From: Breno Leitao
To: Sathya Prakash, Sreekanth Reddy, Suganath Prabu Subramani, "James E.J. Bottomley", "Martin K. Petersen"
Cc: leit@meta.com, Keith Busch, MPT-FusionLinux.pdl@broadcom.com (open list:LSILOGIC MPT FUSION DRIVERS (FC/SAS/SPI)), linux-scsi@vger.kernel.org (open list:LSILOGIC MPT FUSION DRIVERS (FC/SAS/SPI)), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] mpt3sas: Avoid test/set_bit() operating in non-allocated memory
Date: Fri, 31 May 2024 11:00:54 -0700
Message-ID: <20240531180055.950704-1-leitao@debian.org>

There is a potential out-of-bounds access when using test_bit() on a
single word. The test_bit() and set_bit() functions operate on long
values, and when testing or setting a single word, they can exceed the
word boundary.

KASAN detects this issue and produces a dump:

	BUG: KASAN: slab-out-of-bounds in _scsih_add_device.constprop.0 (./arch/x86/include/asm/bitops.h:60 ./include/asm-generic/bitops/instrumented-atomic.h:29 drivers/scsi/mpt3sas/mpt3sas_scsih.c:7331) mpt3sas
	Write of size 8 at addr ffff8881d26e3c60 by task kworker/u1536:2/2965

For full log, please look at [1].

Make the allocation at least the size of sizeof(unsigned long) so that
set_bit() and test_bit() have sufficient room for read/write operations
without overwriting unallocated memory.

[1] Link: https://lore.kernel.org/all/ZkNcALr3W3KGYYJG@gmail.com/

Suggested-by: Keith Busch
Signed-off-by: Breno Leitao
---
 drivers/scsi/mpt3sas/mpt3sas_base.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
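As an added illustration of the sizing problem the commit message describes (this is a userspace model written for this page, not the mpt3sas driver's code or part of the patch): it reproduces the driver's ceil(MaxDevHandle / 8) byte count and the patched ALIGN() count with stand-in macros for the kernel's BIT_WORD() and ALIGN(), and models test_bit() with the bounds check KASAN performs so the over-read is visible. The MaxDevHandle values and helper names (byte_sized, long_sized, bytes_touched, probe_bit) are constructed.

```c
#include <stddef.h>

/* Stand-ins for the kernel's BITS_PER_LONG, BIT_WORD() and ALIGN();
 * userspace model only, not the mpt3sas code. */
#define BITS_PER_LONG  (8 * sizeof(unsigned long))
#define BIT_WORD(nr)   ((nr) / BITS_PER_LONG)
#define ALIGN_UP(x, a) ((((x) + (a) - 1) / (a)) * (a))

/* Size the driver computed before the patch: ceil(max_handle / 8) bytes. */
size_t byte_sized(unsigned max_handle)
{
	size_t sz = max_handle / 8;
	if (max_handle % 8)
		sz++;
	return sz;
}

/* Size after the patch: the byte count rounded up to whole unsigned longs. */
size_t long_sized(unsigned max_handle)
{
	return ALIGN_UP(byte_sized(max_handle), sizeof(unsigned long));
}

/* Bytes that test_bit()/set_bit() on the highest valid handle really touch:
 * both access the whole unsigned long holding bit (max_handle - 1). */
size_t bytes_touched(unsigned max_handle)
{
	return (BIT_WORD(max_handle - 1) + 1) * sizeof(unsigned long);
}

/* test_bit() with the check KASAN makes at runtime: the bit value, or -1 when
 * reading the containing long would run past an allocation of alloc_sz bytes. */
int checked_test_bit(unsigned nr, const unsigned long *addr, size_t alloc_sz)
{
	size_t word = BIT_WORD(nr);
	if ((word + 1) * sizeof(unsigned long) > alloc_sz)
		return -1;
	return (addr[word] >> (nr % BITS_PER_LONG)) & 1UL;
}

/* Set bit nr (nr < 512) in a buffer that is always big enough, then read it
 * back as if only alloc_sz bytes had been allocated. */
int probe_bit(unsigned nr, size_t alloc_sz)
{
	unsigned long buf[16] = {0};  /* 16 longs: at least 512 bits on any target */
	buf[BIT_WORD(nr)] |= 1UL << (nr % BITS_PER_LONG);
	return checked_test_bit(nr, buf, alloc_sz);
}
```

For MaxDevHandle = 100 the driver allocated 13 bytes, test_bit(99) reads bytes 8..15, and the ALIGN() makes the allocation exactly 16; when ceil(n / 8) is already a multiple of sizeof(unsigned long) (n = 64, 512, ...) the two sizes coincide and the bug does not surface.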
diff --git a/drivers/scsi/mpt3sas/mpt3sas_base.c b/drivers/scsi/mpt3sas/mpt3sas_base.c index 258647fc6bdd..fe9f4a4175d1 100644 --- a/drivers/scsi/mpt3sas/mpt3sas_base.c +++ b/drivers/scsi/mpt3sas/mpt3sas_base.c @@ -8512,6 +8512,12 @@ mpt3sas_base_attach(struct MPT3SAS_ADAPTER *ioc) ioc->pd_handles_sz = (ioc->facts.MaxDevHandle / 8); if (ioc->facts.MaxDevHandle % 8) ioc->pd_handles_sz++; + /* pd_handles_sz should have, at least, the minimal room + * for set_bit()/test_bit(), otherwise out-of-memory touch + * may occur + */ + ioc->pd_handles_sz = ALIGN(ioc->pd_handles_sz, sizeof(unsigned long)); + ioc->pd_handles = kzalloc(ioc->pd_handles_sz, GFP_KERNEL); if (!ioc->pd_handles) { @@ -8529,6 +8535,12 @@ mpt3sas_base_attach(struct MPT3SAS_ADAPTER *ioc) ioc->pend_os_device_add_sz = (ioc->facts.MaxDevHandle / 8); if (ioc->facts.MaxDevHandle % 8) ioc->pend_os_device_add_sz++; + + /* pend_os_device_add_sz should have, at least, the minimal room + * for set_bit()/test_bit(), otherwise out-of-memory may occur + */ + ioc->pend_os_device_add_sz = ALIGN(ioc->pend_os_device_add_sz, + sizeof(unsigned long)); ioc->pend_os_device_add = kzalloc(ioc->pend_os_device_add_sz, GFP_KERNEL); if (!ioc->pend_os_device_add) { -- 2.43.0
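Review bot: in the first hunk the new comment says "out-of-memory touch may occur", but what is being fixed is an out-of-bounds read/write past the end of the kzalloc()'d buffer (the commit message's KASAN report is a slab-out-of-bounds), so the comment should say "out-of-bounds access" rather than something that reads like an allocation failure. The three-step computation that now precedes the allocation, `ioc->pd_handles_sz = (ioc->facts.MaxDevHandle / 8);`, the `% 8` round-up, then `ALIGN(ioc->pd_handles_sz, sizeof(unsigned long))`, is the byte length of BITS_TO_LONGS(ioc->facts.MaxDevHandle) longs; writing it as `BITS_TO_LONGS(ioc->facts.MaxDevHandle) * sizeof(unsigned long)` (or allocating with bitmap_zalloc(ioc->facts.MaxDevHandle, GFP_KERNEL)) states the intent in one expression and cannot be got wrong the same way again. Since pd_handles_sz is kept on the ioc, please confirm that every other consumer of that field is happy with the value now being rounded up.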
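Review bot: the second hunk's comment has the same wording problem ("out-of-memory may occur" for an out-of-bounds access) and is inconsistent with the first hunk about the blank line, which here is the added `+` line before the comment and in the first hunk follows the ALIGN(); pick one placement. More importantly, the same ceil(MaxDevHandle / 8) sizing pattern now appears twice in mpt3sas_base_attach() with an identical ALIGN() fix; if any further per-handle bitmap in this function is sized the same way it needs the same treatment in this patch rather than a follow-up, and a small shared helper (or BITS_TO_LONGS()) would keep the rounding in one place.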