mirrors/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2025-11-04 10:40:15 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions
linux/drivers/scsi/isci
History
Logan Gunthorpe cc29a1b0a3 scsi: isci: initialize shost fully before calling scsi_add_host() 
scsi_mq_setup_tags(), which is called by scsi_add_host(), calculates the
command size to allocate based on the prot_capabilities. In the isci
driver, scsi_host_set_prot() is called after scsi_add_host() so the command
size gets calculated to be smaller than it needs to be.  Eventually,
scsi_mq_init_request() locates the 'prot_sdb' after the command assuming it
was sized correctly and a buffer overrun may occur.

However, seeing blk_mq_alloc_rqs() rounds up to the nearest cache line
size, the mistake can go unnoticed.

The bug was noticed after the struct request size was reduced by commit
9d037ad707 ("block: remove req->timeout_list")

Which likely reduced the allocated space for the request by an entire cache
line, enough that the overflow could be hit and it caused a panic, on boot,
at:

  RIP: 0010:t10_pi_complete+0x77/0x1c0
  Call Trace:
    <IRQ>
    sd_done+0xf5/0x340
    scsi_finish_command+0xc3/0x120
    blk_done_softirq+0x83/0xb0
    __do_softirq+0xa1/0x2e6
    irq_exit+0xbc/0xd0
    call_function_single_interrupt+0xf/0x20
    </IRQ>

sd_done() would call scsi_prot_sg_count() which reads the number of
entities in 'prot_sdb', but seeing 'prot_sdb' is located after the end of
the allocated space it reads a garbage number and erroneously calls
t10_pi_complete().

To prevent this, the calls to scsi_host_set_prot() are moved into
isci_host_alloc() before the call to scsi_add_host(). Out of caution, also
move the similar call to scsi_host_set_guard().

Fixes: 3d2d752549 ("[SCSI] isci: T10 DIF support")
Link: http://lkml.kernel.org/r/da851333-eadd-163a-8c78-e1f4ec5ec857@deltatee.com
Signed-off-by: Logan Gunthorpe <logang@deltatee.com>
Cc: Intel SCU Linux support <intel-linux-scu@intel.com>
Cc: Artur Paszkiewicz <artur.paszkiewicz@intel.com>
Cc: "James E.J. Bottomley" <jejb@linux.ibm.com>
Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Jeff Moyer <jmoyer@redhat.com>
Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
Reviewed-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2019-01-08 22:27:24 -05:00
..
host.c scsi: isci: Change sci_controller_start_task's return type to sci_status 2018-10-16 21:38:47 -04:00
host.h scsi: isci: Change sci_controller_start_task's return type to sci_status 2018-10-16 21:38:47 -04:00
init.c scsi: isci: initialize shost fully before calling scsi_add_host() 2019-01-08 22:27:24 -05:00
isci.h
Makefile
phy.c scsi: isci: phy: Mark expected switch fall-through 2018-12-20 20:03:55 -05:00
phy.h
port.c
port.h
port_config.c
probe_roms.c
probe_roms.h
registers.h
remote_device.c scsi: isci: remote_device: Mark expected switch fall-throughs 2018-12-20 20:03:56 -05:00
remote_device.h
remote_node_context.c scsi: isci: remote_node_context: mark expected switch fall-throughs 2018-12-20 20:03:56 -05:00
remote_node_context.h
remote_node_table.c
remote_node_table.h
request.c scsi: isci: request: mark expected switch fall-through 2018-12-20 20:03:56 -05:00
request.h
sas.h
scu_completion_codes.h
scu_event_codes.h
scu_remote_node_context.h
scu_task_context.h
task.c scsi: isci: Change sci_controller_start_task's return type to sci_status 2018-10-16 21:38:47 -04:00
task.h
unsolicited_frame_control.c
unsolicited_frame_control.h