From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Tom Hatskevich <tom2001tom.23@gmail.com>,
Dan Carpenter <dan.carpenter@oracle.com>,
"Martin K. Petersen" <martin.petersen@oracle.com>
Subject: [PATCH 4.9 63/97] scsi: mptfusion: Fix double fetch bug in ioctl
Date: Wed, 22 Jan 2020 10:29:07 +0100 [thread overview]
Message-ID: <20200122092806.519672371@linuxfoundation.org> (raw)
In-Reply-To: <20200122092755.678349497@linuxfoundation.org>
From: Dan Carpenter <dan.carpenter@oracle.com>
commit 28d76df18f0ad5bcf5fa48510b225f0ed262a99b upstream.
Tom Hatskevich reported that we look up "iocp" then, in the called
functions we do a second copy_from_user() and look it up again.
The problem that could cause is:
drivers/message/fusion/mptctl.c
674 /* All of these commands require an interrupt or
675 * are unknown/illegal.
676 */
677 if ((ret = mptctl_syscall_down(iocp, nonblock)) != 0)
^^^^
We take this lock.
678 return ret;
679
680 if (cmd == MPTFWDOWNLOAD)
681 ret = mptctl_fw_download(arg);
^^^
Then the user memory changes and we look up "iocp" again but a different
one so now we are holding the incorrect lock and have a race condition.
682 else if (cmd == MPTCOMMAND)
683 ret = mptctl_mpt_command(arg);
The security impact of this bug is not as bad as it could have been
because these operations are all privileged and root already has
enormous destructive power. But it's still worth fixing.
This patch passes the "iocp" pointer to the functions to avoid the
second lookup. That deletes 100 lines of code from the driver so
it's a nice clean up as well.
Link: https://lore.kernel.org/r/20200114123414.GA7957@kadam
Reported-by: Tom Hatskevich <tom2001tom.23@gmail.com>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/message/fusion/mptctl.c | 213 +++++++++-------------------------------
1 file changed, 50 insertions(+), 163 deletions(-)
--- a/drivers/message/fusion/mptctl.c
+++ b/drivers/message/fusion/mptctl.c
@@ -100,19 +100,19 @@ struct buflist {
* Function prototypes. Called from OS entry point mptctl_ioctl.
* arg contents specific to function.
*/
-static int mptctl_fw_download(unsigned long arg);
-static int mptctl_getiocinfo(unsigned long arg, unsigned int cmd);
-static int mptctl_gettargetinfo(unsigned long arg);
-static int mptctl_readtest(unsigned long arg);
-static int mptctl_mpt_command(unsigned long arg);
-static int mptctl_eventquery(unsigned long arg);
-static int mptctl_eventenable(unsigned long arg);
-static int mptctl_eventreport(unsigned long arg);
-static int mptctl_replace_fw(unsigned long arg);
-
-static int mptctl_do_reset(unsigned long arg);
-static int mptctl_hp_hostinfo(unsigned long arg, unsigned int cmd);
-static int mptctl_hp_targetinfo(unsigned long arg);
+static int mptctl_fw_download(MPT_ADAPTER *iocp, unsigned long arg);
+static int mptctl_getiocinfo(MPT_ADAPTER *iocp, unsigned long arg, unsigned int cmd);
+static int mptctl_gettargetinfo(MPT_ADAPTER *iocp, unsigned long arg);
+static int mptctl_readtest(MPT_ADAPTER *iocp, unsigned long arg);
+static int mptctl_mpt_command(MPT_ADAPTER *iocp, unsigned long arg);
+static int mptctl_eventquery(MPT_ADAPTER *iocp, unsigned long arg);
+static int mptctl_eventenable(MPT_ADAPTER *iocp, unsigned long arg);
+static int mptctl_eventreport(MPT_ADAPTER *iocp, unsigned long arg);
+static int mptctl_replace_fw(MPT_ADAPTER *iocp, unsigned long arg);
+
+static int mptctl_do_reset(MPT_ADAPTER *iocp, unsigned long arg);
+static int mptctl_hp_hostinfo(MPT_ADAPTER *iocp, unsigned long arg, unsigned int cmd);
+static int mptctl_hp_targetinfo(MPT_ADAPTER *iocp, unsigned long arg);
static int mptctl_probe(struct pci_dev *, const struct pci_device_id *);
static void mptctl_remove(struct pci_dev *);
@@ -123,8 +123,8 @@ static long compat_mpctl_ioctl(struct fi
/*
* Private function calls.
*/
-static int mptctl_do_mpt_command(struct mpt_ioctl_command karg, void __user *mfPtr);
-static int mptctl_do_fw_download(int ioc, char __user *ufwbuf, size_t fwlen);
+static int mptctl_do_mpt_command(MPT_ADAPTER *iocp, struct mpt_ioctl_command karg, void __user *mfPtr);
+static int mptctl_do_fw_download(MPT_ADAPTER *iocp, char __user *ufwbuf, size_t fwlen);
static MptSge_t *kbuf_alloc_2_sgl(int bytes, u32 dir, int sge_offset, int *frags,
struct buflist **blp, dma_addr_t *sglbuf_dma, MPT_ADAPTER *ioc);
static void kfree_sgl(MptSge_t *sgl, dma_addr_t sgl_dma,
@@ -656,19 +656,19 @@ __mptctl_ioctl(struct file *file, unsign
* by TM and FW reloads.
*/
if ((cmd & ~IOCSIZE_MASK) == (MPTIOCINFO & ~IOCSIZE_MASK)) {
- return mptctl_getiocinfo(arg, _IOC_SIZE(cmd));
+ return mptctl_getiocinfo(iocp, arg, _IOC_SIZE(cmd));
} else if (cmd == MPTTARGETINFO) {
- return mptctl_gettargetinfo(arg);
+ return mptctl_gettargetinfo(iocp, arg);
} else if (cmd == MPTTEST) {
- return mptctl_readtest(arg);
+ return mptctl_readtest(iocp, arg);
} else if (cmd == MPTEVENTQUERY) {
- return mptctl_eventquery(arg);
+ return mptctl_eventquery(iocp, arg);
} else if (cmd == MPTEVENTENABLE) {
- return mptctl_eventenable(arg);
+ return mptctl_eventenable(iocp, arg);
} else if (cmd == MPTEVENTREPORT) {
- return mptctl_eventreport(arg);
+ return mptctl_eventreport(iocp, arg);
} else if (cmd == MPTFWREPLACE) {
- return mptctl_replace_fw(arg);
+ return mptctl_replace_fw(iocp, arg);
}
/* All of these commands require an interrupt or
@@ -678,15 +678,15 @@ __mptctl_ioctl(struct file *file, unsign
return ret;
if (cmd == MPTFWDOWNLOAD)
- ret = mptctl_fw_download(arg);
+ ret = mptctl_fw_download(iocp, arg);
else if (cmd == MPTCOMMAND)
- ret = mptctl_mpt_command(arg);
+ ret = mptctl_mpt_command(iocp, arg);
else if (cmd == MPTHARDRESET)
- ret = mptctl_do_reset(arg);
+ ret = mptctl_do_reset(iocp, arg);
else if ((cmd & ~IOCSIZE_MASK) == (HP_GETHOSTINFO & ~IOCSIZE_MASK))
- ret = mptctl_hp_hostinfo(arg, _IOC_SIZE(cmd));
+ ret = mptctl_hp_hostinfo(iocp, arg, _IOC_SIZE(cmd));
else if (cmd == HP_GETTARGETINFO)
- ret = mptctl_hp_targetinfo(arg);
+ ret = mptctl_hp_targetinfo(iocp, arg);
else
ret = -EINVAL;
@@ -705,11 +705,10 @@ mptctl_ioctl(struct file *file, unsigned
return ret;
}
-static int mptctl_do_reset(unsigned long arg)
+static int mptctl_do_reset(MPT_ADAPTER *iocp, unsigned long arg)
{
struct mpt_ioctl_diag_reset __user *urinfo = (void __user *) arg;
struct mpt_ioctl_diag_reset krinfo;
- MPT_ADAPTER *iocp;
if (copy_from_user(&krinfo, urinfo, sizeof(struct mpt_ioctl_diag_reset))) {
printk(KERN_ERR MYNAM "%s@%d::mptctl_do_reset - "
@@ -718,12 +717,6 @@ static int mptctl_do_reset(unsigned long
return -EFAULT;
}
- if (mpt_verify_adapter(krinfo.hdr.iocnum, &iocp) < 0) {
- printk(KERN_DEBUG MYNAM "%s@%d::mptctl_do_reset - ioc%d not found!\n",
- __FILE__, __LINE__, krinfo.hdr.iocnum);
- return -ENODEV; /* (-6) No such device or address */
- }
-
dctlprintk(iocp, printk(MYIOC_s_DEBUG_FMT "mptctl_do_reset called.\n",
iocp->name));
@@ -754,7 +747,7 @@ static int mptctl_do_reset(unsigned long
* -ENOMSG if FW upload returned bad status
*/
static int
-mptctl_fw_download(unsigned long arg)
+mptctl_fw_download(MPT_ADAPTER *iocp, unsigned long arg)
{
struct mpt_fw_xfer __user *ufwdl = (void __user *) arg;
struct mpt_fw_xfer kfwdl;
@@ -766,7 +759,7 @@ mptctl_fw_download(unsigned long arg)
return -EFAULT;
}
- return mptctl_do_fw_download(kfwdl.iocnum, kfwdl.bufp, kfwdl.fwlen);
+ return mptctl_do_fw_download(iocp, kfwdl.bufp, kfwdl.fwlen);
}
/*=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=*/
@@ -784,11 +777,10 @@ mptctl_fw_download(unsigned long arg)
* -ENOMSG if FW upload returned bad status
*/
static int
-mptctl_do_fw_download(int ioc, char __user *ufwbuf, size_t fwlen)
+mptctl_do_fw_download(MPT_ADAPTER *iocp, char __user *ufwbuf, size_t fwlen)
{
FWDownload_t *dlmsg;
MPT_FRAME_HDR *mf;
- MPT_ADAPTER *iocp;
FWDownloadTCSGE_t *ptsge;
MptSge_t *sgl, *sgIn;
char *sgOut;
@@ -808,17 +800,10 @@ mptctl_do_fw_download(int ioc, char __us
pFWDownloadReply_t ReplyMsg = NULL;
unsigned long timeleft;
- if (mpt_verify_adapter(ioc, &iocp) < 0) {
- printk(KERN_DEBUG MYNAM "ioctl_fwdl - ioc%d not found!\n",
- ioc);
- return -ENODEV; /* (-6) No such device or address */
- } else {
-
- /* Valid device. Get a message frame and construct the FW download message.
- */
- if ((mf = mpt_get_msg_frame(mptctl_id, iocp)) == NULL)
- return -EAGAIN;
- }
+ /* Valid device. Get a message frame and construct the FW download message.
+ */
+ if ((mf = mpt_get_msg_frame(mptctl_id, iocp)) == NULL)
+ return -EAGAIN;
dctlprintk(iocp, printk(MYIOC_s_DEBUG_FMT
"mptctl_do_fwdl called. mptctl_id = %xh.\n", iocp->name, mptctl_id));
@@ -826,8 +811,6 @@ mptctl_do_fw_download(int ioc, char __us
iocp->name, ufwbuf));
dctlprintk(iocp, printk(MYIOC_s_DEBUG_FMT "DbG: kfwdl.fwlen = %d\n",
iocp->name, (int)fwlen));
- dctlprintk(iocp, printk(MYIOC_s_DEBUG_FMT "DbG: kfwdl.ioc = %04xh\n",
- iocp->name, ioc));
dlmsg = (FWDownload_t*) mf;
ptsge = (FWDownloadTCSGE_t *) &dlmsg->SGL;
@@ -1238,13 +1221,11 @@ kfree_sgl(MptSge_t *sgl, dma_addr_t sgl_
* -ENODEV if no such device/adapter
*/
static int
-mptctl_getiocinfo (unsigned long arg, unsigned int data_size)
+mptctl_getiocinfo (MPT_ADAPTER *ioc, unsigned long arg, unsigned int data_size)
{
struct mpt_ioctl_iocinfo __user *uarg = (void __user *) arg;
struct mpt_ioctl_iocinfo *karg;
- MPT_ADAPTER *ioc;
struct pci_dev *pdev;
- int iocnum;
unsigned int port;
int cim_rev;
struct scsi_device *sdev;
@@ -1272,14 +1253,6 @@ mptctl_getiocinfo (unsigned long arg, un
return PTR_ERR(karg);
}
- if (((iocnum = mpt_verify_adapter(karg->hdr.iocnum, &ioc)) < 0) ||
- (ioc == NULL)) {
- printk(KERN_DEBUG MYNAM "%s::mptctl_getiocinfo() @%d - ioc%d not found!\n",
- __FILE__, __LINE__, iocnum);
- kfree(karg);
- return -ENODEV;
- }
-
/* Verify the data transfer size is correct. */
if (karg->hdr.maxDataSize != data_size) {
printk(MYIOC_s_ERR_FMT "%s@%d::mptctl_getiocinfo - "
@@ -1385,15 +1358,13 @@ mptctl_getiocinfo (unsigned long arg, un
* -ENODEV if no such device/adapter
*/
static int
-mptctl_gettargetinfo (unsigned long arg)
+mptctl_gettargetinfo (MPT_ADAPTER *ioc, unsigned long arg)
{
struct mpt_ioctl_targetinfo __user *uarg = (void __user *) arg;
struct mpt_ioctl_targetinfo karg;
- MPT_ADAPTER *ioc;
VirtDevice *vdevice;
char *pmem;
int *pdata;
- int iocnum;
int numDevices = 0;
int lun;
int maxWordsLeft;
@@ -1408,13 +1379,6 @@ mptctl_gettargetinfo (unsigned long arg)
return -EFAULT;
}
- if (((iocnum = mpt_verify_adapter(karg.hdr.iocnum, &ioc)) < 0) ||
- (ioc == NULL)) {
- printk(KERN_DEBUG MYNAM "%s::mptctl_gettargetinfo() @%d - ioc%d not found!\n",
- __FILE__, __LINE__, iocnum);
- return -ENODEV;
- }
-
dctlprintk(ioc, printk(MYIOC_s_DEBUG_FMT "mptctl_gettargetinfo called.\n",
ioc->name));
/* Get the port number and set the maximum number of bytes
@@ -1510,12 +1474,10 @@ mptctl_gettargetinfo (unsigned long arg)
* -ENODEV if no such device/adapter
*/
static int
-mptctl_readtest (unsigned long arg)
+mptctl_readtest (MPT_ADAPTER *ioc, unsigned long arg)
{
struct mpt_ioctl_test __user *uarg = (void __user *) arg;
struct mpt_ioctl_test karg;
- MPT_ADAPTER *ioc;
- int iocnum;
if (copy_from_user(&karg, uarg, sizeof(struct mpt_ioctl_test))) {
printk(KERN_ERR MYNAM "%s@%d::mptctl_readtest - "
@@ -1524,13 +1486,6 @@ mptctl_readtest (unsigned long arg)
return -EFAULT;
}
- if (((iocnum = mpt_verify_adapter(karg.hdr.iocnum, &ioc)) < 0) ||
- (ioc == NULL)) {
- printk(KERN_DEBUG MYNAM "%s::mptctl_readtest() @%d - ioc%d not found!\n",
- __FILE__, __LINE__, iocnum);
- return -ENODEV;
- }
-
dctlprintk(ioc, printk(MYIOC_s_DEBUG_FMT "mptctl_readtest called.\n",
ioc->name));
/* Fill in the data and return the structure to the calling
@@ -1571,12 +1526,10 @@ mptctl_readtest (unsigned long arg)
* -ENODEV if no such device/adapter
*/
static int
-mptctl_eventquery (unsigned long arg)
+mptctl_eventquery (MPT_ADAPTER *ioc, unsigned long arg)
{
struct mpt_ioctl_eventquery __user *uarg = (void __user *) arg;
struct mpt_ioctl_eventquery karg;
- MPT_ADAPTER *ioc;
- int iocnum;
if (copy_from_user(&karg, uarg, sizeof(struct mpt_ioctl_eventquery))) {
printk(KERN_ERR MYNAM "%s@%d::mptctl_eventquery - "
@@ -1585,13 +1538,6 @@ mptctl_eventquery (unsigned long arg)
return -EFAULT;
}
- if (((iocnum = mpt_verify_adapter(karg.hdr.iocnum, &ioc)) < 0) ||
- (ioc == NULL)) {
- printk(KERN_DEBUG MYNAM "%s::mptctl_eventquery() @%d - ioc%d not found!\n",
- __FILE__, __LINE__, iocnum);
- return -ENODEV;
- }
-
dctlprintk(ioc, printk(MYIOC_s_DEBUG_FMT "mptctl_eventquery called.\n",
ioc->name));
karg.eventEntries = MPTCTL_EVENT_LOG_SIZE;
@@ -1610,12 +1556,10 @@ mptctl_eventquery (unsigned long arg)
/*=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=*/
static int
-mptctl_eventenable (unsigned long arg)
+mptctl_eventenable (MPT_ADAPTER *ioc, unsigned long arg)
{
struct mpt_ioctl_eventenable __user *uarg = (void __user *) arg;
struct mpt_ioctl_eventenable karg;
- MPT_ADAPTER *ioc;
- int iocnum;
if (copy_from_user(&karg, uarg, sizeof(struct mpt_ioctl_eventenable))) {
printk(KERN_ERR MYNAM "%s@%d::mptctl_eventenable - "
@@ -1624,13 +1568,6 @@ mptctl_eventenable (unsigned long arg)
return -EFAULT;
}
- if (((iocnum = mpt_verify_adapter(karg.hdr.iocnum, &ioc)) < 0) ||
- (ioc == NULL)) {
- printk(KERN_DEBUG MYNAM "%s::mptctl_eventenable() @%d - ioc%d not found!\n",
- __FILE__, __LINE__, iocnum);
- return -ENODEV;
- }
-
dctlprintk(ioc, printk(MYIOC_s_DEBUG_FMT "mptctl_eventenable called.\n",
ioc->name));
if (ioc->events == NULL) {
@@ -1658,12 +1595,10 @@ mptctl_eventenable (unsigned long arg)
/*=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=*/
static int
-mptctl_eventreport (unsigned long arg)
+mptctl_eventreport (MPT_ADAPTER *ioc, unsigned long arg)
{
struct mpt_ioctl_eventreport __user *uarg = (void __user *) arg;
struct mpt_ioctl_eventreport karg;
- MPT_ADAPTER *ioc;
- int iocnum;
int numBytes, maxEvents, max;
if (copy_from_user(&karg, uarg, sizeof(struct mpt_ioctl_eventreport))) {
@@ -1673,12 +1608,6 @@ mptctl_eventreport (unsigned long arg)
return -EFAULT;
}
- if (((iocnum = mpt_verify_adapter(karg.hdr.iocnum, &ioc)) < 0) ||
- (ioc == NULL)) {
- printk(KERN_DEBUG MYNAM "%s::mptctl_eventreport() @%d - ioc%d not found!\n",
- __FILE__, __LINE__, iocnum);
- return -ENODEV;
- }
dctlprintk(ioc, printk(MYIOC_s_DEBUG_FMT "mptctl_eventreport called.\n",
ioc->name));
@@ -1712,12 +1641,10 @@ mptctl_eventreport (unsigned long arg)
/*=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=*/
static int
-mptctl_replace_fw (unsigned long arg)
+mptctl_replace_fw (MPT_ADAPTER *ioc, unsigned long arg)
{
struct mpt_ioctl_replace_fw __user *uarg = (void __user *) arg;
struct mpt_ioctl_replace_fw karg;
- MPT_ADAPTER *ioc;
- int iocnum;
int newFwSize;
if (copy_from_user(&karg, uarg, sizeof(struct mpt_ioctl_replace_fw))) {
@@ -1727,13 +1654,6 @@ mptctl_replace_fw (unsigned long arg)
return -EFAULT;
}
- if (((iocnum = mpt_verify_adapter(karg.hdr.iocnum, &ioc)) < 0) ||
- (ioc == NULL)) {
- printk(KERN_DEBUG MYNAM "%s::mptctl_replace_fw() @%d - ioc%d not found!\n",
- __FILE__, __LINE__, iocnum);
- return -ENODEV;
- }
-
dctlprintk(ioc, printk(MYIOC_s_DEBUG_FMT "mptctl_replace_fw called.\n",
ioc->name));
/* If caching FW, Free the old FW image
@@ -1780,12 +1700,10 @@ mptctl_replace_fw (unsigned long arg)
* -ENOMEM if memory allocation error
*/
static int
-mptctl_mpt_command (unsigned long arg)
+mptctl_mpt_command (MPT_ADAPTER *ioc, unsigned long arg)
{
struct mpt_ioctl_command __user *uarg = (void __user *) arg;
struct mpt_ioctl_command karg;
- MPT_ADAPTER *ioc;
- int iocnum;
int rc;
@@ -1796,14 +1714,7 @@ mptctl_mpt_command (unsigned long arg)
return -EFAULT;
}
- if (((iocnum = mpt_verify_adapter(karg.hdr.iocnum, &ioc)) < 0) ||
- (ioc == NULL)) {
- printk(KERN_DEBUG MYNAM "%s::mptctl_mpt_command() @%d - ioc%d not found!\n",
- __FILE__, __LINE__, iocnum);
- return -ENODEV;
- }
-
- rc = mptctl_do_mpt_command (karg, &uarg->MF);
+ rc = mptctl_do_mpt_command (ioc, karg, &uarg->MF);
return rc;
}
@@ -1821,9 +1732,8 @@ mptctl_mpt_command (unsigned long arg)
* -EPERM if SCSI I/O and target is untagged
*/
static int
-mptctl_do_mpt_command (struct mpt_ioctl_command karg, void __user *mfPtr)
+mptctl_do_mpt_command (MPT_ADAPTER *ioc, struct mpt_ioctl_command karg, void __user *mfPtr)
{
- MPT_ADAPTER *ioc;
MPT_FRAME_HDR *mf = NULL;
MPIHeader_t *hdr;
char *psge;
@@ -1832,7 +1742,7 @@ mptctl_do_mpt_command (struct mpt_ioctl_
dma_addr_t dma_addr_in;
dma_addr_t dma_addr_out;
int sgSize = 0; /* Num SG elements */
- int iocnum, flagsLength;
+ int flagsLength;
int sz, rc = 0;
int msgContext;
u16 req_idx;
@@ -1847,13 +1757,6 @@ mptctl_do_mpt_command (struct mpt_ioctl_
bufIn.kptr = bufOut.kptr = NULL;
bufIn.len = bufOut.len = 0;
- if (((iocnum = mpt_verify_adapter(karg.hdr.iocnum, &ioc)) < 0) ||
- (ioc == NULL)) {
- printk(KERN_DEBUG MYNAM "%s::mptctl_do_mpt_command() @%d - ioc%d not found!\n",
- __FILE__, __LINE__, iocnum);
- return -ENODEV;
- }
-
spin_lock_irqsave(&ioc->taskmgmt_lock, flags);
if (ioc->ioc_reset_in_progress) {
spin_unlock_irqrestore(&ioc->taskmgmt_lock, flags);
@@ -2418,17 +2321,15 @@ done_free_mem:
* -ENOMEM if memory allocation error
*/
static int
-mptctl_hp_hostinfo(unsigned long arg, unsigned int data_size)
+mptctl_hp_hostinfo(MPT_ADAPTER *ioc, unsigned long arg, unsigned int data_size)
{
hp_host_info_t __user *uarg = (void __user *) arg;
- MPT_ADAPTER *ioc;
struct pci_dev *pdev;
char *pbuf=NULL;
dma_addr_t buf_dma;
hp_host_info_t karg;
CONFIGPARMS cfg;
ConfigPageHeader_t hdr;
- int iocnum;
int rc, cim_rev;
ToolboxIstwiReadWriteRequest_t *IstwiRWRequest;
MPT_FRAME_HDR *mf = NULL;
@@ -2452,12 +2353,6 @@ mptctl_hp_hostinfo(unsigned long arg, un
return -EFAULT;
}
- if (((iocnum = mpt_verify_adapter(karg.hdr.iocnum, &ioc)) < 0) ||
- (ioc == NULL)) {
- printk(KERN_DEBUG MYNAM "%s::mptctl_hp_hostinfo() @%d - ioc%d not found!\n",
- __FILE__, __LINE__, iocnum);
- return -ENODEV;
- }
dctlprintk(ioc, printk(MYIOC_s_DEBUG_FMT ": mptctl_hp_hostinfo called.\n",
ioc->name));
@@ -2670,15 +2565,13 @@ retry_wait:
* -ENOMEM if memory allocation error
*/
static int
-mptctl_hp_targetinfo(unsigned long arg)
+mptctl_hp_targetinfo(MPT_ADAPTER *ioc, unsigned long arg)
{
hp_target_info_t __user *uarg = (void __user *) arg;
SCSIDevicePage0_t *pg0_alloc;
SCSIDevicePage3_t *pg3_alloc;
- MPT_ADAPTER *ioc;
MPT_SCSI_HOST *hd = NULL;
hp_target_info_t karg;
- int iocnum;
int data_sz;
dma_addr_t page_dma;
CONFIGPARMS cfg;
@@ -2692,12 +2585,6 @@ mptctl_hp_targetinfo(unsigned long arg)
return -EFAULT;
}
- if (((iocnum = mpt_verify_adapter(karg.hdr.iocnum, &ioc)) < 0) ||
- (ioc == NULL)) {
- printk(KERN_DEBUG MYNAM "%s::mptctl_hp_targetinfo() @%d - ioc%d not found!\n",
- __FILE__, __LINE__, iocnum);
- return -ENODEV;
- }
if (karg.hdr.id >= MPT_MAX_FC_DEVICES)
return -EINVAL;
dctlprintk(ioc, printk(MYIOC_s_DEBUG_FMT "mptctl_hp_targetinfo called.\n",
@@ -2865,7 +2752,7 @@ compat_mptfwxfer_ioctl(struct file *filp
kfw.fwlen = kfw32.fwlen;
kfw.bufp = compat_ptr(kfw32.bufp);
- ret = mptctl_do_fw_download(kfw.iocnum, kfw.bufp, kfw.fwlen);
+ ret = mptctl_do_fw_download(iocp, kfw.bufp, kfw.fwlen);
mutex_unlock(&iocp->ioctl_cmds.mutex);
@@ -2919,7 +2806,7 @@ compat_mpt_command(struct file *filp, un
/* Pass new structure to do_mpt_command
*/
- ret = mptctl_do_mpt_command (karg, &uarg->MF);
+ ret = mptctl_do_mpt_command (iocp, karg, &uarg->MF);
mutex_unlock(&iocp->ioctl_cmds.mutex);
next prev parent reply other threads:[~2020-01-22 9:35 UTC|newest]
Thread overview: 102+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-22 9:28 [PATCH 4.9 00/97] 4.9.211-stable review Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 01/97] hidraw: Return EPOLLOUT from hidraw_poll Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 02/97] HID: hidraw: Fix returning " Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 03/97] HID: hidraw, uhid: Always report EPOLLOUT Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 04/97] ethtool: reduce stack usage with clang Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 05/97] fs/select: avoid clang stack usage warning Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 06/97] rsi: add fix for crash during assertions Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 07/97] arm64: mm: BUG on unsupported manipulations of live kernel mappings Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 08/97] arm64: dont open code page table entry creation Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 09/97] arm64: mm: Change page table pointer name in p[md]_set_huge() Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 10/97] arm64: Enforce BBM for huge IO/VMAP mappings Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 11/97] arm64: Make sure permission updates happen for pmd/pud Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 12/97] cfg80211/mac80211: make ieee80211_send_layer2_update a public function Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 13/97] mac80211: Do not send Layer 2 Update frame before authorization Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 14/97] media: usb:zr364xx:Fix KASAN:null-ptr-deref Read in zr364xx_vidioc_querycap Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 15/97] wimax: i2400: fix memory leak Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 16/97] wimax: i2400: Fix memory leak in i2400m_op_rfkill_sw_toggle Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 17/97] ext4: fix use-after-free race with debug_want_extra_isize Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 18/97] ext4: add more paranoia checking in ext4_expand_extra_isize handling Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 19/97] dccp: Fix memleak in __feat_register_sp Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 20/97] rtc: mt6397: fix alarm register overwrite Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 21/97] iommu: Remove device link to group on failure Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 22/97] gpio: Fix error message on out-of-range GPIO in lookup table Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 23/97] hsr: reset network header when supervision frame is created Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 24/97] cifs: Adjust indentation in smb2_open_file Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 25/97] RDMA/srpt: Report the SCSI residual to the initiator Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 26/97] scsi: enclosure: Fix stale device oops with hot replug Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 27/97] scsi: sd: Clear sdkp->protection_type if disk is reformatted without PI Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 28/97] platform/x86: asus-wmi: Fix keyboard brightness cannot be set to 0 Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 29/97] iio: imu: adis16480: assign bias value only if operation succeeded Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 30/97] mei: fix modalias documentation Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 31/97] clk: samsung: exynos5420: Preserve CPU clocks configuration during suspend/resume Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 32/97] compat_ioctl: handle SIOCOUTQNSD Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 33/97] PCI/PTM: Remove spurious "d" from granularity message Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 34/97] powerpc/powernv: Disable native PCIe port management Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 35/97] tty: serial: imx: use the sg count from dma_map_sg Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 36/97] tty: serial: pch_uart: correct usage of dma_unmap_sg Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 37/97] media: exynos4-is: Fix recursive locking in isp_video_release() Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 38/97] mtd: spi-nor: fix silent truncation in spi_nor_read() Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 39/97] spi: atmel: fix handling of cs_change set on non-last xfer Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 40/97] rtlwifi: Remove unnecessary NULL check in rtl_regd_init Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 41/97] f2fs: fix potential overflow Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 42/97] rtc: msm6242: Fix reading of 10-hour digit Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 43/97] gpio: mpc8xxx: Add platform device to gpiochip->parent Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 44/97] scsi: libcxgbi: fix NULL pointer dereference in cxgbi_device_destroy() Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 45/97] rseq/selftests: Turn off timeout setting Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 46/97] MIPS: Prevent link failure with kcov instrumentation Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 47/97] ioat: ioat_alloc_ring() failure handling Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 48/97] hexagon: parenthesize registers in asm predicates Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 49/97] hexagon: work around compiler crash Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 50/97] ocfs2: call journal flush to mark journal as empty after journal recovery when mount Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 51/97] dt-bindings: reset: meson8b: fix duplicate reset IDs Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 52/97] clk: Dont try to enable critical clocks if prepare failed Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 53/97] ALSA: seq: Fix racy access for queue timer in proc read Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 54/97] Fix built-in early-load Intel microcode alignment Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 55/97] block: fix an integer overflow in logical block size Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 56/97] iio: buffer: align the size of scan bytes to size of the largest element Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 57/97] USB: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 58/97] USB: serial: opticon: fix control-message timeouts Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 59/97] USB: serial: suppress driver bind attributes Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 60/97] USB: serial: ch341: handle unbound port at reset_resume Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 61/97] USB: serial: io_edgeport: add missing active-port sanity check Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 62/97] USB: serial: quatech2: handle unbound ports Greg Kroah-Hartman
2020-01-22 9:29 ` Greg Kroah-Hartman [this message]
2020-01-22 9:29 ` [PATCH 4.9 64/97] usb: core: hub: Improved device recognition on remote wakeup Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 65/97] x86/efistub: Disable paging at mixed mode entry Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 66/97] perf hists: Fix variable names inconsistency in hists__for_each() macro Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 67/97] perf report: Fix incorrectly added dimensions as switch perf data file Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 68/97] mm/page-writeback.c: avoid potential division by zero in wb_min_max_ratio() Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 69/97] net: stmmac: 16KB buffer must be 16 byte aligned Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 70/97] net: stmmac: Enable 16KB buffer size Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 71/97] USB: serial: io_edgeport: use irqsave() in USBs complete callback Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 72/97] USB: serial: io_edgeport: handle unbound ports on URB completion Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 73/97] USB: serial: keyspan: handle unbound ports Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 74/97] scsi: fnic: use kernels %pM format option to print MAC Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 75/97] scsi: fnic: fix invalid stack access Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 76/97] arm64: dts: agilex/stratix10: fix pmu interrupt numbers Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 77/97] cfg80211: fix page refcount issue in A-MSDU decap Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 78/97] netfilter: fix a use-after-free in mtype_destroy() Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 79/97] netfilter: arp_tables: init netns pointer in xt_tgdtor_param struct Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 80/97] batman-adv: Fix DAT candidate selection on little endian systems Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 81/97] macvlan: use skb_reset_mac_header() in macvlan_queue_xmit() Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 82/97] net: dsa: tag_qca: fix doubled Tx statistics Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 83/97] net/wan/fsl_ucc_hdlc: fix out of bounds write on array utdm_info Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 84/97] r8152: add missing endpoint sanity check Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 85/97] tcp: fix marked lost packets not being retransmitted Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 86/97] net: usb: lan78xx: limit size of local TSO packets Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 87/97] xen/blkfront: Adjust indentation in xlvbd_alloc_gendisk Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 88/97] cw1200: Fix a signedness bug in cw1200_load_firmware() Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 89/97] cfg80211: check for set_wiphy_params Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 90/97] reiserfs: fix handling of -EOPNOTSUPP in reiserfs_for_each_xattr Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 91/97] scsi: esas2r: unlock on error in esas2r_nvram_read_direct() Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 92/97] scsi: qla4xxx: fix double free bug Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 93/97] scsi: bnx2i: fix potential use after free Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 94/97] scsi: target: core: Fix a pr_debug() argument Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 95/97] scsi: core: scsi_trace: Use get_unaligned_be*() Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 96/97] perf probe: Fix wrong address verification Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 97/97] regulator: ab8500: Remove SYSCLKREQ from enum ab8505_regulator_id Greg Kroah-Hartman
2020-01-22 14:36 ` [PATCH 4.9 00/97] 4.9.211-stable review Naresh Kamboju
2020-01-22 14:57 ` Jon Hunter
2020-01-22 18:59 ` Guenter Roeck
2020-01-22 20:52 ` shuah
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200122092806.519672371@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dan.carpenter@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=stable@vger.kernel.org \
--cc=tom2001tom.23@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).