[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAK8P3a0_WORgd4Wvd3n+59oR=-rrESwg_MgpDJN4xPo_e6ir5Q@mail.gmail.com>
Date: Sun, 3 Jan 2021 17:26:29 +0100
From: Arnd Bergmann <arnd@...nel.org>
To: Phil Oester <kernel@...uxace.com>
Cc: Arnd Bergmann <arnd@...db.de>,
Kashyap Desai <kashyap.desai@...adcom.com>,
Sumit Saxena <sumit.saxena@...adcom.com>,
Shivasharan S <shivasharan.srikanteshwara@...adcom.com>,
"James E.J. Bottomley" <jejb@...ux.ibm.com>,
"Martin K. Petersen" <martin.petersen@...cle.com>,
Christoph Hellwig <hch@...radead.org>,
"# 3.4.x" <stable@...r.kernel.org>,
Anand Lodnoor <anand.lodnoor@...adcom.com>,
Chandrakanth Patil <chandrakanth.patil@...adcom.com>,
Hannes Reinecke <hare@...e.de>, megaraidlinux.pdl@...adcom.com,
linux-scsi <linux-scsi@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 2/3] scsi: megaraid_sas: check user-provided offsets
On Thu, Dec 31, 2020 at 1:15 AM Phil Oester <kernel@...uxace.com> wrote:
>
> On Tue, Sep 08, 2020 at 11:36:22PM +0200, Arnd Bergmann wrote:
> > It sounds unwise to let user space pass an unchecked 32-bit
> > offset into a kernel structure in an ioctl. This is an unsigned
> > variable, so checking the upper bound for the size of the structure
> > it points into is sufficient to avoid data corruption, but as
> > the pointer might also be unaligned, it has to be written carefully
> > as well.
> >
> > While I stumbled over this problem by reading the code, I did not
> > continue checking the function for further problems like it.
>
> Sorry for replying to an ancient thread, but this patch just recently
> made it into 5.10.3 and has caused unintended consequences. On Dell
> servers with PERC RAID controllers, booting 5.10.3+ with this patch
> causes a PCI parity error. Specifically:
>
> Event Message: A PCI parity error was detected on a component at bus 0 device 5 function 0.
> Severity: Critical
> Message ID: PCI1308
>
> I reverted this single patch and the errors went away.
>
> Thoughts?
Thank you for the report and bisecting the issue, and sorry this broke
your system!
Fortunately, the patch is fairly small, so there are only a limited number
of things that could go wrong. I haven't tried to analyze that message,
but I have two ideas:
a) The added ioc->sense_off check gets triggered and the code relies
on the data being written outside of the structure
b) the address actually needs to always be written as a 64-bit value
regardless of the instance->consistent_mask_64bit flag, as the
driver did before. This looked like it was done in error.
Can you try the patch below instead of the revert and see if that
resolves the regression, and if it triggers the warning message I
add?
Arnd
diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c
b/drivers/scsi/megaraid/megaraid_sas_base.c
index 6e4bf05c6d77..248063a4148b 100644
--- a/drivers/scsi/megaraid/megaraid_sas_base.c
+++ b/drivers/scsi/megaraid/megaraid_sas_base.c
@@ -8194,8 +8194,7 @@ megasas_mgmt_fw_ioctl(struct megasas_instance *instance,
/* make sure the pointer is part of the frame */
if (ioc->sense_off >
(sizeof(union megasas_frame) - sizeof(__le64))) {
- error = -EINVAL;
- goto out;
+ pr_warn("possible out of bounds access offset
%d\n", ioc->sense_off);
}
sense = dma_alloc_coherent(&instance->pdev->dev, ioc->sense_len,
@@ -8209,7 +8208,7 @@ megasas_mgmt_fw_ioctl(struct megasas_instance *instance,
if (instance->consistent_mask_64bit)
put_unaligned_le64(sense_handle, sense_ptr);
else
- put_unaligned_le32(sense_handle, sense_ptr);
+ put_unaligned_le64(sense_handle, sense_ptr);
}
/*
Powered by blists - more mailing lists