From: Sasha Levin <sashal@kernel.org>
To: stable@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Yunsheng Lin <linyunsheng@huawei.com>,
"David S . Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.18 20/59] net: hns3: Fix for out-of-bounds access when setting pfc back pressure
Date: Wed, 14 Nov 2018 17:22:52 -0500 [thread overview]
Message-ID: <20181114222335.99339-20-sashal@kernel.org> (raw)
In-Reply-To: <20181114222335.99339-1-sashal@kernel.org>
From: Yunsheng Lin <linyunsheng@huawei.com>
[ Upstream commit e8ccbb7d2f53c62e14b889faaa3f6f809b657278 ]
The vport should be initialized to hdev->vport for each bp group,
otherwise it will cause out-of-bounds access and bp setting not
correct problem.
[ 35.254124] BUG: KASAN: slab-out-of-bounds in hclge_pause_setup_hw+0x2a0/0x3f8 [hclge]
[ 35.254126] Read of size 2 at addr ffff803b6651581a by task kworker/0:1/14
[ 35.254132] CPU: 0 PID: 14 Comm: kworker/0:1 Not tainted 4.19.0-rc7-hulk+ #85
[ 35.254133] Hardware name: Huawei D06/D06, BIOS Hisilicon D06 UEFI RC0 - B052 (V0.52) 09/14/2018
[ 35.254141] Workqueue: events work_for_cpu_fn
[ 35.254144] Call trace:
[ 35.254147] dump_backtrace+0x0/0x2f0
[ 35.254149] show_stack+0x24/0x30
[ 35.254154] dump_stack+0x110/0x184
[ 35.254157] print_address_description+0x168/0x2b0
[ 35.254160] kasan_report+0x184/0x310
[ 35.254162] __asan_load2+0x7c/0xa0
[ 35.254170] hclge_pause_setup_hw+0x2a0/0x3f8 [hclge]
[ 35.254177] hclge_tm_init_hw+0x794/0x9f0 [hclge]
[ 35.254184] hclge_tm_schd_init+0x48/0x58 [hclge]
[ 35.254191] hclge_init_ae_dev+0x778/0x1168 [hclge]
[ 35.254196] hnae3_register_ae_dev+0x14c/0x298 [hnae3]
[ 35.254206] hns3_probe+0x88/0xa8 [hns3]
[ 35.254210] local_pci_probe+0x7c/0xf0
[ 35.254212] work_for_cpu_fn+0x34/0x50
[ 35.254214] process_one_work+0x4d4/0xa38
[ 35.254216] worker_thread+0x55c/0x8d8
[ 35.254219] kthread+0x1b0/0x1b8
[ 35.254222] ret_from_fork+0x10/0x1c
[ 35.254224] The buggy address belongs to the page:
[ 35.254228] page:ffff7e00ed994400 count:1 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0
[ 35.273835] flags: 0xfffff8000008000(head)
[ 35.282007] raw: 0fffff8000008000 dead000000000100 dead000000000200 0000000000000000
[ 35.282010] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 35.282012] page dumped because: kasan: bad access detected
[ 35.282014] Memory state around the buggy address:
[ 35.282017] ffff803b66515700: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[ 35.282019] ffff803b66515780: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[ 35.282021] >ffff803b66515800: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[ 35.282022] ^
[ 35.282024] ffff803b66515880: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[ 35.282026] ffff803b66515900: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[ 35.282028] ==================================================================
[ 35.282029] Disabling lock debugging due to kernel taint
[ 35.282747] hclge driver initialization finished.
Fixes: 67bf2541f4b9 ("net: hns3: Fixes the back pressure setting when sriov is enabled")
Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c
index f027fceea548..b9a59bcbcc3c 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c
@@ -1173,14 +1173,14 @@ static int hclge_pfc_setup_hw(struct hclge_dev *hdev)
*/
static int hclge_bp_setup_hw(struct hclge_dev *hdev, u8 tc)
{
- struct hclge_vport *vport = hdev->vport;
- u32 i, k, qs_bitmap;
- int ret;
+ int i;
for (i = 0; i < HCLGE_BP_GRP_NUM; i++) {
- qs_bitmap = 0;
+ u32 qs_bitmap = 0;
+ int k, ret;
for (k = 0; k < hdev->num_alloc_vport; k++) {
+ struct hclge_vport *vport = &hdev->vport[k];
u16 qs_id = vport->qs_offset + tc;
u8 grp, sub_grp;
@@ -1190,8 +1190,6 @@ static int hclge_bp_setup_hw(struct hclge_dev *hdev, u8 tc)
HCLGE_BP_SUB_GRP_ID_S);
if (i == grp)
qs_bitmap |= (1 << sub_grp);
-
- vport++;
}
ret = hclge_tm_qs_bp_cfg(hdev, tc, i, qs_bitmap);
--
2.17.1
next prev parent reply other threads:[~2018-11-14 22:38 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-14 22:22 [PATCH AUTOSEL 4.18 01/59] s390/vdso: add missing FORCE to build targets Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 02/59] HID: i2c-hid: Add a small delay after sleep command for Raydium touchpanel Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 03/59] Revert "HID: add NOGET quirk for Eaton Ellipse MAX UPS" Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 04/59] HID: alps: allow incoming reports when only the trackstick is opened Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 05/59] netfilter: ipset: list:set: Decrease refcount synchronously on deletion and replace Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 06/59] netfilter: ipset: actually allow allowable CIDR 0 in hash:net,port,net Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 07/59] netfilter: ipset: fix ip_set_list allocation failure Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 08/59] s390/mm: fix mis-accounting of pgtable_bytes Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 09/59] s390/mm: Fix ERROR: "__node_distance" undefined! Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 10/59] bpf: fix bpf_prog_get_info_by_fd to return 0 func_lens for unpriv Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 11/59] usbnet: smsc95xx: disable carrier check while suspending Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 12/59] net: dsa: microchip: initialize mutex before use Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 13/59] net: bcmgenet: protect stop from timeout Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 14/59] net: systemport: Protect " Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 15/59] netfilter: ipset: Correct rcu_dereference() call in ip_set_put_comment() Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 16/59] netfilter: xt_IDLETIMER: add sysfs filename checking routine Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 17/59] netfilter: ipset: Fix calling ip_set() macro at dumping Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 18/59] netfilter: nft_compat: ebtables 'nat' table is normal chain type Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 19/59] s390/qeth: fix HiperSockets sniffer Sasha Levin
2018-11-14 22:22 ` Sasha Levin [this message]
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 21/59] mlxsw: spectrum: Fix IP2ME CPU policer configuration Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 22/59] hwmon: (ibmpowernv) Remove bogus __init annotations Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 23/59] net: phy: realtek: fix RTL8201F sysfs name Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 24/59] ARM: dts: fsl: Fix improperly quoted stdout-path values Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 25/59] ARM: dts: imx6sx-sdb: Fix enet phy regulator Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 26/59] Revert "drm/exynos/decon5433: implement frame counter" Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 27/59] arm64: dts: renesas: r8a7795: add missing dma-names on hscif2 Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 28/59] clk: fixed-factor: fix of_node_get-put imbalance Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 29/59] mtd: nand: Fix nanddev_pos_next_page() kernel-doc header Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 30/59] lib/raid6: Fix arm64 test build Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 31/59] drm/amd/display: Stop leaking planes Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 32/59] block: Clear kernel memory before copying to user Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 33/59] drm/amd/amdgpu/dm: Fix dm_dp_create_fake_mst_encoder() Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 34/59] s390/perf: Change CPUM_CF return code in event init function Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 35/59] ceph: quota: fix null pointer dereference in quota check Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 36/59] clk: meson-gxbb: set fclk_div3 as CLK_IS_CRITICAL Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 37/59] clk: meson: axg: mark fdiv2 and fdiv3 as critical Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 38/59] nvme: make sure ns head inherits underlying device limits Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 39/59] i2c: omap: Enable for ARCH_K3 Sasha Levin
2018-11-15 4:35 ` Vignesh R
2018-11-22 19:31 ` Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 40/59] sched/core: Take the hotplug lock in sched_init_smp() Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 41/59] perf tools: Fix undefined symbol scnprintf in libperf-jvmti.so Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 42/59] perf tools: Do not zero sample_id_all for group members Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 43/59] ice: Fix dead device link issue with flow control Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 44/59] ice: Fix the bytecount sent to netdev_tx_sent_queue Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 45/59] i40e: restore NETIF_F_GSO_IPXIP[46] to netdev features Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 46/59] ibmvnic: fix accelerated VLAN handling Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 47/59] qed: Fix memory/entry leak in qed_init_sp_request() Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 48/59] qed: Fix blocking/unlimited SPQ entries leak Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 49/59] qed: Fix SPQ entries not returned to pool in error flows Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 50/59] qed: Fix potential memory corruption Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 51/59] net: stmmac: Fix RX packet size > 8191 Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 52/59] net: smsc95xx: Fix MTU range Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 53/59] ext4: missing !bh check in ext4_xattr_inode_write() Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 54/59] net: aquantia: fix potential IOMMU fault after driver unbind Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 55/59] net: aquantia: fixed enable unicast on 32 macvlan Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 56/59] net: aquantia: invalid checksumm offload implementation Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 57/59] net: qualcomm: rmnet: Fix incorrect assignment of real_dev Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 58/59] kbuild: deb-pkg: fix too low build version number Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 59/59] net: dsa: mv88e6xxx: Fix clearing of stats counters Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181114222335.99339-20-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linyunsheng@huawei.com \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).