[thirdparty/kernel/stable-queue.git] / queue-4.19 / platform-mellanox-mlxreg-hotplug-fix-kasan-warning.patch

From 23d00746c9f2f4f10a87d6453e6abb605b07f65f Mon Sep 17 00:00:00 2001
From: Vadim Pasternak <vadimp@mellanox.com>
Date: Sun, 17 Feb 2019 18:15:30 +0000
Subject: platform/mellanox: mlxreg-hotplug: Fix KASAN warning

[ Upstream commit e4c275f77624961b56cce397814d9d770a45ac59 ]

Fix the following KASAN warning produced when booting a 64-bit kernel:
[   13.334750] BUG: KASAN: stack-out-of-bounds in find_first_bit+0x19/0x70
[   13.342166] Read of size 8 at addr ffff880235067178 by task kworker/2:1/42
[   13.342176] CPU: 2 PID: 42 Comm: kworker/2:1 Not tainted 4.20.0-rc1+ #106
[   13.342179] Hardware name: Mellanox Technologies Ltd. MSN2740/Mellanox x86 SFF board, BIOS 5.6.5 06/07/2016
[   13.342190] Workqueue: events deferred_probe_work_func
[   13.342194] Call Trace:
[   13.342206]  dump_stack+0xc7/0x15b
[   13.342214]  ? show_regs_print_info+0x5/0x5
[   13.342220]  ? kmsg_dump_rewind_nolock+0x59/0x59
[   13.342234]  ? _raw_write_lock_irqsave+0x100/0x100
[   13.351593]  print_address_description+0x73/0x260
[   13.351603]  kasan_report+0x260/0x380
[   13.351611]  ? find_first_bit+0x19/0x70
[   13.351619]  find_first_bit+0x19/0x70
[   13.351630]  mlxreg_hotplug_work_handler+0x73c/0x920 [mlxreg_hotplug]
[   13.351639]  ? __lock_text_start+0x8/0x8
[   13.351646]  ? _raw_write_lock_irqsave+0x80/0x100
[   13.351656]  ? mlxreg_hotplug_remove+0x1e0/0x1e0 [mlxreg_hotplug]
[   13.351663]  ? regmap_volatile+0x40/0xb0
[   13.351668]  ? regcache_write+0x4c/0x90
[   13.351676]  ? mlxplat_mlxcpld_reg_write+0x24/0x30 [mlx_platform]
[   13.351681]  ? _regmap_write+0xea/0x220
[   13.351688]  ? __mutex_lock_slowpath+0x10/0x10
[   13.351696]  ? devm_add_action+0x70/0x70
[   13.351701]  ? mutex_unlock+0x1d/0x40
[   13.351710]  mlxreg_hotplug_probe+0x82e/0x989 [mlxreg_hotplug]
[   13.351723]  ? mlxreg_hotplug_work_handler+0x920/0x920 [mlxreg_hotplug]
[   13.351731]  ? sysfs_do_create_link_sd.isra.2+0xf4/0x190
[   13.351737]  ? sysfs_rename_link_ns+0xf0/0xf0
[   13.351743]  ? devres_close_group+0x2b0/0x2b0
[   13.351749]  ? pinctrl_put+0x20/0x20
[   13.351755]  ? acpi_dev_pm_attach+0x2c/0xd0
[   13.351763]  platform_drv_probe+0x70/0xd0
[   13.351771]  really_probe+0x480/0x6e0
[   13.351778]  ? device_attach+0x10/0x10
[   13.351784]  ? __lock_text_start+0x8/0x8
[   13.351790]  ? _raw_write_lock_irqsave+0x80/0x100
[   13.351797]  ? _raw_write_lock_irqsave+0x80/0x100
[   13.351806]  ? __driver_attach+0x190/0x190
[   13.351812]  driver_probe_device+0x17d/0x1a0
[   13.351819]  ? __driver_attach+0x190/0x190
[   13.351825]  bus_for_each_drv+0xd6/0x130
[   13.351831]  ? bus_rescan_devices+0x20/0x20
[   13.351837]  ? __mutex_lock_slowpath+0x10/0x10
[   13.351845]  __device_attach+0x18c/0x230
[   13.351852]  ? device_bind_driver+0x70/0x70
[   13.351859]  ? __mutex_lock_slowpath+0x10/0x10
[   13.351866]  bus_probe_device+0xea/0x110
[   13.351874]  deferred_probe_work_func+0x1c9/0x290
[   13.351882]  ? driver_deferred_probe_add+0x1d0/0x1d0
[   13.351889]  ? preempt_notifier_dec+0x20/0x20
[   13.351897]  ? read_word_at_a_time+0xe/0x20
[   13.351904]  ? strscpy+0x151/0x290
[   13.351912]  ? set_work_pool_and_clear_pending+0x9c/0xf0
[   13.351918]  ? __switch_to_asm+0x34/0x70
[   13.351924]  ? __switch_to_asm+0x40/0x70
[   13.351929]  ? __switch_to_asm+0x34/0x70
[   13.351935]  ? __switch_to_asm+0x40/0x70
[   13.351942]  process_one_work+0x5cc/0xa00
[   13.351952]  ? pwq_dec_nr_in_flight+0x1e0/0x1e0
[   13.351960]  ? pci_mmcfg_check_reserved+0x80/0xb8
[   13.351967]  ? run_rebalance_domains+0x250/0x250
[   13.351980]  ? stack_access_ok+0x35/0x80
[   13.351986]  ? deref_stack_reg+0xa1/0xe0
[   13.351994]  ? schedule+0xcd/0x250
[   13.352000]  ? worker_enter_idle+0x2d6/0x330
[   13.352006]  ? __schedule+0xeb0/0xeb0
[   13.352014]  ? fork_usermode_blob+0x130/0x130
[   13.352019]  ? mutex_lock+0xa7/0x100
[   13.352026]  ? _raw_spin_lock_irq+0x98/0xf0
[   13.352032]  ? _raw_read_unlock_irqrestore+0x30/0x30
[   13.352037] i2c i2c-2: Added multiplexed i2c bus 11
[   13.352043]  worker_thread+0x181/0xa80
[   13.352052]  ? __switch_to_asm+0x34/0x70
[   13.352058]  ? __switch_to_asm+0x40/0x70
[   13.352064]  ? process_one_work+0xa00/0xa00
[   13.352070]  ? __switch_to_asm+0x34/0x70
[   13.352076]  ? __switch_to_asm+0x40/0x70
[   13.352081]  ? __switch_to_asm+0x34/0x70
[   13.352086]  ? __switch_to_asm+0x40/0x70
[   13.352092]  ? __switch_to_asm+0x34/0x70
[   13.352097]  ? __switch_to_asm+0x40/0x70
[   13.352105]  ? __schedule+0x3d6/0xeb0
[   13.352112]  ? migrate_swap_stop+0x470/0x470
[   13.352119]  ? save_stack+0x89/0xb0
[   13.352127]  ? kmem_cache_alloc_trace+0xe5/0x570
[   13.352132]  ? kthread+0x59/0x1d0
[   13.352138]  ? ret_from_fork+0x35/0x40
[   13.352154]  ? __schedule+0xeb0/0xeb0
[   13.352161]  ? remove_wait_queue+0x150/0x150
[   13.352169]  ? _raw_write_lock_irqsave+0x80/0x100
[   13.352175]  ? __lock_text_start+0x8/0x8
[   13.352183]  ? process_one_work+0xa00/0xa00
[   13.352188]  kthread+0x1a4/0x1d0
[   13.352195]  ? kthread_create_worker_on_cpu+0xc0/0xc0
[   13.352202]  ret_from_fork+0x35/0x40

[   13.353879] The buggy address belongs to the page:
[   13.353885] page:ffffea0008d419c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
[   13.353890] flags: 0x2ffff8000000000()
[   13.353897] raw: 02ffff8000000000 ffffea0008d419c8 ffffea0008d419c8 0000000000000000
[   13.353903] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   13.353905] page dumped because: kasan: bad access detected

[   13.353908] Memory state around the buggy address:
[   13.353912]  ffff880235067000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   13.353917]  ffff880235067080: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04
[   13.353921] >ffff880235067100: f2 f2 f2 f2 f2 f2 f2 04 f2 f2 f2 f2 f2 f2 f2 04
[   13.353923]                                                                 ^
[   13.353927]  ffff880235067180: f2 f2 f2 f2 f2 f2 f2 04 f2 f2 f2 00 00 00 00 00
[   13.353931]  ffff880235067200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   13.353933] ==================================================================

The warning is caused by the below loop:
	for_each_set_bit(bit, (unsigned long *)&asserted, 8) {
while "asserted" is declared as 'unsigned'.

The casting of 32-bit unsigned integer pointer to a 64-bit unsigned long
pointer. There are two problems here.
It causes the access of four extra byte, which can corrupt memory
The 32-bit pointer address may not be 64-bit aligned.

The fix changes variable "asserted" to "unsigned long".

Fixes: 1f976f6978bf ("platform/x86: Move Mellanox platform hotplug driver to platform/mellanox")
Signed-off-by: Vadim Pasternak <vadimp@mellanox.com>
Signed-off-by: Darren Hart (VMware) <dvhart@infradead.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/platform/mellanox/mlxreg-hotplug.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/platform/mellanox/mlxreg-hotplug.c b/drivers/platform/mellanox/mlxreg-hotplug.c
index b6d44550d98c..eca16d00e310 100644
--- a/drivers/platform/mellanox/mlxreg-hotplug.c
+++ b/drivers/platform/mellanox/mlxreg-hotplug.c
@@ -248,7 +248,8 @@ mlxreg_hotplug_work_helper(struct mlxreg_hotplug_priv_data *priv,
 			   struct mlxreg_core_item *item)
 {
 	struct mlxreg_core_data *data;
-	u32 asserted, regval, bit;
+	unsigned long asserted;
+	u32 regval, bit;
 	int ret;
 
 	/*
@@ -281,7 +282,7 @@ mlxreg_hotplug_work_helper(struct mlxreg_hotplug_priv_data *priv,
 	asserted = item->cache ^ regval;
 	item->cache = regval;
 
-	for_each_set_bit(bit, (unsigned long *)&asserted, 8) {
+	for_each_set_bit(bit, &asserted, 8) {
 		data = item->data + bit;
 		if (regval & BIT(bit)) {
 			if (item->inversed)
-- 
2.19.1
Commit	Line	Data
ba172962 SL	1	From 23d00746c9f2f4f10a87d6453e6abb605b07f65f Mon Sep 17 00:00:00 2001
	2	From: Vadim Pasternak <vadimp@mellanox.com>
	3	Date: Sun, 17 Feb 2019 18:15:30 +0000
	4	Subject: platform/mellanox: mlxreg-hotplug: Fix KASAN warning
	5
	6	[ Upstream commit e4c275f77624961b56cce397814d9d770a45ac59 ]
	7
	8	Fix the following KASAN warning produced when booting a 64-bit kernel:
	9	[ 13.334750] BUG: KASAN: stack-out-of-bounds in find_first_bit+0x19/0x70
	10	[ 13.342166] Read of size 8 at addr ffff880235067178 by task kworker/2:1/42
	11	[ 13.342176] CPU: 2 PID: 42 Comm: kworker/2:1 Not tainted 4.20.0-rc1+ #106
	12	[ 13.342179] Hardware name: Mellanox Technologies Ltd. MSN2740/Mellanox x86 SFF board, BIOS 5.6.5 06/07/2016
	13	[ 13.342190] Workqueue: events deferred_probe_work_func
	14	[ 13.342194] Call Trace:
	15	[ 13.342206] dump_stack+0xc7/0x15b
	16	[ 13.342214] ? show_regs_print_info+0x5/0x5
	17	[ 13.342220] ? kmsg_dump_rewind_nolock+0x59/0x59
	18	[ 13.342234] ? _raw_write_lock_irqsave+0x100/0x100
	19	[ 13.351593] print_address_description+0x73/0x260
	20	[ 13.351603] kasan_report+0x260/0x380
	21	[ 13.351611] ? find_first_bit+0x19/0x70
	22	[ 13.351619] find_first_bit+0x19/0x70
	23	[ 13.351630] mlxreg_hotplug_work_handler+0x73c/0x920 [mlxreg_hotplug]
	24	[ 13.351639] ? __lock_text_start+0x8/0x8
	25	[ 13.351646] ? _raw_write_lock_irqsave+0x80/0x100
	26	[ 13.351656] ? mlxreg_hotplug_remove+0x1e0/0x1e0 [mlxreg_hotplug]
	27	[ 13.351663] ? regmap_volatile+0x40/0xb0
	28	[ 13.351668] ? regcache_write+0x4c/0x90
	29	[ 13.351676] ? mlxplat_mlxcpld_reg_write+0x24/0x30 [mlx_platform]
	30	[ 13.351681] ? _regmap_write+0xea/0x220
	31	[ 13.351688] ? __mutex_lock_slowpath+0x10/0x10
	32	[ 13.351696] ? devm_add_action+0x70/0x70
	33	[ 13.351701] ? mutex_unlock+0x1d/0x40
	34	[ 13.351710] mlxreg_hotplug_probe+0x82e/0x989 [mlxreg_hotplug]
	35	[ 13.351723] ? mlxreg_hotplug_work_handler+0x920/0x920 [mlxreg_hotplug]
	36	[ 13.351731] ? sysfs_do_create_link_sd.isra.2+0xf4/0x190
	37	[ 13.351737] ? sysfs_rename_link_ns+0xf0/0xf0
	38	[ 13.351743] ? devres_close_group+0x2b0/0x2b0
	39	[ 13.351749] ? pinctrl_put+0x20/0x20
	40	[ 13.351755] ? acpi_dev_pm_attach+0x2c/0xd0
	41	[ 13.351763] platform_drv_probe+0x70/0xd0
	42	[ 13.351771] really_probe+0x480/0x6e0
	43	[ 13.351778] ? device_attach+0x10/0x10
	44	[ 13.351784] ? __lock_text_start+0x8/0x8
	45	[ 13.351790] ? _raw_write_lock_irqsave+0x80/0x100
	46	[ 13.351797] ? _raw_write_lock_irqsave+0x80/0x100
	47	[ 13.351806] ? __driver_attach+0x190/0x190
	48	[ 13.351812] driver_probe_device+0x17d/0x1a0
	49	[ 13.351819] ? __driver_attach+0x190/0x190
	50	[ 13.351825] bus_for_each_drv+0xd6/0x130
	51	[ 13.351831] ? bus_rescan_devices+0x20/0x20
	52	[ 13.351837] ? __mutex_lock_slowpath+0x10/0x10
	53	[ 13.351845] __device_attach+0x18c/0x230
	54	[ 13.351852] ? device_bind_driver+0x70/0x70
	55	[ 13.351859] ? __mutex_lock_slowpath+0x10/0x10
	56	[ 13.351866] bus_probe_device+0xea/0x110
	57	[ 13.351874] deferred_probe_work_func+0x1c9/0x290
	58	[ 13.351882] ? driver_deferred_probe_add+0x1d0/0x1d0
	59	[ 13.351889] ? preempt_notifier_dec+0x20/0x20
	60	[ 13.351897] ? read_word_at_a_time+0xe/0x20
	61	[ 13.351904] ? strscpy+0x151/0x290
	62	[ 13.351912] ? set_work_pool_and_clear_pending+0x9c/0xf0
	63	[ 13.351918] ? __switch_to_asm+0x34/0x70
	64	[ 13.351924] ? __switch_to_asm+0x40/0x70
65	[ 13.351929] ? __switch_to_asm+0x34/0x70
66	[ 13.351935] ? __switch_to_asm+0x40/0x70
67	[ 13.351942] process_one_work+0x5cc/0xa00
68	[ 13.351952] ? pwq_dec_nr_in_flight+0x1e0/0x1e0
69	[ 13.351960] ? pci_mmcfg_check_reserved+0x80/0xb8
70	[ 13.351967] ? run_rebalance_domains+0x250/0x250
71	[ 13.351980] ? stack_access_ok+0x35/0x80
72	[ 13.351986] ? deref_stack_reg+0xa1/0xe0
73	[ 13.351994] ? schedule+0xcd/0x250
74	[ 13.352000] ? worker_enter_idle+0x2d6/0x330
75	[ 13.352006] ? __schedule+0xeb0/0xeb0
76	[ 13.352014] ? fork_usermode_blob+0x130/0x130
77	[ 13.352019] ? mutex_lock+0xa7/0x100
78	[ 13.352026] ? _raw_spin_lock_irq+0x98/0xf0
79	[ 13.352032] ? _raw_read_unlock_irqrestore+0x30/0x30
80	[ 13.352037] i2c i2c-2: Added multiplexed i2c bus 11
81	[ 13.352043] worker_thread+0x181/0xa80
82	[ 13.352052] ? __switch_to_asm+0x34/0x70
83	[ 13.352058] ? __switch_to_asm+0x40/0x70
84	[ 13.352064] ? process_one_work+0xa00/0xa00
85	[ 13.352070] ? __switch_to_asm+0x34/0x70
86	[ 13.352076] ? __switch_to_asm+0x40/0x70
87	[ 13.352081] ? __switch_to_asm+0x34/0x70
88	[ 13.352086] ? __switch_to_asm+0x40/0x70
89	[ 13.352092] ? __switch_to_asm+0x34/0x70
90	[ 13.352097] ? __switch_to_asm+0x40/0x70
91	[ 13.352105] ? __schedule+0x3d6/0xeb0
92	[ 13.352112] ? migrate_swap_stop+0x470/0x470
93	[ 13.352119] ? save_stack+0x89/0xb0
94	[ 13.352127] ? kmem_cache_alloc_trace+0xe5/0x570
95	[ 13.352132] ? kthread+0x59/0x1d0
96	[ 13.352138] ? ret_from_fork+0x35/0x40
97	[ 13.352154] ? __schedule+0xeb0/0xeb0
98	[ 13.352161] ? remove_wait_queue+0x150/0x150
99	[ 13.352169] ? _raw_write_lock_irqsave+0x80/0x100
100	[ 13.352175] ? __lock_text_start+0x8/0x8
101	[ 13.352183] ? process_one_work+0xa00/0xa00
102	[ 13.352188] kthread+0x1a4/0x1d0
103	[ 13.352195] ? kthread_create_worker_on_cpu+0xc0/0xc0
104	[ 13.352202] ret_from_fork+0x35/0x40
105
106	[ 13.353879] The buggy address belongs to the page:
107	[ 13.353885] page:ffffea0008d419c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
108	[ 13.353890] flags: 0x2ffff8000000000()
109	[ 13.353897] raw: 02ffff8000000000 ffffea0008d419c8 ffffea0008d419c8 0000000000000000
110	[ 13.353903] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
111	[ 13.353905] page dumped because: kasan: bad access detected
112
113	[ 13.353908] Memory state around the buggy address:
114	[ 13.353912] ffff880235067000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
115	[ 13.353917] ffff880235067080: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04
116	[ 13.353921] >ffff880235067100: f2 f2 f2 f2 f2 f2 f2 04 f2 f2 f2 f2 f2 f2 f2 04
117	[ 13.353923] ^
118	[ 13.353927] ffff880235067180: f2 f2 f2 f2 f2 f2 f2 04 f2 f2 f2 00 00 00 00 00
119	[ 13.353931] ffff880235067200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
120	[ 13.353933] ==================================================================
121
122	The warning is caused by the below loop:
123	for_each_set_bit(bit, (unsigned long *)&asserted, 8) {
124	while "asserted" is declared as 'unsigned'.
125
126	The casting of 32-bit unsigned integer pointer to a 64-bit unsigned long
127	pointer. There are two problems here.
128	It causes the access of four extra byte, which can corrupt memory
129	The 32-bit pointer address may not be 64-bit aligned.
130
131	The fix changes variable "asserted" to "unsigned long".
132
133	Fixes: 1f976f6978bf ("platform/x86: Move Mellanox platform hotplug driver to platform/mellanox")
134	Signed-off-by: Vadim Pasternak <vadimp@mellanox.com>
135	Signed-off-by: Darren Hart (VMware) <dvhart@infradead.org>
136	Signed-off-by: Sasha Levin <sashal@kernel.org>
137	---
138	drivers/platform/mellanox/mlxreg-hotplug.c \| 5 +++--
139	1 file changed, 3 insertions(+), 2 deletions(-)
140
141	diff --git a/drivers/platform/mellanox/mlxreg-hotplug.c b/drivers/platform/mellanox/mlxreg-hotplug.c
142	index b6d44550d98c..eca16d00e310 100644
143	--- a/drivers/platform/mellanox/mlxreg-hotplug.c
144	+++ b/drivers/platform/mellanox/mlxreg-hotplug.c
145	@@ -248,7 +248,8 @@ mlxreg_hotplug_work_helper(struct mlxreg_hotplug_priv_data *priv,
146	struct mlxreg_core_item *item)
147	{
148	struct mlxreg_core_data *data;
149	- u32 asserted, regval, bit;
150	+ unsigned long asserted;
151	+ u32 regval, bit;
152	int ret;
153
154	/*
155	@@ -281,7 +282,7 @@ mlxreg_hotplug_work_helper(struct mlxreg_hotplug_priv_data *priv,
156	asserted = item->cache ^ regval;
157	item->cache = regval;
158
159	- for_each_set_bit(bit, (unsigned long *)&asserted, 8) {
160	+ for_each_set_bit(bit, &asserted, 8) {
161	data = item->data + bit;
162	if (regval & BIT(bit)) {
163	if (item->inversed)
164	--
165	2.19.1
166