From: Manish Chopra
Subject: [PATCH net 5/5] qed: Fix stack out of bounds bug
Date: Mon, 28 Jan 2019 10:05:08 -0800
Message-ID: <20190128180508.9902-6-manishc@marvell.com>
In-Reply-To: <20190128180508.9902-1-manishc@marvell.com>
References: <20190128180508.9902-1-manishc@marvell.com>
X-Patchwork-Id: 1032115
X-Mailing-List: netdev@vger.kernel.org

KASAN reported following bug in
qed_init_qm_get_idx_from_flags due to inappropriate casting of "pq_flags".
Fix the type of "pq_flags".

[ 196.624707] BUG: KASAN: stack-out-of-bounds in qed_init_qm_get_idx_from_flags+0x1a4/0x1b8 [qed]
[ 196.624712] Read of size 8 at addr ffff809b00bc7360 by task kworker/0:9/1712
[ 196.624714]
[ 196.624720] CPU: 0 PID: 1712 Comm: kworker/0:9 Not tainted 4.18.0-60.el8.aarch64+debug #1
[ 196.624723] Hardware name: To be filled by O.E.M. Saber/Saber, BIOS 0ACKL024 09/26/2018
[ 196.624733] Workqueue: events work_for_cpu_fn
[ 196.624738] Call trace:
[ 196.624742] dump_backtrace+0x0/0x2f8
[ 196.624745] show_stack+0x24/0x30
[ 196.624749] dump_stack+0xe0/0x11c
[ 196.624755] print_address_description+0x68/0x260
[ 196.624759] kasan_report+0x178/0x340
[ 196.624762] __asan_report_load_n_noabort+0x38/0x48
[ 196.624786] qed_init_qm_get_idx_from_flags+0x1a4/0x1b8 [qed]
[ 196.624808] qed_init_qm_info+0xec0/0x2200 [qed]
[ 196.624830] qed_resc_alloc+0x284/0x7e8 [qed]
[ 196.624853] qed_slowpath_start+0x6cc/0x1ae8 [qed]
[ 196.624864] __qede_probe.isra.10+0x1cc/0x12c0 [qede]
[ 196.624874] qede_probe+0x78/0xf0 [qede]
[ 196.624879] local_pci_probe+0xc4/0x180
[ 196.624882] work_for_cpu_fn+0x54/0x98
[ 196.624885] process_one_work+0x758/0x1900
[ 196.624888] worker_thread+0x4e0/0xd18
[ 196.624892] kthread+0x2c8/0x350
[ 196.624897] ret_from_fork+0x10/0x18
[ 196.624899]
[ 196.624902] Allocated by task 2:
[ 196.624906] kasan_kmalloc.part.1+0x40/0x108
[ 196.624909] kasan_kmalloc+0xb4/0xc8
[ 196.624913] kasan_slab_alloc+0x14/0x20
[ 196.624916] kmem_cache_alloc_node+0x1dc/0x480
[ 196.624921] copy_process.isra.1.part.2+0x1d8/0x4a98
[ 196.624924] _do_fork+0x150/0xfa0
[ 196.624926] kernel_thread+0x48/0x58
[ 196.624930] kthreadd+0x3a4/0x5a0
[ 196.624932] ret_from_fork+0x10/0x18
[ 196.624934]
[ 196.624937] Freed by task 0:
[ 196.624938] (stack is not available)
[ 196.624940]
[ 196.624943] The buggy address belongs to the object at ffff809b00bc0000
[ 196.624943] which belongs to the cache thread_stack of size 32768
[ 196.624946] The buggy address is located 29536 bytes inside of
[ 196.624946] 32768-byte region [ffff809b00bc0000, ffff809b00bc8000)
[ 196.624948] The buggy address belongs to the page:
[ 196.624952] page:ffff7fe026c02e00 count:1 mapcount:0 mapping:ffff809b4001c000 index:0x0 compound_mapcount: 0
[ 196.624960] flags: 0xfffff8000008100(slab|head)
[ 196.624967] raw: 0fffff8000008100 dead000000000100 dead000000000200 ffff809b4001c000
[ 196.624970] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 196.624973] page dumped because: kasan: bad access detected
[ 196.624974]
[ 196.624976] Memory state around the buggy address:
[ 196.624980] ffff809b00bc7200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 196.624983] ffff809b00bc7280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 196.624985] >ffff809b00bc7300: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f2 f2 f2
[ 196.624988] ^
[ 196.624990] ffff809b00bc7380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 196.624993] ffff809b00bc7400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 196.624995] ==================================================================

Signed-off-by: Manish Chopra
Signed-off-by: Ariel Elior
---
 drivers/net/ethernet/qlogic/qed/qed_dev.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/net/ethernet/qlogic/qed/qed_dev.c b/drivers/net/ethernet/qlogic/qed/qed_dev.c index 8f65514..2ecaaaa 100644 --- a/drivers/net/ethernet/qlogic/qed/qed_dev.c +++ b/drivers/net/ethernet/qlogic/qed/qed_dev.c 
@@ -795,19 +795,19 @@ static void qed_init_qm_pq(struct qed_hwfn *p_hwfn, /* get pq index according to PQ_FLAGS */ static u16 *qed_init_qm_get_idx_from_flags(struct qed_hwfn *p_hwfn, - u32 pq_flags) + unsigned long pq_flags) { struct qed_qm_info *qm_info = &p_hwfn->qm_info; /* Can't have multiple flags set here */ - if (bitmap_weight((unsigned long *)&pq_flags, + if (bitmap_weight(&pq_flags, sizeof(pq_flags) * BITS_PER_BYTE) > 1) { - DP_ERR(p_hwfn, "requested multiple pq flags 0x%x\n", pq_flags); + DP_ERR(p_hwfn, "requested multiple pq flags 0x%lx\n", pq_flags); goto err; } if (!(qed_get_pq_flags(p_hwfn) & pq_flags)) { - DP_ERR(p_hwfn, "pq flag 0x%x is not set\n", pq_flags); + DP_ERR(p_hwfn, "pq flag 0x%lx is not set\n", pq_flags); goto err; }
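
Review bot: the multiple-flags check in qed_init_qm_get_idx_from_flags() still passes &pq_flags to bitmap_weight(), taking the address of a scalar parameter only to count its set bits, which is the pattern that invited the (unsigned long *) cast on a u32 in the first place (the "Read of size 8" KASAN reports on this aarch64 build). Consider "hweight_long(pq_flags) > 1" instead, or keep the parameter as u32 and use hweight32(pq_flags); with either, no pointer to the stack variable is needed, and with the u32 variant the DP_ERR format strings could stay 0x%x. The commit message would also be clearer with one sentence saying that the old cast made bitmap_weight() read past the 4-byte variable, and no Fixes: tag is visible here for a patch aimed at net.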