-
由 Hongbo Yao 提交于
euler inclusion category: bugfix bugzilla: 5347 CVE: NA ------------------------------------------------ There is an out of bounds array access in nvme_cqe_peding(). When enable irq_thread for nvme interrupt, there is racing between the nvmeq->cq_head updating and reading. nvmeq->cq_head is updated in nvme_update_cq_head(), if nvmeq->cq_head equals nvmeq->q_depth and before its value set to zero, nvme_cqe_pending() uses its value as an array index, the index will be out of bounds. (When enabled nvme.using_thread_interrupts=1 in cmdline, i found this abnormal address access). [ 100.299140] Unable to handle kernel paging request at virtual address ffff00002416500e [ 100.307046] Mem abort info: [ 100.309826] ESR = 0x96000007 [ 100.312867] Exception class = DABT (current EL), IL = 32 bits [ 100.318771] SET = 0, FnV = 0 [ 100.321811] EA = 0, S1PTW = 0 [ 100.324938] Data abort info: [ 100.327805] ISV = 0, ISS = 0x00000007 [ 100.331626] CM = 0, WnR = 0 [ 100.334581] swapper pgtable: 4k pages, 48-bit VAs, pgdp = 00000000a9f05748 [ 100.341441] [ffff00002416500e] pgd=00000a5fffffe803, pud=00000a5fffffd803, pmd=0000003f780ac003, pte=0000000000000000 [ 100.352038] Internal error: Oops: 96000007 [#1] PREEMPT SMP [ 100.357597] Modules linked in: hns_roce_hw_v2(O) hns_roce(O) hns3(O) hclge(O) hnae3(O) [ 100.365505] CPU: 28 PID: 2888 Comm: irq/162-nvme0q7 Tainted: G O 4.19.0-g45910de #1 [ 100.374449] Hardware name: Huawei D06/D06, BIOS Hisilicon D06 UEFI RC0 - B080 (V8.01) 11/30/2018 [ 100.383218] pstate: 00400089 (nzcv daIf +PAN -UAO) [ 100.387999] pc : nvme_irq_check+0x10/0x28 [ 100.391995] lr : __handle_irq_event_percpu+0x70/0x2c8 [ 100.397032] sp : ffff000009ac3e60 [ 100.400333] x29: ffff000009ac3e60 x28: ffff803f73690d80 [ 100.405631] x27: ffff805f78494400 x26: ffff0000097d1000 [ 100.410930] x25: ffff000009ac3f04 x24: ffff0000097a2018 [ 100.416228] x23: ffff0000097d1b40 x22: 00000000000000a2 [ 100.421526] x21: 0000000000000000 x20: ffff805f78494438 [ 100.426825] x19: ffff803f70384480 x18: 0000000000000400 [ 100.432123] x17: 0000000000000000 x16: 0000000000000000 [ 100.437421] x15: 0000000000000400 x14: 0000000000000400 [ 100.442719] x13: 0000000000000000 x12: 0000000000000000 [ 100.448018] x11: 0000000000000000 x10: 0000000000000040 [ 100.453317] x9 : ffff0000097effe0 x8 : ffff803f775db908 [ 100.458615] x7 : ffff803f775dba40 x6 : 0000000000000110 [ 100.463913] x5 : ffff803f775db908 x4 : 0000805f7626a000 [ 100.469212] x3 : 0000000000000000 x2 : ffff000024161000 [ 100.474510] x1 : 0000000000000001 x0 : ffff000024165000 [ 100.479809] Process irq/162-nvme0q7 (pid: 2888, stack limit = 0x000000007f43f8e5) [ 100.487276] Call trace: [ 100.489710] nvme_irq_check+0x10/0x28 [ 100.493358] handle_irq_event_percpu+0x34/0x88 [ 100.497787] handle_irq_event+0x48/0x78 [ 100.501610] handle_fasteoi_irq+0xa8/0x180 [ 100.505692] generic_handle_irq+0x24/0x38 [ 100.509688] __handle_domain_irq+0x5c/0xb0 [ 100.513770] gic_handle_irq+0x7c/0x180 [ 100.517504] el1_irq+0xb0/0x128 [ 100.520631] nvme_irq+0x108/0x150 [ 100.523933] irq_thread_fn+0x28/0x68 [ 100.527494] irq_thread+0x124/0x1d0 [ 100.530969] kthread+0x12c/0x130 [ 100.534183] ret_from_fork+0x10/0x18 [ 100.537745] Code: 7940ec20 f9402422 3941f021 8b001040 (79401c00) [ 100.543895] ---[ end trace 119829d132a82da5 ]--- [ 100.548499] Kernel panic - not syncing: Fatal exception in interrupt [ 100.554881] SMP: stopping secondary CPUs [ 100.575347] Kernel Offset: disabled [ 100.578822] CPU features: 0x0,22800a38 [ 100.582556] Memory Limit: none [ 100.585633] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]--- Signed-off-by: NHongbo Yao <yaohongbo@huawei.com> Reviewed-by: NXie XiuQi <xiexiuqi@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
c9bef76b