From patchwork Mon Jun 22 22:33:50 2015
X-Patchwork-Submitter: Brian King
X-Patchwork-Id: 6657641
Message-Id: <201506222233.t5MMXpZR011546@d03av04.boulder.ibm.com>
Subject: [PATCH 1/1] ipr: Fix incorrect trace indexing
To: James.Bottomley@HansenPartnership.com
Cc: linux-scsi@vger.kernel.org, wenxiong@linux.vnet.ibm.com, krisman@linux.vnet.ibm.com, brking@linux.vnet.ibm.com, stable@vger.kernel.org
From: Brian King
Date: Mon, 22 Jun 2015 17:33:50 -0500

James,

One more ipr patch to go on top of my previous series I sent. This one fixes a pretty nasty bug that can cause us to go writing in memory that is not ours.

8<

When ipr's internal driver trace was changed to an atomic, a signed/unsigned bug slipped in which results in us indexing backwards in our memory buffer, writing on memory that does not belong to us. This patch fixes this by removing the modulo and instead just masking off the low bits.

Cc:
Signed-off-by: Brian King
Reviewed-by: Wen Xiong
Reviewed-by: Gabriel Krisman Bertazi

--- drivers/scsi/ipr.c | 5 +++-- drivers/scsi/ipr.h | 1 + 2 files changed, 4 insertions(+), 2 deletions(-) diff -puN drivers/scsi/ipr.h~ipr_trace_index_fix drivers/scsi/ipr.h --- linux/drivers/scsi/ipr.h~ipr_trace_index_fix 2015-06-22 16:52:15.649018937 -0500 +++ linux-bjking1/drivers/scsi/ipr.h 2015-06-22 16:52:31.895895037 -0500 @@ -1487,6 +1487,7 @@ struct ipr_ioa_cfg { #define IPR_NUM_TRACE_INDEX_BITS 8 #define IPR_NUM_TRACE_ENTRIES (1 << IPR_NUM_TRACE_INDEX_BITS) +#define IPR_TRACE_INDEX_MASK (IPR_NUM_TRACE_ENTRIES - 1) #define IPR_TRACE_SIZE (sizeof(struct ipr_trace_entry) * IPR_NUM_TRACE_ENTRIES) char trace_start[8]; #define IPR_TRACE_START_LABEL "trace" diff -puN drivers/scsi/ipr.c~ipr_trace_index_fix drivers/scsi/ipr.c --- linux/drivers/scsi/ipr.c~ipr_trace_index_fix 2015-06-22 16:52:17.800002537 -0500 +++ linux-bjking1/drivers/scsi/ipr.c 2015-06-22 16:53:17.327548285 -0500
@@ -599,9 +599,10 @@ static void ipr_trc_hook(struct ipr_cmnd { struct ipr_trace_entry *trace_entry; struct ipr_ioa_cfg *ioa_cfg = ipr_cmd->ioa_cfg; + unsigned int trace_index; - trace_entry = &ioa_cfg->trace[atomic_add_return - (1, &ioa_cfg->trace_index)%IPR_NUM_TRACE_ENTRIES]; + trace_index = atomic_add_return(1, &ioa_cfg->trace_index) & IPR_TRACE_INDEX_MASK; + trace_entry = &ioa_cfg->trace[trace_index]; trace_entry->time = jiffies; trace_entry->op_code = ipr_cmd->ioarcb.cmd_pkt.cdb[0]; trace_entry->type = type;
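
Review bot: in the drivers/scsi/ipr.h hunk, IPR_TRACE_INDEX_MASK is only a valid index mask while IPR_NUM_TRACE_ENTRIES is a power of two, and nothing next to the new define says so. That holds today because the count is defined as (1 << IPR_NUM_TRACE_INDEX_BITS), but a later change that sets the entry count directly would make the mask skip or alias slots without any build error. Suggest a short comment beside the define stating the dependency, or a BUILD_BUG_ON_NOT_POWER_OF_2(IPR_NUM_TRACE_ENTRIES) next to the use in ipr_trc_hook.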
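
Review bot: in the drivers/scsi/ipr.c hunk, the new trace_index assignment in ipr_trc_hook has no comment explaining why it masks with IPR_TRACE_INDEX_MASK rather than using the %IPR_NUM_TRACE_ENTRIES it replaces. atomic_add_return() returns a signed int, so once the counter goes negative the old modulo yields a negative array index, while the AND with a positive mask always lands in 0..IPR_NUM_TRACE_ENTRIES-1. A one-line comment above the assignment would keep a later cleanup from reintroducing the modulo. Since the patch is Cc'd to stable, the changelog should also name the commit that made trace_index an atomic, so backporters can tell which kernels need the fix.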