linux-toradex.git/drivers/scsi/aacraid/commctrl.c, branch v3.11 Linux kernel for Apalis and Colibri modules drivers: avoid parsing names as kthread_run() format strings 2013-07-03T23:07:41+00:00 Kees Cook keescook@chromium.org 2013-07-03T22:04:58+00:00 f170168b9a0b61ea1e647b082b38f605f1d3de3e Calling kthread_run with a single name parameter causes it to be handled as a format string. Many callers are passing potentially dynamic string content, so use "%s" in those cases to avoid any potential accidents. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 
Calling kthread_run with a single name parameter causes it to be handled
as a format string. Many callers are passing potentially dynamic string
content, so use "%s" in those cases to avoid any potential accidents.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[SCSI] aacraid: Series 7 Async. (performance) mode support 2012-07-20T07:59:04+00:00 Mahesh Rajashekhara Mahesh_Rajashekhara@pmc-sierra.com 2012-07-14T12:48:51+00:00 85d22bbf6787c240921539bba224eb221bfb8ee1 - Series 7 Async. (performance) mode support added - New scatter/gather list format for Series 7 - Driver converts s/g list to a firmware suitable list for best performance on Series 7, this can be disabled with driver parameter "aac_convert_sgl" for testing purposes - New container read/write command structure for Series 7 - Fast response support for the SCSI pass-through path added - Async. status response buffer changes Signed-off-by: Mahesh Rajashekhara <Mahesh_Rajashekhara@pmc-sierra.com> Signed-off-by: James Bottomley <JBottomley@Parallels.com> 
- Series 7 Async. (performance) mode support added
- New scatter/gather list format for Series 7
- Driver converts s/g list to a firmware suitable list for best performance on
  Series 7, this can be disabled with driver parameter "aac_convert_sgl" for
  testing purposes
- New container read/write command structure for Series 7
- Fast response support for the SCSI pass-through path added
- Async. status response buffer changes

Signed-off-by: Mahesh Rajashekhara <Mahesh_Rajashekhara@pmc-sierra.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
drivers/scsi/aacraid/commctrl.c: fix mem leak in aac_send_raw_srb() 2012-01-08T22:15:21+00:00 Jesper Juhl jj@chaosbits.net 2012-01-08T21:44:19+00:00 7dd72f5189b257f927cc3b35d98643a5c392f5c3 We leak in drivers/scsi/aacraid/commctrl.c::aac_send_raw_srb() : We allocate memory: ... struct user_sgmap* usg; usg = kmalloc(actual_fibsize - sizeof(struct aac_srb) + sizeof(struct sgmap), GFP_KERNEL); and then neglect to free it: ... for (i = 0; i < usg->count; i++) { u64 addr; void* p; if (usg->sg[i].count > ((dev->adapter_info.options & AAC_OPT_NEW_COMM) ? (dev->scsi_host_ptr->max_sectors << 9) : 65536)) { rcode = -EINVAL; goto cleanup; ... this 'goto' makes 'usg' go out of scope and leak the memory we allocated. Other exits properly kfree(usg), it's just here it is neglected. Signed-off-by: Jesper Juhl <jj@chaosbits.net> Cc: James Bottomley <James.Bottomley@HansenPartnership.com> Cc: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 
We leak in drivers/scsi/aacraid/commctrl.c::aac_send_raw_srb() :

We allocate memory:

	...
	struct user_sgmap* usg;
	usg = kmalloc(actual_fibsize - sizeof(struct aac_srb)
	  + sizeof(struct sgmap), GFP_KERNEL);

and then neglect to free it:

	...
	for (i = 0; i < usg->count; i++) {
		u64 addr;
		void* p;
		if (usg->sg[i].count >
		    ((dev->adapter_info.options &
		     AAC_OPT_NEW_COMM) ?
		      (dev->scsi_host_ptr->max_sectors << 9) :
		      65536)) {
			rcode = -EINVAL;
			goto cleanup;
	... this 'goto' makes 'usg' go out of scope and leak the memory we
	    allocated.

Other exits properly kfree(usg), it's just here it is neglected.

Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[SCSI] aacraid: Add new code for PMC-Sierra's SRC based controller family 2011-03-23T16:36:58+00:00 Mahesh Rajashekhara Mahesh_Rajashekhara@pmc-sierra.com 2011-03-17T09:10:32+00:00 e8b12f0fb8352237525961f14ec933e915848840 Added new hardware device 0x28b interface for PMC-Sierra's SRC based controller family. - new src.c file for 0x28b specific functions - new XPORT header required - sync. command interface: doorbell bits shifted (SRC_ODR_SHIFT, SRC_IDR_SHIFT) - async. Interface: different inbound queue handling, no outbound I2O queue available, using doorbell ("PmDoorBellResponseSent") and response buffer on the host ("host_rrq") for status - changed AIF (adapter initiated FIBs) interface: "DoorBellAifPending" bit to inform about pending AIF, "AifRequest" command to read AIF, "NoMoreAifDataAvailable" to mark the end of the AIFs Signed-off-by: Mahesh Rajashekhara <aacraid@pmc-sierra.com> Signed-off-by: James Bottomley <James.Bottomley@suse.de> 
Added new hardware device 0x28b interface for PMC-Sierra's SRC based
controller family.

- new src.c file for 0x28b specific functions
- new XPORT header required
- sync. command interface: doorbell bits shifted (SRC_ODR_SHIFT, SRC_IDR_SHIFT)
- async. Interface: different inbound queue handling, no outbound I2O
  queue available, using doorbell ("PmDoorBellResponseSent") and
  response buffer on the host ("host_rrq") for status
- changed AIF (adapter initiated FIBs) interface: "DoorBellAifPending"
  bit to inform about pending AIF, "AifRequest" command to read AIF,
  "NoMoreAifDataAvailable" to mark the end of the AIFs

Signed-off-by: Mahesh Rajashekhara <aacraid@pmc-sierra.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
[SCSI] aacraid: semaphore cleanup 2010-09-17T02:54:09+00:00 Thomas Gleixner tglx@linutronix.de 2010-09-07T14:32:47+00:00 6de76cfc7db8844bc26ab9a60b20f50ad7851833 Get rid of init_MUTEX[_LOCKED]() and use sema_init() instead. Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Cc: aacraid@adaptec.com Signed-off-by: James Bottomley <James.Bottomley@suse.de> 
Get rid of init_MUTEX[_LOCKED]() and use sema_init() instead.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: aacraid@adaptec.com
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
[SCSI] aacraid: Eliminate use after free 2010-05-25T15:59:07+00:00 Julia Lawall julia@diku.dk 2010-05-15T09:46:12+00:00 8a52da632ceb9d8b776494563df579e87b7b586b The debugging code using the freed structure is moved before the kfree. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // <smpl> @free@ expression E; position p; @@ kfree@p(E) @@ expression free.E, subE<=free.E, E1; position free.p; @@ kfree@p(E) ... ( subE = E1 | * E ) // </smpl> Signed-off-by: Julia Lawall <julia@diku.dk> Signed-off-by: James Bottomley <James.Bottomley@suse.de> 
The debugging code using the freed structure is moved before the kfree.

A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)

// <smpl>
@free@
expression E;
position p;
@@
kfree@p(E)

@@
expression free.E, subE<=free.E, E1;
position free.p;
@@

  kfree@p(E)
  ...
(
  subE = E1
|
* E
)
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
[SCSI] aacraid: fix File System going into read-only mode 2010-01-17T18:16:17+00:00 Penchala Narasimha Reddy Chilakala, ERS-HCLTech narasimhareddyc@hcl.in 2009-12-21T13:09:27+00:00 cacb6dc3d7fea751879a225c15e48228415e6359 These particular problems were reported by Cisco and SAP and customers as well. Cisco reported on RHEL4 U6 and SAP reported on SLES9 SP4 and SLES10 SP2. We added these fixes on RHEL4 U6 and gave a private build to IBM and Cisco. Cisco and IBM tested it for more than 15 days and they reported that they did not see the issue so far. Before the fix, Cisco used to see the issue within 5 days. We generated a patch for SLES9 SP4 and SLES10 SP2 and submitted to Novell. Novell applied the patch and gave a test build to SAP. SAP tested and reported that the build is working properly. We also tested in our lab using the tools "dishogsync", which is IO stress tool and the tool was provided by Cisco. Issue1: File System going into read-only mode Root cause: The driver tends to not free the memory (FIB) when the management request exits prematurely. The accumulation of such un-freed memory causes the driver to fail to allocate anymore memory (FIB) and hence return 0x70000 value to the upper layer, which puts the file system into read only mode. Fix details: The fix makes sure to free the memory (FIB) even if the request exits prematurely hence ensuring the driver wouldn't run out of memory (FIBs). Issue2: False Raid Alert occurs When the Physical Drives and Logical drives are reported as deleted or added, even though there is no change done on the system Root cause: Driver IOCTLs is signaled with EINTR while waiting on response from the lower layers. Returning "EINTR" will never initiate internal retry. Fix details: The issue was fixed by replacing "EINTR" with "ERESTARTSYS" for mid-layer retries. Signed-off-by: Penchala Narasimha Reddy <ServeRAIDDriver@hcl.in> Signed-off-by: James Bottomley <James.Bottomley@suse.de> 
These particular problems were reported by Cisco and SAP and customers
as well. Cisco reported on RHEL4 U6 and SAP reported on SLES9 SP4 and
SLES10 SP2. We added these fixes on RHEL4 U6 and gave a private build
to IBM and Cisco. Cisco and IBM tested it for more than 15 days and
they reported that they did not see the issue so far. Before the fix,
Cisco used to see the issue within 5 days. We generated a patch for
SLES9 SP4 and SLES10 SP2 and submitted to Novell. Novell applied the
patch and gave a test build to SAP. SAP tested and reported that the
build is working properly.

We also tested in our lab using the tools "dishogsync", which is IO
stress tool and the tool was provided by Cisco.

Issue1:  File System going into read-only mode

Root cause: The driver tends to not free the memory (FIB) when the
management request exits prematurely. The accumulation of such
un-freed memory causes the driver to fail to allocate anymore memory
(FIB) and hence return 0x70000 value to the upper layer, which puts
the file system into read only mode.

Fix details: The fix makes sure to free the memory (FIB) even if the
request exits prematurely hence ensuring the driver wouldn't run out
of memory (FIBs).


Issue2: False Raid Alert occurs

When the Physical Drives and Logical drives are reported as deleted or
added, even though there is no change done on the system

Root cause: Driver IOCTLs is signaled with EINTR while waiting on
response from the lower layers. Returning "EINTR" will never initiate
internal retry.

Fix details: The issue was fixed by replacing "EINTR" with
"ERESTARTSYS" for mid-layer retries.

Signed-off-by: Penchala Narasimha Reddy <ServeRAIDDriver@hcl.in>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
[SCSI] Clean up my email address and use a single standard address for everything 2008-12-29T17:24:12+00:00 Alan Cox alan@lxorguk.ukuu.org.uk 2008-10-27T15:16:36+00:00 fa195afe4ad3f6d85a9b7cc236ae85c05ca8db03 Signed-off-by: Alan Cox <alan@redhat.com> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> 
Signed-off-by: Alan Cox <alan@redhat.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
[SCSI] aacraid: check pci_alloc_consistent errors 2008-12-29T17:24:11+00:00 FUJITA Tomonori fujita.tomonori@lab.ntt.co.jp 2008-10-23T08:36:08+00:00 e98991130df36bc429f341a2f21519c39c52afe3 We need to check the address that pci_alloc_consistent() returns since it might fail. When pci_alloc_consistent() fails, some IOMMUs set the dma_handle argument to zero. So we can't use fibptr->hw_fib_pa directly here. Signed-off-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp> Cc: Aacraid List <aacraid@adaptec.com> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> 
We need to check the address that pci_alloc_consistent() returns since
it might fail.

When pci_alloc_consistent() fails, some IOMMUs set the dma_handle
argument to zero. So we can't use fibptr->hw_fib_pa directly here.

Signed-off-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
Cc: Aacraid List <aacraid@adaptec.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
[SCSI] aacraid: prevent copy_from_user() BUG! 2008-07-12T13:22:24+00:00 Mark Salyzyn Mark_Salyzyn@adaptec.com 2008-05-28T19:32:55+00:00 090507157f3bc43dd925fda50f8aca7d03b616b6 Seen: kernel BUG at arch/i386/lib/usercopy.c:872 under a 2.6.18-8.el5 kernel. Traced it to a garbage-in/garbage-out ioctl condition in the aacraid driver. Adaptec's special ioctl scb passthrough needs to check the validity of the individual scatter gather count fields to the maximum the adapter supports. Doing so will have the side effect of preventing copy_from_user() from bugging out while populating the dma buffers. This is a hardening effort, issue was triggered by an errant version of the management tools and thus the BUG should not be seen in the field. [jejb: fixed up compile failure] Signed-off-by: Mark Salyzyn <aacraid@adaptec.com> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> 
Seen:

	kernel BUG at arch/i386/lib/usercopy.c:872

under a 2.6.18-8.el5 kernel. Traced it to a garbage-in/garbage-out
ioctl condition in the aacraid driver.

Adaptec's special ioctl scb passthrough needs to check the validity of
the individual scatter gather count fields to the maximum the adapter
supports. Doing so will have the side effect of preventing
copy_from_user() from bugging out while populating the dma buffers.
This is a hardening effort, issue was triggered by an errant version
of the management tools and thus the BUG should not be seen in the
field.

[jejb: fixed up compile failure]
Signed-off-by: Mark Salyzyn <aacraid@adaptec.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>