From patchwork Thu Dec 10 00:43:37 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: James Bottomley X-Patchwork-Id: 7813911 Return-Path: X-Original-To: patchwork-linux-scsi@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork2.web.kernel.org (Postfix) with ESMTP id 28746BEEE1 for ; Thu, 10 Dec 2015 00:43:43 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 0AB412052C for ; Thu, 10 Dec 2015 00:43:42 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id B56C42054B for ; Thu, 10 Dec 2015 00:43:40 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751448AbbLJAnk (ORCPT ); Wed, 9 Dec 2015 19:43:40 -0500 Received: from bedivere.hansenpartnership.com ([66.63.167.143]:56948 "EHLO bedivere.hansenpartnership.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751151AbbLJAnj (ORCPT ); Wed, 9 Dec 2015 19:43:39 -0500 Received: from localhost (localhost [127.0.0.1]) by bedivere.hansenpartnership.com (Postfix) with ESMTP id 9B9B48EE0CD; Wed, 9 Dec 2015 16:43:38 -0800 (PST) Received: from bedivere.hansenpartnership.com ([127.0.0.1]) by localhost (bedivere.hansenpartnership.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 77U0kNxFdsLg; Wed, 9 Dec 2015 16:43:38 -0800 (PST) Received: from [153.66.254.242] (unknown [184.11.141.41]) by bedivere.hansenpartnership.com (Postfix) with ESMTPSA id 0B3D48EE0CC; Wed, 9 Dec 2015 16:43:38 -0800 (PST) Message-ID: <1449708217.12548.12.camel@HansenPartnership.com> Subject: Re: [Bug 108771] scsi: ses: kasan: ses_enclosure_data_process use after free on boot SAS2X28 From: James Bottomley To: Pavel Tikhomirov Cc: bugzilla-daemon@bugzilla.kernel.org, linux-scsi@vger.kernel.org Date: Wed, 09 Dec 2015 16:43:37 -0800 In-Reply-To: <56681FF9.8050100@virtuozzo.com> References: <1449591386.2219.5.camel@HansenPartnership.com> <56681FF9.8050100@virtuozzo.com> X-Mailer: Evolution 3.12.11 Mime-Version: 1.0 Sender: linux-scsi-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI, T_RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP On Wed, 2015-12-09 at 15:35 +0300, Pavel Tikhomirov wrote: > > On 12/08/2015 07:16 PM, James Bottomley wrote: > > On Mon, 2015-12-07 at 14:01 +0000, bugzilla-daemon@bugzilla.kernel.org > > wrote: > >> https://bugzilla.kernel.org/show_bug.cgi?id=108771 > >> > >> --- Comment #1 from Pavel Tikhomirov --- > >> Aditional info about enclosue(from that node, but older 3.10 based kernel): > >> > >> [root@p9 crash]# modprobe sg > >> [root@p9 crash]# sg_map -i > >> /dev/sg0 LSI SAS2X28 0e12 > >> /dev/sg1 /dev/sda LSI MR9260-4i 2.13 > >> [root@p9 crash]# lsscsi -gs > >> [1:0:16:0] enclosu LSI SAS2X28 0e12 - /dev/sg0 > >> - > >> [1:2:0:0] disk LSI MR9260-4i 2.13 /dev/sda /dev/sg1 > >> 3.99TB > >> [root@p9 crash]# sg_ses /dev/sg0 > >> LSI SAS2X28 0e12 > >> Supported diagnostic pages: > >> Supported Diagnostic Pages [sdp] [0x0] > >> Configuration (SES) [cf] [0x1] > >> Enclosure Status/Control (SES) [ec,es] [0x2] > >> Element Descriptor (SES) [ed] [0x7] > >> Additional Element Status (SES-2) [aes] [0xa] > >> Download Microcode (SES-2) [dm] [0xe] > >> [root@p9 crash]# sg_ses /dev/sg1 > >> LSI MR9260-4i 2.13 > >> disk device (not an enclosure) > >> Supported diagnostic pages: > > > > OK, can you give us the contents of pages 1, 2 and 10 with > > > > sg_ses --page=1 --hex /dev/sg0 > > sg_ses --page=2 --hex /dev/sg0 > > sg_ses --page=10 --hex /dev/sg0 > > > > The version of the kernel you do this on doesn't really matter. > > Here are these pages: > > [root@p9 ~]# sg_ses --page=1 --hex /dev/sg0 > LSI SAS2X28 0e12 > Response in hex from diagnostic page: Configuration (SES) > 00 01 00 00 c9 00 00 00 00 11 00 09 2c 50 03 04 80 > ...........,P... > 10 00 a7 1e bf 4c 53 49 20 20 20 20 20 53 41 53 32 ....LSI > SAS2 > 20 58 32 38 20 20 20 20 20 20 20 20 20 30 65 31 32 X28 > 0e12 > 30 11 22 33 44 55 00 00 00 17 0c 00 0b 04 01 00 13 > ."3DU........... > 40 03 03 00 04 12 02 00 0f 02 02 00 0e 0e 01 00 09 > ................ > 50 18 01 00 0d 19 0e 00 0e 11 02 00 0e 44 72 69 76 > ............Driv > 60 65 20 53 6c 6f 74 73 54 65 6d 70 65 72 61 74 75 e > SlotsTemperatu > 70 72 65 20 53 65 6e 73 6f 72 73 46 61 6e 73 56 6f re > SensorsFansVo > 80 6c 74 61 67 65 20 53 65 6e 73 6f 72 73 50 6f 77 ltage > SensorsPow > 90 65 72 20 53 75 70 70 6c 69 65 73 45 6e 63 6c 6f er > SuppliesEnclo > a0 73 75 72 65 53 41 53 20 45 78 70 61 6e 64 65 72 sureSAS > Expander > b0 73 53 41 53 20 43 6f 6e 6e 65 63 74 6f 72 73 45 sSAS > ConnectorsE > c0 74 68 65 72 6e 65 74 20 70 6f 72 74 73 thernet ports Wow, that's some crazy enclosure. The description says it's a single primary subenclosure with 9 different element types comprising 12 Device slots, 1 temperature sensor, 3 fans, 2 voltage sensors, 2 power supplies, 1 Enclosure, 1 SAS Expander, 14 SAS connectors, 2 Communications ports. For 38 total element descriptors > [root@p9 ~]# sg_ses --page=2 --hex /dev/sg0 > LSI SAS2X28 0e12 > Response in hex from diagnostic page: Enclosure Status (SES) > 00 02 00 00 c0 00 00 00 00 00 00 00 00 05 00 00 00 > ................ > 10 05 00 00 00 01 00 00 00 05 00 00 00 05 00 00 00 > ................ > 20 01 00 00 00 05 00 00 00 05 00 00 00 01 00 00 00 > ................ > 30 05 00 00 00 05 00 00 00 01 00 00 00 00 00 00 00 > ................ > 40 01 00 2c 00 00 00 00 00 05 00 00 50 05 00 00 50 > ..,........P...P > 50 05 00 00 50 00 00 00 00 01 00 01 f9 01 00 04 b3 > ...P............ > 60 00 00 00 00 47 80 00 20 47 80 00 20 00 00 00 00 ....G.. G.. > .... > 70 01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 > ................ > 80 01 11 ff 00 01 11 ff 00 01 20 00 00 01 20 00 00 ......... > ... .. > 90 01 20 00 00 01 20 00 00 01 20 00 00 01 20 00 00 . ... ... > ... .. > a0 01 20 00 00 01 20 00 00 01 20 00 00 01 20 00 00 . ... ... > ... .. > b0 01 20 00 00 01 20 00 00 00 00 00 00 00 00 00 00 . ... > .......... > c0 00 00 00 00 Given each type has one overall descriptor followed by the individual ones, we have 38 + 9 = 47 total descriptors, which is what we see here. > [root@p9 ~]# sg_ses --page=10 --hex /dev/sg0 > LSI SAS2X28 0e12 > Response in hex from diagnostic page: Additional Element Status (SES-2) > 00 0a 00 01 fc 00 00 00 00 16 22 00 00 01 00 00 00 > ........."...... > 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > ................ > 20 00 00 00 00 00 00 00 00 00 00 00 00 16 22 00 01 > .............".. > 30 01 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 > ................ > 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > ................ > 50 16 22 00 02 01 00 00 02 00 00 00 01 50 03 04 80 > ."..........P... > 60 00 a7 1e bf 50 03 04 80 00 a7 1e ae 00 00 00 00 > ....P........... > 70 00 00 00 00 16 22 00 03 01 00 00 03 00 00 00 00 > .....".......... > 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > ................ > 90 00 00 00 00 00 00 00 00 16 22 00 04 01 00 00 04 > ........."...... > a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > ................ > b0 00 00 00 00 00 00 00 00 00 00 00 00 16 22 00 05 > .............".. > c0 01 00 00 05 00 00 00 01 50 03 04 80 00 a7 1e bf > ........P....... > d0 50 03 04 80 00 a7 1e b1 00 00 00 00 00 00 00 00 > P............... > e0 16 22 00 06 01 00 00 06 00 00 00 00 00 00 00 00 > .".............. > f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > ................ > 100 00 00 00 00 16 22 00 07 01 00 00 07 00 00 00 00 > .....".......... > 110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > ................ > 120 00 00 00 00 00 00 00 00 16 22 00 08 01 00 00 08 > ........."...... > 130 00 00 00 01 50 03 04 80 00 a7 1e bf 50 03 04 80 > ....P.......P... > 140 00 a7 1e b4 00 00 00 00 00 00 00 00 16 22 00 09 > .............".. > 150 01 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 > ................ > 160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > ................ > 170 16 22 00 0a 01 00 00 0a 00 00 00 00 00 00 00 00 > .".............. > 180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > ................ > 190 00 00 00 00 16 22 00 0b 01 00 00 0b 00 00 00 01 > .....".......... > 1a0 50 03 04 80 00 a7 1e bf 50 03 04 80 00 a7 1e b7 > P.......P....... > 1b0 00 00 00 00 00 00 00 00 16 46 00 15 1c 40 00 00 > .........F...@.. > 1c0 50 03 04 80 00 a7 1e bf 00 ff 00 ff 00 ff 00 ff > P............... > 1d0 01 ff 01 ff 01 ff 01 ff ff ff ff ff ff ff ff ff > ................ > 1e0 02 00 03 01 04 02 05 03 06 04 07 05 08 06 09 07 > ................ > 1f0 0a 08 0b 09 0c 0a 0d 0b ff ff ff ff ff ff ff ff > ................ OK, so this is the problem. There are 12 Array additional descriptors and one for the expander. The standard says (6.1.13.1) that this is all in order, so the problem is that ses.c expects every type to have an additional element descriptor and we've just never run across an enclosure with non-slot components before. Does this patch fix it? James Tested-by: Pavel Tikhomirov --- -- To unsubscribe from this list: send the line "unsubscribe linux-scsi" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c index 1736935..53ef1cb 100644 --- a/drivers/scsi/ses.c +++ b/drivers/scsi/ses.c @@ -561,7 +561,15 @@ static void ses_enclosure_data_process(struct enclosure_device *edev, if (desc_ptr) desc_ptr += len; - if (addl_desc_ptr) + if (addl_desc_ptr && + /* only find additional descriptions for specific devices */ + (type_ptr[0] == ENCLOSURE_COMPONENT_DEVICE || + type_ptr[0] == ENCLOSURE_COMPONENT_ARRAY_DEVICE || + type_ptr[0] == ENCLOSURE_COMPONENT_SAS_EXPANDER || + /* these elements are optional */ + type_ptr[0] == ENCLOSURE_COMPONENT_SCSI_TARGET_PORT || + type_ptr[0] == ENCLOSURE_COMPONENT_SCSI_INITIATOR_PORT || + type_ptr[0] == ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS)) addl_desc_ptr += addl_desc_ptr[1] + 2; } diff --git a/include/linux/enclosure.h b/include/linux/enclosure.h index 7be22da..a4cf57c 100644 --- a/include/linux/enclosure.h +++ b/include/linux/enclosure.h @@ -29,7 +29,11 @@ /* A few generic types ... taken from ses-2 */ enum enclosure_component_type { ENCLOSURE_COMPONENT_DEVICE = 0x01, + ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS = 0x07, + ENCLOSURE_COMPONENT_SCSI_TARGET_PORT = 0x14, + ENCLOSURE_COMPONENT_SCSI_INITIATOR_PORT = 0x15, ENCLOSURE_COMPONENT_ARRAY_DEVICE = 0x17, + ENCLOSURE_COMPONENT_SAS_EXPANDER = 0x18, }; /* ses-2 common element status */