From: Bjorn Helgaas <helgaas@kernel.org>
To: Heiner Kallweit <hkallweit1@gmail.com>
Cc: Bjorn Helgaas <bhelgaas@google.com>,
"linux-pci@vger.kernel.org" <linux-pci@vger.kernel.org>,
Qian Cai <quic_qiancai@quicinc.com>
Subject: Re: [PATCH] PCI/VPD: Fix stack overflow caused by pci_read_vpd_any()
Date: Mon, 25 Oct 2021 15:57:00 -0500 [thread overview]
Message-ID: <20211025205700.GA28333@bhelgaas> (raw)
In-Reply-To: <6211be8a-5d10-8f3a-6d33-af695dc35caf@gmail.com>
On Wed, Oct 13, 2021 at 08:19:59PM +0200, Heiner Kallweit wrote:
> Recent bug fix 00e1a5d21b4f ("PCI/VPD: Defer VPD sizing until first
> access") interferes with the original change, resulting in a stack
> overflow. The following fix has been successfully tested by Qian
> and myself.
>
> Fixes: 80484b7f8db1 ("PCI/VPD: Use pci_read_vpd_any() in pci_vpd_size()")
> Reported-by: Qian Cai <quic_qiancai@quicinc.com>
> Tested-by: Qian Cai <quic_qiancai@quicinc.com>
> Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
What does this apply to?
> ---
> drivers/pci/vpd.c | 18 +++++++++++-------
> 1 file changed, 11 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/pci/vpd.c b/drivers/pci/vpd.c
> index 5108bbd20..a4fc4d069 100644
> --- a/drivers/pci/vpd.c
> +++ b/drivers/pci/vpd.c
> @@ -96,14 +96,14 @@ static size_t pci_vpd_size(struct pci_dev *dev)
> return off ?: PCI_VPD_SZ_INVALID;
> }
>
> -static bool pci_vpd_available(struct pci_dev *dev)
> +static bool pci_vpd_available(struct pci_dev *dev, bool check_size)
> {
> struct pci_vpd *vpd = &dev->vpd;
>
> if (!vpd->cap)
> return false;
>
> - if (vpd->len == 0) {
> + if (vpd->len == 0 && check_size) {
> vpd->len = pci_vpd_size(dev);
> if (vpd->len == PCI_VPD_SZ_INVALID) {
> vpd->cap = 0;
> @@ -156,17 +156,19 @@ static ssize_t pci_vpd_read(struct pci_dev *dev, loff_t pos, size_t count,
> void *arg, bool check_size)
> {
> struct pci_vpd *vpd = &dev->vpd;
> - unsigned int max_len = check_size ? vpd->len : PCI_VPD_MAX_SIZE;
> + unsigned int max_len;
> int ret = 0;
> loff_t end = pos + count;
> u8 *buf = arg;
>
> - if (!pci_vpd_available(dev))
> + if (!pci_vpd_available(dev, check_size))
> return -ENODEV;
>
> if (pos < 0)
> return -EINVAL;
>
> + max_len = check_size ? vpd->len : PCI_VPD_MAX_SIZE;
> +
> if (pos >= max_len)
> return 0;
>
> @@ -218,17 +220,19 @@ static ssize_t pci_vpd_write(struct pci_dev *dev, loff_t pos, size_t count,
> const void *arg, bool check_size)
> {
> struct pci_vpd *vpd = &dev->vpd;
> - unsigned int max_len = check_size ? vpd->len : PCI_VPD_MAX_SIZE;
> + unsigned int max_len;
> const u8 *buf = arg;
> loff_t end = pos + count;
> int ret = 0;
>
> - if (!pci_vpd_available(dev))
> + if (!pci_vpd_available(dev, check_size))
> return -ENODEV;
>
> if (pos < 0 || (pos & 3) || (count & 3))
> return -EINVAL;
>
> + max_len = check_size ? vpd->len : PCI_VPD_MAX_SIZE;
> +
> if (end > max_len)
> return -EINVAL;
>
> @@ -312,7 +316,7 @@ void *pci_vpd_alloc(struct pci_dev *dev, unsigned int *size)
> void *buf;
> int cnt;
>
> - if (!pci_vpd_available(dev))
> + if (!pci_vpd_available(dev, true))
> return ERR_PTR(-ENODEV);
>
> len = dev->vpd.len;
> --
> 2.33.0
>
next prev parent reply other threads:[~2021-10-25 20:57 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-13 18:19 [PATCH] PCI/VPD: Fix stack overflow caused by pci_read_vpd_any() Heiner Kallweit
2021-10-13 18:53 ` Bjorn Helgaas
2021-10-13 19:12 ` Heiner Kallweit
2021-10-25 20:57 ` Bjorn Helgaas [this message]
2021-10-26 0:22 ` Bjorn Helgaas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211025205700.GA28333@bhelgaas \
--to=helgaas@kernel.org \
--cc=bhelgaas@google.com \
--cc=hkallweit1@gmail.com \
--cc=linux-pci@vger.kernel.org \
--cc=quic_qiancai@quicinc.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).