From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Alexander Lobakin, Igor Russkikh, "David S. Miller", Sasha Levin
Subject: [PATCH 5.7 083/166] net: qed: fix buffer overflow on ethtool -d
Date: Tue, 14 Jul 2020 20:44:08 +0200
Message-Id: <20200714184119.826423080@linuxfoundation.org>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20200714184115.844176932@linuxfoundation.org>
References: <20200714184115.844176932@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Alexander Lobakin

[ Upstream commit da3287111ab43b32cec54d7ca6b48640f210a196 ]

When generating debug dump, driver firstly collects all data in binary form, and then performs per-feature formatting to human-readable if it is supported.

For ethtool -d, this is roughly incorrect for two reasons. First of all, drivers should always provide only original raw dumps to Ethtool without any changes. The second, and more critical, is that Ethtool's output buffer size is strictly determined by ethtool_ops::get_regs_len(), and all data *must* fit in it. The current version of driver always returns the size of raw data, but the size of the formatted buffer exceeds it in most cases. This leads to out-of-bound writes and memory corruption.

Address both issues by adding an option to return original, non-formatted debug data, and using it for Ethtool case.

v2:
 - Expand commit message to make it more clear;
 - No functional changes.

Fixes: c965db444629 ("qed: Add support for debug data collection")
Signed-off-by: Alexander Lobakin
Signed-off-by: Igor Russkikh
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin --- drivers/net/ethernet/qlogic/qed/qed.h | 2 ++ drivers/net/ethernet/qlogic/qed/qed_debug.c | 13 ++++++++++++- 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/qlogic/qed/qed.h b/drivers/net/ethernet/qlogic/qed/qed.h index fa41bf08a5895..58d6ef489d5bf 100644 --- a/drivers/net/ethernet/qlogic/qed/qed.h +++ b/drivers/net/ethernet/qlogic/qed/qed.h @@ -880,6 +880,8 @@ struct qed_dev { #endif struct qed_dbg_feature dbg_features[DBG_FEATURE_NUM]; bool disable_ilt_dump; + bool dbg_bin_dump; + DECLARE_HASHTABLE(connections, 10); const struct firmware *firmware; diff --git a/drivers/net/ethernet/qlogic/qed/qed_debug.c b/drivers/net/ethernet/qlogic/qed/qed_debug.c index 3e56b6056b477..03ce18f653932 100644 --- a/drivers/net/ethernet/qlogic/qed/qed_debug.c +++ b/drivers/net/ethernet/qlogic/qed/qed_debug.c @@ -7506,6 +7506,12 @@ static enum dbg_status format_feature(struct qed_hwfn *p_hwfn, if (p_hwfn->cdev->dbg_params.print_data) qed_dbg_print_feature(text_buf, text_size_bytes); + /* Just return the original binary buffer if requested */ + if (p_hwfn->cdev->dbg_bin_dump) { + vfree(text_buf); + return DBG_STATUS_OK; + } + /* Free the old dump_buf and point the dump_buf to the newly allocagted * and formatted text buffer. */ @@ -7733,7 +7739,9 @@ int qed_dbg_mcp_trace_size(struct qed_dev *cdev) #define REGDUMP_HEADER_SIZE_SHIFT 0 #define REGDUMP_HEADER_SIZE_MASK 0xffffff #define REGDUMP_HEADER_FEATURE_SHIFT 24 -#define REGDUMP_HEADER_FEATURE_MASK 0x3f +#define REGDUMP_HEADER_FEATURE_MASK 0x1f +#define REGDUMP_HEADER_BIN_DUMP_SHIFT 29 +#define REGDUMP_HEADER_BIN_DUMP_MASK 0x1 #define REGDUMP_HEADER_OMIT_ENGINE_SHIFT 30 #define REGDUMP_HEADER_OMIT_ENGINE_MASK 0x1 #define REGDUMP_HEADER_ENGINE_SHIFT 31 
@@ -7771,6 +7779,7 @@ static u32 qed_calc_regdump_header(struct qed_dev *cdev, feature, feature_size); SET_FIELD(res, REGDUMP_HEADER_FEATURE, feature); + SET_FIELD(res, REGDUMP_HEADER_BIN_DUMP, 1); SET_FIELD(res, REGDUMP_HEADER_OMIT_ENGINE, omit_engine); SET_FIELD(res, REGDUMP_HEADER_ENGINE, engine); @@ -7794,6 +7803,7 @@ int qed_dbg_all_data(struct qed_dev *cdev, void *buffer) omit_engine = 1; mutex_lock(&qed_dbg_lock); + cdev->dbg_bin_dump = true; org_engine = qed_get_debug_engine(cdev); for (cur_engine = 0; cur_engine < cdev->num_hwfns; cur_engine++) { @@ -7993,6 +8003,7 @@ int qed_dbg_all_data(struct qed_dev *cdev, void *buffer) QED_NVM_IMAGE_MDUMP, "QED_NVM_IMAGE_MDUMP", rc); } + cdev->dbg_bin_dump = false; mutex_unlock(&qed_dbg_lock); return 0; -- 2.25.1
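Review bot: In the format_feature() hunk of qed_debug.c, the new dbg_bin_dump check sits after text_buf has already been allocated and filled, so every binary dump still pays for the full text formatting and then throws it away with vfree(text_buf). If the formatted text is only needed for the preceding print_data call, test dbg_bin_dump together with !dbg_params.print_data before the formatting step and return DBG_STATUS_OK there. The "allocagted" typo in the comment just below the new block could be fixed in the same pass.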
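Review bot: In the REGDUMP_HEADER_* hunk, REGDUMP_HEADER_FEATURE_MASK shrinks from 0x3f to 0x1f so that bit 29 can carry BIN_DUMP, which changes the layout of the regdump header without a comment or any version marker. A parser that still applies the 6-bit mask will read the feature id with 0x20 added once the new bit is set, and nothing visible in the hunk guarantees that every feature id fits in five bits. A short layout comment above the defines, plus a BUILD_BUG_ON on the largest feature id, would cover both.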
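Review bot: In the qed_calc_regdump_header() hunk, SET_FIELD(res, REGDUMP_HEADER_BIN_DUMP, 1) hard-codes the bit even though the function receives cdev and the actual mode lives in cdev->dbg_bin_dump. If this helper is ever reached while the flag is clear, the header will advertise a binary dump over formatted data; writing cdev->dbg_bin_dump into the field keeps the header and the payload in agreement.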
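Review bot: In the two qed_dbg_all_data() hunks, the dump mode reaches format_feature() through the device-wide cdev->dbg_bin_dump, set after mutex_lock(&qed_dbg_lock) and cleared before the unlock, while format_feature() reads it with no locking of its own visible in the patch. Any caller that reaches format_feature() without holding qed_dbg_lock during that window gets raw output it did not ask for. Either pass the mode down as an argument, or add a comment on the new field in qed.h stating that it is protected by qed_dbg_lock and that all format_feature() callers hold it.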