From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Sasha Levin <sashal@kernel.org>,
Vaibhav Jain <vaibhav@linux.ibm.com>,
linuxppc-dev@lists.ozlabs.org,
"Aneesh Kumar K . V" <aneesh.kumar@linux.ibm.com>
Subject: [PATCH AUTOSEL 5.4 010/134] powerpc/papr_scm: Fix an off-by-one check in papr_scm_meta_{get, set}
Date: Wed, 11 Dec 2019 10:09:46 -0500
Message-ID: <20191211151150.19073-10-sashal@kernel.org>
In-Reply-To: <20191211151150.19073-1-sashal@kernel.org>
From: Vaibhav Jain <vaibhav@linux.ibm.com>
[ Upstream commit 612ee81b9461475b5a5612c2e8d71559dd3c7920 ]
A validation check to prevent out-of-bounds read/write inside
functions papr_scm_meta_{get,set}() is off-by-one, which prevents reads
and writes to the last byte of the label area.
This bug manifests as a failure to probe a dimm when libnvdimm is
unable to read the entire config-area as advertised by
ND_CMD_GET_CONFIG_SIZE. This usually happens when there are a large
number of namespaces created in the region backed by the dimm and the
label-index spans the max possible config-area. An error of the form below
is usually reported in the kernel logs:
[ 255.293912] nvdimm: probe of nmem0 failed with error -22
The patch fixes these validation checks, thereby letting libnvdimm
access the entire config-area.
Fixes: 53e80bd042773('powerpc/nvdimm: Add support for multibyte read/write for metadata')
Signed-off-by: Vaibhav Jain <vaibhav@linux.ibm.com>
Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20190927062002.3169-1-vaibhav@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/platforms/pseries/papr_scm.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/powerpc/platforms/pseries/papr_scm.c b/arch/powerpc/platforms/pseries/papr_scm.c
index 61883291defc3..ee07d0718bf1a 100644
--- a/arch/powerpc/platforms/pseries/papr_scm.c
+++ b/arch/powerpc/platforms/pseries/papr_scm.c
@@ -152,7 +152,7 @@ static int papr_scm_meta_get(struct papr_scm_priv *p,
int len, read;
int64_t ret;
- if ((hdr->in_offset + hdr->in_length) >= p->metadata_size)
+ if ((hdr->in_offset + hdr->in_length) > p->metadata_size)
return -EINVAL;
for (len = hdr->in_length; len; len -= read) {
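Review bot: The corrected bound in papr_scm_meta_get() is still evaluated on the sum `hdr->in_offset + hdr->in_length`, so it is only sound if that addition cannot wrap. If both fields are fixed-width unsigned values taken from the caller's header, a large in_offset can wrap the sum to a small value that passes `> p->metadata_size`. Comparing without the addition avoids this, for example `if (hdr->in_offset > p->metadata_size || hdr->in_length > p->metadata_size - hdr->in_offset) return -EINVAL;`. Also in this hunk, `len` is declared `int` and is initialised from `hdr->in_length` in the loop header, so it is worth confirming that the bound on metadata_size keeps in_length within the positive range of int, or making `len` unsigned.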
@@ -206,7 +206,7 @@ static int papr_scm_meta_set(struct papr_scm_priv *p,
__be64 data_be;
int64_t ret;
- if ((hdr->in_offset + hdr->in_length) >= p->metadata_size)
+ if ((hdr->in_offset + hdr->in_length) > p->metadata_size)
return -EINVAL;
for (len = hdr->in_length; len; len -= wrote) {
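Review bot: The condition in papr_scm_meta_set() is a second hand-written copy of the bound in papr_scm_meta_get(), and the same off-by-one had to be fixed in both places. A small shared helper used by the get and set paths would keep them from drifting apart. A one-line comment should state that the range is end-exclusive, that is, `hdr->in_offset + hdr->in_length == p->metadata_size` is valid and addresses the last byte of the label area. Since this is the write path, any overflow-safe form of the comparison adopted for the read path should be applied here as well.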
--
2.20.1