[Bug 108771] scsi: ses: kasan: ses_enclosure_data_process use after free on boot SAS2X28

[bugzilla-daemon]

https://bugzilla.kernel.org/show_bug.cgi?id=108771

Pavel Tikhomirov  changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution|--- |PATCH_ALREADY_AVAILABLE

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Bug 108771] scsi: ses: kasan: ses_enclosure_data_process use after free on boot SAS2X28

[bugzilla-daemon]

https://bugzilla.kernel.org/show_bug.cgi?id=108771

--- Comment #3 from Pavel Tikhomirov  ---
On 12/10/2015 03:43 AM, James Bottomley wrote:
> On Wed, 2015-12-09 at 15:35 +0300, Pavel Tikhomirov wrote:
>>
>> On 12/08/2015 07:16 PM, James Bottomley wrote:
>>> On Mon, 2015-12-07 at 14:01 +, bugzilla-dae...@bugzilla.kernel.org
>>> wrote:
 https://bugzilla.kernel.org/show_bug.cgi?id=108771

 --- Comment #1 from Pavel Tikhomirov  ---
 Aditional info about enclosue(from that node, but older 3.10 based kernel):

 [root@p9 crash]# modprobe sg
 [root@p9 crash]#  sg_map -i
 /dev/sg0  LSI   SAS2X28   0e12
 /dev/sg1  /dev/sda  LSI  MR9260-4i  2.13
 [root@p9 crash]# lsscsi -gs
 [1:0:16:0]   enclosu LSI  SAS2X28  0e12  -  /dev/sg0
 -
 [1:2:0:0]diskLSI  MR9260-4i2.13  /dev/sda   /dev/sg1
 3.99TB
 [root@p9 crash]#  sg_ses /dev/sg0
 LSI   SAS2X28   0e12
 Supported diagnostic pages:
 Supported Diagnostic Pages [sdp] [0x0]
 Configuration (SES) [cf] [0x1]
 Enclosure Status/Control (SES) [ec,es] [0x2]
 Element Descriptor (SES) [ed] [0x7]
 Additional Element Status (SES-2) [aes] [0xa]
 Download Microcode (SES-2) [dm] [0xe]
 [root@p9 crash]#  sg_ses /dev/sg1
 LSI  MR9260-4i  2.13
   disk device (not an enclosure)
 Supported diagnostic pages:
>>>
>>> OK, can you give us the contents of pages 1, 2 and 10 with
>>>
>>> sg_ses --page=1 --hex /dev/sg0
>>> sg_ses --page=2 --hex /dev/sg0
>>> sg_ses --page=10 --hex /dev/sg0
>>>
>>> The version of the kernel you do this on doesn't really matter.
>>
>> Here are these pages:
>>
>> [root@p9 ~]# sg_ses --page=1 --hex /dev/sg0
>> LSI   SAS2X28   0e12
>> Response in hex from diagnostic page: Configuration (SES)
>>00 01 00 00 c9 00 00 00 00  11 00 09 2c 50 03 04 80
>> ...,P...
>>10 00 a7 1e bf 4c 53 49 20  20 20 20 20 53 41 53 32LSI
>>SAS2
>>20 58 32 38 20 20 20 20 20  20 20 20 20 30 65 31 32X28
>>0e12
>>30 11 22 33 44 55 00 00 00  17 0c 00 0b 04 01 00 13
>> ."3DU...
>>40 03 03 00 04 12 02 00 0f  02 02 00 0e 0e 01 00 09
>> 
>>50 18 01 00 0d 19 0e 00 0e  11 02 00 0e 44 72 69 76
>> Driv
>>60 65 20 53 6c 6f 74 73 54  65 6d 70 65 72 61 74 75e
>> SlotsTemperatu
>>70 72 65 20 53 65 6e 73 6f  72 73 46 61 6e 73 56 6fre
>> SensorsFansVo
>>80 6c 74 61 67 65 20 53 65  6e 73 6f 72 73 50 6f 77ltage
>> SensorsPow
>>90 65 72 20 53 75 70 70 6c  69 65 73 45 6e 63 6c 6fer
>> SuppliesEnclo
>>a0 73 75 72 65 53 41 53 20  45 78 70 61 6e 64 65 72sureSAS
>> Expander
>>b0 73 53 41 53 20 43 6f 6e  6e 65 63 74 6f 72 73 45sSAS
>> ConnectorsE
>>c0 74 68 65 72 6e 65 74 20  70 6f 72 74 73 thernet ports
>
> Wow, that's some crazy enclosure.  The description says it's a single
> primary subenclosure with 9 different element types comprising 12 Device
> slots, 1 temperature sensor, 3 fans, 2 voltage sensors, 2 power
> supplies, 1 Enclosure, 1 SAS Expander,  14 SAS connectors, 2
> Communications ports. For 38 total element descriptors
>
>> [root@p9 ~]# sg_ses --page=2 --hex /dev/sg0
>> LSI   SAS2X28   0e12
>> Response in hex from diagnostic page: Enclosure Status (SES)
>>00 02 00 00 c0 00 00 00 00  00 00 00 00 05 00 00 00
>> 
>>10 05 00 00 00 01 00 00 00  05 00 00 00 05 00 00 00
>> 
>>20 01 00 00 00 05 00 00 00  05 00 00 00 01 00 00 00
>> 
>>30 05 00 00 00 05 00 00 00  01 00 00 00 00 00 00 00
>> 
>>40 01 00 2c 00 00 00 00 00  05 00 00 50 05 00 00 50
>> ..,P...P
>>50 05 00 00 50 00 00 00 00  01 00 01 f9 01 00 04 b3
>> ...P
>>60 00 00 00 00 47 80 00 20  47 80 00 20 00 00 00 00G.. G..
>> 
>>70 01 00 00 00 00 00 00 00  01 00 00 00 00 00 00 00
>> 
>>80 01 11 ff 00 01 11 ff 00  01 20 00 00 01 20 00 00.
>> ... ..
>>90 01 20 00 00 01 20 00 00  01 20 00 00 01 20 00 00. ... ...
>> ... ..
>>a0 01 20 00 00 01 20 00 00  01 20 00 00 01 20 00 00. ... ...
>> ... ..
>>b0 01 20 00 00 01 20 00 00  00 00 00 00 00 00 00 00. ...
>> ..
>>c0 00 00 00 00
>
> Given each type has one overall descriptor followed by the individual
> ones, we have 38 + 9 = 47 total descriptors, which is what we see here.
>
>> [root@p9 ~]# sg_ses --page=10 --hex /dev/sg0
>> LSI   SAS2X28   0e12
>> Response in hex from diagnostic page: Additional Element Status (SES-2)
>>00 0a 00 01 fc 00 00 00 00  16 22 00 00 01 00 00 00
>> ."..
>>10 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
>> 

Re: [Bug 108771] scsi: ses: kasan: ses_enclosure_data_process use after free on boot SAS2X28

[Pavel Tikhomirov]

On 12/10/2015 03:43 AM, James Bottomley wrote:

On Wed, 2015-12-09 at 15:35 +0300, Pavel Tikhomirov wrote:


On 12/08/2015 07:16 PM, James Bottomley wrote:

On Mon, 2015-12-07 at 14:01 +, bugzilla-dae...@bugzilla.kernel.org
wrote:

https://bugzilla.kernel.org/show_bug.cgi?id=108771

--- Comment #1 from Pavel Tikhomirov  ---
Aditional info about enclosue(from that node, but older 3.10 based kernel):

[root@p9 crash]# modprobe sg
[root@p9 crash]#  sg_map -i
/dev/sg0  LSI   SAS2X28   0e12
/dev/sg1  /dev/sda  LSI  MR9260-4i  2.13
[root@p9 crash]# lsscsi -gs
[1:0:16:0]   enclosu LSI  SAS2X28  0e12  -  /dev/sg0
-
[1:2:0:0]diskLSI  MR9260-4i2.13  /dev/sda   /dev/sg1
3.99TB
[root@p9 crash]#  sg_ses /dev/sg0
LSI   SAS2X28   0e12
Supported diagnostic pages:
Supported Diagnostic Pages [sdp] [0x0]
Configuration (SES) [cf] [0x1]
Enclosure Status/Control (SES) [ec,es] [0x2]
Element Descriptor (SES) [ed] [0x7]
Additional Element Status (SES-2) [aes] [0xa]
Download Microcode (SES-2) [dm] [0xe]
[root@p9 crash]#  sg_ses /dev/sg1
LSI  MR9260-4i  2.13
  disk device (not an enclosure)
Supported diagnostic pages:


OK, can you give us the contents of pages 1, 2 and 10 with

sg_ses --page=1 --hex /dev/sg0
sg_ses --page=2 --hex /dev/sg0
sg_ses --page=10 --hex /dev/sg0

The version of the kernel you do this on doesn't really matter.


Here are these pages:

[root@p9 ~]# sg_ses --page=1 --hex /dev/sg0
LSI   SAS2X28   0e12
Response in hex from diagnostic page: Configuration (SES)
   00 01 00 00 c9 00 00 00 00  11 00 09 2c 50 03 04 80
...,P...
   10 00 a7 1e bf 4c 53 49 20  20 20 20 20 53 41 53 32LSI
   SAS2
   20 58 32 38 20 20 20 20 20  20 20 20 20 30 65 31 32X28
   0e12
   30 11 22 33 44 55 00 00 00  17 0c 00 0b 04 01 00 13
."3DU...
   40 03 03 00 04 12 02 00 0f  02 02 00 0e 0e 01 00 09

   50 18 01 00 0d 19 0e 00 0e  11 02 00 0e 44 72 69 76
Driv
   60 65 20 53 6c 6f 74 73 54  65 6d 70 65 72 61 74 75e
SlotsTemperatu
   70 72 65 20 53 65 6e 73 6f  72 73 46 61 6e 73 56 6fre
SensorsFansVo
   80 6c 74 61 67 65 20 53 65  6e 73 6f 72 73 50 6f 77ltage
SensorsPow
   90 65 72 20 53 75 70 70 6c  69 65 73 45 6e 63 6c 6fer
SuppliesEnclo
   a0 73 75 72 65 53 41 53 20  45 78 70 61 6e 64 65 72sureSAS
Expander
   b0 73 53 41 53 20 43 6f 6e  6e 65 63 74 6f 72 73 45sSAS
ConnectorsE
   c0 74 68 65 72 6e 65 74 20  70 6f 72 74 73 thernet ports


Wow, that's some crazy enclosure.  The description says it's a single
primary subenclosure with 9 different element types comprising 12 Device
slots, 1 temperature sensor, 3 fans, 2 voltage sensors, 2 power
supplies, 1 Enclosure, 1 SAS Expander,  14 SAS connectors, 2
Communications ports. For 38 total element descriptors


[root@p9 ~]# sg_ses --page=2 --hex /dev/sg0
LSI   SAS2X28   0e12
Response in hex from diagnostic page: Enclosure Status (SES)
   00 02 00 00 c0 00 00 00 00  00 00 00 00 05 00 00 00

   10 05 00 00 00 01 00 00 00  05 00 00 00 05 00 00 00

   20 01 00 00 00 05 00 00 00  05 00 00 00 01 00 00 00

   30 05 00 00 00 05 00 00 00  01 00 00 00 00 00 00 00

   40 01 00 2c 00 00 00 00 00  05 00 00 50 05 00 00 50
..,P...P
   50 05 00 00 50 00 00 00 00  01 00 01 f9 01 00 04 b3
...P
   60 00 00 00 00 47 80 00 20  47 80 00 20 00 00 00 00G.. G..

   70 01 00 00 00 00 00 00 00  01 00 00 00 00 00 00 00

   80 01 11 ff 00 01 11 ff 00  01 20 00 00 01 20 00 00.
... ..
   90 01 20 00 00 01 20 00 00  01 20 00 00 01 20 00 00. ... ...
... ..
   a0 01 20 00 00 01 20 00 00  01 20 00 00 01 20 00 00. ... ...
... ..
   b0 01 20 00 00 01 20 00 00  00 00 00 00 00 00 00 00. ...
..
   c0 00 00 00 00


Given each type has one overall descriptor followed by the individual
ones, we have 38 + 9 = 47 total descriptors, which is what we see here.


[root@p9 ~]# sg_ses --page=10 --hex /dev/sg0
LSI   SAS2X28   0e12
Response in hex from diagnostic page: Additional Element Status (SES-2)
   00 0a 00 01 fc 00 00 00 00  16 22 00 00 01 00 00 00
."..
   10 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00

   20 00 00 00 00 00 00 00 00  00 00 00 00 16 22 00 01
."..
   30 01 00 00 01 00 00 00 00  00 00 00 00 00 00 00 00

   40 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00

   50 16 22 00 02 01 00 00 02  00 00 00 01 50 03 04 80
."..P...
   60 00 a7 1e bf 50 03 04 80  00 a7 1e ae 00 00 00 00
P...
   70 00 00 00 00 16 22 00 03  01 00 00 03 00 00 00 00
."..
   80 00 00 00 00 00 00 00 00  00 

[Bug 108771] scsi: ses: kasan: ses_enclosure_data_process use after free on boot SAS2X28

[bugzilla-daemon]

https://bugzilla.kernel.org/show_bug.cgi?id=108771

--- Comment #2 from Pavel Tikhomirov  ---
On 12/08/2015 07:16 PM, James Bottomley wrote:
> On Mon, 2015-12-07 at 14:01 +, bugzilla-dae...@bugzilla.kernel.org
> wrote:
>> https://bugzilla.kernel.org/show_bug.cgi?id=108771
>>
>> --- Comment #1 from Pavel Tikhomirov  ---
>> Aditional info about enclosue(from that node, but older 3.10 based kernel):
>>
>> [root@p9 crash]# modprobe sg
>> [root@p9 crash]#  sg_map -i
>> /dev/sg0  LSI   SAS2X28   0e12
>> /dev/sg1  /dev/sda  LSI  MR9260-4i  2.13
>> [root@p9 crash]# lsscsi -gs
>> [1:0:16:0]   enclosu LSI  SAS2X28  0e12  -  /dev/sg0
>> -
>> [1:2:0:0]diskLSI  MR9260-4i2.13  /dev/sda   /dev/sg1
>> 3.99TB
>> [root@p9 crash]#  sg_ses /dev/sg0
>>LSI   SAS2X28   0e12
>> Supported diagnostic pages:
>>Supported Diagnostic Pages [sdp] [0x0]
>>Configuration (SES) [cf] [0x1]
>>Enclosure Status/Control (SES) [ec,es] [0x2]
>>Element Descriptor (SES) [ed] [0x7]
>>Additional Element Status (SES-2) [aes] [0xa]
>>Download Microcode (SES-2) [dm] [0xe]
>> [root@p9 crash]#  sg_ses /dev/sg1
>>LSI  MR9260-4i  2.13
>>  disk device (not an enclosure)
>> Supported diagnostic pages:
>
> OK, can you give us the contents of pages 1, 2 and 10 with
>
> sg_ses --page=1 --hex /dev/sg0
> sg_ses --page=2 --hex /dev/sg0
> sg_ses --page=10 --hex /dev/sg0
>
> The version of the kernel you do this on doesn't really matter.

Here are these pages:

[root@p9 ~]# sg_ses --page=1 --hex /dev/sg0
   LSI   SAS2X28   0e12
Response in hex from diagnostic page: Configuration (SES)
  00 01 00 00 c9 00 00 00 00  11 00 09 2c 50 03 04 80 
...,P...
  10 00 a7 1e bf 4c 53 49 20  20 20 20 20 53 41 53 32LSI 
  SAS2
  20 58 32 38 20 20 20 20 20  20 20 20 20 30 65 31 32X28 
  0e12
  30 11 22 33 44 55 00 00 00  17 0c 00 0b 04 01 00 13 
."3DU...
  40 03 03 00 04 12 02 00 0f  02 02 00 0e 0e 01 00 09 

  50 18 01 00 0d 19 0e 00 0e  11 02 00 0e 44 72 69 76 
Driv
  60 65 20 53 6c 6f 74 73 54  65 6d 70 65 72 61 74 75e 
SlotsTemperatu
  70 72 65 20 53 65 6e 73 6f  72 73 46 61 6e 73 56 6fre 
SensorsFansVo
  80 6c 74 61 67 65 20 53 65  6e 73 6f 72 73 50 6f 77ltage 
SensorsPow
  90 65 72 20 53 75 70 70 6c  69 65 73 45 6e 63 6c 6fer 
SuppliesEnclo
  a0 73 75 72 65 53 41 53 20  45 78 70 61 6e 64 65 72sureSAS 
Expander
  b0 73 53 41 53 20 43 6f 6e  6e 65 63 74 6f 72 73 45sSAS 
ConnectorsE
  c0 74 68 65 72 6e 65 74 20  70 6f 72 74 73 thernet ports
[root@p9 ~]# sg_ses --page=2 --hex /dev/sg0
   LSI   SAS2X28   0e12
Response in hex from diagnostic page: Enclosure Status (SES)
  00 02 00 00 c0 00 00 00 00  00 00 00 00 05 00 00 00 

  10 05 00 00 00 01 00 00 00  05 00 00 00 05 00 00 00 

  20 01 00 00 00 05 00 00 00  05 00 00 00 01 00 00 00 

  30 05 00 00 00 05 00 00 00  01 00 00 00 00 00 00 00 

  40 01 00 2c 00 00 00 00 00  05 00 00 50 05 00 00 50 
..,P...P
  50 05 00 00 50 00 00 00 00  01 00 01 f9 01 00 04 b3 
...P
  60 00 00 00 00 47 80 00 20  47 80 00 20 00 00 00 00G.. G.. 

  70 01 00 00 00 00 00 00 00  01 00 00 00 00 00 00 00 

  80 01 11 ff 00 01 11 ff 00  01 20 00 00 01 20 00 00. 
... ..
  90 01 20 00 00 01 20 00 00  01 20 00 00 01 20 00 00. ... ... 
... ..
  a0 01 20 00 00 01 20 00 00  01 20 00 00 01 20 00 00. ... ... 
... ..
  b0 01 20 00 00 01 20 00 00  00 00 00 00 00 00 00 00. ... 
..
  c0 00 00 00 00 
[root@p9 ~]# sg_ses --page=10 --hex /dev/sg0
   LSI   SAS2X28   0e12
Response in hex from diagnostic page: Additional Element Status (SES-2)
  00 0a 00 01 fc 00 00 00 00  16 22 00 00 01 00 00 00 
."..
  10 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 

  20 00 00 00 00 00 00 00 00  00 00 00 00 16 22 00 01 
."..
  30 01 00 00 01 00 00 00 00  00 00 00 00 00 00 00 00 

  40 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 

  50 16 22 00 02 01 00 00 02  00 00 00 01 50 03 04 80 
."..P...
  60 00 a7 1e bf 50 03 04 80  00 a7 1e ae 00 00 00 00 
P...
  70 00 00 00 00 16 22 00 03  01 00 00 03 00 00 00 00 
."..
  80 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 

  90 00 00 00 00 00 00 00 00  16 22 00 04 01 00 00 04 
."..
  a0 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 

  b0 00 00 00 00 00 00 00 00  00 00 00 00 16 22 00 05 
."..
  c0 01 00 00 05 00 00 00 01  50 03 04 80 00 a7 1e bf 
P...
  

Re: [Bug 108771] scsi: ses: kasan: ses_enclosure_data_process use after free on boot SAS2X28

[Pavel Tikhomirov]

On 12/08/2015 07:16 PM, James Bottomley wrote:

On Mon, 2015-12-07 at 14:01 +, bugzilla-dae...@bugzilla.kernel.org
wrote:

https://bugzilla.kernel.org/show_bug.cgi?id=108771

--- Comment #1 from Pavel Tikhomirov  ---
Aditional info about enclosue(from that node, but older 3.10 based kernel):

[root@p9 crash]# modprobe sg
[root@p9 crash]#  sg_map -i
/dev/sg0  LSI   SAS2X28   0e12
/dev/sg1  /dev/sda  LSI  MR9260-4i  2.13
[root@p9 crash]# lsscsi -gs
[1:0:16:0]   enclosu LSI  SAS2X28  0e12  -  /dev/sg0
-
[1:2:0:0]diskLSI  MR9260-4i2.13  /dev/sda   /dev/sg1
3.99TB
[root@p9 crash]#  sg_ses /dev/sg0
   LSI   SAS2X28   0e12
Supported diagnostic pages:
   Supported Diagnostic Pages [sdp] [0x0]
   Configuration (SES) [cf] [0x1]
   Enclosure Status/Control (SES) [ec,es] [0x2]
   Element Descriptor (SES) [ed] [0x7]
   Additional Element Status (SES-2) [aes] [0xa]
   Download Microcode (SES-2) [dm] [0xe]
[root@p9 crash]#  sg_ses /dev/sg1
   LSI  MR9260-4i  2.13
 disk device (not an enclosure)
Supported diagnostic pages:


OK, can you give us the contents of pages 1, 2 and 10 with

sg_ses --page=1 --hex /dev/sg0
sg_ses --page=2 --hex /dev/sg0
sg_ses --page=10 --hex /dev/sg0

The version of the kernel you do this on doesn't really matter.


Here are these pages:

[root@p9 ~]# sg_ses --page=1 --hex /dev/sg0
  LSI   SAS2X28   0e12
Response in hex from diagnostic page: Configuration (SES)
 00 01 00 00 c9 00 00 00 00  11 00 09 2c 50 03 04 80 
...,P...
 10 00 a7 1e bf 4c 53 49 20  20 20 20 20 53 41 53 32LSI 
 SAS2
 20 58 32 38 20 20 20 20 20  20 20 20 20 30 65 31 32X28 
 0e12
 30 11 22 33 44 55 00 00 00  17 0c 00 0b 04 01 00 13 
."3DU...
 40 03 03 00 04 12 02 00 0f  02 02 00 0e 0e 01 00 09 

 50 18 01 00 0d 19 0e 00 0e  11 02 00 0e 44 72 69 76 
Driv
 60 65 20 53 6c 6f 74 73 54  65 6d 70 65 72 61 74 75e 
SlotsTemperatu
 70 72 65 20 53 65 6e 73 6f  72 73 46 61 6e 73 56 6fre 
SensorsFansVo
 80 6c 74 61 67 65 20 53 65  6e 73 6f 72 73 50 6f 77ltage 
SensorsPow
 90 65 72 20 53 75 70 70 6c  69 65 73 45 6e 63 6c 6fer 
SuppliesEnclo
 a0 73 75 72 65 53 41 53 20  45 78 70 61 6e 64 65 72sureSAS 
Expander
 b0 73 53 41 53 20 43 6f 6e  6e 65 63 74 6f 72 73 45sSAS 
ConnectorsE

 c0 74 68 65 72 6e 65 74 20  70 6f 72 74 73 thernet ports
[root@p9 ~]# sg_ses --page=2 --hex /dev/sg0
  LSI   SAS2X28   0e12
Response in hex from diagnostic page: Enclosure Status (SES)
 00 02 00 00 c0 00 00 00 00  00 00 00 00 05 00 00 00 

 10 05 00 00 00 01 00 00 00  05 00 00 00 05 00 00 00 

 20 01 00 00 00 05 00 00 00  05 00 00 00 01 00 00 00 

 30 05 00 00 00 05 00 00 00  01 00 00 00 00 00 00 00 

 40 01 00 2c 00 00 00 00 00  05 00 00 50 05 00 00 50 
..,P...P
 50 05 00 00 50 00 00 00 00  01 00 01 f9 01 00 04 b3 
...P
 60 00 00 00 00 47 80 00 20  47 80 00 20 00 00 00 00G.. G.. 

 70 01 00 00 00 00 00 00 00  01 00 00 00 00 00 00 00 

 80 01 11 ff 00 01 11 ff 00  01 20 00 00 01 20 00 00. 
... ..
 90 01 20 00 00 01 20 00 00  01 20 00 00 01 20 00 00. ... ... 
... ..
 a0 01 20 00 00 01 20 00 00  01 20 00 00 01 20 00 00. ... ... 
... ..
 b0 01 20 00 00 01 20 00 00  00 00 00 00 00 00 00 00. ... 
..

 c0 00 00 00 00 
[root@p9 ~]# sg_ses --page=10 --hex /dev/sg0
  LSI   SAS2X28   0e12
Response in hex from diagnostic page: Additional Element Status (SES-2)
 00 0a 00 01 fc 00 00 00 00  16 22 00 00 01 00 00 00 
."..
 10 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 

 20 00 00 00 00 00 00 00 00  00 00 00 00 16 22 00 01 
."..
 30 01 00 00 01 00 00 00 00  00 00 00 00 00 00 00 00 

 40 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 

 50 16 22 00 02 01 00 00 02  00 00 00 01 50 03 04 80 
."..P...
 60 00 a7 1e bf 50 03 04 80  00 a7 1e ae 00 00 00 00 
P...
 70 00 00 00 00 16 22 00 03  01 00 00 03 00 00 00 00 
."..
 80 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 

 90 00 00 00 00 00 00 00 00  16 22 00 04 01 00 00 04 
."..
 a0 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 

 b0 00 00 00 00 00 00 00 00  00 00 00 00 16 22 00 05 
."..
 c0 01 00 00 05 00 00 00 01  50 03 04 80 00 a7 1e bf 
P...
 d0 50 03 04 80 00 a7 1e b1  00 00 00 00 00 00 00 00 
P...
 e0 16 22 00 06 01 00 00 06  00 00 00 00 00 00 00 00 
."..
 f0 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 

 10000 00 00 00 16 22 00 

Re: [Bug 108771] scsi: ses: kasan: ses_enclosure_data_process use after free on boot SAS2X28

[James Bottomley]

On Wed, 2015-12-09 at 15:35 +0300, Pavel Tikhomirov wrote:
> 
> On 12/08/2015 07:16 PM, James Bottomley wrote:
> > On Mon, 2015-12-07 at 14:01 +, bugzilla-dae...@bugzilla.kernel.org
> > wrote:
> >> https://bugzilla.kernel.org/show_bug.cgi?id=108771
> >>
> >> --- Comment #1 from Pavel Tikhomirov  ---
> >> Aditional info about enclosue(from that node, but older 3.10 based kernel):
> >>
> >> [root@p9 crash]# modprobe sg
> >> [root@p9 crash]#  sg_map -i
> >> /dev/sg0  LSI   SAS2X28   0e12
> >> /dev/sg1  /dev/sda  LSI  MR9260-4i  2.13
> >> [root@p9 crash]# lsscsi -gs
> >> [1:0:16:0]   enclosu LSI  SAS2X28  0e12  -  /dev/sg0
> >> -
> >> [1:2:0:0]diskLSI  MR9260-4i2.13  /dev/sda   /dev/sg1
> >> 3.99TB
> >> [root@p9 crash]#  sg_ses /dev/sg0
> >>LSI   SAS2X28   0e12
> >> Supported diagnostic pages:
> >>Supported Diagnostic Pages [sdp] [0x0]
> >>Configuration (SES) [cf] [0x1]
> >>Enclosure Status/Control (SES) [ec,es] [0x2]
> >>Element Descriptor (SES) [ed] [0x7]
> >>Additional Element Status (SES-2) [aes] [0xa]
> >>Download Microcode (SES-2) [dm] [0xe]
> >> [root@p9 crash]#  sg_ses /dev/sg1
> >>LSI  MR9260-4i  2.13
> >>  disk device (not an enclosure)
> >> Supported diagnostic pages:
> >
> > OK, can you give us the contents of pages 1, 2 and 10 with
> >
> > sg_ses --page=1 --hex /dev/sg0
> > sg_ses --page=2 --hex /dev/sg0
> > sg_ses --page=10 --hex /dev/sg0
> >
> > The version of the kernel you do this on doesn't really matter.
> 
> Here are these pages:
> 
> [root@p9 ~]# sg_ses --page=1 --hex /dev/sg0
>LSI   SAS2X28   0e12
> Response in hex from diagnostic page: Configuration (SES)
>   00 01 00 00 c9 00 00 00 00  11 00 09 2c 50 03 04 80 
> ...,P...
>   10 00 a7 1e bf 4c 53 49 20  20 20 20 20 53 41 53 32LSI 
>   SAS2
>   20 58 32 38 20 20 20 20 20  20 20 20 20 30 65 31 32X28 
>   0e12
>   30 11 22 33 44 55 00 00 00  17 0c 00 0b 04 01 00 13 
> ."3DU...
>   40 03 03 00 04 12 02 00 0f  02 02 00 0e 0e 01 00 09 
> 
>   50 18 01 00 0d 19 0e 00 0e  11 02 00 0e 44 72 69 76 
> Driv
>   60 65 20 53 6c 6f 74 73 54  65 6d 70 65 72 61 74 75e 
> SlotsTemperatu
>   70 72 65 20 53 65 6e 73 6f  72 73 46 61 6e 73 56 6fre 
> SensorsFansVo
>   80 6c 74 61 67 65 20 53 65  6e 73 6f 72 73 50 6f 77ltage 
> SensorsPow
>   90 65 72 20 53 75 70 70 6c  69 65 73 45 6e 63 6c 6fer 
> SuppliesEnclo
>   a0 73 75 72 65 53 41 53 20  45 78 70 61 6e 64 65 72sureSAS 
> Expander
>   b0 73 53 41 53 20 43 6f 6e  6e 65 63 74 6f 72 73 45sSAS 
> ConnectorsE
>   c0 74 68 65 72 6e 65 74 20  70 6f 72 74 73 thernet ports

Wow, that's some crazy enclosure.  The description says it's a single
primary subenclosure with 9 different element types comprising 12 Device
slots, 1 temperature sensor, 3 fans, 2 voltage sensors, 2 power
supplies, 1 Enclosure, 1 SAS Expander,  14 SAS connectors, 2
Communications ports. For 38 total element descriptors

> [root@p9 ~]# sg_ses --page=2 --hex /dev/sg0
>LSI   SAS2X28   0e12
> Response in hex from diagnostic page: Enclosure Status (SES)
>   00 02 00 00 c0 00 00 00 00  00 00 00 00 05 00 00 00 
> 
>   10 05 00 00 00 01 00 00 00  05 00 00 00 05 00 00 00 
> 
>   20 01 00 00 00 05 00 00 00  05 00 00 00 01 00 00 00 
> 
>   30 05 00 00 00 05 00 00 00  01 00 00 00 00 00 00 00 
> 
>   40 01 00 2c 00 00 00 00 00  05 00 00 50 05 00 00 50 
> ..,P...P
>   50 05 00 00 50 00 00 00 00  01 00 01 f9 01 00 04 b3 
> ...P
>   60 00 00 00 00 47 80 00 20  47 80 00 20 00 00 00 00G.. G.. 
> 
>   70 01 00 00 00 00 00 00 00  01 00 00 00 00 00 00 00 
> 
>   80 01 11 ff 00 01 11 ff 00  01 20 00 00 01 20 00 00. 
> ... ..
>   90 01 20 00 00 01 20 00 00  01 20 00 00 01 20 00 00. ... ... 
> ... ..
>   a0 01 20 00 00 01 20 00 00  01 20 00 00 01 20 00 00. ... ... 
> ... ..
>   b0 01 20 00 00 01 20 00 00  00 00 00 00 00 00 00 00. ... 
> ..
>   c0 00 00 00 00 

Given each type has one overall descriptor followed by the individual
ones, we have 38 + 9 = 47 total descriptors, which is what we see here.

> [root@p9 ~]# sg_ses --page=10 --hex /dev/sg0
>LSI   SAS2X28   0e12
> Response in hex from diagnostic page: Additional Element Status (SES-2)
>   00 0a 00 01 fc 00 00 00 00  16 22 00 00 01 00 00 00 
> ."..
>   10 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> 
>   20 00 00 00 00 00 00 00 00  00 00 00 00 16 22 00 01 
> ."..
>   30 01 00 00 01 00 00 00 00  00 00 00 00 00 00 00 00 
> 
>   40 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> 
>   50 16 22 00 02 

Re: [Bug 108771] scsi: ses: kasan: ses_enclosure_data_process use after free on boot SAS2X28

[James Bottomley]

On Mon, 2015-12-07 at 14:01 +, bugzilla-dae...@bugzilla.kernel.org
wrote:
> https://bugzilla.kernel.org/show_bug.cgi?id=108771
> 
> --- Comment #1 from Pavel Tikhomirov  ---
> Aditional info about enclosue(from that node, but older 3.10 based kernel):
> 
> [root@p9 crash]# modprobe sg
> [root@p9 crash]#  sg_map -i
> /dev/sg0  LSI   SAS2X28   0e12
> /dev/sg1  /dev/sda  LSI  MR9260-4i  2.13
> [root@p9 crash]# lsscsi -gs
> [1:0:16:0]   enclosu LSI  SAS2X28  0e12  -  /dev/sg0  
>  
> -
> [1:2:0:0]diskLSI  MR9260-4i2.13  /dev/sda   /dev/sg1  
> 3.99TB
> [root@p9 crash]#  sg_ses /dev/sg0
>   LSI   SAS2X28   0e12
> Supported diagnostic pages:
>   Supported Diagnostic Pages [sdp] [0x0]
>   Configuration (SES) [cf] [0x1]
>   Enclosure Status/Control (SES) [ec,es] [0x2]
>   Element Descriptor (SES) [ed] [0x7]
>   Additional Element Status (SES-2) [aes] [0xa]
>   Download Microcode (SES-2) [dm] [0xe]
> [root@p9 crash]#  sg_ses /dev/sg1
>   LSI  MR9260-4i  2.13
> disk device (not an enclosure)
> Supported diagnostic pages:

OK, can you give us the contents of pages 1, 2 and 10 with

sg_ses --page=1 --hex /dev/sg0
sg_ses --page=2 --hex /dev/sg0
sg_ses --page=10 --hex /dev/sg0

The version of the kernel you do this on doesn't really matter.

Thanks,

James


--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Bug 108771] scsi: ses: kasan: ses_enclosure_data_process use after free on boot SAS2X28

[bugzilla-daemon]

https://bugzilla.kernel.org/show_bug.cgi?id=108771

--- Comment #1 from Pavel Tikhomirov  ---
Aditional info about enclosue(from that node, but older 3.10 based kernel):

[root@p9 crash]# modprobe sg
[root@p9 crash]#  sg_map -i
/dev/sg0  LSI   SAS2X28   0e12
/dev/sg1  /dev/sda  LSI  MR9260-4i  2.13
[root@p9 crash]# lsscsi -gs
[1:0:16:0]   enclosu LSI  SAS2X28  0e12  -  /dev/sg0   
-
[1:2:0:0]diskLSI  MR9260-4i2.13  /dev/sda   /dev/sg1  
3.99TB
[root@p9 crash]#  sg_ses /dev/sg0
  LSI   SAS2X28   0e12
Supported diagnostic pages:
  Supported Diagnostic Pages [sdp] [0x0]
  Configuration (SES) [cf] [0x1]
  Enclosure Status/Control (SES) [ec,es] [0x2]
  Element Descriptor (SES) [ed] [0x7]
  Additional Element Status (SES-2) [aes] [0xa]
  Download Microcode (SES-2) [dm] [0xe]
[root@p9 crash]#  sg_ses /dev/sg1
  LSI  MR9260-4i  2.13
disk device (not an enclosure)
Supported diagnostic pages:

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Bug 108771] scsi: ses: kasan: ses_enclosure_data_process use after free on boot SAS2X28

[bugzilla-daemon]

https://bugzilla.kernel.org/show_bug.cgi?id=108771

Pavel Tikhomirov  changed:

   What|Removed |Added

  Component|Other   |SCSI
Product|SCSI Drivers|IO/Storage

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html