• Vadim Pasternak's avatar
    platform/mellanox: mlxreg-hotplug: Fix KASAN warning · 07a31820
    Vadim Pasternak authored
    [ Upstream commit e4c275f7 ]
    
    Fix the following KASAN warning produced when booting a 64-bit kernel:
    [   13.334750] BUG: KASAN: stack-out-of-bounds in find_first_bit+0x19/0x70
    [   13.342166] Read of size 8 at addr ffff880235067178 by task kworker/2:1/42
    [   13.342176] CPU: 2 PID: 42 Comm: kworker/2:1 Not tainted 4.20.0-rc1+ #106
    [   13.342179] Hardware name: Mellanox Technologies Ltd. MSN2740/Mellanox x86 SFF board, BIOS 5.6.5 06/07/2016
    [   13.342190] Workqueue: events deferred_probe_work_func
    [   13.342194] Call Trace:
    [   13.342206]  dump_stack+0xc7/0x15b
    [   13.342214]  ? show_regs_print_info+0x5/0x5
    [   13.342220]  ? kmsg_dump_rewind_nolock+0x59/0x59
    [   13.342234]  ? _raw_write_lock_irqsave+0x100/0x100
    [   13.351593]  print_address_description+0x73/0x260
    [   13.351603]  kasan_report+0x260/0x380
    [   13.351611]  ? find_first_bit+0x19/0x70
    [   13.351619]  find_first_bit+0x19/0x70
    [   13.351630]  mlxreg_hotplug_work_handler+0x73c/0x920 [mlxreg_hotplug]
    [   13.351639]  ? __lock_text_start+0x8/0x8
    [   13.351646]  ? _raw_write_lock_irqsave+0x80/0x100
    [   13.351656]  ? mlxreg_hotplug_remove+0x1e0/0x1e0 [mlxreg_hotplug]
    [   13.351663]  ? regmap_volatile+0x40/0xb0
    [   13.351668]  ? regcache_write+0x4c/0x90
    [   13.351676]  ? mlxplat_mlxcpld_reg_write+0x24/0x30 [mlx_platform]
    [   13.351681]  ? _regmap_write+0xea/0x220
    [   13.351688]  ? __mutex_lock_slowpath+0x10/0x10
    [   13.351696]  ? devm_add_action+0x70/0x70
    [   13.351701]  ? mutex_unlock+0x1d/0x40
    [   13.351710]  mlxreg_hotplug_probe+0x82e/0x989 [mlxreg_hotplug]
    [   13.351723]  ? mlxreg_hotplug_work_handler+0x920/0x920 [mlxreg_hotplug]
    [   13.351731]  ? sysfs_do_create_link_sd.isra.2+0xf4/0x190
    [   13.351737]  ? sysfs_rename_link_ns+0xf0/0xf0
    [   13.351743]  ? devres_close_group+0x2b0/0x2b0
    [   13.351749]  ? pinctrl_put+0x20/0x20
    [   13.351755]  ? acpi_dev_pm_attach+0x2c/0xd0
    [   13.351763]  platform_drv_probe+0x70/0xd0
    [   13.351771]  really_probe+0x480/0x6e0
    [   13.351778]  ? device_attach+0x10/0x10
    [   13.351784]  ? __lock_text_start+0x8/0x8
    [   13.351790]  ? _raw_write_lock_irqsave+0x80/0x100
    [   13.351797]  ? _raw_write_lock_irqsave+0x80/0x100
    [   13.351806]  ? __driver_attach+0x190/0x190
    [   13.351812]  driver_probe_device+0x17d/0x1a0
    [   13.351819]  ? __driver_attach+0x190/0x190
    [   13.351825]  bus_for_each_drv+0xd6/0x130
    [   13.351831]  ? bus_rescan_devices+0x20/0x20
    [   13.351837]  ? __mutex_lock_slowpath+0x10/0x10
    [   13.351845]  __device_attach+0x18c/0x230
    [   13.351852]  ? device_bind_driver+0x70/0x70
    [   13.351859]  ? __mutex_lock_slowpath+0x10/0x10
    [   13.351866]  bus_probe_device+0xea/0x110
    [   13.351874]  deferred_probe_work_func+0x1c9/0x290
    [   13.351882]  ? driver_deferred_probe_add+0x1d0/0x1d0
    [   13.351889]  ? preempt_notifier_dec+0x20/0x20
    [   13.351897]  ? read_word_at_a_time+0xe/0x20
    [   13.351904]  ? strscpy+0x151/0x290
    [   13.351912]  ? set_work_pool_and_clear_pending+0x9c/0xf0
    [   13.351918]  ? __switch_to_asm+0x34/0x70
    [   13.351924]  ? __switch_to_asm+0x40/0x70
    [   13.351929]  ? __switch_to_asm+0x34/0x70
    [   13.351935]  ? __switch_to_asm+0x40/0x70
    [   13.351942]  process_one_work+0x5cc/0xa00
    [   13.351952]  ? pwq_dec_nr_in_flight+0x1e0/0x1e0
    [   13.351960]  ? pci_mmcfg_check_reserved+0x80/0xb8
    [   13.351967]  ? run_rebalance_domains+0x250/0x250
    [   13.351980]  ? stack_access_ok+0x35/0x80
    [   13.351986]  ? deref_stack_reg+0xa1/0xe0
    [   13.351994]  ? schedule+0xcd/0x250
    [   13.352000]  ? worker_enter_idle+0x2d6/0x330
    [   13.352006]  ? __schedule+0xeb0/0xeb0
    [   13.352014]  ? fork_usermode_blob+0x130/0x130
    [   13.352019]  ? mutex_lock+0xa7/0x100
    [   13.352026]  ? _raw_spin_lock_irq+0x98/0xf0
    [   13.352032]  ? _raw_read_unlock_irqrestore+0x30/0x30
    [   13.352037] i2c i2c-2: Added multiplexed i2c bus 11
    [   13.352043]  worker_thread+0x181/0xa80
    [   13.352052]  ? __switch_to_asm+0x34/0x70
    [   13.352058]  ? __switch_to_asm+0x40/0x70
    [   13.352064]  ? process_one_work+0xa00/0xa00
    [   13.352070]  ? __switch_to_asm+0x34/0x70
    [   13.352076]  ? __switch_to_asm+0x40/0x70
    [   13.352081]  ? __switch_to_asm+0x34/0x70
    [   13.352086]  ? __switch_to_asm+0x40/0x70
    [   13.352092]  ? __switch_to_asm+0x34/0x70
    [   13.352097]  ? __switch_to_asm+0x40/0x70
    [   13.352105]  ? __schedule+0x3d6/0xeb0
    [   13.352112]  ? migrate_swap_stop+0x470/0x470
    [   13.352119]  ? save_stack+0x89/0xb0
    [   13.352127]  ? kmem_cache_alloc_trace+0xe5/0x570
    [   13.352132]  ? kthread+0x59/0x1d0
    [   13.352138]  ? ret_from_fork+0x35/0x40
    [   13.352154]  ? __schedule+0xeb0/0xeb0
    [   13.352161]  ? remove_wait_queue+0x150/0x150
    [   13.352169]  ? _raw_write_lock_irqsave+0x80/0x100
    [   13.352175]  ? __lock_text_start+0x8/0x8
    [   13.352183]  ? process_one_work+0xa00/0xa00
    [   13.352188]  kthread+0x1a4/0x1d0
    [   13.352195]  ? kthread_create_worker_on_cpu+0xc0/0xc0
    [   13.352202]  ret_from_fork+0x35/0x40
    
    [   13.353879] The buggy address belongs to the page:
    [   13.353885] page:ffffea0008d419c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
    [   13.353890] flags: 0x2ffff8000000000()
    [   13.353897] raw: 02ffff8000000000 ffffea0008d419c8 ffffea0008d419c8 0000000000000000
    [   13.353903] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
    [   13.353905] page dumped because: kasan: bad access detected
    
    [   13.353908] Memory state around the buggy address:
    [   13.353912]  ffff880235067000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    [   13.353917]  ffff880235067080: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04
    [   13.353921] >ffff880235067100: f2 f2 f2 f2 f2 f2 f2 04 f2 f2 f2 f2 f2 f2 f2 04
    [   13.353923]                                                                 ^
    [   13.353927]  ffff880235067180: f2 f2 f2 f2 f2 f2 f2 04 f2 f2 f2 00 00 00 00 00
    [   13.353931]  ffff880235067200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    [   13.353933] ==================================================================
    
    The warning is caused by the below loop:
    	for_each_set_bit(bit, (unsigned long *)&asserted, 8) {
    while "asserted" is declared as 'unsigned'.
    
    The casting of 32-bit unsigned integer pointer to a 64-bit unsigned long
    pointer. There are two problems here.
    It causes the access of four extra byte, which can corrupt memory
    The 32-bit pointer address may not be 64-bit aligned.
    
    The fix changes variable "asserted" to "unsigned long".
    
    Fixes: 1f976f69 ("platform/x86: Move Mellanox platform hotplug driver to platform/mellanox")
    Signed-off-by: default avatarVadim Pasternak <vadimp@mellanox.com>
    Signed-off-by: default avatarDarren Hart (VMware) <dvhart@infradead.org>
    Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
    07a31820
mlxreg-hotplug.c 19.2 KB