linux/drivers/net
Ido Schimmel c4317b1167 mlxsw: pci: Fix use-after-free in case of failed devlink reload
In case devlink reload failed, it is possible to trigger a
use-after-free when querying the kernel for device info via 'devlink dev
info' [1].

This happens because as part of the reload error path the PCI command
interface is de-initialized and its mailboxes are freed. When the
devlink '->info_get()' callback is invoked the device is queried via the
command interface and the freed mailboxes are accessed.

Fix this by initializing the command interface once during probe and not
during every reload.

This is consistent with the other bus used by mlxsw (i.e., 'mlxsw_i2c')
and also allows user space to query the running firmware version (for
example) from the device after a failed reload.

[1]
BUG: KASAN: use-after-free in memcpy include/linux/string.h:406 [inline]
BUG: KASAN: use-after-free in mlxsw_pci_cmd_exec+0x177/0xa60 drivers/net/ethernet/mellanox/mlxsw/pci.c:1675
Write of size 4096 at addr ffff88810ae32000 by task syz-executor.1/2355

CPU: 1 PID: 2355 Comm: syz-executor.1 Not tainted 5.8.0-rc2+ 
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xf6/0x16e lib/dump_stack.c:118
 print_address_description.constprop.0+0x1c/0x250 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 check_memory_region_inline mm/kasan/generic.c:186 [inline]
 check_memory_region+0x14e/0x1b0 mm/kasan/generic.c:192
 memcpy+0x39/0x60 mm/kasan/common.c:106
 memcpy include/linux/string.h:406 [inline]
 mlxsw_pci_cmd_exec+0x177/0xa60 drivers/net/ethernet/mellanox/mlxsw/pci.c:1675
 mlxsw_cmd_exec+0x249/0x550 drivers/net/ethernet/mellanox/mlxsw/core.c:2335
 mlxsw_cmd_access_reg drivers/net/ethernet/mellanox/mlxsw/cmd.h:859 [inline]
 mlxsw_core_reg_access_cmd drivers/net/ethernet/mellanox/mlxsw/core.c:1938 [inline]
 mlxsw_core_reg_access+0x2f6/0x540 drivers/net/ethernet/mellanox/mlxsw/core.c:1985
 mlxsw_reg_query drivers/net/ethernet/mellanox/mlxsw/core.c:2000 [inline]
 mlxsw_devlink_info_get+0x17f/0x6e0 drivers/net/ethernet/mellanox/mlxsw/core.c:1090
 devlink_nl_info_fill.constprop.0+0x13c/0x2d0 net/core/devlink.c:4588
 devlink_nl_cmd_info_get_dumpit+0x246/0x460 net/core/devlink.c:4648
 genl_lock_dumpit+0x85/0xc0 net/netlink/genetlink.c:575
 netlink_dump+0x515/0xe50 net/netlink/af_netlink.c:2245
 __netlink_dump_start+0x53d/0x830 net/netlink/af_netlink.c:2353
 genl_family_rcv_msg_dumpit.isra.0+0x296/0x300 net/netlink/genetlink.c:638
 genl_family_rcv_msg net/netlink/genetlink.c:733 [inline]
 genl_rcv_msg+0x78d/0x9d0 net/netlink/genetlink.c:753
 netlink_rcv_skb+0x152/0x440 net/netlink/af_netlink.c:2469
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:764
 netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
 netlink_unicast+0x53a/0x750 net/netlink/af_netlink.c:1329
 netlink_sendmsg+0x850/0xd90 net/netlink/af_netlink.c:1918
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0x150/0x190 net/socket.c:672
 ____sys_sendmsg+0x6d8/0x840 net/socket.c:2363
 ___sys_sendmsg+0xff/0x170 net/socket.c:2417
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2450
 do_syscall_64+0x56/0xa0 arch/x86/entry/common.c:359
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: a9c8336f65 ("mlxsw: core: Add support for devlink info command")
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Reviewed-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-07-10 14:33:34 -07:00
..
appletalk treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
arcnet treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
bonding net: change addr_list_lock back to static key 2020-06-09 12:59:45 -07:00
caif treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
can can: peak_canfd: Replace zero-length array with flexible-array 2020-06-15 23:08:31 -05:00
dsa net: dsa: microchip: set the correct number of ports 2020-07-02 14:26:54 -07:00
ethernet mlxsw: pci: Fix use-after-free in case of failed devlink reload 2020-07-10 14:33:34 -07:00
fddi treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
fjes
hamradio Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-06-13 16:27:13 -07:00
hippi treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
hyperv Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-06-03 16:27:18 -07:00
ieee802154 treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
ipa net: ipa: include declarations in "ipa_gsi.c" 2020-07-07 12:43:18 -07:00
ipvlan net: partially revert dynamic lockdep key changes 2020-05-04 12:05:56 -07:00
netdevsim netdevsim: Register control traps 2020-06-01 11:49:23 -07:00
phy net: phy: mscc: avoid skcipher API for single block AES encryption 2020-06-25 12:16:14 -07:00
plip treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
ppp treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
slip treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
team treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
usb net: usb: qmi_wwan: add support for Quectel EG95 LTE modem 2020-07-07 12:58:03 -07:00
vmxnet3 vmxnet3: allow rx flow hash ops only when rss is enabled 2020-06-02 15:12:33 -07:00
wan drivers/net/wan/lapbether: Fixed the value of hard_header_len 2020-07-06 12:16:21 -07:00
wimax
wireguard wireguard: queueing: make use of ip_tunnel_parse_protocol 2020-06-30 12:29:39 -07:00
wireless wil6210: account for napi_gro_receive never returning GRO_DROP 2020-06-25 16:16:21 -07:00
xen-netback
Kconfig treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
LICENSE.SRC
Makefile
Space.c
bareudp.c bareudp: Fixed multiproto mode configuration 2020-06-18 20:31:11 -07:00
dummy.c
eql.c
geneve.c geneve: allow changing DF behavior after creation 2020-06-19 20:06:34 -07:00
gtp.c gtp: set NLM_F_MULTI flag in gtp_genl_dump_pdp() 2020-05-01 15:34:09 -07:00
ifb.c
loopback.c
macsec.c net: get rid of lockdep_set_class_and_subclass() 2020-06-28 21:37:23 -07:00
macvlan.c net: get rid of lockdep_set_class_and_subclass() 2020-06-28 21:37:23 -07:00
macvtap.c
mdio.c
mii.c
net_failover.c net_failover: fixed rollback in net_failover_open() 2020-06-02 15:35:53 -07:00
netconsole.c
nlmon.c
ntb_netdev.c
rionet.c rionet: Fix use correct return type for ndo_start_xmit() 2020-04-30 12:15:13 -07:00
sb1000.c
sungem_phy.c
tap.c
thunderbolt.c
tun.c tun: implement header_ops->parse_protocol for AF_PACKET 2020-06-30 12:29:39 -07:00
veth.c xdp: Rename convert_to_xdp_frame in xdp_convert_buff_to_frame 2020-06-01 15:02:53 -07:00
virtio_net.c xdp: Rename convert_to_xdp_frame in xdp_convert_buff_to_frame 2020-06-01 15:02:53 -07:00
vrf.c net: partially revert dynamic lockdep key changes 2020-05-04 12:05:56 -07:00
vsockmon.c
vxlan.c vxlan: fix last fdb index during dump of fdb with nhid 2020-06-25 16:12:34 -07:00
xen-netfront.c