Date:   Mon, 31 Jan 2022 21:03:21 -0500
From:   "Martin K. Petersen" <martin.petersen@...cle.com>
To:     jinpu.wang@...ud.ionos.com, Ajish.Koshy@...rochip.com,
        jejb@...ux.ibm.com, damien.lemoal@...nsource.wdc.com,
        John Garry <john.garry@...wei.com>
Cc:     "Martin K . Petersen" <martin.petersen@...cle.com>,
        chenxiang66@...ilicon.com, Viswas.G@...rochip.com,
        linux-scsi@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 0/3] scsi: pm8001: Documentation and use-after-free fixes

On Thu, 27 Jan 2022 21:12:49 +0800, John Garry wrote:

> A few fixes:
> - Remedy make W=1 warning for undescribed param
> - 2x use-after-free fixes for these KASAN warnings:
> 
> TMF timeout:
> [  389.780822] ==================================================================
> [  389.780828] BUG: KASAN: use-after-free in mpi_ssp_completion+0xb8/0xd20
> [  389.780845] Read of size 8 at addr ffff0020ccb50268 by task swapper/6/0
> [  389.780851]
> [  389.780854] CPU: 6 PID: 0 Comm: swapper/6 Not tainted 5.17.0-rc1-11819-gb4fa2357aff7 #1077
> [  389.780862] Hardware name: Huawei D06 /D06, BIOS Hisilicon D06 UEFI RC0 - V1.16.01 03/15/2019
> [  389.780867] Call trace:
> [  389.780870]  dump_backtrace.part.0+0x1d4/0x1e0
> [  389.780880]  show_stack+0x1c/0x6c
> [  389.780888]  dump_stack_lvl+0x68/0x84
> [  389.780897]  print_address_description.constprop.0+0x74/0x2d8
> [  389.780905]  kasan_report+0x1e4/0x250
> [  389.780913]  __asan_load8+0x98/0xd4
> [  389.780920]  mpi_ssp_completion+0xb8/0xd20
> [  389.780927]  process_oq+0x7ec/0x3fec
> [  389.780935]  pm80xx_chip_isr+0x74/0xe0
> [  389.780942]  pm8001_tasklet+0x64/0x80
> [  389.780948]  tasklet_action_common.constprop.0+0x1c4/0x1d0
> [  389.780957]  tasklet_action+0x2c/0x40
> [  389.780964]  __do_softirq+0x1b0/0x3f8
> [  389.780969]  __irq_exit_rcu+0x160/0x180
> [  389.780976]  irq_exit_rcu+0x14/0x20
> [  389.780983]  el1_interrupt+0x38/0x80
> [  389.780992]  el1h_64_irq_handler+0x1c/0x2c
> [  389.780998]  el1h_64_irq+0x78/0x7c
> [  389.781004]  arch_local_irq_enable+0xc/0x20
> [  389.781012]  default_idle_call+0x30/0x6c
> [  389.781020]  do_idle+0x2ec/0x370
> [  389.781027]  cpu_startup_entry+0x2c/0x80
> [  389.781034]  secondary_start_kernel+0x240/0x28c
> [  389.781041]  __secondary_switched+0x94/0x98
> [  389.781051]
> [  389.781053] Allocated by task 629:
> [  389.781057]  kasan_save_stack+0x30/0x60
> [  389.781065]  __kasan_slab_alloc+0x70/0x94
> [  389.781071]  kmem_cache_alloc+0x16c/0x2fc
> [  389.781078]  sas_alloc_slow_task+0x38/0x250
> [  389.781086]  pm8001_exec_internal_tmf_task.constprop.0+0xf0/0x430
> [  389.781093]  pm8001_abort_task+0x59c/0x810
> [  389.781100]  sas_scsi_recover_host+0xafc/0x1090
> [  389.781108]  scsi_error_handler+0x138/0x5f0
> [  389.781114]  kthread+0x18c/0x194
> [  389.781123]  ret_from_fork+0x10/0x20
> [  389.781129]
> [  389.781131] Freed by task 629:
> [  389.781134]  kasan_save_stack+0x30/0x60
> [  389.781141]  kasan_set_track+0x30/0x44
> [  389.781147]  kasan_set_free_info+0x2c/0x50
> [  389.781155]  __kasan_slab_free+0xf0/0x140
> [  389.781161]  slab_free_freelist_hook+0x70/0x1f0
> [  389.781167]  kmem_cache_free+0xb4/0x2e0
> [  389.781173]  sas_free_task+0x3c/0x50
> [  389.781179]  pm8001_exec_internal_tmf_task.constprop.0+0x2b4/0x430
> [  389.781186]  pm8001_abort_task+0x59c/0x810
> [  389.781193]  sas_scsi_recover_host+0xafc/0x1090
> [  389.781201]  scsi_error_handler+0x138/0x5f0
> [  389.781207]  kthread+0x18c/0x194
> [  389.781213]  ret_from_fork+0x10/0x20
> 
> [...]

Applied to 5.17/scsi-fixes, thanks!

[1/3] scsi: pm8001: Fix warning for undescribed param in process_one_iomb()
      https://git.kernel.org/mkp/scsi/c/0aed75fd30da
[2/3] scsi: pm8001: Fix use-after-free for aborted TMF sas_task
      https://git.kernel.org/mkp/scsi/c/61f162aa4381
[3/3] scsi: pm8001: Fix use-after-free for aborted SSP/STP sas_task
      https://git.kernel.org/mkp/scsi/c/df7abcaa1246

-- 
Martin K. Petersen	Oracle Linux Engineering
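The KASAN report quoted above describes one bug class: the SCSI error-handler thread times out an internal TMF, frees its sas_task with sas_free_task(), but the driver's per-tag completion block still points at the freed object, so when the firmware's completion finally arrives via the tasklet, mpi_ssp_completion() reads a slab object that has already been returned. The following is an added userspace model of that race and of the usual fix pattern (detach the task from the tag's block before freeing it, and have the completion path bail out on a detached tag). It is constructed for illustration and is not pm8001 code or the merged patches; the struct and function names are assumed, the tiny pool's in_use flag stands in for KASAN's shadow memory so a stale read is detected deterministically instead of being undefined behaviour, and the model is single-threaded whereas the real driver must perform the detach and the completion's check under the same lock.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model; names are illustrative, not the driver's real types. */
#define NPOOL 4   /* tiny "slab" of sas_task objects */
#define NCCB  4   /* per-tag completion control blocks, one per hardware tag */

struct sas_task {
    int tag;
    int in_use;   /* 0 => object has been freed (plays the role of KASAN's shadow) */
};

struct ccb {
    struct sas_task *task;   /* left dangling by the buggy timeout path */
};

static struct sas_task pool[NPOOL];
static struct ccb      ccbs[NCCB];

/* Stand-in for sas_alloc_slow_task(): first free slab object, like a real slab
 * would hand back a just-freed one. */
static struct sas_task *task_alloc(void)
{
    for (int i = 0; i < NPOOL; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            pool[i].tag = -1;
            return &pool[i];
        }
    }
    return NULL;
}

/* Stand-in for sas_free_task(): return the object and poison its payload. */
static void task_free(struct sas_task *t)
{
    t->in_use = 0;
    t->tag = 0xdead;
}

/* Issue an internal TMF: allocate the task and bind it to the tag's ccb. */
static struct sas_task *tmf_issue(int tag)
{
    struct sas_task *t = task_alloc();
    if (!t)
        return NULL;
    t->tag = tag;
    ccbs[tag].task = t;
    return t;
}

/* Buggy timeout: the EH thread frees the task, the ccb still points at it. */
static void tmf_timeout_buggy(int tag)
{
    task_free(ccbs[tag].task);
}

/* Fixed timeout: detach the task from the ccb, then free it. In a driver the
 * detach and the completion's NULL check must share a lock (assumption: the
 * same lock the completion path takes), since completion runs from a tasklet. */
static void tmf_timeout_fixed(int tag)
{
    struct sas_task *t = ccbs[tag].task;
    ccbs[tag].task = NULL;
    task_free(t);
}

/* Stand-in for mpi_ssp_completion(): firmware answers for this tag.
 * Returns the tag read from the task, -1 if a late completion for an aborted
 * TMF was correctly ignored, or -2 if it touched a freed object (the UAF). */
static int ssp_completion(int tag)
{
    struct sas_task *t = ccbs[tag].task;
    if (!t)
        return -1;
    if (!t->in_use)
        return -2;
    int r = t->tag;
    ccbs[tag].task = NULL;
    task_free(t);
    return r;
}

static void reset(void) { memset(pool, 0, sizeof pool); memset(ccbs, 0, sizeof ccbs); }

/* Normal path: no timeout, completion finds the live task. */
int run_normal(void) { reset(); tmf_issue(3); return ssp_completion(3); }

/* Buggy path: completion reads a task already returned to the slab (-2). */
int run_buggy(void) { reset(); tmf_issue(1); tmf_timeout_buggy(1); return ssp_completion(1); }

/* Buggy path with slab reuse: the freed object is handed to a new TMF (tag 2),
 * so the stale completion for tag 1 silently completes tag 2's task. */
int run_buggy_reuse(void)
{
    reset(); tmf_issue(1); tmf_timeout_buggy(1); tmf_issue(2);
    return ssp_completion(1);
}

/* Fixed path: the late completion sees a detached ccb and is ignored (-1). */
int run_fixed(void) { reset(); tmf_issue(2); tmf_timeout_fixed(2); return ssp_completion(2); }

int main(void)
{
    printf("normal=%d buggy=%d buggy_reuse=%d fixed=%d\n",
           run_normal(), run_buggy(), run_buggy_reuse(), run_fixed());
    return 0;
}
```

The reuse case is the one to keep in mind when auditing this kind of driver: without KASAN the stale read does not crash, it completes (and frees) whichever task now occupies the recycled slab object. Detaching under the lock closes that window only if the hardware tag is also not reused until the firmware has acknowledged the abort; otherwise a late completion for the old command can still be matched against a new task bound to the same tag.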
