linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Calvin Owens <calvinowens@fb.com>,
	Johannes Thumshirn <jthumshirn@suse.de>,
	Jens Axboe <axboe@fb.com>,
	Chaitra Basappa <chaitra.basappa@broadcom.com>,
	"Martin K. Petersen" <martin.petersen@oracle.com>,
	Amit Pundir <amit.pundir@linaro.org>
Subject: [PATCH 3.18 24/92] mpt3sas: Dont overreach ioc->reply_post[] during initialization
Date: Wed,  9 Aug 2017 13:36:52 -0700	[thread overview]
Message-ID: <20170809202156.483190360@linuxfoundation.org> (raw)
In-Reply-To: <20170809202155.435709888@linuxfoundation.org>

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Calvin Owens <calvinowens@fb.com>

commit 5ec8a1753bc29efa7e4b1391d691c9c719b30257 upstream.

In _base_make_ioc_operational(), we walk ioc->reply_queue_list and pull
a pointer out of successive elements of ioc->reply_post[] for each entry
in that list if RDPQ is enabled.

Since the code pulls the pointer for the next iteration at the bottom of
the loop, it triggers the a KASAN dump on the final iteration:

    BUG: KASAN: slab-out-of-bounds in _base_make_ioc_operational+0x47b7/0x47e0 [mpt3sas] at addr ffff880754816ab0
    Read of size 8 by task modprobe/305
    <snip>
    Call Trace:
     [<ffffffff81dfc591>] dump_stack+0x4d/0x6c
     [<ffffffff814c9689>] print_trailer+0xf9/0x150
     [<ffffffff814ceda4>] object_err+0x34/0x40
     [<ffffffff814d1231>] kasan_report_error+0x221/0x530
     [<ffffffff814d1673>] __asan_report_load8_noabort+0x43/0x50
     [<ffffffffa0043637>] _base_make_ioc_operational+0x47b7/0x47e0 [mpt3sas]
     [<ffffffffa0049a51>] mpt3sas_base_attach+0x1991/0x2120 [mpt3sas]
     [<ffffffffa0053c93>] _scsih_probe+0xeb3/0x16b0 [mpt3sas]
     [<ffffffff81ebd047>] local_pci_probe+0xc7/0x170
     [<ffffffff81ebf2cf>] pci_device_probe+0x20f/0x290
     [<ffffffff820d50cd>] really_probe+0x17d/0x600
     [<ffffffff820d56a3>] __driver_attach+0x153/0x190
     [<ffffffff820cffac>] bus_for_each_dev+0x11c/0x1a0
     [<ffffffff820d421d>] driver_attach+0x3d/0x50
     [<ffffffff820d378a>] bus_add_driver+0x44a/0x5f0
     [<ffffffff820d666c>] driver_register+0x18c/0x3b0
     [<ffffffff81ebcb76>] __pci_register_driver+0x156/0x200
     [<ffffffffa00c8135>] _mpt3sas_init+0x135/0x1000 [mpt3sas]
     [<ffffffff81000423>] do_one_initcall+0x113/0x2b0
     [<ffffffff813caa5a>] do_init_module+0x1d0/0x4d8
     [<ffffffff81273909>] load_module+0x6729/0x8dc0
     [<ffffffff81276123>] SYSC_init_module+0x183/0x1a0
     [<ffffffff8127625e>] SyS_init_module+0xe/0x10
     [<ffffffff828fe7d7>] entry_SYSCALL_64_fastpath+0x12/0x6a

Fix this by pulling the value at the beginning of the loop.

Signed-off-by: Calvin Owens <calvinowens@fb.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Reviewed-by: Jens Axboe <axboe@fb.com>
Acked-by: Chaitra Basappa <chaitra.basappa@broadcom.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/mpt3sas/mpt3sas_base.c |   33 ++++++++++++++++-----------------
 1 file changed, 16 insertions(+), 17 deletions(-)

--- a/drivers/scsi/mpt3sas/mpt3sas_base.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_base.c
@@ -4378,14 +4378,13 @@ _base_make_ioc_ready(struct MPT3SAS_ADAP
 static int
 _base_make_ioc_operational(struct MPT3SAS_ADAPTER *ioc, int sleep_flag)
 {
-	int r, i;
+	int r, i, index;
 	unsigned long	flags;
 	u32 reply_address;
 	u16 smid;
 	struct _tr_list *delayed_tr, *delayed_tr_next;
 	struct adapter_reply_queue *reply_q;
-	long reply_post_free;
-	u32 reply_post_free_sz, index = 0;
+	Mpi2ReplyDescriptorsUnion_t *reply_post_free_contig;
 
 	dinitprintk(ioc, pr_info(MPT3SAS_FMT "%s\n", ioc->name,
 	    __func__));
@@ -4456,27 +4455,27 @@ _base_make_ioc_operational(struct MPT3SA
 		_base_assign_reply_queues(ioc);
 
 	/* initialize Reply Post Free Queue */
-	reply_post_free_sz = ioc->reply_post_queue_depth *
-	    sizeof(Mpi2DefaultReplyDescriptor_t);
-	reply_post_free = (long)ioc->reply_post[index].reply_post_free;
+	index = 0;
+	reply_post_free_contig = ioc->reply_post[0].reply_post_free;
 	list_for_each_entry(reply_q, &ioc->reply_queue_list, list) {
+		/*
+		 * If RDPQ is enabled, switch to the next allocation.
+		 * Otherwise advance within the contiguous region.
+		 */
+		if (ioc->rdpq_array_enable) {
+			reply_q->reply_post_free =
+				ioc->reply_post[index++].reply_post_free;
+		} else {
+			reply_q->reply_post_free = reply_post_free_contig;
+			reply_post_free_contig += ioc->reply_post_queue_depth;
+		}
+
 		reply_q->reply_post_host_index = 0;
-		reply_q->reply_post_free = (Mpi2ReplyDescriptorsUnion_t *)
-		    reply_post_free;
 		for (i = 0; i < ioc->reply_post_queue_depth; i++)
 			reply_q->reply_post_free[i].Words =
 			    cpu_to_le64(ULLONG_MAX);
 		if (!_base_is_controller_msix_enabled(ioc))
 			goto skip_init_reply_post_free_queue;
-		/*
-		 * If RDPQ is enabled, switch to the next allocation.
-		 * Otherwise advance within the contiguous region.
-		 */
-		if (ioc->rdpq_array_enable)
-			reply_post_free = (long)
-			    ioc->reply_post[++index].reply_post_free;
-		else
-			reply_post_free += reply_post_free_sz;
 	}
  skip_init_reply_post_free_queue:
 

  parent reply	other threads:[~2017-08-09 20:41 UTC|newest]

Thread overview: 95+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-08-09 20:36 [PATCH 3.18 00/92] 3.18.64-stable review - take 2 Greg Kroah-Hartman
2017-08-09 20:36 ` [PATCH 3.18 01/92] af_key: Add lock to key dump Greg Kroah-Hartman
2017-08-09 20:36 ` [PATCH 3.18 02/92] pstore: Make spinlock per zone instead of global Greg Kroah-Hartman
2017-08-09 20:36 ` [PATCH 3.18 03/92] net: reduce skb_warn_bad_offload() noise Greg Kroah-Hartman
2017-08-09 20:36 ` [PATCH 3.18 04/92] powerpc/pseries: Fix of_node_put() underflow during reconfig remove Greg Kroah-Hartman
2017-08-09 20:36 ` [PATCH 3.18 05/92] md/raid5: add thread_group worker async_tx_issue_pending_all Greg Kroah-Hartman
2017-08-09 20:36 ` [PATCH 3.18 06/92] drm/vmwgfx: Fix gcc-7.1.1 warning Greg Kroah-Hartman
2017-08-09 20:36 ` [PATCH 3.18 07/92] KVM: PPC: Book3S HV: Restore critical SPRs to host values on guest exit Greg Kroah-Hartman
2017-08-09 20:36 ` [PATCH 3.18 08/92] KVM: PPC: Book3S HV: Reload HTM registers explicitly Greg Kroah-Hartman
2017-08-09 20:36 ` [PATCH 3.18 09/92] KVM: PPC: Book3S HV: Save/restore host values of debug registers Greg Kroah-Hartman
2017-08-09 20:36 ` [PATCH 3.18 10/92] Revert "powerpc/numa: Fix percpu allocations to be NUMA aware" Greg Kroah-Hartman
2017-08-09 20:36 ` [PATCH 3.18 11/92] Staging: comedi: comedi_fops: Avoid orphaned proc entry Greg Kroah-Hartman
2017-08-09 20:36 ` [PATCH 3.18 12/92] Bluetooth: bnep: bnep_add_connection() should verify that its dealing with l2cap socket Greg Kroah-Hartman
2017-08-09 20:36 ` [PATCH 3.18 13/92] Bluetooth: Fix potential NULL dereference Greg Kroah-Hartman
2017-08-09 20:36 ` [PATCH 3.18 14/92] Bluetooth: cmtp: cmtp_add_connection() should verify that its dealing with l2cap socket Greg Kroah-Hartman
2017-08-09 20:36 ` [PATCH 3.18 15/92] net: phy: Do not perform software reset for Generic PHY Greg Kroah-Hartman
2017-08-09 20:36 ` [PATCH 3.18 16/92] isdn: Fix a sleep-in-atomic bug Greg Kroah-Hartman
2017-08-09 20:36 ` [PATCH 3.18 17/92] string: provide strscpy() Greg Kroah-Hartman
2017-08-09 20:36 ` [PATCH 3.18 18/92] strscpy: zero any trailing garbage bytes in the destination Greg Kroah-Hartman
2017-08-09 20:36 ` [PATCH 3.18 19/92] isdn/i4l: fix buffer overflow Greg Kroah-Hartman
2017-08-09 20:36 ` [PATCH 3.18 20/92] wil6210: fix deadlock when using fw_no_recovery option Greg Kroah-Hartman
2017-08-09 20:36 ` [PATCH 3.18 21/92] mailbox: always wait in mbox_send_message for blocking Tx mode Greg Kroah-Hartman
2017-08-09 20:36 ` [PATCH 3.18 22/92] mailbox: skip complete wait event if timer expired Greg Kroah-Hartman
2017-08-09 20:36 ` [PATCH 3.18 23/92] mailbox: handle empty message in tx_tick Greg Kroah-Hartman
2017-08-09 20:36 ` Greg Kroah-Hartman [this message]
2017-08-09 20:36 ` [PATCH 3.18 25/92] kaweth: fix firmware download Greg Kroah-Hartman
2017-08-09 20:36 ` [PATCH 3.18 26/92] kaweth: fix oops upon failed memory allocation Greg Kroah-Hartman
2017-08-09 20:36 ` [PATCH 3.18 27/92] ipv6: fix possible deadlock in ip6_fl_purge / ip6_fl_gc Greg Kroah-Hartman
2017-08-09 20:36 ` [PATCH 3.18 28/92] net: sctp: fix race for one-to-many sockets in sendmsgs auto associate Greg Kroah-Hartman
2017-08-09 20:36 ` [PATCH 3.18 29/92] sh_eth: Fix ethtool operation crash when net device is down Greg Kroah-Hartman
2017-08-09 20:36 ` [PATCH 3.18 30/92] net, sched: fix soft lockup in tc_classify Greg Kroah-Hartman
2017-08-09 20:36 ` [PATCH 3.18 31/92] ipmi/watchdog: fix watchdog timeout set on reboot Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 32/92] dentry name snapshots Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 33/92] [media] v4l: s5c73m3: fix negation operator Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 34/92] pstore: Allow prz to control need for locking Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 35/92] pstore: Correctly initialize spinlock and flags Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 36/92] pstore: Use dynamic spinlock initializer Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 37/92] net: skb_needs_check() accepts CHECKSUM_NONE for tx Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 38/92] tpm: fix a kernel memory leak in tpm-sysfs.c Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 39/92] x86/mce/AMD: Make the init code more robust Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 40/92] r8169: add support for RTL8168 series add-on card Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 42/92] ipv6: Should use consistent conditional judgement for ip6 fragment between __ip6_append_data and ip6_finish_output Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 43/92] net/mlx4: Remove BUG_ON from ICM allocation routine Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 44/92] drm/msm: Ensure that the hardware write pointer is valid Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 45/92] drm/msm: Verify that MSM_SUBMIT_BO_FLAGS are set Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 46/92] vfio-pci: use 32-bit comparisons for register address for gcc-4.5 Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 47/92] ASoC: tlv320aic3x: Mark the RESET register as volatile Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 48/92] spi: dw: Make debugfs name unique between instances Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 49/92] vlan: Propagate MAC address to VLANs Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 50/92] xfrm: Dont use sk_family for socket policy lookups Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 51/92] tile: add <asm/word-at-a-time.h> and enable support functions Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 52/92] word-at-a-time.h: support zero_bytemask() on alpha and tile Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 53/92] Make asm/word-at-a-time.h available on all architectures Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 54/92] arch/powerpc: provide zero_bytemask() for big-endian Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 55/92] tile: use global strscpy() rather than private copy Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 56/92] libata: array underflow in ata_find_dev() Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 57/92] workqueue: restore WQ_UNBOUND/max_active==1 to be ordered Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 58/92] ALSA: hda - Fix speaker output from VAIO VPCL14M1R Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 59/92] ASoC: do not close shared backend dailink Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 61/92] mm/page_alloc: Remove kernel address exposure in free_reserved_area() Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 62/92] ext4: fix SEEK_HOLE/SEEK_DATA for blocksize < pagesize Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 63/92] ext4: fix overflow caused by missing cast in ext4_resize_fs() Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 64/92] media: platform: davinci: return -EINVAL for VPFE_CMD_S_CCDC_RAW_PARAMS ioctl Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 65/92] target: Avoid mappedlun symlink creation during lun shutdown Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 66/92] iscsi-target: Always wait for kthread_should_stop() before kthread exit Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 67/92] iscsi-target: Fix early sk_data_ready LOGIN_FLAGS_READY race Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 68/92] iscsi-target: Fix initial login PDU asynchronous socket close OOPs Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 69/92] iscsi-target: Fix delayed logout processing greater than SECONDS_FOR_LOGOUT_COMP Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 70/92] f2fs: sanity check checkpoint segno and blkoff Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 71/92] net: Zero terminate ifr_name in dev_ifname() Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 72/92] ipv6: avoid overflow of offset in ip6_find_1stfragopt Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 73/92] ipv4: initialize fib_trie prior to register_netdev_notifier call Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 74/92] rtnetlink: allocate more memory for dev_set_mac_address() Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 75/92] mcs7780: Fix initialization when CONFIG_VMAP_STACK is enabled Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 76/92] packet: fix use-after-free in prb_retire_rx_blk_timer_expired() Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 77/92] dccp: fix a memleak for dccp_feat_init err process Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 78/92] sctp: dont dereference ptr before leaving _sctp_walk_{params, errors}() Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 79/92] sctp: fix the check for _sctp_walk_params and _sctp_walk_errors Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 80/92] net: phy: Correctly process PHY_HALTED in phy_stop_machine() Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 81/92] xen-netback: correctly schedule rate-limited queues Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 82/92] wext: handle NULL extra data in iwe_stream_add_point better Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 83/92] sh_eth: R8A7740 supports packet shecksumming Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 84/92] tg3: Fix race condition in tg3_get_stats64() Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 85/92] x86/boot: Add missing declaration of string functions Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 86/92] scsi: qla2xxx: Get mutex lock before checking optrom_state Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 87/92] ARM: 8632/1: ftrace: fix syscall name matching Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 88/92] mm, slab: make sure that KMALLOC_MAX_SIZE will fit into MAX_ORDER Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 89/92] lib/Kconfig.debug: fix frv build failure Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 90/92] signal: protect SIGNAL_UNKILLABLE from unintentional clearing Greg Kroah-Hartman
2017-08-09 20:37 ` [PATCH 3.18 91/92] mm: dont dereference struct page fields of invalid pages Greg Kroah-Hartman
2017-08-09 20:38 ` [PATCH 3.18 92/92] ipv4: Should use consistent conditional judgement for ip fragment in __ip_append_data and ip_finish_output Greg Kroah-Hartman
2017-08-09 23:59 ` [PATCH 3.18 00/92] 3.18.64-stable review - take 2 Shuah Khan
2017-08-10  2:34   ` Greg Kroah-Hartman
2017-08-10  0:29 ` Guenter Roeck
2017-08-10  2:34   ` Greg Kroah-Hartman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170809202156.483190360@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=amit.pundir@linaro.org \
    --cc=axboe@fb.com \
    --cc=calvinowens@fb.com \
    --cc=chaitra.basappa@broadcom.com \
    --cc=jthumshirn@suse.de \
    --cc=linux-kernel@vger.kernel.org \
    --cc=martin.petersen@oracle.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).