Skip to content

Commit

Permalink
cxl/pci: Handle truncated CDAT header
Browse files Browse the repository at this point in the history 
cxl_cdat_get_length() only checks whether the DOE response size is
sufficient for the Table Access response header (1 dword), but not the
succeeding CDAT header (1 dword length plus other fields).

It thus returns whatever uninitialized memory happens to be on the stack
if a truncated DOE response with only 1 dword was received.  Fix it.

Fixes: c970060 ("cxl/port: Read CDAT table")
Reported-by: Ming Li <ming4.li@intel.com>
Tested-by: Ira Weiny <ira.weiny@intel.com>
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Reviewed-by: Ming Li <ming4.li@intel.com>
Reviewed-by: Dan Williams <dan.j.williams@intel.com>
Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Cc: stable@vger.kernel.org # v6.0+
Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
Link: https://lore.kernel.org/r/000e69cd163461c8b1bc2cf4155b6e25402c29c7.1678543498.git.lukas@wunner.de
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
  • Loading branch information
Lukas Wunner authored and Dan Williams committed Apr 3, 2023
1 parent fbaa382 commit 34bafc7
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion drivers/cxl/core/pci.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -510,7 +510,7 @@ static int cxl_cdat_get_length(struct device *dev,
return rc;
}
wait_for_completion(&t.c);
if (t.task.rv < sizeof(__le32))
if (t.task.rv < 2 * sizeof(__le32))
return -EIO;

*length = le32_to_cpu(t.response_pl[1]);
Expand Down

0 comments on commit 34bafc7

Please sign in to comment.