From: Sumit Saxena <sumit.saxena@broadcom.com>
To: cai@lca.pw
Cc: akpm@linux-foundation.org,
	Kashyap Desai <kashyap.desai@broadcom.com>,
	Shivasharan Srikanteshwara <shivasharan.srikanteshwara@broadcom.com>,
	"James E. J. Bottomley" <jejb@linux.vnet.ibm.com>,
	"Martin K. Petersen" <martin.petersen@oracle.com>,
	Tomas Henzl <thenzl@redhat.com>, Christoph Hellwig <hch@lst.de>,
	"PDL,MEGARAIDLINUX" <megaraidlinux.pdl@broadcom.com>,
	Linux SCSI List <linux-scsi@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>
Subject: Re: [RESEND PATCH v2] megaraid: fix out-of-bound array accesses
Date: Thu, 20 Dec 2018 13:25:12 +0530
Message-ID: <CAL2rwxrBn6bn0-5GR8nbPys7tS0+x8CzVYCSf_yPFEnvktTktw@mail.gmail.com>
In-Reply-To: <20181213132727.57058-1-cai@lca.pw>

On Thu, Dec 13, 2018 at 6:57 PM Qian Cai <cai@lca.pw> wrote:
>
> UBSAN reported those with MegaRAID SAS-3 3108,
>
> [   77.467308] UBSAN: Undefined behaviour in drivers/scsi/megaraid/megaraid_sas_fp.c:117:32
> [   77.475402] index 255 is out of range for type 'MR_LD_SPAN_MAP [1]'
> [   77.481677] CPU: 16 PID: 333 Comm: kworker/16:1 Not tainted 4.20.0-rc5+ #1
> [   77.488556] Hardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.50 06/01/2018
> [   77.495791] Workqueue: events work_for_cpu_fn
> [   77.500154] Call trace:
> [   77.502610]  dump_backtrace+0x0/0x2c8
> [   77.506279]  show_stack+0x24/0x30
> [   77.509604]  dump_stack+0x118/0x19c
> [   77.513098]  ubsan_epilogue+0x14/0x60
> [   77.516765]  __ubsan_handle_out_of_bounds+0xfc/0x13c
> [   77.521767]  mr_update_load_balance_params+0x150/0x158 [megaraid_sas]
> [   77.528230]  MR_ValidateMapInfo+0x2cc/0x10d0 [megaraid_sas]
> [   77.533825]  megasas_get_map_info+0x244/0x2f0 [megaraid_sas]
> [   77.539505]  megasas_init_adapter_fusion+0x9b0/0xf48 [megaraid_sas]
> [   77.545794]  megasas_init_fw+0x1ab4/0x3518 [megaraid_sas]
> [   77.551212]  megasas_probe_one+0x2c4/0xbe0 [megaraid_sas]
> [   77.556614]  local_pci_probe+0x7c/0xf0
> [   77.560365]  work_for_cpu_fn+0x34/0x50
> [   77.564118]  process_one_work+0x61c/0xf08
> [   77.568129]  worker_thread+0x534/0xa70
> [   77.571882]  kthread+0x1c8/0x1d0
> [   77.575114]  ret_from_fork+0x10/0x1c
>
> [   89.240332] UBSAN: Undefined behaviour in drivers/scsi/megaraid/megaraid_sas_fp.c:117:32
> [   89.248426] index 255 is out of range for type 'MR_LD_SPAN_MAP [1]'
> [   89.254700] CPU: 16 PID: 95 Comm: kworker/u130:0 Not tainted 4.20.0-rc5+ #1
> [   89.261665] Hardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.50 06/01/2018
> [   89.268903] Workqueue: events_unbound async_run_entry_fn
> [   89.274222] Call trace:
> [   89.276680]  dump_backtrace+0x0/0x2c8
> [   89.280348]  show_stack+0x24/0x30
> [   89.283671]  dump_stack+0x118/0x19c
> [   89.287167]  ubsan_epilogue+0x14/0x60
> [   89.290835]  __ubsan_handle_out_of_bounds+0xfc/0x13c
> [   89.295828]  MR_LdRaidGet+0x50/0x58 [megaraid_sas]
> [   89.300638]  megasas_build_io_fusion+0xbb8/0xd90 [megaraid_sas]
> [   89.306576]  megasas_build_and_issue_cmd_fusion+0x138/0x460 [megaraid_sas]
> [   89.313468]  megasas_queue_command+0x398/0x3d0 [megaraid_sas]
> [   89.319222]  scsi_dispatch_cmd+0x1dc/0x8a8
> [   89.323321]  scsi_request_fn+0x8e8/0xdd0
> [   89.327249]  __blk_run_queue+0xc4/0x158
> [   89.331090]  blk_execute_rq_nowait+0xf4/0x158
> [   89.335449]  blk_execute_rq+0xdc/0x158
> [   89.339202]  __scsi_execute+0x130/0x258
> [   89.343041]  scsi_probe_and_add_lun+0x2fc/0x1488
> [   89.347661]  __scsi_scan_target+0x1cc/0x8c8
> [   89.351848]  scsi_scan_channel.part.3+0x8c/0xc0
> [   89.356382]  scsi_scan_host_selected+0x130/0x1f0
> [   89.361002]  do_scsi_scan_host+0xd8/0xf0
> [   89.364927]  do_scan_async+0x9c/0x320
> [   89.368594]  async_run_entry_fn+0x138/0x420
> [   89.372780]  process_one_work+0x61c/0xf08
> [   89.376793]  worker_thread+0x13c/0xa70
> [   89.380546]  kthread+0x1c8/0x1d0
> [   89.383778]  ret_from_fork+0x10/0x1c
>
> This is because when populating Driver Map using firmware raid map, all
> non-existing VDs set their ldTgtIdToLd to 0xff, so it can be skipped
> later.
>
> From drivers/scsi/megaraid/megaraid_sas_base.c:
> memset(instance->ld_ids, 0xff, MEGASAS_MAX_LD_IDS);
>
> From drivers/scsi/megaraid/megaraid_sas_fp.c:
> /* For non existing VDs, iterate to next VD*/
> if (ld >= (MAX_LOGICAL_DRIVES_EXT - 1))
>         continue;
>
> However, there are a few places that failed to skip those non-existing
> VDs due to off-by-one errors. Then, those 0xff leaked into
> MR_LdRaidGet(0xff, map) and triggered the out-of-bound accesses.
>
> Fixes: 51087a8617fe (megaraid_sas : Extended VD support)
> Signed-off-by: Qian Cai <cai@lca.pw>

Acked-by: Sumit Saxena <sumit.saxena@broadcom.com>
> ---
>  drivers/scsi/megaraid/megaraid_sas_fp.c     | 2 +-
>  drivers/scsi/megaraid/megaraid_sas_fusion.c | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/scsi/megaraid/megaraid_sas_fp.c b/drivers/scsi/megaraid/megaraid_sas_fp.c
> index 59ecbb3b53b5..a33628550425 100644
> --- a/drivers/scsi/megaraid/megaraid_sas_fp.c
> +++ b/drivers/scsi/megaraid/megaraid_sas_fp.c
> @@ -1266,7 +1266,7 @@ void mr_update_load_balance_params(struct MR_DRV_RAID_MAP_ALL *drv_map,
>
>         for (ldCount = 0; ldCount < MAX_LOGICAL_DRIVES_EXT; ldCount++) {
>                 ld = MR_TargetIdToLdGet(ldCount, drv_map);
> -               if (ld >= MAX_LOGICAL_DRIVES_EXT) {
> +               if (ld >= MAX_LOGICAL_DRIVES_EXT - 1) {
>                         lbInfo[ldCount].loadBalanceFlag = 0;
>                         continue;
>                 }
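Review bot: the new bound `ld >= MAX_LOGICAL_DRIVES_EXT - 1` is right, but it reads as a bare off-by-one unless the reader already knows that the top index (0xff) is the "no VD" marker the commit message describes; the existing skip in megaraid_sas_fp.c quoted above encodes the same rule next to a comment, so a one-line comment here, or a shared helper for the "is this target backed by an LD" test (a suggestion, not something in the patch), would stop the sites from drifting apart again, which is exactly how this bug arose. The skip path still sets `lbInfo[ldCount].loadBalanceFlag = 0` before `continue`, so targets without an LD are correctly left out of load balancing.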
> diff --git a/drivers/scsi/megaraid/megaraid_sas_fusion.c b/drivers/scsi/megaraid/megaraid_sas_fusion.c
> index f74b5ea24f0f..49eaa87608f6 100644
> --- a/drivers/scsi/megaraid/megaraid_sas_fusion.c
> +++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c
> @@ -2832,7 +2832,7 @@ static void megasas_build_ld_nonrw_fusion(struct megasas_instance *instance,
>                 device_id < instance->fw_supported_vd_count)) {
>
>                 ld = MR_TargetIdToLdGet(device_id, local_map_ptr);
> -               if (ld >= instance->fw_supported_vd_count)
> +               if (ld >= instance->fw_supported_vd_count - 1)
>                         fp_possible = 0;
>                 else {
>                         raid = MR_LdRaidGet(ld, local_map_ptr);
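Review bot: `ld >= instance->fw_supported_vd_count - 1` reserves the top index for the 0xff sentinel, which matches the commit message directly only when fw_supported_vd_count is 256 (the extended map); for a firmware reporting a smaller count the comparison still rejects 0xff, and the only cost is that an LD sitting exactly at index count - 1, if one can exist, takes the non-fast-path route (`fp_possible = 0`) instead of being mishandled, so the change is safe either way. A short comment saying that the `- 1` reserves the sentinel slot would make that intent explicit at this site.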
> --
> 2.17.2 (Apple Git-113)
>
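The commit message above describes the root cause: the firmware map marks targets with no logical drive by writing 0xff into ldTgtIdToLd[], and a comparison against MAX_LOGICAL_DRIVES_EXT instead of MAX_LOGICAL_DRIVES_EXT - 1 lets that sentinel through to MR_LdRaidGet(), which indexes a one-element array with 255. The following is an added example, not megaraid_sas driver code and not part of the thread: it builds a constructed stand-in map (demo_* names and struct layouts are assumptions; the real MR_LD_SPAN_MAP is sized [1] and the real MR_LdRaidGet() has no bounds check), walks every target ID the way mr_update_load_balance_params() does, and counts how often the pre-patch and post-patch comparisons would let the sentinel reach a lookup.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins (assumptions, not the driver's structures): an
 * extended map indexes 256 target IDs, and the firmware writes 0xff into
 * ldTgtIdToLd[] for every target that has no VD behind it. */
#define MAX_LOGICAL_DRIVES_EXT 256
#define LD_NONE                0xffu   /* "no logical drive" marker */

struct demo_ld_raid {
    uint8_t target_id;
    uint8_t raid_level;
};

struct demo_drv_raid_map {
    uint16_t ld_count;
    uint8_t  ldTgtIdToLd[MAX_LOGICAL_DRIVES_EXT];
    /* Real LDs only ever occupy indices 0 .. MAX_LOGICAL_DRIVES_EXT - 2;
     * index 255 is the sentinel and must never be dereferenced. */
    struct demo_ld_raid ldRaid[MAX_LOGICAL_DRIVES_EXT - 1];
};

/* Populate the map the way the commit message describes: every target starts
 * as 0xff, then the first ld_count targets get LDs 0..ld_count-1. */
static void demo_map_init(struct demo_drv_raid_map *map, uint16_t ld_count)
{
    memset(map, 0, sizeof(*map));
    memset(map->ldTgtIdToLd, LD_NONE, sizeof(map->ldTgtIdToLd));
    map->ld_count = ld_count;
    for (uint16_t tgt = 0; tgt < ld_count; tgt++) {
        map->ldTgtIdToLd[tgt] = (uint8_t)tgt;
        map->ldRaid[tgt].target_id = (uint8_t)tgt;
        map->ldRaid[tgt].raid_level = 1;
    }
}

/* Pre-patch comparison: 0xff < 256, so the sentinel slips through. */
static bool ld_valid_before(uint8_t ld) { return ld < MAX_LOGICAL_DRIVES_EXT; }

/* Post-patch comparison, matching the existing skip in megaraid_sas_fp.c. */
static bool ld_valid_after(uint8_t ld) { return ld < MAX_LOGICAL_DRIVES_EXT - 1; }

/* Bounds-checked accessor: returns NULL instead of reading past the array
 * (the driver's MR_LdRaidGet() indexes directly, which is what UBSAN caught). */
static const struct demo_ld_raid *demo_ld_raid_get(const struct demo_drv_raid_map *map,
                                                   uint8_t ld)
{
    if (ld >= MAX_LOGICAL_DRIVES_EXT - 1)
        return NULL;
    return &map->ldRaid[ld];
}

/* Walk every target ID like mr_update_load_balance_params() and count how
 * many times the chosen check lets the 0xff sentinel reach a lookup. */
int demo_count_sentinel_leaks(uint16_t ld_count, bool fixed)
{
    struct demo_drv_raid_map map;
    int leaks = 0;

    demo_map_init(&map, ld_count);
    for (int tgt = 0; tgt < MAX_LOGICAL_DRIVES_EXT; tgt++) {
        uint8_t ld = map.ldTgtIdToLd[tgt];
        bool ok = fixed ? ld_valid_after(ld) : ld_valid_before(ld);

        if (!ok)
            continue;           /* correctly skipped: no VD at this target */
        if (demo_ld_raid_get(&map, ld) == NULL)
            leaks++;            /* check passed, but the index is the sentinel */
    }
    return leaks;
}

/* Probe one target: 1 if its LD resolves through the checked accessor, else 0. */
int demo_target_has_ld(uint16_t ld_count, uint8_t target)
{
    struct demo_drv_raid_map map;

    demo_map_init(&map, ld_count);
    return demo_ld_raid_get(&map, map.ldTgtIdToLd[target]) != NULL;
}

int main(void)
{
    printf("sentinel leaks with pre-patch check:  %d\n", demo_count_sentinel_leaks(3, false));
    printf("sentinel leaks with post-patch check: %d\n", demo_count_sentinel_leaks(3, true));
    return 0;
}
```

With three LDs configured, the pre-patch comparison lets all 253 empty targets reach the lookup, while the post-patch comparison lets none through; the accessor's NULL return stands in for the out-of-range read the real driver performed. The same sentinel-at-the-boundary shape applies to the fusion.c site, where the bound is fw_supported_vd_count instead of MAX_LOGICAL_DRIVES_EXT.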
