linux-scsi.vger.kernel.org archive mirror
* [PATCH] mpt3sas: Fix memset in non-rdpq mode.
@ 2020-05-28 14:56 Suganath Prabu S
  2020-06-03  2:31 ` Martin K. Petersen
  0 siblings, 1 reply; 2+ messages in thread
From: Suganath Prabu S @ 2020-05-28 14:56 UTC (permalink / raw)
  To: linux-scsi; +Cc: sreekanth.reddy, thenzl, martin.petersen, Suganath Prabu S

Replace dma_pool_alloc and memset with dma_pool_zalloc.
This fixes memset accessing out of range address when reply_queue
count is less than RDPQ_MAX_INDEX_IN_ONE_CHUNK (i.e. 16) in non-RDPQ
mode.

In non-RDPQ mode, the driver allocates a single contiguous pool of
size reply_queue's count * reply_post_free_sz. But here the driver is
always memsetting this pool with size 16 * reply_post_free_sz. So if
reply queue count is less than 16 (i.e. when msix vectors enabled is
less than 16) then the driver is accessing out of range address and
this results in 'BUG: unable to handle kernel paging request at
fff0x...x' bug.

This bug was introduced by the commit below:
commit 8012209eb26b7819385a6ec6eae4b1d0a0dbe585 ("scsi: mpt3sas:
Handle RDPQ DMA allocation in same 4G region")

To fix this out of range access, the driver uses dma_pool_zalloc API
to allocate the pool, so that this pool will be initialized with zeros
of actual pool size by this API itself.

Signed-off-by: Suganath Prabu S <suganath-prabu.subramani@broadcom.com>
---
 drivers/scsi/mpt3sas/mpt3sas_base.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/drivers/scsi/mpt3sas/mpt3sas_base.c b/drivers/scsi/mpt3sas/mpt3sas_base.c
index beaea19..96b78fd 100644
--- a/drivers/scsi/mpt3sas/mpt3sas_base.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_base.c
@@ -4984,7 +4984,7 @@ base_alloc_rdpq_dma_pool(struct MPT3SAS_ADAPTER *ioc, int sz)
 	for (i = 0; i < count; i++) {
 		if ((i % RDPQ_MAX_INDEX_IN_ONE_CHUNK == 0) && dma_alloc_count) {
 			ioc->reply_post[i].reply_post_free =
-			    dma_pool_alloc(ioc->reply_post_free_dma_pool,
+			    dma_pool_zalloc(ioc->reply_post_free_dma_pool,
 				GFP_KERNEL,
 				&ioc->reply_post[i].reply_post_free_dma);
 			if (!ioc->reply_post[i].reply_post_free)
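
Review bot: at the dma_pool_zalloc() call that now fills reply_post_free, the zeroed length is whatever block size reply_post_free_dma_pool was created with, and that size is not visible in this hunk. A one-line comment above the call stating that the pool block is reply queue count * reply_post_free_sz in non-RDPQ mode (as the commit message says) would let a reader see why no explicit length is passed and would guard against someone reintroducing a fixed-size memset() later.
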
@@ -5008,9 +5008,6 @@ base_alloc_rdpq_dma_pool(struct MPT3SAS_ADAPTER *ioc, int sz)
 				    ioc->reply_post[i].reply_post_free_dma));
 				return -EAGAIN;
 			}
-			memset(ioc->reply_post[i].reply_post_free, 0,
-						RDPQ_MAX_INDEX_IN_ONE_CHUNK *
-						reply_post_free_sz);
 			dma_alloc_count--;
 
 		} else {
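
Review bot: with the memset() after the error path removed, please check whether reply_post_free_sz is still used elsewhere in base_alloc_rdpq_dma_pool(); if these three lines were its last use, the local should go too, otherwise the build gains an unused-variable warning. The entries handled in the else branch now depend on the chunk having been zeroed at allocation time, which holds only as long as they point into the block returned by the dma_pool_zalloc() call above, so that is worth confirming. Since the message already names the commit that introduced the bug, a trailer of the form Fixes: 8012209eb26b ("scsi: mpt3sas: Handle RDPQ DMA allocation in same 4G region") would make the stable backport path explicit.
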
-- 
1.8.3.1



* Re: [PATCH] mpt3sas: Fix memset in non-rdpq mode.
  2020-05-28 14:56 [PATCH] mpt3sas: Fix memset in non-rdpq mode Suganath Prabu S
@ 2020-06-03  2:31 ` Martin K. Petersen
  0 siblings, 0 replies; 2+ messages in thread
From: Martin K. Petersen @ 2020-06-03  2:31 UTC (permalink / raw)
  To: linux-scsi, Suganath Prabu S; +Cc: Martin K . Petersen, sreekanth.reddy, thenzl

On Thu, 28 May 2020 10:56:17 -0400, Suganath Prabu S wrote:

> Replace dma_pool_alloc and memset with dma_pool_zalloc.
> This fixes memset accessing out of range address when reply_queue
> count is less than RDPQ_MAX_INDEX_IN_ONE_CHUNK (i.e. 16) in non-RDPQ
> mode.
> 
> In non-RDPQ mode, the driver allocates a single contiguous pool of
> size reply_queue's count * reply_post_free_sz. But here the driver is
> always memsetting this pool with size 16 * reply_post_free_sz. So if
> reply queue count is less than 16 (i.e. when msix vectors enabled is
> less than 16) then the driver is accessing out of range address and
> this results in 'BUG: unable to handle kernel paging request at
> fff0x...x' bug.
> 
> [...]

Applied to 5.8/scsi-queue, thanks!

[1/1] scsi: mpt3sas: Fix memset() in non-RDPQ mode
      https://git.kernel.org/mkp/scsi/c/61e6ba03ea26

-- 
Martin K. Petersen	Oracle Linux Engineering
