RE: 4.6-rc2 regression with commit 104daa71b396: check VPD access offset against length

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "Steve Wise" <swise@opengridcomputing.com>
To: "'Casey Leedom'" <leedom@chelsio.com>
Cc: <linux-pci@vger.kernel.org>, <hariprasad@chelsio.com>,
	<hare@suse.com>, <bhelgaas@google.com>
Subject: RE: 4.6-rc2 regression with commit 104daa71b396: check VPD access offset against length
Date: Mon, 11 Apr 2016 13:16:17 -0500	[thread overview]
Message-ID: <02ec01d1941e$3dda2010$b98e6030$@opengridcomputing.com> (raw)
In-Reply-To: <BY2PR12MB0648F0C35D907AA640D7E56CC8940@BY2PR12MB0648.namprd12.prod.outlook.com>

> kernel.org commit 104daa71b396 added a check to make sure that efforts to
> read/write the VPD wouldn't extend past the computed length of the VPD.
> Later, kernel.org commit 408641e93aa5 folded the pci_vpd_pci22 into
> struct pci_vpd so things moved around a bit after that and an error return
> got changed into a silent failure instead of -EINVAL.
> 
>   The problem is that the previous pci_vpd_pci22_read() didn't check for a
read with
> a VPD Offset > VPD Length and the new pci_vpd_read() is checking that.  Worse
> yet, when a VPD Offset is greater than the recorded VPD Length, it simply
> returns 0 rather than -EINVAL.
> 
>   The problem is stemming from the fact that the Chelsio adapters actually
have
> two VPD structures stored in the VPD.  An abbreviated on at Offset 0x0 and the
> complete VPD at Offset 0x400.  The abbreviated one only contains the PN, SN
and
> EC Keywords, while the complete VPD contains those plus various adapter
> constants contained in V0, V1, etc.  And it also contains the Base Ethernet
MAC
> Address in the "NA" Keyword which the cxgb4 driver needs when it can't contact
> the adapter firmware.  (We don't have the "NA" Keywork in the VPD Structure at
> Offset 0x0 because that's not an allowed VPD Keyword in the PCI-E 3.0
> specification.)
> 
>   With the new code, the computed size of the VPD is 0x200 and so our efforts
> to read the VPD at Offset 0x400 silently fails.  We check the result of the
> read looking for a signature 0x82 byte but we're checking against random stack
> garbage.
> 
>   The end result is that the cxgb4 driver now fails the PCI-E Probe.
> 

Silently failing is wrong, in my opinion.  And I even question truncating which
is also done in pci_vpd_read().  To the PCI maintainers:  Should the length
checks just be removed?    If not, what is the correct solution?  Adding a
different "expert" API that ignores the length checks, or somehow allowing the
device driver to set the actual VPD size? 

Thanks,

Steve.

next prev parent reply	other threads:[~2016-04-11 18:15 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-04-08 22:24 4.6-rc2 regression with commit 104daa71b396: check VPD access offset against length Casey Leedom
     [not found] ` <BY2PR12MB0648F0C35D907AA640D7E56CC8940@BY2PR12MB0648.namprd12.prod.outlook.com>
2016-04-11 18:16   ` Steve Wise [this message]
2016-04-12  5:37     ` Bjorn Helgaas
2016-04-12  6:20       ` Hannes Reinecke
2016-04-12  8:23         ` Hariprasad Shenai
2016-04-12  8:46           ` Hannes Reinecke
2016-04-12 17:35             ` Casey Leedom
2016-04-12 20:17               ` Casey Leedom
2016-04-12 21:52               ` Steve Wise
2016-04-13  6:00               ` Hannes Reinecke
2016-04-13 16:52                 ` Casey Leedom
  -- strict thread matches above, loose matches on Subject: below --
2016-04-08 21:58 Casey Leedom

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='02ec01d1941e$3dda2010$b98e6030$@opengridcomputing.com' \
    --to=swise@opengridcomputing.com \
    --cc=bhelgaas@google.com \
    --cc=hare@suse.com \
    --cc=hariprasad@chelsio.com \
    --cc=leedom@chelsio.com \
    --cc=linux-pci@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.