From patchwork Thu Feb 1 18:33:17 2018
X-Patchwork-Submitter: "Madhani, Himanshu"
X-Patchwork-Id: 10195857
From: Himanshu Madhani
To: , CC: ,
Subject: [PATCH 1/2] qla2xxx: Fix double free bug after firmware timeout
Date: Thu, 1 Feb 2018 10:33:17 -0800
Message-ID: <20180201183318.587-2-himanshu.madhani@cavium.com>
In-Reply-To: <20180201183318.587-1-himanshu.madhani@cavium.com>
References: <20180201183318.587-1-himanshu.madhani@cavium.com>
X-Mailing-List: linux-scsi@vger.kernel.org
From: Quinn Tran

This patch is based on Max's original patch.

When the qla2xxx firmware is unavailable, eventually qla2x00_sp_timeout() is reached, which calls the timeout function and frees the srb_t instance. The timeout function always resolves to qla2x00_async_iocb_timeout(), which invokes another callback function called "done". All of these qla2x00_*_sp_done() callbacks also free the srb_t instance; after returning to qla2x00_sp_timeout(), it is freed again.

The fix is to remove the "sp->free(sp)" call from qla2x00_sp_timeout() and add it to those code paths in qla2x00_async_iocb_timeout() which do not already free the object.

This is how it looks with KASAN:

BUG: KASAN: use-after-free in qla2x00_sp_timeout+0x228/0x250
Read of size 8 at addr ffff88278147a590 by task swapper/2/0

Allocated by task 1502:
 save_stack+0x33/0xa0
 kasan_kmalloc+0xa0/0xd0
 kmem_cache_alloc+0xb8/0x1c0
 mempool_alloc+0xd6/0x260
 qla24xx_async_gnl+0x3c5/0x1100

Freed by task 0:
 save_stack+0x33/0xa0
 kasan_slab_free+0x72/0xc0
 kmem_cache_free+0x75/0x200
 qla24xx_async_gnl_sp_done+0x556/0x9e0
 qla2x00_async_iocb_timeout+0x1c7/0x420
 qla2x00_sp_timeout+0x16d/0x250
 call_timer_fn+0x36/0x200

The buggy address belongs to the object at ffff88278147a440
 which belongs to the cache qla2xxx_srbs of size 344
The buggy address is located 336 bytes inside of
 344-byte region [ffff88278147a440, ffff88278147a598)

Reported-by: Max Kellermann
Signed-off-by: Quinn Tran
Signed-off-by: Himanshu Madhani
Cc: Max Kellermann
---
 drivers/scsi/qla2xxx/qla_init.c | 23 +++-------------------
 1 file changed, 3 insertions(+), 20 deletions(-)

diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
index aececf664654..2dea1129d396 100644
--- a/drivers/scsi/qla2xxx/qla_init.c
+++ b/drivers/scsi/qla2xxx/qla_init.c
@@ -59,8 +59,6 @@ qla2x00_sp_timeout(struct timer_list *t) req->outstanding_cmds[sp->handle] = NULL; iocb = &sp->u.iocb_cmd; iocb->timeout(sp); - if (sp->type != SRB_ELS_DCMD) - sp->free(sp); spin_unlock_irqrestore(&vha->hw->hardware_lock, flags); } @@ -102,7 +100,6 @@ qla2x00_async_iocb_timeout(void *data) srb_t *sp = data; fc_port_t *fcport = sp->fcport; struct srb_iocb *lio = &sp->u.iocb_cmd; - struct event_arg ea; if (fcport) { ql_dbg(ql_dbg_disc, fcport->vha, 0x2071, @@ -117,25 +114,13 @@ qla2x00_async_iocb_timeout(void *data) switch (sp->type) { case SRB_LOGIN_CMD: - if (!fcport) - break; /* Retry as needed. */ lio->u.logio.data[0] = MBS_COMMAND_ERROR; lio->u.logio.data[1] = lio->u.logio.flags & SRB_LOGIN_RETRIED ? QLA_LOGIO_LOGIN_RETRIED : 0; - memset(&ea, 0, sizeof(ea)); - ea.event = FCME_PLOGI_DONE; - ea.fcport = sp->fcport; - ea.data[0] = lio->u.logio.data[0]; - ea.data[1] = lio->u.logio.data[1]; - ea.sp = sp; - qla24xx_handle_plogi_done_event(fcport->vha, &ea); + sp->done(sp, QLA_FUNCTION_TIMEOUT); break; case SRB_LOGOUT_CMD: - if (!fcport) - break; - qlt_logo_completion_handler(fcport, QLA_FUNCTION_TIMEOUT); - break; case SRB_CT_PTHRU_CMD: case SRB_MB_IOCB: case SRB_NACK_PLOGI: @@ -235,12 +220,10 @@ static void qla2x00_async_logout_sp_done(void *ptr, int res) { srb_t *sp = ptr; - struct srb_iocb *lio = &sp->u.iocb_cmd; sp->fcport->flags &= ~(FCF_ASYNC_SENT | FCF_ASYNC_ACTIVE); - if (!test_bit(UNLOADING, &sp->vha->dpc_flags)) - qla2x00_post_async_logout_done_work(sp->vha, sp->fcport, - lio->u.logio.data); + sp->fcport->login_gen++; + qlt_logo_completion_handler(sp->fcport, res); sp->free(sp); }
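Review bot: in the qla2x00_sp_timeout() hunk, dropping `sp->free(sp)` turns "the timeout callback frees sp on every path" into an implicit contract that nothing in the function states; a one-line comment above `iocb->timeout(sp);` saying that the callback now owns and frees sp would keep the next change from reintroducing the free. The removed `if (sp->type != SRB_ELS_DCMD)` test also shows at least one srb type already handled its own free, which is worth naming in the commit message as the reason the exclusion can go.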
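Review bot: in the qla2x00_async_iocb_timeout() hunk, the `if (!fcport) break;` guards in the SRB_LOGIN_CMD and SRB_LOGOUT_CMD cases are removed, while the `if (fcport) {` test earlier in the same function still treats fcport as possibly NULL and the new `sp->done(sp, QLA_FUNCTION_TIMEOUT)` path reaches completion code that dereferences `sp->fcport` without a check; either state why fcport cannot be NULL for these two types, or keep a guard that still frees sp, since with the first hunk applied a bare `break` would now leak it. SRB_LOGOUT_CMD now falls through into the SRB_CT_PTHRU_CMD group, so add a `/* fall through */` comment to make that intent explicit. The commit message says sp->free() is added to the paths that did not already free, but these paths are routed through sp->done() instead; the message should say that.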
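Review bot: in the qla2x00_async_logout_sp_done() hunk, the `test_bit(UNLOADING, &sp->vha->dpc_flags)` guard is removed, so qlt_logo_completion_handler() now runs for logout completions during unload as well, and `sp->fcport->login_gen++` is new behaviour on every logout completion; neither is mentioned in the commit message. Before this change qlt_logo_completion_handler() was reached from the timeout path with QLA_FUNCTION_TIMEOUT only, and it now receives whatever `res` the normal completion passes, so please document both effects in the message or split them from the double-free fix.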
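An added example, not code from the qla2xxx driver or this patch: a minimal C model of the srb_t ownership bug the commit message describes, with the old and the patched timeout behaviour side by side. All names (srb, srb_free, async_sp_done, async_iocb_timeout, sp_timeout_frees) and the QLA_FUNCTION_TIMEOUT value are hypothetical stand-ins, and freeing is modelled by a counter so the second free is observable instead of corrupting the heap.

```c
/* Hypothetical model of the srb_t lifetime the commit message describes;
 * added here, not code from the driver or the patch. */
struct srb;
typedef void (*srb_cb)(struct srb *sp, int res);
struct srb {
    int type;
    int frees;                        /* how many times "free" ran on sp */
    srb_cb done;                      /* completion callback; frees sp */
    void (*timeout)(struct srb *sp);  /* timer callback; ends in done() */
};
enum { SRB_LOGIN_CMD = 1, SRB_LOGOUT_CMD = 2 };
#define QLA_FUNCTION_TIMEOUT (-1)     /* placeholder, not the driver's value */

/* Stand-in for sp->free(sp): counts calls instead of releasing memory,
 * so a second free is observable rather than silent heap corruption. */
static void srb_free(struct srb *sp)
{
    sp->frees++;
}

/* Every qla2x00_*_sp_done() callback owns and frees the srb. */
static void async_sp_done(struct srb *sp, int res)
{
    (void)res;
    srb_free(sp);
}

/* Model of qla2x00_async_iocb_timeout() after the patch: each handled
 * type reaches done(), which frees sp, so the caller must not free it. */
static void async_iocb_timeout(struct srb *sp)
{
    switch (sp->type) {
    case SRB_LOGIN_CMD:
    case SRB_LOGOUT_CMD:
        sp->done(sp, QLA_FUNCTION_TIMEOUT);
        break;
    }
}

/* Timer expiry. fixed == 0 models the old qla2x00_sp_timeout(), which
 * called sp->free(sp) again after the timeout callback; fixed != 0 is the
 * patched one. Returns frees seen: 1 is correct, 2 is the double free. */
int sp_timeout_frees(int type, int fixed)
{
    struct srb sp = { .type = type,
                      .done = async_sp_done, .timeout = async_iocb_timeout };
    sp.timeout(&sp);
    if (!fixed)
        srb_free(&sp);                /* the call the patch removes */
    return sp.frees;
}
```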