1. 14 May, 2019 2 commits
      scsi: qedi: remove memset/memcpy to nfunc and use func instead · c09581a5
      YueHaibing authored
      KASAN reports this:
      
      BUG: KASAN: global-out-of-bounds in qedi_dbg_err+0xda/0x330 [qedi]
      Read of size 31 at addr ffffffffc12b0ae0 by task syz-executor.0/2429
      
      CPU: 0 PID: 2429 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0xfa/0x1ce lib/dump_stack.c:113
       print_address_description+0x1c4/0x270 mm/kasan/report.c:187
       kasan_report+0x149/0x18d mm/kasan/report.c:317
       memcpy+0x1f/0x50 mm/kasan/common.c:130
       qedi_dbg_err+0xda/0x330 [qedi]
       ? 0xffffffffc12d0000
       qedi_init+0x118/0x1000 [qedi]
       ? 0xffffffffc12d0000
       ? 0xffffffffc12d0000
       ? 0xffffffffc12d0000
       do_one_initcall+0xfa/0x5ca init/main.c:887
       do_init_module+0x204/0x5f6 kernel/module.c:3460
       load_module+0x66b2/0x8570 kernel/module.c:3808
       __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
       do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x462e99
      Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
      RSP: 002b:00007f2d57e55c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
      RAX: ffffffffffffffda RBX: 000000000073bfa0 RCX: 0000000000462e99
      RDX: 0000000000000000 RSI: 00000000200003c0 RDI: 0000000000000003
      RBP: 00007f2d57e55c70 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007f2d57e566bc
      R13: 00000000004bcefb R14: 00000000006f7030 R15: 0000000000000004
      
      The buggy address belongs to the variable:
       __func__.67584+0x0/0xffffffffffffd520 [qedi]
      
      Memory state around the buggy address:
       ffffffffc12b0980: fa fa fa fa 00 04 fa fa fa fa fa fa 00 00 05 fa
       ffffffffc12b0a00: fa fa fa fa 00 00 04 fa fa fa fa fa 00 05 fa fa
      > ffffffffc12b0a80: fa fa fa fa 00 06 fa fa fa fa fa fa 00 02 fa fa
                                                                ^
       ffffffffc12b0b00: fa fa fa fa 00 00 04 fa fa fa fa fa 00 00 03 fa
       ffffffffc12b0b80: fa fa fa fa 00 00 02 fa fa fa fa fa 00 00 04 fa
      
      Currently the qedi_dbg_* family of functions can overrun the end of the
      source string if it is less than the destination buffer length because of
      the use of a fixed sized memcpy. Remove the memset/memcpy calls to nfunc
      and just use func instead as it is always a null terminated string.
      Reported-by: Hulk Robot <hulkci@huawei.com>
      Fixes: ace7f46b ("scsi: qedi: Add QLogic FastLinQ offload iSCSI driver framework.")
      Signed-off-by: YueHaibing <yuehaibing@huawei.com>
      Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
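      The bug class the commit describes, as an added example in C that is not the qedi driver's code: the 32-byte scratch buffer and the 31-byte fixed memcpy are assumptions taken from the "Read of size 31" in the KASAN report, and the function names and messages are constructed for the demo. The report's shadow bytes support the reading: the marked granule is `00 02`, i.e. an object of 8 + 2 = 10 bytes, which is a 9-character `__func__` plus its terminator, so a 31-byte copy reads 21 bytes past the string into whatever follows it in .rodata.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the driver's scratch buffer (constructed for the demo). */
#define NFUNC_SZ 32

/* Bytes a fixed-size memcpy(nfunc, func, n) reads past the NUL of func.
 * For a global string literal such as __func__ those bytes belong to a
 * neighbouring object or a redzone, which is what KASAN reported. */
static size_t fixed_copy_overread(const char *func, size_t n)
{
    size_t need = strlen(func) + 1;   /* bytes that actually belong to func */
    return need < n ? n - need : 0;
}

/* "Before" shape: copy func into a local buffer with a fixed length.
 * memcpy reads NFUNC_SZ - 1 bytes regardless of how short func is. */
static int dbg_err_fixed(char *out, size_t outsz, const char *func,
                         unsigned line, const char *msg)
{
    char nfunc[NFUNC_SZ];

    memset(nfunc, 0, sizeof(nfunc));
    memcpy(nfunc, func, sizeof(nfunc) - 1);   /* over-reads when strlen(func) < 31 */
    return snprintf(out, outsz, "[%s:%u]: %s", nfunc, line, msg);
}

/* "After" shape, as the commit describes: func is always NUL terminated,
 * so use it directly. A precision on %s bounds the output width without
 * ever reading past the terminator. */
static int dbg_err_direct(char *out, size_t outsz, const char *func,
                          unsigned line, const char *msg)
{
    return snprintf(out, outsz, "[%.*s:%u]: %s", NFUNC_SZ - 1, func, line, msg);
}

int main(void)
{
    char out[128];
    const char *names[] = {
        "qedi_init",
        "qedi_dbg_err",
        "a_deliberately_long_function_name_for_the_demo",
    };

    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        printf("%-48s over-read by a 31-byte memcpy: %zu bytes\n",
               names[i], fixed_copy_overread(names[i], NFUNC_SZ - 1));

    /* Only the long name is safe to feed to the old pattern: the copy
     * length is covered by the string, so nothing is read out of bounds. */
    dbg_err_fixed(out, sizeof(out), names[2], 1, "ok");
    puts(out);

    dbg_err_direct(out, sizeof(out), "qedi_init", 118, "probe failed");
    puts(out);
    return 0;
}
```

      The over-read is silent without a sanitizer because it only reads; it surfaces as a KASAN global-out-of-bounds (or as garbage after the function name in the log line) rather than a crash. The general rule is the one the commit applies: never copy a C string with a length derived from the destination, only from the source, and when the source is already a terminated string, do not copy it at all.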
      scsi: qla2xxx: Add cleanup for PCI EEH recovery · 5386a4e6
      Quinn Tran authored
      During EEH error recovery testing it was discovered that the driver's reset()
      callback partially frees resources used by the driver, leaving some stale
      memory. After reset() is done, the resume() callback in the driver uses the
      old data, which results in an error, leaving the adapter disabled due to the
      PCIe error.
      
      This patch does cleanup for EEH recovery code path and prevents adapter
      from getting disabled.
      Signed-off-by: Quinn Tran <qutran@marvell.com>
      Signed-off-by: Himanshu Madhani <hmadhani@marvell.com>
      Reviewed-by: Ewan D. Milne <emilne@redhat.com>
      Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
  2. 29 Apr, 2019 38 commits