
Commit f56577e

suganathprabu0512 authored and martinkpetersen committed
scsi: mpt3sas: Fix reply queue count in non RDPQ mode
For non RDPQ mode, the driver allocates a single contiguous block of memory pool for all reply descriptor post queues and passes down a single address in the ReplyDescriptorPostQueueAddress field of the IOC Init Request Message to the firmware.

So reply_post queue will have only one entry which holds the address of this single contiguous block of memory pool.

While allocating the reply descriptor post queue pool, driver should loop only once in non-RDPQ mode. But the driver is looping for ioc->reply_queue_count number of times even though reply_post queue's queue depth is only one in non-RDPQ mode. This leads to 'BUG: KASAN: use-after-free in base_alloc_rdpq_dma_pool'.

The fix is to loop only once while allocating memory for the reply descriptor post queue in non-RDPQ mode.

Fixes: 8012209 ("scsi: mpt3sas: Handle RDPQ DMA allocation in same 4G region")
Link: https://lore.kernel.org/r/[email protected]
Reported-by: Tomas Henzl <[email protected]>
Reviewed-by: Tomas Henzl <[email protected]>
Signed-off-by: Suganath Prabu S <[email protected]>
Signed-off-by: Martin K. Petersen <[email protected]>
1 parent 7217e6e commit f56577e

1 file changed, +5 -4 lines changed

drivers/scsi/mpt3sas/mpt3sas_base.c

Lines changed: 5 additions & 4 deletions
@@ -4809,6 +4809,7 @@ _base_release_memory_pools(struct MPT3SAS_ADAPTER *ioc)
48094809
int j = 0;
48104810
int dma_alloc_count = 0;
48114811
struct chain_tracker *ct;
4812+
int count = ioc->rdpq_array_enable ? ioc->reply_queue_count : 1;
48124813

48134814
dexitprintk(ioc, ioc_info(ioc, "%s\n", __func__));
48144815

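Review bot: The new `count` initializer at the top of _base_release_memory_pools has no comment saying why non-RDPQ mode collapses to 1; the reason (reply_post holds a single entry for the one contiguous pool) lives only in the commit message. A short comment above `int count = ioc->rdpq_array_enable ? ioc->reply_queue_count : 1;` would help, and since the allocation path needs the same bound, a small helper returning this value would keep the two functions from drifting apart again.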
@@ -4850,9 +4851,9 @@ _base_release_memory_pools(struct MPT3SAS_ADAPTER *ioc)
48504851
}
48514852

48524853
if (ioc->reply_post) {
4853-
dma_alloc_count = DIV_ROUND_UP(ioc->reply_queue_count,
4854+
dma_alloc_count = DIV_ROUND_UP(count,
48544855
RDPQ_MAX_INDEX_IN_ONE_CHUNK);
4855-
for (i = 0; i < ioc->reply_queue_count; i++) {
4856+
for (i = 0; i < count; i++) {
48564857
if (i % RDPQ_MAX_INDEX_IN_ONE_CHUNK == 0
48574858
&& dma_alloc_count) {
48584859
if (ioc->reply_post[i].reply_post_free) {
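Review bot: The bound of the free loop is recomputed from `ioc->rdpq_array_enable` on entry to this function rather than recorded when the pools were allocated, so `for (i = 0; i < count; i++) {` only walks the entries that were actually set up if that flag cannot change between base_alloc_rdpq_dma_pool and release. Please confirm that holds, or store the number of reply_post entries allocated in ioc and use it here. The commit message also describes only the allocation side of the fix; it should mention that the release path changes as well.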
@@ -4973,14 +4974,14 @@ base_alloc_rdpq_dma_pool(struct MPT3SAS_ADAPTER *ioc, int sz)
49734974
* Driver uses limitation of
49744975
* VENTURA_SERIES to manage INVADER_SERIES as well.
49754976
*/
4976-
dma_alloc_count = DIV_ROUND_UP(ioc->reply_queue_count,
4977+
dma_alloc_count = DIV_ROUND_UP(count,
49774978
RDPQ_MAX_INDEX_IN_ONE_CHUNK);
49784979
ioc->reply_post_free_dma_pool =
49794980
dma_pool_create("reply_post_free pool",
49804981
&ioc->pdev->dev, sz, 16, 0);
49814982
if (!ioc->reply_post_free_dma_pool)
49824983
return -ENOMEM;
4983-
for (i = 0; i < ioc->reply_queue_count; i++) {
4984+
for (i = 0; i < count; i++) {
49844985
if ((i % RDPQ_MAX_INDEX_IN_ONE_CHUNK == 0) && dma_alloc_count) {
49854986
ioc->reply_post[i].reply_post_free =
49864987
dma_pool_alloc(ioc->reply_post_free_dma_pool,
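Review bot: `count` is used in `DIV_ROUND_UP(count,` and in `for (i = 0; i < count; i++) {`, but no declaration of it is visible in this hunk, and the only declaration the patch adds is in _base_release_memory_pools. Since all 5 additions are accounted for by the visible `+` lines, base_alloc_rdpq_dma_pool must already define `count`; please confirm it is computed with the same `ioc->rdpq_array_enable ? ioc->reply_queue_count : 1` expression, because this is the function named in the KASAN use-after-free report and a mismatch with the release path would index reply_post[] past its single non-RDPQ entry.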
