mvumi_make_sgl() does not check if mapping dma memory succeed.
The patch adds return error code if the mapping failed and
if scsi_bufflen(scmd) is zero. The latter is just in case
since the only call site of mvumi_make_sgl() check the scsi_bufflen(scmd)
before the call.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Alexey Khoroshilov <[email protected]>
---
drivers/scsi/mvumi.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/drivers/scsi/mvumi.c b/drivers/scsi/mvumi.c
index 247df5e79b71..49f8b20f5d91 100644
--- a/drivers/scsi/mvumi.c
+++ b/drivers/scsi/mvumi.c
@@ -232,11 +232,14 @@ static int mvumi_make_sgl(struct mvumi_hba *mhba, struct scsi_cmnd *scmd,
sgd_inc(mhba, m_sg);
}
} else {
- scmd->SCp.dma_handle = scsi_bufflen(scmd) ?
- pci_map_single(mhba->pdev, scsi_sglist(scmd),
- scsi_bufflen(scmd),
- (int) scmd->sc_data_direction)
- : 0;
+ if (!scsi_bufflen(scmd))
+ return -1;
+ scmd->SCp.dma_handle = pci_map_single(mhba->pdev,
+ scsi_sglist(scmd),
+ scsi_bufflen(scmd),
+ (int) scmd->sc_data_direction);
+ if (pci_dma_mapping_error(mhba->pdev, scmd->SCp.dma_handle))
+ return -1;
busaddr = scmd->SCp.dma_handle;
m_sg->baseaddr_l = cpu_to_le32(lower_32_bits(busaddr));
m_sg->baseaddr_h = cpu_to_le32(upper_32_bits(busaddr));
--
2.7.4
On Sat, Apr 22, 2017 at 02:17:50AM +0300, Alexey Khoroshilov wrote:
> } else {
> - scmd->SCp.dma_handle = scsi_bufflen(scmd) ?
> - pci_map_single(mhba->pdev, scsi_sglist(scmd),
> - scsi_bufflen(scmd),
> - (int) scmd->sc_data_direction)
> - : 0;
> + if (!scsi_bufflen(scmd))
> + return -1;
> + scmd->SCp.dma_handle = pci_map_single(mhba->pdev,
> + scsi_sglist(scmd),
> + scsi_bufflen(scmd),
> + (int) scmd->sc_data_direction);
> + if (pci_dma_mapping_error(mhba->pdev, scmd->SCp.dma_handle))
> + return -1;
This looks completely broken. Why would you DMA map the in-memory
struct scatterlist? It has no meaning for the hardware.
In fact this whole branch (and the equivalent in the unmap path)
are dead - SCSI commands that transfer data always have a SG entry.
So the right fix is to remove the !scsi_sg_count(scmd) map/unmap
path.
As Christoph Hellwig noted, SCSI commands that transfer data
always have a SG entry. The patch removes dead code in
mvumi_make_sgl(), mvumi_complete_cmd() and mvumi_timed_out()
that handle zero scsi_sg_count(scmd) case.
Also the patch adds pci_unmap_sg() on failure path in mvumi_make_sgl().
Signed-off-by: Alexey Khoroshilov <[email protected]>
---
drivers/scsi/mvumi.c | 85 ++++++++++++++++------------------------------------
1 file changed, 26 insertions(+), 59 deletions(-)
diff --git a/drivers/scsi/mvumi.c b/drivers/scsi/mvumi.c
index 247df5e79b71..fe97401ad192 100644
--- a/drivers/scsi/mvumi.c
+++ b/drivers/scsi/mvumi.c
@@ -210,39 +210,27 @@ static int mvumi_make_sgl(struct mvumi_hba *mhba, struct scsi_cmnd *scmd,
unsigned int sgnum = scsi_sg_count(scmd);
dma_addr_t busaddr;
- if (sgnum) {
- sg = scsi_sglist(scmd);
- *sg_count = pci_map_sg(mhba->pdev, sg, sgnum,
- (int) scmd->sc_data_direction);
- if (*sg_count > mhba->max_sge) {
- dev_err(&mhba->pdev->dev, "sg count[0x%x] is bigger "
- "than max sg[0x%x].\n",
- *sg_count, mhba->max_sge);
- return -1;
- }
- for (i = 0; i < *sg_count; i++) {
- busaddr = sg_dma_address(&sg[i]);
- m_sg->baseaddr_l = cpu_to_le32(lower_32_bits(busaddr));
- m_sg->baseaddr_h = cpu_to_le32(upper_32_bits(busaddr));
- m_sg->flags = 0;
- sgd_setsz(mhba, m_sg, cpu_to_le32(sg_dma_len(&sg[i])));
- if ((i + 1) == *sg_count)
- m_sg->flags |= 1U << mhba->eot_flag;
-
- sgd_inc(mhba, m_sg);
- }
- } else {
- scmd->SCp.dma_handle = scsi_bufflen(scmd) ?
- pci_map_single(mhba->pdev, scsi_sglist(scmd),
- scsi_bufflen(scmd),
- (int) scmd->sc_data_direction)
- : 0;
- busaddr = scmd->SCp.dma_handle;
+ sg = scsi_sglist(scmd);
+ *sg_count = pci_map_sg(mhba->pdev, sg, sgnum,
+ (int) scmd->sc_data_direction);
+ if (*sg_count > mhba->max_sge) {
+ dev_err(&mhba->pdev->dev,
+ "sg count[0x%x] is bigger than max sg[0x%x].\n",
+ *sg_count, mhba->max_sge);
+ pci_unmap_sg(mhba->pdev, sg, sgnum,
+ (int) scmd->sc_data_direction);
+ return -1;
+ }
+ for (i = 0; i < *sg_count; i++) {
+ busaddr = sg_dma_address(&sg[i]);
m_sg->baseaddr_l = cpu_to_le32(lower_32_bits(busaddr));
m_sg->baseaddr_h = cpu_to_le32(upper_32_bits(busaddr));
- m_sg->flags = 1U << mhba->eot_flag;
- sgd_setsz(mhba, m_sg, cpu_to_le32(scsi_bufflen(scmd)));
- *sg_count = 1;
+ m_sg->flags = 0;
+ sgd_setsz(mhba, m_sg, cpu_to_le32(sg_dma_len(&sg[i])));
+ if ((i + 1) == *sg_count)
+ m_sg->flags |= 1U << mhba->eot_flag;
+
+ sgd_inc(mhba, m_sg);
}
return 0;
@@ -1350,21 +1338,10 @@ static void mvumi_complete_cmd(struct mvumi_hba *mhba, struct mvumi_cmd *cmd,
break;
}
- if (scsi_bufflen(scmd)) {
- if (scsi_sg_count(scmd)) {
- pci_unmap_sg(mhba->pdev,
- scsi_sglist(scmd),
- scsi_sg_count(scmd),
- (int) scmd->sc_data_direction);
- } else {
- pci_unmap_single(mhba->pdev,
- scmd->SCp.dma_handle,
- scsi_bufflen(scmd),
- (int) scmd->sc_data_direction);
-
- scmd->SCp.dma_handle = 0;
- }
- }
+ if (scsi_bufflen(scmd))
+ pci_unmap_sg(mhba->pdev, scsi_sglist(scmd),
+ scsi_sg_count(scmd),
+ (int) scmd->sc_data_direction);
cmd->scmd->scsi_done(scmd);
mvumi_return_cmd(mhba, cmd);
}
@@ -2171,19 +2148,9 @@ static enum blk_eh_timer_return mvumi_timed_out(struct scsi_cmnd *scmd)
scmd->result = (DRIVER_INVALID << 24) | (DID_ABORT << 16);
scmd->SCp.ptr = NULL;
if (scsi_bufflen(scmd)) {
- if (scsi_sg_count(scmd)) {
- pci_unmap_sg(mhba->pdev,
- scsi_sglist(scmd),
- scsi_sg_count(scmd),
- (int)scmd->sc_data_direction);
- } else {
- pci_unmap_single(mhba->pdev,
- scmd->SCp.dma_handle,
- scsi_bufflen(scmd),
- (int)scmd->sc_data_direction);
-
- scmd->SCp.dma_handle = 0;
- }
+ pci_unmap_sg(mhba->pdev, scsi_sglist(scmd),
+ scsi_sg_count(scmd),
+ (int)scmd->sc_data_direction);
}
mvumi_return_cmd(mhba, cmd);
spin_unlock_irqrestore(mhba->shost->host_lock, flags);
--
2.7.4
Looks fine,
Reviewed-by: Christoph Hellwig <[email protected]>
Note that there is plenty opportunity for cleanup even in the moved
code section, but let's get this issue sorted out only for now.
Alexey,
> As Christoph Hellwig noted, SCSI commands that transfer data
> always have a SG entry. The patch removes dead code in
> mvumi_make_sgl(), mvumi_complete_cmd() and mvumi_timed_out()
> that handle zero scsi_sg_count(scmd) case.
>
> Also the patch adds pci_unmap_sg() on failure path in mvumi_make_sgl().
Applied to 4.12/scsi-queue, thanks!
--
Martin K. Petersen Oracle Linux Engineering