linux

korg/linux

mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2025-01-23 14:24:25 +08:00

History

Himanshu Madhani 1710ac1754 scsi: qla2xxx: Fix read offset in qla24xx_load_risc_flash() This patch fixes regression introduced by commit `f8f97b0c5b` ("scsi: qla2xxx: Cleanups for NVRAM/Flash read/write path") where flash read/write routine cleanup left out code which resulted into checksum failure leading to use-after-free stack during driver load. Following stack trace is seen in the log file qla2xxx [0000:00:00.0]-0005: : QLogic Fibre Channel HBA Driver: 10.01.00.16-k. qla2xxx [0000:00:0b.0]-001d: : Found an ISP2532 irq 11 iobase 0x0000000000f47f03. qla2xxx [0000:00:0b.0]-00cd:8: ISP Firmware failed checksum. qla2xxx [0000:00:0b.0]-00cf:8: Setup chip **FAILED**. qla2xxx [0000:00:0b.0]-00d6:8: Failed to initialize adapter - Adapter flags 2. ================================================================== BUG: KASAN: use-after-free in __list_del_entry_valid+0x15/0xd0 Read of size 8 at addr ffff8880ca05a490 by task modprobe/857 CPU: 0 PID: 857 Comm: modprobe Not tainted 5.1.0-rc1-dbg+ #4 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 Call Trace: dump_stack+0x86/0xca print_address_description+0x6c/0x234 ? __list_del_entry_valid+0x15/0xd0 kasan_report.cold.3+0x1b/0x34 ? __list_del_entry_valid+0x15/0xd0 ? __kmem_cache_shutdown.cold.95+0xf5/0x176 ? __list_del_entry_valid+0x15/0xd0 __asan_load8+0x54/0x90 __list_del_entry_valid+0x15/0xd0 dma_pool_destroy+0x4f/0x260 ? dma_free_attrs+0xb4/0xd0 qla2x00_mem_free+0x529/0xcc0 [qla2xxx] ? kobject_put+0xdb/0x230 qla2x00_probe_one+0x2b5e/0x45f0 [qla2xxx] ? qla2xxx_pci_error_detected+0x210/0x210 [qla2xxx] ? match_held_lock+0x20/0x240 ? find_held_lock+0xca/0xf0 ? mark_held_locks+0x86/0xb0 ? _raw_spin_unlock_irqrestore+0x52/0x60 ? __pm_runtime_resume+0x5b/0xb0 ? lockdep_hardirqs_on+0x185/0x260 ? _raw_spin_unlock_irqrestore+0x52/0x60 ? trace_hardirqs_on+0x24/0x130 ? preempt_count_sub+0x13/0xc0 ? _raw_spin_unlock_irqrestore+0x3d/0x60 pci_device_probe+0x154/0x1e0 really_probe+0x17d/0x540 ? device_driver_attach+0x90/0x90 driver_probe_device+0x113/0x170 ? device_driver_attach+0x90/0x90 device_driver_attach+0x88/0x90 __driver_attach+0xb5/0x190 bus_for_each_dev+0xf8/0x160 ? subsys_dev_iter_exit+0x10/0x10 ? kasan_check_read+0x11/0x20 ? preempt_count_sub+0x13/0xc0 ? _raw_spin_unlock+0x2c/0x50 driver_attach+0x26/0x30 bus_add_driver+0x238/0x2f0 driver_register+0xd7/0x150 __pci_register_driver+0xd5/0xe0 ? 0xffffffffa06c8000 qla2x00_module_init+0x208/0x254 [qla2xxx] do_one_initcall+0xc0/0x3c9 ? trace_event_raw_event_initcall_finish+0x150/0x150 ? __kasan_kmalloc.constprop.5+0xc7/0xd0 ? kasan_unpoison_shadow+0x35/0x50 ? kasan_poison_shadow+0x2f/0x40 ? __asan_register_globals+0x5a/0x70 do_init_module+0x103/0x330 load_module+0x36df/0x3b70 ? fsnotify+0x611/0x640 ? module_frob_arch_sections+0x20/0x20 ? kernel_read+0x74/0xa0 ? kasan_check_write+0x14/0x20 ? kernel_read_file+0x25e/0x320 ? do_mmap+0x42c/0x6c0 __do_sys_finit_module+0x133/0x1c0 ? __do_sys_finit_module+0x133/0x1c0 ? __do_sys_init_module+0x210/0x210 ? fput_many+0x1b/0xc0 ? fput+0xe/0x10 ? do_syscall_64+0x14/0x210 ? entry_SYSCALL_64_after_hwframe+0x49/0xbe __x64_sys_finit_module+0x3e/0x50 do_syscall_64+0x72/0x210 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x7f8bd5c03219 Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 47 fc 0c 00 f7 d8 64 89 01 48 RSP: 002b:00007fff9d11de98 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 RAX: ffffffffffffffda RBX: 000055ef21596b50 RCX: 00007f8bd5c03219 RDX: 0000000000000000 RSI: 000055ef21596570 RDI: 0000000000000004 RBP: 000055ef21596570 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000000 R13: 000055ef21596c80 R14: 0000000000040000 R15: 000055ef21596b50 Allocated by task 857: save_stack+0x43/0xd0 __kasan_kmalloc.constprop.5+0xc7/0xd0 kasan_kmalloc+0x9/0x10 kmem_cache_alloc_trace+0x144/0x300 dma_pool_create+0xb5/0x3b0 qla2x00_mem_alloc+0xb98/0x1ad0 [qla2xxx] qla2x00_probe_one+0xe28/0x45f0 [qla2xxx] pci_device_probe+0x154/0x1e0 really_probe+0x17d/0x540 driver_probe_device+0x113/0x170 device_driver_attach+0x88/0x90 __driver_attach+0xb5/0x190 bus_for_each_dev+0xf8/0x160 driver_attach+0x26/0x30 bus_add_driver+0x238/0x2f0 driver_register+0xd7/0x150 __pci_register_driver+0xd5/0xe0 qla2x00_module_init+0x208/0x254 [qla2xxx] do_one_initcall+0xc0/0x3c9 do_init_module+0x103/0x330 load_module+0x36df/0x3b70 __do_sys_finit_module+0x133/0x1c0 __x64_sys_finit_module+0x3e/0x50 do_syscall_64+0x72/0x210 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 857: save_stack+0x43/0xd0 __kasan_slab_free+0x139/0x190 kasan_slab_free+0xe/0x10 kfree+0xf0/0x2c0 dma_pool_destroy+0x24c/0x260 qla2x00_mem_free+0x529/0xcc0 [qla2xxx] qla2x00_free_device+0x167/0x1b0 [qla2xxx] qla2x00_probe_one+0x2b28/0x45f0 [qla2xxx] pci_device_probe+0x154/0x1e0 really_probe+0x17d/0x540 driver_probe_device+0x113/0x170 device_driver_attach+0x88/0x90 __driver_attach+0xb5/0x190 bus_for_each_dev+0xf8/0x160 driver_attach+0x26/0x30 bus_add_driver+0x238/0x2f0 driver_register+0xd7/0x150 __pci_register_driver+0xd5/0xe0 qla2x00_module_init+0x208/0x254 [qla2xxx] do_one_initcall+0xc0/0x3c9 do_init_module+0x103/0x330 load_module+0x36df/0x3b70 __do_sys_finit_module+0x133/0x1c0 __x64_sys_finit_module+0x3e/0x50 do_syscall_64+0x72/0x210 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff8880ca05a400 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 144 bytes inside of 192-byte region [ffff8880ca05a400, ffff8880ca05a4c0) The buggy address belongs to the page: page:ffffea0003281680 count:1 mapcount:0 mapping:ffff88811bf03380 index:0x0 compound_mapcount: 0 flags: 0x4000000000010200(slab\|head) raw: 4000000000010200 0000000000000000 0000000c00000001 ffff88811bf03380 raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880ca05a380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8880ca05a400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8880ca05a480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ^ ffff8880ca05a500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8880ca05a580: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ================================================================== Fixes: `f8f97b0c5b` ("scsi: qla2xxx: Cleanups for NVRAM/Flash read/write path") Reported-by: Bart Van Assche <bvanassche@acm.org> Tested-by: Bart Van Assche <bvanassche@acm.org> Signed-off-by: Himanshu Madhani <hmadhani@marvell.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>		2019-04-15 22:08:04 -04:00
..
Kconfig	scsi: qla2xxx: avoid unused-function warning	2017-07-01 17:14:58 -04:00
Makefile	License cleanup: add SPDX GPL-2.0 license identifier to files with no license	2017-11-02 11:10:55 +01:00
qla_attr.c	scsi: qla2xxx: Insert spaces where required	2019-04-15 22:04:40 -04:00
qla_bsg.c	scsi: qla2xxx: Leave a blank line after declarations	2019-04-15 22:04:39 -04:00
qla_bsg.h	scsi: qla2xxx: Add 28xx flash primary/secondary status/image mechanism	2019-03-19 12:22:55 -04:00
qla_dbg.c	scsi: qla2xxx: Insert spaces where required	2019-04-15 22:04:40 -04:00
qla_dbg.h	scsi: qla2xxx: Cleanups for NVRAM/Flash read/write path	2019-03-19 12:22:54 -04:00
qla_def.h	scsi: qla2xxx: Move the port_state_str[] definition from a .h to a .c file	2019-04-15 22:04:40 -04:00
qla_devtbl.h	License cleanup: add SPDX GPL-2.0 license identifier to files with no license	2017-11-02 11:10:55 +01:00
qla_dfs.c	scsi: qla2xxx: Leave a blank line after declarations	2019-04-15 22:04:39 -04:00
qla_fw.h	scsi: qla2xxx: Secure flash update support for ISP28XX	2019-03-19 12:22:55 -04:00
qla_gbl.h	scsi: qla2xxx: Move qla2x00_set_fcport_state() from a .h into a .c file	2019-04-15 22:04:40 -04:00
qla_gs.c	scsi: qla2xxx: Insert spaces where required	2019-04-15 22:04:40 -04:00
qla_init.c	scsi: qla2xxx: Fix read offset in qla24xx_load_risc_flash()	2019-04-15 22:08:04 -04:00
qla_inline.h	scsi: qla2xxx: Move qla2x00_set_fcport_state() from a .h into a .c file	2019-04-15 22:04:40 -04:00
qla_iocb.c	scsi: qla2xxx: Declare qla24xx_build_scsi_crc_2_iocbs() static	2019-04-15 22:04:40 -04:00
qla_isr.c	scsi: qla2xxx: Move the port_state_str[] definition from a .h to a .c file	2019-04-15 22:04:40 -04:00
qla_mbx.c	scsi: qla2xxx: Insert spaces where required	2019-04-15 22:04:40 -04:00
qla_mid.c	scsi: qla2xxx: Enable FC-NVME on NPIV ports	2018-12-12 20:38:13 -05:00
qla_mr.c	scsi: qla2xxx: Leave a blank line after declarations	2019-04-15 22:04:39 -04:00
qla_mr.h
qla_nvme.c	scsi: qla2xxx: Leave a blank line after declarations	2019-04-15 22:04:39 -04:00
qla_nvme.h	scsi: qla2xxx: Add First Burst support for FC-NVMe devices	2019-02-19 18:58:35 -05:00
qla_nx2.c	scsi: qla2xxx: Leave a blank line after declarations	2019-04-15 22:04:39 -04:00
qla_nx2.h	scsi: qla2xxx: Remove unused symbols	2018-02-12 11:43:24 -05:00
qla_nx.c	scsi: qla2xxx: Move the <linux/io-64-nonatomic-lo-hi.h> include directive	2019-04-15 22:04:40 -04:00
qla_nx.h	scsi: qla2xxx: Move the <linux/io-64-nonatomic-lo-hi.h> include directive	2019-04-15 22:04:40 -04:00
qla_os.c	scsi: qla2xxx: Insert spaces where required	2019-04-15 22:04:40 -04:00
qla_settings.h
qla_sup.c	scsi: qla2xxx: Insert spaces where required	2019-04-15 22:04:40 -04:00
qla_target.c	scsi: qla2xxx: Remove two superfluous casts	2019-04-15 22:04:40 -04:00
qla_target.h	scsi: qla2xxx: Remove qla_tgt_cmd.data_work and qla_tgt_cmd.data_work_free	2019-04-15 22:04:40 -04:00
qla_tmpl.c	scsi: qla2xxx: Simplification of register address used in qla_tmpl.c	2019-03-19 12:22:55 -04:00
qla_tmpl.h	scsi: qla2xxx: Correction and improvement to fwdt processing	2019-03-19 12:22:55 -04:00
qla_version.h	scsi: qla2xxx: Update driver version to 10.01.00.16-k	2019-04-03 23:45:59 -04:00
tcm_qla2xxx.c	scsi: qla2xxx: Remove qla_tgt_cmd.data_work and qla_tgt_cmd.data_work_free	2019-04-15 22:04:40 -04:00
tcm_qla2xxx.h	scsi: qla2xxx: deadlock by configfs_depend_item	2018-12-19 21:26:38 -05:00