author Lukas Wunner <[email protected]> 2023-03-11 15:40:02 +0100
committer Dan Williams <[email protected]> 2023-04-03 16:16:19 -0700
commit 34bafc747c54fb58c1908ec3116fa6137393e596 (patch)
tree 1da2e4dccc57d95eefd64caafaec582a07189dd9
parent fbaa38214cd9e150764ccaa82e04ecf42cc1140c (diff)
cxl/pci: Handle truncated CDAT header
cxl_cdat_get_length() only checks whether the DOE response size is sufficient for the Table Access response header (1 dword), but not the succeeding CDAT header (1 dword length plus other fields).

It thus returns whatever uninitialized memory happens to be on the stack if a truncated DOE response with only 1 dword was received. Fix it.

Fixes: c97006046c79 ("cxl/port: Read CDAT table")
Reported-by: Ming Li <[email protected]>
Tested-by: Ira Weiny <[email protected]>
Signed-off-by: Lukas Wunner <[email protected]>
Reviewed-by: Ming Li <[email protected]>
Reviewed-by: Dan Williams <[email protected]>
Reviewed-by: Jonathan Cameron <[email protected]>
Cc: [email protected] # v6.0+
Reviewed-by: Kuppuswamy Sathyanarayanan <[email protected]>
Link: https://lore.kernel.org/r/000e69cd163461c8b1bc2cf4155b6e25402c29c7.1678543498.git.lukas@wunner.de
Signed-off-by: Dan Williams <[email protected]>
-rw-r--r-- drivers/cxl/core/pci.c 2
1 files changed, 1 insertions, 1 deletions
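The truncated-response case described in the commit message, as an added user-space C model that is not part of the commit or the kernel source. The helpers `le32_at`, `get_length` and `probe`, the poison byte and the sample response bytes are constructed for illustration; the poison fill stands in for uninitialized stack memory so the pre-fix behaviour is deterministic.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DW sizeof(uint32_t)
#define POISON 0xA5 /* constructed: stands in for stale stack contents */

/* Decode one little-endian dword from a response buffer. */
static uint32_t le32_at(const uint8_t *buf, size_t dword)
{
    const uint8_t *p = buf + dword * DW;
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* min_bytes is the smallest response size accepted before dword 1 is read. */
static int get_length(const uint8_t *resp, size_t rv, size_t min_bytes, uint32_t *length)
{
    if (rv < min_bytes)
        return -EIO;
    *length = le32_at(resp, 1); /* CDAT length lives in the second dword */
    return 0;
}

/* Model a device that writes only rv bytes into a poisoned 2-dword buffer. */
static int probe(size_t rv, size_t min_bytes, uint32_t *length)
{
    /* constructed sample: one header dword, then CDAT length = 0x40 */
    static const uint8_t device_data[2 * DW] = { 0x01, 0, 0, 0, 0x40, 0, 0, 0 };
    uint8_t resp[2 * DW];

    if (rv > sizeof(resp))
        return -EINVAL;
    memset(resp, POISON, sizeof(resp));
    memcpy(resp, device_data, rv);
    return get_length(resp, rv, min_bytes, length);
}

int main(void)
{
    uint32_t len = 0;
    int rc = probe(DW, DW, &len);     /* pre-fix bound, truncated response */
    printf("old check: rc=%d length=0x%08x\n", rc, (unsigned)len);
    rc = probe(DW, 2 * DW, &len);     /* fixed bound, truncated response */
    printf("new check: rc=%d\n", rc);
    rc = probe(2 * DW, 2 * DW, &len); /* fixed bound, complete response */
    printf("full resp: rc=%d length=0x%08x\n", rc, (unsigned)len);
    return 0;
}
```

With the one-dword bound the truncated response is accepted and the poison pattern comes back as the table length; with the two-dword bound it is rejected before the second dword is read.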
diff --git a/drivers/cxl/core/pci.c b/drivers/cxl/core/pci.c
index 49a99a84b6aa..87da8c935185 100644
--- a/drivers/cxl/core/pci.c
+++ b/drivers/cxl/core/pci.c
@@ -510,7 +510,7 @@ static int cxl_cdat_get_length(struct device *dev,
return rc;
}
wait_for_completion(&t.c);
- if (t.task.rv < sizeof(__le32))
+ if (t.task.rv < 2 * sizeof(__le32))
return -EIO;
*length = le32_to_cpu(t.response_pl[1]);
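Review bot: the new bound `2 * sizeof(__le32)` in the `t.task.rv` check is a bare multiple whose meaning (one dword of Table Access response header plus the one CDAT length dword read as `t.response_pl[1]` on the following line) can only be recovered from the commit message. A one-line comment above the check, or a bound written in terms of the highest `response_pl` index the function reads, would keep the size check and the array access from drifting apart if more CDAT header fields are read here later. The commit message notes the CDAT header has further fields beyond the length; the check covers only the length dword, which matches what this function reads, and the comment should say so.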