linux/drivers/infiniband/hw/hfi1
Piotr Stankiewicz 36d842194a IB/hfi1: Fix an out-of-bounds access in get_hw_stats
When running with KASAN, the following trace is produced:

[   62.535888]

==================================================================
[   62.544930] BUG: KASAN: slab-out-of-bounds in
gut_hw_stats+0x122/0x230 [hfi1]
[   62.553856] Write of size 8 at addr ffff88080e8d6330 by task
kworker/0:1/14

[   62.565333] CPU: 0 PID: 14 Comm: kworker/0:1 Not tainted
4.19.0-test-build-kasan+ #8
[   62.575087] Hardware name: Intel Corporation S2600KPR/S2600KPR, BIOS
SE5C610.86B.01.01.0019.101220160604 10/12/2016
[   62.587951] Workqueue: events work_for_cpu_fn
[   62.594050] Call Trace:
[   62.598023]  dump_stack+0xc6/0x14c
[   62.603089]  ? dump_stack_print_info.cold.1+0x2f/0x2f
[   62.610041]  ? kmsg_dump_rewind_nolock+0x59/0x59
[   62.616615]  ? get_hw_stats+0x122/0x230 [hfi1]
[   62.622985]  print_address_description+0x6c/0x23c
[   62.629744]  ? get_hw_stats+0x122/0x230 [hfi1]
[   62.636108]  kasan_report.cold.6+0x241/0x308
[   62.642365]  get_hw_stats+0x122/0x230 [hfi1]
[   62.648703]  ? hfi1_alloc_rn+0x40/0x40 [hfi1]
[   62.655088]  ? __kmalloc+0x110/0x240
[   62.660695]  ? hfi1_alloc_rn+0x40/0x40 [hfi1]
[   62.667142]  setup_hw_stats+0xd8/0x430 [ib_core]
[   62.673972]  ? show_hfi+0x50/0x50 [hfi1]
[   62.680026]  ib_device_register_sysfs+0x165/0x180 [ib_core]
[   62.687995]  ib_register_device+0x5a2/0xa10 [ib_core]
[   62.695340]  ? show_hfi+0x50/0x50 [hfi1]
[   62.701421]  ? ib_unregister_device+0x2e0/0x2e0 [ib_core]
[   62.709222]  ? __vmalloc_node_range+0x2d0/0x380
[   62.716131]  ? rvt_driver_mr_init+0x11f/0x2d0 [rdmavt]
[   62.723735]  ? vmalloc_node+0x5c/0x70
[   62.729697]  ? rvt_driver_mr_init+0x11f/0x2d0 [rdmavt]
[   62.737347]  ? rvt_driver_mr_init+0x1f5/0x2d0 [rdmavt]
[   62.744998]  ? __rvt_alloc_mr+0x110/0x110 [rdmavt]
[   62.752315]  ? rvt_rc_error+0x140/0x140 [rdmavt]
[   62.759434]  ? rvt_vma_open+0x30/0x30 [rdmavt]
[   62.766364]  ? mutex_unlock+0x1d/0x40
[   62.772445]  ? kmem_cache_create_usercopy+0x15d/0x230
[   62.780115]  rvt_register_device+0x1f6/0x360 [rdmavt]
[   62.787823]  ? rvt_get_port_immutable+0x180/0x180 [rdmavt]
[   62.796058]  ? __get_txreq+0x400/0x400 [hfi1]
[   62.802969]  ? memcpy+0x34/0x50
[   62.808611]  hfi1_register_ib_device+0xde6/0xeb0 [hfi1]
[   62.816601]  ? hfi1_get_npkeys+0x10/0x10 [hfi1]
[   62.823760]  ? hfi1_init+0x89f/0x9a0 [hfi1]
[   62.830469]  ? hfi1_setup_eagerbufs+0xad0/0xad0 [hfi1]
[   62.838204]  ? pcie_capability_clear_and_set_word+0xcd/0xe0
[   62.846429]  ? pcie_capability_read_word+0xd0/0xd0
[   62.853791]  ? hfi1_pcie_init+0x187/0x4b0 [hfi1]
[   62.860958]  init_one+0x67f/0xae0 [hfi1]
[   62.867301]  ? hfi1_init+0x9a0/0x9a0 [hfi1]
[   62.873876]  ? wait_woken+0x130/0x130
[   62.879860]  ? read_word_at_a_time+0xe/0x20
[   62.886329]  ? strscpy+0x14b/0x280
[   62.891998]  ? hfi1_init+0x9a0/0x9a0 [hfi1]
[   62.898405]  local_pci_probe+0x70/0xd0
[   62.904295]  ? pci_device_shutdown+0x90/0x90
[   62.910833]  work_for_cpu_fn+0x29/0x40
[   62.916750]  process_one_work+0x584/0x960
[   62.922974]  ? rcu_work_rcufn+0x40/0x40
[   62.928991]  ? __schedule+0x396/0xdc0
[   62.934806]  ? __sched_text_start+0x8/0x8
[   62.941020]  ? pick_next_task_fair+0x68b/0xc60
[   62.947674]  ? run_rebalance_domains+0x260/0x260
[   62.954471]  ? __list_add_valid+0x29/0xa0
[   62.960607]  ? move_linked_works+0x1c7/0x230
[   62.967077]  ?
trace_event_raw_event_workqueue_execute_start+0x140/0x140
[   62.976248]  ? mutex_lock+0xa6/0x100
[   62.982029]  ? __mutex_lock_slowpath+0x10/0x10
[   62.988795]  ? __switch_to+0x37a/0x710
[   62.994731]  worker_thread+0x62e/0x9d0
[   63.000602]  ? max_active_store+0xf0/0xf0
[   63.006828]  ? __switch_to_asm+0x40/0x70
[   63.012932]  ? __switch_to_asm+0x34/0x70
[   63.019013]  ? __switch_to_asm+0x40/0x70
[   63.025042]  ? __switch_to_asm+0x34/0x70
[   63.031030]  ? __switch_to_asm+0x40/0x70
[   63.037006]  ? __schedule+0x396/0xdc0
[   63.042660]  ? kmem_cache_alloc_trace+0xf3/0x1f0
[   63.049323]  ? kthread+0x59/0x1d0
[   63.054594]  ? ret_from_fork+0x35/0x40
[   63.060257]  ? __sched_text_start+0x8/0x8
[   63.066212]  ? schedule+0xcf/0x250
[   63.071529]  ? __wake_up_common+0x110/0x350
[   63.077794]  ? __schedule+0xdc0/0xdc0
[   63.083348]  ? wait_woken+0x130/0x130
[   63.088963]  ? finish_task_switch+0x1f1/0x520
[   63.095258]  ? kasan_unpoison_shadow+0x30/0x40
[   63.101792]  ? __init_waitqueue_head+0xa0/0xd0
[   63.108183]  ? replenish_dl_entity.cold.60+0x18/0x18
[   63.115151]  ? _raw_spin_lock_irqsave+0x25/0x50
[   63.121754]  ? max_active_store+0xf0/0xf0
[   63.127753]  kthread+0x1ae/0x1d0
[   63.132894]  ? kthread_bind+0x30/0x30
[   63.138422]  ret_from_fork+0x35/0x40

[   63.146973] Allocated by task 14:
[   63.152077]  kasan_kmalloc+0xbf/0xe0
[   63.157471]  __kmalloc+0x110/0x240
[   63.162804]  init_cntrs+0x34d/0xdf0 [hfi1]
[   63.168883]  hfi1_init_dd+0x29a3/0x2f90 [hfi1]
[   63.175244]  init_one+0x551/0xae0 [hfi1]
[   63.181065]  local_pci_probe+0x70/0xd0
[   63.186759]  work_for_cpu_fn+0x29/0x40
[   63.192310]  process_one_work+0x584/0x960
[   63.198163]  worker_thread+0x62e/0x9d0
[   63.203843]  kthread+0x1ae/0x1d0
[   63.208874]  ret_from_fork+0x35/0x40

[   63.217203] Freed by task 1:
[   63.221844]  __kasan_slab_free+0x12e/0x180
[   63.227844]  kfree+0x92/0x1a0
[   63.232570]  single_release+0x3a/0x60
[   63.238024]  __fput+0x1d9/0x480
[   63.242911]  task_work_run+0x139/0x190
[   63.248440]  exit_to_usermode_loop+0x191/0x1a0
[   63.254814]  do_syscall_64+0x301/0x330
[   63.260283]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

[   63.270199] The buggy address belongs to the object at
ffff88080e8d5500
 which belongs to the cache kmalloc-4096 of size 4096
[   63.287247] The buggy address is located 3632 bytes inside of
 4096-byte region [ffff88080e8d5500, ffff88080e8d6500)
[   63.303564] The buggy address belongs to the page:
[   63.310447] page:ffffea00203a3400 count:1 mapcount:0
mapping:ffff88081380e840 index:0x0 compound_mapcount: 0
[   63.323102] flags: 0x2fffff80008100(slab|head)
[   63.329775] raw: 002fffff80008100 0000000000000000 0000000100000001
ffff88081380e840
[   63.340175] raw: 0000000000000000 0000000000070007 00000001ffffffff
0000000000000000
[   63.350564] page dumped because: kasan: bad access detected

[   63.361974] Memory state around the buggy address:
[   63.369137]  ffff88080e8d6200: 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00
[   63.379082]  ffff88080e8d6280: 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00
[   63.389032] >ffff88080e8d6300: 00 00 00 00 00 00 fc fc fc fc fc fc fc
fc fc fc
[   63.398944]                                      ^
[   63.406141]  ffff88080e8d6380: fc fc fc fc fc fc fc fc fc fc fc fc fc
fc fc fc
[   63.416109]  ffff88080e8d6400: fc fc fc fc fc fc fc fc fc fc fc fc fc
fc fc fc
[   63.426099]
==================================================================

The trace happens because get_hw_stats() assumes there is room in the
memory allocated in init_cntrs() to accommodate the driver counters.
Unfortunately, that routine only allocated space for the device
counters.

Fix by insuring the allocation has room for the additional driver
counters.

Cc: <Stable@vger.kernel.org> # v4.14+
Fixes: b7481944b0 ("IB/hfi1: Show statistics counters under IB stats interface")
Reviewed-by: Mike Marciniczyn <mike.marciniszyn@intel.com>
Reviewed-by: Mike Ruhl <michael.j.ruhl@intel.com>
Signed-off-by: Piotr Stankiewicz <piotr.stankiewicz@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
2018-12-03 16:05:19 -05:00
..
affinity.c IB/hfi1: Make the MSIx resource allocation a bit more flexible 2018-09-01 08:13:38 -04:00
affinity.h IB/{hfi1, rdmavt, qib}: Implement CQ completion vector support 2018-05-09 15:53:30 -04:00
aspm.h IB/hfi1: Convert timers to use timer_setup() 2017-10-18 11:48:19 -04:00
chip_registers.h IB/hfi1: Move UnsupportedVL bits definitions to the correct header 2018-09-26 16:35:48 -06:00
chip.c IB/hfi1: Fix an out-of-bounds access in get_hw_stats 2018-12-03 16:05:19 -05:00
chip.h IB/hfi1: Rework the IRQ API to be more flexible 2018-09-01 08:13:38 -04:00
common.h IB/hfi1: Eliminate allocation while atomic 2017-10-18 10:12:59 -04:00
debugfs.c IB/hfi1: Rework fault injection machinery 2018-05-09 15:53:30 -04:00
debugfs.h RDMA/hfi1: Fix build error with debugfs disabled 2018-05-15 14:24:18 -04:00
device.c infiniband: utilize the new cdev_set_parent function 2017-03-21 06:44:33 +01:00
device.h
driver.c IB/hfi1: Move rhf_offset from devdata to ctxtdata 2018-06-19 11:49:45 -06:00
efivar.c IB/hfi1: Check upper-case EFI variables 2017-02-19 09:18:37 -05:00
efivar.h
eprom.c IB/hfi1: Check eeprom config partition validity 2017-09-27 11:10:36 -04:00
eprom.h
exp_rcv.c IB/hfi1: Cleanup of exp_rcv 2018-05-24 09:39:25 -06:00
exp_rcv.h IB/hfi1: Cleanup of exp_rcv 2018-05-24 09:39:25 -06:00
fault.c IB/hfi1: Rework fault injection machinery 2018-05-09 15:53:30 -04:00
fault.h IB/hfi1: Rework fault injection machinery 2018-05-09 15:53:30 -04:00
file_ops.c IB/hfi1: Move URGENT IRQ enable to hfi1_rcvctrl() 2018-09-01 08:13:38 -04:00
firmware.c IB/hfi1: Fix infinite loop in 8051 command error path 2018-01-05 13:34:55 -05:00
hfi.h IB/hfi1: Fix an out-of-bounds access in get_hw_stats 2018-12-03 16:05:19 -05:00
init.c IB/{hfi1, qib, rdmavt}: Move copy SGE logic into rdmavt 2018-10-03 16:38:28 -06:00
intr.c IB/hfi1: Allow MgmtAllowed on B2B setups 2017-11-13 15:53:56 -05:00
iowait.c IB/hfi1: Add static trace for iowait 2018-09-30 19:21:12 -06:00
iowait.h IB/hfi1: Prepare resource waits for dual leg 2018-09-30 19:21:12 -06:00
Kconfig IB/hfi1: Remove HFI1_VERBS_31BIT_PSN option 2017-08-22 14:22:38 -04:00
mad.c IB/hfi1: Error path MAD response size is incorrect 2018-09-30 19:21:11 -06:00
mad.h IB/hfi1: Convert PortXmitWait/PortVLXmitWait counters to flit times 2018-02-01 15:43:30 -07:00
Makefile IB/hfi1: Prepare resource waits for dual leg 2018-09-30 19:21:12 -06:00
mmu_rb.c Revert "mm, mmu_notifier: annotate mmu notifiers with blockable invalidate callbacks" 2018-10-26 16:25:19 -07:00
mmu_rb.h IB/hfi1: Don't remove RB entry when not needed. 2017-06-27 16:56:33 -04:00
msix.c IB/hfi1: Rework the IRQ API to be more flexible 2018-09-01 08:13:38 -04:00
msix.h IB/hfi1: Make the MSIx resource allocation a bit more flexible 2018-09-01 08:13:38 -04:00
opa_compat.h IB/hfi1: Document phys port state bits not used in IB 2017-08-22 14:22:37 -04:00
pcie.c First merge window pull request 2018-10-26 07:38:19 -07:00
pio_copy.c
pio.c Merge branch 'for-rc' into rdma.git for-next 2018-10-16 00:01:02 -06:00
pio.h IB/hfi1: Fix destroy_qp hang after a link down 2018-09-20 19:24:51 -06:00
platform.c IB/{hfi1, rdmavt}: Fix memory leak in hfi1_alloc_devdata() upon failure 2018-05-03 15:24:48 -04:00
platform.h IB/hfi1: Define platform_config_table_limits once 2016-12-11 15:29:42 -05:00
qp.c IB/hfi1: Fix a latency issue for small messages 2018-12-03 16:05:19 -05:00
qp.h IB/hfi1: Prepare resource waits for dual leg 2018-09-30 19:21:12 -06:00
qsfp.c IB/{hfi1, rdmavt}: Fix memory leak in hfi1_alloc_devdata() upon failure 2018-05-03 15:24:48 -04:00
qsfp.h
rc.c IB/{hfi1, qib, rdmavt}: Move send completion logic to rdmavt 2018-10-03 16:38:28 -06:00
ruc.c IB/{hfi1, qib, rdmavt}: Move ruc_loopback to rdmavt 2018-10-03 16:38:28 -06:00
sdma_txreq.h
sdma.c IB/hfi1: Prepare resource waits for dual leg 2018-09-30 19:21:12 -06:00
sdma.h IB/hfi1: Prepare resource waits for dual leg 2018-09-30 19:21:12 -06:00
sysfs.c RDMA/drivers: Use core provided API for registering device attributes 2018-10-17 03:45:01 -06:00
trace_ctxts.h treewide: remove large struct-pass-by-value from tracepoint arguments 2018-03-28 22:55:18 +02:00
trace_dbg.h IB/{hfi1, rdmavt, qib}: Implement CQ completion vector support 2018-05-09 15:53:30 -04:00
trace_ibhdrs.h IB/hfi1: Add 16B Management Packet trace support 2018-05-24 09:39:25 -06:00
trace_iowait.h IB/hfi1: Add static trace for iowait 2018-09-30 19:21:12 -06:00
trace_misc.h IB/hfi1: Add traces for TID operations 2017-06-27 16:58:13 -04:00
trace_mmu.h IB/hif1: Remove static tracing from SDMA hot path 2017-08-28 19:12:27 -04:00
trace_rc.h IB/rdmavt, IB/hfi1: Fix timer migration regressions 2017-04-05 14:45:09 -04:00
trace_rx.h IB/hfi1: Add 16B rcvhdr trace support 2018-02-01 15:43:32 -07:00
trace_tx.h IB/hif1: Remove static tracing from SDMA hot path 2017-08-28 19:12:27 -04:00
trace.c IB/hfi1: Add 16B Management Packet trace support 2018-05-24 09:39:25 -06:00
trace.h IB/hfi1: Add static trace for iowait 2018-09-30 19:21:12 -06:00
uc.c IB/{hfi1, qib, rdmavt}: Move send completion logic to rdmavt 2018-10-03 16:38:28 -06:00
ud.c IB/{hfi1, qib, rdmavt}: Move send completion logic to rdmavt 2018-10-03 16:38:28 -06:00
user_exp_rcv.c IB/hfi1: Rename exp_lock to exp_mutex 2018-06-04 15:25:27 -06:00
user_exp_rcv.h IB/hfi1: Move structure definitions from user_exp_rcv.c to user_exp_rcv.h 2017-08-28 19:12:22 -04:00
user_pages.c IB/hfi1: Virtual Network Interface Controller (VNIC) HW support 2017-04-20 15:19:35 -04:00
user_sdma.c Merge branch 'for-rc' into rdma.git for-next 2018-10-16 00:01:02 -06:00
user_sdma.h IB/hfi1: Right size user_sdma sequence numbers and related variables 2018-09-11 10:05:17 -06:00
verbs_txreq.c IB/hfi1: Fix incorrect mixing of ERR_PTR and NULL return values 2018-06-26 14:35:55 -06:00
verbs_txreq.h IB/hfi1: Prepare resource waits for dual leg 2018-09-30 19:21:12 -06:00
verbs.c IB/hfi1: Fix an out-of-bounds access in get_hw_stats 2018-12-03 16:05:19 -05:00
verbs.h IB/{hfi1, qib, rdmavt}: Move send completion logic to rdmavt 2018-10-03 16:38:28 -06:00
vnic_main.c IB/hfi1: Make the MSIx resource allocation a bit more flexible 2018-09-01 08:13:38 -04:00
vnic_sdma.c IB/hfi1: Prepare resource waits for dual leg 2018-09-30 19:21:12 -06:00
vnic.h IB/hfi1: Add support to receive 16B bypass packets 2017-08-22 14:22:37 -04:00