From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Oded Gabbay <oded.gabbay@gmail.com>,
	Tomer Tayar <ttayar@habana.ai>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH AUTOSEL 5.7 08/25] habanalabs: prevent possible out-of-bounds array access
Date: Mon, 27 Jul 2020 19:23:28 -0400
Message-ID: <20200727232345.717432-8-sashal@kernel.org>
In-Reply-To: <20200727232345.717432-1-sashal@kernel.org>

From: Oded Gabbay <oded.gabbay@gmail.com>

[ Upstream commit cea7a0449ea3fa4883bf5dc8397f000d6b67d6cd ]

Queue index is received from the user. Therefore, we must validate it
before using it to access the queue props array.

Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>
Reviewed-by: Tomer Tayar <ttayar@habana.ai>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/misc/habanalabs/command_submission.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/drivers/misc/habanalabs/command_submission.c b/drivers/misc/habanalabs/command_submission.c
index 409276b6374d7..e7c8e7473226f 100644
--- a/drivers/misc/habanalabs/command_submission.c
+++ b/drivers/misc/habanalabs/command_submission.c
@@ -425,11 +425,19 @@ static int validate_queue_index(struct hl_device *hdev,
 	struct asic_fixed_properties *asic = &hdev->asic_prop;
 	struct hw_queue_properties *hw_queue_prop;
 
+	/* This must be checked here to prevent out-of-bounds access to
+	 * hw_queues_props array
+	 */
+	if (chunk->queue_index >= HL_MAX_QUEUES) {
+		dev_err(hdev->dev, "Queue index %d is invalid\n",
+			chunk->queue_index);
+		return -EINVAL;
+	}
+
 	hw_queue_prop = &asic->hw_queues_props[chunk->queue_index];
 
-	if ((chunk->queue_index >= HL_MAX_QUEUES) ||
-			(hw_queue_prop->type == QUEUE_TYPE_NA)) {
-		dev_err(hdev->dev, "Queue index %d is invalid\n",
+	if (hw_queue_prop->type == QUEUE_TYPE_NA) {
+		dev_err(hdev->dev, "Queue index %d is not applicable\n",
 			chunk->queue_index);
 		return -EINVAL;
 	}
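
Review bot: The bounds check added ahead of `hw_queue_prop = &asic->hw_queues_props[chunk->queue_index];` closes the architectural out-of-bounds access, but because the commit message says the index comes from the user, the index should also be clamped with array_index_nospec(chunk->queue_index, HL_MAX_QUEUES) from <linux/nospec.h> before the array access, so a mispredicted branch cannot speculatively index past hw_queues_props. The check is upper-bound only and the value is printed with %d: the field's type is not visible in this hunk, so confirm it is unsigned (and switch to %u), since a signed field would let a negative index through. Both dev_err() calls are reachable with caller-chosen input, so dev_err_ratelimited() would keep an unprivileged caller from flooding the kernel log.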
-- 
2.25.1

