linux-uconsole/drivers/net/ethernet
Aya Levin 5f884e0c2e net/mlx5: Fix slab-out-of-bounds while reading resource dump menu
[ Upstream commit 7ba2d9d8de ]

Resource dump menu may span over more than a single page, support it.
Otherwise, menu read may result in a memory access violation: reading
outside of the allocated page.
Note that page format of the first menu page contains menu headers while
the proceeding menu pages contain only records.

The KASAN logs are as follows:
BUG: KASAN: slab-out-of-bounds in strcmp+0x9b/0xb0
Read of size 1 at addr ffff88812b2e1fd0 by task systemd-udevd/496

CPU: 5 PID: 496 Comm: systemd-udevd Tainted: G    B  5.16.0_for_upstream_debug_2022_01_10_23_12 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x57/0x7d
 print_address_description.constprop.0+0x1f/0x140
 ? strcmp+0x9b/0xb0
 ? strcmp+0x9b/0xb0
 kasan_report.cold+0x83/0xdf
 ? strcmp+0x9b/0xb0
 strcmp+0x9b/0xb0
 mlx5_rsc_dump_init+0x4ab/0x780 [mlx5_core]
 ? mlx5_rsc_dump_destroy+0x80/0x80 [mlx5_core]
 ? lockdep_hardirqs_on_prepare+0x286/0x400
 ? raw_spin_unlock_irqrestore+0x47/0x50
 ? aomic_notifier_chain_register+0x32/0x40
 mlx5_load+0x104/0x2e0 [mlx5_core]
 mlx5_init_one+0x41b/0x610 [mlx5_core]
 ....
The buggy address belongs to the object at ffff88812b2e0000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 4048 bytes to the right of
 4096-byte region [ffff88812b2e0000, ffff88812b2e1000)
The buggy address belongs to the page:
page:000000009d69807a refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88812b2e6000 pfn:0x12b2e0
head:000000009d69807a order:3 compound_mapcount:0 compound_pincount:0
flags: 0x8000000000010200(slab|head|zone=2)
raw: 8000000000010200 0000000000000000 dead000000000001 ffff888100043040
raw: ffff88812b2e6000 0000000080040000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88812b2e1e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88812b2e1f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88812b2e1f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                 ^
 ffff88812b2e2000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88812b2e2080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Fixes: 12206b1723 ("net/mlx5: Add support for resource dump")
Signed-off-by: Aya Levin <ayal@nvidia.com>
Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-05-12 12:25:43 +02:00
3com
8390 net:mcf8390: Use platform_get_irq() to get the interrupt 2022-04-08 14:39:48 +02:00
adaptec
aeroflex net: ethernet: aeroflex: fix UAF in greth_of_remove 2021-07-14 16:56:24 +02:00
agere
alacritech
allwinner
alteon
altera net: altera: set a couple error code in probe() 2021-12-14 11:32:43 +01:00
amazon net: ena: Fix error handling when calculating max IO queues number 2022-01-11 15:25:01 +01:00
amd net: amd-xgbe: disable interrupts during pci removal 2022-02-16 12:54:26 +01:00
apm drivers: net: xgene: Fix regression in CRC stripping 2022-03-28 09:57:09 +02:00
apple
aquantia net: atlantic: invert deep par in pm functions, preventing null derefs 2022-04-27 13:53:55 +02:00
arc net: arc: select CRC32 2021-10-20 11:45:03 +02:00
atheros net: ag71xx: Fix a potential double free in error handling paths 2022-01-05 12:40:31 +01:00
aurora
broadcom bnxt_en: Fix unnecessary dropping of RX packets 2022-05-12 12:25:42 +02:00
brocade
cadence net: macb: Restart tx only if queue pointer is lagging 2022-04-27 13:53:54 +02:00
calxeda
cavium cavium: Fix return values of the probe function 2021-11-18 14:03:41 +01:00
chelsio net: chelsio: cxgb3: check the return value of pci_find_capability() 2022-03-08 19:09:37 +01:00
cirrus
cisco ethernet:enic: Fix a use after free bug in enic_hard_start_xmit 2021-05-19 10:13:06 +02:00
cortina net: gemini: allow any RGMII interface mode 2022-01-27 10:54:20 +01:00
davicom
dec net: ethernet: dec: tulip: de4x5: fix possible array overflows in type3_infoblock() 2021-12-08 09:03:20 +01:00
dlink
emulex Revert "be2net: disable bh with spin_lock in be_process_mcc" 2021-07-14 16:56:29 +02:00
ezchip net: ethernet: ezchip: fix error handling 2021-07-14 16:56:24 +02:00
faraday net: ftgmac100: add missing error return code in ftgmac100_probe() 2021-07-14 16:56:16 +02:00
freescale net: fec: add missing of_node_put() in fec_enet_init_stop_mode() 2022-05-09 09:05:05 +02:00
fujitsu net: fujitsu: fix potential null-ptr-deref 2021-06-03 09:00:40 +02:00
google gve: fix the wrong AdminQ buffer queue index check 2022-02-08 18:30:39 +01:00
hisilicon net: hns3: add return value for mailbox handling in PF 2022-05-09 09:05:04 +02:00
huawei hinic: fix bug of wq out of bound access 2022-05-12 12:25:41 +02:00
i825xx lib82596: Fix IRQ check in sni_82596_probe 2022-01-27 10:54:36 +01:00
ibm Revert "ibmvnic: Add ethtool private flag for driver-defined queue limits" 2022-05-09 09:05:06 +02:00
intel ixgbe: ensure IPsec VF<->PF compatibility 2022-05-09 09:05:05 +02:00
marvell octeontx2-pf: Forward error codes to VF 2022-02-01 17:25:45 +01:00
mediatek net: ethernet: mediatek: add missing of_node_put() in mtk_sgmii_init() 2022-05-12 12:25:40 +02:00
mellanox net/mlx5: Fix slab-out-of-bounds while reading resource dump menu 2022-05-12 12:25:43 +02:00
micrel Revert "net: micrel: fix KS8851_MLL Kconfig" 2022-04-27 13:53:58 +02:00
microchip lan743x: fix deadlock in lan743x_phy_link_status_change() 2021-12-01 09:19:06 +01:00
moxa net: moxa: fix UAF in moxart_mac_probe 2021-07-25 14:36:19 +02:00
mscc net: mscc: ocelot: fix backwards compatibility with single-chain tc-flower offload 2022-03-23 09:13:28 +01:00
myricom myri10ge: fix an incorrect free for skb in myri10ge_sw_tso 2022-04-20 09:23:23 +02:00
natsemi natsemi: xtensa: fix section mismatch warnings 2021-12-08 09:03:23 +01:00
neterion ethernet: s2io: fix setting mac address during resume 2021-10-20 11:45:04 +02:00
netronome nfp: flower: Fix a potential leak in nfp_tunnel_add_shared_mac() 2022-03-02 11:42:50 +01:00
ni
nvidia
nxp net: ethernet: lpc_eth: Handle error for clk_enable 2022-03-16 14:15:58 +01:00
oki-semi net: pch_gbe: Use proper accessors to BE data in pch_ptp_match() 2021-07-19 09:44:37 +02:00
packetengines
pasemi
pensando ionic: fix type complaint in ionic_dev_cmd_clean() 2022-04-08 14:40:13 +02:00
qlogic qede: confirm skb is allocated before using 2022-04-13 21:01:06 +02:00
qualcomm net: qualcomm: fix QCA7000 checksum handling 2021-09-15 09:50:46 +02:00
rdc r6040: Restore MDIO clock frequency after MAC reset 2021-09-22 12:27:57 +02:00
realtek r8169: Add device 10ec:8162 to driver r8169 2021-11-18 14:03:43 +01:00
renesas net: renesas: sh_eth: Fix freeing wrong tx descriptor 2021-09-22 12:28:06 +02:00
rocker rocker: fix a sleeping in atomic bug 2022-01-27 10:54:01 +01:00
samsung net: sxgbe: fix return value of __setup handler 2022-03-08 19:09:35 +01:00
seeq
sfc sfc: Do not free an empty page_ring 2022-04-13 21:01:05 +02:00
sgi net: sgi: ioc3-eth: check return value after calling platform_get_resource() 2021-07-19 09:44:49 +02:00
silan
sis sis900: Fix missing pci_disable_device() in probe and remove 2021-08-04 12:46:44 +02:00
smsc smsc911x: allow using IRQ0 2022-05-12 12:25:42 +02:00
socionext
stmicro net: stmmac: dwmac-sun8i: add missing of_node_put() in sun8i_dwmac_register_mdio_mux() 2022-05-12 12:25:40 +02:00
sun ethernet: sun: Free the coherent when failing in probing 2022-04-08 14:39:47 +02:00
synopsys
tehuti
ti net: cpsw: add missing of_node_put() in cpsw_probe_dt() 2022-05-12 12:25:40 +02:00
toshiba
tundra
via
wiznet net: w5100: check return value after calling platform_get_resource() 2021-09-18 13:40:35 +02:00
xilinx net: emaclite: Add error handling for of_address_to_resource() 2022-05-12 12:25:41 +02:00
xircom
xscale
dnet.c
dnet.h
ec_bhf.c net: ethernet: fix potential use-after-free in ec_bhf_remove 2021-06-23 14:42:47 +02:00
ethoc.c
fealnx.c
jme.c
jme.h
Kconfig net: korina: select CRC32 2021-10-20 11:45:03 +02:00
korina.c
lantiq_etop.c
lantiq_xrx200.c net: lantiq_xrx200: fix statistics of received bytes 2022-01-05 12:40:31 +01:00
Makefile