summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJunxiao Bi <junxiao.bi@oracle.com>2019-07-22 19:15:24 +0300
committerMartin K. Petersen <martin.petersen@oracle.com>2019-07-24 05:14:06 +0300
commit3b5f307ef3cb5022bfe3c8ca5b8f2114d5bf6c29 (patch)
tree67790f64114d0ea270b39b3bb64ed7722771a311
parent359603a3847e58843881db87e5f464bb85539e95 (diff)
downloadlinux-3b5f307ef3cb5022bfe3c8ca5b8f2114d5bf6c29.tar.xz
scsi: megaraid_sas: fix panic on loading firmware crashdump
While loading fw crashdump in function fw_crash_buffer_show(), left bytes in one dma chunk was not checked, if copying size over it, overflow access will cause kernel panic. Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com> Acked-by: Sumit Saxena <sumit.saxena@broadcom.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-rw-r--r--drivers/scsi/megaraid/megaraid_sas_base.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c
index 2590746c81e3..f9f07935556e 100644
--- a/drivers/scsi/megaraid/megaraid_sas_base.c
+++ b/drivers/scsi/megaraid/megaraid_sas_base.c
@@ -3163,6 +3163,7 @@ fw_crash_buffer_show(struct device *cdev,
(struct megasas_instance *) shost->hostdata;
u32 size;
unsigned long dmachunk = CRASH_DMA_BUF_SIZE;
+ unsigned long chunk_left_bytes;
unsigned long src_addr;
unsigned long flags;
u32 buff_offset;
@@ -3186,6 +3187,8 @@ fw_crash_buffer_show(struct device *cdev,
}
size = (instance->fw_crash_buffer_size * dmachunk) - buff_offset;
+ chunk_left_bytes = dmachunk - (buff_offset % dmachunk);
+ size = (size > chunk_left_bytes) ? chunk_left_bytes : size;
size = (size >= PAGE_SIZE) ? (PAGE_SIZE - 1) : size;
src_addr = (unsigned long)instance->crash_buf[buff_offset / dmachunk] +