From: Sathyanarayanan Kuppuswamy <sathyanarayanan.kuppuswamy@linux.intel.com>
To: Lukas Wunner <lukas@wunner.de>,
Bjorn Helgaas <helgaas@kernel.org>,
Dan Williams <dan.j.williams@intel.com>,
linux-pci@vger.kernel.org, linux-cxl@vger.kernel.org
Cc: Gregory Price <gregory.price@memverge.com>,
Ira Weiny <ira.weiny@intel.com>,
Jonathan Cameron <Jonathan.Cameron@huawei.com>,
Alison Schofield <alison.schofield@intel.com>,
Vishal Verma <vishal.l.verma@intel.com>,
Dave Jiang <dave.jiang@intel.com>,
"Li, Ming" <ming4.li@intel.com>, Hillf Danton <hdanton@sina.com>,
Ben Widawsky <bwidawsk@kernel.org>,
Alexey Kardashevskiy <aik@amd.com>,
Davidlohr Bueso <dave@stgolabs.net>,
linuxarm@huawei.com
Subject: Re: [PATCH v4 02/17] cxl/pci: Handle truncated CDAT header
Date: Sun, 12 Mar 2023 19:42:30 -0700
Message-ID: <db0b9164-09d3-e09d-44fa-948b166e1a1e@linux.intel.com>
In-Reply-To: <000e69cd163461c8b1bc2cf4155b6e25402c29c7.1678543498.git.lukas@wunner.de>
On 3/11/23 6:40 AM, Lukas Wunner wrote:
> cxl_cdat_get_length() only checks whether the DOE response size is
> sufficient for the Table Access response header (1 dword), but not the
> succeeding CDAT header (1 dword length plus other fields).
>
> It thus returns whatever uninitialized memory happens to be on the stack
> if a truncated DOE response with only 1 dword was received. Fix it.
>
> Fixes: c97006046c79 ("cxl/port: Read CDAT table")
> Reported-by: Ming Li <ming4.li@intel.com>
> Tested-by: Ira Weiny <ira.weiny@intel.com>
> Signed-off-by: Lukas Wunner <lukas@wunner.de>
> Reviewed-by: Ming Li <ming4.li@intel.com>
> Reviewed-by: Dan Williams <dan.j.williams@intel.com>
> Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
> Cc: stable@vger.kernel.org # v6.0+
> ---
Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
> drivers/cxl/core/pci.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/cxl/core/pci.c b/drivers/cxl/core/pci.c
> index 49a99a84b6aa..87da8c935185 100644
> --- a/drivers/cxl/core/pci.c
> +++ b/drivers/cxl/core/pci.c
> @@ -510,7 +510,7 @@ static int cxl_cdat_get_length(struct device *dev,
> return rc;
> }
> wait_for_completion(&t.c);
> - if (t.task.rv < sizeof(__le32))
> + if (t.task.rv < 2 * sizeof(__le32))
> return -EIO;
I think adding a comment about the size requirement would be helpful. But
it is up to you.
>
> *length = le32_to_cpu(t.response_pl[1]);
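Review bot: In the changed condition `t.task.rv < 2 * sizeof(__le32)`, the factor 2 is a bare magic number: nothing at the check says that the first dword is the Table Access response header and the second is the CDAT length field that `t.response_pl[1]` reads just below. A one-line comment above the `if`, or a named constant for the minimum response size, would tie the bound to the index it protects, so that a later change to one is less likely to miss the other.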
--
Sathyanarayanan Kuppuswamy
Linux Kernel Developer