summaryrefslogtreecommitdiff
path: root/drivers/scsi
diff options
context:
space:
mode:
authorSuganath Prabu S <suganath-prabu.subramani@broadcom.com>2020-05-28 10:56:17 -0400
committerMartin K. Petersen <martin.petersen@oracle.com>2020-06-02 21:39:31 -0400
commit61e6ba03ea26f0205e535862009ff6ffdbf4de0c (patch)
tree9ed277da9d9d794656316074b926d3d482585c5f /drivers/scsi
parent0267ffce562c8bbf9b57ebe0e38445ad04972890 (diff)
downloadlwn-61e6ba03ea26f0205e535862009ff6ffdbf4de0c.tar.gz
lwn-61e6ba03ea26f0205e535862009ff6ffdbf4de0c.zip
scsi: mpt3sas: Fix memset() in non-RDPQ mode
Fix memset() accessing out of range address when reply_queue count is less than RDPQ_MAX_INDEX_IN_ONE_CHUNK (i.e. 16) in non-RDPQ mode. In non-RDPQ mode, the driver allocates a single contiguous pool of size reply_queue's count * reqly_post_free_sz. But the driver is always memsetting this pool with size 16 * reqly_post_free_sz. If reply queue count is less than 16 (i.e. when MSI-X vectors enabled < 16), the driver is accessing out of range address and this results in 'BUG: unable to handle kernel paging request at fff0x...x' bug. Make driver use dma_pool_zalloc() API to allocate and zero the pool. Link: https://lore.kernel.org/r/20200528145617.27252-1-suganath-prabu.subramani@broadcom.com Fixes: 8012209eb26b ("scsi: mpt3sas: Handle RDPQ DMA allocation in same 4G region") Signed-off-by: Suganath Prabu S <suganath-prabu.subramani@broadcom.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Diffstat (limited to 'drivers/scsi')
-rw-r--r--drivers/scsi/mpt3sas/mpt3sas_base.c5
1 files changed, 1 insertions, 4 deletions
diff --git a/drivers/scsi/mpt3sas/mpt3sas_base.c b/drivers/scsi/mpt3sas/mpt3sas_base.c
index beaea1933f5c..96b78fdc6b8a 100644
--- a/drivers/scsi/mpt3sas/mpt3sas_base.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_base.c
@@ -4984,7 +4984,7 @@ base_alloc_rdpq_dma_pool(struct MPT3SAS_ADAPTER *ioc, int sz)
for (i = 0; i < count; i++) {
if ((i % RDPQ_MAX_INDEX_IN_ONE_CHUNK == 0) && dma_alloc_count) {
ioc->reply_post[i].reply_post_free =
- dma_pool_alloc(ioc->reply_post_free_dma_pool,
+ dma_pool_zalloc(ioc->reply_post_free_dma_pool,
GFP_KERNEL,
&ioc->reply_post[i].reply_post_free_dma);
if (!ioc->reply_post[i].reply_post_free)
@@ -5008,9 +5008,6 @@ base_alloc_rdpq_dma_pool(struct MPT3SAS_ADAPTER *ioc, int sz)
ioc->reply_post[i].reply_post_free_dma));
return -EAGAIN;
}
- memset(ioc->reply_post[i].reply_post_free, 0,
- RDPQ_MAX_INDEX_IN_ONE_CHUNK *
- reply_post_free_sz);
dma_alloc_count--;
} else {