Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp2472747pxu;
        Sat, 28 Nov 2020 15:32:11 -0800 (PST)
X-Google-Smtp-Source: ABdhPJyx797QZ7tM8K+So43JwDpIsQ3qriZMhk7kzeNnwvLOcIEs/LW2WZdeAkHH99CKG0rYHA7y
X-Received: by 2002:a50:9518:: with SMTP id u24mr14858977eda.124.1606606331750;
        Sat, 28 Nov 2020 15:32:11 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1606606331; cv=none;
        d=google.com; s=arc-20160816;
        b=l2NsZgXMTsMPHOCElHfvosYAUPDVW18NqIOOf43B1jowXg/QwWZ4xwj0oKMNqVBmuE
         /6IMVRbIhkGRxHsQ/EKz6JF5X1oFHWgPlcN2ywqfvJSCyPu9pyHmZW3/rDV0BUT1c8kW
         f29jlZvDgQpo0EhumTqOQ8lgOvUBG82s+4XP5mhEHrolaMwiJq3DpbJdMqSXRi7YpFFM
         fpFNypWSwu+zJ0YsC/M0K59nMlg+3JmB9OB8o6XsyEZ+ve8ALLL6x9NdqLeH4keo4JWL
         GynuSwxft7DgGpNcqkiC5qhPO1+D9Liee63MHQGrKpFC6YBkhG5JkO8vk/sdTEgqDYdP
         dUaw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:date:cc:to:reply-to:from:subject
         :message-id:dkim-signature;
        bh=bCG8G51Iyk2zmq31048W8a7dnAA9tSi/D4nkld4h+Y4=;
        b=A8SQrAGL765lnIym51DYbFQ7qRpUEa3+4pqktYDw2Zf9x81EVLFaFONMLpNtiixxQW
         aD5L+sDf4sA3ULDsCM+UqS8thdejAnTo+iOadn49aJUWJV1iDam86900FpG2g6x35S7i
         3ic86ALnHflS9dGJYjnztHtffjdioUyNBZKnW6bKdH/saWRl/236JGWWpmpB3FQ11BqR
         OVPSICZuYyRdGk9ux+tzbB1w0ECZrBGsOvyxLbBecUGuP6vsk62CkuggJrMAymDgpuOM
         C46YAiQtvVCuiOQjAx4sUR1d9VJuzP2LwccsBtTMfYEcPQtK0MEOCUsN2AvkClkCmBzj
         NEqQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@ibm.com header.s=pp1 header.b=FzrKYdy6;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ibm.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id yd6si5447006ejb.595.2020.11.28.15.31.48;
        Sat, 28 Nov 2020 15:32:11 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@ibm.com header.s=pp1 header.b=FzrKYdy6;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ibm.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727748AbgK1X2K (ORCPT <rfc822;vinadhy@gmail.com> + 99 others);
        Sat, 28 Nov 2020 18:28:10 -0500
Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:28958 "EHLO
        mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL)
        by vger.kernel.org with ESMTP id S1725989AbgK1X2K (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 28 Nov 2020 18:28:10 -0500
Received: from pps.filterd (m0098420.ppops.net [127.0.0.1])
        by mx0b-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 0ASN1XG5082691;
        Sat, 28 Nov 2020 18:27:25 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=message-id : subject :
 from : reply-to : to : cc : date : in-reply-to : references : content-type
 : mime-version : content-transfer-encoding; s=pp1;
 bh=bCG8G51Iyk2zmq31048W8a7dnAA9tSi/D4nkld4h+Y4=;
 b=FzrKYdy6CY28etVmfrzYxyhMiNZ6WKS07WBmHEMwBx9126W0fzmGl1bOgN4uQ+DCaLg+
 +Xzy12rw6bRfymYxdnzf3+UwT7dsFooGMEwicM+2fI78fv6rh9V2lFGibGGQIRBZglyR
 NJXdTAWttoo7ufcldHC9YGkjl3w7PQOC7I9qD0K75MTw1Uu/hG8Y887P1+i8OGzzXMT4
 Lw5qtAxjqfeYEvD/nINdfq6adO9dtxHEkdN9OAfg/26bD6p2onpoAju5QW9/m+e8o2s7
 Vi4zDpkw4IpfpbHACRmplTkf2RGrpr08sQm02RHSS3stuRGfJOQxoDY/RQAJ3gG9xnAW /g== 
Received: from ppma03wdc.us.ibm.com (ba.79.3fa9.ip4.static.sl-reverse.com [169.63.121.186])
        by mx0b-001b2d01.pphosted.com with ESMTP id 353xvv1b6m-1
        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
        Sat, 28 Nov 2020 18:27:24 -0500
Received: from pps.filterd (ppma03wdc.us.ibm.com [127.0.0.1])
        by ppma03wdc.us.ibm.com (8.16.0.42/8.16.0.42) with SMTP id 0ASNROUT012005;
        Sat, 28 Nov 2020 23:27:24 GMT
Received: from b03cxnp08028.gho.boulder.ibm.com (b03cxnp08028.gho.boulder.ibm.com [9.17.130.20])
        by ppma03wdc.us.ibm.com with ESMTP id 353e68d5jk-1
        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
        Sat, 28 Nov 2020 23:27:24 +0000
Received: from b03ledav004.gho.boulder.ibm.com (b03ledav004.gho.boulder.ibm.com [9.17.130.235])
        by b03cxnp08028.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 0ASNRNcr49283466
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
        Sat, 28 Nov 2020 23:27:23 GMT
Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1])
        by IMSVA (Postfix) with ESMTP id 8F50F7805E;
        Sat, 28 Nov 2020 23:27:23 +0000 (GMT)
Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1])
        by IMSVA (Postfix) with ESMTP id 6BD1B7805C;
        Sat, 28 Nov 2020 23:27:22 +0000 (GMT)
Received: from jarvis.int.hansenpartnership.com (unknown [9.80.201.242])
        by b03ledav004.gho.boulder.ibm.com (Postfix) with ESMTP;
        Sat, 28 Nov 2020 23:27:22 +0000 (GMT)
Message-ID: <c5deac044ac409e32d9ad9968ce0dcbc996bfc7a.camel@linux.ibm.com>
Subject: Re: [PATCH] scsi: ses: Fix crash caused by kfree an invalid pointer
From:   James Bottomley <jejb@linux.ibm.com>
Reply-To: jejb@linux.ibm.com
To:     Ding Hui <dinghui@sangfor.com.cn>, martin.petersen@oracle.com
Cc:     linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org,
        stable <stable@vger.kernel.org>
Date:   Sat, 28 Nov 2020 15:27:21 -0800
In-Reply-To: <20201128122302.9490-1-dinghui@sangfor.com.cn>
References: <20201128122302.9490-1-dinghui@sangfor.com.cn>
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.34.4 
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-TM-AS-GCONF: 00
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.312,18.0.737
 definitions=2020-11-28_17:2020-11-26,2020-11-28 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 mlxlogscore=999
 lowpriorityscore=0 impostorscore=0 bulkscore=0 suspectscore=4
 priorityscore=1501 mlxscore=0 malwarescore=0 phishscore=0 clxscore=1011
 adultscore=0 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1
 engine=8.12.0-2009150000 definitions=main-2011280144
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, 2020-11-28 at 20:23 +0800, Ding Hui wrote:
> We can get a crash when disconnecting the iSCSI session,
> the call trace like this:
> 
>   [ffff00002a00fb70] kfree at ffff00000830e224
>   [ffff00002a00fba0] ses_intf_remove at ffff000001f200e4
>   [ffff00002a00fbd0] device_del at ffff0000086b6a98
>   [ffff00002a00fc50] device_unregister at ffff0000086b6d58
>   [ffff00002a00fc70] __scsi_remove_device at ffff00000870608c
>   [ffff00002a00fca0] scsi_remove_device at ffff000008706134
>   [ffff00002a00fcc0] __scsi_remove_target at ffff0000087062e4
>   [ffff00002a00fd10] scsi_remove_target at ffff0000087064c0
>   [ffff00002a00fd70] __iscsi_unbind_session at ffff000001c872c4
>   [ffff00002a00fdb0] process_one_work at ffff00000810f35c
>   [ffff00002a00fe00] worker_thread at ffff00000810f648
>   [ffff00002a00fe70] kthread at ffff000008116e98
> 
> In ses_intf_add, components count could be 0, and kcalloc 0 size
> scomp,
> but not saved in edev->component[i].scratch
> 
> In this situation, edev->component[0].scratch is an invalid pointer,
> when kfree it in ses_intf_remove_enclosure, a crash like above would
> happen
> The call trace also could be other random cases when kfree cannot
> catch
> the invalid pointer
> 
> We should not use edev->component[] array when the components count
> is 0
> We also need check index when use edev->component[] array in
> ses_enclosure_data_process
> 
> Tested-by: Zeng Zhicong <timmyzeng@163.com>
> Cc: stable <stable@vger.kernel.org> # 2.6.25+
> Signed-off-by: Ding Hui <dinghui@sangfor.com.cn>

This doesn't really look to be the right thing to do: an enclosure
which has no component can't usefully be controlled by the driver since
there's nothing for it to do, so what we should do in this situation is
refuse to attach like the proposed patch below.

It does seem a bit odd that someone would build an enclosure that
doesn't enclose anything, so would you mind running

sg_ses -e 

on it and reporting back what it shows?  It's possible there's another
type that the enclosure device should be tracking.

Regards,

James

---8>8>8><8<8<8--------
From: James Bottomley <James.Bottomley@HansenPartnership.com>
Subject: [PATCH] scsi: ses: don't attach if enclosure has no components

An enclosure with no components can't usefully be operated by the
driver (since effectively it has nothing to manage), so report the
problem and don't attach.  Not attaching also fixes an oops which
could occur if the driver tries to manage a zero component enclosure.

Reported-by: Ding Hui <dinghui@sangfor.com.cn>
Cc: stable@vger.kernel.org
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
---
 drivers/scsi/ses.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c
index c2afba2a5414..9624298b9c89 100644
--- a/drivers/scsi/ses.c
+++ b/drivers/scsi/ses.c
@@ -690,6 +690,11 @@ static int ses_intf_add(struct device *cdev,
 		    type_ptr[0] == ENCLOSURE_COMPONENT_ARRAY_DEVICE)
 			components += type_ptr[1];
 	}
+	if (components == 0) {
+		sdev_printk(KERN_ERR, sdev, "enclosure has no enumerated components\n");
+		goto err_free;
+	}
+
 	ses_dev->page1 = buf;
 	ses_dev->page1_len = len;
 	buf = NULL;
-- 
2.26.2