Re: [PATCH] mpt3sas: Don't overreach ioc->reply_post[] during initialization

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 03/18/2016 01:45 PM, Calvin Owens wrote:

In _base_make_ioc_operational(), we walk ioc->reply_queue_list and pull
a pointer out of successive elements of ioc->reply_post[] for each entry
in that list if RDPQ is enabled.

Since the code pulls the pointer for the next iteration at the bottom of
the loop, it triggers the a KASAN dump on the final iteration:

     BUG: KASAN: slab-out-of-bounds in _base_make_ioc_operational+0x47b7/0x47e0 [mpt3sas] at addr ffff880754816ab0
     Read of size 8 by task modprobe/305
     <snip>
     Call Trace:
      [<ffffffff81dfc591>] dump_stack+0x4d/0x6c
      [<ffffffff814c9689>] print_trailer+0xf9/0x150
      [<ffffffff814ceda4>] object_err+0x34/0x40
      [<ffffffff814d1231>] kasan_report_error+0x221/0x530
      [<ffffffff814d1673>] __asan_report_load8_noabort+0x43/0x50
      [<ffffffffa0043637>] _base_make_ioc_operational+0x47b7/0x47e0 [mpt3sas]
      [<ffffffffa0049a51>] mpt3sas_base_attach+0x1991/0x2120 [mpt3sas]
      [<ffffffffa0053c93>] _scsih_probe+0xeb3/0x16b0 [mpt3sas]
      [<ffffffff81ebd047>] local_pci_probe+0xc7/0x170
      [<ffffffff81ebf2cf>] pci_device_probe+0x20f/0x290
      [<ffffffff820d50cd>] really_probe+0x17d/0x600
      [<ffffffff820d56a3>] __driver_attach+0x153/0x190
      [<ffffffff820cffac>] bus_for_each_dev+0x11c/0x1a0
      [<ffffffff820d421d>] driver_attach+0x3d/0x50
      [<ffffffff820d378a>] bus_add_driver+0x44a/0x5f0
      [<ffffffff820d666c>] driver_register+0x18c/0x3b0
      [<ffffffff81ebcb76>] __pci_register_driver+0x156/0x200
      [<ffffffffa00c8135>] _mpt3sas_init+0x135/0x1000 [mpt3sas]
      [<ffffffff81000423>] do_one_initcall+0x113/0x2b0
      [<ffffffff813caa5a>] do_init_module+0x1d0/0x4d8
      [<ffffffff81273909>] load_module+0x6729/0x8dc0
      [<ffffffff81276123>] SYSC_init_module+0x183/0x1a0
      [<ffffffff8127625e>] SyS_init_module+0xe/0x10
      [<ffffffff828fe7d7>] entry_SYSCALL_64_fastpath+0x12/0x6a

Fix this by pulling the value at the beginning of the loop.

Signed-off-by: Calvin Owens <calvinowens@xxxxxx>


Looks good to me.

Reviewed-by: Jens Axboe <axboe@xxxxxx>

--
Jens Axboe

--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [SCSI Target Devel]     [Linux SCSI Target Infrastructure]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Linux IIO]     [Samba]     [Device Mapper]
  Powered by Linux