lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-Id: <164368097302.23346.11566808732978746802.b4-ty@oracle.com>
Date:   Mon, 31 Jan 2022 21:03:21 -0500
From:   "Martin K. Petersen" <martin.petersen@...cle.com>
To:     jinpu.wang@...ud.ionos.com, Ajish.Koshy@...rochip.com,
        jejb@...ux.ibm.com, damien.lemoal@...nsource.wdc.com,
        John Garry <john.garry@...wei.com>
Cc:     "Martin K . Petersen" <martin.petersen@...cle.com>,
        chenxiang66@...ilicon.com, Viswas.G@...rochip.com,
        linux-scsi@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 0/3] scsi: pm8001: Documentation and use-after-free fixes

On Thu, 27 Jan 2022 21:12:49 +0800, John Garry wrote:

> A few fixes:
> - Remedy make W=1 warning for undescribed param
> - 2x use-after-free fixes for these KASAN warnings:
> 
> TMF timeout:
> 389.780822] ==================================================================
> [  389.780828] BUG: KASAN: use-after-free in mpi_ssp_completion+0xb8/0xd20
> [  389.780845] Read of size 8 at addr ffff0020ccb50268 by task swapper/6/0
> [  389.780851]
> [  389.780854] CPU: 6 PID: 0 Comm: swapper/6 Not tainted 5.17.0-rc1-11819-gb4fa2357aff7 #1077
> [  389.780862] Hardware name: Huawei D06 /D06, BIOS Hisilicon D06 UEFI RC0 - V1.16.01 03/15/2019
> [  389.780867] Call trace:
> [  389.780870]  dump_backtrace.part.0+0x1d4/0x1e0
> [  389.780880]  show_stack+0x1c/0x6c
> [  389.780888]  dump_stack_lvl+0x68/0x84
> [  389.780897]  print_address_description.constprop.0+0x74/0x2d8
> [  389.780905]  kasan_report+0x1e4/0x250
> [  389.780913]  __asan_load8+0x98/0xd4
> [  389.780920]  mpi_ssp_completion+0xb8/0xd20
> [  389.780927]  process_oq+0x7ec/0x3fec
> [  389.780935]  pm80xx_chip_isr+0x74/0xe0
> [  389.780942]  pm8001_tasklet+0x64/0x80
> [  389.780948]  tasklet_action_common.constprop.0+0x1c4/0x1d0
> [  389.780957]  tasklet_action+0x2c/0x40
> [  389.780964]  __do_softirq+0x1b0/0x3f8
> [  389.780969]  __irq_exit_rcu+0x160/0x180
> [  389.780976]  irq_exit_rcu+0x14/0x20
> [  389.780983]  el1_interrupt+0x38/0x80
> [  389.780992]  el1h_64_irq_handler+0x1c/0x2c
> [  389.780998]  el1h_64_irq+0x78/0x7c
> [  389.781004]  arch_local_irq_enable+0xc/0x20
> [  389.781012]  default_idle_call+0x30/0x6c
> [  389.781020]  do_idle+0x2ec/0x370
> [  389.781027]  cpu_startup_entry+0x2c/0x80
> [  389.781034]  secondary_start_kernel+0x240/0x28c
> [  389.781041]  __secondary_switched+0x94/0x98
> [  389.781051]
> [  389.781053] Allocated by task 629:
> [  389.781057]  kasan_save_stack+0x30/0x60
> [  389.781065]  __kasan_slab_alloc+0x70/0x94
> [  389.781071]  kmem_cache_alloc+0x16c/0x2fc
> [  389.781078]  sas_alloc_slow_task+0x38/0x250
> [  389.781086]  pm8001_exec_internal_tmf_task.constprop.0+0xf0/0x430
> [  389.781093]  pm8001_abort_task+0x59c/0x810
> [  389.781100]  sas_scsi_recover_host+0xafc/0x1090
> [  389.781108]  scsi_error_handler+0x138/0x5f0
> [  389.781114]  kthread+0x18c/0x194
> [  389.781123]  ret_from_fork+0x10/0x20
> [  389.781129]
> [  389.781131] Freed by task 629:
> [  389.781134]  kasan_save_stack+0x30/0x60
> [  389.781141]  kasan_set_track+0x30/0x44
> [  389.781147]  kasan_set_free_info+0x2c/0x50
> [  389.781155]  __kasan_slab_free+0xf0/0x140
> [  389.781161]  slab_free_freelist_hook+0x70/0x1f0
> [  389.781167]  kmem_cache_free+0xb4/0x2e0
> [  389.781173]  sas_free_task+0x3c/0x50
> [  389.781179]  pm8001_exec_internal_tmf_task.constprop.0+0x2b4/0x430
> [  389.781186]  pm8001_abort_task+0x59c/0x810
> [  389.781193]  sas_scsi_recover_host+0xafc/0x1090
> [  389.781201]  scsi_error_handler+0x138/0x5f0
> [  389.781207]  kthread+0x18c/0x194
> [  389.781213]  ret_from_fork+0x10/0x20
> 
> [...]

Applied to 5.17/scsi-fixes, thanks!

[1/3] scsi: pm8001: Fix warning for undescribed param in process_one_iomb()
      https://git.kernel.org/mkp/scsi/c/0aed75fd30da
[2/3] scsi: pm8001: Fix use-after-free for aborted TMF sas_task
      https://git.kernel.org/mkp/scsi/c/61f162aa4381
[3/3] scsi: pm8001: Fix use-after-free for aborted SSP/STP sas_task
      https://git.kernel.org/mkp/scsi/c/df7abcaa1246

-- 
Martin K. Petersen	Oracle Linux Engineering

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ