Patch Detail
GET /api/patches/804660/?format=api
{ "id": 804660, "url": "http://patchwork.ozlabs.org/api/patches/804660/?format=api", "web_url": "http://patchwork.ozlabs.org/project/intel-wired-lan/patch/20170822210442.18006-1-jacob.e.keller@intel.com/", "project": { "id": 46, "url": "http://patchwork.ozlabs.org/api/projects/46/?format=api", "name": "Intel Wired Ethernet development", "link_name": "intel-wired-lan", "list_id": "intel-wired-lan.osuosl.org", "list_email": "intel-wired-lan@osuosl.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20170822210442.18006-1-jacob.e.keller@intel.com>", "list_archive_url": null, "date": "2017-08-22T21:04:42", "name": "[v2] i40e/i40evf: fix out-of-bounds read of cpumask", "commit_ref": null, "pull_url": null, "state": "accepted", "archived": false, "hash": "0fb64e9e53286a4ecd0475e4603cf0b23e65f417", "submitter": { "id": 9784, "url": "http://patchwork.ozlabs.org/api/people/9784/?format=api", "name": "Jacob Keller", "email": "jacob.e.keller@intel.com" }, "delegate": { "id": 68, "url": "http://patchwork.ozlabs.org/api/users/68/?format=api", "username": "jtkirshe", "first_name": "Jeff", "last_name": "Kirsher", "email": "jeffrey.t.kirsher@intel.com" }, "mbox": "http://patchwork.ozlabs.org/project/intel-wired-lan/patch/20170822210442.18006-1-jacob.e.keller@intel.com/mbox/", "series": [], "comments": "http://patchwork.ozlabs.org/api/patches/804660/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/804660/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<intel-wired-lan-bounces@osuosl.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "intel-wired-lan@lists.osuosl.org" ], "Delivered-To": [ "patchwork-incoming@bilbo.ozlabs.org", "intel-wired-lan@lists.osuosl.org" ], "Authentication-Results": "ozlabs.org;\n\tspf=pass (mailfrom) smtp.mailfrom=osuosl.org\n\t(client-ip=140.211.166.137; 
helo=fraxinus.osuosl.org;\n\tenvelope-from=intel-wired-lan-bounces@osuosl.org;\n\treceiver=<UNKNOWN>)", "Received": [ "from fraxinus.osuosl.org (smtp4.osuosl.org [140.211.166.137])\n\t(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3xcNP05L2nz9s8J\n\tfor <incoming@patchwork.ozlabs.org>;\n\tWed, 23 Aug 2017 07:05:08 +1000 (AEST)", "from localhost (localhost [127.0.0.1])\n\tby fraxinus.osuosl.org (Postfix) with ESMTP id B4A7086265;\n\tTue, 22 Aug 2017 21:05:06 +0000 (UTC)", "from fraxinus.osuosl.org ([127.0.0.1])\n\tby localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)\n\twith ESMTP id a3j6HC4GeZs9; Tue, 22 Aug 2017 21:05:04 +0000 (UTC)", "from ash.osuosl.org (ash.osuosl.org [140.211.166.34])\n\tby fraxinus.osuosl.org (Postfix) with ESMTP id E580886705;\n\tTue, 22 Aug 2017 21:05:02 +0000 (UTC)", "from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138])\n\tby ash.osuosl.org (Postfix) with ESMTP id 930701C2AD1\n\tfor <intel-wired-lan@lists.osuosl.org>;\n\tTue, 22 Aug 2017 21:05:01 +0000 (UTC)", "from localhost (localhost [127.0.0.1])\n\tby whitealder.osuosl.org (Postfix) with ESMTP id 85898866CB\n\tfor <intel-wired-lan@lists.osuosl.org>;\n\tTue, 22 Aug 2017 21:05:01 +0000 (UTC)", "from whitealder.osuosl.org ([127.0.0.1])\n\tby localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)\n\twith ESMTP id gtAwhEoOGBHW for <intel-wired-lan@lists.osuosl.org>;\n\tTue, 22 Aug 2017 21:05:00 +0000 (UTC)", "from mga11.intel.com (mga11.intel.com [192.55.52.93])\n\tby whitealder.osuosl.org (Postfix) with ESMTPS id 7196C86714\n\tfor <intel-wired-lan@lists.osuosl.org>;\n\tTue, 22 Aug 2017 21:05:00 +0000 (UTC)", "from orsmga001.jf.intel.com ([10.7.209.18])\n\tby fmsmga102.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;\n\t22 Aug 2017 14:04:59 -0700", "from jekeller-desk.amr.corp.intel.com (HELO\n\tjekeller-desk.jekeller.internal) ([134.134.177.230])\n\tby 
orsmga001.jf.intel.com with ESMTP; 22 Aug 2017 14:04:59 -0700" ], "X-Virus-Scanned": [ "amavisd-new at osuosl.org", "amavisd-new at osuosl.org" ], "X-Greylist": "domain auto-whitelisted by SQLgrey-1.7.6", "X-ExtLoop1": "1", "X-IronPort-AV": "E=Sophos; i=\"5.41,413,1498546800\"; d=\"scan'208\";\n\ta=\"1165188588\"", "From": "Jacob Keller <jacob.e.keller@intel.com>", "To": "Intel Wired LAN <intel-wired-lan@lists.osuosl.org>", "Date": "Tue, 22 Aug 2017 14:04:42 -0700", "Message-Id": "<20170822210442.18006-1-jacob.e.keller@intel.com>", "X-Mailer": "git-send-email 2.14.1.323.g792488f9a5e1", "Cc": "netdev@vger.kernel.org, stable@vger.kernel.org#4.10+", "Subject": "[Intel-wired-lan] [PATCH v2] i40e/i40evf: fix out-of-bounds read of\n\tcpumask", "X-BeenThere": "intel-wired-lan@osuosl.org", "X-Mailman-Version": "2.1.18-1", "Precedence": "list", "List-Id": "Intel Wired Ethernet Linux Kernel Driver Development\n\t<intel-wired-lan.osuosl.org>", "List-Unsubscribe": "<https://lists.osuosl.org/mailman/options/intel-wired-lan>, \n\t<mailto:intel-wired-lan-request@osuosl.org?subject=unsubscribe>", "List-Archive": "<http://lists.osuosl.org/pipermail/intel-wired-lan/>", "List-Post": "<mailto:intel-wired-lan@osuosl.org>", "List-Help": "<mailto:intel-wired-lan-request@osuosl.org?subject=help>", "List-Subscribe": "<https://lists.osuosl.org/mailman/listinfo/intel-wired-lan>, \n\t<mailto:intel-wired-lan-request@osuosl.org?subject=subscribe>", "MIME-Version": "1.0", "Content-Type": "text/plain; charset=\"us-ascii\"", "Content-Transfer-Encoding": "7bit", "Errors-To": "intel-wired-lan-bounces@osuosl.org", "Sender": "\"Intel-wired-lan\" <intel-wired-lan-bounces@osuosl.org>" }, "content": "When responding to an affinity hint we directly copied a cpumask value,\ninstead of using cpumask_copy. 
According to cpumask.h this is not\ncorrect because cpumask_t is only guaranteed to have enough space for\nthe number of CPUs in the system, and may not be as big as we expect.\nThus a direct copy results in an out-of-bound read and potentially\na crash if the pages are aligned just right. This will be easily\ndetected on a kernel with KASAN enabled:\n\nKASAN reports:\n[ 25.242312] BUG: KASAN: slab-out-of-bounds in i40e_irq_affinity_notify+0x30/0x50 [i40e] at addr ffff880462eea960\n[ 25.242315] Read of size 1024 by task kworker/2:1/170\n[ 25.242322] CPU: 2 PID: 170 Comm: kworker/2:1 Not tainted 4.11.0-22.el7a.x86_64 #1\n[ 25.242325] Hardware name: HP ProLiant DL380 Gen9, BIOS P89 05/06/2015\n[ 25.242336] Workqueue: events irq_affinity_notify\n[ 25.242340] Call Trace:\n[ 25.242350] dump_stack+0x63/0x8d\n[ 25.242358] kasan_object_err+0x21/0x70\n[ 25.242364] kasan_report+0x288/0x540\n[ 25.242397] ? i40e_irq_affinity_notify+0x30/0x50 [i40e]\n[ 25.242403] check_memory_region+0x13c/0x1a0\n[ 25.242408] __asan_loadN+0xf/0x20\n[ 25.242440] i40e_irq_affinity_notify+0x30/0x50 [i40e]\n[ 25.242446] irq_affinity_notify+0x1b4/0x230\n[ 25.242452] ? irq_set_affinity_notifier+0x130/0x130\n[ 25.242457] ? kasan_slab_free+0x89/0xc0\n[ 25.242466] process_one_work+0x32f/0x6f0\n[ 25.242472] worker_thread+0x89/0x770\n[ 25.242481] ? pci_mmcfg_check_reserved+0xc0/0xc0\n[ 25.242488] kthread+0x18c/0x1e0\n[ 25.242493] ? process_one_work+0x6f0/0x6f0\n[ 25.242499] ? 
kthread_create_on_node+0xc0/0xc0\n[ 25.242506] ret_from_fork+0x2c/0x40\n[ 25.242511] Object at ffff880462eea960, in cache kmalloc-8 size: 8\n[ 25.242513] Allocated:\n[ 25.242514] PID = 170\n[ 25.242522] save_stack_trace+0x1b/0x20\n[ 25.242529] save_stack+0x46/0xd0\n[ 25.242533] kasan_kmalloc+0xad/0xe0\n[ 25.242537] __kmalloc_node+0x12c/0x2b0\n[ 25.242542] alloc_cpumask_var_node+0x3c/0x60\n[ 25.242546] alloc_cpumask_var+0xe/0x10\n[ 25.242550] irq_affinity_notify+0x94/0x230\n[ 25.242555] process_one_work+0x32f/0x6f0\n[ 25.242559] worker_thread+0x89/0x770\n[ 25.242564] kthread+0x18c/0x1e0\n[ 25.242568] ret_from_fork+0x2c/0x40\n[ 25.242569] Freed:\n[ 25.242570] PID = 0\n[ 25.242572] (stack is not available)\n[ 25.242573] Memory state around the buggy address:\n[ 25.242578] ffff880462eea800: fc fc 00 fc fc 00 fc fc 00 fc fc 00 fc fc fb fc\n[ 25.242582] ffff880462eea880: fc fb fc fc fb fc fc 00 fc fc 00 fc fc 00 fc fc\n[ 25.242586] >ffff880462eea900: 00 fc fc 00 fc fc 00 fc fc fb fc fc 00 fc fc fc\n[ 25.242588] ^\n[ 25.242592] ffff880462eea980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n[ 25.242596] ffff880462eeaa00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n[ 25.242597] ==================================================================\n\nFixes: 96db776a3682 (\"i40e/i40evf: fix interrupt affinity bug\", 2016-09-14)\nSigned-off-by: Jacob Keller <jacob.e.keller@intel.com>\nCc: stable@vger.kernel.org # 4.10+\n---\nThis updates the commit message for the original fix, and indicates that\nit fixes a potential crash, as well as tagged the commit for stable and\nadded a Fixes to indicate which commit this fixes.\n\n drivers/net/ethernet/intel/i40e/i40e_main.c | 2 +-\n drivers/net/ethernet/intel/i40evf/i40evf_main.c | 2 +-\n 2 files changed, 2 insertions(+), 2 deletions(-)", "diff": "diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c\nindex 397f1bcaed3e..50a7260b32c2 100644\n--- 
a/drivers/net/ethernet/intel/i40e/i40e_main.c\n+++ b/drivers/net/ethernet/intel/i40e/i40e_main.c\n@@ -3450,7 +3450,7 @@ static void i40e_irq_affinity_notify(struct irq_affinity_notify *notify,\n \tstruct i40e_q_vector *q_vector =\n \t\tcontainer_of(notify, struct i40e_q_vector, affinity_notify);\n \n-\tq_vector->affinity_mask = *mask;\n+\tcpumask_copy(&q_vector->affinity_mask, mask);\n }\n \n /**\ndiff --git a/drivers/net/ethernet/intel/i40evf/i40evf_main.c b/drivers/net/ethernet/intel/i40evf/i40evf_main.c\nindex 1ffd55e06a49..87175a14740e 100644\n--- a/drivers/net/ethernet/intel/i40evf/i40evf_main.c\n+++ b/drivers/net/ethernet/intel/i40evf/i40evf_main.c\n@@ -520,7 +520,7 @@ static void i40evf_irq_affinity_notify(struct irq_affinity_notify *notify,\n \tstruct i40e_q_vector *q_vector =\n \t\tcontainer_of(notify, struct i40e_q_vector, affinity_notify);\n \n-\tq_vector->affinity_mask = *mask;\n+\tcpumask_copy(&q_vector->affinity_mask, mask);\n }\n \n /**\n", "prefixes": [ "v2" ] }
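Review bot: in the i40e_main.c hunk, cpumask_copy() only writes the first nr_cpumask_bits bits of the embedded q_vector->affinity_mask, so any bits past that keep whatever the field held before the call. Please confirm the q_vector is zero-allocated, and check the rest of the driver for other places that read or assign affinity_mask by plain struct copy, since the same "= *mask" pattern anywhere else would repeat the out-of-bounds read this hunk removes.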
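Review bot: for the i40evf_main.c hunk, the commit message documents only the i40e case: the KASAN trace names i40e_irq_affinity_notify [i40e], and nothing says whether the i40evf path was reproduced or changed by analogy. A sentence in the commit message stating that i40evf_irq_affinity_notify had the identical "q_vector->affinity_mask = *mask;" copy and is fixed the same way would make the scope of the stable backport clear.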