From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Manish Chopra <manishc@marvell.com>,
Ariel Elior <aelior@marvell.com>,
"David S . Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.20 47/72] qed: Fix stack out of bounds bug
Date: Sat, 23 Feb 2019 16:03:57 -0500 [thread overview]
Message-ID: <20190223210422.199966-47-sashal@kernel.org> (raw)
In-Reply-To: <20190223210422.199966-1-sashal@kernel.org>
From: Manish Chopra <manishc@marvell.com>
[ Upstream commit ffb057f98928aa099b08e419bbe5afc26ec9f448 ]
KASAN reported following bug in qed_init_qm_get_idx_from_flags
due to inappropriate casting of "pq_flags". Fix the type of "pq_flags".
[ 196.624707] BUG: KASAN: stack-out-of-bounds in qed_init_qm_get_idx_from_flags+0x1a4/0x1b8 [qed]
[ 196.624712] Read of size 8 at addr ffff809b00bc7360 by task kworker/0:9/1712
[ 196.624714]
[ 196.624720] CPU: 0 PID: 1712 Comm: kworker/0:9 Not tainted 4.18.0-60.el8.aarch64+debug #1
[ 196.624723] Hardware name: To be filled by O.E.M. Saber/Saber, BIOS 0ACKL024 09/26/2018
[ 196.624733] Workqueue: events work_for_cpu_fn
[ 196.624738] Call trace:
[ 196.624742] dump_backtrace+0x0/0x2f8
[ 196.624745] show_stack+0x24/0x30
[ 196.624749] dump_stack+0xe0/0x11c
[ 196.624755] print_address_description+0x68/0x260
[ 196.624759] kasan_report+0x178/0x340
[ 196.624762] __asan_report_load_n_noabort+0x38/0x48
[ 196.624786] qed_init_qm_get_idx_from_flags+0x1a4/0x1b8 [qed]
[ 196.624808] qed_init_qm_info+0xec0/0x2200 [qed]
[ 196.624830] qed_resc_alloc+0x284/0x7e8 [qed]
[ 196.624853] qed_slowpath_start+0x6cc/0x1ae8 [qed]
[ 196.624864] __qede_probe.isra.10+0x1cc/0x12c0 [qede]
[ 196.624874] qede_probe+0x78/0xf0 [qede]
[ 196.624879] local_pci_probe+0xc4/0x180
[ 196.624882] work_for_cpu_fn+0x54/0x98
[ 196.624885] process_one_work+0x758/0x1900
[ 196.624888] worker_thread+0x4e0/0xd18
[ 196.624892] kthread+0x2c8/0x350
[ 196.624897] ret_from_fork+0x10/0x18
[ 196.624899]
[ 196.624902] Allocated by task 2:
[ 196.624906] kasan_kmalloc.part.1+0x40/0x108
[ 196.624909] kasan_kmalloc+0xb4/0xc8
[ 196.624913] kasan_slab_alloc+0x14/0x20
[ 196.624916] kmem_cache_alloc_node+0x1dc/0x480
[ 196.624921] copy_process.isra.1.part.2+0x1d8/0x4a98
[ 196.624924] _do_fork+0x150/0xfa0
[ 196.624926] kernel_thread+0x48/0x58
[ 196.624930] kthreadd+0x3a4/0x5a0
[ 196.624932] ret_from_fork+0x10/0x18
[ 196.624934]
[ 196.624937] Freed by task 0:
[ 196.624938] (stack is not available)
[ 196.624940]
[ 196.624943] The buggy address belongs to the object at ffff809b00bc0000
[ 196.624943] which belongs to the cache thread_stack of size 32768
[ 196.624946] The buggy address is located 29536 bytes inside of
[ 196.624946] 32768-byte region [ffff809b00bc0000, ffff809b00bc8000)
[ 196.624948] The buggy address belongs to the page:
[ 196.624952] page:ffff7fe026c02e00 count:1 mapcount:0 mapping:ffff809b4001c000 index:0x0 compound_mapcount: 0
[ 196.624960] flags: 0xfffff8000008100(slab|head)
[ 196.624967] raw: 0fffff8000008100 dead000000000100 dead000000000200 ffff809b4001c000
[ 196.624970] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 196.624973] page dumped because: kasan: bad access detected
[ 196.624974]
[ 196.624976] Memory state around the buggy address:
[ 196.624980] ffff809b00bc7200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 196.624983] ffff809b00bc7280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 196.624985] >ffff809b00bc7300: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f2 f2 f2
[ 196.624988] ^
[ 196.624990] ffff809b00bc7380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 196.624993] ffff809b00bc7400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 196.624995] ==================================================================
Signed-off-by: Manish Chopra <manishc@marvell.com>
Signed-off-by: Ariel Elior <aelior@marvell.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/qlogic/qed/qed_dev.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/qlogic/qed/qed_dev.c b/drivers/net/ethernet/qlogic/qed/qed_dev.c
index 88a8576ca9cea..f81abed29a764 100644
--- a/drivers/net/ethernet/qlogic/qed/qed_dev.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_dev.c
@@ -480,19 +480,19 @@ static void qed_init_qm_pq(struct qed_hwfn *p_hwfn,
/* get pq index according to PQ_FLAGS */
static u16 *qed_init_qm_get_idx_from_flags(struct qed_hwfn *p_hwfn,
- u32 pq_flags)
+ unsigned long pq_flags)
{
struct qed_qm_info *qm_info = &p_hwfn->qm_info;
/* Can't have multiple flags set here */
- if (bitmap_weight((unsigned long *)&pq_flags,
+ if (bitmap_weight(&pq_flags,
sizeof(pq_flags) * BITS_PER_BYTE) > 1) {
- DP_ERR(p_hwfn, "requested multiple pq flags 0x%x\n", pq_flags);
+ DP_ERR(p_hwfn, "requested multiple pq flags 0x%lx\n", pq_flags);
goto err;
}
if (!(qed_get_pq_flags(p_hwfn) & pq_flags)) {
- DP_ERR(p_hwfn, "pq flag 0x%x is not set\n", pq_flags);
+ DP_ERR(p_hwfn, "pq flag 0x%lx is not set\n", pq_flags);
goto err;
}
--
2.19.1
next prev parent reply other threads:[~2019-02-23 21:31 UTC|newest]
Thread overview: 74+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-23 21:03 [PATCH AUTOSEL 4.20 01/72] vti4: Fix a ipip packet processing bug in 'IPCOMP' virtual tunnel Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 02/72] xfrm: refine validation of template and selector families Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 03/72] xfrm: Make set-mark default behavior backward compatible Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 04/72] perf ordered_events: Fix crash in ordered_events__free Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 05/72] netfilter: nft_compat: use refcnt_t type for nft_xt reference count Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 06/72] netfilter: nft_compat: make lists per netns Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 07/72] netfilter: nft_compat: destroy function must not have side effects Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 08/72] perf script: Fix crash with printing mixed trace point and other events Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 09/72] perf core: Fix perf_proc_update_handler() bug Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 10/72] perf python: Remove -fstack-clash-protection when building with some clang versions Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 11/72] perf tools: Handle TOPOLOGY headers with no CPU Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 12/72] perf script: Fix crash when processing recorded stat data Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 13/72] IB/{hfi1, qib}: Fix WC.byte_len calculation for UD_SEND_WITH_IMM Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 14/72] iommu/amd: Call free_iova_fast with pfn in map_sg Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 15/72] iommu/amd: Unmap all mapped pages in error path of map_sg Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 16/72] riscv: fixup max_low_pfn with PFN_DOWN Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 17/72] ipvs: Fix signed integer overflow when setsockopt timeout Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 18/72] iommu/amd: Fix IOMMU page flush when detach device from a domain Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 19/72] clk: ti: Fix error handling in ti_clk_parse_divider_data() Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 20/72] clk: qcom: gcc: Use active only source for CPUSS clocks Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 21/72] xtensa: SMP: fix ccount_timer_shutdown Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 22/72] RDMA/umem: Add missing initialization of owning_mm Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 23/72] riscv: Adjust mmap base address at a third of task size Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 24/72] IB/ipoib: Fix for use-after-free in ipoib_cm_tx_start Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 25/72] selftests: cpu-hotplug: fix case where CPUs offline > CPUs present Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 26/72] xtensa: SMP: fix secondary CPU initialization Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 27/72] xtensa: smp_lx200_defconfig: fix vectors clash Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 28/72] xtensa: SMP: mark each possible CPU as present Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 29/72] iomap: get/put the page in iomap_page_create/release() Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 30/72] iomap: fix a use after free in iomap_dio_rw Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 31/72] xtensa: SMP: limit number of possible CPUs by NR_CPUS Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 32/72] net: altera_tse: fix msgdma_tx_completion on non-zero fill_level case Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 33/72] net: hns: Fix for missing of_node_put() after of_parse_phandle() Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 34/72] net: hns: Restart autoneg need return failed when autoneg off Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 35/72] net: hns: Fix wrong read accesses via Clause 45 MDIO protocol Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 36/72] net: stmmac: dwmac-rk: fix error handling in rk_gmac_powerup() Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 37/72] netfilter: ebtables: compat: un-break 32bit setsockopt when no rules are present Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 38/72] netfilter: nfnetlink_osf: add missing fmatch check Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 39/72] gpio: vf610: Mask all GPIO interrupts Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 40/72] selftests: net: use LDLIBS instead of LDFLAGS Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 41/72] selftests: timers: " Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 42/72] nfs: Fix NULL pointer dereference of dev_name Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 43/72] qed: Fix bug in tx promiscuous mode settings Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 44/72] qed: Fix LACP pdu drops for VFs Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 45/72] qed: Fix VF probe failure while FLR Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 46/72] qed: Fix system crash in ll2 xmit Sasha Levin
2019-02-23 21:03 ` Sasha Levin [this message]
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 48/72] scsi: libfc: free skb when receiving invalid flogi resp Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 49/72] scsi: scsi_debug: fix write_same with virtual_gb problem Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 50/72] scsi: bnx2fc: Fix error handling in probe() Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 51/72] scsi: 53c700: pass correct "dev" to dma_alloc_attrs() Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 52/72] platform/x86: Fix unmet dependency warning for ACPI_CMPC Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 53/72] platform/x86: Fix unmet dependency warning for SAMSUNG_Q10 Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 54/72] x86/cpu: Add Atom Tremont (Jacobsville) Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 55/72] net: macb: Apply RXUBR workaround only to versions with errata Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 56/72] x86/boot/compressed/64: Set EFER.LME=1 in 32-bit trampoline before returning to long mode Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 57/72] cifs: fix computation for MAX_SMB2_HDR_SIZE Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 58/72] blk-mq: fix a hung issue when fsync Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 59/72] x86/microcode/amd: Don't falsely trick the late loading mechanism Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 60/72] apparmor: Fix warning about unused function apparmor_ipv6_postroute Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 61/72] arm64: kprobe: Always blacklist the KVM world-switch code Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 62/72] apparmor: Fix aa_label_build() error handling for failed merges Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 63/72] x86/kexec: Don't setup EFI info if EFI runtime is not enabled Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 64/72] proc: fix /proc/net/* after setns(2) Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 65/72] x86_64: increase stack size for KASAN_EXTRA Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 66/72] mm, memory_hotplug: is_mem_section_removable do not pass the end of a zone Sasha Levin
2019-02-26 12:46 ` Mike Rapoport
2019-03-11 15:21 ` Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 67/72] mm, memory_hotplug: test_pages_in_a_zone do not pass the end of zone Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 68/72] psi: fix aggregation idle shut-off Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 69/72] lib/test_kmod.c: potential double free in error handling Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 70/72] fs/drop_caches.c: avoid softlockups in drop_pagecache_sb() Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 71/72] autofs: drop dentry reference only when it is never used Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 72/72] autofs: fix error return in autofs_fill_super() Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190223210422.199966-47-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=aelior@marvell.com \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=manishc@marvell.com \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).