From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Jesse Brandeburg <jesse.brandeburg@intel.com>,
Andrew Bowers <andrewx.bowers@intel.com>,
Jeff Kirsher <jeffrey.t.kirsher@intel.com>,
Sasha Levin <sashal@kernel.org>,
intel-wired-lan@lists.osuosl.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.4 171/205] ice: fix stack leakage
Date: Thu, 16 Jan 2020 11:42:26 -0500 [thread overview]
Message-ID: <20200116164300.6705-171-sashal@kernel.org> (raw)
In-Reply-To: <20200116164300.6705-1-sashal@kernel.org>
From: Jesse Brandeburg <jesse.brandeburg@intel.com>
[ Upstream commit 949375de945f7042df2b6488228a1a2b36e69f35 ]
In the case of an invalid virtchannel request the driver
would return uninitialized data to the VF from the PF stack
which is a bug. Fix by initializing the stack variable
earlier in the function before any return paths can be taken.
Fixes: 1071a8358a28 ("ice: Implement virtchnl commands for AVF support")
Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
index c0637a0cbfe8..e92a00a61755 100644
--- a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
+++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
@@ -1873,8 +1873,8 @@ static int ice_vc_get_stats_msg(struct ice_vf *vf, u8 *msg)
enum virtchnl_status_code v_ret = VIRTCHNL_STATUS_SUCCESS;
struct virtchnl_queue_select *vqs =
(struct virtchnl_queue_select *)msg;
+ struct ice_eth_stats stats = { 0 };
struct ice_pf *pf = vf->pf;
- struct ice_eth_stats stats;
struct ice_vsi *vsi;
if (!test_bit(ICE_VF_STATE_ACTIVE, vf->vf_states)) {
@@ -1893,7 +1893,6 @@ static int ice_vc_get_stats_msg(struct ice_vf *vf, u8 *msg)
goto error_param;
}
- memset(&stats, 0, sizeof(struct ice_eth_stats));
ice_update_eth_stats(vsi);
stats = vsi->eth_stats;
--
2.20.1
next prev parent reply other threads:[~2020-01-16 19:21 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20200116164300.6705-1-sashal@kernel.org>
2020-01-16 16:39 ` [PATCH AUTOSEL 5.4 008/205] mt7601u: fix bbp version check in mt7601u_wait_bbp_ready Sasha Levin
2020-01-16 16:39 ` [PATCH AUTOSEL 5.4 018/205] cw1200: Fix a signedness bug in cw1200_load_firmware() Sasha Levin
2020-01-16 16:39 ` [PATCH AUTOSEL 5.4 022/205] rtw88: fix beaconing mode rsvd_page memory violation issue Sasha Levin
2020-01-16 16:39 ` [PATCH AUTOSEL 5.4 023/205] rtw88: fix error handling when setup efuse info Sasha Levin
2020-01-16 16:40 ` [PATCH AUTOSEL 5.4 028/205] net: phy: broadcom: Fix RGMII delays configuration for BCM54210E Sasha Levin
2020-01-16 16:40 ` [PATCH AUTOSEL 5.4 030/205] dpaa2-eth: Fix minor bug in ethtool stats reporting Sasha Levin
2020-01-16 16:40 ` [PATCH AUTOSEL 5.4 049/205] net: netsec: Correct dma sync for XDP_TX frames Sasha Levin
2020-01-16 16:40 ` [PATCH AUTOSEL 5.4 057/205] rtlwifi: Remove unnecessary NULL check in rtl_regd_init Sasha Levin
2020-01-16 16:40 ` [PATCH AUTOSEL 5.4 058/205] xprtrdma: Connection becomes unstable after a reconnect Sasha Levin
2020-01-16 16:40 ` [PATCH AUTOSEL 5.4 059/205] xprtrdma: Fix MR list handling Sasha Levin
2020-01-16 16:40 ` [PATCH AUTOSEL 5.4 064/205] iwlwifi: mvm: consider ieee80211 station max amsdu value Sasha Levin
2020-01-16 16:40 ` [PATCH AUTOSEL 5.4 077/205] libbpf: Fix compatibility for kernels without need_wakeup Sasha Levin
2020-01-16 16:40 ` [PATCH AUTOSEL 5.4 080/205] libbpf: Don't use kernel-side u32 type in xsk.c Sasha Levin
2020-01-16 16:40 ` [PATCH AUTOSEL 5.4 083/205] SUNRPC: Fix svcauth_gss_proxy_init() Sasha Levin
2020-01-16 16:40 ` [PATCH AUTOSEL 5.4 084/205] rtw88: fix potential read outside array boundary Sasha Levin
2020-01-16 16:41 ` [PATCH AUTOSEL 5.4 087/205] dpaa_eth: perform DMA unmapping before read Sasha Levin
2020-01-16 16:41 ` [PATCH AUTOSEL 5.4 088/205] dpaa_eth: avoid timestamp read on error paths Sasha Levin
2020-01-16 16:41 ` [PATCH AUTOSEL 5.4 096/205] net: openvswitch: don't unlock mutex when changing the user_features fails Sasha Levin
2020-01-16 16:41 ` [PATCH AUTOSEL 5.4 102/205] hv_netvsc: flag software created hash value Sasha Levin
2020-01-16 16:41 ` [PATCH AUTOSEL 5.4 104/205] rt2800: remove errornous duplicate condition Sasha Levin
2020-01-16 16:41 ` [PATCH AUTOSEL 5.4 107/205] net: neigh: use long type to store jiffies delta Sasha Levin
2020-01-16 16:41 ` [PATCH AUTOSEL 5.4 108/205] tipc: reduce sensitive to retransmit failures Sasha Levin
2020-01-16 16:41 ` [PATCH AUTOSEL 5.4 109/205] net: axienet: Fix error return code in axienet_probe() Sasha Levin
2020-01-16 16:41 ` [PATCH AUTOSEL 5.4 111/205] libbpf: Fix memory leak/double free issue Sasha Levin
2020-01-16 16:41 ` [PATCH AUTOSEL 5.4 112/205] libbpf: Fix potential overflow issue Sasha Levin
2020-01-16 16:41 ` [PATCH AUTOSEL 5.4 113/205] libbpf: Fix another potential overflow issue in bpf_prog_linfo Sasha Levin
2020-01-16 16:41 ` [PATCH AUTOSEL 5.4 114/205] libbpf: Make btf__resolve_size logic always check size error condition Sasha Levin
2020-01-16 16:41 ` [PATCH AUTOSEL 5.4 121/205] packet: fix data-race in fanout_flow_is_huge() Sasha Levin
2020-01-16 16:41 ` [PATCH AUTOSEL 5.4 137/205] tipc: update mon's self addr when node addr generated Sasha Levin
2020-01-16 16:41 ` [PATCH AUTOSEL 5.4 142/205] iwlwifi: mvm: fix support for single antenna diversity Sasha Levin
2020-01-16 16:42 ` [PATCH AUTOSEL 5.4 148/205] netfilter: nf_tables_offload: release flow_rule on error from commit path Sasha Levin
2020-01-16 16:42 ` [PATCH AUTOSEL 5.4 149/205] SUNRPC: Fix another issue with MIC buffer space Sasha Levin
2020-01-16 16:42 ` [PATCH AUTOSEL 5.4 155/205] libbpf: Fix call relocation offset calculation bug Sasha Levin
2020-01-16 16:42 ` [PATCH AUTOSEL 5.4 159/205] mt76: mt76u: rely on usb_interface instead of usb_dev Sasha Levin
2020-01-16 16:42 ` [PATCH AUTOSEL 5.4 164/205] bpf: skmsg, fix potential psock NULL pointer dereference Sasha Levin
2020-01-16 16:42 ` [PATCH AUTOSEL 5.4 165/205] SUNRPC: Fix backchannel latency metrics Sasha Levin
2020-01-16 16:42 ` Sasha Levin [this message]
2020-01-16 16:42 ` [PATCH AUTOSEL 5.4 172/205] xdp: Fix cleanup on map free for devmap_hash map type Sasha Levin
2020-01-16 16:42 ` [PATCH AUTOSEL 5.4 179/205] bpf: Support pre-2.25-binutils objcopy for vmlinux BTF Sasha Levin
2020-01-16 16:42 ` [PATCH AUTOSEL 5.4 180/205] libbpf: Fix Makefile' libbpf symbol mismatch diagnostic Sasha Levin
2020-01-16 16:42 ` [PATCH AUTOSEL 5.4 181/205] ath9k: use iowrite32 over __raw_writel Sasha Levin
2020-01-16 16:42 ` [PATCH AUTOSEL 5.4 183/205] tipc: fix potential memory leak in __tipc_sendmsg() Sasha Levin
2020-01-16 16:42 ` [PATCH AUTOSEL 5.4 184/205] tipc: fix wrong socket reference counter after tipc_sk_timeout() returns Sasha Levin
2020-01-16 16:42 ` [PATCH AUTOSEL 5.4 185/205] tipc: fix wrong timeout input for tipc_wait_for_cond() Sasha Levin
2020-01-16 16:42 ` [PATCH AUTOSEL 5.4 186/205] bpf: Force .BTF section start to zero when dumping from vmlinux Sasha Levin
2020-01-16 16:42 ` [PATCH AUTOSEL 5.4 188/205] sch_cake: Add missing NLA policy entry TCA_CAKE_SPLIT_GSO Sasha Levin
2020-01-16 16:42 ` [PATCH AUTOSEL 5.4 191/205] samples/bpf: Fix broken xdp_rxq_info due to map order assumptions Sasha Levin
2020-01-16 16:42 ` [PATCH AUTOSEL 5.4 195/205] net/mlx5e: Fix free peer_flow when refcount is 0 Sasha Levin
2020-01-16 16:42 ` [PATCH AUTOSEL 5.4 197/205] net-sysfs: Call dev_hold always in netdev_queue_add_kobject Sasha Levin
2020-01-16 16:42 ` [PATCH AUTOSEL 5.4 201/205] tipc: fix potential hanging after b/rcast changing Sasha Levin
2020-01-16 16:42 ` [PATCH AUTOSEL 5.4 202/205] tipc: fix retrans failure due to wrong destination Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200116164300.6705-171-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=andrewx.bowers@intel.com \
--cc=intel-wired-lan@lists.osuosl.org \
--cc=jeffrey.t.kirsher@intel.com \
--cc=jesse.brandeburg@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).