Cover Letter Detail
Show a cover letter.
GET /api/covers/1003353/?format=api
{ "id": 1003353, "url": "http://patchwork.ozlabs.org/api/covers/1003353/?format=api", "web_url": "http://patchwork.ozlabs.org/project/intel-wired-lan/cover/20181123161028.22633-1-khorenko@virtuozzo.com/", "project": { "id": 46, "url": "http://patchwork.ozlabs.org/api/projects/46/?format=api", "name": "Intel Wired Ethernet development", "link_name": "intel-wired-lan", "list_id": "intel-wired-lan.osuosl.org", "list_email": "intel-wired-lan@osuosl.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20181123161028.22633-1-khorenko@virtuozzo.com>", "list_archive_url": null, "date": "2018-11-23T16:10:27", "name": "[0/1] drivers/i40iw: out of bound access in i40iw_net_event()", "submitter": { "id": 74595, "url": "http://patchwork.ozlabs.org/api/people/74595/?format=api", "name": "Konstantin Khorenko", "email": "khorenko@virtuozzo.com" }, "mbox": "http://patchwork.ozlabs.org/project/intel-wired-lan/cover/20181123161028.22633-1-khorenko@virtuozzo.com/mbox/", "series": [ { "id": 78072, "url": "http://patchwork.ozlabs.org/api/series/78072/?format=api", "web_url": "http://patchwork.ozlabs.org/project/intel-wired-lan/list/?series=78072", "date": "2018-11-23T16:10:27", "name": "drivers/i40iw: out of bound access in i40iw_net_event()", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/78072/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/covers/1003353/comments/", "headers": { "Return-Path": "<intel-wired-lan-bounces@osuosl.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "intel-wired-lan@lists.osuosl.org" ], "Delivered-To": [ "patchwork-incoming@bilbo.ozlabs.org", "intel-wired-lan@lists.osuosl.org" ], "Authentication-Results": [ "ozlabs.org;\n\tspf=pass (mailfrom) smtp.mailfrom=osuosl.org\n\t(client-ip=140.211.166.133; helo=hemlock.osuosl.org;\n\tenvelope-from=intel-wired-lan-bounces@osuosl.org;\n\treceiver=<UNKNOWN>)", "ozlabs.org; dmarc=fail (p=none 
dis=none)\n\theader.from=virtuozzo.com" ], "Received": [ "from hemlock.osuosl.org (smtp2.osuosl.org [140.211.166.133])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256\n\tbits)) (No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 433Yyy0kxZz9s1c\n\tfor <incoming@patchwork.ozlabs.org>;\n\tTue, 27 Nov 2018 04:37:46 +1100 (AEDT)", "from localhost (localhost [127.0.0.1])\n\tby hemlock.osuosl.org (Postfix) with ESMTP id 829C4874AA;\n\tMon, 26 Nov 2018 17:37:44 +0000 (UTC)", "from hemlock.osuosl.org ([127.0.0.1])\n\tby localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)\n\twith ESMTP id bZb8I8iT6e1d; Mon, 26 Nov 2018 17:37:43 +0000 (UTC)", "from ash.osuosl.org (ash.osuosl.org [140.211.166.34])\n\tby hemlock.osuosl.org (Postfix) with ESMTP id 3F8AD874D3;\n\tMon, 26 Nov 2018 17:37:42 +0000 (UTC)", "from hemlock.osuosl.org (smtp2.osuosl.org [140.211.166.133])\n\tby ash.osuosl.org (Postfix) with ESMTP id CF4631BF3AA\n\tfor <intel-wired-lan@lists.osuosl.org>;\n\tFri, 23 Nov 2018 16:50:51 +0000 (UTC)", "from localhost (localhost [127.0.0.1])\n\tby hemlock.osuosl.org (Postfix) with ESMTP id CC4DE88E37\n\tfor <intel-wired-lan@lists.osuosl.org>;\n\tFri, 23 Nov 2018 16:50:51 +0000 (UTC)", "from hemlock.osuosl.org ([127.0.0.1])\n\tby localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)\n\twith ESMTP id y-NGcVx1++dh for <intel-wired-lan@lists.osuosl.org>;\n\tFri, 23 Nov 2018 16:50:49 +0000 (UTC)", "from relay.sw.ru (relay.sw.ru [185.231.240.75])\n\tby hemlock.osuosl.org (Postfix) with ESMTPS id 79BEC88E33\n\tfor <intel-wired-lan@lists.osuosl.org>;\n\tFri, 23 Nov 2018 16:50:49 +0000 (UTC)", "from [10.94.4.83] (helo=finist-ce7.sw.ru)\n\tby relay.sw.ru with esmtp (Exim 4.91)\n\t(envelope-from <khorenko@virtuozzo.com>)\n\tid 1gQE2I-0003fC-CB; Fri, 23 Nov 2018 19:10:30 +0300" ], "X-Virus-Scanned": [ "amavisd-new at osuosl.org", "amavisd-new at osuosl.org" ], "X-Greylist": "from auto-whitelisted by SQLgrey-1.7.6", "From": 
"Konstantin Khorenko <khorenko@virtuozzo.com>", "To": "Jeff Kirsher <jeffrey.t.kirsher@intel.com>", "Date": "Fri, 23 Nov 2018 19:10:27 +0300", "Message-Id": "<20181123161028.22633-1-khorenko@virtuozzo.com>", "X-Mailer": "git-send-email 2.15.1", "X-Mailman-Approved-At": "Mon, 26 Nov 2018 17:37:41 +0000", "Subject": "[Intel-wired-lan] [PATCH 0/1] drivers/i40iw: out of bound access in\n\ti40iw_net_event()", "X-BeenThere": "intel-wired-lan@osuosl.org", "X-Mailman-Version": "2.1.29", "Precedence": "list", "List-Id": "Intel Wired Ethernet Linux Kernel Driver Development\n\t<intel-wired-lan.osuosl.org>", "List-Unsubscribe": "<https://lists.osuosl.org/mailman/options/intel-wired-lan>, \n\t<mailto:intel-wired-lan-request@osuosl.org?subject=unsubscribe>", "List-Archive": "<http://lists.osuosl.org/pipermail/intel-wired-lan/>", "List-Post": "<mailto:intel-wired-lan@osuosl.org>", "List-Help": "<mailto:intel-wired-lan-request@osuosl.org?subject=help>", "List-Subscribe": "<https://lists.osuosl.org/mailman/listinfo/intel-wired-lan>, \n\t<mailto:intel-wired-lan-request@osuosl.org?subject=subscribe>", "Cc": "netdev@vger.kernel.org, intel-wired-lan@lists.osuosl.org,\n\tlinux-kernel@vger.kernel.org,\n\tKonstantin Khorenko <khorenko@virtuozzo.com>, \n\t\"David S . 
Miller\" <davem@davemloft.net>", "MIME-Version": "1.0", "Content-Type": "text/plain; charset=\"us-ascii\"", "Content-Transfer-Encoding": "7bit", "Errors-To": "intel-wired-lan-bounces@osuosl.org", "Sender": "\"Intel-wired-lan\" <intel-wired-lan-bounces@osuosl.org>" }, "content": "Running debug kernel on a node with infiniband card, got a KASan complaint:\n\n ==================================================================\n BUG: KASAN: slab-out-of-bounds in i40iw_copy_ip_ntohl+0x1c0/0x220\n Read of size 4 at addr ffff88852d477380 by task swapper/6/0\n\n CPU: 6 PID: 0 Comm: swapper/6 Not tainted 4.20.0-rc3-00087-gc8ce94b8fe53-dirty #15\n Hardware name: DEPO Computers Super Server/X10DRL-i, BIOS 2.0b 05/05/2017\n Call Trace:\n <IRQ>\n dump_stack+0x92/0xeb\n print_address_description+0x6a/0x280\n kasan_report+0x260/0x380\n i40iw_copy_ip_ntohl+0x1c0/0x220\n i40iw_net_event+0x150/0x200\n notifier_call_chain+0x90/0x160\n atomic_notifier_call_chain+0x6c/0x100\n neigh_update+0x82f/0x15c0\n neigh_event_ns+0x4c/0xe0\n arp_process+0x1733/0x1f60\n __netif_receive_skb_one_core+0xe6/0x150\n netif_receive_skb_internal+0xe5/0x4c0\n napi_gro_receive+0x2d1/0x3b0\n i40e_clean_rx_irq+0x9a5/0x2eb0\n i40e_napi_poll+0x11fd/0x2410\n net_rx_action+0x62f/0xbf0\n __do_softirq+0x256/0x9de\n irq_exit+0x29b/0x2d0\n do_IRQ+0x87/0x1a0\n common_interrupt+0xf/0xf\n\n Allocated by task 0:\n kasan_kmalloc+0xa0/0xd0\n __kmalloc+0x177/0x390\n __neigh_create+0x1e3/0x1820\n neigh_event_ns+0x6b/0xe0\n arp_process+0x1733/0x1f60\n __netif_receive_skb_one_core+0xe6/0x150\n netif_receive_skb_internal+0xe5/0x4c0\n napi_gro_receive+0x2d1/0x3b0\n i40e_clean_rx_irq+0x9a5/0x2eb0\n i40e_napi_poll+0x11fd/0x2410\n net_rx_action+0x62f/0xbf0\n __do_softirq+0x256/0x9de\n\n Freed by task 0:\n (stack is not available)\n\n The buggy address belongs to the object at ffff88852d477080\n to the cache kmalloc-1k of size 1024\n The buggy address is located 768 bytes inside of 1024-byte region [ffff88852d477080, 
ffff88852d477480)\n The buggy address belongs to the page:\n page:ffffea0014b51c00 count:1 mapcount:0 mapping:ffff888107c0ea00 index:0x0 compound_mapcount: 0\n flags: 0x17ffffc0010200(slab|head)\n raw: 0017ffffc0010200 dead000000000100 dead000000000200 ffff888107c0ea00\n raw: 0000000000000000 00000000801c001c 00000001ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n ffff88852d477280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff88852d477300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n >ffff88852d477380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n ^\n ffff88852d477400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n ffff88852d477480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n ==================================================================\n\nThe complaint is valid:\n\ni40iw_net_event() reads unconditionally 16 bytes from neigh->primary_key\nwhile the memory allocated for \"neighbour\" struct is evaluated in neigh_alloc() as\n\n tbl->entry_size + dev->neigh_priv_len\n\nwhere \"dev\" is a net_device.\n\nBut the driver does not set up dev->neigh_priv_len and we read beyond the neigh\nentry allocated memory, so the patch in the next mail fixes this.\n\n\n\n\nMore debug details:\n\ncrash> list net_device.dev_list -H 0xffffffffa908ec88 -s net_device.name -s net_device.neigh_priv_len\nffff88065a92a200\n name = \"lo\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\"\n neigh_priv_len = 0\nffff880642340000\n name = \"eno1\\000\\000\\071:00.0\\000\\000\\000\"\n neigh_priv_len = 0\nffff88064aa6a200\n name = \"enp6s0f0\\000\\000\\000\\000\\000\\000\\000\"\n neigh_priv_len = 0\nffff880641180000\n name = \"eno2\\000\\000a:00.0\\000\\000\\000\"\n neigh_priv_len = 0\nffff88063e8fd500\n name = \"enp6s0f1\\000\\000\\000\\000\\000\\000\\000\"\n neigh_priv_len = 0\nffff880031400000\n name = \"ens11f0\\000\\000\\000\\000\\000\\000\\000\\000\"\n neigh_priv_len = 
0\nffff88063c800000\n name = \"ens11f1\\000\\000\\000\\000\\000\\000\\000\\000\"\n neigh_priv_len = 0\nffff8808ff4ea100\n name = \"bond0\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\"\n neigh_priv_len = 0\nffff88101e334400\n name = \"ib0\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\"\n neigh_priv_len = 200\n=========================================\ncrash> list i40iw_handler.list -H i40iw_handlers\nffff88004bbc0000 ldev.netdev == 0xffff88063e8fd500\nstruct net_device {\n name = \"enp6s0f1\\000\\000\\000\\000\\000\\000\\000\",\n\nffff881049120000 ldev.netdev == 0xffff88064aa6a200\nstruct net_device {\n name = \"enp6s0f0\\000\\000\\000\\000\\000\\000\\000\",\n=========================================\nnet_device allocation stack:\n\nalloc_netdev_mqs\n alloc_etherdev_mq\n i40e_config_netdev\n i40e_vsi_setup\n i40e_setup_pf_switch\n i40e_probe\n\n=========================================\nAfter the patch:\n\ncrash> list net_device.dev_list -H 0xffffffff92a19b48 -s net_device.name -s net_device.neigh_priv_len\nffff88065a2dc400\n name = \"lo\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\"\n neigh_priv_len = 0\nffff8808fb6dc200\n name = \"bond0\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\"\n neigh_priv_len = 0\nffff880652600000\n name = \"ens11f0\\000\\000\\000\\000\\000\\000\\000\\000\"\n neigh_priv_len = 0\nffff880651a00000\n name = \"ens11f1\\000\\000\\000\\000\\000\\000\\000\\000\"\n neigh_priv_len = 0\nffff880651454000\n name = \"eno1\\000\\000\\071:00.0\\000\\000\\000\"\n neigh_priv_len = 0\nffff880651550000\n name = \"eno2\\000\\000a:00.0\\000\\000\\000\"\n neigh_priv_len = 0\nffff8806515cc400\n name = \"enp6s0f0\\000\\000\\000\\000\\000\\000\\000\"\n neigh_priv_len = 16\nffff880650932200\n name = \"enp6s0f1\\000\\000\\000\\000\\000\\000\\000\"\n neigh_priv_len = 16\nffff880642903300\n name = \"ib0\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\"\n neigh_priv_len = 
200\n\n=========================================\n\nKonstantin Khorenko (1):\n drivers/net/i40e: define proper net_device::neigh_priv_len\n\n drivers/net/ethernet/intel/i40e/i40e_main.c | 3 +++\n 1 file changed, 3 insertions(+)" }