asgardius/android_kernel_motorola_sm6225
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
android_kernel_motorola_sm6225/drivers/ata
History
Ye Bin 11e6b68893 ata/libata: Fix usage of page address by page_address in ata_scsi_mode_select_xlat function 
[ Upstream commit f650ef61e040bcb175dd8762164b00a5d627f20e ]

BUG: KASAN: use-after-free in ata_scsi_mode_select_xlat+0x10bd/0x10f0
drivers/ata/libata-scsi.c:4045
Read of size 1 at addr ffff88803b8cd003 by task syz-executor.6/12621

CPU: 1 PID: 12621 Comm: syz-executor.6 Not tainted 4.19.95 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.10.2-1ubuntu1 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xac/0xee lib/dump_stack.c:118
print_address_description+0x60/0x223 mm/kasan/report.c:253
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xae/0x2d8 mm/kasan/report.c:393
ata_scsi_mode_select_xlat+0x10bd/0x10f0 drivers/ata/libata-scsi.c:4045
ata_scsi_translate+0x2da/0x680 drivers/ata/libata-scsi.c:2035
__ata_scsi_queuecmd drivers/ata/libata-scsi.c:4360 [inline]
ata_scsi_queuecmd+0x2e4/0x790 drivers/ata/libata-scsi.c:4409
scsi_dispatch_cmd+0x2ee/0x6c0 drivers/scsi/scsi_lib.c:1867
scsi_queue_rq+0xfd7/0x1990 drivers/scsi/scsi_lib.c:2170
blk_mq_dispatch_rq_list+0x1e1/0x19a0 block/blk-mq.c:1186
blk_mq_do_dispatch_sched+0x147/0x3d0 block/blk-mq-sched.c:108
blk_mq_sched_dispatch_requests+0x427/0x680 block/blk-mq-sched.c:204
__blk_mq_run_hw_queue+0xbc/0x200 block/blk-mq.c:1308
__blk_mq_delay_run_hw_queue+0x3c0/0x460 block/blk-mq.c:1376
blk_mq_run_hw_queue+0x152/0x310 block/blk-mq.c:1413
blk_mq_sched_insert_request+0x337/0x6c0 block/blk-mq-sched.c:397
blk_execute_rq_nowait+0x124/0x320 block/blk-exec.c:64
blk_execute_rq+0xc5/0x112 block/blk-exec.c:101
sg_scsi_ioctl+0x3b0/0x6a0 block/scsi_ioctl.c:507
sg_ioctl+0xd37/0x23f0 drivers/scsi/sg.c:1106
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:501 [inline]
do_vfs_ioctl+0xae6/0x1030 fs/ioctl.c:688
ksys_ioctl+0x76/0xa0 fs/ioctl.c:705
__do_sys_ioctl fs/ioctl.c:712 [inline]
__se_sys_ioctl fs/ioctl.c:710 [inline]
__x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
do_syscall_64+0xa0/0x2e0 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45c479
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89
f7 48
89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f
83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fb0e9602c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fb0e96036d4 RCX: 000000000045c479
RDX: 0000000020000040 RSI: 0000000000000001 RDI: 0000000000000003
RBP: 000000000076bfc0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 000000000000046d R14: 00000000004c6e1a R15: 000000000076bfcc

Allocated by task 12577:
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:531
__kmalloc+0xf3/0x1e0 mm/slub.c:3749
kmalloc include/linux/slab.h:520 [inline]
load_elf_phdrs+0x118/0x1b0 fs/binfmt_elf.c:441
load_elf_binary+0x2de/0x4610 fs/binfmt_elf.c:737
search_binary_handler fs/exec.c:1654 [inline]
search_binary_handler+0x15c/0x4e0 fs/exec.c:1632
exec_binprm fs/exec.c:1696 [inline]
__do_execve_file.isra.0+0xf52/0x1a90 fs/exec.c:1820
do_execveat_common fs/exec.c:1866 [inline]
do_execve fs/exec.c:1883 [inline]
__do_sys_execve fs/exec.c:1964 [inline]
__se_sys_execve fs/exec.c:1959 [inline]
__x64_sys_execve+0x8a/0xb0 fs/exec.c:1959
do_syscall_64+0xa0/0x2e0 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 12577:
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x129/0x170 mm/kasan/kasan.c:521
slab_free_hook mm/slub.c:1370 [inline]
slab_free_freelist_hook mm/slub.c:1397 [inline]
slab_free mm/slub.c:2952 [inline]
kfree+0x8b/0x1a0 mm/slub.c:3904
load_elf_binary+0x1be7/0x4610 fs/binfmt_elf.c:1118
search_binary_handler fs/exec.c:1654 [inline]
search_binary_handler+0x15c/0x4e0 fs/exec.c:1632
exec_binprm fs/exec.c:1696 [inline]
__do_execve_file.isra.0+0xf52/0x1a90 fs/exec.c:1820
do_execveat_common fs/exec.c:1866 [inline]
do_execve fs/exec.c:1883 [inline]
__do_sys_execve fs/exec.c:1964 [inline]
__se_sys_execve fs/exec.c:1959 [inline]
__x64_sys_execve+0x8a/0xb0 fs/exec.c:1959
do_syscall_64+0xa0/0x2e0 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff88803b8ccf00
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 259 bytes inside of
512-byte region [ffff88803b8ccf00, ffff88803b8cd100)
The buggy address belongs to the page:
page:ffffea0000ee3300 count:1 mapcount:0 mapping:ffff88806cc03080
index:0xffff88803b8cc780 compound_mapcount: 0
flags: 0x100000000008100(slab|head)
raw: 0100000000008100 ffffea0001104080 0000000200000002 ffff88806cc03080
raw: ffff88803b8cc780 00000000800c000b 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff88803b8ccf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88803b8ccf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88803b8cd000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88803b8cd080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88803b8cd100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

You can refer to "https://www.lkml.org/lkml/2019/1/17/474" reproduce
this error.

The exception code is "bd_len = p[3];", "p" value is ffff88803b8cd000
which belongs to the cache kmalloc-512 of size 512. The "page_address(sg_page(scsi_sglist(scmd)))"
maybe from sg_scsi_ioctl function "buffer" which allocated by kzalloc, so "buffer"
may not page aligned.
This also looks completely buggy on highmem systems and really needs to use a
kmap_atomic.      --Christoph Hellwig
To address above bugs, Paolo Bonzini advise to simpler to just make a char array
of size CACHE_MPAGE_LEN+8+8+4-2(or just 64 to make it easy), use sg_copy_to_buffer
to copy from the sglist into the buffer, and workthere.

Signed-off-by: Ye Bin <yebin10@huawei.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2020-06-30 23:17:13 -04:00
..
acard-ahci.c libata: convert core and drivers to ->hw_tag usage 2018-05-11 13:10:43 -07:00
ahci.c ahci: Add Intel Comet Lake H RAID PCI ID 2020-04-02 15:28:21 +02:00
ahci.h libata/ahci: Drop PCS quirk for Denverton and beyond 2019-10-05 13:09:52 +02:00
ahci_brcm.c ata: ahci_brcm: BCM7425 AHCI requires AHCI_HFLAG_DELAY_ENGINE 2020-01-09 10:19:01 +01:00
ahci_ceva.c ata: add an extra argument to ahci_platform_get_resources() 2018-08-22 08:08:27 -07:00
ahci_da850.c ata: add an extra argument to ahci_platform_get_resources() 2018-08-22 08:08:27 -07:00
ahci_dm816.c ata: add an extra argument to ahci_platform_get_resources() 2018-08-22 08:08:27 -07:00
ahci_imx.c ata: add an extra argument to ahci_platform_get_resources() 2018-08-22 08:08:27 -07:00
ahci_mtk.c ata: add an extra argument to ahci_platform_get_resources() 2018-08-22 08:08:27 -07:00
ahci_mvebu.c ata: ahci: mvebu: do Armada 38x configuration only on relevant SoCs 2019-12-05 09:21:06 +01:00
ahci_octeon.c Delete redundant return value check of platform_get_resource() 2017-03-06 15:40:59 -05:00
ahci_platform.c ata: Disable AHCI ALPM feature for Ampere Computing eMAG SATA 2019-11-20 18:46:06 +01:00
ahci_qoriq.c ata: add an extra argument to ahci_platform_get_resources() 2018-08-22 08:08:27 -07:00
ahci_seattle.c ata: add an extra argument to ahci_platform_get_resources() 2018-08-22 08:08:27 -07:00
ahci_st.c ata: add an extra argument to ahci_platform_get_resources() 2018-08-22 08:08:27 -07:00
ahci_sunxi.c ata: add an extra argument to ahci_platform_get_resources() 2018-08-22 08:08:27 -07:00
ahci_tegra.c ata: add an extra argument to ahci_platform_get_resources() 2018-08-22 08:08:27 -07:00
ahci_xgene.c ata: add an extra argument to ahci_platform_get_resources() 2018-08-22 08:08:27 -07:00
ata_generic.c ata: use CONFIG_PM_SLEEP instead of CONFIG_PM where applicable in host drivers 2014-05-09 22:37:49 -04:00
ata_piix.c ata_piix: constify pci_bits 2018-01-08 06:15:41 -08:00
Kconfig ata: ahci_brcm: Allow using driver or DSL SoCs 2019-11-24 08:19:33 +01:00
libahci.c ahci: Do not export local variable ahci_em_messages 2020-01-27 14:51:07 +01:00
libahci_platform.c ata: libahci_platform: Export again ahci_platform_<en/dis>able_phys() 2020-01-09 10:19:01 +01:00
libata-acpi.c ACPI and power management updates for 3.15-rc1 2014-04-01 12:48:54 -07:00
libata-core.c libata: Use per port sync for detach 2020-06-25 15:33:06 +02:00
libata-eh.c libata: don't request sense data on !ZAC ATA devices 2019-07-26 09:14:12 +02:00
libata-pmp.c libata: Return correct status in sata_pmp_eh_recover_pm() when ATA_DFLAG_DETACH is set 2020-04-17 10:48:52 +02:00
libata-scsi.c ata/libata: Fix usage of page address by page_address in ata_scsi_mode_select_xlat function 2020-06-30 23:17:13 -04:00
libata-sff.c libata: add SG safety checks in SFF pio transfers 2019-08-29 08:28:45 +02:00
libata-trace.c libata: NCQ encapsulation for ZAC MANAGEMENT OUT 2016-05-09 12:36:46 -04:00
libata-transport.c libata: add refcounting to ata_host 2018-03-13 13:29:10 -07:00
libata-transport.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
libata-zpodd.c libata: zpodd: Fix small read overflow in zpodd_get_mech_type() 2019-08-25 10:47:54 +02:00
libata.h scsi: libsas: dynamically allocate and free ata host 2018-06-19 22:02:25 -04:00
Makefile Merge branch 'for-4.17' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata 2018-04-03 17:42:25 -07:00
pata_acpi.c ata: use CONFIG_PM_SLEEP instead of CONFIG_PM where applicable in host drivers 2014-05-09 22:37:49 -04:00
pata_ali.c ata: Deprecate pci_get_bus_and_slot() 2018-01-11 17:23:23 -06:00
pata_amd.c cs5536: add support for IDE controller variant 2017-08-11 10:35:07 -07:00
pata_arasan_cf.c pata_arasan_cf: Delete an unnecessary variable initialisation in arasan_cf_probe() 2018-02-18 05:16:35 -08:00
pata_artop.c ata: pata_artop: remove redundant initialization of pio 2017-09-18 20:24:21 -07:00
pata_atiixp.c libata:pata_atiixp: Don't use unconnected secondary port on SB600 2018-01-08 04:02:02 -08:00
pata_atp867x.c ata: mark expected switch fall-throughs 2017-10-23 07:06:09 -07:00
pata_bk3710.c pata_bk3710: clarify license version and use SPDX header 2018-03-01 13:59:03 -08:00
pata_cmd64x.c ata: use CONFIG_PM_SLEEP instead of CONFIG_PM where applicable in host drivers 2014-05-09 22:37:49 -04:00
pata_cmd640.c libata: remove ata_sff_data_xfer_noirq() 2018-07-11 10:45:28 -07:00
pata_cs5520.c ata: remove deprecated use of pci api 2015-04-08 10:55:05 -04:00
pata_cs5530.c ata: Delete unnecessary checks before the function call "pci_dev_put" 2015-02-03 07:04:44 -05:00
pata_cs5535.c ata: use CONFIG_PM_SLEEP instead of CONFIG_PM where applicable in host drivers 2014-05-09 22:37:49 -04:00
pata_cs5536.c cs5536: add support for IDE controller variant 2017-08-11 10:35:07 -07:00
pata_cypress.c ata: use CONFIG_PM_SLEEP instead of CONFIG_PM where applicable in host drivers 2014-05-09 22:37:49 -04:00
pata_efar.c ata: use CONFIG_PM_SLEEP instead of CONFIG_PM where applicable in host drivers 2014-05-09 22:37:49 -04:00
pata_ep93xx.c ata: ep93xx: Use proper enums for directions 2019-11-24 08:20:10 +01:00
pata_falcon.c pata_falcon: clarify license version and use SPDX header 2018-03-01 13:58:17 -08:00
pata_ftide010.c ata: ftide010: Add a quirk for SQ201 2018-08-27 14:25:54 -06:00
pata_gayle.c ata: add Amiga Gayle PATA controller driver 2018-03-19 07:41:36 -07:00
pata_hpt3x2n.c ata: delete non-required instances of include <linux/init.h> 2014-02-13 16:40:56 -05:00
pata_hpt3x3.c ata: remove deprecated use of pci api 2015-04-08 10:55:05 -04:00
pata_hpt37x.c ata: hpt37x: Convert to use match_string() helper 2018-05-07 08:50:30 -07:00
pata_hpt366.c ata: hpt366: fix incorrect mask when checking at cmd_high_time 2016-07-12 11:02:05 -04:00
pata_icside.c libata: remove ata_sff_data_xfer_noirq() 2018-07-11 10:45:28 -07:00
pata_imx.c Merge branch 'for-4.19' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata 2018-08-24 13:20:33 -07:00
pata_isapnp.c PNP: ata/pata_isapnp: Use module_pnp_driver to register driver 2015-03-18 22:39:17 +01:00
pata_it821x.c pata_it821x: Delete an error message for a failed memory allocation in it821x_firmware_command() 2018-02-18 05:26:07 -08:00
pata_it8213.c ata: use CONFIG_PM_SLEEP instead of CONFIG_PM where applicable in host drivers 2014-05-09 22:37:49 -04:00
pata_ixp4xx_cf.c ata: pass queued command to ->sff_data_xfer method 2017-01-10 11:11:17 -05:00
pata_jmicron.c PCI: Disable async suspend/resume for JMicron multi-function SATA/AHCI 2015-08-24 15:27:11 -05:00
pata_legacy.c libata: remove ata_sff_data_xfer_noirq() 2018-07-11 10:45:28 -07:00
pata_macio.c pata_macio: Delete an error message for a failed memory allocation in two functions 2018-02-18 05:24:16 -08:00
pata_marvell.c ata: Use IS_ENABLED() instead of checking for built-in or module 2016-05-27 11:27:23 -04:00
pata_mpc52xx.c pata_mpc52xx: Delete an error message for a failed memory allocation in mpc52xx_ata_probe() 2018-02-18 05:23:25 -08:00
pata_mpiix.c ata: use CONFIG_PM_SLEEP instead of CONFIG_PM where applicable in host drivers 2014-05-09 22:37:49 -04:00
pata_netcell.c ata: use CONFIG_PM_SLEEP instead of CONFIG_PM where applicable in host drivers 2014-05-09 22:37:49 -04:00
pata_ninja32.c pata_ninja32: Avoid corrupting status flags 2016-08-30 11:59:47 -04:00
pata_ns87410.c ata: use CONFIG_PM_SLEEP instead of CONFIG_PM where applicable in host drivers 2014-05-09 22:37:49 -04:00
pata_ns87415.c ata: use CONFIG_PM_SLEEP instead of CONFIG_PM where applicable in host drivers 2014-05-09 22:37:49 -04:00
pata_octeon_cf.c pata_octeon_cf: use of_property_read_{bool|u32}() 2017-08-28 10:44:24 -07:00
pata_of_platform.c ata: constify of_device_id structures 2017-03-06 15:18:01 -05:00
pata_oldpiix.c ata: use CONFIG_PM_SLEEP instead of CONFIG_PM where applicable in host drivers 2014-05-09 22:37:49 -04:00
pata_opti.c ata: use CONFIG_PM_SLEEP instead of CONFIG_PM where applicable in host drivers 2014-05-09 22:37:49 -04:00
pata_optidma.c ata: use CONFIG_PM_SLEEP instead of CONFIG_PM where applicable in host drivers 2014-05-09 22:37:49 -04:00
pata_palmld.c libata: remove ata_sff_data_xfer_noirq() 2018-07-11 10:45:28 -07:00
pata_pcmcia.c libata: remove ata_sff_data_xfer_noirq() 2018-07-11 10:45:28 -07:00
pata_pdc202xx_old.c ata: use CONFIG_PM_SLEEP instead of CONFIG_PM where applicable in host drivers 2014-05-09 22:37:49 -04:00
pata_pdc2027x.c ata: pata_pdc2027x: Replace mdelay with msleep 2018-01-25 07:28:31 -08:00
pata_piccolo.c ata: use CONFIG_PM_SLEEP instead of CONFIG_PM where applicable in host drivers 2014-05-09 22:37:49 -04:00
pata_platform.c libata: remove ata_sff_data_xfer_noirq() 2018-07-11 10:45:28 -07:00
pata_pxa.c ata: pata_pxa: remove the dmaengine compat need 2018-06-18 21:32:07 +02:00
pata_radisys.c ata: use CONFIG_PM_SLEEP instead of CONFIG_PM where applicable in host drivers 2014-05-09 22:37:49 -04:00
pata_rb532_cf.c ata: rb532_cf: cut drvdata assignment 2017-05-30 11:54:37 -04:00
pata_rdc.c ata: declare ata_port_info structures as const 2017-06-12 14:06:34 -04:00
pata_rz1000.c ata: use CONFIG_PM_SLEEP instead of CONFIG_PM where applicable in host drivers 2014-05-09 22:37:49 -04:00
pata_samsung_cf.c headers: separate linux/mod_devicetable.h from linux/platform_device.h 2018-07-07 17:52:26 +02:00
pata_sc1200.c ata: use CONFIG_PM_SLEEP instead of CONFIG_PM where applicable in host drivers 2014-05-09 22:37:49 -04:00
pata_sch.c ata: declare ata_port_info structures as const 2017-06-12 14:06:34 -04:00
pata_serverworks.c pata_serverworks: disable 64-KB DMA transfers on Broadcom OSB4 IDE Controller 2014-10-07 17:10:14 -04:00
pata_sil680.c ata: remove deprecated use of pci api 2015-04-08 10:55:05 -04:00
pata_sis.c ata: use CONFIG_PM_SLEEP instead of CONFIG_PM where applicable in host drivers 2014-05-09 22:37:49 -04:00
pata_sl82c105.c ata: use CONFIG_PM_SLEEP instead of CONFIG_PM where applicable in host drivers 2014-05-09 22:37:49 -04:00
pata_triflex.c ata: use CONFIG_PM_SLEEP instead of CONFIG_PM where applicable in host drivers 2014-05-09 22:37:49 -04:00
pata_via.c libata: remove ata_sff_data_xfer_noirq() 2018-07-11 10:45:28 -07:00
pdc_adma.c ata: update references for libata documentation 2017-05-16 11:25:59 -04:00
sata_dwc_460ex.c libata: convert core and drivers to ->hw_tag usage 2018-05-11 13:10:43 -07:00
sata_fsl.c libata: Fix retrieving of active qcs 2020-01-09 10:19:01 +01:00
sata_gemini.c ata: sata_gemini: Introduce explicit IDE pin control 2017-08-11 10:32:09 -07:00
sata_gemini.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
sata_highbank.c libahci: Allow drivers to override stop_engine 2018-04-26 11:25:04 -07:00
sata_inic162x.c ata: declare ata_port_info structures as const 2017-06-12 14:06:34 -04:00
sata_mv.c libata: Fix retrieving of active qcs 2020-01-09 10:19:01 +01:00
sata_nv.c libata: Fix retrieving of active qcs 2020-01-09 10:19:01 +01:00
sata_promise.c ata: update references for libata documentation 2017-05-16 11:25:59 -04:00
sata_promise.h ata: update references for libata documentation 2017-05-16 11:25:59 -04:00
sata_qstor.c ata: update references for libata documentation 2017-05-16 11:25:59 -04:00
sata_rcar.c sata_rcar: handle pm_runtime_get_sync failure cases 2020-06-30 23:17:13 -04:00
sata_sil.c ata: update references for libata documentation 2017-05-16 11:25:59 -04:00
sata_sil24.c Merge branch 'for-4.18' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata 2018-06-05 17:01:41 -07:00
sata_sis.c ata: update references for libata documentation 2017-05-16 11:25:59 -04:00
sata_svw.c ata: Convert to using %pOF instead of full_name 2017-07-18 18:02:36 -04:00
sata_sx4.c ata: update references for libata documentation 2017-05-16 11:25:59 -04:00
sata_uli.c ata: update references for libata documentation 2017-05-16 11:25:59 -04:00
sata_via.c sata_via: Enable optional hotplug on VT6420 2017-06-26 16:54:53 -04:00
sata_vsc.c ata: update references for libata documentation 2017-05-16 11:25:59 -04:00
sis.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00