From: Sasha Levin <sashal@kernel.org> To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Junxiao Bi <junxiao.bi@oracle.com>, Sumit Saxena <sumit.saxena@broadcom.com>, "Martin K . Petersen" <martin.petersen@oracle.com>, Sasha Levin <sashal@kernel.org>, megaraidlinux.pdl@broadcom.com, linux-scsi@vger.kernel.org Subject: [PATCH AUTOSEL 4.19 34/42] scsi: megaraid_sas: fix panic on loading firmware crashdump Date: Fri, 2 Aug 2019 09:22:54 -0400 Message-ID: <20190802132302.13537-34-sashal@kernel.org> (raw) In-Reply-To: <20190802132302.13537-1-sashal@kernel.org> From: Junxiao Bi <junxiao.bi@oracle.com> [ Upstream commit 3b5f307ef3cb5022bfe3c8ca5b8f2114d5bf6c29 ] While loading fw crashdump in function fw_crash_buffer_show(), left bytes in one dma chunk was not checked, if copying size over it, overflow access will cause kernel panic. Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com> Acked-by: Sumit Saxena <sumit.saxena@broadcom.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> --- drivers/scsi/megaraid/megaraid_sas_base.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c index e0c87228438d3..806ceabcabc3f 100644 --- a/drivers/scsi/megaraid/megaraid_sas_base.c +++ b/drivers/scsi/megaraid/megaraid_sas_base.c @@ -3025,6 +3025,7 @@ megasas_fw_crash_buffer_show(struct device *cdev, u32 size; unsigned long buff_addr; unsigned long dmachunk = CRASH_DMA_BUF_SIZE; + unsigned long chunk_left_bytes; unsigned long src_addr; unsigned long flags; u32 buff_offset; 
@@ -3050,6 +3051,8 @@ megasas_fw_crash_buffer_show(struct device *cdev, } size = (instance->fw_crash_buffer_size * dmachunk) - buff_offset; + chunk_left_bytes = dmachunk - (buff_offset % dmachunk); + size = (size > chunk_left_bytes) ? chunk_left_bytes : size; size = (size >= PAGE_SIZE) ? (PAGE_SIZE - 1) : size; src_addr = (unsigned long)instance->crash_buf[buff_offset / dmachunk] + -- 2.20.1
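Review bot: the new `chunk_left_bytes` in the declaration block of megasas_fw_crash_buffer_show() is `unsigned long`, while the `size` it is assigned into in the second hunk is `u32`. The value is bounded by `dmachunk`, so the implicit narrowing is harmless as long as `CRASH_DMA_BUF_SIZE` fits in 32 bits, but declaring it `u32` or doing the clamp with `min_t(u32, size, ...)` would make that explicit and keep it consistent with `size` and `buff_offset`.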
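Review bot: the clamp added ahead of the `PAGE_SIZE` limit has no comment saying why a read must stop at a chunk boundary. The reason only shows two lines later, where `src_addr` is taken from `instance->crash_buf[buff_offset / dmachunk]`, meaning each chunk is its own buffer; a one-line comment to that effect would keep a later cleanup from dropping the check, and both ternaries would read more clearly as `min_t()` calls. The clamp also relies on `buff_offset` being below `instance->fw_crash_buffer_size * dmachunk`: if it is not, the `u32` subtraction on the line above wraps and `buff_offset / dmachunk` indexes past the array. That bound is presumably enforced in the block that closes just above this context, and it is worth confirming it is present in the 4.19 tree. The commit message carries no Fixes: tag, which would help decide which stable branches need the backport.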