On 5/22/20 12:35 PM, Suganath Prabu S wrote:
> For non RDPQ mode, Driver allocates a single contiguous block of
> memory pool for all reply descriptor post queues and passes down a
> single address in the ReplyDescriptorPostQueueAddress field of the IOC
> Init Request Message to the firmware. So reply_post queue will have
> only one entry which holds the address of this single contiguous block
> of memory pool.
>
> So while allocating the reply descriptor post queue pool driver should
> loop for only one time in non-RDPQ mode. But due to a bug in below
> patch driver is looping for ioc->reply_queue_count number of times
> even though reply_post queue's queue depth is only one in non-RDPQ
> mode. This leads to 'BUG: KASAN: use-after-free in
> base_alloc_rdpq_dma_pool'.
>
> commit 8012209eb26b7819385a6ec6eae4b1d0a0dbe585 ("scsi: mpt3sas:
> Handle RDPQ DMA allocation in same 4G region")
>
> Fix is to loop over only one time while allocating the memory for the
> reply descriptor post queue in non-RDPQ mode
>
> Reported-by: Tomas Henzl <thenzl@xxxxxxxxxx>
> Signed-off-by: Suganath Prabu S <suganath-prabu.subramani@xxxxxxxxxxxx>

I've tested it and this patch fixes the problem.

Reviewed-by: Tomas Henzl <thenzl@xxxxxxxxxx>
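The loop-bound mistake described in the quoted commit message can be modelled without the driver. The block below is an added illustration, not mpt3sas code and not part of this thread: it keeps a hypothetical `ioc_model` with a `reply_queue_count` (the only name taken from the page) and an assumed `rdpq_enabled` flag, derives the number of `reply_post` entries that actually exist (one in non-RDPQ mode, one per reply queue otherwise), shows how many iterations the old bound of `reply_queue_count` would run past the pool, and allocates with the corrected bound so the loop never indexes beyond what was allocated. The pool entries are plain heap buffers standing in for DMA-coherent blocks.

```c
#include <stdlib.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical model of the reply descriptor post queue pool; field
 * names other than reply_queue_count are assumptions for illustration. */
struct reply_post_entry {
    void *reply_post_free;   /* stand-in for one DMA block */
};

struct ioc_model {
    bool rdpq_enabled;        /* assumed: RDPQ mode on or off */
    int reply_queue_count;    /* number of reply queues (name from the thread) */
    int reply_post_depth;     /* entries actually allocated in reply_post[] */
    struct reply_post_entry *reply_post;
};

/* Entries that exist in reply_post[]: one contiguous block covers all
 * queues in non-RDPQ mode, so the queue depth is 1 there. */
int reply_post_queue_depth(const struct ioc_model *ioc)
{
    return ioc->rdpq_enabled ? ioc->reply_queue_count : 1;
}

/* The old bound looped reply_queue_count times regardless of mode.
 * Returns how many of those iterations would index past the pool. */
int buggy_loop_overrun(const struct ioc_model *ioc)
{
    int iterations = ioc->reply_queue_count;
    int depth = reply_post_queue_depth(ioc);
    return iterations > depth ? iterations - depth : 0;
}

void free_reply_post_pool(struct ioc_model *ioc)
{
    if (!ioc->reply_post)
        return;
    for (int i = 0; i < ioc->reply_post_depth; i++)
        free(ioc->reply_post[i].reply_post_free);
    free(ioc->reply_post);
    ioc->reply_post = NULL;
    ioc->reply_post_depth = 0;
}

/* Corrected allocation: the loop bound is the queue depth, so in
 * non-RDPQ mode exactly one block is allocated and indexed.
 * Returns 0 on success, -1 on allocation failure. */
int alloc_reply_post_pool(struct ioc_model *ioc)
{
    int depth = reply_post_queue_depth(ioc);

    ioc->reply_post = calloc((size_t)depth, sizeof(*ioc->reply_post));
    if (!ioc->reply_post)
        return -1;
    ioc->reply_post_depth = depth;

    for (int i = 0; i < depth; i++) {
        ioc->reply_post[i].reply_post_free = malloc(64); /* constructed size */
        if (!ioc->reply_post[i].reply_post_free) {
            free_reply_post_pool(ioc);
            return -1;
        }
    }
    return 0;
}
```

The point the model makes explicit is that the loop bound and the pool depth must come from the same expression; once they diverge by mode, any iteration beyond the depth touches memory the pool never owned, which is what KASAN flagged in the quoted report.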