android_kernel_xiaomi_sm8350/drivers/ata
Ye Bin f7f181582f ata/libata: Fix usage of page address by page_address in ata_scsi_mode_select_xlat function
[ Upstream commit f650ef61e040bcb175dd8762164b00a5d627f20e ]

BUG: KASAN: use-after-free in ata_scsi_mode_select_xlat+0x10bd/0x10f0
drivers/ata/libata-scsi.c:4045
Read of size 1 at addr ffff88803b8cd003 by task syz-executor.6/12621

CPU: 1 PID: 12621 Comm: syz-executor.6 Not tainted 4.19.95 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.10.2-1ubuntu1 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xac/0xee lib/dump_stack.c:118
print_address_description+0x60/0x223 mm/kasan/report.c:253
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xae/0x2d8 mm/kasan/report.c:393
ata_scsi_mode_select_xlat+0x10bd/0x10f0 drivers/ata/libata-scsi.c:4045
ata_scsi_translate+0x2da/0x680 drivers/ata/libata-scsi.c:2035
__ata_scsi_queuecmd drivers/ata/libata-scsi.c:4360 [inline]
ata_scsi_queuecmd+0x2e4/0x790 drivers/ata/libata-scsi.c:4409
scsi_dispatch_cmd+0x2ee/0x6c0 drivers/scsi/scsi_lib.c:1867
scsi_queue_rq+0xfd7/0x1990 drivers/scsi/scsi_lib.c:2170
blk_mq_dispatch_rq_list+0x1e1/0x19a0 block/blk-mq.c:1186
blk_mq_do_dispatch_sched+0x147/0x3d0 block/blk-mq-sched.c:108
blk_mq_sched_dispatch_requests+0x427/0x680 block/blk-mq-sched.c:204
__blk_mq_run_hw_queue+0xbc/0x200 block/blk-mq.c:1308
__blk_mq_delay_run_hw_queue+0x3c0/0x460 block/blk-mq.c:1376
blk_mq_run_hw_queue+0x152/0x310 block/blk-mq.c:1413
blk_mq_sched_insert_request+0x337/0x6c0 block/blk-mq-sched.c:397
blk_execute_rq_nowait+0x124/0x320 block/blk-exec.c:64
blk_execute_rq+0xc5/0x112 block/blk-exec.c:101
sg_scsi_ioctl+0x3b0/0x6a0 block/scsi_ioctl.c:507
sg_ioctl+0xd37/0x23f0 drivers/scsi/sg.c:1106
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:501 [inline]
do_vfs_ioctl+0xae6/0x1030 fs/ioctl.c:688
ksys_ioctl+0x76/0xa0 fs/ioctl.c:705
__do_sys_ioctl fs/ioctl.c:712 [inline]
__se_sys_ioctl fs/ioctl.c:710 [inline]
__x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
do_syscall_64+0xa0/0x2e0 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45c479
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89
f7 48
89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f
83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fb0e9602c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fb0e96036d4 RCX: 000000000045c479
RDX: 0000000020000040 RSI: 0000000000000001 RDI: 0000000000000003
RBP: 000000000076bfc0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 000000000000046d R14: 00000000004c6e1a R15: 000000000076bfcc

Allocated by task 12577:
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:531
__kmalloc+0xf3/0x1e0 mm/slub.c:3749
kmalloc include/linux/slab.h:520 [inline]
load_elf_phdrs+0x118/0x1b0 fs/binfmt_elf.c:441
load_elf_binary+0x2de/0x4610 fs/binfmt_elf.c:737
search_binary_handler fs/exec.c:1654 [inline]
search_binary_handler+0x15c/0x4e0 fs/exec.c:1632
exec_binprm fs/exec.c:1696 [inline]
__do_execve_file.isra.0+0xf52/0x1a90 fs/exec.c:1820
do_execveat_common fs/exec.c:1866 [inline]
do_execve fs/exec.c:1883 [inline]
__do_sys_execve fs/exec.c:1964 [inline]
__se_sys_execve fs/exec.c:1959 [inline]
__x64_sys_execve+0x8a/0xb0 fs/exec.c:1959
do_syscall_64+0xa0/0x2e0 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 12577:
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x129/0x170 mm/kasan/kasan.c:521
slab_free_hook mm/slub.c:1370 [inline]
slab_free_freelist_hook mm/slub.c:1397 [inline]
slab_free mm/slub.c:2952 [inline]
kfree+0x8b/0x1a0 mm/slub.c:3904
load_elf_binary+0x1be7/0x4610 fs/binfmt_elf.c:1118
search_binary_handler fs/exec.c:1654 [inline]
search_binary_handler+0x15c/0x4e0 fs/exec.c:1632
exec_binprm fs/exec.c:1696 [inline]
__do_execve_file.isra.0+0xf52/0x1a90 fs/exec.c:1820
do_execveat_common fs/exec.c:1866 [inline]
do_execve fs/exec.c:1883 [inline]
__do_sys_execve fs/exec.c:1964 [inline]
__se_sys_execve fs/exec.c:1959 [inline]
__x64_sys_execve+0x8a/0xb0 fs/exec.c:1959
do_syscall_64+0xa0/0x2e0 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff88803b8ccf00
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 259 bytes inside of
512-byte region [ffff88803b8ccf00, ffff88803b8cd100)
The buggy address belongs to the page:
page:ffffea0000ee3300 count:1 mapcount:0 mapping:ffff88806cc03080
index:0xffff88803b8cc780 compound_mapcount: 0
flags: 0x100000000008100(slab|head)
raw: 0100000000008100 ffffea0001104080 0000000200000002 ffff88806cc03080
raw: ffff88803b8cc780 00000000800c000b 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff88803b8ccf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88803b8ccf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88803b8cd000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88803b8cd080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88803b8cd100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

You can refer to "https://www.lkml.org/lkml/2019/1/17/474" reproduce
this error.

The exception code is "bd_len = p[3];", "p" value is ffff88803b8cd000
which belongs to the cache kmalloc-512 of size 512. The "page_address(sg_page(scsi_sglist(scmd)))"
maybe from sg_scsi_ioctl function "buffer" which allocated by kzalloc, so "buffer"
may not page aligned.
This also looks completely buggy on highmem systems and really needs to use a
kmap_atomic.      --Christoph Hellwig
To address above bugs, Paolo Bonzini advise to simpler to just make a char array
of size CACHE_MPAGE_LEN+8+8+4-2(or just 64 to make it easy), use sg_copy_to_buffer
to copy from the sglist into the buffer, and workthere.

Signed-off-by: Ye Bin <yebin10@huawei.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2020-06-30 15:37:03 -04:00
..
acard-ahci.c acard_ahci: use dma_set_mask_and_coherent 2019-08-26 13:58:58 -06:00
ahci_brcm.c ata: ahci_brcm: BCM7425 AHCI requires AHCI_HFLAG_DELAY_ENGINE 2020-01-09 10:19:59 +01:00
ahci_ceva.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 201 2019-05-30 11:29:52 -07:00
ahci_da850.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 45 2019-05-24 17:27:12 +02:00
ahci_dm816.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 45 2019-05-24 17:27:12 +02:00
ahci_imx.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 201 2019-05-30 11:29:52 -07:00
ahci_mtk.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 174 2019-05-30 11:26:41 -07:00
ahci_mvebu.c
ahci_octeon.c
ahci_platform.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 45 2019-05-24 17:27:12 +02:00
ahci_qoriq.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 45 2019-05-24 17:27:12 +02:00
ahci_seattle.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 235 2019-06-19 17:09:07 +02:00
ahci_st.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
ahci_sunxi.c drivers: ata: ahci_sunxi: Increased SATA/AHCI DMA TX/RX FIFOs 2019-07-05 10:17:18 -06:00
ahci_tegra.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 282 2019-06-05 17:36:37 +02:00
ahci_xgene.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 13 2019-05-21 11:28:45 +02:00
ahci.c ahci: Add Intel Comet Lake H RAID PCI ID 2020-04-01 11:02:17 +02:00
ahci.h libata/ahci: Drop PCS quirk for Denverton and beyond 2019-08-30 20:53:42 -06:00
ata_generic.c
ata_piix.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 18 2019-05-21 11:28:46 +02:00
Kconfig
libahci_platform.c ata: libahci_platform: Export again ahci_platform_<en/dis>able_phys() 2020-01-09 10:19:59 +01:00
libahci.c ahci: Do not export local variable ahci_em_messages 2019-08-30 14:25:57 -06:00
libata-acpi.c
libata-core.c libata: Use per port sync for detach 2020-06-24 17:50:47 +02:00
libata-eh.c libata: don't request sense data on !ZAC ATA devices 2019-06-25 09:22:45 -06:00
libata-pmp.c libata: Return correct status in sata_pmp_eh_recover_pm() when ATA_DFLAG_DETACH is set 2020-04-17 10:50:22 +02:00
libata-scsi.c ata/libata: Fix usage of page address by page_address in ata_scsi_mode_select_xlat function 2020-06-30 15:37:03 -04:00
libata-sff.c for-5.4/libata-2019-09-15 2019-09-17 16:54:40 -07:00
libata-trace.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 18 2019-05-21 11:28:46 +02:00
libata-transport.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 209 2019-05-30 11:29:53 -07:00
libata-transport.h
libata-zpodd.c libata: zpodd: Fix small read overflow in zpodd_get_mech_type() 2019-07-29 16:00:14 -06:00
libata.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 18 2019-05-21 11:28:46 +02:00
Makefile
pata_acpi.c
pata_ali.c
pata_amd.c
pata_arasan_cf.c
pata_artop.c
pata_atiixp.c
pata_atp867x.c libata: switch remaining drivers to use dma_set_mask_and_coherent 2019-08-26 13:58:59 -06:00
pata_bk3710.c
pata_buddha.c ata/pata_buddha: Probe via modalias instead of initcall 2019-08-23 06:58:50 -06:00
pata_cmd64x.c
pata_cmd640.c
pata_cs5520.c libata: switch remaining drivers to use dma_set_mask_and_coherent 2019-08-26 13:58:59 -06:00
pata_cs5530.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 333 2019-06-05 17:37:06 +02:00
pata_cs5535.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 333 2019-06-05 17:37:06 +02:00
pata_cs5536.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 333 2019-06-05 17:37:06 +02:00
pata_cypress.c
pata_efar.c
pata_ep93xx.c
pata_falcon.c
pata_ftide010.c
pata_gayle.c
pata_hpt3x2n.c
pata_hpt3x3.c libata: switch remaining drivers to use dma_set_mask_and_coherent 2019-08-26 13:58:59 -06:00
pata_hpt37x.c
pata_hpt366.c
pata_icside.c
pata_imx.c
pata_isapnp.c
pata_it821x.c
pata_it8213.c
pata_ixp4xx_cf.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
pata_jmicron.c
pata_legacy.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 18 2019-05-21 11:28:46 +02:00
pata_macio.c
pata_marvell.c
pata_mpc52xx.c
pata_mpiix.c
pata_netcell.c
pata_ninja32.c libata: switch remaining drivers to use dma_set_mask_and_coherent 2019-08-26 13:58:59 -06:00
pata_ns87410.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 18 2019-05-21 11:28:46 +02:00
pata_ns87415.c
pata_octeon_cf.c
pata_of_platform.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
pata_oldpiix.c
pata_opti.c
pata_optidma.c
pata_palmld.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
pata_pcmcia.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 18 2019-05-21 11:28:46 +02:00
pata_pdc202xx_old.c
pata_pdc2027x.c libata: switch remaining drivers to use dma_set_mask_and_coherent 2019-08-26 13:58:59 -06:00
pata_piccolo.c
pata_platform.c
pata_pxa.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 18 2019-05-21 11:28:46 +02:00
pata_radisys.c
pata_rb532_cf.c ata: rb532_cf: Fix unused variable warning in rb532_pata_driver_probe 2019-08-06 07:44:59 -06:00
pata_rdc.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 18 2019-05-21 11:28:46 +02:00
pata_rz1000.c
pata_samsung_cf.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
pata_sc1200.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 333 2019-06-05 17:37:06 +02:00
pata_sch.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 300 2019-06-05 17:37:00 +02:00
pata_serverworks.c
pata_sil680.c libata: switch remaining drivers to use dma_set_mask_and_coherent 2019-08-26 13:58:59 -06:00
pata_sis.c
pata_sl82c105.c
pata_triflex.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 333 2019-06-05 17:37:06 +02:00
pata_via.c
pdc_adma.c pdc_adma: use dma_set_mask_and_coherent 2019-08-26 13:58:58 -06:00
sata_dwc_460ex.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
sata_fsl.c libata: Fix retrieving of active qcs 2020-01-09 10:19:59 +01:00
sata_gemini.c
sata_gemini.h
sata_highbank.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 201 2019-05-30 11:29:52 -07:00
sata_inic162x.c libata: switch remaining drivers to use dma_set_mask_and_coherent 2019-08-26 13:58:59 -06:00
sata_mv.c libata: Fix retrieving of active qcs 2020-01-09 10:19:59 +01:00
sata_nv.c libata: Fix retrieving of active qcs 2020-01-09 10:19:59 +01:00
sata_promise.c libata: switch remaining drivers to use dma_set_mask_and_coherent 2019-08-26 13:58:59 -06:00
sata_promise.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 18 2019-05-21 11:28:46 +02:00
sata_qstor.c sata_qstor: use dma_set_mask_and_coherent 2019-08-26 13:58:58 -06:00
sata_rcar.c sata_rcar: handle pm_runtime_get_sync failure cases 2020-06-30 15:37:03 -04:00
sata_sil24.c sata_sil24: use dma_set_mask_and_coherent 2019-08-26 13:58:58 -06:00
sata_sil.c libata: switch remaining drivers to use dma_set_mask_and_coherent 2019-08-26 13:58:59 -06:00
sata_sis.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 18 2019-05-21 11:28:46 +02:00
sata_svw.c libata: switch remaining drivers to use dma_set_mask_and_coherent 2019-08-26 13:58:59 -06:00
sata_sx4.c libata: switch remaining drivers to use dma_set_mask_and_coherent 2019-08-26 13:58:59 -06:00
sata_uli.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 18 2019-05-21 11:28:46 +02:00
sata_via.c libata: switch remaining drivers to use dma_set_mask_and_coherent 2019-08-26 13:58:59 -06:00
sata_vsc.c libata: switch remaining drivers to use dma_set_mask_and_coherent 2019-08-26 13:58:59 -06:00
sis.h