Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp195398imm;
        Fri, 3 Aug 2018 01:49:16 -0700 (PDT)
X-Google-Smtp-Source: AAOMgpce/X7X0Pds1WSzGOchO5W+EAjPvcExE3fzkfXU/8y1x0aZRHJd8wCrWdDhIrWfpvmBTAwd
X-Received: by 2002:a62:a3d1:: with SMTP id q78-v6mr3391491pfl.5.1533286156803;
        Fri, 03 Aug 2018 01:49:16 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1533286156; cv=none;
        d=google.com; s=arc-20160816;
        b=q37VHKBOIvFtBexE65P9Oxlov6OGjHGfD7o7gPMNDxMsCyK2zm6RlBqI8EUFXZwG9d
         h4IP5NOSoVfQdaLJGLTqRmO5HxMXBJVuR6Pm83snODLQY0Nu76sLIrSz60930P7Ex5tV
         zcbXrc9LX1VbiXJxfndpyDkPn6MAcx+0KkFxCkDNIGHc6EL2Yj0gHjC15PU8vKLDT3QV
         I0fymzuOs9s0rhB+tzzIXBGDDTfX5ZA1o8ADGEm2cCIzl4hVV0zw+3k2nvBb2Oz2hlXq
         J4RM885Qy/RjZmTd+ErsCI86EZPr7TV/s6oVZJ0bMFc1w2FIiLvj+BJC8psXsStrYf4Z
         9MDw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:date:message-id:subject:from:to:cc
         :arc-authentication-results;
        bh=YRMQuoQ2mDH8ROdQIA/gdFTTa9AXjjPaOUhwyZrmmgE=;
        b=rRjuhgHmcIpDMBzhafU16zTJr7+V2BnqrqNq4f/zJXqNG4T6GNCGX8+JUZ1ulBriAm
         rDk+NFxS5hiJxgjQZgchXzJo79w98a5Gwdqr9IKKE/N0l95hOsvqq8UKXUhmA5ReXqkt
         D5tZ0C6WT0pMUFgxN2G+2i+U5puWqnSvC3xomze0BX7wmcQ2J9w3Vj5vUdyyFexnWPzM
         eXfplHkIdqJsgAGDnyWxqsaw1p2EwxGxYsi34qB01FbNMXp0tFLYFt7LtXNQELsh18BY
         zvFNl0u8kXO53a03K4+ADLDbhGXjxDChoPZomHxiiwgJaODOaQZjUT54PaQkr5aVlm/o
         qrVw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id p84-v6si4801086pfl.17.2018.08.03.01.49.02;
        Fri, 03 Aug 2018 01:49:16 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1732269AbeHCKn1 (ORCPT <rfc822;plaguedbypenguins@gmail.com>
        + 99 others); Fri, 3 Aug 2018 06:43:27 -0400
Received: from szxga07-in.huawei.com ([45.249.212.35]:44145 "EHLO huawei.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1729814AbeHCKn1 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 3 Aug 2018 06:43:27 -0400
Received: from DGGEMS411-HUB.china.huawei.com (unknown [172.30.72.60])
        by Forcepoint Email with ESMTP id 96755956AD688;
        Fri,  3 Aug 2018 16:47:59 +0800 (CST)
Received: from [127.0.0.1] (10.177.97.93) by DGGEMS411-HUB.china.huawei.com
 (10.3.19.211) with Microsoft SMTP Server id 14.3.399.0; Fri, 3 Aug 2018
 16:47:51 +0800
CC:     <gaowanlong@huawei.com>,
        "wencongyang (A)" <wencongyang2@huawei.com>,
        "Wanghui (John)" <john.wanghui@huawei.com>,
        guijianfeng <guijianfeng@huawei.com>, <lipengfei58@huawei.com>,
        qiaonuohan <qiaonuohan@huawei.com>
To:     "Martin K. Petersen" <martin.petersen@oracle.com>,
        <linux-scsi@vger.kernel.org>, <linux-kernel@vger.kernel.org>
From:   Wanlong Gao <gaowanlong@huawei.com>
Subject: [bug report] memory corruption panic caused by SG_IO ioctl()
Message-ID: <a44201bc-d8d1-6d19-645e-07687ef4bc9e@huawei.com>
Date:   Fri, 3 Aug 2018 16:46:57 +0800
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101
 Thunderbird/45.4.0
MIME-Version: 1.0
Content-Type: text/html; charset="windows-1252"
Content-Transfer-Encoding: 8bit
X-Originating-IP: [10.177.97.93]
X-CFilter-Loop: Reflected
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=windows-1252">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p>
      <meta http-equiv="Content-Type" content="text/html;
        charset=windows-1252">
    </p>
    <p>
      <meta name="ProgId" content="OneNote.File">
      <meta name="Generator" content="Microsoft OneNote 15">
      <p style="margin:0in;font-family:Calibri"><span
          style="font-size:10.0pt" lang="en-US">Hi </span><span
          style="font-size:10.5pt" lang="zh-CN">Martin</span><span
          style="font-size:10.5pt" lang="en-US"> and all folks,</span></p>
      <p style="margin:0in;font-family:Calibri"><span
          style="font-size:10.5pt" lang="en-US"><br>
        </span></p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt">Recently
        we find a
        kernel panic with memory corruption caused by SG_IO ioctl(), and
        it can be
        easily reproduced by running following reproducer about minutes,<span
          style="mso-spacerun:yes">? </span>any idea?</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt">?</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt">Thanks,</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt">Wanlong</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"><br>
      </p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"><br>
      </p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">C
        reproducer:</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">//
        autogenerated by syzkaller (<a
          href="http://github.com/google/syzkaller">http://github.com/google/syzkaller</a>)</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">?</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">#define
        _GNU_SOURCE </p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">#include
        &lt;endian.h&gt;</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">#include
        &lt;sys/syscall.h&gt;</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">#include
        &lt;unistd.h&gt;</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">#include
        &lt;fcntl.h&gt;</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">#include
        &lt;stdio.h&gt;</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">#include
        &lt;string.h&gt;</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">#include
        &lt;sys/stat.h&gt;</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">#include
        &lt;stdint.h&gt;</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">#include
        &lt;string.h&gt;</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">?</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">static
        uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">{</p>
      <p
style="margin:0in;margin-left:.375in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">if (a0 == 0xc || a0 == 0xb) {</p>
      <p
style="margin:0in;margin-left:.75in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">char buf[128];</p>
      <p
style="margin:0in;margin-left:.75in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char"
        : "block", (uint8_t)a1, (uint8_t)a2);</p>
      <p
style="margin:0in;margin-left:.75in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">return open(buf, O_RDWR, 0);</p>
      <p
style="margin:0in;margin-left:.375in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">} else {</p>
      <p
style="margin:0in;margin-left:.75in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">char buf[1024];</p>
      <p
style="margin:0in;margin-left:.75in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">char* hash;</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">strncpy(buf,
        (char*)a0, sizeof(buf) - 1);</p>
      <p
style="margin:0in;margin-left:.75in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">buf[sizeof(buf) - 1] = 0;</p>
      <p
style="margin:0in;margin-left:.75in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">while ((hash = strchr(buf, '#'))) {</p>
      <p
style="margin:0in;margin-left:1.125in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">*hash = '0' + (char)(a1 % 10);</p>
      <p
style="margin:0in;margin-left:1.125in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">a1 /= 10;</p>
      <p
style="margin:0in;margin-left:.75in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">}</p>
      <p
style="margin:0in;margin-left:.75in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">return open(buf, a2, 0);</p>
      <p
style="margin:0in;margin-left:.375in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">}</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">}</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">?</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">static
        void execute_one();</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">extern
        unsigned long long procid;</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">?</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">void
        loop()</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">{</p>
      <p
style="margin:0in;margin-left:.375in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">while (1) {</p>
      <p
style="margin:0in;margin-left:.75in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">execute_one();</p>
      <p
style="margin:0in;margin-left:.375in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">}</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">}</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">?</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">uint64_t
        r[1] = {0xffffffffffffffff};</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">void
        execute_one()</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">{</p>
      <p
style="margin:0in;margin-left:.375in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">long res = 0;</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">memcpy((void*)0x20000040,
        "/dev/sg#", 9);</p>
      <p
style="margin:0in;margin-left:.375in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">res = syz_open_dev(0x20000040, 0, 0);</p>
      <p
style="margin:0in;margin-left:.375in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">if (res != -1)</p>
      <p
style="margin:0in;margin-left:.75in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">r[0] = res;</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">*(uint32_t*)0x200002c0
        = 0x53;</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">*(uint32_t*)0x200002c4
        = 0;</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">*(uint8_t*)0x200002c8
        = 0xd;</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">*(uint8_t*)0x200002c9
        = 0;</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">*(uint16_t*)0x200002ca
        = 0;</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">*(uint32_t*)0x200002cc
        = 0x95;</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">*(uint64_t*)0x200002d0
        = 0x20000080;</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">*(uint64_t*)0x200002d8
        = 0x20000000;</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">memcpy((void*)0x20000000,
        "\x08\xf0\xa8\x77\xd3\xbe\x87\x5d\xda\x65\x79\x3f\xc7", 13);</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">*(uint64_t*)0x200002e0
        = 0x20000180;</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">*(uint32_t*)0x200002e8
        = 0x8001;</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">*(uint32_t*)0x200002ec
        = 0x10024;</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">*(uint32_t*)0x200002f0
        = -1;</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">*(uint64_t*)0x200002f4
        = 0x20000280;</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">*(uint8_t*)0x200002fc
        = 0;</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">*(uint8_t*)0x200002fd
        = 0;</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">*(uint8_t*)0x200002fe
        = 0;</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">*(uint8_t*)0x200002ff
        = 0;</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">*(uint16_t*)0x20000300
        = 0;</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">*(uint16_t*)0x20000302
        = 0;</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">*(uint32_t*)0x20000304
        = 0;</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">*(uint32_t*)0x20000308
        = 0;</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">*(uint32_t*)0x2000030c
        = 0;</p>
      <p
style="margin:0in;margin-left:.375in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">syscall(__NR_ioctl, r[0], 0x2285, 0x200002c0);</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">}</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">?</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">int
        main()</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">{</p>
      <p
style="margin:0in;margin-left:.375in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32,
        -1, 0);</p>
      <p
style="margin:0in;margin-left:.375in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">for (;;) {</p>
      <p
style="margin:0in;margin-left:.75in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">loop();</p>
      <p
style="margin:0in;margin-left:.375in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">}</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt"
        lang="zh-CN">}</p>
      <p style="margin:0in;font-family:Calibri;font-size:10.5pt">?</p>
    </p>
  </body>
</html>