From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Vasundhara Volam, Michael Chan, "David S. Miller"
Subject: [PATCH 4.16 52/81] bnxt_en: Fix memory fault in bnxt_ethtool_init()
Date: Fri, 27 Apr 2018 15:58:54 +0200
Message-Id: <20180427135746.276210299@linuxfoundation.org>
In-Reply-To: <20180427135743.216853156@linuxfoundation.org>
References: <20180427135743.216853156@linuxfoundation.org>

4.16-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vasundhara Volam

[ Upstream commit a60faa60da891e311e19fd3e88d611863f431130 ]

In some firmware images, the length of BNX_DIR_TYPE_PKG_LOG nvram type
could be greater than the fixed buffer length of 4096 bytes allocated by
the driver.  This was causing HWRM_NVM_READ to copy more data to the buffer
than the allocated size, causing general protection fault.

Fix the issue by allocating the exact buffer length returned by
HWRM_NVM_FIND_DIR_ENTRY, instead of 4096.  Move the kzalloc() call
into the bnxt_get_pkgver() function.

Fixes: 3ebf6f0a09a2 ("bnxt_en: Add installed-package firmware version reporting via Ethtool GDRVINFO")
Signed-off-by: Vasundhara Volam
Signed-off-by: Michael Chan
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c  |   51 +++++++++++----------
 drivers/net/ethernet/broadcom/bnxt/bnxt_nvm_defs.h |    2
 2 files changed, 28 insertions(+), 25 deletions(-)

--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c +++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c 
@@ -1874,22 +1874,39 @@ static char *bnxt_parse_pkglog(int desir return retval; } -static char *bnxt_get_pkgver(struct net_device *dev, char *buf, size_t buflen) +static void bnxt_get_pkgver(struct net_device *dev) { + struct bnxt *bp = netdev_priv(dev); u16 index = 0; - u32 datalen; + char *pkgver; + u32 pkglen; + u8 *pkgbuf; + int len; if (bnxt_find_nvram_item(dev, BNX_DIR_TYPE_PKG_LOG, BNX_DIR_ORDINAL_FIRST, BNX_DIR_EXT_NONE, - &index, NULL, &datalen) != 0) - return NULL; + &index, NULL, &pkglen) != 0) + return; + + pkgbuf = kzalloc(pkglen, GFP_KERNEL); + if (!pkgbuf) { + dev_err(&bp->pdev->dev, "Unable to allocate memory for pkg version, length = %u\n", + pkglen); + return; + } - memset(buf, 0, buflen); - if (bnxt_get_nvram_item(dev, index, 0, datalen, buf) != 0) - return NULL; + if (bnxt_get_nvram_item(dev, index, 0, pkglen, pkgbuf)) + goto err; - return bnxt_parse_pkglog(BNX_PKG_LOG_FIELD_IDX_PKG_VERSION, buf, - datalen); + pkgver = bnxt_parse_pkglog(BNX_PKG_LOG_FIELD_IDX_PKG_VERSION, pkgbuf, + pkglen); + if (pkgver && *pkgver != 0 && isdigit(*pkgver)) { + len = strlen(bp->fw_ver_str); + snprintf(bp->fw_ver_str + len, FW_VER_STR_LEN - len - 1, + "/pkg %s", pkgver); + } +err: + kfree(pkgbuf); } static int bnxt_get_eeprom(struct net_device *dev, @@ -2558,22 +2575,10 @@ void bnxt_ethtool_init(struct bnxt *bp) struct hwrm_selftest_qlist_input req = {0}; struct bnxt_test_info *test_info; struct net_device *dev = bp->dev; - char *pkglog; int i, rc; - pkglog = kzalloc(BNX_PKG_LOG_MAX_LENGTH, GFP_KERNEL); - if (pkglog) { - char *pkgver; - int len; - - pkgver = bnxt_get_pkgver(dev, pkglog, BNX_PKG_LOG_MAX_LENGTH); - if (pkgver && *pkgver != 0 && isdigit(*pkgver)) { - len = strlen(bp->fw_ver_str); - snprintf(bp->fw_ver_str + len, FW_VER_STR_LEN - len - 1, - "/pkg %s", pkgver); - } - kfree(pkglog); - } + bnxt_get_pkgver(dev); + if (bp->hwrm_spec_code < 0x10704 || !BNXT_SINGLE_PF(bp)) return; --- a/drivers/net/ethernet/broadcom/bnxt/bnxt_nvm_defs.h 
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_nvm_defs.h @@ -59,8 +59,6 @@ enum bnxt_nvm_directory_type { #define BNX_DIR_ATTR_NO_CHKSUM (1 << 0) #define BNX_DIR_ATTR_PROP_STREAM (1 << 1) -#define BNX_PKG_LOG_MAX_LENGTH 4096 - enum bnxnvm_pkglog_field_index { BNX_PKG_LOG_FIELD_IDX_INSTALLED_TIMESTAMP = 0, BNX_PKG_LOG_FIELD_IDX_PKG_DESCRIPTION = 1,
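
Review bot: in the bnxt_get_pkgver() hunk, pkglen comes back from bnxt_find_nvram_item() and goes straight into kzalloc(pkglen, GFP_KERNEL) with no range check, so the allocation size is now whatever the firmware directory entry reports. A zero length makes kzalloc() return ZERO_SIZE_PTR, which passes the `if (!pkgbuf)` test and is then handed to bnxt_get_nvram_item() and bnxt_parse_pkglog(); a very large length becomes a large physically contiguous allocation request. Consider returning early when pkglen is 0 and rejecting values above a sanity ceiling before allocating. Because the buffer is now exactly pkglen bytes, with none of the zeroed slack the old 4096-byte buffer had for shorter logs, it is also worth confirming that bnxt_parse_pkglog() terminates the string inside pkglen before pkgver is printed with "%s"; its body is not in the visible context.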
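
Review bot: in the bnxt_ethtool_init() hunk, the call site `bnxt_get_pkgver(dev);` no longer shows that the helper appends "/pkg ..." to bp->fw_ver_str, and the helper now returns void, so a failed bnxt_get_nvram_item() read (the `goto err` path) leaves no trace at all while only the allocation failure is logged. A short comment above the function stating that it updates bp->fw_ver_str as a side effect, and a message on the read-failure path to match the dev_err() on the allocation path, would make the silent cases diagnosable.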