From 62c789270c0b1ed5598c6b87c53b6908cd3c6eb5 Mon Sep 17 00:00:00 2001
From: Zqiang <qiang.zhang@windriver.com>
Date: Wed, 12 Aug 2020 16:55:01 +0800
Subject: [PATCH 1/2] libnvdimm: KASAN: global-out-of-bounds Read in
 internal_create_group

Because the last member of the "nvdimm_firmware_attributes" array
was not assigned a null ptr, when traversal of "grp->attrs" array
is out of bounds in "create_files" func.

func:
	create_files:
		->for (i = 0, attr = grp->attrs; *attr && !error; i++, attr++)
			->....

BUG: KASAN: global-out-of-bounds in create_files fs/sysfs/group.c:43 [inline]
BUG: KASAN: global-out-of-bounds in internal_create_group+0x9d8/0xb20
fs/sysfs/group.c:149
Read of size 8 at addr ffffffff8a2e4cf0 by task kworker/u17:10/959

CPU: 2 PID: 959 Comm: kworker/u17:10 Not tainted 5.8.0-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009),
BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Workqueue: events_unbound async_run_entry_fn
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18f/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0x5/0x497 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 create_files fs/sysfs/group.c:43 [inline]
 internal_create_group+0x9d8/0xb20 fs/sysfs/group.c:149
 internal_create_groups.part.0+0x90/0x140 fs/sysfs/group.c:189
 internal_create_groups fs/sysfs/group.c:185 [inline]
 sysfs_create_groups+0x25/0x50 fs/sysfs/group.c:215
 device_add_groups drivers/base/core.c:2024 [inline]
 device_add_attrs drivers/base/core.c:2178 [inline]
 device_add+0x7fd/0x1c40 drivers/base/core.c:2881
 nd_async_device_register+0x12/0x80 drivers/nvdimm/bus.c:506
 async_run_entry_fn+0x121/0x530 kernel/async.c:123
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

The buggy address belongs to the variable:
 nvdimm_firmware_attributes+0x10/0x40

Link: https://lore.kernel.org/r/20200812085501.30963-1-qiang.zhang@windriver.com
Link: https://lore.kernel.org/r/20200814150509.225615-1-vaibhav@linux.ibm.com
Fixes: 48001ea50d17f ("PM, libnvdimm: Add runtime firmware activation support")
Reported-by: syzbot+1cf0ffe61aecf46f588f@syzkaller.appspotmail.com
Reported-by: Sandipan Das <sandipan@linux.ibm.com>
Reported-by: Vaibhav Jain <vaibhav@linux.ibm.com>
Reviewed-by: Ira Weiny <ira.weiny@intel.com>
Signed-off-by: Zqiang <qiang.zhang@windriver.com>
Signed-off-by: Vishal Verma <vishal.l.verma@intel.com>
---
 drivers/nvdimm/dimm_devs.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/nvdimm/dimm_devs.c b/drivers/nvdimm/dimm_devs.c
index 61374def5155..b59032e0859b 100644
--- a/drivers/nvdimm/dimm_devs.c
+++ b/drivers/nvdimm/dimm_devs.c
@@ -529,6 +529,7 @@ static DEVICE_ATTR_ADMIN_RW(activate);
 static struct attribute *nvdimm_firmware_attributes[] = {
 	&dev_attr_activate.attr,
 	&dev_attr_result.attr,
+	NULL,
 };
 
 static umode_t nvdimm_firmware_visible(struct kobject *kobj, struct attribute *a, int n)

From c2affe920b0e0669650943ac086215cf6519be34 Mon Sep 17 00:00:00 2001
From: Adrian Huang <ahuang12@lenovo.com>
Date: Wed, 19 Aug 2020 23:42:36 +0800
Subject: [PATCH 2/2] dax: do not print error message for non-persistent memory
 block device
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Commit 231609785cbf ("dax: print error message by pr_info()
in __generic_fsdax_supported()") happens to print the following
error message during booting when the non-persistent memory block
devices are configured by device mapper. Those error messages are
caused by the variable 'dax_dev' is NULL. Users might be confused
with those error messages since they do not use the persistent
memory device. Moreover, users might scare about "what's wrong
with my disks" because they see the 'error' and 'failed' keywords.

  # dmesg | grep fail
  sdk3: error: dax access failed (-95)
  sdk3: error: dax access failed (-95)
  sdk3: error: dax access failed (-95)
  sdk3: error: dax access failed (-95)
  sdk3: error: dax access failed (-95)
  sdk3: error: dax access failed (-95)
  sdk3: error: dax access failed (-95)
  sdk3: error: dax access failed (-95)
  sdk3: error: dax access failed (-95)
  sdb3: error: dax access failed (-95)
  sdb3: error: dax access failed (-95)
  sdb3: error: dax access failed (-95)
  sdb3: error: dax access failed (-95)
  sdb3: error: dax access failed (-95)
  sdb3: error: dax access failed (-95)
  sdb3: error: dax access failed (-95)
  sdb3: error: dax access failed (-95)
  sdb3: error: dax access failed (-95)

  # lsblk
  NAME            MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
  sda               8:0    0   1.1T  0 disk
  ├─sda1            8:1    0   156M  0 part
  ├─sda2            8:2    0    40G  0 part
  └─sda3            8:3    0   1.1T  0 part
  sdb               8:16   0   1.1T  0 disk
  ├─sdb1            8:17   0   600M  0 part
  ├─sdb2            8:18   0     1G  0 part
  └─sdb3            8:19   0   1.1T  0 part
    ├─rhel00-swap 254:3    0     4G  0 lvm
    ├─rhel00-home 254:4    0     1T  0 lvm
    └─rhel00-root 254:5    0    50G  0 lvm
  sdc               8:32   0   1.1T  0 disk
  sdd               8:48   0   1.1T  0 disk
  sde               8:64   0   1.1T  0 disk
  sdf               8:80   0   1.1T  0 disk
  sdg               8:96   0   1.1T  0 disk
  sdh               8:112  0   3.3T  0 disk
  ├─sdh1            8:113  0   500M  0 part /boot/efi
  ├─sdh2            8:114  0    40G  0 part /
  ├─sdh3            8:115  0   2.9T  0 part /home
  └─sdh4            8:116  0 314.6G  0 part [SWAP]
  sdi               8:128  0   1.1T  0 disk
  sdj               8:144  0   3.3T  0 disk
  ├─sdj1            8:145  0   512M  0 part
  └─sdj2            8:146  0   3.3T  0 part
  sdk               8:160  0 119.2G  0 disk
  ├─sdk1            8:161  0   200M  0 part
  ├─sdk2            8:162  0     1G  0 part
  └─sdk3            8:163  0   118G  0 part
    ├─rhel-swap   254:0    0     4G  0 lvm
    ├─rhel-home   254:1    0    64G  0 lvm
    └─rhel-root   254:2    0    50G  0 lvm
  sdl               8:176  0 119.2G  0 disk

The call path is shown as follows:
  dm_table_determine_type
    dm_table_supports_dax
     device_supports_dax
       generic_fsdax_supported
        __generic_fsdax_supported

With the disk configuration listing from the command 'lsblk',
the member 'dev->dax_dev' of the block devices 'sdb3' and 'sdk3'
(configured by device mapper) is NULL in function
generic_fsdax_supported() because the member is configured in
function open_table_device().

To prevent the confusing error messages in this scenario (this is
normal behavior), just print those error messages by pr_debug()
by checking if dax_dev is NULL and the block device does not support
DAX.

Link: https://lore.kernel.org/r/20200819154236.24191-1-adrianhuang0701@gmail.com
Fixes: 231609785cbf ("dax: print error message by pr_info() in __generic_fsdax_supported()")
Cc: Coly Li <colyli@suse.de>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Alasdair Kergon <agk@redhat.com>
Cc: Mike Snitzer <snitzer@redhat.com>
Acked-by: Coly Li <colyli@suse.de>
Signed-off-by: Adrian Huang <ahuang12@lenovo.com>
Signed-off-by: Vishal Verma <vishal.l.verma@intel.com>
---
 drivers/dax/super.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/dax/super.c b/drivers/dax/super.c
index c82cbcb64202..32642634c1bb 100644
--- a/drivers/dax/super.c
+++ b/drivers/dax/super.c
@@ -100,6 +100,12 @@ bool __generic_fsdax_supported(struct dax_device *dax_dev,
 		return false;
 	}
 
+	if (!dax_dev && !bdev_dax_supported(bdev, blocksize)) {
+		pr_debug("%s: error: dax unsupported by block device\n",
+				bdevname(bdev, buf));
+		return false;
+	}
+
 	id = dax_read_lock();
 	len = dax_direct_access(dax_dev, pgoff, 1, &kaddr, &pfn);
 	len2 = dax_direct_access(dax_dev, pgoff_end, 1, &end_kaddr, &end_pfn);