lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CACKFLimcM8i1gA8LvAV3ny+mw-6GvjYRUYue-rkje1aobdFtvQ@mail.gmail.com>
Date:   Fri, 10 Jul 2020 10:01:10 -0700
From:   Michael Chan <michael.chan@...adcom.com>
To:     Davide Caratti <dcaratti@...hat.com>
Cc:     "David S. Miller" <davem@...emloft.net>,
        Netdev <netdev@...r.kernel.org>,
        Jonathan Toppins <jtoppins@...hat.com>, feliu@...hat.com
Subject: Re: [PATCH net] bnxt_en: fix NULL dereference in case SR-IOV
 configuration fails

On Fri, Jul 10, 2020 at 3:55 AM Davide Caratti <dcaratti@...hat.com> wrote:
>
> we need to set 'active_vfs' back to 0, if something goes wrong during the
> allocation of SR-IOV resources: otherwise, further VF configurations will
> wrongly assume that bp->pf.vf[x] are valid memory locations, and commands
> like the ones in the following sequence:
>
>  # echo 2 >/sys/bus/pci/devices/${ADDR}/sriov_numvfs
>  # ip link set dev ens1f0np0 up
>  # ip link set dev ens1f0np0 vf 0 trust on
>
> will cause a kernel crash similar to this:
>
>  bnxt_en 0000:3b:00.0: not enough MMIO resources for SR-IOV
>  BUG: kernel NULL pointer dereference, address: 0000000000000014
>  #PF: supervisor read access in kernel mode
>  #PF: error_code(0x0000) - not-present page
>  PGD 0 P4D 0
>  Oops: 0000 [#1] SMP PTI
>  CPU: 43 PID: 2059 Comm: ip Tainted: G          I       5.8.0-rc2.upstream+ #871
>  Hardware name: Dell Inc. PowerEdge R740/08D89F, BIOS 2.2.11 06/13/2019
>  RIP: 0010:bnxt_set_vf_trust+0x5b/0x110 [bnxt_en]
>  Code: 44 24 58 31 c0 e8 f5 fb ff ff 85 c0 0f 85 b6 00 00 00 48 8d 1c 5b 41 89 c6 b9 0b 00 00 00 48 c1 e3 04 49 03 9c 24 f0 0e 00 00 <8b> 43 14 89 c2 83 c8 10 83 e2 ef 45 84 ed 49 89 e5 0f 44 c2 4c 89
>  RSP: 0018:ffffac6246a1f570 EFLAGS: 00010246
>  RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000000b
>  RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff98b28f538900
>  RBP: ffff98b28f538900 R08: 0000000000000000 R09: 0000000000000008
>  R10: ffffffffb9515be0 R11: ffffac6246a1f678 R12: ffff98b28f538000
>  R13: 0000000000000001 R14: 0000000000000000 R15: ffffffffc05451e0
>  FS:  00007fde0f688800(0000) GS:ffff98baffd40000(0000) knlGS:0000000000000000
>  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>  CR2: 0000000000000014 CR3: 000000104bb0a003 CR4: 00000000007606e0
>  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>  PKRU: 55555554
>  Call Trace:
>   do_setlink+0x994/0xfe0
>   __rtnl_newlink+0x544/0x8d0
>   rtnl_newlink+0x47/0x70
>   rtnetlink_rcv_msg+0x29f/0x350
>   netlink_rcv_skb+0x4a/0x110
>   netlink_unicast+0x21d/0x300
>   netlink_sendmsg+0x329/0x450
>   sock_sendmsg+0x5b/0x60
>   ____sys_sendmsg+0x204/0x280
>   ___sys_sendmsg+0x88/0xd0
>   __sys_sendmsg+0x5e/0xa0
>   do_syscall_64+0x47/0x80
>   entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> Fixes: c0c050c58d840 ("bnxt_en: New Broadcom ethernet driver.")
> Reported-by: Fei Liu <feliu@...hat.com>
> CC: Jonathan Toppins <jtoppins@...hat.com>
> CC: Michael Chan <michael.chan@...adcom.com>
> Signed-off-by: Davide Caratti <dcaratti@...hat.com>

Reviewed-by: Michael Chan <michael.chan@...adcom.com>

Thanks.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ