From: Heiner Kallweit <hkallweit1@gmail.com>
To: Bjorn Helgaas <helgaas@kernel.org>
Cc: Bjorn Helgaas <bhelgaas@google.com>,
"linux-pci@vger.kernel.org" <linux-pci@vger.kernel.org>,
Qian Cai <quic_qiancai@quicinc.com>
Subject: Re: [PATCH] PCI/VPD: Fix stack overflow caused by pci_read_vpd_any()
Date: Wed, 13 Oct 2021 21:12:14 +0200 [thread overview]
Message-ID: <ff35d592-af37-2975-0b8f-9a8e2616d38a@gmail.com> (raw)
In-Reply-To: <20211013185353.GA1909717@bhelgaas>
On 13.10.2021 20:53, Bjorn Helgaas wrote:
> On Wed, Oct 13, 2021 at 08:19:59PM +0200, Heiner Kallweit wrote:
>> Recent bug fix 00e1a5d21b4f ("PCI/VPD: Defer VPD sizing until first
>> access") interferes with the original change, resulting in a stack
>> overflow. The following fix has been successfully tested by Qian
>> and myself.
>
> What does "the original change" refer to? 80484b7f8db1? I guess the
> stack overflow is an unintended recursion? Is there a URL to Qian's
> bug report with more details that we can include here?
>
1. yes
2. yes
3. https://lore.kernel.org/netdev/e89087c5-c495-c5ca-feb1-54cf3a8775c5@quicinc.com/
>> Fixes: 80484b7f8db1 ("PCI/VPD: Use pci_read_vpd_any() in pci_vpd_size()")
>> Reported-by: Qian Cai <quic_qiancai@quicinc.com>
>> Tested-by: Qian Cai <quic_qiancai@quicinc.com>
>> Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
>> ---
>> drivers/pci/vpd.c | 18 +++++++++++-------
>> 1 file changed, 11 insertions(+), 7 deletions(-)
>>
>> diff --git a/drivers/pci/vpd.c b/drivers/pci/vpd.c
>> index 5108bbd20..a4fc4d069 100644
>> --- a/drivers/pci/vpd.c
>> +++ b/drivers/pci/vpd.c
>> @@ -96,14 +96,14 @@ static size_t pci_vpd_size(struct pci_dev *dev)
>> return off ?: PCI_VPD_SZ_INVALID;
>> }
>>
>> -static bool pci_vpd_available(struct pci_dev *dev)
>> +static bool pci_vpd_available(struct pci_dev *dev, bool check_size)
>> {
>> struct pci_vpd *vpd = &dev->vpd;
>>
>> if (!vpd->cap)
>> return false;
>>
>> - if (vpd->len == 0) {
>> + if (vpd->len == 0 && check_size) {
>> vpd->len = pci_vpd_size(dev);
>> if (vpd->len == PCI_VPD_SZ_INVALID) {
>> vpd->cap = 0;
>> @@ -156,17 +156,19 @@ static ssize_t pci_vpd_read(struct pci_dev *dev, loff_t pos, size_t count,
>> void *arg, bool check_size)
>> {
>> struct pci_vpd *vpd = &dev->vpd;
>> - unsigned int max_len = check_size ? vpd->len : PCI_VPD_MAX_SIZE;
>> + unsigned int max_len;
>> int ret = 0;
>> loff_t end = pos + count;
>> u8 *buf = arg;
>>
>> - if (!pci_vpd_available(dev))
>> + if (!pci_vpd_available(dev, check_size))
>> return -ENODEV;
>>
>> if (pos < 0)
>> return -EINVAL;
>>
>> + max_len = check_size ? vpd->len : PCI_VPD_MAX_SIZE;
>> +
>> if (pos >= max_len)
>> return 0;
>>
>> @@ -218,17 +220,19 @@ static ssize_t pci_vpd_write(struct pci_dev *dev, loff_t pos, size_t count,
>> const void *arg, bool check_size)
>> {
>> struct pci_vpd *vpd = &dev->vpd;
>> - unsigned int max_len = check_size ? vpd->len : PCI_VPD_MAX_SIZE;
>> + unsigned int max_len;
>> const u8 *buf = arg;
>> loff_t end = pos + count;
>> int ret = 0;
>>
>> - if (!pci_vpd_available(dev))
>> + if (!pci_vpd_available(dev, check_size))
>> return -ENODEV;
>>
>> if (pos < 0 || (pos & 3) || (count & 3))
>> return -EINVAL;
>>
>> + max_len = check_size ? vpd->len : PCI_VPD_MAX_SIZE;
>> +
>> if (end > max_len)
>> return -EINVAL;
>>
>> @@ -312,7 +316,7 @@ void *pci_vpd_alloc(struct pci_dev *dev, unsigned int *size)
>> void *buf;
>> int cnt;
>>
>> - if (!pci_vpd_available(dev))
>> + if (!pci_vpd_available(dev, true))
>> return ERR_PTR(-ENODEV);
>>
>> len = dev->vpd.len;
>> --
>> 2.33.0
>>
next prev parent reply other threads:[~2021-10-13 19:12 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-13 18:19 [PATCH] PCI/VPD: Fix stack overflow caused by pci_read_vpd_any() Heiner Kallweit
2021-10-13 18:53 ` Bjorn Helgaas
2021-10-13 19:12 ` Heiner Kallweit [this message]
2021-10-25 20:57 ` Bjorn Helgaas
2021-10-26 0:22 ` Bjorn Helgaas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ff35d592-af37-2975-0b8f-9a8e2616d38a@gmail.com \
--to=hkallweit1@gmail.com \
--cc=bhelgaas@google.com \
--cc=helgaas@kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=quic_qiancai@quicinc.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).