linux_dsm_epyc7002/drivers
Thomas Falcon 507ebe6444 ibmvnic: Fix use-after-free of VNIC login response buffer
The login response buffer is freed after it is received
and parsed, but other functions in the driver still attempt
to read it, such as when the device is opened, causing the
Oops below. Store relevant information in the driver's
private data structures and use those instead.

BUG: Kernel NULL pointer dereference on read at 0x00000010
Faulting instruction address: 0xc00800000050a900
Oops: Kernel access of bad area, sig: 11 [#1]
LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
Modules linked in: pseries_rng rng_core vmx_crypto gf128mul binfmt_misc ip_tables x_tables ibmvnic ibmveth crc32c_vpmsum autofs4
CPU: 7 PID: 759 Comm: NetworkManager Not tainted 5.9.0-rc1-00124-gd0a84e1f38d9 #14
NIP:  c00800000050a900 LR: c00800000050a8f0 CTR: 00000000005b1904
REGS: c0000001ed746d20 TRAP: 0300   Not tainted  (5.9.0-rc1-00124-gd0a84e1f38d9)
MSR:  800000000280b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE>  CR: 24428484  XER: 00000001
CFAR: c0000000000101b0 DAR: 0000000000000010 DSISR: 40000000 IRQMASK: 0
GPR00: c00800000050a8f0 c0000001ed746fb0 c008000000518e00 0000000000000000
GPR04: 00000000000000c0 0000000000000080 0003c366c60c4501 0000000000000352
GPR08: 000000000001f400 0000000000000010 0000000000000000 0000000000000000
GPR12: 0001cf0000000019 c00000001ec97680 00000001003dfd40 0000010008dbb22c
GPR16: 0000000000000000 0000000000000000 0000000000000000 c000000000edb6c8
GPR20: c000000004e73e00 c000000004fd2448 c000000004e6d700 c000000004fd2448
GPR24: c000000004fd2400 c000000004a0cd20 c0000001ed961860 c0080000005029d8
GPR28: 0000000000000000 0000000000000003 c000000004a0c000 0000000000000000
NIP [c00800000050a900] init_resources+0x338/0xa00 [ibmvnic]
LR [c00800000050a8f0] init_resources+0x328/0xa00 [ibmvnic]
Call Trace:
[c0000001ed746fb0] [c00800000050a8f0] init_resources+0x328/0xa00 [ibmvnic] (unreliable)
[c0000001ed747090] [c00800000050b024] ibmvnic_open+0x5c/0x100 [ibmvnic]
[c0000001ed747110] [c000000000bdcc0c] __dev_open+0x17c/0x250
[c0000001ed7471b0] [c000000000bdd1ec] __dev_change_flags+0x1dc/0x270
[c0000001ed747260] [c000000000bdd2bc] dev_change_flags+0x3c/0x90
[c0000001ed7472a0] [c000000000bf24b8] do_setlink+0x3b8/0x1280
[c0000001ed747450] [c000000000bf8cc8] __rtnl_newlink+0x5a8/0x980
[c0000001ed7478b0] [c000000000bf9110] rtnl_newlink+0x70/0xb0
[c0000001ed7478f0] [c000000000bf07c4] rtnetlink_rcv_msg+0x364/0x460
[c0000001ed747990] [c000000000c68b94] netlink_rcv_skb+0x84/0x1a0
[c0000001ed747a00] [c000000000bef758] rtnetlink_rcv+0x28/0x40
[c0000001ed747a20] [c000000000c68188] netlink_unicast+0x218/0x310
[c0000001ed747a80] [c000000000c6848c] netlink_sendmsg+0x20c/0x4e0
[c0000001ed747b20] [c000000000b9dc88] ____sys_sendmsg+0x158/0x360
[c0000001ed747bb0] [c000000000ba1c88] ___sys_sendmsg+0x98/0xf0
[c0000001ed747d10] [c000000000ba1db8] __sys_sendmsg+0x78/0x100
[c0000001ed747dc0] [c000000000033820] system_call_exception+0x160/0x280
[c0000001ed747e20] [c00000000000d740] system_call_common+0xf0/0x27c
Instruction dump:
3be00000 38810068 b1410076 3941006a 93e10072 fbea0000 b1210068 4bff9915
eb9e0ca0 eabe0900 393c0010 3ab50048 <7fa04c2c> 7fba07b4 7b431764 7b4917a0
---[ end trace fbc5949a28e103bd ]---

Fixes: f3ae59c0c0 ("ibmvnic: store RX and TX subCRQ handle array in ibmvnic_adapter struct")
Signed-off-by: Thomas Falcon <tlfalcon@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-08-24 15:56:57 -07:00
accessibility TTY/Serial patches for 5.9-rc1 2020-08-06 14:56:11 -07:00
acpi More ACPI updates for 5.9-rc1 2020-08-15 08:18:22 -07:00
amba
android drivers: android: Fix the SPDX comment style 2020-07-29 17:05:44 +02:00
ata
atm Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-08-05 20:13:21 -07:00
auxdisplay Minor cleanup for auxdisplay: 2020-08-06 18:09:34 -07:00
base More power management updates for 5.9-rc1 2020-08-07 13:13:09 -07:00
bcma bcma: gpio: Use irqchip template 2020-08-02 18:26:51 +03:00
block block-5.9-2020-08-14 2020-08-15 20:36:42 -07:00
bluetooth Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next 2020-07-31 15:11:52 -07:00
bus MIPS upates for v5.9 2020-08-06 10:54:07 -07:00
cdrom
char Linux 5.8 2020-08-11 11:58:31 +10:00
clk More ACPI updates for 5.9-rc1 2020-08-15 08:18:22 -07:00
clocksource RISC-V: Remove CLINT related code from timer and arch 2020-08-20 10:58:13 -07:00
connector
counter
cpufreq cpufreq: intel_pstate: Implement passive mode with HWP enabled 2020-08-11 17:29:45 +02:00
cpuidle powerpc updates for 5.9 2020-08-07 10:33:50 -07:00
crypto crypto/chcr: Moving chelsio's inline ipsec functionality to /drivers/net 2020-08-21 14:15:16 -07:00
dax libnvdimm for 5.9 2020-08-11 10:59:19 -07:00
dca
devfreq PM / devfreq: Fix the wrong end with semicolon 2020-07-30 17:22:58 +09:00
dio
dma Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2020-08-07 21:14:30 -07:00
dma-buf A set of locking fixes and updates: 2020-08-10 19:07:44 -07:00
edac EDAC/{i7core,sb,pnd2,skx}: Fix error event severity 2020-08-18 15:40:30 +02:00
eisa
extcon
firewire
firmware efi/libstub: Handle unterminated cmdline 2020-08-20 11:18:58 +02:00
fpga Linux 5.8-rc7 2020-07-27 11:49:37 +02:00
fsi
gnss
gpio This is the bulk of GPIO changes for the v5.9 kernel cycle: 2020-08-05 12:56:27 -07:00
gpu Merge tag 'drm-intel-fixes-2020-08-20' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes 2020-08-21 11:03:52 +10:00
greybus greybus: Use fallthrough pseudo-keyword 2020-07-29 16:58:08 +02:00
hid Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid 2020-08-10 16:33:54 -07:00
hsi
hv hyperv-fixes for 5.9-rc 2020-08-14 13:31:25 -07:00
hwmon pwm: Changes for v5.9-rc1 2020-08-14 16:00:09 -07:00
hwspinlock
hwtracing
i2c More ACPI updates for 5.9-rc1 2020-08-15 08:18:22 -07:00
i3c
ide
idle Remove uninitialized_var() macro for v5.9-rc1 2020-08-04 13:49:43 -07:00
iio
infiniband Revert "RDMA/hns: Reserve one sge in order to avoid local length error" 2020-08-20 08:35:19 -03:00
input Cleanup, SECCOMP_FILTER support, message printing fixes, and other 2020-08-15 18:50:32 -07:00
interconnect Char/Misc driver patches for 5.9-rc1 2020-08-05 11:43:47 -07:00
iommu dma-pool: fix coherent pool allocations for IOMMU mappings 2020-08-14 16:27:00 +02:00
ipack
irqchip The usual boring updates from the interrupt subsystem: 2020-08-04 18:11:58 -07:00
isdn
leds LEDs changes for 5.9-rc1. 2020-08-05 19:24:27 -07:00
lightnvm
macintosh powerpc updates for 5.9 2020-08-07 10:33:50 -07:00
mailbox iomap: constify ioreadX() iomem argument (as in generic implementation) 2020-08-14 19:56:57 -07:00
mcb
md block-5.9-2020-08-14 2020-08-15 20:36:42 -07:00
media IOMMU Updates for Linux v5.9 2020-08-11 14:13:24 -07:00
memory IOMMU Updates for Linux v5.9 2020-08-11 14:13:24 -07:00
memstick MMC core: 2020-08-05 13:23:24 -07:00
message
mfd - Core Frameworks 2020-08-15 08:09:38 -07:00
misc Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2020-08-07 21:14:30 -07:00
mmc This tree adds the sched_set_fifo*() encapsulation APIs to remove 2020-08-06 11:55:43 -07:00
most drivers: most: add USB adapter driver 2020-07-31 14:38:12 +02:00
mtd This pull request contains changes for JFFS2, UBI and UBIFS 2020-08-10 18:20:04 -07:00
mux
net ibmvnic: Fix use-after-free of VNIC login response buffer 2020-08-24 15:56:57 -07:00
nfc nfc: st21nfca: Remove unnecessary cast 2020-08-20 16:18:13 -07:00
ntb ntb: intel: constify ioreadX() iomem argument (as in generic implementation) 2020-08-14 19:56:57 -07:00
nubus
nvdimm mm: add thp_size 2020-08-14 19:56:56 -07:00
nvme for-5.9/block-merge-20200804 2020-08-05 11:12:34 -07:00
nvmem nvmem: qcom-spmi-sdam: Enable multiple devices 2020-07-29 17:12:09 +02:00
of of: address: Work around missing device_type property in pcie nodes 2020-08-19 16:30:57 -06:00
opp opp: Enable resources again if they were disabled earlier 2020-08-20 11:30:22 +05:30
oprofile
parisc Merge branch 'parisc-5.9-2' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux 2020-08-12 12:41:15 -07:00
parport
pci s390 fixes for 5.9-rc2 2020-08-22 10:12:49 -07:00
pcmcia
perf It looks like a smaller batch of clk updates this time around. In the core 2020-08-07 13:35:51 -07:00
phy
pinctrl This is the bulk of the pin control changes for the v5.9 2020-08-09 12:52:28 -07:00
platform linux-watchdog 5.9-rc1 tag 2020-08-12 12:13:44 -07:00
pnp
power power supply and reset changes for the v5.9 series 2020-08-07 21:27:37 -07:00
powercap This tree adds the sched_set_fifo*() encapsulation APIs to remove 2020-08-06 11:55:43 -07:00
pps
ps3
ptp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-08-23 11:48:27 -07:00
pwm pwm: Changes for v5.9-rc1 2020-08-14 16:00:09 -07:00
rapidio rapidio/rio_mport_cdev: use array_size() helper in copy_{from,to}_user() 2020-08-12 10:58:01 -07:00
ras
regulator Merge remote-tracking branch 'regulator/for-5.9' into regulator-next 2020-07-30 23:27:08 +01:00
remoteproc remoteproc updates for v5.9 2020-08-11 11:17:45 -07:00
reset SOC: TI Keystone driver update for v5.9 2020-07-27 14:24:51 +02:00
rpmsg
rtc RTC for 5.9 2020-08-12 17:17:00 -07:00
s390 s390 fixes for 5.9-rc2 2020-08-22 10:12:49 -07:00
sbus
scsi Revert "scsi: qla2xxx: Disable T10-DIF feature with FC-NVMe during probe" 2020-08-17 22:43:55 -04:00
sfi
sh iomap: constify ioreadX() iomem argument (as in generic implementation) 2020-08-14 19:56:57 -07:00
siox
slimbus
soc Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2020-08-07 21:14:30 -07:00
soundwire
spi spi: Fixes for v5.9 2020-08-18 14:27:12 -07:00
spmi
ssb Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-08-05 20:13:21 -07:00
staging pci-v5.9-changes 2020-08-07 18:48:15 -07:00
target SCSI misc on 20200814 2020-08-14 16:01:59 -07:00
tc
tee
thermal - Core Frameworks 2020-08-15 08:09:38 -07:00
thunderbolt thunderbolt: merge fix for kunix_resource changes 2020-08-09 11:06:10 -07:00
tty TTY/Serial patches for 5.9-rc1 2020-08-06 14:56:11 -07:00
uio
usb media updates for v5.9-rc1 2020-08-07 13:00:53 -07:00
vdpa virtio: fixes, features 2020-08-11 14:34:17 -07:00
vfio vfio/type1: Add proper error unwind for vfio_iommu_replay() 2020-08-17 11:09:13 -06:00
vhost virtio: fixes, features 2020-08-11 14:34:17 -07:00
video xen: branch for v5.9-rc2 2020-08-21 12:28:33 -07:00
virt
virtio virtio: pci: constify ioreadX() iomem argument (as in generic implementation) 2020-08-14 19:56:57 -07:00
visorbus
vlynq
vme
w1
watchdog linux-watchdog 5.9-rc1 tag 2020-08-12 12:13:44 -07:00
xen xen: branch for v5.9-rc1b 2020-08-14 13:34:37 -07:00
zorro
Kconfig
Makefile