stable.vger.kernel.org archive mirror
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Stefan Raspl <raspl@linux.ibm.com>,
	Julian Wiedmann <jwi@linux.ibm.com>,
	Alexandra Winter <wintera@linux.ibm.com>,
	Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>,
	Heiko Carstens <hca@linux.ibm.com>
Subject: [PATCH 5.10 047/103] s390/qeth: fix NULL deref in qeth_clear_working_pool_list()
Date: Mon, 27 Sep 2021 19:02:19 +0200
Message-ID: <20210927170227.382896885@linuxfoundation.org>
In-Reply-To: <20210927170225.702078779@linuxfoundation.org>

From: Julian Wiedmann <jwi@linux.ibm.com>

[ Upstream commit 248f064af222a1f97ee02c84a98013dfbccad386 ]

When qeth_set_online() calls qeth_clear_working_pool_list() to roll
back after an error exit from qeth_hardsetup_card(), we are at risk of
accessing card->qdio.in_q before it was allocated by
qeth_alloc_qdio_queues() via qeth_mpc_initialize().

qeth_clear_working_pool_list() then dereferences NULL, and by writing to
queue->bufs[i].pool_entry scribbles all over the CPU's lowcore, resulting
in a crash when those lowcore areas are used next (e.g. on the next
machine-check interrupt).

Such a scenario would typically happen when the device is first set
online and its queues aren't allocated yet. An early IO error or certain
misconfigs (e.g. mismatched transport mode, bad portno) then cause us to
error out from qeth_hardsetup_card() with card->qdio.in_q still being
NULL.

Fix it by checking the pointer for NULL before accessing it.

Note that we also have (rare) paths inside qeth_mpc_initialize() where
a configuration change can cause us to free the existing queues,
expecting that subsequent code will allocate them again. If we then
error out before that re-allocation happens, the same bug occurs.

Fixes: eff73e16ee11 ("s390/qeth: tolerate pre-filled RX buffer")
Reported-by: Stefan Raspl <raspl@linux.ibm.com>
Root-caused-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/s390/net/qeth_core_main.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/s390/net/qeth_core_main.c b/drivers/s390/net/qeth_core_main.c
index 4d51c4ace8ea..7b0155b0e99e 100644
--- a/drivers/s390/net/qeth_core_main.c
+++ b/drivers/s390/net/qeth_core_main.c
@@ -210,6 +210,9 @@ static void qeth_clear_working_pool_list(struct qeth_card *card)
 				 &card->qdio.in_buf_pool.entry_list, list)
 		list_del(&pool_entry->list);
 
+	if (!queue)
+		return;
+
 	for (i = 0; i < ARRAY_SIZE(queue->bufs); i++)
 		queue->bufs[i].pool_entry = NULL;
 }
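Review bot: the early return is placed after the list_del() loop rather than at the top of the function, so the in_buf_pool entry_list is still drained when the queue was never allocated; that ordering is what keeps the roll-back from qeth_hardsetup_card() consistent, and it should be preserved if this function is restructured later. The reason `queue` can be NULL (roll-back before qeth_alloc_qdio_queues() ran, or the queue-free paths inside qeth_mpc_initialize() that the commit message mentions) is recorded only in the commit message; a one-line comment above the check, e.g. `/* in_q is NULL when we roll back before the queues were allocated */`, would spare the next reader a trip through git log. The assignment of `queue` is outside the visible context; the check is only effective if `queue` is read from card->qdio.in_q at function entry, which the hunk does not show.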
-- 
2.33.0
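To make the roll-back hazard concrete outside the kernel, here is an added, self-contained C model of the situation the commit message describes. It is example code written for this page, not the qeth driver's own: the structures (`struct card`, `struct qdio_q`, `struct qdio_buf`) and the functions `hardsetup_card()`, `alloc_qdio_queues()` and `set_online()` are hypothetical stand-ins for qeth_hardsetup_card(), qeth_alloc_qdio_queues() and qeth_set_online(), and the error codes are constructed. The unfixed shape of the clear function is kept alongside the fixed one for contrast, but only the fixed one is called.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed, simplified model (not the qeth driver's own types): a card
 * owns an optional input queue that exists only after alloc_qdio_queues()
 * ran, plus a small pool of buffer entries. */
#define NUM_BUFS 8
#define POOL_ENTRIES 4

struct pool_entry { int id; };
struct qdio_buf { struct pool_entry *pool_entry; };
struct qdio_q { struct qdio_buf bufs[NUM_BUFS]; };

struct card {
	struct qdio_q *in_q;              /* NULL until the queues are allocated */
	struct pool_entry pool[POOL_ENTRIES];
	int working_pool_len;             /* entries on the working pool list */
};

/* Pre-fix shape of the roll-back: trusts that in_q exists. Shown for contrast
 * and never called here, because with in_q == NULL it writes through a NULL
 * base pointer (in the kernel's case, into the lowcore). */
void clear_working_pool_list_unsafe(struct card *card)
{
	card->working_pool_len = 0;
	for (size_t i = 0; i < NUM_BUFS; i++)
		card->in_q->bufs[i].pool_entry = NULL;
}

/* Fixed shape: the working-pool bookkeeping is reset unconditionally, and the
 * per-buffer back-pointers are touched only when the queue was allocated. */
void clear_working_pool_list(struct card *card)
{
	struct qdio_q *queue = card->in_q;

	card->working_pool_len = 0;
	if (!queue)
		return;
	for (size_t i = 0; i < NUM_BUFS; i++)
		queue->bufs[i].pool_entry = NULL;
}

/* Hypothetical allocation step standing in for qeth_alloc_qdio_queues(). */
int alloc_qdio_queues(struct card *card)
{
	card->in_q = calloc(1, sizeof(*card->in_q));
	return card->in_q ? 0 : -12;      /* -ENOMEM */
}

/* Hypothetical hardsetup: a misconfiguration errors out before the queues
 * are allocated, leaving card->in_q == NULL, exactly the state that the
 * unfixed roll-back cannot handle. */
int hardsetup_card(struct card *card, int misconfigured)
{
	if (misconfigured)
		return -22;               /* -EINVAL, queues never allocated */
	if (alloc_qdio_queues(card))
		return -12;
	for (size_t i = 0; i < NUM_BUFS; i++)
		card->in_q->bufs[i].pool_entry = &card->pool[i % POOL_ENTRIES];
	card->working_pool_len = POOL_ENTRIES;
	return 0;
}

/* Hypothetical set_online with the roll-back ordering from the commit
 * message: on hardsetup failure, clear the working pool list. */
int set_online(struct card *card, int misconfigured)
{
	int rc = hardsetup_card(card, misconfigured);

	if (rc)
		clear_working_pool_list(card);
	return rc;
}

/* Number of buffers still pointing at a pool entry (0 after a clear). */
int linked_bufs(const struct card *card)
{
	int n = 0;

	if (!card->in_q)
		return 0;
	for (size_t i = 0; i < NUM_BUFS; i++)
		if (card->in_q->bufs[i].pool_entry)
			n++;
	return n;
}

void card_teardown(struct card *card)
{
	clear_working_pool_list(card);
	free(card->in_q);
	card->in_q = NULL;
}

int main(void)
{
	struct card card = { 0 };

	/* Roll-back with unallocated queues: must not crash. */
	printf("misconfigured: rc=%d in_q=%p\n", set_online(&card, 1), (void *)card.in_q);
	/* Normal path: queues exist and buffers are linked until torn down. */
	printf("good: rc=%d linked=%d\n", set_online(&card, 0), linked_bufs(&card));
	card_teardown(&card);
	printf("after teardown: linked=%d\n", linked_bufs(&card));
	return 0;
}
```

The point of the model is the ordering inside clear_working_pool_list(): the list bookkeeping is reset before the NULL check, so a roll-back from a failed setup leaves the pool list empty whether or not the queue existed, while the only dereference of the queue is guarded. Any cleanup routine that can be reached from a partially completed initialisation needs the same shape: reset what is always present first, then guard each optional sub-object before touching it.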



