- 09 Aug, 2016 1 commit

Committed by Dave Carroll

In aacraid's ioctl_send_fib() we do two fetches from userspace, one to get the fib header's size and one for the fib itself. Later we use the size field from the second fetch to further process the fib. If for some reason the size from the second fetch is different than from the first fix, we may encounter an out-of-bounds access in aac_fib_send(). We also check the sender size to ensure it is not out of bounds. This was reported in https://bugzilla.kernel.org/show_bug.cgi?id=116751 and was assigned CVE-2016-6480.

Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Fixes: 7c00ffa3 '[SCSI] 2.6 aacraid: Variable FIB size (updated patch)'
Cc: stable@vger.kernel.org
Signed-off-by: Dave Carroll <david.carroll@microsemi.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
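The double fetch described in the CVE-2016-6480 commit message above, as an added userspace model that is not code from the aacraid driver or from the commit. The structure layout, `fetch()`, `send_fib()`, `run_case()` and the `race` flag are hypothetical stand-ins; the `validate` path shows one way to apply the two checks the message names (second fetch agrees with the first, sender size within bounds).

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified FIB header and simulated user memory (layout is an assumption). */
struct fib_hdr { uint16_t size, sender_size; };
struct user_mem { unsigned char *buf; size_t len; int race; };

/* Stand-in for copy_from_user(). If u->race is set, a "second thread" then
 * enlarges the size field (first member) once, before the next fetch. */
static int fetch(void *dst, struct user_mem *u, size_t n)
{
    uint16_t big = 4096;
    if (n > u->len)
        return -EFAULT;
    memcpy(dst, u->buf, n);
    if (u->race)
        memcpy(u->buf, &big, sizeof(big));
    u->race = 0;
    return 0;
}

/* Returns the length later code would trust (or -errno); *alloc = bytes allocated. */
static long send_fib(struct user_mem *u, int validate, size_t *alloc)
{
    struct fib_hdr first, second;
    unsigned char *kfib;
    size_t trusted;
    if (fetch(&first, u, sizeof(first)))     /* fetch 1: header only */
        return -EFAULT;
    *alloc = (size_t)first.size + sizeof(first);
    kfib = malloc(*alloc);
    if (!kfib)
        return -ENOMEM;
    if (fetch(kfib, u, *alloc)) {            /* fetch 2: whole FIB */
        free(kfib);
        return -EFAULT;
    }
    memcpy(&second, kfib, sizeof(second));
    free(kfib);
    trusted = (size_t)second.size + sizeof(second);
    /* Hardened: fetch 2 must agree with fetch 1; sender size must fit. */
    if (validate && (trusted != *alloc || (size_t)second.sender_size > *alloc))
        return -EINVAL;
    return (long)trusted;
}

/* Constructed input: 64-byte payload inside a 128-byte user buffer. */
static long run_case(int race, int validate, size_t *alloc)
{
    unsigned char buf[128] = {0};
    struct fib_hdr h = { 64, (uint16_t)(64 + sizeof(struct fib_hdr)) };
    struct user_mem u = { buf, sizeof(buf), race };
    memcpy(buf, &h, sizeof(h));
    return send_fib(&u, validate, alloc);
}

int main(void)
{
    size_t a = 0;
    long unchecked = run_case(1, 0, &a);   /* 4100 trusted vs 68 allocated */
    return (unchecked > (long)a && run_case(1, 1, &a) == -EINVAL) ? 0 : 1;
}
```

Without validation the raced header makes later code trust a length larger than the allocation; with validation the same race is rejected with `-EINVAL`.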
- 13 Jul, 2016 1 commit

Committed by Muhammad Falak R Wani

Use kmemdup when some other buffer is immediately copied into allocated region. It replaces call to allocation followed by memcpy, by a single call to kmemdup.

Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
Reviewed-by: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
- 24 Feb, 2016 2 commits

Committed by Raghava Aditya Renukunta

While driver removal is in progress or PCI shutdown is invoked, driver kills AIF aacraid thread, but IOCTL requests from the management tools re-start AIF thread leading to IOP_RESET. Fixed by setting adapter_shutdown flag when PCI shutdown is invoked.

Signed-off-by: Raghava Aditya Renukunta <raghavaaditya.renukunta@pmcs.com>
Reviewed-by: Shane Seymour <shane.seymour@hpe.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Reviewed-by: Tomas Henzl <thenzl@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

Committed by Raghava Aditya Renukunta

aac_mutex was used to protect the ioctl path for only the compat path; it would make more sense to place the mutex in aac_do_ioctl, which is the main ioctl function call that handles all ioctl commands. Created new mutex ioctl_mutex in struct aac_dev to protect switch case in aac_do_ioctl and removed aac_mutex from aac_cfg_ioctl and aac_compat_do_ioctl.

Signed-off-by: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@pmcs.com>
Reviewed-by: Tomas Henzl <thenzl@redhat.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
- 10 Apr, 2015 1 commit

Committed by Mahesh Rajashekhara

The Linux aacraid driver fails to detect the case of SG list count=0 on IOCTL pass-through command and causes an intermittent fault. The result is the Linux aacraid driver sends down IOCTL pass-through command with one not initialized SG list to firmware when receiving SG list count=0 on pass-through command.

Signed-off-by: Mahesh Rajashekhara <Mahesh.Rajashekhara@pmcs.com>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Murthy Bhat <Murthy.Bhat@pmcs.com>
Signed-off-by: James Bottomley <JBottomley@Odin.com>
- 20 Nov, 2013 1 commit

Committed by Mahesh Rajashekhara

It appears that driver runs into a problem here if fibsize is too small because we allocate user_srbcmd with fibsize size only but later we access it until user_srbcmd->sg.count to copy it over to srbcmd. It is not correct to test (fibsize < sizeof(*user_srbcmd)) because this structure already includes one sg element and this is not needed for commands without data. So, we would recommend to add the following (instead of test for fibsize == 0).

Signed-off-by: Mahesh Rajashekhara <Mahesh.Rajashekhara@pmcs.com>
Reported-by: Nico Golde <nico@ngolde.de>
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
- 04 Jul, 2013 1 commit

Committed by Kees Cook

Calling kthread_run with a single name parameter causes it to be handled as a format string. Many callers are passing potentially dynamic string content, so use "%s" in those cases to avoid any potential accidents.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
- 20 Jul, 2012 1 commit

Committed by Mahesh Rajashekhara

- Series 7 Async. (performance) mode support added
- New scatter/gather list format for Series 7
- Driver converts s/g list to a firmware suitable list for best performance on Series 7, this can be disabled with driver parameter "aac_convert_sgl" for testing purposes
- New container read/write command structure for Series 7
- Fast response support for the SCSI pass-through path added
- Async. status response buffer changes

Signed-off-by: Mahesh Rajashekhara <Mahesh_Rajashekhara@pmc-sierra.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
- 09 Jan, 2012 1 commit

Committed by Jesper Juhl

We leak in drivers/scsi/aacraid/commctrl.c::aac_send_raw_srb() :

We allocate memory:

    ...
    struct user_sgmap* usg;
    usg = kmalloc(actual_fibsize - sizeof(struct aac_srb)
      + sizeof(struct sgmap), GFP_KERNEL);

and then neglect to free it:

    ...
    for (i = 0; i < usg->count; i++) {
        u64 addr;
        void* p;
        if (usg->sg[i].count >
            ((dev->adapter_info.options & AAC_OPT_NEW_COMM) ?
             (dev->scsi_host_ptr->max_sectors << 9) :
             65536)) {
            rcode = -EINVAL;
            goto cleanup;
    ...

this 'goto' makes 'usg' go out of scope and leak the memory we allocated. Other exits properly kfree(usg), it's just here it is neglected.

Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
- 24 Mar, 2011 1 commit

Committed by Mahesh Rajashekhara

Added new hardware device 0x28b interface for PMC-Sierra's SRC based controller family.

- new src.c file for 0x28b specific functions
- new XPORT header required
- sync. command interface: doorbell bits shifted (SRC_ODR_SHIFT, SRC_IDR_SHIFT)
- async. Interface: different inbound queue handling, no outbound I2O queue available, using doorbell ("PmDoorBellResponseSent") and response buffer on the host ("host_rrq") for status
- changed AIF (adapter initiated FIBs) interface: "DoorBellAifPending" bit to inform about pending AIF, "AifRequest" command to read AIF, "NoMoreAifDataAvailable" to mark the end of the AIFs

Signed-off-by: Mahesh Rajashekhara <aacraid@pmc-sierra.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
- 17 Sep, 2010 1 commit

Committed by Thomas Gleixner

Get rid of init_MUTEX[_LOCKED]() and use sema_init() instead.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: aacraid@adaptec.com
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
- 25 May, 2010 1 commit

Committed by Julia Lawall

The debugging code using the freed structure is moved before the kfree.

A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/)

    // <smpl>
    @free@
    expression E;
    position p;
    @@
    kfree@p(E)

    @@
    expression free.E, subE<=free.E, E1;
    position free.p;
    @@

      kfree@p(E)
      ...
    (
      subE = E1
    |
    * E
    )
    // </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
- 18 Jan, 2010 1 commit

These particular problems were reported by Cisco and SAP and customers as well. Cisco reported on RHEL4 U6 and SAP reported on SLES9 SP4 and SLES10 SP2. We added these fixes on RHEL4 U6 and gave a private build to IBM and Cisco. Cisco and IBM tested it for more than 15 days and they reported that they did not see the issue so far. Before the fix, Cisco used to see the issue within 5 days. We generated a patch for SLES9 SP4 and SLES10 SP2 and submitted to Novell. Novell applied the patch and gave a test build to SAP. SAP tested and reported that the build is working properly.

We also tested in our lab using the tools "dishogsync", which is IO stress tool and the tool was provided by Cisco.

Issue1: File System going into read-only mode

Root cause: The driver tends to not free the memory (FIB) when the management request exits prematurely. The accumulation of such un-freed memory causes the driver to fail to allocate anymore memory (FIB) and hence return 0x70000 value to the upper layer, which puts the file system into read only mode.

Fix details: The fix makes sure to free the memory (FIB) even if the request exits prematurely hence ensuring the driver wouldn't run out of memory (FIBs).

Issue2: False Raid Alert occurs

When the Physical Drives and Logical drives are reported as deleted or added, even though there is no change done on the system

Root cause: Driver IOCTLs is signaled with EINTR while waiting on response from the lower layers. Returning "EINTR" will never initiate internal retry.

Fix details: The issue was fixed by replacing "EINTR" with "ERESTARTSYS" for mid-layer retries.

Signed-off-by: Penchala Narasimha Reddy <ServeRAIDDriver@hcl.in>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
- 30 Dec, 2008 2 commits

Committed by Alan Cox

Signed-off-by: Alan Cox <alan@redhat.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>

Committed by FUJITA Tomonori

We need to check the address that pci_alloc_consistent() returns since it might fail. When pci_alloc_consistent() fails, some IOMMUs set the dma_handle argument to zero. So we can't use fibptr->hw_fib_pa directly here.

Signed-off-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
Cc: Aacraid List <aacraid@adaptec.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
- 12 Jul, 2008 1 commit

Committed by Mark Salyzyn

Seen: kernel BUG at arch/i386/lib/usercopy.c:872 under a 2.6.18-8.el5 kernel. Traced it to a garbage-in/garbage-out ioctl condition in the aacraid driver.

Adaptec's special ioctl scb passthrough needs to check the validity of the individual scatter gather count fields to the maximum the adapter supports. Doing so will have the side effect of preventing copy_from_user() from bugging out while populating the dma buffers. This is a hardening effort, issue was triggered by an errant version of the management tools and thus the BUG should not be seen in the field.

[jejb: fixed up compile failure]

Signed-off-by: Mark Salyzyn <aacraid@adaptec.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
- 19 Apr, 2008 1 commit

Committed by Matthew Wilcox

Signed-off-by: Matthew Wilcox <willy@linux.intel.com>
- 08 Feb, 2008 1 commit

Committed by Salyzyn, Mark

The first patch (a119ee8e) was a bit too aggressive and nested the locks (!) unit testing was in error. This patch was reverted by 203a512f. This new patch should fix the locks correctly.

Signed-off-by: Mark Salyzyn <aacraid@adaptec.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
- 31 Jan, 2008 1 commit

Committed by James Bottomley

This reverts commit a119ee8e. Adaptec found this was causing system lockups.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
- 25 Jan, 2008 1 commit

Committed by Salyzyn, Mark

Alan noticed the lack of locking surrounding the driver's dealings with the fib context managed by the trio of ioctls that are used by the RAID management applications to retrieve Adapter Initiated FIBs. I merely expanded the fib lock to include the fib context. There have been no field reports of any issues generally because the applications are relatively static and do not come and go often enough to stress this area. I bloated this patch a little with some space junk.

Signed-off-by: Mark Salyzyn <aacraid@adaptec.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
- 24 Jan, 2008 2 commits

Committed by Salyzyn, Mark

I was amazed at how much embedded space was present in the aacraid driver source files. Just selected five files from the set to clean up for now and the attached patch swelled to 73K in size!

- Removed trailing space or tabs
- Removed spaces embedded within tabs
- Replaced leading 8 spaces with tabs
- Removed spaces before )
- Removed ClusterCommand as it was unused (noticed it as one triggered by above)
- Replaced scsi_status comparison with 0x02, to compare against SAM_STATUS_CHECK_CONDITION.
- Replaced a long series of spaces with tabs
- Replaced some simple if...defined() with ifdef/ifndef

Signed-off-by: Mark Salyzyn <aacraid@adaptec.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>

Committed by Salyzyn, Mark

The 'entry' automatic variable was defined at the top and within a block that uses it, removed the definition from the block that uses it. Some cosmetic changes were made while in the same file. This patch should be inert.

Signed-off-by: Mark Salyzyn <aacraid@adaptec.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
- 29 Oct, 2007 1 commit

Committed by Al Viro

Use of ptrdiff_t in places like - if (!access_ok(VERIFY_WRITE, u_tmp->rx_buf, u_tmp->len)) + if (!access_ok(VERIFY_WRITE, (u8 __user *) + (ptrdiff_t) u_tmp->rx_buf, + u_tmp->len)) is wrong; for one thing, it's a bad C (it's what uintptr_t is for; in general we are not even promised that ptrdiff_t is large enough to hold a pointer, just enough to hold a difference between two pointers within the same object). For another, it confuses the fsck out of sparse. Use unsigned long or uintptr_t instead. There are several places misusing ptrdiff_t; fixed.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
- 01 Apr, 2007 1 commit

Committed by Salyzyn, Mark

Unsigned long is not always the same size as a pointer, namely on 32 bit systems with 64 bit address space. Ptrdiff_t is the same size as a pointer in all configurations. By using ptrdiff_t we can mitigate the warning messages on these configurations. There should be no side effects of this patch.

Signed-off-by: Mark Salyzyn <aacraid@adaptec.com>
Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
- 20 Mar, 2007 3 commits

Committed by Mark Haverkamp

Received from Mark Salyzyn,

The raw srb ioctl is supposed to be able to take packets with 32 and 64 bit virtual address SG elements, it did not handle the frames with 64 bit SG elements well when communicating with 64 bit DMA capable adapters, and it did not handle the 32 bit limited DMA adapters at all. The enclosed patch now handles all four quadrants (32 bit / 64 bit SG elements in SRB requests + 32 bit or 64 bit DMA capable adapters)

This fix is required before Java based management applications in a 64 bit user space can submit raw srb requests to the array physical components via the ioctl mechanism, the allocated user memory pool on 64 bit machines under this environment forced the management software's hands to submit 64 bit user space virtual address SG elements in via the ioctl.

Signed-off-by: Mark Haverkamp <markh@linux-foundation.org>
Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>

Committed by Mark Haverkamp

Received from Mark Salyzyn,

Outstanding ioctl calls still have some problems with aborting cleanly in the face of a reset iop recovery action should the adapter ever enter into a Firmware Assert (BlinkLED) condition. The enclosed patch resolves some uncovered flawed handling.

Signed-off-by: Mark Haverkamp <markh@linux-foundation.org>
Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>

Committed by Mark Haverkamp

Received from Mark Salyzyn,

This patch is to resolve a namespace issue that will result from a patch expected in the future that adds a new interface; rationalized as correcting a long term issue where hw_fib, instead of hw_fib_va, refers to the virtual address space and hw_fib_pa refers to the physical address space. A small fragment of this patch also cleans up an unused variable that was close to the patch fragments.

Signed-off-by: Mark Haverkamp <markh@linux-foundation.org>
Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
- 15 Feb, 2007 1 commit

Committed by Tim Schmielau

After Al Viro (finally) succeeded in removing the sched.h #include in module.h recently, it makes sense again to remove other superfluous sched.h includes. There are quite a lot of files which include it but don't actually need anything defined in there. Presumably these includes were once needed for macros that used to live in sched.h, but moved to other header files in the course of cleaning it up.

To ease the pain, this time I did not fiddle with any header files and only removed #includes from .c-files, which tend to cause less trouble.

Compile tested against 2.6.20-rc2 and 2.6.20-rc2-mm2 (with offsets) on alpha, arm, i386, ia64, mips, powerpc, and x86_64 with allnoconfig, defconfig, allmodconfig, and allyesconfig as well as a few randconfigs on x86_64 and all configs in arch/arm/configs on arm. I also checked that no new warnings were introduced by the patch (actually, some warnings are removed that were emitted by unnecessarily included header files).

Signed-off-by: Tim Schmielau <tim@physik3.uni-rostock.de>
Acked-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
- 20 Aug, 2006 2 commits

Committed by Mark Haverkamp

Received from Mark Salyzyn

If the adapter is in blinkled (Firmware Assert) when error recovery timeout actions have been triggered, perform an adapter warm reset and restart the initialization.

Signed-off-by: Mark Haverkamp <markh@osdl.org>
Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>

Committed by Mark Haverkamp

Received from Mark Salyzyn

This patch allows the FSACTL_SEND_LARGE_FIB, FSACTL_SENDFIB and FSACTL_SEND_RAW_SRB ioctl calls into the aacraid driver to be interruptible. Only necessary if the adapter and/or the management software has gone into some sort of misbehavior and the system is being rebooted, thus permitting the user management software applications to be killed relatively cleanly. The FIB queue resource is held out of the free queue until the adapter finally, if ever, completes the command.

Signed-off-by: Mark Haverkamp <markh@osdl.org>
Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
- 10 Jun, 2006 1 commit

Committed by Tobias Klauser

Use ARRAY_SIZE macro instead of sizeof(x)/sizeof(x[0]) and remove duplicates of the macro.

Signed-off-by: Tobias Klauser <tklauser@nuerscht.ch>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
- 13 Apr, 2006 1 commit

Committed by Mark Haverkamp

Received from Mark Salyzyn

Since the helper thread for the driver can be killed unceremoniously by an application, we detect the loss of the helper and restart it.

Signed-off-by: Mark Haverkamp <markh@osdl.org>
Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
- 05 Feb, 2006 1 commit

Committed by Mark Haverkamp

Received from Mark Salyzyn,

Reduce the possibility of namespace collision. Prefix with aac_.

Signed-off-by: Mark Haverkamp <markh@osdl.org>
Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
- 13 Jan, 2006 1 commit

Committed by Mark Haverkamp

Received from Mark Salyzyn.

If the adapter has not instructed us otherwise that it can handle a 'large' FIB, then it can handle at most a 2KB FIB.

Signed-off-by: Mark Haverkamp <markh@osdl.org>
Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
- 29 Oct, 2005 2 commits

Committed by Mark Haverkamp

Received from Mark Salyzyn.

This patch resolves a compiler warning on 64 bit architectures.

Signed-off-by: Mark Haverkamp <markh@osdl.org>
Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>

Committed by Mark Haverkamp

Received from Mark Salyzyn.

The compat field needed to be in cpu order.

Signed-off-by: Mark Haverkamp <markh@osdl.org>
Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
- 06 Aug, 2005 2 commits

Committed by Mark Haverkamp

Received from Mark Salyzyn from Adaptec:

If the Adapter is quiet and does not produce an AIF event packets to be picked up by the management applications for longer than the timeout interval of two minutes, the cleanup code that deals with aging out registrants could erroneously drop the registration. The timeout is there to clean up should the management application die and fail to poll for updated AIF event packets. Moving the timer update from the ioctl code that delivers an AIF to the polling registrant to the bottom of the ioctl means the timeout is reset with any management application polling activity regardless if an AIF is delivered or not removing the erroneous timeout cleanups.

Signed-off-by: Mark Haverkamp <markh@osdl.org>
Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>

Committed by Mark Haverkamp

Received from Mark Salyzyn from Adaptec.

Fixes a bug in check_revision. It should return the driver version not the firmware version. Update driver version number. Update driver version string.

Signed-off-by: Mark Haverkamp <markh@osdl.org>
Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
- 14 Jul, 2005 1 commit

Committed by Mark Haverkamp

The wrong sgmap structure is being assigned in aac_send_raw_srb.

Signed-off-by: Mark Haverkamp <markh@osdl.org>
Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
- 13 Jul, 2005 1 commit

Committed by Dave Jones

Signed-off-by: Dave Jones <davej@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>