From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Calvin Owens <calvinowens@fb.com>,
Johannes Thumshirn <jthumshirn@suse.de>,
Jens Axboe <axboe@fb.com>,
Chaitra Basappa <chaitra.basappa@broadcom.com>,
"Martin K. Petersen" <martin.petersen@oracle.com>,
Amit Pundir <amit.pundir@linaro.org>
Subject: [PATCH 3.18 24/50] mpt3sas: Dont overreach ioc->reply_post[] during initialization
Date: Fri, 4 Aug 2017 16:16:10 -0700 [thread overview]
Message-ID: <20170804231552.409493438@linuxfoundation.org> (raw)
In-Reply-To: <20170804231550.830518786@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Calvin Owens <calvinowens@fb.com>
commit 5ec8a1753bc29efa7e4b1391d691c9c719b30257 upstream.
In _base_make_ioc_operational(), we walk ioc->reply_queue_list and pull
a pointer out of successive elements of ioc->reply_post[] for each entry
in that list if RDPQ is enabled.
Since the code pulls the pointer for the next iteration at the bottom of
the loop, it triggers the a KASAN dump on the final iteration:
BUG: KASAN: slab-out-of-bounds in _base_make_ioc_operational+0x47b7/0x47e0 [mpt3sas] at addr ffff880754816ab0
Read of size 8 by task modprobe/305
<snip>
Call Trace:
[<ffffffff81dfc591>] dump_stack+0x4d/0x6c
[<ffffffff814c9689>] print_trailer+0xf9/0x150
[<ffffffff814ceda4>] object_err+0x34/0x40
[<ffffffff814d1231>] kasan_report_error+0x221/0x530
[<ffffffff814d1673>] __asan_report_load8_noabort+0x43/0x50
[<ffffffffa0043637>] _base_make_ioc_operational+0x47b7/0x47e0 [mpt3sas]
[<ffffffffa0049a51>] mpt3sas_base_attach+0x1991/0x2120 [mpt3sas]
[<ffffffffa0053c93>] _scsih_probe+0xeb3/0x16b0 [mpt3sas]
[<ffffffff81ebd047>] local_pci_probe+0xc7/0x170
[<ffffffff81ebf2cf>] pci_device_probe+0x20f/0x290
[<ffffffff820d50cd>] really_probe+0x17d/0x600
[<ffffffff820d56a3>] __driver_attach+0x153/0x190
[<ffffffff820cffac>] bus_for_each_dev+0x11c/0x1a0
[<ffffffff820d421d>] driver_attach+0x3d/0x50
[<ffffffff820d378a>] bus_add_driver+0x44a/0x5f0
[<ffffffff820d666c>] driver_register+0x18c/0x3b0
[<ffffffff81ebcb76>] __pci_register_driver+0x156/0x200
[<ffffffffa00c8135>] _mpt3sas_init+0x135/0x1000 [mpt3sas]
[<ffffffff81000423>] do_one_initcall+0x113/0x2b0
[<ffffffff813caa5a>] do_init_module+0x1d0/0x4d8
[<ffffffff81273909>] load_module+0x6729/0x8dc0
[<ffffffff81276123>] SYSC_init_module+0x183/0x1a0
[<ffffffff8127625e>] SyS_init_module+0xe/0x10
[<ffffffff828fe7d7>] entry_SYSCALL_64_fastpath+0x12/0x6a
Fix this by pulling the value at the beginning of the loop.
Signed-off-by: Calvin Owens <calvinowens@fb.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Reviewed-by: Jens Axboe <axboe@fb.com>
Acked-by: Chaitra Basappa <chaitra.basappa@broadcom.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/mpt3sas/mpt3sas_base.c | 33 ++++++++++++++++-----------------
1 file changed, 16 insertions(+), 17 deletions(-)
--- a/drivers/scsi/mpt3sas/mpt3sas_base.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_base.c
@@ -4378,14 +4378,13 @@ _base_make_ioc_ready(struct MPT3SAS_ADAP
static int
_base_make_ioc_operational(struct MPT3SAS_ADAPTER *ioc, int sleep_flag)
{
- int r, i;
+ int r, i, index;
unsigned long flags;
u32 reply_address;
u16 smid;
struct _tr_list *delayed_tr, *delayed_tr_next;
struct adapter_reply_queue *reply_q;
- long reply_post_free;
- u32 reply_post_free_sz, index = 0;
+ Mpi2ReplyDescriptorsUnion_t *reply_post_free_contig;
dinitprintk(ioc, pr_info(MPT3SAS_FMT "%s\n", ioc->name,
__func__));
@@ -4456,27 +4455,27 @@ _base_make_ioc_operational(struct MPT3SA
_base_assign_reply_queues(ioc);
/* initialize Reply Post Free Queue */
- reply_post_free_sz = ioc->reply_post_queue_depth *
- sizeof(Mpi2DefaultReplyDescriptor_t);
- reply_post_free = (long)ioc->reply_post[index].reply_post_free;
+ index = 0;
+ reply_post_free_contig = ioc->reply_post[0].reply_post_free;
list_for_each_entry(reply_q, &ioc->reply_queue_list, list) {
+ /*
+ * If RDPQ is enabled, switch to the next allocation.
+ * Otherwise advance within the contiguous region.
+ */
+ if (ioc->rdpq_array_enable) {
+ reply_q->reply_post_free =
+ ioc->reply_post[index++].reply_post_free;
+ } else {
+ reply_q->reply_post_free = reply_post_free_contig;
+ reply_post_free_contig += ioc->reply_post_queue_depth;
+ }
+
reply_q->reply_post_host_index = 0;
- reply_q->reply_post_free = (Mpi2ReplyDescriptorsUnion_t *)
- reply_post_free;
for (i = 0; i < ioc->reply_post_queue_depth; i++)
reply_q->reply_post_free[i].Words =
cpu_to_le64(ULLONG_MAX);
if (!_base_is_controller_msix_enabled(ioc))
goto skip_init_reply_post_free_queue;
- /*
- * If RDPQ is enabled, switch to the next allocation.
- * Otherwise advance within the contiguous region.
- */
- if (ioc->rdpq_array_enable)
- reply_post_free = (long)
- ioc->reply_post[++index].reply_post_free;
- else
- reply_post_free += reply_post_free_sz;
}
skip_init_reply_post_free_queue:
next prev parent reply other threads:[~2017-08-04 23:28 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-04 23:15 [PATCH 3.18 00/50] 3.18.64-stable review Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 3.18 01/50] af_key: Add lock to key dump Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 3.18 02/50] pstore: Make spinlock per zone instead of global Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 3.18 03/50] net: reduce skb_warn_bad_offload() noise Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 3.18 04/50] powerpc/pseries: Fix of_node_put() underflow during reconfig remove Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 3.18 05/50] md/raid5: add thread_group worker async_tx_issue_pending_all Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 3.18 06/50] drm/vmwgfx: Fix gcc-7.1.1 warning Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 3.18 07/50] KVM: PPC: Book3S HV: Restore critical SPRs to host values on guest exit Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 3.18 08/50] KVM: PPC: Book3S HV: Reload HTM registers explicitly Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 3.18 09/50] KVM: PPC: Book3S HV: Save/restore host values of debug registers Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 3.18 10/50] Revert "powerpc/numa: Fix percpu allocations to be NUMA aware" Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 3.18 11/50] Staging: comedi: comedi_fops: Avoid orphaned proc entry Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 3.18 12/50] Bluetooth: bnep: bnep_add_connection() should verify that its dealing with l2cap socket Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 3.18 13/50] Bluetooth: Fix potential NULL dereference Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 14/50] Bluetooth: cmtp: cmtp_add_connection() should verify that its dealing with l2cap socket Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 15/50] net: phy: Do not perform software reset for Generic PHY Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 16/50] isdn: Fix a sleep-in-atomic bug Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 17/50] string: provide strscpy() Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 18/50] strscpy: zero any trailing garbage bytes in the destination Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 19/50] isdn/i4l: fix buffer overflow Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 20/50] wil6210: fix deadlock when using fw_no_recovery option Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 21/50] mailbox: always wait in mbox_send_message for blocking Tx mode Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 22/50] mailbox: skip complete wait event if timer expired Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 23/50] mailbox: handle empty message in tx_tick Greg Kroah-Hartman
2017-08-04 23:16 ` Greg Kroah-Hartman [this message]
2017-08-04 23:16 ` [PATCH 3.18 25/50] kaweth: fix firmware download Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 26/50] kaweth: fix oops upon failed memory allocation Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 27/50] ipv6: fix possible deadlock in ip6_fl_purge / ip6_fl_gc Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 28/50] net: sctp: fix race for one-to-many sockets in sendmsgs auto associate Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 29/50] sh_eth: Fix ethtool operation crash when net device is down Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 30/50] net, sched: fix soft lockup in tc_classify Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 31/50] ipmi/watchdog: fix watchdog timeout set on reboot Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 32/50] dentry name snapshots Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 33/50] [media] v4l: s5c73m3: fix negation operator Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 34/50] pstore: Allow prz to control need for locking Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 35/50] pstore: Correctly initialize spinlock and flags Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 36/50] pstore: Use dynamic spinlock initializer Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 37/50] net: skb_needs_check() accepts CHECKSUM_NONE for tx Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 38/50] tpm: fix a kernel memory leak in tpm-sysfs.c Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 39/50] x86/mce/AMD: Make the init code more robust Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 40/50] r8169: add support for RTL8168 series add-on card Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 42/50] ipv6: Should use consistent conditional judgement for ip6 fragment between __ip6_append_data and ip6_finish_output Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 43/50] net/mlx4: Remove BUG_ON from ICM allocation routine Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 44/50] drm/msm: Ensure that the hardware write pointer is valid Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 45/50] drm/msm: Verify that MSM_SUBMIT_BO_FLAGS are set Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 46/50] vfio-pci: use 32-bit comparisons for register address for gcc-4.5 Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 47/50] ASoC: tlv320aic3x: Mark the RESET register as volatile Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 48/50] spi: dw: Make debugfs name unique between instances Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 49/50] vlan: Propagate MAC address to VLANs Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 50/50] xfrm: Dont use sk_family for socket policy lookups Greg Kroah-Hartman
2017-08-05 1:43 ` [PATCH 3.18 00/50] 3.18.64-stable review Guenter Roeck
2017-08-05 2:46 ` Greg Kroah-Hartman
2017-08-05 2:51 ` Greg Kroah-Hartman
2017-08-05 3:00 ` Greg Kroah-Hartman
2017-08-05 4:01 ` Guenter Roeck
2017-08-05 15:43 ` Greg Kroah-Hartman
2017-08-05 5:55 ` Willy Tarreau
2017-08-05 6:02 ` Willy Tarreau
2017-08-05 15:43 ` Greg Kroah-Hartman
2017-08-05 19:11 ` Guenter Roeck
2017-08-07 19:34 ` Greg Kroah-Hartman
2017-08-08 4:11 ` Guenter Roeck
2017-08-05 3:57 ` Guenter Roeck
2017-08-05 15:45 ` Greg Kroah-Hartman
2017-08-05 1:52 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170804231552.409493438@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=amit.pundir@linaro.org \
--cc=axboe@fb.com \
--cc=calvinowens@fb.com \
--cc=chaitra.basappa@broadcom.com \
--cc=jthumshirn@suse.de \
--cc=linux-kernel@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).