[Bug 108771] scsi: ses: kasan: ses_enclosure_data_process use after free on boot SAS2X28

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



https://bugzilla.kernel.org/show_bug.cgi?id=108771

--- Comment #3 from Pavel Tikhomirov <ptikhomirov@xxxxxxxxxxxxx> ---
On 12/10/2015 03:43 AM, James Bottomley wrote:
> On Wed, 2015-12-09 at 15:35 +0300, Pavel Tikhomirov wrote:
>>
>> On 12/08/2015 07:16 PM, James Bottomley wrote:
>>> On Mon, 2015-12-07 at 14:01 +0000, bugzilla-daemon@xxxxxxxxxxxxxxxxxxx
>>> wrote:
>>>> https://bugzilla.kernel.org/show_bug.cgi?id=108771
>>>>
>>>> --- Comment #1 from Pavel Tikhomirov <ptikhomirov@xxxxxxxxxxxxx> ---
>>>> Aditional info about enclosue(from that node, but older 3.10 based kernel):
>>>>
>>>> [root@p9 crash]# modprobe sg
>>>> [root@p9 crash]#  sg_map -i
>>>> /dev/sg0  LSI       SAS2X28           0e12
>>>> /dev/sg1  /dev/sda  LSI  MR9260-4i  2.13
>>>> [root@p9 crash]# lsscsi -gs
>>>> [1:0:16:0]   enclosu LSI      SAS2X28          0e12  -          /dev/sg0
>>>> -
>>>> [1:2:0:0]    disk    LSI      MR9260-4i        2.13  /dev/sda   /dev/sg1
>>>> 3.99TB
>>>> [root@p9 crash]#  sg_ses /dev/sg0
>>>>     LSI       SAS2X28           0e12
>>>> Supported diagnostic pages:
>>>>     Supported Diagnostic Pages [sdp] [0x0]
>>>>     Configuration (SES) [cf] [0x1]
>>>>     Enclosure Status/Control (SES) [ec,es] [0x2]
>>>>     Element Descriptor (SES) [ed] [0x7]
>>>>     Additional Element Status (SES-2) [aes] [0xa]
>>>>     Download Microcode (SES-2) [dm] [0xe]
>>>> [root@p9 crash]#  sg_ses /dev/sg1
>>>>     LSI  MR9260-4i  2.13
>>>>       disk device (not an enclosure)
>>>> Supported diagnostic pages:
>>>
>>> OK, can you give us the contents of pages 1, 2 and 10 with
>>>
>>> sg_ses --page=1 --hex /dev/sg0
>>> sg_ses --page=2 --hex /dev/sg0
>>> sg_ses --page=10 --hex /dev/sg0
>>>
>>> The version of the kernel you do this on doesn't really matter.
>>
>> Here are these pages:
>>
>> [root@p9 ~]# sg_ses --page=1 --hex /dev/sg0
>>     LSI       SAS2X28           0e12
>> Response in hex from diagnostic page: Configuration (SES)
>>    00     01 00 00 c9 00 00 00 00  11 00 09 2c 50 03 04 80
>> ...........,P...
>>    10     00 a7 1e bf 4c 53 49 20  20 20 20 20 53 41 53 32    ....LSI
>>    SAS2
>>    20     58 32 38 20 20 20 20 20  20 20 20 20 30 65 31 32    X28
>>    0e12
>>    30     11 22 33 44 55 00 00 00  17 0c 00 0b 04 01 00 13
>> ."3DU...........
>>    40     03 03 00 04 12 02 00 0f  02 02 00 0e 0e 01 00 09
>> ................
>>    50     18 01 00 0d 19 0e 00 0e  11 02 00 0e 44 72 69 76
>> ............Driv
>>    60     65 20 53 6c 6f 74 73 54  65 6d 70 65 72 61 74 75    e
>> SlotsTemperatu
>>    70     72 65 20 53 65 6e 73 6f  72 73 46 61 6e 73 56 6f    re
>> SensorsFansVo
>>    80     6c 74 61 67 65 20 53 65  6e 73 6f 72 73 50 6f 77    ltage
>> SensorsPow
>>    90     65 72 20 53 75 70 70 6c  69 65 73 45 6e 63 6c 6f    er
>> SuppliesEnclo
>>    a0     73 75 72 65 53 41 53 20  45 78 70 61 6e 64 65 72    sureSAS
>> Expander
>>    b0     73 53 41 53 20 43 6f 6e  6e 65 63 74 6f 72 73 45    sSAS
>> ConnectorsE
>>    c0     74 68 65 72 6e 65 74 20  70 6f 72 74 73             thernet ports
>
> Wow, that's some crazy enclosure.  The description says it's a single
> primary subenclosure with 9 different element types comprising 12 Device
> slots, 1 temperature sensor, 3 fans, 2 voltage sensors, 2 power
> supplies, 1 Enclosure, 1 SAS Expander,  14 SAS connectors, 2
> Communications ports. For 38 total element descriptors
>
>> [root@p9 ~]# sg_ses --page=2 --hex /dev/sg0
>>     LSI       SAS2X28           0e12
>> Response in hex from diagnostic page: Enclosure Status (SES)
>>    00     02 00 00 c0 00 00 00 00  00 00 00 00 05 00 00 00
>> ................
>>    10     05 00 00 00 01 00 00 00  05 00 00 00 05 00 00 00
>> ................
>>    20     01 00 00 00 05 00 00 00  05 00 00 00 01 00 00 00
>> ................
>>    30     05 00 00 00 05 00 00 00  01 00 00 00 00 00 00 00
>> ................
>>    40     01 00 2c 00 00 00 00 00  05 00 00 50 05 00 00 50
>> ..,........P...P
>>    50     05 00 00 50 00 00 00 00  01 00 01 f9 01 00 04 b3
>> ...P............
>>    60     00 00 00 00 47 80 00 20  47 80 00 20 00 00 00 00    ....G.. G..
>> ....
>>    70     01 00 00 00 00 00 00 00  01 00 00 00 00 00 00 00
>> ................
>>    80     01 11 ff 00 01 11 ff 00  01 20 00 00 01 20 00 00    .........
>> ... ..
>>    90     01 20 00 00 01 20 00 00  01 20 00 00 01 20 00 00    . ... ...
>> ... ..
>>    a0     01 20 00 00 01 20 00 00  01 20 00 00 01 20 00 00    . ... ...
>> ... ..
>>    b0     01 20 00 00 01 20 00 00  00 00 00 00 00 00 00 00    . ...
>> ..........
>>    c0     00 00 00 00
>
> Given each type has one overall descriptor followed by the individual
> ones, we have 38 + 9 = 47 total descriptors, which is what we see here.
>
>> [root@p9 ~]# sg_ses --page=10 --hex /dev/sg0
>>     LSI       SAS2X28           0e12
>> Response in hex from diagnostic page: Additional Element Status (SES-2)
>>    00     0a 00 01 fc 00 00 00 00  16 22 00 00 01 00 00 00
>> ........."......
>>    10     00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
>> ................
>>    20     00 00 00 00 00 00 00 00  00 00 00 00 16 22 00 01
>> ............."..
>>    30     01 00 00 01 00 00 00 00  00 00 00 00 00 00 00 00
>> ................
>>    40     00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
>> ................
>>    50     16 22 00 02 01 00 00 02  00 00 00 01 50 03 04 80
>> ."..........P...
>>    60     00 a7 1e bf 50 03 04 80  00 a7 1e ae 00 00 00 00
>> ....P...........
>>    70     00 00 00 00 16 22 00 03  01 00 00 03 00 00 00 00
>> ....."..........
>>    80     00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
>> ................
>>    90     00 00 00 00 00 00 00 00  16 22 00 04 01 00 00 04
>> ........."......
>>    a0     00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
>> ................
>>    b0     00 00 00 00 00 00 00 00  00 00 00 00 16 22 00 05
>> ............."..
>>    c0     01 00 00 05 00 00 00 01  50 03 04 80 00 a7 1e bf
>> ........P.......
>>    d0     50 03 04 80 00 a7 1e b1  00 00 00 00 00 00 00 00
>> P...............
>>    e0     16 22 00 06 01 00 00 06  00 00 00 00 00 00 00 00
>> ."..............
>>    f0     00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
>> ................
>>    100    00 00 00 00 16 22 00 07  01 00 00 07 00 00 00 00
>> ....."..........
>>    110    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
>> ................
>>    120    00 00 00 00 00 00 00 00  16 22 00 08 01 00 00 08
>> ........."......
>>    130    00 00 00 01 50 03 04 80  00 a7 1e bf 50 03 04 80
>> ....P.......P...
>>    140    00 a7 1e b4 00 00 00 00  00 00 00 00 16 22 00 09
>> ............."..
>>    150    01 00 00 09 00 00 00 00  00 00 00 00 00 00 00 00
>> ................
>>    160    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
>> ................
>>    170    16 22 00 0a 01 00 00 0a  00 00 00 00 00 00 00 00
>> ."..............
>>    180    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
>> ................
>>    190    00 00 00 00 16 22 00 0b  01 00 00 0b 00 00 00 01
>> ....."..........
>>    1a0    50 03 04 80 00 a7 1e bf  50 03 04 80 00 a7 1e b7
>> P.......P.......
>>    1b0    00 00 00 00 00 00 00 00  16 46 00 15 1c 40 00 00
>> .........F...@..
>>    1c0    50 03 04 80 00 a7 1e bf  00 ff 00 ff 00 ff 00 ff
>> P...............
>>    1d0    01 ff 01 ff 01 ff 01 ff  ff ff ff ff ff ff ff ff
>> ................
>>    1e0    02 00 03 01 04 02 05 03  06 04 07 05 08 06 09 07
>> ................
>>    1f0    0a 08 0b 09 0c 0a 0d 0b  ff ff ff ff ff ff ff ff
>> ................
>
> OK, so this is the problem.  There are 12 Array additional descriptors
> and one for the expander.  The standard says (6.1.13.1) that this is all
> in order, so the problem is that ses.c expects every type to have an
> additional element descriptor and we've just never run across an
> enclosure with non-slot components before.
>
> Does this patch fix it?

It looks yes, I no more able to reproduce the warning from Kasan.

[   22.919261] EDAC sbridge:  Ver: 1.1.1
[   22.921993] iTCO_vendor_support: vendor-support=0
[   22.936523] ses 0:0:16:0: Attached Enclosure device

Tested-by: Pavel Tikhomirov <ptikhomirov@xxxxxxxxxxxxx>

>
> James
>
> ---
>
> diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c
> index 1736935..53ef1cb 100644
> --- a/drivers/scsi/ses.c
> +++ b/drivers/scsi/ses.c
> @@ -561,7 +561,15 @@ static void ses_enclosure_data_process(struct enclosure_device *edev,
>   			if (desc_ptr)
>   				desc_ptr += len;
>
> -			if (addl_desc_ptr)
> +			if (addl_desc_ptr &&
> +			    /* only find additional descriptions for specific devices */
> +			    (type_ptr[0] == ENCLOSURE_COMPONENT_DEVICE ||
> +			     type_ptr[0] == ENCLOSURE_COMPONENT_ARRAY_DEVICE ||
> +			     type_ptr[0] == ENCLOSURE_COMPONENT_SAS_EXPANDER ||
> +			     /* these elements are optional */
> +			     type_ptr[0] == ENCLOSURE_COMPONENT_SCSI_TARGET_PORT ||
> +			     type_ptr[0] == ENCLOSURE_COMPONENT_SCSI_INITIATOR_PORT ||
> +			     type_ptr[0] == ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS))
>   				addl_desc_ptr += addl_desc_ptr[1] + 2;
>
>   		}
> diff --git a/include/linux/enclosure.h b/include/linux/enclosure.h
> index 7be22da..a4cf57c 100644
> --- a/include/linux/enclosure.h
> +++ b/include/linux/enclosure.h
> @@ -29,7 +29,11 @@
>   /* A few generic types ... taken from ses-2 */
>   enum enclosure_component_type {
>   	ENCLOSURE_COMPONENT_DEVICE = 0x01,
> +	ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS = 0x07,
> +	ENCLOSURE_COMPONENT_SCSI_TARGET_PORT = 0x14,
> +	ENCLOSURE_COMPONENT_SCSI_INITIATOR_PORT = 0x15,
>   	ENCLOSURE_COMPONENT_ARRAY_DEVICE = 0x17,
> +	ENCLOSURE_COMPONENT_SAS_EXPANDER = 0x18,
>   };
>
>   /* ses-2 common element status */
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

-- 
You are receiving this mail because:
You are watching the assignee of the bug.--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [SCSI Target Devel]     [Linux SCSI Target Infrastructure]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Linux IIO]     [Samba]     [Device Mapper]

  Powered by Linux