[PATCH net] cxgb4: fix out-of-bounds MSI-X info array access

[PATCH net] cxgb4: fix out-of-bounds MSI-X info array access

[Vishal Kulkarni]

When fetching free MSI-X vectors for ULDs, check for the
error code before accessing MSI-X info array. Otherwise,
an out-of-bounds access is attempted, which results in
kernel panic.

Fixes: 94cdb8bb993a ("cxgb4: Add support for dynamic allocation of
resources for ULD")
Signed-off-by: Shahjada Abul Husain <shahjada@chelsio.com>
Signed-off-by: Vishal Kulkarni <vishal@chelsio.com>
---
 drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c
index 5b60224..399e579 100644
--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c
+++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c
@@ -137,13 +137,12 @@ static int uldrx_handler(struct sge_rspq *q, const __be64 *rsp,
 static int alloc_uld_rxqs(struct adapter *adap,
 			  struct sge_uld_rxq_info *rxq_info, bool lro)
 {
-	struct sge *s = &adap->sge;
 	unsigned int nq = rxq_info->nrxq + rxq_info->nciq;
+	int i, err, bmap_idx, msi_idx, que_idx = 0;
 	struct sge_ofld_rxq *q = rxq_info->uldrxq;
 	unsigned short *ids = rxq_info->rspq_id;
-	unsigned int bmap_idx = 0;
+	struct sge *s = &adap->sge;
 	unsigned int per_chan;
-	int i, err, msi_idx, que_idx = 0;
 
 	per_chan = rxq_info->nrxq / adap->params.nports;
 
@@ -161,6 +160,10 @@ static int alloc_uld_rxqs(struct adapter *adap,
 
 		if (msi_idx >= 0) {
 			bmap_idx = get_msix_idx_from_bmap(adap);
+			if (bmap_idx < 0) {
+				err = -ENOSPC;
+				goto freeout;
+			}
 			msi_idx = adap->msix_info_ulds[bmap_idx].idx;
 		}
 		err = t4_sge_alloc_rxq(adap, &q->rspq, false,
-- 
1.8.3.1

Re: [PATCH net] cxgb4: fix out-of-bounds MSI-X info array access

[kbuild test robot]

[-- Attachment #1: Type: text/plain, Size: 6202 bytes --]

Hi Vishal,

I love your patch! Perhaps something to improve:

[auto build test WARNING on net/master]

url:    https://github.com/0day-ci/linux/commits/Vishal-Kulkarni/cxgb4-fix-out-of-bounds-MSI-X-info-array-access/20191001-134119
config: sparc64-allmodconfig (attached as .config)
compiler: sparc64-linux-gcc (GCC) 7.4.0
reproduce:
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # save the attached .config to linux build tree
        GCC_VERSION=7.4.0 make.cross ARCH=sparc64 

If you fix the issue, kindly add following tag
Reported-by: kbuild test robot <lkp@intel.com>

Note: it may well be a FALSE warning. FWIW you are at least aware of it now.
http://gcc.gnu.org/wiki/Better_Uninitialized_Warnings

All warnings (new ones prefixed by >>):

   drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c: In function 'cxgb4_register_uld':
>> drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c:179:26: warning: 'bmap_idx' may be used uninitialized in this function [-Wmaybe-uninitialized]
       rxq_info->msix_tbl[i] = bmap_idx;
       ~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~
   drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c:141:14: note: 'bmap_idx' was declared here
     int i, err, bmap_idx, msi_idx, que_idx = 0;
                 ^~~~~~~~

vim +/bmap_idx +179 drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c

94cdb8bb993a23 Hariprasad Shenai 2016-08-17  136  
94cdb8bb993a23 Hariprasad Shenai 2016-08-17  137  static int alloc_uld_rxqs(struct adapter *adap,
166e6045cacccb Ganesh Goudar     2016-10-26  138  			  struct sge_uld_rxq_info *rxq_info, bool lro)
94cdb8bb993a23 Hariprasad Shenai 2016-08-17  139  {
166e6045cacccb Ganesh Goudar     2016-10-26  140  	unsigned int nq = rxq_info->nrxq + rxq_info->nciq;
18492f3ba5cfcc Vishal Kulkarni   2019-10-01  141  	int i, err, bmap_idx, msi_idx, que_idx = 0;
166e6045cacccb Ganesh Goudar     2016-10-26  142  	struct sge_ofld_rxq *q = rxq_info->uldrxq;
166e6045cacccb Ganesh Goudar     2016-10-26  143  	unsigned short *ids = rxq_info->rspq_id;
18492f3ba5cfcc Vishal Kulkarni   2019-10-01  144  	struct sge *s = &adap->sge;
166e6045cacccb Ganesh Goudar     2016-10-26  145  	unsigned int per_chan;
166e6045cacccb Ganesh Goudar     2016-10-26  146  
166e6045cacccb Ganesh Goudar     2016-10-26  147  	per_chan = rxq_info->nrxq / adap->params.nports;
94cdb8bb993a23 Hariprasad Shenai 2016-08-17  148  
80f61f19e542ae Arjun Vynipadath  2019-03-04  149  	if (adap->flags & CXGB4_USING_MSIX)
94cdb8bb993a23 Hariprasad Shenai 2016-08-17  150  		msi_idx = 1;
94cdb8bb993a23 Hariprasad Shenai 2016-08-17  151  	else
94cdb8bb993a23 Hariprasad Shenai 2016-08-17  152  		msi_idx = -((int)s->intrq.abs_id + 1);
94cdb8bb993a23 Hariprasad Shenai 2016-08-17  153  
94cdb8bb993a23 Hariprasad Shenai 2016-08-17  154  	for (i = 0; i < nq; i++, q++) {
166e6045cacccb Ganesh Goudar     2016-10-26  155  		if (i == rxq_info->nrxq) {
166e6045cacccb Ganesh Goudar     2016-10-26  156  			/* start allocation of concentrator queues */
166e6045cacccb Ganesh Goudar     2016-10-26  157  			per_chan = rxq_info->nciq / adap->params.nports;
166e6045cacccb Ganesh Goudar     2016-10-26  158  			que_idx = 0;
166e6045cacccb Ganesh Goudar     2016-10-26  159  		}
166e6045cacccb Ganesh Goudar     2016-10-26  160  
94cdb8bb993a23 Hariprasad Shenai 2016-08-17  161  		if (msi_idx >= 0) {
94cdb8bb993a23 Hariprasad Shenai 2016-08-17  162  			bmap_idx = get_msix_idx_from_bmap(adap);
18492f3ba5cfcc Vishal Kulkarni   2019-10-01  163  			if (bmap_idx < 0) {
18492f3ba5cfcc Vishal Kulkarni   2019-10-01  164  				err = -ENOSPC;
18492f3ba5cfcc Vishal Kulkarni   2019-10-01  165  				goto freeout;
18492f3ba5cfcc Vishal Kulkarni   2019-10-01  166  			}
0fbc81b3ad513f Hariprasad Shenai 2016-09-17  167  			msi_idx = adap->msix_info_ulds[bmap_idx].idx;
94cdb8bb993a23 Hariprasad Shenai 2016-08-17  168  		}
94cdb8bb993a23 Hariprasad Shenai 2016-08-17  169  		err = t4_sge_alloc_rxq(adap, &q->rspq, false,
166e6045cacccb Ganesh Goudar     2016-10-26  170  				       adap->port[que_idx++ / per_chan],
0fbc81b3ad513f Hariprasad Shenai 2016-09-17  171  				       msi_idx,
94cdb8bb993a23 Hariprasad Shenai 2016-08-17  172  				       q->fl.size ? &q->fl : NULL,
94cdb8bb993a23 Hariprasad Shenai 2016-08-17  173  				       uldrx_handler,
0fbc81b3ad513f Hariprasad Shenai 2016-09-17  174  				       lro ? uldrx_flush_handler : NULL,
94cdb8bb993a23 Hariprasad Shenai 2016-08-17  175  				       0);
94cdb8bb993a23 Hariprasad Shenai 2016-08-17  176  		if (err)
94cdb8bb993a23 Hariprasad Shenai 2016-08-17  177  			goto freeout;
94cdb8bb993a23 Hariprasad Shenai 2016-08-17  178  		if (msi_idx >= 0)
166e6045cacccb Ganesh Goudar     2016-10-26 @179  			rxq_info->msix_tbl[i] = bmap_idx;
94cdb8bb993a23 Hariprasad Shenai 2016-08-17  180  		memset(&q->stats, 0, sizeof(q->stats));
94cdb8bb993a23 Hariprasad Shenai 2016-08-17  181  		if (ids)
94cdb8bb993a23 Hariprasad Shenai 2016-08-17  182  			ids[i] = q->rspq.abs_id;
94cdb8bb993a23 Hariprasad Shenai 2016-08-17  183  	}
94cdb8bb993a23 Hariprasad Shenai 2016-08-17  184  	return 0;
94cdb8bb993a23 Hariprasad Shenai 2016-08-17  185  freeout:
166e6045cacccb Ganesh Goudar     2016-10-26  186  	q = rxq_info->uldrxq;
94cdb8bb993a23 Hariprasad Shenai 2016-08-17  187  	for ( ; i; i--, q++) {
94cdb8bb993a23 Hariprasad Shenai 2016-08-17  188  		if (q->rspq.desc)
94cdb8bb993a23 Hariprasad Shenai 2016-08-17  189  			free_rspq_fl(adap, &q->rspq,
94cdb8bb993a23 Hariprasad Shenai 2016-08-17  190  				     q->fl.size ? &q->fl : NULL);
94cdb8bb993a23 Hariprasad Shenai 2016-08-17  191  	}
94cdb8bb993a23 Hariprasad Shenai 2016-08-17  192  	return err;
94cdb8bb993a23 Hariprasad Shenai 2016-08-17  193  }
94cdb8bb993a23 Hariprasad Shenai 2016-08-17  194  

:::::: The code at line 179 was first introduced by commit
:::::: 166e6045cacccb3046883a1a4c977f173fec5ccd cxgb4: Fix error handling in alloc_uld_rxqs().

:::::: TO: Ganesh Goudar <ganeshgr@chelsio.com>
:::::: CC: David S. Miller <davem@davemloft.net>

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation

[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 59094 bytes --]

Re: [PATCH net] cxgb4: fix out-of-bounds MSI-X info array access

[David Miller]

From: Vishal Kulkarni <vishal@chelsio.com>
Date: Tue,  1 Oct 2019 04:07:57 +0530

> When fetching free MSI-X vectors for ULDs, check for the
> error code before accessing MSI-X info array. Otherwise,
> an out-of-bounds access is attempted, which results in
> kernel panic.
> 
> Fixes: 94cdb8bb993a ("cxgb4: Add support for dynamic allocation of
> resources for ULD")

Please do not split Fixes: tags onto multiple lines.

> Signed-off-by: Shahjada Abul Husain <shahjada@chelsio.com>
> Signed-off-by: Vishal Kulkarni <vishal@chelsio.com>

This patch adds a new warning:

drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c: In function ‘cxgb4_register_uld’:
drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c:179:26: warning: ‘bmap_idx’ may be used uninitialized in this function [-Wmaybe-uninitialized]
    rxq_info->msix_tbl[i] = bmap_idx;
    ~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~
drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c:141:14: note: ‘bmap_idx’ was declared here
  int i, err, bmap_idx, msi_idx, que_idx = 0;
              ^~~~~~~~