linux-uconsole

History

Aya Levin 5f884e0c2e net/mlx5: Fix slab-out-of-bounds while reading resource dump menu [ Upstream commit `7ba2d9d8de` ] Resource dump menu may span over more than a single page, support it. Otherwise, menu read may result in a memory access violation: reading outside of the allocated page. Note that page format of the first menu page contains menu headers while the proceeding menu pages contain only records. The KASAN logs are as follows: BUG: KASAN: slab-out-of-bounds in strcmp+0x9b/0xb0 Read of size 1 at addr ffff88812b2e1fd0 by task systemd-udevd/496 CPU: 5 PID: 496 Comm: systemd-udevd Tainted: G B 5.16.0_for_upstream_debug_2022_01_10_23_12 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x57/0x7d print_address_description.constprop.0+0x1f/0x140 ? strcmp+0x9b/0xb0 ? strcmp+0x9b/0xb0 kasan_report.cold+0x83/0xdf ? strcmp+0x9b/0xb0 strcmp+0x9b/0xb0 mlx5_rsc_dump_init+0x4ab/0x780 [mlx5_core] ? mlx5_rsc_dump_destroy+0x80/0x80 [mlx5_core] ? lockdep_hardirqs_on_prepare+0x286/0x400 ? raw_spin_unlock_irqrestore+0x47/0x50 ? aomic_notifier_chain_register+0x32/0x40 mlx5_load+0x104/0x2e0 [mlx5_core] mlx5_init_one+0x41b/0x610 [mlx5_core] .... The buggy address belongs to the object at ffff88812b2e0000 which belongs to the cache kmalloc-4k of size 4096 The buggy address is located 4048 bytes to the right of 4096-byte region [ffff88812b2e0000, ffff88812b2e1000) The buggy address belongs to the page: page:000000009d69807a refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88812b2e6000 pfn:0x12b2e0 head:000000009d69807a order:3 compound_mapcount:0 compound_pincount:0 flags: 0x8000000000010200(slab\|head\|zone=2) raw: 8000000000010200 0000000000000000 dead000000000001 ffff888100043040 raw: ffff88812b2e6000 0000000080040000 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88812b2e1e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88812b2e1f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88812b2e1f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff88812b2e2000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88812b2e2080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Fixes: `12206b1723` ("net/mlx5: Add support for resource dump") Signed-off-by: Aya Levin <ayal@nvidia.com> Reviewed-by: Moshe Shemesh <moshe@nvidia.com> Signed-off-by: Saeed Mahameed <saeedm@nvidia.com> Signed-off-by: Sasha Levin <sashal@kernel.org>		2022-05-12 12:25:43 +02:00
..
appletalk
arcnet	net: arcnet: com20020: Fix null-ptr-deref in com20020pci_probe()	2022-03-08 19:09:35 +01:00
bonding	bonding: fix data-races around agg_select_timer	2022-02-23 12:01:02 +01:00
caif
can	can: grcan: only use the NAPI poll budget for RX	2022-05-12 12:25:36 +02:00
dsa	net: dsa: mt7530: add missing of_node_put() in mt7530_setup()	2022-05-12 12:25:40 +02:00
ethernet	net/mlx5: Fix slab-out-of-bounds while reading resource dump menu	2022-05-12 12:25:43 +02:00
fddi
fjes	fjes: Check for error irq	2021-12-29 12:25:57 +01:00
hamradio	hamradio: remove needs_free_netdev to avoid UAF	2022-04-20 09:23:09 +02:00
hippi	drivers: net: hippi: Fix deadlock in rr_close()	2022-05-09 09:05:06 +02:00
hyperv	hv_netvsc: Add check for kvmalloc_array	2022-03-23 09:13:28 +01:00
ieee802154	net: ieee802154: ca8210: Fix lifs/sifs periods	2022-02-23 12:01:02 +01:00
ipa	net: ipa: prevent concurrent replenish	2022-02-05 12:37:55 +01:00
ipvlan
mdio	net: mdio: Alphabetically sort header inclusion	2022-04-20 09:23:12 +02:00
netdevsim	netdevsim: Zero-initialize memory for new map's value in function nsim_bpf_map_alloc	2021-12-22 09:30:55 +01:00
pcs
phy	net: phy: marvell10g: fix return value on error	2022-05-09 09:05:05 +02:00
plip
ppp	ppp: ensure minimum packet size in ppp_write()	2022-01-27 10:54:01 +01:00
slip	drivers: net: slip: fix NPD bug in sl_tx_timeout()	2022-04-20 09:23:24 +02:00
team
usb	net: usb: aqc111: Fix out-of-bounds accesses in RX fixup	2022-04-20 09:23:23 +02:00
vmxnet3	vmxnet3: do not stop tx queues after netif_device_detach()	2021-11-18 14:03:43 +01:00
wan
wimax
wireguard	wireguard: device: check for metadata_dst with skb_valid_dst()	2022-05-09 09:05:03 +02:00
wireless	brcmfmac: sdio: Fix undefined behavior due to shift overflowing the constant	2022-04-27 13:53:53 +02:00
xen-netback	Revert "xen-netback: Check for hotplug-status existence before watching"	2022-03-16 14:16:00 +01:00
bareudp.c	bareudp: use ipv6_mod_enabled to check if IPv6 enabled	2022-04-08 14:40:22 +02:00
dummy.c
eql.c
geneve.c
gtp.c
ifb.c	ifb: fix building without CONFIG_NET_CLS_ACT	2021-11-18 14:03:49 +01:00
Kconfig	ifb: Depend on netfilter alternatively to tc	2021-11-18 14:03:46 +01:00
LICENSE.SRC
loopback.c
macsec.c	net: macsec: Verify that send_sci is on when setting Tx sci explicitly	2022-02-08 18:30:38 +01:00
macvlan.c
macvtap.c	macvtap: advertise link netns via netlink	2022-04-13 21:00:59 +02:00
Makefile
mdio.c
mii.c
net_failover.c
netconsole.c
nlmon.c
ntb_netdev.c
rionet.c
sb1000.c
Space.c
sungem_phy.c
tap.c	tuntap: add sanity checks about msg_controllen in sendmsg	2022-04-13 21:00:59 +02:00
thunderbolt.c
tun.c	tuntap: add sanity checks about msg_controllen in sendmsg	2022-04-13 21:00:59 +02:00
veth.c	veth: Ensure eth header is in skb's linear part	2022-04-20 09:23:11 +02:00
virtio_net.c
vrf.c	vrf: don't run conntrack on vrf with !dflt qdisc	2021-12-14 11:32:36 +01:00
vsockmon.c
vxlan.c	vxlan: fix error return code in vxlan_fdb_append	2022-04-27 13:53:53 +02:00
xen-netfront.c	xen/netfront: react properly to failing gnttab_end_foreign_access_ref()	2022-03-11 12:11:55 +01:00