* [PATCH net] cxgb4: fix out-of-bounds MSI-X info array access
@ 2019-09-30 22:37 Vishal Kulkarni
2019-10-01 6:33 ` kbuild test robot
2019-10-02 1:38 ` David Miller
0 siblings, 2 replies; 3+ messages in thread
From: Vishal Kulkarni @ 2019-09-30 22:37 UTC (permalink / raw)
To: netdev, davem; +Cc: nirranjan, indranil, Vishal Kulkarni, Shahjada Abul Husain
When fetching free MSI-X vectors for ULDs, check for the
error code before accessing MSI-X info array. Otherwise,
an out-of-bounds access is attempted, which results in
kernel panic.
Fixes: 94cdb8bb993a ("cxgb4: Add support for dynamic allocation of
resources for ULD")
Signed-off-by: Shahjada Abul Husain <shahjada@chelsio.com>
Signed-off-by: Vishal Kulkarni <vishal@chelsio.com>
---
drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c
index 5b60224..399e579 100644
--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c
+++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c
@@ -137,13 +137,12 @@ static int uldrx_handler(struct sge_rspq *q, const __be64 *rsp,
static int alloc_uld_rxqs(struct adapter *adap,
struct sge_uld_rxq_info *rxq_info, bool lro)
{
- struct sge *s = &adap->sge;
unsigned int nq = rxq_info->nrxq + rxq_info->nciq;
+ int i, err, bmap_idx, msi_idx, que_idx = 0;
struct sge_ofld_rxq *q = rxq_info->uldrxq;
unsigned short *ids = rxq_info->rspq_id;
- unsigned int bmap_idx = 0;
+ struct sge *s = &adap->sge;
unsigned int per_chan;
- int i, err, msi_idx, que_idx = 0;
per_chan = rxq_info->nrxq / adap->params.nports;
@@ -161,6 +160,10 @@ static int alloc_uld_rxqs(struct adapter *adap,
if (msi_idx >= 0) {
bmap_idx = get_msix_idx_from_bmap(adap);
+ if (bmap_idx < 0) {
+ err = -ENOSPC;
+ goto freeout;
+ }
msi_idx = adap->msix_info_ulds[bmap_idx].idx;
}
err = t4_sge_alloc_rxq(adap, &q->rspq, false,
--
1.8.3.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH net] cxgb4: fix out-of-bounds MSI-X info array access
2019-09-30 22:37 [PATCH net] cxgb4: fix out-of-bounds MSI-X info array access Vishal Kulkarni
@ 2019-10-01 6:33 ` kbuild test robot
2019-10-02 1:38 ` David Miller
1 sibling, 0 replies; 3+ messages in thread
From: kbuild test robot @ 2019-10-01 6:33 UTC (permalink / raw)
To: Vishal Kulkarni
Cc: kbuild-all, netdev, davem, nirranjan, indranil, Vishal Kulkarni,
Shahjada Abul Husain
[-- Attachment #1: Type: text/plain, Size: 6202 bytes --]
Hi Vishal,
I love your patch! Perhaps something to improve:
[auto build test WARNING on net/master]
url: https://github.com/0day-ci/linux/commits/Vishal-Kulkarni/cxgb4-fix-out-of-bounds-MSI-X-info-array-access/20191001-134119
config: sparc64-allmodconfig (attached as .config)
compiler: sparc64-linux-gcc (GCC) 7.4.0
reproduce:
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# save the attached .config to linux build tree
GCC_VERSION=7.4.0 make.cross ARCH=sparc64
If you fix the issue, kindly add following tag
Reported-by: kbuild test robot <lkp@intel.com>
Note: it may well be a FALSE warning. FWIW you are at least aware of it now.
http://gcc.gnu.org/wiki/Better_Uninitialized_Warnings
All warnings (new ones prefixed by >>):
drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c: In function 'cxgb4_register_uld':
>> drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c:179:26: warning: 'bmap_idx' may be used uninitialized in this function [-Wmaybe-uninitialized]
rxq_info->msix_tbl[i] = bmap_idx;
~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~
drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c:141:14: note: 'bmap_idx' was declared here
int i, err, bmap_idx, msi_idx, que_idx = 0;
^~~~~~~~
vim +/bmap_idx +179 drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c
94cdb8bb993a23 Hariprasad Shenai 2016-08-17 136
94cdb8bb993a23 Hariprasad Shenai 2016-08-17 137 static int alloc_uld_rxqs(struct adapter *adap,
166e6045cacccb Ganesh Goudar 2016-10-26 138 struct sge_uld_rxq_info *rxq_info, bool lro)
94cdb8bb993a23 Hariprasad Shenai 2016-08-17 139 {
166e6045cacccb Ganesh Goudar 2016-10-26 140 unsigned int nq = rxq_info->nrxq + rxq_info->nciq;
18492f3ba5cfcc Vishal Kulkarni 2019-10-01 141 int i, err, bmap_idx, msi_idx, que_idx = 0;
166e6045cacccb Ganesh Goudar 2016-10-26 142 struct sge_ofld_rxq *q = rxq_info->uldrxq;
166e6045cacccb Ganesh Goudar 2016-10-26 143 unsigned short *ids = rxq_info->rspq_id;
18492f3ba5cfcc Vishal Kulkarni 2019-10-01 144 struct sge *s = &adap->sge;
166e6045cacccb Ganesh Goudar 2016-10-26 145 unsigned int per_chan;
166e6045cacccb Ganesh Goudar 2016-10-26 146
166e6045cacccb Ganesh Goudar 2016-10-26 147 per_chan = rxq_info->nrxq / adap->params.nports;
94cdb8bb993a23 Hariprasad Shenai 2016-08-17 148
80f61f19e542ae Arjun Vynipadath 2019-03-04 149 if (adap->flags & CXGB4_USING_MSIX)
94cdb8bb993a23 Hariprasad Shenai 2016-08-17 150 msi_idx = 1;
94cdb8bb993a23 Hariprasad Shenai 2016-08-17 151 else
94cdb8bb993a23 Hariprasad Shenai 2016-08-17 152 msi_idx = -((int)s->intrq.abs_id + 1);
94cdb8bb993a23 Hariprasad Shenai 2016-08-17 153
94cdb8bb993a23 Hariprasad Shenai 2016-08-17 154 for (i = 0; i < nq; i++, q++) {
166e6045cacccb Ganesh Goudar 2016-10-26 155 if (i == rxq_info->nrxq) {
166e6045cacccb Ganesh Goudar 2016-10-26 156 /* start allocation of concentrator queues */
166e6045cacccb Ganesh Goudar 2016-10-26 157 per_chan = rxq_info->nciq / adap->params.nports;
166e6045cacccb Ganesh Goudar 2016-10-26 158 que_idx = 0;
166e6045cacccb Ganesh Goudar 2016-10-26 159 }
166e6045cacccb Ganesh Goudar 2016-10-26 160
94cdb8bb993a23 Hariprasad Shenai 2016-08-17 161 if (msi_idx >= 0) {
94cdb8bb993a23 Hariprasad Shenai 2016-08-17 162 bmap_idx = get_msix_idx_from_bmap(adap);
18492f3ba5cfcc Vishal Kulkarni 2019-10-01 163 if (bmap_idx < 0) {
18492f3ba5cfcc Vishal Kulkarni 2019-10-01 164 err = -ENOSPC;
18492f3ba5cfcc Vishal Kulkarni 2019-10-01 165 goto freeout;
18492f3ba5cfcc Vishal Kulkarni 2019-10-01 166 }
0fbc81b3ad513f Hariprasad Shenai 2016-09-17 167 msi_idx = adap->msix_info_ulds[bmap_idx].idx;
94cdb8bb993a23 Hariprasad Shenai 2016-08-17 168 }
94cdb8bb993a23 Hariprasad Shenai 2016-08-17 169 err = t4_sge_alloc_rxq(adap, &q->rspq, false,
166e6045cacccb Ganesh Goudar 2016-10-26 170 adap->port[que_idx++ / per_chan],
0fbc81b3ad513f Hariprasad Shenai 2016-09-17 171 msi_idx,
94cdb8bb993a23 Hariprasad Shenai 2016-08-17 172 q->fl.size ? &q->fl : NULL,
94cdb8bb993a23 Hariprasad Shenai 2016-08-17 173 uldrx_handler,
0fbc81b3ad513f Hariprasad Shenai 2016-09-17 174 lro ? uldrx_flush_handler : NULL,
94cdb8bb993a23 Hariprasad Shenai 2016-08-17 175 0);
94cdb8bb993a23 Hariprasad Shenai 2016-08-17 176 if (err)
94cdb8bb993a23 Hariprasad Shenai 2016-08-17 177 goto freeout;
94cdb8bb993a23 Hariprasad Shenai 2016-08-17 178 if (msi_idx >= 0)
166e6045cacccb Ganesh Goudar 2016-10-26 @179 rxq_info->msix_tbl[i] = bmap_idx;
94cdb8bb993a23 Hariprasad Shenai 2016-08-17 180 memset(&q->stats, 0, sizeof(q->stats));
94cdb8bb993a23 Hariprasad Shenai 2016-08-17 181 if (ids)
94cdb8bb993a23 Hariprasad Shenai 2016-08-17 182 ids[i] = q->rspq.abs_id;
94cdb8bb993a23 Hariprasad Shenai 2016-08-17 183 }
94cdb8bb993a23 Hariprasad Shenai 2016-08-17 184 return 0;
94cdb8bb993a23 Hariprasad Shenai 2016-08-17 185 freeout:
166e6045cacccb Ganesh Goudar 2016-10-26 186 q = rxq_info->uldrxq;
94cdb8bb993a23 Hariprasad Shenai 2016-08-17 187 for ( ; i; i--, q++) {
94cdb8bb993a23 Hariprasad Shenai 2016-08-17 188 if (q->rspq.desc)
94cdb8bb993a23 Hariprasad Shenai 2016-08-17 189 free_rspq_fl(adap, &q->rspq,
94cdb8bb993a23 Hariprasad Shenai 2016-08-17 190 q->fl.size ? &q->fl : NULL);
94cdb8bb993a23 Hariprasad Shenai 2016-08-17 191 }
94cdb8bb993a23 Hariprasad Shenai 2016-08-17 192 return err;
94cdb8bb993a23 Hariprasad Shenai 2016-08-17 193 }
94cdb8bb993a23 Hariprasad Shenai 2016-08-17 194
:::::: The code at line 179 was first introduced by commit
:::::: 166e6045cacccb3046883a1a4c977f173fec5ccd cxgb4: Fix error handling in alloc_uld_rxqs().
:::::: TO: Ganesh Goudar <ganeshgr@chelsio.com>
:::::: CC: David S. Miller <davem@davemloft.net>
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 59094 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH net] cxgb4: fix out-of-bounds MSI-X info array access
2019-09-30 22:37 [PATCH net] cxgb4: fix out-of-bounds MSI-X info array access Vishal Kulkarni
2019-10-01 6:33 ` kbuild test robot
@ 2019-10-02 1:38 ` David Miller
1 sibling, 0 replies; 3+ messages in thread
From: David Miller @ 2019-10-02 1:38 UTC (permalink / raw)
To: vishal; +Cc: netdev, nirranjan, indranil, shahjada
From: Vishal Kulkarni <vishal@chelsio.com>
Date: Tue, 1 Oct 2019 04:07:57 +0530
> When fetching free MSI-X vectors for ULDs, check for the
> error code before accessing MSI-X info array. Otherwise,
> an out-of-bounds access is attempted, which results in
> kernel panic.
>
> Fixes: 94cdb8bb993a ("cxgb4: Add support for dynamic allocation of
> resources for ULD")
Please do not split Fixes: tags onto multiple lines.
> Signed-off-by: Shahjada Abul Husain <shahjada@chelsio.com>
> Signed-off-by: Vishal Kulkarni <vishal@chelsio.com>
This patch adds a new warning:
drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c: In function ‘cxgb4_register_uld’:
drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c:179:26: warning: ‘bmap_idx’ may be used uninitialized in this function [-Wmaybe-uninitialized]
rxq_info->msix_tbl[i] = bmap_idx;
~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~
drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c:141:14: note: ‘bmap_idx’ was declared here
int i, err, bmap_idx, msi_idx, que_idx = 0;
^~~~~~~~
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-10-02 1:38 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-09-30 22:37 [PATCH net] cxgb4: fix out-of-bounds MSI-X info array access Vishal Kulkarni
2019-10-01 6:33 ` kbuild test robot
2019-10-02 1:38 ` David Miller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).