From patchwork Fri Apr 12 21:33:09 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Himanshu Madhani X-Patchwork-Id: 10899151 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id DF6E717E6 for ; Fri, 12 Apr 2019 21:34:23 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C336728C09 for ; Fri, 12 Apr 2019 21:34:23 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id B633028F24; Fri, 12 Apr 2019 21:34:23 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,HEXHASH_WORD, MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E814328C09 for ; Fri, 12 Apr 2019 21:34:22 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726936AbfDLVeW (ORCPT ); Fri, 12 Apr 2019 17:34:22 -0400 Received: from mail-eopbgr790087.outbound.protection.outlook.com ([40.107.79.87]:13870 "EHLO NAM03-CO1-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726898AbfDLVeW (ORCPT ); Fri, 12 Apr 2019 17:34:22 -0400 Received: from DM6PR07CA0004.namprd07.prod.outlook.com (2603:10b6:5:94::17) by MWHPR07MB2960.namprd07.prod.outlook.com (2603:10b6:300:1f::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1771.13; Fri, 12 Apr 2019 21:34:19 +0000 Received: from DM3NAM05FT008.eop-nam05.prod.protection.outlook.com (2a01:111:f400:7e51::202) by DM6PR07CA0004.outlook.office365.com (2603:10b6:5:94::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1771.15 via Frontend Transport; Fri, 12 Apr 2019 21:34:18 +0000 Authentication-Results: spf=fail (sender IP is 199.233.58.38) smtp.mailfrom=marvell.com; vger.kernel.org; dkim=none (message not signed) header.d=none;vger.kernel.org; dmarc=fail action=none header.from=marvell.com; Received-SPF: Fail (protection.outlook.com: domain of marvell.com does not designate 199.233.58.38 as permitted sender) receiver=protection.outlook.com; client-ip=199.233.58.38; helo=CAEXCH02.caveonetworks.com; Received: from CAEXCH02.caveonetworks.com (199.233.58.38) by DM3NAM05FT008.mail.protection.outlook.com (10.152.98.114) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) id 15.20.1792.7 via Frontend Transport; Fri, 12 Apr 2019 21:34:18 +0000 Received: from dut1171.mv.qlogic.com (10.112.88.18) by CAEXCH02.caveonetworks.com (10.67.98.110) with Microsoft SMTP Server (TLS) id 14.2.347.0; Fri, 12 Apr 2019 14:33:10 -0700 Received: from dut1171.mv.qlogic.com (localhost [127.0.0.1]) by dut1171.mv.qlogic.com (8.14.7/8.14.7) with ESMTP id x3CLXAEO026664; Fri, 12 Apr 2019 14:33:10 -0700 Received: (from root@localhost) by dut1171.mv.qlogic.com (8.14.7/8.14.7/Submit) id x3CLX9iH026663; Fri, 12 Apr 2019 14:33:09 -0700 From: Himanshu Madhani To: , CC: , Subject: [PATCH] qla2xxx: Fix read offset in qla24xx_load_risc_flash() Date: Fri, 12 Apr 2019 14:33:09 -0700 Message-ID: <20190412213309.26621-1-hmadhani@marvell.com> X-Mailer: git-send-email 2.12.0 MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-Matching-Connectors: 131995784586443267;(abac79dc-c90b-41ba-8033-08d666125e47);(abac79dc-c90b-41ba-8033-08d666125e47) X-Forefront-Antispam-Report: CIP:199.233.58.38;IPV:CAL;CTRY:US;EFV:NLI;SFV:NSPM;SFS:(10009020)(39860400002)(396003)(136003)(376002)(346002)(2980300002)(1110001)(339900001)(189003)(199004)(14444005)(50226002)(42186006)(305945005)(53936002)(80596001)(36756003)(26826003)(36906005)(4326008)(54906003)(81166006)(5660300002)(81156014)(316002)(85426001)(69596002)(8676002)(2906002)(356004)(47776003)(8936002)(5024004)(68736007)(97736004)(106466001)(110136005)(87636003)(336012)(86362001)(76130400001)(51416003)(50466002)(126002)(486006)(476003)(16586007)(26005)(2616005)(498600001)(105606002)(48376002)(1076003)(505234006);DIR:OUT;SFP:1101;SCL:1;SRVR:MWHPR07MB2960;H:CAEXCH02.caveonetworks.com;FPR:;SPF:Fail;LANG:en;PTR:InfoDomainNonexistent;MX:1;A:1; X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: c20ac996-fc8e-48ab-88d6-08d6bf8e9e91 X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:(2390118)(7020095)(5600139)(711020)(4605104)(2017052603328);SRVR:MWHPR07MB2960; X-MS-TrafficTypeDiagnostic: MWHPR07MB2960: X-Microsoft-Antispam-PRVS: X-Forefront-PRVS: 0005B05917 X-Microsoft-Antispam-Message-Info: 17uKQYfuWVUJ2v6iHe4Opy7J3IjLW4nPymrXB2yiqUG4k8cX6mVDxbxhsD2XTMpuI62RmXeok9hNTPVRg3zBN1boFvScZQ9S8JQkibu+Iw5lsBTH9nwFQY6vWhOsvlNMDekGEnrjGddu/P5Nx/d7lI7olM4iW/4LoY+RrHd1vKzGdTXodYEOao3pBKsTI8IqB3w32GL+OZsN0HIqIFRgOBGoZ5yfLec06+KL0/4huNERXkHnIlmfifIkKG95g3TXoTcIqOcYptk6VWMr+6UqOKwubX85KYscxbGrQ/V6mXPBqBXNf6KrI2HHIxaPOskWznK11I0It2091US+Zo8u6EItUYihW8FUC11Vrl4HfK9YdV/p3W7FB1mQge7tZ3Tn844btgv49audR9az6WOtr1jMH8fIxyhE2Z5Qn5pw/dw= X-MS-Exchange-CrossTenant-OriginalArrivalTime: 12 Apr 2019 21:34:18.1999 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: c20ac996-fc8e-48ab-88d6-08d6bf8e9e91 X-MS-Exchange-CrossTenant-Id: 5afe0b00-7697-4969-b663-5eab37d5f47e X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=5afe0b00-7697-4969-b663-5eab37d5f47e;Ip=[199.233.58.38];Helo=[CAEXCH02.caveonetworks.com] X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR07MB2960 Sender: linux-scsi-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP This patch fixes regression introduced by commit f8f97b0c5b7f ("scsi: qla2xxx: Cleanups for NVRAM/Flash read/write path") where flash read/write routine cleanup left out code which resulted into checksum failure leading to use-after-free stack during driver load. Following stack trace is seen in the log file qla2xxx [0000:00:00.0]-0005: : QLogic Fibre Channel HBA Driver: 10.01.00.16-k. qla2xxx [0000:00:0b.0]-001d: : Found an ISP2532 irq 11 iobase 0x0000000000f47f03. qla2xxx [0000:00:0b.0]-00cd:8: ISP Firmware failed checksum. qla2xxx [0000:00:0b.0]-00cf:8: Setup chip ****FAILED****. qla2xxx [0000:00:0b.0]-00d6:8: Failed to initialize adapter - Adapter flags 2. ================================================================== BUG: KASAN: use-after-free in __list_del_entry_valid+0x15/0xd0 Read of size 8 at addr ffff8880ca05a490 by task modprobe/857 CPU: 0 PID: 857 Comm: modprobe Not tainted 5.1.0-rc1-dbg+ #4 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 Call Trace: dump_stack+0x86/0xca print_address_description+0x6c/0x234 ? __list_del_entry_valid+0x15/0xd0 kasan_report.cold.3+0x1b/0x34 ? __list_del_entry_valid+0x15/0xd0 ? __kmem_cache_shutdown.cold.95+0xf5/0x176 ? __list_del_entry_valid+0x15/0xd0 __asan_load8+0x54/0x90 __list_del_entry_valid+0x15/0xd0 dma_pool_destroy+0x4f/0x260 ? dma_free_attrs+0xb4/0xd0 qla2x00_mem_free+0x529/0xcc0 [qla2xxx] ? kobject_put+0xdb/0x230 qla2x00_probe_one+0x2b5e/0x45f0 [qla2xxx] ? qla2xxx_pci_error_detected+0x210/0x210 [qla2xxx] ? match_held_lock+0x20/0x240 ? find_held_lock+0xca/0xf0 ? mark_held_locks+0x86/0xb0 ? _raw_spin_unlock_irqrestore+0x52/0x60 ? __pm_runtime_resume+0x5b/0xb0 ? lockdep_hardirqs_on+0x185/0x260 ? _raw_spin_unlock_irqrestore+0x52/0x60 ? trace_hardirqs_on+0x24/0x130 ? preempt_count_sub+0x13/0xc0 ? _raw_spin_unlock_irqrestore+0x3d/0x60 pci_device_probe+0x154/0x1e0 really_probe+0x17d/0x540 ? device_driver_attach+0x90/0x90 driver_probe_device+0x113/0x170 ? device_driver_attach+0x90/0x90 device_driver_attach+0x88/0x90 __driver_attach+0xb5/0x190 bus_for_each_dev+0xf8/0x160 ? subsys_dev_iter_exit+0x10/0x10 ? kasan_check_read+0x11/0x20 ? preempt_count_sub+0x13/0xc0 ? _raw_spin_unlock+0x2c/0x50 driver_attach+0x26/0x30 bus_add_driver+0x238/0x2f0 driver_register+0xd7/0x150 __pci_register_driver+0xd5/0xe0 ? 0xffffffffa06c8000 qla2x00_module_init+0x208/0x254 [qla2xxx] do_one_initcall+0xc0/0x3c9 ? trace_event_raw_event_initcall_finish+0x150/0x150 ? __kasan_kmalloc.constprop.5+0xc7/0xd0 ? kasan_unpoison_shadow+0x35/0x50 ? kasan_poison_shadow+0x2f/0x40 ? __asan_register_globals+0x5a/0x70 do_init_module+0x103/0x330 load_module+0x36df/0x3b70 ? fsnotify+0x611/0x640 ? module_frob_arch_sections+0x20/0x20 ? kernel_read+0x74/0xa0 ? kasan_check_write+0x14/0x20 ? kernel_read_file+0x25e/0x320 ? do_mmap+0x42c/0x6c0 __do_sys_finit_module+0x133/0x1c0 ? __do_sys_finit_module+0x133/0x1c0 ? __do_sys_init_module+0x210/0x210 ? fput_many+0x1b/0xc0 ? fput+0xe/0x10 ? do_syscall_64+0x14/0x210 ? entry_SYSCALL_64_after_hwframe+0x49/0xbe __x64_sys_finit_module+0x3e/0x50 do_syscall_64+0x72/0x210 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x7f8bd5c03219 Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 47 fc 0c 00 f7 d8 64 89 01 48 RSP: 002b:00007fff9d11de98 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 RAX: ffffffffffffffda RBX: 000055ef21596b50 RCX: 00007f8bd5c03219 RDX: 0000000000000000 RSI: 000055ef21596570 RDI: 0000000000000004 RBP: 000055ef21596570 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000000 R13: 000055ef21596c80 R14: 0000000000040000 R15: 000055ef21596b50 Allocated by task 857: save_stack+0x43/0xd0 __kasan_kmalloc.constprop.5+0xc7/0xd0 kasan_kmalloc+0x9/0x10 kmem_cache_alloc_trace+0x144/0x300 dma_pool_create+0xb5/0x3b0 qla2x00_mem_alloc+0xb98/0x1ad0 [qla2xxx] qla2x00_probe_one+0xe28/0x45f0 [qla2xxx] pci_device_probe+0x154/0x1e0 really_probe+0x17d/0x540 driver_probe_device+0x113/0x170 device_driver_attach+0x88/0x90 __driver_attach+0xb5/0x190 bus_for_each_dev+0xf8/0x160 driver_attach+0x26/0x30 bus_add_driver+0x238/0x2f0 driver_register+0xd7/0x150 __pci_register_driver+0xd5/0xe0 qla2x00_module_init+0x208/0x254 [qla2xxx] do_one_initcall+0xc0/0x3c9 do_init_module+0x103/0x330 load_module+0x36df/0x3b70 __do_sys_finit_module+0x133/0x1c0 __x64_sys_finit_module+0x3e/0x50 do_syscall_64+0x72/0x210 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 857: save_stack+0x43/0xd0 __kasan_slab_free+0x139/0x190 kasan_slab_free+0xe/0x10 kfree+0xf0/0x2c0 dma_pool_destroy+0x24c/0x260 qla2x00_mem_free+0x529/0xcc0 [qla2xxx] qla2x00_free_device+0x167/0x1b0 [qla2xxx] qla2x00_probe_one+0x2b28/0x45f0 [qla2xxx] pci_device_probe+0x154/0x1e0 really_probe+0x17d/0x540 driver_probe_device+0x113/0x170 device_driver_attach+0x88/0x90 __driver_attach+0xb5/0x190 bus_for_each_dev+0xf8/0x160 driver_attach+0x26/0x30 bus_add_driver+0x238/0x2f0 driver_register+0xd7/0x150 __pci_register_driver+0xd5/0xe0 qla2x00_module_init+0x208/0x254 [qla2xxx] do_one_initcall+0xc0/0x3c9 do_init_module+0x103/0x330 load_module+0x36df/0x3b70 __do_sys_finit_module+0x133/0x1c0 __x64_sys_finit_module+0x3e/0x50 do_syscall_64+0x72/0x210 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff8880ca05a400 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 144 bytes inside of 192-byte region [ffff8880ca05a400, ffff8880ca05a4c0) The buggy address belongs to the page: page:ffffea0003281680 count:1 mapcount:0 mapping:ffff88811bf03380 index:0x0 compound_mapcount: 0 flags: 0x4000000000010200(slab|head) raw: 4000000000010200 0000000000000000 0000000c00000001 ffff88811bf03380 raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880ca05a380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8880ca05a400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8880ca05a480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ^ ffff8880ca05a500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8880ca05a580: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ================================================================== Fixes: f8f97b0c5b7f ("scsi: qla2xxx: Cleanups for NVRAM/Flash read/write path") Reported-by: Bart Van Assche Tested-by: Bart Van Assche Signed-off-by: Himanshu Madhani --- drivers/scsi/qla2xxx/qla_init.c | 16 +--------------- 1 file changed, 1 insertion(+), 15 deletions(-) diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c index bad88f5fb11d..7d7d5bbb1d34 100644 --- a/drivers/scsi/qla2xxx/qla_init.c +++ b/drivers/scsi/qla2xxx/qla_init.c @@ -7692,8 +7692,6 @@ qla24xx_load_risc_flash(scsi_qla_host_t *vha, uint32_t *srisc_addr, dcode = fwdt->template; qla24xx_read_flash_data(vha, dcode, faddr, risc_size); - for (i = 0; i < risc_size; i++) - dcode[i] = le32_to_cpu(dcode[i]); if (!qla27xx_fwdt_template_valid(dcode)) { ql_log(ql_log_warn, vha, 0x0165, @@ -7859,22 +7857,11 @@ qla24xx_load_risc_blob(scsi_qla_host_t *vha, uint32_t *srisc_addr) } fwcode = (void *)blob->fw->data; - dcode = fwcode + 4; + dcode = fwcode; if (qla24xx_risc_firmware_invalid(dcode)) { ql_log(ql_log_fatal, vha, 0x0093, "Unable to verify integrity of firmware image (%zd).\n", blob->fw->size); - return QLA_FUNCTION_FAILED; - } - for (i = 0; i < 4; i++) - dcode[i] = be32_to_cpu(fwcode[i + 4]); - if ((dcode[0] == 0xffffffff && dcode[1] == 0xffffffff && - dcode[2] == 0xffffffff && dcode[3] == 0xffffffff) || - (dcode[0] == 0 && dcode[1] == 0 && dcode[2] == 0 && - dcode[3] == 0)) { - ql_log(ql_log_fatal, vha, 0x0094, - "Unable to verify integrity of firmware image (%zd).\n", - blob->fw->size); ql_log(ql_log_fatal, vha, 0x0095, "Firmware data: %08x %08x %08x %08x.\n", dcode[0], dcode[1], dcode[2], dcode[3]); @@ -7897,7 +7884,6 @@ qla24xx_load_risc_blob(scsi_qla_host_t *vha, uint32_t *srisc_addr) dlen = ha->fw_transfer_size >> 2; for (fragment = 0; risc_size; fragment++) { - dlen = (uint32_t)(ha->fw_transfer_size >> 2); if (dlen > risc_size) dlen = risc_size;