From: Pengpeng Hou <pengpeng@iscas.ac.cn>
To: maddy@linux.ibm.com
Cc: mpe@ellerman.id.au, npiggin@gmail.com, chleroy@kernel.org,
kees@kernel.org, srikar@linux.ibm.com, nathanl@linux.ibm.com,
linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org,
pengpeng@iscas.ac.cn
Subject: [PATCH] powerpc/pseries/lparcfg: size the scratch buffer to the system parameter payload
Date: Thu, 2 Apr 2026 00:03:16 +0800
Message-ID: <20260401160316.88551-1-pengpeng@iscas.ac.cn>

parse_system_parameter_string() reads the shared processor LPAR
attributes into a firmware buffer that can hold up to 4000 bytes, but it
still tokenizes that payload through a fixed 1026-byte scratch buffer. A
single long key-value fragment can therefore overrun the local parser
buffer before the next comma delimiter is seen.

Allocate the scratch buffer to the current payload size so tokenization
stays within bounds.

Fixes: fff9846be00c ("powerpc/pseries/lparcfg: convert to papr_sysparm API")
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
arch/powerpc/platforms/pseries/lparcfg.c | 23 +++++++++++++----------
1 file changed, 13 insertions(+), 10 deletions(-)
diff --git a/arch/powerpc/platforms/pseries/lparcfg.c b/arch/powerpc/platforms/pseries/lparcfg.c
index 8821c378bfff..c09f474c241e 100644
--- a/arch/powerpc/platforms/pseries/lparcfg.c
+++ b/arch/powerpc/platforms/pseries/lparcfg.c
@@ -385,8 +385,6 @@ static void read_lpar_name(struct seq_file *m)
read_dt_lpar_name(m);
}
-#define SPLPAR_MAXLENGTH 1026*(sizeof(char))
-
/*
* parse_system_parameter_string()
* Retrieve the potential_processors, max_entitled_capacity and friends
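Review bot: with the SPLPAR_MAXLENGTH define removed here, the scratch allocation no longer has any fixed ceiling, so the only bound left is the firmware-reported length used in the next hunk. It would help to state the expected maximum in a comment (the commit message mentions a 4000-byte firmware buffer) and to confirm that no other user of SPLPAR_MAXLENGTH remains in lparcfg.c, since only the two uses inside parse_system_parameter_string() are visibly converted.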
@@ -407,27 +405,32 @@ static void parse_system_parameter_string(struct seq_file *m)
const char *local_buffer;
int splpar_strlen;
int idx, w_idx;
- char *workbuffer = kzalloc(SPLPAR_MAXLENGTH, GFP_KERNEL);
-
- if (!workbuffer)
- goto out_free;
+ size_t workbuf_size;
+ char *workbuffer;
splpar_strlen = be16_to_cpu(buf->len);
local_buffer = buf->val;
+ workbuf_size = splpar_strlen + 1;
+
+ workbuffer = kzalloc(workbuf_size, GFP_KERNEL);
+ if (!workbuffer)
+ goto out_free;
w_idx = 0;
idx = 0;
- while ((*local_buffer) && (idx < splpar_strlen)) {
+ while ((idx < splpar_strlen) && local_buffer[idx]) {
workbuffer[w_idx++] = local_buffer[idx++];
- if ((local_buffer[idx] == ',')
+ if (idx >= splpar_strlen ||
+ (local_buffer[idx] == ',')
|| (local_buffer[idx] == '\0')) {
workbuffer[w_idx] = '\0';
if (w_idx) {
/* avoid the empty string */
seq_printf(m, "%s\n", workbuffer);
}
- memset(workbuffer, 0, SPLPAR_MAXLENGTH);
- idx++; /* skip the comma */
+ memset(workbuffer, 0, workbuf_size);
+ if (idx < splpar_strlen)
+ idx++; /* skip the comma */
w_idx = 0;
} else if (local_buffer[idx] == '=') {
/* code here to replace workbuffer contents
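Review bot: sizing workbuffer to splpar_strlen + 1 is only sufficient if no token ever becomes longer than the payload, and the '=' branch at the end of this hunk is commented as replacing workbuffer contents. If that branch writes a replacement keyword longer than the key it matched, a short payload now gets a scratch buffer smaller than the replacement, so the overrun moves rather than goes away, where the old 1026-byte buffer had slack. Please size the allocation for the worst-case rewritten token or bound the copy in that branch. Separately, splpar_strlen comes straight from be16_to_cpu(buf->len) and is used as both the allocation size and the loop bound without being checked against the capacity of buf->val; clamping it before `workbuf_size = splpar_strlen + 1;` would keep the read side in bounds as well.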
--
2.50.1 (Apple Git-155)