| From 98487ac6081b96377fdb1bd87cadebf843c04230 Mon Sep 17 00:00:00 2001 |
| From: Manish Chopra <manishc@marvell.com> |
| Date: Mon, 28 Jan 2019 10:05:08 -0800 |
| Subject: qed: Fix stack out of bounds bug |
| |
| [ Upstream commit ffb057f98928aa099b08e419bbe5afc26ec9f448 ] |
| |
| KASAN reported following bug in qed_init_qm_get_idx_from_flags |
| due to inappropriate casting of "pq_flags". Fix the type of "pq_flags". |
| |
| [ 196.624707] BUG: KASAN: stack-out-of-bounds in qed_init_qm_get_idx_from_flags+0x1a4/0x1b8 [qed] |
| [ 196.624712] Read of size 8 at addr ffff809b00bc7360 by task kworker/0:9/1712 |
| [ 196.624714] |
| [ 196.624720] CPU: 0 PID: 1712 Comm: kworker/0:9 Not tainted 4.18.0-60.el8.aarch64+debug #1 |
| [ 196.624723] Hardware name: To be filled by O.E.M. Saber/Saber, BIOS 0ACKL024 09/26/2018 |
| [ 196.624733] Workqueue: events work_for_cpu_fn |
| [ 196.624738] Call trace: |
| [ 196.624742] dump_backtrace+0x0/0x2f8 |
| [ 196.624745] show_stack+0x24/0x30 |
| [ 196.624749] dump_stack+0xe0/0x11c |
| [ 196.624755] print_address_description+0x68/0x260 |
| [ 196.624759] kasan_report+0x178/0x340 |
| [ 196.624762] __asan_report_load_n_noabort+0x38/0x48 |
| [ 196.624786] qed_init_qm_get_idx_from_flags+0x1a4/0x1b8 [qed] |
| [ 196.624808] qed_init_qm_info+0xec0/0x2200 [qed] |
| [ 196.624830] qed_resc_alloc+0x284/0x7e8 [qed] |
| [ 196.624853] qed_slowpath_start+0x6cc/0x1ae8 [qed] |
| [ 196.624864] __qede_probe.isra.10+0x1cc/0x12c0 [qede] |
| [ 196.624874] qede_probe+0x78/0xf0 [qede] |
| [ 196.624879] local_pci_probe+0xc4/0x180 |
| [ 196.624882] work_for_cpu_fn+0x54/0x98 |
| [ 196.624885] process_one_work+0x758/0x1900 |
| [ 196.624888] worker_thread+0x4e0/0xd18 |
| [ 196.624892] kthread+0x2c8/0x350 |
| [ 196.624897] ret_from_fork+0x10/0x18 |
| [ 196.624899] |
| [ 196.624902] Allocated by task 2: |
| [ 196.624906] kasan_kmalloc.part.1+0x40/0x108 |
| [ 196.624909] kasan_kmalloc+0xb4/0xc8 |
| [ 196.624913] kasan_slab_alloc+0x14/0x20 |
| [ 196.624916] kmem_cache_alloc_node+0x1dc/0x480 |
| [ 196.624921] copy_process.isra.1.part.2+0x1d8/0x4a98 |
| [ 196.624924] _do_fork+0x150/0xfa0 |
| [ 196.624926] kernel_thread+0x48/0x58 |
| [ 196.624930] kthreadd+0x3a4/0x5a0 |
| [ 196.624932] ret_from_fork+0x10/0x18 |
| [ 196.624934] |
| [ 196.624937] Freed by task 0: |
| [ 196.624938] (stack is not available) |
| [ 196.624940] |
| [ 196.624943] The buggy address belongs to the object at ffff809b00bc0000 |
| [ 196.624943] which belongs to the cache thread_stack of size 32768 |
| [ 196.624946] The buggy address is located 29536 bytes inside of |
| [ 196.624946] 32768-byte region [ffff809b00bc0000, ffff809b00bc8000) |
| [ 196.624948] The buggy address belongs to the page: |
| [ 196.624952] page:ffff7fe026c02e00 count:1 mapcount:0 mapping:ffff809b4001c000 index:0x0 compound_mapcount: 0 |
| [ 196.624960] flags: 0xfffff8000008100(slab|head) |
| [ 196.624967] raw: 0fffff8000008100 dead000000000100 dead000000000200 ffff809b4001c000 |
| [ 196.624970] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000 |
| [ 196.624973] page dumped because: kasan: bad access detected |
| [ 196.624974] |
| [ 196.624976] Memory state around the buggy address: |
| [ 196.624980] ffff809b00bc7200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
| [ 196.624983] ffff809b00bc7280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
| [ 196.624985] >ffff809b00bc7300: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f2 f2 f2 |
| [ 196.624988] ^ |
| [ 196.624990] ffff809b00bc7380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
| [ 196.624993] ffff809b00bc7400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
| [ 196.624995] ================================================================== |
| |
| Signed-off-by: Manish Chopra <manishc@marvell.com> |
| Signed-off-by: Ariel Elior <aelior@marvell.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| drivers/net/ethernet/qlogic/qed/qed_dev.c | 8 ++++---- |
| 1 file changed, 4 insertions(+), 4 deletions(-) |
| |
| diff --git a/drivers/net/ethernet/qlogic/qed/qed_dev.c b/drivers/net/ethernet/qlogic/qed/qed_dev.c |
| index 2f69ee9221c6..4dd82a1612aa 100644 |
| --- a/drivers/net/ethernet/qlogic/qed/qed_dev.c |
| +++ b/drivers/net/ethernet/qlogic/qed/qed_dev.c |
| @@ -473,19 +473,19 @@ static void qed_init_qm_pq(struct qed_hwfn *p_hwfn, |
| |
| /* get pq index according to PQ_FLAGS */ |
| static u16 *qed_init_qm_get_idx_from_flags(struct qed_hwfn *p_hwfn, |
| - u32 pq_flags) |
| + unsigned long pq_flags) |
| { |
| struct qed_qm_info *qm_info = &p_hwfn->qm_info; |
| |
| /* Can't have multiple flags set here */ |
| - if (bitmap_weight((unsigned long *)&pq_flags, |
| + if (bitmap_weight(&pq_flags, |
| sizeof(pq_flags) * BITS_PER_BYTE) > 1) { |
| - DP_ERR(p_hwfn, "requested multiple pq flags 0x%x\n", pq_flags); |
| + DP_ERR(p_hwfn, "requested multiple pq flags 0x%lx\n", pq_flags); |
| goto err; |
| } |
| |
| if (!(qed_get_pq_flags(p_hwfn) & pq_flags)) { |
| - DP_ERR(p_hwfn, "pq flag 0x%x is not set\n", pq_flags); |
| + DP_ERR(p_hwfn, "pq flag 0x%lx is not set\n", pq_flags); |
| goto err; |
| } |
| |
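Review bot: The single-flag check in qed_init_qm_get_idx_from_flags still calls `bitmap_weight(&pq_flags, sizeof(pq_flags) * BITS_PER_BYTE)`, which stays in bounds only while `pq_flags` is exactly one `unsigned long` wide, and nothing in the code records that constraint. The old `u32` with a pointer cast is what let the bitmap helper read 8 bytes from a 4-byte stack slot on 64-bit, matching the "Read of size 8" in the KASAN report. Counting bits on the value instead, `if (hweight_long(pq_flags) > 1) {`, removes both the address-of and the size arithmetic, so a later type change cannot bring the over-read back. If bitmap_weight() is kept, I would add a comment at the parameter such as `/* must be unsigned long: bitmap_weight() reads whole longs */`. The function body and its `err` label continue past the last line of this hunk, and the callers are not shown, so the argument types they pass should be checked separately.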
| -- |
| 2.19.1 |
| |