git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blob

   1 From 98cb7e4413d189cd2b54daf993a4667d9788c0bb Mon Sep 17 00:00:00 2001
   2 From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
   3 Date: Wed, 19 Jan 2011 10:01:14 +0100
   4 Subject: [SCSI] megaraid_sas: Sanity check user supplied length before passing it to dma_alloc_coherent()
   5 MIME-Version: 1.0
   6 Content-Type: text/plain; charset=UTF-8
   7 Content-Transfer-Encoding: 8bit
   8
   9 From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
  10
  11 commit 98cb7e4413d189cd2b54daf993a4667d9788c0bb upstream.
  12
  13 The ioc->sgl[i].iov_len value is supplied by the ioctl caller, and can be
  14 zero in some cases.  Assume that's valid and continue without error.
  15
  16 Fixes (multiple individual reports of the same problem for quite a while):
  17
  18 http://marc.info/?l=linux-ide&m=128941801715301
  19 http://bugs.debian.org/604627
  20 http://www.mail-archive.com/linux-poweredge@dell.com/msg02575.html
  21
  22 megasas: Failed to alloc kernel SGL buffer for IOCTL
  23
  24 and
  25
  26 [   69.162538] ------------[ cut here ]------------
  27 [   69.162806] kernel BUG at /build/buildd/linux-2.6.32/lib/swiotlb.c:368!
  28 [   69.163134] invalid opcode: 0000 [#1] SMP
  29 [   69.163570] last sysfs file: /sys/devices/system/cpu/cpu3/cache/index2/shared_cpu_map
  30 [   69.163975] CPU 0
  31 [   69.164227] Modules linked in: fbcon tileblit font bitblit softcursor vga16fb vgastate ioatdma radeon ttm drm_kms_helper shpchp drm i2c_algo_bit lp parport floppy pata_jmicron megaraid_sas igb dca
  32 [   69.167419] Pid: 1206, comm: smartctl Tainted: G        W  2.6.32-25-server #45-Ubuntu X8DTN
  33 [   69.167843] RIP: 0010:[<ffffffff812c4dc5>]  [<ffffffff812c4dc5>] map_single+0x255/0x260
  34 [   69.168370] RSP: 0018:ffff88081c0ebc58  EFLAGS: 00010246
  35 [   69.168655] RAX: 000000000003bffc RBX: 00000000ffffffff RCX: 0000000000000002
  36 [   69.169000] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88001dffe000
  37 [   69.169346] RBP: ffff88081c0ebcb8 R08: 0000000000000000 R09: ffff880000030840
  38 [   69.169691] R10: 0000000000100000 R11: 0000000000000000 R12: 0000000000000000
  39 [   69.170036] R13: 00000000ffffffff R14: 0000000000000001 R15: 0000000000200000
  40 [   69.170382] FS:  00007fb8de189720(0000) GS:ffff88001de00000(0000) knlGS:0000000000000000
  41 [   69.170794] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  42 [   69.171094] CR2: 00007fb8dd59237c CR3: 000000081a790000 CR4: 00000000000006f0
  43 [   69.171439] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  44 [   69.171784] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
  45 [   69.172130] Process smartctl (pid: 1206, threadinfo ffff88081c0ea000, task ffff88081a760000)
  46 [   69.194513] Stack:
  47 [   69.205788]  0000000000000034 00000002817e3390 0000000000000000 ffff88081c0ebe00
  48 [   69.217739] <0> 0000000000000000 000000000003bffc 0000000000000000 0000000000000000
  49 [   69.241250] <0> 0000000000000000 00000000ffffffff ffff88081c5b4080 ffff88081c0ebe00
  50 [   69.277310] Call Trace:
  51 [   69.289278]  [<ffffffff812c52ac>] swiotlb_alloc_coherent+0xec/0x130
  52 [   69.301118]  [<ffffffff81038b31>] x86_swiotlb_alloc_coherent+0x61/0x70
  53 [   69.313045]  [<ffffffffa002d0ce>] megasas_mgmt_fw_ioctl+0x1ae/0x690 [megaraid_sas]
  54 [   69.336399]  [<ffffffffa002d748>] megasas_mgmt_ioctl_fw+0x198/0x240 [megaraid_sas]
  55 [   69.359346]  [<ffffffffa002f695>] megasas_mgmt_ioctl+0x35/0x50 [megaraid_sas]
  56 [   69.370902]  [<ffffffff81153b12>] vfs_ioctl+0x22/0xa0
  57 [   69.382322]  [<ffffffff8115da2a>] ? alloc_fd+0x10a/0x150
  58 [   69.393622]  [<ffffffff81153cb1>] do_vfs_ioctl+0x81/0x410
  59 [   69.404696]  [<ffffffff8155cc13>] ? do_page_fault+0x153/0x3b0
  60 [   69.415761]  [<ffffffff811540c1>] sys_ioctl+0x81/0xa0
  61 [   69.426640]  [<ffffffff810121b2>] system_call_fastpath+0x16/0x1b
  62 [   69.437491] Code: fe ff ff 48 8b 3d 74 38 76 00 41 bf 00 00 20 00 e8 51 f5 d7 ff 83 e0 ff 48 05 ff 07 00 00 48 c1 e8 0b 48 89 45 c8 e9 13 fe ff ff <0f> 0b eb fe 0f 1f 80 00 00 00 00 55 48 89 e5 48 83 ec 20 4c 89
  63 [   69.478216] RIP  [<ffffffff812c4dc5>] map_single+0x255/0x260
  64 [   69.489668]  RSP <ffff88081c0ebc58>
  65 [   69.500975] ---[ end trace 6a2181b634e2abc7 ]---
  66
  67 Reported-by: Bokhan Artem <aptem@ngs.ru>
  68 Reported by: Marc-Christian Petersen <m.c.p@gmx.de>
  69 Signed-off-by: Bjørn Mork <bjorn@mork.no>
  70 Cc: Michael Benz <Michael.Benz@lsi.com>
  71 Signed-off-by: James Bottomley <James.Bottomley@suse.de>
  72 Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  73
  74 ---
  75  drivers/scsi/megaraid/megaraid_sas_base.c |    3 +++
  76  1 file changed, 3 insertions(+)
  77
  78 --- a/drivers/scsi/megaraid/megaraid_sas_base.c
  79 +++ b/drivers/scsi/megaraid/megaraid_sas_base.c
  80 @@ -4611,6 +4611,9 @@ megasas_mgmt_fw_ioctl(struct megasas_ins
  81          * For each user buffer, create a mirror buffer and copy in
  82          */
  83         for (i = 0; i < ioc->sge_count; i++) {
  84 +               if (!ioc->sgl[i].iov_len)
  85 +                       continue;
  86 +
  87                 kbuff_arr[i] = dma_alloc_coherent(&instance->pdev->dev,
  88                                                     ioc->sgl[i].iov_len,
  89                                                     &buf_handle, GFP_KERNEL);