From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Hongbo Yao <yaohongbo@huawei.com>, Christoph Hellwig <hch@lst.de>,
Sasha Levin <sashal@kernel.org>,
linux-nvme@lists.infradead.org
Subject: [PATCH AUTOSEL 4.20 22/42] nvme-pci: fix out of bounds access in nvme_cqe_pending
Date: Sat, 9 Feb 2019 13:47:14 -0500 [thread overview]
Message-ID: <20190209184734.125935-22-sashal@kernel.org> (raw)
In-Reply-To: <20190209184734.125935-1-sashal@kernel.org>
From: Hongbo Yao <yaohongbo@huawei.com>
[ Upstream commit dcca1662727220d18fa351097ddff33f95f516c5 ]
There is an out of bounds array access in nvme_cqe_peding().
When enable irq_thread for nvme interrupt, there is racing between the
nvmeq->cq_head updating and reading.
nvmeq->cq_head is updated in nvme_update_cq_head(), if nvmeq->cq_head
equals nvmeq->q_depth and before its value set to zero, nvme_cqe_pending()
uses its value as an array index, the index will be out of bounds.
Signed-off-by: Hongbo Yao <yaohongbo@huawei.com>
[hch: slight coding style update]
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/pci.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index 0f45868e8af9..47597046c14f 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -913,9 +913,11 @@ static void nvme_complete_cqes(struct nvme_queue *nvmeq, u16 start, u16 end)
static inline void nvme_update_cq_head(struct nvme_queue *nvmeq)
{
- if (++nvmeq->cq_head == nvmeq->q_depth) {
+ if (nvmeq->cq_head == nvmeq->q_depth - 1) {
nvmeq->cq_head = 0;
nvmeq->cq_phase = !nvmeq->cq_phase;
+ } else {
+ nvmeq->cq_head++;
}
}
--
2.19.1
next prev parent reply other threads:[~2019-02-09 18:56 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-09 18:46 [PATCH AUTOSEL 4.20 01/42] drm/amdgpu/sriov:Correct pfvf exchange logic Sasha Levin
2019-02-09 18:46 ` [PATCH AUTOSEL 4.20 02/42] ACPI: NUMA: Use correct type for printing addresses on i386-PAE Sasha Levin
2019-02-09 18:46 ` [PATCH AUTOSEL 4.20 03/42] perf stat: Fix endless wait for child process Sasha Levin
2019-02-09 18:46 ` [PATCH AUTOSEL 4.20 04/42] perf report: Fix wrong iteration count in --branch-history Sasha Levin
2019-02-09 18:46 ` [PATCH AUTOSEL 4.20 05/42] perf test shell: Use a fallback to get the pathname in vfs_getname Sasha Levin
2019-02-09 18:46 ` [PATCH AUTOSEL 4.20 06/42] soc: renesas: r8a774c0-sysc: Fix initialization order of 3DG-{A,B} Sasha Levin
2019-02-09 18:46 ` [PATCH AUTOSEL 4.20 07/42] tools uapi: fix RISC-V 64-bit support Sasha Levin
2019-02-09 18:47 ` [PATCH AUTOSEL 4.20 08/42] riscv: fix trace_sys_exit hook Sasha Levin
2019-02-09 18:47 ` [PATCH AUTOSEL 4.20 09/42] cpufreq: check if policy is inactive early in __cpufreq_get() Sasha Levin
2019-02-09 18:47 ` [PATCH AUTOSEL 4.20 10/42] csky: fixup relocation error with 807 & 860 Sasha Levin
2019-02-09 18:47 ` [PATCH AUTOSEL 4.20 11/42] csky: fixup CACHEV1 store instruction fast retire Sasha Levin
2019-02-09 18:47 ` [PATCH AUTOSEL 4.20 12/42] csky: fixup compile error with pte_alloc Sasha Levin
2019-02-09 18:47 ` [PATCH AUTOSEL 4.20 13/42] irqchip/csky: fixup handle_irq_perbit break irq Sasha Levin
2019-02-09 18:47 ` [PATCH AUTOSEL 4.20 14/42] drm/amd/powerplay: avoid possible buffer overflow Sasha Levin
2019-02-09 18:47 ` [PATCH AUTOSEL 4.20 15/42] drm/bridge: tc358767: add bus flags Sasha Levin
2019-02-09 18:47 ` [PATCH AUTOSEL 4.20 16/42] drm/bridge: tc358767: add defines for DP1_SRCCTRL & PHY_2LANE Sasha Levin
2019-02-09 18:47 ` [PATCH AUTOSEL 4.20 17/42] drm/bridge: tc358767: fix single lane configuration Sasha Levin
2019-02-09 18:47 ` [PATCH AUTOSEL 4.20 18/42] drm/bridge: tc358767: fix initial DP0/1_SRCCTRL value Sasha Levin
2019-02-09 18:47 ` [PATCH AUTOSEL 4.20 19/42] drm/bridge: tc358767: reject modes which require too much BW Sasha Levin
2019-02-09 18:47 ` [PATCH AUTOSEL 4.20 20/42] drm/bridge: tc358767: fix output H/V syncs Sasha Levin
2019-02-09 18:47 ` [PATCH AUTOSEL 4.20 21/42] nvme-pci: use the same attributes when freeing host_mem_desc_bufs Sasha Levin
2019-02-09 18:47 ` Sasha Levin [this message]
2019-02-09 18:47 ` [PATCH AUTOSEL 4.20 23/42] nvme-multipath: zero out ANA log buffer Sasha Levin
2019-02-09 18:47 ` [PATCH AUTOSEL 4.20 24/42] nvme: pad fake subsys NQN vid and ssvid with zeros Sasha Levin
2019-02-09 18:47 ` [PATCH AUTOSEL 4.20 25/42] nvme: introduce NVME_QUIRK_IGNORE_DEV_SUBNQN Sasha Levin
2019-02-09 18:47 ` [PATCH AUTOSEL 4.20 26/42] drm/amdgpu: fix CPDMA hang in PRT mode for VEGA20 Sasha Levin
2019-02-09 18:47 ` [PATCH AUTOSEL 4.20 27/42] drm/amdgpu: set WRITE_BURST_LENGTH to 64B to workaround SDMA1 hang Sasha Levin
2019-02-09 18:47 ` [PATCH AUTOSEL 4.20 28/42] drm/amdgpu: disable system memory page tables for now Sasha Levin
2019-02-09 18:47 ` [PATCH AUTOSEL 4.20 29/42] ARM: dts: da850-evm: Correct the audio codec regulators Sasha Levin
2019-02-09 18:47 ` [PATCH AUTOSEL 4.20 30/42] ARM: dts: da850-evm: Correct the sound card name Sasha Levin
2019-02-09 18:47 ` [PATCH AUTOSEL 4.20 31/42] ARM: dts: da850-lcdk: Correct the audio codec regulators Sasha Levin
2019-02-09 18:47 ` [PATCH AUTOSEL 4.20 32/42] ARM: dts: da850-lcdk: Correct the sound card name Sasha Levin
2019-02-09 18:47 ` [PATCH AUTOSEL 4.20 33/42] ARM: dts: kirkwood: Fix polarity of GPIO fan lines Sasha Levin
2019-02-09 18:47 ` [PATCH AUTOSEL 4.20 34/42] csky: fixup compile error with CPU 810 Sasha Levin
2019-02-09 18:47 ` [PATCH AUTOSEL 4.20 35/42] gpio: pl061: handle failed allocations Sasha Levin
2019-02-09 18:47 ` [PATCH AUTOSEL 4.20 36/42] drm/nouveau: Don't disable polling in fallback mode Sasha Levin
2019-02-09 18:47 ` [PATCH AUTOSEL 4.20 37/42] drm/nouveau/falcon: avoid touching registers if engine is off Sasha Levin
2019-02-09 18:47 ` [PATCH AUTOSEL 4.20 38/42] cifs: Limit memory used by lock request calls to a page Sasha Levin
2019-02-09 18:47 ` [PATCH AUTOSEL 4.20 39/42] CIFS: Fix credits calculation for cancelled requests Sasha Levin
2019-02-09 18:47 ` [PATCH AUTOSEL 4.20 40/42] CIFS: Move credit processing to mid callbacks for SMB3 Sasha Levin
2019-02-12 1:48 ` Pavel Shilovskiy
2019-02-09 18:47 ` [PATCH AUTOSEL 4.20 41/42] CIFS: Fix error paths in writeback code Sasha Levin
2019-02-09 18:47 ` [PATCH AUTOSEL 4.20 42/42] kvm: sev: Fail KVM_SEV_INIT if already initialized Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190209184734.125935-22-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=hch@lst.de \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nvme@lists.infradead.org \
--cc=stable@vger.kernel.org \
--cc=yaohongbo@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).