From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DA66B7E for ; Wed, 2 Nov 2022 02:43:42 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id BB7E9C433C1; Wed, 2 Nov 2022 02:43:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1667357022; bh=B6T3udP1xuHRUwOetjuRpOW65wP3XOTrZTFLS5o+t24=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=kjSSlmzDXC6VBjwqRH6l0GZ2W5LXZ1QSxbkfqFz+2xqsI12eR0ckv9PDix15VEdlF elL1TLsypQZqyZKSw7I1iKkKfMlFRR8vshl+qsh4zotPY5Hf7jL3NhXxYa7okNs9Hw Mjkx/OnL8vQd1XTTI1KA0XP+lo5VyyqiDVS857+Q= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Alexander Egorenkov , Vineeth Vijayan , Peter Oberparleiter , Vasily Gorbik Subject: [PATCH 6.0 100/240] s390/cio: fix out-of-bounds access on cio_ignore free Date: Wed, 2 Nov 2022 03:31:15 +0100 Message-Id: <20221102022113.655137701@linuxfoundation.org> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20221102022111.398283374@linuxfoundation.org> References: <20221102022111.398283374@linuxfoundation.org> User-Agent: quilt/0.67 Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit From: Peter Oberparleiter commit 1b6074112742f65ece71b0f299ca5a6a887d2db6 upstream. The channel-subsystem-driver scans for newly available devices whenever device-IDs are removed from the cio_ignore list using a command such as: echo free >/proc/cio_ignore Since an I/O device scan might interfer with running I/Os, commit 172da89ed0ea ("s390/cio: avoid excessive path-verification requests") introduced an optimization to exclude online devices from the scan. The newly added check for online devices incorrectly assumes that an I/O-subchannel's drvdata points to a struct io_subchannel_private. For devices that are bound to a non-default I/O subchannel driver, such as the vfio_ccw driver, this results in an out-of-bounds read access during each scan. Fix this by changing the scan logic to rely on a driver-independent online indication. For this we can use struct subchannel->config.ena, which is the driver's requested subchannel-enabled state. Since I/Os can only be started on enabled subchannels, this matches the intent of the original optimization of not scanning devices where I/O might be running. Fixes: 172da89ed0ea ("s390/cio: avoid excessive path-verification requests") Fixes: 0c3812c347bf ("s390/cio: derive cdev information only for IO-subchannels") Cc: # v5.15 Reported-by: Alexander Egorenkov Reviewed-by: Vineeth Vijayan Signed-off-by: Peter Oberparleiter Signed-off-by: Vasily Gorbik Signed-off-by: Greg Kroah-Hartman --- drivers/s390/cio/css.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) --- a/drivers/s390/cio/css.c +++ b/drivers/s390/cio/css.c @@ -753,13 +753,9 @@ static int __unset_online(struct device { struct idset *set = data; struct subchannel *sch = to_subchannel(dev); - struct ccw_device *cdev; - if (sch->st == SUBCHANNEL_TYPE_IO) { - cdev = sch_get_cdev(sch); - if (cdev && cdev->online) - idset_sch_del(set, sch->schid); - } + if (sch->st == SUBCHANNEL_TYPE_IO && sch->config.ena) + idset_sch_del(set, sch->schid); return 0; }