From Olatunji:
A tool that I'm building for finding memory faults in
Linux drivers is reporting that the following loop, in
qla2x00_mbx_completion(), reads outside the allocated io memory
while reading ISP2200 mailbox registers. I would appreciate your
help in confirming this bug.
...
	wptr = (uint16_t __iomem *)MAILBOX_REG(ha, reg, 1);
	for (cnt = 1; cnt < ha->mbx_count; cnt++) {
		if (IS_QLA2200(ha) && cnt == 8)
			wptr = (uint16_t __iomem *)MAILBOX_REG(ha, reg, 8);
		if (cnt == 4 || cnt == 5)
			ha->mailbox_out[cnt] = qla2x00_debounce_register(wptr);
		else
			ha->mailbox_out[cnt] = RD_REG_WORD(wptr);
		wptr++;
	}
...
During isp2200 initialization (qla2x00_probe_one), ha->mbx_count
is set to 32, even though isp2200 has 24 mailbox registers
(mailbox0 ... mailbox23). Therefore the loop runs for
cnt=[1..31], wptr walks off the allocated mailbox register region
at cnt==24, and results in out-of-bounds reads.
Although I observed this problem in Linux 2.6.17.1, I
confirmed that it also exists in 2.6.37 and 3.1-rc4.
Fortunately, the reads outside the 24 mailbox registers are
benign. For correctness, limit the driver's read to 24.
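As an added illustration of the report above (not code from the driver or from this patch), the constructed C model below replays the mailbox-copy loop against a bounds-checked window of 24 registers and counts the reads that land past mailbox23; ISP2200_MAILBOX_REGS, rd_reg_word_checked and mbx_completion_oob_reads are names invented for the model, and the ISP2200 rebase of wptr at cnt == 8 is simplified to "register index equals cnt".

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model: ISP2200 exposes 24 mailbox registers
 * (mailbox0 .. mailbox23), as stated in the report. */
#define ISP2200_MAILBOX_REGS 24
/* The per-adapter copy the loop fills is sized for 32 entries. */
#define MAILBOX_REGISTER_COUNT 32

static uint16_t mailbox_regs[ISP2200_MAILBOX_REGS]; /* simulated io memory */
static uint16_t mailbox_out[MAILBOX_REGISTER_COUNT];

/* Bounds-checked stand-in for RD_REG_WORD(): instead of silently
 * returning whatever follows the window, it counts the overrun. */
static uint16_t rd_reg_word_checked(size_t idx, unsigned *oob_reads)
{
    if (idx >= ISP2200_MAILBOX_REGS) {
        (*oob_reads)++;
        return 0;
    }
    return mailbox_regs[idx];
}

/* Replays the qla2x00_mbx_completion() loop for a given ha->mbx_count.
 * wptr starts at register 1 and, on ISP2200, is rebased to register 8
 * at cnt == 8, so the register index always equals cnt (assumption of
 * this model). mbx_count must not exceed MAILBOX_REGISTER_COUNT.
 * Returns the number of reads that fell outside the 24 registers. */
unsigned mbx_completion_oob_reads(unsigned mbx_count)
{
    unsigned oob = 0;

    for (size_t i = 0; i < ISP2200_MAILBOX_REGS; i++)
        mailbox_regs[i] = (uint16_t)(0x1000 + i); /* constructed values */

    for (unsigned cnt = 1; cnt < mbx_count; cnt++)
        mailbox_out[cnt] = rd_reg_word_checked(cnt, &oob);
    return oob;
}

int main(void)
{
    /* mbx_count = 32 (before the fix) reads registers 24..31: 8 overruns.
     * mbx_count = 24 (after the fix) stays inside the window. */
    printf("mbx_count=32: %u out-of-bounds reads\n", mbx_completion_oob_reads(32));
    printf("mbx_count=24: %u out-of-bounds reads\n", mbx_completion_oob_reads(24));
    return 0;
}
```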
JIRA Key: V2632FC-95
* ISP2100 HBAs.
*/
#define MAILBOX_REGISTER_COUNT_2100 8
+#define MAILBOX_REGISTER_COUNT_2200 24
#define MAILBOX_REGISTER_COUNT 32
#define QLA2200A_RISC_ROM_VER 4
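Review bot: the new constant sits under a comment block that, from the visible context line, describes ISP2100 HBAs, so the reason for the value 24 is not recorded next to it; a one-line comment such as `/* ISP2200 HBAs: mailbox0 .. mailbox23. */` above `+#define MAILBOX_REGISTER_COUNT_2200 24` would keep the rationale from the report in the header. Leaving `MAILBOX_REGISTER_COUNT 32` unchanged for the other chip types looks right.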
ha->nvram_data_off = ~0;
ha->isp_ops = &qla2100_isp_ops;
} else if (IS_QLA2200(ha)) {
- ha->mbx_count = MAILBOX_REGISTER_COUNT;
+ ha->mbx_count = MAILBOX_REGISTER_COUNT_2200;
req_length = REQUEST_ENTRY_CNT_2200;
rsp_length = RESPONSE_ENTRY_CNT_2100;
ha->max_loop_id = SNS_LAST_LOOP_ID_2100;
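Review bot: with `ha->mbx_count = MAILBOX_REGISTER_COUNT_2200` the completion loop quoted in the report now stops at cnt == 23, and its `IS_QLA2200(ha) && cnt == 8` rebase still fires (8 < 24), so this hunk is consistent with that loop. Since ISP2200 previously shared MAILBOX_REGISTER_COUNT (32) with the other chips, any other ISP2200-specific path that used that symbol to mean the number of readable mailbox registers should be checked and switched to the _2200 value in the same change.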