| From 30571d3a1c752a98985255bc61e10b4c6d19a83f Mon Sep 17 00:00:00 2001 |
| From: John Garry <john.garry@huawei.com> |
| Date: Thu, 9 Jul 2020 20:23:19 +0800 |
| Subject: [PATCH] scsi: scsi_debug: Add check for sdebug_max_queue during |
| module init |
| |
| commit c87bf24cfb60bce27b4d2c7e56ebfd86fb9d16bb upstream. |
| |
| sdebug_max_queue should not exceed SDEBUG_CANQUEUE, otherwise crashes like |
| this can be triggered by passing an out-of-range value: |
| |
| Hardware name: Huawei D06 /D06, BIOS Hisilicon D06 UEFI RC0 - V1.16.01 03/15/2019 |
| pstate: 20400009 (nzCv daif +PAN -UAO BTYPE=--) |
| pc : schedule_resp+0x2a4/0xa70 [scsi_debug] |
| lr : schedule_resp+0x52c/0xa70 [scsi_debug] |
| sp : ffff800022ab36f0 |
| x29: ffff800022ab36f0 x28: ffff0023a935a610 |
| x27: ffff800008e0a648 x26: 0000000000000003 |
| x25: ffff0023e84f3200 x24: 00000000003d0900 |
| x23: 0000000000000000 x22: 0000000000000000 |
| x21: ffff0023be60a320 x20: ffff0023be60b538 |
| x19: ffff800008e13000 x18: 0000000000000000 |
| x17: 0000000000000000 x16: 0000000000000000 |
| x15: 0000000000000000 x14: 0000000000000000 |
| x13: 0000000000000000 x12: 0000000000000000 |
| x11: 0000000000000000 x10: 0000000000000000 |
| x9 : 0000000000000001 x8 : 0000000000000000 |
| x7 : 0000000000000000 x6 : 00000000000000c1 |
| x5 : 0000020000200000 x4 : dead0000000000ff |
| x3 : 0000000000000200 x2 : 0000000000000200 |
| x1 : ffff800008e13d88 x0 : 0000000000000000 |
| Call trace: |
| schedule_resp+0x2a4/0xa70 [scsi_debug] |
| scsi_debug_queuecommand+0x2c4/0x9e0 [scsi_debug] |
| scsi_queue_rq+0x698/0x840 |
| __blk_mq_try_issue_directly+0x108/0x228 |
| blk_mq_request_issue_directly+0x58/0x98 |
| blk_mq_try_issue_list_directly+0x5c/0xf0 |
| blk_mq_sched_insert_requests+0x18c/0x200 |
| blk_mq_flush_plug_list+0x11c/0x190 |
| blk_flush_plug_list+0xdc/0x110 |
| blk_finish_plug+0x38/0x210 |
| blkdev_direct_IO+0x450/0x4d8 |
| generic_file_read_iter+0x84/0x180 |
| blkdev_read_iter+0x3c/0x50 |
| aio_read+0xc0/0x170 |
| io_submit_one+0x5c8/0xc98 |
| __arm64_sys_io_submit+0x1b0/0x258 |
| el0_svc_common.constprop.3+0x68/0x170 |
| do_el0_svc+0x24/0x90 |
| el0_sync_handler+0x13c/0x1a8 |
| el0_sync+0x158/0x180 |
| Code: 528847e0 72a001e0 6b00003f 540018cd (3941c340) |
| |
| In addition, it should not be less than 1. |
| |
| So add checks for these, and fail the module init for those cases. |
| |
| [mkp: changed if condition to match error message] |
| |
| Link: https://lore.kernel.org/r/1594297400-24756-2-git-send-email-john.garry@huawei.com |
| Fixes: c483739430f1 ("scsi_debug: add multiple queue support") |
| Reviewed-by: Ming Lei <ming.lei@redhat.com> |
| Acked-by: Douglas Gilbert <dgilbert@interlog.com> |
| Signed-off-by: John Garry <john.garry@huawei.com> |
| Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c |
| index 32965ec76965..44181a2cbf18 100644 |
| --- a/drivers/scsi/scsi_debug.c |
| +++ b/drivers/scsi/scsi_debug.c |
| @@ -5296,6 +5296,12 @@ static int __init scsi_debug_init(void) |
| pr_err("submit_queues must be 1 or more\n"); |
| return -EINVAL; |
| } |
| + |
| + if ((sdebug_max_queue > SDEBUG_CANQUEUE) || (sdebug_max_queue < 1)) { |
| + pr_err("max_queue must be in range [1, %d]\n", SDEBUG_CANQUEUE); |
| + return -EINVAL; |
| + } |
| + |
| sdebug_q_arr = kcalloc(submit_queues, sizeof(struct sdebug_queue), |
| GFP_KERNEL); |
| if (sdebug_q_arr == NULL) |
| -- |
| 2.27.0 |
| |