From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Quinn Tran <qutran@marvell.com>,
	Himanshu Madhani <himanshu.madhani@oracle.com>,
	Saurav Kashyap <skashyap@marvell.com>,
	Nilesh Javali <njavali@marvell.com>,
	"Martin K . Petersen" <martin.petersen@oracle.com>,
	Sasha Levin <sashal@kernel.org>,
	linux-scsi@vger.kernel.org
Subject: [PATCH AUTOSEL 5.10 041/100] scsi: qla2xxx: Fix use after free in bsg
Date: Mon,  3 May 2021 12:37:30 -0400
Message-ID: <20210503163829.2852775-41-sashal@kernel.org>
In-Reply-To: <20210503163829.2852775-1-sashal@kernel.org>

From: Quinn Tran <qutran@marvell.com>

[ Upstream commit 2ce35c0821afc2acd5ee1c3f60d149f8b2520ce8 ]

On bsg command completion, bsg_job_done() was called while the qla driver
continued to access the bsg_job buffer. bsg_job_done() would free up
resources that ended up being reused by another task while the driver
continued to access the buffers. As a result, the driver was reading
garbage data.

localhost kernel: BUG: KASAN: use-after-free in sg_next+0x64/0x80
localhost kernel: Read of size 8 at addr ffff8883228a3330 by task swapper/26/0
localhost kernel:
localhost kernel: CPU: 26 PID: 0 Comm: swapper/26 Kdump: loaded Tainted: G          OE    --------- -  - 4.18.0-193.el8.x86_64+debug #1
localhost kernel: Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9, BIOS P89 08/12/2016
localhost kernel: Call Trace:
localhost kernel: <IRQ>
localhost kernel: dump_stack+0x9a/0xf0
localhost kernel: print_address_description.cold.3+0x9/0x23b
localhost kernel: kasan_report.cold.4+0x65/0x95
localhost kernel: debug_dma_unmap_sg.part.12+0x10d/0x2d0
localhost kernel: qla2x00_bsg_sp_free+0xaf6/0x1010 [qla2xxx]

Link: https://lore.kernel.org/r/20210329085229.4367-6-njavali@marvell.com
Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
Signed-off-by: Quinn Tran <qutran@marvell.com>
Signed-off-by: Saurav Kashyap <skashyap@marvell.com>
Signed-off-by: Nilesh Javali <njavali@marvell.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/qla2xxx/qla_bsg.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/qla2xxx/qla_bsg.c b/drivers/scsi/qla2xxx/qla_bsg.c
index 23b604832a54..7fa085969a63 100644
--- a/drivers/scsi/qla2xxx/qla_bsg.c
+++ b/drivers/scsi/qla2xxx/qla_bsg.c
@@ -24,10 +24,11 @@ void qla2x00_bsg_job_done(srb_t *sp, int res)
 	struct bsg_job *bsg_job = sp->u.bsg_job;
 	struct fc_bsg_reply *bsg_reply = bsg_job->reply;
 
+	sp->free(sp);
+
 	bsg_reply->result = res;
 	bsg_job_done(bsg_job, bsg_reply->result,
 		       bsg_reply->reply_payload_rcv_len);
-	sp->free(sp);
 }
 
 void qla2x00_bsg_sp_free(srb_t *sp)
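Review bot: the moved `sp->free(sp)` is only safe because `bsg_job` and `bsg_reply` were copied into locals on the two lines above it and because `sp->free()` (qla2x00_bsg_sp_free, which per the KASAN trace ends in debug_dma_unmap_sg, i.e. it unmaps the job's scatterlists) does not free `bsg_job` or its reply buffer; nothing in the hunk records that constraint, and `sp` is a dangling pointer for the remainder of the function. Add a comment above the call, e.g. `/* Unmap the bsg DMA buffers before bsg_job_done() hands the job back to the bsg layer; sp must not be used after this. */`, so a later change does not slip a use of `sp` between `sp->free(sp)` and `bsg_job_done()`, and note in the changelog that `bsg_reply->result` and `bsg_reply->reply_payload_rcv_len` are still dereferenced after the srb is gone, which relies on the reply buffer being owned by the bsg layer rather than by the srb.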
-- 
2.30.2
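The ordering bug the changelog describes (hand the job back to its owner, then keep walking its buffers) is easy to reproduce in a small user-space model. The block below is an added example and is not kernel code or part of this patch: `model_job`, `model_srb`, the one-slot job pool and the `SG_MAGIC` marker are invented stand-ins for `struct bsg_job`, `srb_t`, the bsg layer and a live DMA mapping. Slab reuse is modelled by scribbling the returned job with 0x6b (the SLUB POISON_FREE byte) so the program stays well defined while still showing which ordering reads garbage.

```c
/*
 * Added example, not part of the qla2xxx patch or the kernel source.
 * A completion handler must release its own references to an object
 * before handing that object back to its owner; the "buggy" order below
 * mirrors the pre-patch qla2x00_bsg_job_done(), the "fixed" order the
 * post-patch one.  All names here are invented for the model.
 */
#include <stdint.h>
#include <string.h>

#define SG_MAGIC   0x5347u   /* marker the driver expects on a live sg entry */
#define SG_ENTRIES 4
#define POISON_FREE 0x6b     /* SLUB's free-poison byte, used to model reuse */

struct model_sg {
    uint32_t magic;
    uint32_t dma_len;
};

/* Stands in for struct bsg_job: owned by the "bsg layer", not the driver. */
struct model_job {
    struct model_sg sg[SG_ENTRIES];
    int result;
    int payload_rcv_len;
    int busy;                 /* 1 while a driver holds the job */
};

/* Stands in for srb_t: per-request driver state that points at the job. */
struct model_srb {
    struct model_job *job;
    int unmapped_ok;          /* sg entries intact when the driver unmapped them */
    int unmapped_bad;         /* sg entries that had already been handed back */
};

/* The "bsg layer": a single-slot job pool (constructed for the model). */
static struct model_job job_pool;

static struct model_job *job_alloc(void)
{
    if (job_pool.busy)
        return NULL;
    job_pool.busy = 1;
    for (int i = 0; i < SG_ENTRIES; i++) {
        job_pool.sg[i].magic = SG_MAGIC;
        job_pool.sg[i].dma_len = 512;
    }
    return &job_pool;
}

/* bsg_job_done() stand-in: records the result and returns the job to the
 * pool.  Once returned, its memory is the owner's to reuse, modelled here
 * by poisoning the scatterlist exactly as a freed slab object would be. */
static void model_job_done(struct model_job *job, int result, int rcv_len)
{
    job->result = result;
    job->payload_rcv_len = rcv_len;
    job->busy = 0;
    memset(job->sg, POISON_FREE, sizeof(job->sg));
}

/* qla2x00_bsg_sp_free() stand-in: walks the job's sg list to "unmap" DMA.
 * Any entry without the live marker is a read of reused memory. */
static void model_sp_free(struct model_srb *sp)
{
    for (int i = 0; i < SG_ENTRIES; i++) {
        if (sp->job->sg[i].magic == SG_MAGIC)
            sp->unmapped_ok++;
        else
            sp->unmapped_bad++;
    }
    sp->job = NULL;           /* driver-side state is gone after this */
}

/* Pre-patch order: hand the job back, then touch its buffers. */
static void complete_buggy(struct model_srb *sp, int res)
{
    struct model_job *job = sp->job;

    model_job_done(job, res, job->payload_rcv_len);
    model_sp_free(sp);
}

/* Post-patch order: release driver-side state first, using locals captured
 * before the release, then hand the job back to its owner. */
static void complete_fixed(struct model_srb *sp, int res)
{
    struct model_job *job = sp->job;
    int rcv_len = job->payload_rcv_len;

    model_sp_free(sp);
    model_job_done(job, res, rcv_len);
}

/* Runs one completion in the given order and returns how many sg entries
 * the driver read after they had already been handed back (0 = no UAF). */
static int stale_reads_after(void (*complete)(struct model_srb *, int))
{
    struct model_srb sp = { 0 };

    sp.job = job_alloc();
    if (!sp.job)
        return -1;
    complete(&sp, 0);
    return sp.unmapped_bad;
}
```

`stale_reads_after(complete_buggy)` reports every scatterlist entry as stale, because the pool has already poisoned them by the time the driver walks the list; `stale_reads_after(complete_fixed)` reports none. The rule the patch applies generalises to any completion path: tear down your own mappings and per-request state first, keep only locals you need for the hand-back, and never dereference the request object after the owner has it.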

