From patchwork Fri Jan 27 06:34:56 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Shinichiro Kawasaki X-Patchwork-Id: 647934 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id BFEBCC38142 for ; Fri, 27 Jan 2023 06:35:11 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231772AbjA0GfK (ORCPT ); Fri, 27 Jan 2023 01:35:10 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37360 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231561AbjA0GfI (ORCPT ); Fri, 27 Jan 2023 01:35:08 -0500 Received: from esa6.hgst.iphmx.com (esa6.hgst.iphmx.com [216.71.154.45]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 776A339CF1 for ; Thu, 26 Jan 2023 22:35:04 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=wdc.com; i=@wdc.com; q=dns/txt; s=dkim.wdc.com; t=1674801304; x=1706337304; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=UVFgoFejI+9PS5zEpnPsfzexNoDtD4C02Q20JO63kw4=; b=f+xy+S30iRy29mFAHpR9IgGd55a0kU+uQF+8yZpVT0gzMiS0aT7oZjES 6DQMeBfNHp4tX87A8uHgOboIT8sHJVObuX0OrIUqpGpP92quUTupWvTYD lOaTy06piHXNvILIRojF7q0eU72LXviMLamVhlV2btuVa7vMLqXYmdd7S waQX9JKWvVk8pohQDmY12OBgdpJBO210te44F4lMnMNi4QWRYlaaxNReU cEEFrb0sc3oJUelK2SMNG+/JIIdV6ExS0M29E/JufNFyJDgjMKtAQ+BgG +xyLKmYmeUfdwOO+eSkpBEoIXana4mViznfKC9xOlf/GNyj0OWwiIDyAp Q==; X-IronPort-AV: E=Sophos;i="5.97,250,1669046400"; d="scan'208";a="221934997" Received: from h199-255-45-15.hgst.com (HELO uls-op-cesaep02.wdc.com) ([199.255.45.15]) by ob1.hgst.iphmx.com with ESMTP; 27 Jan 2023 14:35:04 +0800 IronPort-SDR: dvInHzjvQfn+RVsOUZPABi4OCvaTaWHp38h9fahM1BI8itwES+CMwTfe+cP9F1nxrjBrHwMNaw glzAPn5+2WX9ZxwHUQQzhNwsgGObynml2DqhJlf5VOTGXGtp4dkFJPl4ywN0oIfJgicpAtnTjy 4f6nr5lVWMC1PlWQwJlHm2+HewXKpaJ+hvS6FVGM2WAzCao7iTmqmh0/Yi7bMDAyrkZqmxRSLg fYDRqeREJ95Z3fDnasYiY/36GrsRVzsO4tJWoxC6Y+/6tmUiPOo40QqEVEqfeIwE/b8pxy0Xzq vCQ= Received: from uls-op-cesaip01.wdc.com ([10.248.3.36]) by uls-op-cesaep02.wdc.com with ESMTP/TLS/ECDHE-RSA-AES128-GCM-SHA256; 26 Jan 2023 21:46:48 -0800 IronPort-SDR: x2ugXV3YimJ2ssO8VYVxTHIk/euR9587CLhvDm+zhTJVwQ8U3a47HQt+TlJKmc7ITFnlcrR7Hj /OKZbmhzAKqsGoMptcVw5M0lNC9MfGBRaltYWBBv2lchEL/BuEPnbVneFTBW7eipFhYjr7JxKM xckHilfz3Rex5lEnuvqlvdr1wHbwOgL1K8yGAmDVrJa/nCJkso81irotug3FCvV/e8tcse6Mf4 lEISd7JqLaVYcx8k4Wu4/b0BY/lZskBe8ausPBaVNb62sm7twoKnuZfA68OhuKP3Unc374oRpD I7U= WDCIronportException: Internal Received: from shindev.dhcp.fujisawa.hgst.com (HELO shindev.fujisawa.hgst.com) ([10.149.52.207]) by uls-op-cesaip01.wdc.com with ESMTP; 26 Jan 2023 22:35:03 -0800 From: Shin'ichiro Kawasaki To: linux-scsi@vger.kernel.org, mpi3mr-linuxdrv.pdl@broadcom.com Cc: Sathya Prakash Veerichetty , Kashyap Desai , Sumit Saxena , Sreekanth Reddy , "Martin K . Petersen" , Damien Le Moal , Shin'ichiro Kawasaki Subject: [PATCH v4 1/5] scsi: mpi3mr: fix calculation of valid entry length in alltgt_info Date: Fri, 27 Jan 2023 15:34:56 +0900 Message-Id: <20230127063500.1278068-2-shinichiro.kawasaki@wdc.com> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20230127063500.1278068-1-shinichiro.kawasaki@wdc.com> References: <20230127063500.1278068-1-shinichiro.kawasaki@wdc.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org The function mpi3mr_get_all_tgt_info calculates valid entry length in alltgt_info whose type is pointer to struct mpi3mr_device_map_info. However, the calculation assumes that the struct would have size of u32. This results in wrong entry length. Fix the calculation to use the size of *alltgt_info in place of u32. Fixes: f5e6d5a34376 ("scsi: mpi3mr: Add support for driver commands") Cc: stable@vger.kernel.org Signed-off-by: Shin'ichiro Kawasaki --- drivers/scsi/mpi3mr/mpi3mr_app.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/mpi3mr/mpi3mr_app.c b/drivers/scsi/mpi3mr/mpi3mr_app.c index 9baac224b213..49916ae617e5 100644 --- a/drivers/scsi/mpi3mr/mpi3mr_app.c +++ b/drivers/scsi/mpi3mr/mpi3mr_app.c @@ -346,7 +346,8 @@ static long mpi3mr_get_all_tgt_info(struct mpi3mr_ioc *mrioc, memcpy(&alltgt_info->num_devices, &num_devices, sizeof(num_devices)); - usr_entrylen = (job->request_payload.payload_len - sizeof(u32)) / sizeof(*devmap_info); + usr_entrylen = (job->request_payload.payload_len - sizeof(*alltgt_info)) + / sizeof(*devmap_info); usr_entrylen *= sizeof(*devmap_info); min_entrylen = min(usr_entrylen, kern_entrylen); if (min_entrylen && (!memcpy(&alltgt_info->dmi, devmap_info, min_entrylen))) { From patchwork Fri Jan 27 06:34:57 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Shinichiro Kawasaki X-Patchwork-Id: 648389 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8641BC54EAA for ; Fri, 27 Jan 2023 06:35:10 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231769AbjA0GfJ (ORCPT ); Fri, 27 Jan 2023 01:35:09 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37362 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230225AbjA0GfI (ORCPT ); Fri, 27 Jan 2023 01:35:08 -0500 Received: from esa6.hgst.iphmx.com (esa6.hgst.iphmx.com [216.71.154.45]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0181C3A593 for ; Thu, 26 Jan 2023 22:35:05 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=wdc.com; i=@wdc.com; q=dns/txt; s=dkim.wdc.com; t=1674801306; x=1706337306; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=v5Xt+po7LZdWIuZYCJrdn2EF5CVXD3fPWmy8X37nPy8=; b=EYL+/3WAcJO000IvcCVnq4AndGUtQ7gzwmCZeb0SSYZmiS2N/MKqROag 4kPxnxjbICE8xa7wNO2WXF7L7KEfJ3mruKe21WQYANAFxfYPRTi8g4981 VOMLxQfu+/y/7DyDI+TrbB4OsvwmQljkHgLZh/vQjFZH/DWKEEcZ+yUt7 HBQxoD+PWIHHE61tFPkzyqvI0/lkcTvux9UKGyFF6RJOeQvtd3eaKvhr9 ByPf7SRO7kB1Kv87oxDhh34ISlRNoAhSEF2lG59W8cbexfC/MoZ9TKNhE 8165TwzFKNquSgc3cjMQpdgQeUFtx00LyIaNAZYtL2JkTcT10Z1cU47ap w==; X-IronPort-AV: E=Sophos;i="5.97,250,1669046400"; d="scan'208";a="221934999" Received: from h199-255-45-15.hgst.com (HELO uls-op-cesaep02.wdc.com) ([199.255.45.15]) by ob1.hgst.iphmx.com with ESMTP; 27 Jan 2023 14:35:05 +0800 IronPort-SDR: DvKJdEEkFMD0wPvzTA+2mMA6h0zyYRA3e9fS7gYs4hqMYpqughdrcdCZqmEM0L72Et5qx1u+05 kxBBX99Xvh6idIP2RNa4ta9JlFxjjMeSRNQt+QrUh0wiWGTJEXtTutD/PiN4EcNpoomAm/N7W2 RlmhaRcz/gvpJRf0aQP1MPbCqzmspPCqktT2AvQE4pal7UIUguxavrp7knYKTjwXIY6SFbr7M1 Mea84sWxUoaVBqnLdXkfaAls/w7xW/dCbmHMQTNTCzCFeN7LQ3aqT5Ut7kzsJWMpsIbGDS5iq9 eck= Received: from uls-op-cesaip01.wdc.com ([10.248.3.36]) by uls-op-cesaep02.wdc.com with ESMTP/TLS/ECDHE-RSA-AES128-GCM-SHA256; 26 Jan 2023 21:46:50 -0800 IronPort-SDR: AReLcv8HXiiDW4bb1/WJcms5nI8pc1KMKiOFHwgwLzIXktOg6iZViNOiC4FL3MDycr8tBX+XP5 uoTdSGZi62a00oiyYl8K5AfxKwg6WVwbuFwChPL4CZ3h06RozgSxb/QUefKu5WGn3ukRL/mU/j cu9gBXJ5CYpiulaN2JiXPxrgx/wQfdmkoRsN5WjQjbMLeUhCCU5AyEm5QTZi/IPd9qLo2Ch3X9 rpVhMzKZaXFINHgWfrIVvgxZpWpxhfwZMhc8SxQiGjL00wZFtWF6VoOES3xejaazf1CZYR3y/S pCI= WDCIronportException: Internal Received: from shindev.dhcp.fujisawa.hgst.com (HELO shindev.fujisawa.hgst.com) ([10.149.52.207]) by uls-op-cesaip01.wdc.com with ESMTP; 26 Jan 2023 22:35:04 -0800 From: Shin'ichiro Kawasaki To: linux-scsi@vger.kernel.org, mpi3mr-linuxdrv.pdl@broadcom.com Cc: Sathya Prakash Veerichetty , Kashyap Desai , Sumit Saxena , Sreekanth Reddy , "Martin K . Petersen" , Damien Le Moal , Shin'ichiro Kawasaki Subject: [PATCH v4 2/5] scsi: mpi3mr: fix alltgt_info copy size Date: Fri, 27 Jan 2023 15:34:57 +0900 Message-Id: <20230127063500.1278068-3-shinichiro.kawasaki@wdc.com> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20230127063500.1278068-1-shinichiro.kawasaki@wdc.com> References: <20230127063500.1278068-1-shinichiro.kawasaki@wdc.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org The function mpi3mr_get_all_tgt_info calculates min_entrylen which holds the valid entry length in alltgt_info. However, it does not refer min_entrylen when it calls sg_copy_from_buffer to copy the valid entries from alltgt_info to job->request_payload. Instead, it specifies the payload length which is larger than the alltgt_info size, then it causes "BUG: KASAN: slab-out-of-bounds". Fix the BUG by specifying the correct length referring the calculated min_entrylen. Fixes: f5e6d5a34376 ("scsi: mpi3mr: Add support for driver commands") Cc: stable@vger.kernel.org Signed-off-by: Shin'ichiro Kawasaki --- drivers/scsi/mpi3mr/mpi3mr_app.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/mpi3mr/mpi3mr_app.c b/drivers/scsi/mpi3mr/mpi3mr_app.c index 49916ae617e5..7fb9505723cf 100644 --- a/drivers/scsi/mpi3mr/mpi3mr_app.c +++ b/drivers/scsi/mpi3mr/mpi3mr_app.c @@ -359,7 +359,7 @@ static long mpi3mr_get_all_tgt_info(struct mpi3mr_ioc *mrioc, sg_copy_from_buffer(job->request_payload.sg_list, job->request_payload.sg_cnt, - alltgt_info, job->request_payload.payload_len); + alltgt_info, sizeof(*alltgt_info) + min_entrylen); rval = 0; out: kfree(alltgt_info); From patchwork Fri Jan 27 06:34:58 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Shinichiro Kawasaki X-Patchwork-Id: 648388 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7490EC61DA3 for ; Fri, 27 Jan 2023 06:35:13 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231776AbjA0GfL (ORCPT ); Fri, 27 Jan 2023 01:35:11 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37364 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229531AbjA0GfJ (ORCPT ); Fri, 27 Jan 2023 01:35:09 -0500 Received: from esa6.hgst.iphmx.com (esa6.hgst.iphmx.com [216.71.154.45]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id F17F53A85C for ; Thu, 26 Jan 2023 22:35:07 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=wdc.com; i=@wdc.com; q=dns/txt; s=dkim.wdc.com; t=1674801307; x=1706337307; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=6z5ctcjnBNrXYoTY5bxKJZMMqRISGbPVFI9tVKD/VVQ=; b=jxCN0cuJTBT8UdncRjQmEHETAwohm/T1p1Z3zPd/O9Oui7IMYbzMkPDu PBKjrUvd0FQ54v3S+CsWx/OLbsiB2NqFR9KmY8lWReoePWoHDmf1atTUr UMGZCNTiD0zbGYIQqzNcIMl++y20tnPHrvgpKSAEOiW7EwBkDcBxoYp7u 2PcXLI7SHf3GB3lF87kle6nDQF1Omze1166BlhOle6dYqzZUWLemigkiu kcR4VlfThYkiXaAq2BLMoV1uS1aUI6Hn6LHZgrEK69fLwi8F0CeQDLJlx tgE07f8JWuoOv3ZzEjJG9cASuaL/l7SGElzoVBoTSKtzKwdiOQi1zSQJ/ g==; X-IronPort-AV: E=Sophos;i="5.97,250,1669046400"; d="scan'208";a="221935002" Received: from h199-255-45-15.hgst.com (HELO uls-op-cesaep02.wdc.com) ([199.255.45.15]) by ob1.hgst.iphmx.com with ESMTP; 27 Jan 2023 14:35:07 +0800 IronPort-SDR: wKG2AGfOM5QZNjWBLsssGAjQ3BUqadWx8Tfcp+X+Iw8PHiN4k6Qy8GBFNFBolAxFpUaf6HDSoG yqh1z2lYlYl0oAcFs4Lma8dJPX+fEarR/2AdGUr+kWoGLZltCJpBxD/+CiWBWTjMzNBYkGKBoh A0B2/0RYbq046em4UetVFqknDYO00pNmOOF51QQSPlZQZwHZWuEImg/9o3AqB0mP08fqnPNvOz K4XEzObXMSgC3VoWFxw87ztui1lK1RyHv97ndFffAncsajOnhEuMh4J8h98Z6OYljjuPsDHaxJ c3s= Received: from uls-op-cesaip01.wdc.com ([10.248.3.36]) by uls-op-cesaep02.wdc.com with ESMTP/TLS/ECDHE-RSA-AES128-GCM-SHA256; 26 Jan 2023 21:46:52 -0800 IronPort-SDR: a3dmu5K/0R1deAXWtWZEJZ4Be8lCG/mrH1nGC05RODRvGM9OHT7GWHyW2mjmJyKzmJMw5Km4cW /7sJciz9U4iXpbOZ2kFTi+lO9f3mTqiJG6huMXSjM8LlfKz/7lBEeZ9trHxHrim7/MYIcbk/cu NpdjqZrjixR8DURAzh4b0eK2k/CQ5kT1L5sZgzV5QCXZN4RD3ONuvuFeT9MOwEqAX0pgrGXyap //SzYVpcr/pSzQQU4+xT4x3hzm8IkjdEhoL/O3GC4zFoWyHvzorTunKwfraSi4jt/JwRPsBKCG sNo= WDCIronportException: Internal Received: from shindev.dhcp.fujisawa.hgst.com (HELO shindev.fujisawa.hgst.com) ([10.149.52.207]) by uls-op-cesaip01.wdc.com with ESMTP; 26 Jan 2023 22:35:06 -0800 From: Shin'ichiro Kawasaki To: linux-scsi@vger.kernel.org, mpi3mr-linuxdrv.pdl@broadcom.com Cc: Sathya Prakash Veerichetty , Kashyap Desai , Sumit Saxena , Sreekanth Reddy , "Martin K . Petersen" , Damien Le Moal , Shin'ichiro Kawasaki Subject: [PATCH v4 3/5] scsi: mpi3mr: remove unnecessary memcpy Date: Fri, 27 Jan 2023 15:34:58 +0900 Message-Id: <20230127063500.1278068-4-shinichiro.kawasaki@wdc.com> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20230127063500.1278068-1-shinichiro.kawasaki@wdc.com> References: <20230127063500.1278068-1-shinichiro.kawasaki@wdc.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org In the function mpi3mr_get_all_tgt_info, devmap_info points to alltgt_info->dmi then there is no need to memcpy data from devmap_info to alltgt_info->dmi. Remove the unnecessary memcpy. This also allows to remove the local variable 'rval' and the goto label 'out'. Fixes: f5e6d5a34376 ("scsi: mpi3mr: Add support for driver commands") Cc: stable@vger.kernel.org Signed-off-by: Shin'ichiro Kawasaki --- drivers/scsi/mpi3mr/mpi3mr_app.c | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/drivers/scsi/mpi3mr/mpi3mr_app.c b/drivers/scsi/mpi3mr/mpi3mr_app.c index 7fb9505723cf..3b4ae044f4c0 100644 --- a/drivers/scsi/mpi3mr/mpi3mr_app.c +++ b/drivers/scsi/mpi3mr/mpi3mr_app.c @@ -293,7 +293,6 @@ static long mpi3mr_bsg_pel_enable(struct mpi3mr_ioc *mrioc, static long mpi3mr_get_all_tgt_info(struct mpi3mr_ioc *mrioc, struct bsg_job *job) { - long rval = -EINVAL; u16 num_devices = 0, i = 0, size; unsigned long flags; struct mpi3mr_tgt_dev *tgtdev; @@ -304,7 +303,7 @@ static long mpi3mr_get_all_tgt_info(struct mpi3mr_ioc *mrioc, if (job->request_payload.payload_len < sizeof(u32)) { dprint_bsg_err(mrioc, "%s: invalid size argument\n", __func__); - return rval; + return -EINVAL; } spin_lock_irqsave(&mrioc->tgtdev_lock, flags); @@ -350,20 +349,12 @@ static long mpi3mr_get_all_tgt_info(struct mpi3mr_ioc *mrioc, / sizeof(*devmap_info); usr_entrylen *= sizeof(*devmap_info); min_entrylen = min(usr_entrylen, kern_entrylen); - if (min_entrylen && (!memcpy(&alltgt_info->dmi, devmap_info, min_entrylen))) { - dprint_bsg_err(mrioc, "%s:%d: device map info copy failed\n", - __func__, __LINE__); - rval = -EFAULT; - goto out; - } sg_copy_from_buffer(job->request_payload.sg_list, job->request_payload.sg_cnt, alltgt_info, sizeof(*alltgt_info) + min_entrylen); - rval = 0; -out: kfree(alltgt_info); - return rval; + return 0; } /** * mpi3mr_get_change_count - Get topology change count From patchwork Fri Jan 27 06:34:59 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Shinichiro Kawasaki X-Patchwork-Id: 648387 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 56AFCC54EAA for ; Fri, 27 Jan 2023 06:35:15 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231781AbjA0GfO (ORCPT ); Fri, 27 Jan 2023 01:35:14 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37402 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231774AbjA0GfK (ORCPT ); Fri, 27 Jan 2023 01:35:10 -0500 Received: from esa6.hgst.iphmx.com (esa6.hgst.iphmx.com [216.71.154.45]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3007339BA2 for ; Thu, 26 Jan 2023 22:35:09 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=wdc.com; i=@wdc.com; q=dns/txt; s=dkim.wdc.com; t=1674801309; x=1706337309; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=lCAN8eSFTNovsAnnVv6NKR3w/EzTHchXk7tErIquuL8=; b=rZ55Tqm57LuY29KWaE5XOPlognhT/PCd3UyBB9eu6LY+J1yYYgaGI42G I19SNrmXz7SFq5anxRLAOmW4iskLy23W0lAm9hUViChHd06MPzFFvDc77 /NiH4XDnzoktzx6drGvdb58Jv0BM0n1h4Y9d5H26MGwgt5Ky7ti2bAtd/ mnPZ5K07vgaP7+NB/wWOhjUgyi3vs4Dx8PDw2QTEX5mWefr4tvVt2+XhL N+Ec5weFERb4yddvzLXb74jx6YC48eb5jEa9mNfsYLsE2z1yvb4SmqO3X 5A7OBNA69vOptRzQPMnRLi5OxRd7mHhB3svkk+Q9LKFE5pPpt2WCukrdQ Q==; X-IronPort-AV: E=Sophos;i="5.97,250,1669046400"; d="scan'208";a="221935006" Received: from h199-255-45-15.hgst.com (HELO uls-op-cesaep02.wdc.com) ([199.255.45.15]) by ob1.hgst.iphmx.com with ESMTP; 27 Jan 2023 14:35:08 +0800 IronPort-SDR: gQYeDElVcRZ+DU0V9bkEWo5eZFOZS7WqPFAgJsLXs4dz8IW4v8eGGTLtmJd8pPFcmQBOqcMMy3 EaOB62TYIXewA8NvBTV3wWuR+3RlIMfy8CuW7nypYTRQBwqoUpm8KcrE5otocgmzTD1KC1umvO tHrYKKLFMcOEqwJ+oFdmZY2oxlFET1J1HwU6oyQF1S/JYnzCkb0KzQrRu1KBKVGAlQb5NDjuA4 lx7fGRgyeYHwxsLhQkZiIl5i2nwfkW83JF2SIjFJIjX3Wg0NwAHzfF/wm+UfGGv9iPTB9lEaZH FnE= Received: from uls-op-cesaip01.wdc.com ([10.248.3.36]) by uls-op-cesaep02.wdc.com with ESMTP/TLS/ECDHE-RSA-AES128-GCM-SHA256; 26 Jan 2023 21:46:53 -0800 IronPort-SDR: C8a1xxb8mWKDQ1FYZ/q+a+HsPxbWC1QniprqZI/vnu5AxIMF/h1BN+BEPmbf4ijQqwU37l+oSg vVB/Fzi7UJLAj61R0+1u3QmzfplkwpTXaMNczfaVwMgQQgQRn9g1oS+uqsEtrTUkBgPF4VqCS5 U9/zZtW+qYRNX55cU0JV6J0DIRtfSchQMJUtyDLTbWtFDct/G+bAOqQed6mEbBsRMtBOgechjO Fk5aIcPAJrkV3LqlpQUrhvETBJN0BT7CIHnGYbvwHHd7EZahxDe/GbMicTepysGXp4UkCrvGkx N24= WDCIronportException: Internal Received: from shindev.dhcp.fujisawa.hgst.com (HELO shindev.fujisawa.hgst.com) ([10.149.52.207]) by uls-op-cesaip01.wdc.com with ESMTP; 26 Jan 2023 22:35:08 -0800 From: Shin'ichiro Kawasaki To: linux-scsi@vger.kernel.org, mpi3mr-linuxdrv.pdl@broadcom.com Cc: Sathya Prakash Veerichetty , Kashyap Desai , Sumit Saxena , Sreekanth Reddy , "Martin K . Petersen" , Damien Le Moal , Shin'ichiro Kawasaki Subject: [PATCH v4 4/5] scsi: mpi3mr: use number of bits to manage bitmap sizes Date: Fri, 27 Jan 2023 15:34:59 +0900 Message-Id: <20230127063500.1278068-5-shinichiro.kawasaki@wdc.com> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20230127063500.1278068-1-shinichiro.kawasaki@wdc.com> References: <20230127063500.1278068-1-shinichiro.kawasaki@wdc.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org To allocate bitmaps, the mpi3mr driver calculates sizes of bitmaps using byte as unit. However, bitmap helper functions assume that bitmaps are allocated using unsigned long as unit. This gap causes memory access beyond the bitmap sizes and results in "BUG: KASAN: slab-out-of-bounds". The BUG was observed at firmware download to eHBA-9600. Call trace indicated that the out-of-bounds access happened in find_first_zero_bit called from mpi3mr_send_event_ack for miroc->evtack_cmds_bitmap. To fix the BUG, do not use bytes to manage bitmap sizes. Instead, use number of bits, and call bitmap helper functions which take number of bits as arguments. For memory allocation, call bitmap_zalloc instead of kzalloc. For zero clear, call bitmap_clear instead of memset. For resize, call bitmap_zalloc and bitmap_copy instead of krealloc. Remove three fields for bitmap byte sizes in struct scmd_priv, which are no longer required. Replace the field dev_handle_bitmap_sz with dev_handle_bitmap_bits to keep number of bits of removepend_bitmap across resize. Fixes: c5758fc72b92 ("scsi: mpi3mr: Gracefully handle online FW update operation") Fixes: e844adb1fbdc ("scsi: mpi3mr: Implement SCSI error handler hooks") Fixes: c1af985d27da ("scsi: mpi3mr: Add Event acknowledgment logic") Fixes: 824a156633df ("scsi: mpi3mr: Base driver code") Reviewed-by: Damien Le Moal Signed-off-by: Shin'ichiro Kawasaki --- drivers/scsi/mpi3mr/mpi3mr.h | 10 +---- drivers/scsi/mpi3mr/mpi3mr_fw.c | 68 ++++++++++++++------------------- 2 files changed, 30 insertions(+), 48 deletions(-) diff --git a/drivers/scsi/mpi3mr/mpi3mr.h b/drivers/scsi/mpi3mr/mpi3mr.h index def4c5e15cd8..8a438f248a82 100644 --- a/drivers/scsi/mpi3mr/mpi3mr.h +++ b/drivers/scsi/mpi3mr/mpi3mr.h @@ -955,19 +955,16 @@ struct scmd_priv { * @chain_buf_count: Chain buffer count * @chain_buf_pool: Chain buffer pool * @chain_sgl_list: Chain SGL list - * @chain_bitmap_sz: Chain buffer allocator bitmap size * @chain_bitmap: Chain buffer allocator bitmap * @chain_buf_lock: Chain buffer list lock * @bsg_cmds: Command tracker for BSG command * @host_tm_cmds: Command tracker for task management commands * @dev_rmhs_cmds: Command tracker for device removal commands * @evtack_cmds: Command tracker for event ack commands - * @devrem_bitmap_sz: Device removal bitmap size * @devrem_bitmap: Device removal bitmap - * @dev_handle_bitmap_sz: Device handle bitmap size + * @dev_handle_bitmap_bits: Number of bits in device handle bitmap * @removepend_bitmap: Remove pending bitmap * @delayed_rmhs_list: Delayed device removal list - * @evtack_cmds_bitmap_sz: Event Ack bitmap size * @evtack_cmds_bitmap: Event Ack bitmap * @delayed_evtack_cmds_list: Delayed event acknowledgment list * @ts_update_counter: Timestamp update counter @@ -1128,7 +1125,6 @@ struct mpi3mr_ioc { u32 chain_buf_count; struct dma_pool *chain_buf_pool; struct chain_element *chain_sgl_list; - u16 chain_bitmap_sz; void *chain_bitmap; spinlock_t chain_buf_lock; @@ -1136,12 +1132,10 @@ struct mpi3mr_ioc { struct mpi3mr_drv_cmd host_tm_cmds; struct mpi3mr_drv_cmd dev_rmhs_cmds[MPI3MR_NUM_DEVRMCMD]; struct mpi3mr_drv_cmd evtack_cmds[MPI3MR_NUM_EVTACKCMD]; - u16 devrem_bitmap_sz; void *devrem_bitmap; - u16 dev_handle_bitmap_sz; + u16 dev_handle_bitmap_bits; void *removepend_bitmap; struct list_head delayed_rmhs_list; - u16 evtack_cmds_bitmap_sz; void *evtack_cmds_bitmap; struct list_head delayed_evtack_cmds_list; diff --git a/drivers/scsi/mpi3mr/mpi3mr_fw.c b/drivers/scsi/mpi3mr/mpi3mr_fw.c index 286a44506578..d25cd0382e20 100644 --- a/drivers/scsi/mpi3mr/mpi3mr_fw.c +++ b/drivers/scsi/mpi3mr/mpi3mr_fw.c @@ -1128,7 +1128,6 @@ static int mpi3mr_issue_and_process_mur(struct mpi3mr_ioc *mrioc, static int mpi3mr_revalidate_factsdata(struct mpi3mr_ioc *mrioc) { - u16 dev_handle_bitmap_sz; void *removepend_bitmap; if (mrioc->facts.reply_sz > mrioc->reply_sz) { @@ -1160,25 +1159,24 @@ mpi3mr_revalidate_factsdata(struct mpi3mr_ioc *mrioc) "\tcontroller while sas transport support is enabled at the\n" "\tdriver, please reboot the system or reload the driver\n"); - dev_handle_bitmap_sz = mrioc->facts.max_devhandle / 8; - if (mrioc->facts.max_devhandle % 8) - dev_handle_bitmap_sz++; - if (dev_handle_bitmap_sz > mrioc->dev_handle_bitmap_sz) { - removepend_bitmap = krealloc(mrioc->removepend_bitmap, - dev_handle_bitmap_sz, GFP_KERNEL); + if (mrioc->facts.max_devhandle > mrioc->dev_handle_bitmap_bits) { + removepend_bitmap = bitmap_zalloc(mrioc->facts.max_devhandle, + GFP_KERNEL); if (!removepend_bitmap) { ioc_err(mrioc, - "failed to increase removepend_bitmap sz from: %d to %d\n", - mrioc->dev_handle_bitmap_sz, dev_handle_bitmap_sz); + "failed to increase removepend_bitmap bits from %d to %d\n", + mrioc->dev_handle_bitmap_bits, + mrioc->facts.max_devhandle); return -EPERM; } - memset(removepend_bitmap + mrioc->dev_handle_bitmap_sz, 0, - dev_handle_bitmap_sz - mrioc->dev_handle_bitmap_sz); + bitmap_copy(removepend_bitmap, mrioc->removepend_bitmap, + mrioc->dev_handle_bitmap_bits); mrioc->removepend_bitmap = removepend_bitmap; ioc_info(mrioc, - "increased dev_handle_bitmap_sz from %d to %d\n", - mrioc->dev_handle_bitmap_sz, dev_handle_bitmap_sz); - mrioc->dev_handle_bitmap_sz = dev_handle_bitmap_sz; + "increased bits of dev_handle_bitmap from %d to %d\n", + mrioc->dev_handle_bitmap_bits, + mrioc->facts.max_devhandle); + mrioc->dev_handle_bitmap_bits = mrioc->facts.max_devhandle; } return 0; @@ -2957,27 +2955,18 @@ static int mpi3mr_alloc_reply_sense_bufs(struct mpi3mr_ioc *mrioc) if (!mrioc->pel_abort_cmd.reply) goto out_failed; - mrioc->dev_handle_bitmap_sz = mrioc->facts.max_devhandle / 8; - if (mrioc->facts.max_devhandle % 8) - mrioc->dev_handle_bitmap_sz++; - mrioc->removepend_bitmap = kzalloc(mrioc->dev_handle_bitmap_sz, - GFP_KERNEL); + mrioc->dev_handle_bitmap_bits = mrioc->facts.max_devhandle; + mrioc->removepend_bitmap = bitmap_zalloc(mrioc->dev_handle_bitmap_bits, + GFP_KERNEL); if (!mrioc->removepend_bitmap) goto out_failed; - mrioc->devrem_bitmap_sz = MPI3MR_NUM_DEVRMCMD / 8; - if (MPI3MR_NUM_DEVRMCMD % 8) - mrioc->devrem_bitmap_sz++; - mrioc->devrem_bitmap = kzalloc(mrioc->devrem_bitmap_sz, - GFP_KERNEL); + mrioc->devrem_bitmap = bitmap_zalloc(MPI3MR_NUM_DEVRMCMD, GFP_KERNEL); if (!mrioc->devrem_bitmap) goto out_failed; - mrioc->evtack_cmds_bitmap_sz = MPI3MR_NUM_EVTACKCMD / 8; - if (MPI3MR_NUM_EVTACKCMD % 8) - mrioc->evtack_cmds_bitmap_sz++; - mrioc->evtack_cmds_bitmap = kzalloc(mrioc->evtack_cmds_bitmap_sz, - GFP_KERNEL); + mrioc->evtack_cmds_bitmap = bitmap_zalloc(MPI3MR_NUM_EVTACKCMD, + GFP_KERNEL); if (!mrioc->evtack_cmds_bitmap) goto out_failed; @@ -3415,10 +3404,7 @@ static int mpi3mr_alloc_chain_bufs(struct mpi3mr_ioc *mrioc) if (!mrioc->chain_sgl_list[i].addr) goto out_failed; } - mrioc->chain_bitmap_sz = num_chains / 8; - if (num_chains % 8) - mrioc->chain_bitmap_sz++; - mrioc->chain_bitmap = kzalloc(mrioc->chain_bitmap_sz, GFP_KERNEL); + mrioc->chain_bitmap = bitmap_zalloc(num_chains, GFP_KERNEL); if (!mrioc->chain_bitmap) goto out_failed; return retval; @@ -4189,10 +4175,11 @@ void mpi3mr_memset_buffers(struct mpi3mr_ioc *mrioc) for (i = 0; i < MPI3MR_NUM_EVTACKCMD; i++) memset(mrioc->evtack_cmds[i].reply, 0, sizeof(*mrioc->evtack_cmds[i].reply)); - memset(mrioc->removepend_bitmap, 0, mrioc->dev_handle_bitmap_sz); - memset(mrioc->devrem_bitmap, 0, mrioc->devrem_bitmap_sz); - memset(mrioc->evtack_cmds_bitmap, 0, - mrioc->evtack_cmds_bitmap_sz); + bitmap_clear(mrioc->removepend_bitmap, 0, + mrioc->dev_handle_bitmap_bits); + bitmap_clear(mrioc->devrem_bitmap, 0, MPI3MR_NUM_DEVRMCMD); + bitmap_clear(mrioc->evtack_cmds_bitmap, 0, + MPI3MR_NUM_EVTACKCMD); } for (i = 0; i < mrioc->num_queues; i++) { @@ -4886,9 +4873,10 @@ int mpi3mr_soft_reset_handler(struct mpi3mr_ioc *mrioc, mpi3mr_flush_delayed_cmd_lists(mrioc); mpi3mr_flush_drv_cmds(mrioc); - memset(mrioc->devrem_bitmap, 0, mrioc->devrem_bitmap_sz); - memset(mrioc->removepend_bitmap, 0, mrioc->dev_handle_bitmap_sz); - memset(mrioc->evtack_cmds_bitmap, 0, mrioc->evtack_cmds_bitmap_sz); + bitmap_clear(mrioc->devrem_bitmap, 0, MPI3MR_NUM_DEVRMCMD); + bitmap_clear(mrioc->removepend_bitmap, 0, + mrioc->dev_handle_bitmap_bits); + bitmap_clear(mrioc->evtack_cmds_bitmap, 0, MPI3MR_NUM_EVTACKCMD); mpi3mr_flush_host_io(mrioc); mpi3mr_cleanup_fwevt_list(mrioc); mpi3mr_invalidate_devhandles(mrioc); From patchwork Fri Jan 27 06:35:00 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Shinichiro Kawasaki X-Patchwork-Id: 647933 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id D250CC61DA7 for ; Fri, 27 Jan 2023 06:35:13 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231777AbjA0GfN (ORCPT ); Fri, 27 Jan 2023 01:35:13 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37430 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231561AbjA0GfL (ORCPT ); Fri, 27 Jan 2023 01:35:11 -0500 Received: from esa6.hgst.iphmx.com (esa6.hgst.iphmx.com [216.71.154.45]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7BDA93EC7F for ; Thu, 26 Jan 2023 22:35:10 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=wdc.com; i=@wdc.com; q=dns/txt; s=dkim.wdc.com; t=1674801310; x=1706337310; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=wwgi/uZojQdoU960vU0INDs+Sie4OQagy/lnzIu0eXg=; b=I596feJ0DBOO1jEBT6Tr/PmRgpcsy+XQJNpJkUU/M7GyEKdbPqdPQHtP dvRqusxvEqpj+gT8IxCTGHOIinWOU3LNHBQtps57HGiL4va6s0xvx8ojg 3xqd3NoOW6s7JFrfTgGuWU4+y0TQhFm+t+faandnIcpkasrpxlKc/X8O+ Bcktq63t9T2IVjLCrV4utaTKaZLScVU92icxQ4xreOFeYyMXPAyIyHt7F k0Vxx05GGj7brEzA0DmKanW8EOEgwCGT0DCT5AUPt6I33DYYrs5DJ65lL 6iFNG4St915q/zSFZoRs+t9IBpwMuyV9r8uIAAJ0bBUkxPzpHNGdK+DmY w==; X-IronPort-AV: E=Sophos;i="5.97,250,1669046400"; d="scan'208";a="221935012" Received: from h199-255-45-15.hgst.com (HELO uls-op-cesaep02.wdc.com) ([199.255.45.15]) by ob1.hgst.iphmx.com with ESMTP; 27 Jan 2023 14:35:10 +0800 IronPort-SDR: 87VKGEYBWfjGTEtxghsRrmXCQXq4qkxFkNQDzbcCCN0zibrx7G+tyZOHX7dXiTunF3rt430hP2 wIRHqaXTnGqvZj2y5hbz5YiI2B1YEkNe9gvfW6+QU9xb/QppGRQoyY6gBZBgHMFWpP/9qlO3xB WTBVP4KK9hZwHm6oq69PiP2trhM07+7zC/F/sAyemcIJNGzc8JYI9PF634v6eP8+8lxQfeynWC 1oqO9bDyGrSe+T8efolQ6IcGwJ9UC3qwmwSXnFwy5eksSKqU7C9iy4OMHL82CG2CYz1RbV1lqj wG4= Received: from uls-op-cesaip01.wdc.com ([10.248.3.36]) by uls-op-cesaep02.wdc.com with ESMTP/TLS/ECDHE-RSA-AES128-GCM-SHA256; 26 Jan 2023 21:46:55 -0800 IronPort-SDR: 6gGTvNOfHm0/xgerVNeuAmvS1UzmIRk+U5oqIz/Cj/59klTRKxDtQ2f1K6glpEYt8pACc1cFuF I7AKUK1+fjXc0E+/I1VJCRKcFnLVMpIpk1SfwJZLEMTUuUpy0uQpRo480CAHJgEJOvlyZHnE1S HYHal2ANWVVr0/qFcxHoAmbGuOdL8XXXV8yvrOa8HeIYD8y3J3jiF0V87B8H1WpGXchs8hdGys b2B94n4Mnz7OvK//F5IFfJ0psZ4JOjLi6pVijO4SmaCrP8fFjFoiqXctXXEDXYEA3etv2+UTH0 TKI= WDCIronportException: Internal Received: from shindev.dhcp.fujisawa.hgst.com (HELO shindev.fujisawa.hgst.com) ([10.149.52.207]) by uls-op-cesaip01.wdc.com with ESMTP; 26 Jan 2023 22:35:09 -0800 From: Shin'ichiro Kawasaki To: linux-scsi@vger.kernel.org, mpi3mr-linuxdrv.pdl@broadcom.com Cc: Sathya Prakash Veerichetty , Kashyap Desai , Sumit Saxena , Sreekanth Reddy , "Martin K . Petersen" , Damien Le Moal , Shin'ichiro Kawasaki Subject: [PATCH v4 5/5] scsi: mpi3mr: fix missing mrioc->evtack_cmds initialization Date: Fri, 27 Jan 2023 15:35:00 +0900 Message-Id: <20230127063500.1278068-6-shinichiro.kawasaki@wdc.com> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20230127063500.1278068-1-shinichiro.kawasaki@wdc.com> References: <20230127063500.1278068-1-shinichiro.kawasaki@wdc.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org The commit c1af985d27da ("scsi: mpi3mr: Add Event acknowledgment logic") introduced an array mrioc->evtack_cmds. But initialization of the array elements was missed. They are just zero cleared. The function mpi3mr_complete_evt_ack refers host_tag field of the elements. Due to zero value of the host_tag field, the functions calls clear_bit for mrico->evtack_cmds_bitmap with wrong bit index. This results in memory access to invalid address and "BUG: KASAN: use-after-free". This BUG was observed at eHBA-9600 firmware update to version 8.3.1.0. To fix it, add the missing initialization of mrioc->evtack_cmds. Fixes: c1af985d27da ("scsi: mpi3mr: Add Event acknowledgment logic") Cc: stable@vger.kernel.org Reviewed-by: Damien Le Moal Acked-by: Sathya Prakash Veerichetty Signed-off-by: Shin'ichiro Kawasaki --- drivers/scsi/mpi3mr/mpi3mr_os.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/scsi/mpi3mr/mpi3mr_os.c b/drivers/scsi/mpi3mr/mpi3mr_os.c index 3306de7170f6..6eaeba41072c 100644 --- a/drivers/scsi/mpi3mr/mpi3mr_os.c +++ b/drivers/scsi/mpi3mr/mpi3mr_os.c @@ -4952,6 +4952,10 @@ mpi3mr_probe(struct pci_dev *pdev, const struct pci_device_id *id) mpi3mr_init_drv_cmd(&mrioc->dev_rmhs_cmds[i], MPI3MR_HOSTTAG_DEVRMCMD_MIN + i); + for (i = 0; i < MPI3MR_NUM_EVTACKCMD; i++) + mpi3mr_init_drv_cmd(&mrioc->evtack_cmds[i], + MPI3MR_HOSTTAG_EVTACKCMD_MIN + i); + if (pdev->revision) mrioc->enable_segqueue = true;