Stable Archive on lore.kernel.org
 help / color / Atom feed
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Junxiao Bi <junxiao.bi@oracle.com>,
	Sumit Saxena <sumit.saxena@broadcom.com>,
	"Martin K . Petersen" <martin.petersen@oracle.com>,
	Sasha Levin <sashal@kernel.org>,
	megaraidlinux.pdl@broadcom.com, linux-scsi@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 34/42] scsi: megaraid_sas: fix panic on loading firmware crashdump
Date: Fri,  2 Aug 2019 09:22:54 -0400
Message-ID: <20190802132302.13537-34-sashal@kernel.org> (raw)
In-Reply-To: <20190802132302.13537-1-sashal@kernel.org>

From: Junxiao Bi <junxiao.bi@oracle.com>

[ Upstream commit 3b5f307ef3cb5022bfe3c8ca5b8f2114d5bf6c29 ]

While loading fw crashdump in function fw_crash_buffer_show(), left bytes
in one dma chunk was not checked, if copying size over it, overflow access
will cause kernel panic.

Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
Acked-by: Sumit Saxena <sumit.saxena@broadcom.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/megaraid/megaraid_sas_base.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c
index e0c87228438d3..806ceabcabc3f 100644
--- a/drivers/scsi/megaraid/megaraid_sas_base.c
+++ b/drivers/scsi/megaraid/megaraid_sas_base.c
@@ -3025,6 +3025,7 @@ megasas_fw_crash_buffer_show(struct device *cdev,
 	u32 size;
 	unsigned long buff_addr;
 	unsigned long dmachunk = CRASH_DMA_BUF_SIZE;
+	unsigned long chunk_left_bytes;
 	unsigned long src_addr;
 	unsigned long flags;
 	u32 buff_offset;
@@ -3050,6 +3051,8 @@ megasas_fw_crash_buffer_show(struct device *cdev,
 	}
 
 	size = (instance->fw_crash_buffer_size * dmachunk) - buff_offset;
+	chunk_left_bytes = dmachunk - (buff_offset % dmachunk);
+	size = (size > chunk_left_bytes) ? chunk_left_bytes : size;
 	size = (size >= PAGE_SIZE) ? (PAGE_SIZE - 1) : size;
 
 	src_addr = (unsigned long)instance->crash_buf[buff_offset / dmachunk] +
-- 
2.20.1


  parent reply index

Thread overview: 49+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-08-02 13:22 [PATCH AUTOSEL 4.19 01/42] netfilter: nfnetlink: avoid deadlock due to synchronous request_module Sasha Levin
2019-08-02 13:22 ` [PATCH AUTOSEL 4.19 02/42] vfio-ccw: Set pa_nr to 0 if memory allocation fails for pa_iova_pfn Sasha Levin
2019-08-02 13:22 ` [PATCH AUTOSEL 4.19 03/42] netfilter: Fix rpfilter dropping vrf packets by mistake Sasha Levin
2019-08-02 13:22 ` [PATCH AUTOSEL 4.19 04/42] netfilter: conntrack: always store window size un-scaled Sasha Levin
2019-08-08  9:02   ` Thomas Jarosch
2019-08-14 10:19     ` Reindl Harald
2019-08-14 11:17       ` Jakub Jankowski
2019-08-14 17:01         ` Sasha Levin
2019-08-02 13:22 ` [PATCH AUTOSEL 4.19 05/42] netfilter: nft_hash: fix symhash with modulus one Sasha Levin
2019-08-02 13:22 ` [PATCH AUTOSEL 4.19 06/42] scripts/sphinx-pre-install: fix script for RHEL/CentOS Sasha Levin
2019-08-03 10:31   ` Alexander Kapshuk
2019-08-03 10:37     ` Mauro Carvalho Chehab
2019-08-03 12:09       ` Alexander Kapshuk
2019-08-02 13:22 ` [PATCH AUTOSEL 4.19 07/42] drm/amd/display: Wait for backlight programming completion in set backlight level Sasha Levin
2019-08-02 13:22 ` [PATCH AUTOSEL 4.19 08/42] drm/amd/display: use encoder's engine id to find matched free audio device Sasha Levin
2019-08-02 13:22 ` [PATCH AUTOSEL 4.19 09/42] drm/amd/display: Fix dc_create failure handling and 666 color depths Sasha Levin
2019-08-02 13:22 ` [PATCH AUTOSEL 4.19 10/42] drm/amd/display: Only enable audio if speaker allocation exists Sasha Levin
2019-08-02 13:22 ` [PATCH AUTOSEL 4.19 11/42] drm/amd/display: Increase size of audios array Sasha Levin
2019-08-02 13:22 ` [PATCH AUTOSEL 4.19 12/42] iscsi_ibft: make ISCSI_IBFT dependson ACPI instead of ISCSI_IBFT_FIND Sasha Levin
2019-08-02 13:22 ` [PATCH AUTOSEL 4.19 13/42] nl80211: fix NL80211_HE_MAX_CAPABILITY_LEN Sasha Levin
2019-08-02 13:22 ` [PATCH AUTOSEL 4.19 14/42] mac80211: don't warn about CW params when not using them Sasha Levin
2019-08-02 13:22 ` [PATCH AUTOSEL 4.19 15/42] allocate_flower_entry: should check for null deref Sasha Levin
2019-08-02 13:22 ` [PATCH AUTOSEL 4.19 16/42] hwmon: (nct6775) Fix register address and added missed tolerance for nct6106 Sasha Levin
2019-08-02 13:22 ` [PATCH AUTOSEL 4.19 17/42] x86/mm: Check for pfn instead of page in vmalloc_sync_one() Sasha Levin
2019-08-02 13:22 ` [PATCH AUTOSEL 4.19 18/42] x86/mm: Sync also unmappings in vmalloc_sync_all() Sasha Levin
2019-08-02 13:22 ` [PATCH AUTOSEL 4.19 19/42] drm/msm: stop abusing dma_map/unmap for cache Sasha Levin
2019-08-02 13:22 ` [PATCH AUTOSEL 4.19 20/42] drm: silence variable 'conn' set but not used Sasha Levin
2019-08-02 13:22 ` [PATCH AUTOSEL 4.19 21/42] cpufreq/pasemi: fix use-after-free in pas_cpufreq_cpu_init() Sasha Levin
2019-08-02 13:22 ` [PATCH AUTOSEL 4.19 22/42] s390/qdio: add sanity checks to the fast-requeue path Sasha Levin
2019-08-02 13:22 ` [PATCH AUTOSEL 4.19 23/42] ALSA: compress: Fix regression on compressed capture streams Sasha Levin
2019-08-02 13:22 ` [PATCH AUTOSEL 4.19 24/42] ALSA: compress: Prevent bypasses of set_params Sasha Levin
2019-08-02 13:22 ` [PATCH AUTOSEL 4.19 25/42] ALSA: compress: Don't allow paritial drain operations on capture streams Sasha Levin
2019-08-02 13:22 ` [PATCH AUTOSEL 4.19 26/42] ALSA: compress: Be more restrictive about when a drain is allowed Sasha Levin
2019-08-02 13:22 ` [PATCH AUTOSEL 4.19 27/42] perf tools: Fix proper buffer size for feature processing Sasha Levin
2019-08-02 13:22 ` [PATCH AUTOSEL 4.19 28/42] perf probe: Avoid calling freeing routine multiple times for same pointer Sasha Levin
2019-08-02 13:22 ` [PATCH AUTOSEL 4.19 29/42] drbd: dynamically allocate shash descriptor Sasha Levin
2019-08-02 13:22 ` [PATCH AUTOSEL 4.19 30/42] ACPI/IORT: Fix off-by-one check in iort_dev_find_its_id() Sasha Levin
2019-08-02 13:22 ` [PATCH AUTOSEL 4.19 31/42] nvme: fix multipath crash when ANA is deactivated Sasha Levin
2019-08-02 13:22 ` [PATCH AUTOSEL 4.19 32/42] ARM: davinci: fix sleep.S build error on ARMv4 Sasha Levin
2019-08-02 13:22 ` [PATCH AUTOSEL 4.19 33/42] ARM: dts: bcm: bcm47094: add missing #cells for mdio-bus-mux Sasha Levin
2019-08-02 13:22 ` Sasha Levin [this message]
2019-08-02 13:22 ` [PATCH AUTOSEL 4.19 35/42] scsi: ibmvfc: fix WARN_ON during event pool release Sasha Levin
2019-08-02 13:22 ` [PATCH AUTOSEL 4.19 36/42] scsi: scsi_dh_alua: always use a 2 second delay before retrying RTPG Sasha Levin
2019-08-02 13:22 ` [PATCH AUTOSEL 4.19 37/42] test_firmware: fix a memory leak bug Sasha Levin
2019-08-02 13:22 ` [PATCH AUTOSEL 4.19 38/42] sched/fair: Don't free p->numa_faults with concurrent readers Sasha Levin
2019-08-02 13:22 ` [PATCH AUTOSEL 4.19 39/42] sched/fair: Use RCU accessors consistently for ->numa_group Sasha Levin
2019-08-02 13:23 ` [PATCH AUTOSEL 4.19 40/42] tty/ldsem, locking/rwsem: Add missing ACQUIRE to read_failed sleep loop Sasha Levin
2019-08-02 13:23 ` [PATCH AUTOSEL 4.19 41/42] perf/core: Fix creating kernel counters for PMUs that override event->cpu Sasha Levin
2019-08-02 13:23 ` [PATCH AUTOSEL 4.19 42/42] s390/dma: provide proper ARCH_ZONE_DMA_BITS value Sasha Levin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190802132302.13537-34-sashal@kernel.org \
    --to=sashal@kernel.org \
    --cc=junxiao.bi@oracle.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-scsi@vger.kernel.org \
    --cc=martin.petersen@oracle.com \
    --cc=megaraidlinux.pdl@broadcom.com \
    --cc=stable@vger.kernel.org \
    --cc=sumit.saxena@broadcom.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Stable Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/stable/0 stable/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 stable stable/ https://lore.kernel.org/stable \
		stable@vger.kernel.org
	public-inbox-index stable

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.stable


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git