• Thomas Falcon's avatar
    ibmvnic: Fix use-after-free of VNIC login response buffer · 507ebe64
    Thomas Falcon authored
    The login response buffer is freed after it is received
    and parsed, but other functions in the driver still attempt
    to read it, such as when the device is opened, causing the
    Oops below. Store relevant information in the driver's
    private data structures and use those instead.
    
    BUG: Kernel NULL pointer dereference on read at 0x00000010
    Faulting instruction address: 0xc00800000050a900
    Oops: Kernel access of bad area, sig: 11 [#1]
    LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
    Modules linked in: pseries_rng rng_core vmx_crypto gf128mul binfmt_misc ip_tables x_tables ibmvnic ibmveth crc32c_vpmsum autofs4
    CPU: 7 PID: 759 Comm: NetworkManager Not tainted 5.9.0-rc1-00124-gd0a84e1f #14
    NIP:  c00800000050a900 LR: c00800000050a8f0 CTR: 00000000005b1904
    REGS: c0000001ed746d20 TRAP: 0300   Not tainted  (5.9.0-rc1-00124-gd0a84e1f)
    MSR:  800000000280b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE>  CR: 24428484  XER: 00000001
    CFAR: c0000000000101b0 DAR: 0000000000000010 DSISR: 40000000 IRQMASK: 0
    GPR00: c00800000050a8f0 c0000001ed746fb0 c008000000518e00 0000000000000000
    GPR04: 00000000000000c0 0000000000000080 0003c366c60c4501 0000000000000352
    GPR08: 000000000001f400 0000000000000010 0000000000000000 0000000000000000
    GPR12: 0001cf0000000019 c00000001ec97680 00000001003dfd40 0000010008dbb22c
    GPR16: 0000000000000000 0000000000000000 0000000000000000 c000000000edb6c8
    GPR20: c000000004e73e00 c000000004fd2448 c000000004e6d700 c000000004fd2448
    GPR24: c000000004fd2400 c000000004a0cd20 c0000001ed961860 c0080000005029d8
    GPR28: 0000000000000000 0000000000000003 c000000004a0c000 0000000000000000
    NIP [c00800000050a900] init_resources+0x338/0xa00 [ibmvnic]
    LR [c00800000050a8f0] init_resources+0x328/0xa00 [ibmvnic]
    Call Trace:
    [c0000001ed746fb0] [c00800000050a8f0] init_resources+0x328/0xa00 [ibmvnic] (unreliable)
    [c0000001ed747090] [c00800000050b024] ibmvnic_open+0x5c/0x100 [ibmvnic]
    [c0000001ed747110] [c000000000bdcc0c] __dev_open+0x17c/0x250
    [c0000001ed7471b0] [c000000000bdd1ec] __dev_change_flags+0x1dc/0x270
    [c0000001ed747260] [c000000000bdd2bc] dev_change_flags+0x3c/0x90
    [c0000001ed7472a0] [c000000000bf24b8] do_setlink+0x3b8/0x1280
    [c0000001ed747450] [c000000000bf8cc8] __rtnl_newlink+0x5a8/0x980
    [c0000001ed7478b0] [c000000000bf9110] rtnl_newlink+0x70/0xb0
    [c0000001ed7478f0] [c000000000bf07c4] rtnetlink_rcv_msg+0x364/0x460
    [c0000001ed747990] [c000000000c68b94] netlink_rcv_skb+0x84/0x1a0
    [c0000001ed747a00] [c000000000bef758] rtnetlink_rcv+0x28/0x40
    [c0000001ed747a20] [c000000000c68188] netlink_unicast+0x218/0x310
    [c0000001ed747a80] [c000000000c6848c] netlink_sendmsg+0x20c/0x4e0
    [c0000001ed747b20] [c000000000b9dc88] ____sys_sendmsg+0x158/0x360
    [c0000001ed747bb0] [c000000000ba1c88] ___sys_sendmsg+0x98/0xf0
    [c0000001ed747d10] [c000000000ba1db8] __sys_sendmsg+0x78/0x100
    [c0000001ed747dc0] [c000000000033820] system_call_exception+0x160/0x280
    [c0000001ed747e20] [c00000000000d740] system_call_common+0xf0/0x27c
    Instruction dump:
    3be00000 38810068 b1410076 3941006a 93e10072 fbea0000 b1210068 4bff9915
    eb9e0ca0 eabe0900 393c0010 3ab50048 <7fa04c2c> 7fba07b4 7b431764 7b4917a0
    ---[ end trace fbc5949a28e103bd ]---
    
    Fixes: f3ae59c0 ("ibmvnic: store RX and TX subCRQ handle array in ibmvnic_adapter struct")
    Signed-off-by: default avatarThomas Falcon <tlfalcon@linux.ibm.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    507ebe64
ibmvnic.h 24.8 KB