linux_dsm_epyc7002/drivers
Ye Bin f650ef61e0 ata/libata: Fix usage of page address by page_address in ata_scsi_mode_select_xlat function
BUG: KASAN: use-after-free in ata_scsi_mode_select_xlat+0x10bd/0x10f0
drivers/ata/libata-scsi.c:4045
Read of size 1 at addr ffff88803b8cd003 by task syz-executor.6/12621

CPU: 1 PID: 12621 Comm: syz-executor.6 Not tainted 4.19.95 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xac/0xee lib/dump_stack.c:118
print_address_description+0x60/0x223 mm/kasan/report.c:253
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xae/0x2d8 mm/kasan/report.c:393
ata_scsi_mode_select_xlat+0x10bd/0x10f0 drivers/ata/libata-scsi.c:4045
ata_scsi_translate+0x2da/0x680 drivers/ata/libata-scsi.c:2035
__ata_scsi_queuecmd drivers/ata/libata-scsi.c:4360 [inline]
ata_scsi_queuecmd+0x2e4/0x790 drivers/ata/libata-scsi.c:4409
scsi_dispatch_cmd+0x2ee/0x6c0 drivers/scsi/scsi_lib.c:1867
scsi_queue_rq+0xfd7/0x1990 drivers/scsi/scsi_lib.c:2170
blk_mq_dispatch_rq_list+0x1e1/0x19a0 block/blk-mq.c:1186
blk_mq_do_dispatch_sched+0x147/0x3d0 block/blk-mq-sched.c:108
blk_mq_sched_dispatch_requests+0x427/0x680 block/blk-mq-sched.c:204
__blk_mq_run_hw_queue+0xbc/0x200 block/blk-mq.c:1308
__blk_mq_delay_run_hw_queue+0x3c0/0x460 block/blk-mq.c:1376
blk_mq_run_hw_queue+0x152/0x310 block/blk-mq.c:1413
blk_mq_sched_insert_request+0x337/0x6c0 block/blk-mq-sched.c:397
blk_execute_rq_nowait+0x124/0x320 block/blk-exec.c:64
blk_execute_rq+0xc5/0x112 block/blk-exec.c:101
sg_scsi_ioctl+0x3b0/0x6a0 block/scsi_ioctl.c:507
sg_ioctl+0xd37/0x23f0 drivers/scsi/sg.c:1106
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:501 [inline]
do_vfs_ioctl+0xae6/0x1030 fs/ioctl.c:688
ksys_ioctl+0x76/0xa0 fs/ioctl.c:705
__do_sys_ioctl fs/ioctl.c:712 [inline]
__se_sys_ioctl fs/ioctl.c:710 [inline]
__x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
do_syscall_64+0xa0/0x2e0 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45c479
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fb0e9602c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fb0e96036d4 RCX: 000000000045c479
RDX: 0000000020000040 RSI: 0000000000000001 RDI: 0000000000000003
RBP: 000000000076bfc0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 000000000000046d R14: 00000000004c6e1a R15: 000000000076bfcc

Allocated by task 12577:
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:531
__kmalloc+0xf3/0x1e0 mm/slub.c:3749
kmalloc include/linux/slab.h:520 [inline]
load_elf_phdrs+0x118/0x1b0 fs/binfmt_elf.c:441
load_elf_binary+0x2de/0x4610 fs/binfmt_elf.c:737
search_binary_handler fs/exec.c:1654 [inline]
search_binary_handler+0x15c/0x4e0 fs/exec.c:1632
exec_binprm fs/exec.c:1696 [inline]
__do_execve_file.isra.0+0xf52/0x1a90 fs/exec.c:1820
do_execveat_common fs/exec.c:1866 [inline]
do_execve fs/exec.c:1883 [inline]
__do_sys_execve fs/exec.c:1964 [inline]
__se_sys_execve fs/exec.c:1959 [inline]
__x64_sys_execve+0x8a/0xb0 fs/exec.c:1959
do_syscall_64+0xa0/0x2e0 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 12577:
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x129/0x170 mm/kasan/kasan.c:521
slab_free_hook mm/slub.c:1370 [inline]
slab_free_freelist_hook mm/slub.c:1397 [inline]
slab_free mm/slub.c:2952 [inline]
kfree+0x8b/0x1a0 mm/slub.c:3904
load_elf_binary+0x1be7/0x4610 fs/binfmt_elf.c:1118
search_binary_handler fs/exec.c:1654 [inline]
search_binary_handler+0x15c/0x4e0 fs/exec.c:1632
exec_binprm fs/exec.c:1696 [inline]
__do_execve_file.isra.0+0xf52/0x1a90 fs/exec.c:1820
do_execveat_common fs/exec.c:1866 [inline]
do_execve fs/exec.c:1883 [inline]
__do_sys_execve fs/exec.c:1964 [inline]
__se_sys_execve fs/exec.c:1959 [inline]
__x64_sys_execve+0x8a/0xb0 fs/exec.c:1959
do_syscall_64+0xa0/0x2e0 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff88803b8ccf00
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 259 bytes inside of
512-byte region [ffff88803b8ccf00, ffff88803b8cd100)
The buggy address belongs to the page:
page:ffffea0000ee3300 count:1 mapcount:0 mapping:ffff88806cc03080
index:0xffff88803b8cc780 compound_mapcount: 0
flags: 0x100000000008100(slab|head)
raw: 0100000000008100 ffffea0001104080 0000000200000002 ffff88806cc03080
raw: ffff88803b8cc780 00000000800c000b 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff88803b8ccf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88803b8ccf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88803b8cd000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88803b8cd080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88803b8cd100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

You can refer to "https://www.lkml.org/lkml/2019/1/17/474" to reproduce
this error.

The exception code is "bd_len = p[3];", the "p" value is ffff88803b8cd000
which belongs to the cache kmalloc-512 of size 512. The "page_address(sg_page(scsi_sglist(scmd)))"
may come from the sg_scsi_ioctl function's "buffer", which is allocated by kzalloc, so "buffer"
may not be page aligned.
This also looks completely buggy on highmem systems and really needs to use a
kmap_atomic.      --Christoph Hellwig
To address the above bugs, Paolo Bonzini advised that it is simpler to just make a char array
of size CACHE_MPAGE_LEN+8+8+4-2 (or just 64 to make it easy), use sg_copy_to_buffer
to copy from the sglist into the buffer, and work there.

Signed-off-by: Ye Bin <yebin10@huawei.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2020-06-04 21:15:27 -06:00
..
accessibility
acpi ACPI updates for 5.8-rc1 2020-06-02 13:25:52 -07:00
amba amba: Initialize dma_parms for amba devices 2020-04-28 17:44:34 +02:00
android Merge 5.6-rc7 into char-misc-next 2020-03-23 07:59:38 +01:00
ata ata/libata: Fix usage of page address by page_address in ata_scsi_mode_select_xlat function 2020-06-04 21:15:27 -06:00
atm docs: networking: convert iphase.txt to ReST 2020-04-28 14:39:47 -07:00
auxdisplay Merge 5.6-rc7 into char-misc-next 2020-03-23 07:59:38 +01:00
base Merge branch 'akpm' (patches from Andrew) 2020-06-03 20:24:15 -07:00
bcma
block Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-06-03 16:27:18 -07:00
bluetooth Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-06-03 16:27:18 -07:00
bus bus: mhi: core: Fix some error return code 2020-05-15 16:32:20 +02:00
cdrom Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-06-03 16:27:18 -07:00
char Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-06-03 16:27:18 -07:00
clk Power management updates for 5.8-rc1 2020-06-02 13:17:23 -07:00
clocksource clocksource/drivers/timer-versatile: Clear OF_POPULATED flag 2020-05-23 00:03:25 +02:00
connector connector/cn_proc: Protect send_msg() with a local lock 2020-05-28 10:31:10 +02:00
counter counter: 104-quad-8: Add lock guards - generic interface 2020-04-19 17:50:00 +01:00
cpufreq MIPS updates for v5.8: 2020-06-03 13:32:21 -07:00
cpuidle cpuidle: Fix three reference count leaks 2020-05-29 18:07:18 +02:00
crypto Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-06-03 16:27:18 -07:00
dax vfs: track per-sb writeback errors and report them to syncfs 2020-06-02 10:59:05 -07:00
dca
devfreq PM / devfreq: Use lockdep asserts instead of manual checks for locked mutex 2020-05-28 18:02:40 +09:00
dio
dma dmaengine: tegra210-adma: Fix an error handling path in 'tegra_adma_probe()' 2020-05-19 22:26:01 +05:30
dma-buf drm pull for 5.8-rc1 2020-06-02 15:04:15 -07:00
edac Merge branches 'edac-i10nm' and 'edac-misc' into edac-updates-for-5.8 2020-06-01 11:39:15 +02:00
eisa .gitignore: add SPDX License Identifier 2020-03-25 11:50:48 +01:00
extcon Char/Misc driver patches for 5.7-rc1 2020-04-03 13:22:40 -07:00
firewire firewire: switch ioctl_queue_iso to use of copy_from_user() 2020-04-23 10:51:05 -04:00
firmware Merge branch 'uaccess.access_ok' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2020-06-01 16:09:43 -07:00
fpga Merge branch 'uaccess.access_ok' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2020-06-01 16:09:43 -07:00
fsi
gnss
gpio The generic interrupt departement provides: 2020-06-03 10:05:11 -07:00
gpu media updates for v5.8-rc1 2020-06-03 20:59:38 -07:00
greybus
hid HID: quirks: Add HID_QUIRK_NO_INIT_REPORTS quirk for Dell K12A keyboard-dock 2020-05-04 11:24:58 +02:00
hsi
hv hyperv-next for 5.8 2020-06-03 15:00:05 -07:00
hwmon hwmon: Add Baikal-T1 PVT sensor driver 2020-05-28 07:59:45 -07:00
hwspinlock hwspinlock: hwspinlock_internal.h: Replace zero-length array with flexible-array member 2020-03-25 22:30:46 -07:00
hwtracing A fair amount of stuff this time around, dominated by yet another massive 2020-06-01 15:45:27 -07:00
i2c Merge branches 'pm-core' and 'pm-sleep' 2020-06-01 15:19:08 +02:00
i3c i3c master: GETMRL's 3rd byte is optional even with BCR_IBI_PAYLOAD 2020-04-16 14:27:46 +02:00
ide ide-cd: rename cdrom_read_tocentry 2020-05-04 10:13:42 -06:00
idle Merge branch 'perf-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2020-03-30 16:40:08 -07:00
iio The generic interrupt departement provides: 2020-06-03 10:05:11 -07:00
infiniband Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-06-03 16:27:18 -07:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2020-05-28 12:41:11 -07:00
interconnect interconnect: qcom: Move the static keyword to the front of declaration 2020-04-29 13:11:44 +02:00
iommu iommu: Fix reference count leak in iommu_group_alloc. 2020-05-29 15:27:50 +02:00
ipack ipack: tpci200: fix error return code in tpci200_register() 2020-05-15 16:32:20 +02:00
irqchip irqchip: Fix "Loongson HyperTransport Vector support" driver build on all non-MIPS platforms 2020-06-01 09:48:52 +02:00
isdn mISDN: make dmril and dmrim static 2020-04-16 13:52:31 -07:00
leds mailmap: change email for Ricardo Ribalda 2020-05-25 18:59:59 -06:00
lightnvm for-5.8/block-2020-06-01 2020-06-02 15:29:19 -07:00
macintosh Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-06-03 16:27:18 -07:00
mailbox
mcb
md for-5.8/drivers-2020-06-01 2020-06-02 15:37:03 -07:00
media media updates for v5.8-rc1 2020-06-03 20:59:38 -07:00
memory ARM: driver updates 2020-04-03 15:05:35 -07:00
memstick
message scsi: message: fusion: Replace zero-length array with flexible-array member 2020-03-26 22:40:47 -04:00
mfd platform-drivers-x86 for v5.8-1 2020-06-02 12:56:58 -07:00
misc Power management updates for 5.8-rc1 2020-06-02 13:17:23 -07:00
mmc mmc: sdhci-msm: Clear tuning done flag while hs400 tuning 2020-06-01 08:04:40 +02:00
most most: core: use function subsys_initcall() 2020-04-28 15:04:09 +02:00
mtd for-5.8/block-2020-06-01 2020-06-02 15:29:19 -07:00
mux
net Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-06-03 16:27:18 -07:00
nfc Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2020-06-01 12:00:10 -07:00
ntb pci-v5.7-changes 2020-04-03 14:25:02 -07:00
nubus
nvdimm nvdimm: use bio_{start,end}_io_acct 2020-05-27 05:21:23 -06:00
nvme Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-06-03 16:27:18 -07:00
nvmem nvmem: core: remove nvmem_sysfs_get_groups() 2020-03-25 19:23:49 +01:00
of Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-04-25 20:18:53 -07:00
opp opp: Manage empty OPP tables with clk handle 2020-04-13 16:14:55 +05:30
oprofile drivers/oprofile: Open access for CAP_PERFMON privileged process 2020-04-16 12:19:09 -03:00
parisc parisc: Replace setup_irq() by request_irq() 2020-04-05 22:05:23 +02:00
parport sysctl: pass kernel pointers to ->proc_handler 2020-04-27 02:07:40 -04:00
pci hyperv-next for 5.8 2020-06-03 15:00:05 -07:00
pcmcia powerpc: add an ioremap_phb helper 2020-06-02 10:59:10 -07:00
perf arm64 updates for 5.8 2020-06-01 15:18:27 -07:00
phy phy: qualcomm: usb-hs-28nm: Prepare clocks in init 2020-04-30 12:10:49 +05:30
pinctrl pinctrl: qcom: Add affinity callbacks to msmgpio IRQ chip 2020-05-12 14:29:29 +02:00
platform media updates for v5.8-rc1 2020-06-03 20:59:38 -07:00
pnp PNPBIOS: Replace zero-length array with flexible-array 2020-05-15 18:20:49 +02:00
power Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-06-03 16:27:18 -07:00
powercap powercap: RAPL: remove unused local MSR define 2020-05-25 10:59:29 +02:00
pps
ps3 powerpc/ps3: Remove an unneeded NULL check 2020-04-03 00:09:59 +11:00
ptp ptp_clock: Let the ADJ_OFFSET interface respect the ADJ_NANO flag for PHC devices. 2020-05-25 17:55:17 -07:00
pwm pwm: pca9685: Fix PWM/GPIO inter-operation 2020-04-03 21:41:42 +02:00
rapidio rapidio: fix an error in get_user_pages_fast() error handling 2020-05-23 10:26:31 -07:00
ras
regulator Merge remote-tracking branch 'regulator/for-5.8' into regulator-linus 2020-06-01 13:01:44 +01:00
remoteproc remoteproc fixes for v5.7 2020-04-23 09:28:15 -07:00
reset
rpmsg rpmsg: pull in slab.h 2020-04-17 06:05:29 -04:00
rtc - New Drivers 2020-04-07 19:48:52 -07:00
s390 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-06-03 16:27:18 -07:00
sbus
scsi hyperv-next for 5.8 2020-06-03 15:00:05 -07:00
sfi
sh
siox
slimbus
soc Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-06-03 16:27:18 -07:00
soundwire Char/Misc driver patches for 5.7-rc1 2020-04-03 13:22:40 -07:00
spi Merge remote-tracking branch 'spi/for-5.8' into spi-next 2020-05-30 00:03:53 +01:00
spmi
ssb ssb: scan: fix block comments coding style issues 2020-04-28 12:02:22 +03:00
staging atomisp: avoid warning about unused function 2020-06-03 21:22:46 -07:00
target ipv4: add ip_sock_set_freebind 2020-05-28 11:11:45 -07:00
tc
tee ARM: driver updates 2020-04-03 15:05:35 -07:00
thermal - Convert tsens configuration DT binding to yaml (Rajeshwari) 2020-04-07 20:00:16 -07:00
thunderbolt thunderbolt: Check return value of tb_sw_read() in usb4_switch_op() 2020-04-28 19:00:59 +02:00
tty kgdb patches for 5.8-rc1 2020-06-03 14:57:03 -07:00
uio
usb platform-drivers-x86 for v5.8-1 2020-06-02 12:56:58 -07:00
vdpa vdpasim: remove unused variable 'ret' 2020-05-11 06:44:12 -04:00
vfio vfio/type1: Fix VA->PA translation for PFNMAP VMAs in vaddr_get_pfn() 2020-04-23 12:10:01 -06:00
vhost Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-05-24 13:47:27 -07:00
video drm pull for 5.8-rc1 2020-06-02 15:04:15 -07:00
virt
virtio virtio-balloon: Avoid using the word 'report' when referring to free page hinting 2020-04-17 06:05:30 -04:00
visorbus
vlynq
vme
w1
watchdog watchdog: iTCO: fix link error 2020-05-06 15:49:24 +03:00
xen xen: branch for v5.7-rc2 2020-04-17 10:35:17 -07:00
zorro SPDX patches for 5.7-rc1. 2020-04-03 13:12:26 -07:00
Kconfig virtio: fixes, vdpa 2020-04-08 10:51:53 -07:00
Makefile virtio: fixes, vdpa 2020-04-08 10:51:53 -07:00