On Thu, Jul 09, 2020 at 08:23:19PM +0800, John Garry wrote:
> sdebug_max_queue should not exceed SDEBUG_CANQUEUE, otherwise crashes like
> this can be triggered by passing an out-of-range value:
>
> Hardware name: Huawei D06 /D06, BIOS Hisilicon D06 UEFI RC0 - V1.16.01 03/15/2019
> pstate: 20400009 (nzCv daif +PAN -UAO BTYPE=--)
> pc : schedule_resp+0x2a4/0xa70 [scsi_debug]
> lr : schedule_resp+0x52c/0xa70 [scsi_debug]
> sp : ffff800022ab36f0
> x29: ffff800022ab36f0 x28: ffff0023a935a610
> x27: ffff800008e0a648 x26: 0000000000000003
> x25: ffff0023e84f3200 x24: 00000000003d0900
> x23: 0000000000000000 x22: 0000000000000000
> x21: ffff0023be60a320 x20: ffff0023be60b538
> x19: ffff800008e13000 x18: 0000000000000000
> x17: 0000000000000000 x16: 0000000000000000
> x15: 0000000000000000 x14: 0000000000000000
> x13: 0000000000000000 x12: 0000000000000000
> x11: 0000000000000000 x10: 0000000000000000
> x9 : 0000000000000001 x8 : 0000000000000000
> x7 : 0000000000000000 x6 : 00000000000000c1
> x5 : 0000020000200000 x4 : dead0000000000ff
> x3 : 0000000000000200 x2 : 0000000000000200
> x1 : ffff800008e13d88 x0 : 0000000000000000
> Call trace:
> schedule_resp+0x2a4/0xa70 [scsi_debug]
> scsi_debug_queuecommand+0x2c4/0x9e0 [scsi_debug]
> scsi_queue_rq+0x698/0x840
> __blk_mq_try_issue_directly+0x108/0x228
> blk_mq_request_issue_directly+0x58/0x98
> blk_mq_try_issue_list_directly+0x5c/0xf0
> blk_mq_sched_insert_requests+0x18c/0x200
> blk_mq_flush_plug_list+0x11c/0x190
> blk_flush_plug_list+0xdc/0x110
> blk_finish_plug+0x38/0x210
> blkdev_direct_IO+0x450/0x4d8
> generic_file_read_iter+0x84/0x180
> blkdev_read_iter+0x3c/0x50
> aio_read+0xc0/0x170
> io_submit_one+0x5c8/0xc98
> __arm64_sys_io_submit+0x1b0/0x258
> el0_svc_common.constprop.3+0x68/0x170
> do_el0_svc+0x24/0x90
> el0_sync_handler+0x13c/0x1a8
> el0_sync+0x158/0x180
> Code: 528847e0 72a001e0 6b00003f 540018cd (3941c340)
>
> In addition, it should not be less than 1.
>
> So add checks for these, and fail the module init for those cases.
>
> Fixes: c483739430f10 ("scsi_debug: add multiple queue support")
> Acked-by: Douglas Gilbert <dgilbert@xxxxxxxxxxxx>
> Signed-off-by: John Garry <john.garry@xxxxxxxxxx>
> ---
> drivers/scsi/scsi_debug.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
> index 4692f5b6ad13..68534a23866e 100644
> --- a/drivers/scsi/scsi_debug.c
> +++ b/drivers/scsi/scsi_debug.c
> @@ -6613,6 +6613,12 @@ static int __init scsi_debug_init(void)
> pr_err("submit_queues must be 1 or more\n");
> return -EINVAL;
> }
> +
> + if ((sdebug_max_queue > SDEBUG_CANQUEUE) || (sdebug_max_queue <= 0)) {
> + pr_err("max_queue must be in range [1, %d]\n", SDEBUG_CANQUEUE);
> + return -EINVAL;
> + }
> +
> sdebug_q_arr = kcalloc(submit_queues, sizeof(struct sdebug_queue),
> GFP_KERNEL);
> if (sdebug_q_arr == NULL)
> --
> 2.26.2
>
Reviewed-by: Ming Lei <ming.lei@xxxxxxxxxx>
--
Ming
