<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/scsi/aacraid/commctrl.c, branch linux-4.6.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>aacraid: Fix AIF triggered IOP_RESET</title>
<updated>2016-02-24T02:27:02+00:00</updated>
<author>
<name>Raghava Aditya Renukunta</name>
<email>raghavaaditya.renukunta@pmcs.com</email>
</author>
<published>2016-02-03T23:06:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=fbd185986ebafaeac900a1af1829fed2bf03242e'/>
<id>fbd185986ebafaeac900a1af1829fed2bf03242e</id>
<content type='text'>
while driver removal is in progress or PCI shutdown is invoked, driver
kills AIF aacraid thread, but IOCTL requests from the management tools
re-start AIF thread leading to IOP_RESET.

Fixed by setting adapter_shutdown flag when PCI shutdown is invoked.

Signed-off-by: Raghava Aditya Renukunta &lt;raghavaaditya.renukunta@pmcs.com&gt;
Reviewed-by: Shane Seymour &lt;shane.seymour@hpe.com&gt;
Reviewed-by: Johannes Thumshirn &lt;jthumshirn@suse.de&gt;
Reviewed-by: Tomas Henzl &lt;thenzl@redhat.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
while driver removal is in progress or PCI shutdown is invoked, driver
kills AIF aacraid thread, but IOCTL requests from the management tools
re-start AIF thread leading to IOP_RESET.

Fixed by setting adapter_shutdown flag when PCI shutdown is invoked.

Signed-off-by: Raghava Aditya Renukunta &lt;raghavaaditya.renukunta@pmcs.com&gt;
Reviewed-by: Shane Seymour &lt;shane.seymour@hpe.com&gt;
Reviewed-by: Johannes Thumshirn &lt;jthumshirn@suse.de&gt;
Reviewed-by: Tomas Henzl &lt;thenzl@redhat.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>aacraid: Created new mutex for ioctl path</title>
<updated>2016-02-24T02:27:02+00:00</updated>
<author>
<name>Raghava Aditya Renukunta</name>
<email>RaghavaAditya.Renukunta@pmcs.com</email>
</author>
<published>2016-02-03T23:06:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=222a9fb376df0f4aec32493a3fb5d18fa56979f2'/>
<id>222a9fb376df0f4aec32493a3fb5d18fa56979f2</id>
<content type='text'>
aac_mutex was used to create protect the ioctl path for only the compat
path, it would be make more sense to place mutex in aac_do_ioctl, which
is the main ioctl function call that handles all ioctl commands.

Created new mutex ioctl_mutex in struct aac_dev to protect switch case
in aac_do_ioctl and removed aac_mutex from aac_cfg_ioctl and
aac_compat_do_ioctl

Signed-off-by: Raghava Aditya Renukunta &lt;RaghavaAditya.Renukunta@pmcs.com&gt;
Reviewed-by: Tomas Henzl &lt;thenzl@redhat.com&gt;
Reviewed-by: Johannes Thumshirn &lt;jthumshirn@suse.de&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
aac_mutex was used to create protect the ioctl path for only the compat
path, it would be make more sense to place mutex in aac_do_ioctl, which
is the main ioctl function call that handles all ioctl commands.

Created new mutex ioctl_mutex in struct aac_dev to protect switch case
in aac_do_ioctl and removed aac_mutex from aac_cfg_ioctl and
aac_compat_do_ioctl

Signed-off-by: Raghava Aditya Renukunta &lt;RaghavaAditya.Renukunta@pmcs.com&gt;
Reviewed-by: Tomas Henzl &lt;thenzl@redhat.com&gt;
Reviewed-by: Johannes Thumshirn &lt;jthumshirn@suse.de&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>aacraid: IOCTL pass-through command fix</title>
<updated>2015-04-09T23:44:49+00:00</updated>
<author>
<name>Mahesh Rajashekhara</name>
<email>Mahesh.Rajashekhara@pmcs.com</email>
</author>
<published>2015-03-26T14:41:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2f5d1f7998b67d49263ee9d9a49669e1b8d0e302'/>
<id>2f5d1f7998b67d49263ee9d9a49669e1b8d0e302</id>
<content type='text'>
The Linux aacriad driver fails to detect the case of SG list count=0 on IOCTL
pass-through command and cause intermittent fault.  The result is the Linux
aacriad driver send down IOCTL pass-through command with one not initialized
SG list to firmware when receiving SG list count =0 on pass-through command.

Signed-off-by: Mahesh Rajashekhara &lt;Mahesh.Rajashekhara@pmcs.com&gt;
Reviewed-by: Hannes Reinecke &lt;hare@suse.de&gt;
Reviewed-by: Murthy Bhat &lt;Murthy.Bhat@pmcs.com&gt;
Signed-off-by: James Bottomley &lt;JBottomley@Odin.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The Linux aacriad driver fails to detect the case of SG list count=0 on IOCTL
pass-through command and cause intermittent fault.  The result is the Linux
aacriad driver send down IOCTL pass-through command with one not initialized
SG list to firmware when receiving SG list count =0 on pass-through command.

Signed-off-by: Mahesh Rajashekhara &lt;Mahesh.Rajashekhara@pmcs.com&gt;
Reviewed-by: Hannes Reinecke &lt;hare@suse.de&gt;
Reviewed-by: Murthy Bhat &lt;Murthy.Bhat@pmcs.com&gt;
Signed-off-by: James Bottomley &lt;JBottomley@Odin.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>aacraid: prevent invalid pointer dereference</title>
<updated>2013-11-20T00:27:39+00:00</updated>
<author>
<name>Mahesh Rajashekhara</name>
<email>Mahesh.Rajashekhara@pmcs.com</email>
</author>
<published>2013-10-31T08:31:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b4789b8e6be3151a955ade74872822f30e8cd914'/>
<id>b4789b8e6be3151a955ade74872822f30e8cd914</id>
<content type='text'>
It appears that driver runs into a problem here if fibsize is too small
because we allocate user_srbcmd with fibsize size only but later we
access it until user_srbcmd-&gt;sg.count to copy it over to srbcmd.

It is not correct to test (fibsize &lt; sizeof(*user_srbcmd)) because this
structure already includes one sg element and this is not needed for
commands without data.  So, we would recommend to add the following
(instead of test for fibsize == 0).

Signed-off-by: Mahesh Rajashekhara &lt;Mahesh.Rajashekhara@pmcs.com&gt;
Reported-by: Nico Golde &lt;nico@ngolde.de&gt;
Reported-by: Fabian Yamaguchi &lt;fabs@goesec.de&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
It appears that driver runs into a problem here if fibsize is too small
because we allocate user_srbcmd with fibsize size only but later we
access it until user_srbcmd-&gt;sg.count to copy it over to srbcmd.

It is not correct to test (fibsize &lt; sizeof(*user_srbcmd)) because this
structure already includes one sg element and this is not needed for
commands without data.  So, we would recommend to add the following
(instead of test for fibsize == 0).

Signed-off-by: Mahesh Rajashekhara &lt;Mahesh.Rajashekhara@pmcs.com&gt;
Reported-by: Nico Golde &lt;nico@ngolde.de&gt;
Reported-by: Fabian Yamaguchi &lt;fabs@goesec.de&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>drivers: avoid parsing names as kthread_run() format strings</title>
<updated>2013-07-03T23:07:41+00:00</updated>
<author>
<name>Kees Cook</name>
<email>keescook@chromium.org</email>
</author>
<published>2013-07-03T22:04:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f170168b9a0b61ea1e647b082b38f605f1d3de3e'/>
<id>f170168b9a0b61ea1e647b082b38f605f1d3de3e</id>
<content type='text'>
Calling kthread_run with a single name parameter causes it to be handled
as a format string. Many callers are passing potentially dynamic string
content, so use "%s" in those cases to avoid any potential accidents.

Signed-off-by: Kees Cook &lt;keescook@chromium.org&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Calling kthread_run with a single name parameter causes it to be handled
as a format string. Many callers are passing potentially dynamic string
content, so use "%s" in those cases to avoid any potential accidents.

Signed-off-by: Kees Cook &lt;keescook@chromium.org&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>[SCSI] aacraid: Series 7 Async. (performance) mode support</title>
<updated>2012-07-20T07:59:04+00:00</updated>
<author>
<name>Mahesh Rajashekhara</name>
<email>Mahesh_Rajashekhara@pmc-sierra.com</email>
</author>
<published>2012-07-14T12:48:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=85d22bbf6787c240921539bba224eb221bfb8ee1'/>
<id>85d22bbf6787c240921539bba224eb221bfb8ee1</id>
<content type='text'>
- Series 7 Async. (performance) mode support added
- New scatter/gather list format for Series 7
- Driver converts s/g list to a firmware suitable list for best performance on
  Series 7, this can be disabled with driver parameter "aac_convert_sgl" for
  testing purposes
- New container read/write command structure for Series 7
- Fast response support for the SCSI pass-through path added
- Async. status response buffer changes

Signed-off-by: Mahesh Rajashekhara &lt;Mahesh_Rajashekhara@pmc-sierra.com&gt;
Signed-off-by: James Bottomley &lt;JBottomley@Parallels.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
- Series 7 Async. (performance) mode support added
- New scatter/gather list format for Series 7
- Driver converts s/g list to a firmware suitable list for best performance on
  Series 7, this can be disabled with driver parameter "aac_convert_sgl" for
  testing purposes
- New container read/write command structure for Series 7
- Fast response support for the SCSI pass-through path added
- Async. status response buffer changes

Signed-off-by: Mahesh Rajashekhara &lt;Mahesh_Rajashekhara@pmc-sierra.com&gt;
Signed-off-by: James Bottomley &lt;JBottomley@Parallels.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>drivers/scsi/aacraid/commctrl.c: fix mem leak in aac_send_raw_srb()</title>
<updated>2012-01-08T22:15:21+00:00</updated>
<author>
<name>Jesper Juhl</name>
<email>jj@chaosbits.net</email>
</author>
<published>2012-01-08T21:44:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=7dd72f5189b257f927cc3b35d98643a5c392f5c3'/>
<id>7dd72f5189b257f927cc3b35d98643a5c392f5c3</id>
<content type='text'>
We leak in drivers/scsi/aacraid/commctrl.c::aac_send_raw_srb() :

We allocate memory:

	...
	struct user_sgmap* usg;
	usg = kmalloc(actual_fibsize - sizeof(struct aac_srb)
	  + sizeof(struct sgmap), GFP_KERNEL);

and then neglect to free it:

	...
	for (i = 0; i &lt; usg-&gt;count; i++) {
		u64 addr;
		void* p;
		if (usg-&gt;sg[i].count &gt;
		    ((dev-&gt;adapter_info.options &amp;
		     AAC_OPT_NEW_COMM) ?
		      (dev-&gt;scsi_host_ptr-&gt;max_sectors &lt;&lt; 9) :
		      65536)) {
			rcode = -EINVAL;
			goto cleanup;
	... this 'goto' makes 'usg' go out of scope and leak the memory we
	    allocated.

Other exits properly kfree(usg), it's just here it is neglected.

Signed-off-by: Jesper Juhl &lt;jj@chaosbits.net&gt;
Cc: James Bottomley &lt;James.Bottomley@HansenPartnership.com&gt;
Cc: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
We leak in drivers/scsi/aacraid/commctrl.c::aac_send_raw_srb() :

We allocate memory:

	...
	struct user_sgmap* usg;
	usg = kmalloc(actual_fibsize - sizeof(struct aac_srb)
	  + sizeof(struct sgmap), GFP_KERNEL);

and then neglect to free it:

	...
	for (i = 0; i &lt; usg-&gt;count; i++) {
		u64 addr;
		void* p;
		if (usg-&gt;sg[i].count &gt;
		    ((dev-&gt;adapter_info.options &amp;
		     AAC_OPT_NEW_COMM) ?
		      (dev-&gt;scsi_host_ptr-&gt;max_sectors &lt;&lt; 9) :
		      65536)) {
			rcode = -EINVAL;
			goto cleanup;
	... this 'goto' makes 'usg' go out of scope and leak the memory we
	    allocated.

Other exits properly kfree(usg), it's just here it is neglected.

Signed-off-by: Jesper Juhl &lt;jj@chaosbits.net&gt;
Cc: James Bottomley &lt;James.Bottomley@HansenPartnership.com&gt;
Cc: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>[SCSI] aacraid: Add new code for PMC-Sierra's SRC based controller family</title>
<updated>2011-03-23T16:36:58+00:00</updated>
<author>
<name>Mahesh Rajashekhara</name>
<email>Mahesh_Rajashekhara@pmc-sierra.com</email>
</author>
<published>2011-03-17T09:10:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e8b12f0fb8352237525961f14ec933e915848840'/>
<id>e8b12f0fb8352237525961f14ec933e915848840</id>
<content type='text'>
Added new hardware device 0x28b interface for PMC-Sierra's SRC based
controller family.

- new src.c file for 0x28b specific functions
- new XPORT header required
- sync. command interface: doorbell bits shifted (SRC_ODR_SHIFT, SRC_IDR_SHIFT)
- async. Interface: different inbound queue handling, no outbound I2O
  queue available, using doorbell ("PmDoorBellResponseSent") and
  response buffer on the host ("host_rrq") for status
- changed AIF (adapter initiated FIBs) interface: "DoorBellAifPending"
  bit to inform about pending AIF, "AifRequest" command to read AIF,
  "NoMoreAifDataAvailable" to mark the end of the AIFs

Signed-off-by: Mahesh Rajashekhara &lt;aacraid@pmc-sierra.com&gt;
Signed-off-by: James Bottomley &lt;James.Bottomley@suse.de&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Added new hardware device 0x28b interface for PMC-Sierra's SRC based
controller family.

- new src.c file for 0x28b specific functions
- new XPORT header required
- sync. command interface: doorbell bits shifted (SRC_ODR_SHIFT, SRC_IDR_SHIFT)
- async. Interface: different inbound queue handling, no outbound I2O
  queue available, using doorbell ("PmDoorBellResponseSent") and
  response buffer on the host ("host_rrq") for status
- changed AIF (adapter initiated FIBs) interface: "DoorBellAifPending"
  bit to inform about pending AIF, "AifRequest" command to read AIF,
  "NoMoreAifDataAvailable" to mark the end of the AIFs

Signed-off-by: Mahesh Rajashekhara &lt;aacraid@pmc-sierra.com&gt;
Signed-off-by: James Bottomley &lt;James.Bottomley@suse.de&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>[SCSI] aacraid: semaphore cleanup</title>
<updated>2010-09-17T02:54:09+00:00</updated>
<author>
<name>Thomas Gleixner</name>
<email>tglx@linutronix.de</email>
</author>
<published>2010-09-07T14:32:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6de76cfc7db8844bc26ab9a60b20f50ad7851833'/>
<id>6de76cfc7db8844bc26ab9a60b20f50ad7851833</id>
<content type='text'>
Get rid of init_MUTEX[_LOCKED]() and use sema_init() instead.

Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Cc: aacraid@adaptec.com
Signed-off-by: James Bottomley &lt;James.Bottomley@suse.de&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Get rid of init_MUTEX[_LOCKED]() and use sema_init() instead.

Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Cc: aacraid@adaptec.com
Signed-off-by: James Bottomley &lt;James.Bottomley@suse.de&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>[SCSI] aacraid: Eliminate use after free</title>
<updated>2010-05-25T15:59:07+00:00</updated>
<author>
<name>Julia Lawall</name>
<email>julia@diku.dk</email>
</author>
<published>2010-05-15T09:46:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=8a52da632ceb9d8b776494563df579e87b7b586b'/>
<id>8a52da632ceb9d8b776494563df579e87b7b586b</id>
<content type='text'>
The debugging code using the freed structure is moved before the kfree.

A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)

// &lt;smpl&gt;
@free@
expression E;
position p;
@@
kfree@p(E)

@@
expression free.E, subE&lt;=free.E, E1;
position free.p;
@@

  kfree@p(E)
  ...
(
  subE = E1
|
* E
)
// &lt;/smpl&gt;

Signed-off-by: Julia Lawall &lt;julia@diku.dk&gt;
Signed-off-by: James Bottomley &lt;James.Bottomley@suse.de&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The debugging code using the freed structure is moved before the kfree.

A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)

// &lt;smpl&gt;
@free@
expression E;
position p;
@@
kfree@p(E)

@@
expression free.E, subE&lt;=free.E, E1;
position free.p;
@@

  kfree@p(E)
  ...
(
  subE = E1
|
* E
)
// &lt;/smpl&gt;

Signed-off-by: Julia Lawall &lt;julia@diku.dk&gt;
Signed-off-by: James Bottomley &lt;James.Bottomley@suse.de&gt;
</pre>
</div>
</content>
</entry>
</feed>
