linux

mirror of https://github.com/torvalds/linux.git synced 2026-06-15 18:42:46 +02:00

History

Ming Lei bffff9301e scsi: Fix use-after-free commit `bcd8f2e948` upstream. This patch fixes one use-after-free report[1] by KASAN. In __scsi_scan_target(), when a type 31 device is probed, SCSI_SCAN_TARGET_PRESENT is returned and the target will be scanned again. Inside the following scsi_report_lun_scan(), one new scsi_device instance is allocated, and scsi_probe_and_add_lun() is called again to probe the target and still see type 31 device, finally __scsi_remove_device() is called to remove & free the device at the end of scsi_probe_and_add_lun(), so cause use-after-free in scsi_report_lun_scan(). And the following SCSI log can be observed: scsi 0:0:2:0: scsi scan: INQUIRY pass 1 length 36 scsi 0:0:2:0: scsi scan: INQUIRY successful with code 0x0 scsi 0:0:2:0: scsi scan: peripheral device type of 31, no device added scsi 0:0:2:0: scsi scan: Sending REPORT LUNS to (try 0) scsi 0:0:2:0: scsi scan: REPORT LUNS successful (try 0) result 0x0 scsi 0:0:2:0: scsi scan: REPORT LUN scan scsi 0:0:2:0: scsi scan: INQUIRY pass 1 length 36 scsi 0:0:2:0: scsi scan: INQUIRY successful with code 0x0 scsi 0:0:2:0: scsi scan: peripheral device type of 31, no device added BUG: KASAN: use-after-free in __scsi_scan_target+0xbf8/0xe40 at addr ffff88007b44a104 This patch fixes the issue by moving the putting reference at the end of scsi_report_lun_scan(). [1] KASAN report ================================================================== [ 3.274597] PM: Adding info for serio:serio1 [ 3.275127] BUG: KASAN: use-after-free in __scsi_scan_target+0xd87/0xdf0 at addr ffff880254d8c304 [ 3.275653] Read of size 4 by task kworker/u10:0/27 [ 3.275903] CPU: 3 PID: 27 Comm: kworker/u10:0 Not tainted 4.8.0 #2121 [ 3.276258] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 [ 3.276797] Workqueue: events_unbound async_run_entry_fn [ 3.277083] ffff880254d8c380 ffff880259a37870 ffffffff94bbc6c1 ffff880078402d80 [ 3.277532] ffff880254d8bb80 ffff880259a37898 ffffffff9459fec1 ffff880259a37930 [ 3.277989] ffff880254d8bb80 ffff880078402d80 ffff880259a37920 ffffffff945a0165 [ 3.278436] Call Trace: [ 3.278528] [<ffffffff94bbc6c1>] dump_stack+0x65/0x84 [ 3.278797] [<ffffffff9459fec1>] kasan_object_err+0x21/0x70 [ 3.279063] device: 'psaux': device_add [ 3.279616] [<ffffffff945a0165>] kasan_report_error+0x205/0x500 [ 3.279651] PM: Adding info for No Bus:psaux [ 3.280202] [<ffffffff944ecd22>] ? kfree_const+0x22/0x30 [ 3.280486] [<ffffffff94bc2dc9>] ? kobject_release+0x119/0x370 [ 3.280805] [<ffffffff945a0543>] __asan_report_load4_noabort+0x43/0x50 [ 3.281170] [<ffffffff9507e1f7>] ? __scsi_scan_target+0xd87/0xdf0 [ 3.281506] [<ffffffff9507e1f7>] __scsi_scan_target+0xd87/0xdf0 [ 3.281848] [<ffffffff9507d470>] ? scsi_add_device+0x30/0x30 [ 3.282156] [<ffffffff94f7f660>] ? pm_runtime_autosuspend_expiration+0x60/0x60 [ 3.282570] [<ffffffff956ddb07>] ? _raw_spin_lock+0x17/0x40 [ 3.282880] [<ffffffff9507e505>] scsi_scan_channel+0x105/0x160 [ 3.283200] [<ffffffff9507e8a2>] scsi_scan_host_selected+0x212/0x2f0 [ 3.283563] [<ffffffff9507eb3c>] do_scsi_scan_host+0x1bc/0x250 [ 3.283882] [<ffffffff9507efc1>] do_scan_async+0x41/0x450 [ 3.284173] [<ffffffff941c1fee>] async_run_entry_fn+0xfe/0x610 [ 3.284492] [<ffffffff941a8954>] ? pwq_dec_nr_in_flight+0x124/0x2a0 [ 3.284876] [<ffffffff941d1770>] ? preempt_count_add+0x130/0x160 [ 3.285207] [<ffffffff941a9a84>] process_one_work+0x544/0x12d0 [ 3.285526] [<ffffffff941aa8e9>] worker_thread+0xd9/0x12f0 [ 3.285844] [<ffffffff941aa810>] ? process_one_work+0x12d0/0x12d0 [ 3.286182] [<ffffffff941bb365>] kthread+0x1c5/0x260 [ 3.286443] [<ffffffff940855cd>] ? __switch_to+0x88d/0x1430 [ 3.286745] [<ffffffff941bb1a0>] ? kthread_worker_fn+0x5a0/0x5a0 [ 3.287085] [<ffffffff956dde9f>] ret_from_fork+0x1f/0x40 [ 3.287368] [<ffffffff941bb1a0>] ? kthread_worker_fn+0x5a0/0x5a0 [ 3.287697] Object at ffff880254d8bb80, in cache kmalloc-2048 size: 2048 [ 3.288064] Allocated: [ 3.288147] PID = 27 [ 3.288218] [<ffffffff940b27ab>] save_stack_trace+0x2b/0x50 [ 3.288531] [<ffffffff9459f246>] save_stack+0x46/0xd0 [ 3.288806] [<ffffffff9459f4bd>] kasan_kmalloc+0xad/0xe0 [ 3.289098] [<ffffffff9459c07e>] __kmalloc+0x13e/0x250 [ 3.289378] [<ffffffff95078e5a>] scsi_alloc_sdev+0xea/0xcf0 [ 3.289701] [<ffffffff9507de76>] __scsi_scan_target+0xa06/0xdf0 [ 3.290034] [<ffffffff9507e505>] scsi_scan_channel+0x105/0x160 [ 3.290362] [<ffffffff9507e8a2>] scsi_scan_host_selected+0x212/0x2f0 [ 3.290724] [<ffffffff9507eb3c>] do_scsi_scan_host+0x1bc/0x250 [ 3.291055] [<ffffffff9507efc1>] do_scan_async+0x41/0x450 [ 3.291354] [<ffffffff941c1fee>] async_run_entry_fn+0xfe/0x610 [ 3.291695] [<ffffffff941a9a84>] process_one_work+0x544/0x12d0 [ 3.292022] [<ffffffff941aa8e9>] worker_thread+0xd9/0x12f0 [ 3.292325] [<ffffffff941bb365>] kthread+0x1c5/0x260 [ 3.292594] [<ffffffff956dde9f>] ret_from_fork+0x1f/0x40 [ 3.292886] Freed: [ 3.292945] PID = 27 [ 3.293016] [<ffffffff940b27ab>] save_stack_trace+0x2b/0x50 [ 3.293327] [<ffffffff9459f246>] save_stack+0x46/0xd0 [ 3.293600] [<ffffffff9459fa61>] kasan_slab_free+0x71/0xb0 [ 3.293916] [<ffffffff9459bac2>] kfree+0xa2/0x1f0 [ 3.294168] [<ffffffff9508158a>] scsi_device_dev_release_usercontext+0x50a/0x730 [ 3.294598] [<ffffffff941ace9a>] execute_in_process_context+0xda/0x130 [ 3.294974] [<ffffffff9508107c>] scsi_device_dev_release+0x1c/0x20 [ 3.295322] [<ffffffff94f566f6>] device_release+0x76/0x1e0 [ 3.295626] [<ffffffff94bc2db7>] kobject_release+0x107/0x370 [ 3.295942] [<ffffffff94bc29ce>] kobject_put+0x4e/0xa0 [ 3.296222] [<ffffffff94f56e17>] put_device+0x17/0x20 [ 3.296497] [<ffffffff9505201c>] scsi_device_put+0x7c/0xa0 [ 3.296801] [<ffffffff9507e1bc>] __scsi_scan_target+0xd4c/0xdf0 [ 3.297132] [<ffffffff9507e505>] scsi_scan_channel+0x105/0x160 [ 3.297458] [<ffffffff9507e8a2>] scsi_scan_host_selected+0x212/0x2f0 [ 3.297829] [<ffffffff9507eb3c>] do_scsi_scan_host+0x1bc/0x250 [ 3.298156] [<ffffffff9507efc1>] do_scan_async+0x41/0x450 [ 3.298453] [<ffffffff941c1fee>] async_run_entry_fn+0xfe/0x610 [ 3.298777] [<ffffffff941a9a84>] process_one_work+0x544/0x12d0 [ 3.299105] [<ffffffff941aa8e9>] worker_thread+0xd9/0x12f0 [ 3.299408] [<ffffffff941bb365>] kthread+0x1c5/0x260 [ 3.299676] [<ffffffff956dde9f>] ret_from_fork+0x1f/0x40 [ 3.299967] Memory state around the buggy address: [ 3.300209] ffff880254d8c200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 3.300608] ffff880254d8c280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 3.300986] >ffff880254d8c300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 3.301408] ^ [ 3.301550] ffff880254d8c380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 3.301987] ffff880254d8c400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 3.302396] ================================================================== Cc: Christoph Hellwig <hch@lst.de> Signed-off-by: Ming Lei <tom.leiming@gmail.com> Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>		2016-10-28 03:01:31 -04:00
..
accessibility
acpi	ACPICA: acpi_get_sleep_type_data: Reduce warnings	2016-10-07 15:23:48 +02:00
amba
android	drivers: android: correct the size of struct binder_uintptr_t for BC_DEAD_BINDER_DONE	2016-03-03 15:07:10 -08:00
ata	libata: LITE-ON CX1-JB256-HP needs lower max_sectors	2016-08-10 11:49:29 +02:00
atm
auxdisplay
base	platform: don't return 0 from platform_get_irq[_byname]() on error	2016-10-28 03:01:26 -04:00
bcma	x86/quirks: Add early quirk to reset Apple AirPort card	2016-08-10 11:49:24 +02:00
block	nbd: ratelimit error msgs after socket close	2016-05-11 11:21:10 +02:00
bluetooth	Bluetooth: Add support for Intel Bluetooth device 8265 [8087:0a2b]	2016-09-15 08:27:49 +02:00
bus	bus: arm-ccn: Fix XP watchpoint settings bitmask	2016-09-24 10:07:40 +02:00
cdrom
char	tpm_crb: fix crb_req_canceled behavior	2016-10-16 17:36:15 +02:00
clk	clk: imx6: initialize GPU clocks	2016-10-28 03:01:26 -04:00
clocksource	clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function	2016-09-24 10:07:35 +02:00
connector	connector: bump skb->users before callback invocation	2016-01-04 21:46:45 -05:00
cpufreq	cpufreq: intel_pstate: Fix unsafe HWP MSR access	2016-10-28 03:01:26 -04:00
cpuidle	ARM: cpuidle: Fix error return code	2016-10-16 17:36:15 +02:00
crypto	crypto: vmx - Fix memory corruption caused by p8_ghash	2016-10-22 12:26:56 +02:00
dca
devfreq
dio
dma	dmaengine: at_xdmac: fix to pass correct device identity to free_irq()	2016-10-07 15:23:46 +02:00
dma-buf
edac	EDAC: Increment correct counter in edac_inc_ue_error()	2016-09-07 08:32:41 +02:00
eisa
extcon	extcon: max77843: Use correct size for reading the interrupt register	2016-05-04 14:48:54 -07:00
firewire
firmware	efi: Expose non-blocking set_variable() wrapper to efivars	2016-05-04 14:48:49 -07:00
fmc
fpga
gpio	gpio: mpc8xxx: Correct irq handler function	2016-10-28 03:01:25 -04:00
gpu	drm/radeon/si/dpm: add workaround for for Jet parts	2016-10-07 15:23:40 +02:00
hid	HID: core: prevent out-of-bound readings	2016-09-15 08:27:48 +02:00
hsi
hv	drivers:hv: Lock access to hyperv_mmio resource tree	2016-09-15 08:27:50 +02:00
hwmon	hwmon: (adt7411) set bit 3 in CFG1 register	2016-10-07 15:23:42 +02:00
hwspinlock	drivers/hwspinlock: fix race between radix tree insertion and lookup	2016-02-25 12:01:23 -08:00
hwtracing	intel_th: Fix a deadlock in modprobing	2016-08-10 11:49:30 +02:00
i2c	i2c: qup: skip qup_i2c_suspend if the device is already runtime suspended	2016-09-30 10:18:38 +02:00
ide
idle	intel_idle: Support for Intel Xeon Phi Processor x200 Product Family	2016-09-15 08:27:46 +02:00
iio	include/linux/kernel.h: change abs() macro so it uses consistent return type	2016-09-30 10:18:33 +02:00
infiniband	IB/mlx4: Use correct subnet-prefix in QP1 mads under SR-IOV	2016-10-07 15:23:47 +02:00
input	Input: elantech - add Fujitsu Lifebook E556 to force crc_enabled	2016-10-28 03:01:31 -04:00
iommu	Add braces to avoid "ambiguous ‘else’" compiler warnings	2016-09-30 10:18:35 +02:00
ipack
irqchip	irqchip/gicv3: Silence noisy DEBUG_PER_CPU_MAPS warning	2016-10-07 15:23:42 +02:00
isdn
leds
lguest
lightnvm	lightnvm: put bio before return	2016-09-24 10:07:35 +02:00
macintosh
mailbox
mcb	mcb: Fixed bar number assignment for the gdd	2016-06-01 12:15:53 -07:00
md	dm crypt: fix crash on exit	2016-10-28 03:01:28 -04:00
media	cx231xx: fix GPIOs for Pixelview SBTVD hybrid	2016-10-28 03:01:30 -04:00
memory	memory: omap-gpmc: Fix omap gpmc EXTRADELAY timing	2016-07-27 09:47:35 -07:00
memstick
message
mfd	mfd: wm8350-i2c: Make sure the i2c regmap functions are compiled	2016-10-16 17:36:14 +02:00
misc	mei: me: add kaby point device ids	2016-10-28 03:01:25 -04:00
mmc	mmc: sdhci: cast unsigned int to unsigned long long to avoid unexpeted error	2016-10-28 03:01:26 -04:00
mtd	ubi: Deal with interrupted erasures in WL	2016-10-28 03:01:28 -04:00
net	rtlwifi: Fix missing country code for Great Britain	2016-10-28 03:01:26 -04:00
nfc	NFC: fdp: Detect errors from fdp_nci_create_conn()	2016-10-07 15:23:44 +02:00
ntb
nubus
nvdimm	libnvdimm, pfn: fix uuid validation	2016-04-20 15:41:54 +09:00
nvme	nvme: Call pci_disable_device on the error path.	2016-09-15 08:27:51 +02:00
nvmem	nvmem: mxs-ocotp: fix buffer overflow in read	2016-05-11 11:21:21 +02:00
of	of: fix reference counting in of_graph_get_endpoint_by_regs	2016-09-07 08:32:41 +02:00
oprofile
parisc
parport
pci	PCI: Mark Atheros AR9580 to avoid bus reset	2016-10-28 03:01:26 -04:00
pcmcia	pcmcia: db1xxx_ss: fix last irq_to_gpio user	2016-04-20 15:42:09 +09:00
perf	drivers/perf: arm_pmu: Fix leak in error path	2016-10-07 15:23:41 +02:00
phy	phy: core: fix wrong err handle for phy_power_on	2016-03-03 15:07:28 -08:00
pinctrl	pinctrl: uniphier: fix .pin_dbg_show() callback	2016-10-07 15:23:41 +02:00
platform	mfd: cros_ec: Add cros_ec_cmd_xfer_status() helper	2016-09-07 08:32:43 +02:00
pnp	PNP: Add Broadwell to Intel MCH size workaround	2016-08-16 09:30:48 +02:00
power	power: supply: max17042_battery: fix model download bug.	2016-09-30 10:18:39 +02:00
powercap
pps	pps: do not crash when failed to register	2016-08-10 11:49:25 +02:00
ps3
ptp
pwm	pwm: Mark all devices as "might sleep"	2016-09-30 10:18:37 +02:00
rapidio
ras
regulator	regulator: tps65910: Work around silicon erratum SWCZ010	2016-10-28 03:01:25 -04:00
remoteproc	remoteproc: Fix potential race condition in rproc_add	2016-08-20 18:09:20 +02:00
reset
rpmsg
rtc	rtc: s3c: Add s3c_rtc_{enable/disable}_clk in s3c_rtc_setfreq()	2016-08-20 18:09:27 +02:00
s390	scsi: zfcp: spin_lock_irqsave() is not nestable	2016-10-28 03:01:29 -04:00
sbus
scsi	scsi: Fix use-after-free	2016-10-28 03:01:31 -04:00
sfi
sh	drivers: sh: Restore legacy clock domain on SuperH platforms	2016-03-09 15:34:49 -08:00
sn
soc	soc: qcom/spm: shut up uninitialized variable warning	2016-09-24 10:07:42 +02:00
spi	spi: sh-msiof: Avoid invalid clock generator parameters	2016-10-07 15:23:42 +02:00
spmi
ssb
staging	Staging: fbtft: Fix bug in fbtft-core	2016-10-07 15:23:47 +02:00
target	target: Fix ordered task CHECK_CONDITION early exception handling	2016-08-20 18:09:26 +02:00
tc
thermal	thermal: cpu_cooling: fix improper order during initialization	2016-07-27 09:47:29 -07:00
thunderbolt	thunderbolt: Fix double free of drom buffer	2016-06-01 12:15:53 -07:00
tty	serial: 8250_dw: Check the data->pclk when get apb_pclk	2016-10-22 12:26:54 +02:00
uio
usb	Revert "usbtmc: convert to devm_kzalloc"	2016-10-07 15:23:47 +02:00
uwb
vfio	vfio/pci: Fix NULL pointer oops in error interrupt setup handling	2016-09-07 08:32:37 +02:00
vhost	vhost/scsi: fix reuse of &vq->iov[out] in response	2016-09-15 08:27:53 +02:00
video	fbdev/efifb: Fix 16 color palette entry calculation	2016-10-28 03:01:29 -04:00
virt
virtio	virtio: fix memory leak in virtqueue_add()	2016-09-07 08:32:36 +02:00
vlynq
vme
w1	w1:omap_hdq: fix regression	2016-08-20 18:09:22 +02:00
watchdog	watchdog: rc32434_wdt: fix ioctl error handling	2016-04-12 09:08:54 -07:00
xen	xenbus: don't bail early from xenbus_dev_request_and_reply()	2016-08-10 11:49:26 +02:00
zorro
Kconfig
Makefile