[PATCH AUTOSEL 6.0 01/30] cxl/mbox: Add a check on input payload size

Linux CXL
 help / color / mirror / Atom feed

* [PATCH AUTOSEL 6.0 01/30] cxl/mbox: Add a check on input payload size
@ 2022-11-11  2:33 Sasha Levin
  2022-11-11  2:33 ` [PATCH AUTOSEL 6.0 27/30] cxl/pmem: Use size_add() against integer overflow Sasha Levin
  0 siblings, 1 reply; 2+ messages in thread
From: Sasha Levin @ 2022-11-11  2:33 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Jonathan Cameron, Dan Williams, Sasha Levin, alison.schofield,
	vishal.l.verma, ira.weiny, bwidawsk, dave, linux-cxl

From: Jonathan Cameron <Jonathan.Cameron@huawei.com>

[ Upstream commit cf00b33058b196b4db928419dde68993b15a975b ]

A bug in the LSA code resulted in transfers slightly larger
than the mailbox size. Let us make it easier to catch similar
issues in future by adding a low level check.

Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Link: https://lore.kernel.org/r/20220815154044.24733-2-Jonathan.Cameron@huawei.com
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/cxl/core/mbox.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/cxl/core/mbox.c b/drivers/cxl/core/mbox.c
index 16176b9278b4..0c90f13870a4 100644
--- a/drivers/cxl/core/mbox.c
+++ b/drivers/cxl/core/mbox.c
@@ -174,7 +174,7 @@ int cxl_mbox_send_cmd(struct cxl_dev_state *cxlds, u16 opcode, void *in,
 	};
 	int rc;
 
-	if (out_size > cxlds->payload_size)
+	if (in_size > cxlds->payload_size || out_size > cxlds->payload_size)
 		return -E2BIG;
 
 	rc = cxlds->mbox_send(cxlds, &mbox_cmd);
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* [PATCH AUTOSEL 6.0 27/30] cxl/pmem: Use size_add() against integer overflow
  2022-11-11  2:33 [PATCH AUTOSEL 6.0 01/30] cxl/mbox: Add a check on input payload size Sasha Levin
@ 2022-11-11  2:33 ` Sasha Levin
  0 siblings, 0 replies; 2+ messages in thread
From: Sasha Levin @ 2022-11-11  2:33 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Yu Zhe, Dan Williams, Sasha Levin, alison.schofield,
	vishal.l.verma, ira.weiny, bwidawsk, linux-cxl

From: Yu Zhe <yuzhe@nfschina.com>

[ Upstream commit 4f1aa35f1fb7d51b125487c835982af792697ecb ]

"struct_size() + n" may cause a integer overflow,
use size_add() to handle it.

Signed-off-by: Yu Zhe <yuzhe@nfschina.com>
Link: https://lore.kernel.org/r/20220927070247.23148-1-yuzhe@nfschina.com
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/cxl/pmem.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/cxl/pmem.c b/drivers/cxl/pmem.c
index 7dc0a2fa1a6b..8c08aa009a56 100644
--- a/drivers/cxl/pmem.c
+++ b/drivers/cxl/pmem.c
@@ -148,7 +148,7 @@ static int cxl_pmem_set_config_data(struct cxl_dev_state *cxlds,
 		return -EINVAL;
 
 	/* 4-byte status follows the input data in the payload */
-	if (struct_size(cmd, in_buf, cmd->in_length) + 4 > buf_len)
+	if (size_add(struct_size(cmd, in_buf, cmd->in_length), 4) > buf_len)
 		return -EINVAL;
 
 	set_lsa =
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2022-11-11  2:37 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-11-11  2:33 [PATCH AUTOSEL 6.0 01/30] cxl/mbox: Add a check on input payload size Sasha Levin
2022-11-11  2:33 ` [PATCH AUTOSEL 6.0 27/30] cxl/pmem: Use size_add() against integer overflow Sasha Levin

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox