leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
c4317b1167
linux/drivers
History
Ido Schimmel c4317b1167 mlxsw: pci: Fix use-after-free in case of failed devlink reload 
In case devlink reload failed, it is possible to trigger a
use-after-free when querying the kernel for device info via 'devlink dev
info' [1].

This happens because as part of the reload error path the PCI command
interface is de-initialized and its mailboxes are freed. When the
devlink '->info_get()' callback is invoked the device is queried via the
command interface and the freed mailboxes are accessed.

Fix this by initializing the command interface once during probe and not
during every reload.

This is consistent with the other bus used by mlxsw (i.e., 'mlxsw_i2c')
and also allows user space to query the running firmware version (for
example) from the device after a failed reload.

[1]
BUG: KASAN: use-after-free in memcpy include/linux/string.h:406 [inline]
BUG: KASAN: use-after-free in mlxsw_pci_cmd_exec+0x177/0xa60 drivers/net/ethernet/mellanox/mlxsw/pci.c:1675
Write of size 4096 at addr ffff88810ae32000 by task syz-executor.1/2355

CPU: 1 PID: 2355 Comm: syz-executor.1 Not tainted 5.8.0-rc2+ #29
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xf6/0x16e lib/dump_stack.c:118
 print_address_description.constprop.0+0x1c/0x250 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 check_memory_region_inline mm/kasan/generic.c:186 [inline]
 check_memory_region+0x14e/0x1b0 mm/kasan/generic.c:192
 memcpy+0x39/0x60 mm/kasan/common.c:106
 memcpy include/linux/string.h:406 [inline]
 mlxsw_pci_cmd_exec+0x177/0xa60 drivers/net/ethernet/mellanox/mlxsw/pci.c:1675
 mlxsw_cmd_exec+0x249/0x550 drivers/net/ethernet/mellanox/mlxsw/core.c:2335
 mlxsw_cmd_access_reg drivers/net/ethernet/mellanox/mlxsw/cmd.h:859 [inline]
 mlxsw_core_reg_access_cmd drivers/net/ethernet/mellanox/mlxsw/core.c:1938 [inline]
 mlxsw_core_reg_access+0x2f6/0x540 drivers/net/ethernet/mellanox/mlxsw/core.c:1985
 mlxsw_reg_query drivers/net/ethernet/mellanox/mlxsw/core.c:2000 [inline]
 mlxsw_devlink_info_get+0x17f/0x6e0 drivers/net/ethernet/mellanox/mlxsw/core.c:1090
 devlink_nl_info_fill.constprop.0+0x13c/0x2d0 net/core/devlink.c:4588
 devlink_nl_cmd_info_get_dumpit+0x246/0x460 net/core/devlink.c:4648
 genl_lock_dumpit+0x85/0xc0 net/netlink/genetlink.c:575
 netlink_dump+0x515/0xe50 net/netlink/af_netlink.c:2245
 __netlink_dump_start+0x53d/0x830 net/netlink/af_netlink.c:2353
 genl_family_rcv_msg_dumpit.isra.0+0x296/0x300 net/netlink/genetlink.c:638
 genl_family_rcv_msg net/netlink/genetlink.c:733 [inline]
 genl_rcv_msg+0x78d/0x9d0 net/netlink/genetlink.c:753
 netlink_rcv_skb+0x152/0x440 net/netlink/af_netlink.c:2469
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:764
 netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
 netlink_unicast+0x53a/0x750 net/netlink/af_netlink.c:1329
 netlink_sendmsg+0x850/0xd90 net/netlink/af_netlink.c:1918
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0x150/0x190 net/socket.c:672
 ____sys_sendmsg+0x6d8/0x840 net/socket.c:2363
 ___sys_sendmsg+0xff/0x170 net/socket.c:2417
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2450
 do_syscall_64+0x56/0xa0 arch/x86/entry/common.c:359
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: a9c8336f65 ("mlxsw: core: Add support for devlink info command")
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Reviewed-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-07-10 14:33:34 -07:00
..
accessibility treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
acpi libnvdimm for 5.8 2020-06-13 13:04:36 -07:00
amba ARM: tegra: Replace zero-length array with flexible-array 2020-06-15 23:08:28 -05:00
android treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
ata libata-5.8-2020-06-19 2020-06-19 13:09:40 -07:00
atm treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
auxdisplay treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
base regmap: Fixes for v5.8 2020-06-22 09:46:43 -07:00
bcma
block block-5.8-2020-06-19 2020-06-19 13:11:26 -07:00
bluetooth Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-06-03 16:27:18 -07:00
bus Char/Misc driver patches for 5.8-rc1 2020-06-07 10:59:32 -07:00
cdrom Merge branch 'work.sysctl' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2020-06-10 16:05:54 -07:00
char Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2020-06-21 10:01:03 -07:00
clk treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
clocksource clocksource/drivers/timer-riscv: Use per-CPU timer interrupt 2020-06-09 19:11:22 -07:00
connector treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
counter
cpufreq treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
cpuidle - Add the hwmon support on the i.MX SC (Anson Huang) 2020-06-12 14:10:21 -07:00
crypto Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2020-06-21 10:01:03 -07:00
dax device-dax: add memory via add_memory_driver_managed() 2020-06-04 19:06:23 -07:00
dca
devfreq
dio maccess: rename probe_kernel_{read,write} to copy_{from,to}_kernel_nofault 2020-06-17 10:57:41 -07:00
dma dmaengine: tegra-apb: Replace zero-length array with flexible-array 2020-06-15 23:08:32 -05:00
dma-buf treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
edac Kbuild updates for v5.8 (2nd) 2020-06-13 13:29:16 -07:00
eisa treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
extcon
firewire firewire: ohci: Replace zero-length array with flexible-array 2020-06-15 23:08:31 -05:00
firmware firmware: pcdp: Replace zero-length array with flexible-array 2020-06-15 23:08:32 -05:00
fpga Char/Misc driver patches for 5.8-rc1 2020-06-07 10:59:32 -07:00
fsi treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
gnss treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
gpio treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
gpu Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux 2020-06-20 19:18:27 -07:00
greybus treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
hid treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
hsi treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
hv hyperv-next for 5.8 2020-06-03 15:00:05 -07:00
hwmon Merge branch 'x86/entry' into ras/core 2020-06-11 15:17:57 +02:00
hwspinlock
hwtracing stm class: Replace zero-length array with flexible-array 2020-06-15 23:08:32 -05:00
i2c i2c: smbus: Fix spelling mistake in the comments 2020-06-19 10:09:16 +02:00
i3c
ide treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
idle
iio treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
infiniband IB/hfi1: Add atomic triggered sleep/wakeup 2020-06-24 16:13:38 -03:00
input maccess: rename probe_kernel_{read,write} to copy_{from,to}_kernel_nofault 2020-06-17 10:57:41 -07:00
interconnect More power management updates for 5.8-rc1 2020-06-10 14:04:39 -07:00
iommu Kbuild updates for v5.8 (2nd) 2020-06-13 13:29:16 -07:00
ipack treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
irqchip clocksource/drivers/timer-riscv: Use per-CPU timer interrupt 2020-06-09 19:11:22 -07:00
isdn treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
leds LEDs pull request for 5.8-rc1. 2020-06-04 11:03:45 -07:00
lightnvm for-5.8/block-2020-06-01 2020-06-02 15:29:19 -07:00
macintosh treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
mailbox mailbox: qcom: Add ipq6018 apcs compatible 2020-06-10 22:43:57 -05:00
mcb
md bcache: pr_info() format clean up in bcache_device_init() 2020-06-14 16:47:56 -06:00
media media: pwc: Replace zero-length array with flexible-array 2020-06-15 23:08:32 -05:00
memory
memstick
message treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
mfd mfd: mt6360: Fix register driver NULL pointer by adding driver name 2020-06-16 09:32:43 +01:00
misc maccess: rename probe_kernel_{read,write} to copy_{from,to}_kernel_nofault 2020-06-17 10:57:41 -07:00
mmc treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
most
mtd This pull request contains a single change for UBI: 2020-06-10 13:24:40 -07:00
mux
net mlxsw: pci: Fix use-after-free in case of failed devlink reload 2020-07-10 14:33:34 -07:00
nfc treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
ntb NTB: perf: Fix race condition when run with ntb_test 2020-06-05 20:02:09 -04:00
nubus
nvdimm nvdimm/region: always show the 'align' attribute 2020-06-17 14:08:31 -07:00
nvme Kbuild updates for v5.8 (2nd) 2020-06-13 13:29:16 -07:00
nvmem
of of: of_mdio: Correct loop scanning logic 2020-06-19 13:39:00 -07:00
opp treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
oprofile oprofile: Replace zero-length array with flexible-array 2020-06-15 23:08:32 -05:00
parisc
parport treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
pci Kbuild updates for v5.8 (2nd) 2020-06-13 13:29:16 -07:00
pcmcia treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
perf arm64 merge window fixes for -rc1 2020-06-11 12:53:23 -07:00
phy phy: samsung: Replace zero-length array with flexible-array 2020-06-15 23:08:32 -05:00
pinctrl pinctrl: single: fix function name in documentation 2020-06-20 22:41:32 +02:00
platform Kbuild updates for v5.8 (2nd) 2020-06-13 13:29:16 -07:00
pnp treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
power power supply and reset changes for the v5.8 series 2020-06-10 11:28:35 -07:00
powercap Kbuild updates for v5.8 (2nd) 2020-06-13 13:29:16 -07:00
pps treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
ps3
ptp treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
pwm pwm: Add missing "CONFIG_" prefix 2020-06-04 19:09:28 +02:00
rapidio rapidio: Replace zero-length array with flexible-array 2020-06-15 23:08:32 -05:00
ras
regulator regulator: mt6358: Remove BROKEN dependency 2020-06-17 13:01:19 +01:00
remoteproc remoteproc updates for v5.8 2020-06-08 13:01:08 -07:00
reset Char/Misc driver patches for 5.8-rc1 2020-06-07 10:59:32 -07:00
rpmsg remoteproc updates for v5.8 2020-06-08 13:01:08 -07:00
rtc RTC for 5.8 2020-06-07 16:11:23 -07:00
s390 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-06-25 18:27:40 -07:00
sbus treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
scsi scsi: Wire up ata_scsi_dma_need_drain for SAS HBA drivers 2020-06-15 23:40:43 -04:00
sfi treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
sh
siox
slimbus
soc soc: ti: Replace zero-length array with flexible-array 2020-06-15 23:08:32 -05:00
soundwire
spi spi: Fixes for v5.8 2020-06-22 09:49:59 -07:00
spmi
ssb
staging Kbuild updates for v5.8 (2nd) 2020-06-13 13:29:16 -07:00
target Kbuild updates for v5.8 (2nd) 2020-06-13 13:29:16 -07:00
tc
tee mmap locking API: use coccinelle to convert mmap_sem rwsem call sites 2020-06-09 09:39:14 -07:00
thermal - Add the hwmon support on the i.MX SC (Anson Huang) 2020-06-12 14:10:21 -07:00
thunderbolt USB/PHY driver updates for 5.8-rc1 2020-06-07 09:42:16 -07:00
tty treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
uio
usb Kbuild updates for v5.8 (2nd) 2020-06-13 13:29:16 -07:00
vdpa vdpa: fix typos in the comments for __vdpa_alloc_device() 2020-06-22 12:34:21 -04:00
vfio kernel: better document the use_mm/unuse_mm API contract 2020-06-10 19:14:18 -07:00
vhost tools/virtio: Add --reset 2020-06-22 12:34:21 -04:00
video Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux 2020-06-20 19:18:27 -07:00
virt treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
virtio virtio-mem: add memory via add_memory_driver_managed() 2020-06-22 12:34:21 -04:00
visorbus treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
vlynq
vme treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
w1 w1: Replace zero-length array with flexible-array 2020-06-15 23:08:32 -05:00
watchdog treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
xen The X86 entry, exception and interrupt code rework 2020-06-13 10:05:47 -07:00
zorro treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
Kconfig
Makefile