From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 63D6D15CAE for ; Tue, 8 Nov 2022 14:01:59 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id B748AC433D6; Tue, 8 Nov 2022 14:01:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1667916119; bh=N3UOjv83K1NG4QJv42MB/rhQscliIwrIK2Vp7z5gNt8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=MLHs2NW2cuQ48c6+YAn1bKbnUXi1GsltAwzSwn0YjhsLyuqkHtc7ntfBrBkn3YPWE Jl7lz4Kk8vKcnx/B2TorzMHdB9K+F/JktPXm4Zf5ajI3D1w+XWiCSpF7tQz7WcsH+V DOuQWWLgOUVNDRQhWfa00/Sao86gs9wlfWCOssbM= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Alexander Egorenkov , Vineeth Vijayan , Peter Oberparleiter , Vasily Gorbik , Sasha Levin Subject: [PATCH 5.15 068/144] s390/cio: fix out-of-bounds access on cio_ignore free Date: Tue, 8 Nov 2022 14:39:05 +0100 Message-Id: <20221108133348.154344678@linuxfoundation.org> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20221108133345.346704162@linuxfoundation.org> References: <20221108133345.346704162@linuxfoundation.org> User-Agent: quilt/0.67 Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit From: Peter Oberparleiter [ Upstream commit 1b6074112742f65ece71b0f299ca5a6a887d2db6 ] The channel-subsystem-driver scans for newly available devices whenever device-IDs are removed from the cio_ignore list using a command such as: echo free >/proc/cio_ignore Since an I/O device scan might interfer with running I/Os, commit 172da89ed0ea ("s390/cio: avoid excessive path-verification requests") introduced an optimization to exclude online devices from the scan. The newly added check for online devices incorrectly assumes that an I/O-subchannel's drvdata points to a struct io_subchannel_private. For devices that are bound to a non-default I/O subchannel driver, such as the vfio_ccw driver, this results in an out-of-bounds read access during each scan. Fix this by changing the scan logic to rely on a driver-independent online indication. For this we can use struct subchannel->config.ena, which is the driver's requested subchannel-enabled state. Since I/Os can only be started on enabled subchannels, this matches the intent of the original optimization of not scanning devices where I/O might be running. Fixes: 172da89ed0ea ("s390/cio: avoid excessive path-verification requests") Fixes: 0c3812c347bf ("s390/cio: derive cdev information only for IO-subchannels") Cc: # v5.15 Reported-by: Alexander Egorenkov Reviewed-by: Vineeth Vijayan Signed-off-by: Peter Oberparleiter Signed-off-by: Vasily Gorbik Signed-off-by: Sasha Levin --- drivers/s390/cio/css.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/drivers/s390/cio/css.c b/drivers/s390/cio/css.c index ce9e7517430f..2ba9e0135565 100644 --- a/drivers/s390/cio/css.c +++ b/drivers/s390/cio/css.c @@ -792,13 +792,9 @@ static int __unset_online(struct device *dev, void *data) { struct idset *set = data; struct subchannel *sch = to_subchannel(dev); - struct ccw_device *cdev; - if (sch->st == SUBCHANNEL_TYPE_IO) { - cdev = sch_get_cdev(sch); - if (cdev && cdev->online) - idset_sch_del(set, sch->schid); - } + if (sch->st == SUBCHANNEL_TYPE_IO && sch->config.ena) + idset_sch_del(set, sch->schid); return 0; } -- 2.35.1