From: Lukas Wunner <lukas@wunner.de>
To: Dan Williams <dan.j.williams@intel.com>
Cc: Bjorn Helgaas <helgaas@kernel.org>,
linux-pci@vger.kernel.org,
Gregory Price <gregory.price@memverge.com>,
Ira Weiny <ira.weiny@intel.com>,
Jonathan Cameron <Jonathan.Cameron@huawei.com>,
Alison Schofield <alison.schofield@intel.com>,
Vishal Verma <vishal.l.verma@intel.com>,
Dave Jiang <dave.jiang@intel.com>,
"Li, Ming" <ming4.li@intel.com>, Hillf Danton <hdanton@sina.com>,
Ben Widawsky <bwidawsk@kernel.org>,
linuxarm@huawei.com, linux-cxl@vger.kernel.org
Subject: Re: [PATCH v3 02/16] cxl/pci: Handle truncated CDAT header
Date: Sat, 11 Feb 2023 10:34:55 +0100 [thread overview]
Message-ID: <20230211093455.GA28981@wunner.de> (raw)
In-Reply-To: <63e6e3ef4d84e_1e4943294e6@dwillia2-xfh.jf.intel.com.notmuch>
On Fri, Feb 10, 2023 at 04:40:15PM -0800, Dan Williams wrote:
> Lukas Wunner wrote:
> > cxl_cdat_get_length() only checks whether the DOE response size is
> > sufficient for the Table Access response header (1 dword), but not the
> > succeeding CDAT header (1 dword length plus other fields).
> >
> > It thus returns whatever uninitialized memory happens to be on the stack
> > if a truncated DOE response with only 1 dword was received. Fix it.
[...]
> > --- a/drivers/cxl/core/pci.c
> > +++ b/drivers/cxl/core/pci.c
> > @@ -528,7 +528,7 @@ static int cxl_cdat_get_length(struct device *dev,
> > return rc;
> > }
> > wait_for_completion(&t.c);
> > - if (t.task.rv < sizeof(u32))
> > + if (t.task.rv < 2 * sizeof(u32))
> > return -EIO;
>
> Looks good, I wonder since this is standard for all data objects whether
> the check should be pushed into the core?
No, "t.task.rv" contains the payload length in bytes of the response
received via DOE. It doesn't include the DOE header.
I think it is legal to receive an empty response via DOE, so I cannot
push a length check down into the core.
In this case, the payload contains one dword for the Table Access Response
header (CXL r3.0 sec 8.1.11.1), followed by 3 dwords for the CDAT header:
https://uefi.org/sites/default/files/resources/Coherent%20Device%20Attribute%20Table_1.01.pdf
The CDAT header contains the length of the entire CDAT in the first
dword, hence the above-quoted check only verifies that at least two
dwords were received. It's harmless if the remainder of the CDAT
header is truncated.
Thanks,
Lukas
next prev parent reply other threads:[~2023-02-11 9:35 UTC|newest]
Thread overview: 62+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-10 20:25 [PATCH v3 00/16] Collection of DOE material Lukas Wunner
2023-02-10 20:25 ` [PATCH v3 01/16] cxl/pci: Fix CDAT retrieval on big endian Lukas Wunner
2023-02-11 0:22 ` Dan Williams
2023-02-19 13:03 ` Lukas Wunner
2023-02-14 11:15 ` Jonathan Cameron
2023-02-14 13:51 ` Lukas Wunner
2023-02-14 15:45 ` Jonathan Cameron
2023-02-28 2:53 ` Alexey Kardashevskiy
2023-02-28 8:24 ` Lukas Wunner
2023-02-28 12:08 ` Alexey Kardashevskiy
2023-02-10 20:25 ` [PATCH v3 02/16] cxl/pci: Handle truncated CDAT header Lukas Wunner
2023-02-11 0:40 ` Dan Williams
2023-02-11 9:34 ` Lukas Wunner [this message]
2023-02-14 11:16 ` Jonathan Cameron
2023-02-15 1:41 ` Li, Ming
2023-02-10 20:25 ` [PATCH v3 03/16] cxl/pci: Handle truncated CDAT entries Lukas Wunner
2023-02-11 0:50 ` Dan Williams
2023-02-11 10:56 ` Lukas Wunner
2023-02-14 11:30 ` Jonathan Cameron
2023-02-10 20:25 ` [PATCH v3 04/16] cxl/pci: Handle excessive CDAT length Lukas Wunner
2023-02-11 1:04 ` Dan Williams
2023-02-14 11:33 ` Jonathan Cameron
2023-02-16 10:26 ` Lukas Wunner
2023-02-17 10:01 ` Jonathan Cameron
2023-02-10 20:25 ` [PATCH v3 05/16] PCI/DOE: Silence WARN splat with CONFIG_DEBUG_OBJECTS=y Lukas Wunner
2023-02-10 20:25 ` [PATCH v3 06/16] PCI/DOE: Fix memory leak " Lukas Wunner
2023-02-11 1:06 ` Dan Williams
2023-03-01 1:51 ` Davidlohr Bueso
2023-02-10 20:25 ` [PATCH v3 07/16] PCI/DOE: Provide synchronous API and use it internally Lukas Wunner
2023-02-15 1:45 ` Li, Ming
2023-02-28 18:58 ` Davidlohr Bueso
2023-02-10 20:25 ` [PATCH v3 08/16] cxl/pci: Use synchronous API for DOE Lukas Wunner
2023-02-10 20:25 ` [PATCH v3 09/16] PCI/DOE: Make asynchronous API private Lukas Wunner
2023-02-15 1:48 ` Li, Ming
2023-02-10 20:25 ` [PATCH v3 10/16] PCI/DOE: Deduplicate mailbox flushing Lukas Wunner
2023-02-14 11:36 ` Jonathan Cameron
2023-02-15 5:07 ` Li, Ming
2023-02-10 20:25 ` [PATCH v3 11/16] PCI/DOE: Allow mailbox creation without devres management Lukas Wunner
2023-02-14 11:51 ` Jonathan Cameron
2023-02-15 5:17 ` Li, Ming
2023-02-10 20:25 ` [PATCH v3 12/16] PCI/DOE: Create mailboxes on device enumeration Lukas Wunner
2023-02-15 2:07 ` Li, Ming
2023-02-28 1:18 ` Alexey Kardashevskiy
2023-02-28 1:39 ` Dan Williams
2023-02-28 5:43 ` Lukas Wunner
2023-02-28 7:24 ` Alexey Kardashevskiy
2023-02-28 10:42 ` Jonathan Cameron
2023-03-02 20:22 ` Lukas Wunner
2023-03-07 1:55 ` Alexey Kardashevskiy
2023-04-03 0:55 ` Alexey Kardashevskiy
2023-02-10 20:25 ` [PATCH v3 13/16] cxl/pci: Use CDAT DOE mailbox created by PCI core Lukas Wunner
2023-02-10 20:25 ` [PATCH v3 14/16] PCI/DOE: Make mailbox creation API private Lukas Wunner
2023-02-15 2:13 ` Li, Ming
2023-02-10 20:25 ` [PATCH v3 15/16] PCI/DOE: Relax restrictions on request and response size Lukas Wunner
2023-02-15 5:05 ` Li, Ming
2023-02-15 11:49 ` Lukas Wunner
2023-02-10 20:25 ` [PATCH v3 16/16] cxl/pci: Rightsize CDAT response allocation Lukas Wunner
2023-02-14 13:05 ` Jonathan Cameron
2023-02-16 0:56 ` Ira Weiny
2023-02-16 8:03 ` Lukas Wunner
2023-02-28 1:45 ` Alexey Kardashevskiy
2023-02-28 5:55 ` Lukas Wunner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230211093455.GA28981@wunner.de \
--to=lukas@wunner.de \
--cc=Jonathan.Cameron@huawei.com \
--cc=alison.schofield@intel.com \
--cc=bwidawsk@kernel.org \
--cc=dan.j.williams@intel.com \
--cc=dave.jiang@intel.com \
--cc=gregory.price@memverge.com \
--cc=hdanton@sina.com \
--cc=helgaas@kernel.org \
--cc=ira.weiny@intel.com \
--cc=linux-cxl@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=linuxarm@huawei.com \
--cc=ming4.li@intel.com \
--cc=vishal.l.verma@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.