linux/drivers/net/ethernet
Ido Schimmel c4317b1167 mlxsw: pci: Fix use-after-free in case of failed devlink reload
In case devlink reload failed, it is possible to trigger a
use-after-free when querying the kernel for device info via 'devlink dev
info' [1].

This happens because as part of the reload error path the PCI command
interface is de-initialized and its mailboxes are freed. When the
devlink '->info_get()' callback is invoked the device is queried via the
command interface and the freed mailboxes are accessed.

Fix this by initializing the command interface once during probe and not
during every reload.

This is consistent with the other bus used by mlxsw (i.e., 'mlxsw_i2c')
and also allows user space to query the running firmware version (for
example) from the device after a failed reload.

[1]
BUG: KASAN: use-after-free in memcpy include/linux/string.h:406 [inline]
BUG: KASAN: use-after-free in mlxsw_pci_cmd_exec+0x177/0xa60 drivers/net/ethernet/mellanox/mlxsw/pci.c:1675
Write of size 4096 at addr ffff88810ae32000 by task syz-executor.1/2355

CPU: 1 PID: 2355 Comm: syz-executor.1 Not tainted 5.8.0-rc2+ #29
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xf6/0x16e lib/dump_stack.c:118
 print_address_description.constprop.0+0x1c/0x250 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 check_memory_region_inline mm/kasan/generic.c:186 [inline]
 check_memory_region+0x14e/0x1b0 mm/kasan/generic.c:192
 memcpy+0x39/0x60 mm/kasan/common.c:106
 memcpy include/linux/string.h:406 [inline]
 mlxsw_pci_cmd_exec+0x177/0xa60 drivers/net/ethernet/mellanox/mlxsw/pci.c:1675
 mlxsw_cmd_exec+0x249/0x550 drivers/net/ethernet/mellanox/mlxsw/core.c:2335
 mlxsw_cmd_access_reg drivers/net/ethernet/mellanox/mlxsw/cmd.h:859 [inline]
 mlxsw_core_reg_access_cmd drivers/net/ethernet/mellanox/mlxsw/core.c:1938 [inline]
 mlxsw_core_reg_access+0x2f6/0x540 drivers/net/ethernet/mellanox/mlxsw/core.c:1985
 mlxsw_reg_query drivers/net/ethernet/mellanox/mlxsw/core.c:2000 [inline]
 mlxsw_devlink_info_get+0x17f/0x6e0 drivers/net/ethernet/mellanox/mlxsw/core.c:1090
 devlink_nl_info_fill.constprop.0+0x13c/0x2d0 net/core/devlink.c:4588
 devlink_nl_cmd_info_get_dumpit+0x246/0x460 net/core/devlink.c:4648
 genl_lock_dumpit+0x85/0xc0 net/netlink/genetlink.c:575
 netlink_dump+0x515/0xe50 net/netlink/af_netlink.c:2245
 __netlink_dump_start+0x53d/0x830 net/netlink/af_netlink.c:2353
 genl_family_rcv_msg_dumpit.isra.0+0x296/0x300 net/netlink/genetlink.c:638
 genl_family_rcv_msg net/netlink/genetlink.c:733 [inline]
 genl_rcv_msg+0x78d/0x9d0 net/netlink/genetlink.c:753
 netlink_rcv_skb+0x152/0x440 net/netlink/af_netlink.c:2469
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:764
 netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
 netlink_unicast+0x53a/0x750 net/netlink/af_netlink.c:1329
 netlink_sendmsg+0x850/0xd90 net/netlink/af_netlink.c:1918
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0x150/0x190 net/socket.c:672
 ____sys_sendmsg+0x6d8/0x840 net/socket.c:2363
 ___sys_sendmsg+0xff/0x170 net/socket.c:2417
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2450
 do_syscall_64+0x56/0xa0 arch/x86/entry/common.c:359
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: a9c8336f65 ("mlxsw: core: Add support for devlink info command")
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Reviewed-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-07-10 14:33:34 -07:00
..
3com treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
8390 treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
adaptec treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
aeroflex treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
agere treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
alacritech treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
allwinner treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
alteon treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
altera treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
amazon treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
amd treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
apm
apple treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
aquantia net: atlantic: fix ip dst and ipv6 address filters 2020-07-08 12:29:33 -07:00
arc treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
atheros net: alx: fix race condition in alx_remove 2020-06-15 13:20:14 -07:00
aurora
broadcom bnxt_en: fix NULL dereference in case SR-IOV configuration fails 2020-07-10 14:20:03 -07:00
brocade treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
cadence net: macb: fix call to pm_runtime in the suspend/resume functions 2020-07-10 14:29:38 -07:00
calxeda
cavium treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
chelsio cxgb4: fix all-mask IP address comparison 2020-07-08 15:43:00 -07:00
cirrus treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
cisco treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
cortina treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
davicom treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
dec treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
dlink treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
emulex treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
ezchip treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
faraday treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
freescale net: ethernet: fec: prevent tx starvation under high rx load 2020-07-07 15:25:05 -07:00
fujitsu treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
google
hisilicon net: hns3: fix use-after-free when doing self test 2020-07-06 12:33:28 -07:00
huawei hinic: fix sending mailbox timeout in aeq event work 2020-07-04 17:53:16 -07:00
i825xx treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
ibm ibmvnic: continue to init in CRQ reset returns H_CLOSED 2020-06-20 17:28:41 -07:00
intel i40e: fix crash when Rx descriptor count is changed 2020-06-18 22:37:25 -07:00
marvell net: sky2: initialize return of gm_phy_read 2020-07-07 15:23:53 -07:00
mediatek net: ethernet: mtk-star-emac: simplify interrupt handling 2020-06-15 13:30:58 -07:00
mellanox mlxsw: pci: Fix use-after-free in case of failed devlink reload 2020-07-10 14:33:34 -07:00
micrel treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
microchip lan743x: add MODULE_DEVICE_TABLE for module loading alias 2020-06-16 14:01:14 -07:00
moxa treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
mscc net: mscc: allow offloading timestamping operations to the PHY 2020-05-27 14:54:31 -07:00
myricom treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
natsemi treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
neterion net: ethernet: neterion: vxge: fix spelling mistake 2020-06-19 13:06:26 -07:00
netronome net: flow_offload: fix flow_indr_dev_unregister path 2020-06-19 20:12:58 -07:00
ni net: ni: Fix use correct return type for ndo_start_xmit() 2020-05-05 11:39:43 -07:00
nvidia treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
nxp net: nxp: Fix use correct return type for ndo_start_xmit() 2020-05-05 11:17:56 -07:00
oki-semi net: ethernet: oki-semi: pch_gbe: fix spelling mistake 2020-06-19 13:09:26 -07:00
packetengines treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
pasemi treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
pensando ionic: centralize queue reset code 2020-07-07 15:50:31 -07:00
qlogic qed: Populate nvm-file attributes while reading nvm config partition. 2020-07-09 12:30:25 -07:00
qualcomm net: rmnet: do not allow to add multiple bridge interfaces 2020-07-04 18:04:55 -07:00
rdc treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
realtek r8169: fix firmware not resetting tp->ocp_base 2020-06-20 17:31:26 -07:00
renesas treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
rocker rocker: fix incorrect error handling in dma_rings_init 2020-06-15 13:37:36 -07:00
samsung treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
seeq treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
sfc treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
sgi treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
silan treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
sis treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
smsc treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
socionext socionext: account for napi_gro_receive never returning GRO_DROP 2020-06-25 16:16:21 -07:00
stmicro treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
sun treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
synopsys treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
tehuti treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
ti Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-06-13 16:27:13 -07:00
toshiba treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
tundra treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
via treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
wiznet treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
xilinx net: axienet: fix spelling mistake in comment "Exteneded" -> "extended" 2020-06-15 13:02:03 -07:00
xircom treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
xscale treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
dnet.c net: ethernet: dnet: convert to devm_platform_get_and_ioremap_resource 2020-04-20 12:18:13 -07:00
dnet.h
ec_bhf.c
ethoc.c
fealnx.c
jme.c
jme.h
Kconfig treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
korina.c mm: reorder includes after introduction of linux/pgtable.h 2020-06-09 09:39:13 -07:00
lantiq_etop.c
lantiq_xrx200.c net: lantiq: Fix use correct return type for ndo_start_xmit() 2020-05-06 14:24:06 -07:00
Makefile