[sas-1126]scsi: hisi_sas: Fix out of bound at debug_I_T_nexus_reset()

Bug #1853992 reported by Fred Kimmy on 2019-11-26
This bug affects 1 person
Affects             Importance   Assigned to
kunpeng920          Undecided    Unassigned
Ubuntu-18.04        Undecided    Ike Panhc
Ubuntu-18.04-hwe    Undecided    Ike Panhc
Ubuntu-19.04        Undecided    Ike Panhc
Ubuntu-19.10        Undecided    Ike Panhc
Ubuntu-20.04        Undecided    Unassigned
Upstream-kernel     Undecided    Unassigned
linux (Ubuntu)      Status tracked in Focal
  Bionic            Undecided    Ike Panhc
  Disco             Undecided    Ike Panhc
  Eoan              Undecided    Ike Panhc
  Focal             Undecided    Unassigned

Bug Description

[Impact]
Potential NULL-pointer dereference.

[Test Case]
No known test case, but the issue is clear from code reading.

[Fix]
445ee2de112a scsi: hisi_sas: Fix out of bound at debug_I_T_nexus_reset()

[Regression Risk]
Patch restricted to hisi_sas driver.

[Bug Description]
Running the SAS test with KASAN enabled produces this out-of-bounds access in the SAS module.

[Steps to Reproduce]
1) Enable KASAN
2)
3)

[Actual Results]
[30293.504016] sas: ata464: end_device-2:2:6: dev error handler
[30293.504041] sas: ata465: end_device-2:2:7: dev error handler
[30293.504059] sas: ata466: end_device-2:2:8: dev error handler
[30293.538746] ==================================================================
[30293.550672] BUG: KASAN: slab-out-of-bounds in hisi_sas_debug_I_T_nexus_reset+0xcc/0x250
[30293.558642] Read of size 8 at addr ffffb72e47233540 by task kworker/u193:3/79165
[30293.566004]
[30293.567498] CPU: 14 PID: 79165 Comm: kworker/u193:3 Tainted: G B O 5.1.0-rc1-g7a3fab8-dirty #1
[30293.577196] Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 CS V3.B010.01 06/21/2019
[30293.586037] Workqueue: events_unbound async_run_entry_fn
[30293.591331] Call trace:
[30293.593770] dump_backtrace+0x0/0x1f8
[30293.597419] show_stack+0x14/0x20
[30293.600726] dump_stack+0xc4/0xfc
[30293.604032] print_address_description+0x60/0x258
[30293.608716] kasan_report+0x164/0x1b8
[30293.612366] __asan_load8+0x84/0xa8
[30293.615842] hisi_sas_debug_I_T_nexus_reset+0xcc/0x250
[30293.620961] hisi_sas_I_T_nexus_reset+0xc4/0x170
[30293.625562] sas_ata_hard_reset+0x88/0x178
[30293.629646] ata_do_reset.constprop.6+0x80/0x90
[30293.634160] ata_eh_reset+0x71c/0x10e8
[30293.637897] ata_eh_recover+0x3d0/0x1a80
[30293.641804] ata_do_eh+0x50/0xd0
[30293.645020] ata_std_error_handler+0x78/0xa8
[30293.649273] ata_scsi_port_error_handler+0x288/0x930
[30293.654216] async_sas_ata_eh+0x68/0x90
[30293.658040] async_run_entry_fn+0x7c/0x1c0
[30293.662121] process_one_work+0x3c0/0x878
[30293.666115] worker_thread+0x70/0x670
[30293.669762] kthread+0x1b0/0x1b8
[30293.672978] ret_from_fork+0x10/0x18
[30293.676541]
[30293.678027] Allocated by task 16690:
[30293.681593] __kasan_kmalloc.isra.0+0xd4/0x188
[30293.686018] kasan_kmalloc+0xc/0x18
[30293.689496] __kmalloc_node_track_caller+0x5c/0x98
[30293.694270] devm_kmalloc+0x44/0xb8
[30293.697746] hisi_sas_v3_probe+0x2ec/0x698
[30293.701828] local_pci_probe+0x74/0xf0
[30293.705562] work_for_cpu_fn+0x2c/0x48
[30293.709300] process_one_work+0x3c0/0x878
[30293.713294] worker_thread+0x400/0x670
[30293.717027] kthread+0x1b0/0x1b8
[30293.720241] ret_from_fork+0x10/0x18
[30293.723801]
[30293.725287] Freed by task 16227:
[30293.728503] __kasan_slab_free+0x108/0x210
[30293.732583] kasan_slab_free+0x10/0x18
[30293.736318] kfree+0x74/0x150
[30293.739276] devres_free+0x34/0x48
[30293.742665] devres_release+0x38/0x60
[30293.746313] devm_pinctrl_put+0x34/0x58
[30293.750136] pinctrl_bind_pins+0x164/0x248
[30293.754214] really_probe+0xc0/0x3b0
[30293.757777] driver_probe_device+0x70/0x138
[30293.761944] __device_attach_driver+0xc0/0xe0
[30293.766285] bus_for_each_drv+0xcc/0x150
[30293.770194] __device_attach+0x154/0x1c0
[30293.774101] device_initial_probe+0x10/0x18
[30293.778270] bus_probe_device+0xec/0x100
[30293.782178] device_add+0x5f8/0x9b8
[30293.785658] scsi_sysfs_add_sdev+0xa4/0x310
[30293.789825] scsi_probe_and_add_lun+0xe60/0x1240
[30293.794425] __scsi_scan_target+0x1ac/0x780
[30293.798591] scsi_scan_target+0x134/0x140
[30293.802586] sas_rphy_add+0x1fc/0x2c8
[30293.806234] sas_probe_devices+0x10c/0x1e8
[30293.810313] sas_discover_domain+0x754/0x998
[30293.814567] process_one_work+0x3c0/0x878
[30293.818560] worker_thread+0x70/0x670
[30293.822207] kthread+0x1b0/0x1b8
[30293.825423] ret_from_fork+0x10/0x18
[30293.828983]
[30293.830473] The buggy address belongs to the object at ffffb72e47233480
[30293.830473] which belongs to the cache kmalloc-256 of size 256
[30293.842934] The buggy address is located 192 bytes inside of
[30293.842934] 256-byte region [ffffb72e47233480, ffffb72e47233580)
[30293.854617] The buggy address belongs to the page:
[30293.859388] page:ffff7edcb91c8cc0 count:1 mapcount:0 mapping:ffff972e5f000200 index:0x0
[30293.867360] flags: 0xdfffe00000000200(slab)
[30293.871533] raw: dfffe00000000200 ffff7edcb915ca48 ffff7edcb93fdc08 ffff972e5f000200

[Expected Results]

[Reproducibility]

[Additional information]
(Firmware version, kernel version, affected hardware, etc. if required):

[Resolution]

scsi: hisi_sas: Fix out of bound at debug_I_T_nexus_reset()
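The KASAN splat under [Actual Results] is the only hard evidence in this report, and triaging it means pulling out the bug class, the faulting function, the access size and address, the allocation site, and where the address sits inside the slab object. The parser below is an added example, not part of the bug report or of the hisi_sas driver; the names KasanReport, parse_kasan and culprit are its own, and the sample input is a trimmed, constructed copy of the trace quoted above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: a trimmed copy of the KASAN splat quoted in the
# [Actual Results] section (timestamps, symbols and addresses as reported there).
SAMPLE = """\
[30293.538746] ==================================================================
[30293.550672] BUG: KASAN: slab-out-of-bounds in hisi_sas_debug_I_T_nexus_reset+0xcc/0x250
[30293.558642] Read of size 8 at addr ffffb72e47233540 by task kworker/u193:3/79165
[30293.567498] CPU: 14 PID: 79165 Comm: kworker/u193:3 Tainted: G B O 5.1.0-rc1-g7a3fab8-dirty #1
[30293.591331] Call trace:
[30293.593770] dump_backtrace+0x0/0x1f8
[30293.597419] show_stack+0x14/0x20
[30293.604032] print_address_description+0x60/0x258
[30293.608716] kasan_report+0x164/0x1b8
[30293.612366] __asan_load8+0x84/0xa8
[30293.615842] hisi_sas_debug_I_T_nexus_reset+0xcc/0x250
[30293.620961] hisi_sas_I_T_nexus_reset+0xc4/0x170
[30293.625562] sas_ata_hard_reset+0x88/0x178
[30293.678027] Allocated by task 16690:
[30293.681593] __kasan_kmalloc.isra.0+0xd4/0x188
[30293.686018] kasan_kmalloc+0xc/0x18
[30293.689496] __kmalloc_node_track_caller+0x5c/0x98
[30293.694270] devm_kmalloc+0x44/0xb8
[30293.697746] hisi_sas_v3_probe+0x2ec/0x698
[30293.725287] Freed by task 16227:
[30293.728503] __kasan_slab_free+0x108/0x210
[30293.736318] kfree+0x74/0x150
[30293.739276] devres_free+0x34/0x48
[30293.746313] devm_pinctrl_put+0x34/0x58
[30293.830473] The buggy address belongs to the object at ffffb72e47233480
[30293.830473] which belongs to the cache kmalloc-256 of size 256
[30293.842934] The buggy address is located 192 bytes inside of
[30293.842934] 256-byte region [ffffb72e47233480, ffffb72e47233580)
"""

TS = r"^\[\s*\d+\.\d+\]\s*"  # dmesg timestamp prefix
BUG_RE = re.compile(TS + r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\S+)")
ACCESS_RE = re.compile(TS + r"(?P<op>Read|Write) of size (?P<size>\d+) at addr "
                       r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
OBJECT_RE = re.compile(TS + r"The buggy address belongs to the object at (?P<obj>[0-9a-f]+)")
CACHE_RE = re.compile(TS + r"which belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
SECTION_RE = re.compile(TS + r"(?P<name>Call trace|Allocated by task \d+|Freed by task \d+):")
FRAME_RE = re.compile(TS + r"(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")

# Frames belonging to the reporting/allocator machinery rather than the driver under test.
INFRA_PREFIXES = ("dump_", "show_stack", "print_address", "kasan_", "__kasan", "__asan",
                  "kmalloc", "__kmalloc", "kfree", "devm_kmalloc", "devres_")


@dataclass
class KasanReport:
    kind: str = ""        # e.g. slab-out-of-bounds, use-after-free
    func: str = ""        # symbol+offset where the bad access was made
    op: str = ""          # Read or Write
    size: int = 0         # bytes accessed
    addr: int = 0         # faulting address
    task: str = ""        # comm/pid of the task
    obj_start: int = 0    # start of the slab object containing addr
    cache: str = ""       # slab cache name
    slot_size: int = 0    # size of the slab slot (not the size the driver requested)
    call_trace: list = field(default_factory=list)
    alloc_trace: list = field(default_factory=list)
    free_trace: list = field(default_factory=list)

    def offset_in_object(self) -> int:
        return self.addr - self.obj_start

    def inside_slab_slot(self) -> bool:
        # True when the whole access lies inside the slot. For an OOB report this means
        # the requested allocation was smaller than the slot and the access landed in the
        # redzone KASAN keeps between the requested size and the slot size.
        end = self.obj_start + self.slot_size
        return self.obj_start <= self.addr and self.addr + self.size <= end


def parse_kasan(text: str) -> KasanReport:
    r = KasanReport()
    section = None  # which stack trace the following frames belong to
    for line in text.splitlines():
        if m := BUG_RE.match(line):
            r.kind, r.func = m["kind"], m["func"]
        elif m := ACCESS_RE.match(line):
            r.op, r.size, r.addr, r.task = m["op"], int(m["size"]), int(m["addr"], 16), m["task"]
        elif m := OBJECT_RE.match(line):
            r.obj_start = int(m["obj"], 16)
        elif m := CACHE_RE.match(line):
            r.cache, r.slot_size = m["cache"], int(m["size"])
        elif m := SECTION_RE.match(line):
            name = m["name"]
            section = "call" if name.startswith("Call") else "alloc" if name.startswith("Alloc") else "free"
        elif (m := FRAME_RE.match(line)) and section:
            getattr(r, section + "_trace").append(m["sym"])
    return r


def culprit(frames: list) -> str:
    # First frame that is not KASAN/allocator plumbing: the code to inspect first.
    for sym in frames:
        if not sym.startswith(INFRA_PREFIXES):
            return sym
    return ""


if __name__ == "__main__":
    rep = parse_kasan(SAMPLE)
    print(f"{rep.kind}: {rep.op} of {rep.size} bytes in {culprit(rep.call_trace)} by {rep.task}")
    print(f"offset {rep.offset_in_object()} into {rep.cache} slot, inside slot: {rep.inside_slab_slot()}")
    print(f"allocated in {culprit(rep.alloc_trace)}, slot last freed from {culprit(rep.free_trace)}")
```

Two readings of the output matter for this report. The access is 192 bytes into a 256-byte kmalloc-256 slot, so it is inside the slot, yet KASAN still flags it: KASAN poisons the bytes between the size the driver actually requested and the rounded-up slot size, so the driver's object is smaller than 256 bytes and the index reached past its end. And the "Freed by task" stack (devm_pinctrl_put via devres_free) describes the previous occupant of that slot, which is only the key evidence for a use-after-free; for a slab-out-of-bounds the allocation stack (hisi_sas_v3_probe) is the one that identifies the object.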

Ike Panhc (ikepanhc) on 2019-12-26
Changed in linux (Ubuntu Eoan):
assignee: nobody → Ike Panhc (ikepanhc)
status: New → In Progress
Changed in linux (Ubuntu Disco):
assignee: nobody → Ike Panhc (ikepanhc)
status: New → In Progress
Changed in linux (Ubuntu Bionic):
assignee: nobody → Ike Panhc (ikepanhc)
status: New → In Progress

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1853992

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Ike Panhc (ikepanhc) on 2019-12-26
Changed in linux (Ubuntu Focal):
status: Incomplete → Fix Released
Changed in kunpeng920:
status: New → In Progress
Ike Panhc (ikepanhc) on 2019-12-26
description: updated
Changed in linux (Ubuntu Eoan):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Disco):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Bionic):
status: In Progress → Fix Committed

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-disco' to 'verification-done-disco'. If the problem still exists, change the tag 'verification-needed-disco' to 'verification-failed-disco'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-disco
Ike Panhc (ikepanhc) wrote :

Thanks. Ubuntu-5.0.0-40.44 works for me.

tags: added: verification-done-disco
removed: verification-needed-disco
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.0.0-40.44

---------------
linux (5.0.0-40.44) disco; urgency=medium

  * disco/linux: 5.0.0-40.44 -proposed tracker (LP: #1859724)

  * use-after-free in i915_ppgtt_close (LP: #1859522) // CVE-2020-7053
    - SAUCE: drm/i915: Fix use-after-free when destroying GEM context

  * CVE-2019-14615
    - drm/i915/gen9: Clear residual context state on context switch

  * System hang with kernel traces while entering reboot process on a Disco
    ARM64 moonshot node (LP: #1859582)
    - Revert "RDMA/cm: Fix memory leak in cm_add/remove_one"

linux (5.0.0-39.43) disco; urgency=medium

  * disco/linux: 5.0.0-39.43 -proposed tracker (LP: #1858547)

  * [Regression] usb usb2-port2: Cannot enable. Maybe the USB cable is bad?
    (LP: #1856608)
    - SAUCE: Revert "usb: handle warm-reset port requests on hub resume"

  * PAN is broken for execute-only user mappings on ARMv8 (LP: #1858815)
    - arm64: Revert support for execute-only user mappings

  * Fix unusable USB hub on Dell TB16 after S3 (LP: #1855312)
    - SAUCE: USB: core: Make port power cycle a seperate helper function
    - SAUCE: USB: core: Attempt power cycle port when it's in eSS.Disabled state

  * [sas-1126]scsi: hisi_sas: Fix out of bound at debug_I_T_nexus_reset()
    (LP: #1853992)
    - scsi: hisi_sas: Fix out of bound at debug_I_T_nexus_reset()

  * [sas-1126]scsi: hisi_sas: Assign NCQ tag for all NCQ commands (LP: #1853995)
    - scsi: hisi_sas: Assign NCQ tag for all NCQ commands

  * [sas-1126]scsi: hisi_sas: Fix the conflict between device gone and host
    reset (LP: #1853997)
    - scsi: hisi_sas: Fix the conflict between device gone and host reset

  * scsi: hisi_sas: Check sas_port before using it (LP: #1855952)
    - scsi: hisi_sas: Check sas_port before using it

  * CVE-2019-18885
    - btrfs: refactor btrfs_find_device() take fs_devices as argument
    - btrfs: merge btrfs_find_device and find_device

  * Integrate Intel SGX driver into linux-azure (LP: #1844245)
    - [Packaging] Add systemd service to load intel_sgx

  * [SRU][B/OEM-B/OEM-OSP1/D/E/F] Add LG I2C touchscreen multitouch support
    (LP: #1857541)
    - SAUCE: HID: multitouch: Add LG MELF0410 I2C touchscreen support

  * cifs: DFS Caching feature causing problems traversing multi-tier DFS setups
    (LP: #1854887)
    - cifs: Fix retrieval of DFS referrals in cifs_mount()

  * qede driver causes 100% CPU load (LP: #1855409)
    - qede: Handle infinite driver spinning for Tx timestamp.

  * [roce-1126]RDMA/hns: bugfix for slab-out-of-bounds when loading hip08 driver
    (LP: #1853989)
    - RDMA/hns: Bugfix for slab-out-of-bounds when unloading hip08 driver
    - RDMA/hns: bugfix for slab-out-of-bounds when loading hip08 driver

  * [roce-1126]RDMA/hns: Fixs hw access invalid dma memory error (LP: #1853990)
    - RDMA/hns: Fixs hw access invalid dma memory error

  * [hns-1126]net: hns3: revert to old channel when setting new channel num fail
    (LP: #1853983)
    - net: hns3: revert to old channel when setting new channel num fail

  * [hns-1126]net: hns3: fix port setting handle for fibre port
    (LP: #1853984)
    - net: hns3: fix port setting handle for fibre...

Changed in linux (Ubuntu Disco):
status: Fix Committed → Fix Released

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-bionic

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-eoan' to 'verification-done-eoan'. If the problem still exists, change the tag 'verification-needed-eoan' to 'verification-failed-eoan'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-eoan
Ike Panhc (ikepanhc) wrote :

Both 4.15.0-87.87 and 5.3.0-40.32 work fine for me. Thanks.

tags: added: verification-done-bionic verification-done-eoan
removed: verification-needed-bionic verification-needed-eoan
Changed in kunpeng920:
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.3.0-40.32

---------------
linux (5.3.0-40.32) eoan; urgency=medium

  * eoan/linux: 5.3.0-40.32 -proposed tracker (LP: #1861214)

  * No sof soundcard for 'ASoC: CODEC DAI intel-hdmi-hifi1 not registered' after
    modprobe sof (LP: #1860248)
    - ASoC: SOF: Intel: fix HDA codec driver probe with multiple controllers

  * ocfs2-tools is causing kernel panics in Ubuntu Focal (Ubuntu-5.4.0-9.12)
    (LP: #1852122)
    - ocfs2: fix the crash due to call ocfs2_get_dlm_debug once less

  * QAT drivers for C3XXX and C62X not included as modules (LP: #1845959)
    - [Config] CRYPTO_DEV_QAT_C3XXX=m, CRYPTO_DEV_QAT_C62X=m and
      CRYPTO_DEV_QAT_DH895xCC=m

  * Eoan update: upstream stable patchset 2020-01-24 (LP: #1860816)
    - scsi: lpfc: Fix discovery failures when target device connectivity bounces
    - scsi: mpt3sas: Fix clear pending bit in ioctl status
    - scsi: lpfc: Fix locking on mailbox command completion
    - Input: atmel_mxt_ts - disable IRQ across suspend
    - f2fs: fix to update time in lazytime mode
    - iommu: rockchip: Free domain on .domain_free
    - iommu/tegra-smmu: Fix page tables in > 4 GiB memory
    - dmaengine: xilinx_dma: Clear desc_pendingcount in xilinx_dma_reset
    - scsi: target: compare full CHAP_A Algorithm strings
    - scsi: lpfc: Fix SLI3 hba in loop mode not discovering devices
    - scsi: csiostor: Don't enable IRQs too early
    - scsi: hisi_sas: Replace in_softirq() check in hisi_sas_task_exec()
    - powerpc/pseries: Mark accumulate_stolen_time() as notrace
    - powerpc/pseries: Don't fail hash page table insert for bolted mapping
    - powerpc/tools: Don't quote $objdump in scripts
    - dma-debug: add a schedule point in debug_dma_dump_mappings()
    - leds: lm3692x: Handle failure to probe the regulator
    - clocksource/drivers/asm9260: Add a check for of_clk_get
    - clocksource/drivers/timer-of: Use unique device name instead of timer
    - powerpc/security/book3s64: Report L1TF status in sysfs
    - powerpc/book3s64/hash: Add cond_resched to avoid soft lockup warning
    - ext4: update direct I/O read lock pattern for IOCB_NOWAIT
    - ext4: iomap that extends beyond EOF should be marked dirty
    - jbd2: Fix statistics for the number of logged blocks
    - scsi: tracing: Fix handling of TRANSFER LENGTH == 0 for READ(6) and WRITE(6)
    - scsi: lpfc: Fix duplicate unreg_rpi error in port offline flow
    - f2fs: fix to update dir's i_pino during cross_rename
    - clk: qcom: Allow constant ratio freq tables for rcg
    - clk: clk-gpio: propagate rate change to parent
    - irqchip/irq-bcm7038-l1: Enable parent IRQ if necessary
    - irqchip: ingenic: Error out if IRQ domain creation failed
    - fs/quota: handle overflows of sysctl fs.quota.* and report as unsigned long
    - scsi: lpfc: fix: Coverity: lpfc_cmpl_els_rsp(): Null pointer dereferences
    - PCI: rpaphp: Fix up pointer to first drc-info entry
    - scsi: ufs: fix potential bug which ends in system hang
    - powerpc/pseries/cmm: Implement release() function for sysfs device
    - PCI: rpaphp: Don't rely on firmware feature to imply drc-info support
    - PCI: rpaphp: Annotate and corr...

Changed in linux (Ubuntu Eoan):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.15.0-88.88

---------------
linux (4.15.0-88.88) bionic; urgency=medium

  * bionic/linux: 4.15.0-88.88 -proposed tracker (LP: #1862824)

  * Segmentation fault (kernel oops) with memory-hotplug in
    ubuntu_kernel_selftests on Bionic kernel (LP: #1862312)
    - Revert "mm/memory_hotplug: fix online/offline_pages called w.o.
      mem_hotplug_lock"
    - mm/memory_hotplug: fix online/offline_pages called w.o. mem_hotplug_lock

linux (4.15.0-87.87) bionic; urgency=medium

  * bionic/linux: 4.15.0-87.87 -proposed tracker (LP: #1861165)

  * Bionic update: upstream stable patchset 2020-01-22 (LP: #1860602)
    - scsi: lpfc: Fix discovery failures when target device connectivity bounces
    - scsi: mpt3sas: Fix clear pending bit in ioctl status
    - scsi: lpfc: Fix locking on mailbox command completion
    - Input: atmel_mxt_ts - disable IRQ across suspend
    - iommu/tegra-smmu: Fix page tables in > 4 GiB memory
    - scsi: target: compare full CHAP_A Algorithm strings
    - scsi: lpfc: Fix SLI3 hba in loop mode not discovering devices
    - scsi: csiostor: Don't enable IRQs too early
    - powerpc/pseries: Mark accumulate_stolen_time() as notrace
    - powerpc/pseries: Don't fail hash page table insert for bolted mapping
    - powerpc/tools: Don't quote $objdump in scripts
    - dma-debug: add a schedule point in debug_dma_dump_mappings()
    - clocksource/drivers/asm9260: Add a check for of_clk_get
    - powerpc/security/book3s64: Report L1TF status in sysfs
    - powerpc/book3s64/hash: Add cond_resched to avoid soft lockup warning
    - ext4: update direct I/O read lock pattern for IOCB_NOWAIT
    - jbd2: Fix statistics for the number of logged blocks
    - scsi: tracing: Fix handling of TRANSFER LENGTH == 0 for READ(6) and WRITE(6)
    - scsi: lpfc: Fix duplicate unreg_rpi error in port offline flow
    - f2fs: fix to update dir's i_pino during cross_rename
    - clk: qcom: Allow constant ratio freq tables for rcg
    - irqchip/irq-bcm7038-l1: Enable parent IRQ if necessary
    - irqchip: ingenic: Error out if IRQ domain creation failed
    - fs/quota: handle overflows of sysctl fs.quota.* and report as unsigned long
    - scsi: lpfc: fix: Coverity: lpfc_cmpl_els_rsp(): Null pointer dereferences
    - scsi: ufs: fix potential bug which ends in system hang
    - powerpc/pseries/cmm: Implement release() function for sysfs device
    - powerpc/security: Fix wrong message when RFI Flush is disable
    - scsi: atari_scsi: sun3_scsi: Set sg_tablesize to 1 instead of SG_NONE
    - clk: pxa: fix one of the pxa RTC clocks
    - bcache: at least try to shrink 1 node in bch_mca_scan()
    - HID: logitech-hidpp: Silence intermittent get_battery_capacity errors
    - libnvdimm/btt: fix variable 'rc' set but not used
    - HID: Improve Windows Precision Touchpad detection.
    - scsi: pm80xx: Fix for SATA device discovery
    - scsi: ufs: Fix error handing during hibern8 enter
    - scsi: scsi_debug: num_tgts must be >= 0
    - scsi: NCR5380: Add disconnect_mask module parameter
    - scsi: iscsi: Don't send data to unbound connection
    - scsi: target: iscsi: Wait for all commands to finish before freeing a
...

Changed in linux (Ubuntu Bionic):
status: Fix Committed → Fix Released