[PATCH] PCI/VPD: Add simple sanity check to pci_vpd_size()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Heiner Kallweit <hkallweit1@gmail.com>
To: Bjorn Helgaas <bhelgaas@google.com>
Cc: "linux-pci@vger.kernel.org" <linux-pci@vger.kernel.org>
Subject: [PATCH] PCI/VPD: Add simple sanity check to pci_vpd_size()
Date: Fri, 17 Sep 2021 14:07:12 +0200	[thread overview]
Message-ID: <135abde5-dc5b-826e-e20d-0f53bf32d2dc@gmail.com> (raw)

We have a problem with a device where each VPD read returns 0x33 [0].
This results in a valid VPD structure (except the tag id) and
therefore pci_vpd_size() scans the full VPD address range.
On an affected system this took ca. 80s.

That's not acceptable, on the other hand we may not want to re-add
the old tag checks. In addition these tag check still wouldn't be able
to avoid the described scenario 100%.
Instead let's add a simple sanity check on the number of found tags.
A VPD image conforming to the PCI spec can have max. 4 tags:
id string, ro section, rw section, end tag.

[0] https://lore.kernel.org/lkml/20210915223218.GA1542966@bjorn-Precision-5520/

Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
---
 drivers/pci/vpd.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/pci/vpd.c b/drivers/pci/vpd.c
index 4be248901..75e48df2e 100644
--- a/drivers/pci/vpd.c
+++ b/drivers/pci/vpd.c
@@ -56,6 +56,7 @@ static size_t pci_vpd_size(struct pci_dev *dev)
 {
 	size_t off = 0, size;
 	unsigned char tag, header[1+2];	/* 1 byte tag, 2 bytes length */
+	int num_tags = 0;

 	/* Otherwise the following reads would fail. */
 	dev->vpd.len = PCI_VPD_MAX_SIZE;
@@ -66,6 +67,10 @@ static size_t pci_vpd_size(struct pci_dev *dev)
 		if (off == 0 && (header[0] == 0x00 || header[0] == 0xff))
 			goto error;

+		/* We can have max 4 tags: STRING_ID, RO, RW, END */
+		if (++num_tags > 4)
+			goto error;
+
 		if (header[0] & PCI_VPD_LRDT) {
 			/* Large Resource Data Type Tag */
 			if (pci_read_vpd(dev, off + 1, 2, &header[1]) != 2) {
-- 
2.33.0

next             reply	other threads:[~2021-09-17 12:07 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-09-17 12:07 Heiner Kallweit [this message]
2021-09-17 13:53 ` [PATCH] PCI/VPD: Add simple sanity check to pci_vpd_size() Krzysztof Wilczyński
2021-09-17 19:07   ` Heiner Kallweit
2021-09-27 22:29     ` Krzysztof Wilczyński
2021-10-13 18:30       ` Heiner Kallweit

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:4be24890 dfblob:75e48df2 )
 OR (
bs:"[PATCH] PCI/VPD: Add simple sanity check to pci_vpd_size()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=135abde5-dc5b-826e-e20d-0f53bf32d2dc@gmail.com \
    --to=hkallweit1@gmail.com \
    --cc=bhelgaas@google.com \
    --cc=linux-pci@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.