[PATCH 4.19 068/187] platform/mellanox: mlxreg-hotplug: Fix KASAN warning

From: Greg Kroah-Hartman
Date: Thu Apr 04 2019 - 05:02:02 EST


4.19-stable review patch. If anyone has any objections, please let me know.

------------------

[ Upstream commit e4c275f77624961b56cce397814d9d770a45ac59 ]

Fix the following KASAN warning produced when booting a 64-bit kernel:
[ 13.334750] BUG: KASAN: stack-out-of-bounds in find_first_bit+0x19/0x70
[ 13.342166] Read of size 8 at addr ffff880235067178 by task kworker/2:1/42
[ 13.342176] CPU: 2 PID: 42 Comm: kworker/2:1 Not tainted 4.20.0-rc1+ #106
[ 13.342179] Hardware name: Mellanox Technologies Ltd. MSN2740/Mellanox x86 SFF board, BIOS 5.6.5 06/07/2016
[ 13.342190] Workqueue: events deferred_probe_work_func
[ 13.342194] Call Trace:
[ 13.342206] dump_stack+0xc7/0x15b
[ 13.342214] ? show_regs_print_info+0x5/0x5
[ 13.342220] ? kmsg_dump_rewind_nolock+0x59/0x59
[ 13.342234] ? _raw_write_lock_irqsave+0x100/0x100
[ 13.351593] print_address_description+0x73/0x260
[ 13.351603] kasan_report+0x260/0x380
[ 13.351611] ? find_first_bit+0x19/0x70
[ 13.351619] find_first_bit+0x19/0x70
[ 13.351630] mlxreg_hotplug_work_handler+0x73c/0x920 [mlxreg_hotplug]
[ 13.351639] ? __lock_text_start+0x8/0x8
[ 13.351646] ? _raw_write_lock_irqsave+0x80/0x100
[ 13.351656] ? mlxreg_hotplug_remove+0x1e0/0x1e0 [mlxreg_hotplug]
[ 13.351663] ? regmap_volatile+0x40/0xb0
[ 13.351668] ? regcache_write+0x4c/0x90
[ 13.351676] ? mlxplat_mlxcpld_reg_write+0x24/0x30 [mlx_platform]
[ 13.351681] ? _regmap_write+0xea/0x220
[ 13.351688] ? __mutex_lock_slowpath+0x10/0x10
[ 13.351696] ? devm_add_action+0x70/0x70
[ 13.351701] ? mutex_unlock+0x1d/0x40
[ 13.351710] mlxreg_hotplug_probe+0x82e/0x989 [mlxreg_hotplug]
[ 13.351723] ? mlxreg_hotplug_work_handler+0x920/0x920 [mlxreg_hotplug]
[ 13.351731] ? sysfs_do_create_link_sd.isra.2+0xf4/0x190
[ 13.351737] ? sysfs_rename_link_ns+0xf0/0xf0
[ 13.351743] ? devres_close_group+0x2b0/0x2b0
[ 13.351749] ? pinctrl_put+0x20/0x20
[ 13.351755] ? acpi_dev_pm_attach+0x2c/0xd0
[ 13.351763] platform_drv_probe+0x70/0xd0
[ 13.351771] really_probe+0x480/0x6e0
[ 13.351778] ? device_attach+0x10/0x10
[ 13.351784] ? __lock_text_start+0x8/0x8
[ 13.351790] ? _raw_write_lock_irqsave+0x80/0x100
[ 13.351797] ? _raw_write_lock_irqsave+0x80/0x100
[ 13.351806] ? __driver_attach+0x190/0x190
[ 13.351812] driver_probe_device+0x17d/0x1a0
[ 13.351819] ? __driver_attach+0x190/0x190
[ 13.351825] bus_for_each_drv+0xd6/0x130
[ 13.351831] ? bus_rescan_devices+0x20/0x20
[ 13.351837] ? __mutex_lock_slowpath+0x10/0x10
[ 13.351845] __device_attach+0x18c/0x230
[ 13.351852] ? device_bind_driver+0x70/0x70
[ 13.351859] ? __mutex_lock_slowpath+0x10/0x10
[ 13.351866] bus_probe_device+0xea/0x110
[ 13.351874] deferred_probe_work_func+0x1c9/0x290
[ 13.351882] ? driver_deferred_probe_add+0x1d0/0x1d0
[ 13.351889] ? preempt_notifier_dec+0x20/0x20
[ 13.351897] ? read_word_at_a_time+0xe/0x20
[ 13.351904] ? strscpy+0x151/0x290
[ 13.351912] ? set_work_pool_and_clear_pending+0x9c/0xf0
[ 13.351918] ? __switch_to_asm+0x34/0x70
[ 13.351924] ? __switch_to_asm+0x40/0x70
[ 13.351929] ? __switch_to_asm+0x34/0x70
[ 13.351935] ? __switch_to_asm+0x40/0x70
[ 13.351942] process_one_work+0x5cc/0xa00
[ 13.351952] ? pwq_dec_nr_in_flight+0x1e0/0x1e0
[ 13.351960] ? pci_mmcfg_check_reserved+0x80/0xb8
[ 13.351967] ? run_rebalance_domains+0x250/0x250
[ 13.351980] ? stack_access_ok+0x35/0x80
[ 13.351986] ? deref_stack_reg+0xa1/0xe0
[ 13.351994] ? schedule+0xcd/0x250
[ 13.352000] ? worker_enter_idle+0x2d6/0x330
[ 13.352006] ? __schedule+0xeb0/0xeb0
[ 13.352014] ? fork_usermode_blob+0x130/0x130
[ 13.352019] ? mutex_lock+0xa7/0x100
[ 13.352026] ? _raw_spin_lock_irq+0x98/0xf0
[ 13.352032] ? _raw_read_unlock_irqrestore+0x30/0x30
[ 13.352037] i2c i2c-2: Added multiplexed i2c bus 11
[ 13.352043] worker_thread+0x181/0xa80
[ 13.352052] ? __switch_to_asm+0x34/0x70
[ 13.352058] ? __switch_to_asm+0x40/0x70
[ 13.352064] ? process_one_work+0xa00/0xa00
[ 13.352070] ? __switch_to_asm+0x34/0x70
[ 13.352076] ? __switch_to_asm+0x40/0x70
[ 13.352081] ? __switch_to_asm+0x34/0x70
[ 13.352086] ? __switch_to_asm+0x40/0x70
[ 13.352092] ? __switch_to_asm+0x34/0x70
[ 13.352097] ? __switch_to_asm+0x40/0x70
[ 13.352105] ? __schedule+0x3d6/0xeb0
[ 13.352112] ? migrate_swap_stop+0x470/0x470
[ 13.352119] ? save_stack+0x89/0xb0
[ 13.352127] ? kmem_cache_alloc_trace+0xe5/0x570
[ 13.352132] ? kthread+0x59/0x1d0
[ 13.352138] ? ret_from_fork+0x35/0x40
[ 13.352154] ? __schedule+0xeb0/0xeb0
[ 13.352161] ? remove_wait_queue+0x150/0x150
[ 13.352169] ? _raw_write_lock_irqsave+0x80/0x100
[ 13.352175] ? __lock_text_start+0x8/0x8
[ 13.352183] ? process_one_work+0xa00/0xa00
[ 13.352188] kthread+0x1a4/0x1d0
[ 13.352195] ? kthread_create_worker_on_cpu+0xc0/0xc0
[ 13.352202] ret_from_fork+0x35/0x40

[ 13.353879] The buggy address belongs to the page:
[ 13.353885] page:ffffea0008d419c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
[ 13.353890] flags: 0x2ffff8000000000()
[ 13.353897] raw: 02ffff8000000000 ffffea0008d419c8 ffffea0008d419c8 0000000000000000
[ 13.353903] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 13.353905] page dumped because: kasan: bad access detected

[ 13.353908] Memory state around the buggy address:
[ 13.353912] ffff880235067000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 13.353917] ffff880235067080: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04
[ 13.353921] >ffff880235067100: f2 f2 f2 f2 f2 f2 f2 04 f2 f2 f2 f2 f2 f2 f2 04
[ 13.353923] ^
[ 13.353927] ffff880235067180: f2 f2 f2 f2 f2 f2 f2 04 f2 f2 f2 00 00 00 00 00
[ 13.353931] ffff880235067200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 13.353933] ==================================================================

The warning is caused by the below loop:
for_each_set_bit(bit, (unsigned long *)&asserted, 8) {
while "asserted" is declared as 'unsigned'.

The casting of 32-bit unsigned integer pointer to a 64-bit unsigned long
pointer. There are two problems here.
It causes the access of four extra byte, which can corrupt memory
The 32-bit pointer address may not be 64-bit aligned.

The fix changes variable "asserted" to "unsigned long".

Fixes: 1f976f6978bf ("platform/x86: Move Mellanox platform hotplug driver to platform/mellanox")
Signed-off-by: Vadim Pasternak <vadimp@xxxxxxxxxxxx>
Signed-off-by: Darren Hart (VMware) <dvhart@xxxxxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
drivers/platform/mellanox/mlxreg-hotplug.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/platform/mellanox/mlxreg-hotplug.c b/drivers/platform/mellanox/mlxreg-hotplug.c
index b6d44550d98c..eca16d00e310 100644
--- a/drivers/platform/mellanox/mlxreg-hotplug.c
+++ b/drivers/platform/mellanox/mlxreg-hotplug.c
@@ -248,7 +248,8 @@ mlxreg_hotplug_work_helper(struct mlxreg_hotplug_priv_data *priv,
struct mlxreg_core_item *item)
{
struct mlxreg_core_data *data;
- u32 asserted, regval, bit;
+ unsigned long asserted;
+ u32 regval, bit;
int ret;

/*
@@ -281,7 +282,7 @@ mlxreg_hotplug_work_helper(struct mlxreg_hotplug_priv_data *priv,
asserted = item->cache ^ regval;
item->cache = regval;

- for_each_set_bit(bit, (unsigned long *)&asserted, 8) {
+ for_each_set_bit(bit, &asserted, 8) {
data = item->data + bit;
if (regval & BIT(bit)) {
if (item->inversed)
--
2.19.1