rpms / kmod-redhat-qla2xxx

Clone
Source Code
GIT

Blame SOURCES/0076-scsi-scsi-qla2xxx-Fix-read-offset-in-qla24xx_load_ri.patch

c7 c7-rt
  1.   c7
  2.   SOURCES
  3.   0076-scsi-scsi-qla2xxx-Fix-read-offset-in-qla24xx_load_ri.patch
Blob History Raw
3c6e85 
From 035ffe68fc976c04a594d4e9dd9c36b22043760c Mon Sep 17 00:00:00 2001
3c6e85 
From: Himanshu Madhani <hmadhani@redhat.com>
3c6e85 
Date: Thu, 1 Aug 2019 15:55:36 -0400
3c6e85 
Subject: [PATCH 076/124] [scsi] scsi: qla2xxx: Fix read offset in
3c6e85 
 qla24xx_load_risc_flash()
3c6e85
3c6e85 
Message-id: <20190801155618.12650-77-hmadhani@redhat.com>
3c6e85 
Patchwork-id: 267872
3c6e85 
O-Subject: [RHEL 7.8 e-stor PATCH 076/118] scsi: qla2xxx: Fix read offset in qla24xx_load_risc_flash()
3c6e85 
Bugzilla: 1729270
3c6e85 
RH-Acked-by: Jarod Wilson <jarod@redhat.com>
3c6e85 
RH-Acked-by: Tony Camuso <tcamuso@redhat.com>
3c6e85
3c6e85 
From: Himanshu Madhani <hmadhani@marvell.com>
3c6e85
3c6e85 
Bugzilla 1729270
3c6e85
3c6e85 
This patch fixes regression introduced by commit f8f97b0c5b7f ("scsi:
3c6e85 
qla2xxx: Cleanups for NVRAM/Flash read/write path") where flash read/write
3c6e85 
routine cleanup left out code which resulted into checksum failure leading
3c6e85 
to use-after-free stack during driver load.
3c6e85
3c6e85 
Following stack trace is seen in the log file
3c6e85
3c6e85 
qla2xxx [0000:00:00.0]-0005: : QLogic Fibre Channel HBA Driver: 10.01.00.16-k.
3c6e85 
qla2xxx [0000:00:0b.0]-001d: : Found an ISP2532 irq 11 iobase 0x0000000000f47f03.
3c6e85 
qla2xxx [0000:00:0b.0]-00cd:8: ISP Firmware failed checksum.
3c6e85 
qla2xxx [0000:00:0b.0]-00cf:8: Setup chip ****FAILED****.
3c6e85 
qla2xxx [0000:00:0b.0]-00d6:8: Failed to initialize adapter - Adapter flags 2.
3c6e85 
==================================================================
3c6e85 
BUG: KASAN: use-after-free in __list_del_entry_valid+0x15/0xd0
3c6e85 
Read of size 8 at addr ffff8880ca05a490 by task modprobe/857
3c6e85
3c6e85 
CPU: 0 PID: 857 Comm: modprobe Not tainted 5.1.0-rc1-dbg+ #4
3c6e85 
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
3c6e85 
Call Trace:
3c6e85 
  dump_stack+0x86/0xca
3c6e85 
  print_address_description+0x6c/0x234
3c6e85 
  ? __list_del_entry_valid+0x15/0xd0
3c6e85 
  kasan_report.cold.3+0x1b/0x34
3c6e85 
  ? __list_del_entry_valid+0x15/0xd0
3c6e85 
  ? __kmem_cache_shutdown.cold.95+0xf5/0x176
3c6e85 
  ? __list_del_entry_valid+0x15/0xd0
3c6e85 
  __asan_load8+0x54/0x90
3c6e85 
  __list_del_entry_valid+0x15/0xd0
3c6e85 
  dma_pool_destroy+0x4f/0x260
3c6e85 
  ? dma_free_attrs+0xb4/0xd0
3c6e85 
  qla2x00_mem_free+0x529/0xcc0 [qla2xxx]
3c6e85 
  ? kobject_put+0xdb/0x230
3c6e85 
  qla2x00_probe_one+0x2b5e/0x45f0 [qla2xxx]
3c6e85 
  ? qla2xxx_pci_error_detected+0x210/0x210 [qla2xxx]
3c6e85 
  ? match_held_lock+0x20/0x240
3c6e85 
  ? find_held_lock+0xca/0xf0
3c6e85 
  ? mark_held_locks+0x86/0xb0
3c6e85 
  ? _raw_spin_unlock_irqrestore+0x52/0x60
3c6e85 
  ? __pm_runtime_resume+0x5b/0xb0
3c6e85 
  ? lockdep_hardirqs_on+0x185/0x260
3c6e85 
  ? _raw_spin_unlock_irqrestore+0x52/0x60
3c6e85 
  ? trace_hardirqs_on+0x24/0x130
3c6e85 
  ? preempt_count_sub+0x13/0xc0
3c6e85 
  ? _raw_spin_unlock_irqrestore+0x3d/0x60
3c6e85 
  pci_device_probe+0x154/0x1e0
3c6e85 
  really_probe+0x17d/0x540
3c6e85 
  ? device_driver_attach+0x90/0x90
3c6e85 
  driver_probe_device+0x113/0x170
3c6e85 
  ? device_driver_attach+0x90/0x90
3c6e85 
  device_driver_attach+0x88/0x90
3c6e85 
  __driver_attach+0xb5/0x190
3c6e85 
  bus_for_each_dev+0xf8/0x160
3c6e85 
  ? subsys_dev_iter_exit+0x10/0x10
3c6e85 
  ? kasan_check_read+0x11/0x20
3c6e85 
  ? preempt_count_sub+0x13/0xc0
3c6e85 
  ? _raw_spin_unlock+0x2c/0x50
3c6e85 
  driver_attach+0x26/0x30
3c6e85 
  bus_add_driver+0x238/0x2f0
3c6e85 
  driver_register+0xd7/0x150
3c6e85 
  __pci_register_driver+0xd5/0xe0
3c6e85 
  ? 0xffffffffa06c8000
3c6e85 
  qla2x00_module_init+0x208/0x254 [qla2xxx]
3c6e85 
  do_one_initcall+0xc0/0x3c9
3c6e85 
  ? trace_event_raw_event_initcall_finish+0x150/0x150
3c6e85 
  ? __kasan_kmalloc.constprop.5+0xc7/0xd0
3c6e85 
  ? kasan_unpoison_shadow+0x35/0x50
3c6e85 
  ? kasan_poison_shadow+0x2f/0x40
3c6e85 
  ? __asan_register_globals+0x5a/0x70
3c6e85 
  do_init_module+0x103/0x330
3c6e85 
  load_module+0x36df/0x3b70
3c6e85 
  ? fsnotify+0x611/0x640
3c6e85 
  ? module_frob_arch_sections+0x20/0x20
3c6e85 
  ? kernel_read+0x74/0xa0
3c6e85 
  ? kasan_check_write+0x14/0x20
3c6e85 
  ? kernel_read_file+0x25e/0x320
3c6e85 
  ? do_mmap+0x42c/0x6c0
3c6e85 
  __do_sys_finit_module+0x133/0x1c0
3c6e85 
  ? __do_sys_finit_module+0x133/0x1c0
3c6e85 
  ? __do_sys_init_module+0x210/0x210
3c6e85 
  ? fput_many+0x1b/0xc0
3c6e85 
  ? fput+0xe/0x10
3c6e85 
  ? do_syscall_64+0x14/0x210
3c6e85 
  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
3c6e85 
  __x64_sys_finit_module+0x3e/0x50
3c6e85 
  do_syscall_64+0x72/0x210
3c6e85 
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
3c6e85 
RIP: 0033:0x7f8bd5c03219
3c6e85 
Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 47 fc 0c 00 f7 d8 64 89 01 48
3c6e85 
RSP: 002b:00007fff9d11de98 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
3c6e85 
RAX: ffffffffffffffda RBX: 000055ef21596b50 RCX: 00007f8bd5c03219
3c6e85 
RDX: 0000000000000000 RSI: 000055ef21596570 RDI: 0000000000000004
3c6e85 
RBP: 000055ef21596570 R08: 0000000000000000 R09: 0000000000000000
3c6e85 
R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000000
3c6e85 
R13: 000055ef21596c80 R14: 0000000000040000 R15: 000055ef21596b50
3c6e85
3c6e85 
Allocated by task 857:
3c6e85 
  save_stack+0x43/0xd0
3c6e85 
  __kasan_kmalloc.constprop.5+0xc7/0xd0
3c6e85 
  kasan_kmalloc+0x9/0x10
3c6e85 
  kmem_cache_alloc_trace+0x144/0x300
3c6e85 
  dma_pool_create+0xb5/0x3b0
3c6e85 
  qla2x00_mem_alloc+0xb98/0x1ad0 [qla2xxx]
3c6e85 
  qla2x00_probe_one+0xe28/0x45f0 [qla2xxx]
3c6e85 
  pci_device_probe+0x154/0x1e0
3c6e85 
  really_probe+0x17d/0x540
3c6e85 
  driver_probe_device+0x113/0x170
3c6e85 
  device_driver_attach+0x88/0x90
3c6e85 
  __driver_attach+0xb5/0x190
3c6e85 
  bus_for_each_dev+0xf8/0x160
3c6e85 
  driver_attach+0x26/0x30
3c6e85 
  bus_add_driver+0x238/0x2f0
3c6e85 
  driver_register+0xd7/0x150
3c6e85 
  __pci_register_driver+0xd5/0xe0
3c6e85 
  qla2x00_module_init+0x208/0x254 [qla2xxx]
3c6e85 
  do_one_initcall+0xc0/0x3c9
3c6e85 
  do_init_module+0x103/0x330
3c6e85 
  load_module+0x36df/0x3b70
3c6e85 
  __do_sys_finit_module+0x133/0x1c0
3c6e85 
  __x64_sys_finit_module+0x3e/0x50
3c6e85 
  do_syscall_64+0x72/0x210
3c6e85 
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
3c6e85
3c6e85 
Freed by task 857:
3c6e85 
  save_stack+0x43/0xd0
3c6e85 
  __kasan_slab_free+0x139/0x190
3c6e85 
  kasan_slab_free+0xe/0x10
3c6e85 
  kfree+0xf0/0x2c0
3c6e85 
  dma_pool_destroy+0x24c/0x260
3c6e85 
  qla2x00_mem_free+0x529/0xcc0 [qla2xxx]
3c6e85 
  qla2x00_free_device+0x167/0x1b0 [qla2xxx]
3c6e85 
  qla2x00_probe_one+0x2b28/0x45f0 [qla2xxx]
3c6e85 
  pci_device_probe+0x154/0x1e0
3c6e85 
  really_probe+0x17d/0x540
3c6e85 
  driver_probe_device+0x113/0x170
3c6e85 
  device_driver_attach+0x88/0x90
3c6e85 
  __driver_attach+0xb5/0x190
3c6e85 
  bus_for_each_dev+0xf8/0x160
3c6e85 
  driver_attach+0x26/0x30
3c6e85 
  bus_add_driver+0x238/0x2f0
3c6e85 
  driver_register+0xd7/0x150
3c6e85 
  __pci_register_driver+0xd5/0xe0
3c6e85 
  qla2x00_module_init+0x208/0x254 [qla2xxx]
3c6e85 
  do_one_initcall+0xc0/0x3c9
3c6e85 
  do_init_module+0x103/0x330
3c6e85 
  load_module+0x36df/0x3b70
3c6e85 
  __do_sys_finit_module+0x133/0x1c0
3c6e85 
  __x64_sys_finit_module+0x3e/0x50
3c6e85 
  do_syscall_64+0x72/0x210
3c6e85 
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
3c6e85
3c6e85 
The buggy address belongs to the object at ffff8880ca05a400
3c6e85 
  which belongs to the cache kmalloc-192 of size 192
3c6e85 
The buggy address is located 144 bytes inside of
3c6e85 
  192-byte region [ffff8880ca05a400, ffff8880ca05a4c0)
3c6e85 
The buggy address belongs to the page:
3c6e85 
page:ffffea0003281680 count:1 mapcount:0 mapping:ffff88811bf03380 index:0x0 compound_mapcount: 0
3c6e85 
flags: 0x4000000000010200(slab|head)
3c6e85 
raw: 4000000000010200 0000000000000000 0000000c00000001 ffff88811bf03380
3c6e85 
raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
3c6e85 
page dumped because: kasan: bad access detected
3c6e85
3c6e85 
Memory state around the buggy address:
3c6e85 
  ffff8880ca05a380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
3c6e85 
  ffff8880ca05a400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
3c6e85 
>ffff8880ca05a480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
3c6e85 
                          ^
3c6e85 
  ffff8880ca05a500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
3c6e85 
  ffff8880ca05a580: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
3c6e85 
==================================================================
3c6e85
3c6e85 
Fixes: f8f97b0c5b7f ("scsi: qla2xxx: Cleanups for NVRAM/Flash read/write path")
3c6e85 
Reported-by: Bart Van Assche <bvanassche@acm.org>
3c6e85 
Tested-by: Bart Van Assche <bvanassche@acm.org>
3c6e85 
Signed-off-by: Himanshu Madhani <hmadhani@marvell.com>
3c6e85 
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
3c6e85 
(cherry picked from commit 1710ac17547ac8b5c44fbd74de41dee3fe26ee81)
3c6e85 
Signed-off-by: Himanshu Madhani <hmadhani@redhat.com>
3c6e85 
Signed-off-by: Jan Stancek <jstancek@redhat.com>
3c6e85
3c6e85 
Conflicts:
3c6e85 
	drivers/scsi/qla2xxx/qla_init.c
3c6e85 
---
3c6e85 
 drivers/scsi/qla2xxx/qla_init.c | 16 +---------------
3c6e85 
 1 file changed, 1 insertion(+), 15 deletions(-)
3c6e85
3c6e85 
diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
3c6e85 
index 15085251f59f..0e8826599c65 100644
3c6e85 
--- a/drivers/scsi/qla2xxx/qla_init.c
3c6e85 
+++ b/drivers/scsi/qla2xxx/qla_init.c
3c6e85 
@@ -7727,8 +7727,6 @@ qla24xx_load_risc_flash(scsi_qla_host_t *vha, uint32_t *srisc_addr,
3c6e85
3c6e85 
 		dcode = fwdt->template;
3c6e85 
 		qla24xx_read_flash_data(vha, dcode, faddr, risc_size);
3c6e85 
-		for (i = 0; i < risc_size; i++)
3c6e85 
-			dcode[i] = le32_to_cpu(dcode[i]);
3c6e85
3c6e85 
 		if (!qla27xx_fwdt_template_valid(dcode)) {
3c6e85 
 			ql_log(ql_log_warn, vha, 0x0165,
3c6e85 
@@ -7894,22 +7892,11 @@ qla24xx_load_risc_blob(scsi_qla_host_t *vha, uint32_t *srisc_addr)
3c6e85 
 	}
3c6e85
3c6e85 
 	fwcode = (void *)blob->fw->data;
3c6e85 
-	dcode = fwcode + 4;
3c6e85 
+	dcode = fwcode;
3c6e85 
 	if (qla24xx_risc_firmware_invalid(dcode)) {
3c6e85 
 		ql_log(ql_log_fatal, vha, 0x0093,
3c6e85 
 		    "Unable to verify integrity of firmware image (%Zd).\n",
3c6e85 
 		    blob->fw->size);
3c6e85 
-		return QLA_FUNCTION_FAILED;
3c6e85 
-	}
3c6e85 
-	for (i = 0; i < 4; i++)
3c6e85 
-		dcode[i] = be32_to_cpu(fwcode[i + 4]);
3c6e85 
-	if ((dcode[0] == 0xffffffff && dcode[1] == 0xffffffff &&
3c6e85 
-	    dcode[2] == 0xffffffff && dcode[3] == 0xffffffff) ||
3c6e85 
-	    (dcode[0] == 0 && dcode[1] == 0 && dcode[2] == 0 &&
3c6e85 
-		dcode[3] == 0)) {
3c6e85 
-		ql_log(ql_log_fatal, vha, 0x0094,
3c6e85 
-		    "Unable to verify integrity of firmware image (%Zd).\n",
3c6e85 
-		    blob->fw->size);
3c6e85 
 		ql_log(ql_log_fatal, vha, 0x0095,
3c6e85 
 		    "Firmware data: %08x %08x %08x %08x.\n",
3c6e85 
 		    dcode[0], dcode[1], dcode[2], dcode[3]);
3c6e85 
@@ -7932,7 +7919,6 @@ qla24xx_load_risc_blob(scsi_qla_host_t *vha, uint32_t *srisc_addr)
3c6e85
3c6e85 
 		dlen = ha->fw_transfer_size >> 2;
3c6e85 
 		for (fragment = 0; risc_size; fragment++) {
3c6e85 
-			dlen = (uint32_t)(ha->fw_transfer_size >> 2);
3c6e85 
 			if (dlen > risc_size)
3c6e85 
 				dlen = risc_size;
3c6e85
3c6e85 
--
3c6e85 
2.13.6
3c6e85

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation