Re: [PATCH] PCI/VPD: Fix stack overflow caused by pci_read_vpd_any()

linux-pci.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Bjorn Helgaas <helgaas@kernel.org>
To: Heiner Kallweit <hkallweit1@gmail.com>
Cc: Bjorn Helgaas <bhelgaas@google.com>,
	"linux-pci@vger.kernel.org" <linux-pci@vger.kernel.org>,
	Qian Cai <quic_qiancai@quicinc.com>
Subject: Re: [PATCH] PCI/VPD: Fix stack overflow caused by pci_read_vpd_any()
Date: Mon, 25 Oct 2021 19:22:21 -0500	[thread overview]
Message-ID: <20211026002221.GA58446@bhelgaas> (raw)
In-Reply-To: <20211025205700.GA28333@bhelgaas>

On Mon, Oct 25, 2021 at 03:57:00PM -0500, Bjorn Helgaas wrote:
> On Wed, Oct 13, 2021 at 08:19:59PM +0200, Heiner Kallweit wrote:
> > Recent bug fix 00e1a5d21b4f ("PCI/VPD: Defer VPD sizing until first
> > access") interferes with the original change, resulting in a stack
> > overflow. The following fix has been successfully tested by Qian
> > and myself.
> > 
> > Fixes: 80484b7f8db1 ("PCI/VPD: Use pci_read_vpd_any() in pci_vpd_size()")
> > Reported-by: Qian Cai <quic_qiancai@quicinc.com>
> > Tested-by: Qian Cai <quic_qiancai@quicinc.com>
> > Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
> 
> What does this apply to?

Never mind, I'm an idiot.  Obviously this fixes 80484b7f8db1 which is
a commit on my pci/vpd branch, and this patch applies there.  Duh.

Anyway, I squashed this into that fix to avoid a bisection hole and
updated pci/vpd and my "next" branch

> > ---
> >  drivers/pci/vpd.c | 18 +++++++++++-------
> >  1 file changed, 11 insertions(+), 7 deletions(-)
> > 
> > diff --git a/drivers/pci/vpd.c b/drivers/pci/vpd.c
> > index 5108bbd20..a4fc4d069 100644
> > --- a/drivers/pci/vpd.c
> > +++ b/drivers/pci/vpd.c
> > @@ -96,14 +96,14 @@ static size_t pci_vpd_size(struct pci_dev *dev)
> >  	return off ?: PCI_VPD_SZ_INVALID;
> >  }
> >  
> > -static bool pci_vpd_available(struct pci_dev *dev)
> > +static bool pci_vpd_available(struct pci_dev *dev, bool check_size)
> >  {
> >  	struct pci_vpd *vpd = &dev->vpd;
> >  
> >  	if (!vpd->cap)
> >  		return false;
> >  
> > -	if (vpd->len == 0) {
> > +	if (vpd->len == 0 && check_size) {
> >  		vpd->len = pci_vpd_size(dev);
> >  		if (vpd->len == PCI_VPD_SZ_INVALID) {
> >  			vpd->cap = 0;
> > @@ -156,17 +156,19 @@ static ssize_t pci_vpd_read(struct pci_dev *dev, loff_t pos, size_t count,
> >  			    void *arg, bool check_size)
> >  {
> >  	struct pci_vpd *vpd = &dev->vpd;
> > -	unsigned int max_len = check_size ? vpd->len : PCI_VPD_MAX_SIZE;
> > +	unsigned int max_len;
> >  	int ret = 0;
> >  	loff_t end = pos + count;
> >  	u8 *buf = arg;
> >  
> > -	if (!pci_vpd_available(dev))
> > +	if (!pci_vpd_available(dev, check_size))
> >  		return -ENODEV;
> >  
> >  	if (pos < 0)
> >  		return -EINVAL;
> >  
> > +	max_len = check_size ? vpd->len : PCI_VPD_MAX_SIZE;
> > +
> >  	if (pos >= max_len)
> >  		return 0;
> >  
> > @@ -218,17 +220,19 @@ static ssize_t pci_vpd_write(struct pci_dev *dev, loff_t pos, size_t count,
> >  			     const void *arg, bool check_size)
> >  {
> >  	struct pci_vpd *vpd = &dev->vpd;
> > -	unsigned int max_len = check_size ? vpd->len : PCI_VPD_MAX_SIZE;
> > +	unsigned int max_len;
> >  	const u8 *buf = arg;
> >  	loff_t end = pos + count;
> >  	int ret = 0;
> >  
> > -	if (!pci_vpd_available(dev))
> > +	if (!pci_vpd_available(dev, check_size))
> >  		return -ENODEV;
> >  
> >  	if (pos < 0 || (pos & 3) || (count & 3))
> >  		return -EINVAL;
> >  
> > +	max_len = check_size ? vpd->len : PCI_VPD_MAX_SIZE;
> > +
> >  	if (end > max_len)
> >  		return -EINVAL;
> >  
> > @@ -312,7 +316,7 @@ void *pci_vpd_alloc(struct pci_dev *dev, unsigned int *size)
> >  	void *buf;
> >  	int cnt;
> >  
> > -	if (!pci_vpd_available(dev))
> > +	if (!pci_vpd_available(dev, true))
> >  		return ERR_PTR(-ENODEV);
> >  
> >  	len = dev->vpd.len;
> > -- 
> > 2.33.0
> >

     prev parent reply	other threads:[~2021-10-26  0:22 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-10-13 18:19 [PATCH] PCI/VPD: Fix stack overflow caused by pci_read_vpd_any() Heiner Kallweit
2021-10-13 18:53 ` Bjorn Helgaas
2021-10-13 19:12   ` Heiner Kallweit
2021-10-25 20:57 ` Bjorn Helgaas
2021-10-26  0:22   ` Bjorn Helgaas [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20211026002221.GA58446@bhelgaas \
    --to=helgaas@kernel.org \
    --cc=bhelgaas@google.com \
    --cc=hkallweit1@gmail.com \
    --cc=linux-pci@vger.kernel.org \
    --cc=quic_qiancai@quicinc.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).