* git://bedivere.hansenpartnership.com/git/scsi-rc-fixes-2.6: (25 commits)
[SCSI] bnx2i: Fixed the endian on TTT for NOP out transmission
[SCSI] libfc: fix referencing to fc_fcp_pkt from the frame pointer via fr_fsp()
[SCSI] libfc: block SCSI eh thread for blocked rports
[SCSI] libfc: fix fc_eh_host_reset
[SCSI] fcoe: Fix deadlock between fip's recv_work and rtnl
[SCSI] qla2xxx: Update version number to 8.03.07.07-k.
[SCSI] qla2xxx: Set the task attributes after memsetting fcp cmnd.
[SCSI] qla2xxx: Correct inadvertent loop state transitions during port-update handling.
[SCSI] qla2xxx: Save and restore irq in the response queue interrupt handler.
[SCSI] qla2xxx: Double check for command completion if abort mailbox command fails.
[SCSI] qla2xxx: Acquire hardware lock while manipulating dsd list.
[SCSI] qla2xxx: Fix qla24xx revision check while enabling interrupts.
[SCSI] qla2xxx: T10 DIF - Fix incorrect error reporting.
[SCSI] qla2xxx: T10 DIF - Handle uninitalized sectors.
[SCSI] hpsa: fix physical device lun and target numbering problem
[SCSI] hpsa: fix problem that OBDR devices are not detected
[SCSI] isci: add version number
[SCSI] isci: fix event-get pointer increment
[SCSI] isci: dynamic interrupt coalescing
[SCSI] isci: Leave requests alone if already terminating.
...
When CONFIG_NET is disabled, SCSI_QLA_ISCSI selects SCSI_ISCSI_ATTRS,
which uses network interfaces, so the build fails with multiple errors:
warning: (ISCSI_TCP && SCSI_CXGB3_ISCSI && SCSI_CXGB4_ISCSI && SCSI_QLA_ISCSI && INFINIBAND_ISER) selects SCSI_ISCSI_ATTRS which has unmet direct dependencies (SCSI && NET)
ERROR: "skb_trim" [drivers/scsi/scsi_transport_iscsi.ko] undefined!
ERROR: "netlink_kernel_create" [drivers/scsi/scsi_transport_iscsi.ko] undefined!
ERROR: "netlink_kernel_release" [drivers/scsi/scsi_transport_iscsi.ko] undefined!
...
so make SCSI_QLA_ISCSI also depend on NET to prevent the build errors.
Signed-off-by: Randy Dunlap <rdunlap@xenotime.net>
Cc: Ravi Anand <ravi.anand@qlogic.com>
Cc: Vikas Chaudhary <vikas.chaudhary@qlogic.com>
Cc: iscsi-driver@qlogic.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
The iscsi_nopout task's TTT is defined as __be32 while the DMA
memory to the chip is CPU specific. This creates a problem for
unsolicited NOP-In responses where the TTT is not the RESERVED
tag of 0xFFs. This patch adds a call to be32_to_cpu for the TTT
specified.
Signed-off-by: Eddie Wai <eddie.wai@broadcom.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
In commit 6a716a8, while releasing the DDP context in case frame_send() failed,
the frame may already be freed, so we should store the pointer to fc_fcp_pkt and
release the DDP context using the locally stored fsp instead of getting fsp from
the fr_fsp(fp) on a frame.
Signed-off-by: Yi Zou <yi.zou@intel.com>
Reported-by: Bhanu Prakash Gollapudi <bprakash@broadcom.com>
Tested-by: Ross Brattain <ross.b.brattain@intel.com>
Signed-off-by: Robert Love <robert.w.love@intel.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Call fc_block_scsi_eh() in all fcoe eh to blocks
the scsi_eh thread for blocked rports.
Signed-off-by: Vasu Dev <vasu.dev@intel.com>
Tested-by: Ross Brattain <ross.b.brattain@intel.com>
Reviewed-by: Yi Zou <yi.zou@intel.com>
Signed-off-by: Robert Love <robert.w.love@intel.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Current fc_eh_host_reset leaves lport offline
permanently due to FLOGI response getting
handled by LOGO response from last reset as both
had same exchange id.
So fix this by having end to end exches clean-up
using exchange abort along exches reset
done from fc_eh_host_reset. This would avoid
exchanges collision between the sessions across
the reset. In this case implicit login should have
done that but no aborting support for FIP
frames, so just wait till lport->r_a_tov before
restarting next flogi to ensure all exchanges
are good to use again for next session.
Below is the trace of LOGO from older session
coming ahead of FLOGI response with same exche id
0x203:-
617 86.435165 4e.00.0b -> ff.ff.fc FC ELS LOGO 0x203
618 86.435195 4e.00.0b -> b6.02.00 FC ELS LOGO 0x213
619 86.435220 4e.00.0b -> 18.03.00 FC ELS LOGO 0x223
620 86.435244 4e.00.0b -> 18.02.00 FC ELS LOGO 0x233
621 86.435267 4e.00.0b -> 18.01.00 FC ELS LOGO 0x243
622 86.435349 00.00.00 -> ff.ff.fe FC ELS FLOGI 0x203
623 86.435549 ff.ff.fc -> 4e.00.0b FC ELS ACC (LOGO) 0x203
624 86.438721 ff.ff.fe -> 4e.00.0b FC ELS ACC (FLOGI) 0x203
625 86.442059 18.03.00 -> 4e.00.0b FC ELS ACC (LOGO) 0x223
626 86.443683 b6.02.00 -> 4e.00.0b FC ELS ACC (LOGO) 0x213
627 86.447693 18.01.00 -> 4e.00.0b FC ELS ACC (LOGO) 0x243
628 86.453499 18.02.00 -> 4e.00.0b FC ELS ACC (LOGO) 0x233
Signed-off-by: Vasu Dev <vasu.dev@intel.com>
Tested-by: Ross Brattain <ross.b.brattain@intel.com>
Reviewed-by: Yi Zou <yi.zou@intel.com>
Signed-off-by: Robert Love <robert.w.love@intel.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
The memset of the fcp_cmnd struct needs to be moved so that it will not
zero-out valid data.
Signed-off-by: Saurav Kashyap <saurav.kashyap@qlogic.com>
Signed-off-by: Chad Dupuis <chad.dupuis@qlogic.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Transitioning to a LOOP_UPDATE loop-state could cause the driver
to miss normal link/target processing. LOOP_UPDATE is a crufty
artifact leftover from at time the driver performed it's own
internal command-queuing. Safely remove this state.
Signed-off-by: Andrew Vasquez <andrew.vasquez@qlogic.com>
Signed-off-by: Chad Dupuis <chad.dupuis@qlogic.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Close a small window where we could falsely fail an abort request if the mailbox
command fails but the command was returned during interrupt context.
Signed-off-by: Chad Dupuis <chad.dupuis@qlogic.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
The dsd list shouldn't be manipulated without taking the per host hardware
lock to prevent multiple callers from trampling upon one another.
Signed-off-by: Saurav Kashyap <saurav.kashyap@qlogic.com>
Signed-off-by: Chad Dupuis <chad.dupuis@qlogic.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Since we enable interrupts before initializing the firmware, use the chip
revision from PCI config space directly to perform the chip revision check.
Also remove the unnecessary firmware attributes test.
Signed-off-by: Chad Dupuis <chad.dupuis@qlogic.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
This fix:
- Disables app tag peeking; correct tag check will be added when the
SCSI API is available.
- Always derive ref_tag from scsi_get_lba()
- Removes incorrect swap of FCP_LUN in FCP_CMND
- Moves app-tag error check before ref-tag check. The reason being,
currently there is no interface in SCSI to retrieve the app-tag
for protection I/Os, so driver puts zero for app-tag in the
firmware interface, but requests not to validate it, but when a
ref-tag error is detected by firmware, it would put
expected/actual tags for all the protection tags (guard/app/ref).
As driver checks for app tag error first, a ref-tag error is
incorrectly flagged as app-tag error.
- Convert HBA specific checks to capability based.
Signed-off-by: Arun Easi <arun.easi@qlogic.com>
Signed-off-by: Chad Dupuis <chad.dupuis@qlogic.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Driver needs to update protection bytes for uninitialized sectors as they are
not DMA-d.
Signed-off-by: Arun Easi <arun.easi@qlogic.com>
Reviewed-by: Andrew Vasquez <andrew.vasquez@qlogic.com>
Signed-off-by: Chad Dupuis <chad.dupuis@qlogic.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
If a physical device exposed to the OS by hpsa
is replaced (e.g. one hot plug tape drive is replaced
by another, or a tape drive is placed into "OBDR" mode
in which it acts like a CD-ROM device) and a rescan is
initiated, the replaced device will be added to the
SCSI midlayer with target and lun numbers set to -1.
After that, a panic is likely to ensue. When a physical
device is replaced, the lun and target number should be
preserved.
Signed-off-by: Stephen M. Cameron <scameron@beardog.cce.hp.com>
Cc: stable@kernel.org
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
The test to detect OBDR ("One Button Disaster Recovery")
cd-rom devices was comparing against uninitialized data.
Fixed by moving the test for the device to where the
inquiry data is collected, and uninitialized variable
altogether as it wasn't really being used.
Signed-off-by: Stephen M. Cameron <scameron@beardog.cce.hp.com>
Cc: stable@kernel.org
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Hardware only increments the put pointer on event types >= 4. Do not
increment the get pointer for event type 3.
Reported-by: Kapil Karkra <kapil.karkra@intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Hardware allows both an outstanding number commands and a timeout value
(whichever occurs first) as a gate to the next interrupt generation. This
scheme at completion time looks at the remaining number of outstanding tasks
and sets the timeout to maximize small transaction operation. If transactions
are large (take more than a few 10s of microseconds to complete) then
performance is not interrupt processing bound, so the small timeouts this
scheme generates are overridden by the time it takes for a completion to
arrive.
Tested-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Instead of immediately completing any request that has a second
termination call made on it, wait for the TC done/abort HW event.
Signed-off-by: Jeff Skirvin <jeffrey.d.skirvin@intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Adding API update for adding isci_id entry scsi_host sysfs entry.
Also fixing up the sysfs registration to the scsi_host template
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Need the following workaround in the driver for interoperability with
the older Intel SSD drives and any other SATA drive that may exhibit the
same behavior. This is a corner case where SCU speed is limited to
either 3G or 1.5G and the drive has a period of DC idle when it switches
speed during SATA speed negotiation. Workaround :change PHYTOV[31:24]
from 0x36 to 0x3B.
Signed-off-by: Marcin Tomczak <marcin.tomczak@intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
The unsolicited frame control infrastructure requires a table of dma
addresses for the hardware to lookup the frame buffer location by an
index. The hardware expects the elements of this table to be 64-bit
quantities, so we cannot reference these elements as dma_addr_t. All
unsolicited frame protocols are affected, particularly SATA-PIO and SMP
which prevented direct-attached SATA drives and expander-attached drives
to not be discovered.
Cc: <stable@kernel.org>
Reported-by: Jacek Danecki <jacek.danecki@intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
A bug (likely copy/paste) that has been carried from the original
implementation. The unsolicited frame handling structure returns the
d2h fis in the isci_request.stp.rsp buffer.
Cc: <stable@kernel.org>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
* git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-misc-2.6: (71 commits)
[SCSI] fcoe: cleanup cpu selection for incoming requests
[SCSI] fcoe: add fip retry to avoid missing critical keep alive
[SCSI] libfc: fix warn on in lport retry
[SCSI] libfc: Remove the reference to FCP packet from scsi_cmnd in case of error
[SCSI] libfc: cleanup sending SRR request
[SCSI] libfc: two minor changes in comments
[SCSI] libfc, fcoe: ignore rx frame with wrong xid info
[SCSI] libfc: release exchg cache
[SCSI] libfc: use FC_MAX_ERROR_CNT
[SCSI] fcoe: remove unused ptype field in fcoe_rcv_info
[SCSI] bnx2fc: Update copyright and bump version to 1.0.4
[SCSI] bnx2fc: Tx BDs cache in write tasks
[SCSI] bnx2fc: Do not arm CQ when there are no CQEs
[SCSI] bnx2fc: hold tgt lock when calling cmd_release
[SCSI] bnx2fc: Enable support for sequence level error recovery
[SCSI] bnx2fc: HSI changes for tape
[SCSI] bnx2fc: Handle REC_TOV error code from firmware
[SCSI] bnx2fc: REC/SRR link service request and response handling
[SCSI] bnx2fc: Support 'sequence cleanup' task
[SCSI] dh_rdac: Associate HBA and storage in rdac_controller to support partitions in storage
...
Cleanup to:
- have selection for all types of frames, not just FCP.
- remove redundant cpu_online check once fcoe_select_cpu called
as this is not required since later code flow check for offlined
cpu.
- Simplify fcoe_select_cpu() by removing unnecessary checks to
skip curr_cpu, this also fixes possibly infinite loop in case
of curr_cpu is the only cpu while iterating in the loop.
This cleanup mainly applies to target as incoming request are
mostly for target, therefore Kiran has verified the patch
with target also.
Signed-off-by: Vasu Dev <vasu.dev@intel.com>
Tested-by: Kiran Patil <kiran.patil@intel.com>
Tested-by: Ross Brattain <ross.b.brattain@intel.com>
Signed-off-by: Robert Love <robert.w.love@intel.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Use pending queue to retry FIP frame in case its tx
fails and use common pending queue for both fcoe
and fip frames using fcoe_port_send.
Signed-off-by: Vasu Dev <vasu.dev@intel.com>
Tested-by: Ross Brattain <ross.b.brattain@intel.com>
Signed-off-by: Robert Love <robert.w.love@intel.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
The lport retry timer hits warn on in case
it has become ready in response from fip
login from fcoe_ctlr_flogi_send(), this is
possible but safe code path, therefore
removing this warn on.
Jun 22 03:16:30 10.0.16.6 [488198.316517] host3: Assigned Port ID 180f02
Jun 22 03:16:32 10.0.16.6 [488200.091561] ------------[ cut here ]------------
Jun 22 03:16:32 10.0.16.6 [488200.091586] WARNING: at
drivers/scsi/libfc/fc_lport.c:1355 fc_lport_timeout+0xd9/0xe0 [libfc]()
Signed-off-by: Vasu Dev <vasu.dev@intel.com>
Tested-by: Ross Brattain <ross.b.brattain@intel.com>
Signed-off-by: Robert Love <robert.w.love@intel.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
fc_queuecommand() allocates an FCP packet for each SCSI command and sends
it out on the wire. In the process it stores the reference to the FCP packet
in the scsi_cmnd structure.
Now, in case under stress testing the libfc exchange layer runs out of
exchanges the fc_queuecommand() may not be able to send out commands out on
the wire. In such a scenario if there is an error in sending the FCP packet
out the wire; fc_queuecommand() deletes the FCP packet from internal queue,
releases the FCP packet and returns a SCSI_MLQUEUE_HOST_BUSY status to the
scsi-ml. But, the reference to the FCP packet set in the scsi_cmnd is not
removed from the scsi_cmnd in this code path.
This might lead to a crash under stress testing where the scsi_cmnd failed by
fc_queuecommand() comes up to fc_eh_abort() via scsi eh thread. fc_eh_abort()
will get reference to the FCP packet to be aborted from the scsi_cmnd for
further FCP abort related processing and then try to release the FCP packet
that has already been released.
This patch removes the FCP packet reference from the scsi_cmnd before returning
back from fc_queuecommand() in case of an error in sending out the FCP packet.
Signed-off-by: Neerav Parikh <Neerav.Parikh@intel.com>
Tested-by: Ross Brattain <ross.b.brattain@intel.com>
Signed-off-by: Robert Love <robert.w.love@intel.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
The variable on stack, namely cdb_op, is not used but removed.
[ Patch reworked by Robert Love due to invalid patch format ]
Signed-off-by: Hillf Danton <dhillf@gmail.com>
Signed-off-by: Robert Love <robert.w.love@intel.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
One change is to cleanup typo in comment for fc_fcp_recv(), another corrects
the misleading comment for fc_fcp_abts_resp().
[ Patch reworked by Robert Love due to invalid patch format ]
Signed-off-by: Hillf Danton <dhillf@gmail.com>
Signed-off-by: Robert Love <robert.w.love@intel.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Drop the rx frame having xid with wrong cpu info
or received with xid not matching to our xid.
Not dropping such frame is causing panic as
that causes accessing data struct beyond their
bounds.
Signed-off-by: Vasu Dev <vasu.dev@intel.com>
Tested-by: Ross Brattain <ross.b.brattain@intel.com>
Signed-off-by: Robert Love <robert.w.love@intel.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
If fail to create workqueue, the newly created cache for exchg has to be
released.
Signed-off-by: Hillf Danton <dhillf@gmail.com>
Reviewed-by: Vasu Dev <vasu.dev@intel.com>
Signed-off-by: Robert Love <robert.w.love@intel.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Though defined, FC_MAX_ERROR_CNT is not used. It is used now for CRC error in
the path of receiving FCP frame.
Signed-off-by: Hillf Danton <dhillf@gmail.com>
Signed-off-by: Robert Love <robert.w.love@intel.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
There is no need to cache the ptype in fcoe_rcv_info struct as it is never
used anywhere.
Signed-off-by: Yi Zou <yi.zou@intel.com>
Tested-by: Ross Brattain <ross.b.brattain@intel.com>
Signed-off-by: Robert Love <robert.w.love@intel.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
When there is a single BD for the entire data to be transmitted, use the BD
inside the SGL context and set the cached SGE indication in the task context
Signed-off-by: Bhanu Prakash Gollapudi <bprakash@broadcom.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Driver advertises its support for 'retry' bit and 'conf completion' bit in PRLI
params to enable support for 'sequence level error recovery'
Signed-off-by: Bhanu Prakash Gollapudi <bprakash@broadcom.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Program the firmware task structure with init_flags indicating the device is
'sequence level error recovery' capable.
Signed-off-by: Bhanu Prakash Gollapudi <bprakash@broadcom.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Driver decides to initiate REC on REC_TOV timer pop. The firmware maintains the
REC timer and informs the driver as a firmware error message, which is an
unsolicited event to the driver. Driver also issues REC on other unsolicited
events from firmware that indicate data loss.
Signed-off-by: Bhanu Prakash Gollapudi <bprakash@broadcom.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
For the devices that support sequence level error recovery, based on the REC
response, the firmware has to be informed about the offset from which the
retransmission should happen. Driver initiates sequence cleanup task to
firmware so that the firmware can program the task. Upon the sequence cleanup
completion, SRR is issued to retransmit the sequence.
Signed-off-by: Bhanu Prakash Gollapudi <bprakash@broadcom.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
rdac hardware handler assumes that there is one-to-one relation ship
between the host and the controller w.r.t lun. IOW, it does not
support "multiple storage partitions" within a storage.
Example:
HBA1 and HBA2 see lun 0 and 1 in storage A (1)
HBA3 and HBA4 see lun 0 and 1 in storage A (2)
HBA5 and HBA6 see lun 0 and 1 in storage A (3)
luns 0 and 1 in (1), (2) and (3) are totally different.
But, rdac handler treats the lun 0s (and lun 1s) as the same when
sending a mode select to the controller, which is wrong.
This patch makes the rdac hardware handler associate HBA and the
storage w.r.t lun (and not the host itself).
Signed-off-by: Chandra Seetharaman <sekharan@us.ibm.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
* 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending:
target: Convert to DIV_ROUND_UP_SECTOR_T usage for sectors / dev_max_sectors
kernel.h: Add DIV_ROUND_UP_ULL and DIV_ROUND_UP_SECTOR_T macro usage
iscsi-target: Add iSCSI fabric support for target v4.1
iscsi: Add Serial Number Arithmetic LT and GT into iscsi_proto.h
iscsi: Use struct scsi_lun in iscsi structs instead of u8[8]
iscsi: Resolve iscsi_proto.h naming conflicts with drivers/target/iscsi
The out_msi_disable label should be before cleanup_nomem to additionally
benefit from the call to iounmap. Subsequent gotos are adjusted to go to
out_msi_disable instead of cleanup_nomem, which now follows it. This is
safe because pci_disable_msi does nothing if pci_enable_msi was not called.
A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)
// <smpl>
@r@
expression e1,e2;
statement S;
@@
e1 = pci_ioremap_bar(...);
... when != e1 = e2
when != iounmap(e1)
when any
(
if (<+...e1...+>) S
|
if(...) { ... return 0; }
|
if (...) { ... when != iounmap(e1)
when != if (...) { ... iounmap(e1) ... }
* return ...;
} else S
)
// </smpl>
Signed-off-by: Julia Lawall <julia@diku.dk>
Acked-by: Brian King <brking@linux.vnet.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
There's a code path in pmcraid that can be reached via device ioctl that
causes all sorts of ugliness, including heap corruption or triggering the
OOM killer due to consecutive allocation of large numbers of pages.
First, the user can call pmcraid_chr_ioctl(), with a type
PMCRAID_PASSTHROUGH_IOCTL. This calls through to
pmcraid_ioctl_passthrough(). Next, a pmcraid_passthrough_ioctl_buffer
is copied in, and the request_size variable is set to
buffer->ioarcb.data_transfer_length, which is an arbitrary 32-bit
signed value provided by the user. If a negative value is provided
here, bad things can happen. For example,
pmcraid_build_passthrough_ioadls() is called with this request_size,
which immediately calls pmcraid_alloc_sglist() with a negative size.
The resulting math on allocating a scatter list can result in an
overflow in the kzalloc() call (if num_elem is 0, the sglist will be
smaller than expected), or if num_elem is unexpectedly large the
subsequent loop will call alloc_pages() repeatedly, a high number of
pages will be allocated and the OOM killer might be invoked.
It looks like preventing this value from being negative in
pmcraid_ioctl_passthrough() would be sufficient.
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>