From: Sathyanarayanan Kuppuswamy <sathyanarayanan.kuppuswamy@linux.intel.com>
To: Lukas Wunner <lukas@wunner.de>,
Bjorn Helgaas <helgaas@kernel.org>,
Dan Williams <dan.j.williams@intel.com>,
linux-pci@vger.kernel.org, linux-cxl@vger.kernel.org
Cc: Gregory Price <gregory.price@memverge.com>,
Ira Weiny <ira.weiny@intel.com>,
Jonathan Cameron <Jonathan.Cameron@huawei.com>,
Alison Schofield <alison.schofield@intel.com>,
Vishal Verma <vishal.l.verma@intel.com>,
Dave Jiang <dave.jiang@intel.com>,
"Li, Ming" <ming4.li@intel.com>, Hillf Danton <hdanton@sina.com>,
Ben Widawsky <bwidawsk@kernel.org>,
Alexey Kardashevskiy <aik@amd.com>,
Davidlohr Bueso <dave@stgolabs.net>,
linuxarm@huawei.com
Subject: Re: [PATCH v4 02/17] cxl/pci: Handle truncated CDAT header
Date: Sun, 12 Mar 2023 19:42:30 -0700 [thread overview]
Message-ID: <db0b9164-09d3-e09d-44fa-948b166e1a1e@linux.intel.com> (raw)
In-Reply-To: <000e69cd163461c8b1bc2cf4155b6e25402c29c7.1678543498.git.lukas@wunner.de>
On 3/11/23 6:40 AM, Lukas Wunner wrote:
> cxl_cdat_get_length() only checks whether the DOE response size is
> sufficient for the Table Access response header (1 dword), but not the
> succeeding CDAT header (1 dword length plus other fields).
>
> It thus returns whatever uninitialized memory happens to be on the stack
> if a truncated DOE response with only 1 dword was received. Fix it.
>
> Fixes: c97006046c79 ("cxl/port: Read CDAT table")
> Reported-by: Ming Li <ming4.li@intel.com>
> Tested-by: Ira Weiny <ira.weiny@intel.com>
> Signed-off-by: Lukas Wunner <lukas@wunner.de>
> Reviewed-by: Ming Li <ming4.li@intel.com>
> Reviewed-by: Dan Williams <dan.j.williams@intel.com>
> Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
> Cc: stable@vger.kernel.org # v6.0+
> ---
Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
> drivers/cxl/core/pci.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/cxl/core/pci.c b/drivers/cxl/core/pci.c
> index 49a99a84b6aa..87da8c935185 100644
> --- a/drivers/cxl/core/pci.c
> +++ b/drivers/cxl/core/pci.c
> @@ -510,7 +510,7 @@ static int cxl_cdat_get_length(struct device *dev,
> return rc;
> }
> wait_for_completion(&t.c);
> - if (t.task.rv < sizeof(__le32))
> + if (t.task.rv < 2 * sizeof(__le32))
> return -EIO;
I think adding a comment about the size requirement would be helpful. But
it is up to you.
>
> *length = le32_to_cpu(t.response_pl[1]);
--
Sathyanarayanan Kuppuswamy
Linux Kernel Developer
next prev parent reply other threads:[~2023-03-13 2:42 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-11 14:40 [PATCH v4 00/17] Collection of DOE material Lukas Wunner
2023-03-11 14:40 ` [PATCH v4 01/17] cxl/pci: Fix CDAT retrieval on big endian Lukas Wunner
2023-03-15 16:39 ` Jonathan Cameron
2023-03-11 14:40 ` [PATCH v4 02/17] cxl/pci: Handle truncated CDAT header Lukas Wunner
2023-03-13 2:42 ` Sathyanarayanan Kuppuswamy [this message]
2023-03-11 14:40 ` [PATCH v4 03/17] cxl/pci: Handle truncated CDAT entries Lukas Wunner
2023-03-11 14:40 ` [PATCH v4 04/17] cxl/pci: Handle excessive CDAT length Lukas Wunner
2023-03-11 14:40 ` [PATCH v4 05/17] PCI/DOE: Silence WARN splat with CONFIG_DEBUG_OBJECTS=y Lukas Wunner
2023-03-21 3:42 ` Alexey Kardashevskiy
2023-03-21 9:05 ` Jonathan Cameron
2023-04-04 9:01 ` Lukas Wunner
2023-03-11 14:40 ` [PATCH v4 06/17] PCI/DOE: Fix memory leak " Lukas Wunner
2023-03-11 14:40 ` [PATCH v4 07/17] PCI/DOE: Provide synchronous API and use it internally Lukas Wunner
2023-03-11 14:40 ` [PATCH v4 08/17] cxl/pci: Use synchronous API for DOE Lukas Wunner
2023-03-11 14:40 ` [PATCH v4 09/17] PCI/DOE: Make asynchronous API private Lukas Wunner
2023-03-11 14:40 ` [PATCH v4 10/17] PCI/DOE: Deduplicate mailbox flushing Lukas Wunner
2023-03-11 14:40 ` [PATCH v4 11/17] PCI/DOE: Allow mailbox creation without devres management Lukas Wunner
2023-03-11 14:40 ` [PATCH v4 12/17] PCI/DOE: Create mailboxes on device enumeration Lukas Wunner
2023-03-11 14:40 ` [PATCH v4 13/17] cxl/pci: Use CDAT DOE mailbox created by PCI core Lukas Wunner
2023-03-11 14:40 ` [PATCH v4 14/17] PCI/DOE: Make mailbox creation API private Lukas Wunner
2023-03-11 14:40 ` [PATCH v4 15/17] PCI/DOE: Relax restrictions on request and response size Lukas Wunner
2023-03-11 14:40 ` [PATCH v4 16/17] cxl/pci: Simplify CDAT retrieval error path Lukas Wunner
2023-03-15 16:48 ` Jonathan Cameron
2023-03-11 14:40 ` [PATCH v4 17/17] cxl/pci: Rightsize CDAT response allocation Lukas Wunner
2023-03-13 19:55 ` [PATCH v4 00/17] Collection of DOE material Bjorn Helgaas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=db0b9164-09d3-e09d-44fa-948b166e1a1e@linux.intel.com \
--to=sathyanarayanan.kuppuswamy@linux.intel.com \
--cc=Jonathan.Cameron@huawei.com \
--cc=aik@amd.com \
--cc=alison.schofield@intel.com \
--cc=bwidawsk@kernel.org \
--cc=dan.j.williams@intel.com \
--cc=dave.jiang@intel.com \
--cc=dave@stgolabs.net \
--cc=gregory.price@memverge.com \
--cc=hdanton@sina.com \
--cc=helgaas@kernel.org \
--cc=ira.weiny@intel.com \
--cc=linux-cxl@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=linuxarm@huawei.com \
--cc=lukas@wunner.de \
--cc=ming4.li@intel.com \
--cc=vishal.l.verma@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).