Date:   Sat, 15 Sep 2018 22:04:44 -0700
From:   Saeed Mahameed <saeedm@....mellanox.co.il>
To:     mkubecek@...e.cz
Cc:     Linux Netdev List <netdev@...r.kernel.org>,
        Saeed Mahameed <saeedm@...lanox.com>,
        Leon Romanovsky <leon@...nel.org>
Subject: Re: mlx5_core: null pointer dereference in mlx5_accel_tls_device_caps()
 (net-next kernel)

On Fri, Sep 14, 2018 at 2:20 PM Michal Kubecek <mkubecek@...e.cz> wrote:
>
> I just encountered a null pointer dereference on mlx5_core module
> initialization while booting net-next kernel (based on commit
> ee4fccbee7d3) on an aarch64 machine:
>

Hi Michal, the issue was introduced last kernel cycle, due to
790af90c00d2 ("net/mlx5e: TLS, build TLS netdev from capabilities").
They should have checked for device TLS presence before reading TLS
capabilities.

I am preparing a fix already.
Thanks a lot for the report.

> [   12.021971] iommu: Adding device 0000:01:00.0 to group 3
> [   12.022925] mlx5_core 0000:01:00.0: firmware version: 12.17.2020
> [   12.022954] mlx5_core 0000:01:00.0: 63.008 Gb/s available PCIe bandwidth (8 GT/s x8 link)
> [   12.068709] Adding 98830144k swap on /dev/sda4.  Priority:-2 extents:1 across:98830144k FS
> [   12.347571] (0000:01:00.0): E-Switch: Total vports 9, per vport: max uc(1024) max mc(16384)
> [   12.351962] mlx5_core 0000:01:00.0: Port module event: module 0, Cable plugged
> [   12.366306] mlx5_core 0000:01:00.0: MLX5E: StrdRq(0) RqSz(1024) StrdSz(128) RxCqeCmprss(0)
> [   12.366741] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050
> [   12.374603] Mem abort info:
> [   12.377368]   ESR = 0x96000004
> [   12.380406]   Exception class = DABT (current EL), IL = 32 bits
> [   12.386357]   SET = 0, FnV = 0
> [   12.389347]   EA = 0, S1PTW = 0
> [   12.392471] Data abort info:
> [   12.395343]   ISV = 0, ISS = 0x00000004
> [   12.399156]   CM = 0, WnR = 0
> [   12.402108] user pgtable: 4k pages, 48-bit VAs, pgdp = (____ptrval____)
> [   12.408711] [0000000000000050] pgd=0000000000000000
> [   12.413567] Internal error: Oops: 96000004 [#1] SMP
> [   12.418427] Modules linked in: fat mlx5_core(+) ipmi_ssif(+) aes_ce_blk crypto_simd cryptd aes_ce_cipher crc32_ce crct10dif_ce ghash_ce aes_arm64 sha2_ce sha256_arm64 sha1_ce ipmi_devintf ipmi_msghandler sbsa_gwdt tls mlxfw devlink at803x qcom_emac btrfs libcrc32c xor zlib_deflate raid6_pq ahci_platform libahci_platform hdma hdma_mgmt i2c_qup sg dm_multipath dm_mod scsi_dh_rdac scsi_dh_emc scsi_dh_alua efivarfs
> [   12.454800] CPU: 40 PID: 742 Comm: systemd-udevd Not tainted 4.19.0-rc3-ethnl.15-default #1
> [   12.463131] Hardware name: To be filled by O.E.M. To be filled by O.E.M./To be filled by O.E.M., BIOS 5.13 12/12/2012
> [   12.473722] pstate: 60400005 (nZCv daif +PAN -UAO)
> [   12.478559] pc : mlx5_accel_tls_device_caps+0x28/0x38 [mlx5_core]
> [   12.484598] lr : mlx5e_tls_build_netdev+0x24/0x98 [mlx5_core]
> [   12.490301] sp : ffff000021873a30
> [   12.493599] x29: ffff000021873a30 x28: ffff2a72560a7940
> [   12.498895] x27: ffff2a7256df6000 x26: ffff2a71a0fed650
> [   12.504190] x25: 0000000000000000 x24: ffff92c7f2b988c0
> [   12.509485] x23: ffff92c7fe01c0c0 x22: ffff2a71a0fcfa70
> [   12.514780] x21: ffff92c7f2b808c0 x20: ffff92c7f741c110
> [   12.520075] x19: ffff92c7f2b988c0 x18: ffff0000218739b0
> [   12.525370] x17: 0000000000000000 x16: ffff2a725625ade0
> [   12.530665] x15: 0000000029818ed4 x14: 00000000d47aab07
> [   12.535961] x13: 8a24000000000000 x12: 0000000000000000
> [   12.541256] x11: 0000000000000000 x10: 0000000000000000
> [   12.546551] x9 : 0000000000000000 x8 : 0000000000000000
> [   12.551846] x7 : 0000000000000000 x6 : ffff92c8159dc910
> [   12.557141] x5 : 0000000000000400 x4 : ffff7e4b205a20c7
> [   12.562436] x3 : 0000000000000000 x2 : ffff2a725625ae1c
> [   12.567731] x1 : 00000000ab078a24 x0 : 0000000000000000
> [   12.573027] Process systemd-udevd (pid: 742, stack limit = 0x(____ptrval____))
> [   12.580232] Call trace:
> [   12.582688]  mlx5_accel_tls_device_caps+0x28/0x38 [mlx5_core]
> [   12.588419]  mlx5e_build_nic_netdev+0x27c/0x348 [mlx5_core]
> [   12.593974]  mlx5e_nic_init+0x1a0/0x258 [mlx5_core]
> [   12.598835]  mlx5e_create_netdev+0x74/0x118 [mlx5_core]
> [   12.604043]  mlx5e_add+0xf0/0x2c0 [mlx5_core]
> [   12.608384]  mlx5_add_device+0x88/0x1a8 [mlx5_core]
> [   12.613246]  mlx5_register_interface+0x78/0xb0 [mlx5_core]
> [   12.618713]  mlx5e_init+0x24/0x30 [mlx5_core]
> [   12.623052]  init+0x88/0xa0 [mlx5_core]
> [   12.626850]  do_one_initcall+0x54/0x200
> [   12.630667]  do_init_module+0x64/0x1d8
> [   12.634401]  load_module+0x1480/0x1510
> [   12.638132]  __se_sys_finit_module+0xc8/0xd8
> [   12.642385]  __arm64_sys_finit_module+0x24/0x30
> [   12.646901]  el0_svc_common+0x7c/0x118
> [   12.650631]  el0_svc_handler+0x38/0x78
> [   12.654364]  el0_svc+0x8/0xc
> [   12.657229] Code: d503201f f97c7e60 f9400bf3 a8c27bfd (f9402800)
> [   12.663306] ---[ end trace 57e772dd3cf718f1 ]---
>
> The function looks like this:
>
> ------------------------------------------------------------------------
> drivers/net/ethernet/mellanox/mlx5/core/accel/tls.c:
> 68      {
>    0x0000000000058230 <+0>:     stp     x29, x30, [sp, #-32]!
>    0x0000000000058234 <+4>:     mov     x29, sp
>    0x0000000000058238 <+8>:     str     x19, [sp, #16]
>    0x000000000005823c <+12>:    mov     x19, x0
>    0x0000000000058240 <+16>:    mov     x0, x30
>
> drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.h:
> 68              return mdev->fpga->tls->caps;
>    0x0000000000058244 <+20>:    add     x19, x19, #0x38, lsl #12
>
> drivers/net/ethernet/mellanox/mlx5/core/accel/tls.c:
> 68      {
>    0x0000000000058248 <+24>:    bl      0x58248 <mlx5_accel_tls_device_caps+24>
>
> drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.h:
> 68              return mdev->fpga->tls->caps;
>    0x000000000005824c <+28>:    ldr     x0, [x19, #30968]
>
> drivers/net/ethernet/mellanox/mlx5/core/accel/tls.c:
> 70      }
>    0x0000000000058250 <+32>:    ldr     x19, [sp, #16]
>    0x0000000000058254 <+36>:    ldp     x29, x30, [sp], #32
>
> drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.h:
> 68              return mdev->fpga->tls->caps;
>    0x0000000000058258 <+40>:    ldr     x0, [x0, #80]
>
> drivers/net/ethernet/mellanox/mlx5/core/accel/tls.c:
> 70      }
>    0x000000000005825c <+44>:    ldr     w0, [x0, #20]
>    0x0000000000058260 <+48>:    ret
> ------------------------------------------------------------------------
>
> so IIUC mdev->fpga is null (offset of tls in struct mlx5_fpga_device is
> indeed 80 = 0x50).
>
> The NIC is
>
>   Model: "Mellanox MT27700 Family [ConnectX-4]"
>   Vendor: pci 0x15b3 "Mellanox Technologies"
>   Device: pci 0x1013 "MT27700 Family [ConnectX-4]"
>   SubVendor: pci 0x15b3 "Mellanox Technologies"
>   SubDevice: pci 0x0003
>
> Michal Kubecek
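
An added example, not part of either message and not the mlx5 driver's code or the eventual fix: it models the mdev->fpga->tls->caps chain with mock structs whose only real details are the two offsets shown in the disassembly (80 and 20), maps a fault address back to the pointer that was NULL, and reads caps behind a presence check. All mock_* names, classify_fault and the sample caps value are hypothetical.

```c
/* Added illustration: mock layouts, not the mlx5 driver's real structs. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Only the two offsets visible in the disassembly are modelled. */
struct mock_tls  { uint8_t pad[20]; uint32_t caps; };        /* ldr w0, [x0, #20] */
struct mock_fpga { uint8_t pad[80]; struct mock_tls *tls; }; /* ldr x0, [x0, #80] */
struct mock_dev  { struct mock_fpga *fpga; };                /* NULL: no FPGA */

enum null_link { LINK_UNKNOWN, LINK_FPGA_NULL, LINK_TLS_NULL };

/* Triage: map an oops fault address to the pointer in the
 * dev->fpga->tls->caps chain that must have been NULL. */
enum null_link classify_fault(uintptr_t fault_addr)
{
    if (fault_addr == offsetof(struct mock_fpga, tls))
        return LINK_FPGA_NULL;          /* load of fpga->tls from NULL+0x50 */
    if (fault_addr == offsetof(struct mock_tls, caps))
        return LINK_TLS_NULL;           /* load of tls->caps from NULL+0x14 */
    return LINK_UNKNOWN;
}

/* Hypothetical presence check: every link must exist before caps is read. */
int mock_is_tls_device(const struct mock_dev *dev)
{
    return dev && dev->fpga && dev->fpga->tls;
}

/* Guarded reader: a device without TLS offload reports no capabilities. */
uint32_t mock_tls_caps_checked(const struct mock_dev *dev)
{
    return mock_is_tls_device(dev) ? dev->fpga->tls->caps : 0;
}

int main(void)
{
    struct mock_tls tls = { .caps = 0x3 };      /* constructed value */
    struct mock_fpga fpga = { .tls = &tls };
    struct mock_dev plain_nic = { .fpga = NULL }, fpga_nic = { .fpga = &fpga };

    printf("fault 0x50 -> link %d\n", classify_fault(0x50));
    printf("plain NIC caps: %u\n", (unsigned)mock_tls_caps_checked(&plain_nic));
    printf("FPGA NIC caps:  %u\n", (unsigned)mock_tls_caps_checked(&fpga_nic));
    return 0;
}
```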
