RE: UBSAN: array-index-out-of-bounds in drivers/scsi/hpsa.c:4421:7

From: <Don.Brace@microchip.com>
To: <cai@lca.pw>, <don.brace@microsemi.com>
Cc: <martin.petersen@oracle.com>, <scott.teel@microsemi.com>,
	<kevin.barnett@microsemi.com>, <esc.storagedev@microsemi.com>,
	<linux-scsi@vger.kernel.org>, <linux-kernel@vger.kernel.org>
Subject: RE: UBSAN: array-index-out-of-bounds in drivers/scsi/hpsa.c:4421:7
Date: Thu, 28 May 2020 13:46:02 +0000	[thread overview]
Message-ID: <SN6PR11MB2848B54B5E6152AA4A7BC261E18E0@SN6PR11MB2848.namprd11.prod.outlook.com> (raw)
In-Reply-To: <20200526151926.GC991@lca.pw>

Working on this.
Can you send your configuration?
ssacli controller all show config detail

-----Original Message-----
From: linux-scsi-owner@vger.kernel.org [mailto:linux-scsi-owner@vger.kernel.org] On Behalf Of Qian Cai
Sent: Tuesday, May 26, 2020 10:19 AM
To: Don Brace <don.brace@microsemi.com>
Cc: Martin K. Petersen <martin.petersen@oracle.com>; Scott Teel <scott.teel@microsemi.com>; Kevin Barnett <kevin.barnett@microsemi.com>; esc.storagedev@microsemi.com; linux-scsi@vger.kernel.org; linux-kernel@vger.kernel.org
Subject: UBSAN: array-index-out-of-bounds in drivers/scsi/hpsa.c:4421:7

EXTERNAL EMAIL: Do not click links or open attachments unless you know the content is safe

Sorry, adding a missing subject line.

On Tue, May 26, 2020 at 11:14:16AM -0400, Qian Cai wrote:
> The commit 64ce60cab246 ("hpsa: correct skipping masked peripherals") 
> trigger an UBSAN warning below.
>
> When i == 0 in hpsa_update_scsi_devices(),
>
> for (i = 0; i < nphysicals + nlogicals + 1; i++) { ...
>         int phys_dev_index = i - (raid_ctlr_position == 0);
>
> It ends up calling LUN[-1].
>
> &physdev_list->LUN[phys_dev_index]
>
> Should there by a test of underflow to set phys_dev_index == 0 in this case?
>
> [  118.395557][   T13] hpsa can't handle SMP requests
> [  118.444870][   T13] ================================================================================
> [  118.486725][   T13] UBSAN: array-index-out-of-bounds in drivers/scsi/hpsa.c:4421:7
> [  118.521606][   T13] index -1 is out of range for type 'struct ext_report_lun_entry [1024]'
> [  118.559481][   T13] CPU: 0 PID: 13 Comm: kworker/0:1 Not tainted 5.7.0-rc6-next-20200522+ #3
> [  118.598179][   T13] Hardware name: HP ProLiant BL660c Gen9, BIOS I38 10/17/2018
> [  118.632882][   T13] Workqueue: events work_for_cpu_fn
> [  118.656492][   T13] Call Trace:
> [  118.670899][   T13]  dump_stack+0x10b/0x17f
> [  118.690216][   T13]  __ubsan_handle_out_of_bounds+0xd2/0x110
> [  118.712593][  T378] bnx2x 0000:41:00.1: 63.008 Gb/s available PCIe bandwidth (8.0 GT/s PCIe x8 link)
> [  118.716249][   T13]  hpsa_update_scsi_devices+0x28e3/0x2cc0 [hpsa]
> [  118.786774][   T13]  hpsa_scan_start+0x228/0x260 [hpsa]
> [  118.810663][   T13]  ? _raw_spin_unlock_irqrestore+0x6a/0x80
> [  118.836529][   T13]  do_scsi_scan_host+0x8a/0x110
> [  118.858104][   T13]  scsi_scan_host+0x222/0x280
> [  118.879287][   T13]  ? hpsa_scsi_do_inquiry+0xcd/0xe0 [hpsa]
> [  118.907707][   T13]  hpsa_init_one+0x1b79/0x27c0 [hpsa]
> [  118.934818][   T13]  ? hpsa_find_device_by_sas_rphy+0xd0/0xd0 [hpsa]
> [  118.964279][   T13]  local_pci_probe+0x82/0xe0
> [  118.985405][   T13]  ? pci_name+0x70/0x70
> [  119.004244][   T13]  work_for_cpu_fn+0x3a/0x60
> [  119.024672][   T13]  process_one_work+0x49f/0x8f0
> [  119.046431][   T13]  process_scheduled_works+0x72/0xa0
> [  119.069906][   T13]  worker_thread+0x463/0x5b0
> [  119.090347][   T13]  kthread+0x21d/0x240
> [  119.108531][   T13]  ? pr_cont_work+0xa0/0xa0
> [  119.128450][   T13]  ? __write_once_size+0x30/0x30
> [  119.150405][   T13]  ret_from_fork+0x27/0x40