scsi: mpt3sas: Fix reply queue count in non RDPQ mode

For non RDPQ mode, the driver allocates a single contiguous block of memory pool for all reply descriptor post queues and passes down a single address in the ReplyDescriptorPostQueueAddress field of the IOC Init Request Message to the firmware. So reply_post queue will have only one entry which holds the address of this single contiguous block of memory pool. While allocating the reply descriptor post queue pool, driver should loop only once in non-RDPQ mode. But the driver is looping for ioc->reply_queue_count number of times even though reply_post queue's queue depth is only one in non-RDPQ mode. This leads to 'BUG: KASAN: use-after-free in base_alloc_rdpq_dma_pool'. The fix is to loop only once while allocating memory for the reply descriptor post queue in non-RDPQ mode Fixes: 8012209e ("scsi: mpt3sas: Handle RDPQ DMA allocation in same 4G region") Link: https://lore.kernel.org/r/20200522103558.5710-1-suganath-prabu.subramani@broadcom.comReported-by: Tomas Henzl <thenzl@redhat.com> Reviewed-by: Tomas Henzl <thenzl@redhat.com> Signed-off-by: Suganath Prabu S <suganath-prabu.subramani@broadcom.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

scsi: mpt3sas: Fix reply queue count in non RDPQ mode
For non RDPQ mode, the driver allocates a single contiguous block of memory pool for all reply descriptor post queues and passes down a single address in the ReplyDescriptorPostQueueAddress field of the IOC Init Request Message to the firmware. So reply_post queue will have only one entry which holds the address of this single contiguous block of memory pool. While allocating the reply descriptor post queue pool, driver should loop only once in non-RDPQ mode. But the driver is looping for ioc->reply_queue_count number of times even though reply_post queue's queue depth is only one in non-RDPQ mode. This leads to 'BUG: KASAN: use-after-free in base_alloc_rdpq_dma_pool'. The fix is to loop only once while allocating memory for the reply descriptor post queue in non-RDPQ mode Fixes: 8012209e ("scsi: mpt3sas: Handle RDPQ DMA allocation in same 4G region") Link: https://lore.kernel.org/r/20200522103558.5710-1-suganath-prabu.subramani@broadcom.comReported-by: Tomas Henzl <thenzl@redhat.com> Reviewed-by: Tomas Henzl <thenzl@redhat.com> Signed-off-by: Suganath Prabu S <suganath-prabu.subramani@broadcom.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
f56577e8 · Suganath Prabu S · Martin K. Petersen · 7217e6e6 · f56577e8
Commit f56577e8 authored May 22, 2020 by Suganath Prabu S Committed by Martin K. Petersen May 26, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 4 deletions

drivers/scsi/mpt3sas/mpt3sas_base.c drivers/scsi/mpt3sas/mpt3sas_base.c +5 -4

No files found.
--- a/drivers/scsi/mpt3sas/mpt3sas_base.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_base.c
@@ -4809,6 +4809,7 @@ _base_release_memory_pools(struct MPT3SAS_ADAPTER *ioc)
 	int j = 0;
 	int dma_alloc_count = 0;
 	struct chain_tracker *ct;
+	int count = ioc->rdpq_array_enable ? ioc->reply_queue_count : 1;

 	dexitprintk(ioc, ioc_info(ioc, "%s\n", __func__));

@@ -4850,9 +4851,9 @@ _base_release_memory_pools(struct MPT3SAS_ADAPTER *ioc)
 	}

 	if (ioc->reply_post) {
-		dma_alloc_count = DIV_ROUND_UP(ioc->reply_queue_count,
+		dma_alloc_count = DIV_ROUND_UP(count,
 				RDPQ_MAX_INDEX_IN_ONE_CHUNK);
-		for (i = 0; i < ioc->reply_queue_count; i++) {
+		for (i = 0; i < count; i++) {
 			if (i % RDPQ_MAX_INDEX_IN_ONE_CHUNK == 0
 			    && dma_alloc_count) {
 				if (ioc->reply_post[i].reply_post_free) {
@@ -4973,14 +4974,14 @@ base_alloc_rdpq_dma_pool(struct MPT3SAS_ADAPTER *ioc, int sz)
 	 *  Driver uses limitation of
 	 *  VENTURA_SERIES to manage INVADER_SERIES as well.
 	 */
-	dma_alloc_count = DIV_ROUND_UP(ioc->reply_queue_count,
+	dma_alloc_count = DIV_ROUND_UP(count,
 				RDPQ_MAX_INDEX_IN_ONE_CHUNK);
 	ioc->reply_post_free_dma_pool =
 		dma_pool_create("reply_post_free pool",
 		    &ioc->pdev->dev, sz, 16, 0);
 	if (!ioc->reply_post_free_dma_pool)
 		return -ENOMEM;
-	for (i = 0; i < ioc->reply_queue_count; i++) {
+	for (i = 0; i < count; i++) {
 		if ((i % RDPQ_MAX_INDEX_IN_ONE_CHUNK == 0) && dma_alloc_count) {
 			ioc->reply_post[i].reply_post_free =
 			    dma_pool_alloc(ioc->reply_post_free_dma_pool,