Ido Schimmel 6a882fb723 mlxsw: pci: Fix use-after-free in case of failed devlink reload
[ Upstream commit c4317b1167 ]

In case devlink reload failed, it is possible to trigger a
use-after-free when querying the kernel for device info via 'devlink dev
info' [1].

This happens because as part of the reload error path the PCI command
interface is de-initialized and its mailboxes are freed. When the
devlink '->info_get()' callback is invoked the device is queried via the
command interface and the freed mailboxes are accessed.

Fix this by initializing the command interface once during probe and not
during every reload.

This is consistent with the other bus used by mlxsw (i.e., 'mlxsw_i2c')
and also allows user space to query the running firmware version (for
example) from the device after a failed reload.

[1]
BUG: KASAN: use-after-free in memcpy include/linux/string.h:406 [inline]
BUG: KASAN: use-after-free in mlxsw_pci_cmd_exec+0x177/0xa60 drivers/net/ethernet/mellanox/mlxsw/pci.c:1675
Write of size 4096 at addr ffff88810ae32000 by task syz-executor.1/2355

CPU: 1 PID: 2355 Comm: syz-executor.1 Not tainted 5.8.0-rc2+ #29
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xf6/0x16e lib/dump_stack.c:118
 print_address_description.constprop.0+0x1c/0x250 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 check_memory_region_inline mm/kasan/generic.c:186 [inline]
 check_memory_region+0x14e/0x1b0 mm/kasan/generic.c:192
 memcpy+0x39/0x60 mm/kasan/common.c:106
 memcpy include/linux/string.h:406 [inline]
 mlxsw_pci_cmd_exec+0x177/0xa60 drivers/net/ethernet/mellanox/mlxsw/pci.c:1675
 mlxsw_cmd_exec+0x249/0x550 drivers/net/ethernet/mellanox/mlxsw/core.c:2335
 mlxsw_cmd_access_reg drivers/net/ethernet/mellanox/mlxsw/cmd.h:859 [inline]
 mlxsw_core_reg_access_cmd drivers/net/ethernet/mellanox/mlxsw/core.c:1938 [inline]
 mlxsw_core_reg_access+0x2f6/0x540 drivers/net/ethernet/mellanox/mlxsw/core.c:1985
 mlxsw_reg_query drivers/net/ethernet/mellanox/mlxsw/core.c:2000 [inline]
 mlxsw_devlink_info_get+0x17f/0x6e0 drivers/net/ethernet/mellanox/mlxsw/core.c:1090
 devlink_nl_info_fill.constprop.0+0x13c/0x2d0 net/core/devlink.c:4588
 devlink_nl_cmd_info_get_dumpit+0x246/0x460 net/core/devlink.c:4648
 genl_lock_dumpit+0x85/0xc0 net/netlink/genetlink.c:575
 netlink_dump+0x515/0xe50 net/netlink/af_netlink.c:2245
 __netlink_dump_start+0x53d/0x830 net/netlink/af_netlink.c:2353
 genl_family_rcv_msg_dumpit.isra.0+0x296/0x300 net/netlink/genetlink.c:638
 genl_family_rcv_msg net/netlink/genetlink.c:733 [inline]
 genl_rcv_msg+0x78d/0x9d0 net/netlink/genetlink.c:753
 netlink_rcv_skb+0x152/0x440 net/netlink/af_netlink.c:2469
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:764
 netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
 netlink_unicast+0x53a/0x750 net/netlink/af_netlink.c:1329
 netlink_sendmsg+0x850/0xd90 net/netlink/af_netlink.c:1918
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0x150/0x190 net/socket.c:672
 ____sys_sendmsg+0x6d8/0x840 net/socket.c:2363
 ___sys_sendmsg+0xff/0x170 net/socket.c:2417
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2450
 do_syscall_64+0x56/0xa0 arch/x86/entry/common.c:359
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: a9c8336f65 ("mlxsw: core: Add support for devlink info command")
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Reviewed-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2020-07-16 08:16:42 +02:00
appletalk
arcnet drivers: net: Fix Kconfig indentation 2019-09-26 08:56:17 +02:00
bonding bonding: Fix reference count leak in bond_sysfs_slave_add. 2020-06-03 08:21:38 +02:00
caif
can slcan: Don't transmit uninitialized stack data in padding 2020-04-13 10:48:05 +02:00
dsa net: dsa: microchip: set the correct number of ports 2020-07-16 08:16:38 +02:00
ethernet mlxsw: pci: Fix use-after-free in case of failed devlink reload 2020-07-16 08:16:42 +02:00
fddi
fjes fjes: fix missed check in fjes_acpi_add 2019-12-31 16:41:14 +01:00
hamradio yam: fix possible memory leak in yam_init_driver 2020-06-24 17:50:18 +02:00
hippi
hyperv hv_netvsc: Fix unwanted wakeup in netvsc_attach() 2020-03-05 16:43:46 +01:00
ieee802154 Merge tag 'ieee802154-for-davem-2019-09-28' of git://git.kernel.org/pub/scm/linux/kernel/git/sschmidt/wpan 2019-09-30 17:14:45 -07:00
ipvlan ipvlan: don't deref eth hdr before checking it's set 2020-03-18 07:17:39 +01:00
netdevsim netdevsim: fix stack-out-of-bounds in nsim_dev_debugfs_init() 2020-02-11 04:35:06 -08:00
phy net: phy: Check harder for errors in get_phy_id() 2020-06-30 15:36:46 -04:00
plip
ppp pppoe: only process PADT targeted at local interfaces 2020-05-20 08:20:09 +02:00
slip slip: not call free_netdev before rtnl_unlock in slip_open 2020-03-21 08:11:53 +01:00
team team: fix hang in team_mode_get() 2020-04-29 16:33:09 +02:00
usb smsc95xx: avoid memory leak in smsc95xx_bind 2020-07-16 08:16:39 +02:00
vmxnet3 net: vmxnet3: fix possible buffer overflow caused by bad DMA value in vmxnet3_get_rss() 2020-06-22 09:30:57 +02:00
wan wan: ixp4xx_hss: fix compile-testing on 64-bit 2020-02-24 08:36:46 +01:00
wimax wimax/i2400m: Fix potential urb refcnt leak 2020-05-10 10:31:26 +02:00
wireless b43_legacy: Fix connection problem with WPA3 2020-06-22 09:31:19 +02:00
xen-netback xen/netback: fix error path of xenvif_connect_data() 2019-10-19 11:43:29 -07:00
Kconfig net: Fix CONFIG_NET_CLS_ACT=n and CONFIG_NFT_FWD_NETDEV={y, m} build 2020-04-01 11:02:18 +02:00
LICENSE.SRC
Makefile
Space.c
dummy.c
eql.c
geneve.c geneve: allow changing DF behavior after creation 2020-06-30 15:36:43 -04:00
gtp.c gtp: set NLM_F_MULTI flag in gtp_genl_dump_pdp() 2020-05-27 17:46:33 +02:00
ifb.c net: Fix CONFIG_NET_CLS_ACT=n and CONFIG_NFT_FWD_NETDEV={y, m} build 2020-04-01 11:02:18 +02:00
loopback.c
macsec.c net: macsec: preserve ingress frame ordering 2020-05-14 07:58:21 +02:00
macvlan.c macvlan: Skip loopback packets in RX handler 2020-06-22 09:31:09 +02:00
macvtap.c
mdio.c
mii.c
net_failover.c net_failover: fixed rollback in net_failover_open() 2020-06-17 16:40:19 +02:00
netconsole.c
nlmon.c
ntb_netdev.c
rionet.c
sb1000.c
sungem_phy.c
tap.c net: tap: clean up an indentation issue 2019-09-27 20:58:35 +02:00
thunderbolt.c
tun.c tun: correct header offsets in napi frags mode 2020-06-17 16:40:20 +02:00
veth.c veth: Adjust hard_start offset on redirect XDP frames 2020-06-22 09:31:06 +02:00
virtio_net.c virtio_net: fix lockdep warning on 32 bit 2020-05-20 08:20:10 +02:00
vrf.c vrf: Check skb for XFRM_TRANSFORMED flag 2020-04-29 16:33:11 +02:00
vsockmon.c
vxlan.c vxlan: Avoid infinite loop when suppressing NS messages with invalid options 2020-06-17 16:40:20 +02:00
xen-netfront.c xen-netfront: do not use ~0U as error return value for xennet_fill_frags() 2019-10-01 21:49:51 -04:00