Date: Fri, 20 Dec 2013 09:59:37 +0800
From: Gavin Shan
To: Gavin Shan
Subject: Re: [PATCH] powernv: eeh: fix possible buffer overrun in ioda_eeh_phb_diag()
Message-ID: <20131220015937.GA13868@shangw.(null)>
References: <20131219231407.GA22418@oc3347516403.ibm.com> <20131220013539.GA10795@shangw.(null)>
In-Reply-To: <20131220013539.GA10795@shangw.(null)>
Cc: linuxppc-dev@lists.ozlabs.org
Reply-To: Gavin Shan
List-Id: Linux on PowerPC Developers Mail List

On Fri, Dec 20, 2013 at 09:35:39AM +0800, Gavin Shan wrote:
>On Thu, Dec 19, 2013 at 05:14:07PM -0600, Brian W Hart wrote:
>>PHB diagnostic buffer may be smaller than PAGE_SIZE, especially when
>>PAGE_SIZE > 4KB.
>>
>
>I think you're talking about that PAGE_SIZE could be configured
>to have variable size (e.g. 4KB). So it's not safe to pass PAGE_SIZE
>to OPAL API opal_pci_get_phb_diag_data2(). Instead, we should pass
>PNV_PCI_DIAG_BUF_SIZE and it makes sense to me :-)
>
>Also, it needs to be backported to stable kernel as well.
>
>>Signed-off-by: Brian W Hart
>
>Acked-by: Gavin Shan
>

Sorry, Brian. It has been fixed as part of the following commit, which
has been put into Ben's powerpc-next branch :-)

commit 93aef2a789778e7ec787179fc9b34ca4885a5ef3

161 static void ioda_eeh_phb_diag(struct pci_controller *hose) 162 { 163 struct pnv_phb *phb = hose->private_data; 164 - struct OpalIoPhbErrorCommon *common; 165 long rc; 166 167 - common = (struct OpalIoPhbErrorCommon *)phb->diag.blob; 168 - rc = opal_pci_get_phb_diag_data2(phb->opal_id, common, PAGE_SIZE); 169 + rc = opal_pci_get_phb_diag_data2(phb->opal_id, phb->diag.blob, 170 + PNV_PCI_DIAG_BUF_SIZE);

>>--- >> arch/powerpc/platforms/powernv/eeh-ioda.c | 5 +++-- >> 1 file changed, 3 insertions(+), 2 deletions(-) >> >>diff --git a/arch/powerpc/platforms/powernv/eeh-ioda.c b/arch/powerpc/platforms/powernv/eeh-ioda.c >>index 02245ce..8184ef5 100644
>>--- a/arch/powerpc/platforms/powernv/eeh-ioda.c >>+++ b/arch/powerpc/platforms/powernv/eeh-ioda.c >>@@ -820,14 +820,15 @@ static void ioda_eeh_phb_diag(struct pci_controller *hose) >> struct OpalIoPhbErrorCommon *common; >> long rc; >> >>- common = (struct OpalIoPhbErrorCommon *)phb->diag.blob; >>- rc = opal_pci_get_phb_diag_data2(phb->opal_id, common, PAGE_SIZE); >>+ rc = opal_pci_get_phb_diag_data2(phb->opal_id, phb->diag.blob, >>+ PNV_PCI_DIAG_BUF_SIZE); >> if (rc != OPAL_SUCCESS) { >> pr_warning("%s: Failed to get diag-data for PHB#%x (%ld)\n", >> __func__, hose->global_number, rc); >> return; >> } >> >>+ common = (struct OpalIoPhbErrorCommon *)phb->diag.blob; >> switch (common->ioType) { >> case OPAL_PHB_ERROR_DATA_TYPE_P7IOC: >> ioda_eeh_p7ioc_phb_diag(hose, common); > Thanks, Gavin
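
Review bot: in the opal_pci_get_phb_diag_data2() call, the length argument is now PNV_PCI_DIAG_BUF_SIZE, but nothing in the hunk ties that constant to the storage behind phb->diag.blob, so the same mismatch can return if the buffer declaration and the constant drift apart. If diag.blob is declared as an array, passing sizeof(phb->diag.blob) would keep the length bound to the buffer itself. The commit message says only that the buffer "may be smaller than PAGE_SIZE"; stating the actual buffer size would make the overrun condition explicit, and since the reply asks for a stable backport, the patch should carry a stable tag. Moving the common assignment below the rc check is fine, since common is not read before the switch.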