aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorYinghai Lu <Yinghai.Lu@Sun.COM>2008-02-13 19:25:16 -0500
committerJames Bottomley <James.Bottomley@HansenPartnership.com>2008-02-18 09:57:15 -0500
commit691b4773aa556d0975dbc25c93e6c8b839dad325 (patch)
treea74b3d7c43ac2e8026fac59c0084ae3041076e1c
parent1309d4e68497184d2fd87e892ddf14076c2bda98 (diff)
[SCSI] ses: fix data corruption
one system: initrd get courrupted: RAMDISK: Compressed image found at block 0 RAMDISK: incomplete write (-28 != 2048) 134217728 crc error VFS: Mounted root (ext2 filesystem). Freeing unused kernel memory: 388k freed init_special_inode: bogus i_mode (177777) Warning: unable to open an initial console. init_special_inode: bogus i_mode (177777) init_special_inode: bogus i_mode (177777) Kernel panic - not syncing: No init found. Try passing init= option to kernel. bisected to commit 9927c68864e9c39cc317b4f559309ba29e642168 Author: James Bottomley <James.Bottomley@HansenPartnership.com> Date: Sun Feb 3 15:48:56 2008 -0600 [SCSI] ses: add new Enclosure ULD changes: 1. change char to unsigned char to avoid type change later. 2. preserve len for page1 3. need to move desc_ptr even the entry is not enclosure_component_device/raid. so keep desc_ptr on right position 4. record page7 len, and double check if desc_ptr out of boundary before touch. 5. fix typo in subenclosure checking: should use hdr_buf instead. [jejb: style fixes] Signed-off-by: Yinghai Lu <yinghai.lu@sun.com> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-rw-r--r--drivers/scsi/ses.c126
1 files changed, 67 insertions, 59 deletions
diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c
index a57fed47b39d..a6d96694d0a5 100644
--- a/drivers/scsi/ses.c
+++ b/drivers/scsi/ses.c
@@ -33,9 +33,9 @@
33#include <scsi/scsi_host.h> 33#include <scsi/scsi_host.h>
34 34
35struct ses_device { 35struct ses_device {
36 char *page1; 36 unsigned char *page1;
37 char *page2; 37 unsigned char *page2;
38 char *page10; 38 unsigned char *page10;
39 short page1_len; 39 short page1_len;
40 short page2_len; 40 short page2_len;
41 short page10_len; 41 short page10_len;
@@ -67,7 +67,7 @@ static int ses_probe(struct device *dev)
67static int ses_recv_diag(struct scsi_device *sdev, int page_code, 67static int ses_recv_diag(struct scsi_device *sdev, int page_code,
68 void *buf, int bufflen) 68 void *buf, int bufflen)
69{ 69{
70 char cmd[] = { 70 unsigned char cmd[] = {
71 RECEIVE_DIAGNOSTIC, 71 RECEIVE_DIAGNOSTIC,
72 1, /* Set PCV bit */ 72 1, /* Set PCV bit */
73 page_code, 73 page_code,
@@ -85,7 +85,7 @@ static int ses_send_diag(struct scsi_device *sdev, int page_code,
85{ 85{
86 u32 result; 86 u32 result;
87 87
88 char cmd[] = { 88 unsigned char cmd[] = {
89 SEND_DIAGNOSTIC, 89 SEND_DIAGNOSTIC,
90 0x10, /* Set PF bit */ 90 0x10, /* Set PF bit */
91 0, 91 0,
@@ -104,13 +104,13 @@ static int ses_send_diag(struct scsi_device *sdev, int page_code,
104 104
105static int ses_set_page2_descriptor(struct enclosure_device *edev, 105static int ses_set_page2_descriptor(struct enclosure_device *edev,
106 struct enclosure_component *ecomp, 106 struct enclosure_component *ecomp,
107 char *desc) 107 unsigned char *desc)
108{ 108{
109 int i, j, count = 0, descriptor = ecomp->number; 109 int i, j, count = 0, descriptor = ecomp->number;
110 struct scsi_device *sdev = to_scsi_device(edev->cdev.dev); 110 struct scsi_device *sdev = to_scsi_device(edev->cdev.dev);
111 struct ses_device *ses_dev = edev->scratch; 111 struct ses_device *ses_dev = edev->scratch;
112 char *type_ptr = ses_dev->page1 + 12 + ses_dev->page1[11]; 112 unsigned char *type_ptr = ses_dev->page1 + 12 + ses_dev->page1[11];
113 char *desc_ptr = ses_dev->page2 + 8; 113 unsigned char *desc_ptr = ses_dev->page2 + 8;
114 114
115 /* Clear everything */ 115 /* Clear everything */
116 memset(desc_ptr, 0, ses_dev->page2_len - 8); 116 memset(desc_ptr, 0, ses_dev->page2_len - 8);
@@ -133,14 +133,14 @@ static int ses_set_page2_descriptor(struct enclosure_device *edev,
133 return ses_send_diag(sdev, 2, ses_dev->page2, ses_dev->page2_len); 133 return ses_send_diag(sdev, 2, ses_dev->page2, ses_dev->page2_len);
134} 134}
135 135
136static char *ses_get_page2_descriptor(struct enclosure_device *edev, 136static unsigned char *ses_get_page2_descriptor(struct enclosure_device *edev,
137 struct enclosure_component *ecomp) 137 struct enclosure_component *ecomp)
138{ 138{
139 int i, j, count = 0, descriptor = ecomp->number; 139 int i, j, count = 0, descriptor = ecomp->number;
140 struct scsi_device *sdev = to_scsi_device(edev->cdev.dev); 140 struct scsi_device *sdev = to_scsi_device(edev->cdev.dev);
141 struct ses_device *ses_dev = edev->scratch; 141 struct ses_device *ses_dev = edev->scratch;
142 char *type_ptr = ses_dev->page1 + 12 + ses_dev->page1[11]; 142 unsigned char *type_ptr = ses_dev->page1 + 12 + ses_dev->page1[11];
143 char *desc_ptr = ses_dev->page2 + 8; 143 unsigned char *desc_ptr = ses_dev->page2 + 8;
144 144
145 ses_recv_diag(sdev, 2, ses_dev->page2, ses_dev->page2_len); 145 ses_recv_diag(sdev, 2, ses_dev->page2, ses_dev->page2_len);
146 146
@@ -160,17 +160,18 @@ static char *ses_get_page2_descriptor(struct enclosure_device *edev,
160static void ses_get_fault(struct enclosure_device *edev, 160static void ses_get_fault(struct enclosure_device *edev,
161 struct enclosure_component *ecomp) 161 struct enclosure_component *ecomp)
162{ 162{
163 char *desc; 163 unsigned char *desc;
164 164
165 desc = ses_get_page2_descriptor(edev, ecomp); 165 desc = ses_get_page2_descriptor(edev, ecomp);
166 ecomp->fault = (desc[3] & 0x60) >> 4; 166 if (desc)
167 ecomp->fault = (desc[3] & 0x60) >> 4;
167} 168}
168 169
169static int ses_set_fault(struct enclosure_device *edev, 170static int ses_set_fault(struct enclosure_device *edev,
170 struct enclosure_component *ecomp, 171 struct enclosure_component *ecomp,
171 enum enclosure_component_setting val) 172 enum enclosure_component_setting val)
172{ 173{
173 char desc[4] = {0 }; 174 unsigned char desc[4] = {0 };
174 175
175 switch (val) { 176 switch (val) {
176 case ENCLOSURE_SETTING_DISABLED: 177 case ENCLOSURE_SETTING_DISABLED:
@@ -190,26 +191,28 @@ static int ses_set_fault(struct enclosure_device *edev,
190static void ses_get_status(struct enclosure_device *edev, 191static void ses_get_status(struct enclosure_device *edev,
191 struct enclosure_component *ecomp) 192 struct enclosure_component *ecomp)
192{ 193{
193 char *desc; 194 unsigned char *desc;
194 195
195 desc = ses_get_page2_descriptor(edev, ecomp); 196 desc = ses_get_page2_descriptor(edev, ecomp);
196 ecomp->status = (desc[0] & 0x0f); 197 if (desc)
198 ecomp->status = (desc[0] & 0x0f);
197} 199}
198 200
199static void ses_get_locate(struct enclosure_device *edev, 201static void ses_get_locate(struct enclosure_device *edev,
200 struct enclosure_component *ecomp) 202 struct enclosure_component *ecomp)
201{ 203{
202 char *desc; 204 unsigned char *desc;
203 205
204 desc = ses_get_page2_descriptor(edev, ecomp); 206 desc = ses_get_page2_descriptor(edev, ecomp);
205 ecomp->locate = (desc[2] & 0x02) ? 1 : 0; 207 if (desc)
208 ecomp->locate = (desc[2] & 0x02) ? 1 : 0;
206} 209}
207 210
208static int ses_set_locate(struct enclosure_device *edev, 211static int ses_set_locate(struct enclosure_device *edev,
209 struct enclosure_component *ecomp, 212 struct enclosure_component *ecomp,
210 enum enclosure_component_setting val) 213 enum enclosure_component_setting val)
211{ 214{
212 char desc[4] = {0 }; 215 unsigned char desc[4] = {0 };
213 216
214 switch (val) { 217 switch (val) {
215 case ENCLOSURE_SETTING_DISABLED: 218 case ENCLOSURE_SETTING_DISABLED:
@@ -229,7 +232,7 @@ static int ses_set_active(struct enclosure_device *edev,
229 struct enclosure_component *ecomp, 232 struct enclosure_component *ecomp,
230 enum enclosure_component_setting val) 233 enum enclosure_component_setting val)
231{ 234{
232 char desc[4] = {0 }; 235 unsigned char desc[4] = {0 };
233 236
234 switch (val) { 237 switch (val) {
235 case ENCLOSURE_SETTING_DISABLED: 238 case ENCLOSURE_SETTING_DISABLED:
@@ -409,11 +412,11 @@ static int ses_intf_add(struct class_device *cdev,
409{ 412{
410 struct scsi_device *sdev = to_scsi_device(cdev->dev); 413 struct scsi_device *sdev = to_scsi_device(cdev->dev);
411 struct scsi_device *tmp_sdev; 414 struct scsi_device *tmp_sdev;
412 unsigned char *buf = NULL, *hdr_buf, *type_ptr, *desc_ptr, 415 unsigned char *buf = NULL, *hdr_buf, *type_ptr, *desc_ptr = NULL,
413 *addl_desc_ptr; 416 *addl_desc_ptr = NULL;
414 struct ses_device *ses_dev; 417 struct ses_device *ses_dev;
415 u32 result; 418 u32 result;
416 int i, j, types, len, components = 0; 419 int i, j, types, len, page7_len = 0, components = 0;
417 int err = -ENOMEM; 420 int err = -ENOMEM;
418 struct enclosure_device *edev; 421 struct enclosure_device *edev;
419 struct ses_component *scomp = NULL; 422 struct ses_component *scomp = NULL;
@@ -447,7 +450,7 @@ static int ses_intf_add(struct class_device *cdev,
447 * traversal routines more complex */ 450 * traversal routines more complex */
448 sdev_printk(KERN_ERR, sdev, 451 sdev_printk(KERN_ERR, sdev,
449 "FIXME driver has no support for subenclosures (%d)\n", 452 "FIXME driver has no support for subenclosures (%d)\n",
450 buf[1]); 453 hdr_buf[1]);
451 goto err_free; 454 goto err_free;
452 } 455 }
453 456
@@ -461,9 +464,8 @@ static int ses_intf_add(struct class_device *cdev,
461 goto recv_failed; 464 goto recv_failed;
462 465
463 types = buf[10]; 466 types = buf[10];
464 len = buf[11];
465 467
466 type_ptr = buf + 12 + len; 468 type_ptr = buf + 12 + buf[11];
467 469
468 for (i = 0; i < types; i++, type_ptr += 4) { 470 for (i = 0; i < types; i++, type_ptr += 4) {
469 if (type_ptr[0] == ENCLOSURE_COMPONENT_DEVICE || 471 if (type_ptr[0] == ENCLOSURE_COMPONENT_DEVICE ||
@@ -494,22 +496,21 @@ static int ses_intf_add(struct class_device *cdev,
494 /* The additional information page --- allows us 496 /* The additional information page --- allows us
495 * to match up the devices */ 497 * to match up the devices */
496 result = ses_recv_diag(sdev, 10, hdr_buf, INIT_ALLOC_SIZE); 498 result = ses_recv_diag(sdev, 10, hdr_buf, INIT_ALLOC_SIZE);
497 if (result) 499 if (!result) {
498 goto no_page10; 500
499 501 len = (hdr_buf[2] << 8) + hdr_buf[3] + 4;
500 len = (hdr_buf[2] << 8) + hdr_buf[3] + 4; 502 buf = kzalloc(len, GFP_KERNEL);
501 buf = kzalloc(len, GFP_KERNEL); 503 if (!buf)
502 if (!buf) 504 goto err_free;
503 goto err_free; 505
504 506 result = ses_recv_diag(sdev, 10, buf, len);
505 result = ses_recv_diag(sdev, 10, buf, len); 507 if (result)
506 if (result) 508 goto recv_failed;
507 goto recv_failed; 509 ses_dev->page10 = buf;
508 ses_dev->page10 = buf; 510 ses_dev->page10_len = len;
509 ses_dev->page10_len = len; 511 buf = NULL;
510 buf = NULL; 512 }
511 513
512 no_page10:
513 scomp = kzalloc(sizeof(struct ses_component) * components, GFP_KERNEL); 514 scomp = kzalloc(sizeof(struct ses_component) * components, GFP_KERNEL);
514 if (!scomp) 515 if (!scomp)
515 goto err_free; 516 goto err_free;
@@ -530,7 +531,7 @@ static int ses_intf_add(struct class_device *cdev,
530 if (result) 531 if (result)
531 goto simple_populate; 532 goto simple_populate;
532 533
533 len = (hdr_buf[2] << 8) + hdr_buf[3] + 4; 534 page7_len = len = (hdr_buf[2] << 8) + hdr_buf[3] + 4;
534 /* add 1 for trailing '\0' we'll use */ 535 /* add 1 for trailing '\0' we'll use */
535 buf = kzalloc(len + 1, GFP_KERNEL); 536 buf = kzalloc(len + 1, GFP_KERNEL);
536 if (!buf) 537 if (!buf)
@@ -547,7 +548,8 @@ static int ses_intf_add(struct class_device *cdev,
547 len = (desc_ptr[2] << 8) + desc_ptr[3]; 548 len = (desc_ptr[2] << 8) + desc_ptr[3];
548 /* skip past overall descriptor */ 549 /* skip past overall descriptor */
549 desc_ptr += len + 4; 550 desc_ptr += len + 4;
550 addl_desc_ptr = ses_dev->page10 + 8; 551 if (ses_dev->page10)
552 addl_desc_ptr = ses_dev->page10 + 8;
551 } 553 }
552 type_ptr = ses_dev->page1 + 12 + ses_dev->page1[11]; 554 type_ptr = ses_dev->page1 + 12 + ses_dev->page1[11];
553 components = 0; 555 components = 0;
@@ -557,29 +559,35 @@ static int ses_intf_add(struct class_device *cdev,
557 struct enclosure_component *ecomp; 559 struct enclosure_component *ecomp;
558 560
559 if (desc_ptr) { 561 if (desc_ptr) {
560 len = (desc_ptr[2] << 8) + desc_ptr[3]; 562 if (desc_ptr >= buf + page7_len) {
561 desc_ptr += 4; 563 desc_ptr = NULL;
562 /* Add trailing zero - pushes into 564 } else {
563 * reserved space */ 565 len = (desc_ptr[2] << 8) + desc_ptr[3];
564 desc_ptr[len] = '\0'; 566 desc_ptr += 4;
565 name = desc_ptr; 567 /* Add trailing zero - pushes into
568 * reserved space */
569 desc_ptr[len] = '\0';
570 name = desc_ptr;
571 }
566 } 572 }
567 if (type_ptr[0] != ENCLOSURE_COMPONENT_DEVICE && 573 if (type_ptr[0] == ENCLOSURE_COMPONENT_DEVICE ||
568 type_ptr[0] != ENCLOSURE_COMPONENT_ARRAY_DEVICE) 574 type_ptr[0] == ENCLOSURE_COMPONENT_ARRAY_DEVICE) {
569 continue; 575
570 ecomp = enclosure_component_register(edev, 576 ecomp = enclosure_component_register(edev,
571 components++, 577 components++,
572 type_ptr[0], 578 type_ptr[0],
573 name); 579 name);
574 if (desc_ptr) { 580
575 desc_ptr += len; 581 if (!IS_ERR(ecomp) && addl_desc_ptr)
576 if (!IS_ERR(ecomp))
577 ses_process_descriptor(ecomp, 582 ses_process_descriptor(ecomp,
578 addl_desc_ptr); 583 addl_desc_ptr);
579
580 if (addl_desc_ptr)
581 addl_desc_ptr += addl_desc_ptr[1] + 2;
582 } 584 }
585 if (desc_ptr)
586 desc_ptr += len;
587
588 if (addl_desc_ptr)
589 addl_desc_ptr += addl_desc_ptr[1] + 2;
590
583 } 591 }
584 } 592 }
585 kfree(buf); 593 kfree(buf);