* [Bug 108771] New: scsi: ses: kasan: ses_enclosure_data_process use after free on boot SAS2X28
@ 2015-12-02 10:57 bugzilla-daemon
2015-12-03 14:05 ` [Bug 108771] " bugzilla-daemon
` (4 more replies)
0 siblings, 5 replies; 10+ messages in thread
From: bugzilla-daemon @ 2015-12-02 10:57 UTC (permalink / raw)
To: linux-scsi
https://bugzilla.kernel.org/show_bug.cgi?id=108771
Bug ID: 108771
Summary: scsi: ses: kasan: ses_enclosure_data_process use after
free on boot SAS2X28
Product: SCSI Drivers
Version: 2.5
Kernel Version: 4.3
Hardware: x86-64
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: Other
Assignee: scsi_drivers-other@kernel-bugs.osdl.org
Reporter: ptikhomirov@virtuozzo.com
Regression: No
Created attachment 196301
--> https://bugzilla.kernel.org/attachment.cgi?id=196301&action=edit
Full /var/log/messagess log and module ses.ko
Here is my setup:
Kernel: Linux 4.3 (tag:v4.3 commit:6a13feb9c8)
SCSI ses device: Host: scsi0 Channel: 00 Id: 16 Lun: 00 Vendor: LSI Model:
SAS2X28 Rev: 0e12 Type: Enclosure ANSI SCSI revision: 05
Full /var/log/messagess log in archive attached:
debug-kernel-kasan-system-log.txt
Module in archive attached: ses.ko
On debug kernel on boot when attaching enclosure scsi device, KASan detects use
after free in ses_enclosure_data_process+0xbe5(see kasan report in the end).
nm -A ./drivers/scsi/ses.ko | grep ses_enclosure_data_process
./drivers/scsi/ses.ko:0000000000002570 t ses_enclosure_data_process
objdump -D -S -l ./drivers/scsi/ses.ko --start-address=0x0000000000002570
On offset 0x3155(0x2570+0xbe5) there is code generated by kasan:
> 3144: 4c 89 5d a0 mov %r11,-0x60(%rbp)
3148: 44 89 45 a8 mov %r8d,-0x58(%rbp)
314c: 44 89 4d b0 mov %r9d,-0x50(%rbp)
/vzt/linux/drivers/scsi/ses.c:545
}
if (desc_ptr)
desc_ptr += len;
if (addl_desc_ptr)
addl_desc_ptr += addl_desc_ptr[1] + 2;
3150: e8 00 00 00 00 callq 3155
<ses_enclosure_data_process+0xbe5>
3155: 4c 8b 5d a0 mov -0x60(%rbp),%r11
3159: 44 8b 45 a8 mov -0x58(%rbp),%r8d
315d: 44 8b 4d b0 mov -0x50(%rbp),%r9d
3161: e9 34 f7 ff ff jmpq 289a
<ses_enclosure_data_process+0x32a>
To which we jump from:
/vzt/linux/drivers/scsi/ses.c:545
addl_desc_ptr += addl_desc_ptr[1] + 2;
2877: 49 8d 7c 24 01 lea 0x1(%r12),%rdi
287c: 48 89 f8 mov %rdi,%rax
287f: 48 89 fa mov %rdi,%rdx
2882: 48 c1 e8 03 shr $0x3,%rax
2886: 83 e2 07 and $0x7,%edx
2889: 42 0f b6 04 28 movzbl (%rax,%r13,1),%eax
288e: 38 d0 cmp %dl,%al
2890: 7f 08 jg 289a
<ses_enclosure_data_process+0x32a>
2892: 84 c0 test %al,%al
> 2894: 0f 85 aa 08 00 00 jne 3144 <ses_enclosure_data_process+0xbd4>
289a: 41 0f b6 44 24 01 movzbl 0x1(%r12),%eax
28a0: 4d 8d 64 04 02 lea 0x2(%r12,%rax,1),%r12
Address addl_desc_ptr[1] is not allocated here but we want to read it. Actually
we iterate through ses_dev->page10 here and it ends unexpectedly. We get number
of iterations from ses_dev->page1_num_types and ses_dev->page1_types, so it
seems that meta-data given by device is not consistent for page 1 and page 10.
My ideas on this:
a) In ses_process_descriptor we get enclosure_component->addr from
addl_desc_ptr only for ENCLOSURE_COMPONENT_DEVICE and
ENCLOSURE_COMPONENT_ARRAY_DEVICE but iterate for all entries of all types, may
be we need to move to next entry in addl_desc_ptr for only those types?
b) May be we need same check as we have for page 7, to stop when we hit a buffer
end.
Sorry I'm not too common with SCSI Enclosure Services specification and how it
should work.
Thanks in advance for your help, Pavel.
Here is KASan output:
==================================================================
BUG: KASan: use after free in ses_enclosure_data_process+0xbe5/0xe40 [ses] at
addr ffff881fed1c8c01
Read of size 1 by task systemd-udevd/1348
=============================================================================
BUG kmalloc-512 (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------
Disabling lock debugging due to kernel taint
INFO: Slab 0xffffea007fb47200 objects=32 used=30 fp=0xffff881fed1c8800
flags=0x2fffff80004080
INFO: Object 0xffff881fed1c8c00 @offset=3072 fp=0xffff881fed1c8e00
Bytes b4 ffff881fed1c8bf0: 0a 08 0b 09 0c 0a 0d 0b ff ff ff ff ff ff ff ff
................
CPU: 0 PID: 1348 Comm: systemd-udevd Tainted: G B 4.3.0 #3
Hardware name: DEPO Computers X9DRi-LN4+/X9DR3-LN4+/X9DRi-LN4+/X9DR3-LN4+, BIOS
3.2 03/04/2015
ffff881fed1c8c00 000000002924ed40 ffff8837ea77f6f8 ffffffff8199df07
ffff881ffd007340 ffff8837ea77f728 ffffffff815af4e9 ffff881ffd007340
ffffea007fb47200 ffff881fed1c8c00 ffff881fe85340c1 ffff8837ea77f750
Call Trace:
[<ffffffff8199df07>] dump_stack+0x4b/0x64
[<ffffffff815af4e9>] print_trailer+0xf9/0x150
[<ffffffff815b5e94>] object_err+0x34/0x40
[<ffffffff815b8a28>] kasan_report_error+0x1e8/0x3f0
[<ffffffff8125a53f>] ? __init_waitqueue_head+0x3f/0xa0
[<ffffffff81d675a9>] ? pm_runtime_init+0x399/0x450
[<ffffffff815b8c91>] __asan_report_load1_noabort+0x61/0x70
[<ffffffffa11fb155>] ? ses_enclosure_data_process+0xbe5/0xe40 [ses]
[<ffffffffa11fb155>] ses_enclosure_data_process+0xbe5/0xe40 [ses]
[<ffffffffa11fc1ce>] ses_intf_add+0x9ae/0xdf0 [ses]
[<ffffffff8127c100>] ? trace_hardirqs_on_caller+0x360/0x580
[<ffffffff81d4d1bf>] class_interface_register+0x1ef/0x300
[<ffffffff81d4cfd0>] ? class_dev_iter_exit+0x10/0x10
[<ffffffff81a021a0>] ? debug_object_active_state+0x370/0x370
[<ffffffff815b3b76>] ? kfree+0xe6/0x2a0
[<ffffffff810021a1>] ? do_one_initcall+0x131/0x300
[<ffffffffa1208000>] ? 0xffffffffa1208000
[<ffffffff81de57b8>] scsi_register_interface+0x38/0x50
[<ffffffffa1208013>] ses_init+0x13/0x1000 [ses]
[<ffffffff810021b1>] do_one_initcall+0x141/0x300
[<ffffffff81002070>] ? try_to_run_init_process+0x40/0x40
[<ffffffff815b8156>] ? kasan_unpoison_shadow+0x36/0x50
[<ffffffff815b8156>] ? kasan_unpoison_shadow+0x36/0x50
[<ffffffff815b8267>] ? __asan_register_globals+0x87/0xa0
[<ffffffff814b00ee>] do_init_module+0x1d0/0x5aa
[<ffffffff81332b8f>] load_module+0x409f/0x61e0
[<ffffffff81325e50>] ? __symbol_put+0xc0/0xc0
[<ffffffff8132eaf0>] ? layout_and_allocate+0x3c80/0x3c80
[<ffffffff81619ee0>] ? open_exec+0x50/0x50
[<ffffffff813267ad>] ? copy_module_from_fd.isra.46+0x1dd/0x2f0
[<ffffffff8133502b>] SyS_finit_module+0x12b/0x160
[<ffffffff81334f00>] ? SyS_init_module+0x230/0x230
[<ffffffff81004044>] ? lockdep_sys_exit_thunk+0x12/0x14
[<ffffffff82523bb2>] entry_SYSCALL_64_fastpath+0x12/0x76
Memory state around the buggy address:
ffff881fed1c8b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff881fed1c8b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff881fed1c8c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff881fed1c8c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff881fed1c8d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
--
You are receiving this mail because:
You are watching the assignee of the bug.
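The walk described in this report, as an added userspace model (not code from the original message and not the kernel's ses.c): it takes the type descriptor headers from the page 1 dump posted later in this thread and a constructed page 10 buffer with the same descriptor lengths, then shows where an every-element walk leaves the buffer and how ideas (a) and (b) behave. The names `walk_page10`, `build_page10` and `struct walk_result` are illustrative.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SES element type codes for the two slot types named in the report. */
#define ENCLOSURE_COMPONENT_DEVICE       0x01
#define ENCLOSURE_COMPONENT_ARRAY_DEVICE 0x17

/* Type descriptor headers as they appear in the page 1 dump in this thread
 * (offsets 0x38..0x5b): byte 0 = element type, byte 1 = element count. */
static const uint8_t page1_types[] = {
    0x17, 0x0c, 0x00, 0x0b,  0x04, 0x01, 0x00, 0x13,  0x03, 0x03, 0x00, 0x04,
    0x12, 0x02, 0x00, 0x0f,  0x02, 0x02, 0x00, 0x0e,  0x0e, 0x01, 0x00, 0x09,
    0x18, 0x01, 0x00, 0x0d,  0x19, 0x0e, 0x00, 0x0e,  0x11, 0x02, 0x00, 0x0e,
};
#define NUM_TYPES  (sizeof(page1_types) / 4)
#define PAGE10_LEN 512          /* 4-byte header + page length 0x1fc */

/* Constructed sample: reproduces only the descriptor headers of the page 10
 * dump (12 descriptors of length 0x22, one of length 0x46); payload zeroed. */
static size_t build_page10(uint8_t *buf)
{
    size_t off = 8;             /* descriptors start after the 8-byte header */

    memset(buf, 0, PAGE10_LEN);
    buf[0] = 0x0a; buf[2] = 0x01; buf[3] = 0xfc;
    for (int i = 0; i < 12; i++) {
        buf[off] = 0x16; buf[off + 1] = 0x22; buf[off + 3] = (uint8_t)i;
        off += 0x22 + 2;
    }
    buf[off] = 0x16; buf[off + 1] = 0x46; buf[off + 3] = 0x15;
    return off + 0x46 + 2;      /* end of the last descriptor */
}

enum walk_mode {
    WALK_ALL_ELEMENTS,          /* advance once per element of every type */
    WALK_DEVICE_SLOTS_ONLY,     /* idea (a): advance only for slot types   */
};

struct walk_result {
    int elements;               /* elements walked before stopping         */
    int consumed;               /* page 10 descriptors consumed            */
    int overrun_at;             /* element index whose read would leave
                                   the buffer, or -1 if the walk finished  */
    size_t offset;              /* descriptor offset when the walk stopped */
};

/* Walk page 10 driven by the page 1 element counts. The bounds checks are
 * idea (b): stop instead of reading once the next header or descriptor
 * would extend past the end of the buffer. */
static struct walk_result walk_page10(const uint8_t *types, size_t ntypes,
                                      const uint8_t *page10, size_t len,
                                      enum walk_mode mode)
{
    struct walk_result r = { 0, 0, -1, 8 };

    for (size_t i = 0; i < ntypes; i++) {
        uint8_t type = types[i * 4], count = types[i * 4 + 1];
        int is_slot = type == ENCLOSURE_COMPONENT_DEVICE ||
                      type == ENCLOSURE_COMPONENT_ARRAY_DEVICE;

        for (uint8_t j = 0; j < count; j++, r.elements++) {
            size_t step;

            if (mode == WALK_DEVICE_SLOTS_ONLY && !is_slot)
                continue;
            if (r.offset + 2 > len) {       /* length byte is out of bounds */
                r.overrun_at = r.elements;
                return r;
            }
            step = (size_t)page10[r.offset + 1] + 2;
            if (r.offset + step > len) {    /* descriptor body out of bounds */
                r.overrun_at = r.elements;
                return r;
            }
            r.offset += step;
            r.consumed++;
        }
    }
    return r;
}

int main(void)
{
    uint8_t page10[PAGE10_LEN];
    struct walk_result all, slots;

    build_page10(page10);
    all = walk_page10(page1_types, NUM_TYPES, page10, PAGE10_LEN,
                      WALK_ALL_ELEMENTS);
    slots = walk_page10(page1_types, NUM_TYPES, page10, PAGE10_LEN,
                        WALK_DEVICE_SLOTS_ONLY);
    printf("all elements: stopped at element %d, offset %zu, %d consumed\n",
           all.overrun_at, all.offset, all.consumed);
    printf("slots only:   walked %d elements, offset %zu, %d consumed\n",
           slots.elements, slots.offset, slots.consumed);
    return 0;
}
```

In the every-element walk the descriptor pointer sits at offset 512 when element 13 is reached, so an unchecked read of the length byte would touch offset 513, one byte past the page, which is consistent with the faulting address ending in c01 in the KASan report.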
* [Bug 108771] scsi: ses: kasan: ses_enclosure_data_process use after free on boot SAS2X28
2015-12-02 10:57 [Bug 108771] New: scsi: ses: kasan: ses_enclosure_data_process use after free on boot SAS2X28 bugzilla-daemon
@ 2015-12-03 14:05 ` bugzilla-daemon
2015-12-07 14:01 ` bugzilla-daemon
` (3 subsequent siblings)
4 siblings, 0 replies; 10+ messages in thread
From: bugzilla-daemon @ 2015-12-03 14:05 UTC (permalink / raw)
To: linux-scsi
https://bugzilla.kernel.org/show_bug.cgi?id=108771
Pavel Tikhomirov <ptikhomirov@virtuozzo.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Component|Other |SCSI
Product|SCSI Drivers |IO/Storage
* [Bug 108771] scsi: ses: kasan: ses_enclosure_data_process use after free on boot SAS2X28
2015-12-02 10:57 [Bug 108771] New: scsi: ses: kasan: ses_enclosure_data_process use after free on boot SAS2X28 bugzilla-daemon
2015-12-03 14:05 ` [Bug 108771] " bugzilla-daemon
@ 2015-12-07 14:01 ` bugzilla-daemon
2015-12-08 16:16 ` James Bottomley
2015-12-09 12:35 ` bugzilla-daemon
` (2 subsequent siblings)
4 siblings, 1 reply; 10+ messages in thread
From: bugzilla-daemon @ 2015-12-07 14:01 UTC (permalink / raw)
To: linux-scsi
https://bugzilla.kernel.org/show_bug.cgi?id=108771
--- Comment #1 from Pavel Tikhomirov <ptikhomirov@virtuozzo.com> ---
Additional info about enclosure (from that node, but older 3.10 based kernel):
[root@p9 crash]# modprobe sg
[root@p9 crash]# sg_map -i
/dev/sg0 LSI SAS2X28 0e12
/dev/sg1 /dev/sda LSI MR9260-4i 2.13
[root@p9 crash]# lsscsi -gs
[1:0:16:0] enclosu LSI SAS2X28 0e12 - /dev/sg0
-
[1:2:0:0] disk LSI MR9260-4i 2.13 /dev/sda /dev/sg1
3.99TB
[root@p9 crash]# sg_ses /dev/sg0
LSI SAS2X28 0e12
Supported diagnostic pages:
Supported Diagnostic Pages [sdp] [0x0]
Configuration (SES) [cf] [0x1]
Enclosure Status/Control (SES) [ec,es] [0x2]
Element Descriptor (SES) [ed] [0x7]
Additional Element Status (SES-2) [aes] [0xa]
Download Microcode (SES-2) [dm] [0xe]
[root@p9 crash]# sg_ses /dev/sg1
LSI MR9260-4i 2.13
disk device (not an enclosure)
Supported diagnostic pages:
* Re: [Bug 108771] scsi: ses: kasan: ses_enclosure_data_process use after free on boot SAS2X28
2015-12-07 14:01 ` bugzilla-daemon
@ 2015-12-08 16:16 ` James Bottomley
2015-12-09 12:35 ` Pavel Tikhomirov
0 siblings, 1 reply; 10+ messages in thread
From: James Bottomley @ 2015-12-08 16:16 UTC (permalink / raw)
To: bugzilla-daemon, Pavel Tikhomirov; +Cc: linux-scsi
On Mon, 2015-12-07 at 14:01 +0000, bugzilla-daemon@bugzilla.kernel.org
wrote:
> https://bugzilla.kernel.org/show_bug.cgi?id=108771
>
> --- Comment #1 from Pavel Tikhomirov <ptikhomirov@virtuozzo.com> ---
> Additional info about enclosure (from that node, but older 3.10 based kernel):
>
> [root@p9 crash]# modprobe sg
> [root@p9 crash]# sg_map -i
> /dev/sg0 LSI SAS2X28 0e12
> /dev/sg1 /dev/sda LSI MR9260-4i 2.13
> [root@p9 crash]# lsscsi -gs
> [1:0:16:0] enclosu LSI SAS2X28 0e12 - /dev/sg0
> -
> [1:2:0:0] disk LSI MR9260-4i 2.13 /dev/sda /dev/sg1
> 3.99TB
> [root@p9 crash]# sg_ses /dev/sg0
> LSI SAS2X28 0e12
> Supported diagnostic pages:
> Supported Diagnostic Pages [sdp] [0x0]
> Configuration (SES) [cf] [0x1]
> Enclosure Status/Control (SES) [ec,es] [0x2]
> Element Descriptor (SES) [ed] [0x7]
> Additional Element Status (SES-2) [aes] [0xa]
> Download Microcode (SES-2) [dm] [0xe]
> [root@p9 crash]# sg_ses /dev/sg1
> LSI MR9260-4i 2.13
> disk device (not an enclosure)
> Supported diagnostic pages:
OK, can you give us the contents of pages 1, 2 and 10 with
sg_ses --page=1 --hex /dev/sg0
sg_ses --page=2 --hex /dev/sg0
sg_ses --page=10 --hex /dev/sg0
The version of the kernel you do this on doesn't really matter.
Thanks,
James
* Re: [Bug 108771] scsi: ses: kasan: ses_enclosure_data_process use after free on boot SAS2X28
2015-12-08 16:16 ` James Bottomley
@ 2015-12-09 12:35 ` Pavel Tikhomirov
2015-12-10 0:43 ` James Bottomley
0 siblings, 1 reply; 10+ messages in thread
From: Pavel Tikhomirov @ 2015-12-09 12:35 UTC (permalink / raw)
To: James Bottomley, bugzilla-daemon; +Cc: linux-scsi
On 12/08/2015 07:16 PM, James Bottomley wrote:
> On Mon, 2015-12-07 at 14:01 +0000, bugzilla-daemon@bugzilla.kernel.org
> wrote:
>> https://bugzilla.kernel.org/show_bug.cgi?id=108771
>>
>> --- Comment #1 from Pavel Tikhomirov <ptikhomirov@virtuozzo.com> ---
>> Additional info about enclosure (from that node, but older 3.10 based kernel):
>>
>> [root@p9 crash]# modprobe sg
>> [root@p9 crash]# sg_map -i
>> /dev/sg0 LSI SAS2X28 0e12
>> /dev/sg1 /dev/sda LSI MR9260-4i 2.13
>> [root@p9 crash]# lsscsi -gs
>> [1:0:16:0] enclosu LSI SAS2X28 0e12 - /dev/sg0
>> -
>> [1:2:0:0] disk LSI MR9260-4i 2.13 /dev/sda /dev/sg1
>> 3.99TB
>> [root@p9 crash]# sg_ses /dev/sg0
>> LSI SAS2X28 0e12
>> Supported diagnostic pages:
>> Supported Diagnostic Pages [sdp] [0x0]
>> Configuration (SES) [cf] [0x1]
>> Enclosure Status/Control (SES) [ec,es] [0x2]
>> Element Descriptor (SES) [ed] [0x7]
>> Additional Element Status (SES-2) [aes] [0xa]
>> Download Microcode (SES-2) [dm] [0xe]
>> [root@p9 crash]# sg_ses /dev/sg1
>> LSI MR9260-4i 2.13
>> disk device (not an enclosure)
>> Supported diagnostic pages:
>
> OK, can you give us the contents of pages 1, 2 and 10 with
>
> sg_ses --page=1 --hex /dev/sg0
> sg_ses --page=2 --hex /dev/sg0
> sg_ses --page=10 --hex /dev/sg0
>
> The version of the kernel you do this on doesn't really matter.
Here are these pages:
[root@p9 ~]# sg_ses --page=1 --hex /dev/sg0
LSI SAS2X28 0e12
Response in hex from diagnostic page: Configuration (SES)
00 01 00 00 c9 00 00 00 00 11 00 09 2c 50 03 04 80
...........,P...
10 00 a7 1e bf 4c 53 49 20 20 20 20 20 53 41 53 32 ....LSI
SAS2
20 58 32 38 20 20 20 20 20 20 20 20 20 30 65 31 32 X28
0e12
30 11 22 33 44 55 00 00 00 17 0c 00 0b 04 01 00 13
."3DU...........
40 03 03 00 04 12 02 00 0f 02 02 00 0e 0e 01 00 09
................
50 18 01 00 0d 19 0e 00 0e 11 02 00 0e 44 72 69 76
............Driv
60 65 20 53 6c 6f 74 73 54 65 6d 70 65 72 61 74 75 e
SlotsTemperatu
70 72 65 20 53 65 6e 73 6f 72 73 46 61 6e 73 56 6f re
SensorsFansVo
80 6c 74 61 67 65 20 53 65 6e 73 6f 72 73 50 6f 77 ltage
SensorsPow
90 65 72 20 53 75 70 70 6c 69 65 73 45 6e 63 6c 6f er
SuppliesEnclo
a0 73 75 72 65 53 41 53 20 45 78 70 61 6e 64 65 72 sureSAS
Expander
b0 73 53 41 53 20 43 6f 6e 6e 65 63 74 6f 72 73 45 sSAS
ConnectorsE
c0 74 68 65 72 6e 65 74 20 70 6f 72 74 73 thernet ports
[root@p9 ~]# sg_ses --page=2 --hex /dev/sg0
LSI SAS2X28 0e12
Response in hex from diagnostic page: Enclosure Status (SES)
00 02 00 00 c0 00 00 00 00 00 00 00 00 05 00 00 00
................
10 05 00 00 00 01 00 00 00 05 00 00 00 05 00 00 00
................
20 01 00 00 00 05 00 00 00 05 00 00 00 01 00 00 00
................
30 05 00 00 00 05 00 00 00 01 00 00 00 00 00 00 00
................
40 01 00 2c 00 00 00 00 00 05 00 00 50 05 00 00 50
..,........P...P
50 05 00 00 50 00 00 00 00 01 00 01 f9 01 00 04 b3
...P............
60 00 00 00 00 47 80 00 20 47 80 00 20 00 00 00 00 ....G.. G..
....
70 01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00
................
80 01 11 ff 00 01 11 ff 00 01 20 00 00 01 20 00 00 .........
... ..
90 01 20 00 00 01 20 00 00 01 20 00 00 01 20 00 00 . ... ...
... ..
a0 01 20 00 00 01 20 00 00 01 20 00 00 01 20 00 00 . ... ...
... ..
b0 01 20 00 00 01 20 00 00 00 00 00 00 00 00 00 00 . ...
..........
c0 00 00 00 00 ....
[root@p9 ~]# sg_ses --page=10 --hex /dev/sg0
LSI SAS2X28 0e12
Response in hex from diagnostic page: Additional Element Status (SES-2)
00 0a 00 01 fc 00 00 00 00 16 22 00 00 01 00 00 00
........."......
10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
................
20 00 00 00 00 00 00 00 00 00 00 00 00 16 22 00 01
............."..
30 01 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00
................
40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
................
50 16 22 00 02 01 00 00 02 00 00 00 01 50 03 04 80
."..........P...
60 00 a7 1e bf 50 03 04 80 00 a7 1e ae 00 00 00 00
....P...........
70 00 00 00 00 16 22 00 03 01 00 00 03 00 00 00 00
....."..........
80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
................
90 00 00 00 00 00 00 00 00 16 22 00 04 01 00 00 04
........."......
a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
................
b0 00 00 00 00 00 00 00 00 00 00 00 00 16 22 00 05
............."..
c0 01 00 00 05 00 00 00 01 50 03 04 80 00 a7 1e bf
........P.......
d0 50 03 04 80 00 a7 1e b1 00 00 00 00 00 00 00 00
P...............
e0 16 22 00 06 01 00 00 06 00 00 00 00 00 00 00 00
."..............
f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
................
100 00 00 00 00 16 22 00 07 01 00 00 07 00 00 00 00
....."..........
110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
................
120 00 00 00 00 00 00 00 00 16 22 00 08 01 00 00 08
........."......
130 00 00 00 01 50 03 04 80 00 a7 1e bf 50 03 04 80
....P.......P...
140 00 a7 1e b4 00 00 00 00 00 00 00 00 16 22 00 09
............."..
150 01 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00
................
160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
................
170 16 22 00 0a 01 00 00 0a 00 00 00 00 00 00 00 00
."..............
180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
................
190 00 00 00 00 16 22 00 0b 01 00 00 0b 00 00 00 01
....."..........
1a0 50 03 04 80 00 a7 1e bf 50 03 04 80 00 a7 1e b7
P.......P.......
1b0 00 00 00 00 00 00 00 00 16 46 00 15 1c 40 00 00
.........F...@..
1c0 50 03 04 80 00 a7 1e bf 00 ff 00 ff 00 ff 00 ff
P...............
1d0 01 ff 01 ff 01 ff 01 ff ff ff ff ff ff ff ff ff
................
1e0 02 00 03 01 04 02 05 03 06 04 07 05 08 06 09 07
................
1f0 0a 08 0b 09 0c 0a 0d 0b ff ff ff ff ff ff ff ff
................
Thanks a lot,
Pavel
--
Best regards, Tikhomirov Pavel
Software Developer, Odin.
* Re: [Bug 108771] scsi: ses: kasan: ses_enclosure_data_process use after free on boot SAS2X28
2015-12-09 12:35 ` Pavel Tikhomirov
@ 2015-12-10 0:43 ` James Bottomley
2015-12-11 8:03 ` Pavel Tikhomirov
0 siblings, 1 reply; 10+ messages in thread
From: James Bottomley @ 2015-12-10 0:43 UTC (permalink / raw)
To: Pavel Tikhomirov; +Cc: bugzilla-daemon, linux-scsi
On Wed, 2015-12-09 at 15:35 +0300, Pavel Tikhomirov wrote:
>
> On 12/08/2015 07:16 PM, James Bottomley wrote:
> > On Mon, 2015-12-07 at 14:01 +0000, bugzilla-daemon@bugzilla.kernel.org
> > wrote:
> >> https://bugzilla.kernel.org/show_bug.cgi?id=108771
> >>
> >> --- Comment #1 from Pavel Tikhomirov <ptikhomirov@virtuozzo.com> ---
> >> Additional info about enclosure (from that node, but older 3.10 based kernel):
> >>
> >> [root@p9 crash]# modprobe sg
> >> [root@p9 crash]# sg_map -i
> >> /dev/sg0 LSI SAS2X28 0e12
> >> /dev/sg1 /dev/sda LSI MR9260-4i 2.13
> >> [root@p9 crash]# lsscsi -gs
> >> [1:0:16:0] enclosu LSI SAS2X28 0e12 - /dev/sg0
> >> -
> >> [1:2:0:0] disk LSI MR9260-4i 2.13 /dev/sda /dev/sg1
> >> 3.99TB
> >> [root@p9 crash]# sg_ses /dev/sg0
> >> LSI SAS2X28 0e12
> >> Supported diagnostic pages:
> >> Supported Diagnostic Pages [sdp] [0x0]
> >> Configuration (SES) [cf] [0x1]
> >> Enclosure Status/Control (SES) [ec,es] [0x2]
> >> Element Descriptor (SES) [ed] [0x7]
> >> Additional Element Status (SES-2) [aes] [0xa]
> >> Download Microcode (SES-2) [dm] [0xe]
> >> [root@p9 crash]# sg_ses /dev/sg1
> >> LSI MR9260-4i 2.13
> >> disk device (not an enclosure)
> >> Supported diagnostic pages:
> >
> > OK, can you give us the contents of pages 1, 2 and 10 with
> >
> > sg_ses --page=1 --hex /dev/sg0
> > sg_ses --page=2 --hex /dev/sg0
> > sg_ses --page=10 --hex /dev/sg0
> >
> > The version of the kernel you do this on doesn't really matter.
>
> Here are these pages:
>
> [root@p9 ~]# sg_ses --page=1 --hex /dev/sg0
> LSI SAS2X28 0e12
> Response in hex from diagnostic page: Configuration (SES)
> 00 01 00 00 c9 00 00 00 00 11 00 09 2c 50 03 04 80
> ...........,P...
> 10 00 a7 1e bf 4c 53 49 20 20 20 20 20 53 41 53 32 ....LSI
> SAS2
> 20 58 32 38 20 20 20 20 20 20 20 20 20 30 65 31 32 X28
> 0e12
> 30 11 22 33 44 55 00 00 00 17 0c 00 0b 04 01 00 13
> ."3DU...........
> 40 03 03 00 04 12 02 00 0f 02 02 00 0e 0e 01 00 09
> ................
> 50 18 01 00 0d 19 0e 00 0e 11 02 00 0e 44 72 69 76
> ............Driv
> 60 65 20 53 6c 6f 74 73 54 65 6d 70 65 72 61 74 75 e
> SlotsTemperatu
> 70 72 65 20 53 65 6e 73 6f 72 73 46 61 6e 73 56 6f re
> SensorsFansVo
> 80 6c 74 61 67 65 20 53 65 6e 73 6f 72 73 50 6f 77 ltage
> SensorsPow
> 90 65 72 20 53 75 70 70 6c 69 65 73 45 6e 63 6c 6f er
> SuppliesEnclo
> a0 73 75 72 65 53 41 53 20 45 78 70 61 6e 64 65 72 sureSAS
> Expander
> b0 73 53 41 53 20 43 6f 6e 6e 65 63 74 6f 72 73 45 sSAS
> ConnectorsE
> c0 74 68 65 72 6e 65 74 20 70 6f 72 74 73 thernet ports
Wow, that's some crazy enclosure. The description says it's a single
primary subenclosure with 9 different element types comprising 12 Device
slots, 1 temperature sensor, 3 fans, 2 voltage sensors, 2 power
supplies, 1 Enclosure, 1 SAS Expander, 14 SAS connectors, 2
Communications ports. For 38 total element descriptors.
> [root@p9 ~]# sg_ses --page=2 --hex /dev/sg0
> LSI SAS2X28 0e12
> Response in hex from diagnostic page: Enclosure Status (SES)
> 00 02 00 00 c0 00 00 00 00 00 00 00 00 05 00 00 00
> ................
> 10 05 00 00 00 01 00 00 00 05 00 00 00 05 00 00 00
> ................
> 20 01 00 00 00 05 00 00 00 05 00 00 00 01 00 00 00
> ................
> 30 05 00 00 00 05 00 00 00 01 00 00 00 00 00 00 00
> ................
> 40 01 00 2c 00 00 00 00 00 05 00 00 50 05 00 00 50
> ..,........P...P
> 50 05 00 00 50 00 00 00 00 01 00 01 f9 01 00 04 b3
> ...P............
> 60 00 00 00 00 47 80 00 20 47 80 00 20 00 00 00 00 ....G.. G..
> ....
> 70 01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00
> ................
> 80 01 11 ff 00 01 11 ff 00 01 20 00 00 01 20 00 00 .........
> ... ..
> 90 01 20 00 00 01 20 00 00 01 20 00 00 01 20 00 00 . ... ...
> ... ..
> a0 01 20 00 00 01 20 00 00 01 20 00 00 01 20 00 00 . ... ...
> ... ..
> b0 01 20 00 00 01 20 00 00 00 00 00 00 00 00 00 00 . ...
> ..........
> c0 00 00 00 00
Given each type has one overall descriptor followed by the individual
ones, we have 38 + 9 = 47 total descriptors, which is what we see here.
> [root@p9 ~]# sg_ses --page=10 --hex /dev/sg0
> LSI SAS2X28 0e12
> Response in hex from diagnostic page: Additional Element Status (SES-2)
> 00 0a 00 01 fc 00 00 00 00 16 22 00 00 01 00 00 00
> ........."......
> 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 20 00 00 00 00 00 00 00 00 00 00 00 00 16 22 00 01
> ............."..
> 30 01 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 50 16 22 00 02 01 00 00 02 00 00 00 01 50 03 04 80
> ."..........P...
> 60 00 a7 1e bf 50 03 04 80 00 a7 1e ae 00 00 00 00
> ....P...........
> 70 00 00 00 00 16 22 00 03 01 00 00 03 00 00 00 00
> ....."..........
> 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 90 00 00 00 00 00 00 00 00 16 22 00 04 01 00 00 04
> ........."......
> a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> b0 00 00 00 00 00 00 00 00 00 00 00 00 16 22 00 05
> ............."..
> c0 01 00 00 05 00 00 00 01 50 03 04 80 00 a7 1e bf
> ........P.......
> d0 50 03 04 80 00 a7 1e b1 00 00 00 00 00 00 00 00
> P...............
> e0 16 22 00 06 01 00 00 06 00 00 00 00 00 00 00 00
> ."..............
> f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 100 00 00 00 00 16 22 00 07 01 00 00 07 00 00 00 00
> ....."..........
> 110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 120 00 00 00 00 00 00 00 00 16 22 00 08 01 00 00 08
> ........."......
> 130 00 00 00 01 50 03 04 80 00 a7 1e bf 50 03 04 80
> ....P.......P...
> 140 00 a7 1e b4 00 00 00 00 00 00 00 00 16 22 00 09
> ............."..
> 150 01 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 170 16 22 00 0a 01 00 00 0a 00 00 00 00 00 00 00 00
> ."..............
> 180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 190 00 00 00 00 16 22 00 0b 01 00 00 0b 00 00 00 01
> ....."..........
> 1a0 50 03 04 80 00 a7 1e bf 50 03 04 80 00 a7 1e b7
> P.......P.......
> 1b0 00 00 00 00 00 00 00 00 16 46 00 15 1c 40 00 00
> .........F...@..
> 1c0 50 03 04 80 00 a7 1e bf 00 ff 00 ff 00 ff 00 ff
> P...............
> 1d0 01 ff 01 ff 01 ff 01 ff ff ff ff ff ff ff ff ff
> ................
> 1e0 02 00 03 01 04 02 05 03 06 04 07 05 08 06 09 07
> ................
> 1f0 0a 08 0b 09 0c 0a 0d 0b ff ff ff ff ff ff ff ff
> ................
OK, so this is the problem. There are 12 Array additional descriptors
and one for the expander. The standard says (6.1.13.1) that this is all
in order, so the problem is that ses.c expects every type to have an
additional element descriptor and we've just never run across an
enclosure with non-slot components before.
Does this patch fix it?
James
---
diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c
index 1736935..53ef1cb 100644
--- a/drivers/scsi/ses.c
+++ b/drivers/scsi/ses.c
@@ -561,7 +561,15 @@ static void ses_enclosure_data_process(struct enclosure_device *edev,
if (desc_ptr)
desc_ptr += len;
- if (addl_desc_ptr)
+ if (addl_desc_ptr &&
+ /* only find additional descriptions for specific devices */
+ (type_ptr[0] == ENCLOSURE_COMPONENT_DEVICE ||
+ type_ptr[0] == ENCLOSURE_COMPONENT_ARRAY_DEVICE ||
+ type_ptr[0] == ENCLOSURE_COMPONENT_SAS_EXPANDER ||
+ /* these elements are optional */
+ type_ptr[0] == ENCLOSURE_COMPONENT_SCSI_TARGET_PORT ||
+ type_ptr[0] == ENCLOSURE_COMPONENT_SCSI_INITIATOR_PORT ||
+ type_ptr[0] == ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS))
addl_desc_ptr += addl_desc_ptr[1] + 2;
}
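Review bot: The advance `addl_desc_ptr += addl_desc_ptr[1] + 2;` under the new condition still trusts the length byte supplied by the enclosure, and nothing in this hunk checks the resulting pointer against the end of the page 10 data. The type filter removes the desync seen on this enclosure, but three of the listed types are marked optional in the comment, so an enclosure that has such elements and omits their descriptors would run off the buffer the same way; consider clearing addl_desc_ptr once it reaches the end of the page so the existing NULL test stops the walk. The six comparisons with comments embedded in the expression would also read better as a small helper function.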
diff --git a/include/linux/enclosure.h b/include/linux/enclosure.h
index 7be22da..a4cf57c 100644
--- a/include/linux/enclosure.h
+++ b/include/linux/enclosure.h
@@ -29,7 +29,11 @@
/* A few generic types ... taken from ses-2 */
enum enclosure_component_type {
ENCLOSURE_COMPONENT_DEVICE = 0x01,
+ ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS = 0x07,
+ ENCLOSURE_COMPONENT_SCSI_TARGET_PORT = 0x14,
+ ENCLOSURE_COMPONENT_SCSI_INITIATOR_PORT = 0x15,
ENCLOSURE_COMPONENT_ARRAY_DEVICE = 0x17,
+ ENCLOSURE_COMPONENT_SAS_EXPANDER = 0x18,
};
/* ses-2 common element status */
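Review bot: The four values added to enum enclosure_component_type carry no comment saying why these types in particular were added; the header comment still reads only "A few generic types ... taken from ses-2". Since the ses.c hunk uses exactly this set to decide which elements have an additional element status descriptor, a one-line comment here saying so, and noting which three are optional, would keep the enum and the condition in ses_enclosure_data_process() from drifting apart.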
* Re: [Bug 108771] scsi: ses: kasan: ses_enclosure_data_process use after free on boot SAS2X28
2015-12-10 0:43 ` James Bottomley
@ 2015-12-11 8:03 ` Pavel Tikhomirov
0 siblings, 0 replies; 10+ messages in thread
From: Pavel Tikhomirov @ 2015-12-11 8:03 UTC (permalink / raw)
To: James Bottomley; +Cc: bugzilla-daemon, linux-scsi
On 12/10/2015 03:43 AM, James Bottomley wrote:
> On Wed, 2015-12-09 at 15:35 +0300, Pavel Tikhomirov wrote:
>>
>> On 12/08/2015 07:16 PM, James Bottomley wrote:
>>> On Mon, 2015-12-07 at 14:01 +0000, bugzilla-daemon@bugzilla.kernel.org
>>> wrote:
>>>> https://bugzilla.kernel.org/show_bug.cgi?id=108771
>>>>
>>>> --- Comment #1 from Pavel Tikhomirov <ptikhomirov@virtuozzo.com> ---
>>>> Additional info about enclosure (from that node, but older 3.10 based kernel):
>>>>
>>>> [root@p9 crash]# modprobe sg
>>>> [root@p9 crash]# sg_map -i
>>>> /dev/sg0 LSI SAS2X28 0e12
>>>> /dev/sg1 /dev/sda LSI MR9260-4i 2.13
>>>> [root@p9 crash]# lsscsi -gs
>>>> [1:0:16:0] enclosu LSI SAS2X28 0e12 - /dev/sg0
>>>> -
>>>> [1:2:0:0] disk LSI MR9260-4i 2.13 /dev/sda /dev/sg1
>>>> 3.99TB
>>>> [root@p9 crash]# sg_ses /dev/sg0
>>>> LSI SAS2X28 0e12
>>>> Supported diagnostic pages:
>>>> Supported Diagnostic Pages [sdp] [0x0]
>>>> Configuration (SES) [cf] [0x1]
>>>> Enclosure Status/Control (SES) [ec,es] [0x2]
>>>> Element Descriptor (SES) [ed] [0x7]
>>>> Additional Element Status (SES-2) [aes] [0xa]
>>>> Download Microcode (SES-2) [dm] [0xe]
>>>> [root@p9 crash]# sg_ses /dev/sg1
>>>> LSI MR9260-4i 2.13
>>>> disk device (not an enclosure)
>>>> Supported diagnostic pages:
>>>
>>> OK, can you give us the contents of pages 1, 2 and 10 with
>>>
>>> sg_ses --page=1 --hex /dev/sg0
>>> sg_ses --page=2 --hex /dev/sg0
>>> sg_ses --page=10 --hex /dev/sg0
>>>
>>> The version of the kernel you do this on doesn't really matter.
>>
>> Here are these pages:
>>
>> [root@p9 ~]# sg_ses --page=1 --hex /dev/sg0
>> LSI SAS2X28 0e12
>> Response in hex from diagnostic page: Configuration (SES)
>
> Wow, that's some crazy enclosure. The description says it's a single
> primary subenclosure with 9 different element types comprising 12 Device
> slots, 1 temperature sensor, 3 fans, 2 voltage sensors, 2 power
> supplies, 1 Enclosure, 1 SAS Expander, 14 SAS connectors, 2
> Communications ports. For 38 total element descriptors.
>
>> [root@p9 ~]# sg_ses --page=2 --hex /dev/sg0
>> LSI SAS2X28 0e12
>> Response in hex from diagnostic page: Enclosure Status (SES)
>
> Given each type has one overall descriptor followed by the individual
> ones, we have 38 + 9 = 47 total descriptors, which is what we see here.
>
>> [root@p9 ~]# sg_ses --page=10 --hex /dev/sg0
>> LSI SAS2X28 0e12
>> Response in hex from diagnostic page: Additional Element Status (SES-2)
>
> OK, so this is the problem. There are 12 Array additional descriptors
> and one for the expander. The standard says (6.1.13.1) that this is all
> in order, so the problem is that ses.c expects every type to have an
> additional element descriptor and we've just never run across an
> enclosure with non-slot components before.
>
> Does this patch fix it?
It looks like yes, I am no longer able to reproduce the warning from KASan.
[ 22.919261] EDAC sbridge: Ver: 1.1.1
[ 22.921993] iTCO_vendor_support: vendor-support=0
[ 22.936523] ses 0:0:16:0: Attached Enclosure device
Tested-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
>
> James
>
> ---
>
> diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c
> index 1736935..53ef1cb 100644
> --- a/drivers/scsi/ses.c
> +++ b/drivers/scsi/ses.c
> @@ -561,7 +561,15 @@ static void ses_enclosure_data_process(struct enclosure_device *edev,
> if (desc_ptr)
> desc_ptr += len;
>
> - if (addl_desc_ptr)
> + if (addl_desc_ptr &&
> + /* only find additional descriptions for specific devices */
> + (type_ptr[0] == ENCLOSURE_COMPONENT_DEVICE ||
> + type_ptr[0] == ENCLOSURE_COMPONENT_ARRAY_DEVICE ||
> + type_ptr[0] == ENCLOSURE_COMPONENT_SAS_EXPANDER ||
> + /* these elements are optional */
> + type_ptr[0] == ENCLOSURE_COMPONENT_SCSI_TARGET_PORT ||
> + type_ptr[0] == ENCLOSURE_COMPONENT_SCSI_INITIATOR_PORT ||
> + type_ptr[0] == ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS))
> addl_desc_ptr += addl_desc_ptr[1] + 2;
>
> }
> diff --git a/include/linux/enclosure.h b/include/linux/enclosure.h
> index 7be22da..a4cf57c 100644
> --- a/include/linux/enclosure.h
> +++ b/include/linux/enclosure.h
> @@ -29,7 +29,11 @@
> /* A few generic types ... taken from ses-2 */
> enum enclosure_component_type {
> ENCLOSURE_COMPONENT_DEVICE = 0x01,
> + ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS = 0x07,
> + ENCLOSURE_COMPONENT_SCSI_TARGET_PORT = 0x14,
> + ENCLOSURE_COMPONENT_SCSI_INITIATOR_PORT = 0x15,
> ENCLOSURE_COMPONENT_ARRAY_DEVICE = 0x17,
> + ENCLOSURE_COMPONENT_SAS_EXPANDER = 0x18,
> };
>
> /* ses-2 common element status */
--
Best regards, Tikhomirov Pavel
Software Developer, Odin.
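The descriptor walk that the analysis and patch in this thread address, modelled in user space as an added example; it is not code from ses.c or from either poster. The type counts and descriptor header bytes come from the page 1 and page 10 dumps in the thread, while the zeroed payload, all function and struct names, and the one-advance-per-element model of the pre-patch loop are assumptions made here. The bounds checks in walk() are also an addition of this example and are not part of the patch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Type descriptor headers (element type, element count) copied from the
 * Configuration page dump in the thread: 9 types, 38 elements in total. */
struct type_hdr { uint8_t type, count; };
static const struct type_hdr sas2x28_types[] = {
	{0x17, 12}, {0x04, 1}, {0x03, 3}, {0x12, 2}, {0x02, 2},
	{0x0e, 1}, {0x18, 1}, {0x19, 14}, {0x11, 2},
};
#define NTYPES (sizeof(sas2x28_types) / sizeof(sas2x28_types[0]))
#define PAGE10_LEN 512u	/* 4-byte header + page length 0x01fc */
#define PAGE10_HDR 8u	/* first descriptor starts at offset 8 in the dump */

/* Element types the patch advances addl_desc_ptr for (values from its enum). */
static int has_addl_desc(uint8_t type)
{
	return type == 0x01 || type == 0x17 || type == 0x18 ||
	       type == 0x14 || type == 0x15 || type == 0x07;
}

/* Constructed page 10: descriptor headers as in the thread's dump (twelve
 * 0x16/0x22 descriptors, then one 0x16/0x46); all payload bytes are zeroed. */
static void build_page10(uint8_t *buf)
{
	size_t off = PAGE10_HDR;
	int i;

	memset(buf, 0, PAGE10_LEN);
	buf[0] = 0x0a; buf[2] = 0x01; buf[3] = 0xfc;
	for (i = 0; i < 13; i++) {
		uint8_t len = (i < 12) ? 0x22 : 0x46;

		buf[off] = 0x16;
		buf[off + 1] = len;
		off += (size_t)len + 2;
	}
}

struct walk_result {
	int elements_seen;	/* elements handled before the walk stopped */
	size_t end_off;		/* descriptor offset when it stopped */
	int out_of_bounds;	/* 1: next advance would read outside buf */
};

/* filter == 0: advance once per element (the pre-patch assumption).
 * filter == 1: advance only for the types the patch lists.
 * Either way the offset is checked before the length byte is read. */
static struct walk_result walk(const uint8_t *buf, size_t len, int filter)
{
	struct walk_result r = { 0, PAGE10_HDR, 0 };
	int i, j;

	for (i = 0; i < (int)NTYPES; i++) {
		for (j = 0; j < sas2x28_types[i].count; j++) {
			if (!filter || has_addl_desc(sas2x28_types[i].type)) {
				if (r.end_off + 2 > len ||
				    r.end_off + 2 + buf[r.end_off + 1] > len) {
					r.out_of_bounds = 1;
					return r;
				}
				r.end_off += (size_t)buf[r.end_off + 1] + 2;
			}
			r.elements_seen++;
		}
	}
	return r;
}

int main(void)
{
	uint8_t buf[PAGE10_LEN];
	struct walk_result a, b;

	build_page10(buf);
	a = walk(buf, sizeof(buf), 0);
	b = walk(buf, sizeof(buf), 1);
	printf("per-element: %d elements, oob=%d\n", a.elements_seen, a.out_of_bounds);
	printf("filtered: %d elements, end %zu\n", b.elements_seen, b.end_off);
	return 0;
}
```

With one advance per element, the 13 descriptors are used up after 13 of the 38 elements and the next advance would read past the page. With the type filter, all 38 elements are visited and the offset ends exactly at the 512-byte end of the page.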
* [Bug 108771] scsi: ses: kasan: ses_enclosure_data_process use after free on boot SAS2X28
2015-12-02 10:57 [Bug 108771] New: scsi: ses: kasan: ses_enclosure_data_process use after free on boot SAS2X28 bugzilla-daemon
` (2 preceding siblings ...)
2015-12-09 12:35 ` bugzilla-daemon
@ 2015-12-11 8:03 ` bugzilla-daemon
2016-12-30 9:54 ` bugzilla-daemon
4 siblings, 0 replies; 10+ messages in thread
From: bugzilla-daemon @ 2015-12-11 8:03 UTC (permalink / raw)
To: linux-scsi
https://bugzilla.kernel.org/show_bug.cgi?id=108771
--- Comment #3 from Pavel Tikhomirov <ptikhomirov@virtuozzo.com> ---
On 12/10/2015 03:43 AM, James Bottomley wrote:
> On Wed, 2015-12-09 at 15:35 +0300, Pavel Tikhomirov wrote:
>>
>> On 12/08/2015 07:16 PM, James Bottomley wrote:
>>> On Mon, 2015-12-07 at 14:01 +0000, bugzilla-daemon@bugzilla.kernel.org
>>> wrote:
>>>> https://bugzilla.kernel.org/show_bug.cgi?id=108771
>>>>
>>>> --- Comment #1 from Pavel Tikhomirov <ptikhomirov@virtuozzo.com> ---
>>>> Additional info about enclosure (from that node, but older 3.10 based kernel):
>>>>
>>>> [root@p9 crash]# modprobe sg
>>>> [root@p9 crash]# sg_map -i
>>>> /dev/sg0 LSI SAS2X28 0e12
>>>> /dev/sg1 /dev/sda LSI MR9260-4i 2.13
>>>> [root@p9 crash]# lsscsi -gs
>>>> [1:0:16:0] enclosu LSI SAS2X28 0e12 - /dev/sg0
>>>> -
>>>> [1:2:0:0] disk LSI MR9260-4i 2.13 /dev/sda /dev/sg1
>>>> 3.99TB
>>>> [root@p9 crash]# sg_ses /dev/sg0
>>>> LSI SAS2X28 0e12
>>>> Supported diagnostic pages:
>>>> Supported Diagnostic Pages [sdp] [0x0]
>>>> Configuration (SES) [cf] [0x1]
>>>> Enclosure Status/Control (SES) [ec,es] [0x2]
>>>> Element Descriptor (SES) [ed] [0x7]
>>>> Additional Element Status (SES-2) [aes] [0xa]
>>>> Download Microcode (SES-2) [dm] [0xe]
>>>> [root@p9 crash]# sg_ses /dev/sg1
>>>> LSI MR9260-4i 2.13
>>>> disk device (not an enclosure)
>>>> Supported diagnostic pages:
>>>
>>> OK, can you give us the contents of pages 1, 2 and 10 with
>>>
>>> sg_ses --page=1 --hex /dev/sg0
>>> sg_ses --page=2 --hex /dev/sg0
>>> sg_ses --page=10 --hex /dev/sg0
>>>
>>> The version of the kernel you do this on doesn't really matter.
>>
>> Here are these pages:
>>
>> [root@p9 ~]# sg_ses --page=1 --hex /dev/sg0
>> LSI SAS2X28 0e12
>> Response in hex from diagnostic page: Configuration (SES)
>
> Wow, that's some crazy enclosure. The description says it's a single
> primary subenclosure with 9 different element types comprising 12 Device
> slots, 1 temperature sensor, 3 fans, 2 voltage sensors, 2 power
> supplies, 1 Enclosure, 1 SAS Expander, 14 SAS connectors, 2
> Communications ports. For 38 total element descriptors.
>
>> [root@p9 ~]# sg_ses --page=2 --hex /dev/sg0
>> LSI SAS2X28 0e12
>> Response in hex from diagnostic page: Enclosure Status (SES)
>
> Given each type has one overall descriptor followed by the individual
> ones, we have 38 + 9 = 47 total descriptors, which is what we see here.
>
>> [root@p9 ~]# sg_ses --page=10 --hex /dev/sg0
>> LSI SAS2X28 0e12
>> Response in hex from diagnostic page: Additional Element Status (SES-2)
>
> OK, so this is the problem. There are 12 Array additional descriptors
> and one for the expander. The standard says (6.1.13.1) that this is all
> in order, so the problem is that ses.c expects every type to have an
> additional element descriptor and we've just never run across an
> enclosure with non-slot components before.
>
> Does this patch fix it?
It looks like yes, I am no longer able to reproduce the warning from KASan.
[ 22.919261] EDAC sbridge: Ver: 1.1.1
[ 22.921993] iTCO_vendor_support: vendor-support=0
[ 22.936523] ses 0:0:16:0: Attached Enclosure device
Tested-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
>
> James
>
> ---
>
> diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c
> index 1736935..53ef1cb 100644
> --- a/drivers/scsi/ses.c
> +++ b/drivers/scsi/ses.c
> @@ -561,7 +561,15 @@ static void ses_enclosure_data_process(struct enclosure_device *edev,
> if (desc_ptr)
> desc_ptr += len;
>
> - if (addl_desc_ptr)
> + if (addl_desc_ptr &&
> + /* only find additional descriptions for specific devices */
> + (type_ptr[0] == ENCLOSURE_COMPONENT_DEVICE ||
> + type_ptr[0] == ENCLOSURE_COMPONENT_ARRAY_DEVICE ||
> + type_ptr[0] == ENCLOSURE_COMPONENT_SAS_EXPANDER ||
> + /* these elements are optional */
> + type_ptr[0] == ENCLOSURE_COMPONENT_SCSI_TARGET_PORT ||
> + type_ptr[0] == ENCLOSURE_COMPONENT_SCSI_INITIATOR_PORT ||
> + type_ptr[0] == ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS))
> addl_desc_ptr += addl_desc_ptr[1] + 2;
>
> }
> diff --git a/include/linux/enclosure.h b/include/linux/enclosure.h
> index 7be22da..a4cf57c 100644
> --- a/include/linux/enclosure.h
> +++ b/include/linux/enclosure.h
> @@ -29,7 +29,11 @@
> /* A few generic types ... taken from ses-2 */
> enum enclosure_component_type {
> ENCLOSURE_COMPONENT_DEVICE = 0x01,
> + ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS = 0x07,
> + ENCLOSURE_COMPONENT_SCSI_TARGET_PORT = 0x14,
> + ENCLOSURE_COMPONENT_SCSI_INITIATOR_PORT = 0x15,
> ENCLOSURE_COMPONENT_ARRAY_DEVICE = 0x17,
> + ENCLOSURE_COMPONENT_SAS_EXPANDER = 0x18,
> };
>
> /* ses-2 common element status */
* [Bug 108771] scsi: ses: kasan: ses_enclosure_data_process use after free on boot SAS2X28
2015-12-02 10:57 [Bug 108771] New: scsi: ses: kasan: ses_enclosure_data_process use after free on boot SAS2X28 bugzilla-daemon
` (3 preceding siblings ...)
2015-12-11 8:03 ` bugzilla-daemon
@ 2016-12-30 9:54 ` bugzilla-daemon
4 siblings, 0 replies; 10+ messages in thread
From: bugzilla-daemon @ 2016-12-30 9:54 UTC (permalink / raw)
To: linux-scsi
https://bugzilla.kernel.org/show_bug.cgi?id=108771
Pavel Tikhomirov <ptikhomirov@virtuozzo.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |PATCH_ALREADY_AVAILABLE