From patchwork Mon Mar 29 08:52:22 2021
X-Patchwork-Submitter: Nilesh Javali
X-Patchwork-Id: 411112
From: Nilesh Javali
Subject: [PATCH v2 05/12] qla2xxx: Fix use after free in bsg
Date: Mon, 29 Mar 2021 01:52:22 -0700
Message-ID: <20210329085229.4367-6-njavali@marvell.com>
In-Reply-To: <20210329085229.4367-1-njavali@marvell.com>
References: <20210329085229.4367-1-njavali@marvell.com>
X-Mailing-List: linux-scsi@vger.kernel.org
From: Quinn Tran

On bsg command completion, bsg_job_done was called while the qla driver continued to access the bsg_job buffer. bsg_job_done can free up resources that are then reused by another task; the qla driver's continued access of the same resource can read garbage data.

localhost kernel: BUG: KASAN: use-after-free in sg_next+0x64/0x80
localhost kernel: Read of size 8 at addr ffff8883228a3330 by task swapper/26/0
localhost kernel:
localhost kernel: CPU: 26 PID: 0 Comm: swapper/26 Kdump: loaded Tainted: G OE --------- - - 4.18.0-193.el8.x86_64+debug #1
localhost kernel: Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9, BIOS P89 08/12/2016
localhost kernel: Call Trace:
localhost kernel:
localhost kernel: dump_stack+0x9a/0xf0
localhost kernel: print_address_description.cold.3+0x9/0x23b
localhost kernel: kasan_report.cold.4+0x65/0x95
localhost kernel: debug_dma_unmap_sg.part.12+0x10d/0x2d0
localhost kernel: qla2x00_bsg_sp_free+0xaf6/0x1010 [qla2xxx]

Signed-off-by: Quinn Tran
Signed-off-by: Saurav Kashyap
Signed-off-by: Nilesh Javali
Reviewed-by: Himanshu Madhani
---
 drivers/scsi/qla2xxx/qla_bsg.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/qla2xxx/qla_bsg.c b/drivers/scsi/qla2xxx/qla_bsg.c
index bee8cf9f8123..d021e51344f5 100644
--- a/drivers/scsi/qla2xxx/qla_bsg.c
+++ b/drivers/scsi/qla2xxx/qla_bsg.c
@@ -25,10 +25,11 @@ void qla2x00_bsg_job_done(srb_t *sp, int res) struct bsg_job *bsg_job = sp->u.bsg_job; struct fc_bsg_reply *bsg_reply = bsg_job->reply; + sp->free(sp); + bsg_reply->result = res; bsg_job_done(bsg_job, bsg_reply->result, bsg_reply->reply_payload_rcv_len); - sp->free(sp); } void qla2x00_bsg_sp_free(srb_t *sp)
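Review bot: after the moved `+ sp->free(sp);`, the only live references in this function are the locals `bsg_job` and `bsg_reply` captured from `sp->u.bsg_job` above it, and both are still read afterwards (`bsg_reply->result = res;` and the `bsg_job_done(...)` call), so the fix depends on `sp->free()` releasing only the srb and its DMA mappings and never the bsg_job itself. The KASAN trace in the commit message (unmap in qla2x00_bsg_sp_free) is consistent with that, but nothing in the hunk records the constraint; a one-line comment above `sp->free(sp);` saying that the srb must be torn down before `bsg_job_done()` hands the job back to the bsg layer, and that `sp` must not be dereferenced after this point, would stop a later edit from reordering these calls again. It would also be worth confirming that no other completion path for a bsg srb still calls `sp->free()` after `bsg_job_done()`, since this hunk only fixes the one in `qla2x00_bsg_job_done()`.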
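As an added illustration, not code from the patch or from the qla2xxx driver: the C model below reproduces the ownership handoff the commit message describes, using hypothetical stand-ins `job`, `srb`, `job_done()` and `srb_free()` for bsg_job, srb_t, bsg_job_done() and qla2x00_bsg_sp_free(). The pre-fix ordering hands the job back and then tears down the srb, which reads the job after the bsg layer owns it (the access KASAN flagged); the fixed ordering captures the job pointer, frees the srb, and only then hands the job back. A counter stands in for the sanitizer so the difference is observable without KASAN.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the bsg_job the bsg layer owns once job_done() runs. */
struct job {
    bool alive;      /* false once handed back to the bsg layer */
    int sg_mapped;   /* 1 while the DMA mapping is live, 0 after unmap */
    int result;
};

/* Hypothetical model of the driver's srb_t, which references its job. */
struct srb {
    struct job *job;
};

/* Counts reads of a job after it was handed back: the access KASAN reported
 * in the commit message's qla2x00_bsg_sp_free() -> debug_dma_unmap_sg() path. */
static int post_handback_reads;

/* Stand-in for bsg_job_done(): ownership returns to the bsg layer, which may
 * free or reuse the job at any point afterwards. */
static void job_done(struct job *job, int result)
{
    job->result = result;
    job->alive = false;
}

/* Stand-in for qla2x00_bsg_sp_free(): unmaps DMA through the job's sg list,
 * so it must run while the driver still owns the job. */
static void srb_free(struct srb *sp)
{
    struct job *job = sp->job;

    if (!job->alive)
        post_handback_reads++;   /* reading a job that may already be gone */
    else
        job->sg_mapped = 0;      /* orderly unmap */
    sp->job = NULL;              /* sp must not be used after this point */
}

/* Ordering before the fix: hand the job back, then tear down the srb. */
static void complete_before_fix(struct srb *sp, int res)
{
    struct job *job = sp->job;

    job_done(job, res);
    srb_free(sp);                /* touches the job after the bsg layer owns it */
}

/* Ordering after the fix: capture what completion still needs from sp,
 * tear sp down, then hand the job back last. */
static void complete_after_fix(struct srb *sp, int res)
{
    struct job *job = sp->job;   /* captured before srb_free() */

    srb_free(sp);
    job_done(job, res);
}

/* Constructed starting state: a submitted job with a live DMA mapping. */
static void setup(struct job *job, struct srb *sp)
{
    memset(job, 0, sizeof(*job));
    job->alive = true;
    job->sg_mapped = 1;
    sp->job = job;
}

/* Number of post-hand-back reads under the pre-fix ordering (expected 1). */
int demo_before_fix(void)
{
    struct job job;
    struct srb sp;

    setup(&job, &sp);
    post_handback_reads = 0;
    complete_before_fix(&sp, 0);
    return post_handback_reads;
}

/* Number of post-hand-back reads under the fixed ordering (expected 0). */
int demo_after_fix(void)
{
    struct job job;
    struct srb sp;

    setup(&job, &sp);
    post_handback_reads = 0;
    complete_after_fix(&sp, 0);
    return post_handback_reads;
}

/* 1 if the fixed ordering unmapped the sg list and delivered the result
 * before the job was handed back, 0 otherwise. */
int demo_after_fix_state_ok(void)
{
    struct job job;
    struct srb sp;

    setup(&job, &sp);
    complete_after_fix(&sp, -5);
    return job.sg_mapped == 0 && job.result == -5 && !job.alive;
}

int main(void)
{
    printf("before fix: %d post-hand-back read(s)\n", demo_before_fix());
    printf("after fix:  %d post-hand-back read(s)\n", demo_after_fix());
    return 0;
}
```

The model deliberately keeps `job_done()` from freeing memory so the program stays well defined; in the real driver the same ordering mistake reads a freed scatterlist, which is why only a sanitizer build caught it. The design point carried over from the patch is that anything the completion still needs from the srb is copied into locals before `srb_free()`, and the handback to the owning layer is the last thing the function does.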