From: Qian Cai <cai@lca.pw>
To: Don.Brace@microchip.com
Cc: don.brace@microsemi.com, martin.petersen@oracle.com,
scott.teel@microsemi.com, kevin.barnett@microsemi.com,
esc.storagedev@microsemi.com, linux-scsi@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: UBSAN: array-index-out-of-bounds in drivers/scsi/hpsa.c:4421:7
Date: Thu, 28 May 2020 10:38:36 -0400 [thread overview]
Message-ID: <20200528143836.GB2702@lca.pw> (raw)
In-Reply-To: <SN6PR11MB2848B54B5E6152AA4A7BC261E18E0@SN6PR11MB2848.namprd11.prod.outlook.com>
On Thu, May 28, 2020 at 01:46:02PM +0000, Don.Brace@microchip.com wrote:
> Working on this.
> Can you send your configuration?
> ssacli controller all show config detail
https://raw.githubusercontent.com/cailca/linux-mm/master/kcsan.config
# ssacli controller all show
Smart Array P246br in Slot 0 (Embedded) (sn: PDNLU0ALM8F03U)
>
> -----Original Message-----
> From: linux-scsi-owner@vger.kernel.org [mailto:linux-scsi-owner@vger.kernel.org] On Behalf Of Qian Cai
> Sent: Tuesday, May 26, 2020 10:19 AM
> To: Don Brace <don.brace@microsemi.com>
> Cc: Martin K. Petersen <martin.petersen@oracle.com>; Scott Teel <scott.teel@microsemi.com>; Kevin Barnett <kevin.barnett@microsemi.com>; esc.storagedev@microsemi.com; linux-scsi@vger.kernel.org; linux-kernel@vger.kernel.org
> Subject: UBSAN: array-index-out-of-bounds in drivers/scsi/hpsa.c:4421:7
>
> EXTERNAL EMAIL: Do not click links or open attachments unless you know the content is safe
>
> Sorry, adding a missing subject line.
>
> On Tue, May 26, 2020 at 11:14:16AM -0400, Qian Cai wrote:
> > The commit 64ce60cab246 ("hpsa: correct skipping masked peripherals")
> > trigger an UBSAN warning below.
> >
> > When i == 0 in hpsa_update_scsi_devices(),
> >
> > for (i = 0; i < nphysicals + nlogicals + 1; i++) { ...
> > int phys_dev_index = i - (raid_ctlr_position == 0);
> >
> > It ends up calling LUN[-1].
> >
> > &physdev_list->LUN[phys_dev_index]
> >
> > Should there by a test of underflow to set phys_dev_index == 0 in this case?
> >
> > [ 118.395557][ T13] hpsa can't handle SMP requests
> > [ 118.444870][ T13] ================================================================================
> > [ 118.486725][ T13] UBSAN: array-index-out-of-bounds in drivers/scsi/hpsa.c:4421:7
> > [ 118.521606][ T13] index -1 is out of range for type 'struct ext_report_lun_entry [1024]'
> > [ 118.559481][ T13] CPU: 0 PID: 13 Comm: kworker/0:1 Not tainted 5.7.0-rc6-next-20200522+ #3
> > [ 118.598179][ T13] Hardware name: HP ProLiant BL660c Gen9, BIOS I38 10/17/2018
> > [ 118.632882][ T13] Workqueue: events work_for_cpu_fn
> > [ 118.656492][ T13] Call Trace:
> > [ 118.670899][ T13] dump_stack+0x10b/0x17f
> > [ 118.690216][ T13] __ubsan_handle_out_of_bounds+0xd2/0x110
> > [ 118.712593][ T378] bnx2x 0000:41:00.1: 63.008 Gb/s available PCIe bandwidth (8.0 GT/s PCIe x8 link)
> > [ 118.716249][ T13] hpsa_update_scsi_devices+0x28e3/0x2cc0 [hpsa]
> > [ 118.786774][ T13] hpsa_scan_start+0x228/0x260 [hpsa]
> > [ 118.810663][ T13] ? _raw_spin_unlock_irqrestore+0x6a/0x80
> > [ 118.836529][ T13] do_scsi_scan_host+0x8a/0x110
> > [ 118.858104][ T13] scsi_scan_host+0x222/0x280
> > [ 118.879287][ T13] ? hpsa_scsi_do_inquiry+0xcd/0xe0 [hpsa]
> > [ 118.907707][ T13] hpsa_init_one+0x1b79/0x27c0 [hpsa]
> > [ 118.934818][ T13] ? hpsa_find_device_by_sas_rphy+0xd0/0xd0 [hpsa]
> > [ 118.964279][ T13] local_pci_probe+0x82/0xe0
> > [ 118.985405][ T13] ? pci_name+0x70/0x70
> > [ 119.004244][ T13] work_for_cpu_fn+0x3a/0x60
> > [ 119.024672][ T13] process_one_work+0x49f/0x8f0
> > [ 119.046431][ T13] process_scheduled_works+0x72/0xa0
> > [ 119.069906][ T13] worker_thread+0x463/0x5b0
> > [ 119.090347][ T13] kthread+0x21d/0x240
> > [ 119.108531][ T13] ? pr_cont_work+0xa0/0xa0
> > [ 119.128450][ T13] ? __write_once_size+0x30/0x30
> > [ 119.150405][ T13] ret_from_fork+0x27/0x40
prev parent reply other threads:[~2020-05-28 14:38 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-26 15:14 Qian Cai
2020-05-26 15:19 ` UBSAN: array-index-out-of-bounds in drivers/scsi/hpsa.c:4421:7 Qian Cai
2020-05-28 13:46 ` Don.Brace
2020-05-28 14:38 ` Qian Cai [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200528143836.GB2702@lca.pw \
--to=cai@lca.pw \
--cc=Don.Brace@microchip.com \
--cc=don.brace@microsemi.com \
--cc=esc.storagedev@microsemi.com \
--cc=kevin.barnett@microsemi.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=scott.teel@microsemi.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.