mirror of synced 2025-03-06 20:59:54 +01:00
linux/drivers
Nick Child bdf5d13aa0 ibmvnic: Don't reference skb after sending to VIOS
Previously, after successfully flushing the xmit buffer to VIOS,
the tx_bytes stat was incremented by the length of the skb.

It is invalid to access the skb memory after sending the buffer to
the VIOS because, at any point after sending, the VIOS can trigger
an interrupt to free this memory. A race between reading skb->len
and freeing the skb is possible (especially during LPM) and will
result in use-after-free:
 ==================================================================
 BUG: KASAN: slab-use-after-free in ibmvnic_xmit+0x75c/0x1808 [ibmvnic]
 Read of size 4 at addr c00000024eb48a70 by task hxecom/14495
 <...>
 Call Trace:
 [c000000118f66cf0] [c0000000018cba6c] dump_stack_lvl+0x84/0xe8 (unreliable)
 [c000000118f66d20] [c0000000006f0080] print_report+0x1a8/0x7f0
 [c000000118f66df0] [c0000000006f08f0] kasan_report+0x128/0x1f8
 [c000000118f66f00] [c0000000006f2868] __asan_load4+0xac/0xe0
 [c000000118f66f20] [c0080000046eac84] ibmvnic_xmit+0x75c/0x1808 [ibmvnic]
 [c000000118f67340] [c0000000014be168] dev_hard_start_xmit+0x150/0x358
 <...>
 Freed by task 0:
 kasan_save_stack+0x34/0x68
 kasan_save_track+0x2c/0x50
 kasan_save_free_info+0x64/0x108
 __kasan_mempool_poison_object+0x148/0x2d4
 napi_skb_cache_put+0x5c/0x194
 net_tx_action+0x154/0x5b8
 handle_softirqs+0x20c/0x60c
 do_softirq_own_stack+0x6c/0x88
 <...>
 The buggy address belongs to the object at c00000024eb48a00 which
  belongs to the cache skbuff_head_cache of size 224
==================================================================

Fixes: 032c5e8284 ("Driver for IBM System i/p VNIC protocol")
Signed-off-by: Nick Child <nnac123@linux.ibm.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250214155233.235559-1-nnac123@linux.ibm.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2025-02-17 16:41:57 -08:00
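The ordering problem the commit message describes, modelled in user-space C as an added example. This is not the ibmvnic driver's code and not the patch itself; `skb`, `send_to_vios`, `xmit_buggy`, `xmit_fixed` and the one-object poisoning "slab cache" are hypothetical stand-ins. Freeing poisons the object the way SLUB/KASAN poisoning does, so a stale read of `skb->len` is detectable deterministically instead of being undefined behaviour; the VIOS model can complete the send either inline (worst-case interleaving) or later (the common, benign interleaving that hides the race).

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for struct sk_buff: only the field the bug reads. */
struct skb {
	unsigned int len;
	unsigned char data[64];
};

/*
 * One-object "slab cache". skb_free() poisons the object (as SLUB/KASAN
 * poisoning does), so a read after free returns POISON_LEN instead of the
 * old length. Deterministic model only; no unmapped memory is touched.
 */
#define POISON_BYTE 0x6b
#define POISON_LEN  0x6b6b6b6bu

static struct skb cache_obj;
static bool cache_in_use;

static struct skb *skb_alloc(unsigned int len)
{
	if (cache_in_use)
		return NULL;
	cache_in_use = true;
	memset(&cache_obj, 0, sizeof(cache_obj));
	cache_obj.len = len;
	return &cache_obj;
}

static void skb_free(struct skb *skb)
{
	memset(skb, POISON_BYTE, sizeof(*skb));
	cache_in_use = false;
}

/*
 * VIOS model. After the handoff the completion interrupt may free the skb
 * at any time: complete_inline frees it before the caller's next statement,
 * otherwise the free is deferred until vios_run_deferred_completion().
 */
struct vios {
	bool complete_inline;
	struct skb *pending;
};

static int send_to_vios(struct vios *v, struct skb *skb)
{
	if (v->complete_inline)
		skb_free(skb);
	else
		v->pending = skb;
	return 0;
}

static void vios_run_deferred_completion(struct vios *v)
{
	if (v->pending)
		skb_free(v->pending);
	v->pending = NULL;
}

struct tx_stats {
	unsigned long tx_packets;
	unsigned long tx_bytes;
};

/* Buggy ordering: skb->len is read after the buffer was handed over. */
static int xmit_buggy(struct vios *v, struct skb *skb, struct tx_stats *st)
{
	if (send_to_vios(v, skb))
		return -1;
	st->tx_packets++;
	st->tx_bytes += skb->len;	/* stale read if completion already ran */
	return 0;
}

/* Fixed ordering: snapshot what the stats need before the handoff. */
static int xmit_fixed(struct vios *v, struct skb *skb, struct tx_stats *st)
{
	unsigned int len = skb->len;

	if (send_to_vios(v, skb))
		return -1;
	/* skb must not be dereferenced from here on */
	st->tx_packets++;
	st->tx_bytes += len;
	return 0;
}

/* One transmit of a constructed 100-byte frame; returns resulting tx_bytes. */
unsigned long run_scenario(bool fixed, bool complete_inline)
{
	struct vios v = { .complete_inline = complete_inline, .pending = NULL };
	struct tx_stats st = { 0, 0 };
	struct skb *skb = skb_alloc(100);

	if (!skb)
		return 0;
	if (fixed)
		xmit_fixed(&v, skb, &st);
	else
		xmit_buggy(&v, skb, &st);
	vios_run_deferred_completion(&v);
	return st.tx_bytes;
}

int main(void)
{
	printf("buggy, deferred completion: %lu\n", run_scenario(false, false));
	printf("buggy, inline completion:   %lu\n", run_scenario(false, true));
	printf("fixed, inline completion:   %lu\n", run_scenario(true, true));
	return 0;
}
```

The deferred case is the practitioner's caveat: the buggy path reports the right byte count whenever the completion lands late, which is why the ordering bug survived since the driver's introduction and only surfaced under KASAN when the interleaving (here, the inline case) was forced.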
accel A couple of fixes for ivpu to error handling, komeda for format 2025-02-07 14:47:25 +10:00
accessibility
acpi Merge branches 'acpi-property' and 'acpi-resource' 2025-02-07 13:06:31 +01:00
amba
android Char/Misc/IIO driver updates for 6.14-rc1 2025-01-27 16:51:51 -08:00
ata ata changes for 6.14 part2 2025-01-31 11:07:56 -08:00
atm
auxdisplay auxdisplay for v6.14-1 2025-01-24 08:03:52 -08:00
base PM: sleep: core: Restrict power.set_active propagation 2025-02-09 14:41:48 +01:00
bcma
block block-6.14-20250207 2025-02-07 11:00:33 -08:00
bluetooth Bluetooth: btintel_pcie: Fix a potential race condition 2025-02-13 11:14:04 -05:00
bus genirq: Remove leading space from irq_chip::irq_print_chip() callbacks 2025-02-07 08:56:01 +01:00
cache
cdrom treewide: const qualify ctl_tables where applicable 2025-01-28 13:48:37 +01:00
cdx cdx: disable cdx bus from bus shutdown callback 2025-01-10 15:43:16 +01:00
char treewide: const qualify ctl_tables where applicable 2025-01-28 13:48:37 +01:00
clk The various patchsets are summarized below. Plus of course many 2025-01-26 18:36:23 -08:00
clocksource hyperv: Switch from hyperv-tlfs.h to hyperv/hvhdk.h 2025-01-10 00:54:21 +00:00
comedi
connector
counter
cpufreq amd-pstate fixes 2/6/25 2025-02-06 20:39:43 +01:00
cpuidle More power management updates for 6.14-rc1 2025-01-30 15:10:34 -08:00
crypto Driver core and debugfs updates 2025-01-28 12:25:12 -08:00
cxl cxl changes for v6.14 2025-01-29 11:23:22 -08:00
dax
dca
devfreq Update devfreq next for v6.14 2025-01-13 20:48:34 +01:00
dio
dma dmaengine updates for v6.14 2025-01-29 14:29:57 -08:00
dma-buf
dpll
edac - The first part of a restructuring of AMD's representation of a northbridge 2025-01-21 09:38:52 -08:00
eisa
extcon Update extcon next for v6.14 2025-01-12 13:44:27 +01:00
firewire Driver core and debugfs updates 2025-01-28 12:25:12 -08:00
firmware * Kconfig and IPv6 minor fixes. 2025-02-07 11:05:50 -08:00
fpga FPGA Manager changes for 6.14-rc1 2025-01-09 10:56:57 +01:00
fsi
gnss
gpio gpio: GPIO_GRGPIO should depend on OF 2025-02-05 14:37:53 +01:00
gpu - Fix the build error with clamp after WARN_ON on gcc 13.x+ (Guenter) 2025-02-07 15:42:21 +10:00
greybus
hid hid-for-linus-2025021001 2025-02-10 09:50:01 -08:00
hsi
hte
hv treewide: const qualify ctl_tables where applicable 2025-01-28 13:48:37 +01:00
hwmon Driver core and debugfs updates 2025-01-28 12:25:12 -08:00
hwspinlock
hwtracing KVM/arm64 updates for 6.14 2025-01-28 09:01:36 -08:00
i2c Revert "i2c: Replace list-based mechanism for handling auto-detected clients" 2025-02-05 14:22:12 +01:00
i3c I3C for 6.14 2025-01-24 15:48:01 -08:00
idle Power management updates for 6.14-rc1 2025-01-22 11:16:14 -08:00
iio IIO: 2nd set of fixes for the 6.13 cycle. 2025-01-16 13:46:08 +01:00
infiniband Mainly individually changelogged singleton patches. The patch series in 2025-01-26 17:50:53 -08:00
input platform-drivers-x86 for v6.14-1 2025-01-24 07:18:39 -08:00
interconnect interconnect changes for 6.14 2025-01-16 14:01:40 +01:00
iommu hyperv-next for v6.14 2025-01-25 09:22:55 -08:00
ipack
irqchip genirq: Remove leading space from irq_chip::irq_print_chip() callbacks 2025-02-07 08:56:01 +01:00
isdn
leds Driver core and debugfs updates 2025-01-28 12:25:12 -08:00
macintosh The various patchsets are summarized below. Plus of course many 2025-01-26 18:36:23 -08:00
mailbox mailbox: th1520: Fix memory corruption due to incorrect array size 2025-01-18 16:20:55 -06:00
mcb
md block-6.14-20250207 2025-02-07 11:00:33 -08:00
media [GIT PULL for v6.14] media updates 2025-02-01 09:15:01 -08:00
memory spi: Support DTR in spi-mem 2025-01-15 19:07:39 +01:00
memstick Char/Misc/IIO driver updates for 6.14-rc1 2025-01-27 16:51:51 -08:00
message Merge branch '6.13/scsi-fixes' into 6.14/scsi-staging 2025-01-10 15:20:30 -05:00
mfd mfd: syscon: Restore device_node_to_regmap() for non-syscon nodes 2025-02-11 14:53:39 +00:00
misc treewide: const qualify ctl_tables where applicable 2025-01-28 13:48:37 +01:00
mmc MMC core: 2025-01-22 10:39:17 -08:00
most
mtd block-6.14-20250131 2025-01-31 11:49:30 -08:00
mux mux: constify mux class 2025-01-10 10:15:04 +01:00
net ibmvnic: Don't reference skb after sending to VIOS 2025-02-17 16:41:57 -08:00
nfc nfc: mrvl: Don't use "proxy" headers 2025-01-18 17:10:05 -08:00
ntb PCI: Remove devres from pci_intx() 2025-01-18 14:38:49 -06:00
nubus
nvdimm
nvme nvme fixes for Linux 6.14 2025-02-03 09:19:03 -07:00
nvmem nvmem: core: improve range check for nvmem_cell_write() 2025-01-10 16:16:48 +01:00
of Driver core and debugfs updates 2025-01-28 12:25:12 -08:00
opp Driver core and debugfs updates 2025-01-28 12:25:12 -08:00
parisc
parport
pci PCI/TPH: Restore TPH Requester Enable correctly 2025-02-06 10:30:11 -06:00
pcmcia
peci
perf treewide: const qualify ctl_tables where applicable 2025-01-28 13:48:37 +01:00
phy phy-for-6.14 2025-01-29 14:32:38 -08:00
pinctrl pinctrl: pinconf-generic: Print unsigned value if a format is registered 2025-02-06 10:13:15 +01:00
platform platform/x86: thinkpad_acpi: Fix registration of tpacpi platform driver 2025-02-12 13:49:37 +02:00
pmdomain pmdomain: airoha: Fix compilation error with Clang-20 and Thumb2 mode 2025-01-21 10:45:24 +01:00
pnp
power power supply and reset changes for the 6.14 series 2025-01-27 15:37:16 -08:00
powercap Merge branch 'pm-powercap' 2025-02-07 12:43:58 +01:00
pps pps: clients: gpio: Bypass edge's direction check when not needed 2025-01-10 16:12:33 +01:00
ps3
ptp ptp: vmclock: Remove goto-based cleanup logic 2025-02-11 10:20:52 +01:00
pwm Driver core and debugfs updates 2025-01-28 12:25:12 -08:00
rapidio
ras x86/amd_nb: Move SMN access code to a new amd_node driver 2025-01-08 10:59:44 +01:00
regulator regulator: Fixes for v6.14 2025-01-29 11:56:55 -08:00
remoteproc remoteproc: st: Use syscon_regmap_lookup_by_phandle_args 2025-01-15 10:04:27 -07:00
reset soc: driver updates for 6.14 2025-01-24 14:56:59 -08:00
rpmsg
rtc RTC for 6.13 2025-01-30 17:50:02 -08:00
s390 s390/ism: add release function for struct device 2025-02-17 16:40:07 -08:00
sbus
scsi scsi: qla1280: Fix kernel oops when debug level > 2 2025-02-03 17:54:56 -05:00
sh
siox
slimbus Driver core and debugfs updates 2025-01-28 12:25:12 -08:00
soc genirq: Remove leading space from irq_chip::irq_print_chip() callbacks 2025-02-07 08:56:01 +01:00
soundwire soundwire updates for 6.14 2025-01-29 14:38:19 -08:00
spi spi: Fix for v6.14 2025-01-24 16:12:12 -08:00
spmi spmi: hisi-spmi-controller: Drop duplicated OF node assignment in spmi_controller_probe() 2025-01-17 12:58:49 +01:00
ssb
staging Driver core and debugfs updates 2025-01-28 12:25:12 -08:00
target Merge branch '6.14/scsi-queue' into 6.14/scsi-fixes 2025-02-03 16:28:51 -05:00
tc
tee
thermal Merge branch 'thermal-intel' 2025-01-20 13:10:15 +01:00
thunderbolt Driver core and debugfs updates 2025-01-28 12:25:12 -08:00
tty fsnotify: use accessor to set FMODE_NONOTIFY_* 2025-02-07 10:27:26 +01:00
ufs scsi: ufs: core: Fix error return with query response 2025-02-03 17:34:24 -05:00
uio Char/Misc/IIO driver updates for 6.14-rc1 2025-01-27 16:51:51 -08:00
usb Driver core and debugfs updates 2025-01-28 12:25:12 -08:00
vdpa virtio: features, fixes, cleanups 2025-01-27 15:26:06 -08:00
vfio VFIO updates for v6.14-rc1 2025-01-28 14:16:46 -08:00
vhost vhost/net: Set num_buffers for virtio 1.0 2025-01-27 09:39:25 -05:00
video fbdev fixes and updates for 6.14-rc1: 2025-01-24 11:32:13 -08:00
virt - A segmented Reverse Map table (RMP) is a across-nodes distributed 2025-01-21 09:00:31 -08:00
virtio virtio: features, fixes, cleanups 2025-01-27 15:26:06 -08:00
w1 1-Wire bus drivers for v6.14 2025-01-09 10:54:19 +01:00
watchdog linux-watchdog 6.14-rc1 tag 2025-01-25 16:19:10 -08:00
xen xen: branch for v6.14-rc1 2025-01-29 11:39:20 -08:00
zorro zorro: Constify 'struct bin_attribute' 2025-01-08 18:04:36 +01:00
Kconfig
Makefile