Commit
xsigo: Fix use-after-free in xsvhba for srb *sp
Assign the queue_num value before calling complete_cmd_and_callback(). complete_cmd_and_callback() frees srb *sp via sp_put(), which creates a use-after-free error under KASAN.

[ 961.350693] ==================================================================
[ 961.359537] BUG: KASAN: use-after-free in vhba_taskmgmt_flush_ios+0x19c/0x289 [xsvhba]
[ 961.368376] Read of size 4 at addr ffff889f852c2898 by task scsi_eh_8/23358
[ 961.377810] CPU: 1 PID: 23358 Comm: scsi_eh_8 Kdump: loaded Not tainted 5.4.17-2136.331.01.35180168kasanreview.8.el7uek.v1.x86_64 #3
[ 961.377812] Hardware name: Oracle Corporation ORACLE SERVER X5-2/ASM,MOTHERBOARD,1U, BIOS 30370100 07/12/2022
[ 961.377813] Call Trace:
[ 961.377822]  dump_stack+0x95/0xca
[ 961.377831]  ? vhba_taskmgmt_flush_ios+0x19c/0x289 [xsvhba]
[ 961.377838]  print_address_description.constprop.7+0x6b/0x3ec
[ 961.377848]  ? vhba_taskmgmt_flush_ios+0x19c/0x289 [xsvhba]
[ 961.377857]  ? vhba_taskmgmt_flush_ios+0x19c/0x289 [xsvhba]
[ 961.377860]  __kasan_report.cold.10+0x37/0x77
[ 961.377870]  ? sp_put+0x10/0x60 [xsvhba]
[ 961.377880]  ? vhba_taskmgmt_flush_ios+0x19c/0x289 [xsvhba]
[ 961.377882]  kasan_report+0x14/0x1f
[ 961.377885]  __asan_load4+0x99/0x9f
[ 961.377895]  vhba_taskmgmt_flush_ios+0x19c/0x289 [xsvhba]
[ 961.377906]  xg_vhba_eh_device_reset+0x1b4/0x23b [xsvhba]
[ 961.377914]  scsi_eh_ready_devs+0xa85/0x187e
[ 961.377917]  ? scsi_eh_test_devices+0x450/0x445
[ 961.377921]  ? __kasan_check_write+0x14/0x1a
[ 961.377925]  ? _raw_spin_lock_irqsave+0x8e/0xe5
[ 961.377927]  ? scsi_eh_get_sense+0x13e/0x3e1
[ 961.377931]  ? __pm_runtime_resume+0x60/0xa6
[ 961.377934]  scsi_error_handler+0x843/0xa7d
[ 961.377937]  ? scsi_eh_get_sense+0x3f0/0x3e1
[ 961.377940]  ? __kasan_check_write+0x14/0x1a
[ 961.377942]  ? _raw_spin_lock_irqsave+0x8e/0xe5
[ 961.377950]  ? __wake_up_common+0xa9/0x257
[ 961.377952]  ? __kasan_check_read+0x11/0x17
[ 961.377957]  ? __kthread_parkme+0x90/0xab
[ 961.377959]  kthread+0x1c8/0x1e5
[ 961.377962]  ? scsi_eh_get_sense+0x3f0/0x3e1
[ 961.377964]  ? __kthread_cancel_work+0xa0/0x98
[ 961.377967]  ret_from_fork+0x2b/0x36

[ 961.381055] Allocated by task 5054:
[ 961.384947]  save_stack+0x21/0x8b
[ 961.384949]  __kasan_kmalloc.constprop.12+0xc8/0xcd
[ 961.384951]  kasan_kmalloc+0x9/0xf
[ 961.384953]  kmem_cache_alloc_trace+0x140/0x33d
[ 961.384963]  xg_vhba_queuecommand_lck+0x7ed/0x14f5 [xsvhba]
[ 961.384972]  xg_vhba_queuecommand+0x4b/0x80 [xsvhba]
[ 961.384975]  scsi_queue_rq+0xca7/0x1252
[ 961.384978]  __blk_mq_try_issue_directly+0x250/0x421
[ 961.384981]  blk_mq_request_issue_directly+0xab/0x17c
[ 961.384984]  blk_insert_cloned_request+0xf0/0x1af
[ 961.385003]  dm_mq_queue_rq+0x487/0x7f0 [dm_mod]
[ 961.385005]  blk_mq_dispatch_rq_list+0x1bc/0xe77
[ 961.385010]  blk_mq_do_dispatch_sched+0x279/0x2ce
[ 961.385012]  __blk_mq_sched_dispatch_requests+0x276/0x2fe
[ 961.385015]  blk_mq_sched_dispatch_requests+0x85/0xb1
[ 961.385016]  __blk_mq_run_hw_queue+0x87/0x1c9
[ 961.385018]  blk_mq_run_work_fn+0x3b/0x44
[ 961.385022]  process_one_work+0x413/0x81d
[ 961.385024]  worker_thread+0x57/0x5ac
[ 961.385025]  kthread+0x1c8/0x1e5
[ 961.385028]  ret_from_fork+0x2b/0x36

[ 961.388190] Freed by task 23358:
[ 961.391789]  save_stack+0x21/0x8b
[ 961.391791]  __kasan_slab_free+0x141/0x1c9
[ 961.391793]  kasan_slab_free+0xe/0x14
[ 961.391795]  kfree+0xb1/0x4e9
[ 961.391804]  sp_put+0x4b/0x60 [xsvhba]
[ 961.391813]  complete_cmd_and_callback.part.19+0xa5/0x2f4 [xsvhba]
[ 961.391823]  vhba_taskmgmt_flush_ios+0x167/0x289 [xsvhba]
[ 961.391832]  xg_vhba_eh_device_reset+0x1b4/0x23b [xsvhba]
[ 961.391834]  scsi_eh_ready_devs+0xa85/0x187e
[ 961.391837]  scsi_error_handler+0x843/0xa7d
[ 961.391838]  kthread+0x1c8/0x1e5
[ 961.391840]  ret_from_fork+0x2b/0x36

[ 961.395039] The buggy address belongs to the object at ffff889f852c2800 which belongs to the cache kmalloc-512 of size 512
[ 961.409018] The buggy address is located 152 bytes inside of 512-byte region [ffff889f852c2800, ffff889f852c2a00)
[ 961.422123] The buggy address belongs to the page:
[ 961.427474] page:ffffea007e14b000 refcount:1 mapcount:0 mapping:ffff888107c16300 index:0x0 compound_mapcount: 0
[ 961.427477] flags: 0x57ffffc0010200(slab|head)
[ 961.427481] raw: 0057ffffc0010200 dead000000000100 dead000000000122 ffff888107c16300
[ 961.427484] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
[ 961.427484] page dumped because: kasan: bad access detected

[ 961.429148] Memory state around the buggy address:
[ 961.434497]  ffff889f852c2780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 961.442558]  ffff889f852c2800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 961.450619] >ffff889f852c2880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 961.458680]                              ^
[ 961.463156]  ffff889f852c2900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 961.471218]  ffff889f852c2980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 961.479279] ==================================================================

Orabug: 35180168
Signed-off-by: Alok Tiwari <[email protected]>
Reviewed-by: Joseph Salisbury <[email protected]>
Reviewed-by: Samasth Norway Ananda <[email protected]>
Signed-off-by: Alok Tiwari <[email protected]>
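Added illustration, not code from this commit or from the xsvhba driver: a hypothetical C model of the ordering bug the message describes. The names srb, sp_put, complete_cmd_and_callback and flush_io_* are stand-ins chosen after the functions in the trace; their bodies are assumptions. The object lives in a static slot and is overwritten with 0xfb on its last put instead of being kfree()d, so the wrong ordering reads the poison deterministically rather than touching unmapped memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical model (assumption, not the driver's code): a refcounted
 * request object whose last reference is dropped inside the completion
 * path, exactly the shape of the use-after-free in the commit message.
 */
struct srb {
    int refcount;
    uint32_t queue_num;
    int done;
};

#define SRB_POISON 0xfbfbfbbbu + 0x00000040u  /* 0xfbfbfbfb: KASAN's freed-slab byte repeated */
static struct srb srb_slot;   /* stand-in for one kmalloc-512 object */
static int srb_free_calls;    /* counts releases, like "Freed by task" */

/* Allocate the object with a single reference owned by the caller. */
static struct srb *srb_alloc(uint32_t queue_num)
{
    srb_slot.refcount = 1;
    srb_slot.queue_num = queue_num;
    srb_slot.done = 0;
    return &srb_slot;
}

/* Drop a reference; the last put "frees" the object by poisoning it. */
static void sp_put(struct srb *sp)
{
    if (--sp->refcount == 0) {
        memset(sp, 0xfb, sizeof *sp);   /* mimic KASAN poisoning on kfree */
        srb_free_calls++;
    }
}

/* Completes the command and releases the caller's reference. After this
 * returns the caller must not dereference sp again. */
static void complete_cmd_and_callback(struct srb *sp)
{
    sp->done = 1;
    sp_put(sp);
}

/* Wrong ordering: queue_num is read after sp may already be gone. */
static uint32_t flush_io_buggy(struct srb *sp)
{
    complete_cmd_and_callback(sp);
    return sp->queue_num;   /* use-after-free: returns the poison here */
}

/* Fixed ordering, as the commit describes: copy queue_num first. */
static uint32_t flush_io_fixed(struct srb *sp)
{
    uint32_t queue_num = sp->queue_num;   /* local copy taken while sp is live */
    complete_cmd_and_callback(sp);        /* may free sp; we no longer need it */
    return queue_num;
}

/* Run one flush against a fresh object and return what it reported. */
static uint32_t run_flush(int fixed, uint32_t queue_num)
{
    struct srb *sp = srb_alloc(queue_num);
    return fixed ? flush_io_fixed(sp) : flush_io_buggy(sp);
}

int main(void)
{
    printf("fixed ordering reports queue_num = %u\n", run_flush(1, 7));
    printf("buggy ordering reports queue_num = 0x%08x\n", run_flush(0, 7));
    printf("objects released: %d\n", srb_free_calls);
    return 0;
}
```

The local copy is the whole fix: once complete_cmd_and_callback() has consumed the reference, nothing about sp can be relied on, so every field needed afterwards has to be read before the call. The 0xfb bytes in the report's "Memory state" dump are KASAN's marker for freed slab memory, which is why the model poisons with that value; in the real driver the read lands in a freed kmalloc-512 object instead, and KASAN catches it at vhba_taskmgmt_flush_ios+0x19c.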