authorSuganath Prabu S <suganath-prabu.subramani@broadcom.com>2020-05-22 06:35:58 -0400
committerMartin K. Petersen <martin.petersen@oracle.com>2020-05-26 19:57:59 -0400
commitf56577e8c7d0f3054f97d1f0d1cbe9a4d179cc47 (patch)
tree16fe084a8cc95e1a0bf25da2b74972a44ad6874c /drivers/scsi/mpt3sas
parent7217e6e694da3aae6d17db8a7f7460c8d4817ebf (diff)
scsi: mpt3sas: Fix reply queue count in non RDPQ mode
For non RDPQ mode, the driver allocates a single contiguous block of memory pool for all reply descriptor post queues and passes down a single address in the ReplyDescriptorPostQueueAddress field of the IOC Init Request Message to the firmware. So reply_post queue will have only one entry which holds the address of this single contiguous block of memory pool. While allocating the reply descriptor post queue pool, driver should loop only once in non-RDPQ mode. But the driver is looping for ioc->reply_queue_count number of times even though reply_post queue's queue depth is only one in non-RDPQ mode. This leads to 'BUG: KASAN: use-after-free in base_alloc_rdpq_dma_pool'. The fix is to loop only once while allocating memory for the reply descriptor post queue in non-RDPQ mode.

Fixes: 8012209eb26b ("scsi: mpt3sas: Handle RDPQ DMA allocation in same 4G region")
Link: https://lore.kernel.org/r/20200522103558.5710-1-suganath-prabu.subramani@broadcom.com
Reported-by: Tomas Henzl <thenzl@redhat.com>
Reviewed-by: Tomas Henzl <thenzl@redhat.com>
Signed-off-by: Suganath Prabu S <suganath-prabu.subramani@broadcom.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Diffstat (limited to 'drivers/scsi/mpt3sas')
-rw-r--r--drivers/scsi/mpt3sas/mpt3sas_base.c9
1 files changed, 5 insertions, 4 deletions
diff --git a/drivers/scsi/mpt3sas/mpt3sas_base.c b/drivers/scsi/mpt3sas/mpt3sas_base.c
index dc260fef9897..beaea1933f5c 100644
--- a/drivers/scsi/mpt3sas/mpt3sas_base.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_base.c
@@ -4809,6 +4809,7 @@ _base_release_memory_pools(struct MPT3SAS_ADAPTER *ioc)
int j = 0;
int dma_alloc_count = 0;
struct chain_tracker *ct;
+ int count = ioc->rdpq_array_enable ? ioc->reply_queue_count : 1;
dexitprintk(ioc, ioc_info(ioc, "%s\n", __func__));
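Review bot: The new `count` initialiser carries no comment saying why the bound collapses to 1, so a reader of _base_release_memory_pools has to go back to the commit message to learn that the array is shorter in non-RDPQ mode. I would add above the declaration: `/* Non-RDPQ mode: one contiguous pool, so reply_post has a single entry. */`. The function body continues outside this hunk.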
@@ -4850,9 +4851,9 @@ _base_release_memory_pools(struct MPT3SAS_ADAPTER *ioc)
}
if (ioc->reply_post) {
- dma_alloc_count = DIV_ROUND_UP(ioc->reply_queue_count,
+ dma_alloc_count = DIV_ROUND_UP(count,
RDPQ_MAX_INDEX_IN_ONE_CHUNK);
- for (i = 0; i < ioc->reply_queue_count; i++) {
+ for (i = 0; i < count; i++) {
if (i % RDPQ_MAX_INDEX_IN_ONE_CHUNK == 0
&& dma_alloc_count) {
if (ioc->reply_post[i].reply_post_free) {
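Review bot: The loop bound here is recomputed from `ioc->rdpq_array_enable` at release time rather than taken from the value that sized `ioc->reply_post`, so the walk stays in bounds only while that flag is unchanged since allocation; whether it can change in between is not visible in this diff. The same derived `count` drives the allocation loop in base_alloc_rdpq_dma_pool (third hunk), where its declaration lies outside the hunk. Recording the entry count on the adapter when the array is allocated and iterating with it in both places, e.g. `for (i = 0; i < ioc->reply_post_count; i++) {` (field name illustrative, not an existing member), would keep the free path from indexing past the array, which is the failure class KASAN reported. The function body starts and ends outside this hunk.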
@@ -4973,14 +4974,14 @@ base_alloc_rdpq_dma_pool(struct MPT3SAS_ADAPTER *ioc, int sz)
* Driver uses limitation of
* VENTURA_SERIES to manage INVADER_SERIES as well.
*/
- dma_alloc_count = DIV_ROUND_UP(ioc->reply_queue_count,
+ dma_alloc_count = DIV_ROUND_UP(count,
RDPQ_MAX_INDEX_IN_ONE_CHUNK);
ioc->reply_post_free_dma_pool =
dma_pool_create("reply_post_free pool",
&ioc->pdev->dev, sz, 16, 0);
if (!ioc->reply_post_free_dma_pool)
return -ENOMEM;
- for (i = 0; i < ioc->reply_queue_count; i++) {
+ for (i = 0; i < count; i++) {
if ((i % RDPQ_MAX_INDEX_IN_ONE_CHUNK == 0) && dma_alloc_count) {
ioc->reply_post[i].reply_post_free =
dma_pool_alloc(ioc->reply_post_free_dma_pool,