On 7/22/19 2:20 AM, Christoph Hellwig wrote:
We should only call dma_max_mapping_size for devices that have a DMA
mask set, otherwise we can run into a NULL pointer dereference that
will crash the system.
Also we need to do a right shift to get the sectors from the size in
bytes, not a left shift.
Fixes: bdd17bdef7d8 ("scsi: core: take the DMA max mapping size into account")
Reported-by: Bart Van Assche <bvanassche@xxxxxxx>
Reported-by: Ming Lei <tom.leiming@xxxxxxxxx>
Signed-off-by: Christoph Hellwig <hch@xxxxxx>
---
drivers/scsi/scsi_lib.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 9381171c2fc0..11e64b50497f 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -1784,8 +1784,10 @@ void __scsi_init_queue(struct Scsi_Host *shost, struct request_queue *q)
blk_queue_max_integrity_segments(q, shost->sg_prot_tablesize);
}
- shost->max_sectors = min_t(unsigned int, shost->max_sectors,
- dma_max_mapping_size(dev) << SECTOR_SHIFT);
+ if (dev->dma_mask) {
+ shost->max_sectors = min_t(unsigned int, shost->max_sectors,
+ dma_max_mapping_size(dev) >> SECTOR_SHIFT);
+ }
blk_queue_max_hw_sectors(q, shost->max_sectors);
if (shost->unchecked_isa_dma)
blk_queue_bounce_limit(q, BLK_BOUNCE_ISA);
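Review bot: the new "if (dev->dma_mask)" guard in __scsi_init_queue() carries no comment saying why the DMA mask is the right condition for calling dma_max_mapping_size(dev), so a reader of scsi_lib.c cannot tell which pointer the check protects. Add a one-line comment above the check, or test the pointer that is actually dereferenced. Separately, min_t(unsigned int, ...) casts both arguments to unsigned int before comparing, so a value of dma_max_mapping_size(dev) >> SECTOR_SHIFT that does not fit in 32 bits would be truncated and could clamp shost->max_sectors lower than intended. Doing the comparison in the wider type and assigning the result afterwards would avoid that.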
Is it possible that a device defines a maximum mapping size but no DMA
mask? Is the NULL pointer dereference that can happen an attempt to
dereference dev->dma_ops? Have you considered testing the get_dma_ops()
return value instead of dev->dma_mask? I think that would make this code
easier to read.
Thanks,
Bart.