From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Ranjan Kumar <ranjan.kumar@broadcom.com>,
Sumit Saxena <sumit.saxena@broadcom.com>,
"Martin K . Petersen" <martin.petersen@oracle.com>,
Sasha Levin <sashal@kernel.org>,
sathya.prakash@broadcom.com, kashyap.desai@broadcom.com,
sreekanth.reddy@broadcom.com,
James.Bottomley@HansenPartnership.com,
mpi3mr-linuxdrv.pdl@broadcom.com, linux-scsi@vger.kernel.org
Subject: [PATCH AUTOSEL 6.12 25/36] scsi: mpi3mr: Synchronize access to ioctl data buffer
Date: Wed, 11 Dec 2024 13:49:41 -0500 [thread overview]
Message-ID: <20241211185028.3841047-25-sashal@kernel.org> (raw)
In-Reply-To: <20241211185028.3841047-1-sashal@kernel.org>
From: Ranjan Kumar <ranjan.kumar@broadcom.com>
[ Upstream commit 367ac16e5ff2dcd6b7f00a8f94e6ba98875cb397 ]
The driver serializes ioctls through a mutex lock but access to the
ioctl data buffer is not guarded by the mutex. This results in multiple
user threads being able to write to the driver's ioctl buffer
simultaneously.
Protect the ioctl buffer with the ioctl mutex.
Signed-off-by: Sumit Saxena <sumit.saxena@broadcom.com>
Signed-off-by: Ranjan Kumar <ranjan.kumar@broadcom.com>
Link: https://lore.kernel.org/r/20241110194405.10108-2-ranjan.kumar@broadcom.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/mpi3mr/mpi3mr_app.c | 36 ++++++++++++++++++++++----------
1 file changed, 25 insertions(+), 11 deletions(-)
diff --git a/drivers/scsi/mpi3mr/mpi3mr_app.c b/drivers/scsi/mpi3mr/mpi3mr_app.c
index 01f035f9330e4..10b8e4dc64f8b 100644
--- a/drivers/scsi/mpi3mr/mpi3mr_app.c
+++ b/drivers/scsi/mpi3mr/mpi3mr_app.c
@@ -2329,6 +2329,15 @@ static long mpi3mr_bsg_process_mpt_cmds(struct bsg_job *job)
if (!mrioc)
return -ENODEV;
+ if (mutex_lock_interruptible(&mrioc->bsg_cmds.mutex))
+ return -ERESTARTSYS;
+
+ if (mrioc->bsg_cmds.state & MPI3MR_CMD_PENDING) {
+ dprint_bsg_err(mrioc, "%s: command is in use\n", __func__);
+ mutex_unlock(&mrioc->bsg_cmds.mutex);
+ return -EAGAIN;
+ }
+
if (!mrioc->ioctl_sges_allocated) {
dprint_bsg_err(mrioc, "%s: DMA memory was not allocated\n",
__func__);
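Review bot: The `!mrioc->ioctl_sges_allocated` branch at the end of this hunk now runs with `bsg_cmds.mutex` held, but its exit lies outside the hunk and no other hunk in the patch touches it, so it appears to still return without unlocking. If that is the case, one request on a controller without the ioctl DMA memory leaves the mutex held, and every later bsg request for that controller blocks in `mutex_lock_interruptible()`. The branch needs `mutex_unlock(&mrioc->bsg_cmds.mutex);` before its return, as the added `MPI3MR_CMD_PENDING` branch just above already does.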
@@ -2339,13 +2348,16 @@ static long mpi3mr_bsg_process_mpt_cmds(struct bsg_job *job)
karg->timeout = MPI3MR_APP_DEFAULT_TIMEOUT;
mpi_req = kzalloc(MPI3MR_ADMIN_REQ_FRAME_SZ, GFP_KERNEL);
- if (!mpi_req)
+ if (!mpi_req) {
+ mutex_unlock(&mrioc->bsg_cmds.mutex);
return -ENOMEM;
+ }
mpi_header = (struct mpi3_request_header *)mpi_req;
bufcnt = karg->buf_entry_list.num_of_entries;
drv_bufs = kzalloc((sizeof(*drv_bufs) * bufcnt), GFP_KERNEL);
if (!drv_bufs) {
+ mutex_unlock(&mrioc->bsg_cmds.mutex);
rval = -ENOMEM;
goto out;
}
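Review bot: From the `drv_bufs` allocation failure in this hunk through the `sense_buff_k` failure in the last hunk, the unlock is hand-copied in front of every `goto out`. The lock state at `out` then depends on each call site remembering it, and any error path added later between the lock and the command submission can leak the mutex without notice. A dedicated label would keep the pairing in one place: replace these sites with `goto out_unlock;` and put `out_unlock: mutex_unlock(&mrioc->bsg_cmds.mutex);` directly ahead of `out:`. The `out:` label and the tail of `mpi3mr_bsg_process_mpt_cmds()` are outside the visible hunks, so check that the normal completion path does not already unlock before reaching that point. A short comment at the lock site saying the mutex now also covers the ioctl data buffer, not only `bsg_cmds.state`, would record why it is taken this early.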
@@ -2353,6 +2365,7 @@ static long mpi3mr_bsg_process_mpt_cmds(struct bsg_job *job)
dout_buf = kzalloc(job->request_payload.payload_len,
GFP_KERNEL);
if (!dout_buf) {
+ mutex_unlock(&mrioc->bsg_cmds.mutex);
rval = -ENOMEM;
goto out;
}
@@ -2360,6 +2373,7 @@ static long mpi3mr_bsg_process_mpt_cmds(struct bsg_job *job)
din_buf = kzalloc(job->reply_payload.payload_len,
GFP_KERNEL);
if (!din_buf) {
+ mutex_unlock(&mrioc->bsg_cmds.mutex);
rval = -ENOMEM;
goto out;
}
@@ -2435,6 +2449,7 @@ static long mpi3mr_bsg_process_mpt_cmds(struct bsg_job *job)
(mpi_msg_size > MPI3MR_ADMIN_REQ_FRAME_SZ)) {
dprint_bsg_err(mrioc, "%s: invalid MPI message size\n",
__func__);
+ mutex_unlock(&mrioc->bsg_cmds.mutex);
rval = -EINVAL;
goto out;
}
@@ -2447,6 +2462,7 @@ static long mpi3mr_bsg_process_mpt_cmds(struct bsg_job *job)
if (invalid_be) {
dprint_bsg_err(mrioc, "%s: invalid buffer entries passed\n",
__func__);
+ mutex_unlock(&mrioc->bsg_cmds.mutex);
rval = -EINVAL;
goto out;
}
@@ -2454,12 +2470,14 @@ static long mpi3mr_bsg_process_mpt_cmds(struct bsg_job *job)
if (sgl_dout_iter > (dout_buf + job->request_payload.payload_len)) {
dprint_bsg_err(mrioc, "%s: data_out buffer length mismatch\n",
__func__);
+ mutex_unlock(&mrioc->bsg_cmds.mutex);
rval = -EINVAL;
goto out;
}
if (sgl_din_iter > (din_buf + job->reply_payload.payload_len)) {
dprint_bsg_err(mrioc, "%s: data_in buffer length mismatch\n",
__func__);
+ mutex_unlock(&mrioc->bsg_cmds.mutex);
rval = -EINVAL;
goto out;
}
@@ -2472,6 +2490,7 @@ static long mpi3mr_bsg_process_mpt_cmds(struct bsg_job *job)
dprint_bsg_err(mrioc, "%s:%d: invalid data transfer size passed for function 0x%x din_size = %d, dout_size = %d\n",
__func__, __LINE__, mpi_header->function, din_size,
dout_size);
+ mutex_unlock(&mrioc->bsg_cmds.mutex);
rval = -EINVAL;
goto out;
}
@@ -2480,6 +2499,7 @@ static long mpi3mr_bsg_process_mpt_cmds(struct bsg_job *job)
dprint_bsg_err(mrioc,
"%s:%d: invalid data transfer size passed for function 0x%x din_size=%d\n",
__func__, __LINE__, mpi_header->function, din_size);
+ mutex_unlock(&mrioc->bsg_cmds.mutex);
rval = -EINVAL;
goto out;
}
@@ -2487,6 +2507,7 @@ static long mpi3mr_bsg_process_mpt_cmds(struct bsg_job *job)
dprint_bsg_err(mrioc,
"%s:%d: invalid data transfer size passed for function 0x%x dout_size = %d\n",
__func__, __LINE__, mpi_header->function, dout_size);
+ mutex_unlock(&mrioc->bsg_cmds.mutex);
rval = -EINVAL;
goto out;
}
@@ -2497,6 +2518,7 @@ static long mpi3mr_bsg_process_mpt_cmds(struct bsg_job *job)
dprint_bsg_err(mrioc, "%s:%d: invalid message size passed:%d:%d:%d:%d\n",
__func__, __LINE__, din_cnt, dout_cnt, din_size,
dout_size);
+ mutex_unlock(&mrioc->bsg_cmds.mutex);
rval = -EINVAL;
goto out;
}
@@ -2544,6 +2566,7 @@ static long mpi3mr_bsg_process_mpt_cmds(struct bsg_job *job)
continue;
if (mpi3mr_map_data_buffer_dma(mrioc, drv_buf_iter, desc_count)) {
rval = -ENOMEM;
+ mutex_unlock(&mrioc->bsg_cmds.mutex);
dprint_bsg_err(mrioc, "%s:%d: mapping data buffers failed\n",
__func__, __LINE__);
goto out;
@@ -2556,20 +2579,11 @@ static long mpi3mr_bsg_process_mpt_cmds(struct bsg_job *job)
sense_buff_k = kzalloc(erbsz, GFP_KERNEL);
if (!sense_buff_k) {
rval = -ENOMEM;
+ mutex_unlock(&mrioc->bsg_cmds.mutex);
goto out;
}
}
- if (mutex_lock_interruptible(&mrioc->bsg_cmds.mutex)) {
- rval = -ERESTARTSYS;
- goto out;
- }
- if (mrioc->bsg_cmds.state & MPI3MR_CMD_PENDING) {
- rval = -EAGAIN;
- dprint_bsg_err(mrioc, "%s: command is in use\n", __func__);
- mutex_unlock(&mrioc->bsg_cmds.mutex);
- goto out;
- }
if (mrioc->unrecoverable) {
dprint_bsg_err(mrioc, "%s: unrecoverable controller\n",
__func__);
--
2.43.0