1. 09 11月, 2016 8 次提交
  2. 13 8月, 2016 1 次提交
    • G
      mpt3sas: Fix resume on WarpDrive flash cards · ce7c6c9e
      Greg Edwards 提交于
      mpt3sas crashes on resume after suspend with WarpDrive flash cards.  The
      reply_post_host_index array is not set back up after the resume, and we
      deference a stale pointer in _base_interrupt().
      
      [   47.309711] BUG: unable to handle kernel paging request at ffffc90001f8006c
      [   47.318289] IP: [<ffffffffc00863ef>] _base_interrupt+0x49f/0xa30 [mpt3sas]
      [   47.326749] PGD 41ccaa067 PUD 41ccab067 PMD 3466c067 PTE 0
      [   47.333848] Oops: 0002 [#1] SMP
      ...
      [   47.452708] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.7.0 #6
      [   47.460506] Hardware name: Dell Inc. OptiPlex 990/06D7TR, BIOS A18 09/24/2013
      [   47.469629] task: ffffffff81c0d500 ti: ffffffff81c00000 task.ti: ffffffff81c00000
      [   47.479112] RIP: 0010:[<ffffffffc00863ef>]  [<ffffffffc00863ef>] _base_interrupt+0x49f/0xa30 [mpt3sas]
      [   47.490466] RSP: 0018:ffff88041d203e30  EFLAGS: 00010002
      [   47.497801] RAX: 0000000000000001 RBX: ffff880033f4c000 RCX: 0000000000000001
      [   47.506973] RDX: ffffc90001f8006c RSI: 0000000000000082 RDI: 0000000000000082
      [   47.516141] RBP: ffff88041d203eb0 R08: ffff8804118e2820 R09: 0000000000000001
      [   47.525300] R10: 0000000000000001 R11: 00000000100c0000 R12: 0000000000000000
      [   47.534457] R13: ffff880412c487e0 R14: ffff88041a8987d8 R15: 0000000000000001
      [   47.543632] FS:  0000000000000000(0000) GS:ffff88041d200000(0000) knlGS:0000000000000000
      [   47.553796] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   47.561632] CR2: ffffc90001f8006c CR3: 0000000001c06000 CR4: 00000000000406f0
      [   47.570883] Stack:
      [   47.575015]  000000001d211228 ffff88041d2100c0 ffff8800c47d8130 0000000000000100
      [   47.584625]  ffff8804100c0000 100c000000000000 ffff88041a8992a0 ffff88041a8987f8
      [   47.594230]  ffff88041d203e00 ffffffff81111e55 000000000000038c ffff880414ad4280
      [   47.603862] Call Trace:
      [   47.608474]  <IRQ>
      [   47.610413]  [<ffffffff81111e55>] ? call_timer_fn+0x35/0x120
      [   47.620539]  [<ffffffff81100a1f>] handle_irq_event_percpu+0x7f/0x1c0
      [   47.629061]  [<ffffffff81100b8c>] handle_irq_event+0x2c/0x50
      [   47.636859]  [<ffffffff81103fff>] handle_edge_irq+0x6f/0x130
      [   47.644654]  [<ffffffff8102fbf3>] handle_irq+0x73/0x120
      [   47.652011]  [<ffffffff810c6ada>] ? atomic_notifier_call_chain+0x1a/0x20
      [   47.660854]  [<ffffffff817e374b>] do_IRQ+0x4b/0xd0
      [   47.667777]  [<ffffffff817e160c>] common_interrupt+0x8c/0x8c
      [   47.675635]  <EOI>
      
      Move the reply_post_host_index array setup into
      mpt3sas_base_map_resources(), which is also in the resume path.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NGreg Edwards <gedwards@fireweed.org>
      Acked-by: NChaitra P B <chaitra.basappa@broadcom.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      ce7c6c9e
  3. 09 8月, 2016 5 次提交
  4. 16 7月, 2016 1 次提交
  5. 13 7月, 2016 2 次提交
  6. 23 5月, 2016 1 次提交
  7. 12 5月, 2016 6 次提交
  8. 26 4月, 2016 1 次提交
  9. 16 4月, 2016 2 次提交
  10. 24 3月, 2016 1 次提交
    • C
      mpt3sas: Don't overreach ioc->reply_post[] during initialization · 5ec8a175
      Calvin Owens 提交于
      In _base_make_ioc_operational(), we walk ioc->reply_queue_list and pull
      a pointer out of successive elements of ioc->reply_post[] for each entry
      in that list if RDPQ is enabled.
      
      Since the code pulls the pointer for the next iteration at the bottom of
      the loop, it triggers the a KASAN dump on the final iteration:
      
          BUG: KASAN: slab-out-of-bounds in _base_make_ioc_operational+0x47b7/0x47e0 [mpt3sas] at addr ffff880754816ab0
          Read of size 8 by task modprobe/305
          <snip>
          Call Trace:
           [<ffffffff81dfc591>] dump_stack+0x4d/0x6c
           [<ffffffff814c9689>] print_trailer+0xf9/0x150
           [<ffffffff814ceda4>] object_err+0x34/0x40
           [<ffffffff814d1231>] kasan_report_error+0x221/0x530
           [<ffffffff814d1673>] __asan_report_load8_noabort+0x43/0x50
           [<ffffffffa0043637>] _base_make_ioc_operational+0x47b7/0x47e0 [mpt3sas]
           [<ffffffffa0049a51>] mpt3sas_base_attach+0x1991/0x2120 [mpt3sas]
           [<ffffffffa0053c93>] _scsih_probe+0xeb3/0x16b0 [mpt3sas]
           [<ffffffff81ebd047>] local_pci_probe+0xc7/0x170
           [<ffffffff81ebf2cf>] pci_device_probe+0x20f/0x290
           [<ffffffff820d50cd>] really_probe+0x17d/0x600
           [<ffffffff820d56a3>] __driver_attach+0x153/0x190
           [<ffffffff820cffac>] bus_for_each_dev+0x11c/0x1a0
           [<ffffffff820d421d>] driver_attach+0x3d/0x50
           [<ffffffff820d378a>] bus_add_driver+0x44a/0x5f0
           [<ffffffff820d666c>] driver_register+0x18c/0x3b0
           [<ffffffff81ebcb76>] __pci_register_driver+0x156/0x200
           [<ffffffffa00c8135>] _mpt3sas_init+0x135/0x1000 [mpt3sas]
           [<ffffffff81000423>] do_one_initcall+0x113/0x2b0
           [<ffffffff813caa5a>] do_init_module+0x1d0/0x4d8
           [<ffffffff81273909>] load_module+0x6729/0x8dc0
           [<ffffffff81276123>] SYSC_init_module+0x183/0x1a0
           [<ffffffff8127625e>] SyS_init_module+0xe/0x10
           [<ffffffff828fe7d7>] entry_SYSCALL_64_fastpath+0x12/0x6a
      
      Fix this by pulling the value at the beginning of the loop.
      Signed-off-by: NCalvin Owens <calvinowens@fb.com>
      Reviewed-by: NJohannes Thumshirn <jthumshirn@suse.de>
      Reviewed-by: NJens Axboe <axboe@fb.com>
      Acked-by: NChaitra Basappa <chaitra.basappa@broadcom.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      5ec8a175
  11. 10 3月, 2016 1 次提交
  12. 24 2月, 2016 11 次提交