linux/drivers
Dan Williams efda1b5d87 acpi, nfit, libnvdimm: fix / harden ars_status output length handling
Given ambiguities in the ACPI 6.1 definition of the "Output (Size)"
field of the ARS (Address Range Scrub) Status command, a firmware
implementation may in practice return 0, 4, or 8 to indicate that there
is no output payload to process.

The specification states "Size of Output Buffer in bytes, including this
field." However, 'Output Buffer' is also the name of the entire
payload, and earlier in the specification it states "Max Query ARS
Status Output Buffer Size: Maximum size of buffer (including the Status
and Extended Status fields)".

Without this fix if the BIOS happens to return 0 it causes memory
corruption as evidenced by this result from the acpi_nfit_ctl() unit
test.

 ars_status00000000: 00020000 00000000                    ........
 BUG: stack guard page was hit at ffffc90001750000 (stack is ffffc9000174c000..ffffc9000174ffff)
 kernel stack overflow (page fault): 0000 [#1] SMP DEBUG_PAGEALLOC
 task: ffff8803332d2ec0 task.stack: ffffc9000174c000
 RIP: 0010:[<ffffffff814cfe72>]  [<ffffffff814cfe72>] __memcpy+0x12/0x20
 RSP: 0018:ffffc9000174f9a8  EFLAGS: 00010246
 RAX: ffffc9000174fab8 RBX: 0000000000000000 RCX: 000000001fffff56
 RDX: 0000000000000000 RSI: ffff8803231f5a08 RDI: ffffc90001750000
 RBP: ffffc9000174fa88 R08: ffffc9000174fab0 R09: ffff8803231f54b8
 R10: 0000000000000008 R11: 0000000000000001 R12: 0000000000000000
 R13: 0000000000000000 R14: 0000000000000003 R15: ffff8803231f54a0
 FS:  00007f3a611af640(0000) GS:ffff88033ed00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: ffffc90001750000 CR3: 0000000325b20000 CR4: 00000000000406e0
 Stack:
  ffffffffa00bc60d 0000000000000008 ffffc90000000001 ffffc9000174faac
  0000000000000292 ffffffffa00c24e4 ffffffffa00c2914 0000000000000000
  0000000000000000 ffffffff00000003 ffff880331ae8ad0 0000000800000246
 Call Trace:
  [<ffffffffa00bc60d>] ? acpi_nfit_ctl+0x49d/0x750 [nfit]
  [<ffffffffa01f4fe0>] nfit_test_probe+0x670/0xb1b [nfit_test]

Cc: <stable@vger.kernel.org>
Fixes: 747ffe11b4 ("libnvdimm, tools/testing/nvdimm: fix 'ars_status' output buffer sizing")
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
2016-12-06 16:08:10 -08:00
accessibility
acpi acpi, nfit, libnvdimm: fix / harden ars_status output length handling 2016-12-06 16:08:10 -08:00
amba
android ANDROID: binder: Clear binder and cookie when setting handle in flat binder struct 2016-10-24 19:37:48 +02:00
ata ahci: always fall back to single-MSI mode 2016-11-21 11:06:57 -05:00
atm
auxdisplay auxdisplay: img-ascii-lcd: driver for simple ASCII LCD displays 2016-10-06 17:03:41 +02:00
base driver core fixes for 4.9-rc5 2016-11-13 10:22:07 -08:00
bcma
block zram: fix unbalanced idr management at hot removal 2016-11-30 16:32:52 -08:00
bluetooth Bluetooth: btwilink: Fix probe return value 2016-10-20 10:14:49 +02:00
bus bus: qcom-ebi2: depend on ARCH_QCOM or COMPILE_TEST 2016-10-17 13:46:09 -07:00
cdrom
char ipmi/bt-bmc: change compatible node to 'aspeed, ast2400-ibt-bmc' 2016-11-17 16:31:09 -08:00
clk Two small fixes for MIPI PLLs on sunxi devices and a build fix 2016-11-30 15:15:49 -08:00
clocksource Revert "clocksource/drivers/timer_sun5i: Replace code by clocksource_mmio_init" 2016-10-20 21:58:58 +02:00
connector
cpufreq Merge branches 'pm-cpufreq-fixes' and 'pm-sleep-fixes' 2016-10-29 01:29:17 +02:00
cpuidle Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2016-10-15 09:26:12 -07:00
crypto crypto: caam - fix type mismatch warning 2016-11-17 22:14:21 +08:00
dax device-dax: fail all private mapping attempts 2016-11-16 09:00:38 -08:00
dca
devfreq PM / devfreq: Skip status update on uninitialized previous_freq 2016-10-11 00:01:20 +02:00
dio
dma dmaengine: cppi41: More PM runtime fixes 2016-11-17 16:09:23 +05:30
dma-buf Merge tag 'drm-for-v4.9' of git://people.freedesktop.org/~airlied/linux 2016-10-11 18:12:22 -07:00
edac * Altera Arria10 enablement of NAND, DMA, USB, QSPI and SD-MMC FIFO 2016-10-04 12:06:26 -07:00
eisa
extcon extcon: qcom-spmi-misc: Sync the extcon state on interrupt 2016-10-26 16:04:29 +09:00
firewire firewire: net: fix fragmented datagram_size off-by-one 2016-11-03 14:46:39 +01:00
firmware efi/arm: Fix absolute relocation detection for older toolchains 2016-10-19 14:49:44 +02:00
fmc
fpga
gpio gpio: Remove GPIO_DEVRES option 2016-11-16 20:46:32 +01:00
gpu Merge tag 'drm-intel-fixes-2016-12-01' of git://anongit.freedesktop.org/git/drm-intel into drm-fixes 2016-12-04 06:31:26 +10:00
hid HID: hid-sensor-hub: clear memory to avoid random data 2016-11-23 17:54:58 +01:00
hsi
hv vmbus: make sysfs names consistent with PCI 2016-11-01 09:07:13 -06:00
hwmon hwmon: (core) fix resource leak on devm_kcalloc failure 2016-10-24 06:05:13 -07:00
hwspinlock
hwtracing
i2c Revert "i2c: octeon: thunderx: Limit register access retries" 2016-11-29 20:04:21 +01:00
ide
idle nmi_backtrace: generate one-line reports for idle cpus 2016-10-07 18:46:30 -07:00
iio iio: maxim_thermocouple: detect invalid storage size in read() 2016-11-13 10:08:32 +01:00
infiniband First round of -rc fixes 2016-11-17 13:53:02 -08:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2016-12-01 10:29:41 -08:00
iommu Merge git://git.infradead.org/intel-iommu 2016-11-27 08:24:46 -08:00
ipack ipack: print a hex number after a 0x prefix 2016-10-27 18:43:43 -07:00
irqchip GIC updates for Linux 4.9-rc2 2016-10-21 21:40:29 +02:00
isdn
leds
lguest
lightnvm Merge branch 'for-4.9/block' of git://git.kernel.dk/linux-block 2016-10-07 14:42:05 -07:00
macintosh
mailbox mailbox: PCC: Fix lockdep warning when request PCC channel 2016-11-14 22:07:38 +01:00
mcb mcb: Add a dma_device to mcb_device 2016-09-27 12:33:47 +02:00
md Merge tag 'md/4.9-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md 2016-11-05 11:34:07 -07:00
media xc2028: Fix use-after-free bug properly 2016-11-23 21:04:26 -02:00
memory ARM: SoC driver updates for v4.9 2016-10-07 21:23:40 -07:00
memstick memstick: rtsx_usb_ms: Manage runtime PM when accessing the device 2016-10-17 15:43:05 +02:00
message
mfd mfd: wm8994-core: Don't use managed regulator bulk get API 2016-11-25 11:10:55 +00:00
misc mei: bus: fix received data size check in NFC fixup 2016-10-31 10:25:22 -06:00
mmc mmc: dw_mmc: fix the error handling for dma operation 2016-11-21 11:08:28 +01:00
mtd MTD updates for 4.9-rc4: 2016-11-05 10:52:29 -07:00
net geneve: avoid use-after-free of skb->data 2016-12-02 14:07:11 -05:00
nfc mei: bus: fix received data size check in NFC fixup 2016-10-31 10:25:22 -06:00
ntb ntb_perf: potential info leak in debugfs 2016-11-13 16:48:30 -05:00
nubus
nvdimm acpi, nfit, libnvdimm: fix / harden ars_status output length handling 2016-12-06 16:08:10 -08:00
nvme nvme/pci: Don't free queues on error 2016-11-16 12:39:57 -07:00
nvmem ARM: SoC driver updates for v4.9 2016-10-07 21:23:40 -07:00
of of_mdio: add helper to deregister fixed-link PHYs 2016-11-29 23:17:02 -05:00
oprofile Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2016-10-10 20:16:43 -07:00
parisc
parport
pci pci-v4.9-fixes-4 2016-12-01 16:44:42 -08:00
pcmcia pcmcia: fix return value of soc_pcmcia_regulator_set 2016-11-11 08:45:08 -08:00
perf perf: xgene: Remove bogus IS_ERR() check 2016-10-17 15:50:07 +01:00
phy phy: twl4030-usb: Fix for musb session bit based PM 2016-11-17 16:25:40 +01:00
pinctrl pinctrl-aspeed-g5: Never set SCU90[6] 2016-11-07 10:31:33 +01:00
platform ACPI fix for v4.9-rc5 2016-11-11 17:02:01 -08:00
pnp
power power supply and reset changes for the v4.9 series 2016-10-06 18:21:15 -07:00
powercap
pps pps: kc: fix non-tickless system config dependency 2016-10-11 15:06:32 -07:00
ps3
ptp drivers/ptp: Fix kernel memory disclosure 2016-10-13 10:20:06 -04:00
pwm pwm: Fix device reference leak 2016-11-29 16:43:24 +01:00
rapidio mm: replace get_user_pages() write/force parameters with gup_flags 2016-10-19 08:11:43 -07:00
ras
regulator regulator: core: silence warning: "VDD1: ramp_delay not set" 2016-10-28 18:22:40 +01:00
remoteproc rpmsg updates for v4.9 2016-10-06 17:03:49 -07:00
reset reset: uniphier: rename MIO reset to SD reset for Pro5, PXs2, LD20 SoCs 2016-10-22 18:31:42 +09:00
rpmsg
rtc rtc: omap: prevent disabling of clock/module during suspend 2016-11-04 23:11:39 +01:00
s390 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux 2016-10-27 14:16:30 -07:00
sbus
scsi SCSI fixes on 20161129 2016-11-29 11:15:37 -08:00
sfi
sh
sn
soc powerpc updates for 4.9 #2 2016-10-14 11:07:42 -07:00
spi Merge remote-tracking branches 'spi/fix/dt', 'spi/fix/fsl-dspi' and 'spi/fix/fsl-espi' into spi-linus 2016-10-29 12:51:55 -06:00
spmi spmi: pmic-arb: Return an error code if sanity check fails 2016-09-27 12:43:34 +02:00
ssb
staging Staging/IIO fixes for 4.9-rc5 2016-11-13 10:13:33 -08:00
target target/tcm_fc: use CPU affinity for responses 2016-10-21 01:19:44 -07:00
tc
thermal thermal/powerclamp: add back module device table 2016-11-21 20:54:40 +08:00
thunderbolt
tty tty: serial_core: fix NULL struct tty pointer access in uart_write_wakeup 2016-10-28 08:13:07 -04:00
uio
usb USB-serial fixes for v4.9-rc6 2016-11-18 15:49:31 +01:00
uwb uwb: fix device reference leaks 2016-11-01 09:04:04 -06:00
vfio vfio/pci: Fix integer overflows, bitmask check 2016-10-26 13:49:29 -06:00
vhost
video video: ARM CLCD: fix Vexpress regression 2016-11-03 12:20:14 +02:00
virt mm: replace get_user_pages() write/force parameters with gup_flags 2016-10-19 08:11:43 -07:00
virtio virtio_ring: mark vring_dma_dev inline 2016-10-31 00:40:08 +02:00
vlynq
vme vme: vme_get_size potentially returning incorrect value on failure 2016-10-28 08:25:18 -04:00
w1
watchdog Merge branches 'acpi-sleep-fixes' and 'acpi-wdat-fixes' 2016-11-25 22:24:07 +01:00
xen xen: fixes for 4.9-rc2 2016-10-24 19:52:24 -07:00
zorro
Kconfig
Makefile A small bug fix and a new driver for acting as an IPMI device. 2016-10-23 15:56:23 -07:00