lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3b74287a.3728.182f7a604b3.Coremail.15815827059@163.com>
Date:   Thu, 1 Sep 2022 14:03:48 +0800 (CST)
From:   huhai <15815827059@....com>
To:     "Sathya Prakash Veerichetty" <sathya.prakash@...adcom.com>
Cc:     jejb@...ux.ibm.com,
        "Martin K. Petersen" <martin.petersen@...cle.com>,
        "Sreekanth Reddy" <sreekanth.reddy@...adcom.com>,
        "Suganath Prabu Subramani" <suganath-prabu.subramani@...adcom.com>,
        PDL-MPT-FUSIONLINUX <MPT-FusionLinux.pdl@...adcom.com>,
        linux-scsi <linux-scsi@...r.kernel.org>,
        linux-kernel <linux-kernel@...r.kernel.org>,
        huhai <huhai@...inos.cn>, stable@...r.kernel.org,
        "Jackie Liu" <liuyun01@...inos.cn>
Subject: Re:Re: [PATCH] scsi: mpt3sas: Fix NULL pointer crash due to missing
 check device hostdata


At 2022-09-01 13:08:14, "Sathya Prakash Veerichetty" <sathya.prakash@...adcom.com> wrote:
>The patch could be improved to clear the ata_cmd_pending bit for the
>cases !sas_device_priv_data->sas_target and
>sas_device_priv_data->sas_target->deleted before returning

>DID_NO_CONNECT to retain the current functionality.

Hi, 

Maybe my commit information is not clear enough,This patch is fixed NULL pointer crash
duto to "struct MPT3SAS_DEVICE *priv = scmd->device->hostdata;"  got a NULL pointer, and
when "clear_bit(0, &priv->ata_command_pending);" is called, kernel will panic. 

Thanks

>
>
>On Wed, Aug 31, 2022 at 7:11 PM huhai <15815827059@....com> wrote:
>>
>> Friendly ping.
>>
>>
>> At 2022-08-25 17:26:45, "huhai" <15815827059@....com> wrote:
>> >From: huhai <huhai@...inos.cn>
>> >
>> >If _scsih_io_done() is called with scmd->device->hostdata=NULL, it can lead
>> >to the following panic:
>> >
>> >  BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
>> >  PGD 4547a4067 P4D 4547a4067 PUD 0
>> >  Oops: 0002 [#1] SMP NOPTI
>> >  CPU: 62 PID: 0 Comm: swapper/62 Kdump: loaded Not tainted 4.19.90-24.4.v2101.ky10.x86_64 #1
>> >  Hardware name: Storage Server/65N32-US, BIOS SQL1041217 05/30/2022
>> >  RIP: 0010:_scsih_set_satl_pending+0x2d/0x50 [mpt3sas]
>> >  Code: 00 00 48 8b 87 60 01 00 00 0f b6 10 80 fa a1 74 09 31 c0 80 fa 85 74 02 f3 c3 48 8b 47 38 40 84 f6 48 8b 80 98 00 00 00 75 08 <f0> 80 60 18 fe 31 c0 c3 f0 48 0f ba 68 18 00 0f 92 c0 0f b6 c0 c3
>> >  RSP: 0018:ffff8ec22fc03e00 EFLAGS: 00010046
>> >  RAX: 0000000000000000 RBX: ffff8eba1b072518 RCX: 0000000000000001
>> >  RDX: 0000000000000085 RSI: 0000000000000000 RDI: ffff8eba1b072518
>> >  RBP: 0000000000000dbd R08: 0000000000000000 R09: 0000000000029700
>> >  R10: ffff8ec22fc03f80 R11: 0000000000000000 R12: ffff8ebe2d3609e8
>> >  R13: ffff8ebe2a72b600 R14: ffff8eca472707e0 R15: 0000000000000020
>> >  FS:  0000000000000000(0000) GS:ffff8ec22fc00000(0000) knlGS:0000000000000000
>> >  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> >  CR2: 0000000000000018 CR3: 000000046e5f6000 CR4: 00000000003406e0
>> >  Call Trace:
>> >   <IRQ>
>> >   _scsih_io_done+0x4a/0x9f0 [mpt3sas]
>> >   _base_interrupt+0x23f/0xe10 [mpt3sas]
>> >   __handle_irq_event_percpu+0x40/0x190
>> >   handle_irq_event_percpu+0x30/0x70
>> >   handle_irq_event+0x36/0x60
>> >   handle_edge_irq+0x7e/0x190
>> >   handle_irq+0xa8/0x110
>> >   do_IRQ+0x49/0xe0
>> >
>> >Fix it by move scmd->device->hostdata check before _scsih_set_satl_pending
>> >called.
>> >
>> >Other changes:
>> >- It looks clear to move get mpi_reply to near its check.
>> >
>> >Fixes: ffb584565894 ("scsi: mpt3sas: fix hang on ata passthrough commands")
>> >Cc: <stable@...r.kernel.org> # v4.9+
>> >Co-developed-by: Jackie Liu <liuyun01@...inos.cn>
>> >Signed-off-by: Jackie Liu <liuyun01@...inos.cn>
>> >Signed-off-by: huhai <huhai@...inos.cn>
>> >---
>> > drivers/scsi/mpt3sas/mpt3sas_scsih.c | 15 +++++++--------
>> > 1 file changed, 7 insertions(+), 8 deletions(-)
>> >
>> >diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
>> >index def37a7e5980..85f5749a0421 100644
>> >--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
>> >+++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
>> >@@ -5704,27 +5704,26 @@ _scsih_io_done(struct MPT3SAS_ADAPTER *ioc, u16 smid, u8 msix_index, u32 reply)
>> >       struct MPT3SAS_DEVICE *sas_device_priv_data;
>> >       u32 response_code = 0;
>> >
>> >-      mpi_reply = mpt3sas_base_get_reply_virt_addr(ioc, reply);
>> >-
>> >       scmd = mpt3sas_scsih_scsi_lookup_get(ioc, smid);
>> >       if (scmd == NULL)
>> >               return 1;
>> >
>> >+      sas_device_priv_data = scmd->device->hostdata;
>> >+      if (!sas_device_priv_data || !sas_device_priv_data->sas_target ||
>> >+           sas_device_priv_data->sas_target->deleted) {
>> >+              scmd->result = DID_NO_CONNECT << 16;
>> >+              goto out;
>> >+      }
>> >       _scsih_set_satl_pending(scmd, false);
>> >
>> >       mpi_request = mpt3sas_base_get_msg_frame(ioc, smid);
>> >
>> >+      mpi_reply = mpt3sas_base_get_reply_virt_addr(ioc, reply);
>> >       if (mpi_reply == NULL) {
>> >               scmd->result = DID_OK << 16;
>> >               goto out;
>> >       }
>> >
>> >-      sas_device_priv_data = scmd->device->hostdata;
>> >-      if (!sas_device_priv_data || !sas_device_priv_data->sas_target ||
>> >-           sas_device_priv_data->sas_target->deleted) {
>> >-              scmd->result = DID_NO_CONNECT << 16;
>> >-              goto out;
>> >-      }
>> >       ioc_status = le16_to_cpu(mpi_reply->IOCStatus);
>> >
>> >       /*
>> >--
>> >2.27.0
>> >
>> >
>> >No virus found
>> >               Checked by Hillstone Network AntiVirus
>
>-- 
>This electronic communication and the information and any files transmitted 
>with it, or attached to it, are confidential and are intended solely for 
>the use of the individual or entity to whom it is addressed and may contain 
>information that is confidential, legally privileged, protected by privacy 
>laws, or otherwise restricted from disclosure to anyone else. If you are 
>not the intended recipient or the person responsible for delivering the 
>e-mail to the intended recipient, you are hereby notified that any use, 
>copying, distributing, dissemination, forwarding, printing, or copying of 
>this e-mail is strictly prohibited. If you received this e-mail in error, 
>please return the e-mail to the sender, delete it from your computer, and 
>destroy any printed copy of it.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ