From patchwork Tue Jan 10 01:55:34 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Shinichiro Kawasaki <shinichiro.kawasaki@wdc.com>
X-Patchwork-Id: 641596
Return-Path: <linux-scsi-owner@vger.kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
 aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
 by smtp.lore.kernel.org (Postfix) with ESMTP id 726D3C54EBD
 for <linux-scsi@archiver.kernel.org>; Tue, 10 Jan 2023 01:55:46 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S229445AbjAJBzo (ORCPT <rfc822;linux-scsi@archiver.kernel.org>);
 Mon, 9 Jan 2023 20:55:44 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37766 "EHLO
 lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S229762AbjAJBzn (ORCPT
 <rfc822;linux-scsi@vger.kernel.org>); Mon, 9 Jan 2023 20:55:43 -0500
Received: from esa2.hgst.iphmx.com (esa2.hgst.iphmx.com [68.232.143.124])
 by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A6EC913F23
 for <linux-scsi@vger.kernel.org>;
 Mon,  9 Jan 2023 17:55:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
 d=wdc.com; i=@wdc.com; q=dns/txt; s=dkim.wdc.com;
 t=1673315741; x=1704851741;
 h=from:to:cc:subject:date:message-id:in-reply-to:
 references:mime-version:content-transfer-encoding;
 bh=8QTa+ZXhS+gfABgWpDdnMlCj5JOX+WkkogmapTpAIVY=;
 b=m9F1vtQwAlx5HoK8an2+AGWgNLuJFPFZosWuPh7HQtwBx04QQ4BZhzGi
 MYIcsJ+T57SnCDTbp8oOmGnQeO4pIE+NTNDnEYTE0/f5NcTuKxw24Rv3I
 MU/0X4puUsitjTIs2Lz8IKPz1EukFCdsG3UpeXA+vuY5DtO3Ckso7piU+
 HXtfLowbwZd3zzq2MgTWx64DozEF3BzAxtamQ+h9kbcueIBHY2iZzsb2X
 CjMM9149nSI9Ureg7cTU2zBA1iGBerRENsYc7wlF8j9dxo2Qq4GG7tu/I
 TG7J/vQpPNOsJWNtBIeqHYpmV/j1yfv1i1lSRAk1tcJIps+FxsgD58KUQ g==;
X-IronPort-AV: E=Sophos;i="5.96,313,1665417600"; d="scan'208";a="324698278"
Received: from h199-255-45-15.hgst.com (HELO uls-op-cesaep02.wdc.com)
 ([199.255.45.15])
 by ob1.hgst.iphmx.com with ESMTP; 10 Jan 2023 09:55:41 +0800
IronPort-SDR: lvFwycepLoOYg1vUoQ3UPWdg5CZ5lMrjEWNNbEbd4Uyatu0mEA9Rn65GHyvPiSBYAshzzqrpZu
 tjRtUvcP78a1J2LdK2dz+Wnaflks7IZ4buztOPGw0BjkzQUZBi4KJRZAuV7mNCDpOEMoCRrHzu
 4BUmyKmtFL8aPZ7Xjh8Mt/XU0rxcO6o+vPpbsTBSBdbwnO3wIRg+GfUJ11e7m+vs0bSJS4yVDa
 kUQny6NJX8PbO9EMAiy9x2BmCUfUV+z4UXl60/vlN1jEkh3vCOgzC1fH67EX8xq4AwdOU9bFpO
 a8o=
Received: from uls-op-cesaip02.wdc.com ([10.248.3.37])
 by uls-op-cesaep02.wdc.com with ESMTP/TLS/ECDHE-RSA-AES128-GCM-SHA256;
 09 Jan 2023 17:07:47 -0800
IronPort-SDR: KnfoTVmeQn5zM7HhfV1U6wSdrWPqDnTpj0nWkg3vAPR4WtnOzOv8X+4JoTUEd4Rgy+uH3MSFBx
 5eDhxzoIy63cJTcCfzLPfie7sPclUBleDmMcvvpyHVT10ye05s+4sTGi0jBirVgbVLZv1Th9Hh
 QJR1XQjumkLnKOSILF6uCi1v/ooAnDBhW+xrIXU98G3lxz8Z/rpf3WX00E8mHFQ50K1UnAp6+R
 q7SmtZ2626EXbkE/itK4XXqxbyo+k4/YWmHyUs000t4fC5gAuZx12MBGrLCxJ8bFhg20XBlugK
 TM8=
WDCIronportException: Internal
Received: from shindev.dhcp.fujisawa.hgst.com (HELO shindev.fujisawa.hgst.com)
 ([10.149.52.207])
 by uls-op-cesaip02.wdc.com with ESMTP; 09 Jan 2023 17:55:41 -0800
From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
To: linux-scsi@vger.kernel.org, mpi3mr-linuxdrv.pdl@broadcom.com
Cc: Sathya Prakash Veerichetty <sathya.prakash@broadcom.com>,
 Kashyap Desai <kashyap.desai@broadcom.com>,
 Sumit Saxena <sumit.saxena@broadcom.com>,
 Sreekanth Reddy <sreekanth.reddy@broadcom.com>,
 "Martin K . Petersen" <martin.petersen@oracle.com>,
 Damien Le Moal <damien.lemoal@opensource.wdc.com>,
 Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
Subject: [PATCH v3 1/5] scsi: mpi3mr: remove unnecessary memcpy
Date: Tue, 10 Jan 2023 10:55:34 +0900
Message-Id: <20230110015538.201332-2-shinichiro.kawasaki@wdc.com>
X-Mailer: git-send-email 2.38.1
In-Reply-To: <20230110015538.201332-1-shinichiro.kawasaki@wdc.com>
References: <20230110015538.201332-1-shinichiro.kawasaki@wdc.com>
MIME-Version: 1.0
Precedence: bulk
List-ID: <linux-scsi.vger.kernel.org>
X-Mailing-List: linux-scsi@vger.kernel.org

In the function mpi3mr_get_all_tgt_info, devmap_info points to
alltgt_info->dmi then there is no need to memcpy data from devmap_info
to alltgt_info->dmi. Remove the unnecessary memcpy. This also allows to
remove the local variable 'rval' and the goto label 'out'.

Fixes: f5e6d5a34376 ("scsi: mpi3mr: Add support for driver commands")
Cc: stable@vger.kernel.org
Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
---
 drivers/scsi/mpi3mr/mpi3mr_app.c | 13 ++-----------
 1 file changed, 2 insertions(+), 11 deletions(-)

diff --git a/drivers/scsi/mpi3mr/mpi3mr_app.c b/drivers/scsi/mpi3mr/mpi3mr_app.c
index 9baac224b213..5bbfdff70570 100644
--- a/drivers/scsi/mpi3mr/mpi3mr_app.c
+++ b/drivers/scsi/mpi3mr/mpi3mr_app.c
@@ -293,7 +293,6 @@ static long mpi3mr_bsg_pel_enable(struct mpi3mr_ioc *mrioc,
 static long mpi3mr_get_all_tgt_info(struct mpi3mr_ioc *mrioc,
 	struct bsg_job *job)
 {
-	long rval = -EINVAL;
 	u16 num_devices = 0, i = 0, size;
 	unsigned long flags;
 	struct mpi3mr_tgt_dev *tgtdev;
@@ -304,7 +303,7 @@ static long mpi3mr_get_all_tgt_info(struct mpi3mr_ioc *mrioc,
 	if (job->request_payload.payload_len < sizeof(u32)) {
 		dprint_bsg_err(mrioc, "%s: invalid size argument\n",
 		    __func__);
-		return rval;
+		return -EINVAL;
 	}
 
 	spin_lock_irqsave(&mrioc->tgtdev_lock, flags);
@@ -349,20 +348,12 @@ static long mpi3mr_get_all_tgt_info(struct mpi3mr_ioc *mrioc,
 	usr_entrylen = (job->request_payload.payload_len - sizeof(u32)) / sizeof(*devmap_info);
 	usr_entrylen *= sizeof(*devmap_info);
 	min_entrylen = min(usr_entrylen, kern_entrylen);
-	if (min_entrylen && (!memcpy(&alltgt_info->dmi, devmap_info, min_entrylen))) {
-		dprint_bsg_err(mrioc, "%s:%d: device map info copy failed\n",
-		    __func__, __LINE__);
-		rval = -EFAULT;
-		goto out;
-	}
 
 	sg_copy_from_buffer(job->request_payload.sg_list,
 			    job->request_payload.sg_cnt,
 			    alltgt_info, job->request_payload.payload_len);
-	rval = 0;
-out:
 	kfree(alltgt_info);
-	return rval;
+	return 0;
 }
 /**
  * mpi3mr_get_change_count - Get topology change count

From patchwork Tue Jan 10 01:55:35 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Shinichiro Kawasaki <shinichiro.kawasaki@wdc.com>
X-Patchwork-Id: 641184
Return-Path: <linux-scsi-owner@vger.kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
 aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
 by smtp.lore.kernel.org (Postfix) with ESMTP id 6DA39C54EBD
 for <linux-scsi@archiver.kernel.org>; Tue, 10 Jan 2023 01:55:49 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S230367AbjAJBzq (ORCPT <rfc822;linux-scsi@archiver.kernel.org>);
 Mon, 9 Jan 2023 20:55:46 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37768 "EHLO
 lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S229772AbjAJBzn (ORCPT
 <rfc822;linux-scsi@vger.kernel.org>); Mon, 9 Jan 2023 20:55:43 -0500
Received: from esa2.hgst.iphmx.com (esa2.hgst.iphmx.com [68.232.143.124])
 by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D2F0813F81
 for <linux-scsi@vger.kernel.org>;
 Mon,  9 Jan 2023 17:55:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
 d=wdc.com; i=@wdc.com; q=dns/txt; s=dkim.wdc.com;
 t=1673315742; x=1704851742;
 h=from:to:cc:subject:date:message-id:in-reply-to:
 references:mime-version:content-transfer-encoding;
 bh=yP+pfioZVPWpcD8jAC85tCAaBqkXEUgxq9uVOK+1vnM=;
 b=qLd/BO3FutusRhF/fOPKIM66WtgKz5WuABhnpy+5Q2n53/up//UaG5Wz
 bgvlkDUlnPnzIAko5xB3oo0FHBvQqdqKFj+RHBV4ttWf9dOVqcQ0ivmZS
 b85eA5WoVrtJ6dPpUWfn8L+dm4W+JNkvInVdWkKHHxFhNRYmlKgXCDGfL
 rh8WxXU/nTsVMTgcRgOzUElbfE8cj/8BtCK4KyN4+eBuh9OI3nlyYCDBr
 CuBeBZ/0U772c5RAsuudTSFlDJ6ipeO1e8waKquw0pAFqV83XFLEUxVQu
 7jaSQvSRs8YbzySddLPZprZt+pb4DiDJsOBlSf4+151Rnray0ygwa6vVE g==;
X-IronPort-AV: E=Sophos;i="5.96,313,1665417600"; d="scan'208";a="324698281"
Received: from h199-255-45-15.hgst.com (HELO uls-op-cesaep02.wdc.com)
 ([199.255.45.15])
 by ob1.hgst.iphmx.com with ESMTP; 10 Jan 2023 09:55:42 +0800
IronPort-SDR: oorP4nn5SgHGkrgnqHfGj4J+zCeOVUz/y6eJ6NER/ChDuRCeYSxmnRxBH4rDSKWKlncZ/n5cZr
 q/vzwk7vv9TVz51aLlcDsT+80lVx+k39CHKHZwf5k0l6WW/Uf7Fvpt6XIeQlDlnafkhqUs5/Vw
 HRZD0V2UnDF4LfMYcddQ+biZA2psoZZop2lc3zM5MZWqctfHoDFHB/AhlOlzyj+HcQh2WgMEyj
 vxDJipnEhB7hU7qrGe+U0t5m1fyVCc4vLTIYncEzeJbB3yai5iAgEdBKLEl8Kq1vulsjldwD3V
 tXg=
Received: from uls-op-cesaip02.wdc.com ([10.248.3.37])
 by uls-op-cesaep02.wdc.com with ESMTP/TLS/ECDHE-RSA-AES128-GCM-SHA256;
 09 Jan 2023 17:07:48 -0800
IronPort-SDR: Jx2nqKqoveCzDuVh5fYF0UCFBm16qx8Hr/gNdg/ifcfrFmiQz5zroSKaN8sKmmazOEJxlssUGJ
 kxiXXGzGydTqJs1xiwIDkqhzAiaRGU+ry931KEGXRREgs7OqcnQ1jFjB+/+gbDZnSvgZyCScL6
 pDPZy3P0IPNrSb0XuDhXF3OA9YEZmNZyTmysTvYEJUzEtyFtbUUs19hhdlVo027XAmWR7u2lKm
 L5GpO8fXgyf61MSpe9dSBa1d4OpXKp5Jw7kexkjScuUxqkf8b34yNyHwlIUNcQuIZUHIpWncOr
 u/g=
WDCIronportException: Internal
Received: from shindev.dhcp.fujisawa.hgst.com (HELO shindev.fujisawa.hgst.com)
 ([10.149.52.207])
 by uls-op-cesaip02.wdc.com with ESMTP; 09 Jan 2023 17:55:42 -0800
From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
To: linux-scsi@vger.kernel.org, mpi3mr-linuxdrv.pdl@broadcom.com
Cc: Sathya Prakash Veerichetty <sathya.prakash@broadcom.com>,
 Kashyap Desai <kashyap.desai@broadcom.com>,
 Sumit Saxena <sumit.saxena@broadcom.com>,
 Sreekanth Reddy <sreekanth.reddy@broadcom.com>,
 "Martin K . Petersen" <martin.petersen@oracle.com>,
 Damien Le Moal <damien.lemoal@opensource.wdc.com>,
 Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
Subject: [PATCH v3 2/5] scsi: mpi3mr: fix calculation of valid entry length in
 alltgt_info
Date: Tue, 10 Jan 2023 10:55:35 +0900
Message-Id: <20230110015538.201332-3-shinichiro.kawasaki@wdc.com>
X-Mailer: git-send-email 2.38.1
In-Reply-To: <20230110015538.201332-1-shinichiro.kawasaki@wdc.com>
References: <20230110015538.201332-1-shinichiro.kawasaki@wdc.com>
MIME-Version: 1.0
Precedence: bulk
List-ID: <linux-scsi.vger.kernel.org>
X-Mailing-List: linux-scsi@vger.kernel.org

The function mpi3mr_get_all_tgt_info calculates valid entry length in
alltgt_info whose type is pointer to struct mpi3mr_device_map_info.
However, the calculation assumes that the struct would have size of u32.
This results in wrong entry length. Fix the calculation to use the size
of *alltgt_info in place of u32.

Fixes: f5e6d5a34376 ("scsi: mpi3mr: Add support for driver commands")
Cc: stable@vger.kernel.org
Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
---
 drivers/scsi/mpi3mr/mpi3mr_app.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/mpi3mr/mpi3mr_app.c b/drivers/scsi/mpi3mr/mpi3mr_app.c
index 5bbfdff70570..239cb5e07b24 100644
--- a/drivers/scsi/mpi3mr/mpi3mr_app.c
+++ b/drivers/scsi/mpi3mr/mpi3mr_app.c
@@ -345,7 +345,8 @@ static long mpi3mr_get_all_tgt_info(struct mpi3mr_ioc *mrioc,
 
 	memcpy(&alltgt_info->num_devices, &num_devices, sizeof(num_devices));
 
-	usr_entrylen = (job->request_payload.payload_len - sizeof(u32)) / sizeof(*devmap_info);
+	usr_entrylen = (job->request_payload.payload_len - sizeof(*alltgt_info))
+		/ sizeof(*devmap_info);
 	usr_entrylen *= sizeof(*devmap_info);
 	min_entrylen = min(usr_entrylen, kern_entrylen);
 

From patchwork Tue Jan 10 01:55:36 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Shinichiro Kawasaki <shinichiro.kawasaki@wdc.com>
X-Patchwork-Id: 641595
Return-Path: <linux-scsi-owner@vger.kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
 aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
 by smtp.lore.kernel.org (Postfix) with ESMTP id E7648C54EBE
 for <linux-scsi@archiver.kernel.org>; Tue, 10 Jan 2023 01:55:52 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S229772AbjAJBzv (ORCPT <rfc822;linux-scsi@archiver.kernel.org>);
 Mon, 9 Jan 2023 20:55:51 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37774 "EHLO
 lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S230139AbjAJBzp (ORCPT
 <rfc822;linux-scsi@vger.kernel.org>); Mon, 9 Jan 2023 20:55:45 -0500
Received: from esa2.hgst.iphmx.com (esa2.hgst.iphmx.com [68.232.143.124])
 by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 80FF121BA
 for <linux-scsi@vger.kernel.org>;
 Mon,  9 Jan 2023 17:55:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
 d=wdc.com; i=@wdc.com; q=dns/txt; s=dkim.wdc.com;
 t=1673315744; x=1704851744;
 h=from:to:cc:subject:date:message-id:in-reply-to:
 references:mime-version:content-transfer-encoding;
 bh=wW+KssJAu8gxTpF6QvSsxjg7SpGp9UJec9248/IUPW4=;
 b=rLn1Nie7njwTIDic6yngvf5kEIZdtwkCdxgFESJAPgh91fqncsWQng2V
 be0qAricYuuUXaglv6jao3s8OPeK3BZ3LPIvIhPjl01njXLGsI9FJjbj1
 7j9VDaz6gqNYagEI95OtEGVVkoKi+8VnZsPo+YivRS//JxCAFwdo3Whvz
 Yye68rx/HibM6XT9lFST2j7O1GVWjFBfEOwWYbedzQzPX1j4+VDwqdU5l
 B/UoJXbB9ptmgaheYvH1i2xSQ1vgLkgj70OizRk94Ud01bnZUEifNvpmW
 VAtFOUphlTOPHXIPYKdl3WAO2dW2dsJeX/qVjmqOb2n/8oyEgtyOqARLU w==;
X-IronPort-AV: E=Sophos;i="5.96,313,1665417600"; d="scan'208";a="324698284"
Received: from h199-255-45-15.hgst.com (HELO uls-op-cesaep02.wdc.com)
 ([199.255.45.15])
 by ob1.hgst.iphmx.com with ESMTP; 10 Jan 2023 09:55:44 +0800
IronPort-SDR: dzS26NABok8eVEoTV/UdNGx0d1iAvVg8CYW7WoWDodNvq34fcXTFLxbE1+RXDZDYmv2boEVsR1
 7Z0aUYrnO2dP3pae/7pTPh4Z02AJZYBgU/r1E8uQMnwXvhX4PEbpIRHsY4IDWUwf/KoRt358fO
 MUFc85kTimF+TlJ4U68fCBGmrg9bGKGVgPCGvjNx1J5+Io8THyIAGC6d5xuxxy7nVK4NDPDpcJ
 cHKW87AuPlGBW4Ymc5kq41L8MYDl0NGpX5RFNSjKq99qjQqsmzcskdCGjuO9jRlHfrhGlvBneD
 wSg=
Received: from uls-op-cesaip02.wdc.com ([10.248.3.37])
 by uls-op-cesaep02.wdc.com with ESMTP/TLS/ECDHE-RSA-AES128-GCM-SHA256;
 09 Jan 2023 17:07:49 -0800
IronPort-SDR: /STikF90tjRXR0MiaQUdtldNm27j2mB9YkyvOpsxg6X71Fm96pTEDro5/GIU9g5M4kZsgZcEpS
 bYFJK8AMQTpNFNhCBcCWZ3pgsG4mPHG+It9GEdNQLsFLSyj4AqJaawIRMzyEfgcBunsjMSIzrb
 n1tdjqeSQ1zK4b3fwhnwQH/97/zf87niQwuakyoVof5jhwBp58+QxmQWwiaSgPSlEyTLftaIzU
 JGtb6keqeCzzHTpNaqp+QQpOOmrCGzak3xHR3PPkYBHTVfwCc/Fd9MR5tvbe0+QJdHXk5OrzRQ
 n/k=
WDCIronportException: Internal
Received: from shindev.dhcp.fujisawa.hgst.com (HELO shindev.fujisawa.hgst.com)
 ([10.149.52.207])
 by uls-op-cesaip02.wdc.com with ESMTP; 09 Jan 2023 17:55:43 -0800
From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
To: linux-scsi@vger.kernel.org, mpi3mr-linuxdrv.pdl@broadcom.com
Cc: Sathya Prakash Veerichetty <sathya.prakash@broadcom.com>,
 Kashyap Desai <kashyap.desai@broadcom.com>,
 Sumit Saxena <sumit.saxena@broadcom.com>,
 Sreekanth Reddy <sreekanth.reddy@broadcom.com>,
 "Martin K . Petersen" <martin.petersen@oracle.com>,
 Damien Le Moal <damien.lemoal@opensource.wdc.com>,
 Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
Subject: [PATCH v3 3/5] scsi: mpi3mr: fix alltgt_info copy size
Date: Tue, 10 Jan 2023 10:55:36 +0900
Message-Id: <20230110015538.201332-4-shinichiro.kawasaki@wdc.com>
X-Mailer: git-send-email 2.38.1
In-Reply-To: <20230110015538.201332-1-shinichiro.kawasaki@wdc.com>
References: <20230110015538.201332-1-shinichiro.kawasaki@wdc.com>
MIME-Version: 1.0
Precedence: bulk
List-ID: <linux-scsi.vger.kernel.org>
X-Mailing-List: linux-scsi@vger.kernel.org

The function mpi3mr_get_all_tgt_info calculates min_entrylen which holds
the valid entry length in alltgt_info. However, it does not refer
min_entrylen when it calls sg_copy_from_buffer to copy the valid entries
from alltgt_info to job->request_payload. Instead, it specifies the
payload length which is larger than the alltgt_info size, then it causes
"BUG: KASAN: slab-out-of-bounds". Fix the BUG by specifying the correct
length referring the calculated min_entrylen.

Fixes: f5e6d5a34376 ("scsi: mpi3mr: Add support for driver commands")
Cc: stable@vger.kernel.org
Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
---
 drivers/scsi/mpi3mr/mpi3mr_app.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/scsi/mpi3mr/mpi3mr_app.c b/drivers/scsi/mpi3mr/mpi3mr_app.c
index 239cb5e07b24..3b4ae044f4c0 100644
--- a/drivers/scsi/mpi3mr/mpi3mr_app.c
+++ b/drivers/scsi/mpi3mr/mpi3mr_app.c
@@ -352,7 +352,7 @@ static long mpi3mr_get_all_tgt_info(struct mpi3mr_ioc *mrioc,
 
 	sg_copy_from_buffer(job->request_payload.sg_list,
 			    job->request_payload.sg_cnt,
-			    alltgt_info, job->request_payload.payload_len);
+			    alltgt_info, sizeof(*alltgt_info) + min_entrylen);
 	kfree(alltgt_info);
 	return 0;
 }

From patchwork Tue Jan 10 01:55:37 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Shinichiro Kawasaki <shinichiro.kawasaki@wdc.com>
X-Patchwork-Id: 641183
Return-Path: <linux-scsi-owner@vger.kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
 aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
 by smtp.lore.kernel.org (Postfix) with ESMTP id CCA59C5479D
 for <linux-scsi@archiver.kernel.org>; Tue, 10 Jan 2023 01:55:53 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S229762AbjAJBzw (ORCPT <rfc822;linux-scsi@archiver.kernel.org>);
 Mon, 9 Jan 2023 20:55:52 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37804 "EHLO
 lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S230453AbjAJBzq (ORCPT
 <rfc822;linux-scsi@vger.kernel.org>); Mon, 9 Jan 2023 20:55:46 -0500
Received: from esa2.hgst.iphmx.com (esa2.hgst.iphmx.com [68.232.143.124])
 by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AE5BD1869B
 for <linux-scsi@vger.kernel.org>;
 Mon,  9 Jan 2023 17:55:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
 d=wdc.com; i=@wdc.com; q=dns/txt; s=dkim.wdc.com;
 t=1673315745; x=1704851745;
 h=from:to:cc:subject:date:message-id:in-reply-to:
 references:mime-version:content-transfer-encoding;
 bh=sgAev5VzvlIv5c4/OhZ3LiIg69h8A1vafDAPidAnZ3w=;
 b=mAsbbz9ARRoIwczVYcEtCwxPGSXf2xTar2w06a8GhMev3R5doOckyAjx
 Ckw7nsmIVpKakDFR2qG6t+s36mTJ+4uEydOj2+RiGXOot07S/1fO+6hAS
 71SbEdw+XnRfCdmi0fuobfCYEYFXXzw7EE9S86VV32AmlhzeCUPJRi8rv
 xFLyZq0gEzDm9bmBPEbMOnIcVcFaSHEOUUSSCUOaIGQrDrzIaHHIxrVnr
 4QWEOt6RPRtQMqi6TlvU/Jh67KAo5o9RQgVZhUGEfaG/5lY9edCtoB8we
 XfH25+kWwDmTsbBs1iemdgMOjLPe1j+N+LXPrdoDHv+bFrfc3drmPvlfs w==;
X-IronPort-AV: E=Sophos;i="5.96,313,1665417600"; d="scan'208";a="324698289"
Received: from h199-255-45-15.hgst.com (HELO uls-op-cesaep02.wdc.com)
 ([199.255.45.15])
 by ob1.hgst.iphmx.com with ESMTP; 10 Jan 2023 09:55:45 +0800
IronPort-SDR: hHbd/+9Umvsv4sRgo4y9HCPmH3nyoB7Oe1/NskTPvH8MxZgCGucUvKIfW7LNPA1Lb+p4FEwG/V
 07rvqkhckmH0Jo6l+xBpty7+l1SOieRfEF2ChDOUVyCH31ExYfNmPmC0pZevFbsOp3pv5Pbv0m
 v0avidFHsp3P8temjlDHcwwD//YTnCPV4OjZv4h4Gh4dYyqplOFVcS3/em5LoRjMhYs7zAznxK
 W9vyucRl0y81FUeJ82FEVspnF9PvGfcsw5xUWlNcfmUcFHDkDbOLQ/aj7esDdoEaMXxfzyqmVh
 xE4=
Received: from uls-op-cesaip02.wdc.com ([10.248.3.37])
 by uls-op-cesaep02.wdc.com with ESMTP/TLS/ECDHE-RSA-AES128-GCM-SHA256;
 09 Jan 2023 17:07:51 -0800
IronPort-SDR: hReiqU8yvp8IG+ZDCp8yFHm3JlO0OA6Sl/iWd0HOAfEHqqWMcR7CxGh1f6r3lOg9yqUA5mP7T3
 boAcw7qQNTDWIF5euULW182TanjvhMfm42dK+X04MGaWK55GktofWcKg6HTV4ELCBt0wmTtuC+
 G/oWrcBCj6UMiK0YWPMTVXQgmJaaquQAe8ZtgWzsNDobVKQfvOMhZH26OgSGxwr+WYq8aR97YP
 amEi8ZKPsUP+flG7HlDNVCeAJUjjblulWvcjSw2zgHLAZ9MvphSu0YC04JtNwcMa878t1mkTqR
 YmE=
WDCIronportException: Internal
Received: from shindev.dhcp.fujisawa.hgst.com (HELO shindev.fujisawa.hgst.com)
 ([10.149.52.207])
 by uls-op-cesaip02.wdc.com with ESMTP; 09 Jan 2023 17:55:45 -0800
From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
To: linux-scsi@vger.kernel.org, mpi3mr-linuxdrv.pdl@broadcom.com
Cc: Sathya Prakash Veerichetty <sathya.prakash@broadcom.com>,
 Kashyap Desai <kashyap.desai@broadcom.com>,
 Sumit Saxena <sumit.saxena@broadcom.com>,
 Sreekanth Reddy <sreekanth.reddy@broadcom.com>,
 "Martin K . Petersen" <martin.petersen@oracle.com>,
 Damien Le Moal <damien.lemoal@opensource.wdc.com>,
 Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
Subject: [PATCH v3 4/5] scsi: mpi3mr: use number of bits to manage bitmap sizes
Date: Tue, 10 Jan 2023 10:55:37 +0900
Message-Id: <20230110015538.201332-5-shinichiro.kawasaki@wdc.com>
X-Mailer: git-send-email 2.38.1
In-Reply-To: <20230110015538.201332-1-shinichiro.kawasaki@wdc.com>
References: <20230110015538.201332-1-shinichiro.kawasaki@wdc.com>
MIME-Version: 1.0
Precedence: bulk
List-ID: <linux-scsi.vger.kernel.org>
X-Mailing-List: linux-scsi@vger.kernel.org

To allocate bitmaps, the mpi3mr driver calculates sizes of bitmaps using
byte as unit. However, bitmap helper functions assume that bitmaps are
allocated using unsigned long as unit. This gap causes memory access
beyond the bitmap sizes and results in "BUG: KASAN: slab-out-of-bounds".
The BUG was observed at firmware download to eHBA-9600. Call trace
indicated that the out-of-bounds access happened in find_first_zero_bit
called from mpi3mr_send_event_ack for miroc->evtack_cmds_bitmap.

To fix the BUG, do not use bytes to manage bitmap sizes. Instead, use
number of bits, and call bitmap helper functions which take number of
bits as arguments. For memory allocation, call bitmap_zalloc instead of
kzalloc. For zero clear, call bitmap_clear instead of memset. For
resize, call bitmap_zalloc and bitmap_copy instead of krealloc.

Remove three fields for bitmap byte sizes in struct scmd_priv, which are
no longer required. Replace the field dev_handle_bitmap_sz with
dev_handle_bitmap_bits to keep number of bits of removepend_bitmap
across resize.

Fixes: c5758fc72b92 ("scsi: mpi3mr: Gracefully handle online FW update operation")
Fixes: e844adb1fbdc ("scsi: mpi3mr: Implement SCSI error handler hooks")
Fixes: c1af985d27da ("scsi: mpi3mr: Add Event acknowledgment logic")
Fixes: 824a156633df ("scsi: mpi3mr: Base driver code")
Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
Reviewed-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
---
 drivers/scsi/mpi3mr/mpi3mr.h    | 10 +----
 drivers/scsi/mpi3mr/mpi3mr_fw.c | 68 ++++++++++++++-------------------
 2 files changed, 30 insertions(+), 48 deletions(-)

diff --git a/drivers/scsi/mpi3mr/mpi3mr.h b/drivers/scsi/mpi3mr/mpi3mr.h
index def4c5e15cd8..8a438f248a82 100644
--- a/drivers/scsi/mpi3mr/mpi3mr.h
+++ b/drivers/scsi/mpi3mr/mpi3mr.h
@@ -955,19 +955,16 @@ struct scmd_priv {
  * @chain_buf_count: Chain buffer count
  * @chain_buf_pool: Chain buffer pool
  * @chain_sgl_list: Chain SGL list
- * @chain_bitmap_sz: Chain buffer allocator bitmap size
  * @chain_bitmap: Chain buffer allocator bitmap
  * @chain_buf_lock: Chain buffer list lock
  * @bsg_cmds: Command tracker for BSG command
  * @host_tm_cmds: Command tracker for task management commands
  * @dev_rmhs_cmds: Command tracker for device removal commands
  * @evtack_cmds: Command tracker for event ack commands
- * @devrem_bitmap_sz: Device removal bitmap size
  * @devrem_bitmap: Device removal bitmap
- * @dev_handle_bitmap_sz: Device handle bitmap size
+ * @dev_handle_bitmap_bits: Number of bits in device handle bitmap
  * @removepend_bitmap: Remove pending bitmap
  * @delayed_rmhs_list: Delayed device removal list
- * @evtack_cmds_bitmap_sz: Event Ack bitmap size
  * @evtack_cmds_bitmap: Event Ack bitmap
  * @delayed_evtack_cmds_list: Delayed event acknowledgment list
  * @ts_update_counter: Timestamp update counter
@@ -1128,7 +1125,6 @@ struct mpi3mr_ioc {
 	u32 chain_buf_count;
 	struct dma_pool *chain_buf_pool;
 	struct chain_element *chain_sgl_list;
-	u16  chain_bitmap_sz;
 	void *chain_bitmap;
 	spinlock_t chain_buf_lock;
 
@@ -1136,12 +1132,10 @@ struct mpi3mr_ioc {
 	struct mpi3mr_drv_cmd host_tm_cmds;
 	struct mpi3mr_drv_cmd dev_rmhs_cmds[MPI3MR_NUM_DEVRMCMD];
 	struct mpi3mr_drv_cmd evtack_cmds[MPI3MR_NUM_EVTACKCMD];
-	u16 devrem_bitmap_sz;
 	void *devrem_bitmap;
-	u16 dev_handle_bitmap_sz;
+	u16 dev_handle_bitmap_bits;
 	void *removepend_bitmap;
 	struct list_head delayed_rmhs_list;
-	u16 evtack_cmds_bitmap_sz;
 	void *evtack_cmds_bitmap;
 	struct list_head delayed_evtack_cmds_list;
 
diff --git a/drivers/scsi/mpi3mr/mpi3mr_fw.c b/drivers/scsi/mpi3mr/mpi3mr_fw.c
index 0c4aabaefdcc..8ed4566772ca 100644
--- a/drivers/scsi/mpi3mr/mpi3mr_fw.c
+++ b/drivers/scsi/mpi3mr/mpi3mr_fw.c
@@ -1128,7 +1128,6 @@ static int mpi3mr_issue_and_process_mur(struct mpi3mr_ioc *mrioc,
 static int
 mpi3mr_revalidate_factsdata(struct mpi3mr_ioc *mrioc)
 {
-	u16 dev_handle_bitmap_sz;
 	void *removepend_bitmap;
 
 	if (mrioc->facts.reply_sz > mrioc->reply_sz) {
@@ -1160,25 +1159,24 @@ mpi3mr_revalidate_factsdata(struct mpi3mr_ioc *mrioc)
 		    "\tcontroller while sas transport support is enabled at the\n"
 		    "\tdriver, please reboot the system or reload the driver\n");
 
-	dev_handle_bitmap_sz = mrioc->facts.max_devhandle / 8;
-	if (mrioc->facts.max_devhandle % 8)
-		dev_handle_bitmap_sz++;
-	if (dev_handle_bitmap_sz > mrioc->dev_handle_bitmap_sz) {
-		removepend_bitmap = krealloc(mrioc->removepend_bitmap,
-		    dev_handle_bitmap_sz, GFP_KERNEL);
+	if (mrioc->facts.max_devhandle > mrioc->dev_handle_bitmap_bits) {
+		removepend_bitmap = bitmap_zalloc(mrioc->facts.max_devhandle,
+						  GFP_KERNEL);
 		if (!removepend_bitmap) {
 			ioc_err(mrioc,
-			    "failed to increase removepend_bitmap sz from: %d to %d\n",
-			    mrioc->dev_handle_bitmap_sz, dev_handle_bitmap_sz);
+				"failed to increase removepend_bitmap bits from %d to %d\n",
+				mrioc->dev_handle_bitmap_bits,
+				mrioc->facts.max_devhandle);
 			return -EPERM;
 		}
-		memset(removepend_bitmap + mrioc->dev_handle_bitmap_sz, 0,
-		    dev_handle_bitmap_sz - mrioc->dev_handle_bitmap_sz);
+		bitmap_copy(removepend_bitmap, mrioc->removepend_bitmap,
+			    mrioc->dev_handle_bitmap_bits);
 		mrioc->removepend_bitmap = removepend_bitmap;
 		ioc_info(mrioc,
-		    "increased dev_handle_bitmap_sz from %d to %d\n",
-		    mrioc->dev_handle_bitmap_sz, dev_handle_bitmap_sz);
-		mrioc->dev_handle_bitmap_sz = dev_handle_bitmap_sz;
+			 "increased bits of dev_handle_bitmap from %d to %d\n",
+			 mrioc->dev_handle_bitmap_bits,
+			 mrioc->facts.max_devhandle);
+		mrioc->dev_handle_bitmap_bits = mrioc->facts.max_devhandle;
 	}
 
 	return 0;
@@ -2957,27 +2955,18 @@ static int mpi3mr_alloc_reply_sense_bufs(struct mpi3mr_ioc *mrioc)
 	if (!mrioc->pel_abort_cmd.reply)
 		goto out_failed;
 
-	mrioc->dev_handle_bitmap_sz = mrioc->facts.max_devhandle / 8;
-	if (mrioc->facts.max_devhandle % 8)
-		mrioc->dev_handle_bitmap_sz++;
-	mrioc->removepend_bitmap = kzalloc(mrioc->dev_handle_bitmap_sz,
-	    GFP_KERNEL);
+	mrioc->dev_handle_bitmap_bits = mrioc->facts.max_devhandle;
+	mrioc->removepend_bitmap = bitmap_zalloc(mrioc->dev_handle_bitmap_bits,
+						 GFP_KERNEL);
 	if (!mrioc->removepend_bitmap)
 		goto out_failed;
 
-	mrioc->devrem_bitmap_sz = MPI3MR_NUM_DEVRMCMD / 8;
-	if (MPI3MR_NUM_DEVRMCMD % 8)
-		mrioc->devrem_bitmap_sz++;
-	mrioc->devrem_bitmap = kzalloc(mrioc->devrem_bitmap_sz,
-	    GFP_KERNEL);
+	mrioc->devrem_bitmap = bitmap_zalloc(MPI3MR_NUM_DEVRMCMD, GFP_KERNEL);
 	if (!mrioc->devrem_bitmap)
 		goto out_failed;
 
-	mrioc->evtack_cmds_bitmap_sz = MPI3MR_NUM_EVTACKCMD / 8;
-	if (MPI3MR_NUM_EVTACKCMD % 8)
-		mrioc->evtack_cmds_bitmap_sz++;
-	mrioc->evtack_cmds_bitmap = kzalloc(mrioc->evtack_cmds_bitmap_sz,
-	    GFP_KERNEL);
+	mrioc->evtack_cmds_bitmap = bitmap_zalloc(MPI3MR_NUM_EVTACKCMD,
+						  GFP_KERNEL);
 	if (!mrioc->evtack_cmds_bitmap)
 		goto out_failed;
 
@@ -3415,10 +3404,7 @@ static int mpi3mr_alloc_chain_bufs(struct mpi3mr_ioc *mrioc)
 		if (!mrioc->chain_sgl_list[i].addr)
 			goto out_failed;
 	}
-	mrioc->chain_bitmap_sz = num_chains / 8;
-	if (num_chains % 8)
-		mrioc->chain_bitmap_sz++;
-	mrioc->chain_bitmap = kzalloc(mrioc->chain_bitmap_sz, GFP_KERNEL);
+	mrioc->chain_bitmap = bitmap_zalloc(num_chains, GFP_KERNEL);
 	if (!mrioc->chain_bitmap)
 		goto out_failed;
 	return retval;
@@ -4190,10 +4176,11 @@ void mpi3mr_memset_buffers(struct mpi3mr_ioc *mrioc)
 		for (i = 0; i < MPI3MR_NUM_EVTACKCMD; i++)
 			memset(mrioc->evtack_cmds[i].reply, 0,
 			    sizeof(*mrioc->evtack_cmds[i].reply));
-		memset(mrioc->removepend_bitmap, 0, mrioc->dev_handle_bitmap_sz);
-		memset(mrioc->devrem_bitmap, 0, mrioc->devrem_bitmap_sz);
-		memset(mrioc->evtack_cmds_bitmap, 0,
-		    mrioc->evtack_cmds_bitmap_sz);
+		bitmap_clear(mrioc->removepend_bitmap, 0,
+			     mrioc->dev_handle_bitmap_bits);
+		bitmap_clear(mrioc->devrem_bitmap, 0, MPI3MR_NUM_DEVRMCMD);
+		bitmap_clear(mrioc->evtack_cmds_bitmap, 0,
+			     MPI3MR_NUM_EVTACKCMD);
 	}
 
 	for (i = 0; i < mrioc->num_queues; i++) {
@@ -4887,9 +4874,10 @@ int mpi3mr_soft_reset_handler(struct mpi3mr_ioc *mrioc,
 
 	mpi3mr_flush_delayed_cmd_lists(mrioc);
 	mpi3mr_flush_drv_cmds(mrioc);
-	memset(mrioc->devrem_bitmap, 0, mrioc->devrem_bitmap_sz);
-	memset(mrioc->removepend_bitmap, 0, mrioc->dev_handle_bitmap_sz);
-	memset(mrioc->evtack_cmds_bitmap, 0, mrioc->evtack_cmds_bitmap_sz);
+	bitmap_clear(mrioc->devrem_bitmap, 0, MPI3MR_NUM_DEVRMCMD);
+	bitmap_clear(mrioc->removepend_bitmap, 0,
+		     mrioc->dev_handle_bitmap_bits);
+	bitmap_clear(mrioc->evtack_cmds_bitmap, 0, MPI3MR_NUM_EVTACKCMD);
 	mpi3mr_flush_host_io(mrioc);
 	mpi3mr_cleanup_fwevt_list(mrioc);
 	mpi3mr_invalidate_devhandles(mrioc);

From patchwork Tue Jan 10 01:55:38 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Shinichiro Kawasaki <shinichiro.kawasaki@wdc.com>
X-Patchwork-Id: 641594
Return-Path: <linux-scsi-owner@vger.kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
 aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
 by smtp.lore.kernel.org (Postfix) with ESMTP id 940C4C54EBD
 for <linux-scsi@archiver.kernel.org>; Tue, 10 Jan 2023 01:55:56 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S235410AbjAJBzy (ORCPT <rfc822;linux-scsi@archiver.kernel.org>);
 Mon, 9 Jan 2023 20:55:54 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37842 "EHLO
 lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S235141AbjAJBzs (ORCPT
 <rfc822;linux-scsi@vger.kernel.org>); Mon, 9 Jan 2023 20:55:48 -0500
Received: from esa2.hgst.iphmx.com (esa2.hgst.iphmx.com [68.232.143.124])
 by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 226CC13FBD
 for <linux-scsi@vger.kernel.org>;
 Mon,  9 Jan 2023 17:55:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
 d=wdc.com; i=@wdc.com; q=dns/txt; s=dkim.wdc.com;
 t=1673315747; x=1704851747;
 h=from:to:cc:subject:date:message-id:in-reply-to:
 references:mime-version:content-transfer-encoding;
 bh=8Sk1KzQf3MXLeqmOmnpE3ihCiIwWfhiOm/7AuwYLKJA=;
 b=ZohIOwp3VSUGJjUcDY1U41opDLcIgjn2qJ2YJlOAgaJLx9h83m7ieh9b
 DrmwbNxQgDvmbMPBuRjXvWKh61QpQ5obwpBAuQAbRhl9bL1KrBbHs3qGN
 Rk8woH6JYN0LnPOG/UAnKzOflb9q+yI9g3q1/7yrvu8VErBFMVN9lZGwa
 jnyMkukK9Y+atcSehcKcFh8kwNcyeV/l6B9ZgS74A2zWBzEc07/QB43M0
 CoZ4n4UIGw/9qWIej/Mbpy7xbOF1wEAKPQ5y0VIqnvKN1C1nq8lUX1vx9
 Is3aaaM5AAi3wHjG/TbzY/LqLl7JyfTi5g/SyUIYmZNu9cf+lrxunUj36 Q==;
X-IronPort-AV: E=Sophos;i="5.96,313,1665417600"; d="scan'208";a="324698292"
Received: from h199-255-45-15.hgst.com (HELO uls-op-cesaep02.wdc.com)
 ([199.255.45.15])
 by ob1.hgst.iphmx.com with ESMTP; 10 Jan 2023 09:55:47 +0800
IronPort-SDR: isqYYZcBmy7Mv9wzgBHQU1FkYoElqys70MQos/s6Czc8vHmhr4uAJl9x8XAGcMIGcWTkGqzMcI
 LrhpkwfVS1xZG77T1BAz30LaWI3RetyHtp5vYGkJ/yTxAbQpkSYt+w1HKBsyPSwKTdn5B7kV7z
 ECxE7iLFz5cGRORhp044q3B71rVuKyJqNLoztcrDw6DwKdL1Mnn3Lj2dAm7+bnBAEAHAxq1WD5
 ey5W7Msoha6NgeBrnLfYG2TxaCjrKaL1wLeNNQk/vhgYUQCSy+dFouqBnEveZjvDpAWmV6Cf47
 RYw=
Received: from uls-op-cesaip02.wdc.com ([10.248.3.37])
 by uls-op-cesaep02.wdc.com with ESMTP/TLS/ECDHE-RSA-AES128-GCM-SHA256;
 09 Jan 2023 17:07:52 -0800
IronPort-SDR: Q4ASEkSVrvvP05kocg5ybFIGw/nJ3DFeAskBN2uZHvuUhG/nK0sDUQzSCRkvovhAJSKlqnI/O2
 4lhtwOIciwLC1SNDGy1v+Ly86O749Gn3DtG3mgH5+F/UHiReQQL8sTnwx2CldXeqnL6M4CkCHY
 LZ3IWVFi/liQhrvW0rvy/TiG9JfamXGicFfKhrZGAEcwncidIQbN0ahWZXBBhH590PhZxo8Ja/
 uvEmEBUDthFrXLIx5S5+U99qZEWo+VxVglvNggG7X3CYfFVf8RMxdRzhvTCKIdTbucAaz/2gYi
 DL8=
WDCIronportException: Internal
Received: from shindev.dhcp.fujisawa.hgst.com (HELO shindev.fujisawa.hgst.com)
 ([10.149.52.207])
 by uls-op-cesaip02.wdc.com with ESMTP; 09 Jan 2023 17:55:46 -0800
From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
To: linux-scsi@vger.kernel.org, mpi3mr-linuxdrv.pdl@broadcom.com
Cc: Sathya Prakash Veerichetty <sathya.prakash@broadcom.com>,
 Kashyap Desai <kashyap.desai@broadcom.com>,
 Sumit Saxena <sumit.saxena@broadcom.com>,
 Sreekanth Reddy <sreekanth.reddy@broadcom.com>,
 "Martin K . Petersen" <martin.petersen@oracle.com>,
 Damien Le Moal <damien.lemoal@opensource.wdc.com>,
 Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
Subject: [PATCH v3 5/5] scsi: mpi3mr: fix missing mrioc->evtack_cmds
 initialization
Date: Tue, 10 Jan 2023 10:55:38 +0900
Message-Id: <20230110015538.201332-6-shinichiro.kawasaki@wdc.com>
X-Mailer: git-send-email 2.38.1
In-Reply-To: <20230110015538.201332-1-shinichiro.kawasaki@wdc.com>
References: <20230110015538.201332-1-shinichiro.kawasaki@wdc.com>
MIME-Version: 1.0
Precedence: bulk
List-ID: <linux-scsi.vger.kernel.org>
X-Mailing-List: linux-scsi@vger.kernel.org

The commit c1af985d27da ("scsi: mpi3mr: Add Event acknowledgment logic")
introduced an array mrioc->evtack_cmds. But initialization of the array
elements was missed. They are just zero cleared. The function
mpi3mr_complete_evt_ack refers host_tag field of the elements. Due to
zero value of the host_tag field, the functions calls clear_bit for
mrico->evtack_cmds_bitmap with wrong bit index. This results in memory
access to invalid address and "BUG: KASAN: use-after-free". This BUG was
observed at eHBA-9600 firmware update to version 8.3.1.0. To fix it, add
the missing initialization of mrioc->evtack_cmds.

Fixes: c1af985d27da ("scsi: mpi3mr: Add Event acknowledgment logic")
Cc: stable@vger.kernel.org
Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
Reviewed-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
Acked-by: Sathya Prakash Veerichetty <sathya.prakash@broadcom.com>
---
 drivers/scsi/mpi3mr/mpi3mr_os.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/scsi/mpi3mr/mpi3mr_os.c b/drivers/scsi/mpi3mr/mpi3mr_os.c
index 3306de7170f6..6eaeba41072c 100644
--- a/drivers/scsi/mpi3mr/mpi3mr_os.c
+++ b/drivers/scsi/mpi3mr/mpi3mr_os.c
@@ -4952,6 +4952,10 @@ mpi3mr_probe(struct pci_dev *pdev, const struct pci_device_id *id)
 		mpi3mr_init_drv_cmd(&mrioc->dev_rmhs_cmds[i],
 		    MPI3MR_HOSTTAG_DEVRMCMD_MIN + i);
 
+	for (i = 0; i < MPI3MR_NUM_EVTACKCMD; i++)
+		mpi3mr_init_drv_cmd(&mrioc->evtack_cmds[i],
+				    MPI3MR_HOSTTAG_EVTACKCMD_MIN + i);
+
 	if (pdev->revision)
 		mrioc->enable_segqueue = true;