aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/message/i2o/i2o_config.c
diff options
context:
space:
mode:
authorAlan Cox <alan@redhat.com>2008-10-16 01:02:47 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2008-10-16 14:21:38 -0400
commit9d793b0bcbbbc37d80241862dfa5257963d5415e (patch)
treeb842e5e92825d85fae63afadf4fcb4c1a681c28c /drivers/message/i2o/i2o_config.c
parent673c0c00382ed807f09d94e806f3519ddeeb4f70 (diff)
i2o: Fix 32/64bit DMA locking
The I2O ioctls assume 32bits. In itself that is fine as they are old cards and nobody uses 64bit. However on LKML it was noted this assumption is also made for allocated memory and is unsafe on 64bit systems. Fixing this is a mess. It turns out there is tons of crap buried in a header file that does racy 32/64bit filtering on the masks. So we: - Verify all callers of the racy code can sleep (i2o_dma_[re]alloc) - Move the code into a new i2o/memory.c file - Remove the gfp_mask argument so nobody can try and misuse the function - Wrap a mutex around the problem area (a single mutex is easy to do and none of this is performance relevant) - Switch the remaining problem kmalloc holdout to use i2o_dma_alloc Cc: Markus Lidel <Markus.Lidel@shadowconnect.com> Cc: Vasily Averin <vvs@sw.ru> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'drivers/message/i2o/i2o_config.c')
-rw-r--r--drivers/message/i2o/i2o_config.c31
1 files changed, 14 insertions, 17 deletions
diff --git a/drivers/message/i2o/i2o_config.c b/drivers/message/i2o/i2o_config.c
index 4238de98d4a6..a3fabdbe6ca6 100644
--- a/drivers/message/i2o/i2o_config.c
+++ b/drivers/message/i2o/i2o_config.c
@@ -260,7 +260,7 @@ static int i2o_cfg_swdl(unsigned long arg)
260 if (IS_ERR(msg)) 260 if (IS_ERR(msg))
261 return PTR_ERR(msg); 261 return PTR_ERR(msg);
262 262
263 if (i2o_dma_alloc(&c->pdev->dev, &buffer, fragsize, GFP_KERNEL)) { 263 if (i2o_dma_alloc(&c->pdev->dev, &buffer, fragsize)) {
264 i2o_msg_nop(c, msg); 264 i2o_msg_nop(c, msg);
265 return -ENOMEM; 265 return -ENOMEM;
266 } 266 }
@@ -339,7 +339,7 @@ static int i2o_cfg_swul(unsigned long arg)
339 if (IS_ERR(msg)) 339 if (IS_ERR(msg))
340 return PTR_ERR(msg); 340 return PTR_ERR(msg);
341 341
342 if (i2o_dma_alloc(&c->pdev->dev, &buffer, fragsize, GFP_KERNEL)) { 342 if (i2o_dma_alloc(&c->pdev->dev, &buffer, fragsize)) {
343 i2o_msg_nop(c, msg); 343 i2o_msg_nop(c, msg);
344 return -ENOMEM; 344 return -ENOMEM;
345 } 345 }
@@ -634,9 +634,7 @@ static int i2o_cfg_passthru32(struct file *file, unsigned cmnd,
634 sg_size = sg[i].flag_count & 0xffffff; 634 sg_size = sg[i].flag_count & 0xffffff;
635 p = &(sg_list[sg_index]); 635 p = &(sg_list[sg_index]);
636 /* Allocate memory for the transfer */ 636 /* Allocate memory for the transfer */
637 if (i2o_dma_alloc 637 if (i2o_dma_alloc(&c->pdev->dev, p, sg_size)) {
638 (&c->pdev->dev, p, sg_size,
639 PCI_DMA_BIDIRECTIONAL)) {
640 printk(KERN_DEBUG 638 printk(KERN_DEBUG
641 "%s: Could not allocate SG buffer - size = %d buffer number %d of %d\n", 639 "%s: Could not allocate SG buffer - size = %d buffer number %d of %d\n",
642 c->name, sg_size, i, sg_count); 640 c->name, sg_size, i, sg_count);
@@ -780,12 +778,11 @@ static int i2o_cfg_passthru(unsigned long arg)
780 u32 size = 0; 778 u32 size = 0;
781 u32 reply_size = 0; 779 u32 reply_size = 0;
782 u32 rcode = 0; 780 u32 rcode = 0;
783 void *sg_list[SG_TABLESIZE]; 781 struct i2o_dma sg_list[SG_TABLESIZE];
784 u32 sg_offset = 0; 782 u32 sg_offset = 0;
785 u32 sg_count = 0; 783 u32 sg_count = 0;
786 int sg_index = 0; 784 int sg_index = 0;
787 u32 i = 0; 785 u32 i = 0;
788 void *p = NULL;
789 i2o_status_block *sb; 786 i2o_status_block *sb;
790 struct i2o_message *msg; 787 struct i2o_message *msg;
791 unsigned int iop; 788 unsigned int iop;
@@ -842,6 +839,7 @@ static int i2o_cfg_passthru(unsigned long arg)
842 memset(sg_list, 0, sizeof(sg_list[0]) * SG_TABLESIZE); 839 memset(sg_list, 0, sizeof(sg_list[0]) * SG_TABLESIZE);
843 if (sg_offset) { 840 if (sg_offset) {
844 struct sg_simple_element *sg; 841 struct sg_simple_element *sg;
842 struct i2o_dma *p;
845 843
846 if (sg_offset * 4 >= size) { 844 if (sg_offset * 4 >= size) {
847 rcode = -EFAULT; 845 rcode = -EFAULT;
@@ -871,22 +869,22 @@ static int i2o_cfg_passthru(unsigned long arg)
871 goto sg_list_cleanup; 869 goto sg_list_cleanup;
872 } 870 }
873 sg_size = sg[i].flag_count & 0xffffff; 871 sg_size = sg[i].flag_count & 0xffffff;
872 p = &(sg_list[sg_index]);
873 if (i2o_dma_alloc(&c->pdev->dev, p, sg_size)) {
874 /* Allocate memory for the transfer */ 874 /* Allocate memory for the transfer */
875 p = kmalloc(sg_size, GFP_KERNEL);
876 if (!p) {
877 printk(KERN_DEBUG 875 printk(KERN_DEBUG
878 "%s: Could not allocate SG buffer - size = %d buffer number %d of %d\n", 876 "%s: Could not allocate SG buffer - size = %d buffer number %d of %d\n",
879 c->name, sg_size, i, sg_count); 877 c->name, sg_size, i, sg_count);
880 rcode = -ENOMEM; 878 rcode = -ENOMEM;
881 goto sg_list_cleanup; 879 goto sg_list_cleanup;
882 } 880 }
883 sg_list[sg_index++] = p; // sglist indexed with input frame, not our internal frame. 881 sg_index++;
884 /* Copy in the user's SG buffer if necessary */ 882 /* Copy in the user's SG buffer if necessary */
885 if (sg[i]. 883 if (sg[i].
886 flag_count & 0x04000000 /*I2O_SGL_FLAGS_DIR */ ) { 884 flag_count & 0x04000000 /*I2O_SGL_FLAGS_DIR */ ) {
887 // TODO 64bit fix 885 // TODO 64bit fix
888 if (copy_from_user 886 if (copy_from_user
889 (p, (void __user *)sg[i].addr_bus, 887 (p->virt, (void __user *)sg[i].addr_bus,
890 sg_size)) { 888 sg_size)) {
891 printk(KERN_DEBUG 889 printk(KERN_DEBUG
892 "%s: Could not copy SG buf %d FROM user\n", 890 "%s: Could not copy SG buf %d FROM user\n",
@@ -895,8 +893,7 @@ static int i2o_cfg_passthru(unsigned long arg)
895 goto sg_list_cleanup; 893 goto sg_list_cleanup;
896 } 894 }
897 } 895 }
898 //TODO 64bit fix 896 sg[i].addr_bus = p->phys;
899 sg[i].addr_bus = virt_to_bus(p);
900 } 897 }
901 } 898 }
902 899
@@ -908,7 +905,7 @@ static int i2o_cfg_passthru(unsigned long arg)
908 } 905 }
909 906
910 if (sg_offset) { 907 if (sg_offset) {
911 u32 rmsg[128]; 908 u32 rmsg[I2O_OUTBOUND_MSG_FRAME_SIZE];
912 /* Copy back the Scatter Gather buffers back to user space */ 909 /* Copy back the Scatter Gather buffers back to user space */
913 u32 j; 910 u32 j;
914 // TODO 64bit fix 911 // TODO 64bit fix
@@ -942,11 +939,11 @@ static int i2o_cfg_passthru(unsigned long arg)
942 sg_size = sg[j].flag_count & 0xffffff; 939 sg_size = sg[j].flag_count & 0xffffff;
943 // TODO 64bit fix 940 // TODO 64bit fix
944 if (copy_to_user 941 if (copy_to_user
945 ((void __user *)sg[j].addr_bus, sg_list[j], 942 ((void __user *)sg[j].addr_bus, sg_list[j].virt,
946 sg_size)) { 943 sg_size)) {
947 printk(KERN_WARNING 944 printk(KERN_WARNING
948 "%s: Could not copy %p TO user %x\n", 945 "%s: Could not copy %p TO user %x\n",
949 c->name, sg_list[j], 946 c->name, sg_list[j].virt,
950 sg[j].addr_bus); 947 sg[j].addr_bus);
951 rcode = -EFAULT; 948 rcode = -EFAULT;
952 goto sg_list_cleanup; 949 goto sg_list_cleanup;
@@ -973,7 +970,7 @@ sg_list_cleanup:
973 } 970 }
974 971
975 for (i = 0; i < sg_index; i++) 972 for (i = 0; i < sg_index; i++)
976 kfree(sg_list[i]); 973 i2o_dma_free(&c->pdev->dev, &sg_list[i]);
977 974
978cleanup: 975cleanup:
979 kfree(reply); 976 kfree(reply);
generated by cgit v1.2.2 (git 2.25.0) at 2024-12-18 17:34:07 -0500