linux

iv/linux

History

Ming Lei bcd8f2e948 scsi: Fix use-after-free This patch fixes one use-after-free report[1] by KASAN. In __scsi_scan_target(), when a type 31 device is probed, SCSI_SCAN_TARGET_PRESENT is returned and the target will be scanned again. Inside the following scsi_report_lun_scan(), one new scsi_device instance is allocated, and scsi_probe_and_add_lun() is called again to probe the target and still see type 31 device, finally __scsi_remove_device() is called to remove & free the device at the end of scsi_probe_and_add_lun(), so cause use-after-free in scsi_report_lun_scan(). And the following SCSI log can be observed: scsi 0:0:2:0: scsi scan: INQUIRY pass 1 length 36 scsi 0:0:2:0: scsi scan: INQUIRY successful with code 0x0 scsi 0:0:2:0: scsi scan: peripheral device type of 31, no device added scsi 0:0:2:0: scsi scan: Sending REPORT LUNS to (try 0) scsi 0:0:2:0: scsi scan: REPORT LUNS successful (try 0) result 0x0 scsi 0:0:2:0: scsi scan: REPORT LUN scan scsi 0:0:2:0: scsi scan: INQUIRY pass 1 length 36 scsi 0:0:2:0: scsi scan: INQUIRY successful with code 0x0 scsi 0:0:2:0: scsi scan: peripheral device type of 31, no device added BUG: KASAN: use-after-free in __scsi_scan_target+0xbf8/0xe40 at addr ffff88007b44a104 This patch fixes the issue by moving the putting reference at the end of scsi_report_lun_scan(). [1] KASAN report ================================================================== [ 3.274597] PM: Adding info for serio:serio1 [ 3.275127] BUG: KASAN: use-after-free in __scsi_scan_target+0xd87/0xdf0 at addr ffff880254d8c304 [ 3.275653] Read of size 4 by task kworker/u10:0/27 [ 3.275903] CPU: 3 PID: 27 Comm: kworker/u10:0 Not tainted 4.8.0 #2121 [ 3.276258] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 [ 3.276797] Workqueue: events_unbound async_run_entry_fn [ 3.277083] ffff880254d8c380 ffff880259a37870 ffffffff94bbc6c1 ffff880078402d80 [ 3.277532] ffff880254d8bb80 ffff880259a37898 ffffffff9459fec1 ffff880259a37930 [ 3.277989] ffff880254d8bb80 ffff880078402d80 ffff880259a37920 ffffffff945a0165 [ 3.278436] Call Trace: [ 3.278528] [<ffffffff94bbc6c1>] dump_stack+0x65/0x84 [ 3.278797] [<ffffffff9459fec1>] kasan_object_err+0x21/0x70 [ 3.279063] device: 'psaux': device_add [ 3.279616] [<ffffffff945a0165>] kasan_report_error+0x205/0x500 [ 3.279651] PM: Adding info for No Bus:psaux [ 3.280202] [<ffffffff944ecd22>] ? kfree_const+0x22/0x30 [ 3.280486] [<ffffffff94bc2dc9>] ? kobject_release+0x119/0x370 [ 3.280805] [<ffffffff945a0543>] __asan_report_load4_noabort+0x43/0x50 [ 3.281170] [<ffffffff9507e1f7>] ? __scsi_scan_target+0xd87/0xdf0 [ 3.281506] [<ffffffff9507e1f7>] __scsi_scan_target+0xd87/0xdf0 [ 3.281848] [<ffffffff9507d470>] ? scsi_add_device+0x30/0x30 [ 3.282156] [<ffffffff94f7f660>] ? pm_runtime_autosuspend_expiration+0x60/0x60 [ 3.282570] [<ffffffff956ddb07>] ? _raw_spin_lock+0x17/0x40 [ 3.282880] [<ffffffff9507e505>] scsi_scan_channel+0x105/0x160 [ 3.283200] [<ffffffff9507e8a2>] scsi_scan_host_selected+0x212/0x2f0 [ 3.283563] [<ffffffff9507eb3c>] do_scsi_scan_host+0x1bc/0x250 [ 3.283882] [<ffffffff9507efc1>] do_scan_async+0x41/0x450 [ 3.284173] [<ffffffff941c1fee>] async_run_entry_fn+0xfe/0x610 [ 3.284492] [<ffffffff941a8954>] ? pwq_dec_nr_in_flight+0x124/0x2a0 [ 3.284876] [<ffffffff941d1770>] ? preempt_count_add+0x130/0x160 [ 3.285207] [<ffffffff941a9a84>] process_one_work+0x544/0x12d0 [ 3.285526] [<ffffffff941aa8e9>] worker_thread+0xd9/0x12f0 [ 3.285844] [<ffffffff941aa810>] ? process_one_work+0x12d0/0x12d0 [ 3.286182] [<ffffffff941bb365>] kthread+0x1c5/0x260 [ 3.286443] [<ffffffff940855cd>] ? __switch_to+0x88d/0x1430 [ 3.286745] [<ffffffff941bb1a0>] ? kthread_worker_fn+0x5a0/0x5a0 [ 3.287085] [<ffffffff956dde9f>] ret_from_fork+0x1f/0x40 [ 3.287368] [<ffffffff941bb1a0>] ? kthread_worker_fn+0x5a0/0x5a0 [ 3.287697] Object at ffff880254d8bb80, in cache kmalloc-2048 size: 2048 [ 3.288064] Allocated: [ 3.288147] PID = 27 [ 3.288218] [<ffffffff940b27ab>] save_stack_trace+0x2b/0x50 [ 3.288531] [<ffffffff9459f246>] save_stack+0x46/0xd0 [ 3.288806] [<ffffffff9459f4bd>] kasan_kmalloc+0xad/0xe0 [ 3.289098] [<ffffffff9459c07e>] __kmalloc+0x13e/0x250 [ 3.289378] [<ffffffff95078e5a>] scsi_alloc_sdev+0xea/0xcf0 [ 3.289701] [<ffffffff9507de76>] __scsi_scan_target+0xa06/0xdf0 [ 3.290034] [<ffffffff9507e505>] scsi_scan_channel+0x105/0x160 [ 3.290362] [<ffffffff9507e8a2>] scsi_scan_host_selected+0x212/0x2f0 [ 3.290724] [<ffffffff9507eb3c>] do_scsi_scan_host+0x1bc/0x250 [ 3.291055] [<ffffffff9507efc1>] do_scan_async+0x41/0x450 [ 3.291354] [<ffffffff941c1fee>] async_run_entry_fn+0xfe/0x610 [ 3.291695] [<ffffffff941a9a84>] process_one_work+0x544/0x12d0 [ 3.292022] [<ffffffff941aa8e9>] worker_thread+0xd9/0x12f0 [ 3.292325] [<ffffffff941bb365>] kthread+0x1c5/0x260 [ 3.292594] [<ffffffff956dde9f>] ret_from_fork+0x1f/0x40 [ 3.292886] Freed: [ 3.292945] PID = 27 [ 3.293016] [<ffffffff940b27ab>] save_stack_trace+0x2b/0x50 [ 3.293327] [<ffffffff9459f246>] save_stack+0x46/0xd0 [ 3.293600] [<ffffffff9459fa61>] kasan_slab_free+0x71/0xb0 [ 3.293916] [<ffffffff9459bac2>] kfree+0xa2/0x1f0 [ 3.294168] [<ffffffff9508158a>] scsi_device_dev_release_usercontext+0x50a/0x730 [ 3.294598] [<ffffffff941ace9a>] execute_in_process_context+0xda/0x130 [ 3.294974] [<ffffffff9508107c>] scsi_device_dev_release+0x1c/0x20 [ 3.295322] [<ffffffff94f566f6>] device_release+0x76/0x1e0 [ 3.295626] [<ffffffff94bc2db7>] kobject_release+0x107/0x370 [ 3.295942] [<ffffffff94bc29ce>] kobject_put+0x4e/0xa0 [ 3.296222] [<ffffffff94f56e17>] put_device+0x17/0x20 [ 3.296497] [<ffffffff9505201c>] scsi_device_put+0x7c/0xa0 [ 3.296801] [<ffffffff9507e1bc>] __scsi_scan_target+0xd4c/0xdf0 [ 3.297132] [<ffffffff9507e505>] scsi_scan_channel+0x105/0x160 [ 3.297458] [<ffffffff9507e8a2>] scsi_scan_host_selected+0x212/0x2f0 [ 3.297829] [<ffffffff9507eb3c>] do_scsi_scan_host+0x1bc/0x250 [ 3.298156] [<ffffffff9507efc1>] do_scan_async+0x41/0x450 [ 3.298453] [<ffffffff941c1fee>] async_run_entry_fn+0xfe/0x610 [ 3.298777] [<ffffffff941a9a84>] process_one_work+0x544/0x12d0 [ 3.299105] [<ffffffff941aa8e9>] worker_thread+0xd9/0x12f0 [ 3.299408] [<ffffffff941bb365>] kthread+0x1c5/0x260 [ 3.299676] [<ffffffff956dde9f>] ret_from_fork+0x1f/0x40 [ 3.299967] Memory state around the buggy address: [ 3.300209] ffff880254d8c200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 3.300608] ffff880254d8c280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 3.300986] >ffff880254d8c300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 3.301408] ^ [ 3.301550] ffff880254d8c380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 3.301987] ffff880254d8c400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 3.302396] ================================================================== Cc: Christoph Hellwig <hch@lst.de> Cc: stable@vger.kernel.org Signed-off-by: Ming Lei <tom.leiming@gmail.com> Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>		2016-10-11 18:00:20 -04:00
..
accessibility
acpi	nmi_backtrace: generate one-line reports for idle cpus	2016-10-07 18:46:30 -07:00
amba
android
ata
atm	atm: iphase: fix newline escape and minor tweak to source formatting	2016-09-15 19:15:55 -04:00
auxdisplay
base	memory-hotplug: fix store_mem_state() return value	2016-10-07 18:46:28 -07:00
bcma
block	The big ticket item here is support for rbd exclusive-lock feature,	2016-10-10 13:52:05 -07:00
bluetooth	Bluetooth: btusb: Fix atheros firmware download error	2016-10-07 09:46:56 +02:00
bus	ARM: SoC driver updates for v4.9	2016-10-07 21:23:40 -07:00
cdrom
char	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2016-10-10 20:16:43 -07:00
clk	ARM: SoC: late DT updates for v4.9	2016-10-07 21:34:49 -07:00
clocksource	ARM: SoC driver updates for v4.9	2016-10-07 21:23:40 -07:00
connector
cpufreq	Merge branch 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm	2016-10-06 07:59:37 -07:00
cpuidle	nmi_backtrace: generate one-line reports for idle cpus	2016-10-07 18:46:30 -07:00
crypto	Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6	2016-10-10 14:04:16 -07:00
dax
dca
devfreq	PM / devfreq: rk3399_dmc: Remove explictly regulator_put call in .remove	2016-09-19 13:36:20 +02:00
dio
dma	dmaengine updates for 4.8-rc1	2016-10-06 17:13:54 -07:00
dma-buf
edac	* Altera Arria10 enablement of NAND, DMA, USB, QSPI and SD-MMC FIFO	2016-10-04 12:06:26 -07:00
eisa
extcon	Merge branch 'next' into resolution	2016-09-15 16:45:20 +05:30
firewire
firmware	ARM: SoC driver updates for v4.9	2016-10-07 21:23:40 -07:00
fmc
fpga
gpio	Merge branch 'i2c/for-4.9' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux	2016-10-07 14:12:21 -07:00
gpu	Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2016-10-10 13:04:49 -07:00
hid	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid	2016-10-07 11:58:38 -07:00
hsi
hv	Drivers: hv: get rid of id in struct vmbus_channel	2016-09-27 12:35:49 +02:00
hwmon	hwmon updates for v4.9	2016-10-04 10:56:14 -07:00
hwspinlock
hwtracing
i2c	Merge branch 'i2c/for-4.9' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux	2016-10-07 14:12:21 -07:00
ide
idle	nmi_backtrace: generate one-line reports for idle cpus	2016-10-07 18:46:30 -07:00
iio	Staging/IIO patches for 4.9-rc1	2016-10-05 14:50:51 -07:00
infiniband	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2016-10-10 20:16:43 -07:00
input	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input	2016-10-07 09:12:19 -07:00
iommu	KVM updates for v4.9-rc1	2016-10-06 10:49:01 -07:00
ipack
irqchip	Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip	2016-10-10 10:24:41 -07:00
isdn
leds	leds: triggers: Check return value of kobject_uevent_env()	2016-09-20 10:22:10 +02:00
lguest
lightnvm	Merge branch 'for-4.9/block' of git://git.kernel.dk/linux-block	2016-10-07 14:42:05 -07:00
macintosh	powerpc: Remove all usages of NO_IRQ	2016-09-20 20:57:12 +10:00
mailbox	Merge branch 'mailbox-for-next' of git://git.linaro.org/landing-teams/working/fujitsu/integration	2016-10-06 17:36:53 -07:00
mcb	mcb: Add a dma_device to mcb_device	2016-09-27 12:33:47 +02:00
md	Merge branch 'for-4.9/block-irq' of git://git.kernel.dk/linux-block	2016-10-09 17:29:33 -07:00
media	ARM: SoC driver updates for v4.9	2016-10-07 21:23:40 -07:00
memory	ARM: SoC driver updates for v4.9	2016-10-07 21:23:40 -07:00
memstick
message	scsi: fusion: Fix error return code in mptfc_probe()	2016-09-14 14:26:19 -04:00
mfd	- Core Frameworks	2016-10-07 08:35:35 -07:00
misc	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2016-10-10 20:16:43 -07:00
mmc	USB/PHY/EXTCON patches for 4.9-rc1	2016-10-03 20:17:35 -07:00
mtd	This pull request contains:	2016-10-11 10:49:44 -07:00
net	Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net	2016-10-11 08:10:19 -07:00
nfc
ntb
nubus
nvdimm	libnvdimm, region: fix flush hint table thinko	2016-09-24 11:45:38 -07:00
nvme	Merge branch 'for-4.9/block-irq' of git://git.kernel.dk/linux-block	2016-10-09 17:29:33 -07:00
nvmem	ARM: SoC driver updates for v4.9	2016-10-07 21:23:40 -07:00
of	MTD updates for 4.9-rc1	2016-10-10 17:39:51 -07:00
oprofile	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2016-10-10 20:16:43 -07:00
parisc
parport
pci	Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6	2016-10-10 14:04:16 -07:00
pcmcia	pcmcia: soc_common: add driver-data pointer	2016-09-22 09:39:16 +01:00
perf	ARM: SoC driver updates for v4.9	2016-10-07 21:23:40 -07:00
phy	phy-twl4030-usb: initialize charging-related stuff via pm_runtime	2016-09-14 10:59:12 +05:30
pinctrl	ARM: SoC driver updates for v4.9	2016-10-07 21:23:40 -07:00
platform	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2016-10-10 20:16:43 -07:00
pnp
power	power supply and reset changes for the v4.9 series	2016-10-06 18:21:15 -07:00
powercap
pps
ps3	powerpc: Remove all usages of NO_IRQ	2016-09-20 20:57:12 +10:00
ptp	ptp: Fix resource leak in case of error	2016-10-03 21:54:10 -04:00
pwm
rapidio	rapidio/rio_cm: avoid GFP_KERNEL in atomic context	2016-09-19 15:36:17 -07:00
ras
regulator	- Core Frameworks	2016-10-07 08:35:35 -07:00
remoteproc	rpmsg updates for v4.9	2016-10-06 17:03:49 -07:00
reset
rpmsg
rtc	Merge branches 'ib-mfd-gpio-4.9', 'ib-mfd-gpio-regulator-4.9', 'ib-mfd-input-4.9', 'ib-mfd-regulator-4.9', 'ib-mfd-regulator-4.9.1', 'ib-mfd-regulator-rtc-4.9', 'ib-mfd-regulator-rtc-4.9-1' and 'ib-mfd-rtc-4.9' into ibs-for-mfd-merged	2016-10-04 15:47:01 +01:00
s390	SCSI misc on 20161006	2016-10-07 09:28:53 -07:00
sbus
scsi	scsi: Fix use-after-free	2016-10-11 18:00:20 -04:00
sfi
sh
sn
soc	ARM: SoC driver updates for v4.9	2016-10-07 21:23:40 -07:00
spi	Merge remote-tracking branches 'spi/topic/ti-qspi', 'spi/topic/tools', 'spi/topic/txx9' and 'spi/topic/xlp' into spi-next	2016-09-30 09:14:22 -07:00
spmi	spmi: pmic-arb: Return an error code if sanity check fails	2016-09-27 12:43:34 +02:00
ssb
staging	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2016-10-10 20:16:43 -07:00
target	chcr/cxgb4i/cxgbit/RDMA/cxgb4: Allocate resources dynamically for all cxgb4 ULD's	2016-09-19 01:37:32 -04:00
tc
thermal
thunderbolt
tty	Merge branch 'printk-cleanups'	2016-10-10 09:29:50 -07:00
uio
usb	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2016-10-10 20:16:43 -07:00
uwb
vfio	vfio_pci: use pci_alloc_irq_vectors	2016-09-29 13:36:38 -06:00
vhost
video	backlight: pwm_bl: Handle gpio that can sleep	2016-10-06 09:27:26 +01:00
virt
virtio
vlynq
vme	vme: fake: remove unexpected unlock in fake_master_set()	2016-09-27 12:43:35 +02:00
w1
watchdog	USB/PHY/EXTCON patches for 4.9-rc1	2016-10-03 20:17:35 -07:00
xen	xen: features and fixes for 4.9-rc0	2016-10-06 11:19:10 -07:00
zorro
Kconfig
Makefile	clk: probe common clock drivers earlier	2016-09-23 13:00:04 +02:00