> + } else if (test_bit(MTIP_PF_IC_ACTIVE_BIT, &dd->port->flags)) {
>
>
From: Jens Axboe <axboe@fb.com>
Subject: [PATCH] mtip32xx: fix dereference of stack garbage
We need to get the command payload from the request before
we attempt to dereference it.
Fixes: 4dda4735c581 ("mtip32xx: add a status field to struct mtip_cmd")
Signed-off-by: Jens Axboe <axboe@fb.com>
diff --git a/drivers/block/mtip32xx/mtip32xx.c b/drivers/block/mtip32xx/mtip32xx.c
index 66a6bd83faae..54c8736038de 100644
--- a/drivers/block/mtip32xx/mtip32xx.c
+++ b/drivers/block/mtip32xx/mtip32xx.c
@@ -4108,6 +4108,7 @@ static void mtip_no_dev_cleanup(struct request *rq, void *data, bool reserv)
struct mtip_cmd *cmd;
if (likely(!reserv)) {
+ cmd = blk_mq_rq_to_pdu(rq);
cmd->status = -ENODEV;
blk_mq_complete_request(rq);
} else if (test_bit(MTIP_PF_IC_ACTIVE_BIT, &dd->port->flags)) {
--
Jens Axboe
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: mtip32xx: add a status field to struct mtip_cmd
2017-04-21 14:14 ` Jens Axboe
@ 2017-04-21 14:37 ` Christoph Hellwig
2017-04-21 14:47 ` Jens Axboe
0 siblings, 1 reply; 6+ messages in thread
From: Christoph Hellwig @ 2017-04-21 14:37 UTC (permalink / raw)
To: Jens Axboe
Cc: Colin Ian King, Christoph Hellwig, Johannes Thumshirn, linux-kernel
On Fri, Apr 21, 2017 at 08:14:03AM -0600, Jens Axboe wrote:
> From: Jens Axboe <axboe@fb.com>
> Subject: [PATCH] mtip32xx: fix dereference of stack garbage
>
> We need to get the command payload from the request before
> we attempt to dereference it.
>
> Fixes: 4dda4735c581 ("mtip32xx: add a status field to struct mtip_cmd")
> Signed-off-by: Jens Axboe <axboe@fb.com>
Looks fine:
Reviewed-by: Christoph Hellwig <hch@lst.de>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: mtip32xx: add a status field to struct mtip_cmd
2017-04-21 14:37 ` Christoph Hellwig
@ 2017-04-21 14:47 ` Jens Axboe
0 siblings, 0 replies; 6+ messages in thread
From: Jens Axboe @ 2017-04-21 14:47 UTC (permalink / raw)
To: Christoph Hellwig; +Cc: Colin Ian King, Johannes Thumshirn, linux-kernel
On 04/21/2017 08:37 AM, Christoph Hellwig wrote:
> On Fri, Apr 21, 2017 at 08:14:03AM -0600, Jens Axboe wrote:
>> From: Jens Axboe <axboe@fb.com>
>> Subject: [PATCH] mtip32xx: fix dereference of stack garbage
>>
>> We need to get the command payload from the request before
>> we attempt to dereference it.
>>
>> Fixes: 4dda4735c581 ("mtip32xx: add a status field to struct mtip_cmd")
>> Signed-off-by: Jens Axboe <axboe@fb.com>
>
> Looks fine:
>
> Reviewed-by: Christoph Hellwig <hch@lst.de>
Pushed, thanks.
--
Jens Axboe
^ permalink raw reply [flat|nested] 6+ messages in thread
* mtip32xx: add a status field to struct mtip_cmd
2017-04-18 15:52 kill req->errors V2 Christoph Hellwig
@ 2017-04-18 15:52 ` Christoph Hellwig
0 siblings, 0 replies; 6+ messages in thread
From: Christoph Hellwig @ 2017-04-18 15:52 UTC (permalink / raw)
To: Jens Axboe
Cc: Josef Bacik, James Smart, Konrad Rzeszutek Wilk,
Roger Pau Monné,
linux-scsi, linux-nvme, linux-block, dm-devel, Christoph Hellwig
From: Christoph Hellwig <hch@lst.de>
Instead of using req->errors, which will go away.
Signed-off-by: Christoph Hellwig <hch@lst.de>
---
drivers/block/mtip32xx/mtip32xx.c | 16 +++++++++-------
drivers/block/mtip32xx/mtip32xx.h | 1 +
2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/drivers/block/mtip32xx/mtip32xx.c b/drivers/block/mtip32xx/mtip32xx.c
index 05e3e664ea1b..7406de29db58 100644
--- a/drivers/block/mtip32xx/mtip32xx.c
+++ b/drivers/block/mtip32xx/mtip32xx.c
@@ -241,7 +241,8 @@ static void mtip_async_complete(struct mtip_port *port,
rq = mtip_rq_from_tag(dd, tag);
- blk_mq_complete_request(rq, status);
+ cmd->status = status;
+ blk_mq_complete_request(rq, 0);
}
/*
@@ -2910,18 +2911,19 @@ static void mtip_softirq_done_fn(struct request *rq)
if (unlikely(cmd->unaligned))
up(&dd->port->cmd_slot_unal);
- blk_mq_end_request(rq, rq->errors);
+ blk_mq_end_request(rq, cmd->status);
}
static void mtip_abort_cmd(struct request *req, void *data,
bool reserved)
{
+ struct mtip_cmd *cmd = blk_mq_rq_to_pdu(req);
struct driver_data *dd = data;
dbg_printk(MTIP_DRV_NAME " Aborting request, tag = %d\n", req->tag);
clear_bit(req->tag, dd->port->cmds_to_issue);
- req->errors = -EIO;
+ cmd->status = -EIO;
mtip_softirq_done_fn(req);
}
@@ -3816,7 +3818,6 @@ static int mtip_queue_rq(struct blk_mq_hw_ctx *hctx,
if (likely(!ret))
return BLK_MQ_RQ_QUEUE_OK;
- rq->errors = ret;
return BLK_MQ_RQ_QUEUE_ERROR;
}
@@ -4106,9 +4107,10 @@ static void mtip_no_dev_cleanup(struct request *rq, void *data, bool reserv)
struct driver_data *dd = (struct driver_data *)data;
struct mtip_cmd *cmd;
- if (likely(!reserv))
- blk_mq_complete_request(rq, -ENODEV);
- else if (test_bit(MTIP_PF_IC_ACTIVE_BIT, &dd->port->flags)) {
+ if (likely(!reserv)) {
+ cmd->status = -ENODEV;
+ blk_mq_complete_request(rq, 0);
+ } else if (test_bit(MTIP_PF_IC_ACTIVE_BIT, &dd->port->flags)) {
cmd = mtip_cmd_from_tag(dd, MTIP_TAG_INTERNAL);
if (cmd->comp_func)
diff --git a/drivers/block/mtip32xx/mtip32xx.h b/drivers/block/mtip32xx/mtip32xx.h
index 7617888f7944..57b41528a824 100644
--- a/drivers/block/mtip32xx/mtip32xx.h
+++ b/drivers/block/mtip32xx/mtip32xx.h
@@ -352,6 +352,7 @@ struct mtip_cmd {
int retries; /* The number of retries left for this command. */
int direction; /* Data transfer direction */
+ int status;
};
/* Structure used to describe a port. */
--
2.11.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* mtip32xx: add a status field to struct mtip_cmd
@ 2017-04-18 15:52 ` Christoph Hellwig
0 siblings, 0 replies; 6+ messages in thread
From: Christoph Hellwig @ 2017-04-18 15:52 UTC (permalink / raw)
From: Christoph Hellwig <hch@lst.de>
Instead of using req->errors, which will go away.
Signed-off-by: Christoph Hellwig <hch at lst.de>
---
drivers/block/mtip32xx/mtip32xx.c | 16 +++++++++-------
drivers/block/mtip32xx/mtip32xx.h | 1 +
2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/drivers/block/mtip32xx/mtip32xx.c b/drivers/block/mtip32xx/mtip32xx.c
index 05e3e664ea1b..7406de29db58 100644
--- a/drivers/block/mtip32xx/mtip32xx.c
+++ b/drivers/block/mtip32xx/mtip32xx.c
@@ -241,7 +241,8 @@ static void mtip_async_complete(struct mtip_port *port,
rq = mtip_rq_from_tag(dd, tag);
- blk_mq_complete_request(rq, status);
+ cmd->status = status;
+ blk_mq_complete_request(rq, 0);
}
/*
@@ -2910,18 +2911,19 @@ static void mtip_softirq_done_fn(struct request *rq)
if (unlikely(cmd->unaligned))
up(&dd->port->cmd_slot_unal);
- blk_mq_end_request(rq, rq->errors);
+ blk_mq_end_request(rq, cmd->status);
}
static void mtip_abort_cmd(struct request *req, void *data,
bool reserved)
{
+ struct mtip_cmd *cmd = blk_mq_rq_to_pdu(req);
struct driver_data *dd = data;
dbg_printk(MTIP_DRV_NAME " Aborting request, tag = %d\n", req->tag);
clear_bit(req->tag, dd->port->cmds_to_issue);
- req->errors = -EIO;
+ cmd->status = -EIO;
mtip_softirq_done_fn(req);
}
@@ -3816,7 +3818,6 @@ static int mtip_queue_rq(struct blk_mq_hw_ctx *hctx,
if (likely(!ret))
return BLK_MQ_RQ_QUEUE_OK;
- rq->errors = ret;
return BLK_MQ_RQ_QUEUE_ERROR;
}
@@ -4106,9 +4107,10 @@ static void mtip_no_dev_cleanup(struct request *rq, void *data, bool reserv)
struct driver_data *dd = (struct driver_data *)data;
struct mtip_cmd *cmd;
- if (likely(!reserv))
- blk_mq_complete_request(rq, -ENODEV);
- else if (test_bit(MTIP_PF_IC_ACTIVE_BIT, &dd->port->flags)) {
+ if (likely(!reserv)) {
+ cmd->status = -ENODEV;
+ blk_mq_complete_request(rq, 0);
+ } else if (test_bit(MTIP_PF_IC_ACTIVE_BIT, &dd->port->flags)) {
cmd = mtip_cmd_from_tag(dd, MTIP_TAG_INTERNAL);
if (cmd->comp_func)
diff --git a/drivers/block/mtip32xx/mtip32xx.h b/drivers/block/mtip32xx/mtip32xx.h
index 7617888f7944..57b41528a824 100644
--- a/drivers/block/mtip32xx/mtip32xx.h
+++ b/drivers/block/mtip32xx/mtip32xx.h
@@ -352,6 +352,7 @@ struct mtip_cmd {
int retries; /* The number of retries left for this command. */
int direction; /* Data transfer direction */
+ int status;
};
/* Structure used to describe a port. */
--
2.11.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
end of thread, other threads:[~2017-04-21 19:19 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-04-21 14:06 mtip32xx: add a status field to struct mtip_cmd Colin Ian King
2017-04-21 14:14 ` Jens Axboe
2017-04-21 14:37 ` Christoph Hellwig
2017-04-21 14:47 ` Jens Axboe
-- strict thread matches above, loose matches on Subject: below --
2017-04-18 15:52 kill req->errors V2 Christoph Hellwig
2017-04-18 15:52 ` mtip32xx: add a status field to struct mtip_cmd Christoph Hellwig
2017-04-18 15:52 ` Christoph Hellwig
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.