linux/drivers
Aya Levin 5f884e0c2e net/mlx5: Fix slab-out-of-bounds while reading resource dump menu
[ Upstream commit 7ba2d9d8de ]

Resource dump menu may span over more than a single page; support it.
Otherwise, menu read may result in a memory access violation: reading
outside of the allocated page.
Note that the page format of the first menu page contains menu headers while
the proceeding menu pages contain only records.

The KASAN logs are as follows:
BUG: KASAN: slab-out-of-bounds in strcmp+0x9b/0xb0
Read of size 1 at addr ffff88812b2e1fd0 by task systemd-udevd/496

CPU: 5 PID: 496 Comm: systemd-udevd Tainted: G    B  5.16.0_for_upstream_debug_2022_01_10_23_12 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x57/0x7d
 print_address_description.constprop.0+0x1f/0x140
 ? strcmp+0x9b/0xb0
 ? strcmp+0x9b/0xb0
 kasan_report.cold+0x83/0xdf
 ? strcmp+0x9b/0xb0
 strcmp+0x9b/0xb0
 mlx5_rsc_dump_init+0x4ab/0x780 [mlx5_core]
 ? mlx5_rsc_dump_destroy+0x80/0x80 [mlx5_core]
 ? lockdep_hardirqs_on_prepare+0x286/0x400
 ? raw_spin_unlock_irqrestore+0x47/0x50
 ? aomic_notifier_chain_register+0x32/0x40
 mlx5_load+0x104/0x2e0 [mlx5_core]
 mlx5_init_one+0x41b/0x610 [mlx5_core]
 ....
The buggy address belongs to the object at ffff88812b2e0000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 4048 bytes to the right of
 4096-byte region [ffff88812b2e0000, ffff88812b2e1000)
The buggy address belongs to the page:
page:000000009d69807a refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88812b2e6000 pfn:0x12b2e0
head:000000009d69807a order:3 compound_mapcount:0 compound_pincount:0
flags: 0x8000000000010200(slab|head|zone=2)
raw: 8000000000010200 0000000000000000 dead000000000001 ffff888100043040
raw: ffff88812b2e6000 0000000080040000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88812b2e1e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88812b2e1f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88812b2e1f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                 ^
 ffff88812b2e2000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88812b2e2080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Fixes: 12206b1723 ("net/mlx5: Add support for resource dump")
Signed-off-by: Aya Levin <ayal@nvidia.com>
Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-05-12 12:25:43 +02:00
accessibility speakup-dectlk: Restore pitch setting 2022-02-16 12:54:30 +01:00
acpi ACPI: processor idle: Check for architectural support for LPI 2022-04-20 09:23:09 +02:00
amba amba: Make the remove callback return void 2022-04-08 14:40:02 +02:00
android
ata ata: pata_marvell: Check the 'bmdma_addr' beforing reading 2022-04-27 13:53:54 +02:00
atm atm: eni: Add check for dma_map_single 2022-03-23 09:13:27 +01:00
auxdisplay
base arch_topology: Do not set llc_sibling if llc_id is invalid 2022-05-09 09:04:59 +02:00
bcma
block floppy: disable FDRAWCMD by default 2022-05-09 09:04:56 +02:00
bluetooth Bluetooth: btmtksdio: Fix kernel oops in btmtksdio_interrupt 2022-04-08 14:40:22 +02:00
bus bus: sunxi-rsb: Fix the return value of sunxi_rsb_device_create() 2022-05-09 09:05:04 +02:00
cdrom
char virtio_console: eliminate anonymous module_init & module_exit 2022-04-13 21:01:02 +02:00
clk clk: sunxi: sun9i-mmc: check return value after calling platform_get_resource() 2022-05-09 09:05:04 +02:00
clocksource clocksource: acpi_pm: fix return value of __setup handler 2022-04-08 14:40:03 +02:00
connector
counter counter: stm32-lptimer-cnt: remove iio counter abi 2022-01-27 10:54:08 +01:00
cpufreq cpufreq: fix memory leak in sun50i_cpufreq_nvmem_probe 2022-05-09 09:05:03 +02:00
cpuidle
crypto crypto: ccree - Fix use after free in cc_cipher_exit() 2022-04-08 14:40:02 +02:00
dax dax: make sure inodes are flushed before destroy cache 2022-04-08 14:40:16 +02:00
dca
devfreq
dio
dma dma: at_xdmac: fix a missing check on list iterator 2022-04-27 13:53:55 +02:00
dma-buf udmabuf: validate ubuf->pagecount 2022-04-08 14:40:12 +02:00
edac EDAC/synopsys: Read the error count from the correct register 2022-04-27 13:53:54 +02:00
eisa
extcon
firewire firewire: core: extend card->lock in fw_core_handle_bus_reset 2022-05-12 12:25:32 +02:00
firmware firmware: arm_scmi: Fix sorting of retrieved clock rates 2022-04-20 09:23:10 +02:00
fpga
fsi fsi: Aspeed: Fix a potential double free 2022-04-08 14:40:23 +02:00
gnss
gpio gpio: pca953x: fix irq_stat not updated when irq is disabled (irq_mask not set) 2022-05-12 12:25:37 +02:00
gpu drm/amd/display: Avoid reading audio pattern past AUDIO_CHANNELS_COUNT 2022-05-12 12:25:31 +02:00
greybus greybus: svc: fix an error handling bug in gb_svc_hello() 2022-04-08 14:39:50 +02:00
hid HID: i2c-hid: fix GET/SET_REPORT for unnumbered reports 2022-04-08 14:40:15 +02:00
hsi HSI: core: Fix return freed object in hsi_new_client 2022-01-27 10:54:12 +01:00
hv Drivers: hv: vmbus: Prevent load re-ordering when reading ring buffer 2022-04-20 09:23:20 +02:00
hwmon hwmon: (adt7470) Fix warning on module removal 2022-05-12 12:25:37 +02:00
hwspinlock
hwtracing amba: Make the remove callback return void 2022-04-08 14:40:02 +02:00
i2c i2c: pasemi: Wait for write xfers to finish 2022-04-20 09:23:30 +02:00
i3c
ide
idle
iio iio:imu:bmi160: disable regulator in error path 2022-05-09 09:05:00 +02:00
infiniband RDMA/siw: Fix a condition race issue in MPA request processing 2022-05-12 12:25:39 +02:00
input amba: Make the remove callback return void 2022-04-08 14:40:02 +02:00
interconnect
iommu iommu/vt-d: Calculate mask for non-aligned flushes 2022-05-12 12:25:30 +02:00
ipack
irqchip irqchip/gic, gic-v3: Prevent GSI to SGI translations 2022-04-13 21:01:11 +02:00
isdn isdn: hfcpci: check the return value of dma_set_mask() in setup_hw() 2022-03-16 14:15:57 +01:00
leds
lightnvm lightnvm: disable the subsystem 2022-05-09 09:04:56 +02:00
macintosh
mailbox mailbox: imx: fix wakeup failure from freeze mode 2022-04-08 14:40:41 +02:00
mcb
md dm: fix mempool NULL pointer race when completing IO 2022-04-27 13:53:47 +02:00
media media: rockchip/rga: do proper error checking in probe 2022-04-20 09:23:10 +02:00
memory memory: renesas-rpc-if: Fix HF/OSPI data transfer in Manual Mode 2022-05-09 09:05:02 +02:00
memstick
message
mfd mfd: asic3: Add missing iounmap() on error asic3_mfd_probe 2022-04-08 14:40:23 +02:00
misc kgdbts: fix return value of __setup handler 2022-04-08 14:40:28 +02:00
mmc mmc: core: Set HS clock speed before sending HS CMD13 2022-05-12 12:25:30 +02:00
most
mtd mtd: rawnand: Fix return value check of wait_for_completion_timeout 2022-05-09 09:05:02 +02:00
mux
net net/mlx5: Fix slab-out-of-bounds while reading resource dump menu 2022-05-12 12:25:43 +02:00
nfc nfc: nfcmrvl: main: reorder destructive operations in nfcmrvl_nci_unregister_dev to avoid bugs 2022-05-12 12:25:36 +02:00
ntb ntb: intel: fix port config status offset for SPR 2022-03-08 19:09:32 +01:00
nubus
nvdimm nvdimm/region: Fix default alignment for small regions 2022-04-08 14:40:26 +02:00
nvme nvme-pci: disable namespace identifiers for Qemu controllers 2022-04-27 13:53:54 +02:00
nvmem nvmem: core: set size for sysfs bin file 2022-01-27 10:54:22 +01:00
of of: base: Improve argument length mismatch error 2022-01-27 10:54:28 +01:00
opp
oprofile
parisc parisc: Fix CPU affinity for Lasi, WAX and Dino chips 2022-04-13 21:01:03 +02:00
parport
pci PCI: endpoint: Fix misused goto label 2022-04-13 21:00:59 +02:00
pcmcia
perf arm_pmu: Validate single/group leader events 2022-04-27 13:53:55 +02:00
phy phy: ti: Add missing pm_runtime_disable() in serdes_am654_probe 2022-05-09 09:05:01 +02:00
pinctrl pinctrl: pistachio: fix use of irq_of_parse_and_map() 2022-05-09 09:05:03 +02:00
platform platform/x86: samsung-laptop: Fix an unsigned comparison which can never be negative 2022-04-27 13:53:53 +02:00
pnp
power power: supply: axp288-charger: Set Vhold to 4.4V 2022-04-13 21:00:57 +02:00
powercap
pps
ps3
ptp ptp: replace snprintf with sysfs_emit 2022-04-13 21:00:55 +02:00
pwm pwm: lpc18xx-sct: Initialize driver data and hardware before pwmchip_add() 2022-04-08 14:40:23 +02:00
rapidio
ras
regulator regulator: wm8994: Add an off-on delay for WM8994 variant 2022-04-20 09:23:22 +02:00
remoteproc remoteproc: qcom_q6v5_mss: Fix some leaks in q6v5_alloc_memory_region 2022-04-08 14:40:26 +02:00
reset reset: tegra-bpmp: Restore Handle errors in BPMP response 2022-04-27 13:53:52 +02:00
rpmsg rpmsg: char: Fix race between the release of rpmsg_eptdev and cdev 2022-02-01 17:25:43 +01:00
rtc rtc: wm8350: Handle error for wm8350_register_irq 2022-04-13 21:00:54 +02:00
s390 s390/dasd: Fix read inconsistency for ESE DASD devices 2022-05-12 12:25:34 +02:00
sbus
scsi scsi: qedi: Fix failed disconnect handling 2022-04-27 13:53:54 +02:00
sfi
sh
siox
slimbus
soc soc: ti: wkup_m3_ipc: Fix IRQ check in wkup_m3_ipc_probe 2022-04-08 14:40:07 +02:00
soundwire soundwire: intel: fix wrong register name in intel_shim_wake 2022-04-08 14:40:24 +02:00
spi spi: atmel-quadspi: Fix the buswidth adjustment between spi-mem and controller 2022-04-27 13:53:57 +02:00
spmi
ssb
staging staging: ion: Prevent incorrect reference counting behavour 2022-04-27 13:53:57 +02:00
target scsi: target: tcmu: Fix possible page UAF 2022-04-20 09:23:21 +02:00
tc
tee optee: use driver internal tee_context for some rpc 2022-03-02 11:42:47 +01:00
thermal thermal: int340x: Fix attr.show callback prototype 2022-05-09 09:05:07 +02:00
thunderbolt thunderbolt: Runtime PM activate both ends of the device link 2022-01-27 10:54:14 +01:00
tty tty: n_gsm: fix software flow control handling 2022-05-09 09:05:08 +02:00
uio
usb USB: Fix xhci event ring dequeue pointer ERDP update issue 2022-05-09 09:05:00 +02:00
vdpa vdpa/mlx5: should verify CTRL_VQ feature exists for MQ 2022-04-08 14:39:47 +02:00
vfio amba: Make the remove callback return void 2022-04-08 14:40:02 +02:00
vhost tuntap: add sanity checks about msg_controllen in sendmsg 2022-04-13 21:00:59 +02:00
video video: fbdev: udlfb: properly check endpoint type 2022-05-09 09:05:00 +02:00
virt
virtio virtio: acknowledge all features before access 2022-03-16 14:16:02 +01:00
visorbus
vlynq
vme
w1 w1: w1_therm: fixes w1_seq for ds28ea00 sensors 2022-04-13 21:01:01 +02:00
watchdog watchdog: rti-wdt: Add missing pm_runtime_disable() in probe function 2022-04-08 14:40:41 +02:00
xen xen/gnttab: fix gnttab_end_foreign_access() without page specified 2022-03-11 12:11:54 +01:00
zorro
Kconfig
Makefile