From 035ffe68fc976c04a594d4e9dd9c36b22043760c Mon Sep 17 00:00:00 2001
From: Himanshu Madhani <hmadhani@redhat.com>
Date: Thu, 1 Aug 2019 15:55:36 -0400
Subject: [PATCH 076/124] [scsi] scsi: qla2xxx: Fix read offset in
qla24xx_load_risc_flash()
Message-id: <20190801155618.12650-77-hmadhani@redhat.com>
Patchwork-id: 267872
O-Subject: [RHEL 7.8 e-stor PATCH 076/118] scsi: qla2xxx: Fix read offset in qla24xx_load_risc_flash()
Bugzilla: 1729270
RH-Acked-by: Jarod Wilson <jarod@redhat.com>
RH-Acked-by: Tony Camuso <tcamuso@redhat.com>
From: Himanshu Madhani <hmadhani@marvell.com>
Bugzilla 1729270
This patch fixes regression introduced by commit f8f97b0c5b7f ("scsi:
qla2xxx: Cleanups for NVRAM/Flash read/write path") where flash read/write
routine cleanup left out code which resulted in a checksum failure leading
to use-after-free stack during driver load.
Following stack trace is seen in the log file
qla2xxx [0000:00:00.0]-0005: : QLogic Fibre Channel HBA Driver: 10.01.00.16-k.
qla2xxx [0000:00:0b.0]-001d: : Found an ISP2532 irq 11 iobase 0x0000000000f47f03.
qla2xxx [0000:00:0b.0]-00cd:8: ISP Firmware failed checksum.
qla2xxx [0000:00:0b.0]-00cf:8: Setup chip ****FAILED****.
qla2xxx [0000:00:0b.0]-00d6:8: Failed to initialize adapter - Adapter flags 2.
==================================================================
BUG: KASAN: use-after-free in __list_del_entry_valid+0x15/0xd0
Read of size 8 at addr ffff8880ca05a490 by task modprobe/857
CPU: 0 PID: 857 Comm: modprobe Not tainted 5.1.0-rc1-dbg+ #4
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
Call Trace:
dump_stack+0x86/0xca
print_address_description+0x6c/0x234
? __list_del_entry_valid+0x15/0xd0
kasan_report.cold.3+0x1b/0x34
? __list_del_entry_valid+0x15/0xd0
? __kmem_cache_shutdown.cold.95+0xf5/0x176
? __list_del_entry_valid+0x15/0xd0
__asan_load8+0x54/0x90
__list_del_entry_valid+0x15/0xd0
dma_pool_destroy+0x4f/0x260
? dma_free_attrs+0xb4/0xd0
qla2x00_mem_free+0x529/0xcc0 [qla2xxx]
? kobject_put+0xdb/0x230
qla2x00_probe_one+0x2b5e/0x45f0 [qla2xxx]
? qla2xxx_pci_error_detected+0x210/0x210 [qla2xxx]
? match_held_lock+0x20/0x240
? find_held_lock+0xca/0xf0
? mark_held_locks+0x86/0xb0
? _raw_spin_unlock_irqrestore+0x52/0x60
? __pm_runtime_resume+0x5b/0xb0
? lockdep_hardirqs_on+0x185/0x260
? _raw_spin_unlock_irqrestore+0x52/0x60
? trace_hardirqs_on+0x24/0x130
? preempt_count_sub+0x13/0xc0
? _raw_spin_unlock_irqrestore+0x3d/0x60
pci_device_probe+0x154/0x1e0
really_probe+0x17d/0x540
? device_driver_attach+0x90/0x90
driver_probe_device+0x113/0x170
? device_driver_attach+0x90/0x90
device_driver_attach+0x88/0x90
__driver_attach+0xb5/0x190
bus_for_each_dev+0xf8/0x160
? subsys_dev_iter_exit+0x10/0x10
? kasan_check_read+0x11/0x20
? preempt_count_sub+0x13/0xc0
? _raw_spin_unlock+0x2c/0x50
driver_attach+0x26/0x30
bus_add_driver+0x238/0x2f0
driver_register+0xd7/0x150
__pci_register_driver+0xd5/0xe0
? 0xffffffffa06c8000
qla2x00_module_init+0x208/0x254 [qla2xxx]
do_one_initcall+0xc0/0x3c9
? trace_event_raw_event_initcall_finish+0x150/0x150
? __kasan_kmalloc.constprop.5+0xc7/0xd0
? kasan_unpoison_shadow+0x35/0x50
? kasan_poison_shadow+0x2f/0x40
? __asan_register_globals+0x5a/0x70
do_init_module+0x103/0x330
load_module+0x36df/0x3b70
? fsnotify+0x611/0x640
? module_frob_arch_sections+0x20/0x20
? kernel_read+0x74/0xa0
? kasan_check_write+0x14/0x20
? kernel_read_file+0x25e/0x320
? do_mmap+0x42c/0x6c0
__do_sys_finit_module+0x133/0x1c0
? __do_sys_finit_module+0x133/0x1c0
? __do_sys_init_module+0x210/0x210
? fput_many+0x1b/0xc0
? fput+0xe/0x10
? do_syscall_64+0x14/0x210
? entry_SYSCALL_64_after_hwframe+0x49/0xbe
__x64_sys_finit_module+0x3e/0x50
do_syscall_64+0x72/0x210
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f8bd5c03219
Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 47 fc 0c 00 f7 d8 64 89 01 48
RSP: 002b:00007fff9d11de98 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
RAX: ffffffffffffffda RBX: 000055ef21596b50 RCX: 00007f8bd5c03219
RDX: 0000000000000000 RSI: 000055ef21596570 RDI: 0000000000000004
RBP: 000055ef21596570 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000000
R13: 000055ef21596c80 R14: 0000000000040000 R15: 000055ef21596b50
Allocated by task 857:
save_stack+0x43/0xd0
__kasan_kmalloc.constprop.5+0xc7/0xd0
kasan_kmalloc+0x9/0x10
kmem_cache_alloc_trace+0x144/0x300
dma_pool_create+0xb5/0x3b0
qla2x00_mem_alloc+0xb98/0x1ad0 [qla2xxx]
qla2x00_probe_one+0xe28/0x45f0 [qla2xxx]
pci_device_probe+0x154/0x1e0
really_probe+0x17d/0x540
driver_probe_device+0x113/0x170
device_driver_attach+0x88/0x90
__driver_attach+0xb5/0x190
bus_for_each_dev+0xf8/0x160
driver_attach+0x26/0x30
bus_add_driver+0x238/0x2f0
driver_register+0xd7/0x150
__pci_register_driver+0xd5/0xe0
qla2x00_module_init+0x208/0x254 [qla2xxx]
do_one_initcall+0xc0/0x3c9
do_init_module+0x103/0x330
load_module+0x36df/0x3b70
__do_sys_finit_module+0x133/0x1c0
__x64_sys_finit_module+0x3e/0x50
do_syscall_64+0x72/0x210
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 857:
save_stack+0x43/0xd0
__kasan_slab_free+0x139/0x190
kasan_slab_free+0xe/0x10
kfree+0xf0/0x2c0
dma_pool_destroy+0x24c/0x260
qla2x00_mem_free+0x529/0xcc0 [qla2xxx]
qla2x00_free_device+0x167/0x1b0 [qla2xxx]
qla2x00_probe_one+0x2b28/0x45f0 [qla2xxx]
pci_device_probe+0x154/0x1e0
really_probe+0x17d/0x540
driver_probe_device+0x113/0x170
device_driver_attach+0x88/0x90
__driver_attach+0xb5/0x190
bus_for_each_dev+0xf8/0x160
driver_attach+0x26/0x30
bus_add_driver+0x238/0x2f0
driver_register+0xd7/0x150
__pci_register_driver+0xd5/0xe0
qla2x00_module_init+0x208/0x254 [qla2xxx]
do_one_initcall+0xc0/0x3c9
do_init_module+0x103/0x330
load_module+0x36df/0x3b70
__do_sys_finit_module+0x133/0x1c0
__x64_sys_finit_module+0x3e/0x50
do_syscall_64+0x72/0x210
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8880ca05a400
which belongs to the cache kmalloc-192 of size 192
The buggy address is located 144 bytes inside of
192-byte region [ffff8880ca05a400, ffff8880ca05a4c0)
The buggy address belongs to the page:
page:ffffea0003281680 count:1 mapcount:0 mapping:ffff88811bf03380 index:0x0 compound_mapcount: 0
flags: 0x4000000000010200(slab|head)
raw: 4000000000010200 0000000000000000 0000000c00000001 ffff88811bf03380
raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880ca05a380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff8880ca05a400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880ca05a480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
^
ffff8880ca05a500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880ca05a580: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
==================================================================
Fixes: f8f97b0c5b7f ("scsi: qla2xxx: Cleanups for NVRAM/Flash read/write path")
Reported-by: Bart Van Assche <bvanassche@acm.org>
Tested-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Himanshu Madhani <hmadhani@marvell.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
(cherry picked from commit 1710ac17547ac8b5c44fbd74de41dee3fe26ee81)
Signed-off-by: Himanshu Madhani <hmadhani@redhat.com>
Signed-off-by: Jan Stancek <jstancek@redhat.com>
Conflicts:
drivers/scsi/qla2xxx/qla_init.c
---
drivers/scsi/qla2xxx/qla_init.c | 16 +---------------
1 file changed, 1 insertion(+), 15 deletions(-)
diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
index 15085251f59f..0e8826599c65 100644
--- a/drivers/scsi/qla2xxx/qla_init.c
+++ b/drivers/scsi/qla2xxx/qla_init.c
@@ -7727,8 +7727,6 @@ qla24xx_load_risc_flash(scsi_qla_host_t *vha, uint32_t *srisc_addr,
dcode = fwdt->template;
qla24xx_read_flash_data(vha, dcode, faddr, risc_size);
- for (i = 0; i < risc_size; i++)
- dcode[i] = le32_to_cpu(dcode[i]);
if (!qla27xx_fwdt_template_valid(dcode)) {
ql_log(ql_log_warn, vha, 0x0165,
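Review bot: The check `if (!qla27xx_fwdt_template_valid(dcode))` now consumes the flash words exactly as qla24xx_read_flash_data() leaves them, so dropping the le32_to_cpu loop is only correct if that helper already returns CPU-order dwords, which this hunk does not show; on little-endian hosts the removed loop was a no-op, so the change is observable only on big-endian builds, where the old code would have swapped a second time. A one-line comment on the read would keep the next cleanup from re-adding the swap: `/* qla24xx_read_flash_data() returns CPU-order dwords; no byte swap here. */`. If `i` has no remaining use in qla24xx_load_risc_flash() it is now an unused variable and will warn. The function starts and ends outside this hunk.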
@@ -7894,22 +7892,11 @@ qla24xx_load_risc_blob(scsi_qla_host_t *vha, uint32_t *srisc_addr)
}
fwcode = (void *)blob->fw->data;
- dcode = fwcode + 4;
+ dcode = fwcode;
if (qla24xx_risc_firmware_invalid(dcode)) {
ql_log(ql_log_fatal, vha, 0x0093,
"Unable to verify integrity of firmware image (%Zd).\n",
blob->fw->size);
- return QLA_FUNCTION_FAILED;
- }
- for (i = 0; i < 4; i++)
- dcode[i] = be32_to_cpu(fwcode[i + 4]);
- if ((dcode[0] == 0xffffffff && dcode[1] == 0xffffffff &&
- dcode[2] == 0xffffffff && dcode[3] == 0xffffffff) ||
- (dcode[0] == 0 && dcode[1] == 0 && dcode[2] == 0 &&
- dcode[3] == 0)) {
- ql_log(ql_log_fatal, vha, 0x0094,
- "Unable to verify integrity of firmware image (%Zd).\n",
- blob->fw->size);
ql_log(ql_log_fatal, vha, 0x0095,
"Firmware data: %08x %08x %08x %08x.\n",
dcode[0], dcode[1], dcode[2], dcode[3]);
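Review bot: With `dcode = fwcode`, the 0x0095 log on the last line reads dcode[0..3], the first four words of the firmware blob (and qla24xx_risc_firmware_invalid() presumably inspects the same header), but nothing in this hunk bounds that read by `blob->fw->size`; a truncated firmware file is external input and would be read past its end. Unless an earlier part of qla24xx_load_risc_blob() already checks the length, guard it before the validity test: `if (blob->fw->size < 4 * sizeof(*dcode))` / `return QLA_FUNCTION_FAILED;`. Separately, the removed `be32_to_cpu(fwcode[i + 4])` loop shows the header words are big-endian in the blob, so the `%08x` output now prints raw, unswapped words on little-endian hosts; wrapping each argument in be32_to_cpu() would keep the diagnostic readable. The function continues past the end of this hunk.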
@@ -7932,7 +7919,6 @@ qla24xx_load_risc_blob(scsi_qla_host_t *vha, uint32_t *srisc_addr)
dlen = ha->fw_transfer_size >> 2;
for (fragment = 0; risc_size; fragment++) {
- dlen = (uint32_t)(ha->fw_transfer_size >> 2);
if (dlen > risc_size)
dlen = risc_size;
--
2.13.6