author | Yinghai Lu <Yinghai.Lu@Sun.COM> | 2008-02-13 19:25:16 -0500 |
---|---|---|
committer | James Bottomley <James.Bottomley@HansenPartnership.com> | 2008-02-18 09:57:15 -0500 |
commit | 691b4773aa556d0975dbc25c93e6c8b839dad325 (patch) | |
tree | a74b3d7c43ac2e8026fac59c0084ae3041076e1c /drivers/scsi | |
parent | 1309d4e68497184d2fd87e892ddf14076c2bda98 (diff) |
[SCSI] ses: fix data corruption
one system: initrd get courrupted:
RAMDISK: Compressed image found at block 0
RAMDISK: incomplete write (-28 != 2048) 134217728
crc error
VFS: Mounted root (ext2 filesystem).
Freeing unused kernel memory: 388k freed
init_special_inode: bogus i_mode (177777)
Warning: unable to open an initial console.
init_special_inode: bogus i_mode (177777)
init_special_inode: bogus i_mode (177777)
Kernel panic - not syncing: No init found. Try passing init= option to kernel.
bisected to
commit 9927c68864e9c39cc317b4f559309ba29e642168
Author: James Bottomley <James.Bottomley@HansenPartnership.com>
Date: Sun Feb 3 15:48:56 2008 -0600
[SCSI] ses: add new Enclosure ULD
changes:
1. change char to unsigned char to avoid type change later.
2. preserve len for page1
3. need to move desc_ptr even when the entry is not enclosure_component_device/raid,
so that desc_ptr stays at the right position
4. record page7 len, and double-check that desc_ptr is not out of bounds before touching it.
5. fix typo in subenclosure checking: should use hdr_buf instead.
[jejb: style fixes]
Signed-off-by: Yinghai Lu <yinghai.lu@sun.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Diffstat (limited to 'drivers/scsi')
-rw-r--r-- | drivers/scsi/ses.c | 126 |
1 files changed, 67 insertions, 59 deletions
diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c index a57fed47b39d..a6d96694d0a5 100644 --- a/drivers/scsi/ses.c +++ b/drivers/scsi/ses.c | |||
@@ -33,9 +33,9 @@ | |||
33 | #include <scsi/scsi_host.h> | 33 | #include <scsi/scsi_host.h> |
34 | 34 | ||
35 | struct ses_device { | 35 | struct ses_device { |
36 | char *page1; | 36 | unsigned char *page1; |
37 | char *page2; | 37 | unsigned char *page2; |
38 | char *page10; | 38 | unsigned char *page10; |
39 | short page1_len; | 39 | short page1_len; |
40 | short page2_len; | 40 | short page2_len; |
41 | short page10_len; | 41 | short page10_len; |
@@ -67,7 +67,7 @@ static int ses_probe(struct device *dev) | |||
67 | static int ses_recv_diag(struct scsi_device *sdev, int page_code, | 67 | static int ses_recv_diag(struct scsi_device *sdev, int page_code, |
68 | void *buf, int bufflen) | 68 | void *buf, int bufflen) |
69 | { | 69 | { |
70 | char cmd[] = { | 70 | unsigned char cmd[] = { |
71 | RECEIVE_DIAGNOSTIC, | 71 | RECEIVE_DIAGNOSTIC, |
72 | 1, /* Set PCV bit */ | 72 | 1, /* Set PCV bit */ |
73 | page_code, | 73 | page_code, |
@@ -85,7 +85,7 @@ static int ses_send_diag(struct scsi_device *sdev, int page_code, | |||
85 | { | 85 | { |
86 | u32 result; | 86 | u32 result; |
87 | 87 | ||
88 | char cmd[] = { | 88 | unsigned char cmd[] = { |
89 | SEND_DIAGNOSTIC, | 89 | SEND_DIAGNOSTIC, |
90 | 0x10, /* Set PF bit */ | 90 | 0x10, /* Set PF bit */ |
91 | 0, | 91 | 0, |
@@ -104,13 +104,13 @@ static int ses_send_diag(struct scsi_device *sdev, int page_code, | |||
104 | 104 | ||
105 | static int ses_set_page2_descriptor(struct enclosure_device *edev, | 105 | static int ses_set_page2_descriptor(struct enclosure_device *edev, |
106 | struct enclosure_component *ecomp, | 106 | struct enclosure_component *ecomp, |
107 | char *desc) | 107 | unsigned char *desc) |
108 | { | 108 | { |
109 | int i, j, count = 0, descriptor = ecomp->number; | 109 | int i, j, count = 0, descriptor = ecomp->number; |
110 | struct scsi_device *sdev = to_scsi_device(edev->cdev.dev); | 110 | struct scsi_device *sdev = to_scsi_device(edev->cdev.dev); |
111 | struct ses_device *ses_dev = edev->scratch; | 111 | struct ses_device *ses_dev = edev->scratch; |
112 | char *type_ptr = ses_dev->page1 + 12 + ses_dev->page1[11]; | 112 | unsigned char *type_ptr = ses_dev->page1 + 12 + ses_dev->page1[11]; |
113 | char *desc_ptr = ses_dev->page2 + 8; | 113 | unsigned char *desc_ptr = ses_dev->page2 + 8; |
114 | 114 | ||
115 | /* Clear everything */ | 115 | /* Clear everything */ |
116 | memset(desc_ptr, 0, ses_dev->page2_len - 8); | 116 | memset(desc_ptr, 0, ses_dev->page2_len - 8); |
@@ -133,14 +133,14 @@ static int ses_set_page2_descriptor(struct enclosure_device *edev, | |||
133 | return ses_send_diag(sdev, 2, ses_dev->page2, ses_dev->page2_len); | 133 | return ses_send_diag(sdev, 2, ses_dev->page2, ses_dev->page2_len); |
134 | } | 134 | } |
135 | 135 | ||
136 | static char *ses_get_page2_descriptor(struct enclosure_device *edev, | 136 | static unsigned char *ses_get_page2_descriptor(struct enclosure_device *edev, |
137 | struct enclosure_component *ecomp) | 137 | struct enclosure_component *ecomp) |
138 | { | 138 | { |
139 | int i, j, count = 0, descriptor = ecomp->number; | 139 | int i, j, count = 0, descriptor = ecomp->number; |
140 | struct scsi_device *sdev = to_scsi_device(edev->cdev.dev); | 140 | struct scsi_device *sdev = to_scsi_device(edev->cdev.dev); |
141 | struct ses_device *ses_dev = edev->scratch; | 141 | struct ses_device *ses_dev = edev->scratch; |
142 | char *type_ptr = ses_dev->page1 + 12 + ses_dev->page1[11]; | 142 | unsigned char *type_ptr = ses_dev->page1 + 12 + ses_dev->page1[11]; |
143 | char *desc_ptr = ses_dev->page2 + 8; | 143 | unsigned char *desc_ptr = ses_dev->page2 + 8; |
144 | 144 | ||
145 | ses_recv_diag(sdev, 2, ses_dev->page2, ses_dev->page2_len); | 145 | ses_recv_diag(sdev, 2, ses_dev->page2, ses_dev->page2_len); |
146 | 146 | ||
@@ -160,17 +160,18 @@ static char *ses_get_page2_descriptor(struct enclosure_device *edev, | |||
160 | static void ses_get_fault(struct enclosure_device *edev, | 160 | static void ses_get_fault(struct enclosure_device *edev, |
161 | struct enclosure_component *ecomp) | 161 | struct enclosure_component *ecomp) |
162 | { | 162 | { |
163 | char *desc; | 163 | unsigned char *desc; |
164 | 164 | ||
165 | desc = ses_get_page2_descriptor(edev, ecomp); | 165 | desc = ses_get_page2_descriptor(edev, ecomp); |
166 | ecomp->fault = (desc[3] & 0x60) >> 4; | 166 | if (desc) |
167 | ecomp->fault = (desc[3] & 0x60) >> 4; | ||
167 | } | 168 | } |
168 | 169 | ||
169 | static int ses_set_fault(struct enclosure_device *edev, | 170 | static int ses_set_fault(struct enclosure_device *edev, |
170 | struct enclosure_component *ecomp, | 171 | struct enclosure_component *ecomp, |
171 | enum enclosure_component_setting val) | 172 | enum enclosure_component_setting val) |
172 | { | 173 | { |
173 | char desc[4] = {0 }; | 174 | unsigned char desc[4] = {0 }; |
174 | 175 | ||
175 | switch (val) { | 176 | switch (val) { |
176 | case ENCLOSURE_SETTING_DISABLED: | 177 | case ENCLOSURE_SETTING_DISABLED: |
@@ -190,26 +191,28 @@ static int ses_set_fault(struct enclosure_device *edev, | |||
190 | static void ses_get_status(struct enclosure_device *edev, | 191 | static void ses_get_status(struct enclosure_device *edev, |
191 | struct enclosure_component *ecomp) | 192 | struct enclosure_component *ecomp) |
192 | { | 193 | { |
193 | char *desc; | 194 | unsigned char *desc; |
194 | 195 | ||
195 | desc = ses_get_page2_descriptor(edev, ecomp); | 196 | desc = ses_get_page2_descriptor(edev, ecomp); |
196 | ecomp->status = (desc[0] & 0x0f); | 197 | if (desc) |
198 | ecomp->status = (desc[0] & 0x0f); | ||
197 | } | 199 | } |
198 | 200 | ||
199 | static void ses_get_locate(struct enclosure_device *edev, | 201 | static void ses_get_locate(struct enclosure_device *edev, |
200 | struct enclosure_component *ecomp) | 202 | struct enclosure_component *ecomp) |
201 | { | 203 | { |
202 | char *desc; | 204 | unsigned char *desc; |
203 | 205 | ||
204 | desc = ses_get_page2_descriptor(edev, ecomp); | 206 | desc = ses_get_page2_descriptor(edev, ecomp); |
205 | ecomp->locate = (desc[2] & 0x02) ? 1 : 0; | 207 | if (desc) |
208 | ecomp->locate = (desc[2] & 0x02) ? 1 : 0; | ||
206 | } | 209 | } |
207 | 210 | ||
208 | static int ses_set_locate(struct enclosure_device *edev, | 211 | static int ses_set_locate(struct enclosure_device *edev, |
209 | struct enclosure_component *ecomp, | 212 | struct enclosure_component *ecomp, |
210 | enum enclosure_component_setting val) | 213 | enum enclosure_component_setting val) |
211 | { | 214 | { |
212 | char desc[4] = {0 }; | 215 | unsigned char desc[4] = {0 }; |
213 | 216 | ||
214 | switch (val) { | 217 | switch (val) { |
215 | case ENCLOSURE_SETTING_DISABLED: | 218 | case ENCLOSURE_SETTING_DISABLED: |
@@ -229,7 +232,7 @@ static int ses_set_active(struct enclosure_device *edev, | |||
229 | struct enclosure_component *ecomp, | 232 | struct enclosure_component *ecomp, |
230 | enum enclosure_component_setting val) | 233 | enum enclosure_component_setting val) |
231 | { | 234 | { |
232 | char desc[4] = {0 }; | 235 | unsigned char desc[4] = {0 }; |
233 | 236 | ||
234 | switch (val) { | 237 | switch (val) { |
235 | case ENCLOSURE_SETTING_DISABLED: | 238 | case ENCLOSURE_SETTING_DISABLED: |
@@ -409,11 +412,11 @@ static int ses_intf_add(struct class_device *cdev, | |||
409 | { | 412 | { |
410 | struct scsi_device *sdev = to_scsi_device(cdev->dev); | 413 | struct scsi_device *sdev = to_scsi_device(cdev->dev); |
411 | struct scsi_device *tmp_sdev; | 414 | struct scsi_device *tmp_sdev; |
412 | unsigned char *buf = NULL, *hdr_buf, *type_ptr, *desc_ptr, | 415 | unsigned char *buf = NULL, *hdr_buf, *type_ptr, *desc_ptr = NULL, |
413 | *addl_desc_ptr; | 416 | *addl_desc_ptr = NULL; |
414 | struct ses_device *ses_dev; | 417 | struct ses_device *ses_dev; |
415 | u32 result; | 418 | u32 result; |
416 | int i, j, types, len, components = 0; | 419 | int i, j, types, len, page7_len = 0, components = 0; |
417 | int err = -ENOMEM; | 420 | int err = -ENOMEM; |
418 | struct enclosure_device *edev; | 421 | struct enclosure_device *edev; |
419 | struct ses_component *scomp = NULL; | 422 | struct ses_component *scomp = NULL; |
@@ -447,7 +450,7 @@ static int ses_intf_add(struct class_device *cdev, | |||
447 | * traversal routines more complex */ | 450 | * traversal routines more complex */ |
448 | sdev_printk(KERN_ERR, sdev, | 451 | sdev_printk(KERN_ERR, sdev, |
449 | "FIXME driver has no support for subenclosures (%d)\n", | 452 | "FIXME driver has no support for subenclosures (%d)\n", |
450 | buf[1]); | 453 | hdr_buf[1]); |
451 | goto err_free; | 454 | goto err_free; |
452 | } | 455 | } |
453 | 456 | ||
@@ -461,9 +464,8 @@ static int ses_intf_add(struct class_device *cdev, | |||
461 | goto recv_failed; | 464 | goto recv_failed; |
462 | 465 | ||
463 | types = buf[10]; | 466 | types = buf[10]; |
464 | len = buf[11]; | ||
465 | 467 | ||
466 | type_ptr = buf + 12 + len; | 468 | type_ptr = buf + 12 + buf[11]; |
467 | 469 | ||
468 | for (i = 0; i < types; i++, type_ptr += 4) { | 470 | for (i = 0; i < types; i++, type_ptr += 4) { |
469 | if (type_ptr[0] == ENCLOSURE_COMPONENT_DEVICE || | 471 | if (type_ptr[0] == ENCLOSURE_COMPONENT_DEVICE || |
@@ -494,22 +496,21 @@ static int ses_intf_add(struct class_device *cdev, | |||
494 | /* The additional information page --- allows us | 496 | /* The additional information page --- allows us |
495 | * to match up the devices */ | 497 | * to match up the devices */ |
496 | result = ses_recv_diag(sdev, 10, hdr_buf, INIT_ALLOC_SIZE); | 498 | result = ses_recv_diag(sdev, 10, hdr_buf, INIT_ALLOC_SIZE); |
497 | if (result) | 499 | if (!result) { |
498 | goto no_page10; | 500 | |
499 | 501 | len = (hdr_buf[2] << 8) + hdr_buf[3] + 4; | |
500 | len = (hdr_buf[2] << 8) + hdr_buf[3] + 4; | 502 | buf = kzalloc(len, GFP_KERNEL); |
501 | buf = kzalloc(len, GFP_KERNEL); | 503 | if (!buf) |
502 | if (!buf) | 504 | goto err_free; |
503 | goto err_free; | 505 | |
504 | 506 | result = ses_recv_diag(sdev, 10, buf, len); | |
505 | result = ses_recv_diag(sdev, 10, buf, len); | 507 | if (result) |
506 | if (result) | 508 | goto recv_failed; |
507 | goto recv_failed; | 509 | ses_dev->page10 = buf; |
508 | ses_dev->page10 = buf; | 510 | ses_dev->page10_len = len; |
509 | ses_dev->page10_len = len; | 511 | buf = NULL; |
510 | buf = NULL; | 512 | } |
511 | 513 | ||
512 | no_page10: | ||
513 | scomp = kzalloc(sizeof(struct ses_component) * components, GFP_KERNEL); | 514 | scomp = kzalloc(sizeof(struct ses_component) * components, GFP_KERNEL); |
514 | if (!scomp) | 515 | if (!scomp) |
515 | goto err_free; | 516 | goto err_free; |
@@ -530,7 +531,7 @@ static int ses_intf_add(struct class_device *cdev, | |||
530 | if (result) | 531 | if (result) |
531 | goto simple_populate; | 532 | goto simple_populate; |
532 | 533 | ||
533 | len = (hdr_buf[2] << 8) + hdr_buf[3] + 4; | 534 | page7_len = len = (hdr_buf[2] << 8) + hdr_buf[3] + 4; |
534 | /* add 1 for trailing '\0' we'll use */ | 535 | /* add 1 for trailing '\0' we'll use */ |
535 | buf = kzalloc(len + 1, GFP_KERNEL); | 536 | buf = kzalloc(len + 1, GFP_KERNEL); |
536 | if (!buf) | 537 | if (!buf) |
@@ -547,7 +548,8 @@ static int ses_intf_add(struct class_device *cdev, | |||
547 | len = (desc_ptr[2] << 8) + desc_ptr[3]; | 548 | len = (desc_ptr[2] << 8) + desc_ptr[3]; |
548 | /* skip past overall descriptor */ | 549 | /* skip past overall descriptor */ |
549 | desc_ptr += len + 4; | 550 | desc_ptr += len + 4; |
550 | addl_desc_ptr = ses_dev->page10 + 8; | 551 | if (ses_dev->page10) |
552 | addl_desc_ptr = ses_dev->page10 + 8; | ||
551 | } | 553 | } |
552 | type_ptr = ses_dev->page1 + 12 + ses_dev->page1[11]; | 554 | type_ptr = ses_dev->page1 + 12 + ses_dev->page1[11]; |
553 | components = 0; | 555 | components = 0; |
@@ -557,29 +559,35 @@ static int ses_intf_add(struct class_device *cdev, | |||
557 | struct enclosure_component *ecomp; | 559 | struct enclosure_component *ecomp; |
558 | 560 | ||
559 | if (desc_ptr) { | 561 | if (desc_ptr) { |
560 | len = (desc_ptr[2] << 8) + desc_ptr[3]; | 562 | if (desc_ptr >= buf + page7_len) { |
561 | desc_ptr += 4; | 563 | desc_ptr = NULL; |
562 | /* Add trailing zero - pushes into | 564 | } else { |
563 | * reserved space */ | 565 | len = (desc_ptr[2] << 8) + desc_ptr[3]; |
564 | desc_ptr[len] = '\0'; | 566 | desc_ptr += 4; |
565 | name = desc_ptr; | 567 | /* Add trailing zero - pushes into |
568 | * reserved space */ | ||
569 | desc_ptr[len] = '\0'; | ||
570 | name = desc_ptr; | ||
571 | } | ||
566 | } | 572 | } |
567 | if (type_ptr[0] != ENCLOSURE_COMPONENT_DEVICE && | 573 | if (type_ptr[0] == ENCLOSURE_COMPONENT_DEVICE || |
568 | type_ptr[0] != ENCLOSURE_COMPONENT_ARRAY_DEVICE) | 574 | type_ptr[0] == ENCLOSURE_COMPONENT_ARRAY_DEVICE) { |
569 | continue; | 575 | |
570 | ecomp = enclosure_component_register(edev, | 576 | ecomp = enclosure_component_register(edev, |
571 | components++, | 577 | components++, |
572 | type_ptr[0], | 578 | type_ptr[0], |
573 | name); | 579 | name); |
574 | if (desc_ptr) { | 580 | |
575 | desc_ptr += len; | 581 | if (!IS_ERR(ecomp) && addl_desc_ptr) |
576 | if (!IS_ERR(ecomp)) | ||
577 | ses_process_descriptor(ecomp, | 582 | ses_process_descriptor(ecomp, |
578 | addl_desc_ptr); | 583 | addl_desc_ptr); |
579 | |||
580 | if (addl_desc_ptr) | ||
581 | addl_desc_ptr += addl_desc_ptr[1] + 2; | ||
582 | } | 584 | } |
585 | if (desc_ptr) | ||
586 | desc_ptr += len; | ||
587 | |||
588 | if (addl_desc_ptr) | ||
589 | addl_desc_ptr += addl_desc_ptr[1] + 2; | ||
590 | |||
583 | } | 591 | } |
584 | } | 592 | } |
585 | kfree(buf); | 593 | kfree(buf); |
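Review bot: The new guard `if (desc_ptr >= buf + page7_len)` in the descriptor loop only proves that the first byte of the descriptor lies inside the page 7 buffer; the code then reads `desc_ptr[2]`/`desc_ptr[3]` and writes `desc_ptr[len] = '\0'` with a `len` supplied by the device, so a truncated or malformed page can still push that write past the `page7_len + 1` bytes that were allocated. I would check the 4-byte header first with `if (desc_ptr + 4 > buf + page7_len)`, and once `len` is read also set `desc_ptr = NULL` when `desc_ptr + 4 + len > buf + page7_len`. The same concern applies to `addl_desc_ptr += addl_desc_ptr[1] + 2;`, which is never compared with `ses_dev->page10_len`. This assumes `buf` still points at the page 7 allocation at that point; ses_intf_add begins and ends outside the visible hunks.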