[PATCH] PCI/VPD: Add simple sanity check to pci_vpd_size()

linux-pci.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Heiner Kallweit <hkallweit1@gmail.com>
To: Bjorn Helgaas <bhelgaas@google.com>
Cc: "linux-pci@vger.kernel.org" <linux-pci@vger.kernel.org>
Subject: [PATCH] PCI/VPD: Add simple sanity check to pci_vpd_size()
Date: Fri, 17 Sep 2021 14:07:12 +0200	[thread overview]
Message-ID: <135abde5-dc5b-826e-e20d-0f53bf32d2dc@gmail.com> (raw)

We have a problem with a device where each VPD read returns 0x33 [0].
This results in a valid VPD structure (except the tag id) and
therefore pci_vpd_size() scans the full VPD address range.
On an affected system this took ca. 80s.

That's not acceptable, on the other hand we may not want to re-add
the old tag checks. In addition these tag check still wouldn't be able
to avoid the described scenario 100%.
Instead let's add a simple sanity check on the number of found tags.
A VPD image conforming to the PCI spec can have max. 4 tags:
id string, ro section, rw section, end tag.

[0] https://lore.kernel.org/lkml/20210915223218.GA1542966@bjorn-Precision-5520/

Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
---
 drivers/pci/vpd.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/pci/vpd.c b/drivers/pci/vpd.c
index 4be248901..75e48df2e 100644
--- a/drivers/pci/vpd.c
+++ b/drivers/pci/vpd.c
@@ -56,6 +56,7 @@ static size_t pci_vpd_size(struct pci_dev *dev)
 {
 	size_t off = 0, size;
 	unsigned char tag, header[1+2];	/* 1 byte tag, 2 bytes length */
+	int num_tags = 0;

 	/* Otherwise the following reads would fail. */
 	dev->vpd.len = PCI_VPD_MAX_SIZE;
@@ -66,6 +67,10 @@ static size_t pci_vpd_size(struct pci_dev *dev)
 		if (off == 0 && (header[0] == 0x00 || header[0] == 0xff))
 			goto error;

+		/* We can have max 4 tags: STRING_ID, RO, RW, END */
+		if (++num_tags > 4)
+			goto error;
+
 		if (header[0] & PCI_VPD_LRDT) {
 			/* Large Resource Data Type Tag */
 			if (pci_read_vpd(dev, off + 1, 2, &header[1]) != 2) {
-- 
2.33.0

next             reply	other threads:[~2021-09-17 12:07 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-09-17 12:07 Heiner Kallweit [this message]
2021-09-17 13:53 ` [PATCH] PCI/VPD: Add simple sanity check to pci_vpd_size() Krzysztof Wilczyński
2021-09-17 19:07   ` Heiner Kallweit
2021-09-27 22:29     ` Krzysztof Wilczyński
2021-10-13 18:30       ` Heiner Kallweit

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:4be24890 dfblob:75e48df2 )
 OR (
bs:"[PATCH] PCI/VPD: Add simple sanity check to pci_vpd_size()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=135abde5-dc5b-826e-e20d-0f53bf32d2dc@gmail.com \
    --to=hkallweit1@gmail.com \
    --cc=bhelgaas@google.com \
    --cc=linux-pci@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).