* re: mtip32xx: add a status field to struct mtip_cmd
@ 2017-04-21 14:06 Colin Ian King
2017-04-21 14:14 ` Jens Axboe
0 siblings, 1 reply; 6+ messages in thread
From: Colin Ian King @ 2017-04-21 14:06 UTC (permalink / raw)
To: Christoph Hellwig, Johannes Thumshirn, Jens Axboe
Cc: linux-kernel@vger.kernel.org
Hi,
CoverityScan found an issue with the following part of the patch:
- if (likely(!reserv))
- blk_mq_complete_request(rq, -ENODEV);
- else if (test_bit(MTIP_PF_IC_ACTIVE_BIT, &dd->port->flags)) {
+ if (likely(!reserv)) {
+ cmd->status = -ENODEV;
+ blk_mq_complete_request(rq, 0);
+ } else if (test_bit(MTIP_PF_IC_ACTIVE_BIT, &dd->port->flags)) {
The issue is:
static void mtip_no_dev_cleanup(struct request *rq, void *data, bool reserv)
{
struct driver_data *dd = (struct driver_data *)data;
struct mtip_cmd *cmd;
if (likely(!reserv)) {
cmd->status = -ENODEV;
CID 1430258 (#1 of 1): Uninitialized pointer write (UNINIT)4.
uninit_use: Using uninitialized value cmd.
..basically a null ptr dereference on cmd.
Colin
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: mtip32xx: add a status field to struct mtip_cmd 2017-04-21 14:06 mtip32xx: add a status field to struct mtip_cmd Colin Ian King @ 2017-04-21 14:14 ` Jens Axboe 2017-04-21 14:37 ` Christoph Hellwig 0 siblings, 1 reply; 6+ messages in thread From: Jens Axboe @ 2017-04-21 14:14 UTC (permalink / raw) To: Colin Ian King, Christoph Hellwig, Johannes Thumshirn Cc: linux-kernel@vger.kernel.org On 04/21/2017 08:06 AM, Colin Ian King wrote: > Hi, > > CoverityScan found an issue with the following part of the patch: > > - if (likely(!reserv)) > - blk_mq_complete_request(rq, -ENODEV); > - else if (test_bit(MTIP_PF_IC_ACTIVE_BIT, &dd->port->flags)) { > + if (likely(!reserv)) { > + cmd->status = -ENODEV; > + blk_mq_complete_request(rq, 0); > + } else if (test_bit(MTIP_PF_IC_ACTIVE_BIT, &dd->port->flags)) { > > From: Jens Axboe <axboe@fb.com> Subject: [PATCH] mtip32xx: fix dereference of stack garbage We need to get the command payload from the request before we attempt to dereference it. Fixes: 4dda4735c581 ("mtip32xx: add a status field to struct mtip_cmd") Signed-off-by: Jens Axboe <axboe@fb.com> diff --git a/drivers/block/mtip32xx/mtip32xx.c b/drivers/block/mtip32xx/mtip32xx.c index 66a6bd83faae..54c8736038de 100644 --- a/drivers/block/mtip32xx/mtip32xx.c +++ b/drivers/block/mtip32xx/mtip32xx.c @@ -4108,6 +4108,7 @@ static void mtip_no_dev_cleanup(struct request *rq, void *data, bool reserv) struct mtip_cmd *cmd; if (likely(!reserv)) { + cmd = blk_mq_rq_to_pdu(rq); cmd->status = -ENODEV; blk_mq_complete_request(rq); } else if (test_bit(MTIP_PF_IC_ACTIVE_BIT, &dd->port->flags)) { -- Jens Axboe ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: mtip32xx: add a status field to struct mtip_cmd 2017-04-21 14:14 ` Jens Axboe @ 2017-04-21 14:37 ` Christoph Hellwig 2017-04-21 14:47 ` Jens Axboe 0 siblings, 1 reply; 6+ messages in thread From: Christoph Hellwig @ 2017-04-21 14:37 UTC (permalink / raw) To: Jens Axboe Cc: Colin Ian King, Christoph Hellwig, Johannes Thumshirn, linux-kernel@vger.kernel.org On Fri, Apr 21, 2017 at 08:14:03AM -0600, Jens Axboe wrote: > From: Jens Axboe <axboe@fb.com> > Subject: [PATCH] mtip32xx: fix dereference of stack garbage > > We need to get the command payload from the request before > we attempt to dereference it. > > Fixes: 4dda4735c581 ("mtip32xx: add a status field to struct mtip_cmd") > Signed-off-by: Jens Axboe <axboe@fb.com> Looks fine: Reviewed-by: Christoph Hellwig <hch@lst.de> ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: mtip32xx: add a status field to struct mtip_cmd 2017-04-21 14:37 ` Christoph Hellwig @ 2017-04-21 14:47 ` Jens Axboe 0 siblings, 0 replies; 6+ messages in thread From: Jens Axboe @ 2017-04-21 14:47 UTC (permalink / raw) To: Christoph Hellwig Cc: Colin Ian King, Johannes Thumshirn, linux-kernel@vger.kernel.org On 04/21/2017 08:37 AM, Christoph Hellwig wrote: > On Fri, Apr 21, 2017 at 08:14:03AM -0600, Jens Axboe wrote: >> From: Jens Axboe <axboe@fb.com> >> Subject: [PATCH] mtip32xx: fix dereference of stack garbage >> >> We need to get the command payload from the request before >> we attempt to dereference it. >> >> Fixes: 4dda4735c581 ("mtip32xx: add a status field to struct mtip_cmd") >> Signed-off-by: Jens Axboe <axboe@fb.com> > > Looks fine: > > Reviewed-by: Christoph Hellwig <hch@lst.de> Pushed, thanks. -- Jens Axboe ^ permalink raw reply [flat|nested] 6+ messages in thread
* kill req->errors V2
@ 2017-04-18 15:52 Christoph Hellwig
2017-04-18 15:52 ` Christoph Hellwig
0 siblings, 1 reply; 6+ messages in thread
From: Christoph Hellwig @ 2017-04-18 15:52 UTC (permalink / raw)
To: Jens Axboe
Cc: Josef Bacik, James Smart, Konrad Rzeszutek Wilk,
Roger Pau Monné, linux-scsi, linux-nvme, linux-block,
dm-devel
Currently the request structure has an errors field that is used in
various different ways. The oldest drivers use it as an error count,
blk-mq and the generic timeout code assume that it holds a Linux
errno for block completions, and various drivers use it for internal
status values, often overwriting them with Linux errnos later,
that is unless they are processing passthrough requests in which
case they'll leave their errors in it.
This series kills the ->errors field and replaced it with new fields
in the drivers (or an odd hack in a union in struct request for
two bitrotting old drivers).
Also available in the following git tree:
git://git.infradead.org/users/hch/block.git request-errors
Gitweb:
http://git.infradead.org/users/hch/block.git/shortlog/refs/heads/request-errors
Changes since V1:
- rebased on top the latest block for-next tree
- fix error handling in nfsd blocklayout
- dropped "scsi: fix fast-fail for non-passthrough requests"
^ permalink raw reply [flat|nested] 6+ messages in thread* mtip32xx: add a status field to struct mtip_cmd 2017-04-18 15:52 kill req->errors V2 Christoph Hellwig @ 2017-04-18 15:52 ` Christoph Hellwig 0 siblings, 0 replies; 6+ messages in thread From: Christoph Hellwig @ 2017-04-18 15:52 UTC (permalink / raw) To: Jens Axboe Cc: Josef Bacik, James Smart, Konrad Rzeszutek Wilk, Roger Pau Monné, linux-scsi, linux-nvme, linux-block, dm-devel, Christoph Hellwig From: Christoph Hellwig <hch@lst.de> Instead of using req->errors, which will go away. Signed-off-by: Christoph Hellwig <hch@lst.de> --- drivers/block/mtip32xx/mtip32xx.c | 16 +++++++++------- drivers/block/mtip32xx/mtip32xx.h | 1 + 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/drivers/block/mtip32xx/mtip32xx.c b/drivers/block/mtip32xx/mtip32xx.c index 05e3e664ea1b..7406de29db58 100644 --- a/drivers/block/mtip32xx/mtip32xx.c +++ b/drivers/block/mtip32xx/mtip32xx.c @@ -241,7 +241,8 @@ static void mtip_async_complete(struct mtip_port *port, rq = mtip_rq_from_tag(dd, tag); - blk_mq_complete_request(rq, status); + cmd->status = status; + blk_mq_complete_request(rq, 0); } /* @@ -2910,18 +2911,19 @@ static void mtip_softirq_done_fn(struct request *rq) if (unlikely(cmd->unaligned)) up(&dd->port->cmd_slot_unal); - blk_mq_end_request(rq, rq->errors); + blk_mq_end_request(rq, cmd->status); } static void mtip_abort_cmd(struct request *req, void *data, bool reserved) { + struct mtip_cmd *cmd = blk_mq_rq_to_pdu(req); struct driver_data *dd = data; dbg_printk(MTIP_DRV_NAME " Aborting request, tag = %d\n", req->tag); clear_bit(req->tag, dd->port->cmds_to_issue); - req->errors = -EIO; + cmd->status = -EIO; mtip_softirq_done_fn(req); } @@ -3816,7 +3818,6 @@ static int mtip_queue_rq(struct blk_mq_hw_ctx *hctx, if (likely(!ret)) return BLK_MQ_RQ_QUEUE_OK; - rq->errors = ret; return BLK_MQ_RQ_QUEUE_ERROR; } @@ -4106,9 +4107,10 @@ static void mtip_no_dev_cleanup(struct request *rq, void *data, bool reserv) struct driver_data *dd = (struct driver_data *)data; struct mtip_cmd *cmd; - if (likely(!reserv)) - blk_mq_complete_request(rq, -ENODEV); - else if (test_bit(MTIP_PF_IC_ACTIVE_BIT, &dd->port->flags)) { + if (likely(!reserv)) { + cmd->status = -ENODEV; + blk_mq_complete_request(rq, 0); + } else if (test_bit(MTIP_PF_IC_ACTIVE_BIT, &dd->port->flags)) { cmd = mtip_cmd_from_tag(dd, MTIP_TAG_INTERNAL); if (cmd->comp_func) diff --git a/drivers/block/mtip32xx/mtip32xx.h b/drivers/block/mtip32xx/mtip32xx.h index 7617888f7944..57b41528a824 100644 --- a/drivers/block/mtip32xx/mtip32xx.h +++ b/drivers/block/mtip32xx/mtip32xx.h @@ -352,6 +352,7 @@ struct mtip_cmd { int retries; /* The number of retries left for this command. */ int direction; /* Data transfer direction */ + int status; }; /* Structure used to describe a port. */ -- 2.11.0 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* mtip32xx: add a status field to struct mtip_cmd @ 2017-04-18 15:52 ` Christoph Hellwig 0 siblings, 0 replies; 6+ messages in thread From: Christoph Hellwig @ 2017-04-18 15:52 UTC (permalink / raw) From: Christoph Hellwig <hch@lst.de> Instead of using req->errors, which will go away. Signed-off-by: Christoph Hellwig <hch at lst.de> --- drivers/block/mtip32xx/mtip32xx.c | 16 +++++++++------- drivers/block/mtip32xx/mtip32xx.h | 1 + 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/drivers/block/mtip32xx/mtip32xx.c b/drivers/block/mtip32xx/mtip32xx.c index 05e3e664ea1b..7406de29db58 100644 --- a/drivers/block/mtip32xx/mtip32xx.c +++ b/drivers/block/mtip32xx/mtip32xx.c @@ -241,7 +241,8 @@ static void mtip_async_complete(struct mtip_port *port, rq = mtip_rq_from_tag(dd, tag); - blk_mq_complete_request(rq, status); + cmd->status = status; + blk_mq_complete_request(rq, 0); } /* @@ -2910,18 +2911,19 @@ static void mtip_softirq_done_fn(struct request *rq) if (unlikely(cmd->unaligned)) up(&dd->port->cmd_slot_unal); - blk_mq_end_request(rq, rq->errors); + blk_mq_end_request(rq, cmd->status); } static void mtip_abort_cmd(struct request *req, void *data, bool reserved) { + struct mtip_cmd *cmd = blk_mq_rq_to_pdu(req); struct driver_data *dd = data; dbg_printk(MTIP_DRV_NAME " Aborting request, tag = %d\n", req->tag); clear_bit(req->tag, dd->port->cmds_to_issue); - req->errors = -EIO; + cmd->status = -EIO; mtip_softirq_done_fn(req); } @@ -3816,7 +3818,6 @@ static int mtip_queue_rq(struct blk_mq_hw_ctx *hctx, if (likely(!ret)) return BLK_MQ_RQ_QUEUE_OK; - rq->errors = ret; return BLK_MQ_RQ_QUEUE_ERROR; } @@ -4106,9 +4107,10 @@ static void mtip_no_dev_cleanup(struct request *rq, void *data, bool reserv) struct driver_data *dd = (struct driver_data *)data; struct mtip_cmd *cmd; - if (likely(!reserv)) - blk_mq_complete_request(rq, -ENODEV); - else if (test_bit(MTIP_PF_IC_ACTIVE_BIT, &dd->port->flags)) { + if (likely(!reserv)) { + cmd->status = -ENODEV; + blk_mq_complete_request(rq, 0); + } else if (test_bit(MTIP_PF_IC_ACTIVE_BIT, &dd->port->flags)) { cmd = mtip_cmd_from_tag(dd, MTIP_TAG_INTERNAL); if (cmd->comp_func) diff --git a/drivers/block/mtip32xx/mtip32xx.h b/drivers/block/mtip32xx/mtip32xx.h index 7617888f7944..57b41528a824 100644 --- a/drivers/block/mtip32xx/mtip32xx.h +++ b/drivers/block/mtip32xx/mtip32xx.h @@ -352,6 +352,7 @@ struct mtip_cmd { int retries; /* The number of retries left for this command. */ int direction; /* Data transfer direction */ + int status; }; /* Structure used to describe a port. */ -- 2.11.0 ^ permalink raw reply related [flat|nested] 6+ messages in thread
end of thread, other threads:[~2017-04-21 19:19 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2017-04-21 14:06 mtip32xx: add a status field to struct mtip_cmd Colin Ian King 2017-04-21 14:14 ` Jens Axboe 2017-04-21 14:37 ` Christoph Hellwig 2017-04-21 14:47 ` Jens Axboe -- strict thread matches above, loose matches on Subject: below -- 2017-04-18 15:52 kill req->errors V2 Christoph Hellwig 2017-04-18 15:52 ` mtip32xx: add a status field to struct mtip_cmd Christoph Hellwig 2017-04-18 15:52 ` Christoph Hellwig
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.