Received: by 2002:ab2:6309:0:b0:1fb:d597:ff75 with SMTP id s9csp237162lqt;
        Thu, 6 Jun 2024 01:57:17 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCVGIjPAox7JdbpCsCUNC8wMXyeupc2pmPtAms/OhTVkzlDIHrAa7VGzQc36wAeClShTh5hJGrq4cA3IGLc3a/oCF55eQhwvn7cEoslYZA==
X-Google-Smtp-Source: AGHT+IEWze0XdbFHkLhwUDTG4+uiNj9UiDg+xUH0QD+RvI4u8PUoMcOauWaLHKa97niUWLVPx24D
X-Received: by 2002:a17:903:1ca:b0:1f6:6ef0:dae9 with SMTP id d9443c01a7336-1f6a5a6bdf1mr50076345ad.42.1717664237538;
        Thu, 06 Jun 2024 01:57:17 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1717664237; cv=pass;
        d=google.com; s=arc-20160816;
        b=ELoHMWSfArWjiLJCnG7sR9hd+0UOFP+RJSKqYlLBh7NlLE8mN5Th7iZGQtsiQgya4r
         E4FpgShM/ScUo0q4Gpf2p4Da2UOHuy7P+ybVZ1LkrxFXFNE/MIU4PzF6lIYftjxlxWeA
         znYjqIm/lfGi3bsooM7QxI+4a6PJdJ3cMACs7Q+hwTjvUkhrL/atPKG1H030Cj5scrqD
         MkzuKrMZssAt0ADwjSScF+p8fTVwkfqB4ViaPD3SClQt5dpLf1DIOs7qO/C5givrKDnP
         cw5UKf+ptB/UFoFtfUqqozchv+jQ7e5ZGOxTefT5PjNjRRzAZV+0lD2Y+zBI3Lv1D7W/
         bVtg==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:content-language:mime-version
         :list-unsubscribe:list-subscribe:list-id:precedence:accept-language
         :in-reply-to:references:message-id:date:thread-index:thread-topic
         :subject:cc:to:from;
        bh=0jjgx/s33SGjgVSNN8Fx6P6sz7CvJSJmcKkGDiiXxoc=;
        fh=BXVUQ8FY8OwPnbo9lj7kGhNT3B3bEbRkLbY12nekTjo=;
        b=pFqKx/oqj/ZXU467NXTvsCaFzY1iwK9KCs8kr0eV6MH1uM74KOSUqdGtSAY9jErt3l
         tlseW5/M6+tiBDKQtrZMF+v21J/SY8NlGJFs+cf0/pb/BoZiSpk6i5C55W8Dqw8nqSVF
         3QxV4LcDjEq6lSDLkpn75FXuRyoxaFfEutTl4g8ZTb4xgRzmKMeGwj8fGUZZ7s11+a8D
         cUABZUhqFZ5Ek/oN8Y3DYkMimKqaHPrMkANEQftaiUAzCj7mkPGeRL0Pqb2eGshFZ4ES
         0+ETNU7vBeRllsal4YX1e3zbY/3i+8haboXyA5YSu9pTdI/nf7/hXtcKAiQeUSPfUC7u
         LX3Q==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       arc=pass (i=1 spf=pass spfdomain=aculab.com dmarc=pass fromdomain=aculab.com);
       spf=pass (google.com: domain of linux-kernel+bounces-203866-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-203866-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=aculab.com
Return-Path: <linux-kernel+bounces-203866-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [2604:1380:40f1:3f00::1])
        by mx.google.com with ESMTPS id d9443c01a7336-1f6bd7614aesi8094365ad.26.2024.06.06.01.57.16
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 06 Jun 2024 01:57:17 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-203866-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) client-ip=2604:1380:40f1:3f00::1;
Authentication-Results: mx.google.com;
       arc=pass (i=1 spf=pass spfdomain=aculab.com dmarc=pass fromdomain=aculab.com);
       spf=pass (google.com: domain of linux-kernel+bounces-203866-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-203866-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=aculab.com
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sy.mirrors.kernel.org (Postfix) with ESMTPS id 536F0B25104
	for <linux.lists.archive@gmail.com>; Thu,  6 Jun 2024 08:48:09 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 5219F130497;
	Thu,  6 Jun 2024 08:47:56 +0000 (UTC)
Received: from eu-smtp-delivery-151.mimecast.com (eu-smtp-delivery-151.mimecast.com [185.58.86.151])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 616E313C3F9
	for <linux-kernel@vger.kernel.org>; Thu,  6 Jun 2024 08:47:53 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.58.86.151
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1717663675; cv=none; b=RhhtGKFOi6y7+O4GLhdufCZseK3hNKRMsYtKyB8gkcniJ8ydiBANclr7+V/sh1nnQdHlKRMMifHUctVQWlwPlY7P29jt3kDRAWGjxf0YOLPvsSXD76F1j0UOStS3GOVKmDJqR5iIn7wh5Er+P4hcteIxVlGyIY4aICk93WDlNZg=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1717663675; c=relaxed/simple;
	bh=5SCALM9/pCCYNvxyrEIe9yl/FOdRJs0JUlO3rA77C4w=;
	h=From:To:CC:Subject:Date:Message-ID:References:In-Reply-To:
	 MIME-Version:Content-Type; b=QkPIZlTuXKcttjgwug1MEXxf20FuzjrtrLzI5DIllIlMZzBIZ7Z+tFXRtG+uXvUezAkMzH2r9BHdWjbfvp0AIR3rWfz0feX8i6FBQKBCYFRtheFAQze5+8gRbidmr9c2thEZyYJtMEa9WB9OC5BiRDmkMh50Piivjjeoimu2D1U=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=ACULAB.COM; spf=pass smtp.mailfrom=aculab.com; arc=none smtp.client-ip=185.58.86.151
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=ACULAB.COM
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=aculab.com
Received: from AcuMS.aculab.com (156.67.243.121 [156.67.243.121]) by
 relay.mimecast.com with ESMTP with both STARTTLS and AUTH (version=TLSv1.2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id
 uk-mta-235-hxMZyz40PyK1pBTMtYucjg-1; Thu, 06 Jun 2024 09:47:45 +0100
X-MC-Unique: hxMZyz40PyK1pBTMtYucjg-1
Received: from AcuMS.Aculab.com (10.202.163.4) by AcuMS.aculab.com
 (10.202.163.4) with Microsoft SMTP Server (TLS) id 15.0.1497.48; Thu, 6 Jun
 2024 09:47:11 +0100
Received: from AcuMS.Aculab.com ([::1]) by AcuMS.aculab.com ([::1]) with mapi
 id 15.00.1497.048; Thu, 6 Jun 2024 09:47:11 +0100
From: David Laight <David.Laight@ACULAB.COM>
To: 'Breno Leitao' <leitao@debian.org>, Sathya Prakash
	<sathya.prakash@broadcom.com>, Sreekanth Reddy
	<sreekanth.reddy@broadcom.com>, Suganath Prabu Subramani
	<suganath-prabu.subramani@broadcom.com>, "James E.J. Bottomley"
	<James.Bottomley@HansenPartnership.com>, "Martin K. Petersen"
	<martin.petersen@oracle.com>, Chaitra P B <chaitra.basappa@broadcom.com>
CC: "leit@meta.com" <leit@meta.com>, "stable@vger.kernel.org"
	<stable@vger.kernel.org>, Keith Busch <kbusch@kernel.org>, "open
 list:LSILOGIC MPT FUSION DRIVERS (FC/SAS/SPI)"
	<MPT-FusionLinux.pdl@broadcom.com>, "open list:LSILOGIC MPT FUSION DRIVERS
 (FC/SAS/SPI)" <linux-scsi@vger.kernel.org>, open list
	<linux-kernel@vger.kernel.org>
Subject: RE: [PATCH v2] mpt3sas: Avoid test/set_bit() operating in
 non-allocated memory
Thread-Topic: [PATCH v2] mpt3sas: Avoid test/set_bit() operating in
 non-allocated memory
Thread-Index: AQHatyYXo+PuMyVExkerpGT7XDYd+bG6bGDA
Date: Thu, 6 Jun 2024 08:47:11 +0000
Message-ID: <f5bfddf9ec23402498df688e98f6bb29@AcuMS.aculab.com>
References: <20240605085530.499432-1-leitao@debian.org>
In-Reply-To: <20240605085530.499432-1-leitao@debian.org>
Accept-Language: en-GB, en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: aculab.com
Content-Language: en-US
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

From: Breno Leitao <leitao@debian.org>
> Sent: 05 June 2024 09:55
>=20
> There is a potential out-of-bounds access when using test_bit() on a
> single word. The test_bit() and set_bit() functions operate on long
> values, and when testing or setting a single word, they can exceed the
> word boundary. KASAN detects this issue and produces a dump:
>=20
> =09 BUG: KASAN: slab-out-of-bounds in _scsih_add_device.constprop.0
> (./arch/x86/include/asm/bitops.h:60 ./include/asm-generic/bitops/instrume=
nted-atomic.h:29
> drivers/scsi/mpt3sas/mpt3sas_scsih.c:7331) mpt3sas
>=20
> =09 Write of size 8 at addr ffff8881d26e3c60 by task kworker/u1536:2/2965
>=20
> For full log, please look at [1].
>=20
> Make the allocation at least the size of sizeof(unsigned long) so that
> set_bit() and test_bit() have sufficient room for read/write operations
> without overwriting unallocated memory.
>=20
...
> @@ -8512,6 +8512,12 @@ mpt3sas_base_attach(struct MPT3SAS_ADAPTER *ioc)
>  =09ioc->pd_handles_sz =3D (ioc->facts.MaxDevHandle / 8);
>  =09if (ioc->facts.MaxDevHandle % 8)
>  =09=09ioc->pd_handles_sz++;
> +=09/* pd_handles_sz should have, at least, the minimal room
> +=09 * for set_bit()/test_bit(), otherwise out-of-memory touch
> +=09 * may occur
> +=09 */
> +=09ioc->pd_handles_sz =3D ALIGN(ioc->pd_handles_sz, sizeof(unsigned long=
));
> +
>  =09ioc->pd_handles =3D kzalloc(ioc->pd_handles_sz,
>  =09    GFP_KERNEL);

That is entirely stupid code.
IIRC there is a BITMAP_SIZE() that does ((x) + 63u) & ~63)/8
(on 64bit systems).

=09David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1=
PT, UK
Registration No: 1397386 (Wales)