From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Lukasz Dorau <lukasz.dorau@intel.com>,
Maciej Patelczyk <maciej.patelczyk@intel.com>,
Dan Williams <dan.j.williams@intel.com>,
James Bottomley <JBottomley@Parallels.com>
Subject: [PATCH 3.10 68/85] SCSI: isci: correct erroneous for_each_isci_host macro
Date: Thu, 20 Mar 2014 17:10:11 -0700 [thread overview]
Message-ID: <20140321000608.393574246@linuxfoundation.org> (raw)
In-Reply-To: <20140321000558.606667505@linuxfoundation.org>
3.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lukasz Dorau <lukasz.dorau@intel.com>
commit c59053a23d586675c25d789a7494adfdc02fba57 upstream.
In the first place, the loop 'for' in the macro 'for_each_isci_host'
(drivers/scsi/isci/host.h:314) is incorrect, because it accesses
the 3rd element of 2 element array. After the 2nd iteration it executes
the instruction:
ihost = to_pci_info(pdev)->hosts[2]
(while the size of the 'hosts' array equals 2) and reads an
out of range element.
In the second place, this loop is incorrectly optimized by GCC v4.8
(see http://marc.info/?l=linux-kernel&m=138998871911336&w=2).
As a result, on platforms with two SCU controllers,
the loop is executed more times than it can be (for i=0,1 and 2).
It causes kernel panic during entering the S3 state
and the following oops after 'rmmod isci':
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [<ffffffff8131360b>] __list_add+0x1b/0xc0
Oops: 0000 [#1] SMP
RIP: 0010:[<ffffffff8131360b>] [<ffffffff8131360b>] __list_add+0x1b/0xc0
Call Trace:
[<ffffffff81661b84>] __mutex_lock_slowpath+0x114/0x1b0
[<ffffffff81661c3f>] mutex_lock+0x1f/0x30
[<ffffffffa03e97cb>] sas_disable_events+0x1b/0x50 [libsas]
[<ffffffffa03e9818>] sas_unregister_ha+0x18/0x60 [libsas]
[<ffffffffa040316e>] isci_unregister+0x1e/0x40 [isci]
[<ffffffffa0403efd>] isci_pci_remove+0x5d/0x100 [isci]
[<ffffffff813391cb>] pci_device_remove+0x3b/0xb0
[<ffffffff813fbf7f>] __device_release_driver+0x7f/0xf0
[<ffffffff813fc8f8>] driver_detach+0xa8/0xb0
[<ffffffff813fbb8b>] bus_remove_driver+0x9b/0x120
[<ffffffff813fcf2c>] driver_unregister+0x2c/0x50
[<ffffffff813381f3>] pci_unregister_driver+0x23/0x80
[<ffffffffa04152f8>] isci_exit+0x10/0x1e [isci]
[<ffffffff810d199b>] SyS_delete_module+0x16b/0x2d0
[<ffffffff81012a21>] ? do_notify_resume+0x61/0xa0
[<ffffffff8166ce29>] system_call_fastpath+0x16/0x1b
The loop has been corrected.
This patch fixes kernel panic during entering the S3 state
and the above oops.
Signed-off-by: Lukasz Dorau <lukasz.dorau@intel.com>
Reviewed-by: Maciej Patelczyk <maciej.patelczyk@intel.com>
Tested-by: Lukasz Dorau <lukasz.dorau@intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/isci/host.h | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/scsi/isci/host.h
+++ b/drivers/scsi/isci/host.h
@@ -311,9 +311,8 @@ static inline struct Scsi_Host *to_shost
}
#define for_each_isci_host(id, ihost, pdev) \
- for (id = 0, ihost = to_pci_info(pdev)->hosts[id]; \
- id < ARRAY_SIZE(to_pci_info(pdev)->hosts) && ihost; \
- ihost = to_pci_info(pdev)->hosts[++id])
+ for (id = 0; id < SCI_MAX_CONTROLLERS && \
+ (ihost = to_pci_info(pdev)->hosts[id]); id++)
static inline void wait_for_start(struct isci_host *ihost)
{
next prev parent reply other threads:[~2014-03-21 0:10 UTC|newest]
Thread overview: 90+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-03-21 0:09 [PATCH 3.10 00/85] 3.10.34-stable review Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 01/85] ocfs2: fix quota file corruption Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 02/85] ocfs2 syncs the wrong range Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 03/85] sched: Fix double normalization of vruntime Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 04/85] rapidio/tsi721: fix tasklet termination in dma channel release Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 05/85] net-tcp: fastopen: fix high order allocations Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 06/85] neigh: recompute reachabletime before returning from neigh_periodic_work() Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 07/85] virtio-net: alloc big buffers also when guest can receive UFO Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 08/85] ipv6: reuse ip6_frag_id from ip6_ufo_append_data Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 09/85] sfc: check for NULL efx->ptp_data in efx_ptp_event Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 10/85] ipv6: ipv6_find_hdr restore prev functionality Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 11/85] tg3: Dont check undefined error bits in RXBD Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 12/85] net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is AUTH capable Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 13/85] mac80211: send control port protocol frames to the VO queue Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 14/85] mac80211: fix AP powersave TX vs. wakeup race Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 15/85] mac80211: dont validate unchanged AP bandwidth while tracking Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 16/85] mac80211: fix association to 20/40 MHz VHT networks Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 17/85] mac80211: clear sequence/fragment number in QoS-null frames Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 18/85] ath9k: Fix ETSI compliance for AR9462 2.0 Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 19/85] iwlwifi: dvm: clear IWL_STA_UCODE_INPROGRESS when assoc fails Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 20/85] iwlwifi: fix TX status for aggregated packets Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 21/85] iwlwifi: disable TX AMPDU by default for iwldvm Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 22/85] mwifiex: clean pcie ring only when device is present Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 23/85] mwifiex: add NULL check for PCIe Rx skb Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 24/85] mwifiex: fix cmd and Tx data timeout issue for PCIe cards Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 25/85] mwifiex: do not advertise usb autosuspend support Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 26/85] mwifiex: copy APs HT capability info correctly Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 27/85] mwifiex: save and copy APs VHT " Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 28/85] ARM: 7811/1: locks: use early clobber in arch_spin_trylock Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 30/85] ALSA: oxygen: Xonar DG(X): capture from I2S channel 1, not 2 Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 31/85] ALSA: usb-audio: Add quirk for Logitech Webcam C500 Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 32/85] ALSA: hda - Added inverted digital-mic handling for Acer TravelMate 8371 Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 33/85] ALSA: hda - Add missing loopback merge path for AD1884/1984 codecs Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 34/85] powerpc: Align p_dyn, p_rela and p_st symbols Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 35/85] ARM: 7991/1: sa1100: fix compile problem on Collie Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 36/85] regulator: core: Replace direct ops->enable usage Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 37/85] x86: Ignore NMIs that come in during early boot Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 38/85] x86: fix compile error due to X86_TRAP_NMI use in asm files Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 39/85] x86/amd/numa: Fix northbridge quirk to assign correct NUMA node Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 40/85] usb: Add device quirk for Logitech HD Pro Webcams C920 and C930e Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 41/85] usb: Make DELAY_INIT quirk wait 100ms between Get Configuration requests Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 42/85] genirq: Remove racy waitqueue_active check Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 43/85] cpuset: fix a race condition in __cpuset_node_allowed_softwall() Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 44/85] ACPI / resources: ignore invalid ACPI device resources Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 45/85] tracing: Do not add event files for modules that fail tracepoints Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 46/85] firewire: net: fix use after free Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 47/85] firewire: dont use PREPARE_DELAYED_WORK Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 48/85] libata: add ATA_HORKAGE_BROKEN_FPDMA_AA quirk for Seagate Momentus SpinPoint M8 (2BA30001) Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 49/85] spi: spi-ath79: fix initial GPIO CS line setup Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 50/85] NFS: Fix a delegation callback race Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 51/85] NFSv4: nfs4_stateid_is_current should return true for an invalid stateid Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 52/85] ACPI / sleep: Add extra checks for HW Reduced ACPI mode sleep states Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 53/85] iscsi-target: Fix iscsit_get_tpg_from_np tpg_state bug Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 54/85] fs/proc/base.c: fix GPF in /proc/$PID/map_files Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 55/85] drm/radeon/atom: select the proper number of lanes in transmitter setup Greg Kroah-Hartman
2014-03-21 0:09 ` [PATCH 3.10 56/85] ASoC: pcm: free path list before exiting from error conditions Greg Kroah-Hartman
2014-03-22 18:55 ` Mark Brown
2014-03-24 4:34 ` Greg Kroah-Hartman
2014-03-21 0:10 ` [PATCH 3.10 57/85] ipc: Fix 2 bugs in msgrcv() MSG_COPY implementation Greg Kroah-Hartman
2014-03-21 0:10 ` [PATCH 3.10 59/85] PCI: Enable INTx in pci_reenable_device() only when MSI/MSI-X not enabled Greg Kroah-Hartman
2014-03-21 0:10 ` [PATCH 3.10 60/85] vmxnet3: fix netpoll race condition Greg Kroah-Hartman
2014-03-21 0:10 ` [PATCH 3.10 61/85] vmxnet3: fix building without CONFIG_PCI_MSI Greg Kroah-Hartman
2014-03-21 0:10 ` [PATCH 3.10 62/85] mm/compaction: break out of loop on !PageBuddy in isolate_freepages_block Greg Kroah-Hartman
2014-03-21 0:10 ` [PATCH 3.10 63/85] dm cache: fix truncation bug when copying a block to/from >2TB fast device Greg Kroah-Hartman
2014-03-21 0:10 ` [PATCH 3.10 64/85] dm cache: fix access beyond end of origin device Greg Kroah-Hartman
2014-03-21 0:10 ` [PATCH 3.10 65/85] net: unix socket code abuses csum_partial Greg Kroah-Hartman
2014-03-21 0:10 ` [PATCH 3.10 66/85] can: flexcan: flexcan_open(): fix error path if flexcan_chip_start() fails Greg Kroah-Hartman
2014-03-21 0:10 ` [PATCH 3.10 67/85] SCSI: isci: fix reset timeout handling Greg Kroah-Hartman
2014-03-21 0:10 ` Greg Kroah-Hartman [this message]
2014-03-21 0:10 ` [PATCH 3.10 69/85] SCSI: qla2xxx: Poll during initialization for ISP25xx and ISP83xx Greg Kroah-Hartman
2014-03-21 0:10 ` [PATCH 3.10 70/85] SCSI: storvsc: NULL pointer dereference fix Greg Kroah-Hartman
2014-03-21 0:10 ` [PATCH 3.10 71/85] x86, fpu: Check tsk_used_math() in kernel_fpu_end() for eager FPU Greg Kroah-Hartman
2014-03-21 0:10 ` [PATCH 3.10 72/85] Btrfs: fix data corruption when reading/updating compressed extents Greg Kroah-Hartman
2014-03-21 0:10 ` [PATCH 3.10 73/85] ALSA: oxygen: modify adjust_dg_dac_routing function Greg Kroah-Hartman
2014-03-21 0:10 ` [PATCH 3.10 74/85] jiffies: Avoid undefined behavior from signed overflow Greg Kroah-Hartman
2014-03-21 0:10 ` [PATCH 3.10 75/85] s390/dasd: hold request queue sysfs lock when calling elevator_init() Greg Kroah-Hartman
2014-03-21 0:10 ` [PATCH 3.10 76/85] Fix mountpoint reference leakage in linkat Greg Kroah-Hartman
2014-03-21 0:11 ` Oleg Drokin
2014-03-21 0:38 ` Greg Kroah-Hartman
2014-03-21 0:10 ` [PATCH 3.10 78/85] bio-integrity: Fix bio_integrity_verify segment start bug Greg Kroah-Hartman
2014-03-21 0:10 ` [PATCH 3.10 79/85] tick: Make oneshot broadcast robust vs. CPU offlining Greg Kroah-Hartman
2014-03-21 0:10 ` [PATCH 3.10 80/85] iwlwifi: mvm: dont WARN when statistics are handled late Greg Kroah-Hartman
2014-03-21 0:10 ` [PATCH 3.10 81/85] ARM: 7864/1: Handle 64-bit memory in case of 32-bit phys_addr_t Greg Kroah-Hartman
2014-03-21 0:10 ` [PATCH 3.10 82/85] ARM: ignore memory below PHYS_OFFSET Greg Kroah-Hartman
2014-03-21 0:10 ` [PATCH 3.10 83/85] iscsi/iser-target: Use list_del_init for ->i_conn_node Greg Kroah-Hartman
2014-03-21 0:10 ` [PATCH 3.10 84/85] iscsi/iser-target: Fix isert_conn->state hung shutdown issues Greg Kroah-Hartman
2014-03-21 0:10 ` [PATCH 3.10 85/85] iser-target: Fix post_send_buf_count for RDMA READ/WRITE Greg Kroah-Hartman
2014-03-21 5:28 ` [PATCH 3.10 00/85] 3.10.34-stable review Guenter Roeck
2014-03-22 21:56 ` Shuah Khan
2014-03-24 4:35 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140321000608.393574246@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=JBottomley@Parallels.com \
--cc=dan.j.williams@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=lukasz.dorau@intel.com \
--cc=maciej.patelczyk@intel.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).